
Security Guide
SAP BusinessObjects Planning and Consolidation 7.5
version for SAP NetWeaver

Target Audience
■ Technical Consultants
■ System Administrators

PUBLIC
Document version: 2.0 – 2010-06-15


SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany

T +49/18 05/34 34 34
F +49/18 05/34 34 20

www.sap.com

© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

2/42 PUBLIC 2010-06-15


Typographic Conventions

Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

Example → Example

Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressions

Example Words or characters that you enter in the system exactly as they appear in the documentation

http://www.sap.com Textual cross-references to an internet address

/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

Example ■ Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.

■ Cross-references to other documentation or published works

Example ■ Output on the screen following a user action, for example, messages ■ Source code or syntax quoted directly from a program ■ File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard


Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document.

You can find the latest version at the following location: http://service.sap.com/securityguide.

The following table provides an overview of the most important document changes.

Version Date Description

1.0 2009-12-15 First Version

2.0 2010-06-15 This is the update for SP03. For detailed information, refer to the appropriate SAP central note.


Table of Contents

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2 Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 3 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 4 Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 5 User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.1 User Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.2 Authenticating through CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5.3 Authenticating through Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5.4 Setting Up Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.5 Setting Up Teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.6 Authorization Objects for SAP Business Explorer . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 6 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6.1 Task Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6.2 Member Access Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 7 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.1 Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.2 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Chapter 8 Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 9 Dispensable Functions that Affect Security . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 10 Trace and Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


1 Introduction

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to Planning and Consolidation. To assist you in securing your system, we provide this Security Guide.

About This Document

The Security Guide provides an overview of the security-relevant information that applies to the system.

Overview of the Main Sections

The Security Guide comprises the following main sections:

■ Before You Start
This section contains references to other Security Guides that build the foundation for this Security Guide.

■ Technical System Landscape
This section contains a link to more information about the system landscape.

■ Security Overview
This section explains the initial users in the system and default authorizations. The section also provides an overview of the high-level steps needed to establish Planning and Consolidation security.

■ User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
● Active Directory domain considerations
● User setup
● Team setup


■ Authorizations
This section provides details on the authorization concept that applies to Planning and Consolidation.

■ Network and Communication Security
This section provides an overview of the network topology and communication protocols used by the application.

■ Data Storage Security
This section describes the security aspects involved with saving data used by the application.

■ Dispensable Functions with Impact on Security
This section describes which functions are not absolutely necessary and how you can deactivate them.

■ Trace and Log Files
This section provides a link to where trace and log files are located.


2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide on the SAP Service Marketplace.

Important SAP Notes

The most important SAP Notes that apply to the security of the system are shown in the table below.

Important SAP Notes

SAP Note Number Title Comments

1410517 SAP Planning and Consolidation 7.5 SP00, version for the NetWeaver platform

This is the Central Note for Planning and Consolidation 7.5.

1409989 SAP Planning and Consolidation 7.5 SP01, version for the NetWeaver platform

This is the Central Note for Planning and Consolidation 7.5, Service Pack 01.

1433411 SAP Planning and Consolidation 7.5 SP02, version for the NetWeaver platform

This is the Central Note for Planning and Consolidation 7.5, Service Pack 02.

1453797 SAP Planning and Consolidation 7.5 SP03, version for the NetWeaver platform

This is the Central Note for Planning and Consolidation 7.5, Service Pack 03.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links to Additional Information

Content Quick Link on the SAP Service Marketplace or SDN

Security http://sdn.sap.com/irj/sdn/security

Security Guides https://service.sap.com/securityguide

Related SAP Notes https://service.sap.com/notes

Released Platforms https://service.sap.com/pam

Network Security https://service.sap.com/securityguide

SAP Solution Manager https://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver


3 Technical System Landscape

For information about the technical system landscape, see the Master Guide from http://service.sap.com/instguidescpm → bpc 7.5, version for SAP NetWeaver.


4 Security Overview

This section describes the security features included with Planning and Consolidation.

Features

Security Upon Initial System Installation

When you first install the system, the following items apply:

■ The installation user can access Server Manager locally on the application server, and access the Administration Console and Administration for the Web from any client machine. (After additional users are defined, they can also access the administration features remotely.)

■ The system administrator can perform all administrative tasks, but does not have any access to members.

■ There are no other users defined. See User Setup [page 18].

■ There is one Admin team defined that can be used as a sample. See Team Setup [page 18].

■ There is one sample task profile that has full Administration privileges (PrimaryAdmin), and another sample task profile that has full Administration privileges and dimension access (SysAdmin). See Team Setup [page 18].

■ Administrators must specifically assign task profiles to users or teams of users before they can access any tasks. Similarly, if they do not assign member access profiles to users or teams to define access to members of a secured dimension, no one has access to that dimension. See Member Access Profile Setup [page 27].

Steps to Define Security

Defining security involves the following steps:

■ Name each user. See User Setup [page 18].

■ Assign users to teams. See Team Setup [page 18].

■ Assign task profiles to users or teams. See Task Profile Setup [page 21].

■ Assign member access profiles to users or teams. See Member Access Profile Setup [page 27].

Security Audit Files

All security-related changes, such as adding, changing, and deleting users, teams, task profiles and member profiles, can be audited by Planning and Consolidation.


Administrators control whether activity auditing on administration tasks (including security tasks) is enabled or not. If enabled for administration tasks, all administration tasks are audited (see Activity Auditing in the Application Help for more information).

To enable activity auditing for Administration tasks, choose Manage Activity Audit from the Administration for the Web interface, then choose Administration Activity. Once the system records an activity, you can run a report that shows activity based on specified criteria (see Reporting on Activity Auditing in the Application Help).

Emergency User

When normal access to the system is no longer available, SAP customers can log on to the .NET server as SysAdmin (or other operating system users with administrative rights) to repair the Planning and Consolidation installation. For access to the ABAP server, see the NetWeaver Security Guide.


5 User Administration and Authentication

There are two authentication methods available in Planning and Consolidation:

■ SAP BusinessObjects User Management System (CMS)

■ Microsoft Windows (Active Directory)

During the installation of the Planning and Consolidation server, you specify which authentication method is appropriate for your needs.

NOTE

If you are currently authenticating through Active Directory, there is a migration tool available that allows you to convert your users over to authenticate through CMS. For more information, see the Operations Guide.

This section contains information about user administration and authentication in the following topics:

■ User Authentication Process

■ Authenticating through CMS

■ Authenticating through Active Directory

■ Setting up Users

■ Setting up Teams

■ Authorization Objects for SAP Business Explorer

5.1 User Authentication Process

This section describes how users are authenticated from the Office and Web clients.

Authentication of Office Clients

1. From the Logon window, credentials are either taken from the Windows operating system, or they must be entered using an alternate ID. In the latter case, the user enters a domain, user ID, and password.

2. The client creates a stub to call the Planning and Consolidation .NET Web server. This is configured to use the credentials supplied by the user during logon.


3. The system builds a SOAP request, including the user credentials. The request is sent to the application server.

4. The system validates that the user connecting to the Web server is the same user identified by the credentials.

5. The Web server calls the Planning and Consolidation authentication service to validate the user credentials. If CMS has been configured, the user credentials are validated against the BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against Active Directory. For more details, see Authenticating through CMS [page 17] and Authenticating through Active Directory [page 17].

6. If the user credentials are not valid, the authentication service returns Access is denied. If the credentials are valid, the service returns Auth Success.

7. If the user is authenticated successfully, the Web server sends the results to the Planning and Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401 error.

Authentication of Web Clients

1. The user navigates to the Planning and Consolidation home page. The Web server uses IIS Windows (Integrated or Basic) authentication. If the user credentials are not valid, Windows prompts the user to enter a user ID and password.

2. The client creates a stub to call the Planning and Consolidation application server.

3. The system builds a SOAP request, including the user credentials. The request is sent to the application server.

4. The system validates that the user connecting to the Web server is the same user identified by the credentials.

5. The system calls the Planning and Consolidation authentication service to validate credentials.

6. If CMS has been configured, the user credentials are validated against the BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against Active Directory. For more details, see Authenticating through CMS [page 17] and Authenticating through Active Directory [page 17].

7. If the user credentials are not valid, the authentication service returns Access is denied. If the credentials are valid, the service returns Auth Success.

8. If the user is authenticated successfully, the application server sends the results to the Planning and Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401 error.


5.2 Authenticating through CMS

The BusinessObjects Enterprise (BOE) SDK and Central Management Server (CMS) subsystem provide additional authentication options that are not available in Active Directory, including single sign-on (SSO). Using SSO means that you do not need to provide authentication information when moving between Planning and Consolidation and other applications such as Xcelsius or Infoview. CMS maintains a database of information about BOE (in the CMS database), and manages security, including access rights and authentication.

The following diagram shows the BOE SDK and CMS architecture.

Figure 1: BusinessObjects SDK & CMS

5.3 Authenticating through Active Directory

If authenticating users through Active Directory, and a user ID is added to the system with a domain name (for example, PC\hsmith), the system assumes the user ID is maintained within Active Directory. (If not on a domain, users must be valid Windows users on the .NET application server.) When the user logs on, the system validates the password against Active Directory.

NOTE

In Server Manager, you can specify specific domains that are being used for Planning and Consolidation users. In addition, filters can be applied to those domains to select specific users from them. For more information, see the Operations Guide.


When you are adding new users from a domain to the system, you have the ability to select one of the user-defined groups, and customize it further, if required.

When setting up users on the system, take the following considerations into account:

■ We recommend that all users come from a single domain.

■ We recommend that all users have access to the domain the server is on. If they do not have direct access, the domain must be trusted between the server and user domain.

■ The installation user must have rights to browse the users from all user domains.

5.4 Setting Up Users

You can add new users and assign them to teams, task profiles, and member access profiles.

If you are not using the default task or member access profiles and have not set them up yet, we recommend that you define them before adding users. You might also want to create teams, so you can assign the newly added users to the appropriate teams.

Alternatively, when you define the teams and profiles, you can assign users to them at that time.

Features

Adding Users

You can add users in the Admin Console. To do so, choose Security → Users, then expand the domain name. In the Manage Users action pane, select Add New User, then enter the required data to specify the domain, e-mail address, teams, task profiles, and member access profiles.

Modifying Users

You can modify a user definition in the Admin Console. To do so, choose Security → Users. Select a user. In the Manage Users Options task pane, choose Modify the selected user's definition. Follow the prompts in the assistant.

NOTE

You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the server to challenge users for a user name and password. See the Server Manager section of the Application Help located at http://help.sap.com/epm.

5.5 Setting Up Teams

You can set up and maintain teams of users. When you assign security to a team, the security works collectively on the team members. This allows you to set up task-based or member-based security for several users at the same time. Teams are not required to successfully process security.


Features

Adding teams

To add a team, in the Admin Console select Security → Teams → Add New Team. Enter data as required.

Assigning team leaders

Assigning a team leader is useful when you want to give one person from the team special access rights, for example, the rights to save templates to the team folder. A team leader that has ManageTemplate privileges can save templates to their respective team folder. For more information, see the ManageTemplate task in Task Profile Setup [page 21].

In addition, a team leader is the only one who can save Data Manager conversion and transformation files. See TeamLeadAdmin in Task Profile Setup [page 21].

To assign a team leader, in the Admin Console select Security → Teams, and select the desired user from the team list.

Modifying teams

You can modify the definition of an existing team. When modifying a team, you can change everything except the team name.

To modify a team definition, in the Admin Console select Security → Teams. Select the team, then click Modify the selected team's definition. Follow the prompts in the assistant to revise the team definition, revise selected team members, or assign different task and member access profiles.

5.6 Authorization Objects for SAP Business Explorer

For reporting through SAP Business Explorer (BEx), users must log on to the SAP backend system. Authorization objects for each user must be maintained in that system.

The following table describes the authorization objects that are required.

Authorization Object Technical Name Description

BEx – Components S_RS_COMP Authorization for using different components for the query definition

BEx – Components S_RS_COMP1 Authorization for queries from specific owners

BEx – Components S_RS_FOLD Display authorization for folders

BEx – Individual Tools S_RS_TOOLS Authorization for individual Business Explorer tools

BEx – Enterprise Reports S_RS_ERPT Authorization for BEx enterprise reports

BEx – Enterprise Report Reusable Elements S_RS_EREL Authorization for reusable elements of a BEx enterprise report


BEx – Data Access Services S_RS_DAS Authorizations for working with data access services

BEx – Web Templates S_RS_BTMP Authorization for working with BEx Web templates

BEx – Reusable Web Items S_RS_BITM Authorization for working with BEx Web items

BEx Information Broadcasting Authorization for Scheduling S_RS_BCS Authorization for registering broadcast settings for execution

BEx Texts (Maintenance) S_RS_BEXTX Authorization for maintaining BEx texts


6 Authorizations

Authorization is defined by task profiles and member access profiles:

■ Task profiles define what type of activities or tasks a user or a team of users can perform.

■ Member access profiles define the specific applications to which users have access.

6.1 Task Profile Setup

A task profile defines the type of activities or tasks a user or a team of users can perform in Planning and Consolidation. After creating a task profile, you assign it to one or more users. You can add tasks to a profile as needed.

Features

Administrator Roles

A role is a predefined set of administration tasks. If you want to assign a user one or more administration tasks, you must assign them one of the predefined administrator roles. Without one of these role assignments, the user cannot perform any administrator tasks.

The three administrator roles are:

■ System Admin

■ Primary Admin

■ Secondary Admin

Default task rights

A System Administrator (System Admin), by default, has the following task rights:

■ Appset

■ DefineSecurity

A Primary Administrator (Primary Admin), by default, has the following task rights:

■ Application

■ BusinessRules

■ DefineSecurity

■ Dimensions

■ Lockings

■ ManageAudit


■ ManageComments

■ ManageContentLibrary

■ ManageDistributor

■ ManageLiveReport

■ ManageTemplates

■ Misc

■ UpdateToCompanyFolder

■ WebAdmin

A Secondary Administrator (Secondary Admin), by default, has the following task rights:

■ Dimensions

Administration Task Profile Descriptions

The following table describes the available tasks in the Administration interface:

Task Can be assigned to Description

Application Only the primary administrator (default) Can create, modify, and delete applications in this application set, make changes to dimensions and add dimensions, and optimize applications.

Appset System administrator, by default, but can be assigned to primary administrator Can create new application sets, modify application sets, and set application set parameters (in Web Admin Tasks).

Business Rules Primary administrator, by default, but can be assigned to secondary administrator Define business rules.

Dimension Only primary and secondary administrators (default) Create, modify, process, and delete dimensions and members.

Lockings Primary administrator, by default, but can be assigned to secondary administrator Define and edit work status codes.

ManageDrillThrough Primary administrator, by default, but can be assigned to secondary administrator Create and modify drill-through setup.

Misc Primary administrator, by default, but can also be assigned to system and secondary administrators. View application set status.

AnalysisCollection Task Profile Descriptions

The following table describes the available tasks in the AnalysisCollection interface:

Task Can be assigned to Description

eAnalyze Anyone Access, manage, and edit ad hoc and audit reports.

EditDynamicHierarchy Anyone A user with this task can edit dynamic hierarchy structures.


ManageTemplate Anyone A user with this task can access templates from the company folder, and restrict workbook options. A team member or team leader with this task can access and save templates to their respective team folder.

OpenWordPptFiles Anyone A user with this task can open Microsoft Word and Microsoft PowerPoint files.

SaveWordPptFiles Anyone A user with this task can save Microsoft Word and Microsoft PowerPoint files.

SubmitData Anyone Can access the build input schedules and send data. Can use spread, weight, and trend options. Can post documents with application context to the Content Library.

Audit Task Profile Descriptions

The following table describes the available tasks in the Audit interface:

Task Can be assigned to Description

ManageAudit Anyone Can manage activity and data auditing.

Business Process Flows Task Profile Descriptions

The following table describes the available tasks in the Business Process Flow interface:

Task Can be assigned to Description

BPFExecution Anyone This user or team can execute business process flow tasks.

ManageBPF Only the primary administrator (default) This user or team can create, modify, and delete business process flows.

Collaboration Task Profile Descriptions

The following table describes the available tasks in the Collaboration interface:

Task Can be assigned to Description

ManageDistributor Anyone This user or team can use the Offline Distributor.

PublishOffline Anyone This user or team collects changes to offline input schedules and sends data to a database.

Comments Task Profile Descriptions

The following table describes the available tasks in the Comments interface:

Task Can be assigned to Description

AddComment Anyone This user or team can add comments.

ManageComments Anyone This user or team can remove comments.

Data Manager Task Profile Descriptions


The following table describes the available tasks in the DM interface:

Task Can be assigned to Description

Execute Anyone This user or team can manage Data Manager packages:
■ Data upload
■ Data download
■ Data Preview
■ Clear saved prompts
■ View status based on user ID
■ View schedule status based on user ID
■ Run Specific package
■ Run user package
■ Validate & Process conversion files for company
■ Validate & Process transformation files for company
■ Maintain status based on user ID
■ View status

CalculateOwnership Anyone This user or team can run the Data Manager package Calculate Ownership.

GeneralAdmin Anyone This user or team can perform tasks such as:
■ New Transformation
■ Test transformation with data
■ New Conversion
■ New Conversion Sheet
■ Transformation
■ Save
■ Save Transformation As
■ Save Conversion
■ Save Conversion As

PrimaryAdmin Anyone Can perform the following default PrimaryAdmin tasks:
■ Manage transformation files for company and Validate & Process
■ Manage conversion files for company and Validate & Process
■ Packages that run directly against the fact table are limited to administrators
■ Manage team package access
■ Organize package list
■ Maintain status regardless of user ID
■ Run admin package

TeamLeadAdmin Anyone Can perform the following tasks:
■ Open transformation files from team folder and validate & process
■ Open conversion files from team folder and validate & process
■ Perform a data preview from the team folder
■ Perform a data upload from the team folder
■ Perform a data download from the team folder

NOTE

These tasks cannot be performed on the Company folder.

TeamLeadAdmin Team Leader
■ All tasks described in TeamLeadAdmin, above
■ Save transformation files
■ Save conversion files

FileAccess Task Profile Descriptions

The following table describes the available tasks in the FileAccess interface:

Task Can be assigned to Description

UpdateToCompanyFolder Anyone A user, team member, or team leader with this task can save templates to the company folder, but they must also have ManageTemplate rights.

Journal Task Profile Descriptions

The following table describes the available tasks in the Journal interface:

Task Can be assigned to Description

AdminJournal Anyone Can manage journals as follows:
■ Create and maintain journal templates
■ Clear journal tables
■ Create Journal

CreateJournal Anyone Can create or modify journal entries.

PostJournals Anyone Can post journals.

ReviewJournals Anyone Can review journals.

UnpostJournals Anyone Can unpost journal entries.

Security Task Profile Descriptions

The following table describes the available tasks in the Security interface:

Task Can be assigned to Description

DefineSecurity Only system and primary administrators (by default) Can manage users, task, and member access profiles.

CAUTION

We recommend that you restrict access of this task to a few privileged users.

ViewSystemReport Task Profile Descriptions

The following table describes the available tasks in the ViewSystemReport interface:


Task Can be assigned to Description

AuditReport Anyone This user or team can create audit reports.

SecurityReport Anyone This user or team can create security reports.

CommentReport Anyone This user or team can run a comment report.

JournalReport Anyone This user or team can run a journal report.

Workstatus report Anyone This user or team can run a work status report.

WorkStatus Task Profile Descriptions

The following table describes the available tasks in the WorkStatus interface:

Task Can be assigned to Description

SetWorkStatus Anyone This user or team creates work status on a data region.

ZFP Task Profile Descriptions

The following table describes the available tasks in the Web interface:

Task Can be assigned to Description

AccessContentLib Anyone This user or team can access, filter, sort, and add pages to the Content Library in the Web interface.

CreateWebPage Anyone This user or team can create new web pages in the Web interface.

LiveReport Anyone This user or team can access live reports in the Web interface.

ManageContentLib Anyone Can manage all items in the Content Library.

ManageLiveReport Anyone This user or team can manage live reports using drag and drop in the Web interface.

WebAdmin Anyone Can do the following in Web Admin Tasks:
■ Set application parameters
■ Manage dimensions (make changes to existing dimensions based on dimension)
■ Manage document types and subtypes
■ Publish Non-Planning and Consolidation reports

Adding a Task Profile

To create a new task profile in the Admin Console, choose Security → Task Profiles. Enter data as required.

Tips for Assigning Task Profiles

■ The number of task profiles administrators can assign to a user is not limited. However, we recommend that you do not assign multiple task profiles to users because it may cause confusion in determining their ultimate access rights.

Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning multiple task profiles can create a situation where users have access to tasks that you may not want them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs to a team that possesses data-send task rights, UserA can also send data.

■ Administrators can assign multiple task profiles to a team. However, we recommend that you do not assign multiple task profiles to a team because it may cause confusion in determining the ultimate access rights of that team.
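The cumulative rule above has a practical consequence for access reviews: a task a user was never given directly can still be in effect through a team. The following Python model is an added example and not part of the guide or the product; it computes a user's effective task set as the union of directly assigned and team-inherited profiles, and flags the tasks that arrive only through team membership. The users, teams, profile names and the tasks they contain (UserA, Team1, ReadOnlyProfile, DataEntryProfile) are constructed for illustration; the task names SubmitData, AddComment and OpenWordPptFiles are the ones listed in the tables above.

```python
"""Cumulative task-profile resolution (added example, not SAP code).

Task access is additive: a user's effective tasks are the union of every
task profile assigned to the user directly and every task profile assigned
to any team the user belongs to. No task can be explicitly denied, so the
only way to remove a team-inherited task is to change the team or its profile.
"""
from typing import Dict, List, Set

# Constructed sample data: task profile name -> tasks it grants.
TASK_PROFILES: Dict[str, Set[str]] = {
    "ReadOnlyProfile": {"OpenWordPptFiles"},
    "DataEntryProfile": {"SubmitData", "AddComment"},
}

# Constructed assignments: UserA is meant to retrieve data only, but is a
# member of Team1, whose profile grants data-send rights.
USER_PROFILES: Dict[str, List[str]] = {"UserA": ["ReadOnlyProfile"]}
TEAM_PROFILES: Dict[str, List[str]] = {"Team1": ["DataEntryProfile"]}
TEAM_MEMBERS: Dict[str, List[str]] = {"Team1": ["UserA"]}


def effective_tasks(user: str) -> Dict[str, Set[str]]:
    """Map each effective task to the sources that grant it.

    Sources are labelled 'user:<profile>' for direct assignments and
    'team:<team>/<profile>' for grants inherited through team membership.
    """
    sources: Dict[str, Set[str]] = {}
    for profile in USER_PROFILES.get(user, []):
        for task in TASK_PROFILES.get(profile, set()):
            sources.setdefault(task, set()).add(f"user:{profile}")
    for team, members in TEAM_MEMBERS.items():
        if user not in members:
            continue
        for profile in TEAM_PROFILES.get(team, []):
            for task in TASK_PROFILES.get(profile, set()):
                sources.setdefault(task, set()).add(f"team:{team}/{profile}")
    return sources


def team_only_tasks(user: str) -> Dict[str, Set[str]]:
    """Tasks the user holds only through team membership.

    These are the grants a review of the user's own profiles would miss.
    """
    return {
        task: srcs
        for task, srcs in effective_tasks(user).items()
        if not any(src.startswith("user:") for src in srcs)
    }


if __name__ == "__main__":
    for task, srcs in sorted(effective_tasks("UserA").items()):
        print(f"{task:20} granted by {sorted(srcs)}")
    print("team-only tasks:", sorted(team_only_tasks("UserA")))
```

Running the script shows SubmitData granted to UserA solely by team:Team1/DataEntryProfile, which is exactly the situation the guide warns about; a periodic run of `team_only_tasks` over all users is a cheap way to catch it.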

6.2 Member Access Profile Setup

You must define a member access profile for all secured dimensions of an application. If no profile is defined for a secured dimension, the users assigned to the profile do not have access rights to that application. If you partially define access, for example, for one of two secured dimensions, users are still denied access to the application.

After creating a Member Access profile, you assign it to users as needed.

General Rules for Member Access Security

Member access security is based on the following rules:

■ By default, no one other than the system administrator has access to members. Member access must be explicitly granted.

■ A user can be assigned member access individually and through team membership.

■ Member access privileges flow down the hierarchy, from parent to child.

■ When in conflict, the least restrictive member access profile is applied.

■ In case of a conflict between individual and team member access, the least restrictive setting is applied.

■ Denial of member access can be set only at the user level.

Defining Access to Members with Children

When defining access to a secured dimension that has one or more defined hierarchies, security is applied to the member and all of its children. For example, if you grant access to a member that has 10 children, users with access to the parent member also have access to the 10 children.

You can restrict a child member of a parent with ‘Read’ or ‘Read and Write’ access by creating a separate member access profile and assigning the child ‘Denied’ access. Alternatively, you can use the same member access profile as the parent, but create a new line item for the child.

Creating Member Access Profiles

You can add member access profiles from the Admin Console by choosing Security → Member Access Profiles → Add a New Member Access Profile and following the prompts in the New Member Access Profile assistant. Be sure to choose Apply to process the new member access profiles.


Modifying Member Access Profiles

You can modify an existing member access profile by selecting Modify the selected profile definition in the Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.

Resolving Member Access Profile Conflicts

Since you can define member access by individual users and by teams, there may be situations in which conflicts occur. The following topics describe some potential member access conflict scenarios and the rules the system applies to resolve those conflicts. These scenarios are based on the assumption that the Entity dimension is a secured dimension and has the following hierarchical structure:

Hierarchy H1:

WorldWide1
  Sales
    SalesAsia
      SalesKorea
      SalesJapan
      ESalesAsia
    SalesEurope
      SalesItaly
      SalesFrance
      ESalesEurope

Hierarchy H2:

WorldWide2
  Asia
    Korea
      SalesKorea
    Japan
      SalesJapan
    eAsia
      ESalesAsia
  Europe
    Italy
      SalesItaly
    France
      SalesFrance
    eEurope
      ESalesEurope

Conflict Between Profiles

When there is a conflict between member access profiles, the least restrictive profile is always applied. This section describes three different scenarios where there are conflicts between profiles.

EXAMPLE

Scenario 1:

■ User1 belongs to Team1 and Team2.

■ There are two member access profiles: ProfileA and ProfileB.

■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.

The member access profiles are described in the following table:

Member access profile Access Dimension Member

ProfileA Read & Write Entity Sales

ProfileB Read Only Entity SalesAsia


In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As a result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and SalesItaly.

EXAMPLE

Scenario 2:

■ User1 belongs to Team1 and Team2.

■ There are two member access profiles: ProfileA and ProfileB.

■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.

The member access profiles are described in the following table:

Member access profile Access Dimension Member

ProfileA Read Only Entity Sales

ProfileB Read & Write Entity SalesAsia

In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for the child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to send data to SalesKorea, but not to SalesItaly.

EXAMPLE

Scenario 3:

■ User1 does not belong to any team.

■ There are two member access profiles: ProfileA and ProfileB.

■ Both profiles are assigned to the user.

The member access profiles are described in the following table:

Member access profile Access Dimension Member

ProfileA Denied Entity SalesAsia

ProfileB Read Only Entity Sales

In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea and SalesItaly.

Conflict Between Parent and Child Members

Authority always flows down the hierarchy from parent to child. Child members always have the access level of their parents, unless otherwise specified.


EXAMPLE

Scenario 1:

■ User1 belongs to Team1 and ProfileA is assigned to Team1.

■ Two levels of member access profiles are defined for ProfileA.

The member access profiles for the ProfileA are described in the following table:

Member access profile Access Dimension Member

ProfileA Read & Write Entity Sales

ProfileA Read Only Entity SalesAsia

In this case, the Read & Write access of the Sales member flows down to its children. This flow is interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia’s access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not to SalesKorea.

EXAMPLE

Scenario 2:

■ User1 belongs to Team1 and ProfileA is assigned to Team1.

■ ProfileA has two levels of member access profiles.

The member access profiles for the ProfileA are described in the following table:

Member access profile Access Dimension Member

ProfileA Read Only Entity Sales

ProfileA Read & Write Entity SalesAsia

In this case, the Read Only access of the Sales member flows down to its children. This flow is interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsia’s access flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not to SalesItaly.
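The general rules for member access security and the five scenarios above (three conflicts between profiles, two conflicts between parent and child) all follow from two mechanisms: within one profile, the entry on the nearest ancestor-or-self member wins, so access flows down until a more specific entry overrides it; across the profiles that apply to a user, the least restrictive result wins, and a member no profile covers has no access at all. The following Python model is an added example, not code from the guide or the product. It uses hierarchy H1 and the profile entries exactly as the scenarios state them; the ordering Denied < Read Only < Read & Write used to pick the least restrictive grant is an assumption of the model, as is restricting it to a single hierarchy.

```python
"""Member access profile resolution on the Entity dimension (added example,
not SAP code). Models the guide's rules for hierarchy H1 only:
  - within a profile, access flows down from parent to child until a more
    specific entry on a descendant overrides it;
  - across all profiles that apply to a user (directly or via teams), the
    least restrictive access wins;
  - a member that no profile covers gets no access.
"""
from typing import Dict, List, Optional, Tuple

# Hierarchy H1 from the guide, stored as child -> parent.
H1_PARENT: Dict[str, Optional[str]] = {
    "WorldWide1": None,
    "Sales": "WorldWide1",
    "SalesAsia": "Sales",
    "SalesKorea": "SalesAsia",
    "SalesJapan": "SalesAsia",
    "ESalesAsia": "SalesAsia",
    "SalesEurope": "Sales",
    "SalesItaly": "SalesEurope",
    "SalesFrance": "SalesEurope",
    "ESalesEurope": "SalesEurope",
}

# Restrictiveness order (assumption of this model): higher = less restrictive.
RANK: Dict[str, int] = {"Denied": 0, "Read Only": 1, "Read & Write": 2}

# A profile is a list of (member, access) entries on the Entity dimension.
Profile = List[Tuple[str, str]]

# The scenarios from the guide. Each value is the list of profiles that
# apply to User1, whether assigned through Team1/Team2 or directly.
PROFILE_SCENARIOS: Dict[str, List[Profile]] = {
    "profiles-1": [[("Sales", "Read & Write")], [("SalesAsia", "Read Only")]],
    "profiles-2": [[("Sales", "Read Only")], [("SalesAsia", "Read & Write")]],
    "profiles-3": [[("SalesAsia", "Denied")], [("Sales", "Read Only")]],
    "parent-child-1": [[("Sales", "Read & Write"), ("SalesAsia", "Read Only")]],
    "parent-child-2": [[("Sales", "Read Only"), ("SalesAsia", "Read & Write")]],
}


def profile_access(profile: Profile, member: str) -> Optional[str]:
    """Access one profile gives to `member`.

    Walk up from the member; the first explicit entry found (on the member
    itself or its nearest ancestor) wins. None means the profile is silent.
    """
    entries = dict(profile)
    node: Optional[str] = member
    while node is not None:
        if node in entries:
            return entries[node]
        node = H1_PARENT[node]
    return None


def effective_access(profiles: List[Profile], member: str) -> Optional[str]:
    """Least restrictive access across every profile that applies."""
    grants: List[str] = []
    for profile in profiles:
        access = profile_access(profile, member)
        if access is not None:
            grants.append(access)
    if not grants:
        return None  # no profile covers the member: no access by default
    return max(grants, key=lambda a: RANK[a])


def can_send(profiles: List[Profile], member: str) -> bool:
    """Sending data requires Read & Write."""
    return effective_access(profiles, member) == "Read & Write"


def can_retrieve(profiles: List[Profile], member: str) -> bool:
    """Retrieving data requires at least Read Only."""
    return effective_access(profiles, member) in ("Read Only", "Read & Write")


if __name__ == "__main__":
    for name, profiles in PROFILE_SCENARIOS.items():
        for member in ("SalesKorea", "SalesItaly"):
            print(f"{name:15} {member:10} access={effective_access(profiles, member)!s:13}"
                  f" send={can_send(profiles, member)} retrieve={can_retrieve(profiles, member)}")
```

Each printed row reproduces the outcome the guide states for that scenario (for instance, profiles-3 yields Read Only on both SalesKorea and SalesItaly because the Denied entry loses to the less restrictive Read Only). The same `profile_access` walk is what you would run before granting a parent member: it tells you which descendants will inherit the grant unless a more specific entry stops it.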

Conflict When the Same Member Belongs to Different Hierarchies

When a member belongs to different hierarchies, and there is a conflict in member access, the most restrictive access is applied.

EXAMPLE

Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described in the following table:

Member access profile Access Dimension Member

ProfileA Read Only Entity WorldWide1

ProfileB Read & Write Entity WorldWide2

In this case, ProfileB determines User1’s access. As a result, User1 is able to send data to SalesKorea, even if ProfileA denies User1 Write access to SalesKorea (in the WorldWide1 hierarchy).


7 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for Planning and Consolidation is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Planning and Consolidation. Details that specifically apply to Planning and Consolidation are described in the following topics:

■ Communication Channel Security

This topic describes the communication paths and protocols used by the application.

■ Network Security

This topic describes the recommended network topology for the application. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection.

For more information, see the following sections in the SAP NetWeaver Security Guide:

■ Network and Communication Security

■ Security Guides for Connectivity and Interoperability Technologies

7.1 Communication Channel Security

The table below shows the communication paths used by the application, the protocol used for the connection, and the type of data transferred.


Communication Paths

Communication Path: Client and .NET web/app server
Protocol Used: HTTP/HTTPS
Type of Data Transferred: Client requests and server responses
Data Requiring Special Protection: Passwords; proprietary business financial and performance metrics

Communication Path: .NET web/app server and NetWeaver server
Protocol Used: RFC (through the SAP RFC Connector)
Type of Data Transferred: Client requests and server responses
Data Requiring Special Protection: Passwords; proprietary business financial and performance metrics

Communication Path: .NET web/app server and Windows Active Directory
Protocol Used: TCP/IP
Type of Data Transferred: Windows native behavior
Data Requiring Special Protection: Proprietary business financial and performance metrics

Communication Path: NetWeaver application server and NetWeaver databases
Details are covered in the SAP NetWeaver Security Guide.

Communication Path: Client and Windows Active Directory (Optional)
Protocol Used: TCP/IP
Type of Data Transferred: Windows native behavior
Data Requiring Special Protection: Proprietary business financial and performance metrics

NOTE

Communication with the Windows Active Directory is done by the native Windows operating system.

We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic authentication to access the .NET web/application server.

The RFC destination is used for after-import transactions for transports on the ABAP side, and must be configured exclusively for the Planning and Consolidation application. For more information on creating the RFC destination, see the Configuring the ABAP Component section of the Installation Guide.

For information about application ports, see the Server Options section in the Operations Guide or the Installation Guide.

7.2 Network Security

You can implement the following components of the application in different network segments:

■ Client

■ .NET Web/application server

■ NetWeaver application server


We recommend any of the following three environments, based on your technical requirements:

■ All components in one network zone (LAN)

■ Client in Internet zone, while all server side components (.NET application server and NetWeaver tier) are in one zone (LAN)

■ Client in Internet zone, .NET application server in DMZ, and the NetWeaver tier in a different zone

NOTE

The NetWeaver tier includes a database server and an optional BIA. Placing the NetWeaver application server in one network zone and the NetWeaver database and BIA in a different network zone is therefore supported.


8 Data Storage Security

In Planning and Consolidation, user data is stored in Active Directory, and authorization data is stored in the SAP NetWeaver database.

Business data is loaded by end users and administrators and stored in the SAP database.

Some configuration data is loaded upon system installation; the configuration file is located on the .NET server tier in \PC\Websrvr\web\ServerConfiguration.config. The system is pre-configured to provide a substantial level of data protection, but you should also make sure that no one has access to the service accounts defined during the installation.

The system uses a client-side file system to store metadata and template data temporarily because read, write, delete, change, and query access for existing data may be required. This data is stored in the local file system of the client within the \MyDocuments\OutlookSoft directory. We recommend that only end users and administrators have access to this directory.

Since Interface for the Web uses a browser as its interface, it uses cookies to store front-end metadata and configuration information during individual user sessions. This data requires no special protection, and no special measures to protect the cookies are necessary.


9 Dispensable Functions that Affect Security

Planning and Consolidation uses the following system resources:

■ Client tier — File system, system components, operating system

■ .NET server tier — System components, operating system

■ ABAP server — System components, operating system

There are no administration tools or installation tools that can be deleted after installation.

Server Installation

For the server installation, all functional modules are necessary and are used at runtime.

An installation contains a default application set named ApShell. This is the only component you can remove after you complete your own application set development.

Client Installation

A Planning and Consolidation installation includes a Microsoft Office client and an Administration client for different kinds of end users. Users can install one or both.


10 Trace and Log Files

Every day the system creates two log files: one that contains information about server operations, and one that contains information about client operations. The format of log file names is log<date>.txt.

The log files for the .NET application and web server are stored in <c:>\PC_NW\Logging on the server machine. The log files for the client are stored in <c:>\Documents and Settings\<username>\My Documents\Planning and Consolidation\Logging on the client machine.

Trace files are located in <c:>\PC_NW\Logging\trace. They are named BPCTRACEx.LOG, where x is a number between 0 and 9, such as BPCTRACE.5.LOG.
