Security Guide (CUSTOMER)
SAP Hybris Marketing On Premise
Document Version: 1.0 – 2017-02-17
Security Guide 1702
Content

1 Introduction (p. 4)
2 Before You Start (p. 7)
3 Security Aspects of Data, Data Flow, and Processes (p. 9)
4 User Administration and Authentication (p. 13)
4.1 User Management (p. 13)
4.2 Integration into Single Sign-On Environments (p. 16)
5 Authorizations (p. 18)
6 Session Security Protection (p. 49)
7 Network and Communication Security (p. 50)
7.1 Communication Channel Security (p. 50)
7.2 Network Security (p. 52)
7.3 Communication Destinations (p. 53)
8 Internet Communication Framework Security (p. 59)
9 Virus Scan Profile (ABAP) (p. 60)
10 Data Storage Security (p. 61)
11 Security-Relevant Logging and Tracing (p. 62)
12 Services for Security Lifecycle Management (p. 63)
Document History
Before you start, make sure you have the latest version of this document. You can find the latest version at the following location:
http://service.sap.com/mkt
The following table provides an overview of the most important document changes. If the information you are looking for is not described in this guide, or if you find something described incorrectly, please send an email to [email protected] and we will update this guide.

Table 1: Document History

Version | Date | Description
1.0 | 2016-11-21 | Initial version for SAP Hybris Marketing 1611 (1.2 SP04)
1 Introduction
Note: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants
● Security consultants
● System administrators
This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.
Feedback
We would really like to know what you think of the quality, structure, or content of this guide. Please send your feedback to us at [email protected].
Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security demands apply to SAP Hybris Marketing, based on SAP NetWeaver 7.5. To assist you in securing SAP Hybris Marketing, we provide this security guide.
About This Document
The security guide provides an overview of the security-relevant information that applies to SAP Hybris Marketing. For more information about security, see also the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide (English) > SAP NetWeaver Security Guide.
Overview of the Main Sections
The security guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by SAP Hybris Marketing.
● Security Aspects of Data, Data Flow, and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes within SAP Hybris Marketing.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management
○ User types that are required by SAP Hybris Marketing
○ Standard users that are delivered with SAP Hybris Marketing
○ Overview of the user synchronization strategy, if several components or products are involved
○ Overview of how integration into Single Sign-On environments is possible
● Authorizations
This section provides an overview of the authorization concept that applies to SAP Hybris Marketing.
● Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication Security
This section provides an overview of the communication paths used by SAP Hybris Marketing and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by SAP Hybris Marketing.
● Application-Specific Virus Scan Profile (ABAP)
This section provides information about an interface for virus scanners to prevent manipulated or malicious files from damaging the system.
● Data Storage Security
This section provides an overview of any critical data that is used by SAP Hybris Marketing and the security mechanisms that apply.
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach occurs.
● Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.
Note: For more information about the Technical System Landscape, see the Master Guide for SAP Hybris Marketing on SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information.
2 Before You Start
Fundamental Security Guides
The architecture of SAP Hybris Marketing is based on web-based front ends (Web Dynpro ABAP and SAPUI5-based applications on SAP Gateway technology) on top of SAP NetWeaver 7.5 Application Server ABAP. The underlying database is SAP HANA. Many security-relevant components of SAP Hybris Marketing are built using SAP NetWeaver 7.5 Application Server ABAP (including SAP Gateway and SAP NetWeaver UI Extension) and SAP HANA 1.0. For more information about releases, see the SAP Hybris Marketing installation guide at http://help.sap.com/mkt > Installation and Upgrade Information.
Therefore, the corresponding security guides also apply to SAP Hybris Marketing. Pay particular attention to the most relevant sections or specific restrictions as indicated in the following table:
Table 2: Fundamental security guides (scenario, application, or component, and the most relevant sections or specific restrictions in its security guide)

● SAP NetWeaver 7.5 Application Server ABAP: User Management, Authorization, and Authentication; Secure Session Management
● SAP HANA Database 1.0: Data Storage Security
● SAP HANA 1.0 Trigger-Based Data Replication: Data replication from the source system to SAP Hybris Marketing
● SAP Gateway Foundation 7.50: Network and Communication Security
● SAP Fiori Security Information: Communication, User Management and Authentication, Session Protection
● SAP HANA Rules Framework (Security Guide of the SAP HANA Rules Framework): User Management, Roles and Authorizations, Communication Destinations

For a complete list of the available SAP security guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
Important SAP Notes
For the most important notes for the underlying technology, refer to the security guides of SAP NetWeaver, SAP HANA Database, and SAP Gateway. For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Support Portal at http://support.sap.com/securitynotes .
Configuration
You can find a summary of the configuration steps for implementing security for SAP Hybris Marketing in the Solution Manager Content for SAP Hybris Marketing.
Additional Information
For more information about specific topics, see the Quick Links as shown in the following table:
Table 3: Quick links on SAP Service Marketplace, SAP Support Portal, or SDN

Content | Quick Link
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | https://service.sap.com/sap/support/notes/ and http://support.sap.com/securitynotes
Released platforms | http://support.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://support.sap.com/solutionmanager
SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver
3 Security Aspects of Data, Data Flow, and Processes
SAP Hybris Marketing includes the marketing platform SAP Hybris Marketing Data Management, which provides a single view on your customer data (accounts, contacts, interactions, target groups). Based on this platform, you can use additional marketing applications that are available individually on the price list. The additional applications are the following:
● SAP Hybris Marketing Segmentation enables marketing, sales, and service professionals to rapidly and easily segment large customer populations with the support of insightful charts.
● SAP Hybris Marketing Acquisition allows you to create email or text-message marketing campaigns based on predefined content templates, release them, and send them to a preselected list of contacts. Campaign-based lead creation in SAP Hybris Cloud for Customer triggers the lead management process from SAP Hybris Marketing. The calendar gives you an overview of your current campaign success over time.
● SAP Hybris Marketing Recommendation enables data scientists to create and manage recommendation models that provide consumers with relevant product recommendations in real time, simultaneously across multiple sales channels. You can create models to leverage algorithms and SAP HANA to query and retrieve product recommendations from SAP ERP, SAP CRM, or business event data sources.
● SAP Hybris Marketing Insight supports on-the-fly insights into all customer data for sales and marketing. With this solution, several million orders, invoices, and financial records can be analyzed in real time. In addition, it enables marketing executives to review the success of marketing investments. The dashboard comprises the most important Key Performance Indicators (KPIs) for marketing effectiveness.
● SAP Hybris Marketing Planning supports marketing managers in planning budgets, programs, and spends as well as marketing experts in planning campaigns and spends in a simple and intuitive way. In the calendar, marketing managers and marketing experts can have a complete overview of ongoing and planned marketing activities.
The main process in SAP Hybris Marketing is to retrieve account information (master data or transactional data), for example from an SAP ERP system (sales and distribution system), and to store this information in the SAP HANA database. Once the data is available, it is ready for analysis and segmentation. New target groups and ad-hoc segments can be created and sent to an SAP CRM system. SAP Hybris Marketing also supports the processing and analysis of information from various social media platforms, and allows follow-up actions, such as campaign creation, as well within SAP CRM.
The following table shows the security aspects to be considered for the various process steps and what security mechanism applies.
Table 4: Security aspects per business group (description of the process step, followed by the security measure)

Contacts and Profiles
● Retrieve account statistics and master data from an SAP ERP system (sales and distribution system): In SAP SLT data replication, the SLT server can be a separate SAP system that is connected to SAP ERP by RFC. We recommend using channel encryption via Secure Network Communications (SNC) wherever possible.
● Account/relationship analysis: Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18].
● Data maintenance and clean-up: Once accounts are deleted or archived in the SAP ERP system, the data is deleted in the SAP Hybris Marketing system automatically using SLT. Related target groups and campaigns can be deleted by the administrators of SAP Hybris Marketing.
● Profile dashboard: Analyze contacts for creating marketing campaigns or target groups. Make sure that the authorization policy is enforced for working with contacts and target groups. For more information, see Authorizations [page 18].
● Sentiment engagement: Analyze, filter, process, and group data that has been harvested from external channels. Note: The setup of external channels is not part of the standard shipment. Make sure that the authorization policy is enforced for working with contacts and target groups. For more information, see Authorizations [page 18].
● Track and record events in interactions and interaction contacts: Make sure that the authorization policy is enforced for working with campaign content in SAP HANA and ABAP, especially with regard to the required technical users in SAP HANA and ABAP. For more information, see Authorizations [page 18].

Segmentation
● Define segmentation: Make sure that the authorization policy is enforced for working with segmentation models. For more information, see Authorizations [page 18].

Acquisition
● Create campaigns: Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18].
● Create campaigns in SAP CRM: Make sure that the authorization policy is enforced for campaign creation and management in SAP CRM. For more information, see Authorizations [page 18].
● Create campaign content with a personalized content template: Make sure that the authorization policy is enforced for working with Campaign Content in SAP HANA and ABAP, especially with regard to the required technical users in SAP HANA and ABAP. For more information, see Authorizations [page 18].

Insight
● Analyze customer data: Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18].

Planning
● Perform budget planning and spend planning: Make sure that the authorization policy is enforced for creating plans in budget planning, for planning spend on campaigns, for managing proposed spends, and for assigning campaigns to programs. For more information, see Authorizations [page 18].

Recommendation
● Create and manage recommendation models: Make sure that the authorization policy is enforced for working with recommendation models. For more information, see Authorizations [page 18].

Lead Management
● Classify contacts by stages, create SAP Hybris Cloud for Customer leads and activities (such as phone calls, appointments, and tasks) from a campaign, and analyze the lead management process: Make sure that the authorization policy is enforced for lead stages, campaign creation, lead transfer, and the lead dashboard. For more information, see Authorizations [page 18] and the SAP Hybris Marketing installation guide on SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information > Installation Guide > Installation of SAP Smart Business, executive edition.
● Define lead scores via Score Builder: Make sure that the authorization policy is enforced for the SAP HANA Rules Framework (HRF). For more information, see User Management [page 13].
4 User Administration and Authentication
SAP Hybris Marketing uses the user management and authentication mechanisms provided with the SAP NetWeaver Platform, in particular the SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Hybris Marketing.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to the following topics:

● User Management [page 13]
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP Hybris Marketing.
● Integration into Single Sign-On Environments [page 16]
This topic describes how SAP Hybris Marketing supports Single Sign-On mechanisms.

For more information about user management and authentication, see the related topic in SAP Library at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > User Administration and Authentication.
4.1 User Management
User management for SAP Hybris Marketing uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP Hybris Marketing, see the following sections. In addition, we provide a list of the standard users required for operating SAP Hybris Marketing.
User Administration Tools
The following table shows the tools to use for user management and user administration with SAP Hybris Marketing.
Table 5: User administration tools

● User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG): User and Role Administration of Application Server ABAP. For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Security > Identity Management > User and Role Administration of Application Server ABAP.
● User and role maintenance with SAP HANA Extended Application Services (XS): For more information, see SAP Note 2006478 and the SAP HANA Security Guide on the SAP Help Portal at http://help.sap.com/nw > SAP HANA Platform > SAP HANA Platform (Core) > Security.
User Types
It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their password on a regular basis, but not those users with background processing jobs.
The user types that are required for SAP Hybris Marketing include the following:

● Individual users
Business users are SAP Hybris Marketing users who run the customer analysis, create target groups, and so on. For more information, see Authorizations [page 18].
● Technical users in SAP NetWeaver ABAP and in SAP HANA
○ RFC users that are used to communicate with an SAP ERP system (sales and distribution system) or an SAP CRM system
○ Background users that are used for processes, such as data loading and data extraction, which are typically scheduled in the background
○ A technical user in SAP NetWeaver ABAP or in SAP HANA that is used during technical configuration

For more information about these user types, see the related topic on the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for the Application Server > Security Guides for the AS ABAP.
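The per-user-type policy above (interactive users rotate passwords, background and RFC users do not, and technical users should not be dialog users at all) is easy to state and easy to drift from. The following script is an added example, not part of the SAP guide or the product: it reviews a constructed user export for two deviations, a technical user that was created as a Dialog user, and a Dialog user whose password is older than the rotation limit. The column names (BNAME, USTYP, PWDCHGDATE), the USTYP codes (A = Dialog, B = System, S = Service), the naming prefixes used to recognize technical users, and the 90-day limit are assumptions for the example; adapt them to your own export and policy.

```python
"""Review a user export against the per-user-type password policy.

Added example, not SAP code. Works on a constructed export shaped like the
relevant USR02 columns; column names, USTYP codes, naming prefixes and the
rotation interval are assumptions for illustration.
"""
from datetime import date

# Constructed sample export (not real data). USTYP: A = Dialog, B = System,
# S = Service (assumed codes).
SAMPLE_USERS = [
    {"BNAME": "MKT_EXPERT1",   "USTYP": "A", "PWDCHGDATE": "2017-01-10"},
    {"BNAME": "MKT_EXPERT2",   "USTYP": "A", "PWDCHGDATE": "2016-06-01"},
    {"BNAME": "RFC_ERP_SLT",   "USTYP": "B", "PWDCHGDATE": "2016-03-01"},
    {"BNAME": "RFC_CRM",       "USTYP": "A", "PWDCHGDATE": "2016-12-01"},  # RFC user created as Dialog
    {"BNAME": "XS_ODATA_CALL", "USTYP": "S", "PWDCHGDATE": "2016-11-21"},
]

TECHNICAL_PREFIXES = ("RFC_", "XS_", "BG_")   # assumed naming convention for technical users
MAX_PASSWORD_AGE_DAYS = 90                     # assumed rotation policy for dialog users


def review_users(users, today="2017-02-17", max_age=MAX_PASSWORD_AGE_DAYS,
                 prefixes=TECHNICAL_PREFIXES):
    """Return a list of (user ID, finding) tuples.

    Two checks are applied:
    1. A user whose name marks it as technical must not be a Dialog user (USTYP A),
       because dialog users can log on interactively and fall under the
       interactive password policy that background processing should not use.
    2. A Dialog user must have changed the password within max_age days.
    Technical (non-dialog) users are exempt from the age check, matching the
    policy split described in the guide.
    """
    ref = date.fromisoformat(today)
    findings = []
    for u in users:
        name, utype = u["BNAME"], u["USTYP"]
        age_days = (ref - date.fromisoformat(u["PWDCHGDATE"])).days
        if name.startswith(prefixes) and utype == "A":
            findings.append((name, "technical user has Dialog type; use System or Service type"))
        if utype == "A" and age_days > max_age:
            findings.append((name, f"dialog password is {age_days} days old (limit {max_age})"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_users(SAMPLE_USERS):
        print(f"{user_id}: {finding}")
```

Against the constructed export the script reports MKT_EXPERT2 (stale dialog password) and RFC_CRM (RFC user created as Dialog); RFC_ERP_SLT is a System user and therefore correctly exempt from the age check.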
Standard Users
The following tables show the standard users that are necessary for operating SAP Hybris Marketing, both in the ABAP layer and in the SAP HANA layer.

Table 6: Standard users in the ABAP layer

System | User ID | Type | Password | Description
SAP System ID | variable | Dialog | Mandatory, following the password policies of SAP NetWeaver Application Server ABAP | -
SAP System ID | variable | Technical | Mandatory, following the password policies of SAP NetWeaver Application Server ABAP | -
SAP System ID | variable | Service | Mandatory, following the password policies of SAP NetWeaver Application Server ABAP | Technical user required for calling ABAP OData requests from within SAP HANA Extended Application Services (XS) (relevant for Campaign Content)

SAP InfiniteInsight: The integration with SAP InfiniteInsight requires a database user that is used in an SAP HANA ODBC connection to the SAP HANA database.

Table 7: Standard users in the SAP HANA layer

System | User ID | Password | Description
SAP (SID) | SAP (SID) | Mandatory, following the password policies of SAP HANA | General technical user for accessing SAP HANA from ABAP via ADBC and Open SQL. This user needs additional privileges to access the schema SAP_AMP.

Note: For communication with external mail services, a (technical) user is required in the HTTP destination. For more information, see Communication Destinations [page 53].

These are only the SAP Hybris Marketing standard users. None of these users are predefined and shipped; they are created during the SAP Hybris Marketing system setup.
Setup of SAP HANA Rules Framework
The technical configuration task list CUAN_SETUP_HRF can be used for setting up the SAP HANA Rules Framework (HRF) for SAP Hybris Marketing. A (technical) SAP HANA user is required for this step. This user needs specific authorizations. For more information about the authorizations, see the installation guide for SAP Hybris Marketing on the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information, under Optional Configuration Settings.

For more information, and a list of additional standard users necessary to operate a system based on SAP NetWeaver, see SAP Help Portal at http://help.sap.com/nw:

● SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide
● SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guide for SAP BW

Recommendation: We recommend changing the user IDs and passwords of users that are automatically created during the installation process.
4.2 Integration into Single Sign-On Environments
The most widely-used supported mechanisms are as follows:

● Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
● SAP logon tickets
SAP Hybris Marketing supports the use of logon tickets for SSO when using a Web browser as front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
● Client certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL/TLS) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system. All certificates are handled in SAP NetWeaver in the ABAP layer.
● Security Assertion Markup Language (SAML) 2.0
SAML 2.0 provides a standards-based mechanism for SSO. The primary reason to use SAML 2.0 is to enable SSO across domains.
SAP Hybris Marketing supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver and by SAP HANA Extended Application Services (XS). Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide and in the SAP HANA Security Guide also apply to SAP Hybris Marketing.

For more information, see http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide. In the table, choose Functional Unit and Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide.

For more information about the available authentication mechanisms, see http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide. In the table, choose Functional Unit and Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > User Administration and Authentication > User Authentication.
5 Authorizations
SAP Hybris Marketing uses the authorization concept provided by the SAP NetWeaver Application Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Hybris Marketing.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the Application Server ABAP.
Note: For more information about how to create roles, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Security > Identity Management > User and Role Administration of Application Server ABAP > Configuration of User and Role Administration > Role Administration.
Role and Authorization Concept for SAP Hybris Marketing
Business users of SAP Hybris Marketing can run all subcomponents, such as Data Management, Insight, Segmentation, Campaigns, Planning, Recommendation, and Business Administration.
For more information about authorizations and the main tasks in SAP Hybris Marketing, see SAP Help Portal at http://help.sap.com/mkt > Application Help > SAP Hybris Marketing > User Management.
The following types of user can be outlined in SAP Hybris Marketing:

● Marketing Expert
○ General user for a marketing expert to access Data Management, Insight, Segmentation, Campaigns, Planning, Lead Management, and Recommendation. These activities are bundled in the composite role SAP_MARKETING_EXPERT.
○ Special user for a marketing expert to access Segmentation. These activities are bundled in the composite role SAP_MARKETING_SEGMENTATION.
○ Special user for a marketing expert to access Campaigns. These activities are bundled in the composite role SAP_MARKETING_CAMPAIGNS.
○ Special user for a marketing expert to access Recommendation. These activities are bundled in the composite role SAP_MARKETING_RECOMMEND_EXPERT.
○ Special user for a marketing expert to access Insight. These activities are bundled in the composite role SAP_MARKETING_INSIGHT.
○ Special user for a marketing expert to access Data Management. These activities are bundled in the composite role SAP_MARKETING_DATA_MANAGEMENT.
○ Special user for a marketing expert to access Spend Quick Entry, Detailed Spend Planning, and Programs. These activities are bundled in the composite role SAP_MARKETING_SPEND_MGMT_PROG.
● Marketing Manager
○ Special user for a marketing manager to access all marketing-related tasks. These activities are bundled in the composite role SAP_MARKETING_MANAGER.
○ Special user for a marketing manager to access Planning. These activities are bundled in the composite role SAP_MARKETING_PLANNING.
● Marketing Executive
Special user for a marketing executive to access the Executive Dashboard. These activities are bundled in the composite role SAP_MARKETING_EXECUT_DASHBOARD.
● Business Analyst
Special user for a business analyst to access apps for analytic purposes. These activities are bundled in the composite role SAP_MARKETING_RECOMMENDATION.
● Sales Representative
Special user for a sales representative to access SAP Hybris Marketing role-specific areas. These activities are bundled in the composite role SAP_SALES_REP_MKT_INFO.
● Business Administrative User
Special key user for key activities and administrative tasks, such as the import of external data, access to user lists, sender profiles, export definitions for target groups and campaigns, and the management of integration errors of the SAP Hybris Cloud for Customer integration of SAP Hybris Marketing. These activities are bundled in the composite role SAP_MARKETING_BUS_ADMIN_USER.
● Technical User
Special technical user to access the technical configuration of SAP Hybris Marketing. These activities are bundled in the composite role SAP_MARKETING_TECHNICAL_CONF.

These sets of activities in SAP Hybris Marketing are bundled in one single application, the home screen of SAP Hybris Marketing. The end users of this application are able to leverage all capabilities of SAP Hybris Marketing. Access is restricted on an organizational level, so that certain users of SAP Hybris Marketing are only authorized to analyze accounts of a certain country, company code, sales group, and so on. For a detailed description of the organizational levels, see the Standard Authorization Objects section in this topic.

Marketing Area

The marketing area identifies an organizational unit. It defines which instances of a business object type you are allowed to display or change. It is used in, or affects, the following objects and applications of SAP Hybris Marketing:

● Budget planning
● Campaign
● Campaign content
● Content template
● Marketing calendar
● Marketing Spend
● Offers
● Predictive model
● Program
● Sender profile
● Target group
● Marketing Location
Security Guide 1702Authorizations C U S T O M E R 19
Target group, campaign, campaign content, content template, predictive model, and program are enhanced by an authorized user, which is the container for the relation between an object instance and a single user.
The authorization object HPA_MKT_AR is part of the PFCG roles containing the start authorizations.
Note
Budget Planning uses areas of responsibility for instance authorizations. For more information, see SAP Help Portal at http://help.sap.com/mkt, under SAP Hybris Marketing > Worksets and Applications > Planning > Authorization Examples for Budget Planning and Marketing Spend Management.
Instance Authorization by Team Membership
In addition to the instance authorization by PFCG role, you can flexibly grant instance authorization by team membership, for example, using the Team facet of a campaign (instance of the campaign business object). When you add a user to the team of a campaign, the system nevertheless checks the user authorization based on the PFCG role. If the user is not authorized by the role, but only by the team membership, the user is indicated as External (in the list of team members).
Standard Roles
Composite Roles
In SAP Hybris Marketing, the following composite roles are provided. You can display the list of assigned single roles for each of these composite roles in the backend system in transaction PFCG.
Enter the name of the composite role, for example SAP_MARKETING_EXPERT, click on Display, and then select the tab Roles. With a double click on the single role, you can view a role description.
Table 8:
Name | Composite Role | Description
Access for Marketing Experts | SAP_MARKETING_EXPERT | To access role-specific applications in SAP Hybris Marketing; to access all data as defined by the authorization objects in the standard delivery
Access to Segmentation for the Marketing Expert | SAP_MARKETING_SEGMENTATION | To access Segmentation within SAP Hybris Marketing; to access all data as defined by the authorization objects in the standard delivery
Access to Campaigns for the Marketing Expert | SAP_MARKETING_CAMPAIGNS | To access Campaigns within SAP Hybris Marketing; to access all data as defined by the authorization objects in the standard delivery
Access to Extended Application Components | SAP_MARKETING_EAC | To access Extended Applications like Loyalty Management, Profile Graph and Customer Journey Manager. Customers have to subscribe to Hybris Profile on the YaaS Marketplace to use these.
Access to Planning for the Marketing Manager | SAP_MARKETING_PLANNING | To access Planning within SAP Hybris Marketing; to access all data as defined by the authorization objects in the standard delivery
Access for the Marketing Manager | SAP_MARKETING_MANAGER | To access marketing-related tasks for managers.
Access to Recommendations for the Marketing Expert | SAP_MARKETING_RECOMMEND_EXPERT | To access Recommendation within SAP Hybris Marketing; to access all data as defined by the authorization objects in the standard delivery
Access to Recommendations for the Business Analyst | SAP_MARKETING_RECOMMENDATION | To access Recommendation within SAP Hybris Marketing; to access all recommendation-relevant tasks for business analysts
Access to Contacts and Profiles for the Marketing Expert | SAP_MARKETING_DATA_MANAGEMENT | To access Contacts and Profiles within SAP Hybris Marketing; to access all the data, as defined by the authorization objects in the standard delivery
Access to Insight for the Marketing Expert | SAP_MARKETING_INSIGHT | To access Insight within SAP Hybris Marketing; to access all the data, as defined by the authorization objects in the standard delivery
Access for the Marketing Executive | SAP_MARKETING_EXECUT_DASHBOARD | To access the Marketing Executive Dashboard within SAP Hybris Marketing
Access for the Business Administrative User | SAP_MARKETING_BUS_ADMIN_USER | To access all applications for key user and administrative activities in SAP Hybris Marketing
Access to Spend Management and Programs for the Marketing Expert | SAP_MARKETING_SPEND_MGMT_PROG | To access marketing-related tasks in spend planning; to access all the data, as defined by the authorization objects in the standard delivery
Technical Configuration of SAP Hybris Marketing | SAP_MARKETING_TECHNICAL_CONF | Contains all roles required to run the technical configuration of SAP Hybris Marketing
Access to Business User Administration for System Administrators | SAP_MARKETING_USER_ADMIN | To create and change SAP Hybris Marketing business users for ABAP and SAP HANA.
Access to Sales Representative | SAP_SALES_REP_MKT_INFO | To access SAP Hybris Marketing role-specific areas by sales experts.
Note
Each single role in composite role Access for Marketing Experts (SAP_MARKETING_EXPERT) contains information about business groups, applications, and detail screens with their facets.
S/4 HANA Composite Roles
The following role is to be used as an alternative to the SAP_MARKETING_EXPERT composite role.
Note
Access to Insight and Customer Value Intelligence for the marketing expert are not available, therefore the SAP_MARKETING_INSIGHT composite role cannot be used.
All other roles can be used.
Table 9:
Name Composite Role Description Assigned Single Roles
Access for the Marketing Expert
SAP_MARKETING_IN_S4H_EXPERT
To access SAP Hybris Marketing.
SAP_CEI_ADT
SAP_CEI_ACD_FLP
SAP_CEI_BEHAVIOUR_INSIGHT
SAP_CEI_BI_AUTH
SAP_CEI_CJI
SAP_CEI_CONTENT_LIBRARY
SAP_CEI_CONTENT_PAGES
SAP_CEI_CONTENT_PAGE_RSLT
SAP_CEI_CPM_FLP
SAP_CEI_GEN_FLP
SAP_CEI_HOME
SAP_CEI_ISG_FLP
SAP_CEI_KPI_TILES
SAP_CEI_LDB_FLP
SAP_CEI_LEAD_DASHBOARD
SAP_CEI_LEAD_STAGES
SAP_CEI_LEA_FLP
SAP_CEI_MEM
SAP_CEI_MICRO_LIST
SAP_CEI_MKT_CAL_APP
SAP_CEI_MKT_CAL_PLANNING
SAP_CEI_MSM_QE_APP
SAP_CEI_MSM_SM_APP
SAP_CEI_OFFER_APP
SAP_CEI_PBA
SAP_CEI_PROFILES
SAP_CEI_PROGRAM
SAP_CEI_RECO_MKT
SAP_CEI_RECO_MKT_OFFER
SAP_CEI_RECO_SCE
SAP_CEI_ROF_FLP
SAP_CEI_SCI
SAP_CEI_SCI_FLP
SAP_CEI_SIMPLE_SCORES
SAP_CEI_SMP_FLP
SAP_CEI_TG_INI
SAP_CEI_TG_INI_FLP
Single Roles
The following table shows which single roles are available and what their function is:
Table 10:
Name Single Role Description
Business User Roles
Analysis of Accounts and Campaigns
SAP_CEI_ACC_CPG_INSIGHT To control the authorization for the application Marketing Insight for Sales of SAP Hybris Marketing in the SAP Fiori launchpad to analyze accounts and campaigns based on specific attributes in SAP Hybris Marketing.
Segmentation SAP_CEI_ADT To control the authorization for the applications Segmentation, Segmentation Models, and Segmentation Building Blocks within the business group Segmentation.
Marketing Planning SAP_CEI_AMP To control the authorization for the application Budget Plans.
Application Log SAP_CEI_APPL_LOG To control the authorization for the application Application Logs provided by the products of SAP Hybris Marketing in the SAP Fiori launchpad.
Audiences SAP_CEI_AUDIENCES To control the authorization for the application Audiences for the Marketing Effectiveness Data Foundation.
Product Recommendations SAP_CEI_B2C_RECO To control the authorization for the applications Recommendation Models, and Recommendation Types within the business group Recommendations.
Behaviour Insight SAP_CEI_BEHAVIOUR_INSIGHT To control the authorization for the application Behaviour Insight of SAP Hybris Marketing in the SAP Fiori launchpad to analyze customer's behaviour based on specific attributes.
Access to SAP NetWeaver Business Intelligence
SAP_CEI_BI_AUTH To control the authorization for access to SAP HANA, using BEx queries
To access the infrastructure of SAP Business Warehouse within SAP Hybris Marketing
For more information on authorizations, see SAP Help Portal at http://help.sap.com/nw, under SAP NetWeaver Business Warehouse > SAP NetWeaver 7.5 > Application Help > Function-Oriented View (choose your language) > Business Warehouse > Data Warehousing > Data Warehouse Management > Authorizations.
Campaigns SAP_CEI_CAMPAIGNS This role allows marketing experts to access the Fiori app for Campaigns with the flow-based UI in SAP Hybris Marketing.
To use the classic Campaigns app, use the role SAP_CEI_TG_INI.
C4C Sales Integration SAP_CEI_CFS This role allows sales representatives to access Contacts and Corporate Accounts in SAP Hybris Marketing.
Customer Journey Insight SAP_CEI_CJI To control the authorization for the application Customer Journey Insight.
Customer Journey Events SAP_CEI_CJI_EVENTS To control the authorization for the application Customer Journey Events.
Communication Categories and Limits
SAP_CEI_COMM_CATEG_LIMITS To control the authorization for the application Communication Categories and limits.
Competitors SAP_CEI_COMPETITORS To control the authorization for the application Competitors for the Marketing Effectiveness Data Foundation.
Content Studio SAP_CEI_CONTENT_LIBRARY To control the authorization for the application Content Studio and the associated OData service in SAP Hybris Marketing.
Landing Pages SAP_CEI_CONTENT_PAGES To control the authorization for the application Landing Pages for managing landing pages, and the associated OData service.
Sender Profiles SAP_CEI_CPG_SENDER_PROFILES To control the authorization for the application Sender Profiles.
Release Campaigns SAP_CEI_CUAN_MK_INI_REL_APP To control the authorization for the application Release Campaigns.
Release Target Groups SAP_CEI_CUAN_MK_TG_REL_APP To control the authorization for the application Release Target Groups.
Insight SAP_CEI_CVI To control the authorization for the applications Relationship Analysis - Sales, Relationship Analysis - Presales, Stratification, Margin Decomposition within the business group Insight.
Register Extensions for Transport
SAP_CEI_EXT_ATO To access the app Register Extensions for Transport
Custom Fields and Logic SAP_CEI_EXT_CFD To access the app Custom Fields and Logic
Manage Images SAP_CEI_EXT_MAN_IMG To access the app Manage Images
Configure Software Packages SAP_CEI_EXT_SPK To access the app Configure Software Packages
Map Free Texts SAP_CEI_FREETEXT_MAP To control the authorization for the application Map Free Texts of SAP Hybris Marketing in the SAP Fiori launchpad to add free text to contacts.
Home Workset SAP_CEI_HOME This role is mandatory for the access of User Information, Personalization and Application Help, and it controls the non-Fiori UI5 applications.
Import Data for Analytics SAP_CEI_IMPORT_ANALYTICS To control the authorization for the application Import Data for Analytics.
Manage Interests SAP_CEI_INTERACTION_INTERESTS To control the authorization for the application Manage Interests.
Key Performance Indicators SAP_CEI_KPI_TILES To control the authorization for the applications for Key Performance Indicators of SAP Hybris Marketing in the SAP Fiori launchpad.
Business Administration SAP_CEI_KUA To control the authorization for the application of Business Administration for key user activities of SAP Hybris Marketing, that is, business administration tasks in the front-end system.
Business Administration for User Interface
SAP_CEI_KUI To configure the user interface for all business users of SAP Hybris Marketing.
Lead Dashboard SAP_CEI_LEAD_DASHBOARD To control the authorization for the application Lead Dashboard.
Lead Replication Administration SAP_CEI_LEAD_REPL_ADMIN To control the authorization for the application Integration Errors to access errors caused by the data transfer from SAP Hybris Cloud for Customer to SAP Hybris Marketing.
Lead Stages SAP_CEI_LEAD_STAGES To control the authorization for the application Lead Stages within the business group Lead Management, and to access Leads on the Contact factsheet.
Loyalty KPIs SAP_CEI_LOY_KPI Access to Loyalty KPIs in Home Screen
Marketing Location SAP_CEI_MARKETING_LOCATION Access to Marketing Locations in SAP Hybris Marketing.
Access to Marketing Executive Dashboard
SAP_CEI_MED To control the authorization for the application Marketing Executive Dashboard.
Messages SAP_CEI_MEM To control the authorization for the application Activate Confirmations.
Micro Lists SAP_CEI_MICRO_LIST To control the authorization for the application Micro Lists of SAP Hybris Marketing in the SAP Fiori launchpad to access micro lists, such as Recent Items, Active Campaigns, or Create Segmentation Model.
Marketing Approvals SAP_CEI_MKT_APPROVAL Access to Marketing Approvals
Marketing Attribute Categories SAP_CEI_MKT_ATTR_CATEGORIES To control the authorization for the application Marketing Attribute categories.
Marketing Approvals for Batch Users
SAP_CEI_MKT_BATCH_APPROVAL This role enables the workflow batch user to execute the user decision in Marketing Approvals.
Marketing Calendar SAP_CEI_MKT_CAL_APP To control the authorization for the application Marketing Calendar.
Marketing Calendar in Planning SAP_CEI_MKT_CAL_PLANNING To control the authorization for the application Marketing Calendar.
Marketing Spend - Quick Entry SAP_CEI_MSM_QE_APP To control the authorization for the application Quick Campaign Spend.
Marketing Spend - Details SAP_CEI_MSM_SM_APP To control the authorization for the application Detailed Campaign Spend.
Offers SAP_CEI_OFFER_APP To control the authorization for the application Offers.
Predictive Studio SAP_CEI_PBA To control the authorization for the application Predictive Studio that can be used for certain products and market definitions.
Profiles SAP_CEI_PROFILES To access the application Profiles in SAP Hybris Marketing.
Marketing Programs SAP_CEI_PROGRAM To control the authorization for the application Programs.
Provider Credentials SAP_CEI_PROVIDER_CREDENTIALS To control the authorization for the application Provider Credentials.
Recommendation Algorithm Defaults
SAP_CEI_RECO_ALDS To control the authorization for the application Recommendation Algorithm Defaults.
Manage Recommendations SAP_CEI_RECO_MKT To control the authorization for the application Manage Recommendations.
Manage Offer Recommendations SAP_CEI_RECO_MKT_OFFER To control the authorization for the application Offer Recommendations.
Recommendation Scenarios SAP_CEI_RECO_SCE To control the authorization for the application Recommendation Scenarios.
Dimension Relationships SAP_CEI_RELATIONSHIPS To access Dimension Relationships
Contacts and Profiles SAP_CEI_SCI To control the authorization for the applications Profile Dashboard, Contacts, and Sentiment Engagement within the business group Contacts and Profiles.
Score Builder SAP_CEI_SIMPLE_SCORES To control the authorization for the application Score Builder of SAP Hybris Marketing in the SAP Fiori launchpad. To use this role correctly, please read Authorization Changes in Single Roles in the Upgrade Guide on http://help.sap.com/mkt.
Target Groups SAP_CEI_TARGET_GROUPS To allow exclusive access to target groups without allowing access to contacts. This role works only with the flow-based campaigns app.
Target Groups, Campaigns, Contacts and Accounts
SAP_CEI_TG_INI To control the authorization for the applications for business objects, such as Target Groups, Campaigns (classic campaigns, including paid search campaigns, and Facebook campaigns), Corporate Accounts, Transfer Leads, and Contacts.
Manage Workflows SAP_CEI_WORKFLOW_EDITOR To access the Workflow Editor in SAP Hybris Marketing
Access to Administrative Actions SAP_CUSTOMER_ANALYTICS_ADMIN To set up recurring and extensibility tasks, such as scheduling of background jobs to trigger a regular lead stage calculation.
Integration Roles
Actual Spend Integration SAP_CEI_ACTUAL_INTEGRATION To use the OData service CUAN_ACTUAL_IMPORT_SRV to upload the actual and committed spend for campaigns from external systems.
B2C Recommendation Runtime SAP_CEI_B2C_RECO_RUNTIME To access the B2C recommendation runtime in SAP Hybris Marketing.
SAP Hybris Cloud for Customer Integration
SAP_CEI_C4C_INTEGRATION To use OData service CUAN_BUSINESS_DOCUMENT_IMP_SRV and CUAN_BUSINESS_PARTNER_SRV within SAP Hybris Cloud for Customer integration scenarios.
Consumer Insight 365 Integration
SAP_CEI_CI365_INTEGRATION To control the authorization for the application Consumer Insight 365 to create segmentation models directly in SAP Hybris Marketing, based on analyzed consumer behavior in Consumer Insight 365.
Landing Page Result SAP_CEI_CONTENT_PAGE_RESLT To access the OData service for storing landing page result information as a technical user.
E-Commerce Integration SAP_CEI_ECOMMERCE_INTEGRATION To enable an e-commerce system to carry out a mass import of contact persons and interaction data, and to search for campaigns (customer segments) in SAP Hybris Marketing to which a Web shop user is assigned. The Web shop can use this information to provide a personalized shopping experience to users who belong to a specific customer segment.
Campaign Optimized Execution Plan Integration
SAP_CEI_MPO_EXEC_PLAN_IMPORT To access the OData service CUAN_MPO_IMPORT_SRV to upload the optimized execution plan for campaigns.
Offer Import SAP_CEI_OFFER_IMPORT_API To import offers to SAP Hybris Marketing from external systems, using an OData API.
Offer Public API SAP_CEI_OFFER_PUBLIC_API To access the application Offers in SAP Hybris Marketing for the use in a Web shop, using an OData API.
Web Content Management Integration
SAP_CEI_WEBEXPRNCE_INTEGRATION To search for campaigns (customer segments) to which a content user is assigned, in a content management system.
Contacts and Profiles SAP_CEI_SCI_ISCE To access Contacts and Profiles with Profile Dashboard, Contacts, and Sentiment Engagement with the in-store customer engagement OData service in SAP Hybris Marketing.
Technical Configuration Roles
BI Content Activation SAP_CEI_RS_RDEAD To activate BI content for SAP Hybris Marketing.
Enhanced Authorization for Composite Role SAP_MARKETING_TECHNICAL_CONF
SAP_CEI_TECHNICAL_CONF_EHN To access and run the technical configuration.
Lead Replication Administration SAP_CEI_LEAD_REPL_ADMIN To control the authorization for the application Integration Errors to analyze errors created during the transfer of lead information from SAP Hybris Cloud for Customer to SAP Hybris Marketing.
User Management Roles
Business User Administration SAP_CEI_USER_HANDLING To control the authorization for the application User Lists.
Business Catalog Roles
Single roles with the postfix _FLP, the Business Catalog Roles, are used to start SAP Hybris Marketing from the SAP Fiori launchpad. These roles are only for apps that are not standard SAP Fiori apps. The business groups and business catalogs are modeled to give business roles, such as Marketing Experts, easy access to the relevant areas of SAP Hybris Marketing. The business groups and catalogs are assigned to the corresponding composite role via the business catalog roles.
Business Catalog Roles for the Marketing Expert (SAP_MARKETING_EXPERT)
Table 11:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Quick Launch
SAP_CEC_BCG_MKT_GEN_OP
This role has several business catalogs assigned
SAP_CEI_GEN_FLP
To access business group Marketing - Quick Launch from the SAP Fiori launchpad
All Products
SAP_CEI_TG_INI_FLP is included in several business groups
Marketing - Cross Application Components
SAP_CEC_BC_MKT_CBO1_OP
SAP_CEI_TG_INI_FLP
To access the applications Target Groups, classic Campaigns, Corporate Accounts, and Contact Engagement from the SAP Fiori launchpad.
Contacts and Profiles
SAP_CEC_BCG_MKT_DM_OP
Marketing - Contacts and Profiles
SAP_CEC_BC_MKT_DM_OP
SAP_CEI_SCI_FLP
To access the business group Profile Dashboard from the SAP Fiori launchpad.
Data Management
Marketing - Predictive Model Management
SAP_CEC_BC_MKT_PBA_OP
SAP_CEI_PBA_FLP
To access the business catalog Marketing - Predictive Model Management from the SAP Fiori launchpad.
Segmentation
SAP_CEC_BCG_MKT_SEG_OP
Marketing - Segmentation
SAP_BC_MKT_SEG_OP
SAP_CEI_ADT_FLP
To access the business group Segmentation from the SAP Fiori launchpad.
Segmentation
Campaign Management Marketing - Campaign Management
SAP_CEC_BC_MKT_CPM1_OP
SAP_CEI_CPM_FLP
To access the business group Campaigns of SAP Hybris Marketing from the SAP Fiori launchpad.
Acquisition
Campaign Management Marketing - Campaign Management
SAP_CEC_BC_MKT_CPM_OP
SAP_CEI_CPM_FLP
To access the business group Campaigns of SAP Hybris Marketing with the flow-based campaign from the SAP Fiori launchpad.
Acquisition
Insight
SAP_CEC_BCG_MKT_ISG_OP
Marketing - Insight
SAP_CEC_BC_MKT_ISG_OP
SAP_CEI_ISG_FLP
To access the business group Insight of SAP Hybris Marketing from the SAP Fiori launchpad.
Insight
Product (License)
Customer Value Intelligence
SAP_CEI_INSIGHTS
SAP_CEI_CVI_FLP
To access the business catalog Customer Value Intelligence from the SAP Fiori launchpad.
Extended Marketing Applications (YaaS Extensions)
Spend Management and Programs
SAP_CEC_BCG_MKT_SMP_OP
Marketing - Spend Management and Programs
SAP_CEC_BC_MKT_SMP_OP
SAP_CEI_SMP_FLP
To access the business group Spend Management and Programs from the SAP Fiori launchpad
Planning
Recommendation
SAP_CEC_BCG_MKT_ROF_OP
Marketing - Recommendation
SAP_CEC_BC_MKT_ROF_OP
SAP_CEI_ROF_FLP
To access the business group Recommendation from SAP Fiori launchpad
Recommendation
Lead Management
SAP_CEC_BCG_MKT_LEA_OP
Marketing - Lead Management
SAP_CEC_BC_MKT_LEA_OP
SAP_CEI_LEA_FLP
To access the business group Lead Management from the SAP Fiori launchpad
Data Management
Marketing - Lead Dashboard
SAP_CEC_BC_MKT_LDB_OP
SAP_CEI_LDB_FLP
To access the Lead Dashboard from the SAP Fiori launchpad.
Insight
Loyalty Management Marketing - Extended Applications
SAP_CEC_BCG_MKT_LOY_OP
SAP_CEI_EAC_FLP
To access Loyalty Management from the SAP Fiori launchpad.
Extended Marketing Applications (YaaS Extensions)
Business Catalog Roles for the Marketing Manager (SAP_MARKETING_MANAGER)
Table 12:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Marketing Manager - Quick Launch
SAP_CEC_BCG_MKT_MGR_OP
Marketing - Release
SAP_CEC_BC_MKT_REL_OP
SAP_CEI_REL_FLP
To access the business catalog Marketing - Release from the SAP Fiori launchpad.
Data Management
Approvals
SAP_CEC_BC_MKT_APV_OP?DEST
SAP_CEI_PLG_FLP
To access the business catalog Approvals from the SAP Fiori launchpad.
Planning
Marketing - Planning
SAP_CEC_BC_MKT_PLG_OP
SAP_CEI_PLG_FLP
To access the business catalog Marketing Planning from the SAP Fiori launchpad
Business Catalog Roles for the Marketing Executive (SAP_MARKETING_EXECUT_DASHBOARD)
Table 13:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Marketing Executive
SAP_CEI_BCG_MARKETINGEXECUTIVE
Marketing Executive Dashboard
SAP_CEI_BC_MARKETINGEXECUTIVE
SAP_CEI_BCR_MARKETINGEXECUTIVE
To access the business catalog Marketing Executive Dashboard from the SAP Fiori launchpad.
Insight
Business Catalog Roles for the Sales Representative (SAP_SALES_REP_MKT_INFO)
Table 14:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Sales - Marketing Information
SAP_CEC_BCG_MKT_SLS_OP
Sales - Marketing Information
SAP_CEC_BC_MKT_SLS_OP
SAP_CEI_BCR_SALES_REP_MKT_INF
To access the business group Sales - Marketing Information from the SAP Fiori launchpad.
Data Management
Business Catalog Roles for the Business Analyst (SAP_MARKETING_RECOMMENDATION)
Table 15:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Recommendation Modeling
SAP_CEI_BCG_BUSINESSANALYST
Marketing - Recommendation Modeling
SAP_CEI_BC_BUSINESSANALYST
SAP_CEI_BCR_BUSINESSANALYST
To access the business group Recommendation Modeling for analysis purposes of the business analyst from the SAP Fiori launchpad.
Recommendation
Predictive Model Management
SAP_CEC_BCG_MKT_PBA_OP
Marketing - Predictive Model Management
SAP_CEC_BC_MKT_PBA_OP
SAP_CEI_PBA_FLP
To access the business group Predictive Model Management from the SAP Fiori launchpad.
Data Management
Business Catalog Roles for the Administrator (SAP_MARKETING_USER_ADMIN)
Table 16:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Business Administration
SAP_CEC_BCG_MKT_ADM_OP
Marketing - Business Administration
SAP_CEC_BC_MKT_ADM_OP
SAP_CEI_KUA_FLP
To access business administration activities, such as segmentation configuration, from the SAP Fiori launchpad via the following business groups:
● Business Administration
● Import Data
● Segmentation and Campaign Configuration
All Products
Import Data
SAP_CEC_BCG_MKT_IMP_OP
Marketing - Import Data
SAP_CEC_BC_MKT_IMP_OP
Segmentation and Campaign Configuration
SAP_CEC_BCG_MKT_CPC_OP
Marketing - Segmentation and Campaign Configuration
SAP_CEC_BC_MKT_CPC_OP
Extensibility and Adaptability
AP_CEC_BCG_MKT_EXT_OP
Marketing - Extensibility and Adaptability
AP_CEC_BC_MKT_EXT_OP
Technical Catalog Roles
Table 17:
Business Group Business Catalog Business Catalog Role / Description
Product (License)
Business Administration
SAP_CEC_BCG_MKT_ADM_OP
Marketing - User Administration
SAP_CEI_KUA_TC_T
SAP_CEI_USER_HANDLING
To control the authorization for the application User Lists within the business group Business Administration.
All Products
SAP Hybris Marketing - Transactional Applications (Fiori)
SAP_CEI_TC_T
SAP_CEI_TCR_T
A technical role, which allows user administrators to access all the SAP Fiori transactional apps of SAP Hybris Marketing during the setup of business roles.
SAP Hybris Marketing - Other UI5 Transactional Apps
SAP_IC_CEC_MKT_OTHER_UI5
SAP Hybris Marketing - Key Performance Indicators
SAP_CEI_TC_A
SAP Hybris Marketing - Factsheets
SAP_CEI_TC_F
SAP Hybris Marketing - Search
SAP_CEI_TC_S
Basis
SAP_BASIS_TCR_T
Note
Use as Template for Own Roles
These roles contain all authorizations and all menu entries that you require to use SAP Hybris Marketing. You can use these roles for demonstration purposes, for example. For use in the live system, you must copy the roles to your own roles and delete the menu entries you do not require. You also need to assign the necessary authorizations using a generated authorization profile. The copies are proposed values and contain the authorizations as defined for the associated authorization objects (in transaction SU22). In addition, you have to adapt the activities and parameters contained in the authorization objects to your business processes, if required.
Note
If you make enhancements to your own roles, for example, by adapting the standard authorization objects, you need to copy these enhancements to the standard roles, in order to display the menu entries, such as facets, for the new roles.
Editing the Role Menu
The available worksets and subworksets on the SAP Hybris Marketing UI are determined from the business roles that are assigned to the business user. Therefore, the menu folder structure of a business role defines the order of the worksets and subworksets. The available subfolders under the folders High Performance Applications and SAP Hybris Marketing build the Application Menu. You can adapt the role menu:
● In the role maintenance (PFCG), enter the role you want to adapt.
● On the Menu tab page, select the appropriate node, and choose the Create Folder symbol.
○ Enter a folder name.
○ Select the new folder, and create a subfolder with the Create Folder symbol.
○ Enter a folder name for the new subfolder.
● Save your changes.
SAP HANA Extended Application Services (XS) (Repository) Roles
The following roles are available in SAP HANA Extended Application Services (XS) for SAP Hybris Marketing:
Table 18:
Role Description
sap.hana-app.cuan.common.roles::TechnicalUserApplication This role is maintained in the technical configuration, and is assigned to the SAP <SID> user.
sap.hana-app.cuan.mkteff.XSAPP.roles::CMOKPI This role contains privileges to access KPIs in the Marketing Executive Dashboard.
sap.hana-app.cuan.lm.roles::LM_KPI This role contains privileges to access the Lead Dashboard in Lead Management.
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are provided and used by SAP Hybris Marketing.
Table 19:
Authorization Object
Field Possible Values Description
CRA_CRMORG Sales Organization (CRA_VKORG)
customer-dependent values
Controls the authorizations to change and display organizational data from SAP CRM (sales organization, sales office, and sales group).
Sales Office (CRA_CRMOFF)
customer-dependent values
Sales Group (CRA_CRMGRP)
customer-dependent values
Activity (ACTVT) 02, 03
CRA_ERPORG Sales Organization (CRA_VKORG)
customer-dependent values
Controls the authorizations to change and display organizational data from SAP ERP (sales organization, sales office, and sales group).
Sales Office (CRA_VKBUR)
customer-dependent values
Sales Group (CRA_VKGRP)
customer-dependent values
Activity (ACTVT) 02, 03
CRA_KDGRP Customer Group (CRA_KDGRP)
customer-dependent values
Controls the authorizations to change and display customer groups.
Activity (ACTVT) 02, 03
CRA_MKTORG Marketing Organization (CRA_MKTORG)
customer-dependent values
Controls the authorizations to change and display SAP CRM marketing organizations.
Activity (ACTVT) 02, 03
CRA_BUK Company Code (BUKRS) customer-dependent values
Controls the authorizations to change and display company codes.
Activity (ACTVT) 02, 03
CRA_COUNTR Country (COUNTRY) customer-dependent values
Controls the authorizations to change and display countries.
Activity (ACTVT) 02, 03
CRA_MKTGRP Marketing Organization (MKTAUT_GRP)
customer-dependent values
Controls the authorizations to change and display marketing organizations.
Activity (ACTVT) 02, 03
CRA_STATUS Object Name (CRA_STA_OB)
customer-dependent values
Controls the authorizations to set a status (CRA_STATUS) in a target group/campaign (CRA_STA_OB), if advanced status management is activated in Customizing.
Life Cycle Status (CRA_STATUS)
customer-dependent values
Activity (ACTVT) 01
HPA_ADMIN Activity (ACTVT) 16 Controls the authorizations for administrative tasks, such as clearing buffers, Business Object Processing Framework (BOPF), and OData.
HPA_FILE Activity (ACTVT) 03 Controls the authorizations for read access to CSV file uploads.
HPA_PREV Activity (ACTVT) 03 Controls the authorizations to display previews of CSV files.
HPA_ACTION Object Name (HPA_OBJ) CUAN_MARKETING_BEACON
Controls the authorizations for actions in SAP Hybris Marketing for importing marketing beacon data.
Action Name (HPA_ACTION)
IMPORT_MARKETING_BEACON
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_MARKETING_LOCATION
Controls the authorizations for actions in SAP Hybris Marketing for importing location data.
Action Name (HPA_ACTION)
IMPORT_MARKETING_LOCATION
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_MARKETING_SPEND
Controls the authorizations for actions in SAP Hybris Marketing, such as approval of spends.
Action Name (HPA_ACTION)
APPROVE_SPEND
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_INITIATIVE Controls the authorizations for actions in SAP Hybris Marketing, for importing campaign success data.
Action Name (HPA_ACTION)
UPDATE_EXTERNAL_REPORT-ING_DATA
Activity (ACTVT) 16
Security Guide 1702Authorizations C U S T O M E R 39
Authorization Object
Field Possible Values Description
Object Name (HPA_OBJ) CUAN_MARKETING_SPEND
Controls the authorizations for actions in SAP Hybris Marketing, for importing actual from an external system
Action Name (HPA_ACTION)
IMPORT_ACTUAL
Activity (ACTVT) 16
Object Name (HPA_OBJ) HPA_BRAND Controls the authorizations for actions in SAP Hybris Marketing, for importing Brands.
Action Name (HPA_ACTION)
IMPORT_BRANDS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_01
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 01.
Action Name (HPA_ACTION)
(HPA_ACTION) IMPORT_CUSTOM_DI-MENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_02
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 02.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_03
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 03.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_04
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 04.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
40 C U S T O M E RSecurity Guide 1702
Authorizations
Authorization Object
Field Possible Values Description
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_05
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 05.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_06
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 06.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_07
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 07.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_08
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 08.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_09
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 09.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_10
Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 10.
Action Name (HPA_ACTION)
IMPORT_CUSTOM_DIMENSIONS
Activity (ACTVT) 16
Security Guide 1702Authorizations C U S T O M E R 41
Authorization Object
Field Possible Values Description
Object Name (HPA_OBJ) CUAN_INTERACTION Controls the authorizations for actions in SAP Hybris Marketing, for importing interactions.
Action Name (HPA_ACTION)
IMPORT_EXTERNAL_INTERACTIONS
Activity (ACTVT) 16
Object Name (HPA_OBJ) CUAN_INTERACTION_CONTACT
Controls the authorizations for actions in SAP Hybris Marketing, for importing interaction contacts.
Action Name (HPA_ACTION)
IMPORT_INTERACTION_CONTACTS
Activity (ACTVT) 16
42 C U S T O M E RSecurity Guide 1702
Authorizations
Authorization Object
Field Possible Values Description
HPA_OBJECT Object Name (HPA_OBJ) GSEG_BUILDING_BLOCK
GSEG_SEGMENTATION_MODEL
HPA_EXPORT_DEFINITION
CUAN_BUDGET_PLANNING
HPA_DOCUMENT
HPA_USER_LIST
PROD_RECO
CUAN_CUSTOMER
CUAN_INITIATIVE
CUAN_INTERACTION
CUAN_INTERACTION_CONTACT
CUAN_SOCIAL_MEDIA_ACCOUNT
CUAN_TARGET_GROUP
CUAN_VALUE_HELPS
HPA_DOCUMENT_DATA
HPA_DOCUMENT_STORAGE
HPA_OBJECT_RATINGS
HPA_USER
CUAN_CUSTOMER_REL_ANALY-SIS
CUAN_SOCIAL_MEDIA_ACCOUNT
CUAN_STRATIFICATION_CALC
Controls the authorizations to change and display business objects within SAP Hybris Marketing, or import of brands, or actuals.
Security Guide 1702Authorizations C U S T O M E R 43
Authorization Object
Field Possible Values Description
HPA_IMPORT_HEADER
CUAN_HOMESCREEN_KPI_CALC
CUAN_MARKETING_ENGAGEMENT
CUAN_MARKETING_TEMPLATE
CUAN_INTERACTION,
CUAN_SENDER_PROFILE
CUAN_MARKETING_SPEND
CUAN_DEMO_BANKING_F4
CUAN_PREDICTIVE_MODEL
CSAN_MENTION_GROUP
CSAN_VOICE_OF_CUSTOMER
CUAN_TAG_INTEREST_ASSIGNMENT
CUAN_MARKETING_ORCHESTRA-TION
CUAN_MARKETING_PERMISSION
CUAN_SOCIAL_MEDIA_ACCOUNT
CUAN_PROGRAM
CUAN_OFFER
GRES_RESULT_SET
CUAN_MARKETING_CALENDAR
CUAN_MARKETING_LEAD_STAGESET
44 C U S T O M E RSecurity Guide 1702
Authorizations
Authorization Object
Field Possible Values Description
CUAN_MKT_LEAD_STAGESET_PROFILE
CUAN_MARKETING_BEACON
CUAN_MARKETING_LOCATION
Activity (ACTVT) 02, 03
HPA_MKT_AR Object Name (HPA_OBJ) CUAN_MARKETING_LOCATION
CUAN_MARKETING_BEACON
CUAN_TARGET_GROUP
CUAN_INITIATIVE
CUAN_MARKETING_ORCHESTRA-TION
CUAN_MARKETING_ENGAGEMENT
CUAN_MARKETING_TEMPLATE
CUAN_SENDER_PROFILE
CUAN_MARKETING_CALENDAR
CUAN_MARKETING_SPEND
CUAN_BUDGET_PLANNING
CUAN_PREDICTIVE_MODEL
CUAN_OFFER
CUAN_INTERACTION
CUAN_PROGRAM
Controls the authorizations on instance level to change and display SAP Hybris Marketing objects.
The system derives the values for the marketing area (MKTAREA_ID) from the values for marketing area ID in the relevant user role (PFCG).
Activity (ACTVT) 02, 03
Security Guide 1702Authorizations C U S T O M E R 45
Authorization Object
Field Possible Values Description
Marketing Area ID (MKTAREA_ID)
customer-dependent values
HPA_RSP_AR Object Name (HPA_OBJ) CUAN_INITIATIVE
CUAN_BUDGET_PLANNING
To access the area of responsibility.
Activity (ACTVT) 02, 03
Area of Responsibility (RSPAREA_ID)
customer-dependant values
S_OA2C_USE OAuth 2.0 Client Profile (OA2C_PROF)
SAP_CUAN_ECPG_HCI
To access OAuth 2.0 Client configuration for Facebook integration, and external campaign integration
Activity (ACTVT) 16
S_OA2C_ADM Activity (ACTVT) 01, 02, 03, 06 To access OAuth 2.0 Client Configuration
S_RS_COMP InfoArea (RSINFOAREA) customer-dependent values
To access Business Explorer - Components
InfoCube (RSINFOCUBE) customer-dependent values
Type of a reporting component (RSZCOMPTP)
customer-dependent values
Name of a reporting component (RSZCOMPID)
refer to the reporting component of the corresponding role
Activity (ACTVT) 03, 16
S_RS_COMP1 Owner (person responsible) for a reporting component (RSZCOMPOWNER
)
customer-dependent values
To access Business Explorer - Components: Enhancements to the Owner
Type of a reporting component (RSZCOMPTP)
customer-dependent values
Name of a reporting component (RSZCOMPID)
refer to the reporting component of the corresponding role
46 C U S T O M E RSecurity Guide 1702
Authorizations
Authorization Object
Field Possible Values Description
Activity (ACTVT) 03, 16
S_RS_AUTH BW Analysis (BIAUTH) customer-dependent values
To access BI analyses.
S_RS_ICUBE RSICUBEOBJ customer-dependent values
To access InfoCubes for BI analyses.
Activity (ACTVT) 03
RECO_RTGET Activity (ACTVT) 33 To upload recommendations via RFC
Recommendation Model Type ID (ENGINE_ID)
customer-dependent values
RECO_MODEL Activity (ACTVT) 01, 02, 03, 06, 63 To access recommendation modeling.
RECO_MGEN Activity (ACTVT) 48, 64 To access recommendation model generation
RECO_CONF Activity (ACTVT) 01, 02, 03, 06 To access application data configuration.
GSEG_BB Application ID (GSEG_APPL)
customer-dependent values
To restrict the user access (at the start of the generic segmentation application) to segmentation building blocks for a specified combination of application ID and segmentation object type.Segmentation Object
(GSEG_OT)customer-dependent values
Activity (ACTVT) 01, 02, 03, 06
GSEG_START Application ID (GSEG_APPL)
customer-dependent values
To restrict the user access (at the start of the generic segmentation application) to segmentation models for a specified combination of application ID and profile ID.Profile ID (GSEG_PROF) customer-dependent
values
Activity (ACTVT) 01, 02, 03, 06
GSEG_ADMIN Activity (ACTVT) 02, 03 To restricting the user access when maintaining the generic segmentation administration data for a specified application ID.Application ID
(GSEG_APPL)SAP_ADT
HPA_USRGRP Activity (ACTVT) 03 To access SAP Hybris Marketing user data of user groups.
User group in user master maintenance (CLASS)
customer-dependent
Security Guide 1702Authorizations C U S T O M E R 47
This table covers the maximum scope of values for objects and activities of an authorization object. Each role using these authorization objects can contain a subset of these values.
SAP Business Information Warehouse (SAP BW) Authorizations
SAP Hybris Marketing also includes the usage of BW reports and objects. For the access and maintenance of these objects, BW authorizations can be applied. For more information about the BW authorizations, see the Security Guide for SAP BW at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guide for SAP BW.
KPI Tiles and BW authorizations
The role SAP_CEI_BI_AUTH can be used as a template for providing authorizations for KPI tiles. The KPIs are partly based on BEx queries, to which access needs to be granted. The queries used for defining KPIs can be found in the application operations guide on the SAP Help Portal at http://help.sap.com/mkt > System Administration and Maintenance Information.
SAP HANA Privileges
For SAP Hybris Marketing, application privileges are available. Each technical SAP HANA user needs special privileges, such as application privileges. Create a .hdbrole file in your tmp package and assign the roles to the corresponding user. For more information about privileges, see the SAP Hybris Marketing installation guide on the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information.
6 Session Security Protection
Session Security Protection on the AS ABAP System
To activate session security on the AS ABAP system, set the corresponding profile parameters and activate session security for the client(s) using transaction SICF_SESSIONS. Specify the parameter values shown in the following table.
Table 20:
icf/set_HTTPonly_flag_on_cookies
    Recommended value: 0
    Comment: client-dependent

login/ticket_only_by_https
    Recommended value: 1
    Comment: not client-dependent

For more information, a list of the relevant profile parameters, and detailed instructions, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Special Topics > Activating HTTP Security Session Management on AS ABAP.
7 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP Hybris Marketing is based on the topology used by SAP NetWeaver and by the SAP HANA Extended Application Services (XS) platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide and in the SAP HANA Security Guide also apply to SAP Hybris Marketing. Details that specifically apply to SAP Hybris Marketing are described in the following topics:
● Communication Channel Security [page 50]: This topic describes the communication paths and protocols used by SAP Hybris Marketing.
● Network Security [page 52]: This topic describes the recommended network topology for SAP Hybris Marketing. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP Hybris Marketing.
● Communication Destinations [page 53]: This topic describes the information needed for the various communication paths, for example, which users are used for which communications.
● For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security.
● Security Guides for Connectivity and Interoperability Technologies: For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies.
7.1 Communication Channel Security
The following table shows the communication channels used by SAP Hybris Marketing, the protocol used for the connection, and the type of data transferred.
Table 21:
Frontend client using SAP GUI for Windows to application server
    Protocol Used: DIAG
    Type of Data Transferred: Customizing and administration data
    Data Requiring Special Protection: Usernames, passwords

Frontend client using a Web browser to application server / (remote) Gateway, BOE server
    Protocol Used: HTTP, HTTPS (we recommend using HTTPS)
    Type of Data Transferred: All application data
    Data Requiring Special Protection: Confidential data

Application server (ERP SD/SLT) to application server (SAP Hybris Marketing)
    Protocol Used: SAP SLT Replication Server, based on RFC and a direct DB connection between the SLT server and CEI
    Type of Data Transferred: All application data
    Data Requiring Special Protection: Confidential data

Application server (remote Gateway) to application server (SAP Hybris Marketing)
    Protocol Used: Trusted RFC
    Type of Data Transferred: All application data
    Data Requiring Special Protection: -

SAP Hybris Marketing to SAP HANA database
    Protocol Used: ADBC, Open SQL
    Type of Data Transferred: All application data
    Data Requiring Special Protection: Confidential

SAP Hybris Marketing to SAP CRM
    Protocol Used: Enterprise services for campaigns, CRM Middleware
    Type of Data Transferred: Campaigns, target groups
    Data Requiring Special Protection: Confidential

Anonymous access from the Internet to Web Dispatcher (acting as reverse proxy)
    Protocol Used: HTTPS
    Type of Data Transferred: Tracking information
    Data Requiring Special Protection: Public

Sending emails via REST APIs to an email service provider
    Protocol Used: HTTPS
    Type of Data Transferred: Email information
    Data Requiring Special Protection: Personalized information

SAP Hybris Marketing to SAP Hybris Cloud for Customer
    Protocol Used: SAP HANA Cloud Integration (HCI), or SAP Process Orchestration (PI) via SOAP
    Type of Data Transferred: Leads
    Data Requiring Special Protection: Confidential

Note: Since the source system for SAP Hybris Marketing is an SAP ERP system (sales and distribution) or an SAP CRM system, the SLT server may be installed on the source system itself or on a separate system. For more information about communication channel security, see SAP Help Portal at http://help.sap.com/nw > SAP HANA Platform > SAP HANA Platform (Core) > Security > SAP HANA Security Guide > English > SAP HANA Network and Communication Security > Communication Channel Security.
Dynamic Information and Action Gateway (DIAG) and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.
Recommendation: SAP strongly recommends using secure protocols (SSL, SNC) whenever possible.
● For more information about Transport Layer Security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security > Transport Layer Security.
● For more information about Web Services Security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies > Security Guide Web Services (ABAP).
7.2 Network Security
SAP Hybris Marketing is not an Internet-facing application. All applications are in-house applications that run within a demilitarized zone; external access is only possible through mobile applications. As mentioned in the technical system landscape and in Session Security Protection, Web-based applications are all embedded in a shell that handles authentication and session security. The shell communicates with the backend through a local gateway using OData services or via the Web Dynpro communication framework.
For more information about the technical system landscape and a typical network setup, see the installation guide for SAP Hybris Marketing on the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information.
For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security > Using Multiple Network Zones.
Ports
SAP Hybris Marketing runs on SAP NetWeaver and uses the ports of the AS ABAP. For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Network Security for SAP NetWeaver AS ABAP > AS ABAP Ports.
SAP Hybris Marketing user interfaces can be embedded into an SAP CRM system using an IFrame. Ensure that both systems follow the same-origin policy, that is, they use the same host and port.
For the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAP Developer Network at http://scn.sap.com/community/security. Search for Infrastructure Security > Network and Communications Security.
7.3 Communication Destinations
The following table provides an overview of the communication destinations used by the back-end server of SAP Hybris Marketing.
Table 22:
Legacy system (SAP ERP, SAP CRM)
    Type: RFC
    User, Authorizations: Technical user
    Description: RFC-based exchange of business data.

Remote Gateway
    Type: Trusted RFC
    User, Authorizations: Named user
    Description: If SAP NetWeaver Gateway is installed remotely, a trusted RFC connection to the SAP Hybris Marketing system is required.

SLT
    Type: RFC
    User, Authorizations: Technical user
    Description: If SAP SLT is set up separately from the source legacy system, an RFC connection from SAP ERP to SAP SLT is required.

SAP Jam
    Type: HTTPS
    User, Authorizations: Technical user
    Description: Used for OAuth authentication and some optional SAP Jam integration scenarios, that is, assigning a campaign to an SAP Jam group.
    Note: No data is exchanged between SAP Hybris Marketing and SAP Jam.

Standard Internet ports for UI connection
    Type: HTTPS
    User, Authorizations: Named user
    Description: Internet port setup of the UI connection to the backend. For more information, see section Ports in Network Security [page 52].

HTTPS connection from Extended Application Services (XS) to SAP HANA
    Type: HTTPS
    User, Authorizations: Technical user
    Description: Used in Campaign Content for the OData service that updates the status of a campaign automation when the sending process is finished.

SAP HANA Cloud Integration system (HCI)
    Type: HTTPS
    User, Authorizations: Named user
    Description: Used for the integration of SAP Hybris Marketing with SAP Hybris Cloud for Customer and for external campaign integration.

SAP Process Orchestration (PI)
    Type: HTTPS
    User, Authorizations: Named user
    Description: Used for the integration of SAP Hybris Marketing with SAP Hybris Cloud for Customer.

Facebook Graph API
    Type: HTTPS
    User, Authorizations: OAuth 2.0 user access token
    Description: Create Facebook custom audiences from target groups and initial Facebook campaigns in campaign automation, and retrieve reporting data of SAP Hybris Marketing campaigns.

WeChat API
    Type: HTTPS
    User, Authorizations: OAuth 2.0 user access token
    Description: Used to get follower data and marketing content from WeChat, and to send messages to WeChat.

Inbound WeChat events
    Type: HTTPS
    User, Authorizations: Technical user
    Description: Used to get follower events from WeChat.

SAP XM API
    Type: HTTPS
    User, Authorizations: OAuth 2.0 user access token
    Description: Create campaigns in SAP XM and retrieve reporting data from the campaigns.
Users of the SAP Hybris Marketing user interface should be allowed to retrieve content from internet sites integrated with SAP Hybris Marketing, depending on the enabled set of features. The following table provides an overview of the communication destinations used by the frontend server of SAP Hybris Marketing.
Table 23:
Standard Internet ports for UI connection
    Type: HTTPS
    User, Authorizations: Named user
    Description: Internet port setup of the UI connection to the frontend. For more information, see section Ports in Network Security [page 52].

https://*.sapjam.com
    Type: HTTPS
    User, Authorizations: Named user
    Description: SAP Jam feed on the SAP Hybris Marketing home screen.

https://*.here.com
    Type: HTTPS
    User, Authorizations: Nokia token
    Description: Provider for the map used in Segmentation and Marketing Locations.

https://graph.facebook.com
    Type: HTTPS
    User, Authorizations: Named user (OAuth 2.0 authorization code grant to retrieve a user access token)
    Description: Campaign automation: create Facebook custom audiences from target groups and initial Facebook campaigns; retrieve reporting data of SAP Hybris Marketing campaigns.

Customized source channels of social posts, such as Twitter, RSS
    Type: HTTPS
    User, Authorizations: None
    Description: Sentiment Engagement: link to the source of a social post, social user image, or profile.

https://email.*.amazonaws.com
https://sqs.*.amazonaws.com
    Type: HTTPS
    User, Authorizations: Amazon Web Services access keys
    Description: Communication from SAP HANA Extended Application Services (XS) to Amazon Web Services: sending emails and pulling feedback information to and from Amazon Web Services.

https://sms-pp.sapmobileservices.com
    Type: HTTPS
    User, Authorizations: Technical user
    Description: Communication from SAP HANA Extended Application Services (XS) to the SAP SMS 365 Web service: sending text messages to the SAP SMS 365 Web service.

https://api.yaas.io/hybris/loy-member/v1/members
https://api.yaas.io/hybris/loy-member/v1/memberActivities
https://api.yaas.io/hybris/loy-member/v1/loyaltyPrograms
https://api.yaas.io/hybris/loy-member/v1/tiers
https://api.yaas.io/hybris/oauth2/v1/token
https://api.yaas.io/hybris/loy-offer/v1/offers
    Type: HTTPS
    User, Authorizations: Named user (OAuth 2.0 authorization code grant to retrieve a user access token); integration scenario SAP_COM_0043
    Description: Loyalty integration. These endpoints are used to get loyalty data into the SAP Hybris Marketing system. This data is used to create interactions and interaction contacts.

https://builder.yaas.io
    Type: HTTPS
    User, Authorizations: Named user
    Description: UI navigation from the SAP Hybris Marketing launchpad to YaaS Builder.

https://<hostname>.com/sap/opu/odata/sap/CUAN_CAMPAIGN_SUCCESS_SRV
https://<hostname>.com/sap/opu/odata/sap/CUAN_CAMPAIGN_METRICS_SRV
https://<hostname>.com/sap/opu/odata/sap/CUAN_COMMON_SRV
    Type: HTTPS
    User, Authorizations: Technical user; integration scenario SAP_COM_0058
    Description: Customer Journey integration with campaigns. These endpoints are used to read campaign data from the SAP Hybris Marketing system.

https://customerjourney.yaas.io/*
    Type: HTTPS
    User, Authorizations: Named user
    Description: UI navigation from the SAP Hybris Marketing launchpad to the Customer Journey application.

https://api.yaas.io/hybris/pubsub/v1/topics/hybris.ymkt-consolidation/ymarketingtopic/read
https://api.yaas.io/hybris/pubsub/v1/topics/seey.abandoned-cart-collator/abandoned-cart/read
https://api.yaas.io/hybris/oauth2/v1/token
    Type: HTTPS
    User, Authorizations: Named user (OAuth 2.0 authorization code grant to retrieve a user access token); integration scenario SAP_COM_0059
    Description: Hybris Profile integration. These endpoints are used to get web-tracking data into the SAP Hybris Marketing system. This data is used to create interactions and interaction contacts.

https://builder.yaas.io/#?selectedPath=****yprofile-dev-tool-graph-viewer-streaming
    Type: HTTPS
    User, Authorizations: Named user
    Description: UI navigation from the Hybris Profile Graph Viewer.

https://*.weixin.qq.com/
    Type: HTTPS
    User, Authorizations: OAuth 2.0 user access token
    Description: Used to get follower data and marketing content from WeChat, and to send messages to WeChat.

https://*.baidu.com
    Type: HTTPS
    User, Authorizations: Baidu token
    Description: Used to segment users on Baidu Maps in Segmentation.

ac3b78981.hana.ondemand.com (Europe)
b035760e1.us1.hana.ondemand.com (US East)
dae7830db.us2.hana.ondemand.com (US West)
oauthasservices-ac3b78981.hana.ondemand.com/oauth2/api/v1/authorize (Europe)
oauthasservices-b035760e1.us1.hana.ondemand.com/oauth2/api/v1/authorize (US East)
oauthasservices-dae7830db.us2.hana.ondemand.com/oauth2/api/v1/authorize (US West)
oauthasservices-ac3b78981.hana.ondemand.com/oauth2/api/v1/token (Europe)
oauthasservices-b035760e1.us1.hana.ondemand.com/oauth2/api/v1/token (US East)
oauthasservices-dae7830db.us2.hana.ondemand.com/oauth2/api/v1/token2 (US West)
    Type: HTTPS
    User, Authorizations: Named user (OAuth 2.0 authorization code grant to retrieve a user access token)
    Description: Create campaigns in SAP XM and retrieve reporting data from the campaigns.
8 Internet Communication Framework Security
SAP Hybris Marketing has Web-enabled (HTML5/SAPUI5-based) content that accesses the application server using Web browsers. This content is managed by the Internet Communication Framework (transaction SICF).
Note: During the technical configuration, all required services for SAP Hybris Marketing are automatically activated. For more information about the technical configuration, see the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information > Installation Guide > Post-Installation Technical Configuration Steps.
Note: Besides activating the ICF nodes for the OData services of the Gateway, you have to activate the OData services themselves within the Gateway configuration. For more information about OData service activation, see the installation guide for SAP Hybris Marketing on SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information > Installation Guide - SAP Hybris Marketing.
● For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Application Server > Application Server Infrastructure > Connectivity > Components of SAP Communication Technology > Communication Between ABAP and Non-ABAP Technologies > Internet Communication Framework > Development > Server-Side Development > Creating and Configuring ICF Services > Activating and Deactivating ICF Services.
● For more information about ICF security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies.
9 Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. Virus scan profiles manage the interface and define which file types are checked or blocked.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles. SAP Hybris Marketing uses the standard SAP NetWeaver virus scan profile /SIHTTP/HTTP_UPLOAD.
For more information about virus scanning, see the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver 7.5 > Application Help > Function-Oriented View > Security > Security Developer Documentation > Secure Programming > Secure Programming - ABAP > Secure Programming > SAP Virus Scan Interface, and SAP Note 1693981 (Unauthorized modification of displayed content).
Virus Scan in Campaign Content
Content templates used in campaign content are built from HTML code, which can contain malicious parts such as JavaScript code.
Recommendation: We recommend using a virus scanner to prevent malicious code sequences from damaging content template coding and email content.
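As an added illustration of the kind of pre-check a marketing team can run on a content template before it is handed to the virus scan interface (example code written for this guide, not part of SAP Hybris Marketing or of the SAP virus scan interface), the following Python script flags the active-content constructs that the recommendation above refers to: script-bearing elements, inline event-handler attributes, and URLs whose scheme executes script. The two sample templates are constructed for the example.

```python
"""Flag active content in an HTML campaign content template.

Added example, not SAP code: a defensive pre-check that can run before a
template is handed to the virus scan interface. It reports elements that
carry executable content, inline event-handler attributes, and URLs whose
scheme executes script.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed sample templates (not taken from the product). The {{...}}
# placeholders stand in for the personalization fields a template carries.
SAFE_TEMPLATE = """<html><body>
<p>Hello {{FIRST_NAME}},</p>
<p><a href="https://example.invalid/offers">See this month's offers</a></p>
<img src="https://example.invalid/banner.png" alt="banner">
</body></html>"""

SUSPICIOUS_TEMPLATE = """<html><body>
<p>Hello {{FIRST_NAME}},</p>
<script>alert('injected')</script>
<a href="JavaScript:void(0)" onclick="alert(1)">Click</a>
<img src="x" onerror="alert(2)">
</body></html>"""


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line in the template where the tag starts
    kind: str     # "element", "event-handler" or "script-url"
    detail: str   # the offending tag or attribute


def is_script_url(value):
    """True if the URL scheme executes script in a browser.

    Browsers ignore whitespace and control characters inside the scheme,
    so "java\\nscript:" must be caught as well; strip them before comparing.
    """
    if not value:
        return False
    normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return normalized.startswith(("javascript:", "vbscript:", "data:text/html"))


class ActiveContentScanner(HTMLParser):
    """Collects active-content findings while the template is parsed."""

    ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands over tag and attribute names in lower case.
        line, _column = self.getpos()
        if tag in self.ACTIVE_ELEMENTS:
            self.findings.append(Finding(line, "element", f"<{tag}>"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(
                    Finding(line, "event-handler", f"{name}={value!r}"))
            elif name in self.URL_ATTRS and is_script_url(value):
                self.findings.append(
                    Finding(line, "script-url", f"{name}={value!r}"))


def scan_template(html):
    """Return the list of findings for one template, empty if it is clean."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for label, template in (("safe", SAFE_TEMPLATE),
                            ("suspicious", SUSPICIOUS_TEMPLATE)):
        findings = scan_template(template)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print(f"  line {finding.line}: {finding.kind} {finding.detail}")
```

A template with findings should be rejected or routed to manual review before the virus scan profile is even consulted; the check is a complement to the scanner, not a replacement for it.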
10 Data Storage Security
Data Storage
All SAP Hybris Marketing data is stored in the SAP HANA database. No data is stored on the file system.
Note: While a session is active, HTML5 local storage is used. However, when logging off, all local storage is deleted. All access to the database is performed through the SAP NetWeaver ABAP stack, either through Open SQL or through ABAP Database Connectivity (ADBC). Access to the database is secured by the SAP NetWeaver stack through the authorization policies described in Authorizations [page 18].
For more information about data storage security, see the SAP Help Portal at http://help.sap.com/nw > SAP HANA Platform > SAP HANA Platform (Core) > Security > SAP HANA Security Guide > English > SAP HANA Data Storage Security.
Data Protection
The data protection, archiving, and retention policies of SAP Hybris Marketing are inherited directly from the legacy system (an SAP ERP system or an SAP CRM system) that provides the data. If data is deleted or archived in the legacy system, the SLT framework triggers the deletion in the SAP Hybris Marketing system itself. All related data created within SAP Hybris Marketing that refers to deleted data in the legacy system can be deleted by administrators of SAP Hybris Marketing as well.
Password Storage
For the connection to an external OpenText Digital Asset Management system, a user ID and password are required regularly. To prevent access to these systems by unauthorized users, the password is stored in an SAP namespace in the ABAP Secure Store.
11 Security-Relevant Logging and Tracing
SAP Hybris Marketing uses the logging and tracing mechanisms of SAP NetWeaver. For information about logging and tracing in SAP NetWeaver, see the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide (English) > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > SAP NetWeaver Security Guides for Functional Units > Security Aspects for Lifecycle Management > Auditing and Logging.
12 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:
● Whether SAP Security Notes have been identified as missing on your system. In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified. In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system. In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including the following:
● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties such as the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.
More Information
For more information about these services, see the following:
● EarlyWatch Alert: http://service.sap.com/ewa
● Security Optimization Service / Security Notes Report: http://service.sap.com/sos
● Comprehensive list of Security Notes: http://service.sap.com/securitynotes
● Configuration Validation: http://service.sap.com/changecontrol
● RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/runsap (see the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)
Important Disclaimers and Legal Information
Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
go.sap.com/registration/contact.html
© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.