Security Guide CUSTOMER SAP Hybris Marketing On Premise Document Version: 1.0 – 2017-02-17 Security Guide 1702

Content

1 Introduction

2 Before You Start

3 Security Aspects of Data, Data Flow, and Processes

4 User Administration and Authentication
4.1 User Management
4.2 Integration into Single Sign-On Environments

5 Authorizations

6 Session Security Protection

7 Network and Communication Security
7.1 Communication Channel Security
7.2 Network Security
7.3 Communication Destinations

8 Internet Communication Framework Security

9 Virus Scan Profile (ABAP)

10 Data Storage Security

11 Security-Relevant Logging and Tracing

12 Services for Security Lifecycle Management

Document History

Before you start, make sure you have the latest version of this document. You can find the latest version at the following location:

http://service.sap.com/mkt

The following table provides an overview of the most important document changes. If the information you are looking for is not described in this guide or if you find something described incorrectly, please send an email to mailto:[email protected] and we'll update this guide.

Table 1: Document History

| Version | Date | Description |
| 1.0 | 2016-11-21 | Initial version for SAP Hybris Marketing 1611 (1.2 SP04) |

1 Introduction

Note: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants
● Security consultants
● System administrators

This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

Feedback

We'd really like to know what you think of the quality, structure or content of this guide. Please send your feedback to us at mailto:[email protected].

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security demands apply to SAP Hybris Marketing, based on SAP NetWeaver 7.5. To assist you in securing SAP Hybris Marketing, we provide this security guide.

About This Document

The security guide provides an overview of the security-relevant information that applies to SAP Hybris Marketing. For more information about security, see also the SAP Help Portal at http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide (English) > SAP NetWeaver Security Guide.

Overview of the Main Sections

The security guide comprises the following main sections:

● Before You Start
  This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide.

● Technical System Landscape
  This section provides an overview of the technical components and communication paths that are used by SAP Hybris Marketing.

● Security Aspects of Data, Data Flow, and Processes
  This section provides an overview of security aspects involved throughout the most widely-used processes within SAP Hybris Marketing.

● User Administration and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  ○ Recommended tools to use for user management
  ○ User types that are required by SAP Hybris Marketing
  ○ Standard users that are delivered with SAP Hybris Marketing
  ○ Overview of the user synchronization strategy, if several components or products are involved
  ○ Overview of how integration into Single Sign-On environments is possible

● Authorizations
  This section provides an overview of the authorization concept that applies to SAP Hybris Marketing.

● Session Security Protection
  This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).

● Network and Communication Security
  This section provides an overview of the communication paths used by SAP Hybris Marketing, and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Internet Communication Framework Security
  This section provides an overview of the Internet Communication Framework (ICF) services that are used by SAP Hybris Marketing.

● Application-Specific Virus Scan Profile (ABAP)
  This section provides information about an interface for virus scanners to prevent manipulated or malicious files from damaging the system.

● Data Storage Security
  This section provides an overview of any critical data that is used by SAP Hybris Marketing, and the security mechanisms that apply.

● Security-Relevant Logging and Tracing
  This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach occurs.

● Services for Security Lifecycle Management
  This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.

Note: For more information about the Technical System Landscape, see the Master Guide for SAP Hybris Marketing on SAP Help Portal at http://help.sap.com/mkt under Installation and Upgrade Information.

2 Before You Start

Fundamental Security Guides

The architecture of SAP Hybris Marketing is based on web-based front ends (Web Dynpro ABAP and SAP UI5 library-based applications on SAP Gateway technology) on top of SAP NetWeaver 7.5 Application Server ABAP. The underlying database is SAP HANA. Many security-relevant components of SAP Hybris Marketing are built using SAP NetWeaver 7.5 Application Server ABAP (including SAP Gateway and SAP NetWeaver UI Extension), and SAP HANA 1.0. For more information about releases, see the SAP Hybris Marketing installation guide at http://help.sap.com/mkt under Installation and Upgrade Information.

Therefore, the corresponding security guides also apply to SAP Hybris Marketing. Pay particular attention to the most relevant sections or specific restrictions as indicated in the following table:

Table 2:

| Scenario, Application, or Component Security Guide | Most Relevant Sections or Specific Restrictions |
| SAP NetWeaver 7.5 Application Server ABAP | User Management, Authorization, and Authentication, Secure Session Management |
| SAP HANA Database 1.0 | Data Storage Security |
| SAP HANA 1.0 Trigger-Based Data Replication | Data replication from source system to SAP Hybris Marketing |
| SAP Gateway Foundation 7.50 | Network and Communication Security |
| SAP Fiori Security Information | Communication, User Management and Authentication, Session Protection |
| SAP HANA Rules Framework | Security Guide of the SAP HANA Rules Framework, User Management, Roles and Authorizations, Communication Destinations |

For a complete list of the available SAP security guides, see SAP Service Marketplace at http://service.sap.com/securityguide

Important SAP Notes

For the most important notes for the underlying technology, refer to the security guides of SAP NetWeaver, SAP HANA Database, and SAP Gateway. For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Support Portal at http://support.sap.com/securitynotes .

Configuration

You can find a summary of the configuration steps for implementing security for SAP Hybris Marketing in the Solution Manager Content for SAP Hybris Marketing.

Additional Information

For more information about specific topics, see the Quick Links as shown in the following table:

Table 3:

| Content | Quick Link on SAP Service Marketplace, SAP Support Portal, or SDN |
| Security | http://sdn.sap.com/irj/sdn/security |
| Security Guides | http://service.sap.com/securityguide |
| Related SAP Notes | https://service.sap.com/sap/support/notes/ http://support.sap.com/securitynotes |
| Released platforms | http://support.sap.com/pam |
| Network security | http://service.sap.com/securityguide |
| SAP Solution Manager | http://support.sap.com/solutionmanager |
| SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver |

3 Security Aspects of Data, Data Flow, and Processes

SAP Hybris Marketing includes the marketing platform SAP Hybris Marketing Data Management, which provides a single view on your customer data (accounts, contacts, interactions, target groups). Based on this platform, you can use additional marketing applications that are available individually on the price list. The additional applications are the following:

● SAP Hybris Marketing Segmentation enables marketing, sales, and service professionals to rapidly and easily segment large customer populations with the support of insightful charts.

● SAP Hybris Marketing Acquisition allows you to create marketing campaigns by email or text message that are based on predefined content templates. You can release, and send the campaigns out to a preselected list of contacts. A campaign-based lead creation in SAP Hybris Cloud for Customer triggers the lead management process from SAP Hybris Marketing. The calendar allows you to gain an overview of your current campaign success with regard to time.

● SAP Hybris Marketing Recommendation enables data scientists to create and manage recommendation models that provide consumers with relevant product recommendations in real time, simultaneously across multiple sales channels. You can create models to leverage algorithms and SAP HANA to query and retrieve product recommendations from SAP ERP, SAP CRM, or business event data sources.

● SAP Hybris Marketing Insight supports on-the-fly insights into all customer data for sales and marketing. With this solution, several millions of orders, invoices and financial data can be analyzed in real time. In addition, it enables marketing executives to review the success of marketing investments. This dashboard is comprised of the most important Key Performance Indicators (KPIs) for marketing effectiveness.

● SAP Hybris Marketing Planning supports marketing managers in planning budgets, programs, and spends as well as marketing experts in planning campaigns and spends in a simple and intuitive way. In the calendar, marketing managers and marketing experts can have a complete overview of ongoing and planned marketing activities.

The main process in SAP Hybris Marketing is to retrieve account information (master data or transactional data), for example from an SAP ERP system (sales and distribution system), and to store this information in the SAP HANA database. Once the data is available, it is ready for analysis and segmentation. New target groups and ad-hoc segments can be created and sent to an SAP CRM system. SAP Hybris Marketing also supports the processing and analysis of information from various social media platforms, and allows follow-up actions, such as campaign creation, within SAP CRM as well.

The following table shows the security aspects to be considered for the various process steps and which security mechanism applies.

Table 4:

| Business Group | Description | Security Measure |
| Contacts and Profiles | Retrieve account statistics and master data from an SAP ERP system (sales and distribution system) | In the SAP SLT data replication, the SLT server can be a separate SAP system that is connected to SAP ERP by RFC. We recommend using channel encryption via Secure Network Communication wherever possible. |
| | Account/relationship analysis | Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18]. |
| | Data maintenance and clean-up | Once accounts are deleted or archived in the SAP ERP system, the data is deleted in the SAP Hybris Marketing system automatically using SLT. Related target groups and campaigns can be deleted by the administrators of SAP Hybris Marketing. |
| Profile dashboard | Analyze contacts for creating marketing campaigns or target groups. | Make sure that the authorization policy is enforced for working with contacts and target groups. For more information, see Authorizations [page 18]. |
| Sentiment engagement | Analyze, filter, process, and group data that have been harvested from external channels. Note: The setup of external channels is not part of the standard shipment. | Make sure that the authorization policy is enforced for working with contacts and target groups. For more information, see Authorizations [page 18]. |
| | Track and record events in interactions and interaction contacts | Make sure that the authorization policy is enforced for working with campaign content in SAP HANA, and ABAP, especially with regard to the required technical users in SAP HANA, and ABAP. For more information, see Authorizations [page 18]. |
| Segmentation | Define segmentation | Make sure that the authorization policy is enforced for working with segmentation models. For more information, see Authorizations [page 18]. |
| Acquisition | Create campaigns | Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18]. |
| | Create campaigns in SAP CRM | Make sure that the authorization policy is enforced for working with campaign creation, and management in SAP CRM. For more information, see Authorizations [page 18]. |
| | Create campaign content with personalized content template | Make sure that the authorization policy is enforced for working with Campaign Content in SAP HANA, and ABAP, especially with regard to the required technical users in SAP HANA, and ABAP. For more information, see Authorizations [page 18]. |
| Insight | Analyze customer data | Make sure that the authorization policy is enforced by assigning organizational levels (for example, company codes, sales groups, marketing areas) to the users via appropriate roles. For more information, see Authorizations [page 18]. |
| Planning | Perform budget planning, spend planning | Make sure that the authorization policy is enforced for creating plans in budget planning, for planning spend on campaigns, and managing proposed spends, and assigning campaigns in programs. For more information, see Authorizations [page 18]. |
| Recommendation | Create and manage recommendation models | Make sure that the authorization policy is enforced for working with recommendation models. For more information, see Authorizations [page 18]. |
| Lead Management | Classify contacts by stages, create SAP Hybris Cloud for Customer leads, and activities, such as phone calls, appointments, tasks, by a campaign, and analyze lead management process | Make sure that the authorization policy is enforced for lead stages, campaign creation, transfer leads and lead dashboard. For more information, see Authorizations [page 18], and SAP Hybris Marketing installation guide on SAP Help Portal at http://help.sap.com/mkt under Installation and Upgrade Information > Installation Guide > Installation of SAP Smart Business, executive edition. |
| | Define lead scores via Score Builder | Make sure that the authorization policy is enforced for SAP HANA Rules Framework (HRF). For more information, see User Management [page 13]. |

4 User Administration and Authentication

SAP Hybris Marketing uses the user management and authentication mechanisms provided with the SAP NetWeaver Platform, in particular the SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Hybris Marketing.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the following topics:

● User Management [page 13]
  This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP Hybris Marketing.

● Integration into Single Sign-On Environments [page 16]
  This topic describes how SAP Hybris Marketing supports Single Sign-On mechanisms.

For more information about user management and authentication, see the related topic in SAP Library at http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > User Administration and Authentication.

4.1 User Management

User management for SAP Hybris Marketing uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP Hybris Marketing, see the following sections. In addition, we provide a list of the standard users required for operating SAP Hybris Marketing.

User Administration Tools

The following table shows the tools to use for user management and user administration with SAP Hybris Marketing.

Table 5:

| Tool | Detailed Description |
| User and role maintenance with SAP NetWeaver AS ABAP (SU01, PFCG) | User Role Administration of Application Server ABAP. For more information, see SAP Help Portal at http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Security > Identity Management > User and Role Administration of Application Server ABAP. |
| User and role maintenance with SAP HANA Extended Application Services (XS) | For more information, see SAP Note 2006478, and the SAP HANA Security Guide on the SAP Help Portal at http://help.sap.com/nw under SAP HANA Platform > SAP HANA Platform (Core) > Security. |

User Types

It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their password on a regular basis, but not those users with background processing jobs.

The user types that are required for SAP Hybris Marketing include the following:

● Individual users
  Business users are SAP Hybris Marketing users who run the customer analysis, create target groups, and so on. For more information, see Authorizations [page 18].

● Technical users in SAP NetWeaver ABAP, and in SAP HANA
  ○ RFC users that are used to communicate with an SAP ERP system (sales and distribution system), or an SAP CRM system
  ○ Background users are used for processes, such as data loading and data extraction, which are typically scheduled in the background.
  ○ Technical user in SAP NetWeaver ABAP, or in SAP HANA that will be used during technical configuration

For more information about these user types, see the related topic on the SAP Help Portal at http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for the Application Server > Security Guides for the AS ABAP.

Standard Users

The table shows the standard users that are necessary for operating SAP Hybris Marketing, both in the ABAP, and in the SAP HANA layer:

Table 6:

| System | User ID | Type | Password | Description |
| SAP System ID | Variable | Dialog | Mandatory and following the password policies of SAP NetWeaver Application Server ABAP | - |
| SAP System ID | Variable | Technical | Mandatory and following the password policies of SAP NetWeaver Application Server ABAP | - |
| SAP System ID | Variable | Service | Mandatory and following the password policies of SAP NetWeaver Application Server ABAP | Technical user is required for the call of ABAP OData requests from within SAP HANA Extended Application Services (XS) (relevant for Campaign Content) |

SAP InfiniteInsight

The integration to SAP InfiniteInsight requires a database user that is used in a SAP HANA ODBC connection to the SAP HANA database.

Table 7:

| System | User ID | Password | Description |
| SAP (SID) | SAP (SID) | Mandatory and following the password policies of SAP HANA | General technical user for accessing SAP HANA from ABAP via ADBC and OpenSQL. This user needs to get additional privileges for accessing schema SAP_AMP |

Note: For the communication to external mail services, a (technical) user is required in the http destination. For more information, see Communication Destinations [page 53].

These are only the SAP Hybris Marketing standard users. None of these users are predefined and shipped. They are created during the SAP Hybris Marketing system setup.

Setup of SAP HANA Rules Framework

The technical configuration task list CUAN_SETUP_HRF can be used for setting up the SAP HANA Rules Framework (HRF) for SAP Hybris Marketing. A (technical) SAP HANA user is required for this step. This user needs specific authorization. For more information about the authorizations, see the installation guide for SAP Hybris Marketing on the SAP Help Portal at http://help.sap.com/mkt under Installation and Upgrade Information, under Optional Configuration Settings.

For more information, and a list of additional standard users necessary to operate a system based on SAP NetWeaver, see SAP Help Portal at http://help.sap.com/nw:

● SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide

● SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guide for SAP BW

Recommendation: We recommend changing the user IDs and passwords for users that are automatically created during the installation process.
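
Added example (not part of the SAP guide): a small Python audit that applies two rules from this section to an exported user list, namely periodic password changes for Dialog users only, and changed credentials for users created automatically during setup. The CSV columns, the user IDs, and the 90-day limit are assumptions made for this illustration; the check covers passwords only, not renamed user IDs.

```python
import csv
import io
from datetime import date

# Assumption for this example: interactive users must change their password
# at least every 90 days. Replace with the value from your own policy.
MAX_DIALOG_PASSWORD_AGE_DAYS = 90

# User types as named in Table 6 of this guide.
INTERACTIVE_TYPES = {"Dialog"}
NON_INTERACTIVE_TYPES = {"Technical", "Service"}

# Constructed sample export. Column names and user IDs are hypothetical.
SAMPLE_EXPORT = """user_id,user_type,created_on,password_changed_on,created_by_setup
MKT_EXPERT01,Dialog,2016-11-21,2017-01-30,no
MKT_EXPERT02,Dialog,2016-10-03,2016-10-03,no
MKT_RFC_ERP,Technical,2016-11-21,2016-12-01,yes
MKT_BATCH,Technical,2016-11-21,,yes
MKT_ODATA_XS,Service,2016-11-21,2016-11-21,yes
MKT_UNKNOWN,Reference,2016-11-21,2017-02-01,no
"""


def _parse_date(value):
    """Return a date for an ISO string, or None for an empty field."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def audit_users(export_text, today):
    """Return {user_id: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        user_type = row["user_type"].strip()
        created = _parse_date(row["created_on"])
        changed = _parse_date(row["password_changed_on"])
        from_setup = row["created_by_setup"].strip().lower() == "yes"

        if user_type in INTERACTIVE_TYPES:
            # Periodic change applies to interactive users only.
            last_set = changed or created
            if (today - last_set).days > MAX_DIALOG_PASSWORD_AGE_DAYS:
                issues.append("dialog-password-overdue")
        elif user_type not in NON_INTERACTIVE_TYPES:
            # A type with no policy attached needs a decision, not silence.
            issues.append("unclassified-user-type")

        # Users created automatically during setup should not keep the
        # password they were created with.
        if from_setup and (changed is None or changed <= created):
            issues.append("setup-credentials-unchanged")

        if issues:
            findings[row["user_id"]] = issues
    return findings


if __name__ == "__main__":
    for user_id, issues in audit_users(SAMPLE_EXPORT, date(2017, 2, 17)).items():
        print(user_id, ", ".join(issues))
```

Background and RFC users are deliberately exempt from the age check but are still reported when their setup password was never replaced.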

4.2 Integration into Single Sign-On Environments

The most widely-used supported mechanisms are as follows:

● Secure Network Communications (SNC)
  SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

● SAP logon tickets
  SAP Hybris Marketing supports the use of logon tickets for SSO when using a Web browser as front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

● Client certificates
  As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system. All certificates are handled in SAP NetWeaver in the ABAP layer.

● Security Assertion Markup Language (SAML) 2.0
  SAML 2.0 provides a standards-based mechanism for SSO. The primary reason to use SAML 2.0 is to enable SSO across domains.

SAP Hybris Marketing supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver, and by SAP HANA Extended Application Services (XS). Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide, and in the SAP HANA Security Guide also apply to SAP Hybris Marketing.

For more information, see http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide. In the table, choose Functional Unit and Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide.

For more information about the available authentication mechanisms, see http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide. In the table, choose Functional Unit and Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > User Administration and Authentication > User Authentication.

5 Authorizations

SAP Hybris Marketing uses the authorization concept provided by the SAP NetWeaver Application Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Hybris Marketing.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the Application Server ABAP.

Note: For more information about how to create roles, see SAP Help Portal at http://help.sap.com/nw under SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Security > Identity Management > User and Role Administration of Application Server ABAP > Configuration of User and Role Administration > Role Administration.

Role and Authorization Concept for SAP Hybris Marketing

Business users of SAP Hybris Marketing can run all subcomponents, such as Data Management, Insight, Segmentation, Campaigns, Planning, Recommendation, and Business Administration.

For more information about authorizations and the main tasks in SAP Hybris Marketing, see SAP Help Portal at http://help.sap.com/mkt > Application Help > SAP Hybris Marketing > User Management.

The following types of users can be distinguished in SAP Hybris Marketing:

● Marketing Expert
  ○ General user for a marketing expert to access Data Management, Insight, Segmentation, Campaigns, Planning, Lead Management, and Recommendation. These activities are bundled in the composite role SAP_MARKETING_EXPERT.
  ○ Special user for a marketing expert to access Segmentation. These activities are bundled in the composite role SAP_MARKETING_SEGMENTATION.
  ○ Special user for a marketing expert to access Campaign. These activities are bundled in the composite role SAP_MARKETING_CAMPAIGNS.
  ○ Special user for a marketing expert to access Recommendation. These activities are bundled in the composite role SAP_MARKETING_RECOMMEND_EXPERT.
  ○ Special user for a marketing expert to access Insight. These activities are bundled in the composite role SAP_MARKETING_INSIGHT.
  ○ Special user for a marketing expert to access Data Management. These activities are bundled in the composite role SAP_MARKETING_DATA_MANAGEMENT.
  ○ Special user for a marketing expert to access Spend Quick Entry, Detailed Spend Planning, and Programs. These activities are bundled in the composite role SAP_MARKETING_SPEND_MGMT_PROG.
● Marketing Manager
  ○ Special user for a marketing manager to access all marketing-related tasks. These activities are bundled in the composite role SAP_MARKETING_MANAGER.
  ○ Special user for a marketing manager to access Planning. These activities are bundled in the composite role SAP_MARKETING_PLANNING.
● Marketing Executive
  Special user for a marketing executive to access the Executive Dashboard. These activities are bundled in the composite role SAP_MARKETING_EXECUT_DASHBOARD.
● Business Analyst
  Special user for a business analyst to access apps for analytic purposes. These activities are bundled in the composite role SAP_MARKETING_RECOMMENDATION.
● Sales Representative
  Special user for a sales representative to access SAP Hybris Marketing role-specific areas. These activities are bundled in the composite role SAP_SALES_REP_MKT_INFO.
● Business Administrative User
  Special key user for key activities and administrative tasks, such as import of external data, access to user lists, sender profiles, export definitions for target groups and campaigns, and for managing integration errors of the SAP Hybris Cloud for Customer integration of SAP Hybris Marketing. These activities are bundled in the composite role SAP_MARKETING_BUS_ADMIN_USER.
● Technical User
  Special technical user to access the technical configuration of SAP Hybris Marketing. These activities are bundled in the composite role SAP_MARKETING_TECHNICAL_CONF.

These sets of activities in SAP Hybris Marketing are bundled in one single application, the home screen of SAP Hybris Marketing. The end users of this application are able to leverage all capabilities of SAP Hybris Marketing. Access is restricted on an organizational level, so that certain users of SAP Hybris Marketing are only authorized to analyze accounts of a certain country, company code, sales group, and so on. For a detailed description about the organizational levels, see the Standard Authorization Objects section in this topic.

Marketing Area

The marketing area identifies an organizational unit. It defines which instances of a business object type you are allowed to display or change. It is used in, or affects, the following objects and applications in SAP Hybris Marketing:

● Budget planning
● Campaign
● Campaign content
● Content template
● Marketing calendar
● Marketing Spend
● Offers
● Predictive model
● Program
● Sender profile
● Target group
● Marketing Location


Target group, campaign, campaign content, content template, predictive model, and program are enhanced by an authorized user, which is the container for the relation between an object instance and a single user.

The authorization object HPA_MKT_AR is part of the PFCG roles containing the start authorizations.

Note

Budget Planning uses areas of responsibility for instance authorizations. For more information, see SAP Help Portal at http://help.sap.com/mkt > SAP Hybris Marketing > Worksets and Applications > Planning > Authorization Examples for Budget Planning and Marketing Spend Management.

Instance Authorization by Team Membership

In addition to the instance authorization by PFCG role, you can flexibly grant instance authorization by team membership, for example, using the Team facet of a campaign (instance of the campaign business object). When you add a user to the team of a campaign, the system nevertheless checks the user authorization based on the PFCG role. If the user is not authorized by the role, but only by the team membership, the user is indicated as External (in the list of team members).

Standard Roles

Composite Roles

In SAP Hybris Marketing, the following composite roles are provided. You can display the list of assigned single roles for each of these composite roles in the backend system in transaction PFCG.

Enter the name of the composite role, for example SAP_MARKETING_EXPERT, click on Display, and then select the tab Roles. With a double click on the single role, you can view a role description.

Table 8:

Name Composite Role Description

Access for Marketing Experts SAP_MARKETING_EXPERT To access role-specific applications in SAP Hybris Marketing
To access all data as defined by the authorization objects in the standard delivery

Access to Segmentation for the Marketing Expert SAP_MARKETING_SEGMENTATION To access Segmentation within SAP Hybris Marketing
To access all data as defined by the authorization objects in the standard delivery


Access to Campaigns for the Marketing Expert SAP_MARKETING_CAMPAIGNS To access Campaigns within SAP Hybris Marketing
To access all data as defined by the authorization objects in the standard delivery

Access to Extended Application Components SAP_MARKETING_EAC To access Extended Applications like Loyalty Management, Profile Graph and Customer Journey Manager. Customers have to subscribe to Hybris Profile on the YaaS Marketplace to use these.

Access to Planning for the Marketing Manager SAP_MARKETING_PLANNING To access Planning within SAP Hybris Marketing
To access all data as defined by the authorization objects in the standard delivery

Access for the Marketing Manager SAP_MARKETING_MANAGER To access marketing-related tasks for managers.

Access to Recommendations for the Marketing Expert SAP_MARKETING_RECOMMEND_EXPERT To access Recommendation within SAP Hybris Marketing
To access all data as defined by the authorization objects in the standard delivery

Access to Recommendations for the Business Analyst SAP_MARKETING_RECOMMENDATION To access Recommendation within SAP Hybris Marketing
To access all recommendation-relevant tasks for business analysts

Access to Contacts and Profiles for the Marketing Expert SAP_MARKETING_DATA_MANAGEMENT To access Contacts and Profiles within SAP Hybris Marketing
To access all the data, as defined by the authorization objects in the standard delivery

Access to Insight for the Marketing Expert SAP_MARKETING_INSIGHT To access Insight within SAP Hybris Marketing
To access all the data, as defined by the authorization objects in the standard delivery


Access for the Marketing Executive SAP_MARKETING_EXECUT_DASHBOARD To access the Marketing Executive Dashboard within SAP Hybris Marketing

Access for the Business Administrative User SAP_MARKETING_BUS_ADMIN_USER To access all applications for key user and administrative activities in SAP Hybris Marketing

Access to Spend Management and Programs for the Marketing Expert SAP_MARKETING_SPEND_MGMT_PROG To access marketing-related tasks in spend planning
To access all the data, as defined by the authorization objects in the standard delivery

Technical Configuration of SAP Hybris Marketing SAP_MARKETING_TECHNICAL_CONF Contains all roles required to run the technical configuration of SAP Hybris Marketing

Access to Business User Administration for System Administrators SAP_MARKETING_USER_ADMIN To create and change SAP Hybris Marketing business users for ABAP and SAP HANA.

Access to Sales Representative SAP_SALES_REP_MKT_INFO To access SAP Hybris Marketing role-specific areas by sales experts.

Note

Each single role in composite role Access for Marketing Experts (SAP_MARKETING_EXPERT) contains information about business groups, applications, and detail screens with their facets.

S/4 HANA Composite Roles

The following role is to be used as an alternative to the SAP_MARKETING_EXPERT composite role.

Note

Access to Insight and Customer Value Intelligence for the marketing expert is not available; therefore, the SAP_MARKETING_INSIGHT composite role cannot be used.

All other roles can be used.


Table 9:

Name Composite Role Description Assigned Single Roles

Access for the Marketing Expert SAP_MARKETING_IN_S4H_EXPERT To access SAP Hybris Marketing.

SAP_CEI_ADT

SAP_CEI_ACD_FLP

SAP_CEI_BEHAVIOUR_INSIGHT

SAP_CEI_BI_AUTH

SAP_CEI_CJI

SAP_CEI_CONTENT_LIBRARY

SAP_CEI_CONTENT_PAGES

SAP_CEI_CONTENT_PAGE_RSLT

SAP_CEI_CPM_FLP

SAP_CEI_GEN_FLP

SAP_CEI_HOME

SAP_CEI_ISG_FLP

SAP_CEI_KPI_TILES

SAP_CEI_LDB_FLP

SAP_CEI_LEAD_DASHBOARD

SAP_CEI_LEAD_STAGES

SAP_CEI_LEA_FLP

SAP_CEI_MEM

SAP_CEI_MICRO_LIST

SAP_CEI_MKT_CAL_APP

SAP_CEI_MKT_CAL_PLANNING

SAP_CEI_MSM_QE_APP

SAP_CEI_MSM_SM_APP

SAP_CEI_OFFER_APP

SAP_CEI_PBA

SAP_CEI_PROFILES

SAP_CEI_PROGRAM

SAP_CEI_RECO_MKT


SAP_CEI_RECO_MKT_OFFER

SAP_CEI_RECO_SCE

SAP_CEI_ROF_FLP

SAP_CEI_SCI

SAP_CEI_SCI_FLP

SAP_CEI_SIMPLE_SCORES

SAP_CEI_SMP_FLP

SAP_CEI_TG_INI

SAP_CEI_TG_INI_FLP

Single Roles

The following table shows which single roles are available and what their function is:

Table 10:

Name Single Role Description

Business User Roles

Analysis of Accounts and Campaigns SAP_CEI_ACC_CPG_INSIGHT To control the authorization for the application Marketing Insight for Sales of SAP Hybris Marketing in the SAP Fiori launchpad to analyze accounts and campaigns based on specific attributes in SAP Hybris Marketing.

Segmentation SAP_CEI_ADT To control the authorization for the applications Segmentation, Segmentation Models, and Segmentation Building Blocks within the business group Segmentation.

Marketing Planning SAP_CEI_AMP To control the authorization for the application Budget Plans.

Application Log SAP_CEI_APPL_LOG To control the authorization for the application Application Logs provided by the products of SAP Hybris Marketing in the SAP Fiori launchpad.

Audiences SAP_CEI_AUDIENCES To control the authorization for the application Audiences for the Marketing Effectiveness Data Foundation.


Product Recommendations SAP_CEI_B2C_RECO To control the authorization for the applications Recommendation Models and Recommendation Types within the business group Recommendations.

Behaviour Insight SAP_CEI_BEHAVIOUR_INSIGHT To control the authorization for the application Behaviour Insight of SAP Hybris Marketing in the SAP Fiori launchpad to analyze customer's behaviour based on specific attributes.

Access to SAP NetWeaver Business Intelligence SAP_CEI_BI_AUTH To control the authorization for access to SAP HANA, using BEx queries
To access the infrastructure of SAP Business Warehouse within SAP Hybris Marketing
For more information on authorizations, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Business Warehouse > SAP NetWeaver 7.5 > Application Help > Function-Oriented View > (choose your language) > Business Warehouse > Data Warehousing > Data Warehouse Management > Authorizations.

Campaigns SAP_CEI_CAMPAIGNS This role allows marketing experts to access the Fiori app for Campaigns with the flow-based UI in SAP Hybris Marketing.
To use the classic Campaigns app, use the role SAP_CEI_TG_INI.

C4C Sales Integration SAP_CEI_CFS This role allows sales representatives to access Contacts and Corporate Accounts in SAP Hybris Marketing.

Customer Journey Insight SAP_CEI_CJI To control the authorization for the application Customer Journey Insight.

Customer Journey Events SAP_CEI_CJI_EVENTS To control the authorization for the application Customer Journey Events.

Communication Categories and Limits SAP_CEI_COMM_CATEG_LIMITS To control the authorization for the application Communication Categories and Limits.


Competitors SAP_CEI_COMPETITORS To control the authorization for the application Competitors for the Marketing Effectiveness Data Foundation.

Content Studio SAP_CEI_CONTENT_LIBRARY To control the authorization for the application Content Studio and the associated OData service in SAP Hybris Marketing.

Landing Pages SAP_CEI_CONTENT_PAGES To control the authorization for the application Landing Pages for managing landing pages, and the associated OData service.

Sender Profiles SAP_CEI_CPG_SENDER_PROFILES To control the authorization for the application Sender Profiles.

Release Campaigns SAP_CEI_CUAN_MK_INI_REL_APP To control the authorization for the application Release Campaigns.

Release Target Groups SAP_CEI_CUAN_MK_TG_REL_APP To control the authorization for the application Release Target Groups.

Insight SAP_CEI_CVI To control the authorization for the applications Relationship Analysis - Sales, Relationship Analysis - Presales, Stratification, and Margin Decomposition within the business group Insight.

Register Extensions for Transport SAP_CEI_EXT_ATO To access the app Register Extensions for Transport

Custom Fields and Logic SAP_CEI_EXT_CFD To access the app Custom Fields and Logic

Manage Images SAP_CEI_EXT_MAN_IMG To access the app Manage Images

Configure Software Packages SAP_CEI_EXT_SPK To access the app Configure Software Packages

Map Free Texts SAP_CEI_FREETEXT_MAP To control the authorization for the application Map Free Texts of SAP Hybris Marketing in the SAP Fiori launchpad to add free text to contacts.

Home Workset SAP_CEI_HOME This role is mandatory for access to User Information, Personalization and Application Help, and it controls the non-Fiori UI5 applications.


Import Data for Analytics SAP_CEI_IMPORT_ANALYTICS To control the authorization for the application Import Data for Analytics.

Manage Interests SAP_CEI_INTERACTION_INTERESTS To control the authorization for the application Manage Interests.

Key Performance Indicators SAP_CEI_KPI_TILES To control the authorization for the applications for Key Performance Indicators of SAP Hybris Marketing in the SAP Fiori launchpad.

Business Administration SAP_CEI_KUA To control the authorization for the application of Business Administration for key user activities of SAP Hybris Marketing, that is, business administration tasks in the front-end system.

Business Administration for User Interface SAP_CEI_KUI To configure the user interface for all business users of SAP Hybris Marketing.

Lead Dashboard SAP_CEI_LEAD_DASHBOARD To control the authorization for the application Lead Dashboard.

Lead Replication Administration SAP_CEI_LEAD_REPL_ADMIN To control the authorization for the application Integration Errors to access errors caused by the data transfer from SAP Hybris Cloud for Customer to SAP Hybris Marketing.

Lead Stages SAP_CEI_LEAD_STAGES To control the authorization for the application Lead Stages within the business group Lead Management, and to access Leads on the Contact factsheet.

Loyalty KPIs SAP_CEI_LOY_KPI Access to Loyalty KPIs in Home Screen

Marketing Location SAP_CEI_MARKETING_LOCATION Access to Marketing Locations in SAP Hybris Marketing.

Access to Marketing Executive Dashboard SAP_CEI_MED To control the authorization for the application Marketing Executive Dashboard.

Messages SAP_CEI_MEM To control the authorization for the application Activate Confirmations.


Micro Lists SAP_CEI_MICRO_LIST To control the authorization for the application Micro Lists of SAP Hybris Marketing in the SAP Fiori launchpad to access micro lists, such as Recent Items, Active Campaigns, or Create Segmentation Model.

Marketing Approvals SAP_CEI_MKT_APPROVAL Access to Marketing Approvals

Marketing Attribute Categories SAP_CEI_MKT_ATTR_CATEGORIES To control the authorization for the application Marketing Attribute Categories.

Marketing Approvals for Batch Users SAP_CEI_MKT_BATCH_APPROVAL This role enables the workflow batch user to execute the user decision in Marketing Approvals.

Marketing Calendar SAP_CEI_MKT_CAL_APP To control the authorization for the application Marketing Calendar.

Marketing Calendar in Planning SAP_CEI_MKT_CAL_PLANNING To control the authorization for the application Marketing Calendar.

Marketing Spend - Quick Entry SAP_CEI_MSM_QE_APP To control the authorization for the application Quick Campaign Spend.

Marketing Spend - Details SAP_CEI_MSM_SM_APP To control the authorization for the application Detailed Campaign Spend.

Offers SAP_CEI_OFFER_APP To control the authorization for the application Offers.

Predictive Studio SAP_CEI_PBA To control the authorization for the application Predictive Studio that can be used for certain products and market definitions.

Profiles SAP_CEI_PROFILES To access the application Profiles in SAP Hybris Marketing.

Marketing Programs SAP_CEI_PROGRAM To control the authorization for the application Programs.

Provider Credentials SAP_CEI_PROVIDER_CREDENTIALS To control the authorization for the application Provider Credentials.

Recommendation Algorithm Defaults SAP_CEI_RECO_ALDS To control the authorization for the application Recommendation Algorithm Defaults.


Manage Recommendations SAP_CEI_RECO_MKT To control the authorization for the application Manage Recommendations.

Manage Offer Recommendations SAP_CEI_RECO_MKT_OFFER To control the authorization for the application Offer Recommendations.

Recommendation Scenarios SAP_CEI_RECO_SCE To control the authorization for the application Recommendation Scenarios.

Dimension Relationships SAP_CEI_RELATIONSHIPS To access Dimension Relationships

Contacts and Profiles SAP_CEI_SCI To control the authorization for the applications Profile Dashboard, Contacts, and Sentiment Engagement within the business group Contacts and Profiles.

Score Builder SAP_CEI_SIMPLE_SCORES To control the authorization for the application Score Builder of SAP Hybris Marketing in the SAP Fiori launchpad. To use this role correctly, please read Authorization Changes in Single Roles in the Upgrade Guide on http://help.sap.com/mkt.

Target Groups SAP_CEI_TARGET_GROUPS To allow exclusive access to target groups without allowing access to contacts. This role works only with the flow-based campaigns app.

Target Groups, Campaigns, Contacts and Accounts SAP_CEI_TG_INI To control the authorization for the applications for business objects, such as Target Groups, Campaigns (classic campaigns, including paid search campaigns, and Facebook campaigns), Corporate Accounts, Transfer Leads, and Contacts.

Manage Workflows SAP_CEI_WORKFLOW_EDITOR To access the Workflow Editor in SAP Hybris Marketing

Access to Administrative Actions SAP_CUSTOMER_ANALYTICS_ADMIN To set up recurring and extensibility tasks, such as scheduling of background jobs to trigger a regular lead stage calculation.

Integration Roles


Actual Spend Integration SAP_CEI_ACTUAL_INTEGRATION To use the OData service CUAN_ACTUAL_IMPORT_SRV to upload the actual and committed spend for campaigns from external systems.

B2C Recommendation Runtime SAP_CEI_B2C_RECO_RUNTIME To access the B2C recommendation runtime in SAP Hybris Marketing.

SAP Hybris Cloud for Customer Integration SAP_CEI_C4C_INTEGRATION To use the OData services CUAN_BUSINESS_DOCUMENT_IMP_SRV and CUAN_BUSINESS_PARTNER_SRV within SAP Hybris Cloud for Customer integration scenarios.

Consumer Insight 365 Integration SAP_CEI_CI365_INTEGRATION To control the authorization for the application Consumer Insight 365 to create segmentation models directly in SAP Hybris Marketing, based on analyzed consumer behavior in Consumer Insight 365.

Landing Page Result SAP_CEI_CONTENT_PAGE_RESLT To access the OData service for storing landing page result information as a technical user.

E-Commerce Integration SAP_CEI_ECOMMERCE_INTEGRATION To enable an e-commerce system to carry out a mass import of contact persons and interaction data, and to search for campaigns (customer segments) in SAP Hybris Marketing to which a Web shop user is assigned. The Web shop can use this information to provide a personalized shopping experience to users who belong to a specific customer segment.

Campaign Optimized Execution Plan Integration SAP_CEI_MPO_EXEC_PLAN_IMPORT To access the OData service CUAN_MPO_IMPORT_SRV to upload the optimized execution plan for campaigns.

Offer Import SAP_CEI_OFFER_IMPORT_API To import offers to SAP Hybris Marketing from external systems, using an OData API.

Offer Public API SAP_CEI_OFFER_PUBLIC_API To access the application Offers in SAP Hybris Marketing for the use in a Web shop, using an OData API.


Web Content Management Integration SAP_CEI_WEBEXPRNCE_INTEGRATION To search for campaigns (customer segments) to which a content user is assigned, in a content management system.

Contacts and Profiles SAP_CEI_SCI_ISCE To access Contacts and Profiles with Profile Dashboard, Contacts, and Sentiment Engagement with the in-store customer engagement OData service in SAP Hybris Marketing.

Technical Configuration Roles

BI Content Activation SAP_CEI_RS_RDEAD To activate BI content for SAP Hybris Marketing.

Enhanced Authorization for Composite Role SAP_MARKETING_TECHNICAL_CONF SAP_CEI_TECHNICAL_CONF_EHN To access and run the technical configuration.

Lead Replication Administration SAP_CEI_LEAD_REPL_ADMIN To control the authorization for the application Integration Errors to analyze errors created during the transfer of lead information from SAP Hybris Cloud for Customer to SAP Hybris Marketing.

User Management Roles

Business User Administration SAP_CEI_USER_HANDLING To control the authorization for the application User Lists.

Business Catalog Roles

Single roles with the postfix _FLP (business catalog roles) are used to start SAP Hybris Marketing from the SAP Fiori launchpad. These roles are only for apps that are not standard SAP Fiori apps. The business groups and business catalogs are modeled to give business roles, such as Marketing Experts, easy access to the relevant areas of SAP Hybris Marketing. The business groups and catalogs are assigned to the corresponding composite role via the business catalog roles.

Business Catalog Roles for the Marketing Expert (SAP_MARKETING_EXPERT)


Table 11:

Business Group Business Catalog Business Catalog Role / Description Product (License)

Quick Launch

SAP_CEC_BCG_MKT_GEN_OP

This role has several business catalogs assigned

SAP_CEI_GEN_FLP

To access business group Marketing - Quick Launch from the SAP Fiori launchpad

All Products

SAP_CEI_TG_INI_FLP is included in several business groups

Marketing - Cross Application Components

SAP_CEC_BC_MKT_CBO1_OP

SAP_CEI_TG_INI_FLP

To access the applications Target Groups, classic Campaigns, Corporate Accounts, and Contact Engagement from the SAP Fiori launchpad.

Contacts and Profiles

SAP_CEC_BCG_MKT_DM_OP

Marketing - Contacts and Profiles

SAP_CEC_BC_MKT_DM_OP

SAP_CEI_SCI_FLP

To access the business group Profile Dashboard from the SAP Fiori launchpad.

Data Management

Marketing - Predictive Model Management

SAP_CEC_BC_MKT_PBA_OP

SAP_CEI_PBA_FLP

To access the business catalog Marketing - Predictive Model Management from the SAP Fiori launchpad.

Segmentation

SAP_CEC_BCG_MKT_SEG_OP

Marketing - Segmentation

SAP_BC_MKT_SEG_OP

SAP_CEI_ADT_FLP

To access the business group Segmentation from the SAP Fiori launchpad.

Segmentation

Campaign Management Marketing - Campaign Management

SAP_CEC_BC_MKT_CPM1_OP

SAP_CEI_CPM_FLP

To access the business group Campaigns of SAP Hybris Marketing from the SAP Fiori launchpad.

Acquisition

Campaign Management Marketing - Campaign Management

SAP_CEC_BC_MKT_CPM_OP

SAP_CEI_CPM_FLP

To access the business group Campaigns of SAP Hybris Marketing with the flow-based campaign from the SAP Fiori launchpad.

Acquisition

Insight

SAP_CEC_BCG_MKT_ISG_OP

Marketing - Insight

SAP_CEC_BC_MKT_ISG_OP

SAP_CEI_ISG_FLP

To access the business group Insight of SAP Hybris Marketing from the SAP Fiori launchpad.

Insight


Customer Value Intelligence

SAP_CEI_INSIGHTS

SAP_CEI_CVI_FLP

To access the business catalog Customer Value Intelligence from the SAP Fiori launchpad.

Extended Marketing Applications (YaaS Extensions)

Spend Management and Programs

SAP_CEC_BCG_MKT_SMP_OP

Marketing - Spend Management and Programs

SAP_CEC_BC_MKT_SMP_OP

SAP_CEI_SMP_FLP

To access the business group Spend Management and Programs from the SAP Fiori launchpad

Planning

Recommendation

SAP_CEC_BCG_MKT_ROF_OP

Marketing - Recommendation

SAP_CEC_BC_MKT_ROF_OP

SAP_CEI_ROF_FLP

To access the business group Recommendation from SAP Fiori launchpad

Recommendation

Lead Management

SAP_CEC_BCG_MKT_LEA_OP

Marketing - Lead Management

SAP_CEC_BC_MKT_LEA_OP

SAP_CEI_LEA_FLP

To access the business group Lead Management from the SAP Fiori launchpad

Data Management

Marketing - Lead Dashboard

SAP_CEC_BC_MKT_LDB_OP

SAP_CEI_LDB_FLP

To access the Lead Dashboard from the SAP Fiori launchpad.

Insight

Loyalty Management Marketing - Extended Applications

SAP_CEC_BCG_MKT_LOY_OP

SAP_CEI_EAC_FLP

To access Loyalty Management from the SAP Fiori launchpad.

Extended Marketing Applications (YaaS Extensions)

Business Catalog Roles for the Marketing Manager (SAP_MARKETING_MANAGER)

Table 12:

Business Group Business Catalog Business Catalog Role / Description Product (License)

Marketing Manager - Quick Launch

SAP_CEC_BCG_MKT_MGR_OP

Marketing - Release

SAP_CEC_BC_MKT_REL_OP

SAP_CEI_REL_FLP

To access the business catalog Marketing - Release from the SAP Fiori launchpad.

Data Management


Approvals

SAP_CEC_BC_MKT_APV_OP?DEST

SAP_CEI_PLG_FLP

To access the business catalog Approvals from the SAP Fiori launchpad.

Planning

Marketing - Planning

SAP_CEC_BC_MKT_PLG_OP

SAP_CEI_PLG_FLP

To access the business catalog Marketing Planning from the SAP Fiori launchpad

Business Catalog Roles for the Marketing Executive (SAP_MARKETING_EXECUT_DASHBOARD)

Table 13:

Business Group Business Catalog Business Catalog Role / Description Product (License)

Marketing Executive

SAP_CEI_BCG_MARKETINGEXECUTIVE

Marketing Executive Dashboard

SAP_CEI_BC_MARKETINGEXECUTIVE

SAP_CEI_BCR_MARKETINGEXECUTIVE

To access the business catalog Marketing Executive Dashboard from the SAP Fiori launchpad.

Insight

Business Catalog Roles for the Sales Representative (SAP_SALES_REP_MKT_INFO)

Table 14:

Business Group Business Catalog Business Catalog Role / Description Product (License)

Sales - Marketing Information

SAP_CEC_BCG_MKT_SLS_OP

Sales - Marketing Information

SAP_CEC_BC_MKT_SLS_OP

SAP_CEI_BCR_SALES_REP_MKT_INF

To access the business group Sales - Marketing Information from the SAP Fiori launchpad.

Data Management

Business Catalog Roles for the Business Analyst (SAP_MARKETING_RECOMMENDATION)

Table 15:

Business Group Business Catalog Business Catalog Role / Description

Product (License)

Recommendation Modeling

SAP_CEI_BCG_BUSINESSANALYST

Marketing - Recommendation Modeling

SAP_CEI_BC_BUSINESSANALYST

SAP_CEI_BCR_BUSINESSANALYST

To access the business group Recommendation Modeling for analysis purposes of the business analyst from the SAP Fiori launchpad.

Recommendation

Predictive Model Management

SAP_CEC_BCG_MKT_PBA_OP

Marketing - Predictive Model Management

SAP_CEC_BC_MKT_PBA_OP

SAP_CEI_PBA_FLP

To access the business group Predictive Model Management from the SAP Fiori launchpad.

Data Management

Business Catalog Roles for the Administrator (SAP_MARKETING_USER_ADMIN)

Table 16:

Business Group Business Catalog Business Catalog Role / Description

Product (License)

Business Administration

SAP_CEC_BCG_MKT_ADM_OP

Marketing - Business Administration

SAP_CEC_BC_MKT_ADM_OP

SAP_CEI_KUA_FLP

To access business administration activities, such as segmentation configuration, from the SAP Fiori launchpad via the following business groups:

● Business Administration
● Import Data
● Segmentation and Campaign Configuration

All Products

Import Data

SAP_CEC_BCG_MKT_IMP_OP

Marketing - Import Data

SAP_CEC_BC_MKT_IMP_OP

Segmentation and Campaign Configuration

SAP_CEC_BCG_MKT_CPC_OP

Marketing - Segmentation and Campaign Configuration

SAP_CEC_BC_MKT_CPC_OP

Extensibility and Adaptability

AP_CEC_BCG_MKT_EXT_OP

Marketing - Extensibility and Adaptability

AP_CEC_BC_MKT_EXT_OP

Technical Catalog Roles

Table 17:

Business Group Business Catalog Business Catalog Role / Description

Product (License)

Business Administration

SAP_CEC_BCG_MKT_ADM_OP

Marketing - User Administration

SAP_CEI_KUA_TC_T

SAP_CEI_USER_HANDLING

To control the authorization for the application User Lists within the business group Business Administration.

All Products

SAP Hybris Marketing - Transactional Applications (Fiori)

SAP_CEI_TC_T

SAP_CEI_TCR_T

A technical role, which allows user administrators to access all the SAP Fiori transactional apps of SAP Hybris Marketing during the setup of business roles.

SAP Hybris Marketing - Other UI5 Transactional Apps

SAP_IC_CEC_MKT_OTHER_UI5

SAP Hybris Marketing - Key Performance Indicators

SAP_CEI_TC_A

SAP Hybris Marketing - Factsheets

SAP_CEI_TC_F

SAP Hybris Marketing - Search

SAP_CEI_TC_S

Basis

SAP_BASIS_TCR_T

Note

Use as Template for Own Roles

These roles contain all authorizations and all menu entries that you require to use SAP Hybris Marketing. You can use these roles for demonstration purposes, for example. For use in the live system, you must copy the roles to your own roles and delete the menu entries you do not require. You also need to assign the necessary authorizations using a generated authorization profile. The copies are proposed values and contain the authorizations as defined for the associated authorization objects (in transaction SU22). In addition, you have to adapt the activities and parameters contained in the authorization objects to your business processes, if required.

Note

If you make enhancements to your own roles, for example, by adapting the standard authorization objects, you need to copy these enhancements to the standard roles, in order to display the menu entries, such as facets, for the new roles.

Editing the Role Menu

The available worksets and subworksets on the SAP Hybris Marketing UI are determined from the business roles that are assigned to the business user. Therefore, the menu folder structure of a business role defines the order of the worksets and subworksets. The subfolders available under the folders High Performance Applications and SAP Hybris Marketing form the Application Menu. You can adapt the role menu as follows:

● In the role maintenance (PFCG), enter the role you want to adapt.
● On the Menu tab page, select the appropriate node, and choose the Create Folder symbol.
    ○ Enter a folder name.
    ○ Select the new folder, and create a subfolder with the Create Folder symbol.
    ○ Enter a folder name for the new subfolder.
● Save your changes.

SAP HANA Extended Application Services (XS) (Repository) Roles

The following roles are available in SAP HANA Extended Application Services (XS) for SAP Hybris Marketing:

Table 18:

Role Description

sap.hana-app.cuan.common.roles::TechnicalUserApplication This role is maintained in the technical configuration, and is assigned to the SAP <SID> user.

sap.hana-app.cuan.mkteff.XSAPP.roles::CMOKPI This role contains privileges to access KPIs in the Marketing Executive Dashboard.

sap.hana-app.cuan.lm.roles::LM_KPI This role contains privileges to access the Lead Dashboard in Lead Management.

Standard Authorization Objects

The following table shows the security-relevant authorization objects that are provided and used by SAP Hybris Marketing.

Table 19:

Authorization Object

Field Possible Values Description

CRA_CRMORG Sales Organization (CRA_VKORG)

customer-dependent values

Controls the authorizations to change and display organizational data from SAP CRM (sales organization, sales office, and sales group).

Sales Office (CRA_CRMOFF)

customer-dependent values

Sales Group (CRA_CRMGRP)

customer-dependent values

Activity (ACTVT) 02, 03

CRA_ERPORG Sales Organization (CRA_VKORG)

customer-dependent values

Controls the authorizations to change and display organizational data from SAP ERP (sales organization, sales office, and sales group).

Sales Office (CRA_VKBUR)

customer-dependent values

Sales Group (CRA_VKGRP)

customer-dependent values

Activity (ACTVT) 02, 03

CRA_KDGRP Customer Group (CRA_KDGRP)

customer-dependent values

Controls the authorizations to change and display customer groups.

Activity (ACTVT) 02, 03

CRA_MKTORG Marketing Organization (CRA_MKTORG)

customer-dependent values

Controls the authorizations to change and display SAP CRM marketing organizations.

Activity (ACTVT) 02, 03

CRA_BUK Company Code (BUKRS) customer-dependent values

Controls the authorizations to change and display company codes.

Activity (ACTVT) 02, 03

CRA_COUNTR Country (COUNTRY) customer-dependent values

Controls the authorizations to change and display countries.

Activity (ACTVT) 02, 03

CRA_MKTGRP Marketing Organization (MKTAUT_GRP)

customer-dependent values

Controls the authorizations to change and display marketing organizations.

Activity (ACTVT) 02, 03

CRA_STATUS Object Name (CRA_STA_OB)

customer-dependent values

Controls the authorizations to set a status (CRA_STATUS) in a target group/campaign (CRA_STA_OB), if advanced status management is activated in Customizing.

Life Cycle Status (CRA_STATUS)

customer-dependent values

Activity (ACTVT) 01

HPA_ADMIN Activity (ACTVT) 16 Controls the authorizations for administrative tasks, such as clearing buffers, Business Object Processing Framework (BOPF), and OData.

HPA_FILE Activity (ACTVT) 03 Controls the authorizations for read access to CSV file uploads.

HPA_PREV Activity (ACTVT) 03 Controls the authorizations to display previews of CSV files.

HPA_ACTION Object Name (HPA_OBJ) CUAN_MARKETING_BEACON

Controls the authorizations for actions in SAP Hybris Marketing for importing marketing beacon data.

Action Name (HPA_ACTION)

IMPORT_MARKETING_BEACON

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_MARKETING_LOCATION

Controls the authorizations for actions in SAP Hybris Marketing for importing location data.

Action Name (HPA_ACTION)

IMPORT_MARKETING_LOCATION

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_MARKETING_SPEND

Controls the authorizations for actions in SAP Hybris Marketing, such as approval of spends.

Action Name (HPA_ACTION)

APPROVE_SPEND

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_INITIATIVE Controls the authorizations for actions in SAP Hybris Marketing, for importing campaign success data.

Action Name (HPA_ACTION)

UPDATE_EXTERNAL_REPORTING_DATA

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_MARKETING_SPEND

Controls the authorizations for actions in SAP Hybris Marketing, for importing actual from an external system

Action Name (HPA_ACTION)

IMPORT_ACTUAL

Activity (ACTVT) 16

Object Name (HPA_OBJ) HPA_BRAND Controls the authorizations for actions in SAP Hybris Marketing, for importing Brands.

Action Name (HPA_ACTION)

IMPORT_BRANDS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_01

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 01.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_02

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 02.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_03

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 03.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_04

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 04.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_05

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 05.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_06

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 06.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_07

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 07.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_08

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 08.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_09

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 09.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_CUSTOM_DIMENSION_10

Controls the authorizations for actions in SAP Hybris Marketing, for importing custom dimension ID 10.

Action Name (HPA_ACTION)

IMPORT_CUSTOM_DIMENSIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_INTERACTION Controls the authorizations for actions in SAP Hybris Marketing, for importing interactions.

Action Name (HPA_ACTION)

IMPORT_EXTERNAL_INTERACTIONS

Activity (ACTVT) 16

Object Name (HPA_OBJ) CUAN_INTERACTION_CONTACT

Controls the authorizations for actions in SAP Hybris Marketing, for importing interaction contacts.

Action Name (HPA_ACTION)

IMPORT_INTERACTION_CONTACTS

Activity (ACTVT) 16

HPA_OBJECT Object Name (HPA_OBJ) GSEG_BUILDING_BLOCK

GSEG_SEGMENTATION_MODEL

HPA_EXPORT_DEFINITION

CUAN_BUDGET_PLANNING

HPA_DOCUMENT

HPA_USER_LIST

PROD_RECO

CUAN_CUSTOMER

CUAN_INITIATIVE

CUAN_INTERACTION

CUAN_INTERACTION_CONTACT

CUAN_SOCIAL_MEDIA_ACCOUNT

CUAN_TARGET_GROUP

CUAN_VALUE_HELPS

HPA_DOCUMENT_DATA

HPA_DOCUMENT_STORAGE

HPA_OBJECT_RATINGS

HPA_USER

CUAN_CUSTOMER_REL_ANALYSIS

CUAN_SOCIAL_MEDIA_ACCOUNT

CUAN_STRATIFICATION_CALC

Controls the authorizations to change and display business objects within SAP Hybris Marketing, or import of brands, or actuals.

HPA_IMPORT_HEADER

CUAN_HOMESCREEN_KPI_CALC

CUAN_MARKETING_ENGAGEMENT

CUAN_MARKETING_TEMPLATE

CUAN_INTERACTION

CUAN_SENDER_PROFILE

CUAN_MARKETING_SPEND

CUAN_DEMO_BANKING_F4

CUAN_PREDICTIVE_MODEL

CSAN_MENTION_GROUP

CSAN_VOICE_OF_CUSTOMER

CUAN_TAG_INTEREST_ASSIGNMENT

CUAN_MARKETING_ORCHESTRATION

CUAN_MARKETING_PERMISSION

CUAN_SOCIAL_MEDIA_ACCOUNT

CUAN_PROGRAM

CUAN_OFFER

GRES_RESULT_SET

CUAN_MARKETING_CALENDAR

CUAN_MARKETING_LEAD_STAGESET

CUAN_MKT_LEAD_STAGESET_PROFILE

CUAN_MARKETING_BEACON

CUAN_MARKETING_LOCATION

Activity (ACTVT) 02, 03

HPA_MKT_AR Object Name (HPA_OBJ) CUAN_MARKETING_LOCATION

CUAN_MARKETING_BEACON

CUAN_TARGET_GROUP

CUAN_INITIATIVE

CUAN_MARKETING_ORCHESTRATION

CUAN_MARKETING_ENGAGEMENT

CUAN_MARKETING_TEMPLATE

CUAN_SENDER_PROFILE

CUAN_MARKETING_CALENDAR

CUAN_MARKETING_SPEND

CUAN_BUDGET_PLANNING

CUAN_PREDICTIVE_MODEL

CUAN_OFFER

CUAN_INTERACTION

CUAN_PROGRAM

Controls the authorizations on instance level to change and display SAP Hybris Marketing objects.

The system derives the values for the marketing area (MKTAREA_ID) from the values for marketing area ID in the relevant user role (PFCG).

Activity (ACTVT) 02, 03

Marketing Area ID (MKTAREA_ID)

customer-dependent values

HPA_RSP_AR Object Name (HPA_OBJ) CUAN_INITIATIVE

CUAN_BUDGET_PLANNING

To access the area of responsibility.

Activity (ACTVT) 02, 03

Area of Responsibility (RSPAREA_ID)

customer-dependent values

S_OA2C_USE OAuth 2.0 Client Profile (OA2C_PROF)

FACEBOOK

SAP_CUAN_ECPG_HCI

To access OAuth 2.0 Client configuration for Facebook integration, and external campaign integration

Activity (ACTVT) 16

S_OA2C_ADM Activity (ACTVT) 01, 02, 03, 06 To access OAuth 2.0 Client Configuration

S_RS_COMP InfoArea (RSINFOAREA) customer-dependent values

To access Business Explorer - Components

InfoCube (RSINFOCUBE) customer-dependent values

Type of a reporting component (RSZCOMPTP)

customer-dependent values

Name of a reporting component (RSZCOMPID)

refer to the reporting component of the corresponding role

Activity (ACTVT) 03, 16

S_RS_COMP1 Owner (person responsible) for a reporting component (RSZCOMPOWNER)

customer-dependent values

To access Business Explorer - Components: Enhancements to the Owner

Type of a reporting component (RSZCOMPTP)

customer-dependent values

Name of a reporting component (RSZCOMPID)

refer to the reporting component of the corresponding role

Activity (ACTVT) 03, 16

S_RS_AUTH BW Analysis (BIAUTH) customer-dependent values

To access BI analyses.

S_RS_ICUBE RSICUBEOBJ customer-dependent values

To access InfoCubes for BI analyses.

Activity (ACTVT) 03

RECO_RTGET Activity (ACTVT) 33 To upload recommendations via RFC

Recommendation Model Type ID (ENGINE_ID)

customer-dependent values

RECO_MODEL Activity (ACTVT) 01, 02, 03, 06, 63 To access recommendation modeling.

RECO_MGEN Activity (ACTVT) 48, 64 To access recommendation model generation

RECO_CONF Activity (ACTVT) 01, 02, 03, 06 To access application data configuration.

GSEG_BB Application ID (GSEG_APPL)

customer-dependent values

To restrict the user access (at the start of the generic segmentation application) to segmentation building blocks for a specified combination of application ID and segmentation object type.

Segmentation Object (GSEG_OT)

customer-dependent values

Activity (ACTVT) 01, 02, 03, 06

GSEG_START Application ID (GSEG_APPL)

customer-dependent values

To restrict the user access (at the start of the generic segmentation application) to segmentation models for a specified combination of application ID and profile ID.

Profile ID (GSEG_PROF)

customer-dependent values

Activity (ACTVT) 01, 02, 03, 06

GSEG_ADMIN Activity (ACTVT) 02, 03 To restrict the user access when maintaining the generic segmentation administration data for a specified application ID.

Application ID (GSEG_APPL)

SAP_ADT

HPA_USRGRP Activity (ACTVT) 03 To access SAP Hybris Marketing user data of user groups.

User group in user master maintenance (CLASS)

customer-dependent

This table covers the maximum scope of values for objects and activities of an authorization object. Each role using these authorization objects can contain a subset of these values.
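The subset rule above can be checked mechanically when the template roles are copied into customer roles. The following Python script is an added example, not part of the SAP guide: it compares a constructed role export (column names modelled on table AGR_1251, hypothetical Z_MKT_* role names) with the Activity (ACTVT) values listed in Table 19 and reports wildcards and activities outside that scope.

```python
"""Audit copied role authorizations against the ACTVT scope of Table 19."""
import csv
import io

# Maximum Activity (ACTVT) values per authorization object, transcribed
# from Table 19 of this guide.
MAX_ACTVT = {
    "CRA_CRMORG": {"02", "03"}, "CRA_ERPORG": {"02", "03"},
    "CRA_KDGRP": {"02", "03"}, "CRA_MKTORG": {"02", "03"},
    "CRA_BUK": {"02", "03"}, "CRA_COUNTR": {"02", "03"},
    "CRA_MKTGRP": {"02", "03"}, "CRA_STATUS": {"01"},
    "HPA_ADMIN": {"16"}, "HPA_FILE": {"03"}, "HPA_PREV": {"03"},
    "HPA_ACTION": {"16"}, "HPA_OBJECT": {"02", "03"},
    "HPA_MKT_AR": {"02", "03"}, "HPA_RSP_AR": {"02", "03"},
    "S_OA2C_USE": {"16"}, "S_OA2C_ADM": {"01", "02", "03", "06"},
    "S_RS_COMP": {"03", "16"}, "S_RS_COMP1": {"03", "16"},
    "S_RS_ICUBE": {"03"}, "RECO_RTGET": {"33"},
    "RECO_MODEL": {"01", "02", "03", "06", "63"},
    "RECO_MGEN": {"48", "64"}, "RECO_CONF": {"01", "02", "03", "06"},
    "GSEG_BB": {"01", "02", "03", "06"},
    "GSEG_START": {"01", "02", "03", "06"},
    "GSEG_ADMIN": {"02", "03"}, "HPA_USRGRP": {"03"},
}

# Constructed sample export. The column names are an assumption about the
# export format (modelled on table AGR_1251); the roles are hypothetical.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_MKT_EXPERT,HPA_FILE,ACTVT,03,
Z_MKT_EXPERT,HPA_OBJECT,ACTVT,02,
Z_MKT_EXPERT,HPA_OBJECT,ACTVT,03,
Z_MKT_EXPERT,HPA_OBJECT,HPA_OBJ,CUAN_TARGET_GROUP,
Z_MKT_EXPERT,HPA_MKT_AR,MKTAREA_ID,*,
Z_MKT_ADMIN,HPA_ADMIN,ACTVT,*,
Z_MKT_ADMIN,HPA_PREV,ACTVT,01,03
Z_MKT_ADMIN,RECO_MGEN,ACTVT,48,
Z_MKT_ADMIN,GSEG_ADMIN,ACTVT,06,
"""


def expand(low, high):
    """Return the values covered by one LOW/HIGH entry, or None if unbounded."""
    if "*" in low:
        return None                      # full or pattern authorization
    if not high:
        return {low}                     # single value
    if low.isdigit() and high.isdigit():
        return {f"{n:02d}" for n in range(int(low), int(high) + 1)}
    return None                          # non-numeric range: treat as unbounded


def audit(export_text):
    """Return findings as (role, object, field, kind, detail) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role, obj, field = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        low, high = row["LOW"].strip(), (row["HIGH"] or "").strip()
        if obj not in MAX_ACTVT:
            continue                     # object is not covered by Table 19
        granted = expand(low, high)
        if granted is None:
            # Wildcards must be reviewed against the business process.
            detail = low + (f"-{high}" if high else "")
            findings.append((role, obj, field, "WILDCARD", detail))
        elif field == "ACTVT":
            excess = sorted(granted - MAX_ACTVT[obj])
            if excess:
                findings.append(
                    (role, obj, field, "OUT_OF_SCOPE", ",".join(excess)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("{:<13} {:<11} {:<11} {:<13} {}".format(*finding))
```

Objects that Table 19 does not list are skipped, so the report only covers the SAP Hybris Marketing authorization objects described here.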

SAP Business Information Warehouse (SAP BW) Authorizations

SAP Hybris Marketing also includes the usage of BW reports and objects. For the access and maintenance of these objects, BW authorizations can be applied. For more information about the BW authorizations, see the Security Guide for SAP BW under http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guide for SAP BW.

KPI Tiles and BW authorizations

The role SAP_CEI_BI_AUTH can be used as a template for providing authorizations for KPI tiles. The KPIs are partly based on BEx queries for which access needs to be granted. The queries that are used for defining KPIs can be found in the application operations guide on the SAP Help Portal at http://help.sap.com/mkt > System Administration and Maintenance Information.

SAP HANA Privileges

For SAP Hybris Marketing, application privileges are available. Each technical SAP HANA user needs special privileges, such as application privileges. Create a .hdbrole file in your tmp package and assign the roles to the corresponding user. For more information about privileges, see the SAP Hybris Marketing installation guide on the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information.

6 Session Security Protection

Session Security Protection on the AS ABAP System

To activate session security on the AS ABAP system, set the corresponding profile parameters and activate the session security for the client(s) using transaction SICF_SESSIONS. Specify the following parameter values, as shown in the following table.

Table 20:

Profile Parameter Recommended value Comment

icf/set_HTTPonly_flag_on_cookies 0 client-dependent

login/ticket_only_by_https 1 not client-dependent

For more information, a list of the relevant profile parameters, and detailed instructions, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Special Topics > Activating HTTP Security Session Management on AS ABAP.
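One way to verify the two recommended values from Table 20 across profile files, as an added example that is not SAP code: the profile contents below are constructed, and the script assumes that an instance profile overrides the default profile and that the last definition within a file takes effect.

```python
"""Check the Table 20 session-security parameters across SAP profile files."""

# Recommended values, taken from Table 20 of this guide.
RECOMMENDED = {
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "login/ticket_only_by_https": "1",
}

# Constructed sample profiles (not taken from a real system).
SAMPLE_DEFAULT = """\
# default profile (constructed sample)
SAPSYSTEMNAME = HYM
icf/set_HTTPonly_flag_on_cookies = 0
login/ticket_only_by_https = 1
"""

SAMPLE_INSTANCE = """\
# instance profile (constructed sample)
login/ticket_only_by_https = 0
"""


def parse_profile(text):
    """Return {parameter: [(line_no, value), ...]} for 'name = value' lines."""
    definitions = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                      # skip blanks, comments, other lines
        name, value = (part.strip() for part in line.split("=", 1))
        definitions.setdefault(name, []).append((line_no, value))
    return definitions


def check(default_text, instance_text):
    """Return {parameter: {status, effective, source, duplicate}}."""
    # Assumption: layers are applied in this order, later layers override.
    layers = [("DEFAULT", parse_profile(default_text)),
              ("INSTANCE", parse_profile(instance_text))]
    report = {}
    for param, wanted in RECOMMENDED.items():
        effective, source, duplicate = None, None, False
        for layer_name, definitions in layers:
            if param not in definitions:
                continue
            # More than one definition in a file is flagged for clean-up.
            duplicate = duplicate or len(definitions[param]) > 1
            line_no, effective = definitions[param][-1]
            source = f"{layer_name}:{line_no}"
        if effective is None:
            status = "NOT_SET"            # kernel default applies; verify it
        elif effective == wanted:
            status = "OK"
        else:
            status = "MISMATCH"
        report[param] = {"status": status, "effective": effective,
                         "source": source, "duplicate": duplicate}
    return report


if __name__ == "__main__":
    for param, result in check(SAMPLE_DEFAULT, SAMPLE_INSTANCE).items():
        print(f"{param:<34} {result['status']:<9} "
              f"value={result['effective']} from {result['source']}")
```

In the sample, the default profile carries both recommended values, but the instance profile resets login/ticket_only_by_https to 0, which the report shows as a mismatch with its source line.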

7 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP Hybris Marketing is based on the topology used by SAP NetWeaver, and by the SAP HANA Extended Application Services (XS) platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide and in the SAP HANA Security Guide also apply to SAP Hybris Marketing. Details that specifically apply to SAP Hybris Marketing are described in the following topics:

● Communication Channel Security
This topic describes the communication paths and protocols used by SAP Hybris Marketing.

● Network Security
This topic describes the recommended network topology for SAP Hybris Marketing. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP Hybris Marketing.

● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

● For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security.

● Security Guides for Connectivity and Interoperability Technologies
For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies.

7.1 Communication Channel Security

The table shows the communication channels used by SAP Hybris Marketing, the protocol used for the connection, and the type of the data transferred.

Table 21:

Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection

Frontend client using SAP GUI for Windows to application server

DIAG Customizing and administration data

Usernames, passwords

Frontend client using a Web browser to application server / (Remote) Gateway, BOE Server

HTTP, HTTPS

We recommend using HTTPS

All application data Confidential data

Application server (ERP SD/SLT) to application server (SAP Hybris Marketing)

SAP SLT Replication Server based on RFC and direct DB Connection of SLT Server and CEI

All application data Confidential data

Application Server (Remote Gateway) to Application Server (SAP Hybris Marketing)

Trusted RFC All application data -

SAP Hybris Marketing to SAP HANA Database

ADBC, openSQL All application data Confidential

SAP Hybris Marketing to SAP CRM

Enterprise Services for campaign

CRM Middleware

Campaigns, target groups Confidential

Anonymous access from Internet to Web dispatcher (acting as reverse proxy)

HTTPS Tracking information Public

Sending emails via REST APIs to email service provider

HTTPS Email information Personalized information

SAP Hybris Marketing to SAP Hybris Cloud for Customer

SAP HANA Cloud Integration (HCI), or SAP Process Orchestration (PI) via SOAP

Leads Confidential

Note

Since the source system for SAP Hybris Marketing is an SAP ERP system (sales and distribution system), or an SAP CRM system, the SLT Server may be installed on the source system itself or on a separate system. For more information about communication channel security, see SAP Help Portal at http://help.sap.com/nw > SAP HANA Platform > SAP HANA Platform (Core) > Security > SAP HANA Security Guide > English > SAP HANA Network and Communication Security > Communication Channel Security.

Dynamic Information and Action Gateway (DIAG) and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.

Recommendation

SAP strongly recommends using secure protocols (SSL, SNC) whenever possible.

● For more information about Transport Layer Security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security > Transport Layer Security.

● For more information about Web Services Security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies > Security Guide Web Services (ABAP).

7.2 Network Security

SAP Hybris Marketing is not an internet facing application. All applications are in-house applications that run within a demilitarized zone. External access is only done through mobile applications. As mentioned in the technical system landscape, and in the session security protection, Web-based applications are all embedded in a shell that handles authentication and session security. The shell communicates with the backend through a local gateway using OData services or via the WebDynpro communication framework.

For more information about the technical system landscape and a typical network setup, see the installation guide for SAP Hybris Marketing on the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information.

For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Network and Communication Security > Using Multiple Network Zones.

Ports

SAP Hybris Marketing runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Network Security for SAP NetWeaver AS ABAP > AS ABAP Ports.

SAP Hybris Marketing user interfaces can be embedded into an SAP CRM system by IFrame. Ensure that both systems follow the same origin policy, that is, they use the same host and port.

For the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAP Developer Network at http://scn.sap.com/community/security. Search for Infrastructure Security > Network and Communications Security.

7.3 Communication Destinations

The following table provides an overview of the communication destinations used by the back-end server of SAP Hybris Marketing.

Table 22:

Destination Type User, Authorizations Description

Legacy system (SAP ERP, SAP CRM)

RFC Technical user RFC based exchange of business data

Remote Gateway Trusted RFC Named user In case the SAP NW Gateway is installed remotely, a trusted RFC is required for the connection to the SAP Hybris Marketing system.

SLT RFC Technical user In case SAP SLT is set up separately from the source legacy system, an RFC connection of SAP ERP to SAP SLT is required.

SAP Jam HTTPS Technical user Used for OAuth authentication and some optional SAP Jam integration scenarios, that is, assigning a campaign to an SAP Jam Group.

Note

No data is exchanged between SAP Hybris Marketing and SAP Jam.

Standard internet ports for UI connection

HTTPS Named user Internet Port setup of the UI connection to the backend.

For more information, see section Ports in Network Security.

Security Guide 1702Network and Communication Security C U S T O M E R 53

Page 54: Security Guide 1702 - SAP · PDF fileSecurity Guide 1702 Security Aspects of Data, Data Flow, and Processes CUSTOMER 9. Table 4: Business Group Description Security Measure Contacts

Destination Type User, Authorizations Description

HTTPS connection from Ex­tended Application Services (XS) to SAP HANA

HTTPS Technical user Used in Campaign Content for the OData service to up­date the status of a cam­paign automation when the sending process is finished.

SAP HANA Cloud Integration system (HCI)

HTTPS Named user Used for integration of SAP Hybris Marketing to SAP Hybris Cloud for Customer and External Campaign Inte­gration.

SAP Process Orchestration (PI)

HTTPS Named user Used for Integration of SAP Hybris Marketing to SAP Hybris Cloud for Customer

Facebook Graph API HTTPS oAuth 2.0 User Access Token Create Facebook custom au­diences from target groups and initial Facebook cam­paigns in campaign automa­tion, as well as retrieval of re­porting data of SAP Hybris Marketing campaigns.

WeChat API HTTPS oAuth 2.0 User Access Token Used to get follower data and marketing content from We­Chat, and to send messages to WeChat

Inbound WeChat Events HTTPS Technical user Used to get follower events from WeChat

SAP XM API HTTPS oAuth 2.0 User Access Token Create campaigns in SAP XM retrieval or reporting data from the campaigns.

Users of the SAP Hybris Marketing user interface should be allowed to retrieve content from internet sites integrated with SAP Hybris Marketing, depending on the enabled set of features. The following table provides an overview of the communication destinations used by the frontend server of SAP Hybris Marketing.


Table 23:

| Destination | Type | User, Authorizations | Description |
|---|---|---|---|
| Standard internet ports for UI connection | HTTPS | Named user | Internet Port setup of the UI connection to the frontend. For more information, see section Ports in Network Security [page 52]. |
| https://*.sapjam.com | HTTPS | Named user | SAP Jam Feed on the SAP Hybris Marketing Home screen. |
| https://*.here.com | HTTPS | Nokia Token | Provider for map used in Segmentation and Marketing Locations. |
| https://graph.facebook.com | HTTPS | Named user (oAuth 2.0 authorization code grant to retrieve user access token) | Campaign automation: Create Facebook custom audiences from target groups and initial Facebook campaigns. Retrieval of reporting data of SAP Hybris Marketing campaigns. |
| Customized source channels of social posts, such as twitter, RSS | HTTPS | None | Sentiment Engagement: Link to source of social post, social user image, or profile. |
| https://email.*.amazonaws.com; https://sqs.*.amazonaws.com | HTTPS | Amazon Web Service Access Keys | Communication from SAP HANA Extended Application Services (XS) to Amazon Web Services. Sending of emails and pulling of feedback information to and from Amazon Web Services. |
| https://sms-pp.sapmobileservices.com | HTTPS | Technical user | Communication from SAP HANA Extended Application Services (XS) to SAP SMS 365 Web service. Sending text messages to the SAP SMS 365 Web service. |
| https://api.yaas.io/hybris/loy-member/v1/members; https://api.yaas.io/hybris/loy-member/v1/memberActivities; https://api.yaas.io/hybris/loy-member/v1/loyaltyPrograms; https://api.yaas.io/hybris/loy-member/v1/tiers; https://api.yaas.io/hybris/oauth2/v1/token; https://api.yaas.io/hybris/loy-offer/v1/offers | HTTPS | Named user (oAuth 2.0 authorization code grant to retrieve user access token) (Integration Scenario SAP_COM_0043) | Loyalty Integration: These endpoints are used to get loyalty data into the Hybris marketing system. This data is used to create interactions and interaction contacts |
| https://builder.yaas.io | HTTPS | Named user | UI Navigation from Hybris Marketing launchpad to YaaS Builder |
| https://<hostname>.com/sap/opu/odata/sap/CUAN_CAMPAIGN_SUCCESS_SRV; https://<hostname>.com/sap/opu/odata/sap/CUAN_CAMPAIGN_METRICS_SRV; https://<hostname>.com/sap/opu/odata/sap/CUAN_COMMON_SRV | HTTPS | Technical user (Integration Scenario: SAP_COM_0058) | Customer Journey Integration with Campaigns: These endpoints are used to read campaign data from the Hybris Marketing system. |
| https://customerjourney.yaas.io/* | HTTPS | Named user | UI Navigation from Hybris marketing Launchpad to Customer Journey Application |
| https://api.yaas.io/hybris/pubsub/v1/topics/hybris.ymkt-consolidation/ymarketingtopic/read; https://api.yaas.io/hybris/pubsub/v1/topics/seey.abandoned-cart-collator/abandoned-cart/read; https://api.yaas.io/hybris/oauth2/v1/token | HTTPS | Named user (oAuth 2.0 authorization code grant to retrieve user access token) (Integration Scenario: SAP_COM_0059) | Hybris Profile Integration: These endpoints are used to get web-tracking data into the Hybris Marketing system. This data is used to create interactions and interaction contacts. |
| https://builder.yaas.io/#?selectedPath=****yprofile-dev-tool-graph-viewer-streaming | HTTPS | Named user | UI Navigation from Hybris Profile Graph Viewer |
| https://*.weixin.qq.com/ | HTTPS | oAuth 2.0 User Access Token | Used to get follower data and marketing content from WeChat, and to send messages to WeChat |
| https://*.baidu.com | HTTPS | Baidu Token | Used to segment users on Baidu Maps in Segmentation |
| ac3b78981.hana.ondemand.com (Europe); b035760e1.us1.hana.ondemand.com (US East); dae7830db.us2.hana.ondemand.com (US West); oauthasservices-ac3b78981.hana.ondemand.com/oauth2/api/v1/authorize (Europe); oauthasservices-b035760e1.us1.hana.ondemand.com/oauth2/api/v1/authorize (US East); oauthasservices-dae7830db.us2.hana.ondemand.com/oauth2/api/v1/authorize (US West); oauthasservices-ac3b78981.hana.ondemand.com/oauth2/api/v1/token (Europe); oauthasservices-b035760e1.us1.hana.ondemand.com/oauth2/api/v1/token (US East); oauthasservices-dae7830db.us2.hana.ondemand.com/oauth2/api/v1/token2 (US West) | HTTPS | Named user (oAuth 2.0 authorization code grant to retrieve user access token) | Create campaigns in SAP XM; retrieval of reporting data from the campaigns. |
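One way to turn the frontend destinations of Table 23 into an outbound allowlist check for a proxy or egress filter, shown as an added example that is not part of the SAP guide or of any SAP tool. The wildcard semantics, the port rule, and the names `ALLOWED_HOST_PATTERNS`, `is_allowed` and `check_samples` are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Host patterns taken from the Destination column of Table 23 (a subset; add
# the regional hana.ondemand.com hosts and your own social channels as needed).
ALLOWED_HOST_PATTERNS = [
    "*.sapjam.com",
    "*.here.com",
    "graph.facebook.com",
    "email.*.amazonaws.com",
    "sqs.*.amazonaws.com",
    "sms-pp.sapmobileservices.com",
    "api.yaas.io",
    "builder.yaas.io",
    "customerjourney.yaas.io",
    "*.weixin.qq.com",
    "*.baidu.com",
]

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"  # one DNS label


def _compile(pattern):
    """Assumption: "*" stands for one or more whole DNS labels, never part of one."""
    parts = []
    for label in pattern.lower().split("."):
        parts.append(rf"{_LABEL}(?:\.{_LABEL})*" if label == "*" else re.escape(label))
    return re.compile(r"\.".join(parts))


_COMPILED = [_compile(p) for p in ALLOWED_HOST_PATTERNS]


def is_allowed(url):
    """Return True only for HTTPS URLs whose host matches an allowed pattern."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False  # every destination in the table is HTTPS
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can disguise the real host
    if port not in (None, 443):
        return False  # assumption: only the default HTTPS port is opened
    host = (parts.hostname or "").rstrip(".")
    return any(rx.fullmatch(host) for rx in _COMPILED)


# Constructed sample requests, not taken from real traffic.
SAMPLE_URLS = [
    "https://acme.sapjam.com/feed",
    "https://email.eu-west-1.amazonaws.com/",
    "http://graph.facebook.com/v2.8/me",
    "https://sapjam.com.lookalike.example/feed",
    "https://graph.facebook.com@internal.example/",
]


def check_samples():
    """Map each constructed sample URL to the allowlist decision."""
    return {url: is_allowed(url) for url in SAMPLE_URLS}
```

Anchoring each pattern on whole DNS labels and matching the full host name is what keeps a look-alike such as `sapjam.com.lookalike.example` from passing a naive substring or suffix test.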


8 Internet Communication Framework Security

SAP Hybris Marketing has Web-enabled (HTML5/SAPUI5–based) content that accesses the application server using Web browsers. This content is managed by the Internet Communication Framework (transaction SICF).

Note: During the technical configuration, all required services for SAP Hybris Marketing are automatically activated. For more information about the technical configuration, see the SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information > Installation Guide > Post-Installation Technical Configuration Steps.

Note: Besides the activation of ICF nodes for the OData services Gateway, you have to activate the OData services themselves within the Gateway configuration. For more information about OData service activation, see the installation guide for SAP Hybris Marketing on SAP Help Portal at http://help.sap.com/mkt > Installation and Upgrade Information > Installation Guide – SAP Hybris Marketing.

● For more information, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > SAP NetWeaver Library: Function-Oriented View > English > Application Server > Application Server Infrastructure > Connectivity > Components of SAP Communication Technology > Communication Between ABAP and Non-ABAP Technologies > Internet Communication Framework > Development > Server-Side Development > Creating and Configuring ICF Services > Activating and Deactivating ICF Services.

● For more information about ICF security, see SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > English > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies.


9 Virus Scan Profile (ABAP)

SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and what file types are checked or blocked, there are virus scan profiles.

To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles. SAP Hybris Marketing uses the standard SAP NetWeaver virus scan profile /SIHTTP/HTTP_UPLOAD.

For more information about virus scanning, see the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver 7.5 > Application Help > Function-Oriented View > Security > Security Developer Documentation > Secure Programming > Secure Programming - ABAP > Secure Programming > SAP Virus Scan Interface, and SAP Note 1693981 (Unauthorized modification of displayed content).

Virus Scan in Campaign Content

Content templates used in campaign contents are built with HTML code that can contain malicious parts, such as JavaScript code.

Recommendation: We recommend using a virus scanner to prevent malicious code sequences from damaging content template coding and email content.
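To make concrete what "malicious parts, such as JavaScript code" look like to a checker, the following added example flags active content in a content template before it is uploaded. It is not the SAP virus scan interface and not the logic of any scanner product; the class and function names, the tag and attribute lists, and the sample template are constructed for the illustration.

```python
from html.parser import HTMLParser

# Assumed policy for this sketch: elements that run or load active content,
# and attributes whose value is fetched or navigated to as a URL.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects (line, description) for every active-content construct seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            if name.startswith("on"):
                # Conservative: treats every on* attribute as an event handler.
                self.findings.append((line, f"event handler {name} on <{tag}>"))
            elif name in URL_ATTRS and value:
                # The parser has already decoded character references; drop
                # whitespace and control characters before testing the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append((line, f"script URL in {name} on <{tag}>"))


def scan_template(html):
    """Return the list of findings for one HTML content template."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample template, not taken from a real campaign.
SAMPLE_TEMPLATE = """<html><body>
<h1>Spring offer</h1>
<a href="https://shop.example/offer">View offer</a>
<img src="https://shop.example/banner.png" onerror="track()">
<a href="JavaScript:openWin()">Details</a>
<script>document.title = "x";</script>
</body></html>"""

if __name__ == "__main__":
    for line, what in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line}: {what}")
```

A check like this complements the virus scan profile rather than replacing it: it reports where a template carries script, while the decision to block the upload stays with the configured scanner.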


10 Data Storage Security

Data Storage

All SAP Hybris Marketing data is stored in the SAP HANA database. No data is stored on the file system.

Note: While a session is active, HTML5 local storage is used. However, when logging off, all local storage is deleted.

All access to the database is performed through the SAP NetWeaver ABAP stack, either through Open SQL or through ABAP Database Connectivity (ADBC). Access to the database is secured by the SAP NetWeaver stack through the authorization policies described in Authorizations [page 18].

For more information about data storage security, see the SAP Help Portal at http://help.sap.com/nw > SAP HANA Platform > SAP HANA Platform (Core) > Security > SAP HANA Security Guide > English > SAP HANA Data Storage Security.

Data Protection

The data protection, archiving, and retention policies of SAP Hybris Marketing are directly inherited from the legacy system, an SAP ERP system or an SAP CRM system, that provides the data. If data is deleted or archived in the legacy system, the SLT framework triggers the deletion in the SAP Hybris Marketing system itself. All related data that has been created within SAP Hybris Marketing and that refers to deleted data in the legacy system can be deleted by administrators of SAP Hybris Marketing as well.

Password Storage

For the connection of an external OpenText Digital Asset Management system, a user ID and password are required regularly. To inhibit the access to these systems by unauthorized users, the password is stored in an SAP namespace in the ABAP Secure Store.


11 Security-Relevant Logging and Tracing

SAP Hybris Marketing uses the logging and tracing mechanisms of SAP NetWeaver. For information about logging and tracing of SAP NetWeaver, see the SAP Help Portal at http://help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide (English) > SAP NetWeaver Security Guide > Security Guides for SAP NetWeaver Functional Units > SAP NetWeaver Security Guides for Functional Units > Security Aspects for Lifecycle Management > Auditing and Logging.


12 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:

● Whether SAP Security Notes have been identified as missing on your system. In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.

● Whether an accumulation of critical basis authorizations has been identified. In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

● Whether standard users with default passwords have been identified on your system. In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including the following:

● Critical authorizations in detail

● Security-relevant configuration parameters

● Critical users

● Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties such as the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.

Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.

More Information

For more information about these services, see the following:

● EarlyWatch Alert: http://service.sap.com/ewa

● Security Optimization Service / Security Notes Report: http://service.sap.com/sos

● Comprehensive list of Security Notes: http://service.sap.com/securitynotes

● Configuration Validation: http://service.sap.com/changecontrol

● RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/runsap (See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)


Important Disclaimers and Legal Information

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).


go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.