Post on 28-Oct-2015
Security Guide
SAP GRC Access Control: Using SAP with Release 5.3
Target Audience: System administrators, Technology consultants
PUBLIC
Document version 2.30, 2011-12-27
Document History

CAUTION
Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: http://help.sap.com > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.

The following table provides an overview of the most important document changes.

| Version | Date | Description |
| --- | --- | --- |
| 1.00 | 2008-01- | Initial release |
| 1.10 | 2008-01- | Updated structure of guide and details of roles and authorizations |
| 1.15 | 2008-01- | Updated definition of L0 |
| 2.00 | 2009-09-30 | Updated UME role actions per SP09 |
| 2.10 | 2009-12-18 | Updated authorization values for Customizing SPM Back-end Roles. Updated actions for Delivered Front-end Roles and Permissions for ERM. |
| 2.11 | 2010-06-07 | Replaced authorization object ZVFAT_0002 with GRCFF_0002 in the RFC Authorization Values for SPM table. Updated Delivered Front-End Roles and Permissions for CUP, adding two UME actions for an administrator. Updated Delivered Front-End Roles and Permissions for RAR, adding two UME actions for an administrator. |
| 2.20 | 2011-06-16 | Corrected spelling for the following authorization objects: changed S_FRC to S_RFC; changed S_USER_AGER to S_USER_AGR. |
| 2.30 | 2011-12-27 | In section 5.1.1 Customizing SPM Back-end Roles, for the role /VIRSA/Z_VFAT_FIREFIGHTER, removed the authorization object GRCFF_0001. |

2/52 PUBLIC 2011-12-27
Table of Contents

Chapter 1 Introduction ..... 5
  1.1 Target Audience ..... 5
  1.2 Why Is Security Necessary? ..... 5
  1.3 About this Document ..... 6
Chapter 2 Before You Start ..... 7
  2.1 Fundamental Security Guides ..... 7
  2.2 Important SAP Notes ..... 7
  2.3 Additional Information ..... 7
Chapter 3 Technical System Landscape ..... 9
Chapter 4 Network and Communication Security ..... 11
  4.1 Communication Channel Security ..... 11
  4.2 RFC Connections ..... 12
  4.3 Communication Destinations ..... 12
  4.4 Integration into Single Sign-On Environments ..... 13
  4.5 Data Storage Security ..... 14
  4.6 User Administration and Authentication ..... 14
    4.6.1 User Management ..... 14
    4.6.2 User Types ..... 14
    4.6.3 User Administration Tools ..... 15
  4.7 Trace and Log Files ..... 15
Chapter 5 Delivered Back End Roles ..... 17
  5.1 Delivered SPM Back-end Roles ..... 17
    5.1.1 Customizing SPM Back-end Roles ..... 18
  5.2 Delivered RAR Back End Roles ..... 22
  5.3 Delivered ERM Back End Roles ..... 23
  5.4 Delivered RFC Back-end Roles and Authorizations ..... 23
  5.5 Creating Custom RFC Roles ..... 24
    5.5.1 RFC Authorization Roles for CUP ..... 24
    5.5.2 RFC Authorization Values for ERM ..... 26
    5.5.3 RFC Authorization Values for RAR ..... 27
    5.5.4 RFC Authorization Values for SPM ..... 28
Chapter 6 Delivered Front End Roles and Permissions ..... 31
  6.1 Updating Roles and Permissions from Support Packages ..... 31
  6.2 Customizing the Front End Roles ..... 31
    6.2.1 Delivered Front End Roles and Permissions for CUP ..... 31
    6.2.2 Delivered Front End Roles and Permissions for ERM ..... 36
    6.2.3 Delivered Front End Roles and Permissions for RAR ..... 39
Chapter 7 Recommended Front End Roles and Permissions for SPM ..... 43
Chapter A Reference ..... 45
  A.1 The Main SAP Documentation Types ..... 45
1 Introduction

The Security Guide provides an overview of the security-relevant information that applies to SAP GRC Access Control. You can use the information in this document to understand and implement system security, and to understand and implement the business function security features that Access Control provides for regulatory compliance.

NOTE
This guide does not replace the administration or operation guides that are available for productive operations.
1.1 Target Audience

- Technology consultants
- Security administrators
- System administrators
1.2 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When you use a distributed system, make sure that your data and processes support your business needs and do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system can result in loss of information or processing time.

SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. SAP GRC Access Control helps companies to comply with regulatory mandates such as Sarbanes-Oxley. Organizations can readily identify and remove access and authorization risks from IT systems, as well as embed preventive controls in business processes to stop segregation of duties (SoD) violations. Companies benefit from a considerable reduction in the time, risk, and cost associated with compliance. To assist you in securing Access Control, we provide this Security Guide.
1.3 About this Document

The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.

AC includes the following components:

- Compliant User Provisioning (CUP)
- Enterprise Role Management (ERM)
- Risk Analysis and Remediation (RAR)
- Superuser Privilege Management (SPM)
2 Before You Start

This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.

2.1 Fundamental Security Guides

Access Control capabilities use the SAP NetWeaver Application Server for ABAP, so the security issues of that platform also apply. For more information, see the following security guides.

Fundamental Security Guides

| Guide | Location |
| --- | --- |
| SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide |
| SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide |
| SAP NetWeaver Business Client (with PFCG Connection) | SAP Library |
| NetWeaver Business Client Security Issues | SAP Library |
| UME Authorization Guide | SAP Library |
| SAP NetWeaver Portal Guide | SAP Library |

2.2 Important SAP Notes

For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.

2.3 Additional Information

For more information about specific topics, see the Quick Links in the following table.

| Content | SAP Service Marketplace Address |
| --- | --- |
| Security | http://service.sap.com/security |
| Security Guides | http://service.sap.com/securityguide |
| Related SAP Notes | http://service.sap.com/notes |
| Released platforms | http://service.sap.com/platforms |
| Network security | http://service.sap.com/securityguide |
| SAP Solution Manager | http://service.sap.com/solutionmanager |
3 Technical System Landscape

For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security

A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.

The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:

- Communication Channel Security: This topic describes the communication channels and protocols used by Access Control.
- Communication Destinations: Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
- Integration with Single Sign-On Environments: Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
- Data Storage Security: This topic describes how Access Control handles data storage.

For more information, see the following sections in the SAP NetWeaver Security Guide:

- Network and Communication Security [SAP Library]
- Security Aspects for Connectivity and Interoperability [SAP Library]

NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.

4.1 Communication Channel Security

The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.

| Communication Path | Protocol | Type of Data | Special Protection Data |
| --- | --- | --- | --- |
| Backend using SAP GUI | DIAG | All application data | Logon data |
| NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data |
| RFC | RFC | All application data | Logon data |
| Application server to BI system | HTTP/HTTPS | All application data | Logon data |
| BI system to application system | HTTP/HTTPS | All application data | Logon data |
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.

4.2 RFC Connections

Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.

NOTE
For Compliant User Provisioning, we recommend that you use the SLD JCo destination as part of the connector configuration to ensure secure RFC communication.

More Information

- Transport Layer Security in the SAP NetWeaver Security Guide
- Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal

4.3 Communication Destinations

The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.

| Destination | Type | Authorizations | Comments |
| --- | --- | --- | --- |
| Access Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None |
| SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide. |
| IGS (Required) | RFC | No special configuration required | None |
| Non-SAP Application (Optional) | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies. | |
4.4 Integration into Single Sign-On Environments

Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that the data is authenticated.

Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon for the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.

NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.

Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: the ticket is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.

For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.

NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security

Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.

Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.

4.6 User Administration and Authentication

Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.

4.6.1 User Management

User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.

4.6.2 User Types

Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.

The user types that are required for Access Control include:

- Dialog Users
  - Use the SAP GUI for configuring and administering Access Control
  - Access the NetWeaver Business Client
- Communication Users
  - Use the Access Control workflow
  - RTAs: Use RFC connections to connect to the BI systems
- Service Users
  - Connect the front end ABAP session to the back end ABAP session
  - RTAs: Use RFC connections to connect to the BI systems
4.6.3 User Administration Tools

Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.

The following table shows the user administration tools available to manage users.

| User Administration Tool | Description |
| --- | --- |
| Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations |
| Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles |
| User Management Administration Console | Use UME for Java user and role maintenance |

4.7 Trace and Log Files

For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles

Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.

In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.

You can accept the delivered roles without modification, or you can build custom roles.

5.1 Delivered SPM Back-end Roles

This section lists the delivered back-end roles for SPM ID-based and role-based administration.

For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc, and choose Access Control > SAP GRC Access Control 5.3.

NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:

- /VIRSA/Z_VFAT_ADMINISTRATOR: This is the administrator for ID-based firefighting.
- /VIRSA/VFAT_ROLE_ADMINISTRATOR: This role can perform administrator tasks for both ID-based and role-based firefighting.
- /VIRSA/VFAT_ADMINISTRATOR: This is the administrator for both delivered ID-based and role-based roles.

Delivered ID-based Roles

| Delivered Roles | Key Tasks | Description |
| --- | --- | --- |
| /VIRSA/Z_VFAT_ADMINISTRATOR | Define owners. Assign firefighter roles to firefighters. Define controllers. Maintain firefighter ID passwords. Maintain firefighter configuration parameters. Define reason codes. Define critical transactions. Archive log data. View reports in the toolbox. | Administrators control most firefighter activities. |
| /VIRSA/Z_VFAT_ID_OWNER | Assign firefighter IDs to firefighters. View log reports. Receive e-mail notifications. | The owner role provides authorization for users who are defined as owners or controllers. |
| /VIRSA/Z_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter. | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07. |

Delivered Role-based Roles

| Delivered Roles | Key Tasks | Description |
| --- | --- | --- |
| /VIRSA/VFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles. Assign firefighter roles to firefighters. Define controllers. Maintain firefighter configuration parameters. Archive log data. View reports in the toolbox. | Administrators control most firefighter activities. |
| /VIRSA/VFAT_ROLE_OWNER | Assign firefighter roles to firefighters. View log reports. Receive e-mail notifications. | The owner role assigns authorizations for users who are defined as owners or controllers. |
| /VIRSA/VFAT_ROLE_CONTROLLER | Receive notifications. View log reports. | The controller role assigns authorizations to users who are defined as controllers. |
5.1.1 Customizing SPM Back-end Roles

You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.

The following SAP Notes concern how to create custom Superuser Privilege Management roles for back end security:

- SAP Note 1025421
- SAP Note 1101665
In the following tables, objects with the value * (asterisk) contain all available values. The following table lists the available values for the authorization fields.

| Object | Authorization Field | Available Values |
| --- | --- | --- |
| GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload |
| GRCFF_0002 | /VIRSA/FAT | CNTR Controller (the user who maintains the controller table for firefighter roles); FFER Firefighter (this value is required to add or delete a firefighter from firefighter roles); LGDN Log Download (you can download logs via Administration > Archive); LGDS Log Delete (you can delete logs via Administration > Archive); LGUP Log Upload (you can upload logs via Administration > Archive); OWNR Owner (the user who maintains the owner table for firefighter roles) |
| S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter |

/VIRSA/VFAT_ADMINISTRATOR

The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZFAT_V02 |
| S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM /VIRSA/FF_LOG_AUTO_ARCHIVE |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR |
| S_PROGRAM | P_ACTION, P_GROUP | P_ACTION SUBMIT, BTCSUBMIT, VARIANT; P_GROUP ZVFAT |
| GRCFF_0001 | ACTVT | * |
| GRCFF_0002 | /VIRSA/FAT | * |
/VIRSA/VFAT_ROLE_ADMINISTRATOR

The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZFAT_V02 |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZV&ZV |
| S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM /VIRSA/FF_LOG_AUTO_ARCHIVE |
| GRCFF_0002 | /VIRSA/FAT | * |

/VIRSA/VFAT_ROLE_CONTROLLER

The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZFAT_V02 |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZV&ZV |
| S_PROGRAM | P_ACTION, P_GROUP | P_ACTION SUBMIT, BTCSUBMIT; P_GROUP ZVFAT |
| S_BTCH_JOB | JOBACTION, JOBGROUP | JOBACTION RELE; JOBGROUP * |
| S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM /VIRSA/FF_LOG_AUTO_ARCHIVE |
| GRCFF_0001 | ACTVT | 81 |
| S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_02 |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZVD, ZVE |
| S_PROGRAM | P_ACTION, P_GROUP | P_ACTION SUBMIT, BTCSUBMIT; P_GROUP ZVFAT |
| S_BTCH_JOB | JOBACTION, JOBGROUP | JOBACTION RELE; JOBGROUP * |
| GRCFF_0001 | ACTVT | 02, 03, 81, L0 (L0 in this case means View Log Control for Controllers) |
| GRCFF_0002 | /VIRSA/FAT | LGDN, LGDS, LGUP |
| S_TCODE | TCD | /VIRSA/VFAT |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZVD, ZVE |
| GRCFF_0001 | ACTVT | 02, 03 |
| GRCFF_0002 | /VIRSA/FAT | CNTR, FFER, LGDN, LGDS, LGUP |

/VIRSA/VFAT_ROLE_OWNER

The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/VFAT |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZVD, ZVE |
| GRCFF_0001 | ACTVT | 02, 03 |
| GRCFF_0002 | /VIRSA/FAT | CNTR, FFER, LGDN, LGDS, LGUP |

/VIRSA/VFAT_ADMINISTRATOR

The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02 |
| S_DATA_SET | ACTVT | * |
| S_DATA_SET | FILE_NAME | None |
| S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR |
| S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT |
| S_PROGRAM | P_GROUP | ZVFAT |
| GRCFF_0001 | ACTVT | * |
| GRCFF_0002 | /VIRSA/FAT | CNTR, LGDN, LGDS, OWNR |
/VIRSA/Z_VFAT_FIREFIGHTER

The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_RFC | ACTVT, RFC_NAME, RFC_TYPE | ACTVT 16; RFC_NAME SYST; RFC_TYPE FUGR |
| S_TCODE | TCD | /VIRSA/VFAT |

For SP07 and after, you must add these additional authorizations:

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_USER_GRP | ACTVT, CLASS (user group) | ACTVT 02, 03, 05; CLASS [FFIDs User Group] |

NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.

We recommend you do not grant access to transaction SU01 for any users with this access.

In case of CUA systems:

1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above.
/VIRSA/Z_VFAT_ID_OWNER

The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER.

| Object | Authorization Field | Values |
| --- | --- | --- |
| S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01 |
| S_BTCH_JOB | JOBACTION, JOBGROUP | JOBACTION RELE; JOBGROUP * |
| S_TABU_DIS | ACTVT | 02, 03 |
| S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y |
| S_PROGRAM | P_ACTION, P_GROUP | P_ACTION SUBMIT, BTCSUBMIT; P_GROUP ZVFAT |
| GRCFF_0001 | ACTVT | 02, 03, 81 |
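As an added example (not code from this SAP guide), the following Python script checks a custom firefighter role's authorization data against the /VIRSA/Z_VFAT_FIREFIGHTER requirements listed above, including the SP07 S_USER_GRP addition, and flags SU01 when the role's S_TCODE values (wildcards and ranges included) would reach it, which the note advises against. Input rows mimic the columns of table AGR_1251 (role, object, field, LOW, HIGH); the role name Z_FF_CUSTOM, the user group FFID_GROUP and the rows themselves are constructed for the example, and the same checker generalizes to the RFC connector tables in section 5.5 by supplying a different requirements dict.

```python
"""Check a custom SPM firefighter role against the section 5.1.1 requirements.

Added example, not SAP code. Rows mimic table AGR_1251 (AGR_NAME, OBJECT,
FIELD, LOW, HIGH); the role, user group and rows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class AuthRow:
    role: str
    obj: str
    field: str
    low: str
    high: str = ""  # empty HIGH means a single value, not a range


Requirements = Dict[Tuple[str, str], Set[str]]


def required_firefighter(ffid_group: str) -> Requirements:
    """(object, field) -> values listed for /VIRSA/Z_VFAT_FIREFIGHTER, SP07 and later."""
    return {
        ("S_RFC", "ACTVT"): {"16"},
        ("S_RFC", "RFC_NAME"): {"SYST"},
        ("S_RFC", "RFC_TYPE"): {"FUGR"},
        ("S_TCODE", "TCD"): {"/VIRSA/VFAT"},
        ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},   # SP07 addition
        ("S_USER_GRP", "CLASS"): {ffid_group},          # the FFIDs' user group
    }


def value_matches(required: str, low: str, high: str) -> bool:
    """True if a LOW/HIGH authorization value covers `required`.

    PFCG semantics: '*' covers everything, 'ABC*' is a prefix pattern,
    LOW..HIGH is an inclusive range, otherwise LOW is an exact value.
    """
    if low == "*":
        return True
    if low.endswith("*") and required.startswith(low[:-1]):
        return True
    if high and low <= required <= high:
        return True
    return required == low


def missing_authorizations(rows: Sequence[AuthRow], role: str,
                           required: Requirements) -> List[Tuple[str, str, str]]:
    """Return the (object, field, value) triples the role does not grant."""
    missing = []
    for (obj, field), values in required.items():
        present = [r for r in rows if (r.role, r.obj, r.field) == (role, obj, field)]
        for value in sorted(values):
            if not any(value_matches(value, r.low, r.high) for r in present):
                missing.append((obj, field, value))
    return missing


def reachable_tcodes(rows: Sequence[AuthRow], role: str,
                     tcodes: Sequence[str] = ("SU01",)) -> List[str]:
    """Transactions from `tcodes` that the role's S_TCODE values would allow,
    wildcards and ranges included. The guide says not to grant SU01 here."""
    hits = []
    for tcode in tcodes:
        for r in rows:
            if ((r.role, r.obj, r.field) == (role, "S_TCODE", "TCD")
                    and value_matches(tcode, r.low, r.high)):
                hits.append(tcode)
                break
    return hits


# Constructed sample: a custom role that is nearly right, but carries an
# over-broad S_TCODE pattern and lacks ACTVT 05 on S_USER_GRP.
SAMPLE_ROWS = [
    AuthRow("Z_FF_CUSTOM", "S_RFC", "ACTVT", "16"),
    AuthRow("Z_FF_CUSTOM", "S_RFC", "RFC_NAME", "SYST"),
    AuthRow("Z_FF_CUSTOM", "S_RFC", "RFC_TYPE", "FUGR"),
    AuthRow("Z_FF_CUSTOM", "S_TCODE", "TCD", "/VIRSA/VFAT"),
    AuthRow("Z_FF_CUSTOM", "S_TCODE", "TCD", "SU*"),             # also covers SU01
    AuthRow("Z_FF_CUSTOM", "S_USER_GRP", "ACTVT", "02", "03"),   # range 02..03
    AuthRow("Z_FF_CUSTOM", "S_USER_GRP", "CLASS", "FFID_GROUP"),
]


def main() -> None:
    req = required_firefighter("FFID_GROUP")
    for obj, field, value in missing_authorizations(SAMPLE_ROWS, "Z_FF_CUSTOM", req):
        print(f"MISSING  {obj} {field} = {value}")
    for tcode in reachable_tcodes(SAMPLE_ROWS, "Z_FF_CUSTOM"):
        print(f"EXCESS   S_TCODE allows {tcode}")


if __name__ == "__main__":
    main()
```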
5.2 Delivered RAR Back End Roles

The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:

- /VIRSA/Z_CC_ADMINISTRATOR
- /VIRSA/Z_CC_BUSINESS_OWNER
- /VIRSA/Z_CC_REPORTING
- /VIRSA/Z_CC_SECURITY_ADMIN
- /VIRSA/Z_CC_USER_ADMIN

More Information

For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles

The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:

- /VIRSA/Z_VRMT_ADMINISTRATOR
- /VIRSA/Z_VRMT_ROLE_OWNER
- /VIRSA/Z_VRMT_SECURITY
- /VIRSA/Z_VRMT_USER

More Information

For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.

5.4 Delivered RFC Back-end Roles and Authorizations

Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:

- /VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
- /VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
- /VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
- /VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles

You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.

5.5.1 RFC Authorization Roles for CUP

The Compliant User Provisioning RFC connector role requires the following objects and values.

| Object | Definition | Authorization Field | Values |
| --- | --- | --- | --- |
| S_RFC | Authorization check for RFC access | ACTVT | 16 |
| | | RFC_NAME | /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU |
| | | RFC_TYPE | FUGR |
| S_TCODE | Authorization check at transaction start | TCD | SU01 |
| S_TABU_DIS | Table maintenance | ACTVT | 03 |
| | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N |
| S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | * |
| S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08 |
| | | AUTH, OBJECT | * |
| S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78 |
| | | CLASS | * |
| S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08 |
| | | PROFILE | * |
| S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22 |
| | | ACT_GROUP, CLASS, PROFILE, SUBSYSTEM | * |
| S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78 |
| | | SUBSYSTEM | * |
| S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06 |
| | | ADGRP | BC01 |
| GRCCC_0001 | Table maintenance | /VIRSA/ATN | MREF |
| PLOG | Personnel planning | INFOTYP | 1001 |
| | | ISTAT | 1 |
| | | OTYPE, PLVAR | * |
| | | PPFCODE | DEL, DISP, INSE, LIST |
| | | SUBTYP | * |
| P_TCODE | HR transaction code | TCD | SU01 |
5.5.2 RFC Authorization Values for ERM

The Enterprise Role Management RFC connector role requires the following objects and field values.

| Object | Definition | Authorization Field | Values |
| --- | --- | --- | --- |
| S_RFC | Authorization check for RFC access | ACTVT | 16 |
| | | RFC_NAME | /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU |
| | | RFC_TYPE | FUGR |
| S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES |
| S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | * |
| S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT | * |
| S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS | * |
| S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE | * |
| S_USER_TCD | Authorizations: transactions in roles | TCD | * |
| S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT | * |
| S_DEVELOP | ABAP Workbench | ACTVT | * |
| | | DEVCLASS | /VIRSA/*, SUSO |
| | | OBJNAME | /VIRSA/* |
| | | OBJTYPE | FUGR |
| | | P_GROUP | * |
| PLOG | Personnel planning | INFOTYP | 1000, 1001 |
| | | ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYPE | * |
5.5.3 RFC Authorization Values for RAR

The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.

| Object | Definition | Authorization Field | Values |
| --- | --- | --- | --- |
| S_RFC | Authorization check for RFC access | ACTVT | 16 |
| | | RFC_NAME | /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU |
| | | RFC_TYPE | FUGR |
| S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES |
| S_GUI | Authorization for GUI activities | ACTVT | * |
| S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | * |
| S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT | * |
| S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS | * |
| S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE | * |
| S_USER_TCD | Authorizations: transactions in roles | TCD | * |
| S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT | * |
| S_DEVELOP | ABAP Workbench | ACTVT | MA |
| | | DEVCLASS | /VIRSA/*, SUSO |
| | | OBJNAME | /VIRSA/* |
| | | OBJTYPE | FUGR |
| | | P_GROUP | * |
| PLOG | Personnel planning | INFOTYPE | 1000, 1001 |
| | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS |
| | | PLVAR, PPFCODE, SUBTYP | * |
5.5.4 RFC Authorization Values for SPM

The Superuser Privilege Management RFC connector role requires the following objects and values.

| Object | Definition | Authorization Field | Values |
| --- | --- | --- | --- |
| S_RFC | Authorization check for RFC access | ACTVT | 16 |
| | | RFC_NAME | /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU |
| | | RFC_TYPE | FUGR |
| S_DEVELOP | ABAP Workbench | ACTVT | 16 |
| | | DEVCLASS | /VIRSA/* |
| | | OBJNAME | /VIRSA/* |
| | | OBJTYPE | FUGR |
| | | P_GROUP | * |
| GRCFF_0001 | User authorizations | ACTVT | * |
| GRCFF_0002 | Role authorizations | /VIRSA/FAT | * |
6 Delivered Front End Roles and Permissions

The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.

6.1 Updating Roles and Permissions from Support Packages

Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, you must import the roles again.
- If you are using custom roles, you must manually update your roles with the new permissions and actions.

6.2 Customizing the Front End Roles

The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP

Compliance User Provisioning includes the following delivered roles:
- AEADMIN
- AESecurity
- AEApprover

You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.

AEAdmin

The following are actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApprove | Permission to approve request in the approver view | Configuration
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer Tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access Button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request Button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request Button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access Button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover

The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity:
- CreateMitigationControl
- CreateSAPUser
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewAssignRolesProfiles
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRqustAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewUserReviewStatusReportAction

AEApprover:
- CreateMitigationControl
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- SeeSU01Fields
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRequstAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewSuperAccess
- ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM

Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator

You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN

The following table lists the actions for the role.

Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach Icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export Screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator

The following lists the actions for each of these roles.

REBusinessUser:
- ViewChangeHistory
- ViewCompareRoles
- ViewInformer
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTransactionUsage

RERoleDesigner:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMitigateRisks
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage

RESecurity:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMitigateRisks
- ViewObjectsbyClass
- ViewObjectsbyTransaction
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage

RESuperUser:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMassMaintGenerate
- ViewMassMaintenance
- ViewMassMaintRiskAnalysis
- ViewMassMaintUpdate
- ViewMitigateRisks
- ViewObjectsbyClass
- ViewObjectsbyTransaction
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage

REConfigurator:
- ManageCache
- ViewApprovalCriteria
- ViewBackgroundJobs
- ViewBusinessProcess
- ViewConditionGroups
- ViewConfiguration
- ViewConfigurationSettingsImport
- ViewCustomFields
- ViewFunctionalArea
- ViewInitialSystemData
- ViewMassRoleImport
- ViewMethodology
- ViewMigration
- ViewMiscellaneousConfiguration
- ViewNamingConvention
- ViewOrgValueMapping
- ViewProcessMapping
- ViewProjectRelease
- ViewRoleExpert
- ViewRoleLibrary
- ViewRoleStatus
- ViewSubProcess
- ViewSystemLandscape
- ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR

Risk Analysis and Remediation includes the following delivered roles:
- VIRSA_CC_ADMINISTRATOR
- VIRSA_CC_SECURITY_ADMIN
- VIRSA_CC_REPORT
- VIRSA_CC_BUSINESS_OWNER

You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.

VIRSA_CC_ADMINISTRATOR

The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer and Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer and Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER

The following lists the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN:
- ChangeBP
- ChangeBUnit
- ChangeCrActions
- ChangeCrProfiles
- ChangeCrRoles
- ChangeFunction
- ChangeOrgRules
- ChangeRisks
- ChangeRuleSet
- CreateBP
- CreateCrActions
- CreateCrProfiles
- CreateCrRoles
- CreateFunction
- CreateOrgRules
- CreateRisks
- CreateRuleSet
- CreateSupplementRule
- DeleteAlert
- DeleteBP
- DeleteBUnit
- DeleteCrActions
- DeleteCrProfiles
- DeleteCrRoles
- DeleteFunction
- DeleteOrgRules
- DeleteRisks
- DeleteRuleSet
- DeleteSupplementRule
- ExportMitigationData
- ExportRules
- GenerateAlert
- ImportMitigationData
- ImportRules
- MassFuncMaint
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewBgJobLog
- ViewBGJobsForAllUsers
- ViewConfiguration
- ViewInformer
- ViewMgmtReport
- ViewMitigation
- ViewRuleArchitect

VIRSA_CC_REPORT:
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewInformer
- ViewMgmtReport
- ViewMitigation

VIRSA_CC_BUSINESS_OWNER:
- ChangeBUnit
- ChangeMitCntl
- ChangeMitHRObject
- ChangeMitProfile
- ChangeMitRole
- ChangeMitUser
- CreateBUnit
- CreateMitCntl
- CreateMitHRObject
- CreateMitProfile
- CreateMitRole
- CreateMitUser
- DeleteBUnit
- DeleteMitCntl
- DeleteMitHRsObject
- DeleteMitProfile
- DeleteMitRole
- DeleteMitUser
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewInformer
- ViewMgmtReport
- ViewMitigation
- ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM

SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version:
- On SAP Help Portal at http://help.sap.com -> Glossary
- In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools -> Customizing -> IMG

Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/releasenotes
- In the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>"
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
1 Introduction
The Security Guide provides an overview of the security-relevant information that applies to SAP GRC Access Control. You can use the information in this document to understand and implement system security, and to understand and implement the business-function security features that Access Control provides for regulatory compliance.
NOTE
This guide does not replace the administration or operation guides that are available for productive operations.
1.1 Target Audience
Technology consultants
Security administrators
System administrators
1.2 Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When you use a distributed system, make sure that your data and processes support your business needs and do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system can result in loss of information or processing time.
SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. SAP GRC Access Control helps companies to comply with regulatory mandates such as Sarbanes-Oxley. Organizations can readily identify and remove access and authorization risks from IT systems, as well as embed preventive controls in business processes to stop segregation of duties (SoD) violations. Companies benefit from a considerable reduction in the time, risk, and cost associated with compliance. To assist you in securing Access Control, we provide this Security Guide.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.
Access Control (AC) includes the following components:
Compliant User Provisioning (CUP)
Enterprise Role Management (ERM)
Risk Analysis and Remediation (RAR)
Superuser Privilege Management (SPM)
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities are built on the SAP NetWeaver Application Server for ABAP, so the security issues of that platform also apply to them. For more information, see the following security guides.
Fundamental Security Guides
Guide | Location
SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Client (with PFCG Connection) | SAP Library
NetWeaver Business Client Security Issues | SAP Library
UME Authorization Guide | SAP Library
SAP NetWeaver Portal Guide | SAP Library
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security: This topic describes the communication channels and protocols used by Access Control.
Communication Destinations: Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments: Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security: This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, we highly recommend that you use the HTTPS protocol for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data
RFC | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application system | HTTP/HTTPS | All application data | Logon data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session is opened using the RFC destination. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC destination to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
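The channel table in 4.1 and the destination rule in 4.2 can be turned into a small review check. The following Python is an added example, not SAP code and not part of this guide: it audits a constructed list of channel records for the protection the guide expects per protocol (SNC for DIAG and RFC, SSL for HTTP traffic carrying logon data) and flags an Access Control RFC destination that carries a stored user ID. The record shape, the protection labels, the sample rows, and the user ID FFSERVICE are this example's own assumptions.

```python
"""Added example, not SAP code: audit communication channels and RFC
destinations against the protection this guide calls for.

Assumptions (this example's own): a channel is described by a small record;
the expected protection per protocol follows the note in section 4.1
(SNC for DIAG and RFC, SSL for HTTP); an RFC destination used by Access
Control must not carry a stored user ID (section 4.2)."""
from dataclasses import dataclass
from typing import Optional

# Protection the guide expects for each protocol that carries logon data.
EXPECTED_PROTECTION = {"DIAG": "SNC", "RFC": "SNC", "HTTP": "SSL"}


@dataclass
class Channel:
    path: str                          # communication path, as in the 4.1 table
    protocol: str                      # DIAG, RFC or HTTP
    protection: Optional[str] = None   # SNC, SSL or None (unprotected)
    carries_logon_data: bool = True    # every row of the 4.1 table does
    stored_user: Optional[str] = None  # user ID saved in an RFC destination


def audit_channels(channels):
    """Return (path, finding) pairs for every channel that violates a rule."""
    findings = []
    for ch in channels:
        proto = ch.protocol.upper()
        want = EXPECTED_PROTECTION.get(proto)
        if want is None:
            findings.append((ch.path, f"unknown protocol {ch.protocol}"))
            continue
        if ch.carries_logon_data and ch.protection != want:
            findings.append((ch.path, f"{proto} carries logon data without {want}"))
        if proto == "RFC" and ch.stored_user:
            findings.append((ch.path, f"RFC destination stores user ID {ch.stored_user}"))
    return findings


# Constructed sample landscape: two rows follow the guide, two do not.
SAMPLE_CHANNELS = [
    Channel("Backend using SAP GUI", "DIAG", "SNC"),
    Channel("NetWeaver Business Client", "HTTP", None),          # plain HTTP
    Channel("Access Control RFC destination", "RFC", "SNC",
            stored_user="FFSERVICE"),                             # constructed user ID
    Channel("Application server to BI system", "HTTP", "SSL"),
]

if __name__ == "__main__":
    for path, finding in audit_channels(SAMPLE_CHANNELS):
        print(f"{path}: {finding}")
```

Run on the constructed rows, the audit reports the plain-HTTP Business Client path and the destination with a stored user ID; the SNC-protected DIAG path and the HTTPS path to BI pass. Feeding it the real landscape means exporting each channel's protocol, its SNC or SSL state, and whether the RFC destination stores a user ID.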
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket that gives access to all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that access to the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: the ticket is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data are stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog users
  Use the SAP GUI for configuring and administering Access Control
  Access the NetWeaver Business Client
Communication users
  Use the Access Control workflow
  RTAs use RFC connections to connect to the BI systems
Service users
  Connect the front-end ABAP session to the back-end ABAP session
  RTAs use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use UME for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverage the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc; choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR: This is the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR: This role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSASVFAT_ADMINISTRATOR: This is the administrator for both delivered ID-based and role-based roles.
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR - Controller: the user who maintains the controller table for firefighter roles; FFER - Firefighter: required to add or delete a firefighter from firefighter roles; LGDN - Log Download: download logs via Administration - Archive; LGDS - Log Delete: delete logs via Administration - Archive; LGUP - Log Upload: upload logs via Administration - Archive; OWNR - Owner: the user who maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFFLOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (Group) | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any user who has this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
VIRSAZ_FAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
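When a custom SPM role is built, the tables above are the reference against which it is reviewed. The following Python is an added example, not SAP code and not part of this guide: it checks a role, given as (object, field, value) rows in the shape of a PFCG export, against the VIRSAZ_VFAT_FIREFIGHTER authorizations listed above, including the SP07 S_USER_GRP rows, and applies the two cautions from the note (a CLASS value of * maintains every user group, and SU01 should not be granted alongside this access). It goes slightly beyond the table by honouring SAP's trailing-asterisk wildcard in granted values, so a granted `SU*` is recognised as covering SU01. The row format, the function names, the sample roles, and the FFID group name FFID are this example's own assumptions; the required values are spelled exactly as the guide prints them.

```python
"""Added example, not SAP code: check a custom SPM firefighter role against
the VIRSAZ_VFAT_FIREFIGHTER authorizations listed in this section.

Assumptions (this example's own): role authorizations arrive as
(object, field, value) rows, the shape of a PFCG role export; identifiers
are spelled as this guide prints them; SAP's trailing '*' wildcard is
honoured in granted values.  The SU01 and CLASS='*' checks implement the
cautions in the note that follows the SP07 table."""
from collections import defaultdict

# (object, field) -> values a firefighter role must carry, from the tables above.
REQUIRED_FIREFIGHTER = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"SYST"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_TCODE", "TCD"): {"VIRSAVFAT"},
    ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},   # SP07 and later
}


def value_matches(granted, wanted):
    """SAP authorization value match: exact, full '*', or trailing '*' prefix."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def index_role(auth_rows):
    """Group (object, field, value) rows into {(object, field): {values}}."""
    idx = defaultdict(set)
    for obj, fld, val in auth_rows:
        idx[(obj, fld)].add(val)
    return idx


def missing_values(granted, required):
    """Required values that no granted value (or wildcard) covers."""
    return [r for r in sorted(required)
            if not any(value_matches(g, r) for g in granted)]


def check_role(auth_rows, required, ffid_group):
    """Return a list of findings; an empty list means the role is as listed."""
    idx = index_role(auth_rows)
    findings = []
    for (obj, fld), values in required.items():
        gap = missing_values(idx.get((obj, fld), set()), values)
        if gap:
            findings.append(f"missing {obj}/{fld} values {gap}")
    # CLASS must name the FFID user group; '*' would maintain every user group.
    cls = idx.get(("S_USER_GRP", "CLASS"), set())
    if not cls:
        findings.append("missing S_USER_GRP/CLASS (FFID user group)")
    elif "*" in cls:
        findings.append("S_USER_GRP/CLASS is '*': role can maintain every user group, not only the FFIDs")
    elif not any(value_matches(g, ffid_group) for g in cls):
        findings.append(f"S_USER_GRP/CLASS does not cover FFID group {ffid_group}")
    # The note advises against SU01 for users who hold this access.
    tcd = idx.get(("S_TCODE", "TCD"), set())
    if any(value_matches(g, "SU01") for g in tcd):
        findings.append("S_TCODE/TCD grants SU01, which the note advises against")
    return findings


def check_firefighter_role(auth_rows, ffid_group):
    return check_role(auth_rows, REQUIRED_FIREFIGHTER, ffid_group)


# Constructed sample roles (not SAP deliverables); the FFID group name is made up.
BASE = [("S_RFC", "ACTVT", "16"), ("S_RFC", "RFC_NAME", "SYST"),
        ("S_RFC", "RFC_TYPE", "FUGR"), ("S_TCODE", "TCD", "VIRSAVFAT")]
ROLE_OK = (BASE
           + [("S_USER_GRP", "ACTVT", a) for a in ("02", "03", "05")]
           + [("S_USER_GRP", "CLASS", "FFID")])
ROLE_WEAK = BASE + [("S_TCODE", "TCD", "SU01"),
                    ("S_USER_GRP", "ACTVT", "*"), ("S_USER_GRP", "CLASS", "*")]
ROLE_PRE_SP07 = list(BASE)   # lacks the S_USER_GRP rows required from SP07 on

if __name__ == "__main__":
    for name, role in (("ROLE_OK", ROLE_OK), ("ROLE_WEAK", ROLE_WEAK),
                       ("ROLE_PRE_SP07", ROLE_PRE_SP07)):
        print(name, check_firefighter_role(role, "FFID") or "OK")
```

`check_role` takes the required map as a parameter, so the same routine reviews the other tables in this section once their rows are transcribed into a dictionary of the same shape. ROLE_WEAK passes the value check (its `*` on ACTVT covers 02, 03 and 05) but is reported twice, for the wildcard CLASS and for SU01; ROLE_PRE_SP07 is reported for the two S_USER_GRP entries it lacks.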
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSASZ_CC_REPORTING
VIRSSAZ_CC_SECRITY_ADMIN
VIRSA_Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector
with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each
capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions,
and authorization values listed in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliance User Provisioning RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
 | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
 | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
 | | AUTH |
 | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
 | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
 | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
 | | ACT_GROUP |
 | | CLASS |
 | | PROFILE |
 | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
 | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
 | | ISTAT | 1
 | | OTYPE |
 | | PLVAR |
 | | PPFCODE | DEL, DISP, INSE, LIST
 | | SUBTYP |
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
 | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
 | | AUTH |
 | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
 | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
 | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
 | | AUTH_VALUE |
 | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
 | | DEVCLASS | VIRSA, SUSO
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
 | | ISTAT |
 | | OTYPE |
 | | PLVAR |
 | | PPFCODE |
 | | SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
 | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
 | | AUTH |
 | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
 | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
 | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
 | | AUTH_VALUE |
 | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
 | | DEVCLASS | VIRSA, SUSO
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
 | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
 | | PLVAR |
 | | PPFCODE |
 | | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
 | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
 | | DEVCLASS | VIRSA
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
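A custom RFC role built from these tables is easy to get slightly wrong in either direction: a forgotten value makes the connector fail, while a wildcard or a stray object grants the connector more than the table calls for. The following Python script is an added example, not SAP's code and not part of this guide. It takes a custom role as the flat (object, field, value) lines you would export from its authorization data and compares it with the required values for the SPM connector transcribed from the table above (only the S_RFC and S_DEVELOP rows, since the GRCFF rows list no field values; SDIRUNTIME is kept as the table spells it). The custom role in the script is a constructed sample, and the wildcard handling is a simplified form of SAP's trailing-asterisk semantics (value ranges are not modelled).

```python
"""Least-privilege check of a custom RFC connector role (added example, not SAP code).

The required set is transcribed from the SPM connector table (S_RFC and S_DEVELOP
rows only; the GRCFF_0001/GRCFF_0002 rows list no field values). The candidate
role is a constructed sample of the flat (object, field, value) authorization
lines you would export from the custom role.
"""
from typing import Dict, List, Set, Tuple

Auth = Tuple[str, str, str]  # (authorization object, field, value)
Required = Dict[str, Dict[str, Set[str]]]

REQUIRED_SPM: Required = {
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_NAME": {"VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF", "SDTX",
                     "SDIRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
        "RFC_TYPE": {"FUGR"},
    },
    "S_DEVELOP": {
        "ACTVT": {"16"}, "DEVCLASS": {"VIRSA"}, "OBJNAME": {"VIRSA"}, "OBJTYPE": {"FUGR"},
    },
}

# Constructed custom role: an "almost right" role with three deliberate defects.
CUSTOM_ROLE: List[Auth] = [
    ("S_RFC", "ACTVT", "16"),
    ("S_RFC", "RFC_NAME", "VIRSA*"),          # wildcard instead of the two listed groups
    ("S_RFC", "RFC_NAME", "BAPT"), ("S_RFC", "RFC_NAME", "RFC1"),
    ("S_RFC", "RFC_NAME", "SDIF"), ("S_RFC", "RFC_NAME", "SDTX"),
    ("S_RFC", "RFC_NAME", "SDIRUNTIME"), ("S_RFC", "RFC_NAME", "SUSR"),
    ("S_RFC", "RFC_NAME", "SUUS"), ("S_RFC", "RFC_NAME", "SU_USER"),
    ("S_RFC", "RFC_NAME", "SYST"),            # SYSU forgotten
    ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_DEVELOP", "ACTVT", "*"),              # full activity wildcard instead of 16
    ("S_DEVELOP", "DEVCLASS", "VIRSA"), ("S_DEVELOP", "OBJNAME", "VIRSA"),
    ("S_DEVELOP", "OBJTYPE", "FUGR"),
    ("S_TCODE", "TCD", "SU01"),               # object the SPM connector does not need
]


def value_covers(granted: str, required: str) -> bool:
    """Simplified SAP value semantics: exact match, or a trailing '*' wildcard
    matching any suffix ('*' alone matches everything)."""
    if granted == required:
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return False


def check_role(required: Required, granted: List[Auth]) -> Dict[str, List[Auth]]:
    """Compare a role's authorization lines with the required table.

    missing   - required values no granted value covers (the connector will fail)
    wildcards - granted values containing '*' (they cover more than the table lists)
    excess    - literal granted values, or whole objects, the table does not call for
    """
    by_field: Dict[Tuple[str, str], Set[str]] = {}
    for obj, field, value in granted:
        by_field.setdefault((obj, field), set()).add(value)

    missing: List[Auth] = []
    for obj, fields in required.items():
        for field, values in fields.items():
            have = by_field.get((obj, field), set())
            missing.extend((obj, field, v) for v in sorted(values)
                           if not any(value_covers(g, v) for g in have))

    wildcards = [(o, f, v) for (o, f), vs in by_field.items() for v in vs if "*" in v]
    excess = [(o, f, v) for (o, f), vs in by_field.items() for v in vs
              if "*" not in v and v not in required.get(o, {}).get(f, set())]
    return {"missing": sorted(missing), "wildcards": sorted(wildcards),
            "excess": sorted(excess)}


def check_spm_role() -> Dict[str, List[Auth]]:
    """Run the check for the constructed custom role against the SPM table."""
    return check_role(REQUIRED_SPM, CUSTOM_ROLE)


if __name__ == "__main__":
    for category, lines in check_spm_role().items():
        print(f"{category}:")
        for obj, field, value in lines:
            print(f"  {obj:<12}{field:<10}{value}")
```

For the constructed role the report lists SYSU as missing, the two wildcards (S_RFC RFC_NAME VIRSA* and S_DEVELOP ACTVT *) for review, and S_TCODE SU01 as excess. The same function serves the CUP, ERM and RAR tables once their rows are transcribed into the same dictionary shape.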
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME
to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate
the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and
actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of
the authorizations. When creating custom roles, refer to the actions and values listed for the
administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes
all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | Internally used permission; not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for archiving requests | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel request generation for Manage Rejections (UAR and SOD) | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections (UAR and SOD) | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level configuration | Configuration
ModifySupportConfiguration | Permission to modify Support configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve a request in the approver view | Configuration
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view the Informer Reports Access Request chart view | Informer
ViewIFChartAccessProvisioningAction | Permission to view the Informer Reports Provisioning chart view | Informer
ViewIFChartRiskViolationAction | Permission to view the Informer Reports Risk Violation chart view | Informer
ViewIFChartServiceLevelAction | Permission to view the Informer Reports Service Level chart view | Informer
ViewIFReportViewAction | Permission to view the Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to the request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity | AEApprover
CreateMitigationControl | CreateMitigationControl
CreateSAPUser | ManageRejectionsCancelGenerationAction
ManageRejectionsCancelGenerationAction | ManageRejectionsGenerateAction
ManageRejectionsGenerateAction | SeeSU01Fields
ViewAccessEnforcer | ViewAccessEnforcer
ViewApprove | ViewApprove
ViewApproverDelegation | ViewApproverDelegation
ViewAssignRolesProfiles | ViewCopyRequest
ViewCopyRequest | ViewCreateRequest
ViewCreateRequest | ViewForwardRequest
ViewForwardRequest | ViewHold
ViewHold | ViewManageRejectionReasons
ViewManageRejectionReasons | ViewManageRejections
ViewManageRejections | ViewMitigation
ViewMitigation | ViewReaffirms
ViewReaffirms | ViewReject
ViewReject | ViewRejectUsers
ViewRejectUsers | ViewRemoveAccess
ViewRemoveAccess | ViewRequstAuditTrail
ViewRequstAuditTrail | ViewReRoute
ViewReRoute | ViewRiskAnalysis
ViewRiskAnalysis | ViewSaveRequest
ViewSaveRequest | ViewSearchRequestAll
ViewSearchRequestAll | ViewSelectPDProfiles
ViewSelectPDProfiles | ViewSelectRoles
ViewSelectRoles | ViewSubmitRequest
ViewSubmitRequest | ViewSuperAccess
ViewUserReviewStatusReportAction | ViewUserReviewStatusReportAction
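Two things in sections 6.1 and 6.2 can be checked mechanically rather than by eye: which actions actually distinguish two delivered roles, and what has to change in a custom role after a support package replaces the delivered action lists. The following Python script is an added example, not SAP's code and not part of this guide. The AESecurity and AEApprover action sets are transcribed from the table above (the two misspelled entries in the AESecurity column are normalized to the AEApprover column's spelling). The "new" delivered AEApprover list, the custom role, and the action name EXAMPLE_NEW_ACTION are constructed placeholders for the demonstration.

```python
"""Planning a custom UME role update after a support package (added example, not SAP code).

AESECURITY and AEAPPROVER are transcribed from the delivered-role table. The new
delivered list and the custom role are constructed; EXAMPLE_NEW_ACTION is a
placeholder, not a real UME action.
"""
from typing import Dict, Set

AESECURITY: Set[str] = set("""
CreateMitigationControl CreateSAPUser ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction ViewAccessEnforcer ViewApprove ViewApproverDelegation
ViewAssignRolesProfiles ViewCopyRequest ViewCreateRequest ViewForwardRequest ViewHold
ViewManageRejectionReasons ViewManageRejections ViewMitigation ViewReaffirms ViewReject
ViewRejectUsers ViewRemoveAccess ViewRequstAuditTrail ViewReRoute ViewRiskAnalysis
ViewSaveRequest ViewSearchRequestAll ViewSelectPDProfiles ViewSelectRoles
ViewSubmitRequest ViewUserReviewStatusReportAction
""".split())

AEAPPROVER: Set[str] = set("""
CreateMitigationControl ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction SeeSU01Fields ViewAccessEnforcer ViewApprove
ViewApproverDelegation ViewCopyRequest ViewCreateRequest ViewForwardRequest ViewHold
ViewManageRejectionReasons ViewManageRejections ViewMitigation ViewReaffirms ViewReject
ViewRejectUsers ViewRemoveAccess ViewRequstAuditTrail ViewReRoute ViewRiskAnalysis
ViewSaveRequest ViewSearchRequestAll ViewSelectPDProfiles ViewSelectRoles
ViewSubmitRequest ViewSuperAccess ViewUserReviewStatusReportAction
""".split())


def role_difference(a: Set[str], b: Set[str]) -> Dict[str, Set[str]]:
    """Actions that distinguish two roles: what only a grants and what only b grants."""
    return {"only_in_a": a - b, "only_in_b": b - a}


def plan_custom_role_update(old_delivered: Set[str], new_delivered: Set[str],
                            custom: Set[str]) -> Dict[str, Set[str]]:
    """Three-way merge for a custom role that was cloned from a delivered role.

    Actions the support package adds are added and actions it removes are removed,
    while the customer's deliberate deviations from the old delivered list are kept
    and reported for review.
    """
    customer_added = custom - old_delivered
    customer_removed = old_delivered - custom
    to_add = (new_delivered - old_delivered) - custom
    to_remove = (old_delivered - new_delivered) & custom
    target = (custom | to_add) - to_remove
    return {
        "to_add": to_add,
        "to_remove": to_remove,
        "customer_added": customer_added,                     # review: still justified?
        "customer_removed": customer_removed & new_delivered,  # still delivered, kept off
        "target": target,
    }


def demo_plan() -> Dict[str, Set[str]]:
    """Constructed scenario: the custom role was cloned from AEApprover, the customer
    removed ViewSearchRequestAll and added CreateSAPUser from AESecurity; the new
    support package adds EXAMPLE_NEW_ACTION (placeholder) and drops ViewSuperAccess."""
    custom = (AEAPPROVER - {"ViewSearchRequestAll"}) | {"CreateSAPUser"}
    new_delivered = (AEAPPROVER | {"EXAMPLE_NEW_ACTION"}) - {"ViewSuperAccess"}
    return plan_custom_role_update(AEAPPROVER, new_delivered, custom)


if __name__ == "__main__":
    diff = role_difference(AESECURITY, AEAPPROVER)
    print("only AESecurity:", sorted(diff["only_in_a"]))
    print("only AEApprover:", sorted(diff["only_in_b"]))
    for key, actions in demo_plan().items():
        if key != "target":
            print(f"{key}: {sorted(actions)}")
```

On the transcribed lists the difference is small and worth knowing: AESecurity alone carries CreateSAPUser and ViewAssignRolesProfiles (the two provisioning actions), AEApprover alone carries SeeSU01Fields and ViewSuperAccess. The plan for the constructed scenario adds the placeholder action, removes ViewSuperAccess, and keeps the customer's two deviations while listing them for review.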
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes
all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for each of these roles.

REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary,
ViewSearchRoles, ViewTransactionUsage

RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis,
ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults,
ViewTransactionUsage

RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass,
ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary,
ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate,
ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks,
ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert,
ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess,
ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields,
ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration,
ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping,
ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess,
ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The
VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these
permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within it | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSAS_CC_BUSINESS_OWNER
The following lists give the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles,
ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles,
CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule,
DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction,
DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules,
GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis,
RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration,
ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer,
ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole,
ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole,
CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole,
DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer,
ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the required
actions for an administrator.
FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab; assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group: all target groups.
Current version: on SAP Help Portal at http://help.sap.com > Glossary; in the SAP system in transaction STERM.

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades.
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD).

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide.

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Configuration Documentation in SAP Solution Manager - SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations.
Current version: in SAP Solution Manager.

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades.
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG.

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments).
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options.
Example | Emphasized words or expressions.
Example | Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com | Textual cross-references to an internet address.
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456.
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
 | Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard.
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
Table of Contents
Chapter 1 Introduction 5
1.1 Target Audience 5
1.2 Why is Security Necessary 5
1.3 About this Document 6
Chapter 2 Before You Start 7
2.1 Fundamental Security Guides 7
2.2 Important SAP Notes 7
2.3 Additional Information 7
Chapter 3 Technical System Landscape 9
Chapter 4 Network and Communication Security 11
4.1 Communication Channel Security 11
4.2 RFC Connections 12
4.3 Communication Destinations 12
4.4 Integration into Single Sign-On Environments 13
4.5 Data Storage Security 14
4.6 User Administration and Authentication 14
4.6.1 User Management 14
4.6.2 User Types 14
4.6.3 User Administration Tools 15
4.7 Trace and Log Files 15
Chapter 5 Delivered Back End Roles 17
5.1 Delivered SPM Back-end Roles 17
5.1.1 Customizing SPM Back-end Roles 18
5.2 Delivered RAR Back End Roles 22
5.3 Delivered ERM Back End Roles 23
5.4 Delivered RFC Back-end Roles and Authorizations 23
5.5 Creating Custom RFC Roles 24
5.5.1 RFC Authorization Roles for CUP 24
5.5.2 RFC Authorization Values for ERM 26
5.5.3 RFC Authorization Values for RAR 27
5.5.4 RFC Authorization Values for SPM 28
Chapter 6 Delivered Front End Roles and Permissions 31
6.1 Updating Roles and Permissions from Support Packages 31
6.2 Customizing the Front End Roles 31
6.2.1 Delivered Front End Roles and Permissions for CUP 31
6.2.2 Delivered Front End Roles and Permissions for ERM 36
6.2.3 Delivered Front End Roles and Permissions for RAR 39
Chapter 7 Recommended Front End Roles and Permissions for SPM 43
Chapter A Reference 45
A.1 The Main SAP Documentation Types 45
1 Introduction
The Security Guide provides an overview of the security-relevant information that applies to SAP GRC Access Control. You can use the information in this document to understand and implement system security, and to understand and implement the business function security features that Access Control provides for regulatory compliance.
NOTE
This guide does not replace the administration or operation guides that are available for productive operations.
1.1 Target Audience
- Technology consultants
- Security administrators
- System administrators
1.2 Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When you use a distributed system, make sure that your data and processes support your business needs and do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system can result in loss of information or processing time.
SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. SAP GRC Access Control helps companies to comply with regulatory mandates such as Sarbanes-Oxley. Organizations can readily identify and remove access and authorization risks from IT systems, as well as embed preventive controls in business processes to stop segregation of duties (SoD) violations. Companies benefit from a considerable reduction in the time, risk, and cost associated with compliance. To assist you in securing Access Control, we provide this Security Guide.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.
AC includes the following components:
- Compliant User Provisioning (CUP)
- Enterprise Role Management (ERM)
- Risk Analysis and Remediation (RAR)
- Superuser Privilege Management (SPM)
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities use the SAP NetWeaver Application Server for ABAP. For this and other security issues, see the following security guides.
Fundamental Security Guides
Guide | Location
SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Client (with PFCG Connection) | SAP Library
NetWeaver Business Client Security Issues | SAP Library
UME Authorization Guide | SAP Library
SAP NetWeaver Portal Guide | SAP Library
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
- Communication Channel Security: this topic describes the communication channels and protocols used by Access Control.
- Communication Destinations: Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
- Integration with Single Sign-On Environments: Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
- Data Storage Security: this topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
- Network and Communication Security [SAP Library]
- Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data
RFC | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application system | HTTP/HTTPS | All application data | Logon data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
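As an added illustration that is not part of the SAP guide, the following Python applies the rules stated in the table and note above to an inventory of communication paths: a DIAG or RFC path passes only when SNC is configured, an HTTPS path passes, and a plain HTTP path is reported because every path in the table carries logon data. The semicolon-separated inventory format and the sample entries are constructed for the example; they are not an SAP export format.

```python
"""Check communication paths against the rules in section 4.1.

Added example, not part of the SAP guide: DIAG and RFC paths need SNC,
HTTP paths should be HTTPS (SSL), and every path carries logon data. The
'name;protocol;snc' inventory format is constructed, not an SAP export.
"""
from typing import List, NamedTuple, Optional, Tuple


class CommPath(NamedTuple):
    name: str
    protocol: str   # DIAG, RFC, HTTP or HTTPS (upper case)
    snc: bool       # True when SNC is configured; only meaningful for DIAG/RFC


SNC_PROTOCOLS = {"DIAG", "RFC"}   # protected by Secure Network Communications
TLS_PROTOCOL = "HTTPS"            # protected by SSL


def parse_inventory(text: str) -> List[CommPath]:
    """Parse constructed 'name;protocol;snc' lines; snc is yes/no, '#' starts a comment."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        name, protocol, snc = fields
        paths.append(CommPath(name, protocol.upper(), snc.lower() == "yes"))
    return paths


def check_path(path: CommPath) -> Optional[Tuple[str, str]]:
    """Return (name, finding) for a path that fails the rules, None when it passes."""
    if path.protocol in SNC_PROTOCOLS:
        if path.snc:
            return None
        return (path.name, f"{path.protocol} without SNC: logon data crosses the network unprotected")
    if path.protocol == TLS_PROTOCOL:
        return None
    if path.protocol == "HTTP":
        return (path.name, "plain HTTP: use HTTPS so SSL protects the logon data")
    return (path.name, f"unrecognised protocol {path.protocol}: review manually")


def audit(paths: List[CommPath]) -> List[Tuple[str, str]]:
    """Findings for every path that fails the section 4.1 rules, in inventory order."""
    return [f for f in map(check_path, paths) if f is not None]


# Constructed inventory: the first four rows mirror the guide's table,
# the last one carries a protocol the guide does not cover.
SAMPLE_INVENTORY = """
# name;protocol;snc
Backend using SAP GUI;DIAG;yes
NetWeaver Business Client;HTTP;no
RFC to ERP real-time agent;RFC;no
Application server to BI system;HTTPS;no
BI system to application system;FTP;no
"""

if __name__ == "__main__":
    for name, finding in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{name}: {finding}")
```

Running the block lists three findings: the Business Client on plain HTTP, the RFC path without SNC, and the unrecognised protocol that needs a manual look; the SNC-protected DIAG path and the HTTPS path produce none.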
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
- Transport Layer Security in the SAP NetWeaver Security Guide
- Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that access to this data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data are stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
- Dialog users: use the SAP GUI for configuring and administering Access Control; access the NetWeaver Business Client.
- Communication users: use the Access Control workflow.
- RTAs: use RFC connections to connect to the BI systems.
- Service users: connect the front-end ABAP session to the back-end ABAP session.
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations.
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles.
User Management Administration Console | Use UME for Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
- VIRSAZ_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
- VIRSAVFAT_ROLE_ADMINISTRATOR: this role can perform administrator tasks for both ID-based and role-based firefighting.
- VIRSASVFAT_ADMINISTRATOR: the administrator for both delivered ID-based and role-based roles.
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions | Administrators control most firefighter activities
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR (continued) | Archive log data; view reports in the toolbox |
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back-end security:
- SAP Note 1025421
- SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Available Values | Authorization Field
GRCFF_0001 | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload | ACTVT
GRCFF_0002 | CNTR - Controller: maintains the controller table for firefighter roles. FFER - Firefighter: required to add or delete a firefighter from firefighter roles. LGDN - Log Download: you can download logs via Administration > Archive. LGDS - Log Delete: you can delete logs via Administration > Archive. LGUP - Log Upload: you can upload logs via Administration > Archive. OWNR - Owner: maintains the owner table for firefighter roles. | VIRSAFAT
S_DATA_SET | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter | ACTVT
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Values | Authorization Field
S_TCODE | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02 | TCD
S_DATA_SET | VIRSAFF_LOG_AUTO_ARCHIVE | ACTVT, FILE_NAME, PROGRAM
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR | DICBERCLS
S_PROGRAM | SUBMIT, BTCSUBMIT, VARIANT | P_ACTION
S_PROGRAM | ZVFAT | P_GROUP
Object Values Authorization Field
GRCFF_0001 ACTVT
GRCFF_0002 VIRSAFAT
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and later, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (Group) | [user group of the FFIDs]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any user with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should also have an ID in the CUA system with the above authorizations.
VIRSAZ_FAT_ID_OWNER
The following table lists the objects, values and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSAZ_CC_REPORTING
VIRSAZ_CC_SECURITY_ADMIN
VIRSAZ_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | Table maintenance | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | Authorizations: role check | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | User master maintenance: authorizations | AUTH |
S_USER_AUT | User master maintenance: authorizations | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | User master maintenance: user groups | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | User master maintenance: authorization profile | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | S_USER_SAS | ACT_GROUP |
S_USER_SAS | S_USER_SAS | CLASS |
S_USER_SAS | S_USER_SAS | PROFILE |
S_USER_SAS | S_USER_SAS | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | User master maintenance: system for central user maintenance | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | Central address management | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | Personnel planning | ISTAT | 1
PLOG | Personnel planning | OTYPE |
PLOG | Personnel planning | PLVAR |
PLOG | Personnel planning | PPFCODE | DEL, DISP, INSE, LIST
PLOG | Personnel planning | SUBTYP |
P_TCODE | HR: transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | Authorizations: role check | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | User master maintenance: authorizations | AUTH |
S_USER_AUT | User master maintenance: authorizations | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | User master maintenance: user groups | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | User master maintenance: authorization profile | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | Authorizations: field values in roles | AUTH_VALUE |
S_USER_VAL | Authorizations: field values in roles | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA, SUSO
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | Personnel planning | ISTAT |
PLOG | Personnel planning | OTYPE |
PLOG | Personnel planning | PLVAR |
PLOG | Personnel planning | PPFCODE |
PLOG | Personnel planning | SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | Authorizations: role check | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | User master maintenance: authorizations | AUTH |
S_USER_AUT | User master maintenance: authorizations | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | User master maintenance: user groups | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | User master maintenance: authorization profile | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | Authorizations: field values in roles | AUTH_VALUE |
S_USER_VAL | Authorizations: field values in roles | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA, SUSO
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | Personnel planning | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | Personnel planning | PLVAR |
PLOG | Personnel planning | PPFCODE |
PLOG | Personnel planning | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
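Section 5.5 asks you to assign a custom RFC role exactly the objects and values in these tables, and section 5.1 allows CLASS = * on S_USER_GRP for the Firefighter role only as a fallback. The following added example (not code from the SAP guide) audits a role's authorization data against both requirements: it assumes the data is available as (OBJECT, FIELD, LOW, HIGH) rows, the columns of SAP table AGR_1251, both sample roles and the user group FF_USERS are constructed, and values are spelled as printed in the guide.

```python
"""Audit a custom back-end role against the values the guide requires.

Added example, not code from the SAP guide. Assumes authorization data as
(OBJECT, FIELD, LOW, HIGH) rows, the columns of table AGR_1251; the sample
roles are constructed and the values are spelled as printed in the guide."""
from typing import Dict, List, NamedTuple, Tuple

Spec = Dict[Tuple[str, str], List[str]]


class AuthRow(NamedTuple):
    obj: str        # authorization object, e.g. S_RFC
    fld: str        # authorization field, e.g. RFC_NAME
    low: str        # single value, prefix wildcard ("SDIF*") or range start
    high: str = ""  # range end; empty for a single value


# Section 5.5.4: required values for the SPM RFC connector role.
SPM_RFC_SPEC: Spec = {
    ("S_RFC", "ACTVT"): ["16"],
    ("S_RFC", "RFC_NAME"): ["VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1",
                            "SDIF", "SDTX", "SDIFRUNTIME", "SUSR", "SUUS",
                            "SU_USER", "SYST", "SYSU"],
    ("S_RFC", "RFC_TYPE"): ["FUGR"],
    ("S_DEVELOP", "ACTVT"): ["16"],
    ("S_DEVELOP", "DEVCLASS"): ["VIRSA"],
    ("S_DEVELOP", "OBJNAME"): ["VIRSA"],
    ("S_DEVELOP", "OBJTYPE"): ["FUGR"],
}

# Section 5.1: Firefighter role with the SP07 S_USER_GRP addition.
# "FF_USERS" is a constructed stand-in for the user group of the FFIDs.
FIREFIGHTER_SPEC: Spec = {
    ("S_RFC", "ACTVT"): ["16"],
    ("S_RFC", "RFC_NAME"): ["SYST"],
    ("S_RFC", "RFC_TYPE"): ["FUGR"],
    ("S_TCODE", "TCD"): ["VIRSAVFAT"],
    ("S_USER_GRP", "ACTVT"): ["02", "03", "05"],
    ("S_USER_GRP", "CLASS"): ["FF_USERS"],
}


def covers(row: AuthRow, value: str) -> bool:
    """LOW..HIGH is an inclusive range, a trailing '*' a prefix wildcard,
    '*' alone grants everything; anything else must match exactly."""
    if row.high:
        return row.low <= value <= row.high
    if row.low == "*":
        return True
    if row.low.endswith("*"):
        return value.startswith(row.low[:-1])
    return value == row.low


def is_broad(row: AuthRow) -> bool:
    """Ranges and wildcards grant more than the guide's explicit lists."""
    return bool(row.high) or row.low.endswith("*")


def audit_role(rows: List[AuthRow], spec: Spec) -> Dict[str, list]:
    """Return the required values the role lacks ('missing') and the
    entries that grant more than required ('broad')."""
    missing, broad = [], []
    for (obj, fld), required in spec.items():
        entries = [r for r in rows if r.obj == obj and r.fld == fld]
        for value in required:
            if not any(covers(r, value) for r in entries):
                missing.append((obj, fld, value))
        broad.extend((obj, fld, r.low, r.high) for r in entries if is_broad(r))
    return {"missing": missing, "broad": broad}


# Constructed custom SPM RFC role: SU_USER was forgotten, and SDIF plus
# SDIFRUNTIME were granted with one prefix wildcard instead of two values.
CUSTOM_SPM_RFC_ROLE = [AuthRow("S_RFC", "ACTVT", "16")] + [
    AuthRow("S_RFC", "RFC_NAME", name) for name in
    ["VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF*", "SDTX",
     "SUSR", "SUUS", "SYST", "SYSU"]
] + [
    AuthRow("S_RFC", "RFC_TYPE", "FUGR"),
    AuthRow("S_DEVELOP", "ACTVT", "16"),
    AuthRow("S_DEVELOP", "DEVCLASS", "VIRSA"),
    AuthRow("S_DEVELOP", "OBJNAME", "VIRSA"),
    AuthRow("S_DEVELOP", "OBJTYPE", "FUGR"),
]

# Constructed Firefighter role: ACTVT as a range (which also grants 04) and
# the CLASS = '*' fallback instead of the FFID user group.
CUSTOM_FIREFIGHTER_ROLE = [
    AuthRow("S_RFC", "ACTVT", "16"),
    AuthRow("S_RFC", "RFC_NAME", "SYST"),
    AuthRow("S_RFC", "RFC_TYPE", "FUGR"),
    AuthRow("S_TCODE", "TCD", "VIRSAVFAT"),
    AuthRow("S_USER_GRP", "ACTVT", "02", "05"),
    AuthRow("S_USER_GRP", "CLASS", "*"),
]

if __name__ == "__main__":
    for name, rows, spec in [("SPM RFC role", CUSTOM_SPM_RFC_ROLE, SPM_RFC_SPEC),
                             ("Firefighter role", CUSTOM_FIREFIGHTER_ROLE, FIREFIGHTER_SPEC)]:
        result = audit_role(rows, spec)
        print(name, "missing:", result["missing"])
        print(name, "broader than required:", result["broad"])
```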
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generating requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the READMIN role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser and REConfigurator
The following lists give the actions for each of these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions for the VIRSA_CC_ADMINISTRATOR role.
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3952
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
Clear Alert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to business processes Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
The following table lists the actions for the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER.

VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect

VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation

VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
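When customizing a RAR front-end role, it helps to check a candidate action list against the delivered catalogue before assigning it. The following is an added example, not SAP code: the action-to-tab mapping and the VIRSA_CC_REPORT baseline are taken from the tables above (a subset), while the rule that an action is only reachable when the role also holds the View* action for one of its tabs, the list of broad actions, and the custom role Z_CUSTOM_ROLE are assumptions made for this review.

```python
"""Least-privilege review of a custom RAR front-end (UME) role.

Constructed example, not SAP code. ACTION_TABS is a subset of the RAR
"Action Name / Value / Appears on This Tab" table in this guide and
VIRSA_CC_REPORT is the delivered reporting role as listed there. The
reachability rule (an action needs the View* action of one of its tabs)
and BROAD_ACTIONS are assumptions made for this review.
"""

# Subset of delivered RAR actions and the tab(s) each appears on (from the guide).
ACTION_TABS = {
    "CreateBUnit": ("Mitigation",),
    "ChangeBUnit": ("Mitigation",),
    "DeleteBUnit": ("Mitigation",),
    "CreateMitCntl": ("Mitigation",),
    "ChangeMitCntl": ("Mitigation",),
    "DeleteMitCntl": ("Mitigation",),
    "CreateRisks": ("Rule Architect",),
    "DeleteRisks": ("Rule Architect",),
    "CreateFunction": ("Rule Architect",),
    "DeleteFunction": ("Rule Architect",),
    "ImportRules": ("Rule Architect",),
    "ExportRules": ("Rule Architect",),
    "MassFuncMaint": ("Rule Architect",),
    "ManageDeletionAllRules": ("Configuration",),
    "ManageDeletionSystemRules": ("Configuration",),
    "GenerateAlert": ("Alert Monitor",),
    "DeleteAlert": ("Alert Monitor",),
    "RunAuditReports": ("Informer",),
    "RunRiskAnalysis": ("Informer",),
    "RunSecurityReports": ("Informer",),
    "ViewMgmtReport": ("Informer",),
    "ViewBgJobLog": ("Informer", "Configuration"),
    "ViewBGJobsForAllUsers": ("Informer", "Configuration"),
    "ViewAlertMonitor": ("Alert Monitor",),
    "ViewConfiguration": ("Configuration",),
    "ViewInformer": ("Informer",),
    "ViewMitigation": ("Mitigation",),
    "ViewRuleArchitect": ("Rule Architect",),
}

# The View* action that opens each tab (from the guide).
TAB_VIEW_ACTION = {
    "Alert Monitor": "ViewAlertMonitor",
    "Configuration": "ViewConfiguration",
    "Informer": "ViewInformer",
    "Mitigation": "ViewMitigation",
    "Rule Architect": "ViewRuleArchitect",
}

# Actions whose reach the guide describes as wide (assumed worth flagging).
BROAD_ACTIONS = {
    "ViewConfiguration": "executes all actions on the Configuration tab",
    "ManageDeletionAllRules": "deletes all rules",
    "ViewBGJobsForAllUsers": "shows background job logs of all users",
}

# Delivered reporting role (from the guide), used as a baseline for comparison.
VIRSA_CC_REPORT = [
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
    "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
]


def audit_role(actions):
    """Return findings (sorted by action name) for one role's list of UME actions."""
    granted = set(actions)
    findings = []
    for action in sorted(granted):
        tabs = ACTION_TABS.get(action)
        if tabs is None:
            findings.append(f"{action}: not in the delivered RAR action catalogue")
            continue
        # Without a View* action for one of its tabs the action cannot be reached.
        if not any(TAB_VIEW_ACTION[tab] in granted for tab in tabs):
            needed = " or ".join(TAB_VIEW_ACTION[tab] for tab in tabs)
            findings.append(f"{action}: tab not reachable, needs {needed}")
        if action in BROAD_ACTIONS:
            findings.append(f"{action}: broad grant, {BROAD_ACTIONS[action]}")
    return findings


def actions_beyond(baseline, candidate):
    """Actions the candidate role grants that the delivered baseline role does not."""
    return sorted(set(candidate) - set(baseline))


# Constructed custom role with a typo, an unreachable action and a broad grant.
CUSTOM_ROLE = ["ViewMitigation", "CreateMitCntl", "ManageDeletionAllRules",
               "ViewBgJobLog", "DeleteRsks"]

if __name__ == "__main__":
    for name, role in (("VIRSA_CC_REPORT", VIRSA_CC_REPORT), ("Z_CUSTOM_ROLE", CUSTOM_ROLE)):
        print(name, audit_role(role) or ["no findings"])
    print("beyond VIRSA_CC_REPORT:", actions_beyond(VIRSA_CC_REPORT, CUSTOM_ROLE))
```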
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
  Relevant for all target groups
Current version:
  On SAP Help Portal at http://help.sap.com > Glossary
  In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
  Consultants
  System administrators
  Project teams for implementations or upgrades
Current version:
  On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
  System administrators
  Technology consultants
  Solution consultants
Current version:
  On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
  Technology consultants
  Project teams for implementations
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
  Technology consultants
  Project teams for implementations
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
  Technology consultants
  Solution consultants
  Project teams for implementations
Current version:
  In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
  Solution consultants
  Project teams for implementations or upgrades
Current version:
  In the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
  System administrators
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
  System administrators
  Technology consultants
  Solution consultants
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
  Technology consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
  Technology consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
  Consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/releasenotes
  In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options.
Example | Emphasized words or expressions.
Example | Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com | Textual cross-references to an internet address.
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456.
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages.
Example | Source code or syntax quoted directly from a program.
Example | File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard.
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
5.5.2 RFC Authorization Values for ERM 26
5.5.3 RFC Authorization Values for RAR 27
5.5.4 RFC Authorization Values for SPM 28
Chapter 6 Delivered Front End Roles and Permissions 31
6.1 Updating Roles and Permissions from Support Packages 31
6.2 Customizing the Front End Roles 31
6.2.1 Delivered Front End Roles and Permissions for CUP 31
6.2.2 Delivered Front End Roles and Permissions for ERM 36
6.2.3 Delivered Front End Roles and Permissions for RAR 39
Chapter 7 Recommended Front End Roles and Permissions for SPM 43
Chapter A Reference 45
A.1 The Main SAP Documentation Types 45
1 Introduction
The Security Guide provides an overview of the security-relevant information that applies to SAP GRC Access Control. You can use the information in this document to understand and implement system security, and to understand and implement the business function security features that Access Control provides for regulatory compliance.
NOTE
This guide does not replace the administration or operation guides that are available for productive operations.
1.1 Target Audience
Technology consultants
Security administrators
System administrators
1.2 Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When you use a distributed system, make sure that your data and processes support your business needs and do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system can result in loss of information or processing time.
SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. SAP GRC Access Control helps companies to comply with regulatory mandates such as Sarbanes-Oxley. Organizations can readily identify and remove access and authorization risks from IT systems, as well as embed preventive controls in business processes to stop segregation of duties (SoD) violations. Companies benefit from a considerable reduction in the time, risk, and cost associated with compliance. To assist you in securing Access Control, we provide this Security Guide.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.
AC includes the following components:
Compliant User Provisioning (CUP)
Enterprise Role Management (ERM)
Risk Analysis and Remediation (RAR)
Superuser Privilege Management (SPM)
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities use the SAP NetWeaver Application Server for ABAP, so its security issues also apply. For more information, see the following security guides.
Fundamental Security Guides
Guide | Location
SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Client (with PFCG Connection) | SAP Library
NetWeaver Business Client Security Issues | SAP Library
UME Authorization Guide | SAP Library
SAP NetWeaver Portal Guide | SAP Library
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security
  This topic describes the communication channels and protocols used by Access Control.
Communication Destinations
  Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments
  Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security
  This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data
RFC | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application system | HTTP/HTTPS | All application data | Logon data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use the SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
  Use the SAP GUI for configuring and administering Access Control
  Access the NetWeaver Business Client
Communication Users
  Use the Access Control workflow
  RTAs: use RFC connections to connect to the BI systems
Service Users
  Connect the front end ABAP session to the back end ABAP session
  RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use UME for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP based roles that reside in the back end This section covers the
delivered roles briefly describes their relevance to business requirements and lists the available tasks
for each
In addition to the Access Control specific security functions Access Control user administration and
authorization leverages the user management and authorization features of the SAP NetWeaverreg
platform and the SAP NetWeaver Application Server ABAP and Java Therefore the recommendations
and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology
also apply for Access Control
You can accept the delivered roles without modification or you can build custom roles
51 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration
For more information about configuring and maintaining the roles see the SAP GRC Access Control 53
Application Help on the SAP Help Portal at httphelpsapcomgrc and choose Access Control
SAP GRC Access Control 53
NOTE
SPM provides three delivered administrator roles Their descriptions are as follows
VIRSAZ_VFAT_ADMINISTRATOR
This is the administrator for ID-based firefighting
VIRSAVFAT_ROLE_ADMINISTRATOR
This role can perform administrator tasks for both ID and role based firefighting
VIRSASVFAT_ADMINISTRATOR
This is the administrator for both deliveredID-based and Role-based roles
Delivered ID-based Roles

Delivered role | Key tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for the additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles

Delivered role | Key tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations to users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles

You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.

The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665

In the following tables, an object with the value * (asterisk) contains all available values for that field. Because * grants every value of the field, prefer the specific values listed here wherever a custom role does not need the full range. The following table lists the available values for the authorization fields.

Object | Authorization field | Available values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR Controller (maintains the controller table for firefighter roles); FFER Firefighter (required to add or delete a firefighter from firefighter roles); LGDN Log download (download logs via Administration → Archive); LGDS Log delete (delete logs via Administration → Archive); LGUP Log upload (upload logs via Administration → Archive); OWNR Owner (maintains the owner table for firefighter roles)
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR

The following table lists the objects, fields, and authorization values for VFAT_ADMINISTRATOR.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | *
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_ADMINISTRATOR

The following table lists the objects, fields, and authorization values for VFAT_ROLE_ADMINISTRATOR.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&*, ZV*
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | *
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_CONTROLLER

The following table lists the objects, fields, and authorization values for VFAT_ROLE_CONTROLLER. Objects that appear more than once are separate authorization instances within the role.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&*, ZV*
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | *
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
GRCFF_0001 | ACTVT | 02, 03, 81, L0
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP

NOTE
L0 in this case means View Log Control for Controllers.
VIRSAVFAT_ROLE_OWNER

The following table lists the objects, fields, and authorization values for VFAT_ROLE_OWNER.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR

The following table lists the objects, fields, and authorization values for VFAT_ADMINISTRATOR.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER

The following table lists the objects, fields, and authorization values for VFAT_FIREFIGHTER.

Object | Authorization field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT

For SP07 and later you must add the following authorization:

Object | Authorization field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [user group of the firefighter IDs]

NOTE
If the firefighter IDs (FFIDs) are not in a unique user group, we recommend that you assign them to one. If it is not possible to change or assign a user group for the firefighter IDs, a value of * can be assigned to CLASS. Because ACTVT 02 (change) and 05 (lock, unlock, and password reset) on CLASS * would otherwise allow user maintenance on every user master record, we recommend that you do not grant access to transaction SU01 to any user who holds this access.

In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is a trusted connection, the firefighter should also have an ID in the CUA system with the above authorizations.
VIRSAZ_VFAT_ID_OWNER

The following table lists the objects, fields, and authorization values for VFAT_ID_OWNER.

Object | Authorization field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZVFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back-End Roles

The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSAZ_CC_REPORTING
VIRSAZ_CC_SECURITY_ADMIN
VIRSAZ_CC_USER_ADMIN

More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back-End Roles

The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER

More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations

Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)

5.5 Creating Custom RFC Roles

You can also create a custom RFC role. Make sure you assign the custom role the objects, definitions, and authorization values in the tables that follow. The connector user's authorizations bound what any Access Control workflow can do in the back-end system, so do not extend them beyond the values listed.
5.5.1 RFC Authorization Values for CUP

The Compliant User Provisioning RFC connector role requires the following objects and values.

Object | Definition | Authorization field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE | *
S_USER_SAS | User master maintenance: system-specific assignments | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for Central User Administration | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM

The Enterprise Role Management RFC connector role requires the following objects and field values.

Object | Definition | Authorization field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.3 RFC Authorization Values for RAR

The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.

Object | Definition | Authorization field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM

The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | VIRSAFAT | *
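The two checks below are an added worked example, not code from the SAP guide, covering both the custom SPM back-end roles of section 5.1.1 and the custom RFC connector roles of section 5.5. The first compares a custom firefighter role with the VIRSAZ_VFAT_FIREFIGHTER baseline (SP07 and later), warns when S_USER_GRP CLASS uses the * fallback, and reports the SU01 combination the guide says to avoid, applying the usual SAP value semantics (* alone, a trailing * as prefix wildcard, or a low-high range). The second compares a custom SPM connector role's S_RFC values with the list in 5.5.4 and flags patterns that reach beyond it. The (object, field, low, high) row format mirrors an export of table AGR_1251; the two sample roles are constructed and deliberately flawed.

```python
"""Least-privilege checks for a custom SPM back-end role (section 5.1.1) and a
custom RFC connector role (section 5.5).

Added example: this is not code from the SAP guide. It assumes role
authorization values exported as (object, field, low, high) rows, e.g. from
table AGR_1251, and baselines transcribed from the VIRSAZ_VFAT_FIREFIGHTER and
5.5.4 tables. The sample rows at the bottom are constructed for illustration.
"""
from typing import List, Tuple

Row = Tuple[str, str, str, str]  # (object, field, low, high); high == "" for a single value


def value_covered(low: str, high: str, value: str) -> bool:
    """SAP authorization value semantics: '*' alone matches everything, a
    trailing '*' is a prefix wildcard, and low..high is an inclusive range."""
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return value == low


def granted(rows: List[Row], obj: str, field: str, value: str) -> bool:
    """True if any authorization instance of obj/field in the role covers value."""
    return any(value_covered(lo, hi, value)
               for (o, f, lo, hi) in rows if o == obj and f == field)


# Baseline for a custom firefighter role on SP07 or later (CLASS is site-specific).
FIREFIGHTER_BASELINE = [
    ("S_RFC", "ACTVT", "16"), ("S_RFC", "RFC_NAME", "SYST"), ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_TCODE", "TCD", "VIRSAVFAT"),
    ("S_USER_GRP", "ACTVT", "02"), ("S_USER_GRP", "ACTVT", "03"), ("S_USER_GRP", "ACTVT", "05"),
]

# RFC_NAME values required by the SPM connector role (section 5.5.4).
SPM_RFC_GROUPS = ["VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF", "SDTX",
                  "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"]


def check_firefighter_role(rows: List[Row]) -> List[str]:
    findings = []
    for obj, field, value in FIREFIGHTER_BASELINE:
        if not granted(rows, obj, field, value):
            findings.append(f"MISSING {obj} {field}={value}")
    # The guide allows CLASS=* only as a fallback when FFIDs cannot get their own group.
    if any(o == "S_USER_GRP" and f == "CLASS" and lo == "*" for (o, f, lo, _) in rows):
        findings.append("WARN S_USER_GRP CLASS=* grants user maintenance in every user group")
    # Holders of this access must not get SU01; a pattern such as SU* grants it
    # just as surely as the literal value does.
    if granted(rows, "S_TCODE", "TCD", "SU01"):
        findings.append("ERROR S_TCODE covers SU01 together with S_USER_GRP change/lock")
    return findings


def check_rfc_role(rows: List[Row], required_groups: List[str]) -> List[str]:
    findings = []
    if not granted(rows, "S_RFC", "ACTVT", "16"):
        findings.append("MISSING S_RFC ACTVT=16")
    for group in required_groups:
        if not granted(rows, "S_RFC", "RFC_NAME", group):
            findings.append(f"MISSING S_RFC RFC_NAME={group}")
    for (o, f, lo, hi) in rows:
        if o != "S_RFC" or f != "RFC_NAME":
            continue
        if lo.endswith("*") or hi:          # a pattern or range reaches beyond the list
            findings.append(f"WILDCARD S_RFC RFC_NAME={lo}{'-' + hi if hi else ''}")
        elif lo not in required_groups:     # an exact group the guide does not list
            findings.append(f"EXTRA S_RFC RFC_NAME={lo}")
    return findings


# Constructed sample: a custom firefighter role that looks complete but breaks
# the SU01 rule through a prefix pattern and uses the CLASS=* fallback.
SAMPLE_FIREFIGHTER_ROLE: List[Row] = [
    ("S_RFC", "ACTVT", "16", ""), ("S_RFC", "RFC_NAME", "SYST", ""), ("S_RFC", "RFC_TYPE", "FUGR", ""),
    ("S_TCODE", "TCD", "VIRSAVFAT", ""), ("S_TCODE", "TCD", "SU*", ""),
    ("S_USER_GRP", "ACTVT", "02", "05"),   # range 02-05 covers 02, 03 and 05
    ("S_USER_GRP", "CLASS", "*", ""),
]

# Constructed sample: an SPM connector role that replaced the two VIRSA groups
# with a prefix pattern and forgot SYSU.
SAMPLE_SPM_RFC_ROLE: List[Row] = [
    ("S_RFC", "ACTVT", "16", ""), ("S_RFC", "RFC_TYPE", "FUGR", ""),
    ("S_RFC", "RFC_NAME", "VIRSA*", ""),
] + [("S_RFC", "RFC_NAME", g, "") for g in
     ("BAPT", "RFC1", "SDIF", "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST")]

if __name__ == "__main__":
    for line in check_firefighter_role(SAMPLE_FIREFIGHTER_ROLE):
        print("firefighter:", line)
    for line in check_rfc_role(SAMPLE_SPM_RFC_ROLE, SPM_RFC_GROUPS):
        print("spm-rfc:", line)
```

The same check_rfc_role call serves the CUP, ERM, and RAR connector roles once their RFC_NAME lists from 5.5.1 to 5.5.3 are transcribed; only the required_groups argument changes.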
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use the NetWeaver User Management Engine (UME) to set up the front-end roles and configure the permissions. Each capability contains a set of delivered roles with recommended authorizations and actions.

6.1 Updating Roles and Permissions from Support Packages

Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, import the roles again.
If you are using custom roles, manually update your roles with the new permissions and actions.

6.2 Customizing the Front End Roles

The administration roles contain all the actions and authorizations; all other roles contain a subset of them. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP

Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover

You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these permissions.

AEAdmin

The following table lists the actions for the AEAdmin role.
Action | Description | Appears on this tab
aewebqueryexecution | Internally used permission; not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete an approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel the generation of requests for Manage Rejections (UAR and SOD) | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections (UAR and SOD) | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify End User Personalization configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial System Data configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level configuration | Configuration
ModifySupportConfiguration | Permission to modify Support configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view the Informer Reports Access Request chart view | Informer
ViewIFChartAccessProvisioningAction | Permission to view the Informer Reports Provisioning chart view | Informer
ViewIFChartRiskViolationAction | Permission to view the Informer Reports Risk Violation chart view | Informer
ViewIFChartServiceLevelAction | Permission to view the Informer Reports Service Level chart view | Informer
ViewIFReportViewAction | Permission to view the Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover

The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
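The following is an added example, not code from the SAP guide, for the two front-end role rules in this chapter: the 6.1 step of manually updating a custom role after a support package, and the 6.2 statement that the administration role contains every action. It treats each UME role as a set of action names (exporting them from the UME is not shown), takes part of the AEAdmin and AEApprover lists above as sample data, and adds a constructed post-support-package list and a constructed custom role ZAE_HELPDESK; ViewRequestArchiveAction is a hypothetical action name.

```python
"""Drift checks for Access Control front-end (UME) roles: the support-package
update step of 6.1 and the "administration role contains all actions" rule of 6.2.

Added example: this is not code from the SAP guide. It assumes each role's UME
actions have been exported as a set of action names. AEADMIN_SP_OLD and
AEAPPROVER are subsets of the CUP tables in this chapter; AEADMIN_SP_NEW,
ZAE_HELPDESK and the action name ViewRequestArchiveAction are constructed.
"""
from typing import Dict, Set, Tuple

# Part of the delivered AEAdmin list, used as the baseline before a support package.
AEADMIN_SP_OLD: Set[str] = {
    "CreateSAPUser", "ViewAccessEnforcer", "ViewApprove", "ViewApproverDelegation",
    "ViewAssignRolesProfiles", "ViewCreateRequest", "ViewForwardRequest", "ViewHold",
    "ViewMitigation", "ViewReject", "ViewRiskAnalysis", "ViewSearchRequestAll",
    "ViewStaleRequests", "ViewSubmitRequest", "ViewSuperAccess",
}
# Constructed: the same delivered role after a support package that drops one
# action and adds a hypothetical one.
AEADMIN_SP_NEW: Set[str] = (AEADMIN_SP_OLD - {"ViewStaleRequests"}) | {"ViewRequestArchiveAction"}

# Part of the delivered AEApprover list. SeeSU01Fields is in the page's
# AEApprover list but not in its AEAdmin table.
AEAPPROVER: Set[str] = {
    "SeeSU01Fields", "ViewAccessEnforcer", "ViewApprove", "ViewApproverDelegation",
    "ViewCreateRequest", "ViewForwardRequest", "ViewHold", "ViewMitigation", "ViewReject",
    "ViewRiskAnalysis", "ViewSearchRequestAll", "ViewSubmitRequest", "ViewSuperAccess",
}
# Constructed custom role: cloned from AEApprover, then CreateSAPUser was added.
ZAE_HELPDESK: Set[str] = (AEAPPROVER - {"SeeSU01Fields"}) | {"CreateSAPUser", "ViewStaleRequests"}

# Actions whose descriptions in the AEAdmin table say they provision users or
# roles in the back-end system.
PROVISIONING_ACTIONS: Set[str] = {"CreateSAPUser", "ViewAssignRolesProfiles"}


def containment_gaps(admin: Set[str], roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Actions carried by a non-admin role but absent from the admin role.
    By 6.2 this should be empty; anything reported is drift or a misspelt name."""
    return {name: acts - admin for name, acts in roles.items() if acts - admin}


def sp_update_diff(custom: Set[str], delivered_old: Set[str],
                   delivered_new: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Manual update step of 6.1 for a custom role: actions the support package
    added that the role lacks, and actions it removed that the role still has."""
    to_add = (delivered_new - delivered_old) - custom
    to_remove = (delivered_old - delivered_new) & custom
    return to_add, to_remove


def provisioning_outside(roles: Dict[str, Set[str]], allowed_roles: Set[str]) -> Dict[str, Set[str]]:
    """Provisioning actions held by any role that is not on the allow-list."""
    return {name: acts & PROVISIONING_ACTIONS
            for name, acts in roles.items()
            if name not in allowed_roles and acts & PROVISIONING_ACTIONS}


if __name__ == "__main__":
    non_admin = {"AEApprover": AEAPPROVER, "ZAE_HELPDESK": ZAE_HELPDESK}
    print("not contained in AEAdmin:", containment_gaps(AEADMIN_SP_OLD, non_admin))
    print("after support package (add, remove):",
          sp_update_diff(ZAE_HELPDESK, AEADMIN_SP_OLD, AEADMIN_SP_NEW))
    print("provisioning actions outside admin/security roles:",
          provisioning_outside({"AEAdmin": AEADMIN_SP_OLD, **non_admin}, {"AEAdmin", "AESecurity"}))
```

Run against a full export, containment_gaps doubles as a spelling check: an action name that differs from the delivered one by a single letter is silently ignored by the UME, so it shows up here rather than as a missing button.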
6.2.2 Delivered Front End Roles and Permissions for ERM

Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator

You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN

The following table lists the actions for the role.

Action | Description | Appears on this tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform risk analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator

The following lists give the actions for each of these roles.

REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
| Action Name | Value | Appears on This Tab |
| ChangeAdmins | Permission to change administrators | Mitigation |
| ChangeBP | Permission to change business processes | Rule Architect |
| ChangeBUnit | Permission to change a business unit | Mitigation |
| ChangeCrActions | Permission to change critical actions | Rule Architect |
| ChangeCrProfiles | Permission to change critical profiles | Rule Architect |
| ChangeCrRoles | Permission to change critical roles | Rule Architect |
| ChangeFunction | Permission to change functions | Rule Architect |
| ChangeMitCntl | Permission to change a mitigating control | Mitigation |
| ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation |
| ChangeMitProfile | Permission to change mitigating profiles | Mitigation |
| ChangeMitRole | Permission to change mitigation at role level | Mitigation |
| ChangeMitUser | Permission to change mitigating users | Mitigation |
| ChangeOrgRules | Permission to change org rules | Rule Architect |
| ChangeRisks | Permission to change risks | Rule Architect |
| ChangeRuleSet | Permission to change rule sets | Rule Architect |
| ChangeSupplementRole | Permission to change supplement role | Rule Architect |
| ClearAlert | Permission to clear alerts | Alert Monitor |
| CreateAdmins | Permission to create administrators | Mitigation |
| CreateBP | Permission to create business processes | Rule Architect |
| CreateBUnit | Permission to create a business unit | Mitigation |
| CreateCrActions | Permission to create critical actions | Alert Monitor |
| CreateCrProfiles | Permission to create critical profiles | Rule Architect |
| CreateCrRoles | Permission to create critical roles | Rule Architect |
| CreateFunction | Permission to create functions | Rule Architect |
| CreateMitCntl | Permission to create a mitigating control | Mitigation |
| CreateMitHRObject | Permission to create mitigating HR objects | Mitigation |
| CreateMitProfile | Permission to create mitigating profiles | Mitigation |
| CreateMitRole | Permission to assign mitigation at role level | Mitigation |
| CreateMitUser | Permission to create mitigating users | Mitigation |
| CreateOrgRules | Permission to create org rules | Rule Architect |
| CreateRisks | Permission to create risks | Rule Architect |
| CreateRuleSet | Permission to create rule sets | Rule Architect |
| CreateSupplementRule | Permission to create supplement rules | Rule Architect |
| DeleteAdmins | Permission to delete administrators | Mitigation |
| DeleteAlert | Permission to delete alerts | Alert Monitor |
| DeleteBP | Permission to delete business processes | Rule Architect |
| DeleteBUnit | Permission to delete a business unit | Mitigation |
| DeleteCrActions | Permission to delete critical actions | Rule Architect |
| DeleteCrProfiles | Permission to delete critical profiles | Rule Architect |
| DeleteCrRoles | Permission to delete critical roles | Rule Architect |
| DeleteFunction | Permission to delete functions | Rule Architect |
| DeleteMitCntl | Permission to delete a mitigating control | Mitigation |
| DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation |
| DeleteMitProfile | Permission to delete mitigating profiles | Mitigation |
| DeleteMitRole | Permission to delete mitigation at role level | Mitigation |
| DeleteMitUser | Permission to delete mitigating users | Mitigation |
| DeleteOrgRules | Permission to delete org rules | Rule Architect |
| DeleteRisks | Permission to delete risks | Rule Architect |
| DeleteRuleSet | Permission to delete rule sets | Rule Architect |
| DeleteSupplementRule | Permission to delete supplement rules | Rule Architect |
| ExportMitigationData | Permission to export mitigation data | Mitigation |
| ExportRules | Permission to export rules | Rule Architect |
| GenerateAlert | Permission to generate alerts | Alert Monitor |
| ImportMitigationData | Permission to import mitigation data | Mitigation |
| ImportRules | Permission to import rules | Rule Architect |
| MassFuncMaint | Permission for mass maintenance of functions | Rule Architect |
| ManageDeletionAllRules | Permission to delete all rules | Configuration |
| ManageDeletionSystemRules | Permission to delete systems | Configuration |
| RunAuditReports | Permission to run audit reports | Informer |
| RunRiskAnalysis | Permission to run risk analysis | Informer |
| RunSecurityReports | Permission to run security reports | Informer |
| ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor |
| ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration |
| ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration |
| ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. | Configuration |
| ViewInformer | Permission to view the Informer tab | Informer |
| ViewMgmtReport | Permission to view management reports | Informer |
| ViewMitigation | Permission to view the Mitigation tab | Mitigation |
| ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect |
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following table lists the actions for these roles.
| VIRSA_CC_SECURITY_ADMIN | VIRSA_CC_REPORT | VIRSA_CC_BUSINESS_OWNER |
| ChangeBP | RunAuditReports | ChangeBUnit |
| ChangeBUnit | RunRiskAnalysis | ChangeMitCntl |
| ChangeCrActions | RunSecurityReports | ChangeMitHRObject |
| ChangeCrProfiles | ViewAlertMonitor | ChangeMitProfile |
| ChangeCrRoles | ViewInformer | ChangeMitRole |
| ChangeFunction | ViewMgmtReport | ChangeMitUser |
| ChangeOrgRules | ViewMitigation | CreateBUnit |
| ChangeRisks | | CreateMitCntl |
| ChangeRuleSet | | CreateMitHRObject |
| CreateBP | | CreateMitProfile |
| CreateCrActions | | CreateMitRole |
| CreateCrProfiles | | CreateMitUser |
| CreateCrRoles | | DeleteBUnit |
| CreateFunction | | DeleteMitCntl |
| CreateOrgRules | | DeleteMitHRsObject |
| CreateRisks | | DeleteMitProfile |
| CreateRuleSet | | DeleteMitRole |
| CreateSupplementRule | | DeleteMitUser |
| DeleteAlert | | RunAuditReports |
| DeleteBP | | RunRiskAnalysis |
| DeleteBUnit | | RunSecurityReports |
| DeleteCrActions | | ViewAlertMonitor |
| DeleteCrProfiles | | ViewInformer |
| DeleteCrRoles | | ViewMgmtReport |
| DeleteFunction | | ViewMitigation |
| DeleteOrgRules | | ViewRuleArchitect |
| DeleteRisks | | |
| DeleteRuleSet | | |
| DeleteSupplementRule | | |
| ExportMitigationData | | |
| ExportRules | | |
| GenerateAlert | | |
| ImportMitigationData | | |
| ImportRules | | |
| MassFuncMaint | | |
| RunAuditReports | | |
| RunRiskAnalysis | | |
| RunSecurityReports | | |
| ViewAlertMonitor | | |
| ViewBgJobLog | | |
| ViewBGJobsForAllUsers | | |
| ViewConfiguration | | |
| ViewInformer | | |
| ViewMgmtReport | | |
| ViewMitigation | | |
| ViewRuleArchitect | | |
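The tables above are the data a reviewer needs to verify that the delivered roles actually are least-privilege subsets of VIRSA_CC_ADMINISTRATOR, and the same method applies to the ERM role matrix earlier in this section. The following Python is an added example, not SAP code: the action sets are transcribed from the VIRSA_CC_* tables, the "modifying action" prefixes are an assumption drawn from the naming pattern on the page, and the user-to-role assignment at the bottom is constructed. Because the page spells one action both ViewBGJobsforAllUsers and ViewBGJobsForAllUsers, the comparison ignores case; that tolerance is a choice made for this check, not documented UME behaviour.

```python
"""Consistency checks over the delivered RAR front-end roles in this section.

Added example, not SAP code. Action sets are transcribed from the
VIRSA_CC_* tables above; the user-to-role assignment is constructed.
"""

# VIRSA_CC_ADMINISTRATOR: every action in the first table of this section.
ADMINISTRATOR = """
ChangeAdmins ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
ChangeMitUser ChangeOrgRules ChangeRisks ChangeRuleSet ChangeSupplementRole
ClearAlert CreateAdmins CreateBP CreateBUnit CreateCrActions CreateCrProfiles
CreateCrRoles CreateFunction CreateMitCntl CreateMitHRObject CreateMitProfile
CreateMitRole CreateMitUser CreateOrgRules CreateRisks CreateRuleSet
CreateSupplementRule DeleteAdmins DeleteAlert DeleteBP DeleteBUnit
DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction DeleteMitCntl
DeleteMitHRsObject DeleteMitProfile DeleteMitRole DeleteMitUser DeleteOrgRules
DeleteRisks DeleteRuleSet DeleteSupplementRule ExportMitigationData ExportRules
GenerateAlert ImportMitigationData ImportRules MassFuncMaint
ManageDeletionAllRules ManageDeletionSystemRules RunAuditReports
RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog
ViewBGJobsforAllUsers ViewConfiguration ViewInformer ViewMgmtReport
ViewMitigation ViewRuleArchitect
"""
# The three roles of the second table, one column each.
SECURITY_ADMIN = """
ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeOrgRules ChangeRisks ChangeRuleSet CreateBP
CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction CreateOrgRules
CreateRisks CreateRuleSet CreateSupplementRule DeleteAlert DeleteBP DeleteBUnit
DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction DeleteOrgRules
DeleteRisks DeleteRuleSet DeleteSupplementRule ExportMitigationData ExportRules
GenerateAlert ImportMitigationData ImportRules MassFuncMaint RunAuditReports
RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog
ViewBGJobsForAllUsers ViewConfiguration ViewInformer ViewMgmtReport
ViewMitigation ViewRuleArchitect
"""
REPORT = """
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor
ViewInformer ViewMgmtReport ViewMitigation
"""
BUSINESS_OWNER = """
ChangeBUnit ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
ChangeMitUser CreateBUnit CreateMitCntl CreateMitHRObject CreateMitProfile
CreateMitRole CreateMitUser DeleteBUnit DeleteMitCntl DeleteMitHRsObject
DeleteMitProfile DeleteMitRole DeleteMitUser RunAuditReports RunRiskAnalysis
RunSecurityReports ViewAlertMonitor ViewInformer ViewMgmtReport ViewMitigation
ViewRuleArchitect
"""
ROLES = {
    "VIRSA_CC_ADMINISTRATOR": frozenset(ADMINISTRATOR.split()),
    "VIRSA_CC_SECURITY_ADMIN": frozenset(SECURITY_ADMIN.split()),
    "VIRSA_CC_REPORT": frozenset(REPORT.split()),
    "VIRSA_CC_BUSINESS_OWNER": frozenset(BUSINESS_OWNER.split()),
}
# Actions that alter rules, mitigations or alerts rather than only read them.
# Assumption: derived from the naming pattern in the tables, not from UME.
MODIFYING_PREFIXES = ("Change", "Create", "Delete", "Import", "ManageDeletion",
                      "MassFuncMaint", "ClearAlert", "GenerateAlert")


def _fold(actions):
    # The page spells one action both ViewBGJobsforAllUsers and
    # ViewBGJobsForAllUsers, so comparisons ignore case (an assumption made
    # for this check, not documented UME behaviour).
    return {a.casefold() for a in actions}


def missing_from_administrator(role_name):
    """Actions a role grants that the administrator table does not list."""
    admin = _fold(ROLES["VIRSA_CC_ADMINISTRATOR"])
    return {a for a in ROLES[role_name] if a.casefold() not in admin}


def administrator_only():
    """Actions that only VIRSA_CC_ADMINISTRATOR holds."""
    others = set()
    for name, actions in ROLES.items():
        if name != "VIRSA_CC_ADMINISTRATOR":
            others |= _fold(actions)
    return {a for a in ROLES["VIRSA_CC_ADMINISTRATOR"]
            if a.casefold() not in others}


def modifying_actions(role_name):
    """Subset of a role's actions that change data."""
    return {a for a in ROLES[role_name] if a.startswith(MODIFYING_PREFIXES)}


def effective_actions(assigned_roles):
    """Union of actions for a user holding several UME roles."""
    effective = set()
    for role_name in assigned_roles:
        effective |= ROLES[role_name]
    return effective


if __name__ == "__main__":
    for name in ROLES:
        print(f"{name}: {len(ROLES[name])} actions, "
              f"{len(modifying_actions(name))} modifying, "
              f"not in administrator: {sorted(missing_from_administrator(name)) or 'none'}")
    print("administrator only:", sorted(administrator_only()))
    # Constructed user: a reporting user who was also given business-owner rights.
    user = effective_actions(["VIRSA_CC_REPORT", "VIRSA_CC_BUSINESS_OWNER"])
    print("effective modifying actions:",
          sorted(a for a in user if a.startswith(MODIFYING_PREFIXES)))
```

Run as a script it prints, per role, how many actions change data and whether any action falls outside the administrator table, then the seven actions only the administrator holds (administrator maintenance, ClearAlert, ChangeSupplementRole and the two ManageDeletion actions). The same sets can be fed the UME role export of a live system instead of the transcribed tables to catch customizations that widened a delivered role.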
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
| Action Name | Description | Appears on This Tab |
| ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports |
| ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports |
| ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log |
| InvalidUserReport | Permission to view the Invalid User report | Reports |
| LogSummaryReport | Permission to view the Log Summary report | Reports |
| ReasonActivityReport | Permission to view the Reason Activity report | Reports |
| SessionSummaryReport | Permission to view the Session Summary report | Reports |
| SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports |
| SODReport | Permission to view the SOD report | Reports |
| TranUsageReport | Permission to view the Transaction Usage report | Reports |
| ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration |
| ViewReportsTab | Permission to view reports | Reports |
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
Relevant for all target groups
Current version:
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
Consultants
System administrators
Project teams for implementations or upgrades
Current version:
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
Technology consultants
Solution consultants
Project teams for implementations
Current version:
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
Solution consultants
Project teams for implementations or upgrades
Current version:
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
System administrators
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
Consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
| Example | Description |
| <Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>". |
| Example > Example | Arrows separating the parts of a navigation path, for example, menu options |
| Example | Emphasized words or expressions |
| Example | Words or characters that you enter in the system exactly as they appear in the documentation |
| http://www.sap.com | Textual cross-references to an internet address |
| /example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web |
| 123456 | Hyperlink to an SAP Note, for example, SAP Note 123456 |
| Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. |
| | Cross-references to other documentation or published works |
| Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| EXAMPLE | Keys on the keyboard |
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following address: http://service.sap.com/securityguide and http://service.sap.com/instguides
1 Introduction
The Security Guide provides an overview of the security-relevant information that applies to SAP GRC Access Control. You can use the information in this document to understand and implement system security, and to understand and implement the business function security features that Access Control provides for regulatory compliance.
NOTE
This guide does not replace the administration or operation guides that are available for productive operations.
1.1 Target Audience
Technology consultants
Security administrators
System administrators
1.2 Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When you use a distributed system, make sure that your data and processes support your business needs and do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system can result in loss of information or processing time.
SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. SAP GRC Access Control helps companies to comply with regulatory mandates such as Sarbanes-Oxley. Organizations can readily identify and remove access and authorization risks from IT systems, as well as embed preventive controls in business processes to stop segregation of duties (SoD) violations. Companies benefit from considerable reduction in the time, risk, and cost associated with compliance. To assist you in securing Access Control, we provide this Security Guide.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.
AC includes the following components:
Compliant User Provisioning (CUP)
Enterprise Role Management (ERM)
Risk Analysis and Remediation (RAR)
Superuser Privilege Management (SPM)
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities use the SAP NetWeaver Application Server for ABAP. For more information on this and other security issues, see the following security guides.
Fundamental Security Guides
| Guide | Location |
| SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide |
| SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide |
| SAP NetWeaver Business Client (with PFCG Connection) | SAP Library |
| NetWeaver Business Client Security Issues | SAP Library |
| UME Authorization Guide | SAP Library |
| SAP NetWeaver Portal Guide | SAP Library |
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
| Content | SAP Service Marketplace Address |
| Security | http://service.sap.com/security |
| Security Guides | http://service.sap.com/securityguide |
| Related SAP Notes | http://service.sap.com/notes |
| Released platforms | http://service.sap.com/platforms |
| Network security | http://service.sap.com/securityguide |
| SAP Solution Manager | http://service.sap.com/solutionmanager |
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security
  This topic describes the communication channels and protocols used by Access Control.
Communication Destinations
  Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-on Environments
  Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security
  This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
| Communication Path | Protocol | Type of Data | Special Protection Data |
| Backend using SAP GUI | DIAG | All application data | Logon Data |
| NetWeaver Business Client | HTTP/HTTPS | All application data | Logon Data |
| RFC | RFC | All application data | Logon Data |
| Application server to BI system | HTTP/HTTPS | All application data | Logon Data |
| BI system to application system | HTTP/HTTPS | All application data | Logon Data |
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
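Sections 4.1 and 4.2 together state a checkable policy: DIAG and RFC paths need SNC, HTTP paths should be HTTPS, and the Access Control RFC destination must carry no stored user ID. The following Python is an added example, not SAP code; it encodes that policy as a small audit over constructed channel and destination records (the `Channel` and `RfcDestination` types, the destination names and the `example.invalid` host are all invented for the example). In practice the records would be populated from the RFC destination list (SM59) and the ICM/SNC configuration of the landscape rather than typed in.

```python
"""Policy check for the communication channels (4.1) and RFC destinations (4.2).

Added example, not SAP code. The records below are constructed to mirror
the table in 4.1; a real run would feed it the SM59 destinations and the
ICM/SNC settings of the landscape instead.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Channel:
    path: str          # communication path as named in the 4.1 table
    protocol: str      # DIAG, RFC, HTTP or HTTPS
    snc: bool = False  # Secure Network Communications active (DIAG/RFC only)


@dataclass(frozen=True)
class RfcDestination:
    name: str
    target_host: str
    stored_user: Optional[str] = None  # user ID saved with the destination
    snc: bool = False


def channel_findings(channel: Channel) -> List[str]:
    """Violations of the notes in 4.1 and 4: SNC protects DIAG and RFC,
    SSL protects HTTPS, and HTTPS is the recommended protocol."""
    findings = []
    if channel.protocol in ("DIAG", "RFC") and not channel.snc:
        findings.append(f"{channel.path}: {channel.protocol} without SNC")
    elif channel.protocol == "HTTP":
        findings.append(f"{channel.path}: plain HTTP, use HTTPS")
    elif channel.protocol not in ("DIAG", "RFC", "HTTPS"):
        findings.append(f"{channel.path}: unknown protocol {channel.protocol}")
    return findings


def destination_findings(dest: RfcDestination) -> List[str]:
    """Violations of 4.2: the Access Control RFC destination must be basic,
    with no user ID attached, and (per 4.1) RFC traffic needs SNC."""
    findings = []
    if dest.stored_user:
        findings.append(f"{dest.name}: stored user ID {dest.stored_user}")
    if not dest.snc:
        findings.append(f"{dest.name}: SNC inactive")
    return findings


def audit(channels, destinations) -> List[str]:
    """All findings in input order, so two runs are easy to diff."""
    findings = []
    for channel in channels:
        findings.extend(channel_findings(channel))
    for dest in destinations:
        findings.extend(destination_findings(dest))
    return findings


# Constructed sample landscape: paths follow the 4.1 table, the rest is invented.
SAMPLE_CHANNELS = [
    Channel("Backend using SAP GUI", "DIAG", snc=False),
    Channel("NetWeaver Business Client", "HTTPS"),
    Channel("RFC", "RFC", snc=True),
    Channel("Application server to BI system", "HTTP"),
    Channel("BI system to application system", "HTTPS"),
]
SAMPLE_DESTINATIONS = [
    RfcDestination("AC_ERP_RTA", "erp.example.invalid", snc=True),
    RfcDestination("AC_ERP_OLD", "erp.example.invalid", stored_user="RFC_BATCH"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CHANNELS, SAMPLE_DESTINATIONS):
        print("FINDING:", line)
```

On the sample landscape the audit reports the SAP GUI path without SNC, the plain-HTTP BI path, and the legacy destination both for its stored user ID and for SNC being off; the compliant records produce nothing, which is the property worth asserting in a scheduled check.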
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
| Destination | Type | Authorizations | Comments |
| Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None |
| SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide. |
| IGS (Required) | RFC | No special configuration required | None |
| Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies. |
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon for the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: the ticket is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired Please login to UME to reset the password". As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
  Use the SAP GUI for configuring and administering Access Control
  Access the NetWeaver Business Client
Communication Users
  Use the Access Control workflow
RTAs
  Use RFC connections to connect to the BI systems
Service Users
  Connect the front end ABAP session to the back end ABAP session
RTAs
  Use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses the user and role maintenance of SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control User Guide.
The following user administration tools are available to manage users:

Transaction SU01: ABAP user maintenance; create and update users and user authorizations.
Transaction PFCG (Profile Generator): ABAP role maintenance; create and update roles and authorization profiles.
User Management Engine (UME) Administration Console: Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on SAP Service Marketplace at http://service.sap.com/instguides under SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control-specific security functions, Access Control user administration and authorization leverage the user management and authorization features of the SAP NetWeaver platform and of the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc, and choose Access Control -> SAP GRC Access Control 5.3.

NOTE
SPM provides three delivered administrator roles:
- /VIRSA/Z_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
- /VIRSA/VFAT_ROLE_ADMINISTRATOR: performs administrator tasks for both ID-based and role-based firefighting.
- /VIRSA/VFAT_ADMINISTRATOR: the administrator for both the delivered ID-based and the role-based roles.

Delivered ID-based Roles

/VIRSA/Z_VFAT_ADMINISTRATOR
  Key tasks: define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox.
  Description: administrators control most firefighter activities.

/VIRSA/Z_VFAT_ID_OWNER
  Key tasks: assign firefighter IDs to firefighters; view log reports; receive e-mail notifications.
  Description: the owner role provides authorization for users who are defined as owners or controllers.

/VIRSA/Z_VFAT_FIREFIGHTER
  Key tasks: base user authorizations required to log on as a firefighter.
  Description: the firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for the additional authorizations required after installation of AC 5.3 SP07.

Delivered Role-based Roles

/VIRSA/VFAT_ROLE_ADMINISTRATOR
  Key tasks: define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox.
  Description: administrators control most firefighter activities.

/VIRSA/VFAT_ROLE_OWNER
  Key tasks: assign firefighter roles to firefighters; view log reports; receive e-mail notifications.
  Description: the owner role assigns authorizations for users who are defined as owners or controllers.

/VIRSA/VFAT_ROLE_CONTROLLER
  Key tasks: receive notifications; view log reports.
  Description: the controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles, and keep the custom roles to those values: where a table gives an explicit list (for example, the transactions in S_TCODE or the values of GRCFF_0002), do not widen it to * in the custom role, because that removes the separation between administrators, owners, controllers, and firefighters that these roles establish.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
- SAP Note 1025421
- SAP Note 1101665

In the following tables, a value of * (asterisk) means the authorization contains all available values. The available values for the authorization fields are as follows.

GRCFF_0001, field ACTVT
  01  Create or generate
  02  Change
  03  Display
  06  Delete
  36  Extended maintenance
  81  Schedule
  DL  Download
  L0  All functions
  UL  Upload

GRCFF_0002, field /VIRSA/FAT
  CNTR  Controller: maintains the controller table for firefighter roles
  FFER  Firefighter: required to add or delete firefighters from firefighter roles
  LGDN  Log download: download logs via Administration -> Archive
  LGDS  Log delete: delete logs via Administration -> Archive
  LGUP  Log upload: upload logs via Administration -> Archive
  OWNR  Owner: maintains the owner table for firefighter roles

S_DATA_SET, field ACTVT
  06  Delete
  33  Read
  34  Write
  A6  Read with filter
  A7  Write with filter
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, fields, and values for /VIRSA/VFAT_ADMINISTRATOR.

S_TCODE
  TCD         /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET
  ACTVT       *
  FILE_NAME   *
  PROGRAM     /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM
  P_ACTION    SUBMIT, BTCSUBMIT, VARIANT
  P_GROUP     ZVFAT
GRCFF_0001
  ACTVT       *
GRCFF_0002
  /VIRSA/FAT  *
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, fields, and values for /VIRSA/VFAT_ROLE_ADMINISTRATOR.

S_TCODE
  TCD         /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZV&ZV
S_DATA_SET
  ACTVT       *
  FILE_NAME   *
  PROGRAM     /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002
  /VIRSA/FAT  *
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, fields, and values for /VIRSA/VFAT_ROLE_CONTROLLER.

S_TCODE
  TCD         /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZV&ZV
S_PROGRAM
  P_ACTION    SUBMIT, BTCSUBMIT
  P_GROUP     ZVFAT
S_BTCH_JOB
  JOBACTION   RELE
  JOBGROUP    *
S_DATA_SET
  ACTVT       *
  FILE_NAME   *
  PROGRAM     /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001
  ACTVT       81

S_TCODE
  TCD         /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZVD, ZVE
S_PROGRAM
  P_ACTION    SUBMIT, BTCSUBMIT
  P_GROUP     ZVFAT
S_BTCH_JOB
  JOBACTION   RELE
  JOBGROUP    *
GRCFF_0001
  ACTVT       02, 03, 81, L0
GRCFF_0002
  /VIRSA/FAT  LGDN, LGDS, LGUP

NOTE
L0 in this case means View Log Control for Controllers.

S_TCODE
  TCD         /VIRSA/VFAT
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZVD, ZVE
GRCFF_0001
  ACTVT       02, 03
GRCFF_0002
  /VIRSA/FAT  CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, fields, and values for /VIRSA/VFAT_ROLE_OWNER.

S_TCODE
  TCD         /VIRSA/VFAT
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZVD, ZVE
GRCFF_0001
  ACTVT       02, 03
GRCFF_0002
  /VIRSA/FAT  CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, fields, and values for /VIRSA/VFAT_ADMINISTRATOR.

S_TCODE
  TCD         /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET
  ACTVT       *
  FILE_NAME   None
  PROGRAM     /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM
  P_ACTION    BTCSUBMIT, SUBMIT, VARIANT
  P_GROUP     ZVFAT
GRCFF_0001
  ACTVT       *
GRCFF_0002
  /VIRSA/FAT  CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, fields, and values for /VIRSA/Z_VFAT_FIREFIGHTER.

S_RFC
  ACTVT       16
  RFC_NAME    SYST
  RFC_TYPE    FUGR
S_TCODE
  TCD         /VIRSA/VFAT

For SP07 and later, you must add these additional authorizations:

S_USER_GRP
  ACTVT       02, 03, 05
  CLASS       [user group of the firefighter IDs]

NOTE
If the firefighter IDs are not in a dedicated user group, we recommend that you assign them to one and enter that group in CLASS. If it is not possible to change or assign a user group for the firefighter IDs, you can assign the value * to CLASS instead. A user who holds S_USER_GRP with CLASS * can maintain users in every user group, so we recommend that you do not grant access to transaction SU01 to any user with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it must also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, the firefighter must also have an ID in the CUA system with the above authorizations.
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, fields, and values for /VIRSA/Z_VFAT_ID_OWNER.

S_TCODE
  TCD         /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB
  JOBACTION   RELE
  JOBGROUP    *
S_TABU_DIS
  ACTVT       02, 03
  DICBERCLS   ZV&X, ZV&Y
S_PROGRAM
  P_ACTION    SUBMIT, BTCSUBMIT
  P_GROUP     ZVFAT
GRCFF_0001
  ACTVT       02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- /VIRSA/Z_CC_ADMINISTRATOR
- /VIRSA/Z_CC_BUSINESS_OWNER
- /VIRSA/Z_CC_REPORTING
- /VIRSA/Z_CC_SECURITY_ADMIN
- /VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- /VIRSA/Z_VRMT_ADMINISTRATOR
- /VIRSA/Z_VRMT_ROLE_OWNER
- /VIRSA/Z_VRMT_SECURITY
- /VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability, and you can use the default roles to connect to the back-end system:
- /VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
- /VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
- /VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
- /VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
Use a dedicated user for each connector and assign it only the RFC role for that capability; the connector user does not need any of the dialog roles described above.
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.

5.5.1 RFC Authorization Values for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.

S_RFC (Authorization check for RFC access)
  ACTVT       16
  RFC_NAME    /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF,
              /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH,
              /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT,
              /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01,
              /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC,
              /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1,
              /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL,
              BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE    FUGR
S_TCODE (Authorization check at transaction start)
  TCD         SU01
S_TABU_DIS (Table maintenance)
  ACTVT       03
  DICBERCLS   &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (Authorizations: role check)
  ACTVT       *
  ACT_GROUP   *
S_USER_AUT (User master maintenance: authorizations)
  ACTVT       03, 08
  AUTH        *
  OBJECT      *
S_USER_GRP (User master maintenance: user groups)
  ACTVT       01, 02, 03, 05, 06, 08, 24, 78
  CLASS       *
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT       03, 08
  PROFILE     *
S_USER_SAS (User master maintenance: system-specific assignments)
  ACTVT       01, 06, 22
  ACT_GROUP   *
  CLASS       *
  PROFILE     *
  SUBSYSTEM   *
S_USER_SYS (User master maintenance: system for Central User Administration)
  ACTVT       78
  SUBSYSTEM   *
S_ADDRESS1 (Central address management)
  ACTVT       01, 02, 03, 06
  ADGRP       BC01
GRCCC_0001 (Table maintenance)
  /VIRSA/ATN  MREF
PLOG (Personnel planning)
  INFOTYP     1001
  ISTAT       1
  OTYPE       *
  PLVAR       *
  PPFCODE     DEL, DISP, INSE, LIST
  SUBTYP      *
P_TCODE (HR transaction code)
  TCD         SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.

S_RFC (Authorization check for RFC access)
  ACTVT       16
  RFC_NAME    /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE    FUGR
S_TCODE (Authorization check at transaction start)
  TCD         /VIRSA/RE_DNLDROLES
S_USER_AGR (Authorizations: role check)
  ACTVT       *
  ACT_GROUP   *
S_USER_AUT (User master maintenance: authorizations)
  ACTVT       *
  AUTH        *
  OBJECT      *
S_USER_GRP (User master maintenance: user groups)
  ACTVT       *
  CLASS       *
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT       *
  PROFILE     *
S_USER_TCD (Authorizations: transactions in roles)
  TCD         *
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD  *
  AUTH_VALUE  *
  OBJECT      *
S_DEVELOP (ABAP Workbench)
  ACTVT       *
  DEVCLASS    /VIRSA/*, SUSO
  OBJNAME     /VIRSA/*
  OBJTYPE     FUGR
  P_GROUP     *
PLOG (Personnel planning)
  INFOTYP     1000, 1001
  ISTAT       *
  OTYPE       *
  PLVAR       *
  PPFCODE     *
  SUBTYP      *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following objects and values.

S_RFC (Authorization check for RFC access)
  ACTVT       16
  RFC_NAME    /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02,
              /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB,
              /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2,
              /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL,
              BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE    FUGR
S_TCODE (Transaction code check at transaction start)
  TCD         /VIRSA/RE_DNLDROLES
S_GUI (Authorization for GUI activities)
  ACTVT       *
S_USER_AGR (Authorizations: role check)
  ACTVT       *
  ACT_GROUP   *
S_USER_AUT (User master maintenance: authorizations)
  ACTVT       *
  AUTH        *
  OBJECT      *
S_USER_GRP (User master maintenance: user groups)
  ACTVT       *
  CLASS       *
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT       *
  PROFILE     *
S_USER_TCD (Authorizations: transactions in roles)
  TCD         =
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD  *
  AUTH_VALUE  *
  OBJECT      *
S_DEVELOP (ABAP Workbench)
  ACTVT       MA
  DEVCLASS    /VIRSA/*, SUSO
  OBJNAME     /VIRSA/*
  OBJTYPE     FUGR
  P_GROUP     *
PLOG (Personnel planning)
  INFOTYP     1000, 1001
  ISTAT       *
  OTYPE       A, C, O, P, S, T, TS, US, WF, WS
  PLVAR       *
  PPFCODE     *
  SUBTYP      *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

S_RFC (Authorization check for RFC access)
  ACTVT       16
  RFC_NAME    /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE    FUGR
S_DEVELOP (ABAP Workbench)
  ACTVT       16
  DEVCLASS    /VIRSA/*
  OBJNAME     /VIRSA/*
  OBJTYPE     FUGR
  P_GROUP     *
GRCFF_0001 (User authorizations)
  ACTVT       *
GRCFF_0002 (Role authorizations)
  /VIRSA/FAT  *
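The tables in 5.1.1 and 5.5 are templates that a custom role must cover without being wider than listed. The script below is an added example for both sections (it is not part of this guide or of Access Control) that checks a role's authorization data against such a template: it reports required values the role does not cover, fields where the guide lists explicit values but the role grants *, and the SU01-with-CLASS-* combination the firefighter note warns about. Role data is read as OBJECT FIELD VALUE lines, the shape you get from table AGR_1251 (role, object, field, low value) with SE16 or from a PFCG download; the two roles below and the firefighter user group name FFIDS are constructed assumptions.

```python
"""Check custom SPM and RFC connector roles against this guide's authorization tables.

Added example for sections 5.1.1 and 5.5; not part of the guide or of Access Control.
Role data: 'OBJECT FIELD VALUE' lines (one value per line, as in table AGR_1251).
"""
from collections import defaultdict


def value_matches(granted: str, required: str) -> bool:
    """SAP value semantics: '*' grants everything, a trailing '*' is a prefix
    wildcard (e.g. /VIRSA/*), anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def load_role(text: str) -> dict:
    """Parse 'OBJECT FIELD VALUE' lines into {(object, field): {values}}."""
    auth = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        obj, field, value = line.split(maxsplit=2)
        auth[(obj, field)].add(value)
    return dict(auth)


def missing_authorizations(role: dict, template: dict) -> list:
    """Required (object, field, value) triples that no granted value covers."""
    missing = []
    for (obj, field), required in template.items():
        granted = role.get((obj, field), set())
        for req in sorted(required):
            if not any(value_matches(g, req) for g in granted):
                missing.append((obj, field, req))
    return missing


def overbroad_fields(role: dict, template: dict) -> list:
    """Fields where the guide lists explicit values but the role grants '*'."""
    return [(obj, field) for (obj, field), required in template.items()
            if required != {"*"} and "*" in role.get((obj, field), set())]


def su01_with_any_user_group(role: dict) -> bool:
    """S_USER_GRP CLASS=* plus transaction SU01 lets the holder maintain any user,
    which the firefighter note in 5.1.1 says not to grant."""
    classes = role.get(("S_USER_GRP", "CLASS"), set())
    tcodes = role.get(("S_TCODE", "TCD"), set())
    return "*" in classes and any(value_matches(t, "SU01") for t in tcodes)


# /VIRSA/Z_VFAT_FIREFIGHTER as listed in 5.1.1, including the SP07 additions.
FIREFIGHTER_TEMPLATE = {
    ("S_RFC", "ACTVT"): {"16"}, ("S_RFC", "RFC_NAME"): {"SYST"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"}, ("S_TCODE", "TCD"): {"/VIRSA/VFAT"},
    ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},
    ("S_USER_GRP", "CLASS"): {"FFIDS"},   # assumed name of the firefighter ID user group
}

# SPM RFC connector role as listed in 5.5.4.
SPM_RFC_TEMPLATE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF",
                            "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
    ("S_RFC", "RF C_TYPE".replace(" ", "")): {"FUGR"},
    ("S_DEVELOP", "ACTVT"): {"16"}, ("S_DEVELOP", "DEVCLASS"): {"/VIRSA/*"},
    ("S_DEVELOP", "OBJNAME"): {"/VIRSA/*"}, ("S_DEVELOP", "OBJTYPE"): {"FUGR"},
    ("S_DEVELOP", "P_GROUP"): {"*"},
    ("GRCFF_0001", "ACTVT"): {"*"}, ("GRCFF_0002", "/VIRSA/FAT"): {"*"},
}

# Constructed custom roles, each with deliberate mistakes.
CUSTOM_FIREFIGHTER = """
S_RFC ACTVT 16
S_RFC RFC_NAME SYST
S_RFC RFC_TYPE FUGR
S_TCODE TCD /VIRSA/VFAT
S_TCODE TCD SU01
S_USER_GRP ACTVT 02
S_USER_GRP ACTVT 03
S_USER_GRP CLASS *
"""

CUSTOM_SPM_RFC = """
S_RFC ACTVT 16
S_RFC RFC_NAME *
S_RFC RFC_TYPE FUGR
S_DEVELOP ACTVT 16
S_DEVELOP DEVCLASS /VIRSA/*
S_DEVELOP OBJNAME /VIRSA/*
S_DEVELOP OBJTYPE FUGR
S_DEVELOP P_GROUP *
GRCFF_0001 ACTVT *
GRCFF_0002 /VIRSA/FAT *
"""


def audit(text: str, template: dict) -> dict:
    """Run all three checks on one role and return the findings."""
    role = load_role(text)
    return {"missing": missing_authorizations(role, template),
            "overbroad": overbroad_fields(role, template),
            "su01_with_any_group": su01_with_any_user_group(role)}


if __name__ == "__main__":
    print("Z_FF_CUSTOM", audit(CUSTOM_FIREFIGHTER, FIREFIGHTER_TEMPLATE))
    print("Z_FF_RFC_CUSTOM", audit(CUSTOM_SPM_RFC, SPM_RFC_TEMPLATE))
```

The second role shows why a coverage check alone is not enough: RFC_NAME * covers every function group the template requires, so nothing is missing, yet the connector user can then call any remote-enabled function module in the system, which is exactly what the explicit list in 5.5.4 is meant to prevent.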
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use the NetWeaver User Management Engine (UME) to set up the front-end roles and configure their permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, install the support package and then do the following:
- If you are using the delivered roles, import the roles again.
- If you are using custom roles, manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations; all other roles contain a subset of them. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
- AEAdmin
- AESecurity
- AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Each entry has the form "Action name: description. [Tab on which it appears]".

aewebqueryexecution: internally used permission; not associated with any functionality. [Not displayed in a tab]
ApproverDelegationByAdmin: view Approver Delegation in the Request left navigation of the Configuration tab. [Configuration]
ArchivingRequest: archive requests. [Configuration]
CreateMitigationControl: create a mitigation control in the approver view. [Not displayed in a tab]
CreateSAPUser: provision user accounts (create, delete, lock, unlock) in the back-end system from the approver view. [Not displayed in a tab]
DeleteApprvDelegatorByAdmin: delete the approver/delegator pair from the admin view. [Configuration]
DeleteRequestAction: delete requests. [Configuration]
DeleteRequestSubmit: submit delete requests; available only if DeleteRequestAction is assigned. [Configuration]
ManageRejectionsCancelGenerationAction: cancel generation of requests for Manage Rejections (UAR and SoD). [Configuration]
ManageRejectionsGenerateAction: generate requests for Manage Rejections (UAR and SoD). [Configuration]
ManageUARLoadDataTask: access UAR Load Data tasks in the Configuration tab. [Configuration]
ModifyApproversConfiguration: modify Approvers configuration. [Configuration]
ModifyAttachmentFolder: modify the Request Attachment Folder. [Configuration]
ModifyAttributeConfiguration: modify Attribute configuration. [Configuration]
ModifyAuthenticationConfiguration: modify Authentication configuration. [Configuration]
ModifyBackgroundJobsConfiguration: modify Background Jobs configuration. [Configuration]
ModifyChangeLogConfiguration: modify Change Log configuration. [Configuration]
ModifyConfigLDAPMappingAction: modify LDAP Mapping configuration. [Configuration]
ModifyConnectorsConfiguration: modify Connectors configuration. [Configuration]
ModifyCustomFieldsConfiguration: modify Custom Fields configuration. [Configuration]
ModifyEnduserPersonalizationConfiguration: modify End User Personalization configuration. [Configuration]
ModifyHRTriggersConfiguration: modify HR Triggers configuration. [Configuration]
ModifyInitialSystemDataConfiguration: modify Initial System Data configuration. [Configuration]
ModifyMiscellaneousConfiguration: modify Miscellaneous configuration. [Configuration]
ModifyMitigationConfiguration: modify Mitigation configuration. [Configuration]
ModifyNumberRangeConfiguration: modify Number Range configuration. [Configuration]
ModifyPasswordSelfServiceConfiguration: modify Password Self Service configuration. [Configuration]
ModifyProvisioningConfiguration: modify Provisioning configuration. [Configuration]
ModifyReaffirmsConfiguration: modify Reaffirms configuration. [Configuration]
ModifyRequestConfiguration: modify Request configuration. [Configuration]
ModifyRiskAnalysisConfiguration: modify Risk Analysis configuration. [Configuration]
ModifyRolesConfiguration: modify Roles configuration. [Configuration]
ModifyServiceLevelConfiguration: modify Service Level configuration. [Configuration]
ModifySupportConfiguration: modify Support configuration. [Configuration]
ModifyUserDefaultsConfiguration: modify User Defaults configuration. [Configuration]
ModifyUserSearchDataSourceConfiguration: modify User Search Data Source configuration. [Configuration]
ModifyWorkflowConfiguration: modify Workflow configuration. [Configuration]
SearchChangeLog: search the change log. [Configuration]
ViewAccessEnforcer: view the Access Enforcer tab. [Configuration]
ViewApprove: approve a request in the approver view. [Not displayed in a tab]
ViewApproverDelegation: define a delegate approver for yourself. [Configuration]
ViewAssignRolesProfiles: provision roles and profiles in the back-end system from the approver view. [Configuration]
ViewchangeCADApprover: (no description given). [Not displayed in a tab]
ViewConfigApplicationLogAction: view the Application Log in Configuration. [Configuration]
ViewConfigSystemLogAction: view the System Log in Configuration. [Configuration]
ViewConfiguration: view the Configuration tab. [Configuration]
ViewCopyRequest: copy a request from the approver view. [My Work]
ViewCreateRequest: create a request from the approver view. [My Work]
ViewDelegationReportAction: view the Delegation Report. [Informer]
ViewForwardRequest: forward a request from the approver view. [Not displayed in a tab]
ViewHold: put a request on hold in the approver view. [Not displayed in a tab]
ViewIfCancelRiskViolationDetails: view Informer Cancel Risk Violation Details. [Informer]
ViewIFChartAccessRequestAction: view Informer Reports, Access Request chart view. [Informer]
ViewIFChartAccessProvisioningAction: view Informer Reports, Provisioning chart view. [Informer]
ViewIFChartRiskViolationAction: view Informer Reports, Risk Violation chart view. [Informer]
ViewIFChartServiceLevelAction: view Informer Reports, Service Level chart view. [Informer]
ViewIFReportViewAction: view the Informer Report view. [Informer]
ViewIFRequestByStructProfilesAction: view Informer Request by Structural Profiles. [Informer]
ViewIFRequestConflictsMitigationAction: view Informer Request Conflicts and Mitigations. [Informer]
ViewIFRequestRoleOwnerAction: view Informer Request Role Owner. [Informer]
ViewIFRequestServiceLevelAction: view Informer Service Level. [Configuration]
ViewIfRiskViolationDetails: view Informer Risk Violation Details. [Informer]
ViewIFRoleOwnerAction: view Informer Role Owner. [Informer]
ViewInformer: view the Informer tab. [Informer]
ViewManageRejectionReasons: view Manage Rejection Reasons. [Configuration]
ViewManageRejections: view Manage Rejections for UAR and SoD. [Configuration]
ViewMitigation: mitigate a risk from the risk analysis screen in the approver view. [Configuration]
ViewReaffirms: reaffirm from the approver view. [My Work]
ViewReject: reject a request in the approver view. [My Work]
ViewRemoveAccess: view the Remove Access button on the SoD Review page. [Not displayed in a tab]
ViewRequestsAdministration: Requests Administration. [Configuration]
ViewRequstAuditTrails: view the request audit trail from the approver view. [Not displayed in a tab]
ViewReRoute: reroute a request from the approver view. [Not displayed in a tab]
ViewRiskAnalysis: perform risk analysis from the approver view. [Not displayed in a tab]
ViewSaveRequest: view the Save Request button on the SoD Review page. [Not displayed in a tab]
ViewSearchRequestAll: search all requests from the approver view. [Not displayed in a tab]
ViewSelectPDProfiles: select PD profiles and add them to the request in the approver view. [Not displayed in a tab]
ViewSelectRoles: select roles and add them to the request in the approver view. [Not displayed in a tab]
ViewSODReviewHistoryReportAction: view the SoD Review Informer report. [Informer]
ViewStaleRequests: enter stale request details in the request view. [Not displayed in a tab]
ViewSubmitRequest: view the Submit Request button on the SoD Review page. [Not displayed in a tab]
ViewSuperAccess: view the Super Access button. [Not displayed in a tab]
ViewUARReviewHistoryReportAction: view the UAR Review Informer report. [Informer]
ViewUpgradeAction: Upgrade configuration. [Informer]
ViewUserReviewStatusReportAction: view user review status for CUP. [Configuration]
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity
  CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction

AEApprover
  CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction

The two roles differ only in that AESecurity additionally holds the provisioning actions CreateSAPUser and ViewAssignRolesProfiles, which change the back-end system, while AEApprover instead holds SeeSU01Fields and ViewSuperAccess. Keep that split when you derive custom roles: an approver role that also receives the provisioning actions can approve and fulfil the same request.
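Sections 6.1 and 6.2 leave the upkeep of custom front-end roles to you: after a support package the delivered action set may have changed, and a custom role can silently drift (a misspelled action name grants nothing, an action copied from the administrator role grants too much). The script below is an added example, not part of this guide or of Access Control; it compares a custom role's UME action list with the delivered role it was derived from. The delivered sets are transcribed from the AESecurity/AEApprover list above, the admin-only actions are a sample from the AEAdmin table, and the custom role ZAE_APPROVER_CUSTOM is constructed.

```python
"""Review a custom CUP front-end role against the delivered UME action sets.

Added example for sections 6.1 and 6.2; not part of the guide or of Access Control.
"""

# Actions common to the delivered AESecurity and AEApprover roles (from the table above).
COMMON = {
    "CreateMitigationControl", "ManageRejectionsCancelGenerationAction",
    "ManageRejectionsGenerateAction", "ViewAccessEnforcer", "ViewApprove",
    "ViewApproverDelegation", "ViewCopyRequest", "ViewCreateRequest",
    "ViewForwardRequest", "ViewHold", "ViewManageRejectionReasons",
    "ViewManageRejections", "ViewMitigation", "ViewReaffirms", "ViewReject",
    "ViewRejectUsers", "ViewRemoveAccess", "ViewRequstAuditTrail", "ViewReRoute",
    "ViewRiskAnalysis", "ViewSaveRequest", "ViewSearchRequestAll",
    "ViewSelectPDProfiles", "ViewSelectRoles", "ViewSubmitRequest",
    "ViewUserReviewStatusReportAction",
}
# The two actions that change the back-end system; only AESecurity holds them.
PROVISIONING = {"CreateSAPUser", "ViewAssignRolesProfiles"}
AESECURITY = COMMON | PROVISIONING
AEAPPROVER = COMMON | {"SeeSU01Fields", "ViewSuperAccess"}
# AEAdmin holds every action; this is a sample of Configuration-tab actions
# from its table that must stay with the administrator.
ADMIN_ONLY = {"ModifyConnectorsConfiguration", "ModifyAuthenticationConfiguration",
              "ModifyWorkflowConfiguration", "ModifyApproversConfiguration",
              "DeleteRequestAction", "ModifyProvisioningConfiguration"}
CATALOG = AESECURITY | AEAPPROVER | ADMIN_ONLY


def review_role(actions: set, delivered: set, catalog: set = CATALOG) -> dict:
    """Compare a custom role's action set with the delivered role it was copied from."""
    extra = actions - delivered
    return {
        # Not a known action name: UME matches nothing, so the entry grants nothing.
        "unknown": sorted(actions - catalog),
        # Delivered actions the custom role lacks (after a support package, the new ones).
        "missing": sorted(delivered - actions),
        # Approver who can also provision: approve and fulfil the same request.
        "provisioning_added": sorted(extra & PROVISIONING) if "ViewApprove" in actions else [],
        # Configuration actions that belong to AEAdmin only.
        "admin_only_added": sorted(extra & ADMIN_ONLY),
    }


# Constructed: a copy of AEApprover that lost two actions (one through a typo)
# and gained a provisioning action and a Configuration action.
ZAE_APPROVER_CUSTOM = (AEAPPROVER - {"ViewSuperAccess", "ViewRequstAuditTrail"}) | {
    "ViewRequestAuditTrail", "CreateSAPUser", "ModifyConnectorsConfiguration"}

if __name__ == "__main__":
    for key, value in review_role(ZAE_APPROVER_CUSTOM, AEAPPROVER).items():
        print(f"{key}: {value}")
```

Run against the delivered AESecurity set with AEApprover as the baseline, the check reports both provisioning actions; that is the intended difference between the two delivered roles, and the finding matters for a custom role that was meant to stay an approver role.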
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following list gives the actions for the role, in the form "Action name: description. [Tab on which it appears]".

ApplyToExistingRoles: view the Apply to Existing Roles button on Methodology Process Update. [Configuration]
ManageCache: manage the cache. [Configuration]
ViewApprovalCriteria: view Approval Criteria. [Configuration]
ViewAttachmentToRoleDef: view the Attach icon in Role Maintenance. [Not displayed on a tab]
ViewAuthorizationData: view authorization data. [Not displayed on a tab]
ViewBackgroundJobs: view Background Jobs. [Configuration]
ViewBusinessProcess: view Business Process. [Configuration]
ViewChangeHistory: view Change History. [Role Management]
ViewChangeRole: view and modify a role. [Role Management]
ViewChangeRoleApprovers: add or update role approvers. [Role Management]
ViewCompareRoles: compare roles. [Role Management]
ViewConditionGroups: view Condition Groups. [Configuration]
ViewConfiguration: view the Configuration tab. [Configuration]
ViewConfigurationSettingsImport: view the Configuration Settings Import/Export screen. [Configuration]
ViewCreateRole: view Create Role. [Role Management]
ViewCustomFields: view Custom Fields. [Configuration]
ViewDeleteRole: delete a role. [Not displayed on a tab]
ViewDerivedRoles: view Derived Roles. [Not displayed on a tab]
ViewFunctionalArea: view Functional Area. [Configuration]
ViewGenerateRole: generate a role. [Configuration]
ViewInformer: view all reports; there are no configurable actions for this tab. [Informer]
ViewInitialSystemData: view Initial System Data. [Role Management]
ViewMassMaintenance: perform role mass maintenance. [Role Management]
ViewMassMaintGenerate: manage Mass Maintenance: Generate. [Role Management]
ViewMassMaintRiskAnalysis: manage Mass Maintenance: Risk Analysis. [Role Management]
ViewMassMaintUpdate: manage Mass Maintenance: Update. [Role Management]
ViewMassRoleImport: view Mass Role Import. [Configuration]
ViewMethodology: view Methodology. [Configuration]
ViewMigration: view RE Migration. [Configuration]
ViewMiscellaneousConfiguration: Miscellaneous Configuration. [Configuration]
ViewMitigateRisks: mitigate a risk. [Not displayed on a tab]
ViewNamingConvention: view Naming Convention. [Configuration]
ViewObjectsByClass: view and modify the Objects by Class screen. [Not displayed on a tab]
ViewObjectsByTransaction: view the Objects by Transaction screen. [Not displayed on a tab]
ViewOpenSQLTest: view the OpenSQL test screen. [Not displayed on a tab]
ViewOrgValueMapping: view Org Value Mapping. [Configuration]
ViewProcessMapping: view Process Mapping. [Configuration]
ViewProjectRelease: view Project Release. [Configuration]
ViewRiskAnalysis: perform risk analysis. [Not displayed on a tab]
ViewRoleApproval: view the Approval button in Role Maintenance. [Not displayed on a tab]
ViewRoleDesigner: view Role Designer. [Not displayed on a tab]
ViewRoleExpert: view the Role Expert tab. [Role Management]
ViewRoleLibrary: view Role Library. [Role Management]
ViewRoleLocking: view Role Locking in the Configuration tab. [Configuration]
ViewRoleStatus: view Role Status in the Configuration tab. [Configuration]
ViewRoleUsage: view the Role Usage Synchronization screen. [Configuration]
ViewSearchRoles: search roles. [Role Management]
ViewSubProcess: view Sub Process. [Configuration]
ViewSystemLandscape: view System Landscape. [Configuration]
ViewSystemLogs: view System Logs. [Configuration]
ViewTestResults: view Test Results. [Configuration]
ViewTransactionImport: view Transaction Import in the Configuration tab. [Configuration]

Actions such as ViewOpenSQLTest (an OpenSQL test screen) and ViewObjectsByClass (view and modify objects by class) are not displayed on any tab and are not part of the business roles listed below; keep them with the administration role unless a custom role has a documented need for them.
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of the roles REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, and REConfigurator.

REBusinessUser:
ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator:
ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER.

VIRSA_CC_SECURITY_ADMIN:
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT:
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER:
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
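The guide states that the non-administrator RAR roles are subsets of the administrator's actions, which is what a least-privilege review of customer-built roles should check. The following is an added example (not SAP code and not part of this guide): it compares custom UME role assignments with the delivered VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER action lists above, reports actions a role carries beyond its baseline, and flags those the guide describes as tab-wide grants. The ROLE<TAB>ACTION input format, the Z_AUDITOR role and the TAB_WIDE list are constructed assumptions.

```python
"""Least-privilege review of custom RAR front-end roles against delivered ones.

Added example for this guide, not SAP code. The delivered role contents are
transcribed from the VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER lists in the
guide; the input format, the sample role and the TAB_WIDE list are constructed
assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Delivered role contents as listed in this guide. VIRSA_CC_ADMINISTRATOR holds
# every action, so it is not a useful least-privilege baseline and is omitted.
DELIVERED: Dict[str, FrozenSet[str]] = {
    "VIRSA_CC_REPORT": frozenset({
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
    }),
    "VIRSA_CC_BUSINESS_OWNER": frozenset({
        "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
        "ChangeMitRole", "ChangeMitUser", "CreateBUnit", "CreateMitCntl",
        "CreateMitHRObject", "CreateMitProfile", "CreateMitRole", "CreateMitUser",
        "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
        "DeleteMitRole", "DeleteMitUser", "RunAuditReports", "RunRiskAnalysis",
        "RunSecurityReports", "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport",
        "ViewMitigation", "ViewRuleArchitect",
    }),
}

# Actions the guide describes as granting a whole tab (ViewConfiguration lets the
# user "execute all actions within this tab") or as deleting rule data wholesale.
# Requiring explicit sign-off for them is this example's assumption.
TAB_WIDE: FrozenSet[str] = frozenset({
    "ViewConfiguration", "ManageDeletionAllRules", "ManageDeletionSystemRules",
})


@dataclass
class Finding:
    role: str
    baseline: str
    extra: List[str] = field(default_factory=list)     # beyond the delivered role
    missing: List[str] = field(default_factory=list)   # delivered but not assigned
    tab_wide: List[str] = field(default_factory=list)  # extras that grant a whole tab


def parse_assignments(text: str) -> Dict[str, Set[str]]:
    """Parse 'ROLE<TAB>ACTION' lines (a constructed format, not a UME export)."""
    roles: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        role, _, action = line.partition("\t")
        if not action.strip():
            raise ValueError(f"malformed line: {raw!r}")
        roles.setdefault(role.strip(), set()).add(action.strip())
    return roles


def review_role(role: str, actions: Set[str], baseline: str) -> Finding:
    """Compare one role's actions with the delivered role it is modelled on."""
    base = DELIVERED[baseline]
    extra = sorted(actions - base)
    return Finding(
        role=role,
        baseline=baseline,
        extra=extra,
        missing=sorted(base - actions),
        tab_wide=[a for a in extra if a in TAB_WIDE],
    )


def review_all(text: str, model: Dict[str, str]) -> List[Finding]:
    """Review every role in `text`; `model` maps custom role -> delivered role."""
    assignments = parse_assignments(text)
    return [review_role(r, acts, model[r]) for r, acts in sorted(assignments.items())]


# Constructed sample: a read-only auditor role modelled on VIRSA_CC_REPORT that
# has quietly gained a Mitigation-changing action and the tab-wide
# ViewConfiguration action.
SAMPLE = """\
# role\taction
Z_AUDITOR\tRunAuditReports
Z_AUDITOR\tRunRiskAnalysis
Z_AUDITOR\tRunSecurityReports
Z_AUDITOR\tViewAlertMonitor
Z_AUDITOR\tViewInformer
Z_AUDITOR\tViewMgmtReport
Z_AUDITOR\tViewMitigation
Z_AUDITOR\tChangeMitUser
Z_AUDITOR\tViewConfiguration
"""
MODEL = {"Z_AUDITOR": "VIRSA_CC_REPORT"}

if __name__ == "__main__":
    for f in review_all(SAMPLE, MODEL):
        print(f"{f.role} (modelled on {f.baseline})")
        print("  beyond baseline:", ", ".join(f.extra) or "none")
        print("  tab-wide grants:", ", ".join(f.tab_wide) or "none")
        print("  missing from baseline:", ", ".join(f.missing) or "none")
```

Run against a real export, the "beyond baseline" list is the set of actions that need a documented business justification, and anything in "tab-wide grants" deserves the same scrutiny as an administrator assignment.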
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
7 Recommended Front End Roles and Permissions for SPM
2011-12-27 PUBLIC 43/52
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
  Relevant for all target groups
Current version:
  On SAP Help Portal at http://help.sap.com > Glossary
  In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
  Consultants
  System administrators
  Project teams for implementations or upgrades
Current version:
  On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
  System administrators
  Technology consultants
  Solution consultants
Current version:
  On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
A Reference
A.1 The Main SAP Documentation Types
2011-12-27 PUBLIC 45/52
Target group:
  Technology consultants
  Project teams for implementations
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
  Technology consultants
  Project teams for implementations
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
  Technology consultants
  Solution consultants
  Project teams for implementations
Current version:
  In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
  Solution consultants
  Project teams for implementations or upgrades
Current version:
  In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
  System administrators
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
  System administrators
  Technology consultants
  Solution consultants
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
  Technology consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
  Technology consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
  Consultants
  Project teams for upgrades
Current version:
  On SAP Service Marketplace at http://service.sap.com/releasenotes
  In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
 | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +4918 0534 34 34
F +4918 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to Access Control. It also includes separate sections for each Access Control component.
AC includes the following components:
Compliant User Provisioning (CUP)
Enterprise Role Management (ERM)
Risk Analysis and Remediation (RAR)
Superuser Privilege Management (SPM)
1 Introduction
1.3 About this Document
6/52 PUBLIC 2011-12-27
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities run on the SAP NetWeaver Application Server for ABAP; for the security of that platform and other related security issues, see the following security guides.
Fundamental Security Guides
Guide | Location
SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Client (with PFCG Connection) | SAP Library
NetWeaver Business Client Security Issues | SAP Library
UME Authorization Guide | SAP Library
SAP NetWeaver Portal Guide | SAP Library
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
2 Before You Start
2.1 Fundamental Security Guides
2011-12-27 PUBLIC 7/52
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
3 Technical System Landscape
2011-12-27 PUBLIC 9/52
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network should support your business communication needs while preventing unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security
  This topic describes the communication channels and protocols used by Access Control.
Communication Destinations
  Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments
  Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security
  This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, we highly recommend using the HTTPS protocol to secure this communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon Data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon Data
RFC | RFC | All application data | Logon Data
Application server to BI system | HTTP/HTTPS | All application data | Logon Data
BI system to application system | HTTP/HTTPS | All application data | Logon Data
4 Network and Communication Security
4.1 Communication Channel Security
2011-12-27 PUBLIC 11/52
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC destination. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC destination to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4 Network and Communication Security
4.2 RFC Connections
2011-12-27 PUBLIC 12/52
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that access to this data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired Please login to UME to reset the password". As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for the password change.
4 Network and Communication Security
4.4 Integration into Single Sign-On Environments
2011-12-27 PUBLIC 13/52
45 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed
Access Control can optionally use the NetWeaver Business Client as the front-end which uses non-
persistent session cookies for data storage
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog users: use the SAP GUI for configuring and administering Access Control, and access the NetWeaver Business Client.
Communication users: use the Access Control workflow. RTAs use RFC connections to connect to the BI systems.
Service users: connect the front-end ABAP session to the back-end ABAP session. RTAs use RFC connections to connect to the BI systems.
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool: Description
Transaction SU01: Use SU01 for ABAP user maintenance, that is, to create and update users and user authorizations.
Transaction PFCG (Profile Generator): Use PFCG for ABAP role maintenance, that is, to create and update authorization profiles.
User Management Administration Console: Use UME for Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides under SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control-specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
/VIRSA/Z_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
/VIRSA/VFAT_ROLE_ADMINISTRATOR: can perform administrator tasks for both ID-based and role-based firefighting.
/VIRSA/VFAT_ADMINISTRATOR: the administrator for both the delivered ID-based and role-based roles.
Delivered ID-based Roles
Delivered Role: /VIRSA/Z_VFAT_ADMINISTRATOR
Key Tasks: Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox.
Description: Administrators control most firefighter activities.
Delivered Role: /VIRSA/Z_VFAT_ID_OWNER
Key Tasks: Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications.
Description: The owner role provides authorization for users who are defined as owners or controllers.
Delivered Role: /VIRSA/Z_VFAT_FIREFIGHTER
Key Tasks: Base user authorizations required to log on as a firefighter.
Description: The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Role: /VIRSA/VFAT_ROLE_ADMINISTRATOR
Key Tasks: Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox.
Description: Administrators control most firefighter activities.
Delivered Role: /VIRSA/VFAT_ROLE_OWNER
Key Tasks: Assign firefighter roles to firefighters; view log reports; receive e-mail notifications.
Description: The owner role assigns authorizations to users who are defined as owners or controllers.
Delivered Role: /VIRSA/VFAT_ROLE_CONTROLLER
Key Tasks: Receive notifications; view log reports.
Description: The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) contain all available values. The following table lists the available values for the authorization fields.
Object GRCFF_0001, field ACTVT: 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload.
Object GRCFF_0002, field VIRSAFAT:
CNTR - Controller: maintains the controller table for firefighter roles.
FFER - Firefighter: required to add or delete a firefighter from firefighter roles.
LGDN - Log Download: you can download logs via Administration - Archive.
LGDS - Log Delete: you can delete logs via Administration - Archive.
LGUP - Log Upload: you can upload logs via Administration - Archive.
OWNR - Owner: maintains the owner table for firefighter roles.
Object S_DATA_SET, field ACTVT: 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter.
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values, and authorization fields for VFAT_ADMINISTRATOR.
S_TCODE: TCD = /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET: ACTVT; FILE_NAME; PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM: P_ACTION = SUBMIT, BTCSUBMIT, VARIANT; P_GROUP = ZVFAT
GRCFF_0001: ACTVT
GRCFF_0002: VIRSAFAT
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorization fields for VFAT_ROLE_ADMINISTRATOR.
S_TCODE: TCD = /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZV&ZV
S_DATA_SET: ACTVT; FILE_NAME; PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002: VIRSAFAT
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorization fields for VFAT_ROLE_CONTROLLER.
S_TCODE: TCD = /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZV&ZV
S_PROGRAM: P_ACTION = SUBMIT, BTCSUBMIT; P_GROUP = ZVFAT
S_BTCH_JOB: JOBACTION = RELE; JOBGROUP
S_DATA_SET: ACTVT; FILE_NAME; PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001: ACTVT = 81
S_TCODE: TCD = /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZVD, ZVE
S_PROGRAM: P_ACTION = SUBMIT, BTCSUBMIT; P_GROUP = ZVFAT
S_BTCH_JOB: JOBACTION = RELE; JOBGROUP
GRCFF_0001: ACTVT = 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002: VIRSAFAT = LGDN, LGDS, LGUP
S_TCODE: TCD = /VIRSA/VFAT
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZVD, ZVE
GRCFF_0001: ACTVT = 02, 03
GRCFF_0002: VIRSAFAT = CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, values, and authorization fields for VFAT_ROLE_OWNER.
S_TCODE: TCD = /VIRSA/VFAT
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZVD, ZVE
GRCFF_0001: ACTVT = 02, 03
GRCFF_0002: VIRSAFAT = CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for VFAT_ADMINISTRATOR.
S_TCODE: TCD = /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET: ACTVT; FILE_NAME = None; PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM: P_ACTION = BTCSUBMIT, SUBMIT, VARIANT; P_GROUP = ZVFAT
GRCFF_0001: ACTVT
GRCFF_0002: VIRSAFAT = CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields, and values for VFAT_FIREFIGHTER.
S_RFC: ACTVT = 16; RFC_NAME = SYST; RFC_TYPE = FUGR
S_TCODE: TCD = /VIRSA/VFAT
For SP07 and later, you must add these additional authorizations:
S_USER_GRP: ACTVT = 02, 03, 05; CLASS = [FFIDs user group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any users with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
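As an added example that is not part of this guide, the following Python check reads a custom firefighter role as object/field/value entries and compares it with the values listed above, using SAP-style value matching (a single value, a trailing-asterisk pattern, or a LOW-HIGH range); it also flags the two widenings the note warns about, SU01 reachable through S_TCODE and an S_USER_GRP/CLASS wider than the FFID group. The role Z_FF_CUSTOM, the user group FFIDS, and all function names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    """One value maintained for an authorization field in PFCG: a single value,
    a trailing-'*' pattern, or an inclusive LOW-HIGH range (high non-empty)."""
    low: str
    high: str = ""


def value_matches(granted: AuthValue, required: str) -> bool:
    """SAP-style check: '*' covers everything, 'ABC*' covers the prefix,
    LOW-HIGH covers the range, anything else must match exactly."""
    if granted.low == "*":
        return True
    if granted.high:
        return granted.low <= required <= granted.high
    if granted.low.endswith("*"):
        return required.startswith(granted.low[:-1])
    return granted.low == required


# A role is modelled as {authorization object: {field: [AuthValue, ...]}}.
Role = dict[str, dict[str, list[AuthValue]]]

# Values the guide lists for /VIRSA/Z_VFAT_FIREFIGHTER including the SP07
# additions. S_USER_GRP/CLASS is the site-specific FFID user group, so it is
# checked by overbroad_values() against the group name you pass in.
FIREFIGHTER_REQUIRED: dict[str, dict[str, list[str]]] = {
    "S_RFC": {"ACTVT": ["16"], "RFC_NAME": ["SYST"], "RFC_TYPE": ["FUGR"]},
    "S_TCODE": {"TCD": ["/VIRSA/VFAT"]},
    "S_USER_GRP": {"ACTVT": ["02", "03", "05"]},
}


def missing_values(role: Role, required=FIREFIGHTER_REQUIRED) -> list[str]:
    """Return 'OBJECT/FIELD=VALUE' for each required value no grant covers."""
    missing = []
    for obj, fields in required.items():
        for fld, values in fields.items():
            granted = role.get(obj, {}).get(fld, [])
            for value in values:
                if not any(value_matches(g, value) for g in granted):
                    missing.append(f"{obj}/{fld}={value}")
    return missing


def overbroad_values(role: Role, ffid_group: str) -> list[str]:
    """Flag grants wider than the guide recommends for a firefighter role:
    SU01 reachable via S_TCODE, or S_USER_GRP/CLASS wider than the FFID group."""
    findings = []
    for g in role.get("S_TCODE", {}).get("TCD", []):
        if value_matches(g, "SU01"):
            findings.append(f"S_TCODE/TCD {g.low} covers SU01")
    classes = role.get("S_USER_GRP", {}).get("CLASS", [])
    if not any(value_matches(g, ffid_group) for g in classes):
        findings.append(f"S_USER_GRP/CLASS does not cover FFID group {ffid_group}")
    for g in classes:
        label = g.low + ("-" + g.high if g.high else "")
        if g.low == "*" or g.high or g.low.endswith("*"):
            findings.append(f"S_USER_GRP/CLASS {label} is wider than group {ffid_group}")
    return findings


def check_firefighter_role(role: Role, ffid_group: str) -> dict[str, list[str]]:
    """Combine both checks; empty lists mean the role matches the guide."""
    return {"missing": missing_values(role),
            "overbroad": overbroad_values(role, ffid_group)}


# Constructed sample (not from the guide): a custom copy of the firefighter
# role with two shortcuts a reviewer should catch and one missing activity.
Z_FF_CUSTOM: Role = {
    "S_RFC": {"ACTVT": [AuthValue("16")], "RFC_NAME": [AuthValue("SYST")],
              "RFC_TYPE": [AuthValue("FUGR")]},
    "S_TCODE": {"TCD": [AuthValue("/VIRSA/*"), AuthValue("SU01")]},
    "S_USER_GRP": {"ACTVT": [AuthValue("01", "03")],  # range 01-03 lacks 05
                   "CLASS": [AuthValue("*")]},
}

if __name__ == "__main__":
    for kind, items in check_firefighter_role(Z_FF_CUSTOM, "FFIDS").items():
        for item in items:
            print(f"{kind}: {item}")
```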
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, authorization fields, and values for VFAT_ID_OWNER.
S_TCODE: TCD = /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB: JOBACTION = RELE; JOBGROUP
S_TABU_DIS: ACTVT = 02, 03; DICBERCLS = ZV&X, ZV&Y
S_PROGRAM: P_ACTION = SUBMIT, BTCSUBMIT; P_GROUP = ZVFAT
GRCFF_0001: ACTVT = 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access): ACTVT = 16; RFC_NAME = /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU; RFC_TYPE = FUGR
S_TCODE (Authorization check at transaction start): TCD = SU01
S_TABU_DIS (Table maintenance): ACTVT = 03; DICBERCLS = &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (Authorizations: role check): ACTVT; ACT_GROUP
S_USER_AUT (User master maintenance: authorizations): ACTVT = 03, 08; AUTH; OBJECT
S_USER_GRP (User master maintenance: user groups): ACTVT = 01, 02, 03, 05, 06, 08, 24, 78; CLASS
S_USER_PRO (User master maintenance: authorization profile): ACTVT = 03, 08; PROFILE
S_USER_SAS (S_USER_SAS): ACTVT = 01, 06, 22; ACT_GROUP; CLASS; PROFILE; SUBSYSTEM
S_USER_SYS (User master maintenance: system for central user maintenance): ACTVT = 78; SUBSYSTEM
S_ADDRESS1 (Central address management): ACTVT = 01, 02, 03, 06; ADGRP = BC01
GRCCC_0001 (Table maintenance): VIRSAATN = MREF
PLOG (Personnel planning): INFOTYP = 1001; ISTAT = 1; OTYPE; PLVAR; PPFCODE = DEL, DISP, INSE, LIST; SUBTYP
P_TCODE (HR transaction code): TCD = SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
S_RFC (Authorization check for RFC access): ACTVT = 16; RFC_NAME = /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU; RFC_TYPE = FUGR
S_TCODE (Authorization check at transaction start): TCD = /VIRSA/RE_DNLDROLES
S_USER_AGR (Authorizations: role check): ACTVT; ACT_GROUP
S_USER_AUT (User master maintenance: authorizations): ACTVT; AUTH; OBJECT
S_USER_GRP (User master maintenance: user groups): ACTVT; CLASS
S_USER_PRO (User master maintenance: authorization profile): ACTVT; PROFILE
S_USER_TCD (Authorizations: transactions in roles): TCD
S_USER_VAL (Authorizations: field values in roles): AUTH_FIELD; AUTH_VALUE; OBJECT
S_DEVELOP (ABAP Workbench): ACTVT; DEVCLASS = VIRSA, SUSO; OBJNAME = VIRSA; OBJTYPE = FUGR; P_GROUP
PLOG (Personnel planning): INFOTYP = 1000, 1001; ISTAT; OTYPE; PLVAR; PPFCODE; SUBTYPE
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
S_RFC (Authorization check for RFC access): ACTVT = 16; RFC_NAME = /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU; RFC_TYPE = FUGR
S_TCODE (Transaction code check at transaction start): TCD = /VIRSA/RE_DNLDROLES
S_GUI (Authorization for GUI activities): ACTVT
S_USER_AGR (Authorizations: role check): ACTVT; ACT_GROUP
S_USER_AUT (User master maintenance: authorizations): ACTVT; AUTH; OBJECT
S_USER_GRP (User master maintenance: user groups): ACTVT; CLASS
S_USER_PRO (User master maintenance: authorization profile): ACTVT; PROFILE
S_USER_TCD (Authorizations: transactions in roles): TCD
S_USER_VAL (Authorizations: field values in roles): AUTH_FIELD; AUTH_VALUE; OBJECT
S_DEVELOP (ABAP Workbench): ACTVT = MA; DEVCLASS = VIRSA, SUSO; OBJNAME = VIRSA; OBJTYPE = FUGR; P_GROUP
PLOG (Personnel planning): INFOTYP = 1000, 1001; ISTAT; OTYPE = A, C, O, P, S, T, TS, US, WF, WS; PLVAR; PPFCODE; SUBTYP
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access): ACTVT = 16; RFC_NAME = /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU; RFC_TYPE = FUGR
S_DEVELOP (ABAP Workbench): ACTVT = 16; DEVCLASS = VIRSA; OBJNAME = VIRSA; OBJTYPE = FUGR; P_GROUP
GRCFF_0001 (User authorizations): ACTVT
GRCFF_0002 (Role authorizations): VIRSAFAT
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name: Description. Tab: Appears on this tab
aewebqueryexecution: This is an internally used permission and is not associated with any functionality. Tab: (not displayed in a tab)
ApproverDelegationByAdmin: Permission to view Approver Delegation in the Request left navigation in the Configuration tab. Tab: Configuration
ArchivingRequest: Permission for Archiving Request. Tab: Configuration
CreateMitigationControl: Permission to create a mitigation control in the approver view. Tab: (not displayed in a tab)
CreateSAPUser: Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view. Tab: (not displayed in a tab)
DeleteApprvDelegatorByAdmin: Permission to delete the approver/delegator pair from the admin view. Tab: Configuration
DeleteRequestAction: Permission to delete requests. Tab: Configuration
DeleteRequestSubmit: Permission to submit delete requests, which is only available if Deleting Requests is assigned. Tab: Configuration
ManageRejectionsCancelGenerationAction: Permission to cancel generating requests for manage rejections for UAR and SOD. Tab: Configuration
ManageRejectionsGenerateAction: Permission to generate requests for manage rejections for UAR and SOD. Tab: Configuration
ManageUARLoadDataTask: Permission to access UAR Load Data tasks in the Configuration tab. Tab: Configuration
ModifyApproversConfiguration: Permission to modify Approvers Configuration. Tab: Configuration
ModifyAttachmentFolder: Permission to modify the Request Attachment Folder. Tab: Configuration
ModifyAttributeConfiguration: Permission to modify Attribute Configuration. Tab: Configuration
ModifyAuthenticationConfiguration: Permission to modify Authentication Configuration. Tab: Configuration
ModifyBackgroundJobsConfiguration: Permission to modify Background Jobs Configuration. Tab: Configuration
ModifyChangeLogConfiguration: Permission to modify Change Log Configuration. Tab: Configuration
ModifyConfigLDAPMappingAction: Permission to modify LDAP Mapping Configuration. Tab: Configuration
ModifyConnectorsConfiguration: Permission to modify Connectors Configuration. Tab: Configuration
ModifyCustomFieldsConfiguration: Permission to modify Custom Fields Configuration. Tab: Configuration
ModifyEnduserPersonalizationConfiguration: Permission to modify Enduser Personalization Configuration. Tab: Configuration
ModifyHRTriggersConfiguration: Permission to modify HR Triggers Configuration. Tab: Configuration
ModifyInitialSystemDataConfiguration: Permission to modify Initial Data Configuration. Tab: Configuration
ModifyMiscellaneousConfiguration: Permission to modify Miscellaneous Configuration. Tab: Configuration
ModifyMitigationConfiguration: Permission to modify Mitigation Configuration. Tab: Configuration
ModifyNumberRangeConfiguration: Permission to modify Number Range Configuration. Tab: Configuration
ModifyPasswordSelfServiceConfiguration: Permission to modify Password Self Service Configuration. Tab: Configuration
ModifyProvisioningConfiguration: Permission to modify Provisioning Configuration. Tab: Configuration
ModifyReaffirmsConfiguration: Permission to modify Reaffirms Configuration. Tab: Configuration
ModifyRequestConfiguration: Permission to modify Request Configuration. Tab: Configuration
ModifyRiskAnalysisConfiguration: Permission to modify Risk Analysis Configuration. Tab: Configuration
ModifyRolesConfiguration: Permission to modify Roles Configuration. Tab: Configuration
ModifyServiceLevelConfiguration: Permission to modify Service Level Configuration. Tab: Configuration
ModifySupportConfiguration: Permission to modify Support Configuration. Tab: Configuration
ModifyUserDefaultsConfiguration: Permission to modify User Defaults Configuration. Tab: Configuration
ModifyUserSearchDataSourceConfiguration: Permission to modify User Data Source Configuration. Tab: Configuration
ModifyWorkflowConfiguration: Permission to modify Workflow Configuration. Tab: Configuration
SearchChangeLog: Permission to search the change log. Tab: Configuration
ViewAccessEnforcer: Permission to view the Access Enforcer tab. Tab: Configuration
ViewApprove: Permission to approve a request in the approver view. Tab: (not displayed in a tab)
ViewApproverDelegation: Permission to define a delegate approver for self. Tab: Configuration
ViewAssignRolesProfiles: Permission to provision roles and profiles in the back-end system from the approver view. Tab: Configuration
ViewchangeCADApprover: Tab: (not displayed in a tab)
ViewConfigApplicationLogAction: Permission to view the Application Log in Configuration. Tab: Configuration
ViewConfigSystemLogAction: Permission to view the System Log in Configuration. Tab: Configuration
ViewConfiguration: Permission to view the Configuration tab. Tab: Configuration
ViewCopyRequest: Permission to copy a request from the approver view. Tab: My Work
ViewCreateRequest: Permission to create a request from the approver view. Tab: My Work
ViewDelegationReportAction: Permission to view the Delegation Report. Tab: Informer
ViewForwardRequest: Permission to forward a request from the approver view. Tab: (not displayed in a tab)
ViewHold: Permission to put a request on hold in the approver view. Tab: (not displayed in a tab)
ViewIfCancelRiskViolationDetails: Permission to view Informer Cancel Risk Violation Details. Tab: Informer
ViewIFChartAccessRequestAction: Permission to view Informer Reports Access Request Chart View. Tab: Informer
ViewIFChartAccessProvisioningAction: Permission to view Informer Reports Provisioning Chart View. Tab: Informer
ViewIFChartRiskViolationAction: Permission to view Informer Reports Risk Violation Chart View. Tab: Informer
ViewIFChartServiceLevelAction: Permission to view Informer Reports Service Level Chart View. Tab: Informer
ViewIFReportViewAction: Permission to view Informer Report View. Tab: Informer
ViewIFRequestByStructProfilesAction: Permission to view Informer Request By Structural Profiles. Tab: Informer
ViewIFRequestConflictsMitigationAction: Permission to view Informer Request Conflicts and Mitigations. Tab: Informer
ViewIFRequestRoleOwnerAction: Permission to view Informer Request Role Owner. Tab: Informer
ViewIFRequestServiceLevelAction: Permission to view Informer Service Level. Tab: Configuration
ViewIfRiskViolationDetails: Permission to view Informer Risk Violation Details. Tab: Informer
ViewIFRoleOwnerAction: Permission to view Informer Role Owner. Tab: Informer
ViewInformer: Permission to view the Informer tab. Tab: Informer
ViewManageRejectionReasons: Permission to view manage rejection reasons. Tab: Configuration
ViewManageRejections: Permission to view manage rejections for UAR and SOD. Tab: Configuration
ViewMitigation: Permission to mitigate a risk from the risk analysis screen in the approver view. Tab: Configuration
ViewReaffirms: Permission to reaffirm from the approver view. Tab: My Work
ViewReject: Permission to reject a request in the approver view. Tab: My Work
ViewRemoveAccess: Permission to view the Remove Access button on the SOD Review page. Tab: (not displayed in a tab)
ViewRequestsAdministration: Permission for Requests Administration. Tab: Configuration
ViewRequstAuditTrails: Permission to view the request audit trail from the approver view. Tab: (not displayed in a tab)
ViewReRoute: Permission to reroute a request from the approver view. Tab: (not displayed in a tab)
ViewRiskAnalysis: Permission to perform risk analysis from the approver view. Tab: (not displayed in a tab)
ViewSaveRequest: Permission to view the Save Request button on the SOD Review page. Tab: (not displayed in a tab)
ViewSearchRequestAll: Permission to search for all requests from the approver view. Tab: (not displayed in a tab)
ViewSelectPDProfiles: Permission to select PD profiles and add them to the request in the approver view. Tab: (not displayed in a tab)
ViewSelectRoles: Permission to select roles and add them to the request in the approver view. Tab: (not displayed in a tab)
ViewSODReviewHistoryReportAction: Permission to view the SOD Review Informer report. Tab: Informer
ViewStaleRequests: Permission to enter stale request details in the request view. Tab: (not displayed in a tab)
ViewSubmitRequest: Permission to view the Submit Request button on the SOD Review page. Tab: (not displayed in a tab)
ViewSuperAccess: Permission to view the Super Access button. Tab: (not displayed in a tab)
ViewUARReviewHistoryReportAction: Permission to view the UAR Review Informer report. Tab: Informer
ViewUpgradeAction: Permission for Upgrade Configuration. Tab: Informer
ViewUserReviewStatusReportAction: Permission to view user review status for CUP. Tab: Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name: Value. Tab: Appears on this tab
ApplyToExistingRoles: Permission to view the Apply to Existing Roles button on Methodology Process Update. Tab: Configuration
ManageCache: Permission to manage the cache. Tab: Configuration
ViewApprovalCriteria: Permission to view Approval Criteria. Tab: Configuration
ViewAttachmentToRoleDef: Permission to view the Attach icon in Role Maintenance. Tab: (not displayed on a tab)
ViewAuthorizationData: Permission to view Authorization data. Tab: (not displayed on a tab)
ViewBackgroundJobs: Permission to view Background Jobs. Tab: Configuration
ViewBusinessProcess: Permission to view Business Process. Tab: Configuration
ViewChangeHistory: Permission to view Change History. Tab: Role Management
ViewChangeRole: Permission to view and modify a role. Tab: Role Management
ViewChangeRoleApprovers: Permission to add or update role approvers. Tab: Role Management
ViewCompareRoles: Permission to compare roles. Tab: Role Management
ViewConditionGroups: Permission to view Condition Groups. Tab: Configuration
ViewConfiguration: Permission to view the Configuration tab. Tab: Configuration
ViewConfigurationSettingsImport: Permission to view the Configuration Settings Import-Export screen. Tab: Configuration
ViewCreateRole: Permission to view Create Role. Tab: Role Management
ViewCustomFields: Permission to view Custom Fields. Tab: Configuration
ViewDeleteRole: Permission to delete a role. Tab: (not displayed on a tab)
ViewDerivedRoles: Permission to view Derived Roles. Tab: (not displayed on a tab)
ViewFunctionalArea: Permission to view Functional Area. Tab: Configuration
ViewGenerateRole: Permission to generate a role. Tab: Configuration
ViewInformer: Permission to view all reports; there are no configurable actions for this tab. Tab: Informer
ViewInitialSystemData: Permission to view Initial System Data. Tab: Role Management
ViewMassMaintenance: Permission to perform Role Mass Maintenance. Tab: Role Management
ViewMassMaintGenerate: Permission to manage Mass Maintenance - Generate. Tab: Role Management
ViewMassMaintRiskAnalysis: Permission to manage Mass Maintenance - Risk Analysis. Tab: Role Management
ViewMassMaintUpdate: Permission to manage Mass Maintenance - Update. Tab: Role Management
ViewMassRoleImport: Permission to view Mass Role Import. Tab: Configuration
ViewMethodology: Permission to view Methodology. Tab: Configuration
ViewMigration: Permission to view RE Migration. Tab: Configuration
ViewMiscellaneousConfiguration: Permission to view Miscellaneous Configuration. Tab: Configuration
ViewMitigateRisks: Permission to mitigate a risk. Tab: (not displayed on a tab)
ViewNamingConvention: Permission to view Naming Convention. Tab: Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view the Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration Tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists show the actions assigned to each of these roles:
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view the Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists show the actions assigned to each of these roles:
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
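A least-privilege check over these action lists, as an added example that is not part of the SAP guide: it reads a constructed role export, reports the actions a custom role holds beyond the delivered role it was copied from, and lists the tabs on which the role can create, change or delete data. The role and action data is transcribed from the tables above; the export format, the Z_* role names and the function names are assumptions of the example.

```python
"""Least-privilege review of custom RAR front-end roles.

Added example, not part of the SAP guide. Delivered role contents and the
action-to-tab mapping are transcribed from the tables in this section; the
export format, the Z_* roles and the function names are constructed.
"""

# Delivered roles from the lists above (VIRSA_CC_ADMINISTRATOR holds every
# action and is omitted; the two smaller roles are listed in full).
DELIVERED = {
    "VIRSA_CC_REPORT": {
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
    },
    "VIRSA_CC_BUSINESS_OWNER": {
        "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
        "ChangeMitRole", "ChangeMitUser", "CreateBUnit", "CreateMitCntl",
        "CreateMitHRObject", "CreateMitProfile", "CreateMitRole", "CreateMitUser",
        "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
        "DeleteMitRole", "DeleteMitUser", "RunAuditReports", "RunRiskAnalysis",
        "RunSecurityReports", "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport",
        "ViewMitigation", "ViewRuleArchitect",
    },
}

# Verbs that modify RAR data, as used in the action names of the tables.
MAINT_PREFIXES = ("Create", "Change", "Delete", "Import", "Export",
                  "Generate", "Clear", "Manage")

# Action -> tab, from the VIRSA_CC_ADMINISTRATOR table (subset; extend as needed).
ACTION_TAB = {
    "ChangeRisks": "Rule Architect", "CreateRisks": "Rule Architect",
    "DeleteRisks": "Rule Architect", "ChangeFunction": "Rule Architect",
    "DeleteAlert": "Alert Monitor", "ClearAlert": "Alert Monitor",
    "ViewAlertMonitor": "Alert Monitor", "ViewMitigation": "Mitigation",
    "ViewInformer": "Informer", "ViewMgmtReport": "Informer",
}
# Every maintenance action of the business owner role sits on the Mitigation tab.
for _action in DELIVERED["VIRSA_CC_BUSINESS_OWNER"]:
    if _action.startswith(MAINT_PREFIXES):
        ACTION_TAB.setdefault(_action, "Mitigation")

# Constructed sample export: one line per role, "ROLE: action, action".
SAMPLE_EXPORT = """\
# constructed sample, not a real UME export
Z_CC_AUDITOR: RunAuditReports, RunSecurityReports, ViewInformer, ViewMgmtReport, ViewAlertMonitor, DeleteAlert
Z_CC_CONTROL_OWNER: ViewMitigation, ChangeMitCntl, CreateMitCntl, ChangeRisks
"""


def parse_role_export(text):
    """Return {role: set(actions)} from the constructed export format."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        role, actions = line.split(":", 1)
        roles[role.strip()] = {a.strip() for a in actions.split(",") if a.strip()}
    return roles


def excess_actions(actions, baseline):
    """Actions the custom role grants beyond the delivered baseline role."""
    return sorted(actions - DELIVERED[baseline])


def maintenance_tabs(actions):
    """Tabs on which the role can create, change or delete RAR data."""
    tabs = {ACTION_TAB.get(a, "unknown tab")
            for a in actions if a.startswith(MAINT_PREFIXES)}
    return sorted(tabs)


def review(text, baselines):
    """Compare each exported role with its baseline; baselines is {role: delivered}."""
    report = {}
    for role, actions in parse_role_export(text).items():
        baseline = baselines.get(role)
        report[role] = {
            "baseline": baseline,
            "excess": excess_actions(actions, baseline) if baseline else sorted(actions),
            "maintenance_tabs": maintenance_tabs(actions),
        }
    return report


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT, {"Z_CC_AUDITOR": "VIRSA_CC_REPORT",
                                    "Z_CC_CONTROL_OWNER": "VIRSA_CC_BUSINESS_OWNER"})
    for role, info in result.items():
        print(role, "beyond", info["baseline"], "->", info["excess"],
              "| maintains:", info["maintenance_tabs"])
```

The "excess" list is what to justify during a role review; the "maintenance_tabs" list makes visible when one role can both maintain rules (Rule Architect) and maintain mitigations (Mitigation), which the delivered VIRSA_CC_BUSINESS_OWNER and VIRSA_CC_REPORT roles keep apart.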
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
2 Before You Start
This section provides information about relevant SAP Security Guides, SAP Notes, and the location of other guides to help you understand Access Control security issues.
2.1 Fundamental Security Guides
Access Control capabilities rely on the SAP NetWeaver Application Server for ABAP and on other components that have security considerations of their own. For more information, see the following security guides.
Fundamental Security Guides
Guide | Location
SAP NetWeaver ABAP Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | http://service.sap.com/securityguide
SAP NetWeaver Business Client (with PFCG Connection) | SAP Library
NetWeaver Business Client Security Issues | SAP Library
UME Authorization Guide | SAP Library
SAP NetWeaver Portal Guide | SAP Library
2.2 Important SAP Notes
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
2.3 Additional Information
For more information about specific topics, see the Quick Links in the following table.
Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security
This topic describes the communication channels and protocols used by Access Control.
Communication Destinations
Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments
Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security
This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon Data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon Data
RFC | RFC | All application data | Logon Data
Application server to BI system | HTTP/HTTPS | All application data | Logon Data
BI system to application system | HTTP/HTTPS | All application data | Logon Data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use the SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
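One way to check a set of destinations against the points made in 4.1 and 4.2 (SNC on RFC connections, SSL on HTTP connections, and no user ID on the RFC destination that Access Control uses), as an added example that is not SAP's code: the semicolon-separated export format, the destination names, the ACCESS_CONTROL_DESTINATIONS set and the function names are constructed for the example; only the SM59 destination type codes 3, H, and G are real.

```python
"""Audit of RFC/HTTP destinations against sections 4.1 and 4.2.

Added example, not part of the SAP guide. The export format, destination
names and function names are constructed; the SM59 type codes (3 = ABAP
connection, H = HTTP to ABAP system, G = HTTP to external server) are real.
"""

# Constructed sample export: NAME;TYPE;TARGET;USER;SNC;SSL
SAMPLE_DESTINATIONS = """\
NAME;TYPE;TARGET;USER;SNC;SSL
GRC_FF_BACKEND;3;erp01:00;;off;
ERP_PRD_RFC;3;erp01:00;RFCUSER;on;
GRC_BI_HTTP;H;bi01:8000;;;off
GRC_BI_HTTPS;H;bi01:8443;;;on
GRC_FF_LEGACY;3;erp02:00;FFADMIN;off;
"""

# Destinations that Access Control uses for Firefighter sessions (constructed
# names); section 4.2 requires them to carry no user ID.
ACCESS_CONTROL_DESTINATIONS = {"GRC_FF_BACKEND", "GRC_FF_LEGACY"}

RFC_TYPES = {"3"}          # SNC applies (section 4.1)
HTTP_TYPES = {"H", "G"}    # SSL applies (section 4.1 and the HTTPS note)


def parse_destinations(text):
    """Return a list of dicts keyed by the header fields of the export."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, row.split(";"))) for row in lines[1:]]


def audit_destination(dest, ac_destinations=ACCESS_CONTROL_DESTINATIONS):
    """Return the list of finding codes for one destination record."""
    findings = []
    if dest["TYPE"] in RFC_TYPES and dest["SNC"] != "on":
        findings.append("NO_SNC")        # RFC connection not protected by SNC
    if dest["TYPE"] in HTTP_TYPES and dest["SSL"] != "on":
        findings.append("NO_SSL")        # HTTP connection not protected by SSL
    if dest["NAME"] in ac_destinations and dest["USER"]:
        findings.append("STORED_USER")   # Access Control destination carries a user ID
    return findings


def audit(text, ac_destinations=ACCESS_CONTROL_DESTINATIONS):
    """Audit every destination in the export; returns {name: [findings]}."""
    return {d["NAME"]: audit_destination(d, ac_destinations)
            for d in parse_destinations(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DESTINATIONS).items():
        print(f"{name:16} {'OK' if not findings else ', '.join(findings)}")
```

A destination that is not in the Access Control set may legitimately carry a stored user (ERP_PRD_RFC in the sample); the STORED_USER finding is raised only for the destinations that 4.2 says must be basic.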
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
  - Use the SAP GUI for configuring and administering Access Control
  - Access the NetWeaver Business Client
Communication Users
  - Use the Access Control workflow
  - RTAs: use RFC connections to connect to the BI systems
Service Users
  - Connect the front-end ABAP session to the back-end ABAP session
  - RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use UME for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides, under SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR: this role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSAVFAT_ADMINISTRATOR: the administrator for both delivered ID-based and role-based roles.
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR - Controller: maintains the controller table for firefighter roles; FFER - Firefighter: required to add or delete a firefighter from firefighter roles; LGDN - Log Download: download logs via Administration - Archive; LGDS - Log Delete: delete logs via Administration - Archive; LGUP - Log Upload: upload logs via Administration - Archive; OWNR - Owner: maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFFLOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
GRCFF_0001 | ACTVT | 02, 03, 81, L0 (NOTE: L0 in this case means View Log Control for Controllers)
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (Group) | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the firefighter IDs, a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any users with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, the firefighter should also have an ID in the CUA system with the above authorizations.
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSAZ_CC_REPORTING
VIRSAZ_CC_SECURITY_ADMIN
VIRSAZ_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | Table maintenance | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | User master maintenance: authorizations | AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | User master maintenance: user groups | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | User master maintenance: authorization profile | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | S_USER_SAS | ACT_GROUP, CLASS, PROFILE, SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | User master maintenance: system for central user maintenance | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | Central address management | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | Personnel planning | ISTAT | 1
PLOG | Personnel planning | OTYPE, PLVAR |
PLOG | Personnel planning | PPFCODE | DEL, DISP, INSE, LIST
PLOG | Personnel planning | SUBTYP |
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA, SUSO
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | Personnel planning | ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYPE |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA, SUSO
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
PLOG | Personnel planning | INFOTYPE | 1000, 1001
PLOG | Personnel planning | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | Personnel planning | PLVAR, PPFCODE, SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | Authorization check for RFC access | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | Authorization check for RFC access | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | ABAP Workbench | DEVCLASS | VIRSA
S_DEVELOP | ABAP Workbench | OBJNAME | VIRSA
S_DEVELOP | ABAP Workbench | OBJTYPE | FUGR
S_DEVELOP | ABAP Workbench | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
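As an added example that is not part of this guide, the following Python script checks a custom role against the required values from section 5.1.1 (the firefighter role, SP07 and later) and section 5.5.4 (the SPM RFC connector role): it reports required values that are missing, flags a wildcard on fields the guide wants restricted (S_USER_GRP CLASS, S_RFC RFC_NAME), and flags SU01 access for a firefighter role. The role export format (a list of object/field/values dictionaries), the two sample roles, and all function names are assumptions made for the example.

```python
"""Check an exported ABAP role against the object/field/value lists in
sections 5.1.1 (firefighter role) and 5.5.4 (SPM RFC connector role).

Added example, not part of the SAP guide. The export format (one dict per
authorization field with object, field and values) and all function names are
assumptions; the required values themselves come from the guide's tables.
"""
from collections import defaultdict

# Required values for VIRSAZ_VFAT_FIREFIGHTER, SP07 and later (section 5.1.1).
FIREFIGHTER_REQUIRED = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"SYST"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_TCODE", "TCD"): {"VIRSAVFAT"},
    ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},
}

# Required values for the SPM RFC connector role (section 5.5.4).
SPM_RFC_REQUIRED = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {"VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF",
                            "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
    ("S_DEVELOP", "ACTVT"): {"16"},
    ("S_DEVELOP", "OBJTYPE"): {"FUGR"},
}

# Fields the guide wants restricted rather than set to '*' (assumed grouping).
FIREFIGHTER_RESTRICTED = [("S_USER_GRP", "CLASS")]
CONNECTOR_RESTRICTED = [("S_RFC", "RFC_NAME")]


def index_role(auths):
    """Collect the values a role grants, keyed by (object, field)."""
    granted = defaultdict(set)
    for auth in auths:
        granted[(auth["object"], auth["field"])].update(auth["values"])
    return granted


def check_role(auths, required, restricted_fields=()):
    """Return findings as (kind, object, field, values) tuples; [] means the role passes.

    kind "missing":  a required value is neither listed nor covered by '*'
    kind "wildcard": '*' on a field the guide wants restricted, e.g. S_USER_GRP
                     CLASS should name the firefighter IDs' user group and the
                     connector role should list its function groups explicitly
    kind "su01":     S_TCODE grants SU01 (or '*'), which the guide recommends
                     against for users holding the firefighter authorizations
    """
    granted = index_role(auths)
    findings = []
    for (obj, field), needed in required.items():
        have = granted.get((obj, field), set())
        if "*" in have:
            continue  # '*' covers every value; flagged below if the field is restricted
        missing = sorted(needed - have)
        if missing:
            findings.append(("missing", obj, field, missing))
    for obj, field in restricted_fields:
        if "*" in granted.get((obj, field), set()):
            findings.append(("wildcard", obj, field, ["*"]))
    tcodes = granted.get(("S_TCODE", "TCD"), set())
    if "*" in tcodes or "SU01" in tcodes:
        findings.append(("su01", "S_TCODE", "TCD", sorted(tcodes)))
    return findings


# Constructed custom firefighter role with three typical defects:
# ACTVT 05 forgotten, CLASS left at '*', and SU01 added "for convenience".
CUSTOM_FIREFIGHTER = [
    {"object": "S_RFC", "field": "ACTVT", "values": ["16"]},
    {"object": "S_RFC", "field": "RFC_NAME", "values": ["SYST"]},
    {"object": "S_RFC", "field": "RFC_TYPE", "values": ["FUGR"]},
    {"object": "S_TCODE", "field": "TCD", "values": ["VIRSAVFAT", "SU01"]},
    {"object": "S_USER_GRP", "field": "ACTVT", "values": ["02", "03"]},
    {"object": "S_USER_GRP", "field": "CLASS", "values": ["*"]},
]

# Constructed custom SPM connector role that matches the section 5.5.4 table.
CUSTOM_SPM_CONNECTOR = [
    {"object": "S_RFC", "field": "ACTVT", "values": ["16"]},
    {"object": "S_RFC", "field": "RFC_TYPE", "values": ["FUGR"]},
    {"object": "S_RFC", "field": "RFC_NAME",
     "values": sorted(SPM_RFC_REQUIRED[("S_RFC", "RFC_NAME")])},
    {"object": "S_DEVELOP", "field": "ACTVT", "values": ["16"]},
    {"object": "S_DEVELOP", "field": "OBJTYPE", "values": ["FUGR"]},
    {"object": "S_DEVELOP", "field": "DEVCLASS", "values": ["VIRSA"]},
]

if __name__ == "__main__":
    for name, role, req, restricted in [
        ("custom firefighter", CUSTOM_FIREFIGHTER, FIREFIGHTER_REQUIRED, FIREFIGHTER_RESTRICTED),
        ("custom SPM connector", CUSTOM_SPM_CONNECTOR, SPM_RFC_REQUIRED, CONNECTOR_RESTRICTED),
    ]:
        findings = check_role(role, req, restricted)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for kind, obj, field, values in findings:
            print(f"  {kind:9} {obj} {field} {', '.join(values)}")
```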
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions; the other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver-delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApprove | Permission to approve request in the approver view | Configuration
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer Tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to the request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity | AEApprover
CreateMitigationControl | CreateMitigationControl
CreateSAPUser | ManageRejectionsCancelGenerationAction
ManageRejectionsCancelGenerationAction | ManageRejectionsGenerateAction
ManageRejectionsGenerateAction | SeeSU01Fields
ViewAccessEnforcer | ViewAccessEnforcer
ViewApprove | ViewApprove
ViewApproverDelegation | ViewApproverDelegation
ViewAssignRolesProfiles | ViewCopyRequest
ViewCopyRequest | ViewCreateRequest
ViewCreateRequest | ViewForwardRequest
ViewForwardRequest | ViewHold
ViewHold | ViewManageRejectionReasons
ViewManageRejectionReasons | ViewManageRejections
ViewManageRejections | ViewMitigation
ViewMitigation | ViewReaffirms
ViewReaffirms | ViewReject
ViewReject | ViewRejectUsers
ViewRejectUsers | ViewRemoveAccess
ViewRemoveAccess | ViewRequstAuditTrail
ViewRqustAuditTrail | ViewReRoute
ViewReRoute | ViewRiskAnalysis
ViewRiskAnalysis | ViewSaveRequest
ViewSaveRequest | ViewSearchRequestAll
ViewSearchRequestAll | ViewSelectPDProfiles
ViewSelectPDProfiles | ViewSelectRoles
ViewSelectRoles | ViewSubmitRequest
VioewSubmitRequest | ViewSuperAccess
ViewUserReviewStatusReportAction | ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on this Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgrounJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3752
Action Name Value Appears on this Tab
ViewObjectsByClass Permission to view and modify Objects by Class screen
(Not displayed on a tab)
ViewObjectsByTransaction Permission to view Objects by Transactions screen
(Not displayed on a tab)
ViewOpenSQLTest Permission to view OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view Approval Button in Role Maintenance
(Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view Role Expert Tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in Configuration Tab
Configuration
ViewRoleStatus Permission to view Role Status in Configuration Tab
Configuration
ViewRoleUsage Permission to view Role Usage Synchronization Screen
Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view TransactionImport in Configuration Tab
Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of the roles.

REBusinessUser:
ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser:
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator:
ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of the roles.

VIRSA_CC_SECURITY_ADMIN:
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT:
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER:
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
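When you customize one of the delivered RAR roles, the security-relevant question is whether the customized action list has drifted beyond the delivered subset, and whether it picked up one of the actions the tables above describe as unlocking a whole tab (ViewConfiguration, ViewAlertMonitor) or a bulk deletion. The following Python audit is an added example, not SAP code; the delivered action sets are transcribed from the VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER lists above, and the customized role it checks is constructed for the demonstration.

```python
"""Audit a customized RAR front-end role against its delivered baseline.

Added example (not part of the SAP guide). Compares a customized UME action
list with the delivered role it was derived from and flags the actions the
guide describes as all-or-nothing for a tab or as bulk deletions.
"""
from __future__ import annotations

# Delivered action sets, transcribed from the guide's RAR role lists.
# VIRSA_CC_ADMINISTRATOR is omitted: it holds every action.
DELIVERED_ROLES: dict[str, frozenset[str]] = {
    "VIRSA_CC_REPORT": frozenset({
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
    }),
    "VIRSA_CC_BUSINESS_OWNER": frozenset({
        "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
        "ChangeMitRole", "ChangeMitUser", "CreateBUnit", "CreateMitCntl",
        "CreateMitHRObject", "CreateMitProfile", "CreateMitRole", "CreateMitUser",
        "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
        "DeleteMitRole", "DeleteMitUser", "RunAuditReports", "RunRiskAnalysis",
        "RunSecurityReports", "ViewAlertMonitor", "ViewInformer",
        "ViewMgmtReport", "ViewMitigation", "ViewRuleArchitect",
    }),
}

# Actions whose description in the guide says they grant everything on a tab
# or a bulk destructive operation; a custom role that gains one needs review.
BROAD_ACTIONS: dict[str, str] = {
    "ViewConfiguration": "executes all actions on the Configuration tab",
    "ViewAlertMonitor": "views all conflicting/critical actions, control "
                        "monitoring and cleared alerts",
    "ManageDeletionAllRules": "deletes all rules",
    "ManageDeletionSystemRules": "deletes systems",
}

# Name prefixes of actions that modify RAR data rather than only read it.
MUTATING_PREFIXES = ("Change", "Create", "Delete", "Import", "Export",
                     "Generate", "Clear", "Manage", "MassFunc")


def audit_role(baseline: str, custom_actions: set[str]) -> dict[str, object]:
    """Compare a customized role against a delivered RAR role.

    Returns the actions added beyond the delivered set, the actions removed
    from it, the broad actions present with the guide's description, the
    mutating actions, and two verdicts: whether the custom role is still a
    subset of the baseline and whether it is read-only.
    """
    delivered = DELIVERED_ROLES[baseline]
    added = sorted(custom_actions - delivered)
    removed = sorted(delivered - custom_actions)
    broad = {a: BROAD_ACTIONS[a] for a in sorted(custom_actions) if a in BROAD_ACTIONS}
    mutating = sorted(a for a in custom_actions if a.startswith(MUTATING_PREFIXES))
    return {
        "baseline": baseline,
        "added": added,
        "removed": removed,
        "broad": broad,
        "mutating": mutating,
        "is_subset_of_baseline": not added,
        "read_only": not mutating,
    }


if __name__ == "__main__":
    # Constructed case: a reporting role that a project extended with two
    # extra actions. The audit shows it is no longer read-only and that one
    # of the additions unlocks the entire Configuration tab.
    custom = set(DELIVERED_ROLES["VIRSA_CC_REPORT"]) | {"ViewConfiguration", "DeleteAlert"}
    for key, value in audit_role("VIRSA_CC_REPORT", custom).items():
        print(f"{key}: {value}")
```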
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
- Relevant for all target groups
Current version:
- On SAP Help Portal at http://help.sap.com → Glossary
- In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
- Consultants
- System administrators
- Project teams for implementations or upgrades
Current version:
- On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
- Technology consultants
- Solution consultants
- Project teams for implementations
Current version:
- In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
- Solution consultants
- Project teams for implementations or upgrades
Current version:
- In the SAP menu of the SAP system under Tools → Customizing → IMG

Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
- System administrators
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
- Consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/releasenotes
- In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
- Communication Channel Security: This topic describes the communication channels and protocols used by Access Control.
- Communication Destinations: Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
- Integration with Single Sign-On Environments: Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
- Data Storage Security: This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
- Network and Communication Security [SAP Library]
- Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.

Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon Data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon Data
RFC | RFC | All application data | Logon Data
Application server to BI system | HTTP/HTTPS | All application data | Logon Data
BI system to application system | HTTP/HTTPS | All application data | Logon Data

NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
- Transport Layer Security in the SAP NetWeaver Security Guide
- Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.

Destination | Type | Authorizations | Comments
Access Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Access Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that users are authenticated before they access the data.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
45 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed
Access Control can optionally use the NetWeaver Business Client as the front-end which uses non-
persistent session cookies for data storage
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
- Dialog users
  - Use the SAP GUI for configuring and administering Access Control
  - Access the NetWeaver Business Client
- Communication users
  - Use the Access Control workflow
  - RTAs: use RFC connections to connect to the BI systems
- Service users
  - Connect the front-end ABAP session to the back-end ABAP session
  - RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations.
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles.
User Management Administration Console | Use the UME for Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on the SAP Service Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverage the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
- VIRSAZ_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting
- VIRSAVFAT_ROLE_ADMINISTRATOR: this role can perform administrator tasks for both ID-based and role-based firefighting
- VIRSAVFAT_ADMINISTRATOR: the administrator for both delivered ID-based and role-based roles
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
- SAP Note 1025421
- SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR - Controller (the user who maintains the controller table for firefighter roles); FFER - Firefighter (required to add or delete a firefighter from firefighter roles); LGDN - Log download (download logs via Administration - Archive); LGDS - Log delete (delete logs via Administration - Archive); LGUP - Log upload (upload logs via Administration - Archive); OWNR - Owner (the user who maintains the owner table for firefighter roles)
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
GRCFF_0001 | ACTVT | 02, 03, 81, L0
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
NOTE
L0 in this case means View Log Control for Controllers.
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields, and values for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [user group of the firefighter IDs]
NOTE
If the firefighter IDs (FFIDs) are not in a unique user group, we recommend that you assign them to one. If it is not possible to change or assign a user group for the firefighter IDs, a value of * can be assigned to CLASS.
We recommend that you do not grant access to transaction SU01 to any users with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
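The following check is an added example, not code from the SAP guide: it compares a custom firefighter role's authorization values (constructed sample data) with the objects, fields, and values listed above for VIRSAZ_VFAT_FIREFIGHTER, using SAP's value semantics (* matches everything, a trailing * is a prefix), and flags wildcard grants and SU01 access. FFID_GROUP is a placeholder for the user group that holds the firefighter IDs.

```python
"""Least-privilege check for a custom SPM firefighter back-end role.

Added example, not part of the SAP GRC Access Control security guide. The
required authorizations come from the VIRSAZ_VFAT_FIREFIGHTER tables (SP07
and later); the candidate roles below are constructed sample data.
"""

# Required (object, field) -> values for the firefighter role, as listed in
# the guide. A value of "*" in a spec means the object needs all values.
FIREFIGHTER_SPEC = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"SYST"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_TCODE", "TCD"): {"VIRSAVFAT"},
    ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},
    # FFID_GROUP is a placeholder for the user group holding the FFIDs.
    ("S_USER_GRP", "CLASS"): {"FFID_GROUP"},
}

# Values the guide recommends against granting together with this access.
FORBIDDEN = {("S_TCODE", "TCD"): {"SU01"}}


def value_matches(granted: str, needed: str) -> bool:
    """SAP authorization value semantics: '*' is everything, 'ABC*' a prefix."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed


def covers(granted_values, needed: str) -> bool:
    """True if any granted value of a field covers the needed value."""
    return any(value_matches(g, needed) for g in granted_values)


def check_role(role_auths, spec=FIREFIGHTER_SPEC, forbidden=FORBIDDEN):
    """Compare a role's authorizations with the spec.

    role_auths: {(object, field): set of granted values}.
    Returns a dict with three lists:
      missing   - (object, field, value) required but not covered
      overbroad - (object, field) granted '*' where the spec is a finite set
      forbidden - (object, field, value) granted although recommended against
    """
    missing, overbroad, hits = [], [], []
    for (obj, fld), needed_values in spec.items():
        granted = role_auths.get((obj, fld), set())
        for needed in sorted(needed_values):
            if needed == "*":
                if "*" not in granted:
                    missing.append((obj, fld, "*"))
            elif not covers(granted, needed):
                missing.append((obj, fld, needed))
        if "*" in granted and "*" not in needed_values:
            overbroad.append((obj, fld))
    for (obj, fld), bad_values in forbidden.items():
        for bad in sorted(bad_values):
            if covers(role_auths.get((obj, fld), set()), bad):
                hits.append((obj, fld, bad))
    return {"missing": missing, "overbroad": overbroad, "forbidden": hits}


# Constructed sample: a custom role built exactly as the tables require.
GOOD_ROLE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"SYST"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_TCODE", "TCD"): {"VIRSAVFAT"},
    ("S_USER_GRP", "ACTVT"): {"02", "03", "05"},
    ("S_USER_GRP", "CLASS"): {"FFID_GROUP"},
}

# Constructed sample: an incomplete role that was "fixed" with wildcards.
# S_TCODE '*' covers VIRSAVFAT but also SU01; CLASS '*' reaches every user.
BAD_ROLE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"SYS*"},
    ("S_TCODE", "TCD"): {"*"},
    ("S_USER_GRP", "ACTVT"): {"02", "03"},
    ("S_USER_GRP", "CLASS"): {"*"},
}


if __name__ == "__main__":
    for name, role in (("GOOD_ROLE", GOOD_ROLE), ("BAD_ROLE", BAD_ROLE)):
        print(name, check_role(role))
```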
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- VIRSAZ_CC_ADMINISTRATOR
- VIRSAZ_CC_BUSINESS_OWNER
- VIRSAZ_CC_REPORTING
- VIRSAZ_CC_SECURITY_ADMIN
- VIRSAZ_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- VIRSAZ_VRMT_ADMINISTRATOR
- VIRSAZ_VRMT_ROLE_OWNER
- VIRSAZ_VRMT_SECURITY
- VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
- VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
- VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
- VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
- VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP |
S_USER_SAS | | CLASS |
S_USER_SAS | | PROFILE |
S_USER_SAS | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP |
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT |
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
6 Delivered Front End Roles and Permissions
The Access Control front end uses the SAP NetWeaver Portal to connect to the server. You use the NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, you must import the roles again.
- If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
- AEADMIN
- AESecurity
- AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver-delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search change log | Configuration
ViewApprove | Permission to view Access Enforcer tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity:
- CreateMitigationControl
- CreateSAPUser
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewAssignRolesProfiles
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRequstAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewUserReviewStatusReportAction
AEApprover:
- CreateMitigationControl
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- SeeSU01Fields
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRequstAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewSuperAccess
- ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgrounJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
Action Name Value Appears on this Tab
ViewObjectsByClass Permission to view and modify Objects by Class screen
(Not displayed on a tab)
ViewObjectsByTransaction Permission to view Objects by Transactions screen
(Not displayed on a tab)
ViewOpenSQLTest Permission to view OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view Approval Button in Role Maintenance
(Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view Role Expert Tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in Configuration Tab
Configuration
ViewRoleStatus Permission to view Role Status in Configuration Tab
Configuration
ViewRoleUsage Permission to view Role Usage Synchronization Screen
Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view TransactionImport in Configuration Tab
Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists show the actions assigned to the roles REBusinessUser, RERoleDesigner, RESecurity, RESuperUser and REConfigurator.
REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists show the actions for the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
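The guide states that the delivered roles are subsets of VIRSA_CC_ADMINISTRATOR and that you control what a user can do by the actions you assign. When customers clone a delivered role and adjust it, the useful review question is which actions the custom role grants beyond its delivered baseline, which of those write rule or mitigation data, and whether any delivered role would have covered the need with fewer actions. The following script is an added example written for this guide, not SAP code; the delivered role contents are transcribed from the tables in section 6.2.3, while the two custom roles (Z_CC_AUDITOR, Z_CC_RISK_OWNER), the "high impact" classification and the segregation rule between rule authoring and mitigation maintenance are assumptions made for the demonstration.

```python
"""Least-privilege review of custom RAR front-end (UME) roles.

Added example for this guide, not SAP code. The delivered role contents below
are transcribed from the tables in section 6.2.3; the custom roles, the
high-impact classification and the segregation rule are assumptions made for
the demonstration.
"""
from __future__ import annotations

# Delivered roles (section 6.2.3). VIRSA_CC_ADMINISTRATOR holds every action
# and is omitted: any action set is trivially covered by it.
VIRSA_CC_REPORT = frozenset({
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
    "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
})

VIRSA_CC_BUSINESS_OWNER = VIRSA_CC_REPORT | {
    "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
    "ChangeMitRole", "ChangeMitUser",
    "CreateBUnit", "CreateMitCntl", "CreateMitHRObject", "CreateMitProfile",
    "CreateMitRole", "CreateMitUser",
    "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
    "DeleteMitRole", "DeleteMitUser",
    "ViewRuleArchitect",
}

VIRSA_CC_SECURITY_ADMIN = VIRSA_CC_REPORT | {
    "ChangeBP", "ChangeBUnit", "ChangeCrActions", "ChangeCrProfiles",
    "ChangeCrRoles", "ChangeFunction", "ChangeOrgRules", "ChangeRisks",
    "ChangeRuleSet",
    "CreateBP", "CreateCrActions", "CreateCrProfiles", "CreateCrRoles",
    "CreateFunction", "CreateOrgRules", "CreateRisks", "CreateRuleSet",
    "CreateSupplementRule",
    "DeleteAlert", "DeleteBP", "DeleteBUnit", "DeleteCrActions",
    "DeleteCrProfiles", "DeleteCrRoles", "DeleteFunction", "DeleteOrgRules",
    "DeleteRisks", "DeleteRuleSet", "DeleteSupplementRule",
    "ExportMitigationData", "ExportRules", "GenerateAlert",
    "ImportMitigationData", "ImportRules", "MassFuncMaint",
    "ViewBgJobLog", "ViewBGJobsForAllUsers", "ViewConfiguration",
    "ViewRuleArchitect",
}

DELIVERED_ROLES: dict[str, frozenset[str]] = {
    "VIRSA_CC_REPORT": VIRSA_CC_REPORT,
    "VIRSA_CC_BUSINESS_OWNER": VIRSA_CC_BUSINESS_OWNER,
    "VIRSA_CC_SECURITY_ADMIN": VIRSA_CC_SECURITY_ADMIN,
}

# Assumption: actions that write rule or mitigation data count as high impact,
# as does ViewConfiguration, which the action table says unlocks every action
# on the Configuration tab.
HIGH_IMPACT_PREFIXES = ("Change", "Create", "Delete", "Import", "Export",
                        "ManageDeletion", "MassFuncMaint", "GenerateAlert",
                        "ClearAlert")
HIGH_IMPACT_EXACT = frozenset({"ViewConfiguration"})

# Assumption: an example segregation rule. One front-end role should not both
# author risk rules (Rule Architect tab) and maintain mitigating controls
# (Mitigation tab); the delivered roles keep these apart.
RULE_AUTHORING = frozenset({"CreateRisks", "ChangeRisks", "CreateRuleSet",
                            "ChangeRuleSet", "CreateFunction", "ChangeFunction"})
MITIGATION_MAINT = frozenset({"CreateMitCntl", "ChangeMitCntl", "CreateMitUser",
                              "ChangeMitUser", "CreateMitRole", "ChangeMitRole"})


def is_high_impact(action: str) -> bool:
    return action in HIGH_IMPACT_EXACT or action.startswith(HIGH_IMPACT_PREFIXES)


def sod_conflict(actions: frozenset[str]) -> bool:
    return bool(actions & RULE_AUTHORING) and bool(actions & MITIGATION_MAINT)


def covering_roles(actions: frozenset[str]) -> list[str]:
    """Delivered roles that grant every requested action, smallest role first."""
    return sorted((name for name, granted in DELIVERED_ROLES.items() if actions <= granted),
                  key=lambda name: len(DELIVERED_ROLES[name]))


def audit_role(name: str, actions, baseline: str) -> dict:
    """Compare a custom role with the delivered role it was cloned from."""
    acts = frozenset(actions)
    base = DELIVERED_ROLES[baseline]
    return {
        "role": name,
        "baseline": baseline,
        "excess": sorted(acts - base),            # granted beyond the baseline
        "unused_baseline": sorted(base - acts),   # trimmed from the baseline
        "high_impact": sorted(a for a in acts if is_high_impact(a)),
        "sod_conflict": sod_conflict(acts),
        "covered_by": covering_roles(acts),
    }


# Constructed custom roles: a read-only auditor that was also given
# ViewConfiguration, and a "risk owner" that mixes rule authoring with
# mitigation maintenance.
CUSTOM_ROLES = {
    "Z_CC_AUDITOR": (VIRSA_CC_REPORT | {"ViewConfiguration"}, "VIRSA_CC_REPORT"),
    "Z_CC_RISK_OWNER": ({"ViewInformer", "RunRiskAnalysis", "ViewMitigation",
                         "CreateRisks", "ChangeRisks",
                         "CreateMitCntl", "ChangeMitCntl"},
                        "VIRSA_CC_BUSINESS_OWNER"),
}


def audit_all() -> dict[str, dict]:
    return {name: audit_role(name, acts, base) for name, (acts, base) in CUSTOM_ROLES.items()}


if __name__ == "__main__":
    for report in audit_all().values():
        print(f"{report['role']} (baseline {report['baseline']})")
        for key in ("excess", "high_impact", "covered_by", "sod_conflict"):
            print(f"  {key}: {report[key]}")
```

Run the file to see the two reports. For Z_CC_AUDITOR the only excess action is ViewConfiguration, which is also the only high-impact one, and the smallest delivered role that covers the set is VIRSA_CC_SECURITY_ADMIN, which tells the reviewer that the extra action turns a reporting role into an administrative one. For Z_CC_RISK_OWNER no delivered role covers the set, and the segregation rule fires, so the role should be split.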
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com -> Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools -> Customizing -> IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example -> Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options. Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49 180 534 34 34, F +49 180 534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
3 Technical System Landscape
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Master Guide on Service Marketplace at http://service.sap.com/instguides -> SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network supports the communication business needs and prevents unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security
This topic describes the communication channels and protocols used by Access Control.
Communication Destinations
Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments
Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security
This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, we highly recommend that you use the HTTPS protocol for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data
RFC | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application system | HTTP/HTTPS | All application data | Logon data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Access Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Access Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that access to this data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
45 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed
Access Control can optionally use the NetWeaver Business Client as the front-end which uses non-
persistent session cookies for data storage
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concept. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security policies. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types required for Access Control are:
- Dialog users
  - Use the SAP GUI for configuring and administering Access Control
  - Access the NetWeaver Business Client
- Communication users
  - Use the Access Control workflow
  - RTAs: use RFC connections to connect to the BI systems
- Service users
  - Connect the front-end ABAP session to the back-end ABAP session
  - RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses the user and role maintenance of SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.

User Administration Tool | Description
Transaction SU01 | ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | ABAP role maintenance: create and update roles and authorization profiles
User Management Administration Console (UME) | Java user and role maintenance

4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on SAP Service Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control-specific security functions, Access Control user administration and authorization leverage the user management and authorization features of the SAP NetWeaver® platform and of the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control → SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles:
- /VIRSA/Z_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting
- /VIRSA/VFAT_ROLE_ADMINISTRATOR: can perform administrator tasks for both ID-based and role-based firefighting
- /VIRSA/VFAT_ADMINISTRATOR: the administrator for both the delivered ID-based and role-based roles

Delivered ID-based Roles

Delivered Role | Key Tasks | Description
/VIRSA/Z_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
/VIRSA/Z_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
/VIRSA/Z_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for the additional authorizations required after installation of AC 5.3 SP07.

Delivered Role-based Roles

Delivered Role | Key Tasks | Description
/VIRSA/VFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
/VIRSA/VFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
/VIRSA/VFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
- SAP Note 1025421
- SAP Note 1101665
In the following tables, a value of * (asterisk) indicates that the object is authorized for all available values. The following table lists the available values for the authorization fields.

Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | /VIRSA/FAT | CNTR Controller (maintains the controller table for firefighter roles); FFER Firefighter (required to add or delete firefighters from firefighter roles); LGDN Log Download (download logs via Administration → Archive); LGDS Log Delete (delete logs via Administration → Archive); LGUP Log Upload (upload logs via Administration → Archive); OWNR Owner (maintains the owner table for firefighter roles)
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for /VIRSA/VFAT_ADMINISTRATOR.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
 | FILE_NAME | *
 | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT VARIANT
 | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | /VIRSA/FAT | *

/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for /VIRSA/VFAT_ROLE_ADMINISTRATOR.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT | *
 | FILE_NAME | *
 | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002 | /VIRSA/FAT | *
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, authorization fields, and values for /VIRSA/VFAT_ROLE_CONTROLLER. An object that appears more than once has more than one authorization instance in the role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
 | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
 | JOBGROUP | *
S_DATA_SET | ACTVT | *
 | FILE_NAME | *
 | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZVD ZVE
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
 | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
 | JOBGROUP | *
GRCFF_0001 | ACTVT | 02 03 81 L0
GRCFF_0002 | /VIRSA/FAT | LGDN LGDS LGUP
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | /VIRSA/FAT | CNTR FFER LGDN LGDS LGUP
NOTE
L0 in this case means View Log Control for Controllers.
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, authorization fields, and values for /VIRSA/VFAT_ROLE_OWNER.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | /VIRSA/FAT | CNTR FFER LGDN LGDS LGUP

/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for /VIRSA/VFAT_ADMINISTRATOR.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
 | FILE_NAME | None
 | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT SUBMIT VARIANT
 | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | /VIRSA/FAT | CNTR LGDN LGDS OWNR

/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields, and values for /VIRSA/Z_VFAT_FIREFIGHTER.

Object | Authorization Field | Values
S_RFC | ACTVT | 16
 | RFC_NAME | SYST
 | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT

For SP07 and later, you must add the following authorization:

Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02 03 05
 | CLASS | [user group of the firefighter IDs]
NOTE
If the firefighter IDs (FFIDs) are not in a dedicated user group, we recommend that you assign them to one. Only if it is not possible to change or assign a user group for the firefighter IDs should CLASS be given the value *.
We recommend that you do not grant access to transaction SU01 to any user who holds this authorization: with S_USER_GRP activities 02 (change) and 05 (lock/unlock), SU01 would let the user maintain the master records of every user in the authorized group.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it must also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, the firefighter must also have an ID in the CUA system with the above authorizations.

/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, authorization fields, and values for /VIRSA/Z_VFAT_ID_OWNER.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT /VIRSA/ZVFAT_U02 /VIRSA/ZVFAT_U03 /VIRSA/ZVFAT_U04 /VIRSA/ZVFAT_U06 /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
 | JOBGROUP | *
S_TABU_DIS | ACTVT | 02 03
 | DICBERCLS | ZV&X ZV&Y
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
 | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02 03 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- /VIRSA/Z_CC_ADMINISTRATOR
- /VIRSA/Z_CC_BUSINESS_OWNER
- /VIRSA/Z_CC_REPORTING
- /VIRSA/Z_CC_SECURITY_ADMIN
- /VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back-end roles:
- /VIRSA/Z_VRMT_ADMINISTRATOR
- /VIRSA/Z_VRMT_ROLE_OWNER
- /VIRSA/Z_VRMT_SECURITY
- /VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:
- /VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
- /VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
- /VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
- /VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Values for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | /VIRSA/AEAHHR /VIRSA/AEAHNH /VIRSA/AECO /VIRSA/AECUHR /VIRSA/AECUNH /VIRSA/AEFF /VIRSA/AEHTHR /VIRSA/AEPRHR /VIRSA/AEPRNH /VIRSA/AEPVHR /VIRSA/AEPVHR1 /VIRSA/AEPVNH /VIRSA/AEPVNH1 /VIRSA/AERE /VIRSA/ALRT /VIRSA/ERM /VIRSA/MGMT /VIRSA/PFCG /VIRSA/VRAT /VIRSA/ZAE01 /VIRSA/ZAE01NH /VIRSA/ZAE02 /VIRSA/ZAECC /VIRSA/ZAECCNH /VIRSA/ZCC01 /VIRSA/ZCC02 /VIRSA/ZCC03 /VIRSA/ZCC04 /VIRSA/ZCC05 /VIRSA/ZCCHR /VIRSA/ZMIC /VIRSA/ZMICTAB /VIRSA/ZRBHR /VIRSA/ZVIR /VIRSA/ZVIRHR /VIRSA/ZVIRMIT /VIRSA/ZVR1 /VIRSA/ZVR2 /VIRSA/ZVR3 /VIRSA/ZVR4 /VIRSA/ZVR5 /VIRSA/ZVR6 /VIRSA/ZWEB /VIRSA/ZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
 | | DICBERCLS | &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
 | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03 08
 | | AUTH | *
 | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01 02 03 05 06 08 24 78
 | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03 08
 | | PROFILE | *
S_USER_SAS | User master maintenance: system-specific assignments | ACTVT | 01 06 22
 | | ACT_GROUP | *
 | | CLASS | *
 | | PROFILE | *
 | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
 | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01 02 03 06
 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | /VIRSA/ATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
 | | ISTAT | 1
 | | OTYPE | *
 | | PLVAR | *
 | | PPFCODE | DEL DISP INSE LIST
 | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | /VIRSA/RE /VIRSA/REORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT | *
 | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
 | | AUTH | *
 | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
 | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
 | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
 | | AUTH_VALUE | *
 | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
 | | DEVCLASS | /VIRSA/* SUSO
 | | OBJNAME | /VIRSA/*
 | | OBJTYPE | FUGR
 | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000 1001
 | | ISTAT | *
 | | OTYPE | *
 | | PLVAR | *
 | | PPFCODE | *
 | | SUBTYP | *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | /VIRSA/ALRT /VIRSA/ERM /VIRSA/MGMT /VIRSA/PFCG /VIRSA/VRAT /VIRSA/ZCC01 /VIRSA/ZCC02 /VIRSA/ZCC03 /VIRSA/ZCC04 /VIRSA/ZCC05 /VIRSA/ZCCHR /VIRSA/ZMIC /VIRSA/ZMICTAB /VIRSA/ZRBHR /VIRSA/ZVIR /VIRSA/ZVIRHR /VIRSA/ZVIRMIT /VIRSA/ZVR1 /VIRSA/ZVR2 /VIRSA/ZVR3 /VIRSA/ZVR4 /VIRSA/ZVR5 /VIRSA/ZVR6 /VIRSA/ZWEB /VIRSA/ZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
 | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
 | | AUTH | *
 | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
 | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
 | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
 | | AUTH_VALUE | *
 | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
 | | DEVCLASS | /VIRSA/* SUSO
 | | OBJNAME | /VIRSA/*
 | | OBJTYPE | FUGR
 | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000 1001
 | | ISTAT | *
 | | OTYPE | A C O P S T TS US WF WS
 | | PLVAR | *
 | | PPFCODE | *
 | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | /VIRSA/FF_UTIL_RPT /VIRSA/ZVFAT BAPT RFC1 SDIF SDTX SDIFRUNTIME SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
 | | DEVCLASS | /VIRSA/*
 | | OBJNAME | /VIRSA/*
 | | OBJTYPE | FUGR
 | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | /VIRSA/FAT | *
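The minimum authorization tables in this chapter (the firefighter role in 5.1.1 with its SP07 S_USER_GRP addition and the advice against SU01, and the SPM connector role above) are exactly the kind of matrix a security engineer checks a custom role against before transporting it. The following Python script is an added example by the editor, not SAP code and not part of this guide. It models a role's authorization data the way table AGR_1251 exposes it (OBJECT, FIELD, LOW, HIGH), applies the value-matching rules SAP uses for authorization fields (single value, trailing-asterisk pattern, LOW-HIGH interval, and '*' for all values), and reports required values the role lacks, forbidden values it grants, and fields it grants as '*'. The required matrices transcribe the tables on this page; the role rows are constructed sample data with deliberate defects, not an export from a real system.

```python
"""Added example (not SAP code): check a back-end role's authorizations.

Authorization data is modelled as table AGR_1251 exposes it (OBJECT, FIELD,
LOW, HIGH). Matching follows the SAP rules: '*' grants everything, a trailing
'*' is a prefix pattern, LOW/HIGH is an inclusive range, otherwise exact.
All role rows below are constructed sample data, not a real export.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (authorization object, authorization field)


@dataclass(frozen=True)
class AuthRow:
    obj: str
    field: str
    low: str
    high: str = ""  # set only for a LOW-HIGH range


def value_granted(row: AuthRow, value: str) -> bool:
    """Does this single granted row cover `value`?"""
    if row.high:
        return row.low <= value <= row.high
    if row.low == "*":
        return True
    if row.low.endswith("*"):
        return value.startswith(row.low[:-1])
    return row.low == value


def covered(rows: Iterable[AuthRow], key: Key, value: str) -> bool:
    """Is `value` for (object, field) granted by any row of the role?
    A required '*' is only satisfied by an explicit '*' row."""
    for r in rows:
        if (r.obj, r.field) != key:
            continue
        if value == "*":
            if r.low == "*" and not r.high:
                return True
        elif value_granted(r, value):
            return True
    return False


def check_role(rows: List[AuthRow], required: Dict[Key, List[str]],
               forbidden: Optional[Dict[Key, List[str]]] = None,
               no_full_auth: Iterable[Key] = ()) -> Dict[str, list]:
    """Report values missing from `required`, granted from `forbidden`,
    and fields in `no_full_auth` that the role grants as '*'."""
    report: Dict[str, list] = {"missing": [], "forbidden": [], "full_auth": []}
    for key, values in required.items():
        report["missing"] += [key + (v,) for v in values if not covered(rows, key, v)]
    for key, values in (forbidden or {}).items():
        report["forbidden"] += [key + (v,) for v in values if covered(rows, key, v)]
    for key in no_full_auth:
        if any((r.obj, r.field) == key and r.low == "*" and not r.high for r in rows):
            report["full_auth"].append(key)
    return report


# Minimum for /VIRSA/Z_VFAT_FIREFIGHTER (section 5.1.1, incl. the SP07 addition)
FIREFIGHTER_REQUIRED: Dict[Key, List[str]] = {
    ("S_RFC", "ACTVT"): ["16"],
    ("S_RFC", "RFC_NAME"): ["SYST"],
    ("S_RFC", "RFC_TYPE"): ["FUGR"],
    ("S_TCODE", "TCD"): ["/VIRSA/VFAT"],
    ("S_USER_GRP", "ACTVT"): ["02", "03", "05"],
}
FIREFIGHTER_FORBIDDEN = {("S_TCODE", "TCD"): ["SU01"]}  # guide: no SU01

# Constructed custom firefighter role with two deliberate defects
SAMPLE_FIREFIGHTER_ROLE = [
    AuthRow("S_RFC", "ACTVT", "16"),
    AuthRow("S_RFC", "RFC_NAME", "SYST"),
    AuthRow("S_RFC", "RFC_TYPE", "FUGR"),
    AuthRow("S_TCODE", "TCD", "/VIRSA/*"),      # prefix pattern covers /VIRSA/VFAT
    AuthRow("S_TCODE", "TCD", "SU01"),           # defect: user maintenance granted
    AuthRow("S_USER_GRP", "ACTVT", "02", "05"),  # range 02-05 covers 02, 03, 05
    AuthRow("S_USER_GRP", "CLASS", "*"),         # defect: FFIDs not group-scoped
]

# Minimum for the SPM RFC connector role (section 5.5.4)
SPM_RFC_REQUIRED: Dict[Key, List[str]] = {
    ("S_RFC", "ACTVT"): ["16"],
    ("S_RFC", "RFC_NAME"): ["/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1",
                            "SDIF", "SDTX", "SDIFRUNTIME", "SUSR", "SUUS",
                            "SU_USER", "SYST", "SYSU"],
    ("S_RFC", "RFC_TYPE"): ["FUGR"],
    ("GRCFF_0001", "ACTVT"): ["*"],
    ("GRCFF_0002", "/VIRSA/FAT"): ["*"],
}

# Constructed connector role whose author forgot function group SDTX
SAMPLE_SPM_RFC_ROLE = [AuthRow("S_RFC", "ACTVT", "16"),
                       AuthRow("S_RFC", "RFC_NAME", "/VIRSA/*"),
                       AuthRow("S_RFC", "RFC_TYPE", "FUGR"),
                       AuthRow("GRCFF_0001", "ACTVT", "*"),
                       AuthRow("GRCFF_0002", "/VIRSA/FAT", "*")] + [
    AuthRow("S_RFC", "RFC_NAME", g) for g in
    ("BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU")]


def audit_sample_firefighter() -> Dict[str, list]:
    return check_role(SAMPLE_FIREFIGHTER_ROLE, FIREFIGHTER_REQUIRED,
                      FIREFIGHTER_FORBIDDEN, no_full_auth=[("S_USER_GRP", "CLASS")])


def audit_sample_spm_rfc() -> Dict[str, list]:
    return check_role(SAMPLE_SPM_RFC_ROLE, SPM_RFC_REQUIRED)


if __name__ == "__main__":
    for name, fn in (("firefighter", audit_sample_firefighter),
                     ("SPM RFC connector", audit_sample_spm_rfc)):
        print(name, fn())
```

Run against the constructed data, the firefighter check reports SU01 under "forbidden" and S_USER_GRP CLASS under "full_auth" while finding nothing missing (the /VIRSA/* pattern and the 02-05 interval satisfy the required single values), and the connector check reports SDTX as missing. To use it on a real role, export the role's AGR_1251 rows (for example with transaction SE16 or an RFC read) into AuthRow objects; a required '*' is deliberately only satisfied by an explicit '*' row, because a pattern or interval can never prove full coverage of a field.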
6 Delivered Front End Roles and Permissions
The Access Control front end uses the SAP NetWeaver Portal to connect to the server. You use the NetWeaver User Management Engine (UME) to set up the front-end roles and to configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, import the roles again.
- If you are using custom roles, manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations; all other roles contain a subset of them. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
- AEAdmin
- AESecurity
- AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these permissions.
AEAdmin
The following table lists the actions for the AEAdmin role.

Action Name | Description | Appears on This Tab
aewebqueryexecution | Internally used permission; not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete an approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is also assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generated requests for Manage Rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify End User Personalization configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level configuration | Configuration
ModifySupportConfiguration | Permission to modify Support configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request chart view | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning chart view | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation chart view | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level chart view | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrails, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction

AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrails, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the READMIN role.

Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate risks | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform risk analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists show the actions assigned to each of these delivered roles.

REBusinessUser
ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator
ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete the rules of a system | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute every action within it. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists show the actions assigned to each of these roles.

VIRSA_CC_SECURITY_ADMIN
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
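As an added example (this is not code from SAP or from this guide), the following Python script turns the delivered role-to-action lists above, both the ERM roles (REBusinessUser and its siblings) and the RAR roles just listed, into data and answers the questions a reviewer of a customized UME role set actually asks: which actions a user holds in total across all assigned roles, whether that combination crosses a segregation-of-duties line, and what a customized role grants beyond the delivered role it was copied from. The role contents are copied (in part) from the tables on this page; the user assignments, the SoD rule, and the high-privilege action list are assumptions made for the example and should be replaced by your own policy.

```python
"""Compute a user's effective GRC Access Control 5.3 front-end (UME) actions
and check them against a segregation-of-duties rule and a delivered baseline.

Added example; it is not part of SAP GRC Access Control. The role-to-action
sets are copied (as subsets) from the delivered-role tables in this guide;
the user assignments, the SoD rule and HIGH_PRIVILEGE are constructed.
"""

# Delivered RAR roles. VIRSA_CC_ADMINISTRATOR holds every action and is omitted.
RAR_ROLES = {
    "VIRSA_CC_REPORT": {
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
    },
    "VIRSA_CC_BUSINESS_OWNER": {
        "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
        "ChangeMitRole", "ChangeMitUser", "CreateBUnit", "CreateMitCntl",
        "CreateMitHRObject", "CreateMitProfile", "CreateMitRole", "CreateMitUser",
        "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
        "DeleteMitRole", "DeleteMitUser", "RunAuditReports", "RunRiskAnalysis",
        "RunSecurityReports", "ViewAlertMonitor", "ViewInformer",
        "ViewMgmtReport", "ViewMitigation", "ViewRuleArchitect",
    },
    "VIRSA_CC_SECURITY_ADMIN": {
        "ChangeBP", "ChangeBUnit", "ChangeCrActions", "ChangeCrProfiles",
        "ChangeCrRoles", "ChangeFunction", "ChangeOrgRules", "ChangeRisks",
        "ChangeRuleSet", "CreateBP", "CreateCrActions", "CreateCrProfiles",
        "CreateCrRoles", "CreateFunction", "CreateOrgRules", "CreateRisks",
        "CreateRuleSet", "CreateSupplementRule", "DeleteAlert", "DeleteBP",
        "DeleteBUnit", "DeleteCrActions", "DeleteCrProfiles", "DeleteCrRoles",
        "DeleteFunction", "DeleteOrgRules", "DeleteRisks", "DeleteRuleSet",
        "DeleteSupplementRule", "ExportMitigationData", "ExportRules",
        "GenerateAlert", "ImportMitigationData", "ImportRules", "MassFuncMaint",
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewBgJobLog", "ViewBGJobsForAllUsers",
        "ViewConfiguration", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
        "ViewRuleArchitect",
    },
}

# Delivered ERM roles (business-user subset only; extend from the ERM lists).
ERM_ROLES = {
    "REBusinessUser": {
        "ViewChangeHistory", "ViewCompareRoles", "ViewInformer", "ViewRoleExpert",
        "ViewRoleLibrary", "ViewSearchRoles", "ViewTransactionUsage",
    },
}

ROLE_DEFS = {**RAR_ROLES, **ERM_ROLES}

# Constructed SoD rule (an assumption, not from the guide): whoever authors
# risks, functions and rule sets must not also create or change the mitigating
# controls that neutralise findings against those risks.
SOD_RULES = [
    ("rule-author-vs-mitigator",
     {"CreateRisks", "ChangeRisks", "CreateRuleSet", "ChangeRuleSet",
      "CreateFunction", "ChangeFunction"},
     {"CreateMitCntl", "ChangeMitCntl", "CreateMitUser", "ChangeMitUser"}),
]

# Actions the guide describes as granting a whole tab or a destructive scope
# (ViewConfiguration executes every Configuration action; the Manage* actions
# delete rules wholesale). Constructed list; a customised role that gains one
# of these deserves a second look.
HIGH_PRIVILEGE = {"ViewConfiguration", "ManageDeletionAllRules",
                  "ManageDeletionSystemRules", "ImportRules", "ImportMitigationData"}


def effective_actions(roles, role_defs=ROLE_DEFS):
    """Union of the actions granted by every UME role the user holds."""
    actions = set()
    for role in roles:
        if role not in role_defs:
            # A typo or an undocumented custom role: fail loudly rather than
            # silently under-reporting what the user can do.
            raise KeyError(f"unknown role {role!r}")
        actions |= role_defs[role]
    return actions


def sod_violations(actions, rules=SOD_RULES):
    """Return (rule name, left-side hits, right-side hits) for each rule where
    the user holds at least one action on both sides."""
    found = []
    for name, left, right in rules:
        left_hits, right_hits = actions & left, actions & right
        if left_hits and right_hits:
            found.append((name, frozenset(left_hits), frozenset(right_hits)))
    return found


def excess_over_baseline(custom_actions, baseline_role, role_defs=ROLE_DEFS):
    """Actions a customised role grants beyond the delivered role it started
    from, split into (high-privilege extras, other extras)."""
    extra = set(custom_actions) - role_defs[baseline_role]
    return extra & HIGH_PRIVILEGE, extra - HIGH_PRIVILEGE


if __name__ == "__main__":
    # Constructed user-to-role assignments.
    users = {"jdoe": ["VIRSA_CC_SECURITY_ADMIN", "VIRSA_CC_BUSINESS_OWNER"],
             "auditor": ["VIRSA_CC_REPORT", "REBusinessUser"]}
    for user, roles in users.items():
        acts = effective_actions(roles)
        print(user, len(acts), "actions:", sod_violations(acts) or "no SoD hit")
    # A copy of the report role that someone extended with ViewConfiguration.
    custom = RAR_ROLES["VIRSA_CC_REPORT"] | {"ViewConfiguration", "ViewBgJobLog"}
    print("extras over VIRSA_CC_REPORT:", excess_over_baseline(custom, "VIRSA_CC_REPORT"))
```

Feed it the role-to-action mapping exported from the UME and the user-to-role assignments, and run it after every change to a customized role; the combination that most often slips through is a single user who holds both the security-administrator and the business-owner role, which is exactly what the constructed rule catches.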
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides
4 Network and Communication Security
A well-defined network topology can eliminate many security threats Your network supports the
communication business needs and prevents unauthorized access This section describes the network
and communication security for Access Control
The network topology for Access Control is based on the SAP NetWeaver topology Therefore the
security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply
to Access Control Details that specifically apply to Access Control are described in the following topics
Communication Channel Security
This topic describes the communication channels and protocols used by Access Control
Communication Destinations
Access Control communicates with other SAP and non-SAP capabilities This topic lists the
required connection types and authorizations
Integration with Single Sign-on Environments
Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web
Application Server ABAP This topic describes Access Control support for integration with SAP
SSO environments
Data Storage Security
This topic describes how Access Control handles data storage
For more information see the following sections in the SAP NetWeaver Security Guide
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; we therefore strongly recommend that you use the HTTPS protocol for all HTTP-based communication so that application data and logon data are not transmitted in clear text.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.

Communication Path | Protocol | Type of Data | Special Protection Data
Back end using SAP GUI | DIAG | All application data | Logon data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data
RFC | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application system | HTTP/HTTPS | All application data | Logon data

NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled function modules. For example, each time a user logs on with a Firefighter ID and creates a new session, the new session is opened through the RFC destination. That RFC destination must be a plain destination with no logon data or user ID attached to it, because the session is authenticated with the Firefighter ID itself. You can use an existing SAP RFC destination to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use an SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
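The two requirements this chapter states for RFC connectivity (the Firefighter session destination carries no user ID or logon data, and RFC traffic is protected by SNC) are easy to check mechanically against an export of the SM59 destinations. The following script is an added example, not part of SAP GRC Access Control: the record layout (one dict per destination) and the sample destinations are constructed for illustration, so map the fields onto whatever export format you actually produce.

```python
"""Audit RFC destinations against the requirements this chapter places on
Access Control: the destination used to open Firefighter sessions carries no
user ID or stored logon data, and RFC traffic to ABAP systems is protected
by SNC.

Added example; it is not part of SAP GRC Access Control. The record layout
(one dict per SM59 destination) and the sample destinations are constructed
for illustration. Produce the real records from your own export of SM59.
"""

# Constructed sample export. "type" follows SM59 connection types: "3" is an
# ABAP connection, "T" a TCP/IP connection (registered program such as the IGS).
SAMPLE_DESTINATIONS = [
    {"name": "GRC_FF_SESSION", "type": "3", "target": "erpprd01",
     "user": "", "password_stored": False, "snc_active": True, "used_by": ["SPM"]},
    {"name": "GRC_FF_LEGACY", "type": "3", "target": "erpprd01",
     "user": "FFADMIN", "password_stored": True, "snc_active": True, "used_by": ["SPM"]},
    {"name": "GRC_RAR_ERP", "type": "3", "target": "erpprd01",
     "user": "GRC_RFC", "password_stored": True, "snc_active": False, "used_by": ["RAR"]},
    {"name": "GRC_IGS", "type": "T", "target": "igs01",
     "user": "", "password_stored": False, "snc_active": False, "used_by": ["IGS"]},
]


def audit_destination(dest):
    """Return the list of findings for one destination (empty means clean)."""
    findings = []
    # Section 4.2: the Firefighter session destination must be a plain
    # destination with no user ID or logon data; the firefighter authenticates
    # with the Firefighter ID, so stored credentials would bypass that.
    if "SPM" in dest["used_by"] and (dest["user"] or dest["password_stored"]):
        findings.append("SPM destination carries a user ID or stored logon data")
    # Section 4.1 note: SNC is what protects RFC connections, so an ABAP-type
    # destination without SNC sends logon data and application data unprotected.
    if dest["type"] == "3" and not dest["snc_active"]:
        findings.append("ABAP destination without SNC")
    # The IGS destination is TCP/IP and the guide requires no special
    # configuration for it, so the SNC check does not apply to type "T".
    return findings


def audit_destinations(dests):
    """Map destination name -> findings, omitting clean destinations."""
    report = {}
    for dest in dests:
        findings = audit_destination(dest)
        if findings:
            report[dest["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_destinations(SAMPLE_DESTINATIONS).items():
        print(f"{name}: {'; '.join(findings)}")
```

On the constructed sample the script flags GRC_FF_LEGACY (a stored service user on the Firefighter destination) and GRC_RAR_ERP (an ABAP destination without SNC) and stays silent on the other two; re-run it whenever a destination is changed in SM59, since a stored user added "temporarily" to the Firefighter destination is the typical regression.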
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.

Destination | Type | Authorizations | Comments
Access Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Access Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication verifies the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket that gives access to all the applications, information, and services in Access Control using Single Sign-On. Since Access Control capabilities may expose sensitive data, access to them must be authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other logon purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control SSO uses UME SAP logon tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component; if the user does not have them, the component is grayed out on the Launch Pad. The ticket is session-based: it is only valid from the session that created it. If the user launches a second session, the logon ticket no longer applies and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, the following information message is displayed: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password; the Launch Pad provides a prompt for the password change.
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed
Access Control can optionally use the NetWeaver Business Client as the front-end which uses non-
persistent session cookies for data storage
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver such as user
types tools and the password concepts Therefore the security recommendations and guides for user
administrations and authentication described in the SAP NetWeaver Application Server ABAP Security
Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver
Application Server for ABAP and for Java For an overview of how these mechanisms apply to Access
Control see the sections below In addition we provide a list of the standard users required for operating
Access Control
4.6.2 User Types
Different types of users often require different security settings. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog users
- Use the SAP GUI for configuring and administering Access Control
- Access the NetWeaver Business Client
Communication users
- Use the Access Control workflow
- RTAs: use RFC connections to connect to the BI systems
Service users
- Connect the front-end ABAP session to the back-end ABAP session
- RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control User's Guide.
The following table shows the user administration tools available to manage users.

User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use the UME console for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on SAP Service Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR: This is the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR: This role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSASVFAT_ADMINISTRATOR: This is the administrator for both delivered ID-based and role-based roles.
Delivered ID-based Roles
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back end security:
- SAP Note 1025421
- SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields:
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR Controller: the user who maintains the controller table for firefighter roles; FFER Firefighter: required to add or delete a firefighter from firefighter roles; LGDN Log Download: download logs via Administration > Archive; LGDS Log Delete: delete logs via Administration > Archive; LGUP Log Upload: upload logs via Administration > Archive; OWNR Owner: the user who maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSAVFAT VIRSAZFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSAFAT VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSAVFAT VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFFLOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
GRCFF_0001 | ACTVT | 02 03 81 L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN LGDS LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | VIRSAFAT | CNTR FFER LGDN LGDS LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | VIRSAFAT | CNTR FFER LGDN LGDS LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSTVFAT VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT SUBMIT VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR LGDN LGDS OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER:
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02 03 05
S_USER_GRP | Group (CLASS) | [FFIDs' User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should also have an ID in the CUA system with the above.
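To make the minimum values above checkable instead of read off a table, the following added example (not SAP's code, and not part of this guide) parses a constructed role export and compares it with the SP07 VFAT_FIREFIGHTER values listed in this section; the line-oriented "OBJECT FIELD VALUE" export format and the user group name FFID are assumptions, and object, field and transaction names are taken as printed in this extraction.

```python
"""Added example (not SAP's code): check a custom SPM firefighter role's
authorization values against the minimum the guide lists for
VIRSAZ_VFAT_FIREFIGHTER on SP07 and later, and flag the two things the
NOTE warns about (a '*' in S_USER_GRP CLASS and access to SU01).
The line-oriented 'OBJECT FIELD VALUE' export format is an assumption."""

from collections import defaultdict

# Minimum values from the guide's VFAT_FIREFIGHTER tables (names as printed
# in this extraction). '*' in a role means "all values" for that field.
REQUIRED = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"VIRSAVFAT"}},
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}},
}


def parse_export(text):
    """Parse 'OBJECT FIELD VALUE' lines into {object: {field: {values}}}.
    Blank lines and '#' comments are skipped."""
    auths = defaultdict(lambda: defaultdict(set))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        obj, fld, val = line.split(None, 2)
        auths[obj][fld].add(val)
    return auths


def check_firefighter_role(auths, ffid_group):
    """Return a list of findings; an empty list means the role carries the
    guide's minimum without over-granting on the checked fields."""
    findings = []
    for obj, fields in REQUIRED.items():
        for fld, needed in fields.items():
            have = auths.get(obj, {}).get(fld, set())
            if "*" in have:
                findings.append(f"{obj}/{fld}: '*' grants all values; "
                                f"the guide lists only {sorted(needed)}")
            elif not needed <= have:
                findings.append(f"{obj}/{fld}: missing {sorted(needed - have)}")
    # CLASS should be the firefighter IDs' own user group; the NOTE allows
    # '*' only when the FFIDs cannot be put in a group of their own.
    cls = auths.get("S_USER_GRP", {}).get("CLASS", set())
    if "*" in cls:
        findings.append("S_USER_GRP/CLASS: '*' allows maintenance of every "
                        "user group, not only the firefighter IDs")
    elif ffid_group not in cls:
        findings.append(f"S_USER_GRP/CLASS: missing FFID user group {ffid_group!r}")
    # The NOTE recommends not granting SU01 to anyone holding this access.
    if "SU01" in auths.get("S_TCODE", {}).get("TCD", set()):
        findings.append("S_TCODE/TCD: SU01 granted alongside firefighter access")
    return findings


# Constructed sample exports (not real role dumps).
GOOD_EXPORT = """
# custom firefighter role, FFIDs kept in user group FFID
S_RFC ACTVT 16
S_RFC RFC_NAME SYST
S_RFC RFC_TYPE FUGR
S_TCODE TCD VIRSAVFAT
S_USER_GRP ACTVT 02
S_USER_GRP ACTVT 03
S_USER_GRP ACTVT 05
S_USER_GRP CLASS FFID
"""

LAX_EXPORT = """
# same role built with wildcards and SU01 added for convenience
S_RFC ACTVT 16
S_RFC RFC_NAME *
S_RFC RFC_TYPE FUGR
S_TCODE TCD VIRSAVFAT
S_TCODE TCD SU01
S_USER_GRP ACTVT *
S_USER_GRP CLASS *
"""

if __name__ == "__main__":
    for name, export in (("good", GOOD_EXPORT), ("lax", LAX_EXPORT)):
        print(name, check_firefighter_role(parse_export(export), "FFID") or "OK")
```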
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER:
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT VIRSAZVFAT_U02 VIRSAZVFAT_U03 VIRSAZFAT_U04 VIRSAZVFAT_U06 VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&X ZV&Y
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02 03 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
- VIRSAZ_CC_ADMINISTRATOR
- VIRSAZ_CC_BUSINESS_OWNER
- VIRSASZ_CC_REPORTING
- VIRSSAZ_CC_SECRITY_ADMIN
- VIRSA_Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
- VIRSAZ_VRMT_ADMINISTRATOR
- VIRSAZ_VRMT_ROLE_OWNER
- VIRSAZ_VRMT_SECURITY
- VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
- VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
- VIRSACC_DEFAULT_ROLE (for Risk Analysis and Mediation)
- VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
- VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliance User Provisioning RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR VIRSAAEAHNH VIRSAAECO VIRSAAECUHR VIRSAAECUNH VIRSAAEFF VIRSAAEHTHR VIRSAAEPRHR VIRSAAEPRNH VIRSAAEPVHR VIRSAAEPVHR1 VIRSAAEPVNH VIRSAAEPVNH1 VIRSAAERE VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZAE01 VIRSAZAE01NH VIRSAZAE02 VIRSAZAECC VIRSAZAECCNH VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03 08
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01 02 03 05 06 08 24 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03 08
S_USER_PRO | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01 06 22
S_USER_SAS | | ACT_GROUP |
S_USER_SAS | | CLASS |
S_USER_SAS | | PROFILE |
S_USER_SAS | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01 02 03 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE | DEL DISP INSE LIST
PLOG | | SUBTYP |
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE VIRSAREORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000 1001
PLOG | | ISTAT |
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYPE |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYPE | 1000 1001
PLOG | | ISTAT | A C O P S T TS US WF WS
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT VIRSAZVFAT BAPT RFC1 SDIF SDTX SDIRUNTIME SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, you must import the roles again.
- If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
- AEADMIN
- AESecurity
- AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role:
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search change log | Configuration
ViewApprove | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer Tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are actions for the AESecurity and AEApprover delivered roles:
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRqustAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role:
Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for these roles:
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSeachRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
Clear Alert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists give the actions assigned to each of these roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
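The tables above state that VIRSA_CC_ADMINISTRATOR includes all actions and that the other RAR roles carry subsets of them. As an added example (not from this guide or from SAP), the following Python script transcribes the four RAR role action sets from this section, checks that subset statement, and reviews a custom role cloned from a delivered baseline, flagging the actions that exceed the baseline and match a high-impact pattern list. Only the action names come from the page; the custom role Z_CC_AUDITOR, the pattern list and the function names are this example's assumptions.

```python
"""Check RAR front-end roles against the delivered baseline (added example, not SAP code).

The action sets are transcribed from the delivered-role tables in section 6.2.3;
the custom role Z_CC_AUDITOR and HIGH_IMPACT are constructed for this illustration.
"""
import fnmatch

# "Clear Alert" from the table is written without the space so it matches the
# other action names.
VIRSA_CC_ADMINISTRATOR = set("""
ChangeAdmins ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
ChangeMitUser ChangeOrgRules ChangeRisks ChangeRuleSet ChangeSupplementRole
ClearAlert CreateAdmins CreateBP CreateBUnit CreateCrActions CreateCrProfiles
CreateCrRoles CreateFunction CreateMitCntl CreateMitHRObject CreateMitProfile
CreateMitRole CreateMitUser CreateOrgRules CreateRisks CreateRuleSet
CreateSupplementRule DeleteAdmins DeleteAlert DeleteBP DeleteBUnit
DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction DeleteMitCntl
DeleteMitHRsObject DeleteMitProfile DeleteMitRole DeleteMitUser DeleteOrgRules
DeleteRisks DeleteRuleSet DeleteSupplementRule ExportMitigationData ExportRules
GenerateAlert ImportMitigationData ImportRules MassFuncMaint
ManageDeletionAllRules ManageDeletionSystemRules RunAuditReports
RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog
ViewBGJobsforAllUsers ViewConfiguration ViewInformer ViewMgmtReport
ViewMitigation ViewRuleArchitect
""".split())

VIRSA_CC_SECURITY_ADMIN = set("""
ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeOrgRules ChangeRisks ChangeRuleSet CreateBP
CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction CreateOrgRules
CreateRisks CreateRuleSet CreateSupplementRule DeleteAlert DeleteBP
DeleteBUnit DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction
DeleteOrgRules DeleteRisks DeleteRuleSet DeleteSupplementRule
ExportMitigationData ExportRules GenerateAlert ImportMitigationData
ImportRules MassFuncMaint RunAuditReports RunRiskAnalysis RunSecurityReports
ViewAlertMonitor ViewBgJobLog ViewBGJobsForAllUsers ViewConfiguration
ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""".split())

VIRSA_CC_REPORT = set("""
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor
ViewInformer ViewMgmtReport ViewMitigation
""".split())

VIRSA_CC_BUSINESS_OWNER = set("""
ChangeBUnit ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
ChangeMitUser CreateBUnit CreateMitCntl CreateMitHRObject CreateMitProfile
CreateMitRole CreateMitUser DeleteBUnit DeleteMitCntl DeleteMitHRsObject
DeleteMitProfile DeleteMitRole DeleteMitUser RunAuditReports RunRiskAnalysis
RunSecurityReports ViewAlertMonitor ViewInformer ViewMgmtReport
ViewMitigation ViewRuleArchitect
""".split())

DELIVERED = {
    "VIRSA_CC_ADMINISTRATOR": VIRSA_CC_ADMINISTRATOR,
    "VIRSA_CC_SECURITY_ADMIN": VIRSA_CC_SECURITY_ADMIN,
    "VIRSA_CC_REPORT": VIRSA_CC_REPORT,
    "VIRSA_CC_BUSINESS_OWNER": VIRSA_CC_BUSINESS_OWNER,
}

# Constructed reviewer list: actions whose table descriptions amount to deleting
# or bulk-changing rule and mitigation data, or (ViewConfiguration) executing
# every action on the Configuration tab.
HIGH_IMPACT = ("Delete*", "ManageDeletion*", "Import*", "MassFuncMaint", "ViewConfiguration")


def _norm(action):
    # Compare case-insensitively: the guide spells ViewBGJobsForAllUsers with
    # inconsistent case across its tables.
    return action.casefold()


def delivered_roles_are_subsets():
    """Per role, the actions NOT covered by VIRSA_CC_ADMINISTRATOR (all empty if the guide's claim holds)."""
    admin = {_norm(a) for a in VIRSA_CC_ADMINISTRATOR}
    return {name: sorted(a for a in acts if _norm(a) not in admin)
            for name, acts in DELIVERED.items() if name != "VIRSA_CC_ADMINISTRATOR"}


def review_custom_role(actions, baseline):
    """Return (extra, flagged): actions beyond the delivered baseline role, and
    the subset of those matching a high-impact pattern that needs justification."""
    base = {_norm(a) for a in DELIVERED[baseline]}
    extra = sorted(a for a in actions if _norm(a) not in base)
    flagged = [a for a in extra if any(fnmatch.fnmatchcase(a, p) for p in HIGH_IMPACT)]
    return extra, flagged


# Constructed custom role: a reporting role cloned from VIRSA_CC_REPORT that
# has accumulated extra actions over time.
Z_CC_AUDITOR = VIRSA_CC_REPORT | {"ViewBgJobLog", "DeleteAlert", "ImportRules"}

if __name__ == "__main__":
    print("delivered actions outside the administrator role:", delivered_roles_are_subsets())
    extra, flagged = review_custom_role(Z_CC_AUDITOR, "VIRSA_CC_REPORT")
    print("beyond VIRSA_CC_REPORT:", extra)
    print("high impact, justify or remove:", flagged)
```

The same comparison can be run for the ERM roles in section 6.2 by swapping in their action lists; the point of the check is that a role derived from a read-only baseline is reviewed against that baseline, not against the administrator role.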
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group: relevant for all target groups.
Current version: on SAP Help Portal at http://help.sap.com -> Glossary; in the SAP system in transaction STERM.
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades.
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD).
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide.
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations.
Current version: in SAP Solution Manager.
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades.
Current version: in the SAP menu of the SAP system under Tools -> Customizing -> IMG.
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments).
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example -> Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +4918 0534 34 34, F +4918 0534 34 20
www.sap.com
Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
4 Network and Communication Security
A well-defined network topology can eliminate many security threats. Your network must support the communication your business needs while preventing unauthorized access. This section describes the network and communication security for Access Control.
The network topology for Access Control is based on the SAP NetWeaver topology. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Access Control. Details that specifically apply to Access Control are described in the following topics:
Communication Channel Security: This topic describes the communication channels and protocols used by Access Control.
Communication Destinations: Access Control communicates with other SAP and non-SAP capabilities. This topic lists the required connection types and authorizations.
Integration with Single Sign-On Environments: Access Control supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. This topic describes Access Control support for integration with SAP SSO environments.
Data Storage Security: This topic describes how Access Control handles data storage.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Aspects for Connectivity and Interoperability [SAP Library]
NOTE
Access Control communicates with multiple systems; therefore, it is highly recommended that the HTTPS communication protocol is used for secure communication.
4.1 Communication Channel Security
The following table contains the communication paths used by Access Control, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol | Type of Data | Special Protection Data
Backend using SAP GUI | DIAG | All application data | Logon Data
NetWeaver Business Client | HTTP/HTTPS | All application data | Logon Data
RFC | RFC | All application data | Logon Data
Application server to BI system | HTTP/HTTPS | All application data | Logon Data
BI system to application system | HTTP/HTTPS | All application data | Logon Data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure Sockets Layer (SSL) protocol protects HTTPS connections.
4.2 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use the SLD JCo destination as part of the connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
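The requirement above, that the RFC destination be basic with no access or user ID attached, is something a reviewer can check across all destinations rather than one at a time. The following Python script is an added example (not from this guide or from SAP): it walks a list of destination records and reports the ones that carry stored logon data, a trusted-system relationship, or (per the 4.1 note that SNC protects RFC) an ABAP connection without SNC. The RfcDestination layout is a constructed simplification of the attributes seen in destination maintenance, not a real SAP table or export format, and the sample destinations and host names are invented.

```python
"""Review RFC destinations for attached logon data (added example, not SAP code).

Section 4.2 requires the destination Access Control uses to be basic, with no
access or user ID attached; section 4.1 notes that SNC protects RFC. The
RfcDestination layout is a constructed simplification of the attributes seen in
destination maintenance, not a real SAP table or export format; the sample
destinations are invented.
"""
from dataclasses import dataclass


@dataclass
class RfcDestination:
    name: str
    conn_type: str        # "3" = ABAP connection, "T" = TCP/IP (as in destination maintenance)
    target: str
    user: str             # logon user stored in the destination, "" if none
    password_stored: bool
    trusted: bool         # trusted-system logon (no password needed)
    snc: bool             # SNC active for this destination


# Constructed sample destinations
SAMPLE = [
    RfcDestination("GRC_AC_BASIC", "3", "erpprd.example.invalid", "", False, False, True),
    RfcDestination("GRC_AC_STORED", "3", "erpprd.example.invalid", "GRCRFC", True, False, False),
    RfcDestination("GRC_AC_TRUST", "3", "erpqas.example.invalid", "", False, True, True),
    RfcDestination("GRC_IGS", "T", "igs.example.invalid", "", False, False, False),
]


def review(destinations):
    """Return {destination name: [issues]} for destinations that are not 'basic'."""
    findings = {}
    for d in destinations:
        issues = []
        # 4.2: no access or user ID may be attached to the destination.
        if d.user or d.password_stored:
            issues.append("logon data attached to the destination")
        # A trusted-system logon attaches access even though no password is stored.
        if d.trusted:
            issues.append("trusted-system logon attaches access without logon data")
        # 4.1: SNC is what protects the RFC channel; only ABAP connections carry it here.
        if d.conn_type == "3" and not d.snc:
            issues.append("ABAP connection without SNC")
        if issues:
            findings[d.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```

GRC_AC_BASIC passes because the user logging in with a Firefighter ID supplies the credentials at session time; the other two ABAP destinations are the cases the guide's wording rules out.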
4.3 Communication Destinations
The following table lists the communication destinations and authorizations required by Access Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that users are authenticated before they access it.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon to the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies, and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
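The channel protections in the table in 4.1 (SNC for DIAG and RFC, SSL for HTTPS) and the logon-ticket handling in 4.4 both rest on profile parameters of the AS ABAP. As an added example (not from this guide or from SAP), the following Python script parses a constructed instance-profile excerpt and reports settings that contradict those recommendations. The parameter names (snc/enable, snc/data_protection/min, snc/accept_insecure_gui, snc/accept_insecure_rfc, icm/server_port_<n>, login/create_sso2_ticket, login/ticket_only_by_https) are standard SAP NetWeaver parameters that the guide does not itself list; the threshold values and the profile contents are this example's assumptions.

```python
"""Audit the AS ABAP profile parameters behind the channel protections of sections 4.1 and 4.4.

Added example, not SAP code. SAMPLE_PROFILE is a constructed excerpt; the
parameter names are standard SAP NetWeaver profile parameters that this guide
does not itself list, and the expected values are this example's assumptions.
"""
import re

SAMPLE_PROFILE = """
# constructed instance profile excerpt
SAPSYSTEMNAME = GRC
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
login/create_sso2_ticket = 2
login/ticket_only_by_https = 0
"""


def parse_profile(text):
    """Read 'name = value' lines into a dict; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def icm_ports(params):
    """Return {port: protocol} for every icm/server_port_<n> listener."""
    ports = {}
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            fields = dict(item.split("=", 1) for item in value.split(","))
            ports[int(fields["PORT"])] = fields["PROT"].upper()
    return ports


def check_channels(params):
    """Return a list of findings; an empty list means the profile matches the recommendations."""
    findings = []
    # 4.1: SNC protects DIAG and RFC. snc/data_protection/min 3 = privacy
    # (1 = authentication only, 2 = integrity).
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is off, DIAG and RFC logon data are unprotected")
    elif params.get("snc/data_protection/min") != "3":
        findings.append("snc/data_protection/min: below 3, SNC does not enforce encryption")
    # Even with SNC on, these two allow clients to connect without SNC.
    for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
        if params.get(name, "0") != "0":
            findings.append(f"{name}: non-SNC connections are still accepted")
    # 4.1: HTTPS is recommended; SSL protects HTTPS connections only.
    for port, prot in sorted(icm_ports(params).items()):
        if prot == "HTTP":
            findings.append(f"icm/server_port: plain HTTP listener on port {port}")
    # 4.4: logon tickets carry the SSO session; keep them off plain HTTP.
    if params.get("login/create_sso2_ticket", "0") != "0" and \
            params.get("login/ticket_only_by_https") != "1":
        findings.append("login/ticket_only_by_https: logon tickets may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_channels(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

On the constructed profile the script reports five findings; removing the HTTP listener and raising the SNC and ticket parameters brings the list to empty, which is the state the 4.1 note and the HTTPS recommendation in section 4 describe.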
4.5 Data Storage Security
Master data and transaction data are stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security policies. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
- Use the SAP GUI for configuring and administering Access Control
- Access the NetWeaver Business Client
Communication Users
- Use the Access Control workflow
- RTAs: use RFC connections to connect to the BI systems
Service Users
- Connect the front end ABAP session to the back end ABAP session
- RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use UME for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides -> SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver platform and the SAP NetWeaver Application Server ABAP and Java. Therefore the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR: this role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSAVFAT_ADMINISTRATOR: the administrator for both delivered ID-based and role-based roles.
Delivered ID-based Roles
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR Controller (maintains the controller table for firefighter roles); FFER Firefighter (required to add or delete firefighters from firefighter roles); LGDN Log Download (download logs via Administration > Archive); LGDS Log Delete (delete logs via Administration > Archive); LGUP Log Upload (upload logs via Administration > Archive); OWNR Owner (maintains the owner table for firefighter roles)
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM: VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM: VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT | *
VIRSAVFAT_ROLE_CONTROLLER
The following tables list the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM: VIRSAFFLOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above.
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSASZ_CC_REPORTING
VIRSSAZ_CC_SECURITY_ADMIN
VIRSA_Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign to the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Values for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE | *
S_USER_SAS | User master maintenance: system-specific assignments | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | VIRSAFAT | *
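As an added example (not from the SAP guide), the following Python check compares the authorization values of a custom back-end role against the required sets printed in the VFAT_FIREFIGHTER (SP07 and later) and SPM RFC connector tables above, reporting values the role lacks and the over-broad values the guide warns about (CLASS left at * and SU01 granted on a firefighter role). Object, field, and value names are taken as printed in the tables; the user group FF_GROUP and both sample roles are constructed for the example.

```python
"""Completeness and over-breadth check for a custom SPM back-end role.

Added example, not SAP code. Role content would normally be exported from
PFCG or SUIM; here constructed sample roles are embedded inline.
"""

# authorization object -> authorization field -> set of values
Auth = dict[str, dict[str, set[str]]]

# The guide does not name the user group of the firefighter IDs;
# FF_GROUP is a placeholder for this example.
FFID_USER_GROUP = "FF_GROUP"

# Custom firefighter role, SP07 and later, per the tables above.
REQUIRED_FIREFIGHTER: Auth = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"VIRSAVFAT"}},
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": {FFID_USER_GROUP}},
}

# SPM RFC connector role (section 5.5.4). Fields the guide shows as *
# are omitted here because any granted value satisfies them.
REQUIRED_SPM_RFC: Auth = {
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_TYPE": {"FUGR"},
        "RFC_NAME": {"VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF",
                     "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST",
                     "SYSU"},
    },
    "S_DEVELOP": {"ACTVT": {"16"}, "DEVCLASS": {"VIRSA"}, "OBJNAME": {"VIRSA"},
                  "OBJTYPE": {"FUGR"}},
}


def covers(granted: set[str], needed: set[str]) -> bool:
    """True when the granted values satisfy the needed ones (* is all values)."""
    return "*" in granted or needed <= granted


def missing(role: Auth, required: Auth) -> list[str]:
    """Return 'OBJECT/FIELD: v1,v2' for every required value the role lacks."""
    gaps = []
    for obj, fields in required.items():
        for fld, needed in fields.items():
            granted = role.get(obj, {}).get(fld, set())
            if not covers(granted, needed):
                gaps.append(f"{obj}/{fld}: {','.join(sorted(needed - granted))}")
    return sorted(gaps)


def overbroad(role: Auth) -> list[str]:
    """Flag values the guide warns about: full wildcards on any field, and
    SU01 on a role meant for firefighters (the guide recommends against it)."""
    findings = []
    for obj, fields in role.items():
        for fld, granted in fields.items():
            if "*" in granted:
                findings.append(f"{obj}/{fld} is * (all values)")
    if "SU01" in role.get("S_TCODE", {}).get("TCD", set()):
        findings.append("S_TCODE/TCD grants SU01")
    return sorted(findings)


def check_role(role: Auth, required: Auth) -> dict[str, list[str]]:
    """Combine both checks into one report for a role."""
    return {"missing": missing(role, required), "overbroad": overbroad(role)}


# Constructed sample: a custom firefighter role whose builder forgot
# ACTVT 05 on S_USER_GRP, left CLASS at *, and added SU01.
SAMPLE_FIREFIGHTER_ROLE: Auth = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"VIRSAVFAT", "SU01"}},
    "S_USER_GRP": {"ACTVT": {"02", "03"}, "CLASS": {"*"}},
}

# Constructed sample: a custom RFC connector role with RFC_NAME left at *
# instead of the function groups listed in section 5.5.4.
SAMPLE_SPM_RFC_ROLE: Auth = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}},
    "S_DEVELOP": {"ACTVT": {"16"}, "DEVCLASS": {"VIRSA"}, "OBJNAME": {"VIRSA"},
                  "OBJTYPE": {"FUGR"}},
}

if __name__ == "__main__":
    for name, role, req in (("firefighter", SAMPLE_FIREFIGHTER_ROLE, REQUIRED_FIREFIGHTER),
                            ("spm_rfc", SAMPLE_SPM_RFC_ROLE, REQUIRED_SPM_RFC)):
        report = check_role(role, req)
        print(name, "missing:", report["missing"])
        print(name, "over-broad:", report["overbroad"])
```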
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role.
Action Name Description Appears on This Tab
aewebqueryexecution This is an internally used permission and is not associated with any functionality
(Not displayed in a tab)
ApproverDelegationByAdmin Permission to view Approver Delegation in Request left navigation in Configuration tab
Configuration
ArchivingRequest Permission for Archiving Request Configuration
CreateMitigationControl Permission to create mitigation control in approver view
(Not displayed in a tab)
CreateSAPUser Permission to provision user account (create delete lock unlock) in the back-end system in the approver view
(Not displayed in a tab)
DeleteApprvDelegatorByAdmin Permission to delete the approver delegator pair from admin view
Configuration
DeleteRequestAction Permission to delete requests Configuration
DeleteRequestSubmit Permission to submit delete requests which is only available if Deleting Requests is assigned
Configuration
ManageRejectionsCancelGenerationAction Permission to cancel generate requests for manage rejections for UAR and SOD
Configuration
ManageRejectionsGenerateAction Permission to generate requests for manage rejections for UAR and SOD
Configuration
ManageUARLoadDataTask Permission to Access UAR Load Data Tasks in Config Tab
Configuration
ModifyApproversConfiguration Permission to modify Approvers configuration
Configuration
ModifyAttachmentFolder Permission for modifying Request Attachment Folder
Configuration
ModifyAttributeConfiguration Permission for modifying Attribute Configuration
Configuration
ModifyAuthenticationConfiguration Permission to modify Authentication Configuration
Configuration
ModifyBackgroundJobsConfiguration Permission to modify Background Jobs Configuration
Configuration
ModifyChangeLogConfiguration Permission to modify Change Log Configuration
Configuration
ModifyConfigLDAPMappingAction Permission for modifying LDAP Mapping Configuration
Configuration
ModifyConnectorsConfiguration Permission to modify Connectors Configuration
Configuration
ModifyCustomFieldsConfiguration Permission to modify Custom Fields Configuration
Configuration
ModifyEnduserPersonalizationConfiguration Permission to modify Enduser Personalization Configuration
Configuration
ModifyHRTriggersConfiguration Permission to modify HR Triggers Configuration
Configuration
ModifyInitialSystemDataConfiguration Permission to modify Initial Data Configuration
Configuration
ModifyMiscellaneousConfiguration Permission to modify Miscellaneous Configuration
Configuration
ModifyMitigationConfiguration Permission to modify Mitigation Configuration
Configuration
ModifyNumberRangeConfiguration Permission to modify Number Range Configuration
Configuration
ModifyPasswordSelfServiceConfiguration Permission to modify Password Self Service Configuration
Configuration
ModifyProvisioningConfiguration Permission to modify Provisioning Configuration
Configuration
ModifyReaffirmsConfiguration Permission to modify Reaffirms Configuration
Configuration
ModifyRequestConfiguration Permission to modify Request Configuration
Configuration
ModifyRiskAnalysisConfiguration Permission to modify Risk Analysis Configuration
Configuration
ModifyRolesConfiguration Permission to modify Roles Configuration
Configuration
ModifyServiceLevelConfiguration Permission to modify Service Level Configuration
Configuration
ModifySupportConfiguration Permission to modify Support Configuration
Configuration
ModifyUserDefaultsConfiguration Permission to modify User Defaults Configuration
Configuration
ModifyUserSearchDataSourceConfiguration Permission to modify User Data Source Configuration
Configuration
ModifyWorkflowConfiguration Permission to modify Workflow Configuration
Configuration
SearchChangeLog Permission to search change log
Configuration
ViewAccessEnforcer Permission to view Access Enforcer Tab
Configuration
ViewApprove Permission to approve request in the approver view
(Not displayed in a tab)
ViewApproverDelegation Permission to define delegate approver for self
Configuration
ViewAssignRolesProfiles Permission to provision roles and profiles in the back-end system from the approver view
Configuration
ViewchangeCADApprover
(Not displayed in a tab)
ViewConfigApplicationLogAction Permission to view the Application Log in Configuration
Configuration
ViewConfigSystemLogAction Permission to view System Log in Configuration
Configuration
ViewConfiguration Permission to view Configuration Tab Configuration
ViewCopyRequest Permission to copy request from approver view
My Work
ViewCreateRequest Permission to create request from approver view
My Work
ViewDelegationReportAction Permission to view Delegation Report Informer
ViewForwardRequest Permission to forward request from the approver view
(Not displayed in a tab)
ViewHold Permission to put request on hold in the approver view
(Not displayed in a tab)
ViewIfCancelRiskViolationDetails Permission to view Informer Cancel Risk Violation Details
Informer
ViewIFChartAccessRequestAction Permission to view Informer Reports Access Request Chart View
Informer
ViewIFChartAccessProvisioningAction Permission to view Informer Reports Provisioning Chart View
Informer
ViewIFChartRiskViolationAction Permission to view Informer Reports Risk Violation Chart View
Informer
ViewIFChartServiceLevelAction Permission to view Informer Reports Service Level Chart View
Informer
ViewIFReportViewAction Permission to view Informer Report View
Informer
ViewIFRequestByStructProfilesAction Permission for viewing Informer Request By Structural Profiles
Informer
ViewIFRequestConflictsMitigationAction Permission for viewing Informer Request Conflicts and Mitigations
Informer
ViewIFRequestRoleOwnerAction Permission for viewing Informer Request Role Owner
Informer
ViewIFRequestServiceLevelAction Permission to view Informer Service Level
Configuration
ViewIfRiskViolationDetails Permission for viewing Informer Risk Violation Details
Informer
ViewIFRoleOwnerAction Permission for viewing Informer Role Owner
Informer
ViewInformer Permission to view Informer Tab Informer
ViewManageRejectionReasons Permission to view manage rejection reasons
Configuration
ViewManageRejections Permission to view manage rejections for UAR and SOD
Configuration
ViewMitigation Permission to mitigate a risk from risk analysis screen in the approver view
Configuration
ViewReaffirms Permission to reaffirms from approver view
My Work
ViewReject Permission to reject request in the approver view
My Work
ViewRemoveAccess Permission for viewing Remove Access Button on SOD Review page
(Not displayed in a tab)
ViewRequestsAdministration Permission for Requests Administration
Configuration
ViewRequstAuditTrails Permission to view request audit trail from the approver view
(Not displayed in a tab)
ViewReRoute Permission to reroute request from the approver view
(Not displayed in a tab)
ViewRiskAnalysis Permission to perform risk analysis from the approver view
(Not displayed in a tab)
ViewSaveRequest Permission for viewing Save Request Button on SOD Review page
(Not displayed in a tab)
ViewSearchRequestAll Permission to search for all requests from approver view
(Not displayed in a tab)
ViewSelectPDProfiles Permission to select PD Profiles and add to request in the approver view
(Not displayed in a tab)
ViewSelectRoles Permission to select roles and add to the request in the approver view
(Not displayed in a tab)
ViewSODReviewHistoryReportAction Permission for viewing SOD Review Informer Report
Informer
ViewStaleRequests Permission to enter stale request details in the request view
(Not displayed in a tab)
ViewSubmitRequest Permission for viewing Submit Request Button on SOD Review page
(Not displayed in a tab)
ViewSuperAccess Permission to view Super Access Button (Not displayed in a tab)
ViewUARReviewHistoryReportAction Permission for viewing UAR Review Informer Report
Informer
ViewUpgradeAction Permission for Upgrade Configuration
Informer
ViewUserReviewStatusReportAction Permission to view user review status for CUP
Configuration
AESecurity and AEApprover
The following are actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name Value Appears on this Tab
ApplyToExistingRoles Permission to view Apply to Existing Roles button on Methodology Process Update
Configuration
ManageCache Permission to manage cache Configuration
ViewApprovalCriteria Permission to view Approval Criteria Configuration
ViewAttachmentToRoleDef Permission to view Attach Icon in Role Maintenance
(Not displayed on a tab)
ViewAuthorizationData Permission to view Authorization data (Not displayed on a tab)
ViewBackgroundJobs Permission to view Background Jobs Configuration
ViewBusinessProcess Permission to view Business Process Configuration
ViewChangeHistory Permission to view Change History Role Management
ViewChangeRole Permission to view modify Role Role Management
ViewChangeRoleApprovers Permission to add or update role approvers Role Management
ViewCompareRoles Permission to compare Roles Role Management
ViewConditionGroups Permission to view Condition Groups Configuration
ViewConfiguration Permission to view Configuration Tab Configuration
ViewConfigurationSettingsImport Permission to view Configuration Settings Import-Export Screen
Configuration
ViewCreateRole Permission to view Create Role Role Management
ViewCustomFields Permission to view Custom Fields Configuration
ViewDeleteRole Permission to delete Role (Not displayed on a tab)
ViewDerivedRoles Permission to view Derived Roles (Not displayed on a tab)
ViewFunctionalArea Permission to view Functional Area Configuration
ViewGenerateRole Permission to Generate Role Configuration
ViewInformer Permission to view all reports. There are no configurable actions for this tab.
Informer
ViewInitialSystemData Permission to view Initial System data Role Management
ViewMassMaintenance Permission to perform Role Mass Maintenance Role Management
ViewMassMaintGenerate Permission to manage Mass Maintenance - Generate
Role Management
ViewMassMaintRiskAnalysis Permission to manage Mass Maintenance - Risk Analysis
Role Management
ViewMassMaintUpdate Permission to manage Mass Maintenance - Update
Role Management
ViewMassRoleImport Permission to view Mass Role Import Configuration
ViewMethodology Permission to view Methodology Configuration
ViewMigration Permission to view RE Migration Configuration
ViewMiscellaneousConfiguration Permission to view Miscellaneous Configuration Configuration
ViewMitigateRisks Permission to Mitigate Risk (Not displayed on a tab)
ViewNamingConvention Permission to view Naming Convention Configuration
ViewObjectsByClass Permission to view and modify Objects by Class screen
(Not displayed on a tab)
ViewObjectsByTransaction Permission to view Objects by Transactions screen
(Not displayed on a tab)
ViewOpenSQLTest Permission to view OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view Approval Button in Role Maintenance
(Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view Role Expert Tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in Configuration Tab
Configuration
ViewRoleStatus Permission to view Role Status in Configuration Tab
Configuration
ViewRoleUsage Permission to view Role Usage Synchronization Screen
Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view TransactionImport in Configuration Tab
Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The
VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these
permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
ClearAlert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to create a business unit Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
ExportRules Permission to export rules Rule Architect
GenerateAlert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view the Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. Alert Monitor
ViewBgJobLog Permission to view the user's own background jobs Informer & Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer & Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
The following lists the actions assigned to each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required
actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view the Connector Configuration Change Log report Change Log
InvalidUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary report Reports
ReasonActivityReport Permission to view the Reason Activity report Reports
SessionSummaryReport Permission to view the Session Summary report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels. A collective security guide is available for SAP NetWeaver. This document contains
general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable
units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution and follow-up of an implementation. It also provides references to other documents, such
as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into
account the combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business scenarios, business processes and
implementable steps. It contains Customizing activities, transactions and so on, as well as
documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The
Customizing activities and their documentation are structured from a functional perspective. (In order
to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager,
which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring,
backup, restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of
an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the
combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release. Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example “Enter your <User Name>”
Example → Example Arrows separating the parts of a navigation path, for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com Textual cross-references to an internet address
/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: you can find this document at http://service.sap.com/securityguide and http://service.sap.com/instguides.
Communication Path | Protocol | Type of Data | Special Protection Data
Application server to BI system | HTTP/HTTPS | All application data | Logon Data
BI system to application system | HTTP/HTTPS | All application data | Logon Data
NOTE
Secure Network Communications (SNC) protects DIAG and RFC connections. The Secure
Sockets Layer (SSL) protocol protects HTTPS connections.
42 RFC Connections
Access Control requires RFC destinations to call specific RFC-enabled modules. For example, each time
a user logs in with a Firefighter ID and creates a new session, the new session opens using the RFC. The
RFC destination must be basic, with no access or user ID attached to it. You can use an existing SAP
RFC to configure the Access Control RFC destination.
NOTE
For Compliant User Provisioning, we recommend that you use the SLD JCo destination as part of the
connector configuration to ensure secure RFC communication.
More Information
Transport Layer Security in the SAP NetWeaver Security Guide
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP on the SAP Help Portal
43 Communication Destinations
The following table lists the communication destinations and authorizations required by Access
Control to communicate with other SAP and non-SAP capabilities.
Destination | Type | Authorizations | Comments
Control to SAP ERP RTA (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | None
SAP Standard Control to SAP ERP (Required) | RFC | See Creating Custom RFC Roles for a list of RFC authorizations | You must assign SAP Module Authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.
IGS (Required) | RFC | No special configuration required | None
Non-SAP Application (Optional) | | | For more information about non-SAP applications, see the solutions provided by SAP partners such as Green Light Technologies.
44 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The
system authenticates the user and issues an SAP logon ticket to access all the applications, information
and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data,
it is imperative that the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log
on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon for
the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities
use single sign-on: Compliant User Provisioning, Enterprise Role Management and Risk Analysis and
Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must
use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter
can no longer use that ID for other login purposes. The temporary provisioning that is the basis
for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access
Control capabilities. The user must be assigned the proper UME roles to access each component. If the user
does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is
session-based: the ticket is only available from the session that created the ticket. If the user launches
a second session, the logon ticket no longer applies and the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, an information
message displays as follows: Password Expired Please login to UME to reset the
password. As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The
Launch Pad provides a prompt for password change.
45 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent
session cookies for data storage.
46 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user
types, tools and the password concepts. Therefore, the security recommendations and guides for user
administration and authentication described in the SAP NetWeaver Application Server ABAP Security
Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
461 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver
Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access
Control, see the sections below. In addition, we provide a list of the standard users required for operating
Access Control.
462 User Types
Different types of users often require different security types. For example, your policy may specify that
users who perform tasks interactively have to change passwords on a regular basis, while other types
of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
Use the SAP GUI for configuring and administering Access Control
Access the NetWeaver Business Client
Communication Users
Use the Access Control workflow
RTAs
Use RFC connections to connect to the BI systems
Service Users
Connect the front end ABAP session to the back end ABAP session
463 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more
information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users
User Administration Tool Description
Transaction SU01 Use SU01 for ABAP user maintenance: create and update users and user authorizations.
Transaction PFCG (Profile Generator) Use PFCG for ABAP role maintenance: create and update authorization profiles.
User Management Administration Console Use UME for Java user and role maintenance.
47 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service
Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects
Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the
delivered roles, briefly describes their relevance to business requirements, and lists the available tasks
for each.
In addition to the Access Control-specific security functions, Access Control user administration and
authorization leverages the user management and authorization features of the SAP NetWeaver®
platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations
and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology
also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
51 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3
Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control →
SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR
This is the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR
This role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSAVFAT_ADMINISTRATOR
This is the administrator for both delivered ID-based and role-based roles.
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
511 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects
and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for
back end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, an object with the value * (asterisk) contains all available values. The
following table lists the available values for the authorization fields.
Object | Available Values | Authorization Field
GRCFF_0001 | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload | ACTVT
GRCFF_0002 | CNTR - Controller: the user who maintains the controller table for firefighter ROLES; FFER - Firefighter: this value is required to add or delete a firefighter from firefighter roles; LGDN - Log Download: you can download logs via Administration - Archive; LGDS - Log Delete: you can delete logs via Administration - Archive; LGUP - Log Upload: you can upload logs via Administration - Archive; OWNR - Owner: the user who maintains the owner table for firefighter ROLES | VIRSAFAT
S_DATA_SET | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter | ACTVT
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | *
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&* ZV*
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
GRCFF_0002 | VIRSAFAT | *
/VIRSA/VFAT_ROLE_CONTROLLER
The following tables list the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&* ZV*
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
GRCFF_0001 | ACTVT | 81
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
GRCFF_0001 | ACTVT | 02 03 81 L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN LGDS LGUP
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | VIRSAFAT | CNTR FFER LGDN LGDS LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZVD ZVE
GRCFF_0001 | ACTVT | 02 03
GRCFF_0002 | VIRSAFAT | CNTR FFER LGDN LGDS LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE /VIRSA/FFCHNGLOGS /VIRSA/VFAT /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT SUBMIT VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR LGDN LGDS OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT
For SP07 and later, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02 03 05
S_USER_GRP | CLASS (Group) | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS. We recommend you do not grant access to transaction SU01 to any users with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT /VIRSA/ZVFAT_U02 /VIRSA/ZVFAT_U03 /VIRSA/ZVFAT_U04 /VIRSA/ZVFAT_U06 /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_TABU_DIS | ACTVT | 02 03
S_TABU_DIS | DICBERCLS | ZV&X ZV&Y
S_PROGRAM | P_ACTION | SUBMIT BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02 03 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/AEAHHR /VIRSA/AEAHNH /VIRSA/AECO /VIRSA/AECUHR /VIRSA/AECUNH /VIRSA/AEFF /VIRSA/AEHTHR /VIRSA/AEPRHR /VIRSA/AEPRNH /VIRSA/AEPVHR /VIRSA/AEPVHR1 /VIRSA/AEPVNH /VIRSA/AEPVNH1 /VIRSA/AERE /VIRSA/ALRT /VIRSA/ERM /VIRSA/MGMT /VIRSA/PFCG /VIRSA/VRAT /VIRSA/ZAE01 /VIRSA/ZAE01NH /VIRSA/ZAE02 /VIRSA/ZAECC /VIRSA/ZAECCNH /VIRSA/ZCC01 /VIRSA/ZCC02 /VIRSA/ZCC03 /VIRSA/ZCC04 /VIRSA/ZCC05 /VIRSA/ZCCHR /VIRSA/ZMIC /VIRSA/ZMICTAB /VIRSA/ZRBHR /VIRSA/ZVIR /VIRSA/ZVIRHR /VIRSA/ZVIRMIT /VIRSA/ZVR1 /VIRSA/ZVR2 /VIRSA/ZVR3 /VIRSA/ZVR4 /VIRSA/ZVR5 /VIRSA/ZVR6 /VIRSA/ZWEB /VIRSA/ZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03 08
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01 02 03 05 06 08 24 78
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03 08
S_USER_PRO | | PROFILE | *
S_USER_SAS | S_USER_SAS | ACTVT | 01 06 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01 02 03 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | DEL DISP INSE LIST
PLOG | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/RE /VIRSA/REORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | /VIRSA/ SUSO
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/ALRT /VIRSA/ERM /VIRSA/MGMT /VIRSA/PFCG /VIRSA/VRAT /VIRSA/ZCC01 /VIRSA/ZCC02 /VIRSA/ZCC03 /VIRSA/ZCC04 /VIRSA/ZCC05 /VIRSA/ZCCHR /VIRSA/ZMIC /VIRSA/ZMICTAB /VIRSA/ZRBHR /VIRSA/ZVIR /VIRSA/ZVIRHR /VIRSA/ZVIRMIT /VIRSA/ZVR1 /VIRSA/ZVR2 /VIRSA/ZVR3 /VIRSA/ZVR4 /VIRSA/ZVR5 /VIRSA/ZVR6 /VIRSA/ZWEB /VIRSA/ZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
S_RFC | | R.FC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | /VIRSA/ SUSO
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | A C O P S T TS US WF WS
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/FF_UTIL_RPT /VIRSA/ZVFAT BAPT RFC1 SDIF SDTX SDIFRUNTIME SUSR SUUS SU_USER SYST SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | /VIRSA/
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | VIRSAFAT | *
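The following is an added example, not code from the SAP guide: a small Python checker that compares a custom SPM back-end role against the values the guide lists, with reference tables transcribed from the /VIRSA/Z_VFAT_FIREFIGHTER table in section 5.1.1 (including the SP07 S_USER_GRP addition and the SU01 recommendation in its note) and from the SPM RFC connector table in this section. The line-oriented export format, the user group name FFID_GRP, and the sample roles are constructed for the example.

```python
"""Check an SPM back-end role export against the authorization values the guide lists.
Added example, not code from the SAP guide. REQUIRED_* is transcribed from the guide's
tables for /VIRSA/Z_VFAT_FIREFIGHTER (5.1.1) and the SPM RFC connector role (5.5.4);
the export format, the group name FFID_GRP and the sample roles are constructed."""

# object -> authorization field -> values the guide requires ("*" means all values).
REQUIRED_FIREFIGHTER = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/VFAT"}},
    # SP07 and later: CLASS is the user group holding the firefighter IDs
    # (FFID_GRP is a constructed name; the guide just says to use the FFIDs' group).
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": {"FFID_GRP"}},
}
REQUIRED_SPM_RFC = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
              "RFC_NAME": {"/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF",
                           "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"}},
    "S_DEVELOP": {"ACTVT": {"16"}, "DEVCLASS": {"/VIRSA/"}, "OBJNAME": {"/VIRSA/"},
                  "OBJTYPE": {"FUGR"}},
    # The guide itself lists all values (*) for the two GRCFF objects on this role.
    "GRCFF_0001": {"ACTVT": {"*"}},
    "GRCFF_0002": {"VIRSAFAT": {"*"}},
}

def parse_role_export(text):
    """Parse constructed export lines of the form 'OBJECT FIELD VALUE[,VALUE...]'."""
    auths = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        obj, fld, values = line.split(None, 2)
        bucket = auths.setdefault(obj, {}).setdefault(fld, set())
        bucket.update(v.strip() for v in values.split(",") if v.strip())
    return auths

def covers(granted, required):
    """True if a granted value covers `required`: exact match, '*', or a 'PREFIX*' pattern."""
    return any(g == "*" or g == required or (g.endswith("*") and required.startswith(g[:-1]))
               for g in granted)

def check_role(auths, required):
    """Return (missing, too_broad): values the guide lists but the role lacks, and
    (object, field) pairs granted '*' where the guide lists specific values."""
    missing, too_broad = [], []
    for obj, fields in required.items():
        for fld, values in fields.items():
            granted = auths.get(obj, {}).get(fld, set())
            missing += [(obj, fld, v) for v in sorted(values) if not covers(granted, v)]
            if "*" in granted and "*" not in values:
                too_broad.append((obj, fld))
    return missing, too_broad

def grants_su01(auths):
    """The guide recommends not granting SU01 to users who hold the S_USER_GRP access."""
    return covers(auths.get("S_TCODE", {}).get("TCD", set()), "SU01")

# Constructed export of a firefighter role built exactly as the guide's table says.
GOOD_FIREFIGHTER = """
S_RFC ACTVT 16
S_RFC RFC_NAME SYST
S_RFC RFC_TYPE FUGR
S_TCODE TCD /VIRSA/VFAT
S_USER_GRP ACTVT 02,03,05
S_USER_GRP CLASS FFID_GRP
"""
# Constructed careless variant: wildcards instead of the listed values, ACTVT 05
# missing, and SU01 added to the transaction list.
WEAK_FIREFIGHTER = """
S_RFC ACTVT 16
S_RFC RFC_NAME *
S_RFC RFC_TYPE FUGR
S_TCODE TCD /VIRSA/VFAT,SU01
S_USER_GRP ACTVT 02,03
S_USER_GRP CLASS *
"""
# Constructed connector role: S_DEVELOP omitted, RFC_NAME opened to every function group.
WEAK_SPM_RFC = """
S_RFC ACTVT 16
S_RFC RFC_NAME *
S_RFC RFC_TYPE FUGR
GRCFF_0001 ACTVT *
GRCFF_0002 VIRSAFAT *
"""

if __name__ == "__main__":
    for name, export, req in (("good firefighter", GOOD_FIREFIGHTER, REQUIRED_FIREFIGHTER),
                              ("weak firefighter", WEAK_FIREFIGHTER, REQUIRED_FIREFIGHTER),
                              ("weak SPM RFC connector", WEAK_SPM_RFC, REQUIRED_SPM_RFC)):
        auths = parse_role_export(export)
        missing, broad = check_role(auths, req)
        print(f"{name}: missing={missing} over-broad={broad} SU01={grants_su01(auths)}")
```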
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver-delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer tab | Configuration
ViewApprove | Permission to approve request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for each of these roles.
REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do The
VIRSA_CC_ADMINISTRATOR role includes all actions The other roles contain subsets of these
permissions
VIRSA_CC_ADMINISTRATOR
The following table lists the actions
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3952
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
Clear Alert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to business processes Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
ExportRules Permission to export rules Rule Architect
GenerateAlert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. Alert Monitor
ViewBgJobLog Permission to view the user's own background jobs Informer & Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer & Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following table lists the actions for the roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view the Connector Configuration Change Log report Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary report Reports
ReasonActivityReport Permission to view the Reason Activity report Reports
SessionSummaryReport Permission to view the Session Summary report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group:
Relevant for all target groups
Current version:
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
Consultants
System administrators
Project teams for implementations or upgrades
Current version:
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
Technology consultants
Solution consultants
Project teams for implementations
Current version:
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
Solution consultants
Project teams for implementations or upgrades
Current version:
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
System administrators
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
Consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example / Description
<Example>: Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example → Example: Arrows separating the parts of a navigation path, for example, menu options.
Example: Emphasized words or expressions.
Example: Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com: Textual cross-references to an internet address.
/example: Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456: Hyperlink to an SAP Note, for example, SAP Note 123456.
Example: Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Cross-references to other documentation or published works.
Example: Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE: Keys on the keyboard.
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides.
Destination Type Authorizations Comments
... the solutions provided by SAP partners such as Green Light Technologies
4.4 Integration into Single Sign-On Environments
Authentication provides a way of verifying the user's identity before the user accesses the portal. The system authenticates the user and issues an SAP logon ticket to access all the applications, information, and services in Access Control using Single Sign-On. Since AC capabilities may contain sensitive data, it is imperative that access to the data is authenticated.
Access Control Single Sign-On (SSO) uses SAP Web Dynpro for the Launch Pad that users open to log on to Access Control. The Launch Pad uses the NetWeaver Server UME configuration for SSO logon for the Access Control capabilities available from the Launch Pad. Three of the four Access Control capabilities use single sign-on: Compliant User Provisioning, Enterprise Role Management, and Risk Analysis and Remediation.
NOTE
Superuser Privilege Management is not configured for single sign-on because firefighters must use a firefighter ID to log on to the system. If you specify a user ID as a firefighter ID, the firefighter can no longer use that ID for other login purposes. The temporary provisioning that is the basis for Superuser Privilege Management does not work with a single sign-on mechanism.
Access Control Single Sign-On (SSO) uses UME SAP Logon Tickets to allow users to access Access Control capabilities. The user must be assigned the proper UME roles to access each component. If the user does not have the proper UME roles, the component is grayed out on the Launch Pad. The ticket is session-based: it is only available from the session that created it. If the user launches a second session, the logon ticket no longer applies; the system creates a new ticket.
For more information, see SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.
NOTE
If a new user is created and a password change is required on the first logon, then an information message displays as follows: "Password Expired. Please login to UME to reset the password." As a workaround, you can use the Single Sign-On Launch Pad to reset your password. The Launch Pad provides a prompt for password change.
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concepts. Therefore, the security recommendations and guides for user administration and authentication described in the SAP NetWeaver Application Server ABAP Security Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access Control, see the sections below. In addition, we provide a list of the standard users required for operating Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that users who perform tasks interactively have to change passwords on a regular basis, while other types of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
Use the SAP GUI for configuring and administering Access Control
Access the NetWeaver Business Client
Communication Users
Use the Access Control workflow
RTAs: use RFC connections to connect to the BI systems
Service Users
Connect the front end ABAP session to the back end ABAP session
RTAs: use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control User's Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool Description
Transaction SU01 Use SU01 for ABAP user maintenance: create and update users and user authorizations.
Transaction PFCG (Profile Generator) Use PFCG for ABAP role maintenance: create and update authorization profiles.
User Management Administration Console Use the UME for Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc; choose Access Control → SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR
This is the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR
This role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSASVFAT_ADMINISTRATOR
This is the administrator for both delivered ID-based and role-based roles.
Delivered Roles / Key Tasks / Description
VIRSAZ_VFAT_ADMINISTRATOR
Key tasks: Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox.
Description: Administrators control most firefighter activities.
VIRSAZ_VFAT_ID_OWNER
Key tasks: Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications.
Description: The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER
Key tasks: Base user authorizations required to log on as a firefighter.
Description: The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles / Key Tasks / Description
VIRSAVFAT_ROLE_ADMINISTRATOR
Key tasks: Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox.
Description: Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER
Key tasks: Assign firefighter roles to firefighters; view log reports; receive e-mail notifications.
Description: The owner role assigns authorizations for users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER
Key tasks: Receive notifications; view log reports.
Description: The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object (Authorization Field): Available Values
GRCFF_0001 (ACTVT): 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 (VIRSAFAT):
CNTR – Controller. This is who maintains the controller table for firefighter roles.
FFER – Firefighter. This value is required to add or delete a firefighter from firefighter roles.
LGDN – Log Download. You can download logs via Administration → Archive.
LGDS – Log Delete. You can delete logs via Administration → Archive.
LGUP – Log Upload. You can upload logs via Administration → Archive.
OWNR – Owner. This is who maintains the owner table for firefighter roles.
S_DATA_SET (ACTVT): 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET (ACTVT, FILE_NAME, PROGRAM): VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM (P_ACTION): SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM (P_GROUP): ZVFAT
GRCFF_0001 (ACTVT)
GRCFF_0002 (VIRSAFAT)
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAFAT, VIRSAZFAT_V02
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZV&ZV
S_DATA_SET (ACTVT, FILE_NAME, PROGRAM): VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 (VIRSAFAT)
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZV&ZV
S_PROGRAM (P_ACTION): SUBMIT, BTCSUBMIT
S_PROGRAM (P_GROUP): ZVFAT
S_BTCH_JOB (JOBACTION, JOBGROUP): RELE
S_DATA_SET (ACTVT, FILE_NAME, PROGRAM): VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0001 (ACTVT): 81
S_TCODE (TCD): VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZVD, ZVE
S_PROGRAM (P_ACTION): SUBMIT, BTCSUBMIT
S_PROGRAM (P_GROUP): ZVFAT
S_BTCH_JOB (JOBACTION, JOBGROUP): RELE
GRCFF_0001 (ACTVT): 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 (VIRSAFAT): LGDN, LGDS, LGUP
S_TCODE (TCD): VIRSAVFAT
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZVD, ZVE
GRCFF_0001 (ACTVT): 02, 03
GRCFF_0002 (VIRSAFAT): CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAVFAT
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZVD, ZVE
GRCFF_0001 (ACTVT): 02, 03
GRCFF_0002 (VIRSAFAT): CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET (ACTVT)
S_DATA_SET (FILE_NAME): None
S_DATA_SET (PROGRAM): VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM (P_ACTION): BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM (P_GROUP): ZVFAT
GRCFF_0001 (ACTVT)
GRCFF_0002 (VIRSAFAT): CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER.
Object (Authorization Field): Values
S_RFC (ACTVT): 16
S_RFC (RFC_NAME): SYST
S_RFC (RFC_TYPE): FUGR
S_TCODE (TCD): VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object (Authorization Field): Values
S_USER_GRP (ACTVT): 02, 03, 05
S_USER_GRP (Group, i.e. CLASS): [user group of the FFIDs]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER.
Object (Authorization Field): Values
S_TCODE (TCD): VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB (JOBACTION, JOBGROUP): RELE
S_TABU_DIS (ACTVT): 02, 03
S_TABU_DIS (DICBERCLS): ZV&X, ZV&Y
S_PROGRAM (P_ACTION): SUBMIT, BTCSUBMIT
S_PROGRAM (P_GROUP): ZVFAT
GRCFF_0001 (ACTVT): 02, 03, 81
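The tables in this section give the exact objects and values a custom SPM role must carry, the note on firefighter IDs allows an asterisk on CLASS only as a fallback, and the guide advises against granting SU01 alongside firefighter access. The following checker is an added example written for this page, not SAP code: it compares a candidate role (the hypothetical roles Z_FF_OWNER_GOOD and Z_FF_OWNER_SLOPPY are constructed here) with the VFAT_ROLE_OWNER table transcribed from above, reports missing values, flags asterisk grants for review, and flags SU01; the same function accepts any of the required tables in this section.

```python
"""Check a custom SPM back-end role against the guide's required authorizations.
Added example for this page, not SAP code.  The required-values table is
transcribed from the VFAT_ROLE_OWNER table in section 5.1.1; the candidate
roles are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Role authorizations are modelled as {object: {field: {values}}}, the shape a
# PFCG role download (or an AGR_1251 extract) reduces to.
RoleAuths = Dict[str, Dict[str, Set[str]]]

# Transcribed from the guide's VFAT_ROLE_OWNER table (object -> field -> values).
VFAT_ROLE_OWNER_REQUIRED: RoleAuths = {
    "S_TCODE": {"TCD": {"VIRSAVFAT"}},
    "S_TABU_DIS": {"ACTVT": {"02", "03"}, "DICBERCLS": {"ZVD", "ZVE"}},
    "GRCFF_0001": {"ACTVT": {"02", "03"}},
    "GRCFF_0002": {"VIRSAFAT": {"CNTR", "FFER", "LGDN", "LGDS", "LGUP"}},
}

# The guide recommends not granting SU01 to users holding firefighter access.
FORBIDDEN_TCODES: Set[str] = {"SU01"}


@dataclass(frozen=True)
class Finding:
    kind: str     # "missing", "wildcard" or "forbidden"
    obj: str      # authorization object, e.g. GRCFF_0002
    field: str    # authorization field, e.g. VIRSAFAT
    detail: str   # the values concerned, space separated


def covers(granted: Set[str], needed: str) -> bool:
    """True when a granted value matches `needed` exactly or by a trailing-asterisk
    pattern (PFCG accepts values such as ZV* or a bare *)."""
    return any(g == needed or (g.endswith("*") and needed.startswith(g[:-1]))
               for g in granted)


def check_role(role: RoleAuths,
               required: RoleAuths = VFAT_ROLE_OWNER_REQUIRED,
               forbidden_tcodes: Set[str] = FORBIDDEN_TCODES) -> List[Finding]:
    """Compare a candidate role with the required table.  Returns an empty list
    when every required value is present, nothing is granted through an
    asterisk, and no forbidden transaction is reachable."""
    findings: List[Finding] = []
    for obj, fields in required.items():
        for field, needed in fields.items():
            granted = role.get(obj, {}).get(field, set())
            # An asterisk satisfies the requirement but widens the role far
            # beyond the table, so it is reported for review, not accepted.
            patterns = sorted(g for g in granted if "*" in g)
            if patterns:
                findings.append(Finding("wildcard", obj, field, " ".join(patterns)))
            missing = sorted(v for v in needed if not covers(granted, v))
            if missing:
                findings.append(Finding("missing", obj, field, " ".join(missing)))
    tcodes = role.get("S_TCODE", {}).get("TCD", set())
    for tcode in sorted(forbidden_tcodes):
        if covers(tcodes, tcode):  # also true when TCD carries a bare asterisk
            findings.append(Finding("forbidden", "S_TCODE", "TCD", tcode))
    return findings


def report(role_name: str, findings: List[Finding]) -> List[str]:
    """Render findings one per line; a compliant role yields a single OK line."""
    if not findings:
        return [f"{role_name}: OK, matches the required authorizations"]
    return [f"{role_name}: {f.kind} {f.obj}/{f.field} {f.detail}" for f in findings]


# Constructed candidate roles (hypothetical names, not delivered SAP roles).
Z_FF_OWNER_GOOD: RoleAuths = {
    "S_TCODE": {"TCD": {"VIRSAVFAT"}},
    "S_TABU_DIS": {"ACTVT": {"02", "03"}, "DICBERCLS": {"ZVD", "ZVE"}},
    "GRCFF_0001": {"ACTVT": {"02", "03"}},
    "GRCFF_0002": {"VIRSAFAT": {"CNTR", "FFER", "LGDN", "LGDS", "LGUP"}},
}
Z_FF_OWNER_SLOPPY: RoleAuths = {
    "S_TCODE": {"TCD": {"VIRSAVFAT", "SU01"}},             # user maintenance granted
    "S_TABU_DIS": {"ACTVT": {"*"}, "DICBERCLS": {"ZVD"}},  # asterisk; ZVE missing
    "GRCFF_0001": {"ACTVT": {"02", "03"}},
    "GRCFF_0002": {"VIRSAFAT": {"CNTR", "FFER", "LGDN", "LGDS"}},  # LGUP missing
}

if __name__ == "__main__":
    for name, role in (("Z_FF_OWNER_GOOD", Z_FF_OWNER_GOOD),
                       ("Z_FF_OWNER_SLOPPY", Z_FF_OWNER_SLOPPY)):
        print("\n".join(report(name, check_role(role))))
```

To check a different delivered role, pass its transcribed table as `required`; the checker reads the same {object: {field: values}} shape for all of them.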
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed
via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSASZ_CC_REPORTING
VIRSSAZ_CC_SECRITY_ADMIN
VIRSA_Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles see the Role Expert documentation on SAP Help
Portal at httphelpsapcom
5.4 Delivered RFC Back-End Roles and Authorizations

Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:

VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Mediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles

You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values listed in the tables that follow.

5.5.1 RFC Authorization Roles for CUP

The Compliant User Provisioning RFC connector role requires the following objects and values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP |
S_USER_SAS | | CLASS |
S_USER_SAS | | PROFILE |
S_USER_SAS | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP |
P_TCODE | HR: transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM

The Enterprise Role Management RFC connector role requires the following objects and field values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT |
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYPE |
5.5.3 RFC Authorization Values for RAR

The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYPE | 1000, 1001
PLOG | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.4 RFC Authorization Values for SPM

The Superuser Privilege Management RFC connector role requires the following objects and values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
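Section 5.5 asks you to give a custom RFC role exactly the objects and values in the tables above. The following Python script is an added example (not part of this guide) of checking a custom role against the SPM table: it reports required values that no granted value covers (the connector will fail), granted values containing a wildcard (they cover more than the table asks for), and exact values the table does not list (a least-privilege review point). The REQUIRED_SPM map is transcribed from the 5.5.4 table, leaving out the fields printed there without a value; the role CUSTOM_ROLE is a constructed sample shaped like an export of a role's authorization data as (object, field, value) triples, and the trailing-asterisk prefix matching is the usual SAP authorization value convention.

```python
"""Check a custom SPM RFC connector role against the required values in 5.5.4.

Added example, not from the SAP guide. REQUIRED_SPM is transcribed from the
table above (fields listed there without a value are not checked).
CUSTOM_ROLE is a constructed sample shaped like an export of a role's
authorization data as (object, field, value) triples.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Auth = Tuple[str, str, str]  # (authorization object, field, value)

REQUIRED_SPM: Dict[Tuple[str, str], Set[str]] = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF",
                            "SDTX", "SDIRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_DEVELOP", "ACTVT"): {"16"},
    ("S_DEVELOP", "DEVCLASS"): {"VIRSA"},
    ("S_DEVELOP", "OBJNAME"): {"VIRSA"},
    ("S_DEVELOP", "OBJTYPE"): {"FUGR"},
}

# Constructed sample: a customer-built connector role with three typical defects.
CUSTOM_ROLE: List[Auth] = [
    ("S_RFC", "ACTVT", "16"),
    ("S_RFC", "RFC_NAME", "VIRSA*"),      # prefix pattern instead of the two named function groups
    *[("S_RFC", "RFC_NAME", g) for g in
      ("RFC1", "SDIF", "SDTX", "SDIRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU")],
    # BAPT is missing from RFC_NAME
    ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_DEVELOP", "ACTVT", "16"),
    ("S_DEVELOP", "ACTVT", "02"),         # change access the connector does not need
    ("S_DEVELOP", "DEVCLASS", "VIRSA"),
    ("S_DEVELOP", "OBJNAME", "VIRSA"),
    ("S_DEVELOP", "OBJTYPE", "FUGR"),
]


def covers(granted: str, needed: str) -> bool:
    """SAP authorization value match: exact, or a trailing '*' used as a prefix pattern."""
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed


def index_role(auths: Iterable[Auth]) -> Dict[Tuple[str, str], Set[str]]:
    """Group a role's authorization triples by (object, field)."""
    idx: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for obj, field, value in auths:
        idx[(obj, field)].add(value)
    return idx


def check_role(auths: Iterable[Auth], required=REQUIRED_SPM) -> Dict[str, List[str]]:
    """Compare a role with the required table.

    missing   - required values that no granted value covers
    overbroad - granted values containing '*' (cover more than the table asks for)
    extra     - exact granted values the table does not list
    """
    idx = index_role(auths)
    findings: Dict[str, List[str]] = {"missing": [], "overbroad": [], "extra": []}
    for (obj, field), needed in required.items():
        have = idx.get((obj, field), set())
        for v in needed:
            if not any(covers(g, v) for g in have):
                findings["missing"].append(f"{obj}/{field}={v}")
    for (obj, field), have in idx.items():
        needed = required.get((obj, field), set())
        for g in have:
            if "*" in g:
                findings["overbroad"].append(f"{obj}/{field}={g}")
            elif g not in needed:
                findings["extra"].append(f"{obj}/{field}={g}")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, items in check_role(CUSTOM_ROLE).items():
        print(f"{kind}: {items}")
```

The same function serves the CUP, ERM, and RAR connector roles once their tables are transcribed into a `required` map; objects such as GRCFF_0001, for which the guide prints no value, should be added to the map only after you have decided on a value, because an empty set in the map would make the check accept anything for that field.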
6 Delivered Front-End Roles and Permissions

The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions. Each capability contains a set of delivered roles with recommended authorizations and actions.

6.1 Updating Roles and Permissions from Support Packages

Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:

If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.

6.2 Customizing the Front-End Roles

The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
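Sections 6.1 and 6.2 together describe a recurring task: after a support package, a custom UME role has to be compared with the delivered role it was derived from, and any custom role should stay a subset of the administrator role. The following Python script is an added example (not part of this guide) of that comparison for Risk Analysis and Remediation. The action sets are transcribed from the RAR tables in section 6.2.3 (the administrator set is abbreviated to the actions the example needs); CUSTOM_REPORT_ROLE is a constructed sample of a customer-built reporting role, and the prefix list used to recognise data-changing actions is an assumption based on the naming pattern in those tables.

```python
"""Review a custom front-end (UME) role against the delivered RAR roles.

Added example, not from the SAP guide. The two action sets are transcribed
from the Risk Analysis and Remediation tables in section 6.2.3 (the
administrator set is abbreviated); CUSTOM_REPORT_ROLE is a constructed sample.
"""
import re
from typing import Dict, Iterable, List, Set

# Delivered reporting role VIRSA_CC_REPORT (section 6.2.3).
VIRSA_CC_REPORT: Set[str] = {
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
    "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
}
# Part of VIRSA_CC_ADMINISTRATOR (section 6.2.3); the delivered role has many more actions.
VIRSA_CC_ADMINISTRATOR: Set[str] = VIRSA_CC_REPORT | {
    "ChangeRisks", "CreateRisks", "DeleteRisks", "ChangeMitCntl", "ImportRules",
    "ExportRules", "GenerateAlert", "ManageDeletionAllRules", "ViewConfiguration",
    "ViewRuleArchitect", "ViewBGJobsforAllUsers",
}

# Assumption: action names with these prefixes change data or configuration.
WRITE_PREFIX = re.compile(r"^(Change|Create|Delete|Import|Export|Generate|Manage)")
# "View" actions the guide documents as granting execute rights: in RAR,
# ViewConfiguration lets the user execute every action on the Configuration tab.
PRIVILEGED_VIEW_ACTIONS = {"ViewConfiguration"}


def is_write_action(action: str) -> bool:
    """True for actions that modify data or configuration rather than display it."""
    return bool(WRITE_PREFIX.match(action)) or action in PRIVILEGED_VIEW_ACTIONS


def review_custom_role(custom: Iterable[str], baseline: Set[str], admin: Set[str]) -> Dict[str, List[str]]:
    """Compare a custom role with the delivered role it was copied from.

    missing_from_baseline - actions the delivered role has (for example added by
                            a support package, see 6.1) that the custom role lacks
    unknown               - actions the administrator role does not contain at all,
                            usually typos or actions of another capability
    write_actions         - actions beyond the baseline that modify data or configuration
    """
    custom_set = set(custom)
    return {
        "missing_from_baseline": sorted(baseline - custom_set),
        "unknown": sorted(custom_set - admin),
        "write_actions": sorted(a for a in custom_set - baseline if is_write_action(a)),
    }


# Constructed sample: a reporting role that has drifted from VIRSA_CC_REPORT.
CUSTOM_REPORT_ROLE = [
    "RunAuditReports", "RunRiskAnalysis", "ViewAlertMonitor", "ViewInformer",
    "ViewMgmtReport",
    "ChangeRisks",        # write action a reporting role should not carry
    "ViewMitigaton",      # misspelling of ViewMitigation: not an action the administrator role has
    "ViewConfiguration",  # "View" in the name, but executes all configuration actions
]

if __name__ == "__main__":
    result = review_custom_role(CUSTOM_REPORT_ROLE, VIRSA_CC_REPORT, VIRSA_CC_ADMINISTRATOR)
    for kind, items in result.items():
        print(f"{kind}: {items}")
```

The `PRIVILEGED_VIEW_ACTIONS` set is the part worth keeping up to date: the tables in this chapter show that a "View" prefix does not always mean read-only (RAR's ViewConfiguration and SPM's ViewConfigurationTab both grant change rights), so a purely name-based classification would miss them.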
6.2.1 Delivered Front-End Roles and Permissions for CUP

Compliant User Provisioning includes the following delivered roles:

AEADMIN
AESecurity
AEApprover

You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions; the other roles contain subsets of these permissions.

AEAdmin

The following are the actions for the AEAdmin role:
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generated requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search the change log | Configuration
ViewApprove | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve a request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define a delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover

The following are the actions for the AESecurity and AEApprover delivered roles:

AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front-End Roles and Permissions for ERM

Enterprise Role Management includes the following delivered roles:

READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator

You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN

The following table lists the actions for the role:

Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button in Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission for Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator

The following lists the actions for these roles:

REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystem‌Logs
6.2.3 Delivered Front-End Roles and Permissions for RAR

Risk Analysis and Remediation includes the following delivered roles:

VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER

You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.

VIRSA_CC_ADMINISTRATOR

The following table lists the actions:
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create business processes | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSAS_CC_BUSINESS_OWNER

The following lists the actions for these roles:

VIRSA_CC_SECURITY_ADMIN:
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect

VIRSA_CC_REPORT:
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation

VIRSA_CC_BUSINESS_OWNER:
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front-End Roles and Permissions for SPM

SAP does not deliver a front-end role for SPM. The following table lists an example role and the actions required for an administrator.

FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels. A collective security guide is available for SAP NetWeaver. This document contains
general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable
units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution, and follow-up of an implementation. It also provides references to other documents, such
as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into
account the combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business scenarios, business processes, and
implementable steps. It contains Customizing activities, transactions, and so on, as well as
documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The
Customizing activities and their documentation are structured from a functional perspective. (In order
to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager,
which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring,
backup/restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of
an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the
combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release. Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 1805 34 34 34, F +49 1805 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: https://service.sap.com, http://service.sap.com/securityguide, http://service.sap.com/instguides
4.5 Data Storage Security
Master data and transaction data is stored in the ABAP and Java dictionary database on the SAP system
on which Access Control has been installed.
Access Control can optionally use the NetWeaver Business Client as the front end, which uses
non-persistent session cookies for data storage.
4.6 User Administration and Authentication
Access Control user administration uses the mechanisms provided by SAP NetWeaver, such as user
types, tools, and the password concepts. Therefore the security recommendations and guides for user
administration and authentication described in the SAP NetWeaver Application Server ABAP Security
Guide and the NetWeaver Application Server Java Security Guide also apply to Access Control.
4.6.1 User Management
User management for Access Control uses the mechanisms provided with the SAP NetWeaver
Application Server for ABAP and for Java. For an overview of how these mechanisms apply to Access
Control, see the sections below. In addition, we provide a list of the standard users required for operating
Access Control.
4.6.2 User Types
Different types of users often require different security types. For example, your policy may specify that
users who perform tasks interactively have to change passwords on a regular basis, while other types
of users may not need to change passwords with the same frequency.
The user types that are required for Access Control include:
Dialog Users
  Use the SAP GUI for configuring and administering Access Control
  Access the NetWeaver Business Client
Communication Users
  Use the Access Control workflow
  RTAs use RFC connections to connect to the BI systems
Service Users
  Connect the front end ABAP session to the back end ABAP session
  RTAs use RFC connections to connect to the BI systems
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more
information, see the Access Control User's Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles
User Management Administration Console | Use UME for Java user and role maintenance
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service
Marketplace at http://service.sap.com/instguides > SAP BusinessObjects > SAP BusinessObjects
Governance, Risk, Compliance (GRC) > Access Control > SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the
delivered roles, briefly describes their relevance to business requirements, and lists the available tasks
for each.
In addition to the Access Control specific security functions, Access Control user administration and
authorization leverages the user management and authorization features of the SAP NetWeaver®
platform and the SAP NetWeaver Application Server ABAP and Java. Therefore the recommendations
and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology
also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3
Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control >
SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
/VIRSA/Z_VFAT_ADMINISTRATOR
This is the administrator for ID-based firefighting.
/VIRSA/VFAT_ROLE_ADMINISTRATOR
This role can perform administrator tasks for both ID-based and role-based firefighting.
/VIRSA/VFAT_ADMINISTRATOR
This is the administrator for both delivered ID-based and role-based roles.
Delivered ID-based Roles
Delivered Roles | Key Tasks | Description
/VIRSA/Z_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities
/VIRSA/Z_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
/VIRSA/Z_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
/VIRSA/VFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
/VIRSA/VFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
/VIRSA/VFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects
and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for
back end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value of * (asterisk) indicate that the object contains all available
values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR - Controller: the user who maintains the controller table for firefighter roles; FFER - Firefighter: required to add or delete a firefighter from firefighter roles; LGDN - Log Download: download logs via Administration > Archive; LGDS - Log Delete: delete logs via Administration > Archive; LGUP - Log Upload: upload logs via Administration > Archive; OWNR - Owner: the user who maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | *
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
GRCFF_0002 | VIRSAFAT | *
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE (JOBACTION)
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE (PROGRAM)
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE (JOBACTION)
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (Group) | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group.
If it is not possible to change or assign a user group to the Firefighter IDs, then a value of *
can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above
authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should
also have an ID in the CUA system with the above.
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE (JOBACTION)
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RA Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator
4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed
via the Enterprise Portal. For security purposes, we recommend you lock access to the following back
end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on
SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For
Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via
the Enterprise Portal. For security purposes, we recommend you lock access to the following back end
roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help
Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector
with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each
capability. You can use the default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions,
and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE | *
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for Central User Maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | VIRSAFAT | *
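A check of the kind the SPM connector table above and the firefighter note in section 5.1.1 invite, added here as an example and not SAP's own code: it compares a role's authorization rows, as PFCG or SUIM list them, against the documented minimum for the SPM RFC connector role and flags full-wildcard grants and transaction SU01. The Auth rows, both sample roles, and the prefix-wildcard handling are constructed for this example; SPM_RFC_REQUIRED covers only the S_RFC and S_DEVELOP rows of the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    """One authorization row as PFCG or SUIM list it: object, field, value."""
    obj: str
    field: str
    value: str


# Minimum values for the SPM RFC connector role, taken from the S_RFC and
# S_DEVELOP rows of the table above. Keys are (authorization object, field).
SPM_RFC_REQUIRED = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {
        "/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF", "SDTX",
        "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU",
    },
    ("S_DEVELOP", "ACTVT"): {"16"},
    ("S_DEVELOP", "OBJTYPE"): {"FUGR"},
}

# A full wildcard on these fields turns a narrow connector role into a general one.
OVERBROAD = {
    ("S_RFC", "RFC_NAME"): "*",  # every RFC-enabled function group
    ("S_TCODE", "TCD"): "*",     # every transaction
}

# Section 5.1.1 recommends not granting SU01 to users who hold the firefighter
# authorizations (from SP07 they already carry S_USER_GRP for the FFID group).
FORBIDDEN_TCODES = {"SU01"}


def covers(granted: str, needed: str) -> bool:
    """SAP-style value match: '*' alone or a trailing '*' is a prefix wildcard."""
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed


def index_auths(auths):
    """Group a role's granted values by (object, field)."""
    by_key = {}
    for a in auths:
        by_key.setdefault((a.obj, a.field), set()).add(a.value)
    return by_key


def check_role(auths, required=SPM_RFC_REQUIRED):
    """Compare a role's rows with the documented minimum.

    Returns the values still missing per (object, field), the (object, field)
    pairs granted with a full wildcard, and any forbidden transaction codes.
    """
    by_key = index_auths(auths)
    missing = {}
    for key, needed in required.items():
        granted = by_key.get(key, set())
        gaps = {n for n in needed if not any(covers(g, n) for g in granted)}
        if gaps:
            missing[key] = gaps
    overbroad = sorted(k for k, star in OVERBROAD.items() if star in by_key.get(k, set()))
    forbidden = sorted(FORBIDDEN_TCODES & by_key.get(("S_TCODE", "TCD"), set()))
    return {"missing": missing, "overbroad": overbroad, "forbidden_tcodes": forbidden}


def rows(obj, field, values):
    """Build Auth rows for one (object, field) from a list of values."""
    return [Auth(obj, field, v) for v in values]


# Constructed sample: a connector role that follows the table, using the
# namespace prefix /VIRSA/* to cover the two /VIRSA/ function groups.
GOOD_ROLE = (
    rows("S_RFC", "ACTVT", ["16"])
    + rows("S_RFC", "RFC_TYPE", ["FUGR"])
    + rows("S_RFC", "RFC_NAME", ["/VIRSA/*", "BAPT", "RFC1", "SDIF", "SDTX",
                                 "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"])
    + rows("S_DEVELOP", "ACTVT", ["16"])
    + rows("S_DEVELOP", "OBJTYPE", ["FUGR"])
)

# Constructed sample: a role that makes the connector work but grants far more.
SLOPPY_ROLE = (
    rows("S_RFC", "ACTVT", ["16"])
    + rows("S_RFC", "RFC_TYPE", ["FUGR"])
    + rows("S_RFC", "RFC_NAME", ["*"])
    + rows("S_TCODE", "TCD", ["SU01", "/VIRSA/VFAT"])
)

if __name__ == "__main__":
    for name, role in (("good", GOOD_ROLE), ("sloppy", SLOPPY_ROLE)):
        print(name, check_role(role))
```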
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME
to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate
the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and
actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of
the authorizations. When creating custom roles, refer to the actions and values listed for the
administration roles in the following tables.
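The bookkeeping that sections 6.1 and 6.2 ask for, as an added example that is not SAP's own tooling: it reads two exported UME action lists for a delivered role, one from before and one from after a support package, reports which actions a custom role cloned from it must add or drop by hand, and checks that a custom role stays within the administration role's action set. The one-action-per-line export format, the post-support-package list, the custom role and the administration reference set are constructed; the pre-support-package list is the VIRSA_CC_REPORT column from the table above.

```python
# Added example: keep custom UME front-end roles in step with the delivered ones
# after a support package (sections 6.1 and 6.2). Export format is an assumption.


def parse_actions(export_text: str) -> set:
    """Read a role's UME actions from a text export, one action name per line.
    Blank lines and lines starting with '#' are ignored."""
    actions = set()
    for raw in export_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            actions.add(line)
    return actions


def outside_admin(custom: set, admin: set) -> list:
    """Actions a custom role carries that the administration role does not.
    Section 6.2 says custom roles are built from the administration role's
    action list, so anything reported here was not taken from the delivered tables."""
    return sorted(custom - admin)


def support_package_delta(old_delivered: set, new_delivered: set, custom: set) -> dict:
    """What changed in a delivered role between two support packages, and what a
    custom role cloned from it still has to change by hand (section 6.1)."""
    added = new_delivered - old_delivered
    removed = old_delivered - new_delivered
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "custom_must_add": sorted(added - custom),
        "custom_must_drop": sorted(removed & custom),
    }


# Constructed export: the VIRSA_CC_REPORT actions listed in the table above.
OLD_REPORT_EXPORT = """# VIRSA_CC_REPORT, before the support package
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
"""

# Constructed export: a hypothetical post-support-package version of the same role.
NEW_REPORT_EXPORT = """# VIRSA_CC_REPORT, after the support package (constructed)
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
"""

# Constructed export: a custom role cloned from the old list, plus one action
# (hypothetical name) that appears in no delivered role on this page.
CUSTOM_REPORT_EXPORT = """# Z_CC_REPORT_CUSTOM (constructed)
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ExportAuditTrail
"""

# Stand-in for the administration role's full action list (6.2): an excerpt of the
# VIRSA_CC_SECURITY_ADMIN and VIRSA_CC_REPORT columns from the table above.
ADMIN_ACTIONS = {
    "ChangeBP", "ChangeRisks", "ChangeRuleSet", "CreateRisks", "DeleteAlert",
    "ExportMitigationData", "ExportRules", "GenerateAlert", "ImportRules",
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports", "ViewAlertMonitor",
    "ViewBgJobLog", "ViewConfiguration", "ViewInformer", "ViewMgmtReport",
    "ViewMitigation", "ViewRuleArchitect",
}

if __name__ == "__main__":
    old = parse_actions(OLD_REPORT_EXPORT)
    new = parse_actions(NEW_REPORT_EXPORT)
    custom = parse_actions(CUSTOM_REPORT_EXPORT)
    print("support package delta:", support_package_delta(old, new, custom))
    print("outside administration role:", outside_admin(custom, ADMIN_ACTIONS))
```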
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes
all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role:
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation in the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generating requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission for modifying the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration
Configuration
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
3252 PUBLIC 2011-12-27
Action Name Description Appears on This Tab
ModifyEnduserPersonalizationConfiguration Permission to modify Enduser Personalization Configuration
Configuration
ModifyHRTriggersConfiguration Permission to modify HR Triggers Configuration
Configuration
ModifyInitialSystemDataConfiguration Permission to modify Initial Data Configuration
Configuration
ModifyMiscellaneousConfiguration Permission to modify Miscellaneous Configuration
Configuration
ModifyMitigationConfiguration Permission to modify Mitigation Configuration
Configuration
ModifyNumberRangeConfiguration Permission to modify Number Range Configuration
Configuration
ModifyPasswordSelfServiceConfiguration Permission to modify Password Self Service Configuration
Configuration
ModifyProvisioningConfiguration Permission to modify Provisioning Configuration
Configuration
ModifyReaffirmsConfiguration Permission to modify Reaffirms Configuration
Configuration
ModifyRequestConfiguration Permission to modify Request Configuration
Configuration
ModifyRiskAnalysisConfiguration Permission to modify Risk Analysis Configuration
Configuration
ModifyRolesConfiguration Permission to modify Roles Configuration
Configuration
ModifyServiceLevelConfiguration Permission to modify Service Level Configuration
Configuration
ModifySupportConfiguration Permission to modify Support Configuration
Configuration
ModifyUserDefaultsConfiguration Permission to modify User Defaults Configuration
Configuration
ModifyUserSearchDataSourceConfiguration Permission to modify User Data Source Configuration
Configuration
ModifyWorkflowConfiguration Permission to modify User Defaults Configuration
Configuration
SearchChangeLog Permission to modify Workflow Configuration
Configuration
ViewAccessEnforcer Permission to search change log Configuration
ViewApprove Permission to view Access Enforcer Tab (Not displayed in a tab)
ViewApproverDelegation Permission to approve request in the approver view
Configuration
ViewAssignRolesProfiles Permission to define delegate approver for self
Configuration
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3352
Action Name Description Appears on This Tab
ViewchangeCADApprover Permission to provision roles and profiles in the back-end system from the approver view
(Not displayed in a tab)
ViewConfigApplicationLogAction Permission to view the Application Log in Configuration
Configuration
ViewConfigSystemLogAction Permission to view System Log in Configuration
Configuration
ViewConfiguration Permission to view Configuration Tab Configuration
ViewCopyRequest Permission to copy request from approver view
My Work
ViewCreateRequest Permission to create request from approver view
My Work
ViewDelegationReportAction Permission to view Delegation Report Informer
ViewForwardRequest Permission to forward request from the approver view
(Not displayed in a tab)
ViewHold Permission to put request on hold in the approver view
(Not displayed in a tab)
ViewIfCancelRiskViolationDetails Permission to view Informer Cancel Risk Violation Details
Informer
ViewIFChartAccessRequestAction Permission to view Informer Reports Access Request Chart View
Informer
ViewIFChartAccessProvisioningAction Permission to view Informer Reports Provisioning Chart View
Informer
ViewIFChartRiskViolationAction Permission to view Informer Reports Risk Violation Chart View
Informer
ViewIFChartServiceLevelAction Permission to view Informer Reports Service Level Chart View
Informer
ViewIFReportViewAction Permission to view Informer Report View
Informer
ViewIFRequestByStructProfilesAction Permission for viewing Informer Request By Structural Profiles
Informer
ViewIFRequestConflictsMitigationAction Permission for viewing Informer Request Conflicts and Mitigations
Informer
ViewIFRequestRoleOwnerAction Permission for viewing Informer Request Role Owner
Informer
ViewIFRequestServiceLevelAction Permission to view Informer Service Level
Configuration
ViewIfRiskViolationDetails Permission for viewing Informer Risk Violation Details
Informer
ViewIFRoleOwnerAction Permission for viewing Informer Role Owner
Informer
ViewInformer Permission to view Informer Tab Informer
ViewManageRejectionReasons Permission to view manage rejection reasons
Configuration
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
3452 PUBLIC 2011-12-27
Action Name Description Appears on This Tab
ViewManageRejections Permission to view manage rejections for UAR and SOD
Configuration
ViewMitigation Permission to mitigate a risk from risk analysis screen in the approver view
Configuration
ViewReaffirms Permission to reaffirms from approver view
My Work
ViewReject Permission to reject request in the approver view
My Work
ViewRemoveAccess Permission for viewing Remove Access Button on SOD Review page
(Not displayed in a tab)
ViewRequestsAdministration Permission for Requests Administration
Configuration
ViewRequstAuditTrails Permission to view request audit trail from the approver view
(Not displayed in a tab)
ViewReRoute Permission to reroute request from the approver view
(Not displayed in a tab)
ViewRiskAnalysis Permission to perform risk analysis from the approver view
(Not displayed in a tab)
ViewSaveRequest Permission fro viewing Save Request Button on SOD Review page
(Not displayed in a tab)
ViewSearchRequestAll Permission to search for all requests from approver view
(Not displayed in a tab)
ViewSelectPDProfiles Permission to select PD Profiles and add to request in the approver view
(Not displayed in a tab)
ViewSelectRoles Permission to select roles and add to the request in the approver view
(Not displayed in a tab)
ViewSODReviewHistoryReportAction Permission for viewing SOD Review Informer Report
Informer
ViewStaleRequests Permission to enter stale request details in the request view
(Not displayed in a tab)
ViewSubmitRequest Permission for viewing Submit Request Button on SOD Review page
(Not displayed in a tab)
ViewSuperAccess Permission to view Super Access Button (Not displayed in a tab)
ViewUARReviewHistoryReportAction Permission for viewing UAR Review Informer Report
Informer
ViewUpgradeAction Permission for Upgrade Configuration
Informer
ViewUserReviewStatusReportAction Permission to view user review status for CUP
Configuration
AESecurity and AEApprover
The following lists the actions for the AESecurity and AEApprover delivered roles.
AESecurity:
- CreateMitigationControl
- CreateSAPUser
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewAssignRolesProfiles
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRequstAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewUserReviewStatusReportAction
AEApprover:
- CreateMitigationControl
- ManageRejectionsCancelGenerationAction
- ManageRejectionsGenerateAction
- SeeSU01Fields
- ViewAccessEnforcer
- ViewApprove
- ViewApproverDelegation
- ViewCopyRequest
- ViewCreateRequest
- ViewForwardRequest
- ViewHold
- ViewManageRejectionReasons
- ViewManageRejections
- ViewMitigation
- ViewReaffirms
- ViewReject
- ViewRejectUsers
- ViewRemoveAccess
- ViewRequstAuditTrail
- ViewReRoute
- ViewRiskAnalysis
- ViewSaveRequest
- ViewSearchRequestAll
- ViewSelectPDProfiles
- ViewSelectRoles
- ViewSubmitRequest
- ViewSuperAccess
- ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform risk analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for these roles.
REBusinessUser:
- ViewChangeHistory
- ViewCompareRoles
- ViewInformer
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTransactionUsage
RERoleDesigner:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMitigateRisks
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage
RESecurity:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMitigateRisks
- ViewObjectsbyClass
- ViewObjectsbyTransaction
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage
RESuperUser:
- ViewAttachmenttoRoleDef
- ViewAuthorizationData
- ViewBackgroundJobs
- ViewChangeHistory
- ViewChangeRole
- ViewChangeRoleApprovers
- ViewCompareRoles
- ViewConfiguration
- ViewCreateRole
- ViewDeleteRole
- ViewDerivedRoles
- ViewGenerateRoles
- ViewInformer
- ViewMassMaintGenerate
- ViewMassMaintenance
- ViewMassMaintRiskAnalysis
- ViewMassMaintUpdate
- ViewMitigateRisks
- ViewObjectsbyClass
- ViewObjectsbyTransaction
- ViewRiskAnalysis
- ViewRoleApproval
- ViewRoleExpert
- ViewRoleLibrary
- ViewSearchRoles
- ViewTestResults
- ViewTransactionUsage
REConfigurator:
- ManageCache
- ViewApprovalCriteria
- ViewBackgroundJobs
- ViewBusinessProcess
- ViewConditionGroups
- ViewConfiguration
- ViewConfigurationSettingsImport
- ViewCustomFields
- ViewFunctionalArea
- ViewInitialSystemData
- ViewMassRoleImport
- ViewMethodology
- ViewMigration
- ViewMiscellaneousConfiguration
- ViewNamingConvention
- ViewOrgValueMapping
- ViewProcessMapping
- ViewProjectRelease
- ViewRoleExpert
- ViewRoleLibrary
- ViewRoleStatus
- ViewSubProcess
- ViewSystemLandscape
- ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
- VIRSA_CC_ADMINISTRATOR
- VIRSA_CC_SECURITY_ADMIN
- VIRSA_CC_REPORT
- VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer and Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer and Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute all actions within it | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for these roles.
VIRSA_CC_SECURITY_ADMIN:
- ChangeBP
- ChangeBUnit
- ChangeCrActions
- ChangeCrProfiles
- ChangeCrRoles
- ChangeFunction
- ChangeOrgRules
- ChangeRisks
- ChangeRuleSet
- CreateBP
- CreateCrActions
- CreateCrProfiles
- CreateCrRoles
- CreateFunction
- CreateOrgRules
- CreateRisks
- CreateRuleSet
- CreateSupplementRule
- DeleteAlert
- DeleteBP
- DeleteBUnit
- DeleteCrActions
- DeleteCrProfiles
- DeleteCrRoles
- DeleteFunction
- DeleteOrgRules
- DeleteRisks
- DeleteRuleSet
- DeleteSupplementRule
- ExportMitigationData
- ExportRules
- GenerateAlert
- ImportMitigationData
- ImportRules
- MassFuncMaint
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewBgJobLog
- ViewBGJobsForAllUsers
- ViewConfiguration
- ViewInformer
- ViewMgmtReport
- ViewMitigation
- ViewRuleArchitect
VIRSA_CC_REPORT:
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewInformer
- ViewMgmtReport
- ViewMitigation
VIRSA_CC_BUSINESS_OWNER:
- ChangeBUnit
- ChangeMitCntl
- ChangeMitHRObject
- ChangeMitProfile
- ChangeMitRole
- ChangeMitUser
- CreateBUnit
- CreateMitCntl
- CreateMitHRObject
- CreateMitProfile
- CreateMitRole
- CreateMitUser
- DeleteBUnit
- DeleteMitCntl
- DeleteMitHRsObject
- DeleteMitProfile
- DeleteMitRole
- DeleteMitUser
- RunAuditReports
- RunRiskAnalysis
- RunSecurityReports
- ViewAlertMonitor
- ViewInformer
- ViewMgmtReport
- ViewMitigation
- ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the actions an administrator requires.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases of the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group:
- Relevant for all target groups
Current version:
- On SAP Help Portal at http://help.sap.com -> Glossary
- In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
- Consultants
- System administrators
- Project teams for implementations or upgrades
Current version:
- On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver; it contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group:
- Technology consultants
- Solution consultants
- Project teams for implementations
Current version:
- In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (To configure a whole system landscape from a process-oriented perspective, SAP Solution Manager is used; it refers to the relevant Customizing activities in the individual SAP systems.)
Target group:
- Solution consultants
- Project teams for implementations or upgrades
Current version:
- In the SAP menu of the SAP system under Tools -> Customizing -> IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group:
- System administrators
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
- Consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/releasenotes
- In the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example -> Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options
 | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths; names of variables and parameters; and names of installation, upgrade and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 34, F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following address: https://service.sap.com/securityguide (also reachable via http://service.sap.com/instguides).
4.6.3 User Administration Tools
Access Control uses user and role maintenance from SAP Web AS ABAP or SAP Web AS Java. For more information, see the Access Control Users Guide.
The following table shows the user administration tools available to manage users.
User Administration Tool | Description
Transaction SU01 | Use SU01 for ABAP user maintenance: create and update users and user authorizations.
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance: create and update authorization profiles.
User Management Administration Console | Use UME for Java user and role maintenance.
4.7 Trace and Log Files
For more information, see the SAP BusinessObjects GRC Access Control 5.3 Operations Guide on Service Marketplace at http://service.sap.com/instguides → SAP BusinessObjects → SAP BusinessObjects Governance, Risk, Compliance (GRC) → Access Control → SAP GRC Access Control 5.3.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control → SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
/VIRSA/Z_VFAT_ADMINISTRATOR: This is the administrator for ID-based firefighting.
/VIRSA/VFAT_ROLE_ADMINISTRATOR: This role can perform administrator tasks for both ID-based and role-based firefighting.
/VIRSA/VFAT_ADMINISTRATOR: This is the administrator for both delivered ID-based and role-based roles.
Delivered ID-based Roles
Delivered Role | Key Tasks | Description
/VIRSA/Z_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
/VIRSA/Z_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
/VIRSA/Z_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Role | Key Tasks | Description
/VIRSA/VFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
/VIRSA/VFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
/VIRSA/VFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value of * (asterisk) indicate the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR Controller: this is who maintains the controller table for firefighter roles
    FFER Firefighter: this value is required to add or delete a firefighter from firefighter roles
    LGDN Log Download: you can download logs via Administration → Archive
    LGDS Log Delete: you can delete logs via Administration → Archive
    LGUP Log Upload: you can upload logs via Administration → Archive
    OWNR Owner: this is who maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
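To make the asterisk convention concrete, the following added example (not part of the SAP guide) expands "*" and prefix wildcards against the value catalogue above and reports which values one role can use that another cannot. The catalogue is taken from the table above; the two sample roles are constructed here, modelled on the GRCFF_0001 and GRCFF_0002 entries of the administrator and controller tables later in this section, not exported from a system.

```python
"""Expand ABAP-style '*' wildcards against a documented value catalogue.

Added example, not part of the SAP guide: it shows what '*' actually grants
for the SPM authorization fields listed above and diffs two roles' effective
privileges. The catalogue comes from the guide's table; the roles are
constructed samples.
"""
from typing import Dict, Set

Auths = Dict[str, Dict[str, Set[str]]]   # object -> field -> granted values

# Available values per object/field, as listed in the guide's table.
CATALOGUE: Auths = {
    "GRCFF_0001": {"ACTVT": {"01", "02", "03", "06", "36", "81", "DL", "L0", "UL"}},
    "GRCFF_0002": {"VIRSAFAT": {"CNTR", "FFER", "LGDN", "LGDS", "LGUP", "OWNR"}},
    "S_DATA_SET": {"ACTVT": {"06", "33", "34", "A6", "A7"}},
}


def expand(obj: str, field: str, granted: Set[str]) -> Set[str]:
    """Resolve '*' and 'PREFIX*' to the concrete catalogue values they cover.

    A value that is neither a wildcard nor in the catalogue is rejected: in a
    role review it usually means a typo that grants nothing or the wrong thing.
    """
    catalogue = CATALOGUE[obj][field]
    effective: Set[str] = set()
    for g in granted:
        if g == "*":
            effective |= catalogue
        elif g.endswith("*"):
            effective |= {v for v in catalogue if v.startswith(g[:-1])}
        elif g in catalogue:
            effective.add(g)
        else:
            raise ValueError(f"{g!r} is not a documented value for {obj}/{field}")
    return effective


def effective_auths(role: Auths) -> Auths:
    """Same structure as the role, with every wildcard expanded."""
    return {obj: {f: expand(obj, f, vals) for f, vals in fields.items()}
            for obj, fields in role.items()}


def privilege_delta(role_a: Auths, role_b: Auths) -> Dict[str, Set[str]]:
    """Values role_a can use that role_b cannot, keyed 'OBJECT/FIELD'."""
    ea, eb = effective_auths(role_a), effective_auths(role_b)
    delta: Dict[str, Set[str]] = {}
    for obj, fields in ea.items():
        for field, vals in fields.items():
            extra = vals - eb.get(obj, {}).get(field, set())
            if extra:
                delta[f"{obj}/{field}"] = extra
    return delta


# Constructed sample roles modelled on the administrator and controller tables.
ADMINISTRATOR: Auths = {
    "GRCFF_0001": {"ACTVT": {"*"}},
    "GRCFF_0002": {"VIRSAFAT": {"*"}},
}
CONTROLLER: Auths = {
    "GRCFF_0001": {"ACTVT": {"02", "03", "81", "L0"}},
    "GRCFF_0002": {"VIRSAFAT": {"LGDN", "LGDS", "LGUP"}},
}

if __name__ == "__main__":
    for key, extra in sorted(privilege_delta(ADMINISTRATOR, CONTROLLER).items()):
        print(f"{key}: administrator additionally has {sorted(extra)}")
```

Running the block lists, per field, exactly which activities the administrator's "*" adds over the controller's enumerated values, which is the question a reviewer has to answer before accepting a wildcard in a custom role.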
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ADMINISTRATOR role.
S_TCODE
    TCD: /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET
    ACTVT: *
    FILE_NAME: *
    PROGRAM: /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM
    P_ACTION: SUBMIT, BTCSUBMIT, VARIANT
    P_GROUP: ZVFAT
GRCFF_0001
    ACTVT: *
GRCFF_0002
    VIRSAFAT: *
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_ADMINISTRATOR role.
S_TCODE
    TCD: /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZV&ZV
S_DATA_SET
    ACTVT: *
    FILE_NAME: *
    PROGRAM: /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002
    VIRSAFAT: *
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_CONTROLLER role.
S_TCODE
    TCD: /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZV&ZV
S_PROGRAM
    P_ACTION: SUBMIT, BTCSUBMIT
    P_GROUP: ZVFAT
S_BTCH_JOB
    JOBACTION: RELE
    JOBGROUP: *
S_DATA_SET
    ACTVT: *
    FILE_NAME: *
    PROGRAM: /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001
    ACTVT: 81
S_TCODE
    TCD: /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZVD, ZVE
S_PROGRAM
    P_ACTION: SUBMIT, BTCSUBMIT
    P_GROUP: ZVFAT
S_BTCH_JOB
    JOBACTION: RELE
    JOBGROUP: *
GRCFF_0001
    ACTVT: 02, 03, 81, L0
    NOTE: L0 in this case means View Log Control for Controllers.
GRCFF_0002
    VIRSAFAT: LGDN, LGDS, LGUP
S_TCODE
    TCD: /VIRSA/VFAT
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZVD, ZVE
GRCFF_0001
    ACTVT: 02, 03
GRCFF_0002
    VIRSAFAT: CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_OWNER role.
S_TCODE
    TCD: /VIRSA/VFAT
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZVD, ZVE
GRCFF_0001
    ACTVT: 02, 03
GRCFF_0002
    VIRSAFAT: CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ADMINISTRATOR role.
S_TCODE
    TCD: /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET
    ACTVT: *
    FILE_NAME: None
    PROGRAM: /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM
    P_ACTION: BTCSUBMIT, SUBMIT, VARIANT
    P_GROUP: ZVFAT
GRCFF_0001
    ACTVT: *
GRCFF_0002
    VIRSAFAT: CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields, and values for the VFAT_FIREFIGHTER role.
S_RFC
    ACTVT: 16
    RFC_NAME: SYST
    RFC_TYPE: FUGR
S_TCODE
    TCD: /VIRSA/VFAT
For SP07 and after, you must add these additional authorizations:
S_USER_GRP
    ACTVT: 02, 03, 05
    CLASS: [FFIDs User Group]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
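As an added example (not from the SAP guide), the following Python check models a role's authorization data (object → field → values, the shape a PFCG role export takes) and tests it against the firefighter requirements above together with the two cautions in the note: a wildcard CLASS on S_USER_GRP and reachability of SU01. The three sample roles and the FFID_GRP user group standing in for "[FFIDs User Group]" are constructed for the example.

```python
"""Lint a firefighter back-end role against the guide's SP07+ requirements.

Added example, not SAP's code: it checks a role's authorization data
(object -> field -> values, as a PFCG export would contain) for the
firefighter requirements above and for the two over-grants the guide warns
about, S_USER_GRP CLASS=* and access to SU01. Sample roles are constructed.
"""
from typing import Dict, List, Set

Auths = Dict[str, Dict[str, Set[str]]]   # object -> field -> granted values

# Constructed stand-in for the guide's "[FFIDs User Group]" placeholder.
FFID_USER_GROUP = "FFID_GRP"

# Required authorizations from the VFAT_FIREFIGHTER tables (SP07 and after).
REQUIRED: Auths = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/VFAT"}},
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": {FFID_USER_GROUP}},
}
ALLOWED_USER_GRP_ACTVT = {"02", "03", "05"}


def covered(granted: Set[str], needed: str) -> bool:
    """ABAP authorization matching: '*' covers all, 'ABC*' covers a prefix."""
    return any(g == "*" or g == needed or (g.endswith("*") and needed.startswith(g[:-1]))
               for g in granted)


def lint_firefighter_role(role: Auths) -> List[str]:
    """Return findings; an empty list means the role matches the guide."""
    findings: List[str] = []

    def field(obj: str, f: str) -> Set[str]:
        return role.get(obj, {}).get(f, set())

    # 1. Every required object/field/value must be covered.
    for obj, fields in REQUIRED.items():
        for f, values in fields.items():
            for v in sorted(values):
                if not covered(field(obj, f), v):
                    findings.append(f"MISSING {obj} {f}={v}")

    # 2. CLASS=* is the fallback the guide permits only when FFIDs cannot get their own group.
    if "*" in field("S_USER_GRP", "CLASS"):
        findings.append("WARN S_USER_GRP CLASS=* covers every user group, not only the FFIDs")

    # 3. Activities beyond 02/03/05 (01 create, 06 delete, or '*') turn the
    #    password-maintenance grant into general user administration.
    extra = field("S_USER_GRP", "ACTVT") - ALLOWED_USER_GRP_ACTVT
    if extra:
        findings.append(f"WARN S_USER_GRP ACTVT has activities beyond 02/03/05: {sorted(extra)}")

    # 4. The guide recommends not granting SU01 to anyone holding this access.
    if covered(field("S_TCODE", "TCD"), "SU01"):
        findings.append("FAIL S_TCODE reaches SU01 for a firefighter role")
    return findings


# Constructed sample roles.
COMPLIANT: Auths = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/VFAT"}},
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": {FFID_USER_GROUP}},
}
PRE_SP07: Auths = {   # never updated after the support package: S_USER_GRP absent
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/VFAT"}},
}
OVERBROAD: Auths = {  # "fixed" by wildcarding everything and adding SU01
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/*", "SU01"}},
    "S_USER_GRP": {"ACTVT": {"*"}, "CLASS": {"*"}},
}

if __name__ == "__main__":
    for name, role in [("COMPLIANT", COMPLIANT), ("PRE_SP07", PRE_SP07), ("OVERBROAD", OVERBROAD)]:
        print(name, lint_firefighter_role(role) or ["OK"])
```

The OVERBROAD sample passes the coverage check (wildcards cover every required value) and still produces three findings, which is why a coverage-only comparison against the guide's table is not enough on its own.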
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ID_OWNER role.
S_TCODE
    TCD: /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB
    JOBACTION: RELE
    JOBGROUP: *
S_TABU_DIS
    ACTVT: 02, 03
    DICBERCLS: ZV&X, ZV&Y
S_PROGRAM
    P_ACTION: SUBMIT, BTCSUBMIT
    P_GROUP: ZVFAT
GRCFF_0001
    ACTVT: 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
    ACTVT: 16
    RFC_NAME: /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
    RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
    TCD: SU01
S_TABU_DIS (Table maintenance)
    ACTVT: 03
    DICBERCLS: &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (Authorizations: role check)
    ACTVT: *
    ACT_GROUP: *
S_USER_AUT (User master maintenance: authorizations)
    ACTVT: 03, 08
    AUTH: *
    OBJECT: *
S_USER_GRP (User master maintenance: user groups)
    ACTVT: 01, 02, 03, 05, 06, 08, 24, 78
    CLASS: *
S_USER_PRO (User master maintenance: authorization profile)
    ACTVT: 03, 08
    PROFILE: *
S_USER_SAS (S_USER_SAS)
    ACTVT: 01, 06, 22
    ACT_GROUP: *
    CLASS: *
    PROFILE: *
    SUBSYSTEM: *
S_USER_SYS (User master maintenance: system for central user maintenance)
    ACTVT: 78
    SUBSYSTEM: *
S_ADDRESS1 (Central address management)
    ACTVT: 01, 02, 03, 06
    ADGRP: BC01
GRCCC_0001 (Table maintenance)
    VIRSAATN: MREF
PLOG (Personnel planning)
    INFOTYP: 1001
    ISTAT: 1
    OTYPE: *
    PLVAR: *
    PPFCODE: DEL, DISP, INSE, LIST
    SUBTYP: *
P_TCODE (HR: transaction code)
    TCD: SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
S_RFC (Authorization check for RFC access)
    ACTVT: 16
    RFC_NAME: /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
    RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
    TCD: /VIRSA/RE_DNLDROLES
S_USER_AGR (Authorizations: role check)
    ACTVT: *
    ACT_GROUP: *
S_USER_AUT (User master maintenance: authorizations)
    ACTVT: *
    AUTH: *
    OBJECT: *
S_USER_GRP (User master maintenance: user groups)
    ACTVT: *
    CLASS: *
S_USER_PRO (User master maintenance: authorization profile)
    ACTVT: *
    PROFILE: *
S_USER_TCD (Authorizations: transactions in roles)
    TCD: *
S_USER_VAL (Authorizations: field values in roles)
    AUTH_FIELD: *
    AUTH_VALUE: *
    OBJECT: *
S_DEVELOP (ABAP Workbench)
    ACTVT: *
    DEVCLASS: /VIRSA/*, SUSO
    OBJNAME: /VIRSA/*
    OBJTYPE: FUGR
    P_GROUP: *
PLOG (Personnel planning)
    INFOTYP: 1000, 1001
    ISTAT: *
    OTYPE: *
    PLVAR: *
    PPFCODE: *
    SUBTYP: *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
S_RFC (Authorization check for RFC access)
    ACTVT: 16
    RFC_NAME: /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
    RFC_TYPE: FUGR
S_TCODE (Transaction code check at transaction start)
    TCD: /VIRSA/RE_DNLDROLES
S_GUI (Authorization for GUI activities)
    ACTVT: *
S_USER_AGR (Authorizations: role check)
    ACTVT: *
    ACT_GROUP: *
S_USER_AUT (User master maintenance: authorizations)
    ACTVT: *
    AUTH: *
    OBJECT: *
S_USER_GRP (User master maintenance: user groups)
    ACTVT: *
    CLASS: *
S_USER_PRO (User master maintenance: authorization profile)
    ACTVT: *
    PROFILE: *
S_USER_TCD (Authorizations: transactions in roles)
    TCD: *
S_USER_VAL (Authorizations: field values in roles)
    AUTH_FIELD: *
    AUTH_VALUE: *
    OBJECT: *
S_DEVELOP (ABAP Workbench)
    ACTVT: MA
    DEVCLASS: /VIRSA/*, SUSO
    OBJNAME: /VIRSA/*
    OBJTYPE: FUGR
    P_GROUP: *
PLOG (Personnel planning)
    INFOTYP: 1000, 1001
    ISTAT: A, C, O, P, S, T, TS, US, WF, WS
    PLVAR: *
    PPFCODE: *
    SUBTYP: *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
    ACTVT: 16
    RFC_NAME: /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
    RFC_TYPE: FUGR
S_DEVELOP (ABAP Workbench)
    ACTVT: 16
    DEVCLASS: /VIRSA/*
    OBJNAME: /VIRSA/*
    OBJTYPE: FUGR
    P_GROUP: *
GRCFF_0001 (User authorizations)
    ACTVT: *
GRCFF_0002 (Role authorizations)
    VIRSAFAT: *
6 Delivered Front End Roles and Permissions
Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApprove | Permission to approve request in the approver view | Configuration
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | (description missing in the source table) |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Ris Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer Tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrails, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrails, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on this Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach Icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export Screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view TransactionImport in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following table lists the actions for the roles.
Actions for REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
Actions for RERoleDesigner:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
Actions for RESecurity:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
Actions for RESuperUser:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
Actions for REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following table lists the actions for the roles.
Actions for VIRSA_CC_SECURITY_ADMIN:
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
Actions for VIRSA_CC_REPORT:
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
Actions for VIRSA_CC_BUSINESS_OWNER:
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49 18 0534 34 34, F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control-specific security functions, Access Control user administration and authorization leverages the user management and authorization features of the SAP NetWeaver platform and the SAP NetWeaver Application Server ABAP and Java. Therefore, the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply for Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control → SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
VIRSAZ_VFAT_ADMINISTRATOR: This is the administrator for ID-based firefighting.
VIRSAVFAT_ROLE_ADMINISTRATOR: This role can perform administrator tasks for both ID-based and role-based firefighting.
VIRSAVFAT_ADMINISTRATOR: This is the administrator for both delivered ID-based and role-based roles.
Delivered Roles | Key Tasks | Description
VIRSAZ_VFAT_ADMINISTRATOR | Define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Available Values | Authorization Field
GRCFF_0001 | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload | ACTVT
GRCFF_0002 | CNTR Controller (this is who maintains the controller table for firefighter roles); FFER Firefighter (this value is required to add or delete a firefighter from firefighter roles); LGDN Log Download (you can download logs via Administration → Archive); LGDS Log Delete (you can delete logs via Administration → Archive); LGUP Log Upload (you can upload logs via Administration → Archive); OWNR Owner (this is who maintains the owner table for firefighter roles) | VIRSAFAT
S_DATA_SET | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter | ACTVT
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR.
Object | Values | Authorization Field
S_TCODE | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSAVFAT VIRSAZFAT_V02 | TCD
S_DATA_SET | VIRSAFF_LOG_AUTO_ARCHIVE | ACTVT FILE_NAME PROGRAM
S_TABU_DIS | 02 03 | ACTVT
S_TABU_DIS | ZV&U ZV&V ZV&W ZV&X ZV&Y ZV&Z ZVC ZVD ZVE ZVR | DICBERCLS
S_PROGRAM | SUBMIT BTCSUBMIT VARIANT | P_ACTION
S_PROGRAM | ZVFAT | P_GROUP
GRCFF_0001 | | ACTVT
GRCFF_0002 | | VIRSAFAT
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR.
Object | Values | Authorization Field
S_TCODE | VIRSAFFARCHIVE VIRSAFFCHNGLOGS VIRSAVFAT VIRSAZFAT_V02 | TCD
S_TABU_DIS | 02 03 | ACTVT
S_TABU_DIS | ZV&ZV | DICBERCLS
S_DATA_SET | VIRSAFF_LOG_AUTO_ARCHIVE | ACTVT FILE_NAME PROGRAM
GRCFF_0002 | | VIRSAFAT
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.

Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFFLOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
GRCFF_0001 | ACTVT | 02, 03, 81, L0
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP

NOTE
L0 in this case means View Log Control for Controllers.
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.

Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.

Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.

Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT

For SP07 and later, you must add these additional authorizations:

Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (Group) | [FFIDs' user group]

NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should also have an ID in the CUA system with the above authorizations.
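As an added check (example code written for this section's values, not SAP's own tooling), the following Python lints a custom firefighter role definition against the objects and values listed above and flags the broad grants this section warns about: a CLASS of *, and S_TCODE covering SU01. The sample roles, the user group name FFIDS and the wildcard-matching rules are constructed assumptions; in practice the authorization data would be read from an export of the role (for example an extract of table AGR_1251).

```python
from dataclasses import dataclass


@dataclass
class Auth:
    """One authorization instance in a back-end role: object plus field values."""
    obj: str
    fields: dict  # authorization field -> set of values, e.g. {"ACTVT": {"02", "03"}}


# Objects, fields and values this section lists for VIRSAZ_VFAT_FIREFIGHTER
# (including the SP07+ S_USER_GRP authorization). None means a value is
# required but installation-specific (the FFIDs' user group for CLASS).
FIREFIGHTER_REQUIRED = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"VIRSAVFAT"}},
    "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": None},
}


def value_covers(granted, wanted):
    """True if a granted authorization value covers a concrete value.
    '*' matches everything and a trailing '*' matches a prefix (an assumed
    simplification of SAP value matching; ranges are not modelled)."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def granted_values(auths, obj, fld):
    """All values granted for a field across every instance of an object."""
    values = set()
    for auth in auths:
        if auth.obj == obj:
            values |= set(auth.fields.get(fld, ()))
    return values


def lint_firefighter_role(auths, ffid_group):
    """Return findings for a custom firefighter role; [] means every value the
    guide lists is present and none of the broad grants it warns about is."""
    findings = []
    for obj, flds in FIREFIGHTER_REQUIRED.items():
        if not any(auth.obj == obj for auth in auths):
            findings.append(f"MISSING object {obj}")
            continue
        for fld, wanted in flds.items():
            have = granted_values(auths, obj, fld)
            if wanted is None:
                if not have:
                    findings.append(f"MISSING value for {obj} {fld}")
                continue
            if "*" in have:
                findings.append(f"WIDE {obj} {fld} is *; guide lists {' '.join(sorted(wanted))}")
            for value in sorted(wanted):
                if not any(value_covers(g, value) for g in have):
                    findings.append(f"MISSING {obj} {fld} value {value}")
    # CLASS should be the FFIDs' own user group; '*' is the documented fallback
    # only when the FFIDs cannot be put in a group, so it is flagged.
    classes = granted_values(auths, "S_USER_GRP", "CLASS")
    if "*" in classes:
        findings.append("WIDE S_USER_GRP CLASS is *; restrict it to the FFID user group")
    elif classes and ffid_group not in classes:
        findings.append(f"MISMATCH S_USER_GRP CLASS {sorted(classes)} lacks {ffid_group}")
    # The guide recommends not granting SU01 to users who hold this access.
    if any(value_covers(t, "SU01") for t in granted_values(auths, "S_TCODE", "TCD")):
        findings.append("RISK S_TCODE TCD covers SU01 (user maintenance)")
    return findings


# Constructed sample roles (not real exports). "FFIDS" is a placeholder group.
GOOD_ROLE = [
    Auth("S_RFC", {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}}),
    Auth("S_TCODE", {"TCD": {"VIRSAVFAT"}}),
    Auth("S_USER_GRP", {"ACTVT": {"02", "03", "05"}, "CLASS": {"FFIDS"}}),
]
BAD_ROLE = [
    Auth("S_RFC", {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}}),
    Auth("S_TCODE", {"TCD": {"VIRSAVFAT", "SU01"}}),
    Auth("S_USER_GRP", {"ACTVT": {"02", "03"}, "CLASS": {"*"}}),
]

if __name__ == "__main__":
    for name, role in (("GOOD_ROLE", GOOD_ROLE), ("BAD_ROLE", BAD_ROLE)):
        print(name, lint_firefighter_role(role, "FFIDS") or ["OK"])
```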
VIRSAZ_FAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.

Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSAZ_CC_REPORTING
VIRSAZ_CC_SECURITY_ADMIN
VIRSAZ_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP |
S_USER_SAS | | CLASS |
S_USER_SAS | | PROFILE |
S_USER_SAS | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP |
P_TCODE | HR: Transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR, PPFCODE, SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generated requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.

Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.

REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser:
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do The
VIRSA_CC_ADMINISTRATOR role includes all actions The other roles contain subsets of these
permissions
VIRSA_CC_ADMINISTRATOR
The following table lists the actions
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3952
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement roles | Rule Architect
Clear Alert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER
The following lists show the actions assigned to each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the actions required for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab; assigning this action grants the user permission to view, create and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com > Glossary; in the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options.
 | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein, as well as their respective logos, are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: you can find this document at http://service.sap.com/securityguide and http://service.sap.com/instguides.
5 Delivered Back End Roles
Access Control delivers several ABAP-based roles that reside in the back end. This section covers the delivered roles, briefly describes their relevance to business requirements, and lists the available tasks for each.
In addition to the Access Control-specific security functions, Access Control user administration and authorization leverage the user management and authorization features of the SAP NetWeaver® platform and the SAP NetWeaver Application Server ABAP and Java. Therefore the recommendations and guidelines described in the SAP NetWeaver Application Server Security Guide for ABAP and Java Technology also apply to Access Control.
You can accept the delivered roles without modification, or you can build custom roles.
5.1 Delivered SPM Back-end Roles
This section lists the delivered back-end roles for SPM ID-based and role-based administration.
For more information about configuring and maintaining the roles, see the SAP GRC Access Control 5.3 Application Help on the SAP Help Portal at http://help.sap.com/grc and choose Access Control > SAP GRC Access Control 5.3.
NOTE
SPM provides three delivered administrator roles. Their descriptions are as follows:
/VIRSA/Z_VFAT_ADMINISTRATOR: the administrator for ID-based firefighting.
/VIRSA/VFAT_ROLE_ADMINISTRATOR: this role can perform administrator tasks for both ID-based and role-based firefighting.
/VIRSA/VFAT_ADMINISTRATOR: the administrator for both delivered ID-based and role-based roles.
Delivered ID-based Roles
/VIRSA/Z_VFAT_ADMINISTRATOR
Key tasks: define owners; assign firefighter roles to firefighters; define controllers; maintain firefighter ID passwords; maintain firefighter configuration parameters; define reason codes; define critical transactions; archive log data; view reports in the toolbox.
Description: administrators control most firefighter activities.
/VIRSA/Z_VFAT_ID_OWNER
Key tasks: assign firefighter IDs to firefighters; view log reports; receive e-mail notifications.
Description: the owner role provides authorization for users who are defined as owners or controllers.
/VIRSA/Z_VFAT_FIREFIGHTER
Key tasks: base user authorizations required to log on as a firefighter.
Description: the firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
/VIRSA/VFAT_ROLE_ADMINISTRATOR
Key tasks: define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox.
Description: administrators control most firefighter activities.
/VIRSA/VFAT_ROLE_OWNER
Key tasks: assign firefighter roles to firefighters; view log reports; receive e-mail notifications.
Description: the owner role assigns authorizations for users who are defined as owners or controllers.
/VIRSA/VFAT_ROLE_CONTROLLER
Key tasks: receive notifications; view log reports.
Description: the controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes concern how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | /VIRSA/FAT | CNTR Controller (maintains the controller table for firefighter roles); FFER Firefighter (required to add or delete a firefighter from firefighter roles); LGDN Log Download (download logs via Administration > Archive); LGDS Log Delete (delete logs via Administration > Archive); LGUP Log Upload (upload logs via Administration > Archive); OWNR Owner (maintains the owner table for firefighter roles)
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields and values for VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | /VIRSA/FAT | *
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, authorization fields and values for VFAT_ROLE_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002 | /VIRSA/FAT | *
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, authorization fields and values for VFAT_ROLE_CONTROLLER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | PROGRAM = /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | /VIRSA/FAT | LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, authorization fields and values for VFAT_ROLE_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | /VIRSA/FAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields and values for VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | /VIRSA/FAT | CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields and values for VFAT_FIREFIGHTER.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT
For SP07 and later you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [user group of the firefighter IDs]
NOTE
If the firefighter IDs (FFIDs) are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any user with this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above authorizations.
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, authorization fields and values for VFAT_ID_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on the SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on the SAP Help Portal at http://help.sap.com.
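Sections 5.2 and 5.3 both recommend locking the listed back-end roles once the 5.3 front-end roles are in use. A practical way to verify that is to check a user-to-role assignment extract for them. The following Python script is an added example, not part of the SAP guide: it reads a small, constructed extract laid out like the AGR_USERS table (AGR_NAME, UNAME, FROM_DAT, TO_DAT) and reports every assignment of one of those roles, marking whether it is active on the given date. The user names and dates in the sample are invented.

```python
"""Find users who still hold the RAR/ERM back-end roles that the Access Control
5.3 front-end roles replace (added example, not part of the SAP guide)."""
from datetime import date
from typing import Dict, List, Tuple

# Roles the guide says to lock (sections 5.2 and 5.3), by capability.
DEPRECATED_BACKEND_ROLES: Dict[str, str] = {
    "/VIRSA/Z_CC_ADMINISTRATOR": "RAR",
    "/VIRSA/Z_CC_BUSINESS_OWNER": "RAR",
    "/VIRSA/Z_CC_REPORTING": "RAR",
    "/VIRSA/Z_CC_SECURITY_ADMIN": "RAR",
    "/VIRSA/Z_CC_USER_ADMIN": "RAR",
    "/VIRSA/Z_VRMT_ADMINISTRATOR": "ERM",
    "/VIRSA/Z_VRMT_ROLE_OWNER": "ERM",
    "/VIRSA/Z_VRMT_SECURITY": "ERM",
    "/VIRSA/Z_VRMT_USER": "ERM",
}

# Constructed sample extract (not real data) in the column layout of the
# AGR_USERS table: role name, user name, validity start and end as YYYYMMDD.
SAMPLE_EXTRACT = """\
AGR_NAME|UNAME|FROM_DAT|TO_DAT
/VIRSA/Z_CC_ADMINISTRATOR|ALICE|20090101|99991231
/VIRSA/Z_VRMT_USER|BOB|20090101|20101231
/VIRSA/FF_DEFAULT_ROLE|RFC_SPM|20090101|99991231
/VIRSA/Z_CC_REPORTING|CAROL|20120101|99991231
/VIRSA/Z_VRMT_SECURITY|DAVE|20100601|99991231
"""

Hit = Tuple[str, str, str, str]  # user, role, capability, status


def parse_extract(text: str) -> List[Dict[str, str]]:
    """Parse a pipe-separated extract whose first line is the column header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("|")
    return [dict(zip(header, line.split("|"))) for line in lines[1:]]


def _parse_yyyymmdd(value: str) -> date:
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def find_deprecated_assignments(rows: List[Dict[str, str]], today_yyyymmdd: str) -> List[Hit]:
    """One hit per assignment of a deprecated role. status is 'active' when the
    validity period contains today; expired and future-dated assignments are
    reported as well so they can be removed rather than silently re-dated."""
    today = _parse_yyyymmdd(today_yyyymmdd)
    hits: List[Hit] = []
    for row in rows:
        capability = DEPRECATED_BACKEND_ROLES.get(row["AGR_NAME"])
        if capability is None:
            continue  # not one of the roles the guide lists
        start = _parse_yyyymmdd(row["FROM_DAT"])
        end = _parse_yyyymmdd(row["TO_DAT"])
        if today < start:
            status = "future"
        elif today > end:
            status = "expired"
        else:
            status = "active"
        hits.append((row["UNAME"], row["AGR_NAME"], capability, status))
    return sorted(hits)


def active_holders(text: str, today_yyyymmdd: str) -> List[Hit]:
    """Parse an extract and keep only assignments that are valid today."""
    return [h for h in find_deprecated_assignments(parse_extract(text), today_yyyymmdd)
            if h[3] == "active"]


if __name__ == "__main__":
    for user, role, cap, status in find_deprecated_assignments(parse_extract(SAMPLE_EXTRACT), "20111227"):
        print(f"{user:8} {role:30} {cap:4} {status}")
```

Run against a real extract, the active hits are the ones to remediate first; the expired and future entries show where the role is still being handed out and should be cleaned up before the role itself is locked.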
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password and an RFC authorization. Access Control delivers one default role for each capability; you can use these default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions and authorization values in the tables that follow.
5.5.1 RFC Authorization Values for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE | *
S_USER_SAS | User master maintenance: system-specific assignments | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | /VIRSA/ATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP | *
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | /VIRSA/*, SUSO
S_DEVELOP | | OBJNAME | /VIRSA/*
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYP | *
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User master maintenance: authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User master maintenance: user groups | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User master maintenance: authorization profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | /VIRSA/*, SUSO
S_DEVELOP | | OBJNAME | /VIRSA/*
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | /VIRSA/*
S_DEVELOP | | OBJNAME | /VIRSA/*
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
GRCFF_0001 | User authorizations | ACTVT | *
GRCFF_0002 | Role authorizations | /VIRSA/FAT | *
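Section 5.1.1 and section 5.5 make the same demand of a custom role: it must carry exactly the objects, fields and values in the tables. The following Python check is an added example, not SAP code: it compares a role definition (object, field, values) against a required spec using SAP's value conventions (a lone * matches anything, a trailing * is a prefix wildcard, everything else must match exactly), reports missing objects or values, wildcards and extra values granted where the spec is explicit, and adds the two firefighter-specific points from 5.1.1 (a dedicated user group in S_USER_GRP CLASS rather than *, and no path to SU01). The specs are taken from the firefighter table in 5.1.1 and the SPM connector table above; the two sample roles are constructed and deliberately flawed. The names `check_role`, `firefighter_spec` and `SPM_RFC_SPEC` are this example's own.

```python
"""Validate a custom back-end role against the object/field/value spec a
section of the guide requires (added example, not part of the SAP guide)."""
from typing import Dict, List, Set

Auth = Dict[str, Dict[str, Set[str]]]  # authorization object -> field -> values


def value_covers(granted: str, needed: str) -> bool:
    """SAP authorization value matching: '*' matches everything, a trailing '*'
    is a prefix wildcard, anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed


def check_role(role: Auth, spec: Auth) -> List[str]:
    """Findings: missing objects or values, plus wildcards or extra values
    granted on a field where the spec lists explicit values."""
    findings: List[str] = []
    for obj, fields in spec.items():
        if obj not in role:
            findings.append(f"{obj}: object missing")
            continue
        for field, needed in fields.items():
            got = role[obj].get(field, set())
            for v in sorted(needed):
                if not any(value_covers(g, v) for g in got):
                    findings.append(f"{obj}/{field}: required value {v} missing")
            if "*" in needed:
                continue  # the spec itself says 'all values'; nothing is extra
            for g in sorted(got - needed):
                kind = "wildcard" if g.endswith("*") else "extra value"
                findings.append(f"{obj}/{field}: {kind} {g} not in spec")
    return findings


def firefighter_spec(ff_user_group: str) -> Auth:
    """/VIRSA/Z_VFAT_FIREFIGHTER values from 5.1.1, including the SP07
    S_USER_GRP addition; ff_user_group is the user group of the firefighter IDs."""
    return {
        "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
        "S_TCODE": {"TCD": {"/VIRSA/VFAT"}},
        "S_USER_GRP": {"ACTVT": {"02", "03", "05"}, "CLASS": {ff_user_group}},
    }


def check_firefighter_role(role: Auth, ff_user_group: str) -> List[str]:
    """check_role plus the 5.1.1 recommendation that these users not get SU01."""
    findings = check_role(role, firefighter_spec(ff_user_group))
    tcodes = role.get("S_TCODE", {}).get("TCD", set())
    if any(value_covers(t, "SU01") for t in tcodes):
        findings.append("S_TCODE/TCD: SU01 reachable; the guide recommends not granting it")
    return findings


# Required values for the SPM connector role (5.5.4); GRCFF_* fields are '*'.
SPM_RFC_SPEC: Auth = {
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_NAME": {"/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF",
                     "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
        "RFC_TYPE": {"FUGR"},
    },
    "GRCFF_0001": {"ACTVT": {"*"}},
    "GRCFF_0002": {"/VIRSA/FAT": {"*"}},
}

# Constructed sample roles (not real exports) with typical custom-build slips.
SAMPLE_FF_ROLE: Auth = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"SYST"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"/VIRSA/VFAT", "SU*"}},            # SU* reaches SU01
    "S_USER_GRP": {"ACTVT": {"02", "03"}, "CLASS": {"*"}},  # 05 missing, CLASS is '*'
}
SAMPLE_SPM_RFC_ROLE: Auth = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
              "RFC_NAME": {"/VIRSA/*", "BAPT", "RFC1", "SDIF", "SDTX", "SDIFRUNTIME",
                           "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"}},
    "GRCFF_0001": {"ACTVT": {"*"}},                          # GRCFF_0002 forgotten
}

if __name__ == "__main__":
    for name, findings in (("firefighter", check_firefighter_role(SAMPLE_FF_ROLE, "FFID")),
                           ("SPM RFC", check_role(SAMPLE_SPM_RFC_ROLE, SPM_RFC_SPEC))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The wildcard findings are the ones worth reading twice: /VIRSA/* in RFC_NAME satisfies every required function group but also exposes every other /VIRSA/ function group, and * in S_USER_GRP CLASS lets the firefighter role touch any user group, which is why 5.1.1 asks for a dedicated group first and treats * only as the fallback.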
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
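Added example (not from the guide and not SAP code) for the two rules above: a custom role is checked against the delivered AEADMIN action list, and after a support package each custom role gets a work list of actions to remove and new actions to review. Action names come from the AEADMIN table that follows, including its note that DeleteRequestSubmit is only usable when the delete-request action is assigned; the role contents, the before/after change and the Z-prefixed role names are constructed.

```python
"""Added example (not SAP code): keep custom CUP front-end roles consistent with
the delivered AEADMIN action list, before and after a support package (sections
6.1 and 6.2). Action names come from the guide; the role contents, the
before/after change and the Z-prefixed role names are constructed."""
from typing import Dict, FrozenSet, List, Set

# Constructed excerpt of the delivered AEADMIN actions (names from the guide).
AEADMIN_BEFORE_SP: FrozenSet[str] = frozenset({
    "ViewApprove", "ViewReject", "ViewHold", "ViewRiskAnalysis",
    "DeleteRequestAction", "DeleteRequestSubmit", "ModifyWorkflowConfiguration",
})
# Hypothetical state after installing a support package: one action dropped, one added.
AEADMIN_AFTER_SP: FrozenSet[str] = (AEADMIN_BEFORE_SP - {"ViewHold"}) | {"ViewStaleRequests"}

# Dependency stated in the AEADMIN table: DeleteRequestSubmit is only usable
# when the delete-request action is assigned as well.
ACTION_DEPENDENCIES: Dict[str, str] = {"DeleteRequestSubmit": "DeleteRequestAction"}

# Constructed custom roles; the second one carries a typo and a missing dependency.
CUSTOM_ROLES: Dict[str, Set[str]] = {
    "ZAE_APPROVER": {"ViewApprove", "ViewReject", "ViewHold", "ViewRiskAnalysis"},
    "ZAE_REQUEST_ADMIN": {"DeleteRequestSubmit", "ModifyWorkflowConfig"},
}


def support_package_delta(before, after) -> Dict[str, List[str]]:
    """Actions the support package added to / removed from the delivered admin role."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def audit_custom_role(actions, delivered_admin) -> Dict[str, List[str]]:
    """Section 6.2: a custom role must only use actions the admin role has,
    and an action with a stated prerequisite needs that prerequisite too."""
    return {
        "not_in_admin_role": sorted(a for a in actions if a not in delivered_admin),
        "unmet_dependencies": sorted(
            f"{a} requires {dep}" for a, dep in ACTION_DEPENDENCIES.items()
            if a in actions and dep not in actions),
    }


def plan_role_updates(custom_roles, before, after) -> Dict[str, Dict[str, List[str]]]:
    """Section 6.1: after a support package, each custom role gets a work list."""
    delta = support_package_delta(before, after)
    plan = {}
    for role, actions in custom_roles.items():
        plan[role] = {
            "remove": sorted(a for a in actions if a in delta["removed"]),
            "review_new": delta["added"],  # new delivered actions to consider for this role
            **audit_custom_role(actions, after),
        }
    return plan


if __name__ == "__main__":
    for role, work in plan_role_updates(CUSTOM_ROLES, AEADMIN_BEFORE_SP, AEADMIN_AFTER_SP).items():
        print(role, work)
```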
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality. | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel request generation for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German
Target group
Relevant for all target groups
Current version
On SAP Help Portal at httphelpsapcom Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4552
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ndash SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
A Reference
A1 The Main SAP Documentation Types
4652 PUBLIC 2011-12-27
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4752
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
A Reference
A1 The Main SAP Documentation Types
4852 PUBLIC 2011-12-27
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace
You can find this document at the following address: http://service.sap.com/securityguide (see also http://service.sap.com/instguides).
Delivered Roles | Key Tasks | Description
(continued from the previous page) | Archive log data; view reports in the toolbox |
VIRSAZ_VFAT_ID_OWNER | Assign firefighter IDs to firefighters; view log reports; receive e-mail notifications | The owner role provides authorization for users who are defined as owners or controllers.
VIRSAZ_VFAT_FIREFIGHTER | Base user authorizations required to log on as a firefighter | The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC 5.3 SP07.
Delivered Role-based Roles
Delivered Roles | Key Tasks | Description
VIRSAVFAT_ROLE_ADMINISTRATOR | Define owners and firefighter roles; assign firefighter roles to firefighters; define controllers; maintain firefighter configuration parameters; archive log data; view reports in the toolbox | Administrators control most firefighter activities.
VIRSAVFAT_ROLE_OWNER | Assign firefighter roles to firefighters; view log reports; receive e-mail notifications | The owner role assigns authorizations for users who are defined as owners or controllers.
VIRSAVFAT_ROLE_CONTROLLER | Receive notifications; view log reports | The controller role assigns authorizations to users who are defined as controllers.
5.1.1 Customizing SPM Back-end Roles
You can create custom ID-based and role-based back-end roles for SPM. Make sure you assign the objects and authorizations listed in the tables below to the custom roles.
The following SAP Notes describe how to create custom Superuser Privilege Management roles for back-end security:
SAP Note 1025421
SAP Note 1101665
5 Delivered Back End Roles
51 Delivered SPM Back-end Roles
1852 PUBLIC 2011-12-27
In the following tables, objects with the value * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Authorization Field | Available Values
GRCFF_0001 | ACTVT | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload
GRCFF_0002 | VIRSAFAT | CNTR - Controller: the user who maintains the controller table for firefighter roles; FFER - Firefighter: this value is required to add or delete a firefighter from firefighter roles; LGDN - Log Download: you can download logs via Administration > Archive; LGDS - Log Delete: you can delete logs via Administration > Archive; LGUP - Log Upload: you can upload logs via Administration > Archive; OWNR - Owner: the user who maintains the owner table for firefighter roles
S_DATA_SET | ACTVT | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_DATA_SET | ACTVT, FILE_NAME |
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ROLE_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |
VIRSAVFAT_ROLE_CONTROLLER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_CONTROLLER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_DATA_SET | ACTVT, FILE_NAME, PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE: L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ROLE_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ROLE_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
VIRSAVFAT_ADMINISTRATOR
The following table lists the objects, values, and authorizations for the VFAT_ADMINISTRATOR role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAFFARCHIVE, VIRSAFFCHNGLOGS, VIRSAVFAT, VIRSAZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | VIRSAFF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
VIRSAZ_VFAT_FIREFIGHTER
The following table lists the objects, values, and authorizations for the VFAT_FIREFIGHTER role.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | VIRSAVFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS (user group) | [User group of the FFIDs]
NOTE
If the FFIDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the firefighter should also have an ID in the CUA system with the above.
VIRSAZ_VFAT_ID_OWNER
The following table lists the objects, values, and authorizations for the VFAT_ID_OWNER role.
Object | Authorization Field | Values
S_TCODE | TCD | VIRSAVFAT, VIRSAZVFAT_U02, VIRSAZVFAT_U03, VIRSAZFAT_U04, VIRSAZVFAT_U06, VIRSAZVFAT_V01
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back-end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSAZ_CC_REPORTING
VIRSAZ_CC_SECURITY_ADMIN
VIRSAZ_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back-end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back-end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back-end roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the object definitions and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAAEAHHR, VIRSAAEAHNH, VIRSAAECO, VIRSAAECUHR, VIRSAAECUNH, VIRSAAEFF, VIRSAAEHTHR, VIRSAAEPRHR, VIRSAAEPRNH, VIRSAAEPVHR, VIRSAAEPVHR1, VIRSAAEPVNH, VIRSAAEPVNH1, VIRSAAERE, VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZAE01, VIRSAZAE01NH, VIRSAZAE02, VIRSAZAECC, VIRSAZAECCNH, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE |
S_USER_SAS | S_USER_SAS | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP, CLASS, PROFILE, SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE, PLVAR |
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP |
P_TCODE | HR transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR, PPFCODE, SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
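The connector-role tables in this section give the minimum values a custom RFC role must carry; the following is an added example (not SAP code) of checking a role against the SPM table above, reporting both values the role does not cover and a full "*" on fields where a wildcard would turn the connector user into a generic RFC or workbench account. The role export shape, the helper names and the two sample roles are constructed for this example; identifiers are spelled as they appear in the table.

```python
"""Check a custom RFC connector role against the SPM RFC requirements above.
Added example, not SAP code.  A role is modelled as a list of
(object, field, value) tuples, the shape of a PFCG / AGR_1251 export
(constructed here); identifiers are spelled as in the table on this page."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Auth = Tuple[str, str, str]  # (authorization object, field, value pattern)
Required = Dict[str, Dict[str, List[str]]]

# Transcribed from section 5.5.4 (SPM): only the two objects whose values
# the table lists in full are included.
SPM_RFC_REQUIRED: Required = {
    "S_RFC": {
        "ACTVT": ["16"],
        "RFC_NAME": ["VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF",
                     "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER",
                     "SYST", "SYSU"],
        "RFC_TYPE": ["FUGR"],
    },
    "S_DEVELOP": {
        "ACTVT": ["16"],
        "DEVCLASS": ["VIRSA"],
        "OBJNAME": ["VIRSA"],
        "OBJTYPE": ["FUGR"],
    },
}

# A full "*" on these fields satisfies the table but turns the connector
# user into a generic RFC / workbench account, so it is reported separately.
WILDCARD_SENSITIVE = {("S_RFC", "RFC_NAME"), ("S_DEVELOP", "DEVCLASS"),
                      ("S_TCODE", "TCD")}


def sap_match(pattern: str, value: str) -> bool:
    """Value matching as this checker applies it: "*" alone matches
    anything, a trailing "*" is a prefix match, anything else is exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass(frozen=True)
class Finding:
    kind: str   # "missing": required value not covered; "wildcard": full "*"
    obj: str
    field: str
    value: str


def check_role(auths: List[Auth], required: Required) -> List[Finding]:
    """Return every required value the role does not cover, then every
    full wildcard on a sensitive field.  An empty list means the role
    matches the table without over-reaching."""
    findings: List[Finding] = []
    for obj, fields in required.items():
        for fld, needed_values in fields.items():
            patterns = [v for o, f, v in auths if o == obj and f == fld]
            for needed in needed_values:
                if not any(sap_match(p, needed) for p in patterns):
                    findings.append(Finding("missing", obj, fld, needed))
    for obj, fld, val in auths:
        if val == "*" and (obj, fld) in WILDCARD_SENSITIVE:
            findings.append(Finding("wildcard", obj, fld, val))
    return findings


# Constructed sample 1: follows the table but forgets function group SU_USER.
NARROW_ROLE: List[Auth] = [
    ("S_RFC", "ACTVT", "16"),
    ("S_RFC", "RFC_NAME", "VIRSA*"),   # prefix covers both VIRSA... groups
    *[("S_RFC", "RFC_NAME", g) for g in
      ("BAPT", "RFC1", "SDIF", "SDTX", "SDIFRUNTIME", "SUSR", "SUUS",
       "SYST", "SYSU")],
    ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_DEVELOP", "ACTVT", "16"),
    ("S_DEVELOP", "DEVCLASS", "VIRSA"),
    ("S_DEVELOP", "OBJNAME", "VIRSA"),
    ("S_DEVELOP", "OBJTYPE", "FUGR"),
]

# Constructed sample 2: the gap "fixed" by granting every function group.
BROAD_ROLE: List[Auth] = [a for a in NARROW_ROLE if a[1] != "RFC_NAME"] + [
    ("S_RFC", "RFC_NAME", "*"),
]


def main() -> None:
    for name, role in (("narrow", NARROW_ROLE), ("broad", BROAD_ROLE)):
        for f in check_role(role, SPM_RFC_REQUIRED):
            print(f"{name}: {f.kind} {f.obj}/{f.field} = {f.value}")


if __name__ == "__main__":
    main()
```

Running it reports one missing value (SU_USER) for the narrow role and one wildcard finding for the broad one; the same spec dictionary can be transcribed from the CUP, ERM and RAR tables to check those connector roles.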
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role.
6 Delivered Front End Roles and Permissions
61 Updating Roles and Permissions from Support Packages
2011-12-27 PUBLIC 3152
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
Action Name | Description | Appears on This Tab
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve request in the approver view | Configuration
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
Action Name | Description | Appears on This Tab
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
Action Name | Description | Appears on This Tab
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen |
(Not displayed on a tab)
ViewOpenSQLTest Permission to view OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view Approval Button in Role Maintenance
(Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view Role Expert Tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in Configuration Tab
Configuration
ViewRoleStatus Permission to view Role Status in Configuration Tab
Configuration
ViewRoleUsage Permission to view Role Usage Synchronization Screen
Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view TransactionImport in Configuration Tab
Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.
REBusinessUser
ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser
ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator
ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49 1805 34 34 34, F +49 1805 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace: You can find this document at http://service.sap.com/securityguide (see also http://service.sap.com/instguides).
In the following tables, objects with the value of * (asterisk) indicate that the object contains all available values. The following table lists the available values for the authorization fields.
Object | Available Values | Authorization Field
GRCFF_0001 | 01 Create or generate; 02 Change; 03 Display; 06 Delete; 36 Extended maintenance; 81 Schedule; DL Download; L0 All functions; UL Upload | ACTVT
GRCFF_0002 | CNTR - Controller: this is who maintains the controller table for firefighter ROLES; FFER - Firefighter: this value is required to add or delete firefighters from firefighter roles; LGDN - Log Download: you can download logs via Administration - Archive; LGDS - Log Delete: you can delete logs via Administration - Archive; LGUP - Log Upload: you can upload logs via Administration - Archive; OWNR - Owner: this is who maintains the owner table for firefighter ROLES | VIRSAFAT
S_DATA_SET | 06 Delete; 33 Read; 34 Write; A6 Read with filter; A7 Write with filter | ACTVT
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values and authorizations for the VFAT_ADMINISTRATOR.
Object | Values | Authorization Field
S_TCODE | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZFAT_V02 | TCD
S_DATA_SET | * | ACTVT
S_DATA_SET | | FILE_NAME
S_DATA_SET | /VIRSA/FF_LOG_AUTO_ARCHIVE | PROGRAM
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR | DICBERCLS
S_PROGRAM | SUBMIT, BTCSUBMIT, VARIANT | P_ACTION
S_PROGRAM | ZVFAT | P_GROUP
GRCFF_0001 | * | ACTVT
GRCFF_0002 | * | VIRSAFAT
/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, values and authorizations for the VFAT_ROLE_ADMINISTRATOR.
Object | Values | Authorization Field
S_TCODE | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/FAT, /VIRSA/ZFAT_V02 | TCD
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZV&ZV | DICBERCLS
S_DATA_SET | * | ACTVT
S_DATA_SET | | FILE_NAME
S_DATA_SET | /VIRSA/FF_LOG_AUTO_ARCHIVE | PROGRAM
GRCFF_0002 | * | VIRSAFAT
/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, values and authorizations for the VFAT_ROLE_CONTROLLER.
Object | Values | Authorization Field
S_TCODE | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZFAT_V02 | TCD
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZV&ZV | DICBERCLS
S_PROGRAM | SUBMIT, BTCSUBMIT | P_ACTION
S_PROGRAM | ZVFAT | P_GROUP
S_BTCH_JOB | RELE | JOBACTION, JOBGROUP
S_DATA_SET | * | ACTVT
S_DATA_SET | | FILE_NAME
S_DATA_SET | /VIRSA/FF_LOG_AUTO_ARCHIVE | PROGRAM
GRCFF_0001 | 81 | ACTVT
S_TCODE | /VIRSA/VFAT, /VIRSA/ZVFAT_02 | TCD
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZVD, ZVE | DICBERCLS
S_PROGRAM | SUBMIT, BTCSUBMIT | P_ACTION
S_PROGRAM | ZVFAT | P_GROUP
S_BTCH_JOB | RELE | JOBACTION, JOBGROUP
GRCFF_0001 | 02, 03, 81, L0 | ACTVT
NOTE
L0 in this case means View Log Control for Controllers.
GRCFF_0002 | LGDN, LGDS, LGUP | VIRSAFAT
S_TCODE | /VIRSA/VFAT | TCD
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZVD, ZVE | DICBERCLS
GRCFF_0001 | 02, 03 | ACTVT
GRCFF_0002 | CNTR, FFER, LGDN, LGDS, LGUP | VIRSAFAT
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, values and authorizations for the VFAT_ROLE_OWNER.
Object | Values | Authorization Field
S_TCODE | /VIRSA/VFAT | TCD
S_TABU_DIS | 02, 03 | ACTVT
S_TABU_DIS | ZVD, ZVE | DICBERCLS
GRCFF_0001 | 02, 03 | ACTVT
GRCFF_0002 | CNTR, FFER, LGDN, LGDS, LGUP | VIRSAFAT
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, values and authorizations for the VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT | *
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | *
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, values and authorizations for the VFAT_FIREFIGHTER.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT
For SP07 and after, you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [FFIDs User Group]
NOTE
If the FFIDs are not in a unique User Group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a UserID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should also have an ID in the CUA system with the above authorizations.
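The three recommendations in the note above (a dedicated user group for the Firefighter IDs rather than CLASS = *, only the S_USER_GRP activities 02, 03 and 05, and no SU01 alongside this access) can be checked against an exported role. The following Python script is an added example, not part of this guide or of Access Control; its line-oriented export format, the role names and the values are constructed for illustration.

```python
# Added example (not part of the SAP guide or of Access Control): audit
# firefighter role authorizations against the recommendations above.
# The line-oriented export format, role names and values are constructed.
from collections import defaultdict

# Activities the guide lists for S_USER_GRP on the firefighter role (SP07 and later).
ALLOWED_USER_GRP_ACTVT = {"02", "03", "05"}

# Constructed export: "ROLE <name>" starts a role, then one line per
# authorization field in the form "<object> <field> <value> [<value> ...]".
SAMPLE_EXPORT = """\
ROLE Z_FF_CONFINED
S_RFC ACTVT 16
S_RFC RFC_NAME SYST
S_RFC RFC_TYPE FUGR
S_TCODE TCD /VIRSA/VFAT
S_USER_GRP ACTVT 02 03 05
S_USER_GRP CLASS FFID_GRP
ROLE Z_FF_WIDE
S_RFC ACTVT 16
S_RFC RFC_NAME SYST
S_RFC RFC_TYPE FUGR
S_TCODE TCD /VIRSA/VFAT SU01
S_USER_GRP ACTVT 02 03 05 06
S_USER_GRP CLASS *
"""


def parse_export(text):
    """Return {role: {object: {field: set(values)}}} for the constructed format."""
    roles = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "ROLE":
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: ROLE needs exactly one name")
            current = parts[1]
            roles[current] = defaultdict(lambda: defaultdict(set))
            continue
        if current is None:
            raise ValueError(f"line {lineno}: authorization before any ROLE line")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<object> <field> <value...>'")
        obj, field, *values = parts
        roles[current][obj][field].update(values)
    return roles


def audit_firefighter_role(auths):
    """Return finding codes for one role; an empty list means the role matches the guide."""
    findings = []
    user_grp = auths.get("S_USER_GRP", {})
    # The guide recommends a dedicated user group for the FFIDs; CLASS = * is
    # only the fallback, so it is flagged for review.
    if "*" in user_grp.get("CLASS", set()):
        findings.append("USER_GRP_CLASS_WILDCARD")
    # Activities beyond 02/03/05 widen the role past what the guide lists.
    extra = user_grp.get("ACTVT", set()) - ALLOWED_USER_GRP_ACTVT
    if extra:
        findings.append("USER_GRP_ACTVT_EXCESS:" + ",".join(sorted(extra)))
    # The guide recommends not granting SU01 to users with this access.
    if "SU01" in auths.get("S_TCODE", {}).get("TCD", set()):
        findings.append("TCD_SU01_GRANTED")
    return findings


def audit_export(text):
    """Audit every role in an export; returns {role: [finding, ...]}."""
    return {role: audit_firefighter_role(a) for role, a in parse_export(text).items()}


if __name__ == "__main__":
    for role, result in audit_export(SAMPLE_EXPORT).items():
        print(f"{role}: {', '.join(result) if result else 'matches guide'}")
```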
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, values and authorizations for the VFAT_ID_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION, JOBGROUP | RELE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-End Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use these default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom role exactly the objects and authorization values listed in the tables that follow. A wildcard such as RFC_NAME = * would satisfy every check in the list, but it also lets the connector user call function groups far beyond those listed, so grant the named values rather than a pattern. Fields listed without a value have no value specified in this guide.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: VIRSAAEAHHR VIRSAAEAHNH VIRSAAECO VIRSAAECUHR VIRSAAECUNH VIRSAAEFF VIRSAAEHTHR VIRSAAEPRHR VIRSAAEPRNH VIRSAAEPVHR VIRSAAEPVHR1 VIRSAAEPVNH VIRSAAEPVNH1 VIRSAAERE VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZAE01 VIRSAZAE01NH VIRSAZAE02 VIRSAZAECC VIRSAZAECCNH VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
  TCD: SU01
S_TABU_DIS (Table maintenance)
  ACTVT: 03
  DICBERCLS: &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User master maintenance: authorizations)
  ACTVT: 03 08
  AUTH
  OBJECT
S_USER_GRP (User master maintenance: user groups)
  ACTVT: 01 02 03 05 06 08 24 78
  CLASS
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT: 03 08
  PROFILE
S_USER_SAS (User master maintenance: system-specific assignments)
  ACTVT: 01 06 22
  ACT_GROUP
  CLASS
  PROFILE
  SUBSYSTEM
S_USER_SYS (User master maintenance: system for central user maintenance)
  ACTVT: 78
  SUBSYSTEM
S_ADDRESS1 (Central address management)
  ACTVT: 01 02 03 06
  ADGRP: BC01
GRCCC_0001 (Table maintenance)
  VIRSAATN: MREF
PLOG (Personnel planning)
  INFOTYP: 1001
  ISTAT: 1
  OTYPE
  PLVAR
  PPFCODE: DEL DISP INSE LIST
  SUBTYP
P_TCODE (HR: transaction code)
  TCD: SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: VIRSARE VIRSAREORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
  TCD: VIRSARE_DNLDROLES
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User master maintenance: authorizations)
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User master maintenance: user groups)
  ACTVT
  CLASS
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles)
  TCD
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench)
  ACTVT
  DEVCLASS: VIRSA SUSO
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning)
  INFOTYP: 1000 1001
  ISTAT
  OTYPE
  PLVAR
  PPFCODE
  SUBTYP
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
  RFC_TYPE: FUGR
S_TCODE (Transaction code check at transaction start)
  TCD: VIRSARE_DNLDROLES
S_GUI (Authorization for GUI activities)
  ACTVT
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User master maintenance: authorizations)
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User master maintenance: user groups)
  ACTVT
  CLASS
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles)
  TCD
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench)
  ACTVT: MA
  DEVCLASS: VIRSA SUSO
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning)
  INFOTYP: 1000 1001
  ISTAT
  OTYPE: A C O P S T TS US WF WS
  PLVAR
  PPFCODE
  SUBTYP
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: VIRSAFF_UTIL_RPT VIRSAZVFAT BAPT RFC1 SDIF SDTX SDIFRUNTIME SUSR SUUS SU_USER SYST SYSU
  RFC_TYPE: FUGR
S_DEVELOP (ABAP Workbench)
  ACTVT: 16
  DEVCLASS: VIRSA
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP
GRCFF_0001 (User authorizations)
  ACTVT
GRCFF_0002 (Role authorizations)
  VIRSAFAT
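The check below is an added example and is not part of this SAP guide. It takes a role's authorization rows in the shape of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH),compares them with the CUP connector values from 5.5.1 using the same matching the authorization check applies (single value, LOW..HIGH range, trailing * pattern), and then reports wildcards or ranges on fields where they would widen the connector user well beyond the listed function groups: a pattern such as VIRSA* satisfies the required list but also grants the function groups of the other capabilities. The role Z_CUP_RFC and its rows are constructed, and REQUIRED_CUP holds only a subset of the 5.5.1 table, so add the remaining entries before using it against a real export.

```python
"""Verify an SAP back-end RFC connector role against the authorization values
in this guide, and flag grants that are broader than the table requires.

Added example, not part of the SAP guide. Assumes the role was exported as
rows with the columns of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH);
the role name Z_CUP_RFC and its rows below are constructed.
"""
from collections import defaultdict

# Required values for the CUP connector role: a subset of the 5.5.1 table.
# Extend the RFC_NAME set with the remaining function groups from the table.
REQUIRED_CUP = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {"VIRSAAEAHHR", "VIRSAZAE01", "SUSR", "SYST", "RFC1", "SDIFRUNTIME"},
    ("S_TCODE", "TCD"): {"SU01"},
    ("S_USER_GRP", "ACTVT"): {"01", "02", "03", "05", "06", "08", "24", "78"},
}

# Fields where a wildcard or range turns a connector role into a general-purpose
# RFC or development user; report such grants even when they satisfy REQUIRED_CUP.
SENSITIVE_FIELDS = {("S_RFC", "RFC_NAME"), ("S_DEVELOP", "ACTVT"), ("S_TABU_DIS", "DICBERCLS")}

# Constructed export of a custom role: (AGR_NAME, OBJECT, FIELD, LOW, HIGH).
SAMPLE_ROLE = [
    ("Z_CUP_RFC", "S_RFC", "ACTVT", "16", ""),
    ("Z_CUP_RFC", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_CUP_RFC", "S_RFC", "RFC_NAME", "VIRSA*", ""),   # pattern: covers all VIRSA groups
    ("Z_CUP_RFC", "S_RFC", "RFC_NAME", "SUSR", ""),
    ("Z_CUP_RFC", "S_RFC", "RFC_NAME", "SYST", ""),
    ("Z_CUP_RFC", "S_TCODE", "TCD", "SU01", ""),
    ("Z_CUP_RFC", "S_USER_GRP", "ACTVT", "01", "08"),   # range 01..08
    ("Z_CUP_RFC", "S_USER_GRP", "ACTVT", "24", ""),
    ("Z_CUP_RFC", "S_USER_GRP", "ACTVT", "78", ""),
    ("Z_CUP_RFC", "S_DEVELOP", "ACTVT", "*", ""),       # full wildcard on a sensitive field
]


def value_matches(low, high, value):
    """Match one value the way the SAP authorization check does: a LOW..HIGH
    range (string comparison), a trailing-* pattern, or an exact single value."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def grants_for(rows, role_name):
    """Collect (object, field) -> [(low, high), ...] for one role."""
    grants = defaultdict(list)
    for agr_name, obj, field, low, high in rows:
        if agr_name == role_name:
            grants[(obj, field)].append((low, high))
    return grants


def find_missing(rows, required, role_name):
    """Return (object, field, value) triples that the role does not grant."""
    grants = grants_for(rows, role_name)
    missing = []
    for key, values in required.items():
        for value in sorted(values):
            if not any(value_matches(low, high, value) for low, high in grants.get(key, [])):
                missing.append((key[0], key[1], value))
    return missing


def find_overbroad(rows, role_name):
    """Return grants on sensitive fields that use a wildcard or a range."""
    return [
        (obj, field, low, high)
        for agr_name, obj, field, low, high in rows
        if agr_name == role_name
        and (obj, field) in SENSITIVE_FIELDS
        and (high or low.endswith("*"))
    ]


if __name__ == "__main__":
    for item in find_missing(SAMPLE_ROLE, REQUIRED_CUP, "Z_CUP_RFC"):
        print("MISSING  ", item)
    for item in find_overbroad(SAMPLE_ROLE, "Z_CUP_RFC"):
        print("TOO BROAD", item)
```

On the constructed role the script reports RFC1 and SDIFRUNTIME as missing, and flags both the VIRSA* pattern on S_RFC RFC_NAME and the * on S_DEVELOP ACTVT: the first passes the required list only because the pattern is wider than the list, the second is the kind of grant that should never sit on a connector user.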
6 Delivered Front-End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure their permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, install the support package and then do the following:
If you are using the delivered roles, import the roles again.
If you are using custom roles, manually update your roles with the new permissions and actions.
6.2 Customizing the Front-End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of those authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front-End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these permissions.
AEAdmin
The following table lists the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | Internally used permission; not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete an approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel request generation for Manage Rejections (UAR and SOD) | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections (UAR and SOD) | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify End User Personalization configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial System Data configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level configuration | Configuration
ModifySupportConfiguration | Permission to modify Support configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for oneself | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover |  | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request chart view | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning chart view | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation chart view | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level chart view | Informer
ViewIFReportViewAction | Permission to view the Informer report view | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following lists the actions for the AESecurity and AEApprover delivered roles.
AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
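The script below is an added example and is not part of this SAP guide. It applies two checks that follow from this section and from 6.1: every action on a non-administrator role should also appear on the AEAdmin list, so an action that does not is new, renamed, or misspelled (it is reported with the closest delivered name, which is the case to look at after a support package), and the actions that provision users, roles, or profiles in the back-end system are listed per role so that they do not end up on a review-only role. The AEAdmin set is reduced to the actions needed here, the AEApprover list is the one given above, and the custom role Z_AE_HELPDESK, its actions, and the choice of which actions count as provisioning are constructed.

```python
"""Check UME front-end role action lists against the delivered administrator
action list and report provisioning actions per role.

Added example, not part of the SAP guide. Action names come from the CUP
tables in 6.2.1 (AEAdmin reduced to what this check needs); the custom role
Z_AE_HELPDESK and its action list are constructed.
"""
import difflib

# Delivered AEAdmin actions (subset of the 6.2.1 table). AEAdmin holds every
# action, so an action missing here is unknown, renamed, or misspelled.
AEADMIN_ACTIONS = {
    "CreateMitigationControl", "CreateSAPUser",
    "ManageRejectionsCancelGenerationAction", "ManageRejectionsGenerateAction",
    "ViewAccessEnforcer", "ViewApprove", "ViewApproverDelegation",
    "ViewAssignRolesProfiles", "ViewchangeCADApprover", "ViewConfiguration",
    "ViewCopyRequest", "ViewCreateRequest", "ViewForwardRequest", "ViewHold",
    "ViewManageRejectionReasons", "ViewManageRejections", "ViewMitigation",
    "ViewReaffirms", "ViewReject", "ViewRemoveAccess", "ViewRequstAuditTrails",
    "ViewReRoute", "ViewRiskAnalysis", "ViewSaveRequest", "ViewSearchRequestAll",
    "ViewSelectPDProfiles", "ViewSelectRoles", "ViewSubmitRequest",
    "ViewSuperAccess", "ViewUserReviewStatusReportAction",
}

# Actions that write to the back-end system (user accounts, roles, profiles)
# rather than act on a request; assumed set, chosen from the 6.2.1 descriptions.
PROVISIONING_ACTIONS = {"CreateSAPUser", "ViewAssignRolesProfiles", "ViewchangeCADApprover"}

ROLES = {
    # Delivered AEApprover as listed in 6.2.1.
    "AEApprover": {
        "CreateMitigationControl", "ManageRejectionsCancelGenerationAction",
        "ManageRejectionsGenerateAction", "SeeSU01Fields", "ViewAccessEnforcer",
        "ViewApprove", "ViewApproverDelegation", "ViewCopyRequest", "ViewCreateRequest",
        "ViewForwardRequest", "ViewHold", "ViewManageRejectionReasons",
        "ViewManageRejections", "ViewMitigation", "ViewReaffirms", "ViewReject",
        "ViewRejectUsers", "ViewRemoveAccess", "ViewRequstAuditTrail", "ViewReRoute",
        "ViewRiskAnalysis", "ViewSaveRequest", "ViewSearchRequestAll",
        "ViewSelectPDProfiles", "ViewSelectRoles", "ViewSubmitRequest",
        "ViewSuperAccess", "ViewUserReviewStatusReportAction",
    },
    # Constructed custom role copied from an older support package level.
    "Z_AE_HELPDESK": {
        "ViewAccessEnforcer", "ViewCreateRequest", "ViewSearchRequestAll",
        "ViewRequestAuditTrail", "CreateSAPUser",
    },
}


def check_role(actions, admin_actions=AEADMIN_ACTIONS, provisioning=PROVISIONING_ACTIONS):
    """Return the role's actions that are not on the administrator list, each
    with the closest delivered name (or None), plus its provisioning actions."""
    unknown = {}
    for action in sorted(actions - admin_actions):
        close = difflib.get_close_matches(action, sorted(admin_actions), n=1, cutoff=0.85)
        unknown[action] = close[0] if close else None
    return {"unknown": unknown, "provisioning": sorted(actions & provisioning)}


def check_all(roles=ROLES):
    """Run check_role over every role and return the results keyed by role name."""
    return {name: check_role(actions) for name, actions in roles.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(name)
        for action, hint in result["unknown"].items():
            suffix = " (closest delivered: %s)" % hint if hint else ""
            print("  unknown action: " + action + suffix)
        for action in result["provisioning"]:
            print("  provisioning action: " + action)
```

On the data from this section the check already finds that SeeSU01Fields and ViewRejectUsers on AEApprover are not in the AEAdmin table, and that ViewRequstAuditTrail differs from the administrator table's ViewRequstAuditTrails by one character; on the constructed helpdesk role it flags the mistyped audit-trail action and the CreateSAPUser provisioning action.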
6.2.2 Delivered Front-End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the READMIN role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform risk analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, and REConfigurator
The following lists the actions for each of these roles.
REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser
ViewAttachmentToRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRole
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsByClass
ViewObjectsByTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front-End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions for the VIRSA_CC_ADMINISTRATOR role.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute all actions within the tab | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front-End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the actions required for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab; assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com > Glossary, and in the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants, system administrators, project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators, technology consultants, solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants, project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants, project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants, solution consultants, project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants, project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators, technology consultants, solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes, and in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
5 Delivered Back End Roles
5.1 Delivered SPM Back-end Roles

Object | Authorization Field | Values
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT |

/VIRSA/VFAT_ROLE_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_ADMINISTRATOR role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0002 | VIRSAFAT |

/VIRSA/VFAT_ROLE_CONTROLLER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_CONTROLLER role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&ZV
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME |
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
GRCFF_0001 | ACTVT | 81
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_02
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE: L0 in this case means View Log Control for Controllers.
GRCFF_0002 | VIRSAFAT | LGDN, LGDS, LGUP
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ROLE_OWNER role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | VIRSAFAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, authorization fields, and values for the VFAT_ADMINISTRATOR role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILE_NAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | VIRSAFAT | CNTR, LGDN, LGDS, OWNR
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, authorization fields, and values for the VFAT_FIREFIGHTER role.

Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT

For SP07 and later, you must add the following authorization:

Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [user group of the Firefighter IDs]

NOTE
If the Firefighter IDs are not already in a user group of their own, we recommend that you assign them to one, so that this authorization covers only those IDs. If it is not possible to change or assign a user group for the Firefighter IDs, a value of * can be assigned to CLASS. We recommend that you do not grant access to transaction SU01 to any user who has this access: with CLASS * the S_USER_GRP authorization covers every user group, and together with SU01 the activities 02 (change) and 05 (lock/unlock) would apply to any user in the system, not only to the Firefighter IDs.

In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it must also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, the Firefighter must also have an ID in the CUA system with the above authorizations.
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, authorization fields, and values for the VFAT_ID_OWNER role.

Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN

More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend that you lock access to the following back end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER

More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability; you can use the default roles to connect to the back-end system:
/VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
/VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
/VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
/VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
Assign the role to a dedicated user for each connector rather than to a shared or dialog user. The connector stores that user's password, and the authorizations in the tables that follow include user and role maintenance, so the connector user is a privileged account whose credentials need the same protection as an administrator's.
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values. Note that this role carries create, change, lock, and delete activities on user master records (S_USER_GRP activities 01, 02, 05, 06) and role and profile assignment (S_USER_SAS), so the connector user that holds it is effectively a user administrator for the back-end system.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 03
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT | 03, 08
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT | 01, 02, 03, 05, 06, 08, 24, 78
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 03, 08
S_USER_PRO | | PROFILE |
S_USER_SAS | User master maintenance: system-specific assignments | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP |
S_USER_SAS | | CLASS |
S_USER_SAS | | PROFILE |
S_USER_SAS | | SUBSYSTEM |
S_USER_SYS | User master maintenance: system for central user maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM |
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
GRCCC_0001 | Table maintenance | VIRSAATN | MREF
PLOG | Personnel planning | INFOTYP | 1001
PLOG | | ISTAT | 1
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE | DEL, DISP, INSE, LIST
PLOG | | SUBTYP |
P_TCODE | HR: transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | /VIRSA/, SUSO
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT |
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following objects and values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | /VIRSA/RE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
S_USER_AGR | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
S_USER_AUT | | AUTH |
S_USER_AUT | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
S_USER_GRP | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
S_USER_PRO | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
S_USER_VAL | | AUTH_VALUE |
S_USER_VAL | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | /VIRSA/, SUSO
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT |
PLOG | | OTYPE | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | /VIRSA/
S_DEVELOP | | OBJNAME | /VIRSA/
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
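The following script is added here as an example; it is not part of SAP's deliverables. It audits an export of role authorizations against two expectations stated in this chapter: that a custom RFC connector role (section 5.5) grants S_RFC only for the function groups its capability needs and only activity 16, and that a Firefighter role carrying the SP07 S_USER_GRP authorization on CLASS * (section 5.1) does not also carry SU01. The rows use the AGR_NAME, OBJECT, FIELD, LOW, HIGH columns of table AGR_1251; the role names and rows are constructed for the example, and SPM_CONNECTOR_FUGR is the function group list from section 5.5.4.

```python
"""Audit back-end roles against the least-privilege expectations of this chapter.

Rows carry the AGR_1251 columns that matter here: (AGR_NAME, OBJECT, FIELD, LOW, HIGH).
Added example, not SAP code; the sample role names are hypothetical.
"""

# Function groups this guide lists for the SPM connector role (section 5.5.4).
SPM_CONNECTOR_FUGR = {
    "/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME",
    "SDTX", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU",
}

# Constructed sample export (hypothetical role names).
SAMPLE_AGR_1251 = [
    # custom SPM connector role built from section 5.5.4
    ("Z_GRC_RFC_SPM", "S_RFC", "ACTVT", "16", ""),
    ("Z_GRC_RFC_SPM", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_GRC_RFC_SPM", "S_RFC", "RFC_NAME", "/VIRSA/FF_UTIL_RPT", ""),
    ("Z_GRC_RFC_SPM", "S_RFC", "RFC_NAME", "/VIRSA/ZVFAT", ""),
    ("Z_GRC_RFC_SPM", "S_RFC", "RFC_NAME", "SYST", ""),
    # the same role "repaired" with a wildcard and an unrelated function group
    ("Z_GRC_RFC_SPM_WIDE", "S_RFC", "ACTVT", "16", ""),
    ("Z_GRC_RFC_SPM_WIDE", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_GRC_RFC_SPM_WIDE", "S_RFC", "RFC_NAME", "/VIRSA/*", ""),
    ("Z_GRC_RFC_SPM_WIDE", "S_RFC", "RFC_NAME", "SUSO", ""),
    # Firefighter role with the SP07 S_USER_GRP authorization on CLASS * plus SU01
    ("Z_FF_FIREFIGHTER", "S_TCODE", "TCD", "/VIRSA/VFAT", ""),
    ("Z_FF_FIREFIGHTER", "S_TCODE", "TCD", "SU01", ""),
    ("Z_FF_FIREFIGHTER", "S_USER_GRP", "ACTVT", "02", ""),
    ("Z_FF_FIREFIGHTER", "S_USER_GRP", "ACTVT", "03", ""),
    ("Z_FF_FIREFIGHTER", "S_USER_GRP", "ACTVT", "05", ""),
    ("Z_FF_FIREFIGHTER", "S_USER_GRP", "CLASS", "*", ""),
]


def field_values(rows, role, obj, field):
    """All (LOW, HIGH) pairs a role holds for one authorization field."""
    return [(low, high) for r, o, f, low, high in rows
            if r == role and o == obj and f == field]


def value_matches(pair, name):
    """Authorization value semantics of the SAP authorization check: a non-empty HIGH
    makes LOW..HIGH an inclusive range, '*' matches everything, a trailing '*' matches
    as a prefix, anything else must be equal."""
    low, high = pair
    if high:
        return low <= name <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return name.startswith(low[:-1])
    return low == name


def audit_rfc_role(rows, role, allowed_fugr):
    """Findings for an RFC connector role: activities beyond Execute (16) on S_RFC,
    wildcard or range values for RFC_NAME, and function groups outside allowed_fugr."""
    findings = []
    extra_actvt = {low for low, _ in field_values(rows, role, "S_RFC", "ACTVT")} - {"16"}
    if extra_actvt:
        findings.append(f"{role}: S_RFC ACTVT {sorted(extra_actvt)} beyond Execute (16)")
    for low, high in field_values(rows, role, "S_RFC", "RFC_NAME"):
        if high or "*" in low:
            findings.append(f"{role}: S_RFC RFC_NAME {low!r}..{high!r} is a wildcard or range")
        elif low not in allowed_fugr:
            findings.append(f"{role}: S_RFC RFC_NAME {low!r} is not in the documented list")
    return findings


def audit_firefighter_role(rows, role):
    """The combination section 5.1 warns against: S_USER_GRP change or lock activities
    on all user groups (CLASS *) together with SU01 in the same role lets the holder
    change or lock any user, not only the Firefighter IDs."""
    has_su01 = any(value_matches(p, "SU01") for p in field_values(rows, role, "S_TCODE", "TCD"))
    all_groups = any(low == "*" for low, _ in field_values(rows, role, "S_USER_GRP", "CLASS"))
    change_acts = {low for low, _ in field_values(rows, role, "S_USER_GRP", "ACTVT")} & {"02", "05", "06"}
    if has_su01 and all_groups and change_acts:
        return [f"{role}: SU01 together with S_USER_GRP {sorted(change_acts)} on CLASS *"]
    return []


if __name__ == "__main__":
    for role in sorted({row[0] for row in SAMPLE_AGR_1251}):
        findings = (audit_rfc_role(SAMPLE_AGR_1251, role, SPM_CONNECTOR_FUGR)
                    + audit_firefighter_role(SAMPLE_AGR_1251, role))
        for line in findings:
            print(line)
```

To run it against a real system, replace SAMPLE_AGR_1251 with a download of AGR_1251 filtered to the connector and Firefighter roles, and pass the function group list from section 5.5.1, 5.5.2, or 5.5.3 for the other connectors. A wildcard on RFC_NAME is the usual shortcut taken when a connector fails an authorization check, and it is exactly the finding the script is meant to surface.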
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.

6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, import the roles again.
If you are using custom roles, manually update your roles with the new permissions and actions.

6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
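As an added example (not SAP code), the following script makes the two rules above checkable rather than a matter of eyeballing: the manual update of custom roles after a support package (section 6.1), and the requirement that every non-administration role be a subset of the administration role (section 6.2). The action sets are short excerpts from the AEAdmin and AEApprover tables in section 6.2.1; the custom role and the post-support-package template are constructed for the example.

```python
"""Compare a custom UME role with the delivered role it was cloned from.

Added example, not SAP code. AEADMIN and AEAPPROVER are excerpts of the delivered
action lists in section 6.2.1; Z_AE_APPROVER and AEAPPROVER_AFTER_SP are constructed.
"""

# Excerpt of the delivered AEAdmin actions (section 6.2.1).
AEADMIN = frozenset({
    "ApproverDelegationByAdmin", "CreateMitigationControl", "CreateSAPUser",
    "DeleteRequestAction", "ModifyConnectorsConfiguration",
    "ModifyProvisioningConfiguration", "ViewAccessEnforcer", "ViewApprove",
    "ViewCreateRequest", "ViewMitigation", "ViewReject", "ViewRiskAnalysis",
    "ViewSearchRequestAll", "ViewSubmitRequest", "ViewSuperAccess",
    "ViewUserReviewStatusReportAction",
})

# Excerpt of the delivered AEApprover actions (section 6.2.1).
AEAPPROVER = frozenset({
    "CreateMitigationControl", "ViewAccessEnforcer", "ViewApprove", "ViewCreateRequest",
    "ViewMitigation", "ViewReject", "ViewRiskAnalysis", "ViewSearchRequestAll",
    "ViewSubmitRequest", "ViewUserReviewStatusReportAction",
})

# Constructed: a custom approver role that drifted from its template (lost ViewReject,
# gained a configuration action), and the template after a support package that added
# ViewSuperAccess to approvers.
Z_AE_APPROVER = (AEAPPROVER - {"ViewReject"}) | {"ModifyConnectorsConfiguration"}
AEAPPROVER_AFTER_SP = AEAPPROVER | {"ViewSuperAccess"}


def diff_actions(template, custom):
    """(actions the custom role lacks, actions it carries beyond the template)."""
    return sorted(template - custom), sorted(custom - template)


def escalations(custom, template, admin):
    """Actions in the custom role that the delivered template does not have but the
    administration role does: these widen the role past the subset section 6.2 describes."""
    return sorted((custom - template) & admin)


def unknown_actions(custom, admin):
    """Actions no delivered role documents: typos or leftovers from an older release."""
    return sorted(custom - admin)


def support_package_delta(template_before, template_after, custom):
    """What a custom role cloned from template_before must gain and drop to track
    template_after, the manual step section 6.1 requires after a support package."""
    to_add = sorted((template_after - template_before) - custom)
    to_drop = sorted((template_before - template_after) & custom)
    return to_add, to_drop


if __name__ == "__main__":
    print("missing/extra:", diff_actions(AEAPPROVER, Z_AE_APPROVER))
    print("escalations:", escalations(Z_AE_APPROVER, AEAPPROVER, AEADMIN))
    print("unknown:", unknown_actions(Z_AE_APPROVER, AEADMIN))
    print("after SP:", support_package_delta(AEAPPROVER, AEAPPROVER_AFTER_SP, Z_AE_APPROVER))
```

Feed it the full action lists from the tables in this chapter (or an export of the UME roles) to review every custom role at once; an escalation such as a Modify* configuration action in an approver role is the case worth catching before a support package import silently preserves it.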
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these actions.

AEAdmin
The following are the actions for the AEAdmin role:
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality. | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if DeleteRequestAction is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generating requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify End User Personalization configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial System Data configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level configuration | Configuration
ModifySupportConfiguration | Permission to modify Support configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve a request in the approver view | Configuration
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view the Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser and REConfigurator
The following lists the actions for each of these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these actions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete the rules of a system | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer and Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer and Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute every action within it. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the actions an administrator requires.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com, Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 34, F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: you can find this document at http://service.sap.com/securityguide and http://service.sap.com/instguides.
Object | Authorization Field | Values
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
GRCFF_0001 | ACTVT | 02, 03, 81, L0
NOTE: L0 in this case means View Log Control for Controllers.
GRCFF_0002 | /VIRSA/FAT | LGDN, LGDS, LGUP
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | /VIRSA/FAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ROLE_OWNER
The following table lists the objects, fields and values for the role /VIRSA/VFAT_ROLE_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZVD, ZVE
GRCFF_0001 | ACTVT | 02, 03
GRCFF_0002 | /VIRSA/FAT | CNTR, FFER, LGDN, LGDS, LGUP
/VIRSA/VFAT_ADMINISTRATOR
The following table lists the objects, fields and values for the role /VIRSA/VFAT_ADMINISTRATOR.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/FFARCHIVE, /VIRSA/FFCHNGLOGS, /VIRSA/VFAT, /VIRSA/ZVFAT_V02
S_DATA_SET | ACTVT |
S_DATA_SET | FILENAME | None
S_DATA_SET | PROGRAM | /VIRSA/FF_LOG_AUTO_ARCHIVE
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&U, ZV&V, ZV&W, ZV&X, ZV&Y, ZV&Z, ZVC, ZVD, ZVE, ZVR
S_PROGRAM | P_ACTION | BTCSUBMIT, SUBMIT, VARIANT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT |
GRCFF_0002 | /VIRSA/FAT | CNTR, LGDN, LGDS, OWNR
5 Delivered Back End Roles, 5.1 Delivered SPM Back-end Roles (2011-12-27, PUBLIC, page 21/52)
/VIRSA/Z_VFAT_FIREFIGHTER
The following table lists the objects, fields and values for the role /VIRSA/Z_VFAT_FIREFIGHTER.
Object | Authorization Field | Values
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | SYST
S_RFC | RFC_TYPE | FUGR
S_TCODE | TCD | /VIRSA/VFAT
For SP07 and later you must add these additional authorizations:
Object | Authorization Field | Values
S_USER_GRP | ACTVT | 02, 03, 05
S_USER_GRP | CLASS | [user group of the Firefighter IDs]
NOTE
If the Firefighter IDs are not in a unique user group, we recommend you assign them to one. If it is not possible to change or assign a user group to the Firefighter IDs, a value of * can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 to any user who has this access.
In the case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, the firefighter must also have an ID in the CUA system with the above authorizations.
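The tables in this chapter are minimum baselines, and the firefighter note above is a caveat about one combination (SU01 together with S_USER_GRP change access) that must not end up in the same role. The following Python script is an added example, not part of this guide and not SAP-delivered code: it compares a back-end role, keyed in by hand from PFCG, against the firefighter baseline, reports values granted beyond the baseline (including wildcards and ranges, which always cover more than a baseline lists), reports baseline values that are missing, and flags the SU01 combination. The same comparison applies to the custom RFC connector roles of section 5.5; load that section's table as the baseline. The role contents, the user-group name FFID and the function names are constructed for illustration.

```python
"""Least-privilege check of an SAP back-end role against a documented baseline.

Added example for this guide, not SAP-delivered code. A role is modelled as
{object: [instance, ...]} where each instance maps an authorization field to
the values it grants. Values follow SAP conventions: an exact string, a string
ending in '*' (prefix wildcard, '*' alone meaning everything), or a
(low, high) tuple for an inclusive FROM-TO range. The role contents below are
constructed for illustration and are not a PFCG export.
"""

from typing import Dict, List, Tuple, Union

Value = Union[str, Tuple[str, str]]
Instance = Dict[str, List[Value]]
Role = Dict[str, List[Instance]]


def covers(granted: Value, wanted: str) -> bool:
    """True if the granted field value matches the concrete value 'wanted'."""
    if isinstance(granted, tuple):
        low, high = granted
        return low <= wanted <= high
    if granted == "*":
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def is_broad(granted: Value) -> bool:
    """A wildcard or range grants more than one concrete value."""
    return isinstance(granted, tuple) or granted.endswith("*")


def field_values(role: Role, obj: str, fld: str) -> List[Value]:
    """All values granted for one field across every instance of the object."""
    return [v for inst in role.get(obj, []) for v in inst.get(fld, [])]


def compare(role: Role, baseline: Role) -> Dict[str, List[str]]:
    """Diff a role against a baseline.

    'excess' lists objects, fields or values the role grants that the baseline
    does not name; a wildcard or range counts as excess unless the baseline
    lists that exact pattern, because it covers values the baseline never
    asked for. 'missing' lists baseline values that no granted value covers.
    """
    excess: List[str] = []
    missing: List[str] = []
    for obj, instances in role.items():
        if obj not in baseline:
            excess.append(f"{obj}: object not in baseline")
            continue
        for inst in instances:
            for fld, vals in inst.items():
                allowed = field_values(baseline, obj, fld)
                if not allowed:
                    excess.append(f"{obj}/{fld}: field not in baseline")
                    continue
                for v in vals:
                    if v in allowed:
                        continue
                    reason = "is a wildcard or range" if is_broad(v) else "not in baseline"
                    excess.append(f"{obj}/{fld}: {v!r} {reason}")
    for obj, instances in baseline.items():
        for inst in instances:
            for fld, vals in inst.items():
                granted = field_values(role, obj, fld)
                for wanted in vals:
                    if isinstance(wanted, str) and not any(covers(g, wanted) for g in granted):
                        missing.append(f"{obj}/{fld}: {wanted!r} not granted")
    return {"excess": excess, "missing": missing}


def su01_with_user_group_access(role: Role) -> bool:
    """The firefighter caveat from this guide: do not grant SU01 to a user who
    also holds S_USER_GRP ACTVT 02/03/05 on the firefighter-ID user group.
    With SU01, that access lets the holder maintain the firefighter IDs
    directly instead of only through /VIRSA/VFAT."""
    has_su01 = any(covers(v, "SU01") for v in field_values(role, "S_TCODE", "TCD"))
    actvt = field_values(role, "S_USER_GRP", "ACTVT")
    has_group_access = any(covers(v, a) for v in actvt for a in ("02", "03", "05"))
    return has_su01 and has_group_access


# Baseline taken from the /VIRSA/Z_VFAT_FIREFIGHTER tables (SP07 and later).
# "FFID" is an assumed name for the firefighter-ID user group.
FIREFIGHTER_BASELINE: Role = {
    "S_RFC": [{"ACTVT": ["16"], "RFC_NAME": ["SYST"], "RFC_TYPE": ["FUGR"]}],
    "S_TCODE": [{"TCD": ["/VIRSA/VFAT"]}],
    "S_USER_GRP": [{"ACTVT": ["02", "03", "05"], "CLASS": ["FFID"]}],
}

# Constructed role as an administrator might have built it in PFCG: an extra
# function group, SU01 added for convenience, and ACTVT left at '*'.
OVERBUILT_ROLE: Role = {
    "S_RFC": [{"ACTVT": ["16"], "RFC_NAME": ["SYST", "SUSR"], "RFC_TYPE": ["FUGR"]}],
    "S_TCODE": [{"TCD": ["/VIRSA/VFAT", "SU01"]}],
    "S_USER_GRP": [{"ACTVT": ["*"], "CLASS": ["FFID"]}],
}

# Constructed role that omitted the SP07 addition and used a range for TCD.
INCOMPLETE_ROLE: Role = {
    "S_RFC": [{"ACTVT": ["16"], "RFC_NAME": ["SYST"], "RFC_TYPE": ["FUGR"]}],
    "S_TCODE": [{"TCD": [("/VIRSA/A", "/VIRSA/Z")]}],
}

if __name__ == "__main__":
    for name, role in (("overbuilt", OVERBUILT_ROLE), ("incomplete", INCOMPLETE_ROLE)):
        findings = compare(role, FIREFIGHTER_BASELINE)
        print(f"{name}: excess={findings['excess']}")
        print(f"{name}: missing={findings['missing']}")
        print(f"{name}: SU01 with S_USER_GRP access: {su01_with_user_group_access(role)}")
```

A wildcard is reported even when it happens to cover every baseline value, because the point of the baseline is the values it does not name; a range such as /VIRSA/A to /VIRSA/Z passes the "missing" check for /VIRSA/VFAT but is still listed as excess for the same reason.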
/VIRSA/Z_VFAT_ID_OWNER
The following table lists the objects, fields and values for the role /VIRSA/Z_VFAT_ID_OWNER.
Object | Authorization Field | Values
S_TCODE | TCD | /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZVFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP |
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | ZV&X, ZV&Y
S_PROGRAM | P_ACTION | SUBMIT, BTCSUBMIT
S_PROGRAM | P_GROUP | ZVFAT
GRCFF_0001 | ACTVT | 02, 03, 81
5.2 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes we recommend you lock access to the following back end roles:
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes we recommend you lock access to the following back end roles:
/VIRSA/Z_VRMT_ADMINISTRATOR
/VIRSA/Z_VRMT_ROLE_OWNER
/VIRSA/Z_VRMT_SECURITY
/VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values. Each object is listed with its definition, followed by its authorization fields and values.
S_RFC (authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (authorization check at transaction start)
  TCD: SU01
S_TABU_DIS (table maintenance)
  ACTVT: 03
  DICBERCLS: &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (authorizations: role check)
  ACTVT, ACT_GROUP: no values listed
S_USER_AUT (user master maintenance: authorizations)
  ACTVT: 03, 08
  AUTH, OBJECT: no values listed
S_USER_GRP (user master maintenance: user groups)
  ACTVT: 01, 02, 03, 05, 06, 08, 24, 78
  CLASS: no value listed
S_USER_PRO (user master maintenance: authorization profile)
  ACTVT: 03, 08
  PROFILE: no value listed
S_USER_SAS
  ACTVT: 01, 06, 22
  ACT_GROUP, CLASS, PROFILE, SUBSYSTEM: no values listed
S_USER_SYS (user master maintenance: system for central user maintenance)
  ACTVT: 78
  SUBSYSTEM: no value listed
S_ADDRESS1 (central address management)
  ACTVT: 01, 02, 03, 06
  ADGRP: BC01
GRCCC_0001 (table maintenance)
  VIRSAATN: MREF
PLOG (personnel planning)
  INFOTYP: 1001
  ISTAT: 1
  OTYPE, PLVAR: no values listed
  PPFCODE: DEL, DISP, INSE, LIST
  SUBTYP: no value listed
P_TCODE (HR transaction code)
  TCD: SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values. Each object is listed with its definition, followed by its authorization fields and values.
S_RFC (authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (authorization check at transaction start)
  TCD: /VIRSA/RE_DNLDROLES
S_USER_AGR (authorizations: role check)
  ACTVT, ACT_GROUP: no values listed
S_USER_AUT (user master maintenance: authorizations)
  ACTVT, AUTH, OBJECT: no values listed
S_USER_GRP (user master maintenance: user groups)
  ACTVT, CLASS: no values listed
S_USER_PRO (user master maintenance: authorization profile)
  ACTVT, PROFILE: no values listed
S_USER_TCD (authorizations: transactions in roles)
  TCD: no value listed
S_USER_VAL (authorizations: field values in roles)
  AUTH_FIELD, AUTH_VALUE, OBJECT: no values listed
S_DEVELOP (ABAP Workbench)
  ACTVT: no value listed
  DEVCLASS: VIRSA, SUSO
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP: no value listed
PLOG (personnel planning)
  INFOTYP: 1000, 1001
  ISTAT, OTYPE, PLVAR, PPFCODE, SUBTYPE: no values listed
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values. Each object is listed with its definition, followed by its authorization fields and values.
S_RFC (authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (transaction code check at transaction start)
  TCD: /VIRSA/RE_DNLDROLES
S_GUI (authorization for GUI activities)
  ACTVT: no value listed
S_USER_AGR (authorizations: role check)
  ACTVT, ACT_GROUP: no values listed
S_USER_AUT (user master maintenance: authorizations)
  ACTVT, AUTH, OBJECT: no values listed
S_USER_GRP (user master maintenance: user groups)
  ACTVT, CLASS: no values listed
S_USER_PRO (user master maintenance: authorization profile)
  ACTVT, PROFILE: no values listed
S_USER_TCD (authorizations: transactions in roles)
  TCD: =
S_USER_VAL (authorizations: field values in roles)
  AUTH_FIELD, AUTH_VALUE, OBJECT: no values listed
S_DEVELOP (ABAP Workbench)
  ACTVT: MA
  DEVCLASS: VIRSA, SUSO
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP: no value listed
PLOG (personnel planning)
  INFOTYP: 1000, 1001
  ISTAT: A, C, O, P, S, T, TS, US, WF, WS
  PLVAR, PPFCODE, SUBTYP: no values listed
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values. Each object is listed with its definition, followed by its authorization fields and values.
S_RFC (authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_DEVELOP (ABAP Workbench)
  ACTVT: 16
  DEVCLASS: VIRSA
  OBJNAME: VIRSA
  OBJTYPE: FUGR
  P_GROUP: no value listed
GRCFF_0001 (user authorizations)
  ACTVT: no value listed
GRCFF_0002 (role authorizations)
  VIRSAFAT: no value listed
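The four tables in section 5.5 are the baseline a custom connector role has to match, and the point of matching them is least privilege: the connector user can call exactly the function groups and transactions the capability needs. As an added example (not part of this guide and not SAP tooling), the following Python script checks a custom role's authorization data against the ERM values of section 5.5.2. It reads rows in the shape of an AGR_1251-style export (role, object, field, low value, high value) and reports baseline values that are missing, values beyond the baseline, wildcards or ranges on fields the guide pins to single values, and objects the documented role does not contain. The baseline dictionary, the list of documented objects, the sample rows and the role names Z_ERM_RFC_OK and Z_ERM_RFC_BAD are all constructed for the example.

```python
"""Compare a custom RFC connector role against the documented ERM baseline.

Added example, not SAP tooling. Rows imitate an AGR_1251 export:
(role, object, field, low, high). The baseline is transcribed from the
table in section 5.5.2 of the guide; the sample rows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Field values the guide specifies for the ERM connector role (section 5.5.2).
ERM_BASELINE: dict[tuple[str, str], set[str]] = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {
        "/VIRSA/RE", "/VIRSA/REORG", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME",
        "SDTX", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU",
    },
    ("S_TCODE", "TCD"): {"/VIRSA/RE_DNLDROLES"},
}
# Objects the guide lists for the role, including those it leaves without values.
ERM_OBJECTS = {
    "S_RFC", "S_TCODE", "S_USER_AGR", "S_USER_AUT", "S_USER_GRP", "S_USER_PRO",
    "S_USER_TCD", "S_USER_VAL", "S_DEVELOP", "PLOG",
}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    object: str
    field: str
    detail: str


def collect_values(rows, role):
    """Group one role's rows into {(object, field): {(low, high), ...}}."""
    values: dict[tuple[str, str], set[tuple[str, str]]] = {}
    for r_role, obj, field, low, high in rows:
        if r_role == role:
            values.setdefault((obj, field), set()).add((low, high))
    return values


def audit_rfc_role(rows, role, baseline=ERM_BASELINE, objects=ERM_OBJECTS):
    """Return findings sorted by severity; an empty list means the role matches."""
    findings: list[Finding] = []
    actual = collect_values(rows, role)

    for (obj, field), required in baseline.items():
        present = actual.get((obj, field), set())
        singles: set[str] = set()
        open_ended = False
        for low, high in present:
            if "*" in low or "*" in high:
                findings.append(Finding("HIGH", obj, field, f"wildcard value {(low or high)!r}"))
                open_ended = True
            elif high:
                findings.append(Finding("HIGH", obj, field, f"range {low}..{high} instead of single values"))
                open_ended = True
            else:
                singles.add(low)
        if open_ended:
            continue  # a wildcard or range already covers (and exceeds) the baseline
        for missing in sorted(required - singles):
            findings.append(Finding("LOW", obj, field, f"baseline value {missing} not granted"))
        for extra in sorted(singles - required):
            findings.append(Finding("MEDIUM", obj, field, f"value {extra} is beyond the baseline"))

    for (obj, field), present in actual.items():
        if obj not in objects:
            findings.append(Finding("MEDIUM", obj, field, "object is not part of the documented role"))
        elif (obj, field) not in baseline and any("*" in low or "*" in high for low, high in present):
            findings.append(Finding("INFO", obj, field, "wildcard on a field the guide leaves unspecified"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.object, f.field, f.detail))


def worst_severity(findings):
    """Highest severity present, or CLEAN for an empty finding list."""
    return min((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="CLEAN")


# Constructed sample export (not real system data). Z_ERM_RFC_OK matches the
# baseline; Z_ERM_RFC_BAD has a wildcard on RFC_NAME, a foreign transaction
# instead of the documented one, and an object the guide does not list.
SAMPLE_ROWS = [
    ("Z_ERM_RFC_OK", "S_RFC", "ACTVT", "16", ""),
    ("Z_ERM_RFC_OK", "S_RFC", "RFC_TYPE", "FUGR", ""),
    *[("Z_ERM_RFC_OK", "S_RFC", "RFC_NAME", name, "") for name in ERM_BASELINE[("S_RFC", "RFC_NAME")]],
    ("Z_ERM_RFC_OK", "S_TCODE", "TCD", "/VIRSA/RE_DNLDROLES", ""),
    ("Z_ERM_RFC_OK", "S_USER_AGR", "ACTVT", "03", ""),
    ("Z_ERM_RFC_OK", "S_USER_AGR", "ACT_GROUP", "*", ""),
    ("Z_ERM_RFC_BAD", "S_RFC", "ACTVT", "16", ""),
    ("Z_ERM_RFC_BAD", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_ERM_RFC_BAD", "S_RFC", "RFC_NAME", "*", ""),
    ("Z_ERM_RFC_BAD", "S_TCODE", "TCD", "SE16", ""),
    ("Z_ERM_RFC_BAD", "S_TABU_DIS", "ACTVT", "02", ""),
]

if __name__ == "__main__":
    for role in ("Z_ERM_RFC_OK", "Z_ERM_RFC_BAD"):
        result = audit_rfc_role(SAMPLE_ROWS, role)
        print(f"{role}: {worst_severity(result)}")
        for f in result:
            print(f"  {f.severity:6} {f.object} {f.field}: {f.detail}")
```

A wildcard on RFC_NAME is reported as HIGH and suppresses the missing-value check for that field, since * already covers every baseline value; without that rule the same row would produce twelve misleading "not granted" findings. Fields the guide lists without values (S_USER_AGR and the others) only yield INFO findings for wildcards, because the guide gives nothing stricter to compare against.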
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
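Sections 6.1 and 6.2 together describe a manual procedure: work out what a support package changed in the delivered administrator role, propagate that to the custom roles, and keep every custom role a subset of the administrator role. The following Python script is an added example of that procedure (not part of this guide and not SAP's UME tooling). The action names come from the AEAdmin table in section 6.2.1, while the before and after versions of the delivered role, the custom roles Z_AE_HELPDESK and Z_AE_PROVISIONER, and the choice of which actions count as high impact are constructed for the example.

```python
"""Apply a support package's action delta to custom UME roles and check each
custom role against the delivered administrator role.

Added example, not part of this guide or of SAP's UME tooling. Action names
are taken from the AEAdmin table in section 6.2.1; the two versions of the
delivered role and the custom roles below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Actions whose descriptions in section 6.2.1 say they provision into the
# back-end system. Treating them as high impact is this example's choice.
HIGH_IMPACT = {"CreateSAPUser", "ViewAssignRolesProfiles"}

# Constructed "before" and "after" versions of the delivered AEAdmin actions.
OLD_AEADMIN = {
    "aewebqueryexecution", "ApproverDelegationByAdmin", "CreateMitigationControl",
    "CreateSAPUser", "DeleteRequestAction", "ModifyWorkflowConfiguration",
    "SearchChangeLog", "ViewAccessEnforcer", "ViewApprove",
    "ViewAssignRolesProfiles", "ViewCreateRequest", "ViewReject", "ViewRiskAnalysis",
}
NEW_AEADMIN = (OLD_AEADMIN - {"DeleteRequestAction"}) | {"DeleteRequestSubmit", "ViewUpgradeAction"}

# Constructed custom roles; "ViewRiskAnalyis" is a deliberate typo to show how
# an action that the administrator role does not contain is reported.
CUSTOM_ROLES = {
    "Z_AE_HELPDESK": {"ViewAccessEnforcer", "ViewCreateRequest", "ViewApprove",
                      "ViewReject", "DeleteRequestAction"},
    "Z_AE_PROVISIONER": {"ViewAccessEnforcer", "ViewApprove", "CreateSAPUser",
                         "ViewAssignRolesProfiles", "ViewRiskAnalyis"},
}


@dataclass
class RoleReport:
    role: str
    remove: set = field(default_factory=set)       # actions the support package dropped
    review: set = field(default_factory=set)       # actions it added; decide per role
    unknown: set = field(default_factory=set)      # not in the administrator role at all
    high_impact: set = field(default_factory=set)  # provisioning actions present

    @property
    def needs_change(self) -> bool:
        return bool(self.remove or self.unknown)


def support_package_delta(old_admin, new_admin):
    """Return (added, removed) actions between two versions of the admin role."""
    old_admin, new_admin = set(old_admin), set(new_admin)
    return new_admin - old_admin, old_admin - new_admin


def check_custom_roles(old_admin, new_admin, custom_roles):
    """Section 6.1: propagate the delta to custom roles.
    Section 6.2: every custom role must stay a subset of the administrator role."""
    added, removed = support_package_delta(old_admin, new_admin)
    new_admin = set(new_admin)
    reports = {}
    for name, actions in custom_roles.items():
        actions = set(actions)
        reports[name] = RoleReport(
            role=name,
            remove=actions & removed,
            review=added - actions,
            unknown=actions - new_admin - removed,
            high_impact=actions & HIGH_IMPACT,
        )
    return reports


def format_report(report):
    """One line per finding, suitable for a change ticket or review log."""
    lines = [f"{report.role}: {'action needed' if report.needs_change else 'no change needed'}"]
    lines += [f"  remove {a} (dropped by support package)" for a in sorted(report.remove)]
    lines += [f"  unknown {a} (not in administrator role)" for a in sorted(report.unknown)]
    lines += [f"  review {a} (new delivered action)" for a in sorted(report.review)]
    lines += [f"  high-impact {a} present" for a in sorted(report.high_impact)]
    return lines


if __name__ == "__main__":
    for rep in check_custom_roles(OLD_AEADMIN, NEW_AEADMIN, CUSTOM_ROLES).values():
        print("\n".join(format_report(rep)))
```

Actions the support package removed are the ones that must go immediately, because the administrator role no longer contains them; newly added actions are only listed for review, since section 6.2 leaves the decision of which subset a custom role gets to you. Actions that are in neither version of the administrator role are almost always typos in the custom role definition.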
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role. Each entry gives the action name, its description, and the tab on which it appears.
aewebqueryexecution: This is an internally used permission and is not associated with any functionality. Not displayed in a tab.
ApproverDelegationByAdmin: Permission to view Approver Delegation in the Request left navigation of the Configuration tab. Tab: Configuration
ArchivingRequest: Permission for Archiving Request. Tab: Configuration
CreateMitigationControl: Permission to create a mitigation control in the approver view. Not displayed in a tab.
CreateSAPUser: Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view. Not displayed in a tab.
DeleteApprvDelegatorByAdmin: Permission to delete the approver/delegator pair from the admin view. Tab: Configuration
DeleteRequestAction: Permission to delete requests. Tab: Configuration
DeleteRequestSubmit: Permission to submit delete requests; only available if Deleting Requests is assigned. Tab: Configuration
ManageRejectionsCancelGenerationAction: Permission to cancel the generation of requests for manage rejections for UAR and SOD. Tab: Configuration
ManageRejectionsGenerateAction: Permission to generate requests for manage rejections for UAR and SOD. Tab: Configuration
ManageUARLoadDataTask: Permission to access UAR Load Data Tasks in the Configuration tab. Tab: Configuration
ModifyApproversConfiguration: Permission to modify Approvers Configuration. Tab: Configuration
ModifyAttachmentFolder: Permission to modify the Request Attachment Folder. Tab: Configuration
ModifyAttributeConfiguration: Permission to modify Attribute Configuration. Tab: Configuration
ModifyAuthenticationConfiguration: Permission to modify Authentication Configuration. Tab: Configuration
ModifyBackgroundJobsConfiguration: Permission to modify Background Jobs Configuration. Tab: Configuration
ModifyChangeLogConfiguration: Permission to modify Change Log Configuration. Tab: Configuration
ModifyConfigLDAPMappingAction: Permission to modify LDAP Mapping Configuration. Tab: Configuration
ModifyConnectorsConfiguration: Permission to modify Connectors Configuration. Tab: Configuration
ModifyCustomFieldsConfiguration: Permission to modify Custom Fields Configuration. Tab: Configuration
ModifyEnduserPersonalizationConfiguration: Permission to modify Enduser Personalization Configuration. Tab: Configuration
ModifyHRTriggersConfiguration: Permission to modify HR Triggers Configuration. Tab: Configuration
ModifyInitialSystemDataConfiguration: Permission to modify Initial Data Configuration. Tab: Configuration
ModifyMiscellaneousConfiguration: Permission to modify Miscellaneous Configuration. Tab: Configuration
ModifyMitigationConfiguration: Permission to modify Mitigation Configuration. Tab: Configuration
ModifyNumberRangeConfiguration: Permission to modify Number Range Configuration. Tab: Configuration
ModifyPasswordSelfServiceConfiguration: Permission to modify Password Self Service Configuration. Tab: Configuration
ModifyProvisioningConfiguration: Permission to modify Provisioning Configuration. Tab: Configuration
ModifyReaffirmsConfiguration: Permission to modify Reaffirms Configuration. Tab: Configuration
ModifyRequestConfiguration: Permission to modify Request Configuration. Tab: Configuration
ModifyRiskAnalysisConfiguration: Permission to modify Risk Analysis Configuration. Tab: Configuration
ModifyRolesConfiguration: Permission to modify Roles Configuration. Tab: Configuration
ModifyServiceLevelConfiguration: Permission to modify Service Level Configuration. Tab: Configuration
ModifySupportConfiguration: Permission to modify Support Configuration. Tab: Configuration
ModifyUserDefaultsConfiguration: Permission to modify User Defaults Configuration. Tab: Configuration
ModifyUserSearchDataSourceConfiguration: Permission to modify User Data Source Configuration. Tab: Configuration
ModifyWorkflowConfiguration: Permission to modify Workflow Configuration. Tab: Configuration
SearchChangeLog: Permission to search the change log. Tab: Configuration
ViewAccessEnforcer: Permission to view the Access Enforcer tab. Not displayed in a tab.
ViewApprove: Permission to approve a request in the approver view. Tab: Configuration
ViewApproverDelegation: Permission to define a delegate approver for self. Tab: Configuration
ViewAssignRolesProfiles: Permission to provision roles and profiles in the back-end system from the approver view. Not displayed in a tab.
ViewchangeCADApprover: (no description given)
ViewConfigApplicationLogAction: Permission to view the Application Log in Configuration. Tab: Configuration
ViewConfigSystemLogAction: Permission to view the System Log in Configuration. Tab: Configuration
ViewConfiguration: Permission to view the Configuration tab. Tab: Configuration
ViewCopyRequest: Permission to copy a request from the approver view. Tab: My Work
ViewCreateRequest: Permission to create a request from the approver view. Tab: My Work
ViewDelegationReportAction: Permission to view the Delegation Report. Tab: Informer
ViewForwardRequest: Permission to forward a request from the approver view. Not displayed in a tab.
ViewHold: Permission to put a request on hold in the approver view. Not displayed in a tab.
ViewIfCancelRiskViolationDetails: Permission to view Informer Cancel Risk Violation Details. Tab: Informer
ViewIFChartAccessRequestAction: Permission to view the Informer Reports Access Request Chart View. Tab: Informer
ViewIFChartAccessProvisioningAction: Permission to view the Informer Reports Provisioning Chart View. Tab: Informer
ViewIFChartRiskViolationAction: Permission to view the Informer Reports Risk Violation Chart View. Tab: Informer
ViewIFChartServiceLevelAction: Permission to view the Informer Reports Service Level Chart View. Tab: Informer
ViewIFReportViewAction: Permission to view the Informer Report View. Tab: Informer
ViewIFRequestByStructProfilesAction: Permission to view Informer Request By Structural Profiles. Tab: Informer
ViewIFRequestConflictsMitigationAction: Permission to view Informer Request Conflicts and Mitigations. Tab: Informer
ViewIFRequestRoleOwnerAction: Permission to view Informer Request Role Owner. Tab: Informer
ViewIFRequestServiceLevelAction: Permission to view Informer Service Level. Tab: Configuration
ViewIfRiskViolationDetails: Permission to view Informer Risk Violation Details. Tab: Informer
ViewIFRoleOwnerAction: Permission to view Informer Role Owner. Tab: Informer
ViewInformer: Permission to view the Informer tab. Tab: Informer
ViewManageRejectionReasons: Permission to view manage rejection reasons. Tab: Configuration
ViewManageRejections: Permission to view manage rejections for UAR and SOD. Tab: Configuration
ViewMitigation: Permission to mitigate a risk from the risk analysis screen in the approver view. Tab: Configuration
ViewReaffirms: Permission to reaffirm from the approver view. Tab: My Work
ViewReject: Permission to reject a request in the approver view. Tab: My Work
ViewRemoveAccess: Permission to view the Remove Access button on the SOD Review page. Not displayed in a tab.
ViewRequestsAdministration: Permission for Requests Administration. Tab: Configuration
ViewRequstAuditTrails: Permission to view the request audit trail from the approver view. Not displayed in a tab.
ViewReRoute: Permission to reroute a request from the approver view. Not displayed in a tab.
ViewRiskAnalysis: Permission to perform risk analysis from the approver view. Not displayed in a tab.
ViewSaveRequest: Permission to view the Save Request button on the SOD Review page. Not displayed in a tab.
ViewSearchRequestAll: Permission to search for all requests from the approver view. Not displayed in a tab.
ViewSelectPDProfiles: Permission to select PD Profiles and add them to a request in the approver view. Not displayed in a tab.
ViewSelectRoles: Permission to select roles and add them to a request in the approver view. Not displayed in a tab.
ViewSODReviewHistoryReportAction: Permission to view the SOD Review Informer Report. Tab: Informer
ViewStaleRequests: Permission to enter stale request details in the request view. Not displayed in a tab.
ViewSubmitRequest: Permission to view the Submit Request button on the SOD Review page. Not displ ayed in a tab.
ViewSuperAccess: Permission to view the Super Access button. Not displayed in a tab.
ViewUARReviewHistoryReportAction: Permission to view the UAR Review Informer Report. Tab: Informer
ViewUpgradeAction: Permission for Upgrade Configuration. Tab: Informer
ViewUserReviewStatusReportAction: Permission to view user review status for CUP. Tab: Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role. Each entry gives the action name, its description, and the tab on which it appears.
ApplyToExistingRoles: Permission to view the Apply to Existing Roles button on Methodology Process Update. Tab: Configuration
ManageCache: Permission to manage the cache. Tab: Configuration
ViewApprovalCriteria: Permission to view Approval Criteria. Tab: Configuration
ViewAttachmentToRoleDef: Permission to view the Attach icon in Role Maintenance. Not displayed on a tab.
ViewAuthorizationData: Permission to view authorization data. Not displayed on a tab.
ViewBackgroundJobs: Permission to view Background Jobs. Tab: Configuration
ViewBusinessProcess: Permission to view Business Process. Tab: Configuration
ViewChangeHistory: Permission to view Change History. Tab: Role Management
ViewChangeRole: Permission to view and modify a role. Tab: Role Management
ViewChangeRoleApprovers: Permission to add or update role approvers. Tab: Role Management
ViewCompareRoles: Permission to compare roles. Tab: Role Management
ViewConditionGroups: Permission to view Condition Groups. Tab: Configuration
ViewConfiguration: Permission to view the Configuration tab. Tab: Configuration
ViewConfigurationSettingsImport: Permission to view the Configuration Settings Import-Export screen. Tab: Configuration
ViewCreateRole: Permission to view Create Role. Tab: Role Management
ViewCustomFields: Permission to view Custom Fields. Tab: Configuration
ViewDeleteRole: Permission to delete a role. Not displayed on a tab.
ViewDerivedRoles: Permission to view Derived Roles. Not displayed on a tab.
ViewFunctionalArea: Permission to view Functional Area. Tab: Configuration
ViewGenerateRole: Permission to generate a role. Tab: Configuration
ViewInformer: Permission to view all reports. There are no configurable actions for this tab. Tab: Informer
ViewInitialSystemData: Permission to view Initial System Data. Tab: Role Management
ViewMassMaintenance: Permission to perform Role Mass Maintenance. Tab: Role Management
ViewMassMaintGenerate: Permission to manage Mass Maintenance: Generate. Tab: Role Management
ViewMassMaintRiskAnalysis: Permission to manage Mass Maintenance: Risk Analysis. Tab: Role Management
ViewMassMaintUpdate: Permission to manage Mass Maintenance: Update. Tab: Role Management
ViewMassRoleImport: Permission to view Mass Role Import. Tab: Configuration
ViewMethodology: Permission to view Methodology. Tab: Configuration
ViewMigration: Permission to view RE Migration. Tab: Configuration
ViewMiscellaneousConfiguration: Permission to view Miscellaneous Configuration. Tab: Configuration
ViewMitigateRisks: Permission to mitigate a risk. Not displayed on a tab.
ViewNamingConvention: Permission to view Naming Convention. Tab: Configuration
ViewObjectsByClass: Permission to view and modify the Objects by Class screen. Not displayed on a tab.
ViewObjectsByTransaction: Permission to view the Objects by Transactions screen. Not displayed on a tab.
ViewOpenSQLTest: Permission to view the OpenSQL test screen. Not displayed on a tab.
ViewOrgValueMapping: Permission to view Org Value Mapping. Tab: Configuration
ViewProcessMapping: Permission to view Process Mapping. Tab: Configuration
ViewProjectRelease: Permission to view Project Release. Tab: Configuration
ViewRiskAnalysis: Permission to perform Risk Analysis. Not displayed on a tab.
ViewRoleApproval: Permission to view the Approval button in Role Maintenance. Not displayed on a tab.
ViewRoleDesigner: Permission to view Role Designer. Not displayed on a tab.
ViewRoleExpert: Permission to view the Role Expert tab. Tab: Role Management
ViewRoleLibrary: Permission to view Role Library. Tab: Role Management
ViewRoleLocking: Permission to view Role Locking in the Configuration tab. Tab: Configuration
ViewRoleStatus: Permission to view Role Status in the Configuration tab. Tab: Configuration
ViewRoleUsage: Permission to view the Role Usage Synchronization screen. Tab: Configuration
ViewSearchRoles: Permission to search roles. Tab: Role Management
ViewSubProcess: Permission to view Sub Process. Tab: Configuration
ViewSystemLandscape: Permission to view System Landscape. Tab: Configuration
ViewSystemLogs: Permission to view System Logs. Tab: Configuration
ViewTestResults: Permission to view Test Results. Tab: Configuration
ViewTransactionImport: Permission to view Transaction Import in the Configuration tab. Tab: Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for these roles.
REBusinessUser:
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser:
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator:
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions. Each entry gives the action name, its description, and the tab on which it appears.
ChangeAdmins: Permission to change administrators. Tab: Mitigation
ChangeBP: Permission to change business processes. Tab: Rule Architect
ChangeBUnit: Permission to change a business unit. Tab: Mitigation
ChangeCrActions: Permission to change critical actions. Tab: Rule Architect
ChangeCrProfiles: Permission to change critical profiles. Tab: Rule Architect
ChangeCrRoles: Permission to change critical roles. Tab: Rule Architect
ChangeFunction: Permission to change functions. Tab: Rule Architect
ChangeMitCntl: Permission to change a mitigating control. Tab: Mitigation
ChangeMitHRObject: Permission to change mitigating HR objects. Tab: Mitigation
ChangeMitProfile: Permission to change mitigating profiles. Tab: Mitigation
ChangeMitRole: Permission to change mitigation at role level. Tab: Mitigation
ChangeMitUser: Permission to change mitigating users. Tab: Mitigation
ChangeOrgRules: Permission to change org rules. Tab: Rule Architect
ChangeRisks: Permission to change risks. Tab: Rule Architect
ChangeRuleSet: Permission to change rule sets. Tab: Rule Architect
ChangeSupplementRole: Permission to change supplement role. Tab: Rule Architect
ClearAlert: Permission to clear alerts. Tab: Alert Monitor
CreateAdmins: Permission to create administrators. Tab: Mitigation
CreateBP: Permission to create business processes. Tab: Rule Architect
CreateBUnit: Permission to create a business unit. Tab: Mitigation
CreateCrActions: Permission to create critical actions. Tab: Alert Monitor
CreateCrProfiles: Permission to create critical profiles. Tab: Rule Architect
CreateCrRoles: Permission to create critical roles. Tab: Rule Architect
CreateFunction: Permission to create functions. Tab: Rule Architect
CreateMitCntl: Permission to create a mitigating control. Tab: Mitigation
CreateMitHRObject: Permission to create mitigating HR objects. Tab: Mitigation
CreateMitProfile: Permission to create mitigating profiles. Tab: Mitigation
CreateMitRole: Permission to assign mitigation at role level. Tab: Mitigation
CreateMitUser: Permission to create mitigating users. Tab: Mitigation
CreateOrgRules: Permission to create org rules. Tab: Rule Architect
CreateRisks: Permission to create risks. Tab: Rule Architect
CreateRuleSet: Permission to create rule sets. Tab: Rule Architect
CreateSupplementRule: Permission to create supplement rules. Tab: Rule Architect
DeleteAdmins: Permission to delete administrators. Tab: Mitigation
DeleteAlert: Permission to delete alerts. Tab: Alert Monitor
DeleteBP: Permission to delete business processes. Tab: Rule Architect
DeleteBUnit: Permission to delete a business unit. Tab: Mitigation
DeleteCrActions: Permission to delete critical actions. Tab: Rule Architect
DeleteCrProfiles: Permission to delete critical profiles. Tab: Rule Architect
DeleteCrRoles: Permission to delete critical roles. Tab: Rule Architect
DeleteFunction: Permission to delete functions. Tab: Rule Architect
DeleteMitCntl: Permission to delete a mitigating control. Tab: Mitigation
DeleteMitHRsObject: Permission to delete mitigating HR objects. Tab: Mitigation
DeleteMitProfile: Permission to delete mitigating profiles. Tab: Mitigation
DeleteMitRole: Permission to delete mitigation at role level. Tab: Mitigation
DeleteMitUser: Permission to delete mitigating users. Tab: Mitigation
DeleteOrgRules: Permission to delete org rules. Tab: Rule Architect
DeleteRisks: Permission to delete risks. Tab: Rule Architect
DeleteRuleSet: Permission to delete rule sets. Tab: Rule Architect
DeleteSupplementRule: Permission to delete supplement rules. Tab: Rule Architect
ExportMitigationData: Permission to export mitigation data. Tab: Mitigation
ExportRules: Permission to export rules. Tab: Rule Architect
GenerateAlert: Permission to generate alerts. Tab: Alert Monitor
ImportMitigationData: Permission to import mitigation data. Tab: Mitigation
ImportRules: Permission to import rules. Tab: Rule Architect
MassFuncMaint: Permission for mass maintenance of functions. Tab: Rule Architect
ManageDeletionAllRules: Permission to delete all rules. Tab: Configuration
ManageDeletionSystemRules: Permission to delete systems. Tab: Configuration
RunAuditReports: Permission to run audit reports. Tab: Informer
RunRiskAnalysis: Permission to run risk analysis. Tab: Informer
RunSecurityReports: Permission to run security reports. Tab: Informer
ViewAlertMonitor: Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. Tab: Alert Monitor
ViewBgJobLog: Permission to view the user's own background jobs. Tab: Informer & Configuration
ViewBGJobsforAllUsers: Permission to view background jobs for all users. Tab: Informer & Configuration
ViewConfiguration: Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. Tab: Configuration
ViewInformer: Permission to view the Informer tab. Tab: Informer
ViewMgmtReport: Permission to view management reports. Tab: Informer
ViewMitigation: Permission to view the Mitigation tab. Tab: Mitigation
ViewRuleArchitect: Permission to view the Rule Architect tab. Tab: Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for these roles.
VIRSA_CC_SECURITY_ADMIN:
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT:
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER:
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name: Description (Appears on This Tab)
ConfChangeRoleLogReport: Permission to view the Role-based Configuration Change Log report (Reports)
ConfChangeUserLogReport: Permission to view the User-based Change Log report (Reports)
ConnConfChangeLogReport: Permission to view the Connector Configuration Change Log report (Change Log)
InvaildUserReport: Permission to view the Invalid User report (Reports)
LogSummaryReport: Permission to view the Log Summary report (Reports)
ReasonActivityReport: Permission to view the Reason Activity report (Reports)
SessionSummaryReport: Permission to view the Session Summary report (Reports)
SessionSummaryRoleBasedReport: Permission to view the Session Summary Role-based report (Reports)
SODReport: Permission to view the SOD report (Reports)
TranUsageReport: Permission to view the Transaction Usage report (Reports)
ViewConfigurationTab: There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors (Configuration)
ViewReportsTab: Permission to view reports (Reports)
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
- Relevant for all target groups
Current version:
- On SAP Help Portal at http://help.sap.com > Glossary
- In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
- Consultants
- System administrators
- Project teams for implementations or upgrades
Current version:
- On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for implementations
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group:
- Technology consultants
- Solution consultants
- Project teams for implementations
Current version:
- In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
- Solution consultants
- Project teams for implementations or upgrades
Current version:
- In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group:
- System administrators
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
- System administrators
- Technology consultants
- Solution consultants
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
- Technology consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
- Consultants
- Project teams for upgrades
Current version:
- On SAP Service Marketplace at http://service.sap.com/releasenotes
- In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example: Description
<Example>: Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example “Enter your <User Name>”.
Example > Example: Arrows separating the parts of a navigation path, for example menu options.
Example: Emphasized words or expressions.
Example: Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com: Textual cross-references to an internet address.
/example: Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456: Hyperlink to an SAP Note, for example SAP Note 123456.
Example: Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options.
Cross-references to other documentation or published works.
Example: Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE: Keys on the keyboard.
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides
Object: Authorization Field: Values
S_RFC: ACTVT: 16; RFC_NAME: SYST; RFC_TYPE: FUGR
S_TCODE: TCD: /VIRSA/VFAT
For SP07 and after, you must add these additional authorizations:
Object: Authorization Field: Values
S_USER_GRP: ACTVT: 02, 03, 05; Group: [FFIDs User Group]
NOTE
If the FFIDs are not in a unique User Group, we recommend you assign them to a group. If it is not possible to change or assign a user group to the Firefighter IDs, then a value of can be assigned to CLASS.
We recommend you do not grant access to transaction SU01 for any users with this access.
In case of CUA systems:
1. If a user ID is used for the CUA RFC connection, it should also have the above authorizations.
2. If the CUA RFC connection is based on a trusted connection, then the Firefighter should also have an ID in the CUA system with the above.
/VIRSA/Z_FAT_ID_OWNER
The following table lists the objects, values and authorizations for VFAT_ID_OWNER.
Object: Authorization Field: Values
S_TCODE: TCD: /VIRSA/VFAT, /VIRSA/ZVFAT_U02, /VIRSA/ZVFAT_U03, /VIRSA/ZFAT_U04, /VIRSA/ZVFAT_U06, /VIRSA/ZVFAT_V01
S_BTCH_JOB: JOBACTION: RELE; JOBGROUP
S_TABU_DIS: ACTVT: 02, 03; DICBERCLS: ZV&X, ZV&Y
S_PROGRAM: P_ACTION: SUBMIT, BTCSUBMIT; P_GROUP: ZVFAT
GRCFF_0001: ACTVT: 02, 03, 81
52 Delivered RAR Back End Roles
The following RAR back end roles are provided for backward compatibility with Compliance Calibrator 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
- /VIRSA/Z_CC_ADMINISTRATOR
- /VIRSA/Z_CC_BUSINESS_OWNER
- /VIRSA/Z_CC_REPORTING
- /VIRSA/Z_CC_SECURITY_ADMIN
- /VIRSA/Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on SAP Help Portal at http://help.sap.com.
53 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via the Enterprise Portal. For security purposes, we recommend you lock access to the following back end roles:
- /VIRSA/Z_VRMT_ADMINISTRATOR
- /VIRSA/Z_VRMT_ROLE_OWNER
- /VIRSA/Z_VRMT_SECURITY
- /VIRSA/Z_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help Portal at http://help.sap.com.
54 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector with a user ID, a password and an RFC authorization. Access Control delivers one default role for each capability. You can use the default roles to connect to the back-end system:
- /VIRSA/AE_DEFAULT_ROLE (for Compliant User Provisioning)
- /VIRSA/CC_DEFAULT_ROLE (for Risk Analysis and Remediation)
- /VIRSA/FF_DEFAULT_ROLE (for Superuser Privilege Management)
- /VIRSA/RE_DEFAULT_ROLE (for Enterprise Role Management)
55 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions and authorization values in the tables that follow.
551 RFC Authorization Roles for CUP
The Compliant User Provisioning RFC connector role requires the following objects and values.
Object (Definition): Authorization Field: Values
S_RFC (Authorization check for RFC access):
  ACTVT: 16
  RFC_NAME: /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start):
  TCD: SU01
S_TABU_DIS (Table maintenance):
  ACTVT: 03
  DICBERCLS: &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (Authorizations: role check):
  ACTVT
  ACT_GROUP
S_USER_AUT (User Master Maintenance: Authorizations):
  ACTVT: 03, 08
  AUTH
  OBJECT
S_USER_GRP (User Master Maintenance: User Groups):
  ACTVT: 01, 02, 03, 05, 06, 08, 24, 78
  CLASS
S_USER_PRO (User Master Maintenance: Authorization Profile):
  ACTVT: 03, 08
  PROFILE
S_USER_SAS (S_USER_SAS):
  ACTVT: 01, 06, 22
  ACT_GROUP
  CLASS
  PROFILE
  SUBSYSTEM
S_USER_SYS (User Master Maintenance: System for Central User Maintenance):
  ACTVT: 78
  SUBSYSTEM
S_ADDRESS1 (Central address management):
  ACTVT: 01, 02, 03, 06
  ADGRP: BC01
GRCCC_0001 (Table maintenance):
  /VIRSA/ATN: MREF
PLOG (Personnel planning):
  INFOTYP: 1001
  ISTAT: 1
  OTYPE
  PLVAR
  PPFCODE: DEL, DISP, INSE, LIST
  SUBTYP
P_TCODE (HR: Transaction code):
  TCD: SU01
552 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object (Definition): Authorization Field: Values
S_RFC (Authorization check for RFC access):
  ACTVT: 16
  RFC_NAME: /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start):
  TCD: /VIRSA/RE_DNLDROLES
S_USER_AGR (Authorizations: role check):
  ACTVT
  ACT_GROUP
S_USER_AUT (User Master Maintenance: Authorizations):
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User Master Maintenance: user groups):
  ACTVT
  CLASS
S_USER_PRO (User Master Maintenance: authorization profile):
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles):
  TCD
S_USER_VAL (Authorizations: field values in roles):
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench):
  ACTVT
  DEVCLASS: /VIRSA/, SUSO
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning):
  INFOTYP: 1000, 1001
  ISTAT
  OTYPE
  PLVAR
  PPFCODE
  SUBTYP
553 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object (Definition): Authorization Field: Values
S_RFC (Authorization check for RFC access):
  ACTVT: 16
  RFC_NAME: /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Transaction code check at transaction start):
  TCD: /VIRSA/RE_DNLDROLES
S_GUI (Authorization for GUI activities):
  ACTVT
S_USER_AGR (Authorizations: role check):
  ACTVT
  ACT_GROUP
S_USER_AUT (User master maintenance: authorizations):
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User master maintenance: user groups):
  ACTVT
  CLASS
S_USER_PRO (User master maintenance: authorization profile):
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles):
  TCD: =
S_USER_VAL (Authorizations: field values in roles):
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench):
  ACTVT: MA
  DEVCLASS: /VIRSA/, SUSO
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning):
  INFOTYP: 1000, 1001
  ISTAT: A, C, O, P, S, T, TS, US, WF, WS
  PLVAR
  PPFCODE
  SUBTYP
554 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object (Definition): Authorization Field: Values
S_RFC (Authorization check for RFC access):
  ACTVT: 16
  RFC_NAME: /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_DEVELOP (ABAP Workbench):
  ACTVT: 16
  DEVCLASS: /VIRSA/
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
GRCFF_0001 (User authorizations):
  ACTVT
GRCFF_0002 (Role authorizations):
  /VIRSA/FAT
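A worked check for the custom RFC roles this section describes, added here as an example; it is not code from the guide or from SAP. The script encodes the S_RFC, S_TCODE and PLOG values of the ERM connector table (section 552) as a reference and compares a role's authorization entries against it, reporting required values that are missing, wildcard or range entries that grant more than the listed values, single values outside the reference, and authorization objects the reference does not cover. The export format (one OBJECT FIELD LOW [HIGH] entry per line, modelled on the columns of table AGR_1251) and the sample export are constructed for this example; the /VIRSA/ namespace slashes are restored where the extraction dropped them, and fields whose values the guide does not print (the S_USER_* objects, S_DEVELOP) are left out of the reference, so a real check would extend it from the role's own table.

```python
"""Compare a custom RFC connector role against the ERM reference values (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Reference (object, field) -> required values, transcribed from the ERM table in 552.
# Only fields with concrete printed values are included; /VIRSA/ slashes are restored.
ERM_REFERENCE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {
        "/VIRSA/RE", "/VIRSA/REORG", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME",
        "SDTX", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU",
    },
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_TCODE", "TCD"): {"/VIRSA/RE_DNLDROLES"},
    ("PLOG", "INFOTYP"): {"1000", "1001"},
}

# Constructed sample export (not from a real system): OBJECT FIELD LOW [HIGH] per line.
SAMPLE_EXPORT = """
S_RFC      ACTVT      16
S_RFC      RFC_NAME   /VIRSA/*        # generic value instead of the two listed groups
S_RFC      RFC_NAME   BAPT
S_RFC      RFC_NAME   RFC1
S_RFC      RFC_NAME   SDIF
S_RFC      RFC_NAME   SDIFRUNTIME
S_RFC      RFC_NAME   SDTX
S_RFC      RFC_NAME   SUSR
S_RFC      RFC_NAME   SUUS
S_RFC      RFC_NAME   SU_USER
S_RFC      RFC_NAME   SYST
S_RFC      RFC_TYPE   FUGR
S_TCODE    TCD        /VIRSA/RE_DNLDROLES
S_TCODE    TCD        SU01            # user maintenance, not in the ERM reference
PLOG       INFOTYP    1000
PLOG       INFOTYP    1001
S_TABU_DIS DICBERCLS  *               # object the ERM table does not list at all
"""


@dataclass(frozen=True)
class AuthValue:
    """One authorization value: a single value, a trailing-* pattern, or a LOW-HIGH range."""
    low: str
    high: str = ""

    def covers(self, value: str) -> bool:
        if self.high:                      # range: LOW <= value <= HIGH (string order)
            return self.low <= value <= self.high
        if self.low == "*":                # full wildcard
            return True
        if self.low.endswith("*"):         # generic value: prefix match
            return value.startswith(self.low[:-1])
        return value == self.low

    def is_broad(self) -> bool:
        """Wildcards and ranges may grant more than one concrete value."""
        return bool(self.high) or self.low.endswith("*")


def parse_role_export(text: str) -> dict:
    """Parse 'OBJECT FIELD LOW [HIGH]' lines into {(object, field): [AuthValue, ...]}."""
    auths = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"malformed export line: {raw!r}")
        obj, fld, low = parts[:3]
        high = parts[3] if len(parts) == 4 else ""
        auths[(obj, fld)].append(AuthValue(low, high))
    return dict(auths)


def check_role(auths: dict, reference: dict) -> dict:
    """Report missing required values, broad entries, excess values and unknown objects."""
    missing, broad, excess = {}, [], []
    for key, required in reference.items():
        have = auths.get(key, [])
        gap = sorted(v for v in required if not any(a.covers(v) for a in have))
        if gap:
            missing[key] = gap
        for a in have:
            if a.is_broad():
                broad.append((key[0], key[1], a.low, a.high))
            elif a.low not in required:
                excess.append((key[0], key[1], a.low))
    unknown = sorted(k for k in auths if k not in reference)
    return {"missing": missing, "broad": broad, "excess": excess, "unknown": unknown}


def report(text: str = SAMPLE_EXPORT, reference: dict = ERM_REFERENCE) -> dict:
    return check_role(parse_role_export(text), reference)


if __name__ == "__main__":
    for kind, findings in report().items():
        print(f"{kind}: {findings}")
```

Run against the sample, the check reports SYSU as the one missing function group, the /VIRSA/* entry as broader than the two groups the table lists, SU01 as a transaction outside the reference, and S_TABU_DIS as an object the ERM table does not require; each finding is a review item for the role, not an automatic verdict, since the guide leaves some field values unprinted.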
6 Delivered Front End Roles and Permissions
Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
61 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions and actions. To propagate the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, you must import the roles again.
- If you are using custom roles, you must manually update your roles with the new permissions and actions.
62 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
621 Delivered Front End Roles and Permissions for CUP
Compliant User Provisioning includes the following delivered roles:
- AEADMIN
- AESecurity
- AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role.
Action Name: Description (Appears on This Tab)
aewebqueryexecution: This is an internally used permission and is not associated with any functionality (Not displayed in a tab)
ApproverDelegationByAdmin: Permission to view Approver Delegation in Request left navigation in Configuration tab (Configuration)
ArchivingRequest: Permission for Archiving Request (Configuration)
CreateMitigationControl: Permission to create mitigation control in approver view (Not displayed in a tab)
CreateSAPUser: Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view (Not displayed in a tab)
DeleteApprvDelegatorByAdmin: Permission to delete the approver delegator pair from admin view (Configuration)
DeleteRequestAction: Permission to delete requests (Configuration)
DeleteRequestSubmit: Permission to submit delete requests, which is only available if Deleting Requests is assigned (Configuration)
ManageRejectionsCancelGenerationAction: Permission to cancel generate requests for manage rejections for UAR and SOD (Configuration)
ManageRejectionsGenerateAction: Permission to generate requests for manage rejections for UAR and SOD (Configuration)
ManageUARLoadDataTask: Permission to access UAR Load Data Tasks in Config tab (Configuration)
ModifyApproversConfiguration: Permission to modify Approvers Configuration (Configuration)
ModifyAttachmentFolder: Permission for modifying Request Attachment Folder (Configuration)
ModifyAttributeConfiguration: Permission for modifying Attribute Configuration (Configuration)
ModifyAuthenticationConfiguration: Permission to modify Authentication Configuration (Configuration)
ModifyBackgroundJobsConfiguration: Permission to modify Background Jobs Configuration (Configuration)
ModifyChangeLogConfiguration: Permission to modify Change Log Configuration (Configuration)
ModifyConfigLDAPMappingAction: Permission for modifying LDAP Mapping Configuration (Configuration)
ModifyConnectorsConfiguration: Permission to modify Connectors Configuration (Configuration)
ModifyCustomFieldsConfiguration: Permission to modify Custom Fields Configuration (Configuration)
ModifyEnduserPersonalizationConfiguration: Permission to modify Enduser Personalization Configuration (Configuration)
ModifyHRTriggersConfiguration: Permission to modify HR Triggers Configuration (Configuration)
ModifyInitialSystemDataConfiguration: Permission to modify Initial Data Configuration (Configuration)
ModifyMiscellaneousConfiguration: Permission to modify Miscellaneous Configuration (Configuration)
ModifyMitigationConfiguration: Permission to modify Mitigation Configuration (Configuration)
ModifyNumberRangeConfiguration: Permission to modify Number Range Configuration (Configuration)
ModifyPasswordSelfServiceConfiguration: Permission to modify Password Self Service Configuration (Configuration)
ModifyProvisioningConfiguration: Permission to modify Provisioning Configuration (Configuration)
ModifyReaffirmsConfiguration: Permission to modify Reaffirms Configuration (Configuration)
ModifyRequestConfiguration: Permission to modify Request Configuration (Configuration)
ModifyRiskAnalysisConfiguration: Permission to modify Risk Analysis Configuration (Configuration)
ModifyRolesConfiguration: Permission to modify Roles Configuration (Configuration)
ModifyServiceLevelConfiguration: Permission to modify Service Level Configuration (Configuration)
ModifySupportConfiguration: Permission to modify Support Configuration (Configuration)
ModifyUserDefaultsConfiguration: Permission to modify User Defaults Configuration (Configuration)
ModifyUserSearchDataSourceConfiguration: Permission to modify User Data Source Configuration (Configuration)
ModifyWorkflowConfiguration: Permission to modify Workflow Configuration (Configuration)
SearchChangeLog: Permission to search change log (Configuration)
ViewAccessEnforcer: Permission to view Access Enforcer Tab (Not displayed in a tab)
ViewApprove: Permission to approve request in the approver view (Configuration)
ViewApproverDelegation: Permission to define delegate approver for self (Configuration)
ViewAssignRolesProfiles: Permission to provision roles and profiles in the back-end system from the approver view (Not displayed in a tab)
ViewchangeCADApprover: (no description given)
ViewConfigApplicationLogAction: Permission to view the Application Log in Configuration (Configuration)
ViewConfigSystemLogAction: Permission to view System Log in Configuration (Configuration)
ViewConfiguration: Permission to view Configuration Tab (Configuration)
ViewCopyRequest: Permission to copy request from approver view (My Work)
ViewCreateRequest: Permission to create request from approver view (My Work)
ViewDelegationReportAction: Permission to view Delegation Report (Informer)
ViewForwardRequest: Permission to forward request from the approver view (Not displayed in a tab)
ViewHold: Permission to put request on hold in the approver view (Not displayed in a tab)
ViewIfCancelRiskViolationDetails: Permission to view Informer Cancel Risk Violation Details (Informer)
ViewIFChartAccessRequestAction: Permission to view Informer Reports Access Request Chart View (Informer)
ViewIFChartAccessProvisioningAction: Permission to view Informer Reports Provisioning Chart View (Informer)
ViewIFChartRiskViolationAction: Permission to view Informer Reports Risk Violation Chart View (Informer)
ViewIFChartServiceLevelAction: Permission to view Informer Reports Service Level Chart View (Informer)
ViewIFReportViewAction: Permission to view Informer Report View (Informer)
ViewIFRequestByStructProfilesAction: Permission for viewing Informer Request By Structural Profiles (Informer)
ViewIFRequestConflictsMitigationAction: Permission for viewing Informer Request Conflicts and Mitigations (Informer)
ViewIFRequestRoleOwnerAction: Permission for viewing Informer Request Role Owner (Informer)
ViewIFRequestServiceLevelAction: Permission to view Informer Service Level (Configuration)
ViewIfRiskViolationDetails: Permission for viewing Informer Risk Violation Details (Informer)
ViewIFRoleOwnerAction: Permission for viewing Informer Role Owner (Informer)
ViewInformer: Permission to view Informer Tab (Informer)
ViewManageRejectionReasons: Permission to view manage rejection reasons (Configuration)
ViewManageRejections: Permission to view manage rejections for UAR and SOD (Configuration)
ViewMitigation: Permission to mitigate a risk from risk analysis screen in the approver view (Configuration)
ViewReaffirms: Permission to reaffirm from approver view (My Work)
ViewReject: Permission to reject request in the approver view (My Work)
ViewRemoveAccess: Permission for viewing Remove Access Button on SOD Review page (Not displayed in a tab)
ViewRequestsAdministration: Permission for Requests Administration (Configuration)
ViewRequstAuditTrails: Permission to view request audit trail from the approver view (Not displayed in a tab)
ViewReRoute: Permission to reroute request from the approver view (Not displayed in a tab)
ViewRiskAnalysis: Permission to perform risk analysis from the approver view (Not displayed in a tab)
ViewSaveRequest: Permission for viewing Save Request Button on SOD Review page (Not displayed in a tab)
ViewSearchRequestAll: Permission to search for all requests from approver view (Not displayed in a tab)
ViewSelectPDProfiles: Permission to select PD Profiles and add to request in the approver view (Not displayed in a tab)
ViewSelectRoles: Permission to select roles and add to the request in the approver view (Not displayed in a tab)
ViewSODReviewHistoryReportAction: Permission for viewing SOD Review Informer Report (Informer)
ViewStaleRequests: Permission to enter stale request details in the request view (Not displayed in a tab)
ViewSubmitRequest: Permission for viewing Submit Request Button on SOD Review page (Not displayed in a tab)
ViewSuperAccess: Permission to view Super Access Button (Not displayed in a tab)
ViewUARReviewHistoryReportAction: Permission for viewing UAR Review Informer Report (Informer)
ViewUpgradeAction: Permission for Upgrade Configuration (Informer)
ViewUserReviewStatusReportAction: Permission to view user review status for CUP (Configuration)
AESecurity and AEApprover
The following are actions for the AESecurity and AEApprover delivered roles.
AESecurity:
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover:
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
622 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
- READMIN
- REBusinessUser
- RERoleDesigner
- RESecurity
- RESuperUser
- REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name Value Appears on this Tab
ApplyToExistingRoles Permission to view Apply to Existing Roles button on Methodology Process Update
Configuration
ManageCache Permission to manage cache Configuration
ViewApprovalCriteria Permission to view Approval Criteria Configuration
ViewAttachmentTo RoleDef Permission to view Attach Icon in Role Maintenance
(Not displayed on a tab)
ViewAuthorizationData Permission to view Authorization data (Not displayed on a tab)
ViewBackgrounJobs Permission to view Background Jobs Configuration
ViewBusinessProcess Permission to view Business Process Configuration
ViewChangeHistory Permission to view Change History Role Management
ViewChangeRole Permission to view modify Role Role Management
ViewChangeRoleApprovers Permission to add or update role approvers Role Management
ViewCompareRoles Permission to compare Roles Role Management
ViewConditionGroups Permission to view Condition Groups Configuration
ViewConfiguration Permission to view Configuration Tab Configuration
ViewConfigurationSettingsImport Permission to view Configuration Settings Import-Export Screen Configuration
ViewCreateRole Permission to view Create Role Role Management
ViewCustomFields Permission to view Custom Fields Configuration
ViewDeleteRole Permission to delete Role (Not displayed on a tab)
ViewDerivedRoles Permission to view Derived Roles (Not displayed on a tab)
ViewFunctionalArea Permission to view Functional Area Configuration
ViewGenerateRole Permission to Generate Role Configuration
ViewInformer Permission to view all reports. There are no configurable actions for this tab. Informer
ViewInitialSystemData Permission to view Initial System data Role Management
ViewMassMaintenance Permission to perform Role Mass Maintenance Role Management
ViewMassMaintGenerate Permission to Manage Mass Maintenance - Generate Role Management
ViewMassMaintRiskAnalysis Permission to Manage Mass Maintenance - Risk Analysis Role Management
ViewMassMaintUpdate Permission to Manage Mass Maintenance - Update Role Management
ViewMassRoleImport Permission to view Mass Role Import Configuration
ViewMethodology Permission to view Methodology Configuration
ViewMigration Permission to view RE Migration Configuration
ViewMiscellaneousConfiguration Permission to Miscellaneous Configuration Configuration
ViewMitigateRisks Permission to Mitigate Risk (Not displayed on a tab)
ViewNamingConvention Permission to view Naming Convention Configuration
ViewObjectsByClass Permission to view and modify Objects by Class screen (Not displayed on a tab)
ViewObjectsByTransaction Permission to view Objects by Transactions screen (Not displayed on a tab)
ViewOpenSQLTest Permission to view OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view Approval Button in Role Maintenance (Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view Role Expert Tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in Configuration Tab Configuration
ViewRoleStatus Permission to view Role Status in Configuration Tab Configuration
ViewRoleUsage Permission to view Role Usage Synchronization Screen Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view TransactionImport in Configuration Tab Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for each of these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The
VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these
permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
ClearAlert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to create a business unit Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementlRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
ExportRules Permission to export rules Rule Architect
GenerateAlert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. Alert Monitor
ViewBgJobLog Permission to view users own background jobs Informer & Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer & Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required
actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view Connector Configuration Change Log Report Change Log
InvalidUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary Report Reports
ReasonActivityReport Permission to view the Reason Activity Report Reports
SessionSummaryReport Permission to view the Session Summary Report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD Report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com, Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels. A collective security guide is available for SAP NetWeaver. This document contains
general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable
units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution, and follow-up of an implementation. It also provides references to other documents, such
as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into
account the combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business scenarios, business processes, and
implementable steps. It contains Customizing activities, transactions, and so on, as well as
documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The
Customizing activities and their documentation are structured from a functional perspective. (In order
to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager,
which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring,
backup, restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of
an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the
combinations of operating systems and databases. It does not describe any business-related
configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release. Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example → Example Arrows separating the parts of a navigation path, for example menu options.
Example Emphasized words or expressions.
Example Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com Textual cross-references to an internet address.
/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456 Hyperlink to an SAP Note, for example SAP Note 123456.
Example Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Cross-references to other documentation or published works.
Example Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE Keys on the keyboard.
SAP AG, Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 1805 34 34 34, F +49 1805 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the US and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following address: http://service.sap.com/securityguide and http://service.sap.com/instguides
via the Enterprise Portal. For security purposes, we recommend you lock access to the following back
end roles:
VIRSAZ_CC_ADMINISTRATOR
VIRSAZ_CC_BUSINESS_OWNER
VIRSASZ_CC_REPORTING
VIRSSAZ_CC_SECURITY_ADMIN
VIRSA_Z_CC_USER_ADMIN
More Information
For more information about these delivered roles, see the Compliance Calibrator documentation on
SAP Help Portal at http://help.sap.com.
5.3 Delivered ERM Back End Roles
The following ERM back end roles are provided for backward compatibility with Role Expert 4.0. For
Access Control 5.3 installations, the front-end roles replace these back end roles and are accessed via
the Enterprise Portal. For security purposes, we recommend you lock access to the following back end
roles:
VIRSAZ_VRMT_ADMINISTRATOR
VIRSAZ_VRMT_ROLE_OWNER
VIRSAZ_VRMT_SECURITY
VIRSAZ_VRMT_USER
More Information
For more information about these delivered roles, see the Role Expert documentation on SAP Help
Portal at http://help.sap.com.
5.4 Delivered RFC Back-end Roles and Authorizations
Each capability uses a connector to connect to the back-end system. You must associate each connector
with a user ID, a password, and an RFC authorization. Access Control delivers one default role for each
capability. You can use the default roles to connect to the back-end system:
VIRSAAE_DEFAULT_ROLE (for Compliant User Provisioning)
VIRSACC_DEFAULT_ROLE (for Risk Analysis and Remediation)
VIRSAFF_DEFAULT_ROLE (for Superuser Privilege Management)
VIRSARE_DEFAULT_ROLE (for Enterprise Role Management)
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions,
and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliance User Provisioning RFC connector role requires the following objects and values:
Object Definition Authorization Field Values
S_RFC Authorization check for RFC Access
ACTVT 16
RFC_NAME VIRSAAEAHHR VIRSAAEAHNH VIRSAAECO VIRSAAECUHR VIRSAAECUNH VIRSAAEFF VIRSAAEHTHR VIRSAAEPRHR VIRSAAEPRNH VIRSAAEPVHR VIRSAAEPVHR1 VIRSAAEPVNH VIRSAAEPVNH1 VIRSAAERE VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZAE01 VIRSAZAE01NH VIRSAZAE02 VIRSAZAECC VIRSAZAECCNH VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Authorization check at transaction start
TCD SU01
S_TABU_DIS Table maintenance ACTVT 03
DICBERCLS &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR Authorizations role check ACTVT
ACT_GROUP
S_USER_AUT User Master Maintenance Authorizations
ACTVT 03 08
AUTH
OBJECT
S_USER_GRP User Master Maintenance User Groups
ACTVT 01 02 03 05 06 08 24 78
CLASS
S_USER_PRO User Master Maintenance Authorization Profile
ACTVT 03 08
PROFILE
S_USER_SAS User Master Maintenance System-specific Assignments ACTVT 01 06 22
ACT_GROUP
CLASS
PROFILE
SUBSYSTEM
S_USER_SYS User Master Maintenance System for Central User Maintenance
ACTVT 78
SUBSYSTEM
S_ADDRESS1 Central address management ACTVT 01 02 03 06
ADGRP BC01
GRCCC_0001 Table maintenance VIRSAATN MREF
PLOG Personnel planning INFOTYP 1001
ISTAT 1
OTYPE
PLVAR
PPFCODE DEL DISP INSE LIST
SUBTYP
P_TCODE HR Transaction code TCD SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values:
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSARE VIRSAREORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Authorization check at transaction start
TCD VIRSARE_DNLDROLES
S_USER_AGR Authorizations role check ACTVT ACT_GROUP
S_USER_AUT User Master Maintenance Authorizations
ACTVT AUTH OBJECT
S_USER_GRP User Master Maintenance user groups
ACTVT CLASS
S_USER_PRO User Master Maintenance authorization profile
ACTVT PROFILE
S_USER_TCD Authorizations transactions in roles
TCD
S_USER_VAL Authorizations field values in roles
AUTH_FIELD AUTH_VALUE OBJECT
S_DEVELOP ABAP Workbench ACTVT
DEVCLASS VIRSA SUSO
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
PLOG Personnel planning INFOTYP 1000 1001
ISTAT
OTYPE
PLVAR
PPFCODE
SUBTYPE
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values:
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Transaction code check at transaction start
TCD VIRSARE_DNLDROLES
S_GUI Authorization for GUI activities
ACTVT
S_USER_AGR Authorizations role check ACTVT
ACT_GROUP
S_USER_AUT User master maintenance authorizations
ACTVT
AUTH
OBJECT
S_USER_GRP User master maintenance user groups
ACTVT
CLASS
S_USER_PRO User master maintenance authorization profile
ACTVT
PROFILE
S_USER_TCD Authorizations transactions in roles
TCD =
S_USER_VAL Authorizations field values in roles
AUTH_FIELD
AUTH_VALUE
OBJECT
S_DEVELOP ABAP Workbench ACTVT MA
DEVCLASS VIRSA SUSO
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
PLOG Personnel planning INFOTYPE 1000 1001
ISTAT A C O P S T TS US WF WS
PLVAR
PPFCODE
SUBTYP
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values:
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSAFF_UTIL_RPT VIRSAZVFAT BAPT RFC1 SDIF SDTX SDIFRUNTIME SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_DEVELOP ABAP Workbench ACTVT 16
DEVCLASS VIRSA
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
GRCFF_0001 User authorizations ACTVT
5 Delivered Back End Roles
55 Creating Custom RFC Roles
2852 PUBLIC 2011-12-27
Object Definition Authorization Field Values
GRCFF_0002 Role authorizations VIRSAFAT
5 Delivered Back End Roles
55 Creating Custom RFC Roles
2011-12-27 PUBLIC 2952
This page is left blank for documents that are printed on both sides
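The following Python check is an added example; it is not part of this guide or of the SAP product. It compares the S_RFC values of a custom connector role, entered as (object, field, value) tuples the way they are read off PFCG, with the ACTVT, RFC_TYPE and RFC_NAME values required in sections 5.5.3 (RAR) and 5.5.4 (SPM), flags wildcard values, and reports required values the role does not cover and exact values the guide does not ask for. The sample role is constructed; SAP from/to value ranges are not modelled (the helper assumes single values and trailing-* patterns only).

```python
"""Least-privilege check for a custom Access Control RFC connector role.

Added example, not part of the SAP guide. Compares the S_RFC values of a
custom role with the values required in sections 5.5.3 (RAR) and 5.5.4 (SPM).
Input is a list of (object, field, value) tuples as read off PFCG; the sample
role below is constructed. From/to value ranges are not modelled
(assumption: the role uses single values and trailing-* patterns only).
"""
from typing import Dict, Iterable, List, Tuple

COMMON_FUGR = {"BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX", "SUSR",
               "SUUS", "SU_USER", "SYST", "SYSU"}
RAR_RFC_NAMES = frozenset(COMMON_FUGR | {
    "/VIRSA/ALRT", "/VIRSA/ERM", "/VIRSA/MGMT", "/VIRSA/PFCG", "/VIRSA/VRAT",
    "/VIRSA/ZCC01", "/VIRSA/ZCC02", "/VIRSA/ZCC03", "/VIRSA/ZCC04", "/VIRSA/ZCC05",
    "/VIRSA/ZCCHR", "/VIRSA/ZMIC", "/VIRSA/ZMICTAB", "/VIRSA/ZRBHR", "/VIRSA/ZVIR",
    "/VIRSA/ZVIRHR", "/VIRSA/ZVIRMIT", "/VIRSA/ZVR1", "/VIRSA/ZVR2", "/VIRSA/ZVR3",
    "/VIRSA/ZVR4", "/VIRSA/ZVR5", "/VIRSA/ZVR6", "/VIRSA/ZWEB", "/VIRSA/ZWKFL",
})
SPM_RFC_NAMES = frozenset(COMMON_FUGR | {"/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT"})

# Required S_RFC values per connector (sections 5.5.3 and 5.5.4).
REQUIRED_S_RFC: Dict[str, Dict[str, frozenset]] = {
    "RAR": {"ACTVT": frozenset({"16"}), "RFC_TYPE": frozenset({"FUGR"}), "RFC_NAME": RAR_RFC_NAMES},
    "SPM": {"ACTVT": frozenset({"16"}), "RFC_TYPE": frozenset({"FUGR"}), "RFC_NAME": SPM_RFC_NAMES},
}

Entry = Tuple[str, str, str]  # (authorization object, field, value)
Finding = Tuple[str, str]     # (field, value)


def sap_value_matches(granted: str, wanted: str) -> bool:
    """SAP authorization value semantics: '*' alone matches everything, a
    trailing '*' matches any suffix, anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def check_s_rfc(entries: Iterable[Entry], connector: str) -> Dict[str, List[Finding]]:
    """Report wildcards (over-broad values), missing (required values not
    covered by any granted value) and excess (exact values the guide does
    not ask for) in the role's S_RFC authorizations for the given connector."""
    required = REQUIRED_S_RFC[connector]
    granted: Dict[str, set] = {field: set() for field in required}
    for obj, field, value in entries:
        if obj == "S_RFC" and field in granted:
            granted[field].add(value)

    report: Dict[str, List[Finding]] = {"wildcards": [], "missing": [], "excess": []}
    for field, wanted_values in required.items():
        for value in sorted(granted[field]):
            if "*" in value:
                report["wildcards"].append((field, value))
            elif value not in wanted_values:
                report["excess"].append((field, value))
        for wanted in sorted(wanted_values):
            if not any(sap_value_matches(g, wanted) for g in granted[field]):
                report["missing"].append((field, wanted))
    return report


def is_least_privilege(report: Dict[str, List[Finding]]) -> bool:
    """True when the role covers every required value without wildcards or extras."""
    return not (report["wildcards"] or report["missing"] or report["excess"])


# Constructed sample: a custom SPM connector role as it might come out of PFCG.
SAMPLE_SPM_ROLE: List[Entry] = [
    ("S_RFC", "ACTVT", "16"),
    ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_RFC", "RFC_NAME", "/VIRSA/*"),   # over-broad: every /VIRSA/ function group
    ("S_RFC", "RFC_NAME", "RSRD"),       # not required by the guide
    ("S_DEVELOP", "ACTVT", "16"),
] + [("S_RFC", "RFC_NAME", name) for name in sorted(COMMON_FUGR)]

if __name__ == "__main__":
    for connector in ("SPM", "RAR"):
        result = check_s_rfc(SAMPLE_SPM_ROLE, connector)
        print(connector, "least privilege:", is_least_privilege(result), result)
```

Run against the constructed SPM role, the check reports no missing value for SPM, but also no missing value for RAR: the single `/VIRSA/*` entry covers every Access Control function group, which is exactly why it is flagged as a wildcard. Replacing it with the two SPM function groups makes the role pass for SPM and fail for RAR, which is the separation a per-connector role is meant to give.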
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure their permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, install the support package and then do the following:
If you are using the delivered roles, import the roles again.
If you are using custom roles, update your roles manually with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations; all other roles contain a subset of them. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEAdmin
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEAdmin role includes all actions; the other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | Internally used permission; not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete an approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is also assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generated requests for Manage Rejections (UAR and SOD) | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections (UAR and SOD) | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify End User Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial System Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | Configuration
ViewApprove | Permission to approve a request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define a delegate approver for oneself | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | Permission to change the CAD approver | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrail | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view the user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles. AESecurity additionally carries the two back-end provisioning actions CreateSAPUser and ViewAssignRolesProfiles; AEApprover instead carries SeeSU01Fields and ViewSuperAccess.

AESecurity:
  CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction,
  ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation,
  ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold,
  ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject,
  ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis,
  ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles,
  ViewSubmitRequest, ViewUserReviewStatusReportAction

AEApprover:
  CreateMitigationControl, ManageRejectionsCancelGenerationAction,
  ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove,
  ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold,
  ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject,
  ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis,
  ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles,
  ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
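The following Python helper is an added example; it is not part of this guide or of NetWeaver UME. It holds the AESecurity and AEApprover action sets listed above, compares a custom CUP role with the closest delivered role and says for every extra action whether a non-admin delivered role carries it or the guide lists it only for AEAdmin (sections 6.2 and 6.2.1), and computes what a support package changed in a delivered role so that a custom role can be updated by hand (section 6.1). The custom role ZAE_HELPDESK and the before/after support package sets are constructed for the example.

```python
"""Compare a custom CUP (Compliance User Provisioning) UME role with the
delivered roles.

Added example, not part of the SAP guide or of NetWeaver UME. The action sets
are the AESecurity and AEApprover lists from section 6.2.1; the custom role
ZAE_HELPDESK and the before/after support package sets are constructed.
"""
from typing import Dict, Iterable, List, Set

AESECURITY: Set[str] = {
    "CreateMitigationControl", "CreateSAPUser",
    "ManageRejectionsCancelGenerationAction", "ManageRejectionsGenerateAction",
    "ViewAccessEnforcer", "ViewApprove", "ViewApproverDelegation", "ViewAssignRolesProfiles",
    "ViewCopyRequest", "ViewCreateRequest", "ViewForwardRequest", "ViewHold",
    "ViewManageRejectionReasons", "ViewManageRejections", "ViewMitigation", "ViewReaffirms",
    "ViewReject", "ViewRejectUsers", "ViewRemoveAccess", "ViewRequstAuditTrail", "ViewReRoute",
    "ViewRiskAnalysis", "ViewSaveRequest", "ViewSearchRequestAll", "ViewSelectPDProfiles",
    "ViewSelectRoles", "ViewSubmitRequest", "ViewUserReviewStatusReportAction",
}
# AEApprover differs from AESecurity in exactly four actions (section 6.2.1).
AEAPPROVER: Set[str] = (AESECURITY - {"CreateSAPUser", "ViewAssignRolesProfiles"}) | {
    "SeeSU01Fields", "ViewSuperAccess"}
DELIVERED: Dict[str, Set[str]] = {"AESecurity": AESECURITY, "AEApprover": AEAPPROVER}


def compare_to_delivered(custom: Iterable[str], delivered: Set[str]) -> Dict[str, List[str]]:
    """Actions the custom role lacks relative to a delivered role, and the
    actions it carries beyond it (each of the latter needs a justification)."""
    custom = set(custom)
    return {"missing": sorted(delivered - custom), "extra": sorted(custom - delivered)}


def delivered_roles_with(action: str) -> List[str]:
    """Non-admin delivered roles that carry the action; an empty list means the
    guide lists it only for AEAdmin, i.e. it is an administrative permission."""
    return sorted(name for name, actions in DELIVERED.items() if action in actions)


def nearest_delivered_role(custom: Iterable[str]) -> str:
    """Delivered role with the smallest symmetric difference to the custom role."""
    custom = set(custom)
    return min(DELIVERED, key=lambda name: (len(custom ^ DELIVERED[name]), name))


def support_package_delta(custom: Iterable[str], before: Set[str], after: Set[str]) -> Dict[str, List[str]]:
    """Section 6.1: actions a support package added to the delivered role that
    the custom role must gain, and actions it removed that the custom role
    still carries and should drop."""
    custom = set(custom)
    return {"add": sorted((after - before) - custom), "drop": sorted((before - after) & custom)}


# Constructed custom role: AEApprover plus two actions copied in "to be safe".
ZAE_HELPDESK: Set[str] = AEAPPROVER | {"CreateSAPUser", "ModifyConnectorsConfiguration"}

if __name__ == "__main__":
    base = nearest_delivered_role(ZAE_HELPDESK)
    diff = compare_to_delivered(ZAE_HELPDESK, DELIVERED[base])
    print("closest delivered role:", base)
    for action in diff["extra"]:
        print("extra:", action, "also in", delivered_roles_with(action) or "AEAdmin only")
    # Constructed support package: one action added to the delivered AEApprover role.
    old_approver = AEAPPROVER - {"ViewUserReviewStatusReportAction"}
    print(support_package_delta(ZAE_HELPDESK - {"ViewUserReviewStatusReportAction"},
                                old_approver, AEAPPROVER))
```

For the constructed role the two extras split differently: CreateSAPUser is an AESecurity action (it provisions user accounts in the back end), while ModifyConnectorsConfiguration appears in no non-admin delivered role, so a help-desk role carrying it can change which back-end systems the application connects to. The support package delta reports the one action the custom role must add and nothing to drop.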
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports; there are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view the Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for each of these roles.

REBusinessUser:
  ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary,
  ViewSearchRoles, ViewTransactionUsage

RERoleDesigner:
  ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
  ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
  ViewDeleteRole, ViewDerivedRoles, ViewGenerateRole, ViewInformer, ViewMitigateRisks,
  ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles,
  ViewTestResults, ViewTransactionUsage

RESecurity:
  ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
  ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
  ViewDeleteRole, ViewDerivedRoles, ViewGenerateRole, ViewInformer, ViewMitigateRisks,
  ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval,
  ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser:
  ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory,
  ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole,
  ViewDeleteRole, ViewDerivedRoles, ViewGenerateRole, ViewInformer, ViewMassMaintGenerate,
  ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks,
  ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval,
  ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator:
  ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess,
  ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields,
  ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology,
  ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping,
  ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus,
  ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute all actions within it | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for each of these roles. Note that VIRSA_CC_SECURITY_ADMIN carries ViewConfiguration, which (see the table above) executes every action on the Configuration tab, and VIRSA_CC_BUSINESS_OWNER carries ViewRuleArchitect without any of the rule change actions.

VIRSA_CC_SECURITY_ADMIN:
  ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction,
  ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles,
  CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet,
  CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles,
  DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet,
  DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData,
  ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports,
  ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer,
  ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT:
  RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer,
  ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER:
  ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole,
  ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile,
  CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject,
  DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis,
  RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation,
  ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab; assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as a documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
  Consultants
  Project teams for upgrades
Current version
  On SAP Service Marketplace at http://service.sap.com/releasenotes
  In the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example -> Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths; names of variables and parameters; and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Disclaimer: Some components of this product are based on Java(TM). Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java(TM) source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following address: http://service.sap.com/securityguide (see also http://service.sap.com/instguides).
5 Delivered Back End Roles
5.5 Creating Custom RFC Roles
You can also create a custom RFC role. Make sure you assign the custom roles the objects, definitions, and authorization values in the tables that follow.
5.5.1 RFC Authorization Roles for CUP
The Compliance User Provisioning RFC connector role requires the following objects and values (object and definition, then each authorization field with its values; a field listed without values has none printed in this guide).
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/AEAHHR, /VIRSA/AEAHNH, /VIRSA/AECO, /VIRSA/AECUHR, /VIRSA/AECUNH, /VIRSA/AEFF, /VIRSA/AEHTHR, /VIRSA/AEPRHR, /VIRSA/AEPRNH, /VIRSA/AEPVHR, /VIRSA/AEPVHR1, /VIRSA/AEPVNH, /VIRSA/AEPVNH1, /VIRSA/AERE, /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZAE01, /VIRSA/ZAE01NH, /VIRSA/ZAE02, /VIRSA/ZAECC, /VIRSA/ZAECCNH, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
  TCD: SU01
S_TABU_DIS (Table maintenance)
  ACTVT: 03
  DICBERCLS: &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User Master Maintenance: Authorizations)
  ACTVT: 03, 08
  AUTH
  OBJECT
S_USER_GRP (User Master Maintenance: User Groups)
  ACTVT: 01, 02, 03, 05, 06, 08, 24, 78
  CLASS
S_USER_PRO (User Master Maintenance: Authorization Profile)
  ACTVT: 03, 08
  PROFILE
S_USER_SAS
  ACTVT: 01, 06, 22
  ACT_GROUP
  CLASS
  PROFILE
  SUBSYSTEM
S_USER_SYS (User Master Maintenance: System for Central User Maintenance)
  ACTVT: 78
  SUBSYSTEM
S_ADDRESS1 (Central address management)
  ACTVT: 01, 02, 03, 06
  ADGRP: BC01
GRCCC_0001 (Table maintenance /VIRSA/ATN)
  MREF
PLOG (Personnel planning)
  INFOTYP: 1001
  ISTAT: 1
  OTYPE
  PLVAR
  PPFCODE: DEL, DISP, INSE, LIST
  SUBTYP
P_TCODE (HR: Transaction code)
  TCD: SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/RE, /VIRSA/REORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Authorization check at transaction start)
  TCD: /VIRSA/RE_DNLDROLES
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User Master Maintenance: Authorizations)
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User Master Maintenance: User Groups)
  ACTVT
  CLASS
S_USER_PRO (User Master Maintenance: Authorization Profile)
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles)
  TCD
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench)
  ACTVT
  DEVCLASS: /VIRSA/, SUSO
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning)
  INFOTYP: 1000, 1001
  ISTAT
  OTYPE
  PLVAR
  PPFCODE
  SUBTYP
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/ALRT, /VIRSA/ERM, /VIRSA/MGMT, /VIRSA/PFCG, /VIRSA/VRAT, /VIRSA/ZCC01, /VIRSA/ZCC02, /VIRSA/ZCC03, /VIRSA/ZCC04, /VIRSA/ZCC05, /VIRSA/ZCCHR, /VIRSA/ZMIC, /VIRSA/ZMICTAB, /VIRSA/ZRBHR, /VIRSA/ZVIR, /VIRSA/ZVIRHR, /VIRSA/ZVIRMIT, /VIRSA/ZVR1, /VIRSA/ZVR2, /VIRSA/ZVR3, /VIRSA/ZVR4, /VIRSA/ZVR5, /VIRSA/ZVR6, /VIRSA/ZWEB, /VIRSA/ZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_TCODE (Transaction code check at transaction start)
  TCD: /VIRSA/RE_DNLDROLES
S_GUI (Authorization for GUI activities)
  ACTVT
S_USER_AGR (Authorizations: role check)
  ACTVT
  ACT_GROUP
S_USER_AUT (User master maintenance: authorizations)
  ACTVT
  AUTH
  OBJECT
S_USER_GRP (User master maintenance: user groups)
  ACTVT
  CLASS
S_USER_PRO (User master maintenance: authorization profile)
  ACTVT
  PROFILE
S_USER_TCD (Authorizations: transactions in roles)
  TCD: =
S_USER_VAL (Authorizations: field values in roles)
  AUTH_FIELD
  AUTH_VALUE
  OBJECT
S_DEVELOP (ABAP Workbench)
  ACTVT: MA
  DEVCLASS: /VIRSA/, SUSO
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
PLOG (Personnel planning)
  INFOTYP: 1000, 1001
  ISTAT: A, C, O, P, S, T, TS, US, WF, WS
  PLVAR
  PPFCODE
  SUBTYP
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
S_RFC (Authorization check for RFC access)
  ACTVT: 16
  RFC_NAME: /VIRSA/FF_UTIL_RPT, /VIRSA/ZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
  RFC_TYPE: FUGR
S_DEVELOP (ABAP Workbench)
  ACTVT: 16
  DEVCLASS: /VIRSA/
  OBJNAME: /VIRSA/
  OBJTYPE: FUGR
  P_GROUP
GRCFF_0001 (User authorizations)
  ACTVT
GRCFF_0002 (Role authorizations)
  /VIRSA/FAT
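As an added example (not SAP code and not part of this guide), the following Python script checks a hand-built SPM connector role against the S_RFC and S_DEVELOP values in the table above and reports values the role lacks, a blanket "*" where the guide lists explicit function groups, and authorization objects the guide does not list for this connector. The role listing format it parses is constructed for the example, not a real SAP role export; the GRCFF_0001/GRCFF_0002 rows are left out because the guide prints no values for them.

```python
"""Least-privilege check for a custom SPM RFC connector role.

Added example, not SAP code. The listing format parsed here is constructed:
one "OBJECT FIELD VALUE" triple per line, '#' lines are comments.
"""
from collections import defaultdict

# Required values for the SPM RFC connector role, as listed in the guide's
# table (S_RFC and S_DEVELOP only).
SPM_REQUIRED = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {
        "/VIRSA/FF_UTIL_RPT", "/VIRSA/ZVFAT", "BAPT", "RFC1", "SDIF",
        "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU",
    },
    ("S_DEVELOP", "ACTVT"): {"16"},
    ("S_DEVELOP", "DEVCLASS"): {"/VIRSA/"},
    ("S_DEVELOP", "OBJNAME"): {"/VIRSA/"},
    ("S_DEVELOP", "OBJTYPE"): {"FUGR"},
}


def parse_role_listing(text):
    """Parse the constructed listing into {(object, field): set(values)}."""
    granted = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        obj, field, value = line.split(None, 2)
        granted[(obj, field)].add(value)
    return dict(granted)


def check_rfc_role(granted, required):
    """Return sorted findings as (kind, object, field, detail) tuples.

    missing  - a value the guide requires that the role does not grant
    wildcard - the role grants '*' where the guide lists explicit values,
               i.e. broader than the connector needs
    extra    - an object/field the guide does not list for this connector
    An empty list means the role matches the table exactly.
    """
    findings = []
    for (obj, field), needed in required.items():
        have = granted.get((obj, field), set())
        if "*" in have:
            findings.append(("wildcard", obj, field, "*"))
            continue
        for value in sorted(needed - have):
            findings.append(("missing", obj, field, value))
    for (obj, field), values in granted.items():
        if (obj, field) not in required:
            findings.append(("extra", obj, field, ", ".join(sorted(values))))
    return sorted(findings)


def role_report(text, required=SPM_REQUIRED):
    """Parse a listing and return its findings against the required values."""
    return check_rfc_role(parse_role_listing(text), required)


# Constructed sample: a custom SPM connector role built by hand. It grants
# every function group instead of the listed ones, forgets OBJTYPE, and
# carries an S_TCODE authorization the SPM connector table does not list.
SAMPLE_ROLE = """
# object   field     value
S_RFC      ACTVT     16
S_RFC      RFC_TYPE  FUGR
S_RFC      RFC_NAME  *
S_DEVELOP  ACTVT     16
S_DEVELOP  DEVCLASS  /VIRSA/
S_DEVELOP  OBJNAME   /VIRSA/
S_TCODE    TCD       SU01
"""

if __name__ == "__main__":
    for kind, obj, field, detail in role_report(SAMPLE_ROLE):
        print(f"{kind:8} {obj:10} {field:9} {detail}")
```

The same check applies to the CUP, ERM, and RAR connector roles by passing their table values as the `required` argument.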
6 Delivered Front End Roles and Permissions
Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
  If you are using the delivered roles, you must import the roles again.
  If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
  AEADMIN
  AESecurity
  AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search change log | Configuration
ViewAccessEnforcer | Permission to view Access Enforcer tab | Configuration
ViewApprove | Permission to approve request in the approver view | (Not displayed in a tab)
ViewApproverDelegation | Permission to define delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | Configuration
ViewchangeCADApprover | | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
  READMIN
  REBusinessUser
  RERoleDesigner
  RESecurity
  RESuperUser
  REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view/modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do The
VIRSA_CC_ADMINISTRATOR role includes all actions The other roles contain subsets of these
permissions
VIRSA_CC_ADMINISTRATOR
The following table lists the actions
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3952
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
Clear Alert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to business processes Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
ExportRules Permission to export rules Rule Architect
GenerateAlert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete system rules Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts Alert Monitor
ViewBgJobLog Permission to view the user's own background jobs Informer and Configuration
ViewBGJobsForAllUsers Permission to view background jobs for all users Informer and Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
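The check these tables let you make, written out as an added Python example (not code SAP ships with Access Control): it takes a proposed UME action list for a custom RAR role, confirms every action exists in the VIRSA_CC_ADMINISTRATOR catalogue (the "subset of the administrator role" property the guide states), reports which tabs the role exposes, and flags actions whose reach is wider than their name suggests. CATALOGUE and DELIVERED are copied from the tables above; CUSTOM_AUDITOR and CUSTOM_RULE_OWNER are constructed role proposals; the HIGH_IMPACT list and the rules/mitigation conflict rule are this example's own policy choices, not statements from the guide (the guide only says that ViewConfiguration executes every Configuration action and that ManageDeletionAllRules deletes all rules).

```python
"""Audit a UME role's action list against the VIRSA_CC_ADMINISTRATOR catalogue.

Added example, not SAP-delivered code. CATALOGUE and DELIVERED are copied
from the section 6.2 tables; CUSTOM_AUDITOR and CUSTOM_RULE_OWNER are
constructed role proposals. HIGH_IMPACT and the rule/mitigation conflict
are this example's own policy choices, not statements from the guide.
"""

CATALOGUE = {  # tab -> actions listed for VIRSA_CC_ADMINISTRATOR
    "Mitigation": [
        "ChangeAdmins", "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject",
        "ChangeMitProfile", "ChangeMitRole", "ChangeMitUser", "CreateAdmins",
        "CreateBUnit", "CreateMitCntl", "CreateMitHRObject", "CreateMitProfile",
        "CreateMitRole", "CreateMitUser", "DeleteAdmins", "DeleteBUnit",
        "DeleteMitCntl", "DeleteMitHRsObject", "DeleteMitProfile",
        "DeleteMitRole", "DeleteMitUser", "ExportMitigationData",
        "ImportMitigationData", "ViewMitigation"],
    "Rule Architect": [
        "ChangeBP", "ChangeCrActions", "ChangeCrProfiles", "ChangeCrRoles",
        "ChangeFunction", "ChangeOrgRules", "ChangeRisks", "ChangeRuleSet",
        "ChangeSupplementRole", "CreateBP", "CreateCrActions",
        "CreateCrProfiles", "CreateCrRoles", "CreateFunction",
        "CreateOrgRules", "CreateRisks", "CreateRuleSet",
        "CreateSupplementRule", "DeleteBP", "DeleteCrActions",
        "DeleteCrProfiles", "DeleteCrRoles", "DeleteFunction",
        "DeleteOrgRules", "DeleteRisks", "DeleteRuleSet",
        "DeleteSupplementRule", "ExportRules", "ImportRules", "MassFuncMaint",
        "ViewRuleArchitect"],
    "Alert Monitor": ["ClearAlert", "DeleteAlert", "GenerateAlert",
                      "ViewAlertMonitor"],
    "Configuration": ["ManageDeletionAllRules", "ManageDeletionSystemRules",
                      "ViewConfiguration"],
    "Informer": ["RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
                 "ViewInformer", "ViewMgmtReport"],
    "Informer and Configuration": ["ViewBgJobLog", "ViewBGJobsForAllUsers"],
}
ACTION_TAB = {a: tab for tab, acts in CATALOGUE.items() for a in acts}
KNOWN_ACTIONS = set(ACTION_TAB)

# Policy (this example's, not the guide's): the guide says ViewConfiguration
# executes every Configuration action and ManageDeletionAllRules deletes all
# rules; the rest are mass-delete, import or alert-clearing actions.
HIGH_IMPACT = {"ViewConfiguration", "ManageDeletionAllRules",
               "ManageDeletionSystemRules", "ImportRules",
               "ImportMitigationData", "DeleteAlert", "ClearAlert"}

# Policy (this example's): one role should not both define risks/rules and
# create or change the mitigating controls that silence them.
RULE_MAINT = {a for a in CATALOGUE["Rule Architect"]
              if a.startswith(("Create", "Change", "Delete"))}
MIT_MAINT = {a for a in CATALOGUE["Mitigation"]
             if "Mit" in a and a.startswith(("Create", "Change"))}

DELIVERED = {
    "VIRSA_CC_REPORT": [
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation"],
    "VIRSA_CC_BUSINESS_OWNER": [
        "ChangeBUnit", "ChangeMitCntl", "ChangeMitHRObject", "ChangeMitProfile",
        "ChangeMitRole", "ChangeMitUser", "CreateBUnit", "CreateMitCntl",
        "CreateMitHRObject", "CreateMitProfile", "CreateMitRole",
        "CreateMitUser", "DeleteBUnit", "DeleteMitCntl", "DeleteMitHRsObject",
        "DeleteMitProfile", "DeleteMitRole", "DeleteMitUser", "RunAuditReports",
        "RunRiskAnalysis", "RunSecurityReports", "ViewAlertMonitor",
        "ViewInformer", "ViewMgmtReport", "ViewMitigation", "ViewRuleArchitect"],
}
# Constructed proposals: a report-only role with a typo and an over-grant,
# and a role that combines rule maintenance with mitigation maintenance.
CUSTOM_AUDITOR = ["RunRiskAnalysis", "ViewInformer", "ViewMgmtReport",
                  "ViewConfiguration", "ViewConfiguratoin"]
CUSTOM_RULE_OWNER = ["CreateRisks", "ChangeRuleSet", "ViewRuleArchitect",
                     "CreateMitCntl", "ViewMitigation"]


def audit_role(actions):
    """Return findings for one action list. 'unknown' lists names absent from
    the administrator catalogue (a typo, or an action of another capability),
    which is how the guide's 'subset of the administrator role' is verified."""
    acts = set(actions)
    known = acts & KNOWN_ACTIONS
    return {
        "unknown": sorted(acts - KNOWN_ACTIONS),
        "high_impact": sorted(known & HIGH_IMPACT),
        "tabs": sorted({ACTION_TAB[a] for a in known}),
        "sod_conflict": bool(known & RULE_MAINT) and bool(known & MIT_MAINT),
    }


if __name__ == "__main__":
    for name, acts in {**DELIVERED, "CUSTOM_AUDITOR": CUSTOM_AUDITOR,
                       "CUSTOM_RULE_OWNER": CUSTOM_RULE_OWNER}.items():
        print(name, audit_role(acts))
```

Run it against the UME export of a custom role before assigning the role: an "unknown" entry is either a typo that silently grants nothing or an action borrowed from CUP/ERM, a "high_impact" hit on a role meant for reporting is the over-grant this section warns about, and a "sod_conflict" is worth a second look even though the guide itself does not define separation of duties inside the GRC front end.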
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view the Connector Configuration Change Log report Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary report Reports
ReasonActivityReport Permission to view the Reason Activity report Reports
SessionSummaryReport Permission to view the Session Summary report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com, Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example > Example Arrows separating the parts of a navigation path, for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note, for example SAP Note 123456
Example Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths; names of variables and parameters; and names of installation, upgrade and database tools
EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Documentation in the SAP Service Marketplace: you can find this document at http://service.sap.com/securityguide and http://service.sap.com/instguides.
Object Definition Authorization Field Values
S_RFC (continued) RFC_NAME VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Authorization check at transaction start
TCD SU01
S_TABU_DIS Table maintenance ACTVT 03
DICBERCLS &NC& SC SS ZV&G ZV&H ZV&N
S_USER_AGR Authorizations role check ACTVT
ACT_GROUP
S_USER_AUT User Master Maintenance Authorizations
ACTVT 03 08
AUTH
OBJECT
S_USER_GRP User Master Maintenance User Groups
ACTVT 01 02 03 05 06 08 24 78
CLASS
S_USER_PRO User Master Maintenance Authorization Profile
ACTVT 03 08
PROFILE
S_USER_SAS User Master Maintenance System-Specific Assignments ACTVT 01 06 22
ACT_GROUP
CLASS
PROFILE
SUBSYSTEM
S_USER_SYS User Master Maintenance System for Central User Maintenance
ACTVT 78
SUBSYSTEM
S_ADDRESS1 Central address management ACTVT 01 02 03 06
ADGRP BC01
GRCCC_0001 Table maintenance VIRSAATN MREF
PLOG Personnel planning INFOTYP 1001
ISTAT 1
OTYPE
Object Definition Authorization Field Values
PLVAR
PPFCODE DEL DISP INSE LIST
SUBTYP
P_TCODE HR Transaction code TCD SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSARE VIRSAREORG BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Authorization check at transaction start
TCD VIRSARE_DNLDROLES
S_USER_AGR Authorizations role check ACTVT
ACT_GROUP
S_USER_AUT User Master Maintenance Authorizations ACTVT
AUTH
OBJECT
S_USER_GRP User Master Maintenance user groups ACTVT
CLASS
S_USER_PRO User Master Maintenance authorization profile ACTVT
PROFILE
S_USER_TCD Authorizations transactions in roles TCD
S_USER_VAL Authorizations field values in roles AUTH_FIELD
AUTH_VALUE
OBJECT
S_DEVELOP ABAP Workbench ACTVT
DEVCLASS VIRSA SUSO
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
PLOG Personnel planning INFOTYP 1000 1001
ISTAT
OTYPE
PLVAR
PPFCODE
SUBTYP
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_TCODE Transaction code check at transaction start
TCD VIRSARE_DNLDROLES
S_GUI Authorization for GUI activities
ACTVT
S_USER_AGR Authorizations role check ACTVT
ACT_GROUP
Object Definition Authorization Field Values
S_USER_AUT User master maintenance authorizations
ACTVT
AUTH
OBJECT
S_USER_GRP User master maintenance user groups
ACTVT
CLASS
S_USER_PRO User master maintenance authorization profile
ACTVT
PROFILE
S_USER_TCD Authorizations transactions in roles
TCD =
S_USER_VAL Authorizations field values in roles
AUTH_FIELD
AUTH_VALUE
OBJECT
S_DEVELOP ABAP Workbench ACTVT MA
DEVCLASS VIRSA SUSO
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
PLOG Personnel planning INFOTYP 1000 1001
ISTAT A C O P S T TS US WF WS
PLVAR
PPFCODE
SUBTYP
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object Definition Authorization Field Values
S_RFC Authorization check for RFC access
ACTVT 16
RFC_NAME VIRSAFF_UTIL_RPT VIRSAZVFAT BAPT RFC1 SDIF SDTX SDIFRUNTIME SUSR SUUS SU_USER SYST SYSU
RFC_TYPE FUGR
S_DEVELOP ABAP Workbench ACTVT 16
DEVCLASS VIRSA
OBJNAME VIRSA
OBJTYPE FUGR
P_GROUP
GRCFF_0001 User authorizations ACTVT
GRCFF_0002 Role authorizations VIRSAFAT
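A check a reviewer of these connector roles would want, added here as a Python example and not part of SAP's delivery: it compares a role's S_RFC values with the function groups listed in 5.5.4 for the SPM connector. The role dumps are constructed for this example in a flat OBJECT FIELD LOW [HIGH] form (a real check would read the values from PFCG or table AGR_1251); the matching rules follow how SAP evaluates authorization values (a lone * grants every name, a trailing * is a prefix match, a LOW/HIGH pair is an inclusive range). The point it makes is that RFC_NAME * or a wide range satisfies the required list while granting far more, so generic values are reported separately from gaps.

```python
"""Check an RFC connector role's S_RFC values against the function groups
the guide requires for the SPM connector (section 5.5.4).

Added example, not SAP-delivered code. The role dumps are constructed in a
flat 'OBJECT FIELD LOW [HIGH]' form for this example (a real check would read
PFCG or table AGR_1251). Value matching follows SAP authorization semantics:
'*' alone grants everything, a trailing '*' is a prefix match, and a LOW/HIGH
pair is an inclusive range.
"""
from dataclasses import dataclass

REQUIRED_SPM = ["VIRSAFF_UTIL_RPT", "VIRSAZVFAT", "BAPT", "RFC1", "SDIF",
                "SDTX", "SDIFRUNTIME", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"]

# Constructed: a role that lists exactly the groups from section 5.5.4.
TIGHT_ROLE = """
S_RFC ACTVT 16
S_RFC RFC_TYPE FUGR
""" + "\n".join(f"S_RFC RFC_NAME {fg}" for fg in REQUIRED_SPM)

# Constructed: the shortcut that 'fixes' RFC errors by granting every group.
BROAD_ROLE = """
S_RFC ACTVT 16
S_RFC RFC_TYPE FUGR
S_RFC RFC_NAME *
"""

# Constructed: prefix and range values that look tidy but still leave gaps.
GAPPY_ROLE = """
S_RFC ACTVT 16
S_RFC RFC_TYPE FUGR
S_RFC RFC_NAME VIRSA*
S_RFC RFC_NAME BAPT RFC1
S_RFC RFC_NAME SDIF SDTX
S_RFC RFC_NAME SUSR
S_RFC RFC_NAME SYST
S_RFC RFC_NAME SYSU
"""


@dataclass(frozen=True)
class AuthValue:
    low: str
    high: str = ""

    def covers(self, name: str) -> bool:
        if self.high:                      # LOW..HIGH range, inclusive
            return self.low <= name <= self.high
        if self.low == "*":                # generic value: everything
            return True
        if self.low.endswith("*"):         # trailing wildcard: prefix match
            return name.startswith(self.low[:-1])
        return self.low == name

    def is_generic(self) -> bool:
        """True for any value that can cover names beyond one literal."""
        return bool(self.high) or self.low.endswith("*")


def parse_dump(text: str) -> dict:
    """OBJECT -> FIELD -> [AuthValue] from the flat constructed format."""
    auth: dict = {}
    for line in text.strip().splitlines():
        obj, field, low, *rest = line.split()
        auth.setdefault(obj, {}).setdefault(field, []).append(
            AuthValue(low, rest[0] if rest else ""))
    return auth


def check_rfc_role(dump: str, required=REQUIRED_SPM) -> dict:
    """Report required groups no value covers, values that grant more than a
    literal name, and whether ACTVT and RFC_TYPE are pinned to 16 and FUGR."""
    s_rfc = parse_dump(dump).get("S_RFC", {})
    names = s_rfc.get("RFC_NAME", [])
    actvt, rtype = s_rfc.get("ACTVT", []), s_rfc.get("RFC_TYPE", [])
    return {
        "missing": [fg for fg in required
                    if not any(v.covers(fg) for v in names)],
        "generic": [v.low + ("-" + v.high if v.high else "")
                    for v in names if v.is_generic()],
        "execute_only": bool(actvt) and all(v.low == "16" for v in actvt),
        "fugr_only": bool(rtype) and all(v.low == "FUGR" for v in rtype),
    }


if __name__ == "__main__":
    for label, dump in [("tight", TIGHT_ROLE), ("broad", BROAD_ROLE),
                        ("gappy", GAPPY_ROLE)]:
        print(label, check_rfc_role(dump))
```

The same check applies to the CUP, ERM and RAR connector roles by passing their RFC_NAME lists as `required`; a connector user is a technical account reachable from the portal, so a generic S_RFC value on it is the difference between "can call the GRC function groups" and "can call any remote-enabled function module in the system".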
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions and actions. To propagate the changes to your system you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions. Comparing the action list of the freshly imported delivered role with each custom role shows which actions the support package added or renamed.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEADMIN
The following are the actions for the AEADMIN role.
Action Name Description Appears on This Tab
aewebqueryexecution This is an internally used permission and is not associated with any functionality (Not displayed in a tab)
ApproverDelegationByAdmin Permission to view Approver Delegation in the Request left navigation of the Configuration tab Configuration
ArchivingRequest Permission for Archiving Request Configuration
CreateMitigationControl Permission to create a mitigation control in the approver view (Not displayed in a tab)
CreateSAPUser Permission to provision a user account (create, delete, lock, unlock) in the back-end system from the approver view (Not displayed in a tab)
DeleteApprvDelegatorByAdmin Permission to delete the approver/delegator pair from the admin view Configuration
DeleteRequestAction Permission to delete requests Configuration
DeleteRequestSubmit Permission to submit delete requests, which is only available if Deleting Requests is assigned Configuration
ManageRejectionsCancelGenerationAction Permission to cancel generating requests for manage rejections for UAR and SOD Configuration
ManageRejectionsGenerateAction Permission to generate requests for manage rejections for UAR and SOD Configuration
ManageUARLoadDataTask Permission to access UAR Load Data tasks in the Configuration tab Configuration
ModifyApproversConfiguration Permission to modify Approvers Configuration Configuration
ModifyAttachmentFolder Permission to modify the Request Attachment Folder Configuration
ModifyAttributeConfiguration Permission to modify Attribute Configuration Configuration
ModifyAuthenticationConfiguration Permission to modify Authentication Configuration Configuration
ModifyBackgroundJobsConfiguration Permission to modify Background Jobs Configuration Configuration
ModifyChangeLogConfiguration Permission to modify Change Log Configuration Configuration
ModifyConfigLDAPMappingAction Permission to modify LDAP Mapping Configuration Configuration
ModifyConnectorsConfiguration Permission to modify Connectors Configuration Configuration
ModifyCustomFieldsConfiguration Permission to modify Custom Fields Configuration Configuration
Action Name Description Appears on This Tab
ModifyEnduserPersonalizationConfiguration Permission to modify Enduser Personalization Configuration Configuration
ModifyHRTriggersConfiguration Permission to modify HR Triggers Configuration Configuration
ModifyInitialSystemDataConfiguration Permission to modify Initial Data Configuration Configuration
ModifyMiscellaneousConfiguration Permission to modify Miscellaneous Configuration Configuration
ModifyMitigationConfiguration Permission to modify Mitigation Configuration Configuration
ModifyNumberRangeConfiguration Permission to modify Number Range Configuration Configuration
ModifyPasswordSelfServiceConfiguration Permission to modify Password Self Service Configuration Configuration
ModifyProvisioningConfiguration Permission to modify Provisioning Configuration Configuration
ModifyReaffirmsConfiguration Permission to modify Reaffirms Configuration Configuration
ModifyRequestConfiguration Permission to modify Request Configuration Configuration
ModifyRiskAnalysisConfiguration Permission to modify Risk Analysis Configuration Configuration
ModifyRolesConfiguration Permission to modify Roles Configuration Configuration
ModifyServiceLevelConfiguration Permission to modify Service Level Configuration Configuration
ModifySupportConfiguration Permission to modify Support Configuration Configuration
ModifyUserDefaultsConfiguration Permission to modify User Defaults Configuration Configuration
ModifyUserSearchDataSourceConfiguration Permission to modify User Data Source Configuration Configuration
ModifyWorkflowConfiguration Permission to modify Workflow Configuration Configuration
SearchChangeLog Permission to search the change log Configuration
ViewAccessEnforcer Permission to view the Access Enforcer tab Configuration
ViewApprove Permission to approve a request in the approver view (Not displayed in a tab)
ViewApproverDelegation Permission to define a delegate approver for self Configuration
ViewAssignRolesProfiles Permission to provision roles and profiles in the back-end system from the approver view Configuration
Action Name Description Appears on This Tab
ViewchangeCADApprover Permission to view or change the CAD approver (Not displayed in a tab)
ViewConfigApplicationLogAction Permission to view the Application Log in Configuration Configuration
ViewConfigSystemLogAction Permission to view the System Log in Configuration Configuration
ViewConfiguration Permission to view the Configuration tab Configuration
ViewCopyRequest Permission to copy a request from the approver view My Work
ViewCreateRequest Permission to create a request from the approver view My Work
ViewDelegationReportAction Permission to view the Delegation Report Informer
ViewForwardRequest Permission to forward a request from the approver view (Not displayed in a tab)
ViewHold Permission to put a request on hold in the approver view (Not displayed in a tab)
ViewIfCancelRiskViolationDetails Permission to view Informer Cancel Risk Violation Details Informer
ViewIFChartAccessRequestAction Permission to view the Informer Reports Access Request chart view Informer
ViewIFChartAccessProvisioningAction Permission to view the Informer Reports Provisioning chart view Informer
ViewIFChartRiskViolationAction Permission to view the Informer Reports Risk Violation chart view Informer
ViewIFChartServiceLevelAction Permission to view the Informer Reports Service Level chart view Informer
ViewIFReportViewAction Permission to view the Informer Report View Informer
ViewIFRequestByStructProfilesAction Permission to view Informer Request By Structural Profiles Informer
ViewIFRequestConflictsMitigationAction Permission to view Informer Request Conflicts and Mitigations Informer
ViewIFRequestRoleOwnerAction Permission to view Informer Request Role Owner Informer
ViewIFRequestServiceLevelAction Permission to view Informer Service Level Configuration
ViewIfRiskViolationDetails Permission to view Informer Risk Violation Details Informer
ViewIFRoleOwnerAction Permission to view Informer Role Owner Informer
ViewInformer Permission to view the Informer tab Informer
ViewManageRejectionReasons Permission to view manage rejection reasons Configuration
Action Name Description Appears on This Tab
ViewManageRejections Permission to view manage rejections for UAR and SOD Configuration
ViewMitigation Permission to mitigate a risk from the risk analysis screen in the approver view Configuration
ViewReaffirms Permission to reaffirm from the approver view My Work
ViewReject Permission to reject a request in the approver view My Work
ViewRemoveAccess Permission to view the Remove Access button on the SOD Review page (Not displayed in a tab)
ViewRequestsAdministration Permission for Requests Administration Configuration
ViewRequstAuditTrails Permission to view the request audit trail from the approver view (Not displayed in a tab)
ViewReRoute Permission to reroute a request from the approver view (Not displayed in a tab)
ViewRiskAnalysis Permission to perform risk analysis from the approver view (Not displayed in a tab)
ViewSaveRequest Permission to view the Save Request button on the SOD Review page (Not displayed in a tab)
ViewSearchRequestAll Permission to search for all requests from the approver view (Not displayed in a tab)
ViewSelectPDProfiles Permission to select PD profiles and add them to a request in the approver view (Not displayed in a tab)
ViewSelectRoles Permission to select roles and add them to a request in the approver view (Not displayed in a tab)
ViewSODReviewHistoryReportAction Permission to view the SOD Review Informer report Informer
ViewStaleRequests Permission to enter stale request details in the request view (Not displayed in a tab)
ViewSubmitRequest Permission to view the Submit Request button on the SOD Review page (Not displayed in a tab)
ViewSuperAccess Permission to view the Super Access button (Not displayed in a tab)
ViewUARReviewHistoryReportAction Permission to view the UAR Review Informer report Informer
ViewUpgradeAction Permission for Upgrade Configuration Informer
ViewUserReviewStatusReportAction Permission to view user review status for CUP Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrails
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.

Action Name | Value | Appears on this Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.

REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.

Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version:
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
Consultants
System administrators
Project teams for implementations or upgrades
Current version:
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
Technology consultants
Solution consultants
Project teams for implementations
Current version:
In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
Solution consultants
Project teams for implementations or upgrades
Current version:
In the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup, restore, master data maintenance, transports, and tests.
Target group:
System administrators
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
Consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Disclaimer: Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: you can find this document at the following addresses: https://service.sap.com, http://service.sap.com/securityguide, and http://service.sap.com/instguides.
Object | Definition | Authorization Field | Values
(continued from the preceding table) | | PLVAR |
(continued from the preceding table) | | PPFCODE | DEL, DISP, INSE, LIST
(continued from the preceding table) | | SUBTYP |
P_TCODE | HR: Transaction code | TCD | SU01
5.5.2 RFC Authorization Values for ERM
The Enterprise Role Management RFC connector role requires the following objects and field values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSARE, VIRSAREORG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | VIRSARE_DNLDROLES
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User Master Maintenance: Authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User Master Maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User Master Maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT |
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT |
PLOG | | OTYPE |
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYPE |
5.5.3 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAALRT, VIRSAERM, VIRSAMGMT, VIRSAPFCG, VIRSAVRAT, VIRSAZCC01, VIRSAZCC02, VIRSAZCC03, VIRSAZCC04, VIRSAZCC05, VIRSAZCCHR, VIRSAZMIC, VIRSAZMICTAB, VIRSAZRBHR, VIRSAZVIR, VIRSAZVIRHR, VIRSAZVIRMIT, VIRSAZVR1, VIRSAZVR2, VIRSAZVR3, VIRSAZVR4, VIRSAZVR5, VIRSAZVR6, VIRSAZWEB, VIRSAZWKFL, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT, ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT, AUTH, OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT, CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT, PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD |
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD, AUTH_VALUE, OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
S_DEVELOP | | DEVCLASS | VIRSA, SUSO
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
PLOG | Personnel planning | INFOTYPE | 1000, 1001
PLOG | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
PLOG | | PLVAR |
PLOG | | PPFCODE |
PLOG | | SUBTYP |
5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIFRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
S_DEVELOP | | DEVCLASS | VIRSA
S_DEVELOP | | OBJNAME | VIRSA
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
6 Delivered Front End Roles and Permissions
Access Control front end uses SAP NetWeaver Portal to connect to the server You use NetWeaver UME
to set up the front-end roles and configure the permissions
Each capability contains a set of delivered roles with recommended authorizations and actions
61 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles permissions and actions To propagate
the changes to your system you must install the support package and then do the following
If you are using the delivered roles you must import the roles again
If you are using custom roles you must manually update your roles with the new permissions and
actions
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations; every other role contains a subset of them. When you create custom roles, refer to the actions and values listed for the administration roles in the following tables.
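The two rules above (custom roles are drawn from the administration role's action list, and custom roles must be brought up to date by hand after a support package) reduce to set arithmetic over UME action names. The script below is an added example, not code from the SAP guide: it parses action tables in the "Action Name | Description | Appears on This Tab" layout used in this chapter, compares a custom role with the delivered administration role before and after a support package, and reports actions the custom role uses that no longer exist, new actions it lacks, and back-end provisioning actions it carries. The sample tables, the custom role names Z_AE_APPROVER and Z_AE_SECURITY, and the provisioning policy are constructed for the example; the action names are taken from the AEADMIN table but the sets are deliberately incomplete.

```python
"""Audit custom NetWeaver UME roles against the delivered Access Control roles.

Added example; not code from the SAP guide. Two rules from the guide are
checked as set arithmetic over UME action names: a custom role is built from
the administration role's action list (section 6.2), and after a support
package the custom role has to be brought up to date by hand (section 6.1).
"""
import re
from dataclasses import dataclass

# Constructed sample: a few rows in the guide's "Action Name | Description |
# Appears on This Tab" layout, standing in for the delivered AEADMIN role as
# installed before a support package. Not the complete delivered list.
AEADMIN_BEFORE_SP = """
Action Name | Description | Appears on This Tab
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account in the back-end system | (Not displayed in a tab)
ViewAccessEnforcer | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApprove | Permission to approve request in the approver view | My Work
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewReject | Permission to reject request in the approver view | My Work
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
"""

# Constructed: the same role after a support package that adds two actions.
AEADMIN_AFTER_SP = AEADMIN_BEFORE_SP + """
ViewSubmitRequest | Permission for viewing Submit Request Button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access Button | (Not displayed in a tab)
"""

# Constructed policy, not SAP's: actions that write to the back-end system
# (the guide describes CreateSAPUser as provisioning accounts there). Any
# custom role carrying one of them is reported for review.
BACKEND_PROVISIONING = frozenset({"CreateSAPUser"})


def parse_actions(table: str) -> frozenset:
    """Return the action names in a table whose first column is the name.
    The name is the text before the first '|' or run of whitespace, so both
    the pipe layout above and a plain space-separated row parse the same."""
    names = set()
    for line in table.strip().splitlines():
        name = re.split(r"\s*\|\s*|\s+", line.strip(), maxsplit=1)[0]
        if name and name != "Action":  # skip the header row
            names.add(name)
    return frozenset(names)


@dataclass(frozen=True)
class RoleAudit:
    role: str
    unknown: frozenset        # actions not in the delivered admin role at all
    dropped_by_sp: frozenset  # actions the support package removed
    added_by_sp: frozenset    # new admin actions the custom role does not have
    provisioning: frozenset   # back-end provisioning actions the role carries

    @property
    def consistent(self) -> bool:
        """True when every action of the role exists in the current admin role."""
        return not (self.unknown or self.dropped_by_sp)


def audit_role(role, actions, admin_before, admin_after) -> RoleAudit:
    """Compare one custom role's actions with the delivered admin role before
    and after a support package."""
    actions = frozenset(actions)
    return RoleAudit(
        role=role,
        unknown=actions - (admin_before | admin_after),
        dropped_by_sp=actions & (admin_before - admin_after),
        added_by_sp=(admin_after - admin_before) - actions,
        provisioning=actions & BACKEND_PROVISIONING,
    )


def run_sample() -> dict:
    """Audit two constructed custom roles (hypothetical names; the Z_ prefix
    marks them as customer-defined)."""
    before = parse_actions(AEADMIN_BEFORE_SP)
    after = parse_actions(AEADMIN_AFTER_SP)
    custom = {
        # Approver role containing a misspelt action (constructed typo).
        "Z_AE_APPROVER": {"ViewAccessEnforcer", "ViewApprove", "ViewReject",
                          "ViewHold", "ViewForwardRequest", "ViewRiskAnalysis",
                          "ViewAprove"},
        # Security role that already includes one of the new actions.
        "Z_AE_SECURITY": {"ViewAccessEnforcer", "ViewApprove", "CreateSAPUser",
                          "CreateMitigationControl", "ViewSubmitRequest"},
    }
    return {name: audit_role(name, acts, before, after)
            for name, acts in custom.items()}


def report(audit: RoleAudit) -> list:
    """Human-readable findings for one role, one line per finding."""
    lines = []
    if audit.unknown:
        lines.append(f"{audit.role}: unknown actions {sorted(audit.unknown)}")
    if audit.dropped_by_sp:
        lines.append(f"{audit.role}: actions removed by SP {sorted(audit.dropped_by_sp)}")
    if audit.added_by_sp:
        lines.append(f"{audit.role}: review new SP actions {sorted(audit.added_by_sp)}")
    if audit.provisioning:
        lines.append(f"{audit.role}: carries back-end provisioning {sorted(audit.provisioning)}")
    return lines


if __name__ == "__main__":
    for audit in run_sample().values():
        print("\n".join(report(audit)) or f"{audit.role}: no findings")
```

In practice the tables would be exported from the UME of the old and new installation rather than embedded as strings; the comparison logic does not change. A role is only "consistent" when all of its actions exist in the current administration role, while new actions and provisioning actions are reported for review, since the guide leaves the decision whether to add them to the administrator.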
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions; the other roles contain subsets of these permissions.
AEADMIN
The following are the actions for the AEADMIN role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation in the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel the generation of requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search the change log | Configuration
ViewApprove | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve a request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define a delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports: Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports: Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports: Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports: Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction

AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions; the other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.

REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change a supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases of the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com > Glossary; in the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver; this document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following address: http://service.sap.com/securityguide (http://service.sap.com/instguides)
553 RFC Authorization Values for RAR
The Risk Analysis and Remediation RFC connector role requires the following RFC objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAALRT VIRSAERM VIRSAMGMT VIRSAPFCG VIRSAVRAT VIRSAZCC01 VIRSAZCC02 VIRSAZCC03 VIRSAZCC04 VIRSAZCC05 VIRSAZCCHR VIRSAZMIC VIRSAZMICTAB VIRSAZRBHR VIRSAZVIR VIRSAZVIRHR VIRSAZVIRMIT VIRSAZVR1 VIRSAZVR2 VIRSAZVR3 VIRSAZVR4 VIRSAZVR5 VIRSAZVR6 VIRSAZWEB VIRSAZWKFL BAPT RFC1 SDIF SDIFRUNTIME SDTX SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_TCODE | Transaction code check at transaction start | TCD | VIRSARE_DNLDROLES
S_GUI | Authorization for GUI activities | ACTVT |
S_USER_AGR | Authorizations: role check | ACTVT |
 | | ACT_GROUP |
S_USER_AUT | User master maintenance: authorizations | ACTVT |
 | | AUTH |
 | | OBJECT |
S_USER_GRP | User master maintenance: user groups | ACTVT |
 | | CLASS |
S_USER_PRO | User master maintenance: authorization profile | ACTVT |
 | | PROFILE |
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD |
 | | AUTH_VALUE |
 | | OBJECT |
S_DEVELOP | ABAP Workbench | ACTVT | MA
 | | DEVCLASS | VIRSA SUSO
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP |
PLOG | Personnel planning | INFOTYPE | 1000 1001
 | | ISTAT | A C O P S T TS US WF WS
 | | PLVAR |
 | | PPFCODE |
 | | SUBTYP |
554 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.
Object | Definition | Authorization Field | Values
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAFF_UTIL_RPT VIRSAZVFAT BAPT RFC1 SDIF SDTX SDIRUNTIME SUSR SUUS SU_USER SYST SYSU
 | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
 | | DEVCLASS | VIRSA
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP |
GRCFF_0001 | User authorizations | ACTVT |
GRCFF_0002 | Role authorizations | VIRSAFAT |
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
61 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
62 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of these authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
621 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in Request left navigation in Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create mitigation control in approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver delegator pair from admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission for modifying Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission for modifying Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission for modifying LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search change log | Configuration
ViewApprove | Permission to view Access Enforcer Tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view System Log in Configuration | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewCopyRequest | Permission to copy request from approver view | My Work
ViewCreateRequest | Permission to create request from approver view | My Work
ViewDelegationReportAction | Permission to view Delegation Report | Informer
ViewForwardRequest | Permission to forward request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission for viewing Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission for viewing Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission for viewing Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission for viewing Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission for viewing Informer Role Owner | Informer
ViewInformer | Permission to view Informer Tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from approver view | My Work
ViewReject | Permission to reject request in the approver view | My Work
ViewRemoveAccess | Permission for viewing Remove Access Button on SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission for viewing Save Request Button on SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add to request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission for viewing SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission for viewing Submit Request Button on SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view Super Access Button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission for viewing UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRqustAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
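Section 6.2 says custom roles must be subsets of the administration role, and section 6.2.1 lists the delivered CUP roles. The following script is an added example (not SAP's code, and not part of the product) that copies those action lists from the tables above and checks a custom UME role against them; the HIGH_IMPACT_ACTIONS selection and the sample custom role are constructed for this example.

```python
"""Least-privilege check for custom CUP front-end roles.
Added example, not SAP code: the delivered CUP role action sets are copied from
the tables in section 6.2.1 so that a custom role can be checked against the
administration role, as section 6.2 asks. Only HIGH_IMPACT_ACTIONS and the
sample custom role at the bottom are constructed for this example.
"""

# Every action listed for the AEAdmin role in section 6.2.1.
AEADMIN_ACTIONS = frozenset("""
aewebqueryexecution ApproverDelegationByAdmin ArchivingRequest CreateMitigationControl
CreateSAPUser DeleteApprvDelegatorByAdmin DeleteRequestAction DeleteRequestSubmit
ManageRejectionsCancelGenerationAction ManageRejectionsGenerateAction ManageUARLoadDataTask
ModifyApproversConfiguration ModifyAttachmentFolder ModifyAttributeConfiguration
ModifyAuthenticationConfiguration ModifyBackgroundJobsConfiguration
ModifyChangeLogConfiguration ModifyConfigLDAPMappingAction ModifyConnectorsConfiguration
ModifyCustomFieldsConfiguration ModifyEnduserPersonalizationConfiguration
ModifyHRTriggersConfiguration ModifyInitialSystemDataConfiguration
ModifyMiscellaneousConfiguration ModifyMitigationConfiguration ModifyNumberRangeConfiguration
ModifyPasswordSelfServiceConfiguration ModifyProvisioningConfiguration
ModifyReaffirmsConfiguration ModifyRequestConfiguration ModifyRiskAnalysisConfiguration
ModifyRolesConfiguration ModifyServiceLevelConfiguration ModifySupportConfiguration
ModifyUserDefaultsConfiguration ModifyUserSearchDataSourceConfiguration
ModifyWorkflowConfiguration SearchChangeLog ViewAccessEnforcer ViewApprove
ViewApproverDelegation ViewAssignRolesProfiles ViewchangeCADApprover
ViewConfigApplicationLogAction ViewConfigSystemLogAction ViewConfiguration ViewCopyRequest
ViewCreateRequest ViewDelegationReportAction ViewForwardRequest ViewHold
ViewIfCancelRiskViolationDetails ViewIFChartAccessRequestAction
ViewIFChartAccessProvisioningAction ViewIFChartRiskViolationAction ViewIFChartServiceLevelAction
ViewIFReportViewAction ViewIFRequestByStructProfilesAction
ViewIFRequestConflictsMitigationAction ViewIFRequestRoleOwnerAction
ViewIFRequestServiceLevelAction ViewIfRiskViolationDetails ViewIFRoleOwnerAction ViewInformer
ViewManageRejectionReasons ViewManageRejections ViewMitigation ViewReaffirms ViewReject
ViewRemoveAccess ViewRequestsAdministration ViewRequstAuditTrails ViewReRoute
ViewRiskAnalysis ViewSaveRequest ViewSearchRequestAll ViewSelectPDProfiles ViewSelectRoles
ViewSODReviewHistoryReportAction ViewStaleRequests ViewSubmitRequest ViewSuperAccess
ViewUARReviewHistoryReportAction ViewUpgradeAction ViewUserReviewStatusReportAction
""".split())

# Delivered AESecurity and AEApprover roles, spelled exactly as the page lists them.
AESECURITY_ACTIONS = frozenset("""
CreateMitigationControl CreateSAPUser ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction ViewAccessEnforcer ViewApprove ViewApproverDelegation
ViewAssignRolesProfiles ViewCopyRequest ViewCreateRequest ViewForwardRequest ViewHold
ViewManageRejectionReasons ViewManageRejections ViewMitigation ViewReaffirms ViewReject
ViewRejectUsers ViewRemoveAccess ViewRqustAuditTrail ViewReRoute ViewRiskAnalysis
ViewSaveRequest ViewSearchRequestAll ViewSelectPDProfiles ViewSelectRoles
ViewSubmitRequest ViewUserReviewStatusReportAction
""".split())

AEAPPROVER_ACTIONS = frozenset("""
CreateMitigationControl ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction SeeSU01Fields ViewAccessEnforcer ViewApprove
ViewApproverDelegation ViewCopyRequest ViewCreateRequest ViewForwardRequest ViewHold
ViewManageRejectionReasons ViewManageRejections ViewMitigation ViewReaffirms ViewReject
ViewRejectUsers ViewRemoveAccess ViewRequstAuditTrail ViewReRoute ViewRiskAnalysis
ViewSaveRequest ViewSearchRequestAll ViewSelectPDProfiles ViewSelectRoles
ViewSubmitRequest ViewSuperAccess ViewUserReviewStatusReportAction
""".split())

# Constructed for this example: actions whose page description reaches into the
# back end or reconfigures CUP itself, so a custom role granting them needs an
# explicit justification.
HIGH_IMPACT_ACTIONS = frozenset({
    "CreateSAPUser",                      # provisions accounts in the back-end system
    "DeleteRequestAction",                # deletes requests
    "ModifyAuthenticationConfiguration",  # changes how CUP authenticates users
    "ModifyConnectorsConfiguration",      # changes back-end connectors
    "ViewSuperAccess",                    # exposes the Super Access button
})


def check_role(actions, admin=AEADMIN_ACTIONS, high_impact=HIGH_IMPACT_ACTIONS):
    """Return the actions not in the administration table and the high-impact ones.

    An action absent from the table is either a spelling variant (hand-typed from the
    PDF) or an action the delivered tables do not document; both need manual review
    before the role is imported into UME.
    """
    actions = frozenset(actions)
    return {"unknown": sorted(actions - admin),
            "high_impact": sorted(actions & high_impact)}


def role_difference(left, right):
    """Return (only in left, only in right) to compare two roles action by action."""
    left, right = frozenset(left), frozenset(right)
    return sorted(left - right), sorted(right - left)


if __name__ == "__main__":
    # Constructed custom role: a help-desk approver that was given two actions it
    # should not have, plus one action name that was mistyped.
    custom = ["ViewAccessEnforcer", "ViewApprove", "ViewCreateRequest",
              "CreateSAPUser", "ViewSuperAccess", "ViewRequestAuditTrail"]
    print("custom role:", check_role(custom))
    print("AESecurity:", check_role(AESECURITY_ACTIONS))
    print("AEApprover:", check_role(AEAPPROVER_ACTIONS))
    print("AESecurity vs AEApprover:", role_difference(AESECURITY_ACTIONS, AEAPPROVER_ACTIONS))
```

Run against the delivered roles themselves, the check flags SeeSU01Fields, ViewRejectUsers and the two audit-trail spellings as absent from the AEAdmin table, which is why roles should be imported from the support package rather than re-typed from this guide.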
622 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on This Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach Icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view/modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export Screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view TransactionImport in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.
REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSAS_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN
Action Name | Description | Appears on This Tab
--- | --- | ---
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab; assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
--- | ---
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>"
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options
 | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
Object | Definition | Authorization Field | Values
--- | --- | --- | ---
S_USER_AUT | User master maintenance: authorizations | ACTVT | 
 | | AUTH | 
 | | OBJECT | 
S_USER_GRP | User master maintenance: user groups | ACTVT | 
 | | CLASS | 
S_USER_PRO | User master maintenance: authorization profile | ACTVT | 
 | | PROFILE | 
S_USER_TCD | Authorizations: transactions in roles | TCD | =
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | 
 | | AUTH_VALUE | 
 | | OBJECT | 
S_DEVELOP | ABAP Workbench | ACTVT | MA
 | | DEVCLASS | VIRSA, SUSO
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP | 
PLOG | Personnel planning | INFOTYPE | 1000, 1001
 | | ISTAT | A, C, O, P, S, T, TS, US, WF, WS
 | | PLVAR | 
 | | PPFCODE | 
 | | SUBTYP | 

5.5.4 RFC Authorization Values for SPM
The Superuser Privilege Management RFC connector role requires the following objects and values.

Object | Definition | Authorization Field | Values
--- | --- | --- | ---
S_RFC | Authorization check for RFC access | ACTVT | 16
 | | RFC_NAME | VIRSAFF_UTIL_RPT, VIRSAZVFAT, BAPT, RFC1, SDIF, SDTX, SDIRUNTIME, SUSR, SUUS, SU_USER, SYST, SYSU
 | | RFC_TYPE | FUGR
S_DEVELOP | ABAP Workbench | ACTVT | 16
 | | DEVCLASS | VIRSA
 | | OBJNAME | VIRSA
 | | OBJTYPE | FUGR
 | | P_GROUP | 
GRCFF_0001 | User authorizations | ACTVT | 
GRCFF_0002 | Role authorizations | VIRSAFAT | 
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME (User Management Engine) to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.

6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.

6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
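The comparison this section asks for (a custom role measured against the delivered administration role and against the nearest delivered role) is easy to automate once the action names are in a machine-readable list. The following is an added example, not SAP code and not part of this guide: the two reference sets are copied from the VIRSA_CC_SECURITY_ADMIN and VIRSA_CC_REPORT tables for RAR in this guide, while the custom role under review and the PRIVILEGED_PREFIXES policy are constructed assumptions. It reports action names that are not in the reference list (UME accepts any string, so a misspelled action grants nothing and silently leaves the role broken), actions that change data rather than only view or run reports, and the difference to the baseline role.

```python
"""Least-privilege review of a custom GRC Access Control front-end (UME) role.

Added example, not SAP's code. Action names come from the delivered-role
tables in this guide; the custom role and the prefix policy are assumptions.
"""
from __future__ import annotations

# VIRSA_CC_SECURITY_ADMIN actions as listed in this guide (RAR capability).
# In a real review use the VIRSA_CC_ADMINISTRATOR list, which holds all actions.
RAR_SECURITY_ADMIN = frozenset("""
ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeOrgRules ChangeRisks ChangeRuleSet CreateBP
CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction
CreateOrgRules CreateRisks CreateRuleSet CreateSupplementRule DeleteAlert
DeleteBP DeleteBUnit DeleteCrActions DeleteCrProfiles DeleteCrRoles
DeleteFunction DeleteOrgRules DeleteRisks DeleteRuleSet
DeleteSupplementRule ExportMitigationData ExportRules GenerateAlert
ImportMitigationData ImportRules MassFuncMaint RunAuditReports
RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog
ViewBGJobsForAllUsers ViewConfiguration ViewInformer ViewMgmtReport
ViewMitigation ViewRuleArchitect
""".split())

# VIRSA_CC_REPORT, the delivered read-only role, as listed in this guide.
RAR_REPORT = frozenset("""
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor
ViewInformer ViewMgmtReport ViewMitigation
""".split())

# Policy (assumption): actions with these prefixes alter rules, mitigations
# or alerts and need an explicit justification in a custom role.
PRIVILEGED_PREFIXES = ("Change", "Create", "Delete", "Import", "Export",
                       "Generate", "Mass")


def unknown_actions(role: set[str], reference: frozenset[str]) -> list[str]:
    """Actions absent from the administrator list: typos or actions that
    belong to another capability. UME does not validate action names."""
    return sorted(role - reference)


def privileged_actions(role: set[str]) -> list[str]:
    """Actions that change data rather than only view or run reports."""
    return sorted(a for a in role if a.startswith(PRIVILEGED_PREFIXES))


def diff_roles(role: set[str], baseline: frozenset[str]) -> tuple[list[str], list[str]]:
    """(extra, missing) relative to the delivered role used as baseline."""
    return sorted(role - baseline), sorted(baseline - role)


def review_role(role: set[str], reference: frozenset[str],
                baseline: frozenset[str]) -> dict[str, list[str]]:
    """One report a reviewer can attach to the role change request."""
    extra, missing = diff_roles(role, baseline)
    return {
        "unknown": unknown_actions(role, reference),
        "privileged": privileged_actions(role),
        "extra_vs_baseline": extra,
        "missing_vs_baseline": missing,
    }


# Constructed custom role: intended as a reporting role, but it carries a
# delete action and one misspelled action name.
CUSTOM_REPORT_ROLE = {"RunRiskAnalysis", "ViewInformer", "ViewMgmtReport",
                      "DeleteRisks", "RunSecuirtyReports"}

if __name__ == "__main__":
    report = review_role(CUSTOM_REPORT_ROLE, RAR_SECURITY_ADMIN, RAR_REPORT)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The same functions apply unchanged to the CUP and ERM roles listed later in this chapter; only the reference and baseline sets change. Running the review again after importing a support package shows which actions the delivered roles gained or lost, which is the manual update step section 6.1 requires for custom roles.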
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.

AEAdmin
The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
--- | --- | ---
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation of the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests; only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel request generation for Manage Rejections (UAR and SOD) | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for Manage Rejections (UAR and SOD) | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Configuration tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve a request in the approver view | Configuration
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | | 
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request by Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRqustAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.

READMIN
The following table lists the actions for the role.

Action Name | Description | Appears on This Tab
--- | --- | ---
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance — Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance — Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance — Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles.

REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions for the role.
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
ClearAlert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to create a business unit Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
DeleteRisks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
ExportRules Permission to export rules Rule Architect
GenerateAlert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view the Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. Alert Monitor
ViewBgJobLog Permission to view the user's own background jobs Informer and Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer and Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for each of the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view the Connector Configuration Change Log report Change Log
InvalidUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary report Reports
ReasonActivityReport Permission to view the Reason Activity report Reports
SessionSummaryReport Permission to view the Session Summary report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup, restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example Arrows separating the parts of a navigation path, for example, menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com Textual cross-references to an internet address
/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note, for example, SAP Note 123456
Example Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example Cross-references to other documentation or published works
Example Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49 1805 34 34 34, F +49 1805 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following address: http://service.sap.com/securityguide
Object Definition Authorization Field Values
GRCFF_0002 Role authorizations VIRSAFAT
6 Delivered Front End Roles and Permissions
The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use the NetWeaver User Management Engine (UME) to set up the front-end roles and configure the permissions.
Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
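A worked check for the two rules above (take over support-package changes into custom roles; keep every custom role a subset of the administration role), written as an added example rather than SAP's own code. The action names come from the RAR tables in this guide; the support-package delta, the custom role Z_CC_AUDITOR, and the SENSITIVE list are constructed for this example.

```python
"""Review custom Access Control 5.3 front-end (UME) roles against the delivered
action sets.  Added example, not SAP code: action names are taken from the
guide's RAR tables; the support-package delta, the custom role and SENSITIVE
are constructed for this example."""
from dataclasses import dataclass

# VIRSA_CC_ADMINISTRATOR: a subset of the actions the guide lists for the
# administration role, which is the superset every custom RAR role must stay in.
CC_ADMINISTRATOR = frozenset({
    "ChangeAdmins", "ChangeBP", "ChangeBUnit", "ChangeMitCntl", "ChangeRisks",
    "ChangeRuleSet", "ClearAlert", "CreateRisks", "DeleteAlert", "DeleteRisks",
    "ExportRules", "GenerateAlert", "ImportRules", "ManageDeletionAllRules",
    "ManageDeletionSystemRules", "RunAuditReports", "RunRiskAnalysis",
    "RunSecurityReports", "ViewAlertMonitor", "ViewBgJobLog",
    "ViewBGJobsforAllUsers", "ViewConfiguration", "ViewInformer",
    "ViewMgmtReport", "ViewMitigation", "ViewRuleArchitect",
})
# VIRSA_CC_REPORT, complete as listed in the guide.
CC_REPORT = frozenset({
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
    "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
})
# Actions that should not sit in a non-administrator role without explicit
# sign-off: wholesale rule deletion, the whole Configuration tab, everyone's
# background jobs.  The selection is this example's judgement, not SAP's.
SENSITIVE = frozenset({
    "ManageDeletionAllRules", "ManageDeletionSystemRules",
    "ViewConfiguration", "ViewBGJobsforAllUsers",
})


@dataclass(frozen=True)
class RoleDelta:
    """What a support package changed in one delivered role (section 6.1)."""
    added: frozenset
    removed: frozenset


def support_package_delta(before, after):
    """Diff a delivered role's action set before and after a support package."""
    before, after = frozenset(before), frozenset(after)
    return RoleDelta(added=after - before, removed=before - after)


def apply_delta(custom_role, delta):
    """Manual update of a custom role cloned from a delivered one: take over
    the additions, drop the removals, keep everything else as it was."""
    return (frozenset(custom_role) | delta.added) - delta.removed


@dataclass(frozen=True)
class Finding:
    role: str
    unknown: frozenset    # not in the administration role: typo or wrong capability
    sensitive: frozenset  # present and needs explicit sign-off

    def ok(self):
        return not self.unknown and not self.sensitive


def review_custom_role(name, actions, admin_actions=CC_ADMINISTRATOR,
                       sensitive=SENSITIVE):
    """Section 6.2 check: a custom role must be a subset of the administration
    role, and sensitive actions are reported rather than silently accepted.
    An action name the application does not define maps to no permission, so
    a misspelling silently leaves the intended permission out."""
    actions = frozenset(actions)
    return Finding(role=name,
                   unknown=actions - frozenset(admin_actions),
                   sensitive=actions & frozenset(sensitive))


if __name__ == "__main__":
    # Constructed: a support package adds ViewBgJobLog to VIRSA_CC_REPORT.
    delta = support_package_delta(CC_REPORT, CC_REPORT | {"ViewBgJobLog"})
    # Constructed custom reporting role with one misspelling and one over-grant.
    z_cc_auditor = CC_REPORT | {"RunSecuirtyReports", "ViewConfiguration"}
    z_cc_auditor = apply_delta(z_cc_auditor, delta)
    print(delta)
    print(review_custom_role("Z_CC_AUDITOR", z_cc_auditor))
```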
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.
AEAdmin
The following are the actions for the AEAdmin role.
Action Name Description Appears on This Tab
aewebqueryexecution This is an internally used permission and is not associated with any functionality (Not displayed in a tab)
ApproverDelegationByAdmin Permission to view Approver Delegation in Request left navigation in Configuration tab Configuration
ArchivingRequest Permission for Archiving Request Configuration
CreateMitigationControl Permission to create mitigation control in approver view (Not displayed in a tab)
CreateSAPUser Permission to provision user account (create, delete, lock, unlock) in the back-end system in the approver view (Not displayed in a tab)
DeleteApprvDelegatorByAdmin Permission to delete the approver delegator pair from admin view Configuration
DeleteRequestAction Permission to delete requests Configuration
DeleteRequestSubmit Permission to submit delete requests, which is only available if Deleting Requests is assigned Configuration
ManageRejectionsCancelGenerationAction Permission to cancel generate requests for manage rejections for UAR and SOD Configuration
ManageRejectionsGenerateAction Permission to generate requests for manage rejections for UAR and SOD Configuration
ManageUARLoadDataTask Permission to access UAR Load Data Tasks in Config Tab Configuration
ModifyApproversConfiguration Permission to modify Approvers configuration Configuration
ModifyAttachmentFolder Permission for modifying Request Attachment Folder Configuration
ModifyAttributeConfiguration Permission for modifying Attribute Configuration Configuration
ModifyAuthenticationConfiguration Permission to modify Authentication Configuration Configuration
ModifyBackgroundJobsConfiguration Permission to modify Background Jobs Configuration Configuration
ModifyChangeLogConfiguration Permission to modify Change Log Configuration Configuration
ModifyConfigLDAPMappingAction Permission for modifying LDAP Mapping Configuration Configuration
ModifyConnectorsConfiguration Permission to modify Connectors Configuration Configuration
ModifyCustomFieldsConfiguration Permission to modify Custom Fields Configuration Configuration
ModifyEnduserPersonalizationConfiguration Permission to modify Enduser Personalization Configuration Configuration
ModifyHRTriggersConfiguration Permission to modify HR Triggers Configuration Configuration
ModifyInitialSystemDataConfiguration Permission to modify Initial Data Configuration Configuration
ModifyMiscellaneousConfiguration Permission to modify Miscellaneous Configuration Configuration
ModifyMitigationConfiguration Permission to modify Mitigation Configuration Configuration
ModifyNumberRangeConfiguration Permission to modify Number Range Configuration Configuration
ModifyPasswordSelfServiceConfiguration Permission to modify Password Self Service Configuration Configuration
ModifyProvisioningConfiguration Permission to modify Provisioning Configuration Configuration
ModifyReaffirmsConfiguration Permission to modify Reaffirms Configuration Configuration
ModifyRequestConfiguration Permission to modify Request Configuration Configuration
ModifyRiskAnalysisConfiguration Permission to modify Risk Analysis Configuration Configuration
ModifyRolesConfiguration Permission to modify Roles Configuration Configuration
ModifyServiceLevelConfiguration Permission to modify Service Level Configuration Configuration
ModifySupportConfiguration Permission to modify Support Configuration Configuration
ModifyUserDefaultsConfiguration Permission to modify User Defaults Configuration Configuration
ModifyUserSearchDataSourceConfiguration Permission to modify User Data Source Configuration Configuration
ModifyWorkflowConfiguration Permission to modify Workflow Configuration Configuration
SearchChangeLog Permission to search change log Configuration
ViewAccessEnforcer Permission to view Access Enforcer Tab Configuration
ViewApprove Permission to approve request in the approver view (Not displayed in a tab)
ViewApproverDelegation Permission to define delegate approver for self Configuration
ViewAssignRolesProfiles Permission to provision roles and profiles in the back-end system from the approver view Configuration
ViewchangeCADApprover (no description given in the source table) (Not displayed in a tab)
ViewConfigApplicationLogAction Permission to view the Application Log in Configuration Configuration
ViewConfigSystemLogAction Permission to view System Log in Configuration Configuration
ViewConfiguration Permission to view Configuration Tab Configuration
ViewCopyRequest Permission to copy request from approver view My Work
ViewCreateRequest Permission to create request from approver view My Work
ViewDelegationReportAction Permission to view Delegation Report Informer
ViewForwardRequest Permission to forward request from the approver view (Not displayed in a tab)
ViewHold Permission to put request on hold in the approver view (Not displayed in a tab)
ViewIfCancelRiskViolationDetails Permission to view Informer Cancel Risk Violation Details Informer
ViewIFChartAccessRequestAction Permission to view Informer Reports Access Request Chart View Informer
ViewIFChartAccessProvisioningAction Permission to view Informer Reports Provisioning Chart View Informer
ViewIFChartRiskViolationAction Permission to view Informer Reports Risk Violation Chart View Informer
ViewIFChartServiceLevelAction Permission to view Informer Reports Service Level Chart View Informer
ViewIFReportViewAction Permission to view Informer Report View Informer
ViewIFRequestByStructProfilesAction Permission for viewing Informer Request By Structural Profiles Informer
ViewIFRequestConflictsMitigationAction Permission for viewing Informer Request Conflicts and Mitigations Informer
ViewIFRequestRoleOwnerAction Permission for viewing Informer Request Role Owner Informer
ViewIFRequestServiceLevelAction Permission to view Informer Service Level Configuration
ViewIfRiskViolationDetails Permission for viewing Informer Risk Violation Details Informer
ViewIFRoleOwnerAction Permission for viewing Informer Role Owner Informer
ViewInformer Permission to view Informer Tab Informer
ViewManageRejectionReasons Permission to view manage rejection reasons Configuration
ViewManageRejections Permission to view manage rejections for UAR and SOD Configuration
ViewMitigation Permission to mitigate a risk from the risk analysis screen in the approver view Configuration
ViewReaffirms Permission to perform reaffirms from the approver view My Work
ViewReject Permission to reject request in the approver view My Work
ViewRemoveAccess Permission for viewing Remove Access Button on SOD Review page (Not displayed in a tab)
ViewRequestsAdministration Permission for Requests Administration Configuration
ViewRequstAuditTrails Permission to view request audit trail from the approver view (Not displayed in a tab)
ViewReRoute Permission to reroute request from the approver view (Not displayed in a tab)
ViewRiskAnalysis Permission to perform risk analysis from the approver view (Not displayed in a tab)
ViewSaveRequest Permission for viewing Save Request Button on SOD Review page (Not displayed in a tab)
ViewSearchRequestAll Permission to search for all requests from approver view (Not displayed in a tab)
ViewSelectPDProfiles Permission to select PD Profiles and add to request in the approver view (Not displayed in a tab)
ViewSelectRoles Permission to select roles and add to the request in the approver view (Not displayed in a tab)
ViewSODReviewHistoryReportAction Permission for viewing SOD Review Informer Report Informer
ViewStaleRequests Permission to enter stale request details in the request view (Not displayed in a tab)
ViewSubmitRequest Permission for viewing Submit Request Button on SOD Review page (Not displayed in a tab)
ViewSuperAccess Permission to view Super Access Button (Not displayed in a tab)
ViewUARReviewHistoryReportAction Permission for viewing UAR Review Informer Report Informer
ViewUpgradeAction Permission for Upgrade Configuration Informer
ViewUserReviewStatusReportAction Permission to view user review status for CUP Configuration
AESecurity and AEApprover
The following lists give the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do The READMIN role includes
all actions The other roles contain subsets of these actions
READMIN
The following table lists the actions for the role

Action Name | Value | Appears on this Tab
--- | --- | ---
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach Icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export Screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view TransactionImport in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of these roles

REBusinessUser
ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner
ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity
ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser
ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator
ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do The
VIRSA_CC_ADMINISTRATOR role includes all actions The other roles contain subsets of these
permissions
VIRSA_CC_ADMINISTRATOR
The following table lists the actions

Action Name | Value | Appears on This Tab
--- | --- | ---
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view Alert Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration Tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view Informer Tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation Tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect Tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles

VIRSA_CC_SECURITY_ADMIN
ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT
RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER
ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN

Action Name | Description | Appears on This Tab
--- | --- | ---
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view Connector Configuration Change Log Report | Change Log
InvalidUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com, under Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable
units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution and follow-up of an implementation. It also provides references to other documents, such
as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business scenarios, business processes and
implementable steps. It contains Customizing activities, transactions, and so on, as well as
documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring,
backup/restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
--- | ---
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
6 Delivered Front End Roles and Permissions
Access Control front end uses SAP NetWeaver Portal to connect to the server You use NetWeaver UME
to set up the front-end roles and configure the permissions
Each capability contains a set of delivered roles with recommended authorizations and actions
6.1 Updating Roles and Permissions from Support Packages
Support packages may include changes to the delivered roles, permissions and actions. To propagate
the changes to your system, you must install the support package and then do the following:
- If you are using the delivered roles, you must import the roles again.
- If you are using custom roles, you must manually update your roles with the new permissions and
actions.
6.2 Customizing the Front End Roles
The administration roles contain all the actions and authorizations All other roles contain a subset of
the authorizations When creating custom roles refer to the actions and values listed for the
administration roles in the following tables
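The two rules above (custom roles are subsets of the administration role's action list; after a support package, custom roles must be brought up to date by hand, see 6.1) can be checked mechanically against the tables in this chapter. The following script is an added example for this guide, not SAP code and not part of the delivered roles: it compares role action lists exported from UME with the documented catalogue and reports actions that are unknown, reserved for administrators, or out of step with the delivered role of the same name. The delivered action sets are transcribed from the RAR tables in 6.2.3 (VIRSA_CC_REPORT in full, VIRSA_CC_ADMINISTRATOR abbreviated), the custom role exports and the administrator-only list are constructed sample data, and the same check applies unchanged to the CUP and ERM tables.

```python
"""Compare custom UME front-end roles with the delivered role catalogue.

Added example, not SAP code. DELIVERED holds action sets as documented
in this guide; CUSTOM_ROLES is a constructed sample export. Replace both
with the role -> action lists exported from your own UME (assumption:
you can export them in this shape).
"""
from typing import Dict, Set

# Delivered RAR roles, transcribed from the tables in section 6.2.3
# (VIRSA_CC_ADMINISTRATOR abbreviated to the actions this example needs).
DELIVERED: Dict[str, Set[str]] = {
    "VIRSA_CC_ADMINISTRATOR": {
        "ChangeRisks", "ChangeRuleSet", "CreateRisks", "CreateRuleSet",
        "DeleteRisks", "DeleteRuleSet", "ManageDeletionAllRules",
        "ManageDeletionSystemRules", "RunAuditReports", "RunRiskAnalysis",
        "RunSecurityReports", "ViewAlertMonitor", "ViewBgJobLog",
        "ViewBGJobsForAllUsers", "ViewConfiguration", "ViewInformer",
        "ViewMgmtReport", "ViewMitigation", "ViewRuleArchitect",
    },
    "VIRSA_CC_REPORT": {
        "RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport", "ViewMitigation",
    },
}

# Actions this example policy keeps with the administrator role only.
# Assumption: an illustrative choice, not a list the guide prescribes.
ADMIN_ONLY: Set[str] = {
    "ManageDeletionAllRules", "ManageDeletionSystemRules", "ViewConfiguration",
}

# Constructed sample export: a stale copy of the delivered report role
# (one action misspelled, one missing) and a custom role that was also
# granted a configuration action.
CUSTOM_ROLES: Dict[str, Set[str]] = {
    "VIRSA_CC_REPORT": {
        "RunAuditReports", "RunRiskAnalysis", "RunSecuirtyReports",
        "ViewAlertMonitor", "ViewInformer", "ViewMitigation",
    },
    "Z_CC_RISK_OWNER": {
        "ChangeRisks", "CreateRisks", "RunRiskAnalysis",
        "ViewRuleArchitect", "ViewConfiguration",
    },
}


def check_role(role: str, actions: Set[str],
               baseline: str = "VIRSA_CC_ADMINISTRATOR") -> Dict[str, Set[str]]:
    """Return the deviations of one exported role from the documented catalogue.

    unknown    - actions absent from the administrator superset (typos, or
                 names changed by a support package; see section 6.1)
    admin_only - reserved actions held by a non-administrator role
    missing    - documented actions that a copy of a delivered role lacks
    extra      - actions that a copy of a delivered role has gained
    """
    superset = DELIVERED[baseline]
    report = {
        "unknown": actions - superset,
        "admin_only": set() if role == baseline else actions & ADMIN_ONLY,
        "missing": set(),
        "extra": set(),
    }
    documented = DELIVERED.get(role)
    if documented is not None:  # role carries a delivered role's name
        report["missing"] = documented - actions
        report["extra"] = actions - documented
    return report


def is_clean(report: Dict[str, Set[str]]) -> bool:
    """True when every finding category is empty."""
    return not any(report.values())


def audit(custom: Dict[str, Set[str]] = CUSTOM_ROLES) -> Dict[str, Dict[str, Set[str]]]:
    """Check every exported role; findings are keyed by role name."""
    return {role: check_role(role, actions) for role, actions in custom.items()}


if __name__ == "__main__":
    for role, report in audit().items():
        print(f"{role}: {'ok' if is_clean(report) else 'REVIEW'}")
        for kind, names in report.items():
            if names:
                print(f"  {kind}: {', '.join(sorted(names))}")
```

Run it after importing a support package or before transporting a custom role: an entry under "missing" is a delivered action the custom copy never received, an entry under "unknown" is a name the documented catalogue does not contain, and "admin_only" lists the actions that should move back to the administration role.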
6.2.1 Delivered Front End Roles and Permissions for CUP
Compliance User Provisioning includes the following delivered roles
AEADMIN
AESecurity
AEApprover
You assign different actions to a role to control what a user can see and do The AEADMIN role includes
all actions The other roles contain subsets of these permissions
AEAdmin
The following are actions for the AEAdmin role
Action Name Description Appears on This Tab
aewebqueryexecution This is an internally used permission and is not associated with any functionality
(Not displayed in a tab)
ApproverDelegationByAdmin Permission to view Approver Delegation in Request left navigation in Configuration tab
Configuration
ArchivingRequest Permission for Archiving Request Configuration
CreateMitigationControl Permission to create mitigation control in approver view
(Not displayed in a tab)
CreateSAPUser Permission to provision user account (create delete lock unlock) in the back-end system in the approver view
(Not displayed in a tab)
DeleteApprvDelegatorByAdmin Permission to delete the approver delegator pair from admin view
Configuration
DeleteRequestAction Permission to delete requests Configuration
DeleteRequestSubmit Permission to submit delete requests which is only available if Deleting Requests is assigned
Configuration
ManageRejectionsCancelGenerationAction Permission to cancel generate requests for manage rejections for UAR and SOD
Configuration
ManageRejectionsGenerateAction Permission to generate requests for manage rejections for UAR and SOD
Configuration
ManageUARLoadDataTask Permission to Access UAR Load Data Tasks in Config Tab
Configuration
ModifyApproversConfiguration Permission to modify Approvers configuration
Configuration
ModifyAttachmentFolder Permission for modifying Request Attachment Folder
Configuration
ModifyAttributeConfiguration Permission for modifying Attribute Configuration
Configuration
ModifyAuthenticationConfiguration Permission to modify Authentication Configuration
Configuration
ModifyBackgroundJobsConfiguration Permission to modify Background Jobs Configuration
Configuration
ModifyChangeLogConfiguration Permission to modify Change Log Configuration
Configuration
ModifyConfigLDAPMappingAction Permission for modifying LDAP Mapping Configuration
Configuration
ModifyConnectorsConfiguration Permission to modify Connectors Configuration
Configuration
ModifyCustomFieldsConfiguration Permission to modify Custom Fields Configuration
Configuration
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
3252 PUBLIC 2011-12-27
Action Name Description Appears on This Tab
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial System Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Search Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve a request in the approver view | Configuration
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | |
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view the Informer Reports Access Request chart view | Informer
ViewIFChartAccessProvisioningAction | Permission to view the Informer Reports Provisioning chart view | Informer
ViewIFChartRiskViolationAction | Permission to view the Informer Reports Risk Violation chart view | Informer
ViewIFChartServiceLevelAction | Permission to view the Informer Reports Service Level chart view | Informer
ViewIFReportViewAction | Permission to view the Informer Report view | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD profiles and add them to the request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to the request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view the user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles. Both are subsets of AEAdmin. The two lists differ in four actions: AESecurity carries the user-creation and provisioning actions CreateSAPUser and ViewAssignRolesProfiles, whereas AEApprover carries SeeSU01Fields and ViewSuperAccess instead. Keep that split in mind when building custom roles: an approver role that also provisions roles and profiles in the back end removes the separation the delivered roles provide.

AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists give the actions for the remaining roles.

REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Rule Architect
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer and Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer and Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action gives the user the ability to execute all actions within this tab, including ManageDeletionAllRules and ManageDeletionSystemRules above | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists give the actions for the remaining roles.

VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect

Note that VIRSA_CC_SECURITY_ADMIN carries ViewConfiguration, which the administrator table above describes as the ability to execute every action on the Configuration tab, including the rule-deletion actions. Treat it as an administrative role when assigning it, not as a rule-maintenance role.

VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation

VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com under Glossary, and in the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes, and in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49 18 0534 34 34, F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany. T +49 18 05 34 34 34, F +49 18 05 34 34 20, www.sap.com

© Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
6 Delivered Front End Roles and Permissions

The Access Control front end uses SAP NetWeaver Portal to connect to the server. You use NetWeaver UME to set up the front-end roles and configure the permissions. Each capability contains a set of delivered roles with recommended authorizations and actions.
6.1 Updating Roles and Permissions from Support Packages

Support packages may include changes to the delivered roles, permissions, and actions. To propagate the changes to your system, you must install the support package and then do the following:
If you are using the delivered roles, you must import the roles again.
If you are using custom roles, you must manually update your roles with the new permissions and actions.
6.2 Customizing the Front End Roles

The administration roles contain all the actions and authorizations. All other roles contain a subset of the authorizations. When creating custom roles, refer to the actions and values listed for the administration roles in the following tables.
6.2.1 Delivered Front End Roles and Permissions for CUP

Compliance User Provisioning includes the following delivered roles:
AEADMIN
AESecurity
AEApprover

You assign different actions to a role to control what a user can see and do. The AEADMIN role includes all actions. The other roles contain subsets of these permissions.

AEAdmin

The following are the actions for the AEAdmin role.
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation in the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel generate requests for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers configuration | Configuration
ModifyAttachmentFolder | Permission to modify the Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify User Defaults Configuration | Configuration
SearchChangeLog | Permission to modify Workflow Configuration | Configuration
ViewAccessEnforcer | Permission to search the change log | Configuration
ViewApprove | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApproverDelegation | Permission to approve a request in the approver view | Configuration
ViewAssignRolesProfiles | Permission to define a delegate approver for self | Configuration
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover

The following are the actions for the AESecurity and AEApprover delivered roles.

AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction

AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
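The subset rule of section 6.2 and the manual update step of section 6.1 can be checked mechanically before a custom UME role is transported. The following added example (not SAP's code) compares a constructed custom approver role against abbreviated excerpts of the AEADMIN and AEApprover action tables above; the custom role, the misspelled action ViewAprove, and the post-support-package AEADMIN set with the placeholder NewActionFromSP are assumptions made for illustration.

```python
"""Least-privilege checks for custom GRC Access Control 5.3 front-end roles.

Added example, not SAP code. Action names come from the CUP role tables in
this guide (abbreviated excerpts); the custom role, the misspelled action and
the post-support-package role are constructed for illustration.
"""
from typing import Dict, Iterable, Set, Tuple

# Excerpt of the delivered AEADMIN actions and the tab each appears on
# ("-" = not displayed in a tab), copied from the AEAdmin table.
AEADMIN_ACTIONS: Dict[str, str] = {
    "CreateSAPUser": "-",
    "DeleteRequestAction": "Configuration",
    "ModifyAuthenticationConfiguration": "Configuration",
    "ModifyWorkflowConfiguration": "Configuration",
    "SearchChangeLog": "Configuration",
    "ViewApprove": "-",
    "ViewCreateRequest": "My Work",
    "ViewReject": "My Work",
    "ViewRiskAnalysis": "-",
    "ViewSearchRequestAll": "-",
    "ViewSuperAccess": "-",
    "ViewUserReviewStatusReportAction": "Configuration",
}

# Excerpt of the delivered AEApprover actions (AESecurity/AEApprover table).
AEAPPROVER_ACTIONS: Set[str] = {
    "ViewApprove", "ViewCreateRequest", "ViewReject", "ViewRiskAnalysis",
    "ViewSearchRequestAll", "ViewSuperAccess",
    "ViewUserReviewStatusReportAction",
}


def unknown_actions(role: Set[str], admin: Dict[str, str]) -> Set[str]:
    """Actions the administration role does not contain.

    Section 6.2: the administration role holds all actions, so anything
    outside it is a typo or an action that no longer exists in this release.
    """
    return role - set(admin)


def actions_beyond_template(role: Set[str], template: Set[str]) -> Set[str]:
    """Actions a custom role has that the delivered role it was copied from
    does not. Each one widens the role and should be a deliberate decision."""
    return role - template


def configuration_tab_actions(role: Set[str], admin: Dict[str, str]) -> Set[str]:
    """Actions of the role that appear on the Configuration tab, i.e. the
    ones that let a user change how CUP itself behaves."""
    return {a for a in role if admin.get(a) == "Configuration"}


def support_package_delta(before: Iterable[str],
                          after: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) between two versions of a delivered role.

    Section 6.1: after a support package, custom roles are updated by hand;
    this is the list of actions to add and the list to drop.
    """
    before_set, after_set = set(before), set(after)
    return after_set - before_set, before_set - after_set


def review_role(role: Set[str], template: Set[str],
                admin: Dict[str, str]) -> Dict[str, Set[str]]:
    """Run all three checks on one custom role."""
    return {
        "unknown": unknown_actions(role, admin),
        "beyond_template": actions_beyond_template(role, template),
        "configuration_tab": configuration_tab_actions(role, admin),
    }


# Constructed custom approver role: AEApprover plus two Configuration-tab
# actions and one misspelled action ("ViewAprove").
CUSTOM_APPROVER: Set[str] = AEAPPROVER_ACTIONS | {
    "ModifyWorkflowConfiguration", "SearchChangeLog", "ViewAprove",
}

# Constructed AEADMIN after an imagined support package: one action dropped,
# one added. "NewActionFromSP" is a placeholder, not a real SP change.
AEADMIN_AFTER_SP: Set[str] = (
    set(AEADMIN_ACTIONS) - {"SearchChangeLog"}
) | {"NewActionFromSP"}

if __name__ == "__main__":
    for check, found in review_role(CUSTOM_APPROVER, AEAPPROVER_ACTIONS,
                                    AEADMIN_ACTIONS).items():
        print(f"{check}: {sorted(found)}")
    added, removed = support_package_delta(AEADMIN_ACTIONS, AEADMIN_AFTER_SP)
    print(f"add to custom roles: {sorted(added)}; "
          f"drop from custom roles: {sorted(removed)}")
```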
6.2.2 Delivered Front End Roles and Permissions for ERM

Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator

You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN

The following table lists the actions for the role.

Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator

The following lists the actions for each of these roles.

REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR

Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER

You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR

The following table lists the actions.

Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create business processes | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER

The following lists the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM

SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German
Target group
Relevant for all target groups
Current version
On SAP Help Portal at httphelpsapcom Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4552
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ndash SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
A Reference
A1 The Main SAP Documentation Types
4652 PUBLIC 2011-12-27
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
 | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides
6 Delivered Front End Roles and Permissions
6.2 Customizing the Front End Roles
Action Name | Description | Appears on This Tab
aewebqueryexecution | This is an internally used permission and is not associated with any functionality. | (Not displayed in a tab)
ApproverDelegationByAdmin | Permission to view Approver Delegation in the Request left navigation in the Configuration tab | Configuration
ArchivingRequest | Permission for Archiving Request | Configuration
CreateMitigationControl | Permission to create a mitigation control in the approver view | (Not displayed in a tab)
CreateSAPUser | Permission to provision a user account (create, delete, lock, unlock) in the back-end system in the approver view | (Not displayed in a tab)
DeleteApprvDelegatorByAdmin | Permission to delete the approver/delegator pair from the admin view | Configuration
DeleteRequestAction | Permission to delete requests | Configuration
DeleteRequestSubmit | Permission to submit delete requests, which is only available if Deleting Requests is assigned | Configuration
ManageRejectionsCancelGenerationAction | Permission to cancel request generation for manage rejections for UAR and SOD | Configuration
ManageRejectionsGenerateAction | Permission to generate requests for manage rejections for UAR and SOD | Configuration
ManageUARLoadDataTask | Permission to access UAR Load Data Tasks in the Config tab | Configuration
ModifyApproversConfiguration | Permission to modify Approvers Configuration | Configuration
ModifyAttachmentFolder | Permission to modify Request Attachment Folder | Configuration
ModifyAttributeConfiguration | Permission to modify Attribute Configuration | Configuration
ModifyAuthenticationConfiguration | Permission to modify Authentication Configuration | Configuration
ModifyBackgroundJobsConfiguration | Permission to modify Background Jobs Configuration | Configuration
ModifyChangeLogConfiguration | Permission to modify Change Log Configuration | Configuration
ModifyConfigLDAPMappingAction | Permission to modify LDAP Mapping Configuration | Configuration
ModifyConnectorsConfiguration | Permission to modify Connectors Configuration | Configuration
ModifyCustomFieldsConfiguration | Permission to modify Custom Fields Configuration | Configuration
ModifyEnduserPersonalizationConfiguration | Permission to modify Enduser Personalization Configuration | Configuration
ModifyHRTriggersConfiguration | Permission to modify HR Triggers Configuration | Configuration
ModifyInitialSystemDataConfiguration | Permission to modify Initial Data Configuration | Configuration
ModifyMiscellaneousConfiguration | Permission to modify Miscellaneous Configuration | Configuration
ModifyMitigationConfiguration | Permission to modify Mitigation Configuration | Configuration
ModifyNumberRangeConfiguration | Permission to modify Number Range Configuration | Configuration
ModifyPasswordSelfServiceConfiguration | Permission to modify Password Self Service Configuration | Configuration
ModifyProvisioningConfiguration | Permission to modify Provisioning Configuration | Configuration
ModifyReaffirmsConfiguration | Permission to modify Reaffirms Configuration | Configuration
ModifyRequestConfiguration | Permission to modify Request Configuration | Configuration
ModifyRiskAnalysisConfiguration | Permission to modify Risk Analysis Configuration | Configuration
ModifyRolesConfiguration | Permission to modify Roles Configuration | Configuration
ModifyServiceLevelConfiguration | Permission to modify Service Level Configuration | Configuration
ModifySupportConfiguration | Permission to modify Support Configuration | Configuration
ModifyUserDefaultsConfiguration | Permission to modify User Defaults Configuration | Configuration
ModifyUserSearchDataSourceConfiguration | Permission to modify User Data Source Configuration | Configuration
ModifyWorkflowConfiguration | Permission to modify Workflow Configuration | Configuration
SearchChangeLog | Permission to search the change log | Configuration
ViewAccessEnforcer | Permission to view the Access Enforcer tab | (Not displayed in a tab)
ViewApprove | Permission to approve a request in the approver view | Configuration
ViewApproverDelegation | Permission to define a delegate approver for self | Configuration
ViewAssignRolesProfiles | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewchangeCADApprover | (description not given) | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view manage rejection reasons | Configuration
ViewManageRejections | Permission to view manage rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission for reaffirms from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer Report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer Report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following are the actions for the AESecurity and AEApprover delivered roles.
AESecurity: CreateMitigationControl, CreateSAPUser, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewAssignRolesProfiles, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewUserReviewStatusReportAction
AEApprover: CreateMitigationControl, ManageRejectionsCancelGenerationAction, ManageRejectionsGenerateAction, SeeSU01Fields, ViewAccessEnforcer, ViewApprove, ViewApproverDelegation, ViewCopyRequest, ViewCreateRequest, ViewForwardRequest, ViewHold, ViewManageRejectionReasons, ViewManageRejections, ViewMitigation, ViewReaffirms, ViewReject, ViewRejectUsers, ViewRemoveAccess, ViewRequstAuditTrail, ViewReRoute, ViewRiskAnalysis, ViewSaveRequest, ViewSearchRequestAll, ViewSelectPDProfiles, ViewSelectRoles, ViewSubmitRequest, ViewSuperAccess, ViewUserReviewStatusReportAction
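As an added example (not part of this guide and not SAP code), a small Python helper for reviewing a customized CUP front-end role against the two delivered roles listed above: it reports the actions that differ between AESecurity and AEApprover, the actions a custom role grants beyond a delivered one, and flags a role that both decides requests and provisions into the back-end. The action lists are copied from the table above; the grouping of actions into "approval" and "back-end changing" is an assumption derived from the action descriptions earlier in this section.

```python
"""Least-privilege review of CUP front-end (UME) role action sets.

Added example, not SAP code. The two delivered action lists are copied from
the AESecurity / AEApprover table above; grouping actions as "approval" or
"back-end changing" is this reviewer's assumption, taken from the action
descriptions earlier in this section.
"""
from __future__ import annotations

from typing import Iterable

# Actions present in both delivered roles (from the table above).
_COMMON_ACTIONS = frozenset({
    "CreateMitigationControl", "ManageRejectionsCancelGenerationAction",
    "ManageRejectionsGenerateAction", "ViewAccessEnforcer", "ViewApprove",
    "ViewApproverDelegation", "ViewCopyRequest", "ViewCreateRequest",
    "ViewForwardRequest", "ViewHold", "ViewManageRejectionReasons",
    "ViewManageRejections", "ViewMitigation", "ViewReaffirms", "ViewReject",
    "ViewRejectUsers", "ViewRemoveAccess", "ViewRequstAuditTrail",
    "ViewReRoute", "ViewRiskAnalysis", "ViewSaveRequest",
    "ViewSearchRequestAll", "ViewSelectPDProfiles", "ViewSelectRoles",
    "ViewSubmitRequest", "ViewUserReviewStatusReportAction",
})

DELIVERED_ROLES: dict[str, frozenset[str]] = {
    "AESecurity": _COMMON_ACTIONS | {"CreateSAPUser", "ViewAssignRolesProfiles"},
    "AEApprover": _COMMON_ACTIONS | {"SeeSU01Fields", "ViewSuperAccess"},
}

# Assumption: actions whose description says they provision into the
# connected back-end system (user accounts; roles and profiles).
BACKEND_WRITE_ACTIONS = frozenset({"CreateSAPUser", "ViewAssignRolesProfiles"})
# Assumption: actions that decide the outcome of an access request.
APPROVAL_ACTIONS = frozenset({"ViewApprove", "ViewReject"})


def diff_roles(left: Iterable[str], right: Iterable[str]) -> tuple[set[str], set[str]]:
    """Return (actions only in left, actions only in right)."""
    l, r = set(left), set(right)
    return l - r, r - l


def excess_over_delivered(actions: Iterable[str], delivered_name: str) -> set[str]:
    """Actions a custom role grants beyond the named delivered role."""
    return set(actions) - DELIVERED_ROLES[delivered_name]


def review_role(role_name: str, actions: Iterable[str]) -> list[str]:
    """Findings a reviewer would raise for one role's action set."""
    granted = set(actions)
    findings: list[str] = []
    writes = granted & BACKEND_WRITE_ACTIONS
    approves = granted & APPROVAL_ACTIONS
    if writes and approves:
        # One role both decides requests and provisions the result.
        findings.append(
            f"{role_name}: combines request approval "
            f"({', '.join(sorted(approves))}) with back-end provisioning "
            f"({', '.join(sorted(writes))})"
        )
    known = frozenset().union(*DELIVERED_ROLES.values())
    unknown = granted - known
    if unknown:
        # Anything outside both delivered roles needs a justification.
        findings.append(
            f"{role_name}: actions outside both delivered roles: "
            f"{', '.join(sorted(unknown))}"
        )
    return findings


if __name__ == "__main__":
    only_sec, only_appr = diff_roles(
        DELIVERED_ROLES["AESecurity"], DELIVERED_ROLES["AEApprover"]
    )
    print("AESecurity only:", sorted(only_sec))
    print("AEApprover only:", sorted(only_appr))
    # Constructed custom role for illustration (not from the guide).
    custom = {"ViewApprove", "ViewReject", "CreateSAPUser",
              "ModifyWorkflowConfiguration"}
    print("Beyond AEApprover:", sorted(excess_over_delivered(custom, "AEApprover")))
    for finding in review_role("Z_CUP_HELPDESK", custom):
        print(finding)
```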
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on this Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view or modify a Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import/Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following lists the actions for each of the roles.
REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser: ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of the roles.
VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log Report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary Report | Reports
ReasonActivityReport | Permission to view the Reason Activity Report | Reports
SessionSummaryReport | Permission to view the Session Summary Report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD Report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German
Target group
Relevant for all target groups
Current version
On SAP Help Portal at httphelpsapcom Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations.
Current version: in SAP Solution Manager.

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades.
Current version: in the SAP menu of the SAP system under Tools → Customizing → IMG.
Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.
Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help → Release Notes (only ABAP developments).
Typographic Conventions

| Example | Description |
| --- | --- |
| <Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>". |
| Example → Example | Arrows separating the parts of a navigation path, for example, menu options. |
| Example | Emphasized words or expressions. |
| Example | Words or characters that you enter in the system exactly as they appear in the documentation. |
| http://www.sap.com | Textual cross-references to an internet address. |
| /example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web. |
| 123456 | Hyperlink to an SAP Note, for example, SAP Note 123456. |
| Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works. |
| Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| EXAMPLE | Keys on the keyboard. |
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace

You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
DeleteOrgRules ViewRuleArchitect
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecuirtyReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
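An added example, not code from the SAP guide, of how a reviewer can check customised copies of these RAR roles against the delivered action sets: it encodes the VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER and VIRSA_CC_SECURITY_ADMIN lists above, flags actions beyond the template role, flags the Configuration-tab mass-deletion actions that the tables assign only to VIRSA_CC_ADMINISTRATOR, and flags a role that merges the Rule Architect maintenance actions with the Mitigation maintenance actions, which the delivered roles keep apart. The role export it audits is a constructed sample; the role names Z_CC_* are assumed.

```python
"""Audit customised RAR front-end roles against the delivered baseline.

Added example for section 6.2.3 of this guide, not SAP code. The action names
are transcribed from the guide's role tables; the "exported" roles audited at
the bottom are constructed samples, not data from a real UME system.
"""

CRUD = ("Create", "Change", "Delete")


def _crud(objects):
    """Expand object names into their Create/Change/Delete action names."""
    return {verb + obj for verb in CRUD for obj in objects}


# Rule Architect tab: maintenance of the risk rule set, as in the
# VIRSA_CC_ADMINISTRATOR table (ChangeSupplementRole is spelled as in the guide).
RULE_OBJECTS = ("BP", "CrActions", "CrProfiles", "CrRoles", "Function",
                "OrgRules", "Risks", "RuleSet")
RULE_MAINT = _crud(RULE_OBJECTS) | {
    "CreateSupplementRule", "ChangeSupplementRole", "DeleteSupplementRule",
    "ExportRules", "ImportRules", "MassFuncMaint"}

# Mitigation tab: maintenance of mitigating controls and their assignments
# (DeleteMitHRsObject is spelled as in the guide).
MIT_MAINT = _crud(("MitCntl", "MitProfile", "MitRole", "MitUser")) | {
    "CreateMitHRObject", "ChangeMitHRObject", "DeleteMitHRsObject"}

# Configuration tab actions that delete rules or systems wholesale; the tables
# list them only for VIRSA_CC_ADMINISTRATOR.
CONFIG_DELETION = {"ManageDeletionAllRules", "ManageDeletionSystemRules"}

# The seven read-only actions that make up VIRSA_CC_REPORT.
REPORTING = {"RunAuditReports", "RunRiskAnalysis", "RunSecurityReports",
             "ViewAlertMonitor", "ViewInformer", "ViewMgmtReport",
             "ViewMitigation"}

# Delivered roles from the guide: REPORT is read-only, BUSINESS_OWNER maintains
# mitigations, SECURITY_ADMIN maintains rules and alerts but no mitigations.
DELIVERED = {
    "VIRSA_CC_REPORT": set(REPORTING),
    "VIRSA_CC_BUSINESS_OWNER": REPORTING | MIT_MAINT | _crud(("BUnit",))
    | {"ViewRuleArchitect"},
    "VIRSA_CC_SECURITY_ADMIN": REPORTING | _crud(RULE_OBJECTS) | {
        "CreateSupplementRule", "DeleteSupplementRule", "ChangeBUnit",
        "DeleteBUnit", "DeleteAlert", "GenerateAlert", "ExportMitigationData",
        "ExportRules", "ImportMitigationData", "ImportRules", "MassFuncMaint",
        "ViewBgJobLog", "ViewBGJobsForAllUsers", "ViewConfiguration",
        "ViewRuleArchitect"},
}


def audit_role(name, assigned, template):
    """Compare one exported role against the delivered role it was cloned from.

    Returns a list of finding strings; an empty list means the role stays
    within its template and within the delivered separation of duties.
    """
    assigned = set(assigned)
    findings = []
    extra = sorted(assigned - DELIVERED[template])
    if extra:
        findings.append(f"{name}: actions beyond {template}: {', '.join(extra)}")
    if assigned & RULE_MAINT and assigned & MIT_MAINT:
        findings.append(f"{name}: maintains both risk rules and mitigating "
                        "controls, which the delivered roles keep apart")
    wipe = sorted(assigned & CONFIG_DELETION)
    if wipe:
        findings.append(f"{name}: mass-deletion actions delivered only in "
                        f"VIRSA_CC_ADMINISTRATOR: {', '.join(wipe)}")
    return findings


def audit_export(export, template_of):
    """Audit every role in an export; returns {role name: [findings]}."""
    return {role: audit_role(role, acts, template_of[role])
            for role, acts in export.items()}


# Constructed sample export (hypothetical Z_CC_* roles): one clean clone, one
# report role that grew extra rights, and one role that merges security admin
# and business owner.
SAMPLE_EXPORT = {
    "Z_CC_REPORT_OK": DELIVERED["VIRSA_CC_REPORT"] - {"ViewMitigation"},
    "Z_CC_REPORT": DELIVERED["VIRSA_CC_REPORT"]
    | {"ChangeRisks", "ManageDeletionAllRules"},
    "Z_CC_OWNER": DELIVERED["VIRSA_CC_BUSINESS_OWNER"]
    | DELIVERED["VIRSA_CC_SECURITY_ADMIN"],
}
TEMPLATE_OF = {"Z_CC_REPORT_OK": "VIRSA_CC_REPORT",
               "Z_CC_REPORT": "VIRSA_CC_REPORT",
               "Z_CC_OWNER": "VIRSA_CC_BUSINESS_OWNER"}

if __name__ == "__main__":
    for role, found in audit_export(SAMPLE_EXPORT, TEMPLATE_OF).items():
        print(role, "OK" if not found else "")
        for finding in found:
            print("  -", finding)
```

The same subset check applies to the ERM roles in section 6.2.2, whose READMIN role likewise holds every action and whose other roles hold subsets.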
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com under Glossary; in the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents such as installation guides, the technical infrastructure guide and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>"
Example > Example | Arrows separating the parts of a navigation path, for example menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths; names of variables and parameters; and names of installation, upgrade and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
Action Name | Description | Appears on This Tab
ViewchangeCADApprover | Permission to provision roles and profiles in the back-end system from the approver view | (Not displayed in a tab)
ViewConfigApplicationLogAction | Permission to view the Application Log in Configuration | Configuration
ViewConfigSystemLogAction | Permission to view the System Log in Configuration | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewCopyRequest | Permission to copy a request from the approver view | My Work
ViewCreateRequest | Permission to create a request from the approver view | My Work
ViewDelegationReportAction | Permission to view the Delegation Report | Informer
ViewForwardRequest | Permission to forward a request from the approver view | (Not displayed in a tab)
ViewHold | Permission to put a request on hold in the approver view | (Not displayed in a tab)
ViewIfCancelRiskViolationDetails | Permission to view Informer Cancel Risk Violation Details | Informer
ViewIFChartAccessRequestAction | Permission to view Informer Reports Access Request Chart View | Informer
ViewIFChartAccessProvisioningAction | Permission to view Informer Reports Provisioning Chart View | Informer
ViewIFChartRiskViolationAction | Permission to view Informer Reports Risk Violation Chart View | Informer
ViewIFChartServiceLevelAction | Permission to view Informer Reports Service Level Chart View | Informer
ViewIFReportViewAction | Permission to view Informer Report View | Informer
ViewIFRequestByStructProfilesAction | Permission to view Informer Request By Structural Profiles | Informer
ViewIFRequestConflictsMitigationAction | Permission to view Informer Request Conflicts and Mitigations | Informer
ViewIFRequestRoleOwnerAction | Permission to view Informer Request Role Owner | Informer
ViewIFRequestServiceLevelAction | Permission to view Informer Service Level | Configuration
ViewIfRiskViolationDetails | Permission to view Informer Risk Violation Details | Informer
ViewIFRoleOwnerAction | Permission to view Informer Role Owner | Informer
ViewInformer | Permission to view the Informer tab | Informer
ViewManageRejectionReasons | Permission to view Manage Rejection Reasons | Configuration
ViewManageRejections | Permission to view Manage Rejections for UAR and SOD | Configuration
ViewMitigation | Permission to mitigate a risk from the risk analysis screen in the approver view | Configuration
ViewReaffirms | Permission to reaffirm from the approver view | My Work
ViewReject | Permission to reject a request in the approver view | My Work
ViewRemoveAccess | Permission to view the Remove Access button on the SOD Review page | (Not displayed in a tab)
ViewRequestsAdministration | Permission for Requests Administration | Configuration
ViewRequstAuditTrails | Permission to view the request audit trail from the approver view | (Not displayed in a tab)
ViewReRoute | Permission to reroute a request from the approver view | (Not displayed in a tab)
ViewRiskAnalysis | Permission to perform risk analysis from the approver view | (Not displayed in a tab)
ViewSaveRequest | Permission to view the Save Request button on the SOD Review page | (Not displayed in a tab)
ViewSearchRequestAll | Permission to search for all requests from the approver view | (Not displayed in a tab)
ViewSelectPDProfiles | Permission to select PD Profiles and add them to a request in the approver view | (Not displayed in a tab)
ViewSelectRoles | Permission to select roles and add them to a request in the approver view | (Not displayed in a tab)
ViewSODReviewHistoryReportAction | Permission to view the SOD Review Informer report | Informer
ViewStaleRequests | Permission to enter stale request details in the request view | (Not displayed in a tab)
ViewSubmitRequest | Permission to view the Submit Request button on the SOD Review page | (Not displayed in a tab)
ViewSuperAccess | Permission to view the Super Access button | (Not displayed in a tab)
ViewUARReviewHistoryReportAction | Permission to view the UAR Review Informer report | Informer
ViewUpgradeAction | Permission for Upgrade Configuration | Informer
ViewUserReviewStatusReportAction | Permission to view user review status for CUP | Configuration
AESecurity and AEApprover
The following lists give the actions for the AESecurity and AEApprover delivered roles.

AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction

AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Description | Appears on This Tab
ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage the cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view and modify a role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view the Configuration tab | Configuration
ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete a role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to generate a role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab | Informer
ViewInitialSystemData | Permission to view Initial System Data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to manage Mass Maintenance - Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance - Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to manage Mass Maintenance - Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to mitigate a risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view the Objects by Transaction screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform risk analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view the Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration
ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser and REConfigurator
The following lists give the actions for each of these roles.

REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage

RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage

REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Description | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER
The following lists the actions for each of these roles.
VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
6 Delivered Front End Roles and Permissions
6.2 Customizing the Front End Roles
2011-12-27 PUBLIC 41/52
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogReport Permission to view the Connector Configuration Change Log report Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the Log Summary report Reports
ReasonActivityReport Permission to view the Reason Activity report Reports
SessionSummaryReport Permission to view the Session Summary report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report Reports
SODReport Permission to view the SOD report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution and follow-up of an implementation. It also provides references to other documents such as installation guides, the technical infrastructure guide and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes and implementable steps. It contains Customizing activities, transactions and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution and follow-up of an upgrade. It also refers to other documents such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example "Enter your <User Name>".
Example > Example Arrows separating the parts of a navigation path, for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note, for example SAP Note 123456
Example Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names and menu options.
Cross-references to other documentation or published works
Example Output on the screen following a user action, for example messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade and database tools
EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names and key concepts of a programming language when they are surrounded by body text, for example SELECT and INCLUDE.
EXAMPLE Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 0534 34 34
F +49 18 0534 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1 and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following address: https://service.sap.com/securityguide (see also http://service.sap.com/instguides)
Action Name Description Appears on This Tab
ViewManageRejections Permission to view and manage rejections for UAR and SOD Configuration
ViewMitigation Permission to mitigate a risk from the risk analysis screen in the approver view Configuration
ViewReaffirms Permission to reaffirm from the approver view My Work
ViewReject Permission to reject a request in the approver view My Work
ViewRemoveAccess Permission for viewing the Remove Access button on the SOD Review page (Not displayed in a tab)
ViewRequestsAdministration Permission for Requests Administration Configuration
ViewRequstAuditTrails Permission to view the request audit trail from the approver view (Not displayed in a tab)
ViewReRoute Permission to reroute a request from the approver view (Not displayed in a tab)
ViewRiskAnalysis Permission to perform risk analysis from the approver view (Not displayed in a tab)
ViewSaveRequest Permission for viewing the Save Request button on the SOD Review page (Not displayed in a tab)
ViewSearchRequestAll Permission to search for all requests from the approver view (Not displayed in a tab)
ViewSelectPDProfiles Permission to select PD Profiles and add them to a request in the approver view (Not displayed in a tab)
ViewSelectRoles Permission to select roles and add them to a request in the approver view (Not displayed in a tab)
ViewSODReviewHistoryReportAction Permission for viewing the SOD Review Informer report Informer
ViewStaleRequests Permission to enter stale request details in the request view (Not displayed in a tab)
ViewSubmitRequest Permission for viewing the Submit Request button on the SOD Review page (Not displayed in a tab)
ViewSuperAccess Permission to view the Super Access button (Not displayed in a tab)
ViewUARReviewHistoryReportAction Permission for viewing the UAR Review Informer report Informer
ViewUpgradeAction Permission for Upgrade Configuration Informer
ViewUserReviewStatusReportAction Permission to view user review status for CUP Configuration
AESecurity and AEApprover
The following lists the actions for the AESecurity and AEApprover delivered roles.
AESecurity
CreateMitigationControl
CreateSAPUser
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewAssignRolesProfiles
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewUserReviewStatusReportAction
AEApprover
CreateMitigationControl
ManageRejectionsCancelGenerationAction
ManageRejectionsGenerateAction
SeeSU01Fields
ViewAccessEnforcer
ViewApprove
ViewApproverDelegation
ViewCopyRequest
ViewCreateRequest
ViewForwardRequest
ViewHold
ViewManageRejectionReasons
ViewManageRejections
ViewMitigation
ViewReaffirms
ViewReject
ViewRejectUsers
ViewRemoveAccess
ViewRequstAuditTrail
ViewReRoute
ViewRiskAnalysis
ViewSaveRequest
ViewSearchRequestAll
ViewSelectPDProfiles
ViewSelectRoles
ViewSubmitRequest
ViewSuperAccess
ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name Value Appears on this Tab
ApplyToExistingRoles Permission to view the Apply to Existing Roles button on Methodology Process Update Configuration
ManageCache Permission to manage cache Configuration
ViewApprovalCriteria Permission to view Approval Criteria Configuration
ViewAttachmentToRoleDef Permission to view the Attach icon in Role Maintenance (Not displayed on a tab)
ViewAuthorizationData Permission to view Authorization data (Not displayed on a tab)
ViewBackgroundJobs Permission to view Background Jobs Configuration
ViewBusinessProcess Permission to view Business Process Configuration
ViewChangeHistory Permission to view Change History Role Management
ViewChangeRole Permission to view and modify a Role Role Management
ViewChangeRoleApprovers Permission to add or update role approvers Role Management
ViewCompareRoles Permission to compare Roles Role Management
ViewConditionGroups Permission to view Condition Groups Configuration
ViewConfiguration Permission to view the Configuration tab Configuration
ViewConfigurationSettingsImport Permission to view the Configuration Settings Import-Export screen Configuration
ViewCreateRole Permission to view Create Role Role Management
ViewCustomFields Permission to view Custom Fields Configuration
ViewDeleteRole Permission to delete a Role (Not displayed on a tab)
ViewDerivedRoles Permission to view Derived Roles (Not displayed on a tab)
ViewFunctionalArea Permission to view Functional Area Configuration
ViewGenerateRole Permission to Generate a Role Configuration
ViewInformer Permission to view all reports. There are no configurable actions for this tab. Informer
ViewInitialSystemData Permission to view Initial System data Role Management
ViewMassMaintenance Permission to perform Role Mass Maintenance Role Management
ViewMassMaintGenerate Permission to manage Mass Maintenance - Generate Role Management
ViewMassMaintRiskAnalysis Permission to manage Mass Maintenance - Risk Analysis Role Management
ViewMassMaintUpdate Permission to manage Mass Maintenance - Update Role Management
ViewMassRoleImport Permission to view Mass Role Import Configuration
ViewMethodology Permission to view Methodology Configuration
ViewMigration Permission to view RE Migration Configuration
ViewMiscellaneousConfiguration Permission to view Miscellaneous Configuration Configuration
ViewMitigateRisks Permission to Mitigate Risk (Not displayed on a tab)
ViewNamingConvention Permission to view Naming Convention Configuration
ViewObjectsByClass Permission to view and modify the Objects by Class screen (Not displayed on a tab)
ViewObjectsByTransaction Permission to view the Objects by Transactions screen (Not displayed on a tab)
ViewOpenSQLTest Permission to view the OpenSQL test screen (Not displayed on a tab)
ViewOrgValueMapping Permission to view Org Value Mapping Configuration
ViewProcessMapping Permission to view Process mapping Configuration
ViewProjectRelease Permission to view Project Release Configuration
ViewRiskAnalysis Permission to perform Risk Analysis (Not displayed on a tab)
ViewRoleApproval Permission to view the Approval button in Role Maintenance (Not displayed on a tab)
ViewRoleDesigner Permission to view Role Designer (Not displayed on a tab)
ViewRoleExpert Permission to view the Role Expert tab Role Management
ViewRoleLibrary Permission to view Role Library Role Management
ViewRoleLocking Permission to view Role Locking in the Configuration tab Configuration
ViewRoleStatus Permission to view Role Status in the Configuration tab Configuration
ViewRoleUsage Permission to view the Role Usage Synchronization screen Configuration
ViewSearchRoles Permission to search Roles Role Management
ViewSubProcess Permission to view Sub Process Configuration
ViewSystemLandscape Permission to view System Landscape Configuration
ViewSystemLogs Permission to view System Logs Configuration
ViewTestResults Permission to view Test Results Configuration
ViewTransactionImport Permission to view Transaction Import in the Configuration tab Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser and REConfigurator
The following lists the actions for each of these roles.
REBusinessUser
ViewChangeHistory
ViewCompareRoles
ViewInformer
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTransactionUsage
RERoleDesigner
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESecurity
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
RESuperUser
ViewAttachmenttoRoleDef
ViewAuthorizationData
ViewBackgroundJobs
ViewChangeHistory
ViewChangeRole
ViewChangeRoleApprovers
ViewCompareRoles
ViewConfiguration
ViewCreateRole
ViewDeleteRole
ViewDerivedRoles
ViewGenerateRoles
ViewInformer
ViewMassMaintGenerate
ViewMassMaintenance
ViewMassMaintRiskAnalysis
ViewMassMaintUpdate
ViewMitigateRisks
ViewObjectsbyClass
ViewObjectsbyTransaction
ViewRiskAnalysis
ViewRoleApproval
ViewRoleExpert
ViewRoleLibrary
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
REConfigurator
ManageCache
ViewApprovalCriteria
ViewBackgroundJobs
ViewBusinessProcess
ViewConditionGroups
ViewConfiguration
ViewConfigurationSettingsImport
ViewCustomFields
ViewFunctionalArea
ViewInitialSystemData
ViewMassRoleImport
ViewMethodology
ViewMigration
ViewMiscellaneousConfiguration
ViewNamingConvention
ViewOrgValueMapping
ViewProcessMapping
ViewProjectRelease
ViewRoleExpert
ViewRoleLibrary
ViewRoleStatus
ViewSubProcess
ViewSystemLandscape
ViewSystemLogs
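As an added example (not code from the SAP guide), the following Python script transcribes the ERM role tables above and checks the guide's statement that READMIN contains every action of the other roles, then computes the effective action set of a user who holds several roles; the watch list of high-impact actions is the reviewer's own choice, not something the guide defines.

```python
"""Audit helper for GRC front-end (UME) role definitions.

Added example, not part of the SAP guide. The role-to-action data below is
transcribed from the ERM tables in section 6.2.2 of this guide, which states
that READMIN contains all actions and that the other roles are subsets of it.
"""
from typing import Dict, Iterable, List, Set


def parse_actions(text: str) -> Set[str]:
    """Split a whitespace-separated list of UME action names into a set."""
    return set(text.split())


# Delivered ERM roles and their actions, as listed in the guide's tables.
ROLES: Dict[str, Set[str]] = {
    "READMIN": parse_actions("""
        ApplyToExistingRoles ManageCache ViewApprovalCriteria ViewAttachmentToRoleDef
        ViewAuthorizationData ViewBackgroundJobs ViewBusinessProcess ViewChangeHistory
        ViewChangeRole ViewChangeRoleApprovers ViewCompareRoles ViewConditionGroups
        ViewConfiguration ViewConfigurationSettingsImport ViewCreateRole ViewCustomFields
        ViewDeleteRole ViewDerivedRoles ViewFunctionalArea ViewGenerateRole ViewInformer
        ViewInitialSystemData ViewMassMaintenance ViewMassMaintGenerate ViewMassMaintRiskAnalysis
        ViewMassMaintUpdate ViewMassRoleImport ViewMethodology ViewMigration
        ViewMiscellaneousConfiguration ViewMitigateRisks ViewNamingConvention ViewObjectsByClass
        ViewObjectsByTransaction ViewOpenSQLTest ViewOrgValueMapping ViewProcessMapping
        ViewProjectRelease ViewRiskAnalysis ViewRoleApproval ViewRoleDesigner ViewRoleExpert
        ViewRoleLibrary ViewRoleLocking ViewRoleStatus ViewRoleUsage ViewSearchRoles
        ViewSubProcess ViewSystemLandscape ViewSystemLogs ViewTestResults ViewTransactionImport"""),
    "REBusinessUser": parse_actions("""
        ViewChangeHistory ViewCompareRoles ViewInformer ViewRoleExpert ViewRoleLibrary
        ViewSearchRoles ViewTransactionUsage"""),
    "RERoleDesigner": parse_actions("""
        ViewAttachmenttoRoleDef ViewAuthorizationData ViewBackgroundJobs ViewChangeHistory
        ViewChangeRole ViewChangeRoleApprovers ViewCompareRoles ViewConfiguration ViewCreateRole
        ViewDeleteRole ViewDerivedRoles ViewGenerateRoles ViewInformer ViewMitigateRisks
        ViewRiskAnalysis ViewRoleApproval ViewRoleExpert ViewRoleLibrary ViewSearchRoles
        ViewTestResults ViewTransactionUsage"""),
    "RESecurity": parse_actions("""
        ViewAttachmenttoRoleDef ViewAuthorizationData ViewBackgroundJobs ViewChangeHistory
        ViewChangeRole ViewChangeRoleApprovers ViewCompareRoles ViewConfiguration ViewCreateRole
        ViewDeleteRole ViewDerivedRoles ViewGenerateRoles ViewInformer ViewMitigateRisks
        ViewObjectsbyClass ViewObjectsbyTransaction ViewRiskAnalysis ViewRoleApproval
        ViewRoleExpert ViewRoleLibrary ViewSearchRoles ViewTestResults ViewTransactionUsage"""),
    "RESuperUser": parse_actions("""
        ViewAttachmenttoRoleDef ViewAuthorizationData ViewBackgroundJobs ViewChangeHistory
        ViewChangeRole ViewChangeRoleApprovers ViewCompareRoles ViewConfiguration ViewCreateRole
        ViewDeleteRole ViewDerivedRoles ViewGenerateRoles ViewInformer ViewMassMaintGenerate
        ViewMassMaintenance ViewMassMaintRiskAnalysis ViewMassMaintUpdate ViewMitigateRisks
        ViewObjectsbyClass ViewObjectsbyTransaction ViewRiskAnalysis ViewRoleApproval
        ViewRoleExpert ViewRoleLibrary ViewSearchRoles ViewTestResults ViewTransactionUsage"""),
    "REConfigurator": parse_actions("""
        ManageCache ViewApprovalCriteria ViewBackgroundJobs ViewBusinessProcess ViewConditionGroups
        ViewConfiguration ViewConfigurationSettingsImport ViewCustomFields ViewFunctionalArea
        ViewInitialSystemData ViewMassRoleImport ViewMethodology ViewMigration
        ViewMiscellaneousConfiguration ViewNamingConvention ViewOrgValueMapping ViewProcessMapping
        ViewProjectRelease ViewRoleExpert ViewRoleLibrary ViewRoleStatus ViewSubProcess
        ViewSystemLandscape ViewSystemLogs"""),
}

# Reviewer's own watch list (an assumption, not from the guide): actions that delete,
# generate or mass-maintain roles, plus access to the Configuration tab.
WATCH = ["ViewDeleteRole", "ViewGenerateRole", "ViewMassMaintenance", "ViewConfiguration"]


def _key(action: str) -> str:
    # Case-insensitive key: the guide's tables capitalise a few names inconsistently
    # (ViewObjectsbyClass vs ViewObjectsByClass). Drop .lower() to compare exactly.
    return action.lower()


def containment_gaps(roles: Dict[str, Set[str]], superset: str) -> Dict[str, List[str]]:
    """For each role other than `superset`, the actions it lists that `superset` lacks."""
    allowed = {_key(a) for a in roles[superset]}
    return {name: sorted(a for a in acts if _key(a) not in allowed)
            for name, acts in roles.items() if name != superset}


def effective_actions(roles: Dict[str, Set[str]], assigned: Iterable[str]) -> Set[str]:
    """Union of the actions a user holds through all assigned roles, de-duplicated by key."""
    seen: Dict[str, str] = {}
    for role in assigned:
        for action in roles[role]:
            seen.setdefault(_key(action), action)
    return set(seen.values())


def high_impact_grants(roles: Dict[str, Set[str]], assigned: Iterable[str],
                       watch: Iterable[str] = WATCH) -> Dict[str, List[str]]:
    """Map each watched action to the sorted list of assigned roles that grant it."""
    watch_keys = {_key(w): w for w in watch}
    hits: Dict[str, List[str]] = {}
    for role in assigned:
        for action in roles[role]:
            if _key(action) in watch_keys:
                hits.setdefault(watch_keys[_key(action)], []).append(role)
    return {a: sorted(r) for a, r in hits.items()}
```

Run over this page's tables, the containment check reports ViewTransactionUsage and ViewGenerateRoles for the subset roles, names that the READMIN table does not list as spelled; such drift should be reconciled against the live UME configuration before the role definitions are relied on for access reviews.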
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
ClearAlert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to create a business unit Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to create org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view Alert TabThere are no configurable actions associated with this tab Assigning this action providers the user with the ability to view all Conflicting Actions Critical Actions Control Monitoring and Cleared Alerts
Alert Monitor
ViewBgJobLog Permission to view users own background jobs Informer amp Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer amp Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration TabThere are no configurable actions associated with this tab Assigning this action provides the user with the ability to execute all actions within this tab
Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSAS_CC_BUSINESS_OWNER
The following table lists the actions for the roles
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
ChangeBP RunAuditReports ChangeBUnit
ChangeBUnit RunRiskAnalysis ChangeMitCntl
ChangeCrActions RunSecurityReports ChangeMitHRObject
ChangeCrProfiles ViewAlertMonitor ChangeMitProfile
ChangeCrRoles ViewInformer ChangeMitRole
ChangeFunction ViewMgmtReport ChangeMitUser
ChangeOrgRules ViewMitigation CreateBUnit
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 4152
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
ChangeRisks CreateMitCntl
ChangeRuleSet CreateMitHRObject
CreateBP CreateMitProfile
CreateCrActions CreateMitRole
CreateCrProfiles CreateMitUser
CreateCrRoles DeleteBUnit
CreateFunction DeleteMitCntl
CreateOrgRules DeleteMitHRsObject
CreateRisks DeleteMitProfile
CreateRuleSet DeleteMitRole
CreateSupplementRule DeleteMitUser
DeleteAlert RunAuditReports
DeleteBP RunRiskAnalysis
DeleteBUnit RunSecurityReports
DeleteCrActions ViewAlertMonitor
DeleteCrProfiles ViewInformer
DeleteCrRoles ViewMgmtReport
DeleteFunction ViewMitigation
DeleteOrgRules ViewRuleArchitect
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecuirtyReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
4252 PUBLIC 2011-12-27
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front-end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com > Glossary; in the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
AESecurity | AEApprover
CreateMitigationControl | CreateMitigationControl
CreateSAPUser | ManageRejectionsCancelGenerationAction
ManageRejectionsCancelGenerationAction | ManageRejectionsGenerateAction
ManageRejectionsGenerateAction | SeeSU01Fields
ViewAccessEnforcer | ViewAccessEnforcer
ViewApprove | ViewApprove
ViewApproverDelegation | ViewApproverDelegation
ViewAssignRolesProfiles | ViewCopyRequest
ViewCopyRequest | ViewCreateRequest
ViewCreateRequest | ViewForwardRequest
ViewForwardRequest | ViewHold
ViewHold | ViewManageRejectionReasons
ViewManageRejectionReasons | ViewManageRejections
ViewManageRejections | ViewMitigation
ViewMitigation | ViewReaffirms
ViewReaffirms | ViewReject
ViewReject | ViewRejectUsers
ViewRejectUsers | ViewRemoveAccess
ViewRemoveAccess | ViewRequstAuditTrail
ViewRqustAuditTrail | ViewReRoute
ViewReRoute | ViewRiskAnalysis
ViewRiskAnalysis | ViewSaveRequest
ViewSaveRequest | ViewSearchRequestAll
ViewSearchRequestAll | ViewSelectPDProfiles
ViewSelectPDProfiles | ViewSelectRoles
ViewSelectRoles | ViewSubmitRequest
ViewSubmitRequest | ViewSuperAccess
ViewUserReviewStatusReportAction | ViewUserReviewStatusReportAction
6.2.2 Delivered Front End Roles and Permissions for ERM
Enterprise Role Management includes the following delivered roles:
READMIN
REBusinessUser
RERoleDesigner
RESecurity
RESuperUser
REConfigurator
You assign different actions to a role to control what a user can see and do. The READMIN role includes all actions. The other roles contain subsets of these actions.
READMIN
The following table lists the actions for the role.
Action Name | Value | Appears on this Tab
ApplyToExistingRoles | Permission to view Apply to Existing Roles button on Methodology Process Update | Configuration
ManageCache | Permission to manage cache | Configuration
ViewApprovalCriteria | Permission to view Approval Criteria | Configuration
ViewAttachmentToRoleDef | Permission to view Attach Icon in Role Maintenance | (Not displayed on a tab)
ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab)
ViewBackgroundJobs | Permission to view Background Jobs | Configuration
ViewBusinessProcess | Permission to view Business Process | Configuration
ViewChangeHistory | Permission to view Change History | Role Management
ViewChangeRole | Permission to view/modify Role | Role Management
ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management
ViewCompareRoles | Permission to compare Roles | Role Management
ViewConditionGroups | Permission to view Condition Groups | Configuration
ViewConfiguration | Permission to view Configuration Tab | Configuration
ViewConfigurationSettingsImport | Permission to view Configuration Settings Import-Export Screen | Configuration
ViewCreateRole | Permission to view Create Role | Role Management
ViewCustomFields | Permission to view Custom Fields | Configuration
ViewDeleteRole | Permission to delete Role | (Not displayed on a tab)
ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab)
ViewFunctionalArea | Permission to view Functional Area | Configuration
ViewGenerateRole | Permission to Generate Role | Configuration
ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer
ViewInitialSystemData | Permission to view Initial System data | Role Management
ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management
ViewMassMaintGenerate | Permission to Manage Mass Maintenance: Generate | Role Management
ViewMassMaintRiskAnalysis | Permission to Manage Mass Maintenance: Risk Analysis | Role Management
ViewMassMaintUpdate | Permission to Manage Mass Maintenance: Update | Role Management
ViewMassRoleImport | Permission to view Mass Role Import | Configuration
ViewMethodology | Permission to view Methodology | Configuration
ViewMigration | Permission to view RE Migration | Configuration
ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration
ViewMitigateRisks | Permission to Mitigate Risk | (Not displayed on a tab)
ViewNamingConvention | Permission to view Naming Convention | Configuration
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert Tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration Tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration Tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization Screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view Transaction Import in Configuration Tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following table lists the actions for the roles.
REBusinessUser | RERoleDesigner | RESecurity | RESuperUser | REConfigurator
ViewChangeHistory | ViewAttachmenttoRoleDef | ViewAttachmenttoRoleDef | ViewAttachmenttoRoleDef | ManageCache
ViewCompareRoles | ViewAuthorizationData | ViewAuthorizationData | ViewAuthorizationData | ViewApprovalCriteria
ViewInformer | ViewBackgroundJobs | ViewBackgroundJobs | ViewBackgroundJobs | ViewBackgroundJobs
ViewRoleExpert | ViewChangeHistory | ViewChangeHistory | ViewChangeHistory | ViewBusinessProcess
ViewRoleLibrary | ViewChangeRole | ViewChangeRole | ViewChangeRole | ViewConditionGroups
ViewSearchRoles | ViewChangeRoleApprovers | ViewChangeRoleApprovers | ViewChangeRoleApprovers | ViewConfiguration
ViewTransactionUsage | ViewCompareRoles | ViewCompareRoles | ViewCompareRoles | ViewConfigurationSettingsImport
| ViewConfiguration | ViewConfiguration | ViewConfiguration | ViewCustomFields
| ViewCreateRole | ViewCreateRole | ViewCreateRole | ViewFunctionalArea
| ViewDeleteRole | ViewDeleteRole | ViewDeleteRole | ViewInitialSystemData
| ViewDerivedRoles | ViewDerivedRoles | ViewDerivedRoles | ViewMassRoleImport
| ViewGenerateRoles | ViewGenerateRoles | ViewGenerateRoles | ViewMethodology
| ViewInformer | ViewInformer | ViewInformer | ViewMigration
| ViewMitigateRisks | ViewMitigateRisks | ViewMassMaintGenerate | ViewMiscellaneousConfiguration
| ViewRiskAnalysis | ViewObjectsbyClass | ViewMassMaintenance | ViewNamingConvention
| ViewRoleApproval | ViewObjectsbyTransaction | ViewMassMaintRiskAnalysis | ViewOrgValueMapping
| ViewRoleExpert | ViewRiskAnalysis | ViewMassMaintUpdate | ViewProcessMapping
| ViewRoleLibrary | ViewRoleApproval | ViewMitigateRisks | ViewProjectRelease
| ViewSearchRoles | ViewRoleExpert | ViewObjectsbyClass | ViewRoleExpert
| ViewTestResults | ViewRoleLibrary | ViewObjectsbyTransaction | ViewRoleLibrary
| ViewTransactionUsage | ViewSearchRoles | ViewRiskAnalysis | ViewRoleStatus
| | ViewTestResults | ViewRoleApproval | ViewSubProcess
| | ViewTransactionUsage | ViewRoleExpert | ViewSystemLandscape
| | | ViewRoleLibrary | ViewSystemLogs
| | | ViewSearchRoles |
| | | ViewTestResults |
| | | ViewTransactionUsage |
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRule | Permission to change supplement rules | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following table lists the actions for the roles.
VIRSA_CC_SECURITY_ADMIN | VIRSA_CC_REPORT | VIRSA_CC_BUSINESS_OWNER
ChangeBP | RunAuditReports | ChangeBUnit
ChangeBUnit | RunRiskAnalysis | ChangeMitCntl
ChangeCrActions | RunSecurityReports | ChangeMitHRObject
ChangeCrProfiles | ViewAlertMonitor | ChangeMitProfile
ChangeCrRoles | ViewInformer | ChangeMitRole
ChangeFunction | ViewMgmtReport | ChangeMitUser
ChangeOrgRules | ViewMitigation | CreateBUnit
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
READMIN

The following table lists the actions for the role.

| Action Name | Value | Appears on This Tab |
|---|---|---|
| ApplyToExistingRoles | Permission to view the Apply to Existing Roles button on Methodology Process Update | Configuration |
| ManageCache | Permission to manage cache | Configuration |
| ViewApprovalCriteria | Permission to view Approval Criteria | Configuration |
| ViewAttachmentToRoleDef | Permission to view the Attach icon in Role Maintenance | (Not displayed on a tab) |
| ViewAuthorizationData | Permission to view Authorization data | (Not displayed on a tab) |
| ViewBackgroundJobs | Permission to view Background Jobs | Configuration |
| ViewBusinessProcess | Permission to view Business Process | Configuration |
| ViewChangeHistory | Permission to view Change History | Role Management |
| ViewChangeRole | Permission to view/modify Role | Role Management |
| ViewChangeRoleApprovers | Permission to add or update role approvers | Role Management |
| ViewCompareRoles | Permission to compare Roles | Role Management |
| ViewConditionGroups | Permission to view Condition Groups | Configuration |
| ViewConfiguration | Permission to view the Configuration tab | Configuration |
| ViewConfigurationSettingsImport | Permission to view the Configuration Settings Import-Export screen | Configuration |
| ViewCreateRole | Permission to view Create Role | Role Management |
| ViewCustomFields | Permission to view Custom Fields | Configuration |
| ViewDeleteRole | Permission to delete Role | (Not displayed on a tab) |
| ViewDerivedRoles | Permission to view Derived Roles | (Not displayed on a tab) |
| ViewFunctionalArea | Permission to view Functional Area | Configuration |
| ViewGenerateRole | Permission to Generate Role | Configuration |
| ViewInformer | Permission to view all reports. There are no configurable actions for this tab. | Informer |
| ViewInitialSystemData | Permission to view Initial System data | Role Management |
| ViewMassMaintenance | Permission to perform Role Mass Maintenance | Role Management |
| ViewMassMaintGenerate | Permission to manage Mass Maintenance – Generate | Role Management |
| ViewMassMaintRiskAnalysis | Permission to manage Mass Maintenance – Risk Analysis | Role Management |
| ViewMassMaintUpdate | Permission to manage Mass Maintenance – Update | Role Management |
| ViewMassRoleImport | Permission to view Mass Role Import | Configuration |
| ViewMethodology | Permission to view Methodology | Configuration |
| ViewMigration | Permission to view RE Migration | Configuration |
| ViewMiscellaneousConfiguration | Permission to view Miscellaneous Configuration | Configuration |
| ViewMitigateRisks | Permission to mitigate Risk | (Not displayed on a tab) |
| ViewNamingConvention | Permission to view Naming Convention | Configuration |
| ViewObjectsByClass | Permission to view and modify the Objects by Class screen | (Not displayed on a tab) |
| ViewObjectsByTransaction | Permission to view the Objects by Transactions screen | (Not displayed on a tab) |
| ViewOpenSQLTest | Permission to view the OpenSQL test screen | (Not displayed on a tab) |
| ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration |
| ViewProcessMapping | Permission to view Process Mapping | Configuration |
| ViewProjectRelease | Permission to view Project Release | Configuration |
| ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab) |
| ViewRoleApproval | Permission to view the Approval button in Role Maintenance | (Not displayed on a tab) |
| ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab) |
| ViewRoleExpert | Permission to view the Role Expert tab | Role Management |
| ViewRoleLibrary | Permission to view Role Library | Role Management |
| ViewRoleLocking | Permission to view Role Locking in the Configuration tab | Configuration |
| ViewRoleStatus | Permission to view Role Status in the Configuration tab | Configuration |
| ViewRoleUsage | Permission to view the Role Usage Synchronization screen | Configuration |
| ViewSearchRoles | Permission to search Roles | Role Management |
| ViewSubProcess | Permission to view Sub Process | Configuration |
| ViewSystemLandscape | Permission to view System Landscape | Configuration |
| ViewSystemLogs | Permission to view System Logs | Configuration |
| ViewTestResults | Permission to view Test Results | Configuration |
| ViewTransactionImport | Permission to view Transaction Import in the Configuration tab | Configuration |
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator

The following lists show the actions for each of these roles.

REBusinessUser: ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage

RERoleDesigner: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESecurity: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

RESuperUser: ViewAttachmentToRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsByClass, ViewObjectsByTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage

REConfigurator: ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR

Risk Analysis and Remediation includes the following delivered roles:

VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER

You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions. The other roles contain subsets of these permissions.

VIRSA_CC_ADMINISTRATOR

The following table lists the actions.

| Action Name | Value | Appears on This Tab |
|---|---|---|
| ChangeAdmins | Permission to change administrators | Mitigation |
| ChangeBP | Permission to change business processes | Rule Architect |
| ChangeBUnit | Permission to change a business unit | Mitigation |
| ChangeCrActions | Permission to change critical actions | Rule Architect |
| ChangeCrProfiles | Permission to change critical profiles | Rule Architect |
| ChangeCrRoles | Permission to change critical roles | Rule Architect |
| ChangeFunction | Permission to change functions | Rule Architect |
| ChangeMitCntl | Permission to change a mitigating control | Mitigation |
| ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation |
| ChangeMitProfile | Permission to change mitigating profiles | Mitigation |
| ChangeMitRole | Permission to change mitigation at role level | Mitigation |
| ChangeMitUser | Permission to change mitigating users | Mitigation |
| ChangeOrgRules | Permission to change org rules | Rule Architect |
| ChangeRisks | Permission to change risks | Rule Architect |
| ChangeRuleSet | Permission to change rule sets | Rule Architect |
| ChangeSupplementRole | Permission to change supplement role | Rule Architect |
| ClearAlert | Permission to clear alerts | Alert Monitor |
| CreateAdmins | Permission to create administrators | Mitigation |
| CreateBP | Permission to create business processes | Rule Architect |
| CreateBUnit | Permission to create a business unit | Mitigation |
| CreateCrActions | Permission to create critical actions | Alert Monitor |
| CreateCrProfiles | Permission to create critical profiles | Rule Architect |
| CreateCrRoles | Permission to create critical roles | Rule Architect |
| CreateFunction | Permission to create functions | Rule Architect |
| CreateMitCntl | Permission to create a mitigating control | Mitigation |
| CreateMitHRObject | Permission to create mitigating HR objects | Mitigation |
| CreateMitProfile | Permission to create mitigating profiles | Mitigation |
| CreateMitRole | Permission to assign mitigation at role level | Mitigation |
| CreateMitUser | Permission to create mitigating users | Mitigation |
| CreateOrgRules | Permission to create org rules | Rule Architect |
| CreateRisks | Permission to create risks | Rule Architect |
| CreateRuleSet | Permission to create rule sets | Rule Architect |
| CreateSupplementRule | Permission to create supplement rules | Rule Architect |
| DeleteAdmins | Permission to delete administrators | Mitigation |
| DeleteAlert | Permission to delete alerts | Alert Monitor |
| DeleteBP | Permission to delete business processes | Rule Architect |
| DeleteBUnit | Permission to delete a business unit | Mitigation |
| DeleteCrActions | Permission to delete critical actions | Rule Architect |
| DeleteCrProfiles | Permission to delete critical profiles | Rule Architect |
| DeleteCrRoles | Permission to delete critical roles | Rule Architect |
| DeleteFunction | Permission to delete functions | Rule Architect |
| DeleteMitCntl | Permission to delete a mitigating control | Mitigation |
| DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation |
| DeleteMitProfile | Permission to delete mitigating profiles | Mitigation |
| DeleteMitRole | Permission to delete mitigation at role level | Mitigation |
| DeleteMitUser | Permission to delete mitigating users | Mitigation |
| DeleteOrgRules | Permission to delete org rules | Rule Architect |
| DeleteRisks | Permission to delete risks | Rule Architect |
| DeleteRuleSet | Permission to delete rule sets | Rule Architect |
| DeleteSupplementRule | Permission to delete supplement rules | Rule Architect |
| ExportMitigationData | Permission to export mitigation data | Mitigation |
| ExportRules | Permission to export rules | Rule Architect |
| GenerateAlert | Permission to generate alerts | Alert Monitor |
| ImportMitigationData | Permission to import mitigation data | Mitigation |
| ImportRules | Permission to import rules | Rule Architect |
| MassFuncMaint | Permission for mass maintenance of functions | Rule Architect |
| ManageDeletionAllRules | Permission to delete all rules | Configuration |
| ManageDeletionSystemRules | Permission to delete systems | Configuration |
| RunAuditReports | Permission to run audit reports | Informer |
| RunRiskAnalysis | Permission to run risk analysis | Informer |
| RunSecurityReports | Permission to run security reports | Informer |
| ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor |
| ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration |
| ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration |
| ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration |
| ViewInformer | Permission to view the Informer tab | Informer |
| ViewMgmtReport | Permission to view management reports | Informer |
| ViewMitigation | Permission to view the Mitigation tab | Mitigation |
| ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect |
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER

The following lists show the actions for each of these roles.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
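The delivered role lists above are a baseline that a reviewer can check a live UME export against: the guide states that VIRSA_CC_ADMINISTRATOR holds every action and the other roles hold subsets, and a reporting role such as VIRSA_CC_REPORT should carry no create/change/delete actions. The following Python script is an added example (not SAP's code, and not part of the guide) that encodes the RAR action lists documented above and performs those checks; the role export it reviews is constructed inline, and the same approach applies to the RE role lists earlier in this section.

```python
"""Baseline review of the delivered RAR front-end roles (SAP GRC AC 5.3).

Added example, not SAP's code. It encodes the action lists documented above,
checks the guide's claim that the other roles are subsets of
VIRSA_CC_ADMINISTRATOR, flags write-capable actions in a reporting-only role,
and reports drift between a (constructed) role export and the baseline.
"""

ADMIN_ACTIONS = frozenset("""
ChangeAdmins ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
ChangeFunction ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole ChangeMitUser
ChangeOrgRules ChangeRisks ChangeRuleSet ChangeSupplementRole ClearAlert CreateAdmins
CreateBP CreateBUnit CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction
CreateMitCntl CreateMitHRObject CreateMitProfile CreateMitRole CreateMitUser CreateOrgRules
CreateRisks CreateRuleSet CreateSupplementRule DeleteAdmins DeleteAlert DeleteBP
DeleteBUnit DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction DeleteMitCntl
DeleteMitHRsObject DeleteMitProfile DeleteMitRole DeleteMitUser DeleteOrgRules DeleteRisks
DeleteRuleSet DeleteSupplementRule ExportMitigationData ExportRules GenerateAlert
ImportMitigationData ImportRules MassFuncMaint ManageDeletionAllRules ManageDeletionSystemRules
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog
ViewBGJobsForAllUsers ViewConfiguration ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""".split())

SECURITY_ADMIN_ACTIONS = frozenset("""
ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles ChangeFunction
ChangeOrgRules ChangeRisks ChangeRuleSet CreateBP CreateCrActions CreateCrProfiles
CreateCrRoles CreateFunction CreateOrgRules CreateRisks CreateRuleSet CreateSupplementRule
DeleteAlert DeleteBP DeleteBUnit DeleteCrActions DeleteCrProfiles DeleteCrRoles
DeleteFunction DeleteOrgRules DeleteRisks DeleteRuleSet DeleteSupplementRule ExportMitigationData
ExportRules GenerateAlert ImportMitigationData ImportRules MassFuncMaint RunAuditReports
RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewBgJobLog ViewBGJobsForAllUsers
ViewConfiguration ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""".split())

REPORT_ACTIONS = frozenset("""
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewInformer
ViewMgmtReport ViewMitigation
""".split())

BUSINESS_OWNER_ACTIONS = frozenset("""
ChangeBUnit ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole ChangeMitUser
CreateBUnit CreateMitCntl CreateMitHRObject CreateMitProfile CreateMitRole CreateMitUser
DeleteBUnit DeleteMitCntl DeleteMitHRsObject DeleteMitProfile DeleteMitRole DeleteMitUser
RunAuditReports RunRiskAnalysis RunSecurityReports ViewAlertMonitor ViewInformer
ViewMgmtReport ViewMitigation ViewRuleArchitect
""".split())

DELIVERED_ROLES = {
    "VIRSA_CC_ADMINISTRATOR": ADMIN_ACTIONS,
    "VIRSA_CC_SECURITY_ADMIN": SECURITY_ADMIN_ACTIONS,
    "VIRSA_CC_REPORT": REPORT_ACTIONS,
    "VIRSA_CC_BUSINESS_OWNER": BUSINESS_OWNER_ACTIONS,
}

# Name prefixes of actions that create, change or remove rules, mitigations,
# alerts or administrators. A reporting-only role should hold none of them.
WRITE_PREFIXES = ("Change", "Clear", "Create", "Delete", "Export",
                  "Generate", "Import", "Manage", "MassFuncMaint")

def write_actions(actions):
    """Actions in `actions` that can create, change or remove RAR data."""
    return sorted(a for a in actions if a.startswith(WRITE_PREFIXES))

def undocumented_actions(actions):
    """Actions absent from VIRSA_CC_ADMINISTRATOR, which holds every
    documented action; anything returned here is outside the catalogue."""
    return sorted(set(actions) - ADMIN_ACTIONS)

def role_drift(role, live_actions):
    """Compare a live role's actions to its delivered baseline.
    Returns (added, removed) as sorted lists."""
    baseline, live = DELIVERED_ROLES[role], set(live_actions)
    return sorted(live - baseline), sorted(baseline - live)

def review(live_roles, read_only=("VIRSA_CC_REPORT",)):
    """Findings for an export of {role_name: iterable of actions}."""
    findings = []
    for role, actions in sorted(live_roles.items()):
        if role not in DELIVERED_ROLES:
            findings.append(f"{role}: custom role, no delivered baseline")
        else:
            added, removed = role_drift(role, actions)
            if added:
                findings.append(f"{role}: added over baseline: {', '.join(added)}")
            if removed:
                findings.append(f"{role}: missing from baseline: {', '.join(removed)}")
        if role in read_only and write_actions(actions):
            findings.append(f"{role}: write actions in reporting role: {', '.join(write_actions(actions))}")
        if undocumented_actions(actions):
            findings.append(f"{role}: undocumented actions: {', '.join(undocumented_actions(actions))}")
    return findings

# Constructed export: VIRSA_CC_REPORT has gained DeleteAlert since delivery and
# VIRSA_CC_BUSINESS_OWNER has lost ViewRuleArchitect.
SAMPLE_EXPORT = {
    "VIRSA_CC_REPORT": REPORT_ACTIONS | {"DeleteAlert"},
    "VIRSA_CC_BUSINESS_OWNER": BUSINESS_OWNER_ACTIONS - {"ViewRuleArchitect"},
}

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_EXPORT)))
```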
7 Recommended Front End Roles and Permissions for SPM

SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN

| Action Name | Description | Appears on This Tab |
|---|---|---|
| ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports |
| ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports |
| ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log |
| InvaildUserReport | Permission to view the Invalid User report | Reports |
| LogSummaryReport | Permission to view the Log Summary report | Reports |
| ReasonActivityReport | Permission to view the Reason Activity report | Reports |
| SessionSummaryReport | Permission to view the Session Summary report | Reports |
| SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports |
| SODReport | Permission to view the SOD report | Reports |
| TranUsageReport | Permission to view the Transaction Usage report | Reports |
| ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. | Configuration |
| ViewReportsTab | Permission to view reports | Reports |
A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups
Current version: on SAP Help Portal at http://help.sap.com under Glossary; in the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants, system administrators, project teams for implementations or upgrades
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators, technology consultants, solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants, project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants, project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants, solution consultants, project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants, project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators, technology consultants, solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides
Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants, project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions

| Example | Description |
|---|---|
| <Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>". |
| Example > Example | Arrows separating the parts of a navigation path, for example, menu options |
| Example | Emphasized words or expressions |
| Example | Words or characters that you enter in the system exactly as they appear in the documentation |
| http://www.sap.com | Textual cross-references to an internet address |
| /example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web |
| 123456 | Hyperlink to an SAP Note, for example, SAP Note 123456 |
| Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works. |
| Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| EXAMPLE | Keys on the keyboard |
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace: You can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany. T +49/18 05/34 34 34, F +49/18 05/34 34 20, www.sap.com
© Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Action Name | Value | Appears on This Tab
ViewObjectsByClass | Permission to view and modify Objects by Class screen | (Not displayed on a tab)
ViewObjectsByTransaction | Permission to view Objects by Transactions screen | (Not displayed on a tab)
ViewOpenSQLTest | Permission to view OpenSQL test screen | (Not displayed on a tab)
ViewOrgValueMapping | Permission to view Org Value Mapping | Configuration
ViewProcessMapping | Permission to view Process Mapping | Configuration
ViewProjectRelease | Permission to view Project Release | Configuration
ViewRiskAnalysis | Permission to perform Risk Analysis | (Not displayed on a tab)
ViewRoleApproval | Permission to view Approval Button in Role Maintenance | (Not displayed on a tab)
ViewRoleDesigner | Permission to view Role Designer | (Not displayed on a tab)
ViewRoleExpert | Permission to view Role Expert tab | Role Management
ViewRoleLibrary | Permission to view Role Library | Role Management
ViewRoleLocking | Permission to view Role Locking in Configuration tab | Configuration
ViewRoleStatus | Permission to view Role Status in Configuration tab | Configuration
ViewRoleUsage | Permission to view Role Usage Synchronization screen | Configuration
ViewSearchRoles | Permission to search Roles | Role Management
ViewSubProcess | Permission to view Sub Process | Configuration
ViewSystemLandscape | Permission to view System Landscape | Configuration
ViewSystemLogs | Permission to view System Logs | Configuration
ViewTestResults | Permission to view Test Results | Configuration
ViewTransactionImport | Permission to view TransactionImport in Configuration tab | Configuration
REBusinessUser, RERoleDesigner, RESecurity, RESuperUser, REConfigurator
The following table lists the actions for these roles.
Role | Actions
REBusinessUser | ViewChangeHistory, ViewCompareRoles, ViewInformer, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTransactionUsage
RERoleDesigner | ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESecurity | ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
RESuperUser | ViewAttachmenttoRoleDef, ViewAuthorizationData, ViewBackgroundJobs, ViewChangeHistory, ViewChangeRole, ViewChangeRoleApprovers, ViewCompareRoles, ViewConfiguration, ViewCreateRole, ViewDeleteRole, ViewDerivedRoles, ViewGenerateRoles, ViewInformer, ViewMassMaintGenerate, ViewMassMaintenance, ViewMassMaintRiskAnalysis, ViewMassMaintUpdate, ViewMitigateRisks, ViewObjectsbyClass, ViewObjectsbyTransaction, ViewRiskAnalysis, ViewRoleApproval, ViewRoleExpert, ViewRoleLibrary, ViewSearchRoles, ViewTestResults, ViewTransactionUsage
REConfigurator | ManageCache, ViewApprovalCriteria, ViewBackgroundJobs, ViewBusinessProcess, ViewConditionGroups, ViewConfiguration, ViewConfigurationSettingsImport, ViewCustomFields, ViewFunctionalArea, ViewInitialSystemData, ViewMassRoleImport, ViewMethodology, ViewMigration, ViewMiscellaneousConfiguration, ViewNamingConvention, ViewOrgValueMapping, ViewProcessMapping, ViewProjectRelease, ViewRoleExpert, ViewRoleLibrary, ViewRoleStatus, ViewSubProcess, ViewSystemLandscape, ViewSystemLogs
6.2.3 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles:
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSA_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do. The VIRSA_CC_ADMINISTRATOR role includes all actions; the other roles contain subsets of these permissions.
VIRSA_CC_ADMINISTRATOR
The following table lists the actions.
Action Name | Value | Appears on This Tab
ChangeAdmins | Permission to change administrators | Mitigation
ChangeBP | Permission to change business processes | Rule Architect
ChangeBUnit | Permission to change a business unit | Mitigation
ChangeCrActions | Permission to change critical actions | Rule Architect
ChangeCrProfiles | Permission to change critical profiles | Rule Architect
ChangeCrRoles | Permission to change critical roles | Rule Architect
ChangeFunction | Permission to change functions | Rule Architect
ChangeMitCntl | Permission to change a mitigating control | Mitigation
ChangeMitHRObject | Permission to change mitigating HR objects | Mitigation
ChangeMitProfile | Permission to change mitigating profiles | Mitigation
ChangeMitRole | Permission to change mitigation at role level | Mitigation
ChangeMitUser | Permission to change mitigating users | Mitigation
ChangeOrgRules | Permission to change org rules | Rule Architect
ChangeRisks | Permission to change risks | Rule Architect
ChangeRuleSet | Permission to change rule sets | Rule Architect
ChangeSupplementRole | Permission to change supplement role | Rule Architect
ClearAlert | Permission to clear alerts | Alert Monitor
CreateAdmins | Permission to create administrators | Mitigation
CreateBP | Permission to create business processes | Rule Architect
CreateBUnit | Permission to create a business unit | Mitigation
CreateCrActions | Permission to create critical actions | Alert Monitor
CreateCrProfiles | Permission to create critical profiles | Rule Architect
CreateCrRoles | Permission to create critical roles | Rule Architect
CreateFunction | Permission to create functions | Rule Architect
CreateMitCntl | Permission to create a mitigating control | Mitigation
CreateMitHRObject | Permission to create mitigating HR objects | Mitigation
CreateMitProfile | Permission to create mitigating profiles | Mitigation
CreateMitRole | Permission to assign mitigation at role level | Mitigation
CreateMitUser | Permission to create mitigating users | Mitigation
CreateOrgRules | Permission to create org rules | Rule Architect
CreateRisks | Permission to create risks | Rule Architect
CreateRuleSet | Permission to create rule sets | Rule Architect
CreateSupplementRule | Permission to create supplement rules | Rule Architect
DeleteAdmins | Permission to delete administrators | Mitigation
DeleteAlert | Permission to delete alerts | Alert Monitor
DeleteBP | Permission to delete business processes | Rule Architect
DeleteBUnit | Permission to delete a business unit | Mitigation
DeleteCrActions | Permission to delete critical actions | Rule Architect
DeleteCrProfiles | Permission to delete critical profiles | Rule Architect
DeleteCrRoles | Permission to delete critical roles | Rule Architect
DeleteFunction | Permission to delete functions | Rule Architect
DeleteMitCntl | Permission to delete a mitigating control | Mitigation
DeleteMitHRsObject | Permission to delete mitigating HR objects | Mitigation
DeleteMitProfile | Permission to delete mitigating profiles | Mitigation
DeleteMitRole | Permission to delete mitigation at role level | Mitigation
DeleteMitUser | Permission to delete mitigating users | Mitigation
DeleteOrgRules | Permission to delete org rules | Rule Architect
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsForAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, VIRSA_CC_BUSINESS_OWNER
The following table lists the actions for these roles.
Role | Actions
VIRSA_CC_SECURITY_ADMIN | ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
VIRSA_CC_REPORT | RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation
VIRSA_CC_BUSINESS_OWNER | ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
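When customizing front-end roles, the delivered RAR roles are the least-privilege baseline: the guide states that VIRSA_CC_ADMINISTRATOR holds every action and the other roles hold subsets. The following script, an added example that is not part of the SAP guide, encodes the four role tables above, verifies the subset statement, computes which actions are granted by the administrator role alone, and diffs a customized role against the delivered role it was copied from. The function names and the sample custom role are constructed for this example.

```python
"""Least-privilege check for the delivered Risk Analysis and Remediation (RAR) front-end roles.

The action lists are transcribed from the guide's role tables; the function names
and the sample custom role are constructed for this example.
"""
from __future__ import annotations


def _actions(text: str) -> frozenset[str]:
    """Turn a whitespace-separated list of UME action names into a set."""
    return frozenset(text.split())


# Actions listed for VIRSA_CC_ADMINISTRATOR (every RAR action).
ADMIN = _actions("""
    ChangeAdmins ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles
    ChangeFunction ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
    ChangeMitUser ChangeOrgRules ChangeRisks ChangeRuleSet ChangeSupplementRole
    ClearAlert
    CreateAdmins CreateBP CreateBUnit CreateCrActions CreateCrProfiles CreateCrRoles
    CreateFunction CreateMitCntl CreateMitHRObject CreateMitProfile CreateMitRole
    CreateMitUser CreateOrgRules CreateRisks CreateRuleSet CreateSupplementRule
    DeleteAdmins DeleteAlert DeleteBP DeleteBUnit DeleteCrActions DeleteCrProfiles
    DeleteCrRoles DeleteFunction DeleteMitCntl DeleteMitHRsObject DeleteMitProfile
    DeleteMitRole DeleteMitUser DeleteOrgRules DeleteRisks DeleteRuleSet
    DeleteSupplementRule
    ExportMitigationData ExportRules GenerateAlert ImportMitigationData ImportRules
    MassFuncMaint ManageDeletionAllRules ManageDeletionSystemRules
    RunAuditReports RunRiskAnalysis RunSecurityReports
    ViewAlertMonitor ViewBgJobLog ViewBGJobsForAllUsers ViewConfiguration
    ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""")

# Actions listed for the three non-administrator roles.
SECURITY_ADMIN = _actions("""
    ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles ChangeCrRoles ChangeFunction
    ChangeOrgRules ChangeRisks ChangeRuleSet
    CreateBP CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction
    CreateOrgRules CreateRisks CreateRuleSet CreateSupplementRule
    DeleteAlert DeleteBP DeleteBUnit DeleteCrActions DeleteCrProfiles DeleteCrRoles
    DeleteFunction DeleteOrgRules DeleteRisks DeleteRuleSet DeleteSupplementRule
    ExportMitigationData ExportRules GenerateAlert ImportMitigationData ImportRules
    MassFuncMaint RunAuditReports RunRiskAnalysis RunSecurityReports
    ViewAlertMonitor ViewBgJobLog ViewBGJobsForAllUsers ViewConfiguration
    ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""")
REPORT = _actions("""
    RunAuditReports RunRiskAnalysis RunSecurityReports
    ViewAlertMonitor ViewInformer ViewMgmtReport ViewMitigation
""")
BUSINESS_OWNER = _actions("""
    ChangeBUnit ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole
    ChangeMitUser
    CreateBUnit CreateMitCntl CreateMitHRObject CreateMitProfile CreateMitRole
    CreateMitUser
    DeleteBUnit DeleteMitCntl DeleteMitHRsObject DeleteMitProfile DeleteMitRole
    DeleteMitUser
    RunAuditReports RunRiskAnalysis RunSecurityReports
    ViewAlertMonitor ViewInformer ViewMgmtReport ViewMitigation ViewRuleArchitect
""")

DELIVERED = {
    "VIRSA_CC_ADMINISTRATOR": ADMIN,
    "VIRSA_CC_SECURITY_ADMIN": SECURITY_ADMIN,
    "VIRSA_CC_REPORT": REPORT,
    "VIRSA_CC_BUSINESS_OWNER": BUSINESS_OWNER,
}


def non_admin_roles_are_subsets() -> bool:
    """Check the guide's statement that every other delivered role is a subset of the administrator role."""
    return all(actions <= ADMIN
               for name, actions in DELIVERED.items() if name != "VIRSA_CC_ADMINISTRATOR")


def admin_reserved_actions() -> frozenset[str]:
    """Actions that only VIRSA_CC_ADMINISTRATOR grants.  Adding one of these to a
    customized role hands out administrator-level capability."""
    others = frozenset().union(*(a for n, a in DELIVERED.items()
                                 if n != "VIRSA_CC_ADMINISTRATOR"))
    return ADMIN - others


def excess_actions(custom_role: set[str], based_on: str) -> dict[str, frozenset[str]]:
    """Diff a customized role against the delivered role it was copied from.
    'reserved' = administrator-only actions, 'other' = actions borrowed from another
    delivered role, 'unknown' = names that are not RAR actions at all (typos, etc.)."""
    extra = frozenset(custom_role) - DELIVERED[based_on]
    reserved = extra & admin_reserved_actions()
    unknown = extra - ADMIN
    return {"reserved": reserved, "other": extra - reserved - unknown, "unknown": unknown}


# Constructed sample: a reporting role that someone extended while customizing.
SAMPLE_CUSTOM_ROLE = set(REPORT) | {"ViewBgJobLog", "ClearAlert", "NotAnRARAction"}

if __name__ == "__main__":
    print("subset statement holds:", non_admin_roles_are_subsets())
    print("administrator-only actions:", sorted(admin_reserved_actions()))
    for kind, names in excess_actions(SAMPLE_CUSTOM_ROLE, "VIRSA_CC_REPORT").items():
        print(f"{kind}: {sorted(names)}")
```

The same subset-and-diff check applies to the ERM role table (REBusinessUser through REConfigurator) once its action lists are encoded in the same way.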
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.
FF_ADMIN
Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group:
Relevant for all target groups
Current version:
On SAP Help Portal at http://help.sap.com → Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group:
Consultants
System administrators
Project teams for implementations or upgrades
Current version:
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation,
execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for implementations
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group:
Technology consultants
Solution consultants
Project teams for implementations
Current version:
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group:
Solution consultants
Project teams for implementations or upgrades
Current version:
In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group:
System administrators
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group:
System administrators
Technology consultants
Solution consultants
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group:
Technology consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group:
Consultants
Project teams for upgrades
Current version:
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages
Example | Source code or syntax quoted directly from a program
Example | File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
ReBusinessUser RERoleDesigner RESECURITY RESuperUser REConfigurator
ViewDerivedRoles ViewDerivedRoles ViewDerivedRoles ViewMassRoleImport
ViewGenerateRoles ViewGenerateRoles ViewGenerateRoles ViewMethodology
ViewInformer ViewInformer ViewInformer ViewMigration
ViewMitigateRisks ViewMitigateRisks ViewMassMaintGenerate ViewMiscellaneousConfiguration
ViewRiskAnalysis ViewObjectsbyClass ViewMassMaintenance ViewNamingConvention
ViewRoleApproval ViewObjectsbyTransaction ViewMassMaintRiskAnalysis ViewOrgValueMapping
ViewRoleExpert ViewRiskAnalysis ViewMassMaintUpdate ViewProcessMapping
ViewRoleLibrary ViewRoleApproval ViewMitigateRisks ViewProjectRelease
ViewSeachRoles ViewRoleExpert ViewObjectsbyClass ViewRoleExpert
ViewTestResults ViewRoleLibrary ViewObjectsbyTransaction ViewRoleLibrary
ViewTransactionUsage ViewSearchRoles ViewRiskAnalysis ViewRoleStatus
ViewTestResults ViewRoleApproval ViewSubProcess
ViewTransactionUsage ViewRoleExpert ViewSystemLandscape
ViewRoleLibrary ViewSystemLogs
ViewSearchRoles
ViewTestResults
ViewTransactionUsage
623 Delivered Front End Roles and Permissions for RAR
Risk Analysis and Remediation includes the following delivered roles
VIRSA_CC_ADMINISTRATOR
VIRSA_CC_SECURITY_ADMIN
VIRSA_CC_REPORT
VIRSAS_CC_BUSINESS_OWNER
You assign different actions to a role to control what a user can see and do The
VIRSA_CC_ADMINISTRATOR role includes all actions The other roles contain subsets of these
permissions
VIRSA_CC_ADMINISTRATOR
The following table lists the actions
Action Name Value Appears on This Tab
ChangeAdmins Permission to change administrators Mitigation
ChangeBP Permission to change business processes Rule Architect
ChangeBUnit Permission to change a business unit Mitigation
ChangeCrActions Permission to change critical actions Rule Architect
ChangeCrProfiles Permission to change critical profiles Rule Architect
ChangeCrRoles Permission to change critical roles Rule Architect
ChangeFunction Permission to change functions Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 3952
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
Clear Alert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to business processes Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
4052 PUBLIC 2011-12-27
Action Name | Value | Appears on This Tab
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert Monitor tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab. Assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect
The following lists the actions assigned to each of the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT and VIRSA_CC_BUSINESS_OWNER.

VIRSA_CC_SECURITY_ADMIN: ChangeBP, ChangeBUnit, ChangeCrActions, ChangeCrProfiles, ChangeCrRoles, ChangeFunction, ChangeOrgRules, ChangeRisks, ChangeRuleSet, CreateBP, CreateCrActions, CreateCrProfiles, CreateCrRoles, CreateFunction, CreateOrgRules, CreateRisks, CreateRuleSet, CreateSupplementRule, DeleteAlert, DeleteBP, DeleteBUnit, DeleteCrActions, DeleteCrProfiles, DeleteCrRoles, DeleteFunction, DeleteOrgRules, DeleteRisks, DeleteRuleSet, DeleteSupplementRule, ExportMitigationData, ExportRules, GenerateAlert, ImportMitigationData, ImportRules, MassFuncMaint, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewBgJobLog, ViewBGJobsForAllUsers, ViewConfiguration, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect

VIRSA_CC_REPORT: RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation

VIRSA_CC_BUSINESS_OWNER: ChangeBUnit, ChangeMitCntl, ChangeMitHRObject, ChangeMitProfile, ChangeMitRole, ChangeMitUser, CreateBUnit, CreateMitCntl, CreateMitHRObject, CreateMitProfile, CreateMitRole, CreateMitUser, DeleteBUnit, DeleteMitCntl, DeleteMitHRsObject, DeleteMitProfile, DeleteMitRole, DeleteMitUser, RunAuditReports, RunRiskAnalysis, RunSecurityReports, ViewAlertMonitor, ViewInformer, ViewMgmtReport, ViewMitigation, ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM

SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
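A least-privilege review helper for the role definitions in sections 6.2 and 7, added here as an example; it is not SAP-delivered code. It transcribes the delivered role contents and the action-to-tab catalogue from this guide and reviews a constructed custom role Z_CC_REPORT_PLUS (a hypothetical name) against the delivered template it was cloned from: actions added beyond the template are listed with their tab and whether they modify data (the prefix heuristic in is_modifying is this example's own, not a GRC concept), the all-or-nothing tab grants the guide describes for ViewConfiguration and ViewConfigurationTab are called out, and a second helper finds the smallest delivered role that covers a requested action set. Actions whose catalogue row is not in this excerpt (for example ChangeBP) resolve to an unknown tab rather than being guessed.

```python
"""Least-privilege review of GRC Access Control 5.3 front-end (UME) roles.
Added example, not SAP-delivered code: role contents and the action-to-tab
catalogue are transcribed from sections 6.2 and 7 of this guide; the custom
role reviewed below is a constructed sample."""

# Delivered RAR roles (section 6.2) and the example SPM role FF_ADMIN
# (section 7), each as the set of UME actions it grants.
DELIVERED_ROLES = {
    "VIRSA_CC_SECURITY_ADMIN": set("""ChangeBP ChangeBUnit ChangeCrActions ChangeCrProfiles
        ChangeCrRoles ChangeFunction ChangeOrgRules ChangeRisks ChangeRuleSet CreateBP
        CreateCrActions CreateCrProfiles CreateCrRoles CreateFunction CreateOrgRules CreateRisks
        CreateRuleSet CreateSupplementRule DeleteAlert DeleteBP DeleteBUnit DeleteCrActions
        DeleteCrProfiles DeleteCrRoles DeleteFunction DeleteOrgRules DeleteRisks DeleteRuleSet
        DeleteSupplementRule ExportMitigationData ExportRules GenerateAlert ImportMitigationData
        ImportRules MassFuncMaint RunAuditReports RunRiskAnalysis RunSecurityReports
        ViewAlertMonitor ViewBgJobLog ViewBGJobsForAllUsers ViewConfiguration ViewInformer
        ViewMgmtReport ViewMitigation ViewRuleArchitect""".split()),
    "VIRSA_CC_REPORT": set("""RunAuditReports RunRiskAnalysis RunSecurityReports
        ViewAlertMonitor ViewInformer ViewMgmtReport ViewMitigation""".split()),
    "VIRSA_CC_BUSINESS_OWNER": set("""ChangeBUnit ChangeMitCntl ChangeMitHRObject
        ChangeMitProfile ChangeMitRole ChangeMitUser CreateBUnit CreateMitCntl CreateMitHRObject
        CreateMitProfile CreateMitRole CreateMitUser DeleteBUnit DeleteMitCntl DeleteMitHRsObject
        DeleteMitProfile DeleteMitRole DeleteMitUser RunAuditReports RunRiskAnalysis
        RunSecurityReports ViewAlertMonitor ViewInformer ViewMgmtReport ViewMitigation
        ViewRuleArchitect""".split()),
    "FF_ADMIN": set("""ConfChangeRoleLogReport ConfChangeUserLogReport ConnConfChangeLogReport
        InvaildUserReport LogSummaryReport ReasonActivityReport SessionSummaryReport
        SessionSummaryRoleBasedReport SODReport TranUsageReport ViewConfigurationTab
        ViewReportsTab""".split()),
}

# Tab on which each RAR action appears, from the section 6.2 catalogue. Actions
# whose catalogue row is not in this excerpt (e.g. ChangeBP) resolve to "unknown".
_TAB_ACTIONS = {
    "Mitigation": """ChangeMitCntl ChangeMitHRObject ChangeMitProfile ChangeMitRole ChangeMitUser
        CreateAdmins CreateBUnit CreateMitCntl CreateMitHRObject CreateMitProfile CreateMitRole
        CreateMitUser DeleteAdmins DeleteBUnit DeleteMitCntl DeleteMitHRsObject DeleteMitProfile
        DeleteMitRole DeleteMitUser ExportMitigationData ImportMitigationData ViewMitigation""",
    "Rule Architect": """ChangeOrgRules ChangeRisks ChangeRuleSet ChangeSupplementRole CreateBP
        CreateCrProfiles CreateCrRoles CreateFunction CreateOrgRules CreateRisks CreateRuleSet
        CreateSupplementRule DeleteBP DeleteCrActions DeleteCrProfiles DeleteCrRoles DeleteFunction
        DeleteOrgRules DeleteRisks DeleteRuleSet DeleteSupplementRule ExportRules ImportRules
        MassFuncMaint ViewRuleArchitect""",
    "Alert Monitor": "ClearAlert CreateCrActions DeleteAlert GenerateAlert ViewAlertMonitor",
    "Configuration": "ManageDeletionAllRules ManageDeletionSystemRules ViewConfiguration",
    "Informer": "RunAuditReports RunRiskAnalysis RunSecurityReports ViewInformer ViewMgmtReport",
    "Informer & Configuration": "ViewBgJobLog ViewBGJobsForAllUsers",
}
TAB_OF = {a: tab for tab, names in _TAB_ACTIONS.items() for a in names.split()}

# Actions the guide describes as granting a whole tab rather than one function.
TAB_WIDE_GRANTS = {
    "ViewConfiguration": "execute all actions on the RAR Configuration tab",
    "ViewConfigurationTab": "view, create and change SPM connectors",
}


def is_modifying(action):
    """Heuristic of this example: View*/Run*/Export* and *Report actions only
    read; every other action creates, changes, deletes or imports data."""
    return not (action.startswith(("View", "Run", "Export")) or action.endswith("Report"))


def review_custom_role(name, actions, template):
    """Diff a custom role against the delivered role it was cloned from.
    'extra' is privilege creep beyond the template as (action, tab, modifying?)
    tuples; 'tab_wide' lists the all-or-nothing tab grants the role carries."""
    base = DELIVERED_ROLES[template]
    return {
        "role": name,
        "template": template,
        "extra": [(a, TAB_OF.get(a, "unknown"), is_modifying(a)) for a in sorted(actions - base)],
        "dropped": sorted(base - actions),
        "tab_wide": sorted(a for a in actions if a in TAB_WIDE_GRANTS),
    }


def least_privileged_delivered_role(required):
    """Smallest delivered role whose actions cover 'required', or None when no
    single delivered role does (a custom role is then unavoidable)."""
    fits = [(len(acts), n) for n, acts in DELIVERED_ROLES.items() if required <= acts]
    return min(fits)[1] if fits else None


# Constructed sample: a report role someone "extended" with deletion and
# configuration rights and trimmed of ViewMitigation. Hypothetical role name.
SAMPLE_CUSTOM_ROLE = (DELIVERED_ROLES["VIRSA_CC_REPORT"]
                      | {"DeleteRisks", "ManageDeletionAllRules", "ViewConfiguration"}
                      ) - {"ViewMitigation"}

if __name__ == "__main__":
    report = review_custom_role("Z_CC_REPORT_PLUS", SAMPLE_CUSTOM_ROLE, "VIRSA_CC_REPORT")
    for action, tab, modifying in report["extra"]:
        print(f"extra: {action:<26} tab={tab:<16} {'MODIFYING' if modifying else 'read-only'}")
    for action in report["tab_wide"]:
        print(f"tab-wide grant: {action} ({TAB_WIDE_GRANTS[action]})")
    print("dropped from template:", report["dropped"])
    print("smallest delivered role covering RunRiskAnalysis + ViewInformer:",
          least_privileged_delivered_role({"RunRiskAnalysis", "ViewInformer"}))
```

With the sample role the review reports DeleteRisks (Rule Architect) and ManageDeletionAllRules (Configuration) as modifying actions added to what was a pure reporting role, and ViewConfiguration as a tab-wide grant; a request for only RunRiskAnalysis and ViewInformer is satisfied by VIRSA_CC_REPORT, the smallest delivered role, while a request that mixes a mitigation action with a rule-architect action is covered by no delivered role at all.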
A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages as well as many glossary entries in English and German.
Target group: relevant for all target groups.
Current version: on SAP Help Portal at http://help.sap.com → Glossary; in the SAP system, in transaction STERM.

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group: consultants; system administrators; project teams for implementations or upgrades.
Current version: on SAP Help Portal at http://help.sap.com (also available as documentation DVD).

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/securityguide.

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Configuration documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations.
Current version: in SAP Solution Manager.

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades.
Current version: in the SAP menu of the SAP system under Tools → Customizing → IMG.

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/instguides.

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades.
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help → Release Notes (only ABAP developments).
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example → Example | Arrows separating the parts of a navigation path, for example, menu options.
Example | Emphasized words or expressions.
Example | Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com | Textual cross-references to an internet address.
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456.
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard.

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer: Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace: you can find this document at the following addresses: http://service.sap.com/securityguide and http://service.sap.com/instguides.
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Action Name Value Appears on This Tab
ChangeMitCntl Permission to change a mitigating control Mitigation
ChangeMitHRObject Permission to change mitigating HR objects Mitigation
ChangeMitProfile Permission to change mitigating profiles Mitigation
ChangeMitRole Permission to change mitigation at role level Mitigation
ChangeMitUser Permission to change mitigating users Mitigation
ChangeOrgRules Permission to change org rules Rule Architect
ChangeRisks Permission to change risks Rule Architect
ChangeRuleSet Permission to change rule sets Rule Architect
ChangeSupplementRole Permission to change supplement role Rule Architect
Clear Alert Permission to clear alerts Alert Monitor
CreateAdmins Permission to create administrators Mitigation
CreateBP Permission to create business processes Rule Architect
CreateBUnit Permission to business processes Mitigation
CreateCrActions Permission to create critical actions Alert Monitor
CreateCrProfiles Permission to create critical profiles Rule Architect
CreateCrRoles Permission to create critical roles Rule Architect
CreateFunction Permission to create functions Rule Architect
CreateMitCntl Permission to create a mitigating control Mitigation
CreateMitHRObject Permission to create mitigating HR objects Mitigation
CreateMitProfile Permission to create mitigating profiles Mitigation
CreateMitRole Permission to assign mitigation at role level Mitigation
CreateMitUser Permission to create mitigating users Mitigation
CreateOrgRules Permission to org rules Rule Architect
CreateRisks Permission to create risks Rule Architect
CreateRuleSet Permission to create rule sets Rule Architect
CreateSupplementRule Permission to create supplement rules Rule Architect
DeleteAdmins Permission to delete administrators Mitigation
DeleteAlert Permission to delete alerts Alert Monitor
DeleteBP Permission to delete business processes Rule Architect
DeleteBUnit Permission to delete a business unit Mitigation
DeleteCrActions Permission to delete critical actions Rule Architect
DeleteCrProfiles Permission to delete critical profiles Rule Architect
DeleteCrRoles Permission to delete critical roles Rule Architect
DeleteFunction Permission to delete functions Rule Architect
DeleteMitCntl Permission to delete a mitigating control Mitigation
DeleteMitHRsObject Permission to delete mitigating HR objects Mitigation
DeleteMitProfile Permission to delete mitigating profiles Mitigation
DeleteMitRole Permission to delete mitigation at role level Mitigation
DeleteMitUser Permission to delete mitigating users Mitigation
DeleteOrgRules Permission to delete org rules Rule Architect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
4052 PUBLIC 2011-12-27
Action Name Value Appears on This Tab
Delete Risks Permission to delete risks Rule Architect
DeleteRuleSet Permission to delete rule sets Rule Architect
DeleteSupplementlRule Permission to delete supplement rules Rule Architect
ExportMitigationData Permission to export mitigation data Mitigation
Export Rules Permission to export rules Rule Architect
Generate Alert Permission to generate alerts Alert Monitor
ImportMitigationData Permission to import mitigation data Mitigation
ImportRules Permission to import rules Rule Architect
MassFuncMaint Permission for mass maintenance of functions Rule Architect
ManageDeletionAllRules Permission to delete all rules Configuration
ManageDeletionSystemRules Permission to delete systems Configuration
RunAuditReports Permission to run audit reports Informer
RunRiskAnalysis Permission to run risk analysis Informer
RunSecurityReports Permission to run security reports Informer
ViewAlertMonitor Permission to view Alert TabThere are no configurable actions associated with this tab Assigning this action providers the user with the ability to view all Conflicting Actions Critical Actions Control Monitoring and Cleared Alerts
Alert Monitor
ViewBgJobLog Permission to view users own background jobs Informer amp Configuration
ViewBGJobsforAllUsers Permission to view background jobs for all users Informer amp Configuration
ViewConfiguration Permission to view and execute all actions on the Configuration TabThere are no configurable actions associated with this tab Assigning this action provides the user with the ability to execute all actions within this tab
Configuration
ViewInformer Permission to view Informer Tab Informer
ViewMgmtReport Permission to view management reports Informer
ViewMitigation Permission to view the Mitigation Tab Mitigation
ViewRuleArchitect Permission to view the Rule Architect Tab Rule Architect
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSAS_CC_BUSINESS_OWNER
The following table lists the actions for the roles
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
ChangeBP RunAuditReports ChangeBUnit
ChangeBUnit RunRiskAnalysis ChangeMitCntl
ChangeCrActions RunSecurityReports ChangeMitHRObject
ChangeCrProfiles ViewAlertMonitor ChangeMitProfile
ChangeCrRoles ViewInformer ChangeMitRole
ChangeFunction ViewMgmtReport ChangeMitUser
ChangeOrgRules ViewMitigation CreateBUnit
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
2011-12-27 PUBLIC 4152
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
ChangeRisks CreateMitCntl
ChangeRuleSet CreateMitHRObject
CreateBP CreateMitProfile
CreateCrActions CreateMitRole
CreateCrProfiles CreateMitUser
CreateCrRoles DeleteBUnit
CreateFunction DeleteMitCntl
CreateOrgRules DeleteMitHRsObject
CreateRisks DeleteMitProfile
CreateRuleSet DeleteMitRole
CreateSupplementRule DeleteMitUser
DeleteAlert RunAuditReports
DeleteBP RunRiskAnalysis
DeleteBUnit RunSecurityReports
DeleteCrActions ViewAlertMonitor
DeleteCrProfiles ViewInformer
DeleteCrRoles ViewMgmtReport
DeleteFunction ViewMitigation
DeleteOrgRules ViewRuleArchitect
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecuirtyReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
4252 PUBLIC 2011-12-27
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM The following table lists an example role and the required
actions for an administrator
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report
Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogRe port Permission to view Connector Configuration Change Log Report
Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the log Summary Report Reports
ReasonActivityReport Permission to view the ReasonActivityReport Reports
SessionSummaryReport Permission to view the Session Summary Report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report
Reports
SODReport Permission to view the SOD Report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab Assigning this action grants the user permission to view create and change connectors
Configuration
ViewReportsTab Permission to view reports Reports
7 Recommended Front End Roles and Permissions for SPM
2011-12-27 PUBLIC 4352
This page is left blank for documents that are printed on both sides
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German
Target group
Relevant for all target groups
Current version
On SAP Help Portal at httphelpsapcom Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4552
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ndash SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
A Reference
A1 The Main SAP Documentation Types
4652 PUBLIC 2011-12-27
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4752
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcomreleasenotes
In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
A Reference
A1 The Main SAP Documentation Types
4852 PUBLIC 2011-12-27
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this document at the following addresses: https://service.sap.com/securityguide and http://service.sap.com/instguides

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 1805 34 34 34
F +49 1805 34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
6 Delivered Front End Roles and Permissions
6.2 Customizing the Front End Roles

Action Name | Value | Appears on This Tab
DeleteRisks | Permission to delete risks | Rule Architect
DeleteRuleSet | Permission to delete rule sets | Rule Architect
DeleteSupplementRule | Permission to delete supplement rules | Rule Architect
ExportMitigationData | Permission to export mitigation data | Mitigation
ExportRules | Permission to export rules | Rule Architect
GenerateAlert | Permission to generate alerts | Alert Monitor
ImportMitigationData | Permission to import mitigation data | Mitigation
ImportRules | Permission to import rules | Rule Architect
MassFuncMaint | Permission for mass maintenance of functions | Rule Architect
ManageDeletionAllRules | Permission to delete all rules | Configuration
ManageDeletionSystemRules | Permission to delete systems | Configuration
RunAuditReports | Permission to run audit reports | Informer
RunRiskAnalysis | Permission to run risk analysis | Informer
RunSecurityReports | Permission to run security reports | Informer
ViewAlertMonitor | Permission to view the Alert tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to view all Conflicting Actions, Critical Actions, Control Monitoring, and Cleared Alerts. | Alert Monitor
ViewBgJobLog | Permission to view the user's own background jobs | Informer & Configuration
ViewBGJobsforAllUsers | Permission to view background jobs for all users | Informer & Configuration
ViewConfiguration | Permission to view and execute all actions on the Configuration tab. There are no configurable actions associated with this tab; assigning this action provides the user with the ability to execute all actions within this tab. | Configuration
ViewInformer | Permission to view the Informer tab | Informer
ViewMgmtReport | Permission to view management reports | Informer
ViewMitigation | Permission to view the Mitigation tab | Mitigation
ViewRuleArchitect | Permission to view the Rule Architect tab | Rule Architect

The following lists the actions for the roles VIRSA_CC_SECURITY_ADMIN, VIRSA_CC_REPORT, and VIRSA_CC_BUSINESS_OWNER.

VIRSA_CC_SECURITY_ADMIN
ChangeBP
ChangeBUnit
ChangeCrActions
ChangeCrProfiles
ChangeCrRoles
ChangeFunction
ChangeOrgRules
ChangeRisks
ChangeRuleSet
CreateBP
CreateCrActions
CreateCrProfiles
CreateCrRoles
CreateFunction
CreateOrgRules
CreateRisks
CreateRuleSet
CreateSupplementRule
DeleteAlert
DeleteBP
DeleteBUnit
DeleteCrActions
DeleteCrProfiles
DeleteCrRoles
DeleteFunction
DeleteOrgRules
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect

VIRSA_CC_REPORT
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation

VIRSA_CC_BUSINESS_OWNER
ChangeBUnit
ChangeMitCntl
ChangeMitHRObject
ChangeMitProfile
ChangeMitRole
ChangeMitUser
CreateBUnit
CreateMitCntl
CreateMitHRObject
CreateMitProfile
CreateMitRole
CreateMitUser
DeleteBUnit
DeleteMitCntl
DeleteMitHRsObject
DeleteMitProfile
DeleteMitRole
DeleteMitUser
RunAuditReports
RunRiskAnalysis
RunSecurityReports
ViewAlertMonitor
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
7 Recommended Front End Roles and Permissions for SPM

SAP does not deliver a front end role for SPM. The following table lists an example role and the required actions for an administrator.

FF_ADMIN

Action Name | Description | Appears on This Tab
ConfChangeRoleLogReport | Permission to view the Role-based Configuration Change Log report | Reports
ConfChangeUserLogReport | Permission to view the User-based Change Log report | Reports
ConnConfChangeLogReport | Permission to view the Connector Configuration Change Log report | Change Log
InvaildUserReport | Permission to view the Invalid User report | Reports
LogSummaryReport | Permission to view the Log Summary report | Reports
ReasonActivityReport | Permission to view the Reason Activity report | Reports
SessionSummaryReport | Permission to view the Session Summary report | Reports
SessionSummaryRoleBasedReport | Permission to view the Session Summary Role-based report | Reports
SODReport | Permission to view the SOD report | Reports
TranUsageReport | Permission to view the Transaction Usage report | Reports
ViewConfigurationTab | There are no configurable actions for the Configuration tab. Assigning this action grants the user permission to view, create, and change connectors. | Configuration
ViewReportsTab | Permission to view reports | Reports
A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
  Relevant for all target groups
Current version
  On SAP Help Portal at http://help.sap.com → Glossary
  In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
  Consultants
  System administrators
  Project teams for implementations or upgrades
Current version
  On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
  System administrators
  Technology consultants
  Solution consultants
Current version
  On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
  Technology consultants
  Project teams for implementations
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
  Technology consultants
  Project teams for implementations
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
  Technology consultants
  Solution consultants
  Project teams for implementations
Current version
  In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
  Solution consultants
  Project teams for implementations or upgrades
Current version
  In the SAP menu of the SAP system under Tools → Customizing → IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group
  System administrators
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
  System administrators
  Technology consultants
  Solution consultants
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
  Technology consultants
  Project teams for upgrades
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
  Technology consultants
  Project teams for upgrades
Current version
  On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
  Consultants
  Project teams for upgrades
Current version
  On SAP Service Marketplace at http://service.sap.com/releasenotes
  In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages; source code or syntax quoted directly from a program; file and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
VIRSA_CC_SECURITY_ADMIN VIRSA_CC_REPORT VIRSA_CC_BUSINESS_OWNER
ChangeRisks CreateMitCntl
ChangeRuleSet CreateMitHRObject
CreateBP CreateMitProfile
CreateCrActions CreateMitRole
CreateCrProfiles CreateMitUser
CreateCrRoles DeleteBUnit
CreateFunction DeleteMitCntl
CreateOrgRules DeleteMitHRsObject
CreateRisks DeleteMitProfile
CreateRuleSet DeleteMitRole
CreateSupplementRule DeleteMitUser
DeleteAlert RunAuditReports
DeleteBP RunRiskAnalysis
DeleteBUnit RunSecurityReports
DeleteCrActions ViewAlertMonitor
DeleteCrProfiles ViewInformer
DeleteCrRoles ViewMgmtReport
DeleteFunction ViewMitigation
DeleteOrgRules ViewRuleArchitect
DeleteRisks
DeleteRuleSet
DeleteSupplementRule
ExportMitigationData
ExportRules
GenerateAlert
ImportMitigationData
ImportRules
MassFuncMaint
RunAuditReports
RunRiskAnalysis
RunSecuirtyReports
ViewAlertMonitor
ViewBgJobLog
ViewBGJobsForAllUsers
ViewConfiguration
ViewInformer
ViewMgmtReport
ViewMitigation
ViewRuleArchitect
6 Delivered Front End Roles and Permissions
62 Customizing the Front End Roles
4252 PUBLIC 2011-12-27
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM The following table lists an example role and the required
actions for an administrator
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report
Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogRe port Permission to view Connector Configuration Change Log Report
Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the log Summary Report Reports
ReasonActivityReport Permission to view the ReasonActivityReport Reports
SessionSummaryReport Permission to view the Session Summary Report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report
Reports
SODReport Permission to view the SOD Report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab Assigning this action grants the user permission to view create and change connectors
Configuration
ViewReportsTab Permission to view reports Reports
7 Recommended Front End Roles and Permissions for SPM
2011-12-27 PUBLIC 4352
This page is left blank for documents that are printed on both sides
A Reference
A1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various
phases in the life cycle of SAP software
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages as
well as many glossary entries in English and German
Target group
Relevant for all target groups
Current version
On SAP Help Portal at httphelpsapcom Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising
security levels A collective security guide is available for SAP NetWeaver This document contains
general guidelines and suggestions SAP applications have a security guide of their own
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
The master guide is the starting point for implementing an SAP solution It lists the required installable
units for each business or IT scenario It provides scenario-specific descriptions of preparation
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4552
execution and follow-up of an implementation It also provides references to other documents such
as installation guides the technical infrastructure guide and SAP Notes
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit taking into
account the combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ndash SAP Solution Manager is a life-cycle
platform One of its main functions is the configuration of business scenarios business processes and
implementable steps It contains Customizing activities transactions and so on as well as
documentation
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system The
Customizing activities and their documentation are structured from a functional perspective (In order
to configure a whole system landscape from a process-oriented perspective SAP Solution Manager
which refers to the relevant Customizing activities in the individual SAP systems is used)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver and precedes the application operations guides of SAP Business Suite The manual refers
A Reference
A1 The Main SAP Documentation Types
4652 PUBLIC 2011-12-27
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4752
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcomreleasenotes
In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
A Reference
A1 The Main SAP Documentation Types
4852 PUBLIC 2011-12-27
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
7 Recommended Front End Roles and Permissions for SPM
SAP does not deliver a front end role for SPM The following table lists an example role and the required
actions for an administrator
FF_ADMIN
Action Name Description Appears on This Tab
ConfChangeRoleLogReport Permission to view the Role-based Configuration Change Log report
Reports
ConfChangeUserLogReport Permission to view the User-based Change Log report Reports
ConnConfChangeLogRe port Permission to view Connector Configuration Change Log Report
Change Log
InvaildUserReport Permission to view the Invalid User report Reports
LogSummaryReport Permission to view the log Summary Report Reports
ReasonActivityReport Permission to view the ReasonActivityReport Reports
SessionSummaryReport Permission to view the Session Summary Report Reports
SessionSummaryRoleBasedReport Permission to view the Session Summary Role-based report
Reports
SODReport Permission to view the SOD Report Reports
TranUsageReport Permission to view the Transaction Usage report Reports
ViewConfigurationTab There are no configurable actions for the Configuration tab Assigning this action grants the user permission to view create and change connectors
Configuration
ViewReportsTab Permission to view reports Reports
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
Target group
Relevant for all target groups
Current version
On SAP Help Portal at http://help.sap.com > Glossary
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
Target group
Consultants
System administrators
Project teams for implementations or upgrades
Current version
On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for implementations
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group
Technology consultants
Solution consultants
Project teams for implementations
Current version
In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group
Solution consultants
Project teams for implementations or upgrades
Current version
In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group
System administrators
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at http://service.sap.com/releasenotes
In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 34, F +49/18 05/34 34 20
www.sap.com
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for implementations
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
Target group: technology consultants; solution consultants; project teams for implementations
Current version: in SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
Target group: solution consultants; project teams for implementations or upgrades
Current version: in the SAP menu of the SAP system under Tools → Customizing → IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
Target group: system administrators
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
Target group: system administrators; technology consultants; solution consultants
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
Target group: technology consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
Target group: consultants; project teams for upgrades
Current version: on SAP Service Marketplace at http://service.sap.com/releasenotes; in the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example | Arrows separating the parts of a navigation path, for example, menu options.
Example | Emphasized words or expressions.
Example | Words or characters that you enter in the system exactly as they appear in the documentation.
http://www.sap.com | Textual cross-references to an internet address.
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456.
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works.
Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE | Keys on the keyboard.
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
users to the tools and documentation that are needed to carry out various tasks such as monitoring
backup restore master data maintenance transports and tests
Target group
System administrators
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The application operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed It refers users to the tools and documentation that
are needed to carry out the various operations-related tasks
Target group
System administrators
Technology consultants
Solution consultants
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of
an SAP solution It provides scenario-specific descriptions of preparation execution and follow-up of
an upgrade It also refers to other documents such as upgrade guides and SAP Notes
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into account the
combinations of operating systems and databases It does not describe any business-related
configuration
Target group
Technology consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular release or
changes to existing features since the previous release Release notes about ABAP developments are the
technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide
(IMG)
Target group
A Reference
A1 The Main SAP Documentation Types
2011-12-27 PUBLIC 4752
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcomreleasenotes
In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
A Reference
A1 The Main SAP Documentation Types
4852 PUBLIC 2011-12-27
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Consultants
Project teams for upgrades
Current version
On SAP Service Marketplace at httpservicesapcomreleasenotes
In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
A Reference
A1 The Main SAP Documentation Types
4852 PUBLIC 2011-12-27
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example Words or characters quoted from the screen These include field labels screen titles pushbutton labels menu names and menu options
Cross-references to other documentation or published works
Example Output on the screen following a user action for example messages Source code or syntax quoted directly from a program File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program names transaction codes database table names and key concepts of a programming language when they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
2011-12-27 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countriesOracle and Java are registered trademarks of OracleUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of TechnologySAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer StreamWork SAP HANA and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countriesBusiness Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd Business Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of Sybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified or altered in any way
5052 PUBLIC 2011-12-27
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpsservicesapcomhttpservicesapcomsecurityguideinstguides
2011-12-27 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2011 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2011 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
50/52 PUBLIC 2011-12-27
Documentation in the SAP Service Marketplace

You can find this document at the following addresses:
https://service.sap.com/securityguide
http://service.sap.com/instguides
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49 18 05 34 34 34
F +49 18 05 34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.