MDG70SP02SEC

8/12/2019 MDG70SP02SEC

http://slidepdf.com/reader/full/mdg70sp02sec 1/27

SAP Library

Master Data Governance Security Guide 1

Master Data Governance Security Guide

CUSTOMERDocument Version: 19.05.2014

8/12/2019 MDG70SP02SEC


SAP Library


Copyright© Copyright 2013 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP AG. The information contained herein may be changed

without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software

components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for

informational purposes only, without representation or warranty of any kind, and SAP Group

shall not be liable for errors or omissions with respect to the materials. The only warranties for

SAP Group products and services are those that are set forth in the express warranty statements

accompanying such products and services, if any. Nothing herein should be construed as

constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for

additional trademark information and notices.

8/12/2019 MDG70SP02SEC


SAP Library


Icons in Body TextIcon Meaning

Caution

Example

Note

Recommendation

Syntax

Additional icons are used in SAP Library documentation to help you identify different types of

information at a glance. For more information, see Help on Help General InformationClasses and Information Classes for Business Information Warehouse on the first page of anyversion of SAP Library.

Typographic ConventionsType Style Description

Example text Words or characters quoted from the screen. These include field names, screen

titles, pushbuttons labels, menu names, menu paths, and menu options.Cross-references to other documentation.

Example text Emphasized words or phrases in body text, graphic titles, and table titles.EXAMPLE TEXT Technical names of system objects. These include report names, program

names, transaction codes, table names, and key concepts of a programminglanguage when they are surrounded by body text, for example, SELECT andINCLUDE.

Exampl e t ext Output on the screen. This includes file and directory names and their paths,messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in the systemexactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and

characters with appropriate entries to make entries in the system.EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

8/12/2019 MDG70SP02SEC


SAP Library


Master Data Governance Security Guide

The following guide covers the information that you require to operate Master DataGovernance securely. To make the information more accessible, it is divided into a generalpart, containing information relevant for all components, and a separate part for informationspecific for individual components.

1 Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

Technology consultants

Security consultants

System administrators

This document is not included as part of the Installation Guides, Configuration Guides,Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certainphase of the software life cycle, whereas the Security Guide provides information that isrelevant for all life cycle phases.

Why Is Securi ty Necessary?

With the increasing use of distributed systems and the Internet for managing business data,the demands on security are also on the rise. When using a distributed system, you need tobe sure that your data and processes support your business needs without allowingunauthorized access to critical information. User errors, negligence, or attemptedmanipulation of your system should not result in loss of information or processing time. Thesedemands on security apply likewise to Master Data Governance. To assist you in securingMaster Data Governance, we provide this Security Guide.

Since Master Data Governance is based on and uses SAP NetWeaver technology, it isessential that you consult the Security Guide for SAP NetWeaver. See SAP ServiceMarketplace at http://service.sap.com/securityguide SAP NetWeaver .

For all Security Guides published by SAP, see SAP Service Marketplace athttp://service.sap.com/securityguide.

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start [Page 5]

This section contains information about why security is necessary, how to use thisdocument, and references to other Security Guides that build the foundation for thisSecurity Guide.

Technical System Landscape [Page 6]

8/12/2019 MDG70SP02SEC


SAP Library


This section provides an overview of the technical components and communicationpaths that are used by Master Data Governance.

User Management and Authentication [Page 6]

This section provides an overview of the following user administration and

authentication aspects:

o Recommended tools to use for user management

o User types that are required by Master Data Governance

o Standard users that are delivered with Master Data Governance

o Overview of the user synchronization strategy

o Overview of how integration into Single Sign-On environments is possible

Authorizations [Page 10]

This section provides an overview of the authorization concept that applies to Master Data Governance.

Network and Communication Security [Page 10]

This section provides an overview of the communication paths used by Master DataGovernance and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Data Storage Security [Page 13]

This section provides an overview of any critical data that is used by Master DataGovernance and the security mechanisms that apply.

Enterprise Services Security [Page 14]

This section provides an overview of the security aspects that apply to the enterpriseservices delivered with Master Data Governance.

Security-Relevant Logs and Tracing [Page 14]

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breachdoes occur.

Appendix [Page 26]

This section provides references to further information.

2 Before You Start

This table contains the most important SAP notes concerning the safety of Master DataGovernance.

Title SAPNote

Comment

Code injection vulnerability inUAC_ASSIGNMENT_CONTROL_TEST

1493809 MDG and XBRL

8/12/2019 MDG70SP02SEC


SAP Library


Data can be displayed without authorization 1489976 MDG (Financial Master DataGovernance, CA-MDG-APP-FIN)

More Information

For more information about specific topics, see the sources in the table below.

Content Quick Link on SAP Service Marketplace or SDN

Security http://sdn.sap.com/irj/sdn/security

Security Guides http://service.sap.com/securityguide

Related Notes http://service.sap.com/notes

http://service.sap.com/securitynotes

Allowed platforms http://service.sap.com/pam

Network security http://service.sap.com/securityguide

SAP Solution Manager http://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

3 Technical System Landscape

For information about the technical system landscape, see the sources listed in the tablebelow.

Subject Guide/Tool Quick Link to SAP Service Marketplace

Technical description of Master DataGovernance and theunderlying technicalcomponents, such asSAP NetWeaver

Master Guide http://service.sap.com/instguides SAPBusiness Suite Applications SAP Master Data

Governance

High availability High Availability for SAPSolutions

http://sdn.sap.com/irj/sdn/ha

Design of technicallandscape

See availabledocuments

http://sdn.sap.com/irj/sdn/landscapedesign

Security See availabledocuments

http://sdn.sap.com/irj/sdn/security

4 User Management and Authentication

8/12/2019 MDG70SP02SEC


SAP Library


Master Data Governance uses the user management and authentication mechanisms of theSAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore,the security recommendations and guidelines for user management and authentication thatare described in the security guide for SAP NetWeaver Application Server for ABAP SecurityGuide [External] also apply to Master Data Governance.

In addition to these guidelines, we also supply information on user management andauthentication that is especially applicable to Master Data Governance in the followingsections:

User Administration [Page 7]

This section details the user management tools, the required user types, and thestandard users that are supplied with Master Data Governance.

User Data Synchronization [Page 9]

The components of Master Data Governance can use user data together with other components. This section describes how the user data is synchronized with theseother sources.

Integration into Single Sign-On Environments [Page 9]

This section describes how Master Data Governance supports single sign-on-mechanisms.

4.1 User Administration

Master Data Governance user management uses the mechanisms provided by SAPNetWeaver Application Server for ABAP, such as tools, user types, and the passwordconcept. For an overview of how these mechanisms apply for Master Data Governance, seethe sections below. In addition, we provide a list of the standard users required for operatingcomponents of Master Data Governance.

User Administration Tools

The following table shows the user administration tools for Master Data Governance.

Tool Description

User maintenance for ABAP-based systems(transaction SU01)

For more information on the authorization objects provided bythe components of Master Data Governance, see thecomponent specific section.

Role maintenance with theprofile generator for ABAP-based systems (PFCG)

For more information on the roles provided by Master DataGovernance, see the component specific section. For moreinformation, see User and Role Administration of ApplicationServer ABAP [External]

Central User Administration(CUA) for the maintenanceof multiple ABAP-basedsystems

For more information, see Central User Administration[External].

User Management Enginefor SAP NetWeaver AS Java

(UME)

Administration console for maintenance of users, roles, andauthorizations in Java-based systems and in the Enterprise

Portal. The UME also provides persistence options, such as ABAP Engine. For more information, see User Management

8/12/2019 MDG70SP02SEC


SAP Library


Engine [External].

For more information on the tools that SAP provides for user administration with SAPNetWeaver, see SAP Service Marketplace at http://service.sap.com/securityguide

SAP NetWeaver 7.0 Security Guides (Complete) Release User Administrationand Authentication .

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have tochange their passwords on a regular basis, but not those users under which backgroundprocessing jobs run.

User types required for Master Data Governance include, for example:

Individual users

o Dialog users

Dialog users are used for SAP GUI for Windows.

o Internet users for Web applications

Same policies apply as for dialog users, but used for Internet connections.

Technical users:

o Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS

service).

o Communication users are used for dialog-free communication betweensystems.

o Background users can be used for processing in the background.

For more information about user types, see User Types [External] in the Security Guide for SAP NetWeaver AS ABAP.

Standard Users

The following table shows the standard users that are necessary for operating Master Data

Governance.

System User ID Type Password AdditionalInformation

SAP Web ApplicationServer

( sapsi d)adm SAP systemadministrator

Mandatory SAP NetWeaver installation guide


SAP Service(sapsid)adm

SAP systemserviceadministrator

Mandatory SAP NetWeaver installation guide

SAP Web Application

SAP Standard ABAPUsers (SAP*, DDIC,EARLYWATCH,

See SAPNetWeaver

SAP NetWeaver security guide

8/12/2019 MDG70SP02SEC


SAP Library


Server SAPCPIC) security guide


SAP Standard SAPWeb ApplicationServer Java Users

See SAPNetWeaver security guide

SAP NetWeaver security guide

SAP ECC SAP Users Dialog users Mandatory The number of usersdepends on the areaof operation and thebusiness data to beprocessed.

We recommend that you change the passwords and IDs of users that were createdautomatically during the installation.

4.2 User Data Synchronization

By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since Master Data Governance is based on SAP NetWeaver, youcan use all of the mechanisms for user synchronization in SAP NetWeaver here. For moreinformation, see the SAP NetWeaver Security Guide on SAP Service Marketplace at

service.sap.com/securityguide SAP NetWeaver.

You can use user data distributed across systems by replicating the data, for examplein a central directory such as LDAP.

4.3 Integration into Single Sign-On Environments

Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAPNetWeaver Application Server for ABAP technology. Therefore, the securityrecommendations and guidelines for user management and authentication that are describedin the SAP NetWeaver Security Guide [External] also apply to Master Data Governance.

Master Data Governance supports the following mechanisms:

Secure Network Communication (SNC)

SNC is available for user authentication and provides for an SSO environment when using theSAP GUI for Windows or Remote Function Calls.

SAP Logon Tickets

Master Data Governance supports the use of logon tickets for SSO when using a Webbrowser as the front-end client. In this case, users can be issued a logon ticket after theyhave authenticated themselves with the initial SAP system. The ticket can then be submittedto other systems (SAP or external systems) as an authentication token. The user does notneed to enter a user ID or password for authentication, but can access the system directly

8/12/2019 MDG70SP02SEC


SAP Library


once it has checked the logon ticket. For more information, see SAP Logon Tickets in theSecurity Guide for SAP NetWeaver Application Server .

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web

browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using theSecure Sockets Layer Protocol (SSL Protocol). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For more information about available authentication mechanisms, seeSAP Library for SAP NetWeaver under User Authentication and Single Sign-On [External].

5 Authorizations

Master Data Governance uses the authorization concept of SAP NetWeaver ApplicationServer ABAP. Therefore, the security recommendations and guidelines for authorizations thatare described in the Security Guide for SAP NetWeaver Application Server ABAP also applyto Master Data Governance. You can use authorizations to restrict the access of users to thesystem, and thereby protect transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigningauthorizations to users based on roles. For role maintenance in SAP NetWeaver ApplicationServer ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User Management Engine(UME). You can define user-specific menus using roles.

For more information about creating roles, see Role Administration [External].

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can usethese roles as a template for your own roles.

For a list of the standard roles and authorization objects used by components of Master DataGovernance, see the section of this document relevant to each component.

Before using the roles listed, you may want to check whether the standard rolesdelivered by SAP meet your requirements.

Authorizations for Customizing Settings

You can use Customizing roles to control access to the configuration of Master DataGovernance in the SAP Customizing Implementation Guide (IMG).

6 Network and Communication Security

8/12/2019 MDG70SP02SEC


SAP Library


Your network infrastructure is extremely important in protecting your system. Your networkneeds to support the communication necessary for your business and your needs withoutallowing unauthorized access. A well-defined network topology can eliminate many securitythreats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders

to compromise the devices and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), theycannot exploit known bugs and security holes in network services on the server machines.

The network topology for Master Data Governance is based on the topology used by the SAPNetWeaver platform. Therefore, the security guidelines and recommendations described inthe SAP NetWeaver Security Guide also apply to Master Data Governance. Details that relatedirectly to SAP ERP Central Component are described in the following sections:

Communication Channel Security [Page 11]

This section contains a description of the communication channels and protocols thatare used by the components of Master Data Governance.

Network Security [Page 12]

This section contains information on the network topology recommended for thecomponents of Master Data Governance. It shows the appropriate network segmentsfor the various client and server components and where to use firewalls for accessprotection. It also contains a list of the ports required for operating thesubcomponents of Master Data Governance.

Communication Destinations [Page 12]

This section describes the data needed for the various communication channels, for example, which users are used for which communications.

For more information, see the following section in the SAP NetWeaver Security Guide:Security Guides for Connectivity and Interoperability Technologies [External]

6.1 Communication Channel Security

Communication channels transfer a wide variety of different business data that needs to beprotected from unauthorized access. SAP makes general recommendations and providestechnology for the protection of your system landscape based on SAP NetWeaver.

The table below shows the communication channels used by Master Data Governance, the

protocol used for the connection, and the type of data transferred.

Communication Path ProtocolUsed

Type of DataTransferred

Data RequiringSpecial Protection

Application server to applicationserver

RFC,HTTP(S)

Integration data Business data

Application server to applicationof a third party administrator

HTTP(S) Application data For example,passwords, businessdata

DIAG and RFC connections can be protected using Secure Network Communications (SNC).

HTTP connections are protected using the Secure Sockets Layer protocol (SSL protocol).

8/12/2019 MDG70SP02SEC


SAP Library


We strongly recommend that you use secure protocols (SSL, SNC).

For more information, see Transport Layer Security [External] und Web Services Security

[External] in the SAP NetWeaver Security Guide.

6.2 Network Security

Since Master Data Governance is based on SAP NetWeaver technology, for informationabout network security, see the following sections of the SAP NetWeaver Security Guide at

http://help.sap.com SAP ERP Release/Language SAP NetWeaver Library

Administrator's Guide NetWeaver Security Guide Network and Communication SecurityNetwork Services :

Using Firewall Systems for Access Control [External]

Using Multiple Network Zones [External]

If you provide services in the Internet, you should protect your network infrastructure with afirewall at least. You can further increase the security of your system or group of systems byplacing the groups in different network segments, each of which you then protect fromunauthorized access by a firewall. You should bear in mind that unauthorized access is alsopossible internally if a malicious user has managed to gain control of one of your systems.

Ports

Master Data Governance is executed in SAP NetWeaver and uses the ports of AS ABAP or

AS Java. For more information see the corresponding security guides for SAP NetWeaver inthe topics for AS ABAP Ports [External] and AS Java Ports [External]. For information aboutother components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see the documentTCP/IP Ports Used by SAP Applications in SAP Developer Network athttp://sdn.sap.com/irj/sdn/security under Infrastructure Security Network andCommunications Security .

6.3 Communication Destinations

The use of users and authorizations in an irresponsible manner can pose security risks. You

should therefore follow the security rules below when communicating between systems:

Employ the user types system and communication.

Grant a user only the minimum authorizations.

Choose a secure password and do not divulge it to anyone else.

Only store user-specific logon data for users of type system and communication.

Wherever possible, use trusted system functions instead of user-specific logon data.

8/12/2019 MDG70SP02SEC


SAP Library


6.4 Use of Virus Scanners

If you upload files from application servers into Master Data Governance and you want to usean virus scanner, a virus scanner must then be active on each application server. For moreinformation, see SAP Note 964305 (solution A).

Work through the Customizing activities in the Implementation Guide under theVirus Scan Interface node.

When doing this, use the virus scan profile

/ MDG_BS_FI LE_UPLOAD/ MDG_VSCAN, which is delivered for Master Data

Governance.

When you upload files from the front-end into Master Data Governance, the system uses theconfiguration you defined for virus scan profile / SI HTTP/ HTTP_UPLOAD. For more

information, see SAP Note 1693981.

7 Data Storage Security

Using Logical Paths and File Names to Protect Access to the FileSystem

Master Data Governance saves data in files in the file system. Therefore, it is important to

explicitly provide access to the corresponding files in the file system without allowing accessto other directories or files (also known as directory traversal). This is achieved by specifyinglogical paths and file names in the system that map to the physical paths and file names. Thismapping is validated at runtime and if access is requested to a directory that does not matcha stored mapping, then an error occurs. In the application-specific part of this guide, there is alist for each component of the logical file names and paths, where it is specified for whichprograms these file names and paths apply.

Activat ing the Val idat ion of Logical Paths and File Names

The logical paths and file names are entered in the system for the corresponding programs.For downward compatibility, the validation at runtime is deactivated by default. To activate thevalidation at runtime, maintain the physical path using the transactions FILE (client-

independent) and SF01 (client-dependent). To determine which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.

More Information

Logical File Names [External]

Protecting Access to the File System [External]

Security Audit Logs [External]

For information about data storage security, see the SAP NetWeaver Security Guide athttp://help.sap.com SAP NetWeaver Release/Language SAP NetWeaver Library

Administrator’s Guide NetWeaver Security Guide Security Guides for the OperatingSystem and Database Platforms

8/12/2019 MDG70SP02SEC


SAP Library


8 Enterprise Services Security

The following sections in the NetWeaver Security Guide are relevant for Master DataGovernance:

Web Services Security Guide [External]

Recommended WS Security Scenarios [External]

9 Security-Relevant Logs and Tracing

The trace and log files of Master Data Governance use the standard mechanisms of SAPNetWeaver. For more information, see the following sections in the SAP NetWeaver Security

Guide at http://service.sap.com/securityguide:

Auditing and Logging [External]

Tracing and Logging [External] (AS Java)

10 Segregation of Duties

Segregation of duties can be achieved by assigning roles to users and in addition by a strictseparation of the user groups for the workflow.

Activit ies

Assigning Roles to Users

You can assign roles to a user using the following transactions:

User Maintenance SU01

Use this transaction to assign one or more roles to one user.

Role Maintenance PFCG

Use this transaction to assign one or more users to one role.

Separating User Groups for the Workflow

Depending on the component of Master Data Governance you intend to configure, use thefollowing Customizing activities to separate the user groups:

MDG-M, MDG-F

Run the Customizing activity under Master Data Governance General SettingsProcess Modeling Workflow Rule-Based Workflow Configure Rule-Based

Workflow .

MDG-S

8/12/2019 MDG70SP02SEC


SAP Library


Run the Customizing activity under Master Data Governance Master DataGovernance for Supplier Workflow Assign Processor to Change Request Step

Number in BRFplus for Supplier .

MDG-C

Depending on the change request step, run the following Customizing activitiesunder:

o Master Data Governance General Settings Process ModelingWorkflow Other MDG Workflows Assign Processor to Change Request

Step Number (Simple Workflow)

o Master Data Governance Master Data Governance for Supplier Workflow Assign Processor to Change Request Step Number in BRFplus

for Supplier

For further information, see Configuring Master Data Governance for Customer [External].

For information about the corresponding roles, see the documents listed below:

Authorization Objects Used by Master Data Governance [Page 15]

Supplier Master Data Governance (CA-MDG-APP-SUP) [Page 18]

Customer Master Data Governance (CA-MDG-APP-CUS) [Page 20]

Material Master Data Governance (CA-MDG-APP-MM) [Page 22]

Financial Master Data Governance (CA-MDG-APP-FIN) [Page 24]

Custom Objects (CA-MDG-COB) [Page 25]

11 Authorization Objects and Roles Used byMaster Data Governance

Authorization Objects

The following authorization objects are used by all components of Master Data Governance.

To obtain more detailed information about specific authorization objects proceed asfollows:

1. Choose SAP Menu Tools ABAP Workbench Development Other

Tools Authorization Objects Objects (Transaction SU21).

2. Select the authorization object using (Find) and then choose (Display).

3. On the Display authorization object dialog box choose Display ObjectDocumentation.

Author izat ion Object Descript ion

8/12/2019 MDG70SP02SEC


SAP Library


MDG_MDF_TR Master Data: Transport

MDG_I DM Key Mapping

USMD_CREQ Change Request

USMD_MDAT Master Data

USMD_MDATH Hierarchies

USMD_UI 2 UI Configuration

DRF_RECEI VE Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

CA_POWL Authorization for iViews for personal object worklists

BCV_SPANEL Execute Side Panel

BCV_USAGE Usage of Business Context Viewer

MDG_DEF Data Export

MDG_DI F Data Import

S_DMI S Authority object for SAP SLO Data migration server

For information about component specific authorization objects, see thecorresponding sections:

Master Data Governance for Business Partner (CA-MDG-APP-BP) [Page 16]

Master Data Governance for Supplier (CA-MDG-APP-SUP) [Page 18]

Master Data Governance for Customer (CA-MDG-APP-CUS) [Page 20]

Master Data Governance for Material (CA-MDG-APP-MM) [Page 22]

Master Data Governance for Financial (CA-MDG-APP-FIN) [Page 24]

Master Data Governance for Custom Objects (CA-MDG-COB) [Page 25]

Standard Role

Role Name

SAP_MDG_ADMI N Master Data Governance Administrator

This role contains authorizations needed for administrative tasks and for setting up a baseconfiguration in all components of Master Data Governance. Some authorizations enablecritical activities. If multiple users in your organization are entrusted with the administrationand configuration of Master Data Governance, we recommend that you split the role intoseveral roles, each with its own set of authorizations. The role does not contain theauthorizations for the respective master data transactions.

11.1 Master Data Governance for Business

8/12/2019 MDG70SP02SEC


SAP Library


Partner (CA-MDG-APP-BP)


Master Data Governance for Business Partner mainly uses the authorization objects of thebusiness objects Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework.


B_BUPA_GRP

This authorization object is optional. You need to assign thisauthorization object only if master data records are to bespecifically protected.

Business Partner: Authorization Groups

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: RelationshipCategories

BCV_QUI LST Overview

DC_OBJ ECT Data Cleansing

BCV_PERS Personalize BCV UI for Query

View

BCV_QRYVW Query View

BCV_QUERY Query

BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHI P ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: PageConfiguration

Authorization objects used by all components of Master Data Governance are listedin the document Authorization Objects Used by Master Data Governance [Page 15].

Standard Roles

Role Name

SAP_MDGBP_MENU_04[External]

Master Data Governance for Business Partner: Menu

8/12/2019 MDG70SP02SEC


SAP Library


SAP_MDGBP_DISP_04 [External] Master Data Governance for Business Partner: Display

SAP_MDGBP_REQ_04 [External] Master Data Governance for Business Partner:Requester

SAP_MDGBP_SPEC_04

[External]

Master Data Governance for Business Partner:

Specialist

SAP_MDGBP_STEW_04[External]

Master Data Governance for Business Partner: DataSteward

If you want to restrict the authorizations for users or roles to specific values, run theCustomizing activity under Master Data Governance General Settings Data Modeling

Define Authorization Relevance per Entity Type and define which entity types and attributesare authorization relevant.

11.2 Master Data Governance for Supplier (CA-

MDG-APP-SUP)


Master Data Governance for Supplier does not have dedicated authorization objects, butinstead uses the authorization objects of the business objects Business Partner and Vendor,the authorization objects of the Application Framework for Master Data Governance, and theauthorization objects of the Data Replication Framework.


B_BUPA_GRP

This authorization object is optional. You need to assign thisauthorization object only if master data records are to bespecifically protected.


B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: Relationship

Categories

DC_OBJ ECT Data Cleansing

F_LFA1_APP Vendor: Application Authorization

F_LFA1_BEK

This authorization object is optional. You need to assign thisauthorization object only if master data records are to be

specifically protected.

Vendor: Account Authorization

8/12/2019 MDG70SP02SEC


SAP Library


F_LFA1_BUK Vendor: Authorization for Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Account Group Authorization

M_LFM1_EKO Purchasing organization insupplier master data

BCV_PERS Personalize BCV UI for QueryView

BCV_QRYVW Query View

BCV_QUERY Query


BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHI P ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: PageConfiguration


Standard Roles

Role Name

SAP_MDGS_MENU_04 Master Data Governance for Supplier: Menu [External]

SAP_MDGS_DI SP_04 Master Data Governance for Supplier: Display [External]

SAP_MDGS_REQ_04 Master Data Governance for Supplier: Requester [External]

SAP_MDGS_SPEC_04 Master Data Governance for Supplier: Specialist [External]

SAP_MDGS_STEW_04 Master Data Governance for Supplier: Data Steward [External]

SAP_MDGS_VL_MENU_04 Master Data Governance for Supplier (ERP Vendor UI): Menu[External]

SAP_MDGS_LVC_MENU_04 Master Data Governance for Supplier (Lean Request UI): Menu[External]

SAP_MDGS_LVC_REQ_04 Master Data Governance for Supplier (Lean Request UI):Requester [External]

8/12/2019 MDG70SP02SEC


SAP Library


If you want to restrict the authorizations for users or roles to specific values, run theCustomizing activity under Master Data Governance General Settings Data ModelingDefine Authorization Relevance per Entity Type and define which entity types and attributesare authorization relevant.

11.3 Master Data Governance for Customer (CA-MDG-APP-CUS)


Master Data Governance for Customer does not have dedicated authorization objects, butinstead uses the authorization objects of the business objects Business Partner andCustomer, the authorization objects of the Application Framework for Master DataGovernance, and the authorization objects of the Data Replication Framework.

Depending on whether you use the Master Data Governance for Customer on a hubsystem [External] or on a client system [External] a different set of authorizationobjects is required.

Author izat ion Object Descript ion HubSystem

ClientSystem

B_BUPA_GRP

This authorization object is optional. Youneed to assign this authorization objectonly if master data records are to bespecifically protected.


x x

B_BUPA_RLT Business Partner: BPRoles

x x

B_BUPR_BZT Business Partner Relationships:Relationship Categories

x x

DC_OBJ ECT Data Cleansing x

F_KNA1_APP Customer: Application Authorization

x x

F_KNA1_BED

This authorization object is optional. Youdo not need to assign this authorizationobject if no master records are to bespecifically protected.

Customer: Account Authorization

x x

8/12/2019 MDG70SP02SEC


SAP Library


F_KNA1_BUK Customer: Authorization for Company Codes

x x

F_KNA1_GEN Customer: Central Data x x

F_KNA1_GRP Customer: AccountGroup Authorization

x x

MDGC_LCOPY Copy Customer Master Data from MDG Hub

— x

V_KNA1_BRG Customer: Account Authorization for Sales Areas

x x

V_KNA1_VKO Customer:

Authorization for SalesOrganizations

x x

BCV_PERS Personalize BCV UI for Query View

x x

BCV_QRYVW Query View x x

BCV_QUERY Query x x

BCV_QUI LST Overview x x

BCV_QVWSNA Query View Snapshot x x

S_START Start AuthorizationCheck for TADIRObjects

x x

S_PB_CHI P ABAP Page Builder:CHIP

x x

S_PB_PAGE ABAP Page Builder:Page Configuration

x x


Standard Roles

Role Name

SAP_MDGC_MENU_04 Master Data Governance for Customer: Menu [External]

SAP_MDGC_DI SP_04 Master Data Governance for Customer: Display [External]

SAP_MDGC_REQ_04 Master Data Governance for Customer: Requester [External]

SAP_MDGC_SPEC_04 Master Data Governance for Customer: Specialist [External]

8/12/2019 MDG70SP02SEC


SAP Library


SAP_MDGC_STEW_04 Master Data Governance for Customer: Data Steward [External]

SAP_MDGC_CL_MENU_04 Master Data Governance for Customer (ERP Customer UI):Menu [External]

SAP_MDGC_LCC_MENU_04 Master Data Governance for Customer (Lean Request UI):

Menu [External]

SAP_MDGC_LCC_REQ_04 Master Data Governance for Customer (Lean Request UI):Requester [External]

If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorizationrelevant.

11.4 Master Data Governance for Material (CA-MDG-APP-MM)


Master Data Governance for Material does not have dedicated authorization objects, butinstead uses, for example, the authorization objects of the Material Master and the ApplicationFramework for Master Data Governance.


M_MATE_MAT Material Master: Material

M_MATE_MAR Material Master: Material Type

M_MATE_WGR Material Master: Material Group

M_MATE_STA Material Master: MaintenanceStatus

M_MATE_MTA Material Master: Change MaterialType

M_MATE_ WRK Material Master: Plant

M_MATE_MAN Material Master: Central Data

M_MATE_ NEU Material Master: Create

M_MATE_BUK Material Master: Company Codes

M_MATE_ VKO Material Master: SalesOrganization/Distribution Channel

M_MATE_ LGN Material Master: WarehouseNumbers

C_KLAH_BKL Authorization for Classification

C_KLAH_BSE Authorization for Selection

C_TCLA_BKA Authorization for Class Types

8/12/2019 MDG70SP02SEC


SAP Library


C_DRAD_OBJ Create/Change/Display/DeleteObject Link

C_DRAW_DOK Authorization for document access

C_DRAW_TCD Authorization for document

activities

C_DRAW_TCS Status-Dependent Authorizationsfor Documents

C_DRAW_BGR Authorization for authorizationgroups

C_DRAW_STA Authorization for document status

DRF_RECEI V Authorization for outboundmessages for receiver systems

DRF_ADM Create Outbound Messages

PLM_SPUSR

You need this authorization object for the object typePLM_MAT only if the search object connector of SAP

NetWeaver Enterprise Search is created for thefollowing Enterprise Search software components:

PLMWUI

Software components that include PLMWUI

For more information about SAP NetWeaver EnterpriseSearch, see SAP NetWeaver Enterprise Search[External].

Superuser by Object Type

C_AENR_BGR CC Change Master – AuthorizationGroup

C_AENR_ERW CC Eng. Chg. Mgmt. Enhanced Authorization Check

C_AENR_RV1 CC Engineering change mgmt – revision level for material



Standard Roles

Role Name

8/12/2019 MDG70SP02SEC


SAP Library


SAP_MDGM_MENU_04 [External] Master Data Governance for Material: Menu

SAP_MDGM_DISP_04 [External] Master Data Governance for Material: Display

SAP_MDGM_REQ_04 [External] Master Data Governance for Material: Requester

SAP_MDGM_SPEC_04 [External] Master Data Governance for Material: Specialist

SAP_MDGM_STEW_04 [External] Master Data Governance for Material: Data Steward



11.5 Master Data Governance for Financials (CA-MDG-APP-FIN)



USMD_DI ST

This authorization object is used if you have not activated business function

MDG_FOUNDATI ON.

(Switch: FI N_MDM_CORE_SFWS_EHP5)

Distribution

USMD_EDTN Edition


Standard RolesRole Description

SAP_MDGF_ACC_DISP_04[External]

Master Data Governance for Financials: AccountingDisplay

SAP_MDGF_ACC_REQ_04[External]

Master Data Governance for Financials: AccountingRequester

SAP_MDGF_ACC_SPEC_04[External]

Master Data Governance for Financials: AccountingSpecialist

SAP_MDGF_ACC_STEW_04

[External]

Master Data Governance for Financials: Accounting

Data Steward

8/12/2019 MDG70SP02SEC


SAP Library


SAP_MDGF_CO_DISP_04[External]

Master Data Governance for Financials:Consolidation Display

SAP_MDGF_CO_REQ_04 [External] Master Data Governance for Financials:Consolidation Requester

SAP_MDGF_CO_SPEC_04[External]

Master Data Governance for Financials:Consolidation Specialist

SAP_MDGF_CO_STEW_04[External]

Master Data Governance for Financials:Consolidation Data Steward

SAP_MDGF_CTR_DISP_04[External]

Master Data Governance for Financials: ControllingDisplay

SAP_MDGF_CTR_REQ_04[External]

Master Data Governance for Financials: ControllingRequester

SAP_MDGF_CTR_SPEC_04

[External]

Master Data Governance for Financials: Controlling

Specialist

SAP_MDGF_CTR_STEW_04[External]

Master Data Governance for Financials: ControllingData Steward



11.6 Master Data Governance for Custom Objects

(CA-MDG-COB)


You can use the following authorization objects for Master Data Governance for CustomObjects.


USMD_DI ST Replication

USMD_DM Data Model

USMD_EDTN Edition Type


Standard Role

Role Name

SAP_MDGX_MENU_04 [External] Master data governance for self-defined objects

8/12/2019 MDG70SP02SEC


SAP Library


SAP_MDGX_FND_SAMPLE_SF_04[External]

Master data governance for self-defined objects – Flight Data Model example


Define Authorization Relevance per Entity Type and define which entity types and attributes

are authorization relevant.

12 Change Settings of Generated MDG DatabaseTables

The SAP system generates database tables for the entities of all defined data models. Thesettings of these database tables are the following:

Buffering and log of data changes is switched on.

Display and maintenance is allowed with restrictions.

Activit ies

To change these settings of generated MDG database tables run the transaction

MDG_TABLE_ADJ UST.

The results of the transaction are listed in the transaction SLG1 ( Analyse Application Log),

using Object FMDMand Subobject ADJ UST_TABLE.

You have to execute the transaction in each system manually.

After a model activation it might be necessary to execute the transaction again.

More Information

For more information see SAP note 1828363.

13 Appendix

For more information about the security of SAP applications see SAP Service Marketplace athttp://service.sap.com/security.

You can also access additional security guides via SAP Service Marketplace athttp://service.sap.com/securityguide.

For more information about security issues, see SAP Service Marketplace athttp://service.sap.com followed by:

Topic SAP ServiceMarketplace

Master guides, installation guides, upgrade guides, and SolutionManagement guides

/instguides

8/12/2019 MDG70SP02SEC


SAP Library

/ibc

Related notes /notes

Platforms /platforms

Network security /network

/securityguide

Technical infrastructure /ti

SAP Solution Manager /solutionmanager

Date post:	03-Jun-2018
Category:	Documents
Upload:	anni-verma
View:	222 times
Download:	0 times