SAP for Retail - Security Guide
Business Suite 2005
SAP Online Help 21.10.2005
Copyright
© Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP for Retail - Security Guide 670 2
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style Description
Example text Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
Introduction
Before You Start
Technical System Landscape
User Administration and Authentication
    User Management
    User Data Synchronization
    Integration into Single Sign-On Environments
Authorizations
Network and Communication Security
    Communication Channel Security
    Network Security
    Communication Destinations
Other Security-Relevant Information
Appendix
Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
Target Audience
• Technology consultants
• System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the business scenarios of SAP for Retail. To assist you in securing the business scenarios of SAP for Retail, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to the business scenarios of SAP for Retail.
Overview of the Main Sections
The Security Guide comprises the following main sections:
• Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
• Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the business scenarios of SAP for Retail.
• User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
  - Recommended tools to use for user management.
  - User types that are required by the business scenarios of SAP for Retail.
  - Standard users that are delivered with business scenarios of SAP for Retail.
  - Overview of the user synchronization strategy, if several components or products are involved.
  - Overview of how integration into Single Sign-On environments is possible.
• Authorizations
This section provides an overview of the authorization concept that applies to the business scenarios of SAP for Retail.
• Network and Communication Security
This section provides an overview of the communication paths used by the business scenarios of SAP for Retail and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
• Other Security-Relevant Information
This section contains information about using the Web browser as a user front end.
• Appendix
This section provides references to further information.
Before You Start
Fundamental Security Guides
SAP for Retail is based on the following SAP application components:
• SAP NetWeaver 2004s
• SAP ECC 6.0
• SAP SCM 4.1
• SAP SRM 4.0
• SAP CRM 5.0
In many cases the required information has already been provided in other security guides and in configuration and installation guides. In these cases the guide provides a reference to the relevant units.
The following table provides an overview of all relevant security guides for this scenario. All security guides are available at: http://service.sap.com/securityguide.
Related Security Guides
Product See
SAP SCM 4.1 SAP Supply Chain Management 4.1 Security Guide
SAP SRM 4.0 SAP Supplier Relationship Management 4.0 Security Guide
SAP ECC 6.0 SAP ERP Central Component Security Guide
SAP NetWeaver 2004s SAP NetWeaver 2004s Security Guide
SAP Business Information Warehouse Security Guides
SAP CRM 5.0 SAP Customer Relationship Management 5.0 Security Guide
Operating System and Database Platforms
Operating System and Database Platforms
Operating System and Database Platform Security Guides
Application Platform
SAP Web Application Server SAP Web AS Security Guide for ABAP Technology
SAP Web AS Security Guide for J2EE Technology
Internet Transaction Server Security
Security Aspects in Development
SAP Content Server SAP Content Server Security Guide
SAP Knowledge Warehouse SAP Knowledge Warehouse Security Guide
People Integration
SAP Enterprise Portal SAP Enterprise Portal Security Guide
Information Integration
SAP Business Information Warehouse Security Guide
SAP Business Information Warehouse Security Guide
SAP Knowledge Management SAP Knowledge Management Security Guide
SAP Content Management Security Guide
SAP TRex Security Guide
Process Integration
SAP Exchange Infrastructure SAP Exchange Infrastructure Security Guide
Solution Life-Cycle Management
System Management Security Aspects with System Management
Security-Relevant Information:
Guide/Documentation: Full Path to Guide/Documentation
SAP NetWeaver Security Guide: http://help.sap.com → Documentation → SAP NetWeaver → SAP NetWeaver 04 (left frame) / English or German (right frame) → SAP Library → SAP NetWeaver → Security → SAP NetWeaver Security Guide
SAP NetWeaver Documentation: http://help.sap.com → Documentation → SAP NetWeaver → SAP NetWeaver 04 (left frame) / English or German (right frame) → SAP Library → SAP NetWeaver
SAP SCM Documentation: http://help.sap.com → Documentation → mySAP Business Suite → mySAP Supply Chain Management → SAP Supply Chain Management → SAP Library → SAP Supply Chain Management (SAP SCM)
SAP SCM Installation Guide: http://service.sap.com/instguides → mySAP Business Suite Solutions → mySAP SCM → Using SAP SCM <your version>
SAP SCM Component Security Guide: http://service.sap.com/securityguide → SAP Supply Chain Management
SAP SRM Component Security Guide: http://service.sap.com/securityguide → mySAP Supplier Relationship Management (SRM) Security Guide
SAP SRM Documentation: http://help.sap.com → Documentation → mySAP Business Suite → mySAP Supplier Relationship Management → SAP SRM 4.0 SP01
SAP SRM Installation Guide: http://service.sap.com/instguides → mySAP Business Suite Solutions → mySAP SRM → Using SAP SRM <your version>
SAP ERP Documentation: http://help.sap.com → Documentation → mySAP Business Suite → SAP ERP Central Component → mySAP ERP 2005
SAP ERP Installation Guide: http://service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP → Using SAP ERP <your version>
SAP ERP Component Security Guide: http://service.sap.com/securityguide → mySAP ERP Security Guides → SAP ERP Central Component Security Guide
SAP CRM Component Security Guide: http://service.sap.com/securityguide → mySAP CRM Security Guides → SAP CRM Security Guide
SAP CRM Documentation: http://help.sap.com → Documentation → mySAP Business Suite → SAP CRM Central Component → mySAP CRM 2005
SAP CRM Installation Guide: http://service.sap.com/instguides → mySAP Business Suite Solutions → mySAP CRM → Using SAP CRM <your version>
For a complete list of the available SAP Security Guides, see the Quick Link securityguide on the SAP Service Marketplace.
Important SAP Notes
Refer to the Component Security Guides of SAP SCM and mySAP ERP for the most important SAP Notes that apply to the security of the business scenarios of SAP for Retail.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content: Quick Link on the SAP Service Marketplace
Security: service.sap.com/security
Security Guides: service.sap.com/securityguide
Related SAP Notes: service.sap.com/notes
Released platforms: service.sap.com/platforms
Network security: service.sap.com/network, service.sap.com/securityguide
Technical infrastructure: service.sap.com/ti
SAP Solution Manager: service.sap.com/solutionmanager
Technical System Landscape
Use
The following table lists where you can find more information about the technical system landscape.
More Information about the Technical System Landscape
Topic Guide/Tool Quick Link to the SAP Service Marketplace (service.sap.com)
Technical System Landscape
SAP for Retail Master Guide instguides
Technical System Landscape & Installation
SCM Installation Guide(s) instguides
SRM Installation Guide(s)
SAP R/3; SAP R/3 Enterprise and ECC 6.0 Installation Guide(s)
SAP CRM 5.0
Security security
User Administration and Authentication
The business scenarios of SAP for Retail use the user management and authentication mechanisms provided with the SAP NetWeaver platform. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP Web AS Security Guide for ABAP Technology [External] and SAP Web AS Security Guide for Java Technology [External] also apply to the business scenarios of SAP for Retail.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to the business scenarios of SAP for Retail in the following topics:
User Management
User Data Synchronization
Integration into Single Sign-On Environments
User Management
User Administration Tools
For more information about user management tools, see User Management in the SAP SCM Component Security Guide, SAP ERP Component Security Guide, SAP SRM Component Security Guide, SAP CRM Component Security Guide, and SAP NetWeaver Security Guides.
For information about user types, see SAP NetWeaver Security Guide → User Administration and Authentication → User Management → User Types.
For information about SAP NetWeaver Standard Users, see SAP NetWeaver Security Guide → SAP WebAS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users.
For information about SAP NetWeaver password rules, see the SAP NetWeaver documentation, under Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.
User Data Synchronization
For more information about user data synchronization, see the SAP ERP Component Security Guide, SAP SRM Component Security Guide, SAP SCM Component Security Guide, SAP CRM Component Security Guide → User Data Synchronization.
Integration into Single Sign-On Environments
For more information, see the SAP ERP Component Security Guide, SAP SRM Component Security Guide, SAP SCM Component Security Guide, SAP CRM Component Security Guide → Integration into Single Sign-On Environments.
Authorizations
For more information about this topic, see the underlying SAP ERP Component Security Guide, SAP SRM Component Security Guide, SAP SCM Component Security Guide, SAP CRM Component Security Guide → Authorizations.
For a complete overview of Retail-specific authorization objects, see the underlying SAP ERP Component Security Guide.
Scenario-related authorization objects:
Merchandise & Assortment Planning
ERP based authorization objects
Authorization Object Name
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
WLM Assignment of Articles for Layout Modules
WLMLOCLIST Creation of Assortments per Layout Module and Store
WLMVREL Release of Layout Module Version
WLMVV Layout Module Version Variant Maintenance
WLWBENT Access to Layout Workbench
WPLGACT Call External Space Management
W_RFAPC_GN Authorisation for Operational APC: General
W_RFAPC_RL Authorisation for Operational APC: Release
W_RF_MPA Authorization Object for Markdown Profile Assignment
W_RF_WLAY Authorization Object Layout
C_WRFCHVAL Authorization Characteristic Value Maintenance
BW based authorization objects
Authorization Object Name
W_CMCDT2 Article Hierarchy Maintenance in BI
W_MAP_ALA Assignment of locations to assortments
W_MAP_AD Replaced by W_MAP_ALA as of BW 7.02
W_MAP_ASRT Assortment Maintenance
W_MAP_SSM Slow Seller Management and Release Workbench
W_MAP_BUTY Budget Type Maintenance
/MAP/EVOCC MAP Authorizations for Event Occurrences
/MAP/AVASS MAP Authorizations for Assignment to Events
W_POS_CCNR Authorization for Credit Card Numbers in PIPE
W_POS_STAT Authorization for PIPE Tasks
W_POS_TRAN Authorization for POS Transaction Data
Category Business Planning
BW based authorization objects
Authorization Object Name
W_CMCDT2 Article Hierarchy Maintenance in BI
W_MAP_ALA Assignment of locations to assortments
W_MAP_AD Replaced by W_MAP_ALA as of BW 7.02
W_MAP_ASRT Assortment Maintenance
W_MAP_SSM Slow Seller Management and Release Workbench
W_MAP_BUTY Budget Type Maintenance
/MAP/EVOCC MAP Authorizations for Event Occurrences
/MAP/AVASS MAP Authorizations for Assignment to Events
W_POS_CCNR Authorization for Credit Card Numbers in PIPE
W_POS_STAT Authorization for PIPE Tasks
W_POS_TRAN Authorization for POS Transaction Data
Assortment Management
ERP based authorization objects
Authorization Object Name
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
WLM Assignment of Articles for Layout Modules
WLMLOCLIST Creation of Assortments per Layout Module and Store
WLMVREL Release of Layout Module Version
WLMVV Layout Module Version Variant Maintenance
WLWBENT Access to Layout Workbench
WPLGACT Call External Space Management
W_RFAPC_GN Authorisation for Operational APC: General
W_RFAPC_RL Authorisation for Operational APC: Release
W_RF_MPA Authorization Object for Markdown Profile Assignment
W_RF_WLAY Authorization Object Layout
C_WRFCHVAL Authorization Characteristic Value Maintenance
Retail Price & Revenue Management
ERP based authorization objects
Authorization Object Name
M_EINF_EKO Purchasing Organization in Purchasing Info Record
W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain (obsolete)
W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
V_KONH_VKS Condition: Authorization for Condition Types
V_KONH_VKO Condition: Authorization for Sales Organizations
W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type
W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl
W_BUDG_TY Budget Type
W_RF_MPA Authorization Object for Markdown Profile Assignment
Promotion Planning & Management
ERP based authorization objects
Authorization Object Name
C_TCLA_BKA Authorization for Class Types
M_EINF_EKO Purchasing Organization in Purchasing Info Record
W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain (obsolete)
W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
V_KONH_VKS Condition: Authorization for Condition Types
V_KONH_VKO Condition: Authorization for Sales Organizations
W_AUFT_BAA IS-R Authorization Document Type Allocation Table
W_AUFT_BAR IS-R Authorization Document Type Allocation Rule
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_BUDG_TY Budget Type
Requirements Planning & Replenishment
No specific authorization objects.
Vendor Managed Inventory
No specific authorization objects.
Allocation
ERP based authorization objects
Authorization Object Name
W_AUFT_BAA IS-R Authorization Document Type Allocation Table
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_GROUPTYP Authorization to Manage Site Grouping
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_GROUPTYP Authorization to Manage Site Grouping
Purchase Order Management
ERP based authorization objects
Authorization Object Name
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_AUFT_BAA IS-R Authorization Document Type Allocation Table
W_AUFT_BAR IS-R Authorization Document Type Allocation Rule
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies
W_FRM IS-R Authorization for Merchandise Distribution
W_GROUPTYP Authorization to Manage Site Grouping
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl
W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group
W_REF_SITE Authorization to Clean MMSITEREF Table
W_STRU_CHG IS-R Authorization: Allow Changes to Structured Material
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type
W_WTAD_AM IS-R Authorization for Additionals Monitor
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals-IDoc via BAPI Call Function
W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc
Standard Authorization Objects of SAP for Retail (Software Component EA-RETAIL)
Authorization Object Name
WRF_CDT_H Material Hierarchy: Horizontal Hierarchy Maintenance
WRF_CDT_V Material Hierarchy: Vertical Hierarchy and Attribute Maint.
WRF_FOLUP Authorization Follow-up/Replacement Material Relationship
WRF_GH_AUT Generic Hierarchy: Authorization Check
WRF_OTBSPR Authorization Check OTB Special Release
W_BUDG_TY Budget Type
F_LFA1_APP Vendor: Application Authorization
M_BEST_BSA Document Type in Purchase Order
M_BEST_EKG Purchasing Group in Purchase Order
M_BEST_EKO Purchasing Organization in Purchase Order
M_BEST_WRK Plant in Purchase Order
M_BEST_LGO Plant/Storage Location in Purchase Order
We recommend that you assign the following transactions only to special administrator roles. These transactions should not be used by end users and are therefore not part of the standard SAP Easy Access menu:
WBUDG01 Activate Budget Type
WBUDG02 Transport Budget Type
WBUDG03 Reorganize Budget Type
WPCTRD Delete completed Items
WPCTRQ Handling of remaining Quantities
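One way to check role assignments against this recommendation, as an added example that is not part of the SAP guide: the script scans the S_TCODE values of each role and reports non-administrator roles that reach any of the five transactions, including through wildcards and ranges. The role names, the (role, low, high) row layout and the administrator-role list are constructed for the example, and range matching is assumed to be a plain string comparison.

```python
import re

# Transactions the guide reserves for special administrator roles.
RESTRICTED_TCODES = {
    "WBUDG01": "Activate Budget Type",
    "WBUDG02": "Transport Budget Type",
    "WBUDG03": "Reorganize Budget Type",
    "WPCTRD": "Delete completed Items",
    "WPCTRQ": "Handling of remaining Quantities",
}

# Constructed sample: one row per S_TCODE value held by a role,
# as (role, low value, high value). An empty high value means "no range".
SAMPLE_ROLE_TCODES = [
    ("Z_RETAIL_BUDGET_ADMIN", "WBUDG01", ""),
    ("Z_RETAIL_BUDGET_ADMIN", "WBUDG02", ""),
    ("Z_RETAIL_BUDGET_ADMIN", "WBUDG03", ""),
    ("Z_RETAIL_BUYER", "ME21N", ""),
    ("Z_RETAIL_BUYER", "WBUDG*", ""),        # wildcard covers WBUDG01-03
    ("Z_STORE_CLERK", "WPCTRA", "WPCTRZ"),   # range covers WPCTRD and WPCTRQ
    ("Z_STORE_MANAGER", "WPCTRD", ""),       # direct assignment
    ("Z_DISPLAY_ONLY", "MM03", ""),
]

# Hypothetical allow-list of roles that may hold the restricted transactions.
ADMIN_ROLES = {"Z_RETAIL_BUDGET_ADMIN"}


def value_covers(low, high, tcode):
    """Return True if one authorization value (single, wildcard or range)
    grants the given transaction code."""
    low = low.strip().upper()
    high = high.strip().upper()
    if high:
        # Range: assumed to be an inclusive lexicographic comparison.
        return low <= tcode <= high
    if "*" in low:
        # Only '*' is treated as a wildcard; everything else is literal.
        pattern = ".*".join(re.escape(part) for part in low.split("*"))
        return re.fullmatch(pattern, tcode) is not None
    return low == tcode


def find_misassigned(rows, admin_roles):
    """Map each non-administrator role to the restricted transactions it
    can start, whether assigned directly or implied by a pattern or range."""
    findings = {}
    for role, low, high in rows:
        if role in admin_roles:
            continue
        for tcode in RESTRICTED_TCODES:
            if value_covers(low, high, tcode):
                findings.setdefault(role, set()).add(tcode)
    return {role: sorted(tcodes) for role, tcodes in findings.items()}


if __name__ == "__main__":
    for role, tcodes in sorted(find_misassigned(SAMPLE_ROLE_TCODES, ADMIN_ROLES).items()):
        for tcode in tcodes:
            print(f"{role}: {tcode} ({RESTRICTED_TCODES[tcode]})")
```

The wildcard and range rows matter most in a review, because a role can reach a restricted transaction without the transaction code ever appearing in the role definition.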
For SRM related authorization objects, see the SAP SRM Security Guide (especially ABAP Roles for SRM 4.0/ Enterprise Buyer 5.0).
Store Merchandise Management
ERP based authorization objects
Authorization Object Name
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_ONLSTORE Authorization for Starting Online Store
W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group
W_SRS_POS Authorizations for Open Store Physical Inventory
W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance
W_STWB_WRK SAP Retail Store: Stores
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals-IDoc via BAPI Call Function
W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc
Instore Customer Relationship Management
ERP based authorization objects
Authorization Object Name
W_ONLSTORE Authorization for Starting Online Store
W_PCAT_LAY Authorization: Product Catalog - Layout Area
W_PCAT_MTN Authorization: Product Catalog - Maintenance
W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group
W_SRS_POS Authorizations for Open Store Physical Inventory
W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance
W_STWB_WRK SAP Retail Store: Stores
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals-IDoc via BAPI Call Function
W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc
Store Connectivity
ERP based authorization objects
Authorization Object Name
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_GROUPTYP Authorization to Manage Site Grouping
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl
W_PCAT_MTN Authorization: Product Catalog - Maintenance
W_SRS_POS Authorizations for Open Store Physical Inventory
W_STWB_WRK SAP Retail Store: Stores
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List
W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain
W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals-IDoc via BAPI Call Function
W_WTRA_LOG Runtime Measurement - Authorization to Delete Data Records
BW based authorization objects:
Authorization Object Name
W_POS_CCNR Authorizations for credit card numbers in PIPE
W_POS_STAT Authorizations for PIPE tasks
W_POS_TRAN Authorizations for POS transaction data
Store Analytics
BW based authorization objects
Authorization Object Name
W_POS_CCNR Authorizations for credit card numbers in PIPE
W_POS_STAT Authorizations for PIPE tasks
W_POS_TRAN Authorizations for POS transaction data
Workforce Deployment
Refer to the Scenario Security Guide of Workforce Deployment.
Network and Communication Security
This section contains information about network and communication security in an SAP system landscape.
This involves, for example:
• Communication channel security
• Network security
• Communication destinations
For more information about the SAP Retail Solution, see the SAP ERP Central Component Security Guide under Retail → Network and Communication Security.
Communication Channel Security
As communication channels transfer all kinds of business data, they should be protected against unauthorized access. SAP offers general recommendations and technologies to protect your system landscape based on SAP NetWeaver.
To achieve a secure system landscape, you should activate Secure Network Communications (SNC) for RFC and the Secure Sockets Layer (SSL) protocol for HTTP on all communication channels in the GDS business scenario.
For information about the communication security of SAP NetWeaver, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Network and Communication Security.
For information about security aspects for connectivity and interoperability of SAP NetWeaver, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Aspects for Connectivity and Interoperability.
The table below shows the communication paths used by the business scenario, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path: Front-end client using SAP GUI for Windows to application server
Protocol Used: DIAG
Type of Data Transferred: All application data
Data Requiring Special Protection: For example, passwords, business data

Communication Path: Front-end client using a Web browser to application server
Protocol Used: HTTP(S)
Type of Data Transferred: All application data
Data Requiring Special Protection: For example, passwords, business data

Communication Path: Application server to application server
Protocol Used: RFC, HTTP(S)
Type of Data Transferred: Integration data
Data Requiring Special Protection: Business data
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Transport Layer Security.
Network Security
For more information about network security, see the SAP ERP Component Security Guide, SAP Supplier Relationship Management Security Guide, SAP Supply Chain Management Security Guide, and SAP Customer Relationship Management Security Guide → Network Security.
Communication Destinations
Users and authorizations for connection destinations can cause serious security flaws if used carelessly.
Golden Rules for connection users and authorizations:
• Choose user type "communication" or "system".
• Assign only the minimum required authorizations to the user.
• Choose a secure and secret password for the user.
• Store connection user logon data only for users of type "system".
• Choose "trusted system" functionality whenever possible instead of storing connection user logon data.
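The golden rules can be applied as a repeatable review of a destination inventory. The following is an added example, not part of the SAP guide: it audits a constructed CSV of connection destinations against the rules that can be checked from configuration data. The column names, the destination and user names, and the choice of SAP_ALL and SAP_NEW as markers of over-broad authorization are assumptions of this example.

```python
import csv
import io
from collections import namedtuple

Finding = namedtuple("Finding", "destination rule severity detail")

# Constructed inventory of connection destinations. The columns are
# assumptions for this example, not an SAP export format.
SAMPLE_DESTINATIONS = """\
destination,logon_user,user_type,logon_data_stored,trusted_system,profiles
RETAIL_TO_SCM,RFC_SCM,system,yes,no,Z_RFC_SCM_MIN
RETAIL_TO_BW,RFC_BW,communication,yes,no,Z_RFC_BW_MIN
RETAIL_TO_CRM,JSMITH,dialog,yes,no,Z_RFC_CRM_MIN
RETAIL_TO_SRM,RFC_SRM,system,yes,no,SAP_ALL
RETAIL_TO_POS,,,no,yes,
"""

ALLOWED_USER_TYPES = {"communication", "system"}
# Assumption: these broad profiles are treated as "more than the minimum".
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def _yes(value):
    return value.strip().lower() in {"yes", "y", "true", "1", "x"}


def audit_destinations(csv_text):
    """Check each destination against the golden rules. Password quality
    cannot be judged from configuration data and is not covered here."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dest = row["destination"].strip()
        user = row["logon_user"].strip()
        utype = row["user_type"].strip().lower()
        stored = _yes(row["logon_data_stored"])
        trusted = _yes(row["trusted_system"])
        profiles = {p.strip().upper() for p in row["profiles"].split(";") if p.strip()}

        # Rule: user type "communication" or "system".
        if user and utype not in ALLOWED_USER_TYPES:
            findings.append(Finding(dest, "USER_TYPE", "high",
                                    f"user {user} has type '{utype}'"))
        # Rule: only the minimum required authorizations.
        broad = sorted(profiles & BROAD_PROFILES)
        if broad:
            findings.append(Finding(dest, "BROAD_AUTH", "high",
                                    "broad profile(s): " + ", ".join(broad)))
        # Rule: store logon data only for users of type "system".
        if stored and utype != "system":
            findings.append(Finding(dest, "STORED_LOGON_NOT_SYSTEM", "high",
                                    f"logon data stored for type '{utype}'"))
        # Rule: prefer trusted system over stored logon data (advisory).
        if stored and not trusted:
            findings.append(Finding(dest, "PREFER_TRUSTED", "info",
                                    "stored logon data; check if trusted system is possible"))
    return findings


def high_rules_by_destination(findings):
    """Group the high-severity rule identifiers per destination."""
    grouped = {}
    for f in findings:
        if f.severity == "high":
            grouped.setdefault(f.destination, set()).add(f.rule)
    return {dest: sorted(rules) for dest, rules in grouped.items()}


if __name__ == "__main__":
    for f in audit_destinations(SAMPLE_DESTINATIONS):
        print(f"[{f.severity}] {f.destination}: {f.rule} ({f.detail})")
```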
Connection Destinations
For more information about network security, see the SAP ERP Component Security Guide, SAP SRM Component Security Guide, SAP SCM Component Security Guide → Network Security.
Other Security-Relevant Information
Web Browser as User Front End
To use the Web browser as a user front end, you have to activate JavaScript (Active Scripting) to ensure a working user interface. This could conflict with your security policy regarding Web services.
Appendix
Related Security Guides
You can find more information about the security of SAP applications on the SAP Service Marketplace, Quick Link security. Security guides are available under the Quick Link securityguide.
Related Information
For more information about topics related to security, see the following links:
Quick Links to Related Information
Content: Quick Link on the SAP Service Marketplace (service.sap.com)
Master Guides, Installation Guides, Upgrade Guides, Solution Management Guides: instguides, ibc
Related SAP Notes: notes
Released platforms: platforms
Network security: network, securityguide
SAP Solution Manager: solutionmanager