Document version: 2014-07-31

Security Guide for SAP Solution Manager 7.1

CUSTOMER


Document History

Caution: Before you start the implementation and configuration of SAP Solution Manager, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/instguides

SAP Components: SAP Solution Manager <current release>

The following table provides an overview of the most important document changes.

Table 1: Document changes per Support Package Stack (Version), with description

SP10: General

Role enhancements for the infrastructure roles SAP_SYSTEM_REPOSITORY_* and SAP_SM_RFC_*, see section Authorization and Roles for Infrastructure.

Guide structure enhancements in the following individual sections:

● Secure System Configuration (system configuration issues that affect security)

● SAP Solution Manager Authorization Concept

● User Interface (SAP NWBC 4.0 not supported)

● Landscape Setup Guide

● Scenario-specific Guides

● Overviews

● User Authentication and Administration Tools:

○ new section on the Solution Manager User Administration (SMUA) mass tool

○ enhanced section on Automatic User Creation in SOLMAN_SETUP (new fields User Group, Namespace, Role Upload)

○ new section on the password policy for SAP Solution Manager default users

● Roles and Authorizations for Infrastructure and LMDB usage, see section Roles for Infrastructure and LMDB:

○ new single roles SAP_SM_BP_* for Business Partner and Product assignment in LMDB and related queries

○ new single role SAP_SM_DASHBOARDS_DISP_LMDB for the LMDB Dashboard

○ new authorization object check AI_LMDB_RE for LMDB Remote Access (included in roles SAP_SYSTEM_REPOSITORY_*)

○ adapted role SAP_SM_SOLUTION_ALL

○ adapted roles SAP_SOLMAN_DIRECTORY_*

○ adapted role SAP_SM_RFC_ADMIN (authorization object S_RFC_TT added)

○ adapted roles SAP_SYSTEM_REPOSITORY_* (primarily for authorization object S_RFC)

CUSTOMER © Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.


Scenario-Specific Guides

Check out changes in the Document History for the following scenarios:

● Custom-Code Life Cycle Management (CCA, CCML)

● Business Process Operations

● Business Process Change Analyser

● Change Request Management

● Incident Management

Note: Authorizations for ST-ICC are described in the corresponding ST-ICC Configuration Guide.

● Solution Documentation Assistant

● Test Management

● Implementation (cProject ITPPM integration)

● Solution Manager Administration

● Technical Monitoring

● Technical Administration (IT Task Inbox and Guided Procedure)

● Quality Gate Management

● SAP Engagement and Service Delivery

● Job Management

Important SAP Notes

● 1812046 (Role Updates in case of CUA)

● 1830640 (Roles for READ, TMW, and Back RFC Users)

● 1908051 (Roles for ST-PI (managed systems))

SAP TAO

● The section on SAP TAO has been moved to the SAP TAO Administrator's Guide, available on the SAP Service Marketplace at service.sap.com/saptao.

SP11: General

● Authorization object S_ICF is now checked for the temporary RFC connections that transaction SOLMAN_SETUP creates during configuration. The roles of all configuration users and of SOLMAN_ADMIN in SAP Solution Manager must be enhanced accordingly; after the update, check the update flag for the following roles in transaction SOLMAN_SETUP:

SAP_SM_BASIC_SETTINGS, SAP_BPCA_CONFIG, SAP_BPO_CONFIG, SAP_CHARM_CONFIG, SAP_DVM_CONFIG, SAP_SM_BIM_CONF, SAP_SM_CBTA_CONFIG, SAP_SM_CCM_CONFIG, SAP_SM_EEM_CONF, SAP_SM_IC_CONF, SAP_SM_ITMO_CONF, SAP_SM_JMON_CONF, SAP_SM_PIM_CONF, SAP_SM_SCHEDULER_CONFIG, SAP_SM_SYM_CONF, SAP_SUPPDESK_CONFIG, SAP_TAO_CONFIG, SAP_TSAM_CONF

Scenario-Specific Guides


Check out changes in the Document History for the following scenarios:

● new scenario-specific guide: Effort and Scope Analyzer (SEA)

● Implementation and Upgrade (SEA integration)

● Change Request Management (Import Authorizations; CSOL RFC-connection; CTS)

● Job Management

● Quality Gate Management

● Landscape Setup Guide (Enhancement of SLD - related section)

● Technical Monitoring

● Test Management (CBTA)

● Custom Code Management

● Technical Administration (Guided Procedures)

● Business Process Operations

● IT Service Management (new section: Additional Security Measures)

● BPCA (new section: Additional Security Measures)

SP12: General

● Enhanced: Overview of Function Integration

● Enhanced: User Authentication and Administration Tools

○ Automatic user update using Automated Managed System Configuration

○ Storage of multiple users in SMUA

○ Expert mode for user creation and RFC creation

○ Additional user types (Reference User for Template/Demo user, Service User)

● Enhanced: Additional Security Measures (Documents: virus scan with automatic VSI check, use of the Firefox browser; reject callback parameter settings)

Scenario-Specific Guides

Check out changes in the Document History for the following scenarios:

● Landscape Setup Guide (Automatic User Update using Automated Managed System Configuration, SOLMAN_SETUP Configuration Administration)

● Guided Procedure Framework (Chapter: Authorization Concept for SAP Solution Manager)

● Business Process Operations (integration Notification Management, Job Monitoring, and Interface Channel Monitoring, Project-based Delivery)

● Technical Administration (integration of IT Task Management configuration in transaction SOLMAN_SETUP)

● Incident Management

● Change Request Management

● Technical Monitoring (Job Monitoring, individual roles for Message Flow Monitoring; CSU)

● Data Volume Management (iCI Dashboard)

● Custom Code Management (ATC integration, iCI Dashboard)


● Business Process Change Analyzer (and TAO)

● Test Management (Redesign CBTA user and roles)

● Implementation (CDMC; Roadmap)

● SAP Solution Manager Administration (Enhancement due to Archive Log and Role Comparison Tool)

● Measurement Platform (iCI Dashboard)

● SAP Service Delivery and Engagement

Important SAP Notes

● 1830640 (Roles for READ, TMW, and Back RFC Users)

● 1968406 (ST-PI: Authorization changes in roles for SAP-BASIS < 700)

SP13: Authorization Concept Sections

● Guided Procedure Administration Authorizations (for security reasons, the authorization for transaction SE61 must be assigned manually)

Scenario-Specific Guides

Check out changes in the Document History for the following scenarios:

● Landscape Setup Guide (Template Management for Mass System Configuration, Role adaptations for various users)

● Business Process Change Analyzer

● Test Management

● SAP Engagement and Service Delivery

● Business Process Operations (Business Process Analysis)

● Technical Monitoring (System Monitoring)

● Job Scheduling Management

● Technical Monitoring

● Data Volume Management

Important SAP Notes

● 1830640 (Roles for READ, TMW, and Back RFC Users)

● 1560717 (Roles for SAP Solution Manager and managed systems)

● 2039434 (ChaRM: extended authorization checks become mandatory as of ST 710 SP10)


Content

1 Security Guide . . . 17

2 Introduction . . . 18
   2.1 Target Group of This Guide . . . 18
   2.2 Getting Started . . . 18
   2.3 How to Use this Guide . . . 19
   2.4 Links for Additional Components on the Service Marketplace . . . 22
   2.5 Using SAP Solution Manager as a Service Provider . . . 26

3 Terminology as Used in SAP Solution Manager . . . 27

4 Quick Guide . . . 33

5 Overviews . . . 35
   5.1 Overview: Capabilities/Functions . . . 35
   5.2 Overview: Solution Manager Functions Integration . . . 36
   5.3 Overview: Solution Manager Configuration . . . 38
   5.4 Overview: Solution Manager Technical RFC Users per Scenario . . . 39
   5.5 Overview: Third Party Products to Be Used with Solution Manager . . . 40

6 System Landscape . . . 42
   6.1 Technical System Landscape . . . 42

7 Network and Communication Security . . . 43
   7.1 Network Topology . . . 43
   7.2 Communication Channels and Communication Destinations . . . 43
   7.3 Internet Communication Framework . . . 44
   7.4 Secure Socket Layer (SSL) . . . 46
   7.5 HTTP Connect Service for SAP Support . . . 47
   7.6 File Transfer Protocol (FTP) . . . 47
   7.7 Use of Gateway . . . 48

8 User Administration and Authentication Tools . . . 49
   8.1 Basic SAP User Management Tools and User Types . . . 49
   8.2 Automatic User Creation using Transaction SOLMAN_SETUP . . . 52
   8.3 Automatic Managed System Configuration Update using Transaction SOLMAN_SETUP . . . 55
   8.4 Automatic Mass User Creation/Update using “Solution Manager User Administration” (SMUA) . . . 56
   8.5 Passwords for Solution Manager Default Users . . . 57
   8.6 Secure Storage . . . 58
   8.7 Integration into Single Sign-On Environments (SSO) . . . 58

9 Authorization Concept for SAP Solution Manager . . . 60
   9.1 User Definitions in SAP Solution Manager . . . 60


   9.2 End-User Roles in SAP Solution Manager . . . 61
   9.3 Configuration User Roles for SAP Solution Manager . . . 69
   9.4 Integration of Functions/Capabilities . . . 71
   9.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions, Directory) . . . 73
   9.6 Guided Procedure Framework . . . 74
   9.7 Work Center Navigation Role Concept . . . 75
   9.8 Using SAP Solution Manager with Customer Relationship Management (CRM) . . . 83
   9.9 Using SAP Solution Manager with Business Warehouse (BW) . . . 84
      General Information . . . 84
      BI Reporting Data Extraction . . . 85
      Configuration of BW and Activation of BW Content (Step by Step) . . . 86
      Diagnostics Center . . . 88
      BI Reporting Authorizations and Roles . . . 88
      Using BI Dashboards for BI Reporting . . . 89
   9.10 Using the Help Center . . . 92
   9.11 Authorizations for User Interfaces . . . 93
   9.12 Critical RFC Connections and Authorization Objects . . . 98
      Generated RFC Connection <SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED> . . . 98
      Authorization Objects S_RFCACL and S_RFC_TT for Trusted RFCs . . . 99
      Generated RFC Connections READ, TMW and BACK . . . 101
      Authorization Objects S_RFC and S_DEV_REMO . . . 101
      Authorization Objects S_TABU_DIS and S_TABU_CLI . . . 102
      Authorization Object S_TABU_NAM . . . 104
      Authorization Object S_DEVELOP . . . 105
   9.13 How to Build Your Own Authorization Concept . . . 105

10 Using Central User Administration . . . 107
   10.1 Introduction . . . 107
   10.2 Prerequisites . . . 109
   10.3 Configuration Scenarios . . . 111
   10.4 Configuration Integration in Transaction SOLMAN_SETUP . . . 112

11 Additional Security Issues . . . 114

12 Data Storage . . . 118

13 Landscape Setup, Configuration, and Root Cause Analysis Guide . . . 119
   13.1 Document History . . . 119
   13.2 Getting Started . . . 124
   13.3 Technical System Landscape . . . 125
   13.4 Communication Channels and Destinations . . . 129
   13.5 Required TCP/IP Ports . . . 132
   13.6 SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP . . . 135
   13.7 Root Cause Analysis Work Center . . . 137
   13.8 SOLMAN_SETUP Configuration Administration Tool . . . 138
   13.9 Users Created During Installation . . . 139
      Database User SAP<SID>DB [MANAGED.DB.USER] . . . 139
      OS Engine User [MANAGED.OS.SIDADM] . . . 140


      OS User Dedicated to the Diagnostics Agent <SID>ADMIN [MANAGED.OS.AGTSIDADMIN] . . . 140
   13.10 Users and Authorizations for SAP Solution Manager Configuration/Operation . . . 140
      Password Changes . . . 141
      Configuration and Administration User SOLMAN_ADMIN [SOLMAN.DUAL.ADMIN] . . . 141
      Technical User SM_AMSC . . . 145
      Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM] . . . 146
      Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC] . . . 146
      Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN] . . . 147
      Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN] . . . 147
      Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . 148
      Dialog User SAPSERVICE . . . 149
      Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC] . . . 150
      Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV] . . . 150
      Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV] . . . 150
      Technical User for RFC Connection BACK <SMB_<SIDofManagedSystem>> [MANAGING.ABAP.RFC] . . . 151
      User Wily Guest [SOLMAN.WILY.GUEST] . . . 151
   13.11 Users and Authorizations for Managed Systems . . . 151
      NGAP-Based Managed Systems Support . . . 152
      Administrator User in ABAP: SM_ADMIN [MANAGED.JAVA.ABAP.ADMIN] . . . 152
      Administrator User in Java: SM_ADMIN_<SolManSID> [MANAGED.JAVA.ADMIN] . . . 153
      Technical User SMDAGENT_<SolManID> for Wily Host Agent [MANAGED.ABAP.WILYAGT] . . . 154
      Technical Users for RFC Connections READ and TMW [MANAGED.ABAP.RFC] . . . 154
      SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT] . . . 156
      Dialog User SAPSERVICE . . . 149
      Technical User SM_COLL_<SIDofSolMan> . . . 157
      J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN] . . . 158
      Administrator OS User [MANAGED.OS.ADMIN] . . . 159
      Technical Users for CTC Configuration and Runtime Activation . . . 159
   13.12 Users and Authorizations for BW Configuration . . . 159
      BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN] . . . 160
      Technical User SM_BW_ACT . . . 160
      Technical User SM_EFWK . . . 160
      Technical User SMD_BI_RFC [SOLMAN.BI.RFC] . . . 162
      Technical User SM_BW_<SID> . . . 162
      Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . 148
      Dialog User SAPSERVICE . . . 149
      Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK] . . . 165
      Diagnostics Center . . . 88
   13.13 Users and Authorizations for SLD and LMDB . . . 165
      Technical User SLD_CS_USER . . . 167
      Technical User SLDAPIUSER . . . 167
      Technical User SLDDSUSER . . . 168
      Technical User for CTC Usage . . . 168
   13.14 S-Users . . . 168
      S-User for SAP Backend . . . 169
      S-User for Communication . . . 169
   13.15 Landscape Modelling and Infrastructure Roles . . . 169


      User Roles for System Landscape Infrastructure . . . 169
      User Roles for Solutions, Projects, Solution Directory . . . 172
      User Roles for System Landscape Verification . . . 174
   13.16 User Role for TREX Administration . . . 174
   13.17 Configuration User Roles for SAP Solution Manager . . . 69
   13.18 Business Partners Created During Configuration . . . 177
   13.19 Traces and Logs . . . 178

14 Scenario-Specific Guide: Solution Manager Administration . . . 179
   14.1 Document History . . . 179
   14.2 Getting Started . . . 180
   14.3 Users and Authorizations . . . 180

15 Scenario-Specific Guide: Technical Monitoring . . . 185
   15.1 Document History . . . 185
   15.2 Getting Started . . . 190
   15.3 Prerequisites . . . 191
      Technical System Landscape . . . 191
      Scenario Configuration Users . . . 191
      Communication Channels and Destinations . . . 193
      Technical Users . . . 195
   15.4 Work Center Technical Monitoring . . . 197
   15.5 User Descriptions . . . 198
   15.6 User Roles for System, Database, Host Monitoring, and Self-Monitoring . . . 199
      First Level User Description and User Role . . . 199
      Second Level User Description and User Role . . . 200
   15.7 User Roles for Process Integration Monitoring . . . 201
      First Level User Role . . . 201
      Second Level Roles in SAP Solution Manager . . . 202
   15.8 User Roles for Message Flow Monitoring . . . 204
      Technical System Landscape . . . 204
      First Level User Role . . . 204
      Second Level Roles in SAP Solution Manager . . . 205
      Authorization Objects . . . 207
      Function Integration . . . 208
   15.9 User Roles for End-User Experience Monitoring . . . 208
      First Level User Description and User Role . . . 208
      Second Level User Description and User Role . . . 209
   15.10 User Roles for Business Intelligence Monitoring . . . 210
      First Level User Description and User Role . . . 210
      Second Level User Description and User Role . . . 211
   15.11 User Roles for Interface (Channel) Monitoring . . . 212
      First Level User Role . . . 212
      Second Level Roles in SAP Solution Manager . . . 213
   15.12 End-User Roles for Job Monitoring . . . 214
      First Level User Role . . . 214
      Second Level User Role . . . 215
   15.13 User Roles for Infrastructure Monitoring . . . 216
      First Level User Description and User Role . . . 217
      Second Level User Description and User Role . . . 218


15.14 Integration Visibility in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21915.15 Role for Technical Monitoring Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22015.16 Role for Technical Monitoring Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22015.17 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22115.18 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22215.19 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

16 Scenario-Specific Guide: Maintenance Optimizer . . . 225
16.1 Document History . . . 225
16.2 Getting Started . . . 225
16.3 Prerequisites . . . 226

    Technical System Landscape . . . 226
    Scenario Configuration . . . 227
    Communication Channels and Destinations . . . 227
    Technical Users . . . 229
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . 230
    S-User Authorization for Maintenance Optimizer . . . 230

16.4 CRM Standard Customizing . . . 231
16.5 Users and Authorizations . . . 231

    User Descriptions and User Roles . . . 232
    User Roles in Managed Systems . . . 234
    Main Authorization Objects . . . 234

16.6 System Recommendations . . . 235

17 Scenario-Specific Guide: Change Request Management . . . 236
17.1 Document History . . . 236
17.2 Getting Started . . . 239
17.3 Prerequisites . . . 240

    Technical System Landscape . . . 240
    Scenario Configuration User . . . 240
    Communication Channels and Destinations . . . 241
    Technical Users . . . 245

17.4 CRM Standard Customizing for Solution Manager . . . 247
17.5 Users and Authorizations . . . 249

    Users and Roles . . . 250
    Best Practice: Manage Import Authorizations in Managed Systems . . . 256
    User Roles for Additional Functions . . . 257
    Main Authorization Objects . . . 259

17.6 System Recommendations . . . 235
17.7 Scenario Integration . . . 260

18 Scenario-Specific Guide: Quality Gate Management . . . 264
18.1 Document History . . . 264
18.2 Getting Started . . . 266
18.3 Prerequisites . . . 266

    Technical System Landscape . . . 266
    Configuration . . . 267
    Communication Channels and Destinations . . . 268
    Technical Users . . . 269

18.4 CRM Standard Customizing for Solution Manager . . . 270


18.5 Users and Authorizations . . . 271
    User Descriptions and User Roles in the SAP Solution Manager . . . 271
    User Descriptions and User Roles in the Managed Systems . . . 274
    Central CTS-Integration User Roles in the SAP Solution Manager . . . 274
    Critical Authorization Object . . . 276

18.6 Scenario Integration . . . 276

19 Scenario-Specific Guide: Configuration Validation . . . 277
19.1 Document History . . . 277
19.2 Getting Started . . . 278
19.3 Prerequisites . . . 278
19.4 Users and Authorizations . . . 279

    User Descriptions and User Roles in the SAP Solution Manager . . . 279
19.5 Critical Authorizations . . . 282
19.6 System Recommendations . . . 235

20 Scenario-Specific Guide: Implementation and Upgrade . . . 284
20.1 Document History . . . 284
20.2 Getting Started . . . 285
20.3 Prerequisites . . . 286

    Technical System Landscape . . . 286
    Configuration . . . 287
    Communication Channels and Destinations . . . 288
    Technical Users . . . 290

20.4 Users and Authorizations . . . 291
    User Descriptions and User Roles in the SAP Solution Manager . . . 292
    User Descriptions and User Roles in Managed Systems . . . 306
    Main Authorization Objects . . . 306

20.5 User Roles for Additional Functions . . . 309
    User Roles for Roadmap Definition . . . 309
    User Roles for Activation of Business Functions . . . 309
    User Roles for Custom Development Management Cockpit (CDMC) . . . 310
    User Roles for Upgrade Dependency Analyzer . . . 311
    User Roles for Customizing Comparison and Distribution . . . 312
    User Roles for BC-Set Activities . . . 313
    Solution Maintenance via Work Center . . . 313

20.6 Scenario Integration . . . 313
20.7 External Integration . . . 317

    Business Process Management Suite . . . 318
    Enterprise Service Repository within Process Integration (PI) . . . 318
    SAP Productivity Pak by RWD . . . 319
    Business Process Blueprinting Tool (BPB) . . . 319

20.8 Traces and Logs . . . 178

21 Scenario-Specific Guide: Solution Documentation Assistant . . . 321
21.1 Document History . . . 321
21.2 Getting Started . . . 322
21.3 Prerequisites . . . 322

    Technical System Landscape . . . 323
    Configuration . . . 323


    Communication Channels and Destinations . . . 324
    Technical Users . . . 326

21.4 Users and Authorizations . . . 327
    User Descriptions and User Roles . . . 328

21.5 Scenario Integration . . . 332
21.6 Background Jobs . . . 333

22 Scenario-Specific Guide: Test Management . . . 334
22.1 Document History . . . 334
22.2 Prerequisites . . . 335

    Technical System Landscape . . . 335
    Scenario Configuration User . . . 336
    Communication Channels and Destinations . . . 337
    Technical Users for RFCs . . . 339

22.3 Users and Authorizations . . . 340
    User Descriptions and User Roles . . . 341
    Main Authorization Objects . . . 357

22.4 User Roles for Additional Functions . . . 357
    User Roles for Test Workbench Workflow . . . 357
    User Roles for Extended Capabilities . . . 358
    User Roles for CBTA (Component-Based Test Automation) . . . 359

22.5 Scenario Integration . . . 365
22.6 External Integration . . . 366

    Tool with BC-eCATT Integration . . . 366
    Quality Center by HP . . . 366
    IBM Rational Test Management Tool . . . 368

23 Scenario-Specific Guide: Business Process Change Analyzer . . . 370
23.1 Document History . . . 370
23.2 Getting Started . . . 372
23.3 Prerequisites . . . 373

    Technical System Landscape . . . 373
    Scenario Configuration User . . . 373
    Communication Channels and Destinations . . . 374
    Technical Users . . . 376

23.4 CRM Standard Customizing . . . 377
23.5 Users and Authorizations . . . 378

    User Descriptions and User Roles . . . 378
23.6 Scenario Integration . . . 383
23.7 Additional Security Measures . . . 383

24 Scenario-Specific Guide: Custom-Code Life Cycle Management . . . 385
24.1 Document History . . . 385
24.2 Getting Started . . . 386
24.3 Prerequisites . . . 387

    Technical System Landscape . . . 387
    Scenario Configuration User . . . 388
    Communication Channels and Destinations . . . 389
    Technical Users . . . 390

24.4 Users and Authorizations . . . 391


    User Descriptions and User Roles in the SAP Solution Manager . . . 391
    Authorizations . . . 393

24.5 Background Jobs . . . 393

25 Scenario-Specific Guide: Scope and Effort Analyzer (SEA) . . . 394
25.1 Document History . . . 394
25.2 Getting Started . . . 394
25.3 Prerequisites . . . 395

    Technical System Landscape . . . 395
    Scenario Configuration User . . . 395
    Communication Channels and Destinations . . . 396
    Technical Users . . . 398

25.4 User Descriptions and User Roles . . . 399
25.5 Authorization Objects . . . 401
25.6 Scenario Integration . . . 402

26 Scenario-Specific Guide: IT Service Management . . . 403
26.1 Document History . . . 403
26.2 Getting Started . . . 405
26.3 Prerequisites . . . 406

    Technical System Landscape . . . 406
    Scenario Configuration User . . . 407
    Communication Channels and Destinations . . . 408
    Technical Users for RFCs . . . 411
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . 230
    S-User Authorization for Service Desk and Expert on Demand . . . 413

26.4 CRM Standard Customizing for Solution Manager . . . 414
26.5 Users and Authorizations . . . 415

    User Descriptions and User Roles . . . 416
    Authorization Objects . . . 419

26.6 Scenario Integration . . . 421
26.7 External Integration . . . 423

    External Service Desk . . . 423
26.8 Additional Security Measures . . . 423

27 Scenario-Specific Guide: Job Management . . . 425
27.1 Document History . . . 425
27.2 Getting Started . . . 426
27.3 Prerequisites . . . 427

    Technical System Landscape . . . 427
    Scenario Configuration User . . . 428
    Communication Channels and Destinations . . . 429
    Technical User . . . 430

27.4 Users and Authorizations . . . 431
    User Roles (Old) . . . 432
    User Roles (New) . . . 437

27.5 Solution Maintenance via Work Center . . . 313
27.6 Scenario Integration . . . 443
27.7 External Integration . . . 446

    SAP CPS . . . 446


28 Scenario-Specific Guide: SAP Engagement and Service Delivery . . . 447
28.1 Document History . . . 447
28.2 Getting Started . . . 448
28.3 Prerequisites . . . 449

    Technical System Landscape . . . 449
    Configuration . . . 450
    Communication Channels and Destinations . . . 450
    Technical Users . . . 455
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . 230
    S-User Authorization for Service Desk and Expert on Demand . . . 413
    S-User Authorization for Data Download from SAP . . . 458
    Business Partners Created During Configuration . . . 177

28.4 CRM Standard Customizing for Solution Manager . . . 459
28.5 Recommended Users and Authorizations . . . 460

    User Descriptions and User Roles to Use the Work Center . . . 460
    User Description and User Roles for Service Delivery (Premium Engagement) . . . 465
    Enterprise Service Reporting User - ES_REP_<SID> . . . 465
    Supportability Performance Platform . . . 466
    User Descriptions and User Integration Roles for Issue Management . . . 467
    Main Authorization Objects . . . 468

28.6 Security Optimization Service . . . 469
28.7 Scenario Integration . . . 469

29 Scenario-Specific Guide: Technical Administration . . . 470
29.1 Document History . . . 470
29.2 Getting Started . . . 472
29.3 Prerequisites . . . 472

    Technical System Landscape . . . 472
    Configuration . . . 473
    Communication Channels and Destinations . . . 473
    Technical Users . . . 474

29.4 Users and Authorizations . . . 475
    User Descriptions and Roles for Technical Administration . . . 475
    User Roles for IT Task Inbox and Guided Procedure . . . 478
    Service Availability Management . . . 481
    Main Authorization Objects . . . 483

29.5 Integration . . . 484
29.6 Traces and Logs . . . 485

30 Scenario-Specific Guide: Business Process Operations . . . 486
30.1 Document History . . . 486
30.2 Getting Started . . . 489
30.3 Prerequisites . . . 489

    Technical System Landscape . . . 489
    Scenario Configuration User . . . 490
    Communication Channels and Destinations . . . 491
    Technical Users . . . 494

30.4 Users and Authorizations . . . 495
    User Descriptions and User Roles . . . 496

30.5 User Roles for Additional Functions . . . 502


    Dashboard User Roles . . . 502
    Solution Maintenance via Work Center . . . 313
    End-User Roles for CDC . . . 502

30.6 Scenario Integration . . . 503

31 Scenario-Specific Guide: Data Volume Management . . . 504
31.1 Document History . . . 504
31.2 Getting Started . . . 506
31.3 Prerequisites . . . 507

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Scenario Configuration User and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

31.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 User and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Critical Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

31.5 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

32 Measurement Platform and Enterprise Support Reporting (iCI - Interactive Continuous Improvement) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

32.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51632.2 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51732.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

32.4 Interactive Continuous Improvement (iCI) Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

33 Service Provider Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52233.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52233.2 Service Provider Customer RFC-Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52233.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52333.4 Service Provider—Specific Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52433.5 Incident Management User Descriptions and User Roles for Customers . . . . . . . . . . . . . . . . . . . . . 52433.6 Solution Documentation User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52733.7 Work Centers for Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52733.8 Granting Work Center Access to Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

34 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53034.1 HowTo Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

SDN Wiki for Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 How to Create Users and Business Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 How to Administer Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533 How to Create a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533 How to Maintain Authorizations in Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 How to Generate a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 How to Assign Roles to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 How to Create Scenario Configuration Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 How to Upgrade Authorizations after Release Upgrade or Support Package Upgrade . . . . . . . . . 544 How to Use an ST01 Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545


How to Use Transaction SU24  547
How to Translate Your Own Customizing Entries  548

34.2 Additional Information  549
Links for Additional Components on Service Marketplace  549
SAP Notes as Mentioned in the IMG  550

34.3 Glossary  554
Terminology: System Landscape and Related Terms  554
Terminology: Solution and Related Terms  558

A Reference  560
A.1 The Main SAP Documentation Types  560


1 Security Guide

Caution: Usage Rights for SAP Solution Manager Enterprise Edition

The extent of the usage of the software package "SAP Solution Manager 7.1" depends upon the type of maintenance contract you have signed. If you have a signed contract for:

● SAP Enterprise Support

● Product Support for Large Enterprises

● SAP Premium Support

● SAP MaxAttention

you are authorized to use all functions in the software package, without any restrictions.

If you have signed only standard support contracts, you are allowed to install this software package, but you are only allowed to use restricted functionality. You are not allowed to use the following Enterprise Edition functions:

● Business Process Change Analyzer

● Quality Gate Management

● Custom Development Management Cockpit

This Security Guide is updated in the SAP Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager <current release> with every Support Package.

For any issues with security, authorizations, roles, and user management for SAP Solution Manager, use component SV-SMG-AUT.

Integration

Security topics are relevant for the following phases:

● Installation and Upgrade

● Configuration

● Operation

Recommendation: Use this guide during all phases. For a detailed overview of which documentation is relevant for each phase, see the guides reference on the Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager 7.1.

More Information

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace: service.sap.com/securityguides


2 Introduction

2.1 Target Group of This Guide

SAP Solution Manager provides an administration and implementation environment that lets you manage your systems and business processes in a transparent way.

The target groups of this guide are readers who are familiar with SAP Solution Manager and with configuration procedures in an implementation and/or upgrade project, that is, technical consultants, system administrators, and/or application consultants:

● technology consultants: working with technical processes supported by SAP software during implementation, when deciding which settings to make

● system administrators: optimizing the SAP Solution Manager system during and after implementation

● application consultants: mapping a company’s actual business processes to the processes and functions supported by SAP software during implementation, and when deciding which settings to make

● SAP Security Professionals: securing the system landscape settings

2.2 Getting Started

This security guide provides you with an overview of the security-relevant information that applies to SAP Solution Manager 7.1 as of SP01 and higher. Since SAP Solution Manager covers several scenarios, this document first provides general security recommendations for SAP Solution Manager in a so-called Core Guide, followed by specific security guidelines for the individual capabilities.

In other words, this guide consists of a main guide, the Core Guide, containing general information on authorizations and roles within SAP Solution Manager, such as the authorization concept and its integration, as well as user management functions. The scenario-specific guides describe the delivered scenarios in analogy to the work centers and the configuration view structure in transaction SOLMAN_SETUP.

The SAP Solution Manager IMG comprises several nodes for configuration; see the configuration guide for SAP Solution Manager for more information. Scenario configuration is done during capabilities configuration. The graphic referenced here shows the IMG as delivered with SAP Solution Manager 7.1 as of SP02. The structure can change in later SPs, due to changes or additions in capabilities. Therefore, this graphic only represents an example of the IMG structure.

Authorization assignments or specific user creation for scenarios are described in the corresponding IMG activities, which are also referenced in the scenario-specific security guides.

The initial configuration, or Basic Configuration, refers to the automated basic configuration using transaction SOLMAN_SETUP or the Solution Manager Configuration work center.

Recommendation: Always use this security guide in combination with transaction SOLMAN_SETUP and the Implementation Reference Guide (IMG) for configuration.


Which topics are covered in the core guide

The following topics are covered in this core security guide:

● Target Group: Who should use this guide

● How to use this guide: How should different user groups use this guide effectively?

● Links to additional components: Where can you find further information on functions, tools, and third-party products which are not covered in this guide?

● Using Solution Manager as Service Provider: How to use this guide as a Service Provider?

● Terminology: How are specific terms to be understood in this guide?

● System Landscape

● Security Dependencies: Which additional dependencies have to be taken into account?

● Network and Communication Security: How should your network be built up?

● User Management Tools: Which tools are used within SAP Solution Manager to create users?

● Central User Administration: How to set up CUA in Solution Manager?

● Secure Storage

● Integration into Single Sign-On Environments

● Authorization Integration Concept: How is the authorization concept for SAP Solution Manager defined?

● User Definitions: How do we define users?

● User Roles: How do we define user roles?

● Data Storage

What should you know in advance

If you have little or no knowledge of security and authorization concepts, start by reading the general SAP documentation for authorizations. This topic is not covered in this guide and is regarded as a prerequisite. In addition, before using this guide you should familiarize yourself with the respective Master Guide for SAP Solution Manager, and with the general user and authorization information for SAP NetWeaver systems:

Transaction SPRO SAP Customer Reference Guide SAP NetWeaver Application Server System Administration User and Authorization.

2.3 How to Use this Guide

Setting up an authorization concept for SAP Solution Manager in your own company is not simple. It requires approaching the topic from a technical as well as a content-oriented perspective.

Authorizations are strongly tied to configuration topics for certain scenarios, as well as to security-relevant technical information. The knowledge for these areas is seldom found within one department on the customer's side, yet technical and application components must be aligned for a successful concept. This is especially important with SAP Solution Manager, as the product supports both the life cycle of systems (maintained by technical staff) and the life cycle of solutions (maintained by application-oriented staff).

Therefore, as described in the previous section, this guide is directed at different groups with different focuses on SAP Solution Manager. These groups may be organizationally separate.

This guide addresses the resulting different ways of approaching authorizations and their maintenance: from a content-oriented view (for instance, application consultants) and from a technically oriented view (for instance, system administrators).


Recommendation: To set up a stable authorization concept, both views must be considered and involved.

The following sections give you short guidance on how to use this guide, depending on your main tasks when setting up an authorization concept or authorization roles for SAP Solution Manager.

How to use the guide from a technically oriented perspective

What do we mean by the technical perspective? It means that you know how to apply an authorization concept in an SAP system effectively: you know how to handle transactions PFCG and SU01, as well as role and profile generation. This implies that you are familiar with the SAP role concept and its specifics, such as the profiles SAP_ALL and SAP_NEW.

It also includes basic technical background knowledge of the SAP Solution Manager system and its landscape structure, such as the Business Warehouse (BW) integration or the handling of System Landscape Directory (SLD) specifics. The maintenance of roles and authorizations depends on this knowledge.

In addition, you should have a basic understanding of the basic configuration of the SAP Solution Manager system and its managed systems.

From a Technical Perspective (Recommendation)

Table 2

Step | Section | Remark

1 | Core Guide | This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.

2 | Setup Landscape Guide | If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager.

3 | Scenario-specific Guides | Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. For each scenario or function, a so-called ALL or ADMIN (administration) role is delivered. This role contains full authorization for a specific scenario. In addition, SAP delivers a so-called DISP (display) role, which contains only display authorizations for the respective scenario. If your company's business processes differ from the recommended SAP process, these roles need to be adapted. Your application consultant should define the applicable roles to be used. If the definition differs, the corresponding authorization objects must be maintained.

4 | Glossary in this guide, transaction SUIM in the system, WIKI for Authorizations | If you need to maintain authorization objects, you may check the mentioned information sources on individual authorization objects and how they relate to functions. The glossary gives you an overview of all roles mentioned in this guide with the main authorization objects included in these roles. In transaction SUIM, you can search for individual authorization objects and read their documentation. The new WIKI page for authorizations in SAP Solution Manager covers many of the relevant authorization objects for Solution Manager with corresponding use cases, such as how the authorization object should be maintained to restrict certain functions. The use cases are more or less taken from customer situations.

5 | HowTo section | This section covers how-to guides for technical as well as content-oriented tasks.

How to use the guide from a content-oriented perspective

What do we mean by the content-oriented perspective? SAP Solution Manager is an SAP product that supports your business. Roles and authorization objects are delivered to allow your end users to work within the limits of their tasks. In other words, they should only be allowed to execute and see what they need in their daily work. These tasks depend on your specific business processes. As a logical consequence, the authorizations and roles assigned to your users depend heavily on the business processes you deploy, and accordingly on the configuration of your system. The concept of your configuration needs to be considered in the concept of your authorizations. Although we deliver template roles for your use, they can hardly ever be applied to your business without modification. Therefore, before tailoring authorizations or using SAP template roles, you need to consider your business processes, the content of your business.

From a Content-Oriented Perspective (Recommendation)

Table 3

Step | Section | Remark

1 | Core Guide | This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.

2 | Setup Landscape Guide | If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager. It gives you an overview of which scenarios should be running "out-of-the-box" after the setup is done.

3 | Scenario-specific Guides | Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. If the definition differs, the corresponding authorization objects must be maintained. You need to discuss which authorizations must be maintained in these cases with the person responsible for the technical implementation of the authorization concept. All roles are delivered according to a specific user definition. This user definition gives you an overview of which tasks the user is authorized for if the SAP-delivered template roles are used.

4 | HowTo section | This section covers how-to guides for technical as well as content-oriented tasks.

How to use this guide when upgrading from Release 7.0 to 7.1

1. Read the SAP Solution Manager Upgrade Guide first; for more information, see the section Additional Links.

2. Check the Document History for the specific scenarios you are using.

3. Check for updates in transaction SOLMAN_SETUP.


4. Activate the Release Note info button in the IMG to display all information icons for new release features for the configuration of the specific scenarios.

5. If required, read additional guides for additional functions and tools.

Note: If you are already acquainted with the authorization concept in SAP Solution Manager, we strongly recommend reading the Document History for changes in roles and authorization objects, and in addition the Operations Guide for SAP Solution Manager on the Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager.

2.4 Links for Additional Components on the Service Marketplace

Your Solution Manager system is the platform for administrative tasks in implementing, operating, and upgrading the systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. This guide cannot describe all relevant details for integrated components, such as third-party products or other SAP components. We therefore refer to the applicable guides, Service Marketplace links, or IMG activities as the relevant information sources.

The following table gives you an overview of these additional components, where to find more details, and what they are used for in connection with SAP Solution Manager.

Recommendation: To ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation as needed.

Additional Information on SAP Solution Manager

Table 4

Component | Where in the Service Marketplace? And Additional Sources

Master Guide for SAP Solution Manager | service.sap.com/instguides SAP Components SAP Solution Manager 7.1

Upgrade Guide for SAP Solution Manager | service.sap.com/instguides SAP Components SAP Solution Manager 7.1

Operations Guide for SAP Solution Manager | service.sap.com/instguides SAP Components SAP Solution Manager 7.1

Installation Guide for SAP Solution Manager | service.sap.com/instguides SAP Components SAP Solution Manager 7.1

Implementation Reference Guide for SAP Solution Manager | no link, see transactions SOLMAN_SETUP and SPRO in the SAP Solution Manager system

Solution Manager Diagnostics | service.sap.com/diagnostics

IMG projects and project IMGs | How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager Media Library Technical Papers

Additional Information on Infrastructure

Table 5

Component | Where in the Service Marketplace?

Guide Landscape Management Database | service.sap.com/instguides SAP Components SAP Solution Manager Release 7.1 Additional Guides

System Landscape Directory (SLD) | service.sap.com/sld or sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory. Note: transaction SOLMAN_SETUP in the SAP Solution Manager system

Software Life-Cycle Manager (SLM) | service.sap.com/slm and help.sap.com/nw70 Functional View Solution Life Cycle Management Software Life Cycle Management. Note: Information and Configuration Prerequisites Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)

Adobe Document Services (ADS) | service.sap.com/adobe. Note: Information and Configuration Prerequisites ADS setup (technical name: SOLMAN_ADS_INFO)

One Transport Order | service.sap.com/solutionmanager Media Library Technical Papers

TREX | help.sap.com/nw2004s. Note: Information and Configuration Prerequisites TREX (technical name: SOLMAN_TREX_INFO)

Master Data Management (MDM) - MDM Administration Cockpit | service.sap.com/mdm and service.sap.com/installmdm

SAP NetWeaver Administrator | service.sap.com/nwa

Adaptive Controlling (ACC) | for general information: sdn.sap.com/irj/sdn/adaptive; for application help, such as starting and stopping an application service: help.sap.com; for installation information: service.sap.com/instguides

Application help for security topics connected to ICF services | help.sap.com/nw07

System security for SAP NetWeaver ABAP and Java (help setting up system security for ABAP and Java) | service.sap.com/security Media Library Literature

Current list of ports used by SAP | service.sap.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications or wiki.scn.sap.com/wiki/display/TCPIP/Home+of+TCP-IP+Ports

Diagnostics | service.sap.com/diagnostics

Authorization object S_RFCACL | help.sap.com/nw70

Auditing and Logging | help.sap.com Search Documentation, search for Auditing and Logging

Web Dispatcher | see the Help documentation for the Web Dispatcher step in transaction SOLMAN_SETUP

Additional Information on Business Warehouse Integration

Table 6

Component | Where in the Service Marketplace?

Business Warehouse (BW) | service.sap.com/bi. Note: Information and Configuration Prerequisites BW (technical name: SOLMAN_BI_CLIENT_INF)

Additional Information on Third Party

Table 7

Component | Where in the Service Marketplace?

SAP Quality Center by HP | service.sap.com/solutionmanager SAP Quality Center by HP. Note: Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)

SAP Redwood Job Scheduling | service.sap.com/job-scheduling. Note: Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)

SAP TAO | service.sap.com/saptao

Wily Introscope User Administration | Introscope Installation for SAP (Introscope® Version 8.0 Installation Guide for SAP). Note: see SAP Note 797147. Used in Root Cause Analysis and Technical Monitoring Work Center.

Additional Information on User Management

Table 8

Component | Where in the Service Marketplace?

User Management Engine (UME) | help.sap.com/saphelp_nw04/helpdata/6a/d39b3e09cdf313e10000000a114084/frameset.htm

Central User Administration (CUA) | help.sap.com/saphelp_nw73/helpdata/en/23/cbce3b1bc7fa20e10000000a114084/frameset.htm. Note: You can find the complete CUA configuration guide on the Service Marketplace at: help.sap.com

Single Sign-On | service.sap.com/sso-smp

Additional Information on Other SAP Products

Table 9

Component | Where in the Service Marketplace?

PI Security Guide | help.sap.com/saphelp_nw04/helpdata/en/58/d22940cbf2195de10000000a1550b0/frameset.htm

Additional Information on Roles Management

Table 10

Component | Where in the Service Marketplace?

SAP NW Guide for PFCG | general PFCG link

Details about OBN navigation in SAP NWBC | wiki.wdf.sap.corp/wiki/display/NWBC/Documentation

Roles for SAP Change and Transport Analysis Sessions | SAP Note 1074808


2.5 Using SAP Solution Manager as a Service Provider

As a Service Provider, you provide services to your customers using SAP Solution Manager. The Service Provider scenario extends the SAP Solution Manager standard scenario setup for specific customer contexts.

Figure 1: Customer Contexts

If your SAP Solution Manager is used in one of the above contexts, you can use it as a Service Provider. For this purpose, you also need to add some additional configuration and specific authorizations for yourself, as the Service Provider, and for your customers/subsidiaries.

See the section Service Provider and Service Provider Customer Specification.

For more information on Service Provider scenarios and definition, see the master guide for SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release> .


3 Terminology as Used in SAP Solution Manager

This section gives you an overview of the main terms used in this security guide. It covers only terminology used specifically in regard to SAP Solution Manager; it does not cover general SAP terminology. For more detail on SAP terminology, refer to SAPterm.

General SAP Solution Manager Guide Terminology

Table 11

Term | Definition as Used in This Guide | Synonyms as Could Be Used by Other Sources

Core Security Guide | In the Core Security Guide you find all sections referring to conceptual issues concerning the security of SAP Solution Manager. In contrast to the more specific scenario guides, it outlines prerequisites for dealing with the landscape setup or operation of SAP Solution Manager in this regard. | Main Guide, Main Security Guide

Scenario-Specific Guide | In analogy to the configuration structure in transaction SPRO, each capability is regarded as a separate scenario. For each scenario, you find the corresponding information on RFC connections, users, configuration, and so on in the scenario-specific guides. Due to the nature of SAP Solution Manager as an end-to-end platform, you also find sections on scenario integrations and on the integration with external products. | Scenario Guides

User Management

Table 12

Term | Definition as Used in This Guide | Synonyms as Could Be Used by Other Sources

User | A user is a person working in the system with a user ID. | human user, end user

Technical User | The technical user is the overall term for users which are not dialog users in the system. They can be service users, system users, or communication users. The user types are explained in more detail in the core guide section on User Management. | service user, system user, RFC user, communication user

CUA | - | CUA, Central User Management

User Master Record | The user master record defines all data which belongs to a user with a user ID in the system. | SU01 data

Consumer ID | PI-specific term, user ID: SOLMAN_<SIDofSM>, see the scenario-specific guide for Technical Monitoring | -

Roles and Authorization

Table 13

| Term | Definition as Used in This Guide | Synonyms as Could be Used by Other Sources |
|---|---|---|
| Authorization Concept | An authorization concept defines the structure of how authorizations are bundled and assigned to users in a system. Depending on the nature of the system's application, this can vary extensively from one SAP product to another. | |
| Segregation of Duty | Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business, sharing a single task among more than one individual is intended to prevent fraud and error. (www.wikipedia.org) | Separation of Duty |
| Business Role | The term Business Role is used to define that the role is used for segregation of duty. It contains authorization objects that are used for restricting specific business tasks. In the context of CRM it defines a CRM role. This definition is not used within SAP Solution Manager, see core guide section on the integration of CRM with SAP Solution Manager. | Role, User role |
| Standard SAP Roles | The Standard SAP Role is a role shipped by SAP as a template recommendation for use by customers. It is modeled according to the process recommended by SAP for a business task. Nevertheless, it needs to be adapted to customer requirements. | Template role, Technical roles |
| CRM Role | A CRM role is used to define a role that only contains CRM authorization objects. | Standard CRM role |
| Template Roles | see Standard SAP Roles | |
| Technical Roles | The term Technical Role is used to define that the corresponding role contains mainly authorization objects that allow a technical component of the system to run, for instance the Extractor Framework. | Standard SAP Roles |
| Reporting Roles | The Reporting Role defines a role that is used for BI reporting. It contains primarily BW-related authorization objects. | Standard SAP Roles |
| Composite Role | Composite roles simplify the user administration within an ABAP SAP system. They consist of a defined number of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare activity. Composite roles do not contain authorization data. Setting up composite roles is useful, for example, if some of your staff need authorization for several roles. You can create a composite role and assign it to the users instead of putting each user in each required single role. In the description tab of the composite role, you find a short instruction on how to further handle the delivered SAP Standard role. All roles shipped by SAP are only templates. You may use them 1:1 if they fit your requirements exactly. For a user and role description, see the relevant scenario-specific security guide. In most cases, your requirements will not fit the SAP-delivered role. Therefore, you have to adapt either complete single roles or individual authorization objects. Make sure you have built up an appropriate authorization concept for your users in advance. | Collective Role |
| Single Role | Single roles are collections of activities which allow a user to use one or more business scenarios of an organization. This is basically an enumeration of credentials which can be applied to one or several users within an SAP System. After a system administrator assigns a role to a user, the SAP system displays a specialized user menu for that user (SAP GUI-relevant). In addition, the user role also assigns the authorizations the user requires for these activities. The standard SAP system contains a large number of template roles. You can use these as is, or copy them and change them. The integrity of business data is also ensured by the assignment of roles. Assignment of a role requires the system administrator to generate a profile for this role. This so-called authorization profile is generated to restrict the activities of users in the SAP System, depending on the authorization objects maintained in the roles. Note: As of release 7.1, no single profiles are shipped anymore, only roles. | |
| Profile | A profile of a role defines the maintained authorization objects. Without a generated profile, authorization restriction does not work for the specified user. You can generate more than one profile for one role, depending on the authorization values you maintain. As of release 7.1, single profiles are not shipped anymore. A profile must always be generated by the customer. | |
| Authorization Object | An authorization object is defined by authorization values. The object is checked in the coding by AUTHORITY-CHECK for its values. An authorization object can be maintained according to the specific requirements of the customer. | |
| Authorization (Field) | An authorization field is defined by the authorization values that can be entered for it. In general, the authorization values can be selected using Value Help. | |
| Authorization Value | Authorization values are defined in value tables for the authorization object. | |
| Roles for Infrastructure | Infrastructure comprises all entities that are the basis for scenarios. Infrastructure roles contain all necessary authorization objects for it. For more information, see the Landscape Setup Guide section on User Roles for Infrastructure. | SAP Standard Role |
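The terms authorization object, field, value and AUTHORITY-CHECK from the table above, as an added ABAP illustration that is not code from this guide: the object Z_SM_SCEN and its field ZSCEN are hypothetical customer-namespace names, while ACTVT is the standard activity field; the values the check sees come from the profile generated for the user's role, so without a generated profile the check fails.

```abap
*&---------------------------------------------------------------------*
*& Added example (not part of the guide): how an authorization object
*& is checked in ABAP coding. Object Z_SM_SCEN and field ZSCEN are
*& hypothetical names in the customer namespace; ACTVT is the standard
*& activity field. The values the check compares against come from the
*& profile generated for the user's role, so a role without a generated
*& profile yields "no authorization" for every user it is assigned to.
*&---------------------------------------------------------------------*
REPORT zsm_authz_demo.

CLASS lcl_sm_authz DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only if the user holds the value pair
    " (ZSCEN = iv_scenario, ACTVT = iv_activity) in the user buffer.
    " ev_reason carries a diagnostic text when access is denied.
    CLASS-METHODS is_allowed
      IMPORTING iv_scenario       TYPE c LENGTH 40
                iv_activity       TYPE c LENGTH 2
      EXPORTING ev_reason         TYPE string
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_sm_authz IMPLEMENTATION.
  METHOD is_allowed.
    rv_allowed = abap_false.
    CLEAR ev_reason.

    " Every field of the object is supplied with a concrete value.
    " Using DUMMY for a field would skip that field's check, which
    " silently widens the access granted by the role.
    AUTHORITY-CHECK OBJECT 'Z_SM_SCEN'
      ID 'ZSCEN' FIELD iv_scenario
      ID 'ACTVT' FIELD iv_activity.

    " sy-subrc 0 = granted, 4 = user lacks the value combination.
    " Any other non-zero value (object unknown, field name wrong, ...)
    " is treated as "denied" as well; the check result is never ignored.
    CASE sy-subrc.
      WHEN 0.
        rv_allowed = abap_true.
      WHEN 4.
        ev_reason = |No authorization for scenario { iv_scenario }, activity { iv_activity }|.
      WHEN OTHERS.
        ev_reason = |AUTHORITY-CHECK on Z_SM_SCEN failed with sy-subrc { sy-subrc }|.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_reason TYPE string.

  " ACTVT '02' = change, '03' = display (standard activity values).
  " 'TECH_MON' is a constructed sample value for the hypothetical field.
  IF lcl_sm_authz=>is_allowed( EXPORTING iv_scenario = 'TECH_MON'
                                         iv_activity = '02'
                               IMPORTING ev_reason   = lv_reason ) = abap_true.
    WRITE: / 'Change access to scenario TECH_MON granted'.
  ELSE.
    WRITE: / 'Change access to scenario TECH_MON denied:', lv_reason.
  ENDIF.
```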

Scenarios, Core Business Processes, Capabilities, Functions

Table 14

| Term | Definition as Used in This Guide | Synonyms as Could be Used by Other Sources |
|---|---|---|
| Scenario | SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes and systems, within a system/platform. The product life-cycle can be regarded as a set of scenarios. A scenario is a group of business process-related functions which support the sequential and logical relationships of processes within the life-cycle of the product. We differentiate between scenarios (for instance: Implementation/Upgrade of SAP Solutions or Test Management), processes relating to these scenarios (for instance: Roadmap), and functions that can be used in one or more of them (for example, the function Document Management can be used in Implementation and/or Test Management). Note: Usage data about the functions and scenarios used by the customer is sent to SAP. See SAP Note 939897 (how to prevent this transfer). | Capabilities |
| IT Service Management | Used as synonym for Incident Management, Problem Management, Request Management, Service Desk, Support Desk | Service Desk, Support Desk, Incident Management, Incident Application Management |

Solution Manager Infrastructure

Table 15

| Term | Definition as Used in This Guide | Synonyms as Could be Used by Other Sources |
|---|---|---|
| Configuration | The configuration of SAP Solution Manager consists of two main parts: the basic settings of the SAP Solution Manager configuration in transaction SOLMAN_SETUP (first three views), and the scenario configuration, which is done for Technical Monitoring in transaction SOLMAN_SETUP and for other scenarios in transaction SPRO. | Installation, Infrastructure |
| Infrastructure | Before you can work with a scenario/function in the Solution Manager system, you need to make all relevant systems, databases, and servers known, and maintain primary units such as solutions and logical components, and your business processes. This guide refers to all these as infrastructure. | Configuration, Installation |
| Operations | Operations refers to the tasks executed in a system after it is installed and configured. | |
| Business Intelligence (BI) | | BW |
| Business Warehouse (BW) | | BI |
| Dashboard Framework | The dashboard framework integrates dashboards in applications of the Solution Manager and allows the usage and presentation of data from the Business Warehouse in the Solution Manager. The dashboard framework enables the flexible configuration of dashboards with the help of business apps. | |
| Dashboard Type | A dashboard type is a template for dashboard instances. | |
| Dashboard Instance | A dashboard instance is the representation of a dashboard type. It is a container for a collection of business app instances and/or dashboard instances. | |
| App Instance | An app instance is the representation of an app type. With the help of business apps, users can compose their individual dashboards. A business app instance is the user interface for the visualization of KPI data. | |
| App Type | An app type is a template for business app instances. | |
| Child system | Child system, used in connection with CUA | Target system |
| Central system | Central system, used in connection with CUA | Source system |
| Client system | Client system, used in connection with CUA | |
| Business system | Managed system | managed system, if the focus is on the use of the system for the customer's business |

4 Quick Guide

This section provides you with a number of steps you should perform to secure your SAP Solution Manager system.

Procedure

Table 16

| Step | What to Do? | Further Information in Source/Section in This Guide, See... |
|---|---|---|
| Phase: Setup SAP Solution Manager (Installation) | | |
| 0 | Check Security Settings according to Installation Guide | |
| 1 | Network | 7.1 |
| 2 | SSL | 7.4 |
| 3 | Apply all relevant Security Patches | Function System Recommendations; check the Online Documentation for SAP Solution Manager |
| Phase: Configuration Preparation of SAP Solution Manager | Check steps in System Preparation view in transaction SOLMAN_SETUP | |
| 4 | ICF Services (change default settings if you do not use HTTPS) | 7.3 |
| 5 | Step 2: Check Recommended Profile Parameters | According to the activity documentation |
| 6 | Step 4.1: Check Web Dispatcher Configuration | Documentation link in the HELP text |
| 7 | Step 4.2: Authentication Types for Web Services | According to the activity documentation |
| 8 | Step 4.4: Set Authentication Policy for Agents | According to the activity documentation |
| 9 | Step 4.5: Gateway Configuration (optional) | 7.7; recommended documentation in the HELP text |
| Phase: Configuration of SAP Solution Manager | Check steps in Basic Settings view in transaction SOLMAN_SETUP | |
| 10 | Step 3.2: Configure SAProuter (optional) | 7.6; recommended documentation in the HELP text |
| Phase: Configuration of Managed Systems | Check steps in Managed Systems view in transaction SOLMAN_SETUP | |
| 11 | Step 3: RFC Connections | 9.10 |
| Phase: Additional Activities | | |
| 12 | HTTP Connect Service | 7.5 |
| Phase: User and Roles Management | | |
| 13 | SSO / SNC | 7.6; 8.4; SAP Note 1121248 |
| 14 | Familiarize with SAP Solution Manager Authorization Concept | 9 |
| 15 | Check the scenario-specific Security Guides | |

5 Overviews

5.1 Overview: Capabilities/Functions

The following table gives you an overview of the functions covered in this guide and which work center/scenario/specific guide they belong to.

Table 17

| Specific Functions | Work Center / Scenario / Specific Guide | Remark |
|---|---|---|
| System, Host, Database Monitoring; PI Monitoring; BI Monitoring; End-User Experience Monitoring; Connection Monitoring; Self Monitoring; Infrastructure Monitoring; Message Flow Monitoring | Technical Monitoring | see scenario guide |
| BI Reporting | Technical Monitoring; Test Management; Incident Management; Solution Manager Administration; Business Process Operations; Change Management / Change Request Management | Described in section BI Integration |
| Dashboards | Technical Monitoring; Test Management; Incident Management; Business Process Operations; Change Request Management | Described in section BI Integration |
| Maintenance Transactions | Maintenance Optimizer | see scenario guide |
| Road maps; Business Blueprint/Configuration | Implementation and Upgrade | |
| Project Administration | Implementation and Upgrade; Solution Manager Administration | |
| Business Blueprint/Configuration; Business Functions; Upgrade Dependency Analyzer; Customizing Distribution; BC-Set Activities; Help Center; Learning Maps; Digital Signature | Implementation and Upgrade | |
| Document Management | Implementation and Upgrade; Test Management; Solution Documentation Assistant; Change Management / Change Request Management | Implementation and Upgrade scenario guide |
| Solution Directory | Implementation and Upgrade | Described in section Infrastructure Roles |
| Test Automation; Test Plans, Test Packages; Test Information; Testing; Test Workbench Workflow; Extended Capabilities | Test Management | see scenario guide |
| Solution Documentation Assistant | Solution Documentation Assistant | |
| TBOMs | Test Management / Business Process Change Analyzer | |
| Change Analyzer | Test Management / Business Process Change Analyzer | |
| Incident Management | Incident Management | In addition, described in section CRM Integration |

5.2 Overview: Solution Manager Functions Integration

This section gives you an overview of the integration of functions. Only those functions are listed which rely on cross-work center usage. For instance, Upgrade Dependency Analyzer is not mentioned, as it does not integrate with functions in work centers other than Implementation and Upgrade. Business Blueprint and Configuration, however, are mentioned, as they are used in the work centers Implementation and Upgrade and Solution Documentation Management.

More details are described in the scenario-specific guides.

How to read the table

The header determines in which function the integration is placed. For instance, the integration of TBOMs into Business Blueprint/Configuration can be done in transaction SOLAR01/02. In this case read: Header Line for Business Blueprint/Configuration number 1 and check the integration with vertical number for Business Process Change Analyzer number 7.

1. Business Blueprint and Configuration

2. CDMC

3. Customizing Distribution

4. Document Management

5. Solution Directory

6. Solution Documentation Assistant

7. Business Process Change Analyzer

8. Incident Management

9. Issue Management

10. Test Management

11. Business Process Monitoring

12. Change Request Management

13. Job Management

14. SAP Engagement and Service Delivery

15. Root Cause Analysis

16. Technical Monitoring

17. Notification Management

18. Quality Gate Management

19. Configuration Validation

20. Data Volume Management

21. Exception Management

22. Guided Procedure Browser

23. CBTA

24. cProject

25. Project Administration

26. Message Flow Monitoring

Table 18

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

1 X X X X

2 X

3 X

4 X

5 X X X X


6 X

7 X X X X

8 X X X X X X X X

9 X X

10 X X X X

11 X X X

12 X X X X X X X

13 X X

14

15 X X

16 X X X

17 X X X X

18 X

19 X

20

21 X X X X X X

22 X X

23 X X

24 X X

25 X X

26 X X X

5.3 Overview: Solution Manager Configuration

This section gives you an overview of which functions are configured using transaction SOLMAN_SETUP:

● All Technical Monitoring scenarios

● Incident Management (ITSM)

● Change Request Management (ITSM)

● Business Process Change Analyzer

● Business Process Monitoring and Analytics

● SAP TAO

● Data Volume Management

● Measurement Platform (ESR)

● Service Availability Management (SAM)

● EWA Management

● CBTA

All other scenarios can be configured using transaction SPRO.

5.4 Overview: Solution Manager Technical RFC Users per Scenario

This section gives you an overview of which users are necessary per scenario. An X in a column indicates that the user is necessary for this scenario. Detailed information about the RFC destination used can be found in the corresponding scenario-specific guides.

Scenarios

● Implementation = A

● Solution Documentation Assistant = B

● Test Management = C

● Business Process Change Analyzer = D

● Incident Management = E

● Change Request Management = F

● Quality Gate Management = G

● Technical Monitoring = H

● Business Process Operation = I

● Job Management = J

● SAP Engagement and Service Delivery = K

● Technical Administration = L

● Data Volume Management = M

● Root Cause Analysis = N

● Maintenance Optimizer = O

● Custom Code Life-Cycle Management = P

● IT Task Inbox and Guided Procedures = R

Table 19

| User and/or RFC | A B C D E F G H I J K L M N O P R |
|---|---|
| READ RFC | (X)9 (X)9 X X X (X)9 (X)9 X (X)9 X X X X X X (X)9 |
| TMW RFC | X 1 X X 2 X X X |
| BACK RFC | X 3 X X X X |
| TRUSTED RFC | X 4 X 8 X 5 X11 X 6 X8 X 10 |
| SMD_RFC User | X 7 X 7 X |
| BI_CALLBACK User | X X X X X |
| SM_EFWK User | X X X X X X X |
| SMD_BI_RFC User | X X X X X X X |
| OSS_RFC User | X x X |

1 for CDMC

2 for creating and releasing transport requests

3 for EWA data transfer

4 for Customizing Distribution; Customizing Synchronization, BC-Sets, CDMC

5 for Task List Framework

6 for CDC, value help for BP Monitoring

7 Java-related

8 Alternatively, the Login RFC connection can be used

9 If a TMW connection is in place, the TMW connection user has all the authorizations of the READ connection user plus batch and write authorizations. If you have a TMW connection in place, you do not necessarily need a READ connection.

10 In case of automatic activities (only in customer-owned settings)

11 for Message Flow Monitoring

5.5 Overview: Third Party Products to Be Used with Solution Manager

In this section you find an overview of third-party integration with individual scenarios. For more details, see the scenario-specific guide section External Integration. For more information on security for external tools, see the corresponding documentation for the tool.

1. Implementation

2. Incident Management

3. Test Management

4. Business Process Change Analyzer

5. Job Management

Table 20

| Third-Party Product | 1 2 3 4 5 |
|---|---|
| Business Process Management Suite (NW CE) | X |
| Enterprise Service Repository (PI) | X |
| SAP Productivity Pak by RWD | X |
| Service Desk | X |
| HP QC | X |
| eCATT | X |
| Test Tools | X |
| IBM Rational Test Management Tool | X |
| SAP TAO | X |
| SAP CPS | X |

6 System Landscape

6.1 Technical System Landscape

SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager you need one of the following clients: SAP GUI, a Web Browser, or SAP NetWeaver Business Client (NWBC) (for work center functionality). Communication with other systems is via RFC technology and web services.

You find explanations for scenario-specific technical system landscapes within each scenario-specific guide.

More Information

For a detailed view of the overall system architecture of SAP Solution Manager, see the master guide for SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.

7 Network and Communication Security

As part of its basic functions, SAP NetWeaver offers several interfaces to the network. These include remote function call (RFC)-enabled function modules and services offered using the Internet Communication Framework (ICF). A standard function available from the ICF is the Simple Object Access Protocol (SOAP)-based RFC interface, which allows RFC requests over HTTP. This interface is activated for use by another application.

This section gives an overview of the communications concept for SAP Solution Manager, including sections on topics related to HTTP connections and RFC connections.

7.1 Network Topology

Your network infrastructure must protect your system. It needs to support the communication necessary for your business and your needs, without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are able to connect to the server LAN (local area network), they can exploit well-known bugs and security holes in network services on the server machines. The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.

Recommendation: The security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.

7.2 Communication Channels and Communication Destinations

SAP Solution Manager's task is to manage your system landscape. To do so, you need to configure various connections to/from your managed systems.

All required communication channels and destinations are explained in the landscape setup guide and the various scenario-specific guides.

Trusted RFC

In the web of your system landscape, SAP Solution Manager receives data from all the systems you have connected to it via various RFC connections. The most security-relevant RFC connection is the trusted RFC, which allows for immediate access to/from your managed systems without any additional login. This RFC is required for several scenarios within SAP Solution Manager, but not all.

READ RFC

The RFC for read access is an RFC connection with a specific RFC user of type system. It is required to read information from managed systems in many scenarios.

TMW RFC

An additional RFC, which may be used for some scenarios, is the TMW RFC. This RFC allows for read access as well as batch authorizations in the managed system. If you require TMW, all authorizations for READ access are included.

BACK RFC

The BACK RFC allows the managed system to send data to SAP Solution Manager for further usage. This is required for Services and Incidents.

RFCs to SAP

Apart from the communication to its managed systems, SAP Solution Manager needs connections to SAP. Many of Solution Manager's scenarios rely on close communication with its backbone. In addition to the SAPOSS RFC, Solution Manager requires two further RFCs, which are copied from the SAPOSS RFC.

Users

This setup of Solution Manager with its connections to many managed systems and to SAP requires a number of RFC users and S-users with specified authorizations.

7.3 Internet Communication Framework

Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. They are based on the HTTP protocol.

The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) for communication between systems through the Internet. You do not need any additional SAP program libraries. The only condition is that your system platform is Internet-compliant. This gives you a maximum amount of flexibility in responding to varying communication requirements.

Communication through the ICF has the following benefits:

● Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces. If you do not maintain an HTTPS connection and you are required to enter your user and password (message in the logon screen: "No switch to HTTPS occurred, so it is not secure to send a password"), you can change the default settings for the service:

1. Choose transaction SICF and the corresponding service (/default_host/sap/bc/webdynpro).

2. Select the tab Error Pages and choose the button Configuration.

3. Change the protocol selection.

4. Save.

Figure 2: SICF Service System Logon Configuration

● Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location.

Caution: SAP delivers all ICF services inactive, for security reasons.

To activate a single service, select the service in transaction SICF, right-click it, and choose Activate Service.

● Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.

ICF - Service Reports

In the SAP Solution Manager setup, the system activates services in different configuration scenarios. Most of the services are activated in the Basic Configuration view, Step 5 (Configure Automatically). Services are grouped and can be activated together by running the report in transaction SICF_INST. One group can contain up to 100 services.

The following ICF service reports are activated during SOLMAN_SETUP:

● SM_BASIC_SETTINGS*

● WEB DYNPRO ABAP

● SM_DTM

● SM_CRM_UI

● SM_MONITORING

● SM_CROSS_SCENARIO

● SM_JOB_SCHEDULING

● SM_BPO_DASHBOARD

● SM_SDA

● SM_IMPLEMENTATION

● SM_BW

If you decide to deactivate a service, proceed as follows:

1. Check the SICF path of the application (service).

2. Go to transaction SICF, and enter the path name.

3. Using the right mouse click, choose the activity Deactivate in the menu.

4. Deactivate the service.

The service is greyed out in the SICF host tree.

7.4 Secure Socket Layer (SSL)

The Secure Sockets Layer (SSL) protocol is a protocol layer placed between a reliable connection-oriented network-layer protocol (for example TCP/IP) and the application protocol layer (for example HTTP). SSL provides secure communication between a client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy. Secure Socket Layer (SSL) allows you to create secure connections for HTTP.

Caution: You must set up SSL for SAP NetWeaver ABAP and Java (for instance: Diagnostics Agents, Maintenance Optimizer and SLM), see SAP Note 1138061. SSL only provides a secure channel between partners communicating directly in a network. SSL protects the messages only while in transit, but offers no security for (XML) data in storage.

To set up SSL in your system, follow the procedure described in SAP Note 510007, and for the Diagnostics Agent the corresponding step in transaction SOLMAN_SETUP later on. See also the installation guide for SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.

Note: To check whether SAP Cryptolib has been successfully implemented, run program SSF02. Set the flag Get Version and choose Execute. The system displays the current version of SAP Cryptolib.

More Information

On Maintenance Optimizer (SLM), see IMG activity Information and Configuration Prerequisites for Maintenance Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO).

Further Information on SSL

Table 21

| Information Source | Remarks |
|---|---|
| SAP Note 510007 | Setting Up SSL on the Web Application Server (procedure to set up SSL) |
| SAP Note 1000000 | Web Dynpro ABAP FAQ (general authorization checks for services and applications are available over the ICF) |
| SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (if you create an error message for Web Dynpro ABAP under component BC-WD-ABA, see the checklist in the SAP Note) |
| SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT |
| Application help for security topics connected to ICF services | help.sap.com/nw07 |
| Installation guides | service.sap.com/instguides SAP Components SAP Solution Manager <current release> |
| System security for SAP NetWeaver ABAP and Java (help setting up system security for ABAP and Java) | service.sap.com/security Media Library Literature |

7.5 HTTP Connect Service for SAP Support

Due to the firewall between customer and SAP systems, it is not possible to display pages of BSPs or Web Dynpro applications in SAP Solution Manager using standard service or support connections. To receive support from SAP for these technology types, you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note 1072324. You need to maintain this connection for on-site and remote support. For remote support, secure this HTTP connection with HTTPS.

7.6 File Transfer Protocol (FTP)

FTP is a network protocol used to send data from one computer to another through a network such as the Internet. You use FTP for the SAProuter permission table.

Recommendation: We recommend protecting FTP communication with SAPFTP, using Secure Shell (SSH). For more information, see SAP Note 795131.

7.7 Use of Gateway

In transaction SOLMAN_SETUP, view System Preparation, Step 4.5, you can configure Gateway settings for Solution Manager applications on mobile devices. You can either configure it in the Solution Manager system or a separate system.

Recommendation: We recommend a separate system.

If you configure Gateway in the same system as Solution Manager, assign role SAP_SM_GATEWAY_ACTIVATION to your administration user, for instance SOLMAN_ADMIN.

For more information, read the HELP section for the according step in transaction SOLMAN_SETUP and read the security guide for Gateway on: help.sap.com/saphelp_gateway20sp03 .


8 User Administration and Authentication Tools

SAP Solution Manager uses the user management and authentication mechanisms provided by the SAP NetWeaver platform, in particular SAP NetWeaver ABAP. If you use Root Cause Analysis, the user management and authentication mechanisms provided by SAP NetWeaver Java are used as well, so the security recommendations and guidelines for user administration and authentication, as described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide, also apply to SAP Solution Manager. We also provide a list of the standard users required to operate Solution Manager for each scenario. As the mechanisms provided by SAP NetWeaver Java only apply to Diagnostics, see the corresponding information on the Service Marketplace: service.sap.com/diagnostics.

8.1 Basic SAP User Management Tools and User Types

A user in a computing context refers to a human person who uses a computer. Users may need to identify themselves for the purposes of accounting, security, logging and resource management.

In an SAP system, users must be created, and roles containing authorizations and a user menu must be assigned to user master records. A user can only log on to the system if he or she has a user master record. It contains user data such as e-mail address, language and password. It can be changed by an administrator or the user.

Creating and changing user master records is done in the User Management. The User Management for SAP Solution Manager uses the mechanisms provided by SAP NetWeaver ABAP and Java: tools, user types, and password policies. Since SAP Solution Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of the Java stack is to be configured against the ABAP stack. This is done during automated basic settings configuration, see the Landscape Setup Guide.

The users created in the User Management tool are typically assigned user types, which follow specific demands regarding their password policy.

You can also use external applications for the User Management by using technologies like LDAP, Active Directory (Microsoft OS only), or NIS (Linux). For more information regarding external User Management solutions like the LDAP scenario, see the documentation available on the SAP Service Marketplace.

Caution: The ABAP stack is the User Management tool for users, roles, and profiles, which the Java UME fetches from there into its storage. However, in some cases, some Java users have to be stored and maintained within the Java stack. This is for example the case for the SLD users (SLD is a Java application).

The following sections give you an overview of the User Management tools used by SAP Solution Manager as well as the user types used.

User Management Tools Overview


Table 22: User Management Tools (Object / Recommended Tool / Remarks)

Object: Users
Recommended Tool: Transaction SU01
Remarks: User Management in the ABAP system(s). Caution: For password security information, see SAP Note 862989.

Object: PFCG roles
Recommended Tool: Transaction PFCG
Remarks: Note: The User Comparison feature was corrected, see SAP Note 1272331.

Object: J2EE security roles and UME roles (only applies to Java applications, for instance Root Cause Analysis)
Recommended Tool: UME and the Visual Administrator
Remarks: Administration console to manage UME roles, and administration tool of the Java Server, to manage J2EE security roles. Both of these tools are part of SAP NetWeaver Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in SAP NetWeaver Java. For more information on UME conversion, see IMG activity Convert UME (technical name: SOLMAN_CHANGE_UME).

Object: Automatic creation of SAP Solution Manager-specific default users and assignment of relevant roles
Recommended Tool: Transaction SOLMAN_SETUP
Remarks: See the section on Automatic User Creation in transaction SOLMAN_SETUP.

Object: Mass maintenance for automatic creation of SAP Solution Manager-specific default users and assignment of relevant roles
Recommended Tool: Work Center SAP Solution Manager Administration
Remarks: See the section on Automatic User Creation in Solution Manager User Administration (SMUA).

For more information on how to create roles, how to maintain authorizations and authorization profiles, and how to execute the user comparison, see the How-to section in this guide.

User Types

When speaking about user types, we mean users in a system that are created for various purposes. Distinguishing them is necessary to specify different security policies for different types of users. For example, your policy may specify that human users (end users) who perform tasks interactively must change their passwords regularly, whereas users who run jobs in the background need not do so. In this guide we differentiate between human users, who are represented in the system by dialog users, and technical users, who perform tasks on behalf of other users in the system. These are represented in the system by the user types system user, service user, or reference user. In transaction SU01, tab Logon Data, you can determine the user type for your user.


During the SAP Solution Manager configuration, users can be created automatically or manually, depending on whether they are created during basic Solution Manager configuration, technical monitoring setup, or scenario-specific setup.

Dialog User

A dialog user represents human users, also called end users. It is required for individual, interactive sessions in the SAP system. An end user requires this user type.

With dialog users, it is possible to check for expired/initial passwords, to change passwords, and the system checks for multiple logons. You should assign to a dialog user exactly the authorizations that he or she requires to perform his or her tasks, in accordance with an established roles concept and authorization concept.

SAP Solution Manager ships composite template roles for predefined end users for each scenario, see the corresponding scenario-specific guides. This means that we deliver template roles with authorization objects that are maintained according to a specified authorization concept. This authorization concept is a recommendation by SAP, which you can use. Since your requirements may differ, you need to adapt these delivered templates. In the scenario-specific guides you find a user description relevant for the specific template role.

In case of a dialog user using ABAP stack and Java stack UI, an assigned role (for instance SAP_J2EE_ADMIN) can be propagated to user groups of the user management engine (UME), which are then assigned to security roles for Java applications by using the Security Provider service of the Visual Administrator. These roles include no authorization objects.

Dialog users are maintained in the ABAP stack. A session-based single sign-on is supported.

Note: If you use SAP NWBC as front-end client, you can only log on with a dedicated dialog user.

Service User

A service user is available to a larger user community that is anonymous for the moment, and allows interactive system access. Although a service user does not log on interactively, it is authenticated and its attributes contain a valid ticket. This user type is used, for example, for guest access, or to connect to a remote system with certain rights. With this user type, the system does not check for expired or initial passwords, only a user administrator can change the password, and multiple logons are permissible. Since this is security-relevant, these users should be assigned exactly the authorizations that are required by a large number of users of equal status. In the IMG, it is explicitly mentioned if a user should be of user type Service.

System User

A system user does not allow interactive system access. This user type is used to perform certain system activities, such as background processing, ALE, workflow, and so on. The system excludes a user of this type from password expiry. Therefore, the password of these users can only be changed by user administrators in transaction SU01. You should also ensure for users of this type that you assign only the rights that are required in the system. If, for example, users of type system user that are used for RFC connections have too many authorizations, RFC administrators from the calling system can easily log on to the called system and abuse the technical user's authorizations. SAP Solution Manager ships corresponding predefined standard roles for such users. This user type is used for user SOLMAN_BTC and for RFC users. All technical users created by the automated basic settings configuration via SOLMAN_SETUP are of type system.

Reference User

Instead of assigning roles to each user individually, a reference user is created for a selection of roles that are to be assigned to a larger group of users, and the selected roles are assigned to this user. The reference user must then be assigned to the dialog users in the Roles tab of the user master record. This minimizes administration costs and improves performance. This method is used when you need to create a high number of users in your system with the same authorizations assigned. For instance, in Application Incident Management the report AI_SDK_SP_GENERATE_BP is used to create users as well as additional business partners.

Figure 3: Report: AI_SDK_SP_GENERATE_BP

With this report, you can use a reference user to create users and according business partners.

8.2 Automatic User Creation using Transaction SOLMAN_SETUP

Configuration Users and Template/Standard Users

Configuration Users

In transaction SOLMAN_SETUP, you can create specific configuration users for all scenarios that are configured automatically in a guided procedure in transaction SOLMAN_SETUP. These users are created during the Basic Settings Configuration. They allow you to provide one specific configuration user per scenario.

You can also provide an existing user. In this case, the system adds the missing roles to this user. For instance, you can provide user SOLMAN_ADMIN.

The configuration user contains all necessary authorizations for configuring the scenario using the guided procedure. It also contains authorizations to check system prerequisites and run the application.

Template/Standard Users

Within each guided procedure for scenarios it is possible to create so-called Template/Standard Users. These users contain authorizations/roles that allow exactly those activities in the corresponding application which are defined in the user description by SAP. Therefore, these users can be considered as DEMO users. Creating these users is an optional activity.

The template users contain only authorizations for the main functions of the scenario. They do not include authorizations for additional functions (see the sections on Additional Functions in each scenario-specific guide), or authorizations for integration purposes with other scenarios/functions (see the section on Scenario Integration in each scenario-specific guide). In both cases, you need to manually add the corresponding authorizations.

The roles assigned to a specified user are also available as composite roles, see the section on Users and Authorizations in the scenario-specific guides.

User Description and Role Descriptions

For all users created in transaction SOLMAN_SETUP, and all roles assigned, documentation is provided through a link in the corresponding user creation step. The user description states which tasks are allowed for this user in the specific application. The role description describes for which functions authorizations are provided.

The roles are listed in the according scenario–specific guides and the system HELP Text ID is mentioned. This HELP Text ID can be checked directly in transaction SE61.

For authorization object descriptions, see the SDN Wiki on the topic or check transaction SUIM for this authorization object.

User Types

You can create users of the following user types:

● Dialog User

This option should only be used for System Preparation, Basic Settings, and Managed System Configuration. In these configuration procedures users must be created as displayed in the screen. Otherwise, a change of user type can lead to errors during configuration. After configuration, the user type for administration users such as SOLMAN_ADMIN, managed system administrator, or BW administrator can be changed to Service User in transaction SU01 to disable active logon.

● System User

This option is always used for technical users, and should not be changed if it is suggested in the guided procedure for this user.

● Reference User

This option allows you to create reference users if required.

Recommendation: We recommend using this option for the creation of template/demo users in the guided procedure.

● Service User

User Creation and Update

Create Users

When you create a user, the system tells you if an according user already exists. Use field Action to create a new user. The system provides you with the default name for this user. You can change this user name. The system then automatically creates the user and assigns the roles which are displayed in the column Copy from SAP Role. Navigation roles and CRM Business Roles are not copied (see section on Navigation Roles). The system then does not provide any suggestion for a role copy.


Update Users

You need to update your users when roles/authorizations need to be updated. In addition, you can choose to update/enhance an existing user with additional role assignments using the update functionality. For instance, you can update/enhance user SOLMAN_ADMIN with configuration roles for scenario-specific guided procedures in SOLMAN_SETUP.

Business Partners

Some scenarios, like CRM-based scenarios or Technical Monitoring, require that the user is assigned a Business Partner (BP). When you create a new user using transaction SOLMAN_SETUP, an additional business partner is created as well. The system does not create a Business Partner when you update existing users.

Roles Assignment and Update

Role Assignment

All roles assigned to automatically created users in transaction SOLMAN_SETUP are fully maintained. This means that for authorization fields which cannot be prefilled by SAP with default values, an asterisk (*) is maintained, which allows full authorization for this field. For instance, the Solution ID field in authorization object D_SOL_VSBL cannot be prefilled by SAP due to its generic nature.

Recommendation: If you would like to use these users in a productive environment, we recommend checking the roles manually and assigning specific values to all fields containing an asterisk.

Update of Role Assignment

When you update a user with new SAP roles, for instance if adapted roles are shipped with a new Support Package, the system indicates which roles need to be updated. Technically, when updating a role, the existing copied role is deleted and a new copy of the SAP role is created by the system. Therefore, if you have manually changed any authorization values for authorization objects in your copied roles, you need to be aware that these changes are overwritten. In addition, if you have manually created a role in the Z namespace, such as ZSAP_SUPPDESK_CREATE, the system will not update the role, as it detects that the copied role had been created manually.

Note: When roles need to be updated, you must at least run transaction SU25 steps 2a) and 2b). Alternatively, follow SAP Note 368496.
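As an added illustration (not SAP code and not part of this guide), the following script audits a SOLMAN_SETUP-generated role copy against its SAP template before a role update: it flags fields that still carry the full-authorization asterisk (*) described under Role Assignment, and lists the manually changed values that the delete-and-recopy update would overwrite. The export format, the field names (such as SOL_ID), and the sample role values are all constructed.

```python
"""Constructed pre-update audit for roles copied by SOLMAN_SETUP.

Added illustration, not SAP code. Two checks before a role update:
1. fields that still carry the full-authorization asterisk (*) in the
   customer copy, which should be narrowed before productive use;
2. values in the customer copy that differ from the SAP template, which
   are lost when SOLMAN_SETUP deletes the copy and recreates it.
Input is a constructed semicolon-separated export with the columns
ROLE;OBJECT;FIELD;LOW;HIGH. Field names used below are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str        # authorization object, e.g. D_SOL_VSBL
    field: str      # authorization field within the object
    low: str        # single value, lower bound of a range, or '*'
    high: str = ""  # upper bound of a range, empty for single values


def parse_export(text: str) -> list[AuthValue]:
    """Parse ROLE;OBJECT;FIELD;LOW[;HIGH] lines; '#' starts a comment."""
    rows = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected ROLE;OBJECT;FIELD;LOW[;HIGH]")
        high = parts[4] if len(parts) > 4 else ""
        rows.append(AuthValue(parts[0], parts[1], parts[2], parts[3], high))
    return rows


def _by_field(rows):
    """Group value sets per (object, field); one field may hold several values."""
    idx: dict[tuple[str, str], set[tuple[str, str]]] = {}
    for r in rows:
        idx.setdefault((r.obj, r.field), set()).add((r.low, r.high))
    return idx


def wildcard_fields(rows):
    """(object, field) pairs where '*' grants full authorization."""
    return sorted({(r.obj, r.field) for r in rows if r.low == "*"})


def manual_changes(template_rows, copy_rows):
    """Fields whose values in the customer copy differ from the SAP template.

    Returns {(object, field): (template values, copy values)}, each a sorted
    list of (low, high) tuples. Everything listed here is overwritten when
    the copy is deleted and recreated from the template.
    """
    t, c = _by_field(template_rows), _by_field(copy_rows)
    diff = {}
    for key in sorted(set(t) | set(c)):
        if t.get(key, set()) != c.get(key, set()):
            diff[key] = (sorted(t.get(key, ())), sorted(c.get(key, ())))
    return diff


def audit(template_text, copy_text):
    """Run both checks and return a plain dict suitable for a report."""
    template, copy = parse_export(template_text), parse_export(copy_text)
    return {
        "wildcards": wildcard_fields(copy),
        "lost_on_update": manual_changes(template, copy),
    }


def render(report):
    """Human-readable lines for the administrator running the role update."""
    lines = []
    for obj, fld in report["wildcards"]:
        lines.append(f"WILDCARD  {obj}/{fld}: '*' still grants full authorization")
    for (obj, fld), (tmpl, copy) in report["lost_on_update"].items():
        lines.append(f"MANUAL    {obj}/{fld}: copy {copy} differs from template "
                     f"{tmpl}; re-apply after the update")
    return lines or ["OK: no wildcards, no manual changes to preserve"]


# Constructed sample: an SAP template role and its customer copy in the Z
# namespace. The Solution ID field was narrowed by hand in the copy; the
# user-group field still carries the shipped asterisk.
SAP_TEMPLATE = """
# ROLE;OBJECT;FIELD;LOW;HIGH
SAP_SUPPDESK_CREATE;D_SOL_VSBL;SOL_ID;*
SAP_SUPPDESK_CREATE;D_SOL_VSBL;ACTVT;03
SAP_SUPPDESK_CREATE;S_USER_GRP;CLASS;*
SAP_SUPPDESK_CREATE;S_USER_GRP;ACTVT;03
"""

CUSTOMER_COPY = """
ZSAP_SUPPDESK_CREATE;D_SOL_VSBL;SOL_ID;1000;1999
ZSAP_SUPPDESK_CREATE;D_SOL_VSBL;ACTVT;03
ZSAP_SUPPDESK_CREATE;S_USER_GRP;CLASS;*
ZSAP_SUPPDESK_CREATE;S_USER_GRP;ACTVT;03
"""

if __name__ == "__main__":
    for line in render(audit(SAP_TEMPLATE, CUSTOMER_COPY)):
        print(line)
```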

Role Upload into Managed Systems

You can upload the authorization roles for the READ user and the TMW user from the SAP Solution Manager system into the managed systems.

Caution: This function is only available for the upload of roles for the above-mentioned users. You should only upload the relevant roles into managed systems that are not productive. We recommend uploading the roles into your development system and transporting them into your productive system. Alternatively, you can download/upload the roles manually.


Expert Mode

The Expert Mode allows you to use the following features in regard to user creation and role creation as well as assignment:

● Define name space for roles

● Define and assign the user to a specified user group

Namespace for Roles

You can set a specified namespace for the roles which the system assigns to a user. The default namespace is *Z*.

Note: All roles assigned to the predefined user SAPSERVICE receive namespace *SD*. This namespace is set because the authorizations for this user are predefined by SAP Support. For more information on this default user SAPSERVICE, see the corresponding section in the scenario-specific guide for SAP Engagement and Service Delivery.

User Group

You can define a user group for the users you create. The user is assigned to this user group.

Recommendation: We recommend grouping users in user groups. You can then easily search for them and restrict access to them using authorization object S_USER_GRP.

BW Scenarios

Depending on your scenario setup for BW, the system detects in which system/client you run BW. It determines in which system the corresponding BW user needs to be created and displays this in the User Interface. In case of a standard BW scenario, all BW roles are added to the user created in the Solution Manager system.

In case of a remote BW, a separate user is created in the BW system/client. The latter setup requires that both users, in the SAP Solution Manager system as well as in the BW system, receive the additional authorization for trusted RFC destinations, authorization object S_RFCACL. The roles for trusted RFC destinations are explicitly explained in the User Interface HELP. Also check the section Users and Authorizations in each scenario-specific guide.

If you run BW in a remote scenario, user names and passwords of the created users in the Solution Manager system and in the BW system must be identical.

8.3 Automatic Managed System Configuration Update using Transaction SOLMAN_SETUP

When your managed systems are updated, the Managed System Setup in transaction SOLMAN_SETUP can be run automatically. This can also require the automatic update of users in your managed system.


In Case of SLD Changes

Use Case

In case of system updates in the System Landscape Directory (SLD), a configuration update job runs in the Solution Manager with a dedicated technical user SM_AMSC.

Technical User SM_AMSC

The update job of the managed system configuration is run by the technical user SM_AMSC in the Solution Manager system. This user is created during Basic Settings Configuration in the Solution Manager system. For more details, see the Landscape Setup Guide section on Technical User SM_AMSC.

In Case of Mass System Updates with Templates

Use Case

Mass Configuration is a feature to run the Managed System Setup in the background with already provided variables. You can use this option to update a number of similar managed systems (technical systems) on the basis of a predefined template. This update runs independent of any System Landscape Directory (SLD) changes. It is triggered in the Solution Manager system, and runs in the managed system with the managed system administration user.

Authorization Objects

SM_SETUP

Access to the mass update in transaction SOLMAN_SETUP is controlled by authorization object SM_SETUP, activity Mass Update (A8). The object is contained in role SAP_SM_BASIC_SETTINGS, assigned by default to user SOLMAN_ADMIN in transaction SOLMAN_SETUP.

SM_MASS_UP

To access and use the Template Management for the Mass System Update, authorization object SM_MASS_UP is required. It is contained in roles SAP_SM_MS_TMPL_UPDATE*, which are assigned as optional roles to user SOLMAN_ADMIN in transaction SOLMAN_SETUP. For more details, see the Landscape Setup Guide section on User SOLMAN_ADMIN.

8.4 Automatic Mass User Creation/Update using “Solution Manager User Administration” (SMUA)

The Solution Manager User Administration (SMUA) allows you to maintain all users (technical users as well as dialog users), which can be created automatically using transaction SOLMAN_SETUP, in one application.

In general, the functionality reflects the same technical aspects as the user creation using transaction SOLMAN_SETUP. SMUA allows you to see all created users in one table: Solution Manager users, managed system users, and BW system users.

For all individual Solution Manager-specific default users, you can:

● display users and their user roles per system landscape relevance (used in the Solution Manager system, used in a managed system, used in the BW system)

● create and update users and their user roles

● create users in mass maintenance


● set passwords (for more information on passwords, see the corresponding section)

● upload user roles for the Read user (Read connection) and the TMW user (TMW connection) into the managed system (for more information, see the corresponding section on these RFC connections).

Tool Access

To access the application, your user needs to have:

● authorizations for the work center Solution Manager Administration assigned (see Scenario-Specific Guide for Solution Manager Administration). In the view navigation in the work center Solution Manager Administration, choose Users. This allows you to access and use SMUA.

● authorization object SM_SMUA assigned. This object is contained in the new single role SAP_SM_SMUA_*. The role SAP_SM_SMUA_* is contained in the composite roles for SAP Solution Manager Administration (see the according scenario-specific guide for reference).

For more information on the features of the application itself, see the Online Help for SAP Solution Manager.

Additional Authorizations

You can use the user creation and update in SMUA only if:

● general user management and role assignment authorizations are granted. These authorizations are contained in role SAP_SM_USER_*.

● RFC connections related to specific technical users can only be displayed if authorization for transaction SM59 is granted. These authorizations are contained in role SAP_SM_RFC_*.

Multiple Storage of Users

The system stores all dialog users created within transaction SOLMAN_SETUP and in SMUA. For technical users, it stores the last user created.

8.5 Passwords for Solution Manager Default Users

You can create a number of SAP Solution Manager default users using transaction SOLMAN_SETUP or the Solution Manager User Administration (SMUA) in the work center SAP Solution Manager Administration.

Set Initial Passwords

When creating these users, the system automatically:

● sets an automatically generated password for all users of type system user.

● requires you to set an initial password for all users of type dialog user, with the exception of the following user:

○ SAPSUPPORT user, because this user is used only for the purpose of support by SAP, and should be usable immediately after generation.

Within SMUA, you can set a password for a number of dialog users in one User Interface. Users of type system user are not displayed in the User Interface. For more information, see Online Documentation for SMUA.


Note: SAP-wide default users such as DDIC, SAP*, and so on, are not considered. For those users, the general SAP policy for passwords is relevant. After configuration, change the password for these users, or deactivate them. For more information, check the SAP NetWeaver Security Guide.

Update Passwords

If you update/change the password of users of type system user which are used in RFC connections (such as READ or TMW users) in user management (transaction SU01), you need to change the password for these users in the RFC destination in the Solution Manager system as well.

8.6 Secure Storage

The secure storage stores encoded data, for instance access data of systems, SLD, SAP Portal connection, and so on. The system uses the installation number of the system and the system ID when creating the key for the secure storage.

Caution: If one or more of these values change, the system can no longer read the data in the secure storage.

More Information

SAP Note 816861 and SAP Note 1027439.

8.7 Integration into Single Sign-On Environments (SSO)

Solution Manager supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. It uses various front ends (SAP GUI, SAP NWBC, and Web browser, in this case an HTML Control). The system opens several sessions on the server, which may require, for example, a second logon: the user uses SAP GUI to log on to a system, the application uses the SAP GUI HTML Control to call another application, and the system then prompts the user to re-enter the logon data.

Caution: If you are using external SSO with SAP Solution Manager, see SAP Note 1153116.

The supported mechanisms are:

● Secure Network Communications (SNC): SNC authenticates users and provides an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

● SAP logon tickets: Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. Users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the user accesses documents via URLs from within the same browser session. The user does not need to enter a user ID or password for authentication; they can access the system directly after the system has checked the logon ticket.

More Information

● on SNC, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Guide.

● on how to use Single Sign-On, see Service Marketplace: service.sap.com/sso-smp.


9 Authorization Concept for SAP Solution Manager

The following sections provide a general overview on which roles are delivered and how the principle of segregation of duty is mapped.

Users and User Composite Roles

Since SAP Solution Manager release 7.1, roles for end users are defined by a user definition according to SAP processes. Based on the user definition, a roles concept is assigned in the form of a composite role. Since one composite role can contain a high number of single roles with differing purposes, the purpose of the roles is explained in more detail: for instance, User Interface roles for the work center and the CRM user interface with their corresponding authorization objects, as well as the integrated use of BW roles with BW-related authorization objects, and so on.

Authorization Dependencies

SAP Solution Manager is based on several SAP components, such as SAP NetWeaver, SAP CRM, and Business Warehouse. For more information, see the master guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides > SAP Components > SAP Solution Manager <current release>. Each of these components has its own configuration options, which must be set correctly to provide an appropriate overall level of security. The tasks include not only configuration during normal operation but also activities to be performed before, during, and after installation (such as providing secure passwords during installation, changing default passwords after installation, or performing customizing activities). Read the appropriate configuration and security guides for each component. Since SAP NetWeaver integrates the ABAP and Java stacks, both stacks need proper configuration.

In addition, several external components at the network level, such as routers and firewalls, influence the overall security of the system landscape.

RFC Authorizations

Apart from user authorizations, an essential part of SAP Solution Manager's functioning is its RFC connections to and from other systems (managed systems). For many scenarios they form the basis for a successful setup. In SAP Solution Manager we have different RFC connections for different purposes. In the following sections, these RFC connections are explained in more detail.

For each RFC connection a technical user is created who receives the corresponding authorizations. In the following, main critical authorizations for these users are explained in more detail.

9.1 User Definitions in SAP Solution Manager

Within the context of business processes users are relevant. These users represent human users within a business scenario, who are mapped in a system such as SAP Solution Manager by a user ID, in transaction SU01 (User Management). Each user in a business scenario has specified tasks to execute. These may vary from company to company. For instance, in a financial environment you find accountants and controllers.


These user definitions do not contain the full range of functions which are possible for one scenario, but rather the core business. For instance, using Implementation and Upgrade requires a specific number of roles to execute the main transactions/applications which are absolutely necessary for the process, such as project administration, business blueprint, document management, and so on. The delivered composite roles do not contain authorizations for BC-set execution, as this is a specific function, which is not considered to be part of the core process by SAP. The roles required for these additional functions are described in a section for Additional Roles for Functions in each scenario-specific guide.

Using SAP Solution Manager, a number of business scenarios exist, see the scenario-specific guides. Therefore, we deliver defined users for explicit tasks. For instance, in Incident Management you always have a number of so-called key users, users in business systems who create messages for errors or insufficient functions within the systems they are working in. In addition, we have a so-called processor who solves the incident messages or sends them to SAP for solving. This business process and the corresponding user definition are clearly defined.

Figure 4: Example: business users in a business process

Due to these user definitions it is possible to deliver corresponding authorization roles, which map the defined tasks. This is done for all scenarios and user definitions within SAP Solution Manager. Therefore, in the scenario-specific guides you find a chapter for user definitions and their corresponding user roles as defined by SAP. The delivered user definitions cannot reflect the business as practiced by individual companies. Therefore, the user definitions as well as the user roles can only be regarded as templates for your own authorization concepts.

9.2 End-User Roles in SAP Solution Manager

As described in the previous chapter, users are defined by a specific set of tasks/processes they have to fulfil in their company.


User Differentiation

Considering SAP Solution Manager as a management platform for other systems (system landscape), and business solutions (application cycle), we differentiate between:

1. users who administer the SAP Solution Manager system itself, and

2. the users who use SAP Solution Manager to manage other systems.

This differentiation of tasks can overlap. For instance the user responsible for the setup, administration, and operation of the SAP Solution Manager system may also be able to administer other systems in the landscape. Another user may only be responsible for the configuration of one of the systems in the landscape:

● Administrator of SAP Solution Manager

The user responsible for the task area of setup, configuration, and operation of the SAP Solution Manager system is called SAP Solution Manager Administrator, with the default user ID SOLMAN_ADMIN. The administrator user is first created during the automated basic settings configuration via transaction SOLMAN_SETUP. We differentiate between roles for this user when setting up the basic system landscape, and roles for scenario-specific setup.

During automated basic setup (in transaction SOLMAN_SETUP or the SAP Solution Manager configuration work center) the Solution Manager administration user is authorized to automatically create users and assign roles. Because assignment is automatic, these roles are delivered with predefined authorization values. All fields which could not be determined by SAP, because they can only be restricted to certain values by the customers, are delivered with value '*' (an asterisk grants full authorization). If you want to restrict authorizations during setup, you need to do this manually. We recommend using the delivered standard SAP roles as displayed in the user interface by the guided procedure in the system.

Recommendation

There are specific administration users for the scenario-specific setup in transaction SOLMAN_SETUP. Roles for scenario-specific configuration in transaction SPRO are not delivered. For these configurations, we recommend creating so-called configuration roles from projects. The procedure is described in the How-To document on how to create configuration users in this guide. Alternatively, you can use SAP profiles SAP_ALL and SAP_NEW.

● Users of SAP Solution Manager

For each scenario, we deliver user definitions and corresponding composite roles with the technical name ending *_COMP, according to the principle of segregation of duty. For each scenario more than one user definition is delivered. There is always a user with full administration authorization and a user with display authorization delivered (see multilevel separation). All delivered composite roles contain an appropriate number of single roles. The single roles represent individual functions in the system (see modular separation) or Software Components (see software component separation), although these two overlap in most cases. A further differentiation relates to the role's usage, as defining the navigation and the related authorizations (see navigation/UI/backend separation). This definition can vary according to your own needs. Therefore, all roles shipped by SAP are only template roles for you to copy and adapt.


Figure 5: Composite User Roles

○ Business Roles = ST related roles for business tasks (scenario-related)

○ Technical Roles = ST related authorization roles for technical frameworks like Extractor Framework, and so on

○ CRM roles = roles related to CRM 7.01

○ Reporting roles = roles related to BW reporting

All roles are delivered in the SAP namespace starting with SAP_*. The technical role name represents the scenario it is used for, the level of authorizations it contains, and the technical information whether it is a composite role or a single role. For instance, the technical role name SAP_SUPPDESK_PROCESS_COMP represents the following information: It is delivered by SAP <SAP>, used for scenario Service Desk <SUPPDESK>, user definition is processor <PROCESS>, and it is the composite role <COMP>.


Figure 6: Example: Incident Management Processor Role

The following sections explain in more detail the multilevel segregation, the module/software component segregation, and navigation/UI/back-end separation for all roles:

Composite Roles

According to the user definitions, composite roles are shipped, which contain all relevant single roles needed to fulfil the required tasks.

Note

The composite roles are not shipped with a menu included. If more than one navigation role is contained in such a composite role, the system cannot handle both navigation structures and can only display the first navigation role in the list.

Multilevel Separation

The principle of segregation of duty requires that each user in a system has exactly the authorizations he/she requires for the tasks they are to execute. In this respect, we deliver corresponding user roles. The definition of the users varies from scenario to scenario; for instance, in technical administration a user may be required who has authorizations for all system administration tasks, with technical name *ADMIN*, in addition to a display user. In Incident Management or Change Request Management, the scenario is defined by a sequential process: a key user creates incidents, a processor processes the incident, and an administrator is allowed to create business partners and perform other configuration tasks. Here, the roles are defined for the user purpose, for instance with the technical role name *PROCESS*. All roles are built on top of each other. This means that the authorizations for a display user are included in the authorizations for an operations user, and in turn the authorizations for the operations user are included in the authorizations for the administration user.


Figure 7: Example: Incident Management Roles

Module Separation

SAP Solution Manager roles are composite roles, which contain a number of single roles, which easily allow a further restriction of authorizations for a user. Each single role defines the authorization for one specific function/module/transaction, for instance technical role name *SOLAR01*. The composite roles then contain all relevant authorizations for one user in a scenario. This may include roles for work center navigation, work center authorization, BW-related authorizations, CRM-related authorizations, function-related authorizations, and so on. The composite roles can therefore be easily extended or reduced with authorizations. The clear demarcation simplifies the role maintenance and prevents the unintentional assignment of authorizations that are not required. However, some authorization objects may appear in more than one single role in different scenarios, see section Integration of Functions/Capabilities. They are then maintained only for the purpose within the scenario. For instance, authorization object S_PROJECTS may occur in roles for Implementation, but also for Quality Gate Management. The authorization fields for this object allow a clear demarcation for the authority check, and are maintained accordingly.


Figure 8: Module Separation of Processor Role of Incident Management

In this case:

● SAP_BI_E2E contains all authorizations for BW activation

● SAP_SUPPDESK_PROCESS contains all authorizations to run the application as a processor in SAP Solution Manager

● SAP_SMWORK_* contain all authorizations to run the work center

● SAP_SM_CRM_UIU_* contain all authorizations to run the application in the new CRM WebClient UI

Software Component Separation

SAP Solution Manager uses in its applications a variety of different Software Components, which also demand a mapping in the authorization concept. Therefore, we differentiate between them by defined single roles; for instance, BW-related roles contain BW-related authorization objects, because they are delivered with Software Component ST_BCO. The following Software Components are used within SAP Solution Manager:

● SAP_BASIS

● CRM

● ST_BCO

As of SP02, authorization roles for BW reporting for SAP Solution Manager are delivered in Software Component ST_BCO (before: BI_CONT).

● ST

● ST-PI


Figure 9: BW Component ST_BCO and SAP Solution Manager Component ST separation

For instance, a clear-cut differentiation between roles for BW is necessary because BW can run in different setups. Depending on whether BW runs within SAP Solution Manager or in a separate system, roles must be assigned to users accordingly. For this to be realized, some roles must be deliverable for SAP BW systems, which can deploy software component ST_BCO. Therefore, roles for BW reporting that must be present in a remote BW system are delivered with ST_BCO. Roles which are relevant for BW reporting in the SAP Solution Manager system, for instance for displaying BW reports, are delivered with software component ST.

These roles can be present in one composite role.


Figure 10: Software Component Separation within Processor Role for Incident Management

In this case, roles:

● SAP_BI_E2E for BW activation is delivered with ST_BCO

● SAP_SM_CRM_UIU_* are relevant for CRM component CRM WebClient UI, delivered with ST

● SAP_SUPPDESK_PROCESS and SAP_SMWORK_* are relevant for the SAP Solution Manager component, delivered with ST

For more information, see sections on Using SAP Solution Manager with CRM and Using SAP Solution Manager with BW in this guide.

Navigation/UI/Backend

Due to the use of different clients and the concept of work centers, we differentiate between navigation roles and back-end roles, which contain authorizations. For more information, see section on Work Center Navigation Role Concept. In this respect, we consider User Interface authorizations separately. For more information, see section Authorization for User Interfaces.


Figure 11: Navigation/UI/Backend Authorization Separation for Processor Role for Incident Management

In this case, roles:

● SAP_BI_E2E, SAP_SUPPDESK_PROCESS contain back-end authorizations

● SAP_SMWORK_INCIDENT_MAN, SAP_SM_CRM_UIU_SOLMANPRO are navigation roles for work center and CRM WebClient UI. These roles contain no authorization objects and are solely defined by their menu.

● SAP_SMWORK_BASIC_INCIDENT, SAP_SM_CRM_UIU_SOLMANPRO_PROC, SAP_SM_CRM_UIU_FRAMEWORK are UI roles and contain authorization objects which define the UI for the work center and the CRM WebClient UI.

9.3 Configuration User Roles for SAP Solution Manager

There are:

● specified roles for the automated basic settings configuration (transaction SOLMAN_SETUP)

● dedicated authorization roles for scenario-specific configuration done in transaction SOLMAN_SETUP

● no dedicated authorization roles for scenario-specific configuration done in transaction SPRO

This section tells you how to create your own roles for the configuration of scenarios.

Note

Configuration of scenario-specific functions can involve configuration of cross-scenario settings. For these functions, additional configuration roles may be needed (if you do not use profiles SAP_ALL and SAP_NEW). They are specified in the IMG activity for cross-scenario functions.


To be able to create authorization roles for scenario-specific configuration, you must first have created an IMG project in transaction SPRO_ADMIN. For more information, see the configuration guide for SAP Solution Manager.

Procedure

Note

This procedure is based on the example customizing project in the How-to document How to Create Customizing Projects and Project IMGs.

1. Create an IMG Project (See section More Information)

Before you can create a role for scenario-specific configuration, you need to create an IMG project. This project is the basis for role configuration as it contains all transactions you run later on.

2. Create a Role in Transaction PFCG

1. Choose transaction PFCG.

2. Enter a role name in your namespace, for instance ZROLE_IMG_MYPROJECT, and choose button Single Role.

3. Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of ST SP15.

4. Save your role.

Note

You are asked for a transport request.

3. Define Configuration Transactions for Your IMG Project

In role creation, transactions form the basis to easily maintain all necessary authorization objects. When you enter a transaction in the menu tab in your role, the system traces all authorization objects required for this transaction.

1. To receive all transactions which are contained in the customizing project, choose in the menu: Utilities > Customizing auth.

2. In the dialog box that appears, choose button Add to attach your customizing project or customizing project view. In our case, we choose the customizing view that was created.

3. In the various dialog boxes, choose your customizing project or customizing project view, in our case myproject.

The system automatically assigns all relevant transactions and authorization objects for your customizing project or customizing project view.

4. Confirm your project assignment.

4. Maintain Authorization Objects

Authorization object defaults delivered by SAP contain minimal authorizations. To grant full authorization for the corresponding authorization objects, you need to maintain these objects.

1. In the Role Maintenance, choose tab Authorizations.

2. Choose button Change.

3. Maintain all activity values per authorization object according to your needs, for instance if you want to grant full authorization, always choose all activities.

Caution

All authorization objects need to receive a green traffic light. Be aware that the authorization trace does not trace values for the critical authorization objects S_RFC and S_TABU_DIS; their values must be maintained manually.

4. Generate the profile.

5. To assign this profile to a user, choose tab User, add your user in the table and execute the user comparison.

6. Save.

Result

You have now created a role for your specific IMG configuration project.

Caution

If a project or a project view was assigned to a role, you cannot manually assign any transactions to this role, and vice versa. You should therefore only use the role to generate and assign Customizing authorizations.

More Information

● For more information on configuration and on how to create an IMG project, see:

○ Document: How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager > Media Library > Technical Papers.

○ Configuration Guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides > SAP Components > Solution Manager <current release>.

9.4 Integration of Functions/Capabilities

The life cycle of a product comprises various phases, such as implementation, operation, upgrade, and so on. Tools can be used to realize a process within these phases. The tools integrate strongly with each other to support seamless document and information flow over the whole life cycle. The work center approach demonstrates this integration. To realize this integrated approach and at the same time allow you the freedom to build and configure according to your company's needs, configuration and SAP template roles are function/capability-related. Configuration and authorizations for integrated functions are based on a modular approach.

The integration of functions and scenarios within SAP Solution Manager is an integral part of its value as an end-to-end business process platform. Due to this heavy integration of functions and scenarios, the corresponding authorizations are affected as well. Therefore, you might find authorizations in roles which belong to a different function than the one you are using, but then with a specific maintenance.

The two following examples demonstrate the integration of authorizations due to the end-to-end integration processes within SAP Solution Manager. You can find more examples within the appropriate section for Scenario Integration in the scenario-specific guides.


Example: Authorization object AI_SA_TAB

Authorization object AI_SA_TAB is used to restrict tabs in transactions SOLAR01 (Business Blueprint), SOLAR02 (Configuration), and SOLMAN_DIRECTORY (Solution Directory). This object is needed for the roles restricting access to the mentioned transactions for scenario Implementation and Upgrade. Still, the authorization object is also included in roles for Issue Management (scenario SAP Engagement and Service Delivery), due to the integration between both scenarios. You can assign issues to a project when using Implementation transactions or using Issue Management. Since the authorization object is primarily used for the implementation transactions, it is specifically maintained in the Issue Management roles.

Figure 12: Authorization object AI_SA_TAB in role SAP_ISSUE_MANAGEMENT_*

The authorization object is maintained only with activity 02 for Change authorization for the Issue tab in transaction SOLAR01 (Business Blueprint).

Caution

If a user simultaneously has the task of using Issue Management with the authorization to assign Issues to Projects, but is restricted to display only for the complete transaction SOLAR01, then the authorization values in role SAP_ISSUE_MANAGEMENT_* for authorization object AI_SA_TAB override the display authorization for this object in the business blueprint role SAP_SOLAR01_DIS.

Example: Authorization object S_PROJ_GEN

Similar to the case described above, authorization object S_PROJ_GEN is maintained in various user roles for different scenarios. This authorization object contains an overall restriction on project maintenance for specific purposes. Here, the authorizations are maintained in a way that they are specifically designed for certain functions within a scenario. The authorization object is primarily used in its main context Project Administration. Still, using Quality Gate Management (QGM), an overall project maintenance must be possible for the users. Therefore, the authorization object is contained in roles for QGM and project management, Change Request Management, and others.

Figure 13: Authorization object S_PROJ_GEN in role SAP_SM_QGM_CHANGE

The authorization values for field Project Management Authorizations restrict project maintenance to a Quality Gate Management user only. Contrary to the case of authorization object AI_SA_TAB described above, the authorization object S_PROJ_GEN can never overlap for two different scenarios, because the functions are explicitly restricted within one field of the object.
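The additive behaviour behind the two examples above (AI_SA_TAB from an Issue Management role adding change access on top of a display-only SOLAR01 role, while S_PROJ_GEN stays separated by its field) can be checked with the following added Python model, which is not code from the SAP guide. The field names TAB_ID and PROJ_AUTH, the role names SAP_ISSUE_MANAGEMENT_ALL and SAP_SOL_PROJ_ADMIN_ALL, and all field values are assumptions constructed for the illustration.

```python
"""Additive authorization checks across PFCG roles.

Added example, not code from the SAP Security Guide. The field names TAB_ID
and PROJ_AUTH stand in for the real fields of AI_SA_TAB and S_PROJ_GEN, and
the role contents are constructed to mirror the guide's two examples.
"""
from fnmatch import fnmatchcase

# role name -> list of authorizations; each authorization is
# (authorization object, {field: [allowed values]}). '*' is the PFCG wildcard.
ROLES = {
    # Business Blueprint display role: activity 03 (display) on every tab.
    "SAP_SOLAR01_DIS": [
        ("AI_SA_TAB", {"TAB_ID": ["*"], "ACTVT": ["03"]}),
    ],
    # One SAP_ISSUE_MANAGEMENT_* role (name assumed): activity 02 (change),
    # but only for the Issue tab of SOLAR01.
    "SAP_ISSUE_MANAGEMENT_ALL": [
        ("AI_SA_TAB", {"TAB_ID": ["ISSUE"], "ACTVT": ["02"]}),
    ],
    # Quality Gate Management change role: S_PROJ_GEN restricted by its
    # "Project Management Authorizations" field (modelled here as PROJ_AUTH).
    "SAP_SM_QGM_CHANGE": [
        ("S_PROJ_GEN", {"PROJ_AUTH": ["QGM"], "ACTVT": ["01", "02", "03"]}),
    ],
    # Project administration role (SAP_SOL_PROJ_ADMIN_*, name assumed).
    "SAP_SOL_PROJ_ADMIN_ALL": [
        ("S_PROJ_GEN", {"PROJ_AUTH": ["PROJ_ADMIN"], "ACTVT": ["01", "02", "03"]}),
    ],
}


def _field_matches(allowed, wanted):
    """A requested value passes if any allowed value (possibly '*') matches it."""
    return any(fnmatchcase(wanted, pattern) for pattern in allowed)


def granting_roles(user_roles, obj, **fields):
    """Return the assigned roles whose authorizations satisfy the check.

    Mirrors AUTHORITY-CHECK: the check succeeds if ONE authorization instance
    in ANY assigned role matches EVERY requested field. Authorizations are
    purely additive; a second role can only add rights, never take them away.
    """
    hits = []
    for role in user_roles:
        for auth_obj, auth_fields in ROLES[role]:
            if auth_obj != obj:
                continue
            if all(_field_matches(auth_fields.get(f, []), v) for f, v in fields.items()):
                hits.append(role)
                break
    return hits


def authority_check(user_roles, obj, **fields):
    """True if the user's roles collectively pass the check."""
    return bool(granting_roles(user_roles, obj, **fields))


def activities_on(user_roles, obj, **fixed):
    """Sorted ACTVT values the user effectively holds for the fixed field values."""
    return sorted(a for a in ("01", "02", "03")
                  if authority_check(user_roles, obj, ACTVT=a, **fixed))


if __name__ == "__main__":
    display_only = ["SAP_SOLAR01_DIS"]
    both = ["SAP_SOLAR01_DIS", "SAP_ISSUE_MANAGEMENT_ALL"]
    print(activities_on(display_only, "AI_SA_TAB", TAB_ID="ISSUE"))   # ['03']
    print(activities_on(both, "AI_SA_TAB", TAB_ID="ISSUE"))           # ['02', '03']
    print(activities_on(both, "AI_SA_TAB", TAB_ID="BLUEPRINT"))       # ['03']
    # Which role added the change access? The Issue Management role.
    print(granting_roles(both, "AI_SA_TAB", TAB_ID="ISSUE", ACTVT="02"))
    # S_PROJ_GEN: the QGM role grants nothing for project administration.
    print(activities_on(["SAP_SM_QGM_CHANGE"], "S_PROJ_GEN", PROJ_AUTH="PROJ_ADMIN"))  # []
```

Running the module shows that the display-only user gains activity 02 on the Issue tab as soon as the Issue Management role is added, while the other tabs stay display-only and the QGM role never reaches project administration.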


9.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions, Directory)

In the context of SAP Solution Manager, we use the term Infrastructure for all entities related to systems, hosts, databases, solutions, and projects. These units form the basis for all scenarios.

Still, whereas systems are needed in all scenarios, solutions and projects are used in specific scenarios. Which of the two units is used depends on the "position" of the scenario in the end-to-end process of your solution's life cycle, that is, whether you are preparing to go live or are already live. If you are preparing to go live with your solution, using Business Blueprint, Test Management, and so on, you primarily use projects as your basis. If you are already live with your solution, you primarily use solutions or only systems, such as in Business Process Operations. Nevertheless, some scenarios can also use both units, depending on the nature of the functions.

Project information can be transferred to solution information and vice versa. This can be done using the Solution Directory. The Solution Directory can be regarded as a repository for your solution information, as it allows for a smooth hand-over of information in your life cycle process.

Given the basic nature of these entities, solution authorizations, project authorizations, and system authorizations are needed in different scenarios. It must be possible to maintain these authorizations in such a way that they only need to be maintained once, even if used for different functions. Therefore, we have extracted these authorizations into specific user roles for infrastructure:

● Systems (SAP_SYSTEM_REPOSITORY_*, SAP_SMSY_*, SAP_SM_DASHBOARDS_DISP_LMDB)

● RFC Maintenance (SAP_SM_RFC_*)

● Solutions (SAP_SM_SOLUTION_*), for solution transfer SAP_SOLUTION_TRANSFER.

● Projects (SAP_SOL_PROJ_ADMIN_*)

● Solution Directory (SAP_SOLMAN_DIRECTORY_*)

● Business Partner Assignment SAP_SM_BP_*

Note

If this role (or the corresponding authorization objects) is not assigned to a user, the user cannot display the Business Partner tab in transaction LMDB, and filtering in the POWL queries SMWORK_TSYS_DIAG_REL and SMWORK_DIAG_ALL is not available.

Within transaction LMDB, you are able to go to the Business Partner detail screen of the CRM WebClient application. To be able to do so, you need to additionally assign the following two roles to your user:

○ SAP_SM_CRM_UIU_SOLMANPRO (do not copy into your name space) for navigation access

○ SAP_SM_CRM_UIU_SOLMANPRO_PROC (do copy into your name space) for authorization access

System Landscape

Table 23

Role | Included Authorization Objects
SAP_SYSTEM_REPOSITORY_DIS | All relevant authorizations for systems (AI_LMDB_*), as well as SM_CMDB_OB and SM_SETUP (manually entered)


SAP_SYSTEM_REPOSITORY_ALL | All authorization objects of SAP_SYSTEM_REPOSITORY_DIS, plus AI_LMDB_AD and S_TCODE (TCD value LMDB)

RFC Maintenance

Table 24

Role | Included Authorization Objects
SAP_SM_RFC_* | S_RFC_ADM, S_ADMI_FCD, S_RFC_TT (manually added); additionally authorization objects S_TCODE and S_SERVICE

Business Partner

Table 25

Role | Included Authorization Objects
SAP_SM_BP_* | All relevant authorizations for business partner and product assignment for POWL queries SMWORK_TSYS_DIAG_REL and SMWORK_DIAG_ALL: B_BUPA_RLT, COM_IL

All additional authorization objects for business partners can be used, but are not mandatory.

Critical Authorization Objects

AI_LMDB_OB

This authorization object allows you to restrict your users' access to systems (display, edit, and so on). It is contained in role SAP_SYSTEM_REPOSITORY_*. If you restrict AI_LMDB_OB, do not grant System Landscape Directory (SLD) authorizations at the same time, because even minimal SLD authorizations include complete read access. For more information, see the SLD security guide.

9.6 Guided Procedure Framework

Guided Procedures can run in any application of SAP Solution Manager. They are based on the Guided Procedures Framework (GP Framework). We differentiate between the GP Framework and the GP Content. The GP Content is provided by the individual application running and using the GP Framework.

Authorization Roles for GP Framework

Composite role SAP_SM_GP_FRAMEWORK_COMP allows you to access the Guided Procedure Framework. The following single roles are necessary for any Guided Procedure to run:


● SAP_SM_GP_PLUGIN (Guided Procedure SAP Note PlugIn)

Caution

The role contains authorization object S_RFC_ADM with value 36 (extended maintenance) for the SAP-OSS RFC destination.

● SAP_SM_GP_EXE (Guided Procedure execution)

● SAP_SYSTEM_REPOSITORY_DIS (System display access)

● SAP_SUPPDESK_CREATE (Incident creation)

Note

If you want to customize your own Guided Procedure, assign SAP_SM_GP_ADMIN. This role contains the critical authorization object S_SYS_RWBO with ACTVT 01, 02, 03, and authorization object S_TRANSPRT with ACTVT 01, 02, 03, 07 for Workbench Requests and Customizing Requests. If you do not want to allow the user to create, change, delete or display transports, you need to deactivate these objects. Additionally, authorization object S_CTS_ADMI with value TABL is included in the role. It should not be assigned in combination with transaction codes SE80 or STMS, as it allows super user authorizations in the ABAP development environment and the transport environment.

In case you need to maintain SAPscript documentation using transaction SE61, you need to assign the following authorization objects to the role:

● S_TCODE with value SE61

● S_DEVELOP with ACTVT 03 (display) for all object types

Authorization Roles for GP Content
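The checks this guide asks for when a role is generated or copied (fields left at '*' during setup, S_RFC and S_TABU_DIS not filled by the authorization trace, and the critical S_RFC_ADM, S_SYS_RWBO, S_TRANSPRT and S_CTS_ADMI values in SAP_SM_GP_ADMIN) can be scripted against an export of the role's authorization data. The following is an added Python example, not an SAP tool or code from this guide; the rows are constructed in the shape of table AGR_1251 (role, object, field, low, high), and the role Z_GP_ADMIN and the field names used in the sample are assumptions.

```python
"""Audit PFCG role authorization data for the risks this guide calls out.

Added example, not part of the SAP Security Guide or of any SAP tool. Each
input row has the shape (role, object, field, low, high), like the columns
AGR_NAME/OBJECT/FIELD/LOW/HIGH of table AGR_1251; the sample rows, the role
name Z_GP_ADMIN and the field names are constructed for illustration.
"""
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "role severity object detail")

# Object/value pairs the guide names as critical (sections 9.3 and 9.6).
# Matching ignores the field name so the check does not depend on it.
CRITICAL_VALUES = {
    ("S_RFC_ADM", "36"): "extended maintenance of RFC destinations",
    ("S_CTS_ADMI", "TABL"): "transport super-user function, never with SE80/STMS",
    ("S_SYS_RWBO", "01"): "create workbench/customizing requests",
    ("S_TRANSPRT", "01"): "create transport requests",
}

# Objects whose values the PFCG authorization trace does not fill (section 9.3).
NOT_TRACED = ("S_RFC", "S_TABU_DIS")


def _covers(low, high, value):
    """PFCG stores a single value as LOW with empty HIGH, a range as LOW..HIGH."""
    return low == value if not high else low <= value <= high


def audit_role_rows(rows):
    """Return a sorted list of Findings for the given AGR_1251-style rows."""
    by_role = defaultdict(list)
    for role, obj, field, low, high in rows:
        by_role[role].append((obj, field, low, high))

    findings = []
    for role, auths in by_role.items():
        present = {obj for obj, _, _, _ in auths}
        for obj, field, low, high in auths:
            # Fields SAP could not pre-determine ship as '*' (full authorization).
            if "*" in (low, high):
                findings.append(Finding(role, "WARN", obj,
                                        f"{field} = '*': restrict manually"))
            for (crit_obj, crit_val), why in CRITICAL_VALUES.items():
                if obj == crit_obj and _covers(low, high, crit_val):
                    findings.append(Finding(role, "HIGH", obj,
                                            f"{field} covers {crit_val}: {why}"))
        # Objects the trace skips: if absent, their values were never maintained.
        for obj in NOT_TRACED:
            if obj not in present:
                findings.append(Finding(role, "WARN", obj,
                                        "not filled by the authorization trace; maintain by hand"))
    return sorted(findings)


# Constructed sample: a role generated from an IMG project (section 9.3) and a
# customer copy of SAP_SM_GP_ADMIN that kept the critical objects (section 9.6).
SAMPLE_ROWS = [
    ("ZROLE_IMG_MYPROJECT", "S_TCODE", "TCD", "SPRO", ""),
    ("ZROLE_IMG_MYPROJECT", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("ZROLE_IMG_MYPROJECT", "S_TABU_DIS", "ACTVT", "02", ""),
    ("ZROLE_IMG_MYPROJECT", "S_PROJ_GEN", "ACTVT", "*", ""),
    ("Z_GP_ADMIN", "S_RFC_ADM", "ACTVT", "36", ""),
    ("Z_GP_ADMIN", "S_CTS_ADMI", "CTS_ADMFCT", "TABL", ""),
    ("Z_GP_ADMIN", "S_SYS_RWBO", "ACTVT", "01", "03"),
    ("Z_GP_ADMIN", "S_RFC", "RFC_NAME", "SYST", ""),
    ("Z_GP_ADMIN", "S_TABU_DIS", "DICBERCLS", "SS", ""),
]

if __name__ == "__main__":
    for f in audit_role_rows(SAMPLE_ROWS):
        print(f"{f.severity:4} {f.role:22} {f.object:12} {f.detail}")
```

On the sample data the generated IMG role is reported for two '*' fields and the missing S_RFC object, and the GP admin copy for its three critical values.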

The authorizations for the GP content are provided by the applications. These are explained in the individual scenario-specific guides:

● Application roles

● Work Center navigation roles

9.7 Work Center Navigation Role Concept

When using SAP Solution Manager you work within the frame of so-called Work Centers. The work centers are ABAP Web Dynpro applications. They provide the user with a user interface that easily allows the user to access all necessary tools for his/her tasks. Therefore, the important factor of a Work Center is the navigation structure it provides.

To be able to access the work centers, you need to be assigned to so-called work center navigation roles. For each work center one navigation role exists.

All composite user roles contain the corresponding navigation role(s) SAP_SMWORK_<WorkCenter> needed for the user to execute tasks. In addition, all relevant authorizations for the work center framework are contained in authorization role SAP_SMWORK_BASIC_<WorkCenter>. Each work center navigation role has a dedicated SAP_SMWORK_BASIC_<WorkCenter> role with the UI authorization for the work centers assigned. For instance, the navigation role for work center Incident Management with the technical role name SAP_SMWORK_INCIDENT_MAN


needs to be assigned together with the authorization role for the work center with the technical role name SAP_SMWORK_BASIC_INCIDENT. The following sections explain technical details for both roles.

Navigation Roles (Technical Role Names: SAP_SMWORK_<WorkCenter>)

General Information

Work center navigation roles (naming convention: SAP_SMWORK_<WorkCenter>) are based on the concept of authorization roles (transaction PFCG). In the description tab, you can find a first introduction and most important information about the navigation role.

Figure 14: Role Description Tab

Folder Hierarchy in the Menu

The defining factor of the navigation roles is the menu. The menu information in the role can be found on the tab Menu in the role. Therefore, you do not need to generate any profiles, but you need to execute a user comparison.


Figure 15: Role Menu Structure

The menu always consists of a two-folder hierarchy. It displays the menu hierarchy/entries in the SAP NetWeaver Business Client (NWBC).

Caution

SAP NWBC 4.0 and higher is not supported.

The first level is the home page or default page Web Dynpro application (WDA) of the work center (for instance Incident Management). The second level consists of several related links, such as Service Marketplace or Help Portal.

Adaptation of Related Links in the Navigation Panel

We recommend using the delivered navigation roles. But you can also define them for your own purposes. This means you can add new folders with applications in the Related Links area in the work center navigation panel. You can also delete defined folders. You cannot change entries in the work center areas Common Tasks or Navigation Panel Views in the role. You can adapt these areas using authorization object SM_WC_VIEW.

Inactive Authorization Objects

In contrast to authorization roles, which contain a number of authorization objects for authorization purposes, work center navigation roles are only relevant for navigation in the work center via menu options. They do not contain active authorization objects, except for authorization object S_TCODE with value SOLMAN_WORKCENTER.



Figure 16: S_TCODE for work center Incident Management

However, in some navigation role menus you find additional transactions. These transactions must be present in the Menu tab, as they define the transaction navigation in the work center user interface. Having transactions in the Menu tab allows the system to automatically trace all authorization objects connected to these transactions; these traced authorization objects are set inactive. Do not activate inactive authorization objects in the navigation roles, as this may override your existing authorization concept: once activated and generated, the traced values would be granted to every user who holds the navigation role, outside the authorization roles in which you actually control them. For instance, the work center Implementation and Upgrade contains transactions, and the corresponding authorization objects are set inactive.

Figure 17: S_TCODE for work center Implementation and Upgrade
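As an added example (not from the guide), the rule above can be checked mechanically against an export of the role authorization data. The script below is written for rows in the shape of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED); it assumes that an inactive authorization is marked with DELETED = 'X', which you should verify against your own extraction, and it uses constructed role names and rows rather than a real export. It flags every SAP_SMWORK_<WorkCenter> navigation role whose active authorizations are anything other than a single S_TCODE = SOLMAN_WORKCENTER, including S_TCODE ranges or wildcards that would grant more than that one transaction, and roles where that entry is missing or inactive.

```python
"""Audit SAP Solution Manager work center navigation roles (SAP_SMWORK_<WorkCenter>).

Rows are in the shape of table AGR_1251: AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED.
ASSUMPTION: an inactive authorization is marked with DELETED = 'X' (check this
against your own extraction).  Role names and rows below are constructed samples.
"""
from collections import defaultdict

INACTIVE_FLAG = "DELETED"            # assumed marker column for inactive authorizations
NAV_PREFIX = "SAP_SMWORK_"
AUTH_PREFIX = "SAP_SMWORK_BASIC"     # authorization roles are not navigation roles
WORKCENTER_TCODE = "SOLMAN_WORKCENTER"


def is_navigation_role(name):
    """SAP_SMWORK_<WorkCenter> but not SAP_SMWORK_BASIC_<WorkCenter>."""
    return name.startswith(NAV_PREFIX) and not name.startswith(AUTH_PREFIX)


def audit_navigation_roles(rows):
    """Return {role: [finding, ...]} for navigation roles that break the rule
    'only S_TCODE = SOLMAN_WORKCENTER may be active'."""
    active = defaultdict(list)
    seen = set()
    for r in rows:
        role = r["AGR_NAME"]
        if not is_navigation_role(role):
            continue
        seen.add(role)
        if r.get(INACTIVE_FLAG) == "X":
            continue                      # inactive entries are expected and allowed
        active[role].append(r)

    findings = {}
    for role in sorted(seen):
        issues = []
        has_wc_tcode = False
        for r in active.get(role, []):
            exact_wc = (r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD"
                        and r["LOW"] == WORKCENTER_TCODE and not r.get("HIGH"))
            if exact_wc:
                has_wc_tcode = True
            else:
                value = r["LOW"] + (f"-{r['HIGH']}" if r.get("HIGH") else "")
                issues.append(f"active {r['OBJECT']} {r['FIELD']}={value}")
        if not has_wc_tcode:
            issues.append(f"missing active S_TCODE TCD={WORKCENTER_TCODE}")
        if issues:
            findings[role] = issues
    return findings


# Constructed sample (not a real export). SOLAR01 and CRM_UI stand for menu
# transactions whose traced objects must stay inactive; S_PROJECT was activated by mistake.
SAMPLE_NAV_ROLE_AUTHS = [
    {"AGR_NAME": "SAP_SMWORK_INCIDENT", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SOLMAN_WORKCENTER", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_SMWORK_INCIDENT", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "CRM_UI", "HIGH": "", "DELETED": "X"},
    {"AGR_NAME": "SAP_SMWORK_IMPLUPG", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SOLMAN_WORKCENTER", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_SMWORK_IMPLUPG", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SOLAR01", "HIGH": "", "DELETED": "X"},
    {"AGR_NAME": "SAP_SMWORK_IMPLUPG", "OBJECT": "S_PROJECT", "FIELD": "ACTVT", "LOW": "02", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_SMWORK_BROKEN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SOLMAN_WORKCENTER", "HIGH": "", "DELETED": "X"},
    {"AGR_NAME": "SAP_SMWORK_BASIC_INCIDENT", "OBJECT": "SM_WC_VIEW", "FIELD": "ACTVT", "LOW": "03", "HIGH": "", "DELETED": ""},
]

if __name__ == "__main__":
    for role, issues in audit_navigation_roles(SAMPLE_NAV_ROLE_AUTHS).items():
        print(role)
        for issue in issues:
            print("  -", issue)
```

Run it against a full AGR_1251 download of all SAP_SMWORK_* roles after every support package or role transport; a clean run prints nothing.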

Clients to Run Work Centers

You can run the work centers in three clients: SAP GUI, Internet browser, and SAP NWBC.

Note: To define how the work centers are called from the SAP GUI (either in the SAP GUI or by opening the browser) for certain users or user groups, see the IMG entries for SAP Solution Manager (Technical Settings, Work Centers).

● SAP GUI: using transaction SOLMAN_WORKCENTER. As of SAP Solution Manager Release 7.1 (SAP_BASIS 7.02), the SAP Easy Access menu can be hidden by setting the flag Hide Menu from SAP Easy Access in the navigation role. In transaction PFCG, choose tab Menu for the role, then choose the button Menu Options. Here, you can set the flag to hide the menu in the SAP Easy Access menu. The roles are delivered with the flag set, so by default the transaction entries do not appear in the SAP Easy Access menu. Nevertheless, you can call the work centers in the SAP GUI by entering transaction SOLMAN_WORKCENTER in the command field. Transaction SOLMAN_WORKCENTER is contained in all work center navigation roles.

Figure 18: Transaction PFCG Default - Hide Menu from SAP Easy Access

● Browser: using either the URL itself or by calling transaction SM_WORKCENTER from the SAP Easy Access menu.

● SAP NWBC 3.0: The SAP NWBC is an additional client you can use. It needs a so-called control sequence in the navigation role (see figure Role Menu Structure). You may therefore encounter a URL entry named NWBC Control Sequence in the role menu. This URL is only relevant for the use of work centers in the SAP NetWeaver Business Client (SAP NWBC).

Note: The folder display in the SAP NWBC differs from the SAP GUI and the Internet browser. The Related Links section can be found underneath the upper menu.


Figure 19: Change Management Work Center in SAP NWBC

Authorization Role for Navigation in the UI (Technical Role Name: SAP_SMWORK_BASIC_<WorkCenter>)

General Information

Each user who works within work centers needs the authorization role SAP_SMWORK_BASIC_<WorkCenter> in addition to the navigation role. With Release 7.1 we deliver a master role SAP_SMWORK_BASIC, which contains the authorization objects that are relevant for all work centers. Authorization object SM_WC_VIEW is maintained individually for each work center ID.


Figure 20: Authorization object SM_WC_VIEW in role SAP_SMWORK_BASIC

The master role does not contain authorization objects that are required only for individual work centers.

These roles are also contained in the composite roles for users, and must be fully maintained, including profile generation and user comparison. Because the role governs all user interface authorizations for the work center navigation, its menu does not need to be displayed to the user. It is therefore hidden in the SAP Easy Access menu; see the previous section on how to hide the Easy Access menu.

User Interface (UI) Authorization Objects for POWL and Navigation Panel

All relevant authorizations that are related to the work center User Interface are contained in role SAP_SMWORK_BASIC_<WorkCenter> . This role needs to be assigned to the user together with the navigation role.

Note: Profile S_SMWC_BA contains the same authorizations. It is delivered for the SAPSUPPORT user for Root Cause Analysis (RCA).

The following authorization objects are relevant:

● Authorization object CA_POWL

Authorizations for Personal Object Work List (POWL)

● Authorization object S_DEVELOP

If you use the function PDF Print, you need authorization object S_DEVELOP (activity ACTVT: 03, object type OBJTYPE: SMIM) to be able to display icons in the document. This authorization must be added manually to the role.

● Authorization object SM_WC_VIEW

You can define the views in a work center navigation panel by adapting the authorization object SM_WC_VIEW in the SAP_SMWORK_BASIC_<WorkCenter> role attached to the work center. For instance, if you only want to see the views for the Maintenance Optimizer in the work center for Change Management, you can do so by selecting the according views.

Note: In addition, for the following work centers you can also hide links, transactions, and buttons in the user interface:

○ Technical Monitoring

○ Technical Administration

○ SAP Solution Manager Administration

○ SAP Solution Manager Configuration

○ Root Cause Analysis

○ Data Volume Management

○ Custom Code Management

This adaptation requires the restriction of two additional authorization objects, which are included in the main authorization roles for the according scenarios. In these roles, the authorization objects are maintained according to the user definition of the composite role. The authorization objects and the according framework are explained in more detail in section Authorizations for User Interfaces.

Object Based Navigation (OBN) Targets for Client SAP NWBC 3.0

The roles SAP_SMWORK_BASIC_<WorkCenter> contain Object Based Navigation (OBN) targets. The OBN targets are defined by BOR object: SolManNavigation.

Figure 21: OBN Targets

Since the system always refers to the first OBN target found in the role assignment of a user, do not enter any OBN targets in the navigation roles for work centers.


Caution: When working with the SAP NWBC, only ONE OBN target entry should be assigned within the roles of a user. Therefore, if your users have two work centers assigned, and thus two SAP_SMWORK_BASIC_<WorkCenter> roles, you need to delete the OBN target entries from at least one of the SAP_SMWORK_BASIC_<WorkCenter> roles. Proceed as follows:

1. Choose transaction PFCG.

2. Choose the SAP_SMWORK_BASIC_<WorkCenter> role for which you want to delete the OBN target navigation.

3. Go to tab Menu.

4. Choose button Other Node Details.

The system displays in a column all links that have an OBN target entry.

5. Delete the OBN target entry.

For further details about OBN navigation in SAP NWBC, see: wiki.wdf.sap.corp/wiki/display/NWBC/Documentation (SAP-internal link).
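The following added example (not from the guide) automates the caution above over two exports: user-to-role assignments in the shape of table AGR_USERS (UNAME, AGR_NAME) and one row per OBN target entry in a role menu. The shape of the OBN export (AGR_NAME, BOR_OBJECT, OBN_TARGET) and the target name DISPLAY are assumptions, as are the user and role names; composite roles are assumed to have been resolved into their single roles beforehand. It reports every user who holds more than one role with OBN targets for BOR object SolManNavigation (the roles you must trim so that exactly one remains), and every navigation role that carries an OBN target although the guide says it must not.

```python
"""Find users whose role assignment carries more than one OBN target entry,
and navigation roles that carry OBN targets at all.

Inputs (constructed samples, not real exports):
  assignments: rows like table AGR_USERS  -> UNAME, AGR_NAME (single roles only)
  obn_entries: one row per OBN target in a role menu -> AGR_NAME, BOR_OBJECT, OBN_TARGET
               (ASSUMPTION: this is how you export 'Other Node Details' from PFCG)
"""
from collections import defaultdict

NAV_PREFIX = "SAP_SMWORK_"
AUTH_PREFIX = "SAP_SMWORK_BASIC"
OBN_BOR_OBJECT = "SolManNavigation"   # BOR object named by the guide


def is_navigation_role(name):
    return name.startswith(NAV_PREFIX) and not name.startswith(AUTH_PREFIX)


def roles_with_obn_targets(obn_entries):
    """{role: sorted OBN targets} for roles carrying SolManNavigation targets."""
    targets = defaultdict(set)
    for e in obn_entries:
        if e["BOR_OBJECT"] == OBN_BOR_OBJECT:
            targets[e["AGR_NAME"]].add(e["OBN_TARGET"])
    return {role: sorted(t) for role, t in targets.items()}


def navigation_roles_with_obn(obn_entries):
    """Navigation roles must not contain OBN targets; list the offenders."""
    return sorted(r for r in roles_with_obn_targets(obn_entries) if is_navigation_role(r))


def find_obn_conflicts(assignments, obn_entries):
    """{user: sorted roles} for users holding more than one role with OBN targets.
    The system picks the first target it finds, so the resulting navigation
    depends on role order and must be made unambiguous by trimming roles."""
    obn_roles = roles_with_obn_targets(obn_entries)
    per_user = defaultdict(set)
    for a in assignments:
        if a["AGR_NAME"] in obn_roles:
            per_user[a["UNAME"]].add(a["AGR_NAME"])
    return {u: sorted(r) for u, r in per_user.items() if len(r) > 1}


# Constructed sample data; target name DISPLAY and the ZOTHEROBJ BOR object are placeholders.
SAMPLE_OBN_ENTRIES = [
    {"AGR_NAME": "SAP_SMWORK_BASIC_INCIDENT", "BOR_OBJECT": "SolManNavigation", "OBN_TARGET": "DISPLAY"},
    {"AGR_NAME": "SAP_SMWORK_BASIC_CHANGE", "BOR_OBJECT": "SolManNavigation", "OBN_TARGET": "DISPLAY"},
    {"AGR_NAME": "SAP_SMWORK_INCIDENT", "BOR_OBJECT": "SolManNavigation", "OBN_TARGET": "DISPLAY"},  # wrong: navigation role
    {"AGR_NAME": "SAP_SMWORK_BASIC_TEST", "BOR_OBJECT": "ZOTHEROBJ", "OBN_TARGET": "DISPLAY"},      # other BOR object, ignored
]
SAMPLE_ASSIGNMENTS = [
    {"UNAME": "ALICE", "AGR_NAME": "SAP_SMWORK_BASIC_INCIDENT"},
    {"UNAME": "ALICE", "AGR_NAME": "SAP_SMWORK_BASIC_CHANGE"},
    {"UNAME": "ALICE", "AGR_NAME": "SAP_SMWORK_INCIDENT"},
    {"UNAME": "ALICE", "AGR_NAME": "SAP_SMWORK_CHANGE"},
    {"UNAME": "BOB", "AGR_NAME": "SAP_SMWORK_BASIC_INCIDENT"},
    {"UNAME": "BOB", "AGR_NAME": "SAP_SMWORK_BASIC_TEST"},
    {"UNAME": "CAROL", "AGR_NAME": "SAP_SMWORK_BASIC_CHANGE"},
]

if __name__ == "__main__":
    print("navigation roles with OBN targets:", navigation_roles_with_obn(SAMPLE_OBN_ENTRIES))
    for user, roles in find_obn_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_OBN_ENTRIES).items():
        print(f"{user}: keep OBN targets in one of {roles}, delete them from the others")
```

Only the OBN rows for SolManNavigation are counted, so OBN targets that other applications keep under their own BOR objects do not produce false positives.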

9.8 Using SAP Solution Manager with Customer Relationship Management (CRM)

In SAP Solution Manager, the concept of authorizations and navigation for this integration is similar to the work center navigation and authorization concept: we deliver one navigation role and several user interface authorization roles.

As of Release 7.1, SAP Solution Manager is based on CRM 7.0 EhP1. CRM 7.01 introduces so-called business roles, which define the navigation of any CRM UI screen in the CRM WebClient UI.

CRM WebClient UI Navigation Role

In SAP Solution Manager, the scenarios Incident Management, Change Request Management, and Issue Management use the CRM WebClient UI. Therefore, additional CRM UI navigation roles are required for any user of these scenarios. All roles that refer to the CRM WebClient UI follow the naming convention SAP_SM_CRM_UIU_*.

As with the work center navigation roles for SAP Solution Manager, the CRM navigation is defined by a specific navigation role, SAP_SM_CRM_UIU_SOLMANPRO, which is included in all relevant composite roles. In SAP Solution Manager only this role is needed for navigation. It does not contain any authorization objects and only needs to be assigned to the user by user comparison.

CRM UI authorization roles contain the authorization object CRM_UIU. This authorization object defines which CRM components can be called by the application.

By default, these roles are specifically maintained, which gives access only to the CRM components needed for the CRM WebClient UI screens of the required scenarios.

● SAP_SM_CRM_UIU_FRAMEWORK: This role contains all UIU_COMP authorizations necessary in all scenarios.

● Additional SAP_SM_CRM_UIU_SOLMANPRO_*: These roles contain specifically maintained UIU_COMP authorizations for one scenario each. The roles are complementary.


Figure 22: SAP_SM_CRM_UIU_* Role for Administrator for Incident Management

The roles for CRM-specific navigation are also contained in the respective composite roles for a scenario.

New Transaction Types

With the introduction of the CRM WebClient UI, we deliver new transaction types for Incident Management, Change Request Management, and Issue Management. The maintenance of most authorization objects of authorization class CRM is affected. If you customize your own transaction types, you need to add them to the according objects.

The standard roles are delivered with the standard transaction types. If you modify the transaction types you use, you need to adapt the according authorization objects in the CRM-related roles. This concerns many authorization objects of class CRM, as well as authorization objects B_USERSTAT and B_USERST_T.

9.9 Using SAP Solution Manager with Business Warehouse (BW)

9.9.1 General Information

Scenario Differentiation

The setup of BW for use with SAP Solution Manager is based on the so-called Extractor Framework (EFWK). The EFWK collects data, for instance from SAP Solution Manager and Introscope Enterprise Manager, for the Business Warehouse by means of various extractors.

Within the automated basic settings configuration of the SAP Solution Manager system landscape, we differentiate between two possible setup scenarios for Business Warehouse (BW) integration. You run either:

Standard Scenario

● BW within the Solution Manager system, in the same client as the Solution Manager application

Remote BW Scenario

● BW within the Solution Manager system, in another client

● BW in another system

Most BW-related authorizations and roles are shipped with software component ST-BCO. The configuration of the BW-related tasks is divided into two parts, in analogy to the setup of the SAP Solution Manager system. There, a basic system configuration is run first, after which all mandatory scenarios must run; this configuration is largely automated. After this basic setup, all required scenarios can be set up. The same principle applies to the BW setup: during the basic configuration of Solution Manager you execute the basic configuration for its integration with BW. This initial configuration is a mandatory prerequisite for the scenario-specific configuration of BW reporting.

The following sections give you an overview of the respective configuration of the BW scenarios with regard to authorizations, users, and RFC connections, as well as the reporting dashboards based on BI data.

BW Setting in Transaction SOLMAN_SETUP

For the system to be able to configure the data extraction correctly, you need to specify the setup scenario. In transaction SOLMAN_SETUP, you specify the system and the client in which your data extraction runs.

9.9.2 BI Reporting Data Extraction

The BI reporting role concept is based on the existing role concept of SAP Solution Manager 7.1. BI reporting is integrated in the SAP Solution Manager work centers for the different applications. At present, we differentiate between three types of use cases in the area of BI-based reporting:

● Reporting data is stored in the SAP Solution Manager system

● Reporting data is stored in the managed systems

● Reporting data is stored in the BW system

Reporting data extracted from the SAP Solution Manager system

The first type is a combination of a Solution Manager system and a BI system. Here, the data for the reporting is stored in SAP Solution Manager. The BI-based reporting delivered with SAP Solution Manager 7.1 contains at present the following applications:

● Incident Management Reporting (work center Incident Management)

● Test Workbench Reporting (work center Test Management)

● Enterprise Support Reporting

Reporting data extracted from a managed system

The second type extracts data from a managed system outside of the SAP Solution Manager system. Managed system reporting applications:

● End-User Experience Monitoring Reporting (work center Technical Monitoring)

● Process Integration Monitoring Reporting (work center Technical Monitoring)

● Connection Monitoring Reporting (work center Technical Monitoring)

● Root Cause Analysis Reporting (work center Root Cause Analysis)

● Alert Management (work center Technical Monitoring)

● EarlyWatch Alert (work center Technical Monitoring)

● Database Performance Reporting (work center Technical Monitoring)

● Business Process Monitoring Reporting (work center Business Process Operations)

● Job Monitoring Reporting (work center Job Management)

● Data Volume Management Reporting (work center Data Volume Management)

Reporting data extracted from the BW system

The third type extracts data from the BW system. BW system reporting applications:

● ES-Reporting

● Monitoring and Alerting

9.9.3 Configuration of BW and Activation of BW Content (Step by Step)

Note: See also SAP Note 1487626.

In this section, the configuration and operation process for BW data extraction and reporting is explained for both main setup scenarios. All users mentioned and their assigned roles are explained in more detail in the chapter on users for BW in the Landscape Setup Guide.

Table 26: BW configuration and operation steps, with the columns Standard Scenario, Remote Scenario, and Additional Remarks

1 Configure BW and Activate Content

To use Business Warehouse (BW), you need to configure it initially. This includes the activation of all technical content and of the source system in the according BW client. The system executes the initial configuration via transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration) in a number of configuration steps.

Standard Scenario: The configuration is done by user SM_BW_ACT, who is authorized to schedule activation job CCMS_BI_SETUP to activate the BW content. The user activating the technical content is also user SM_BW_ACT. Since BW runs in the same client as the productive Solution Manager, the SOLMAN_ADMIN user is used as the BW administration user. Since BW client and Solution Manager client are the same, RFC destination NONE is used to connect them.

Remote Scenario: The configuration is done by a dedicated BW administration user in the BW system, for instance SM_BW_ADMIN, who is authorized to schedule activation job CCMS_BI_SETUP to activate the BW content. The user activating the technical content is also the SM_BW_ADMIN user. The RFC destination used is SAP_BID.

Additional Remarks: All necessary RFC destinations are created and written in table E2E_WA_CONFIG:

● SAP_BID: a write RFC destination BI_CLNT<BWClient> with RFC user SMD_BI_RFC (in case of its use for content activation, a user parameter BATCH_USER_ID requires the administration user)

● SAP_BIEX: a read RFC destination BW_SM_<BI_SID>CLNT<BIClient> with RFC user BW_SM_<SolManSID>

● SAP_BILO: a trusted RFC destination for end users

2 Start Extractors in the Managed System, the SAP Solution Manager System, and the BW System

Standard and Remote Scenario: The job EFWK RESOURCE MANAGER is scheduled by user SOLMAN_ADMIN. SOLMAN_ADMIN has the authorization to allow that another technical user, SM_EFWK, runs the program E2E_EFWK_RESOURCE_MGR, which is called in the step of the job. In the step, the program is started and run by user SM_EFWK. The program starts the framework for the extractors. It starts extractors in the local system (Solution Manager), for instance for CRM-related, TWB-related and ESR-related data, in the managed systems for KPI-related data, and in the BW system for ESR-related data.

Additional Remarks: For each extractor, the user SM_EFWK is assigned separate authorization roles. Table E2E_ACTIVE_WLI contains all extractors that have been started.

3 Run Extractors in the Managed System, the SAP Solution Manager System, and the BW System

Standard Scenario: Extractors in the local system are started by technical user SM_EFWK. Extractors in the managed systems are run by the READ user, as the READ RFC destination is used.

Remote Scenario: Extractors in the local system are started by technical user SM_EFWK. Extractors in the managed systems are run by the READ user, as the READ RFC destination is used. Extractors in the BW system are run by the technical user SM_BW_<SolManSID> via RFC connection SM_BW_<BI_SID>CLNT<BIClient>.

4 Load Data in the BW System

The data extracted from the various systems into SAP Solution Manager is loaded into the BW system.

Standard Scenario: The data in the SAP Solution Manager client are pushed to the BW component in SAP Solution Manager using RFC destination NONE. The same user as for executing the extractor program, SM_EFWK, is used to load data into the BI cubes.

Remote Scenario: The data in the SAP Solution Manager client are pushed from Solution Manager to the BW system using RFC destination BI_CLNT<BI_Client>. User SMD_BI_RFC is used in this RFC.

Additional Remarks: Data extracted in the BW system for ESR are sent to SAP. Data extracted in the BW system for MAI are pushed into MAI in the Solution Manager system.

5 Display BW Content

Standard Scenario: According to the individual scenarios, user roles (composite roles) are provided as templates. These composite roles include BW reporting roles (single roles) for the appropriate user. These reporting roles contain all relevant authorizations for displaying BW content. To fetch the data, the RFC destination NONE is needed for the according dialog user.

Remote Scenario: According to the individual scenarios, user roles (composite roles) are provided as templates. These composite roles include BW reporting roles (single roles) for the appropriate user. These reporting roles contain all relevant authorizations for displaying BW content. BI reporting uses Web Templates. In the BW system a query is executed. To fetch the data, an HTTP call is made and the trusted RFC destination SAP_BILO is used to read data. This requires that the dialog user in the Solution Manager system has a corresponding user in the BW system/client. Both users have trusted authorizations and the same user ID and password.

Additional Remarks: The RFC destination SAP_BILO is also used for the Monitoring and Alerting Infrastructure (in the Alert Inbox, it is possible to display the Metric Monitor application), and for all dashboards that have data in the BW system.

6 Reorganize BW Data (Not RCA) and Validate Configuration

Standard and Remote Scenario: For triggering the reorganization of BW data and the configuration validation, a BW callback RFC destination <SolutionManager-client>CLNT<SolutionManager-ProductiveClient> with technical user BI_CALLBACK is needed in SAP Solution Manager.

Additional Remarks: The same RFC destination is used for enriching LMDB data.

9.9.4 Diagnostics Center

The Diagnostics Center is a tool to check your configuration of BI reporting by executing checks. The checks run under different users, depending on where they execute:

1. A dialog user starts the Diagnostics Center from the SAP Solution Manager Administration work center (Infrastructure, BW Reporting).

2. The checks in the managed systems run with the system user SM_<Client>_READ.

3. The checks in the Solution Manager system run under the logged-on dialog user.

4. The checks for BI run via RFC destination NONE (dialog user). In the remote scenario, they run via RFC destination BI_CLNT<client> (user SMD_BI_RFC).

9.9.5 BI Reporting Authorizations and Roles

Using BW reporting requires that the user has BW authorizations (authorization object class RS) assigned. In general, these authorizations are included in the relevant BW composite roles. As BI reporting is based on the Extractor Framework, the user needs the according BW reporting authorizations as well as extractor authorizations. For more information, see the according scenario-specific guides.


Software Components Containing Authorization Objects

Functionality for SAP Solution Manager is delivered with both software components ST and ST-BCO, and both contain authorization objects.

Authorization Check

The authorization check for BW works as follows: if the system does not have any BW data available, it cannot display them. For instance, in Business Process Operations for Health Check Analysis, you may select a solution for which no BW data are present in the system. In this case, the system does not display any solution data.

Display Authorization for Role SAP_BI_E2E

Role SAP_BI_E2E contains activation authorizations for all BI reporting scenarios as well as batch authorizations. It is not delivered as a display role, as such a use case would be very specific. For instance, if you want to display performance data in the Alerting Framework in the work center SAP Solution Manager Administration, you need to add role SAP_BI_E2E as well.

If you want to restrict the role to display purposes, proceed as follows:

1. Copy role SAP_BI_E2E into your own namespace.

2. Restrict the activity field ACTVT of all authorizations to display (usually 03).

3. Set the authorization objects S_BTCH_* inactive.

4. Generate the profile of the copied role and assign it instead of SAP_BI_E2E.
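As an added example (not part of the guide), the copy, restrict and deactivate steps above can be applied to an export of the role's authorization data before you generate the profile of the copied role. The rows follow table AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED); the sample rows are constructed, not a real extract of SAP_BI_E2E, and DELETED = 'X' is assumed to mark an inactive authorization. The role name Z_BI_E2E_DISP is a placeholder. The derivation collapses several activity values of one authorization into a single 03, leaves authorizations that are already inactive untouched, and provides a check that reports what would still go beyond display if a step were skipped.

```python
"""Derive a display-only copy of role SAP_BI_E2E from its authorization data.

Rows are in the shape of table AGR_1251: AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED.
ASSUMPTION: DELETED = 'X' marks an inactive authorization, as in an AGR_1251 export.
The sample rows are constructed, not a real extract of SAP_BI_E2E.
"""
DISPLAY_ACTVT = "03"
BATCH_PREFIX = "S_BTCH_"


def derive_display_role(rows, source_role, target_role):
    """Copy the source role's rows under a new name, restricting ACTVT to 03 and
    setting every S_BTCH_* authorization inactive."""
    out = []
    actvt_done = set()          # (OBJECT, AUTH) pairs that already received their 03 row
    for r in rows:
        if r["AGR_NAME"] != source_role:
            continue
        n = dict(r, AGR_NAME=target_role)
        if n["OBJECT"].startswith(BATCH_PREFIX):
            n["DELETED"] = "X"  # step 3: batch authorizations inactive
        elif n["FIELD"] == "ACTVT" and n["DELETED"] != "X":
            key = (n["OBJECT"], n["AUTH"])
            if key in actvt_done:
                continue        # several activity values of one authorization collapse into one
            actvt_done.add(key)
            n["LOW"], n["HIGH"] = DISPLAY_ACTVT, ""   # step 2: display only, no ranges or '*'
        out.append(n)
    return out


def non_display_activities(rows):
    """Active ACTVT values other than a plain 03, including '*' and ranges."""
    return [(r["OBJECT"], r["LOW"], r["HIGH"])
            for r in rows
            if r["FIELD"] == "ACTVT" and r["DELETED"] != "X"
            and not (r["LOW"] == DISPLAY_ACTVT and not r["HIGH"])]


def active_batch_objects(rows):
    """S_BTCH_* objects that are still active."""
    return sorted({r["OBJECT"] for r in rows
                   if r["OBJECT"].startswith(BATCH_PREFIX) and r["DELETED"] != "X"})


# Constructed sample; field names follow the respective authorization objects.
SAMPLE_BI_E2E_AUTHS = [
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_COMP",  "AUTH": "T-0001", "FIELD": "ACTVT",      "LOW": "*",  "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_COMP",  "AUTH": "T-0001", "FIELD": "RSINFOAREA", "LOW": "*",  "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_ADMWB", "AUTH": "T-0002", "FIELD": "ACTVT",      "LOW": "01", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_ADMWB", "AUTH": "T-0002", "FIELD": "ACTVT",      "LOW": "03", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_ADMWB", "AUTH": "T-0002", "FIELD": "ACTVT",      "LOW": "16", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_RS_ADMWB", "AUTH": "T-0002", "FIELD": "RSADMWBOBJ", "LOW": "*",  "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_BTCH_JOB", "AUTH": "T-0003", "FIELD": "JOBACTION",  "LOW": "*",  "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_BI_E2E", "OBJECT": "S_BTCH_ADM", "AUTH": "T-0004", "FIELD": "BTCADMIN",   "LOW": "Y",  "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "SAP_OTHER",  "OBJECT": "S_RS_COMP",  "AUTH": "T-0009", "FIELD": "ACTVT",      "LOW": "*",  "HIGH": "", "DELETED": ""},
]

if __name__ == "__main__":
    print("before:", non_display_activities(SAMPLE_BI_E2E_AUTHS), active_batch_objects(SAMPLE_BI_E2E_AUTHS))
    derived = derive_display_role(SAMPLE_BI_E2E_AUTHS, "SAP_BI_E2E", "Z_BI_E2E_DISP")
    print("after: ", non_display_activities(derived), active_batch_objects(derived))
    for r in derived:
        print(r["AGR_NAME"], r["OBJECT"], r["FIELD"], r["LOW"], "inactive" if r["DELETED"] == "X" else "")
```

Run the two check functions again on a fresh AGR_1251 download of the copied role after you have generated its profile; the role is display-only when both return empty lists.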

9.9.6 Using BI Dashboards for BI Reporting

BI reporting is implemented in several work centers of SAP Solution Manager. It has become more and more important to aggregate data across several business areas. Dashboards provide an adequate way of displaying BI data in a compressed form, filtered for different user groups. Therefore, it is necessary to limit access to different information for different users.

BI reporting is implemented for various scenarios, see section BI Reporting Scenarios. BI dashboards are based on the BI reporting function for some of these scenarios.

Dashboard Framework

The dashboard framework integrates dashboards in applications of Solution Manager and allows the use and presentation of data from the Business Warehouse in Solution Manager. It enables the flexible configuration of dashboards by means of business apps.


Dashboard View

Figure 23: Dashboard View

Authorization Concept

BI reporting dashboards are integrated in the Dashboard Framework.

During runtime the system creates a dashboard instance from a dashboard type. A dashboard instance contains one or more app instances and/or dashboard instances. The app instances are derived from app types.

The following areas are restricted:

● Activities for existing dashboards (instances): authorization object SM_DSBINST. The content of dashboards is restricted at the same time; individual app instances are not explicitly restricted.

● Data suppliers are restricted implicitly by the according app type: authorization object SM_APPTYPE.

● Activities for existing app types, including dashboard types: authorization object SM_APPTYPE.

● Extended administrative activities on framework level, such as registration and transport, or creation of new dashboards: authorization object SM_DSBFWK.

In addition, we introduce an attribute authorization group, which differentiates instances and types in authorization groups. This enables the administrator to restrict a set of instances with one authorization. A restriction on an individual instance can be done by assigning one authorization group to it. We deliver the default authorization group Public. The entity can be locked when the authorization group is explicitly changed.

Required Tables

Authorization for the creation and usage of dashboards and apps has to be assigned on the type and instance level. Consider the following table entries:

● The differentiation between dashboard and app can be found in field APP_TYPE of table DSH_APPTYPE.

● For the categorization of types and instances, the tables DSH_APPTYPE and DSH_APP_INSTANCE contain the field AUTH_GROUP. The valid values for AUTH_GROUP are stored in table DSH_AUTHGROUPS.


Authorization Objects

The following authorization objects are used in the delivered roles:

● SM_DSBINST: Solution Manager Dashboard Instance

● SM_APPTYPE: Solution Manager App Type

● SM_DSBFWK: Solution Manager Dashboard Framework

Figure 24: Authorization Objects in Role SAP_SM_DASHBOARD_DISP

The components of the framework, not the apps or the dashboards, perform the checks on these authorizations. Apps and dashboards only publish their authorization groups.

Authorization Roles

According to the overall authorization concept of SAP Solution Manager, three roles are delivered:

● SAP_SM_DASHBOARDS_DISP: You assign this role to a standard dashboard user who does not maintain the existing dashboards. The user is able to display dashboard instances whose authorization group field has the value Public. All embedded app instances and dashboard instances are visible.

All necessary roles for displaying dashboards in scenarios are included in the according composite roles for users. They follow the naming convention SAP_SM_DASHBOARDS_DISP_<scenario> or SAP_SM_DASHBOARDS_DISP_CIO_<scenario>, for instance SAP_SM_DASHBOARDS_DISP_EEM for scenario End User Experience Monitoring in work center Technical Monitoring; see the scenario-specific guides.

● SAP_SM_DASHBOARDS_PROCESS: You assign this role to a dashboard user who maintains the existing dashboard instances. The user can create, copy, and configure app instances within an existing dashboard.

● SAP_SM_DASHBOARDS_ADMIN: You assign this role to a dashboard user who administers the Dashboard Framework. The role contains all necessary authorizations to perform all governance tasks concerning dashboards. In a development environment, this role is assigned to dashboard developers.


Figure 25: Authorization roles for Dashboards

In addition, the following dashboard roles are delivered:

● SAP_SM_DASHBOARDS_DISP_PUB: This role allows you to create your own dashboards. In addition to this role, you always need to assign either SAP_SM_DASHBOARDS_ADMIN or SAP_SM_DASHBOARDS_PROCESS, as well as the scenario-related end-user roles (see the according scenario-specific guides).

● SAP_SM_DASHBOARDS_DISP_CIO_MGT: Role for management reporting on KPIs.

● SAP_SM_DASHBOARDS_DISP_CIO_TOP: The role for technical operations does not contain any authorization values. It can be customized; for information, see the according online documentation.

9.10 Using the Help Center

You have the option to use the Help Center functionality, which resides in SAP Solution Manager as well as in the managed systems.

If you want to maintain or administer the Help Center, you need additional authorizations. The following paragraphs outline which additional user roles and authorizations you need to assign to your users.

Roles and Authorizations

Roles for Using and Administering Help Center in SAP Solution Manager and Managed Systems

Roles for the Help Center in managed systems can also be applied to SAP Solution Manager itself, if you want to maintain the Help Center for SAP Solution Manager.

Table 27: Help Center roles (Name: Remarks)

SAP_BC_WDHC_ADMINISTRATOR: authorization to administer the Help Center

SAP_BC_WDHC_POWERUSER: authorization to use the Help Center

Prerequisite

On configuring and connecting the Help Center of a managed system, see IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_HC_INFO).


9.11 Authorizations for User Interfaces

Since SAP Solution Manager is based on a variety of software components, its user interface technologies are also varied. SAP Solution Manager uses the following technologies, which are integrated with each other:

● ABAP WebDynpro

● BSP based technology (CRM 7.01 WebClient UI)

● ABAP SAPGUI transactions

● Java WebDynpro (Java stack)

All user interfaces can be called via the different clients. The following sections give an overview of the various authorizations that determine the user interfaces.

ABAP WebDynpro Authorizations

ABAP WebDynpro is used for most applications in SAP Solution Manager; in particular, newly developed functions are built in ABAP WebDynpro.

Start Authorization Object: S_SERVICE

Authorization objects for ABAP WebDynpro applications were mainly maintained manually in transaction PFCG, because of earlier restrictions of PFCG for this type of technology.

Since Release 7.1 is based on component SAP_BASIS 7.02, the application itself can be maintained in transaction PFCG.

Figure 26: Enter a service as authorization default in a role in transaction PFCG

The system uses the SU22 authorization default values and adds the authorization objects to the profile automatically with status Standard. Individual application IDs can therefore be added or deleted. This technique is used in SAP Solution Manager only for completely new functions and roles, for instance Notification Administration. All other roles still contain manually maintained authorization objects. Entering applications on the Menu tab of a role in transaction PFCG involves authorization object S_SERVICE: for each application entered on the Menu tab, the system enters the application as a service in this object. The object is therefore always included in the authorization roles for the function as the start authorization; in this respect it corresponds to authorization object S_TCODE for SAPGUI transactions.

Figure 27: Authorization object S_SERVICE

The service appears in the authorization object as an ID (a hash of the service type and name) rather than under its readable application name.

Work Center Navigation View Panel Authorization Object: SM_WC_VIEW

All work center home page applications are ABAP WebDynpro based. Work center views, subviews where required, and the common task level can be restricted by authorization object SM_WC_VIEW. This authorization object is contained in role SAP_SMWORK_BASIC_<WorkCenter>.

You may need to adapt this authorization object, for instance in scenarios in which users select copied transaction types in views or subviews, such as Incident Management or Change Request Management. To adapt it, proceed as follows:

1. Choose transaction SM30.

2. Choose table AGS_WORK_VIEW.

3. Copy the according entry for the transaction type.

4. Adapt the copied entry.

Table AGS_WORK_VIEW is the value help for the authorization object. You can add views and tasks to your work centers and control them with this authorization object. To fill the value help, activate the BAdI implementation in the IMG for SAP Solution Manager (transaction SPRO).

The BAdI implementation fills the value help table for the authorization object. To use the trace, activate the BAdI and open the work center. The system then enters the work center IDs in value help table AGS_WORK_VIEW, and you can adjust the authorization object in the role.

In a nutshell:

1. Activate BAdI: AGS_WORK_AUTH_SM_WC_VIEW in Enhancement EHN_AGS_WORK_AUTH_UI (activate via transaction SOLMAN_SETUP)

2. Activate BAdI: AGS_WORK_AUTH_F4_TRACE in Enhancement EHN_AGS_WORK_AUTH_TRACE (activate via transaction SPRO).

3. Go to transaction PFCG, and call role SAP_SMWORK_BASIC_<work center>.

4. Change the values in the authorization object: add only those views you want the user to see, and leave out those you do not.

5. Generate the profile, and assign the role to the user.

URL Framework: SM_WD_COMP and SM_APP_ID

Specific applications can be restricted by the authorization objects SM_WD_COMP and SM_APP_ID. They are used in the following work centers in SAP Solution Manager:


● Technical Administration

● Technical Monitoring

● SAP Solution Manager Configuration

● Solution Manager Administration

● Root Cause Analysis

Both authorization objects restrict views, subviews, URL links, transactions, or buttons that lead to separate screens. For all template roles delivered by SAP, these objects are already maintained according to the user definition by SAP. The authorization objects are included in the core single authorization roles for the respective application.

For instance, for End-user experience monitoring (EEM), the core single role is SAP_SM_EEM_*.

Figure 28: EEM core single role with UI authorization objects SM_APP_ID and SM_WD_COMP

The role contains all application IDs relevant for the respective EEM user role. It does not contain the application ID for the EEM dashboard application, though. This ID is included in the core dashboard authorization role for EEM: SAP_SM_DASHBOARDS_DISP_EEM.

Figure 29: EEM Dashboard role with UI authorization objects SM_APP_ID and SM_WD_COMP

Both authorization objects SM_WC_VIEW and SM_WD_COMP are used to define the user interface of the above-mentioned work centers.


Figure 30: Integration of authorization objects SM_WC_VIEW and SM_WD_COMP

Caution
The use of user interface authorizations can lead to misleading ST01 traces. If you trace an application because of authorization error messages, the trace analysis displays all authority checks executed by the system, including those on user interface authorizations. Where the user interface has been restricted by the above-mentioned objects, any missing authorizations for them are shown with return code (RC) = 4. If you are not tracing the user interface element, you can ignore these entries.

You can adapt the authorization objects, and therefore the user interface, for all scenarios of these work centers. To do so, use the so-called URL framework, where you find the values for the application you want to restrict. Proceed as follows:

1. Call the URL <server.domain>:<HTTPport>/sap/bc/webdynpro/sap/urlapi_app_manager.

2. Open the links for the work center you want to adapt.

3. Check the application view.

The authorization object is displayed on the same page.


Figure 31: URL Framework

Note
We recommend that you do not change the delivered SAP roles.

BSP CRM WebClient

BSP based technology is used within the CRM WebClient user interface, which is called from the work centers' ABAP WebDynpro applications for Incident Management and Change Request Management. Similar to the work center navigation role concept, a CRM navigation role is delivered together with the authorization roles for the user interface. For more information, see section Using SAP Solution Manager with CRM.

The authorization object for the CRM user interface is UIU_COMP. It restricts access to CRM components and the applications that use them, that is, it controls which components a user can call.

Figure 32: Authorization Object UIU_COMP

We deliver specific roles for this authorization object, which are in turn contained in the respective composite roles. All roles for authorization object UIU_COMP follow the naming convention SAP_SM_CRM_UIU_*. They are layered according to the user definition they are defined for, and they are additive: for instance, the administrator role for Incident Management includes two UIU_COMP roles whose UIU_COMP authorizations add up, whereas the Incident Management role for the processor includes only one UIU_COMP role. We recommend that you do not change the delivered SAP roles.

Caution
An ST01 trace always displays all possible values for this authorization object. Only the objects included in the above-mentioned roles are relevant for SAP Solution Manager applications. For instance, a trace may contain about 500 checks on authorization object UIU_COMP, of which only about 20 are relevant for SAP Solution Manager use.

ABAP SAPGUI Transactions

SAP GUI transactions are still called from within the ABAP WebDynpro work centers. The start authorization for ABAP transactions is checked with authorization object S_TCODE.

9.12 Critical RFC Connections and Authorization Objects

9.12.1 Generated RFC Connection SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED

In a heterogeneous system landscape with SAP Solution Manager as the managing platform, you need RFC connections between SAP Solution Manager and the managed systems.

The most critical RFC connection between SAP Solution Manager and its managed systems is the so-called trusted RFC connection. It allows a seamless integration of the two systems: once the configuration is done, you can log on to one system and work in the other without logging on again. Therefore, this connection is used only in defined cases in which such an integration is absolutely necessary.

For more information about which scenarios require a trusted RFC connection, see the scenario-specific guides.

Note
Using SAProuter between SAP Solution Manager and managed systems may cause problems in some functions, for instance BSP applications. To solve these, see SAP Note 555162.

Trusted RFC connection configuration

The trusted RFC connection is set up in transaction SOLMAN_SETUP (SAP Solution Manager Configuration work center) in view Managed Systems. How to set up this RFC connection is described in the help text for this step in the system.


Figure 33: Transaction SOLMAN_SETUP: Setting up RFC connections

9.12.2 Authorization Objects S_RFCACL and S_RFC_TT for Trusted RFCs

In transaction SM59, the RFC destination with trust relationship has logon setting Current User and Trust Relationship set to Yes.

Figure 34: Trusted RFC Logon Settings

If an authorization error occurs when an RFC destination flagged as Trusted System is used, the following message is sent: No Authorization to logon as Trusted System (Trusted RC = #).

Every authorization error when using an RFC destination flagged as Trusted System is an ABAP runtime error (RABAX). The RABAX contains detailed error information. To analyze the error:


1. Choose transaction ST22 and the selection period.

2. Choose the entry under user SAPSYS and program name CALL_FUNCTION_SYSCALL_ONLY. The section Troubleshooting contains the information necessary to correct the error.

Return Codes

Table 28

Return Code 0
  Explanation: Invalid logon data (user and client) for the trusting system.
  To Do: Create a corresponding user in the client system for the user in the server system (trusting system).

Return Code 1
  Explanation: The calling system is not a trusted system, or the system security ID is invalid.
  To Do: Create the trusted RFC connection again.

Return Code 2
  Explanation: The user has no authorization containing authorization object S_RFCACL, or is logged on as the protected user DDIC or SAP*.
  To Do: Give the user the authorization, or do not use the protected users DDIC or SAP* (see profile parameter and value: login/no_automatic_user_sapstar = 0).

Return Code 3
  Explanation: The timestamp of the logon data is invalid. Check the system time in the client and in the server, and the validity date of the logon data.
  To Do: Synchronize the system times.

Authorization Object S_RFCACL

To use the trusted RFC connection, your user needs authorization object S_RFCACL both in SAP Solution Manager and in the managed system. Because of its highly critical nature, this authorization object is not contained in profile SAP_ALL.

Note
The roles SAP_SM_S_RFCACL and SAP_SM_BW_S_RFCACL for template users created in transaction SOLMAN_SETUP contain authorization object S_RFCACL with a number of authorization fields that allow a trust relationship between SAP Solution Manager and any managed system. In addition, the authorization object is included in role SAP_SM_BASIC_SETTINGS for the automated basic configuration of SAP Solution Manager. If your security rules do not allow the use of this authorization object, remove the role from the user and/or deactivate the authorization object in the role after the basic settings configuration.

Authorization Object S_RFC_TT

Authorization object S_RFC_TT is required only for creating trusted authorizations for managed systems as of SAP_BASIS 7.02 SP03 and higher, see SAP Note 1734607.

More Information

● on authorization object S_RFCACL see: help.sap.com/nw70


● on role SAP_SM_BASIC_SETTINGS, see Landscape Setup Guide

9.12.3 Generated RFC Connections READ, TMW and BACK

Apart from the trusted RFC, the three core RFC connections of SAP Solution Manager are:

● READ RFC

● TMW RFC

● BACK RFC

All three RFC connections are generated automatically in transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration). The system automatically:

1. creates the RFC connection

2. creates the RFC user in the specific system

3. assigns the RFC user to the created RFC connection

4. copies user roles from predefined SAP roles

5. assigns the according user roles to the RFC user

The following section explains the PFCG templates and the creation of the user roles in more detail. Detailed information about the individual RFC connections, the assigned user roles (according to PFCG templates), and the users is given in the Landscape Setup Guide.

RFC connection configuration

Figure 35: Transaction SOLMAN_SETUP: Setting up RFC connections

9.12.4 Authorization Objects S_RFC and S_DEV_REMO

Authorization Object S_RFC

A remote function call (RFC) calls a function module in another system. Due to the nature of SAP Solution Manager, the number of RFC calls to and from other systems is high, and therefore a high number of function modules are affected. Regarding the security of RFC calls, three areas have to be looked at:


● Authentication

Incoming RFC connections must authenticate in the system. For instance, the READ RFC call is an incoming RFC call in the managed system, so a user must exist in the managed system to authenticate the call; a user of type System is used here. From the SAP Solution Manager system's point of view, the READ RFC connection is an outgoing RFC. Outgoing RFC connections are maintained in transaction SM59 in the local system, and the user is maintained in the RFC destination itself. During the managed system setup in SAP Solution Manager, most RFC destinations are created automatically, together with the user in the managed system and the assignment of the according authorizations to this user. The RFC destinations are added automatically to transaction SM59. For their evaluation and monitoring, RFC traces (transaction ST05) and the Security Audit Log can be used.

● System profile parameter

The RFC authorization check is activated or deactivated with system profile parameter auth/rfc_authority_check. This parameter must not be set to the value 0. For more information, see SAP Note 931252.

● Authorization objects

Authorization object S_RFC is used to check whether the calling RFC user is authorized to execute RFC function modules. The authorization object is delivered with dedicated values.

Example
Function group SYST is needed to call SM59. If it is missing, the remote logon in transaction SM59 causes the RFC_NO_AUTHORITY ABAP runtime error in the target system.

For S_RFC value changes for the technical RFC users of the READ and TMW RFC connections, see SAP Note 1572183.

Since SAP_BASIS 7.02, you can maintain the authorization object not only for function groups but also for individual function modules. Within SAP Solution Manager, you may find the authorization object maintained according to this differentiation.

Checks on authorization object S_RFC can be traced with the Security Audit Log (transactions SM19 and SM20). To protect the traces against deletion, maintain field ACTVT with value 36 of authorization object S_RFC_ADM accordingly.

Caution
Currently, the RFC function modules in function group /SSF/INTRFC have no authorization checks of their own.
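The two checks described in this section and in section 9.12.2, modelled as an added example in Python. This is not SAP code: it is a simplified model of the decisions the trusting (called) system makes when SAP Solution Manager calls a managed system over a trusted destination: first the trusted logon, which is what the Trusted RC values of Table 28 report, then the S_RFC check on the called function module, which since SAP_BASIS 7.02 can be satisfied either by the function group (RFC_TYPE FUGR) or by the individual module (RFC_TYPE FUNC). All system IDs, users, authorizations and the module-to-group mapping are constructed sample data; the order in which the return codes are evaluated, the treatment of auth/rfc_authority_check as a plain on/off switch, and the wildcard handling are simplifications of this model.

```python
"""Model of the checks an inbound trusted RFC call passes in the trusting (called)
system: the trusted logon (S_RFCACL, reported as 'Trusted RC'), then the
function-module check (S_RFC). Added example with constructed data, not SAP code."""
from dataclasses import dataclass

# Authorization values as maintained in PFCG: '*' alone or a trailing '*' is a wildcard
# (simplified; ranges are not modelled).
def value_matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def has_auth(auths: list, obj: str, **fields: str) -> bool:
    """True if one authorization instance for obj covers every requested field value."""
    for a in auths:
        if a["object"] == obj and all(
            any(value_matches(p, v) for p in a.get(f, [])) for f, v in fields.items()
        ):
            return True
    return False

PROTECTED_USERS = {"SAP*", "DDIC"}          # never accepted for a trusted logon (RC 2)

@dataclass(frozen=True)
class Caller:
    sysid: str                  # calling (trusted) system
    client: str                 # client the caller is logged on to
    user: str                   # user name in the calling system
    tcode: str                  # transaction the call originates from
    timestamp_ok: bool = True   # logon data still within its validity period

def trusted_logon(trusted_systems: set, users: set, auths_by_user: dict,
                  caller: Caller, target_user: str, target_client: str):
    """Return the 'Trusted RC' of Table 28 for a rejected logon, or None if accepted.
    The evaluation order is an assumption of this model."""
    if caller.sysid not in trusted_systems:
        return 1                                   # not a trusted system / invalid security ID
    if not caller.timestamp_ok:
        return 3                                   # logon data timestamp invalid
    if (target_user, target_client) not in users:
        return 0                                   # no such user/client in the trusting system
    if target_user in PROTECTED_USERS:
        return 2
    same_user = "Y" if target_user == caller.user else "N"
    wanted = dict(RFC_SYSID=caller.sysid, RFC_CLIENT=caller.client, RFC_EQUSER=same_user,
                  RFC_TCODE=caller.tcode, ACTVT="16")
    if same_user == "N":                           # RFC_USER only matters when names differ
        wanted["RFC_USER"] = caller.user
    if not has_auth(auths_by_user.get(target_user, []), "S_RFCACL", **wanted):
        return 2                                   # no suitable S_RFCACL authorization
    return None

def rfc_call_allowed(auths: list, func_module: str, func_group: str,
                     rfc_authority_check: str = "1") -> bool:
    """S_RFC check before a function module is executed via RFC: the authorization may
    name the function group (RFC_TYPE FUGR) or the module itself (RFC_TYPE FUNC)."""
    if rfc_authority_check == "0":                 # check disabled: must not be used
        return True
    return (has_auth(auths, "S_RFC", RFC_TYPE="FUGR", RFC_NAME=func_group, ACTVT="16")
            or has_auth(auths, "S_RFC", RFC_TYPE="FUNC", RFC_NAME=func_module, ACTVT="16"))

# Constructed landscape: Solution Manager SM7 client 001 calls managed system SAT client 100.
TRUSTED_IN_SAT = {"SM7"}
USERS_IN_SAT = {("JDOE", "100"), ("DDIC", "100"), ("SM_READ", "100")}
FUNC_GROUP = {"RFC_SYSTEM_INFO": "SRFC", "RFC_READ_TABLE": "SDTX"}   # sample module -> group
AUTHS_IN_SAT = {
    "JDOE": [  # accepts only the same user name coming from SM7/001, from any transaction
        {"object": "S_RFCACL", "RFC_SYSID": ["SM7"], "RFC_CLIENT": ["001"], "RFC_USER": [" "],
         "RFC_EQUSER": ["Y"], "RFC_TCODE": ["*"], "RFC_INFO": ["*"], "ACTVT": ["16"]},
        {"object": "S_RFC", "RFC_TYPE": ["FUGR"], "RFC_NAME": ["SRFC", "SYST"], "ACTVT": ["16"]},
    ],
    "SM_READ": [  # technical user of a password-based READ destination: module-level S_RFC only
        {"object": "S_RFC", "RFC_TYPE": ["FUNC"], "RFC_NAME": ["RFC_READ_TABLE"], "ACTVT": ["16"]},
    ],
}

def evaluate_call(caller: Caller, target_user: str, func_module: str, trusted: bool = True):
    """Outcome of one call into SAT: ('TRUSTED_RC', n) if the trusted logon is rejected,
    ('RFC_NO_AUTHORITY', None) if S_RFC fails, ('OK', None) otherwise.
    Destinations without trust relationship skip the S_RFCACL step."""
    if trusted:
        rc = trusted_logon(TRUSTED_IN_SAT, USERS_IN_SAT, AUTHS_IN_SAT, caller, target_user, "100")
        if rc is not None:
            return ("TRUSTED_RC", rc)
    ok = rfc_call_allowed(AUTHS_IN_SAT.get(target_user, []), func_module, FUNC_GROUP[func_module])
    return ("OK", None) if ok else ("RFC_NO_AUTHORITY", None)

if __name__ == "__main__":
    jdoe = Caller("SM7", "001", "JDOE", "SM59")
    print(evaluate_call(jdoe, "JDOE", "RFC_SYSTEM_INFO"))      # group SRFC granted
    print(evaluate_call(jdoe, "JDOE", "RFC_READ_TABLE"))       # neither group nor module granted
    print(evaluate_call(jdoe, "DDIC", "RFC_SYSTEM_INFO"))      # protected user
    print(evaluate_call(Caller("SM7", "001", "MSMITH", "SM59"), "JDOE", "RFC_SYSTEM_INFO"))  # RFC_EQUSER=Y
    print(evaluate_call(jdoe, "SM_READ", "RFC_READ_TABLE", trusted=False))
```

The MSMITH case is the one worth noting for a role review: an S_RFCACL authorization with RFC_EQUSER = Y only lets a user into the trusting system under the same user name, so a role that is meant to let the Solution Manager user work as a different named user in the managed system needs RFC_EQUSER = N with an explicit RFC_USER, and a wildcard there is what makes the object as critical as the guide says.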

Authorization Object S_DEV_REMO

In managed systems as of SAP_BASIS 8.03 and higher, function group RFC1 is additionally protected by authorization object S_DEV_REMO. Therefore, all relevant roles for the setup of managed systems using transaction SOLMAN_SETUP include authorization object S_DEV_REMO.

9.12.5 Authorization Objects S_TABU_DIS and S_TABU_CLI

In many scenarios of SAP Solution Manager, the system needs to read table entries. Direct access to tables should be limited wherever possible, because a huge number of changes might be made this way. In some cases, however, users need to look at data directly. To look at data in a table, users most frequently use transaction codes SE16, SE16N, SE17, SM30, SM31, SM34 or "proxy" transactions.

S_TABU_DIS

Authorization object S_TABU_DIS controls table access by authorization group: it determines which tables a user can look at with any of the transaction codes above, during standard table maintenance (transaction SM31), extended table maintenance (transaction SM30) or in the Data Browser (transaction SE16).

You assign a table to an authorization group. Group assignments are defined in table TDDAT (transaction SE54). For SAP Solution Manager, we deliver dedicated authorization groups for specific functions, for instance authorization group SDA for the Solution Documentation Assistant; all relevant delivered tables for the Solution Documentation Assistant are assigned to this group.

The following authorization groups are used in SAP Solution Manager:

Table 29

Authorization Group   Remarks
CRMC                  For all CRM-related customizing views, as CRM-based scenarios can refer to the same tables
AISU                  For all S-user-related tables
BI* (Remodeling, Repartitioning, Warehouse)   For all BI-related tables
CHRM                  For other than CRM-related tables for Change Request Management
SDCO                  For all other than CRM-related tables for Incident Management
LMDB                  For all LMDB- and SMSY-related tables
SMAN                  For Implementation- and Upgrade-related tables
SDA                   For Solution Documentation Assistant-related tables
BPCA                  For Business Process Change Analyzer-related tables
TSTM                  For Test Management-related tables
SISE                  For Solution Manager Basic Configuration (transaction SOLMAN_SETUP)-related tables
DFWK                  For Dashboard Framework-related tables
SMAL                  For Monitoring and Alerting (Technical Monitoring)-related tables
SGEN                  For ES-Reporting- and SUGEN-related tables
BUFU                  For Business Functions-related tables
SARC, BCTA            For Data Volume Management
BCSV                  For CRM: Status Profile Maintenance
DNO                   For CRM: Basis Message
SS                    RS: SAP Control

Note
Authorization object S_TABU_DIS is delivered with the value asterisk (*) in the roles assigned to prominent users in SOLMAN_SETUP, such as SOLMAN_ADMIN and SOLMAN_BTC.

The majority of users in a production environment do not need direct access to tables; they view data through transaction codes. However, a few users might need access. When providing direct access to tables, you should use transaction SM30. Take extra precautions for the selected users who require access to transaction SE16, because it grants powerful access to a variety of data. You can make SE16 safer by creating a custom transaction code that calls SE16 with the one table the user requires: the user does not enter the table name, the custom transaction code takes them into SE16 and directly into that table.

S_TABU_CLI

Authorization object S_TABU_CLI grants authorization to maintain cross-client tables with standard table maintenance (transaction SM31), extended table maintenance (transaction SM30) and the Data Browser (transaction SE16). It acts as an additional security measure for cross-client tables and complements the general table maintenance authorization S_TABU_DIS.

9.12.6 Authorization Object S_TABU_NAM

Caution
If your managed systems are on SAP_BASIS 7.03, 7.3 or higher, you need to add this authorization object to your managed system roles for SAP Solution Manager, because the authorization check on this object is part of the standard shipment. For all lower SAP_BASIS releases, the introduction of this object is optional.

Note
See SAP Note 1481950, SAP Note 1500054 and SAP Note 1434284.

As of release SAP_BASIS 7.0, authorization object S_TABU_NAM for generic table access is delivered as an additional, optional authorization concept.

Prerequisites

The existing SAP table authorization concept is mainly based on the group assignment of tables and authorization object S_TABU_DIS, see section Authorization Objects S_TABU_DIS and S_TABU_CLI. However, authorization object S_TABU_DIS might not always be sufficient.

Run report SUSR_TABLES_WITH_AUTH (see SAP Note 1500054) to analyze the table authorizations of a user or a single role. With this program you can selectively determine, for object S_TABU_DIS or S_TABU_NAM, which tables can be accessed using it. Transaction SU24_S_TABU_NAM reduces the effort required for maintaining authorization default values when you introduce an authorization concept with S_TABU_NAM.

Authorization Object S_TABU_NAM

The authorization object contains the fields:

● ACTVT: display and change access, similar to S_TABU_DIS

● TABLE: table name

With this object, the system checks the view or table names directly, so that an exact authorization check is possible. In function module VIEW_AUTHORITY_CHECK, the system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
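The check order just described, and the objects of section 9.12.5, as an added example in Python (not SAP code): a model of how a table access request is decided, first against the authorization group of the table in S_TABU_DIS and, only if that fails, against the table name in S_TABU_NAM, with S_TABU_CLI as the additional hurdle for changing a cross-client table. It also enumerates the tables a user can reach, which is the question report SUSR_TABLES_WITH_AUTH answers in the system. The table names, their group assignments (a stand-in for TDDAT), the cross-client flags and the authorizations are constructed sample data; tables without a group entry are checked under the group &NC&, as the SAP system does; the wildcard handling is simplified.

```python
"""Model of the table-access decision (order of VIEW_AUTHORITY_CHECK): S_TABU_DIS by
authorization group first, S_TABU_NAM by table name only if that fails, S_TABU_CLI for
changes to cross-client tables. Added example with constructed data, not SAP code."""

def value_matches(pattern: str, value: str) -> bool:
    """PFCG authorization value: '*' alone or a trailing '*' is a wildcard (simplified)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def has_auth(auths: list, obj: str, **fields: str) -> bool:
    """True if one authorization instance for obj covers every requested field value."""
    return any(a["object"] == obj and all(any(value_matches(p, v) for p in a.get(f, []))
                                          for f, v in fields.items()) for a in auths)

# Constructed stand-in for TDDAT (table -> authorization group) and the cross-client flag.
# The table names are invented; the group names are ones listed in Table 29.
TABLE_GROUP = {"ZLMDB_SAMPLE": "LMDB", "ZSDA_SAMPLE": "SDA", "ZSISE_SAMPLE": "SISE"}
CROSS_CLIENT = {"ZSISE_SAMPLE"}
ALL_TABLES = sorted(TABLE_GROUP) + ["ZNOGROUP_SAMPLE"]   # the last one has no TDDAT entry

def table_access_allowed(auths: list, table: str, actvt: str) -> str:
    """Decide an access (actvt '03' display, '02' change) and report which object granted it.
    Returns 'S_TABU_DIS', 'S_TABU_NAM' or '' when the access is denied."""
    group = TABLE_GROUP.get(table, "&NC&")      # ungrouped tables are checked as group &NC&
    if has_auth(auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        granted = "S_TABU_DIS"
    elif has_auth(auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):   # only after S_TABU_DIS failed
        granted = "S_TABU_NAM"
    else:
        return ""
    if actvt == "02" and table in CROSS_CLIENT and not has_auth(auths, "S_TABU_CLI", CLIIDMAINT="X"):
        return ""                                # changing a cross-client table needs S_TABU_CLI too
    return granted

def tables_with_access(auths: list, actvt: str) -> list:
    """What SUSR_TABLES_WITH_AUTH answers: the tables a user can reach with this activity."""
    return [t for t in ALL_TABLES if table_access_allowed(auths, t, actvt)]

# Constructed authorizations for three sample users.
ADMIN = [  # S_TABU_DIS with DICBERCLS '*', as shipped for SOLMAN_ADMIN: reaches every table
    {"object": "S_TABU_DIS", "DICBERCLS": ["*"], "ACTVT": ["02", "03"]},
    {"object": "S_TABU_CLI", "CLIIDMAINT": ["X"]},
]
LMDB_DISPLAY = [  # group-based display only
    {"object": "S_TABU_DIS", "DICBERCLS": ["LMDB"], "ACTVT": ["03"]},
]
NAMED_TABLE = [  # S_TABU_NAM for exactly one table, no group authorization at all
    {"object": "S_TABU_NAM", "TABLE": ["ZSISE_SAMPLE"], "ACTVT": ["02", "03"]},
]

if __name__ == "__main__":
    print(tables_with_access(ADMIN, "03"))          # every table, the ungrouped one included
    print(tables_with_access(LMDB_DISPLAY, "03"))   # only the LMDB table
    print(table_access_allowed(NAMED_TABLE, "ZSISE_SAMPLE", "03"))   # granted by S_TABU_NAM
    print(table_access_allowed(NAMED_TABLE, "ZSISE_SAMPLE", "02"))   # denied: cross-client, no S_TABU_CLI
```

Two points the run makes visible: the asterisk in DICBERCLS of the SOLMAN_ADMIN role covers tables that have no authorization group at all, which is why the guide flags that value, and S_TABU_NAM never widens what S_TABU_DIS already grants, it only adds named tables for users who hold no suitable group, so a role review has to look at both objects together.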

9.12.7 Authorization Object S_DEVELOP

S_DEVELOP is the general authorization object for ABAP Workbench objects. You use it to grant access authorizations for all ABAP Workbench components, which include the following:

● ABAP development tools

● ABAP Dictionary and Data Modeler

● Screen Painter and Menu Painter

● Function Builder

● Repository Browser and Info System

● SAP SmartForm

From a production perspective, be aware of everyone who has authorization object S_DEVELOP assigned. In general, nobody needs S_DEVELOP with more than display access (ACTVT 03) in a production system.

Note
During the SAP Solution Manager basic setup, this authorization object is assigned to user SOLMAN_ADMIN in role SAP_SM_BASIC_SETTINGS for working with transaction SNOTE. After implementing all required SAP Notes in the system, you can set the authorization object to inactive. Documentation is given in the guided procedure for the automated setup.

9.13 How to Build Your Own Authorization Concept

Since there is no general authorization configuration that fits all possible use scenarios, we recommend that you design an authorization concept tailored to your specific use scenario.

How you maintain authorization objects and bundle them depends on your company's security concept; you customize and maintain your roles according to that concept. Each company has different priorities, departments and so on. As each business requires a different authorization concept, the template roles delivered by SAP are only templates. Before you grant authorizations to your end users, you must have a clear concept of who is to receive which authorizations, because you will need to adjust your authorizations over time due to company changes or extended use of Solution Manager functions. Here is what you should consider when designing your authorization concept.

Note
All the authorization mechanisms must be configured (and configured consistently) to provide appropriate security.

Procedure

1. Identify which functions/capabilities of Solution Manager scenarios you use.

2. Create a menu matrix according to these functions/capabilities.

3. Identify your roles.

4. Populate your menu matrix.

5. Create your roles from SAP template roles. Use a unique naming convention.

6. Maintain your roles.

7. Test your roles.


10 Using Central User Administration

10.1 Introduction

You can use Central User Administration (CUA) with SAP Solution Manager to manage all users and roles in one central system. CUA enables central administration of the user data for all connected systems, such as a Solution Manager system or a managed PI system. That means you administer the users of all systems in the CUA, and their authorizations, in the central system. With an active CUA, you can create and delete users only in the central system and not in the connected child systems. You can lock and unlock users, assign roles to users, and so on, from the central system, in accordance with the distribution settings that you have chosen in transaction SCUM.

This documentation on the integration of CUA into the automated basic configuration of SAP Solution Manager does not replace the CUA configuration guide; it supplements it with respect to the use of CUA in combination with the SAP Solution Manager configuration. During the automated basic setup (transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center), numerous technical users and dialog users are created automatically. In former releases you had to create these users manually in SAP Solution Manager and its managed systems as soon as the affected system was connected to a CUA.

As of SAP Solution Manager 7.1 SP01 the automated basic setup is able to communicate with the CUA central system, so that no more manual effort is necessary.

Possible CUA scenarios

Central User Administration can be activated on every SAP NetWeaver system (as a CUA client or central system). Since every SAP NetWeaver system in your landscape can be a candidate for the CUA central system, the following three scenarios exist in the SAP Solution Manager environment:

1. Standalone CUA central system

2. SAP Solution Manager as CUA central system

3. Managed System as CUA central system

Figure 36: Possible CUA scenarios in your landscape


Recommendation
We recommend that you run the CUA central system on a high-availability setup. If you want to install the CUA central system on SAP Solution Manager, consider the required maintenance windows of the system.

Steps for configuring CUA

If CUA is already in place in your system landscape, you can skip the following steps:

1. Decide which system in your landscape is to become the CUA central system.

2. Configure your CUA as described in the SAP help documentation.

To link SAP Solution Manager to CUA, consider these configuration steps:

1. Configure user CUA_<SID> (example: CUA_ADM) on the CUA central system, see section Prerequisites.

2. Verify which RFC scenario you are using for your CUA configuration, see section Configuration.

Note
If this check shows that you are using trusted RFC destinations, you still need to create a system user on the CUA client system.

3. Finally, we recommend that you run report PFCG_TIME_DEPENDENCY, see section Prerequisites.

Example

The subsequent sections explain the configuration based on the following example scenario:

● System SM7 (SAP Solution Manager with Solution Manager client and local BI client)

● System SAT (managed system with one productive client, which is connected to SAP Solution Manager)

● CUA system ADM (Central User Administration central system)

Figure 37: Example


10.2 Prerequisites

CUA should be configured as described in the SAP help documentation, see section Additional Links.

SLD Configuration

Ensure that software component LMTOOLS 702 SP6 Patch Level 6 is applied on your SAP Solution Manager Java stack. This ensures that the local SLD configuration can be performed when SAP Solution Manager is connected to a CUA.

Note
If the SLD is in a CUA environment, you have to manually append the parameter &CUA=true to the URL called by SLD Local Configuration and Central SLD Configuration in transaction SOLMAN_SETUP, System Preparation for SLD.

You need to apply SAP Note 1572856 and SAP Note 1577918 in your SAP Solution Manager system beforehand.

RFC Destinations, Users and Authorizations

As a prerequisite, you define logical systems for all affected systems. The RFC destinations carry the same names as the logical systems and must exist in each direction:

● from the CUA central system to the CUA client system (for example: SM7CLNT300, SM7CLNT100, SATCLNT100)

● from the CUA client system to the CUA central system (for example: ADMCLNT200)

In the CUA central system, the user CUA_<SID> (for example: CUA_ADM) is assigned the following ABAP single roles:

Roles for user CUA_<SID>

Table 30

Technical Role Name | Remarks

SAP_BC_USR_CUA_CENTRAL | Authorization for the CUA central system user to maintain user master data and distribute changes to the CUA client systems.

SAP_BC_USR_CUA_CENTRAL_BDIST | All users in the central system require this role if CUA field attributes are set to redistribution.

SAP_BC_USR_CUA_CLIENT | This role contains authorizations for user administration in the child systems. To call the CUA central system and initiate user creation in transaction SOLMAN_SETUP, the CUA central system user requires this permission. For more information, see the notes below.

This user is entered in all RFC destinations pointing to the CUA central system (for example: ADMCLNT200).

Note: Role SAP_BC_USR_CUA_CLIENT contains extensive authorizations for user administration in the child systems. If you do not allow this ABAP role on the CUA central system, use the following alternative: copy ABAP role SAP_BC_USR_CUA_CENTRAL_EXTERN into your namespace according to SAP Note 492589, section 2, and maintain the following minimum authorizations:


Minimum Authorizations

Table 31

Authorization Object | Field | Value | Remarks

S_USER_GRP | ACTVT | 01, 03 | no remarks

S_USER_GRP | CLASS | full authorization |

S_USER_AGR | ACTVT | 02 (22) | If you set the customizing switch ASSIGN_ROLE_AUTH to the value ASSIGN in your CUA central system according to SAP Note 312682, set field ACTVT to value 22, otherwise to value 02.

S_USER_AGR | ACT_GROUP | full authorization |

S_USER_PRO | ACTVT | 22 | no remarks

S_USER_PRO | PROFILE | full authorization |

S_USER_SYS | ACTVT | 78 | no remarks

S_USER_SYS | SUBSYSTEM | * |

Note: If you activated the authorization check on object S_USER_SAS according to SAP Note 536101 (customizing switch CHECK_S_USER_SAS), assign the following authorization to the ABAP role: S_USER_SAS with activity ACTVT 01, 06, 22. In field SUBSYSTEM, enter the logical systems that you would like to connect to your SAP Solution Manager. Consider that you might need to change this authorization later as soon as you need to connect a new system.
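As an added example that is not part of the SAP guide, the following Python script expresses Table 31 and the S_USER_SAS note as data, including the two customizing switches that change the expected values (ASSIGN_ROLE_AUTH turning S_USER_AGR ACTVT from 02 into 22, and CHECK_S_USER_SAS adding object S_USER_SAS). It then compares the authorization values found in a copied role against that minimum and reports both what is missing and what exceeds it. Representing "full authorization" by the value "*", the function names minimum_auths and compare_role, and the SAMPLE_ROLE contents are assumptions of this example; real role data would come from the authorization data of the role in transaction PFCG.

```python
# Added example, not part of the SAP guide: Table 31 and the note on
# S_USER_SAS expressed as data, so that the authorizations of a copied
# SAP_BC_USR_CUA_CENTRAL_EXTERN role can be compared against the minimum.
# "full authorization" is represented here by the value "*" (an
# assumption of this example). The sample role content is constructed.

FULL = "*"


def minimum_auths(assign_role_auth: str = "", check_s_user_sas: bool = False,
                  subsystems=()) -> dict:
    """Return the minimum authorizations as {(object, field): set(values)}.

    assign_role_auth: value of customizing switch ASSIGN_ROLE_AUTH in the
        CUA central system; "ASSIGN" changes S_USER_AGR ACTVT from 02 to 22.
    check_s_user_sas: True if switch CHECK_S_USER_SAS is active, which adds
        object S_USER_SAS with the logical systems to be connected.
    """
    expected = {
        ("S_USER_GRP", "ACTVT"): {"01", "03"},
        ("S_USER_GRP", "CLASS"): {FULL},
        ("S_USER_AGR", "ACTVT"): {"22"} if assign_role_auth == "ASSIGN" else {"02"},
        ("S_USER_AGR", "ACT_GROUP"): {FULL},
        ("S_USER_PRO", "ACTVT"): {"22"},
        ("S_USER_PRO", "PROFILE"): {FULL},
        ("S_USER_SYS", "ACTVT"): {"78"},
        ("S_USER_SYS", "SUBSYSTEM"): {FULL},
    }
    if check_s_user_sas:
        expected[("S_USER_SAS", "ACTVT")] = {"01", "06", "22"}
        expected[("S_USER_SAS", "SUBSYSTEM")] = set(subsystems)
    return expected


def compare_role(role_auths: dict, expected: dict):
    """Return (missing, excess) as lists of (object, field, value).

    missing: values the minimum requires but the role lacks.
    excess:  values the role carries beyond the minimum, including a "*"
             where the minimum only needs specific activities (least privilege).
    """
    missing, excess = [], []
    for key, wanted in expected.items():
        have = role_auths.get(key, set())
        if wanted == {FULL}:
            # full authorization is required here; anything less is a gap
            if FULL not in have:
                missing.append((*key, FULL))
            continue
        if FULL in have:
            # specific values would do, but the role grants everything
            excess.append((*key, FULL))
            continue
        missing.extend((*key, v) for v in sorted(wanted - have))
        excess.extend((*key, v) for v in sorted(have - wanted))
    return missing, excess


# Constructed role content: exactly the Table 31 minimum with ACTVT 02.
SAMPLE_ROLE = {
    ("S_USER_GRP", "ACTVT"): {"01", "03"},
    ("S_USER_GRP", "CLASS"): {FULL},
    ("S_USER_AGR", "ACTVT"): {"02"},
    ("S_USER_AGR", "ACT_GROUP"): {FULL},
    ("S_USER_PRO", "ACTVT"): {"22"},
    ("S_USER_PRO", "PROFILE"): {FULL},
    ("S_USER_SYS", "ACTVT"): {"78"},
    ("S_USER_SYS", "SUBSYSTEM"): {FULL},
}

if __name__ == "__main__":
    # Same role, but the central system runs with ASSIGN_ROLE_AUTH = ASSIGN:
    # ACTVT 22 is now missing and 02 is no longer needed.
    print(compare_role(SAMPLE_ROLE, minimum_auths(assign_role_auth="ASSIGN")))
```

The point of reporting excess as well as missing values is the one the guide makes by offering this alternative at all: the copied role should carry no more than the table lists, so a "*" in ACTVT, or a leftover 02 after the switch is set to ASSIGN, is a finding in its own right.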

User Master Data Reconciliation

If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. We recommend that you schedule the background job PFCG_TIME_DEPENDENCY in such cases.

Caution: Do not enter generated profiles directly into the user master record in transaction SU01. During a user comparison, the system removes generated profiles from the user masters if they do not belong to the roles that are assigned to the user.

Proceed as follows:

1. Start transaction PFUD.

For the system to consider all roles, do not specify any roles and leave the fields empty.

2. Choose action Schedule or check job for the full comparison.

Here, you can start the report PFCG_TIME_DEPENDENCY by specifying the time when the job is to start. The overview displays the status of background jobs that have already been scheduled.


If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business as a total comparison and it runs error-free, the authorization profiles in the user master are up-to-date every morning.
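As an added example that is not part of the SAP guide, the following Python script models what the full comparison has to reconcile: which generated profiles belong in a user master on a given date, given time-limited role assignments, and which profiles have to be added or removed. It also reproduces the situation the caution above describes: a generated profile typed into SU01 by hand, with no role behind it, is removed by the comparison. The role and profile names, the validity dates and the function names (profiles_due, user_comparison, demo) are constructed for this example.

```python
# Added example, not part of the SAP guide: what a full user comparison
# (transaction PFUD / report PFCG_TIME_DEPENDENCY) has to reconcile when
# role assignments are time-limited. Role and profile names are
# constructed; real generated profile names are system-specific.
from datetime import date


def profiles_due(assignments, on: date) -> set:
    """Profiles that belong in the user master on the given date.

    assignments: iterable of (role, profile, valid_from, valid_to), with
    both boundary dates inclusive, as in the PFCG validity period.
    """
    return {profile for _role, profile, start, end in assignments
            if start <= on <= end}


def user_comparison(current_profiles: set, assignments, on: date):
    """Return (to_add, to_remove) as sorted lists.

    to_remove also catches a generated profile that was entered directly
    in SU01 without a matching role assignment: the comparison drops it,
    which is exactly the behaviour the guide's caution warns about.
    """
    due = profiles_due(assignments, on)
    return sorted(due - current_profiles), sorted(current_profiles - due)


# Constructed sample: one permanent role and one project role valid only
# in January 2015; T-MANUAL was typed into SU01 by hand.
ASSIGNMENTS = [
    ("Z_BASE_USER", "T-ZB000001", date(2014, 1, 1), date(9999, 12, 31)),
    ("Z_PROJECT_TEMP", "T-ZP000001", date(2015, 1, 1), date(2015, 1, 31)),
]
CURRENT_PROFILES = {"T-ZB000001", "T-ZP000001", "T-MANUAL"}


def demo() -> dict:
    """Run the comparison before, at the start of, during and after the
    project role's validity period."""
    return {
        "before": user_comparison({"T-ZB000001"}, ASSIGNMENTS, date(2014, 12, 31)),
        "start": user_comparison({"T-ZB000001"}, ASSIGNMENTS, date(2015, 1, 1)),
        "during": user_comparison(CURRENT_PROFILES, ASSIGNMENTS, date(2015, 1, 10)),
        "after": user_comparison(CURRENT_PROFILES, ASSIGNMENTS, date(2015, 2, 1)),
    }


if __name__ == "__main__":
    for phase, (to_add, to_remove) in demo().items():
        print(f"{phase:>7}: add {to_add} remove {to_remove}")
```

The "start" and "after" rows are why the guide asks for a comparison at both ends of the validity period: without the run on 1 January the project profile never reaches the user master, and without the run on 1 February the user keeps the profile after the role has expired.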

10.3 Configuration Scenarios

You can configure the CUA in one of two ways:

● RFC destination with a defined system user

● Trusted RFC destination

RFC destination with a defined system user

This CUA variant requires RFC destinations to the CUA client systems with defined system users named CUA_<SID>_<Client>. This user requires the role SAP_BC_USR_CUA_CLIENT, which contains extended authorizations for user administration in the child systems. This variant is only useful for background processing.

The following graphic shows the example scenario with the corresponding users and RFC destinations, using the default naming convention:

Figure 38: Example

Trusted RFC destination

CUA configuration using trusted RFC destinations to the CUA client systems needs a user in the CUA client with role SAP_BC_USR_CUA_CLIENT and the additional authorization object S_RFCACL (for the trust relationship). According to the SAP Solution Manager configuration, the user administrator is the CUA central system user CUA_<SID> (for example: CUA_ADM).

To complete the CUA configuration for the SAP Solution Manager integration, this user must exist on the CUA client systems with the role SAP_BC_USR_CUA_CLIENT.

Note: For trusted systems, the authorization object S_RFCACL is checked and therefore required in the child systems. This ensures that only particular applications (such as transaction SU01) can access the child system by RFC.


You cannot use trusted systems with the current user settings for data distribution from the child to the central system (redistribution with distribution parameters), as users could change their own user data with transaction SU3 and distribute it to the central system by redistribution. This would mean that all users require change authorization for user administration in the central system and could also change the data of all other users.

The following graphic shows an example scenario with the corresponding users and RFC destinations, using the default naming convention:

Figure 39: Example

10.4 Configuration Integration in Transaction SOLMAN_SETUP

Whenever a user (in our example: on the managed system) is created or changed by the automated basic setup from SAP Solution Manager, the user master data is changed as follows:

1. On SAP Solution Manager, an administrative user (for example: user SOLMAN_ADMIN) creates or changes a user. For this purpose, the corresponding administrative user on the target system (for example: user SOLMAN_ADMIN) is called.


Figure 40: Example

2. The administrative user on the target system (for example: user SOLMAN_ADMIN) automatically calls the RFC destination to the CUA central system (for example: ADMCLNT200) with the CUA central system user CUA_<SID> (for example: CUA_ADM).

3. The CUA central system user CUA_<SID> (for example: CUA_ADM) now changes the user master records on the central system.

4. Finally, the CUA central system user CUA_<SID> (for example: CUA_ADM) distributes the changes to the CUA client system using the RFC destination <SID>_CLNT_<Client>.

The user master data changes on the client system are executed either by the user defined in the RFC destination (for example: CUA_SAT_100) or by the CUA central system user (for example: CUA_ADM).

Figure 41: Example


11 Additional Security Issues

This section covers a range of additional security-related issues.

SAPUI5 Security

SAPUI5 offers an enhanced user experience. Standard SAPUI5 applications use OData/Gateway services for data provision.

Profile Parameter rfc/reject_callback

Within a synchronous ABAP-to-ABAP RFC connection, the preconfigured internal RFC destination 'BACK' can be used to call back into the caller's system and execute an arbitrary RFC-enabled function module. The callback is executed in the caller's context: the RFC authorization check is performed for the caller, and if the caller's authorization for object S_RFC permits execution of the function module, the function module is executed. The callback uses the already existing RFC connection. Deactivating RFC callbacks prevents communication through the internal RFC connection BACK.

The callback function poses a security risk, for instance if managed systems are owned by customers in a Service Provider scenario.

For more information, see SAP Notes 1992755 and 1515925.

Using Web Browsers as Clients

Active X

The execution of active code in web browsers (for example: ActiveX, Java, JavaScript, VBScript) can pose a security problem. Active code is therefore only used on pages where it is absolutely necessary. You can disable ActiveX without impacting the functionality of the corresponding applications.

Using Firefox Browser

If you use Firefox Browser, make sure that the following security settings in the browser apply. If they don’t apply, you might encounter issues with JNET graphs, for instance in Change Request Management:

● Enable Java Plugin (by default it is disabled)

● Open the Java Control Panel, switch to the Security tab, and set the security level to Medium.

● Allow cookies

Securing Third–Party Applications

Where the use or configuration of third-party products is necessary, refer to the product's documentation for the appropriate instructions.

Displaying Internal System Information

Internal system information can be available to SAP Solution Manager users in many work centers concerning system landscape, administration, or monitoring, as well as in Service Desk messages, and so on. Exposing the IP address and host name that are necessary for SAP GUI logon can be avoided if only HTTP access through a reverse proxy or SAP Web Dispatcher is used.


Error messages can also contain specific data such as the user name, S-user, installation number, or missing authorizations. This kind of information is typical for an administration tool such as SAP Solution Manager.

Session Keeping for Work Centers

Work Center Framework Time Out

Session keeping is active for all work centers by default. The default session keeping can be deactivated by setting a specific parameter. For more information, see the Implementation Reference Guide (IMG) for SAP Solution Manager under SAP Solution Manager -> Technical Settings -> Work Center.

Figure 42: IMG: Work Center Time Out Activation

Individual Application Time Out

Some applications offer an auto-refresh option.

The following section lists the applications that do not time out because they implement an auto-refresh. If the auto-refresh is set to the value Never, these applications time out. If a value such as 5 minutes, 10 minutes, and so on is set, the applications do not time out.

Work center Technical Monitoring

● Alert Inbox


Figure 43: Auto-Refresh Configuration

● System Monitoring

● Connection Monitoring

● PI Monitoring (Overview and Message Monitor)

Figure 44: Auto Refresh Configuration

● BI Monitoring

● End-User Enterprise Monitoring

Work center Technical Administration

● IT Calendar

Figure 45: Auto Refresh Configuration

● Work Mode Management


● MDM Administration


12 Data Storage

All data is stored in the database.

More Information

Data storage in the database in general is described in the SAP NetWeaver Installation Guides.


13 Landscape Setup, Configuration, and Root Cause Analysis Guide

13.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 32

Support Package Stacks (Version) | Description

SP05

General

● During Basic Settings configuration and Managed System Setup, you have the option to create Configuration Users for the scenario-relevant guided procedures in transaction SOLMAN_SETUP, for instance Incident Management, Change Request Management, Business Process Operations, Business Process Change Analyzer, Data Volume Management, and Technical Monitoring. For more information, see the scenario-specific guides in section Prerequisites -> Scenario Configuration.

● Support for NGAP-based systems, see section on NGAP-based systems

● Access authorization for transaction SOLMAN_SETUP extended to optional display activity for authorization object SM_SETUP.

Infrastructure Roles

● All roles for infrastructure are required for users created during system setup and scenario setup in transaction SOLMAN_SETUP. They are therefore delivered with complete authorizations, see the description tab in the specific roles.

● extended role SAP_SOL_PROJ_ADMIN_ALL, see description tab in the role

● extended role SAP_SYSTEM_REPOSITORY_*, see description tab in the role

SM_BW_ADMIN User

Changes are documented on the DESCRIPTION tab in the role

● roles SAP_SM_BW_ADMIN and SAP_BI_E2E extended

● new role SAP_SM_BW_USER_ADMIN for user administration in BW

SAPSUPPORT User

Changes are documented on the DESCRIPTION tab in the role

● extended role SAP_DBA_DIS

● extended role SAP_RCA_DISP

● added role SAP_CV_DIS for Configuration Validation

● new role for Exception Management SAP_EM_DISPLAY

SM_EFWK User


New user for executing report E2E_EFWK_RESOURCE_MGR, see section on SM_EFWK User. Consequently, user roles for users SMD_RFC and SMD_BI_RFC changed as well, depending on which BW scenario is in place; see the Core Guide on the concept of BW integration.

SOLMAN_ADMIN User

Changes are documented on the DESCRIPTION tab in the role

● extended role SAP_SM_BASIC_SETTINGS

● extended role SAP_SM_USER_ADMIN

SOLMAN_BTC User

Changes are documented on the DESCRIPTION tab in the role

● extended role SAP_SM_BATCH

SMDAGENT_<SID> User

Changes are documented on the DESCRIPTION tab in the role

● extended role SAP_IS MONITOR

SP06

SOLMAN_ADMIN User

Role SAP_SM_CONF_SEC with specific authorization object S_DEVELOP deleted from role assignment. The authorization object is included in role SAP_SM_BASIC_SETTINGS (see description tab of the role)

SM_BW_<SID> User

New user for collecting extractor data for ESR and MAI in a remote BW system, see section on Technical User SM_BW_<SID>. See also the Core Guide on the concept of BW integration.

SP07

SM_EFWK User

● Role SAP_SM_DVM_EXTRACTOR added

SM_BW_<SID> User

● Role SAP_SM_BW_ESR_EXTRACTOR added

Role Adaptions

For detailed information, see the description tab of the specified role

● SAP_SM_EXTERN_WS

● SAP_RCA_AGT_ADM_VIA_SLD to perform protected "Agent Candidate Management" operations

SP08

New SAPSERVICE User

A new user SAPSERVICE is introduced for SAP Service Delivery. See section on SAPSERVICE User.

Roles Update for Set Users

As these roles are adapted, you need to update the corresponding users in transaction SOLMAN_SETUP. Check the Update Flag in the step for the user. For more information on which authorization objects and authorization fields have been adapted, see the Description tab in the specified roles. (See also SAP Note 1560717)

● SAP_SM_BATCH (User SOLMAN_BTC)

● SAP_SM_BASIC_SETTINGS (User SOLMAN_ADMIN)


● SAP_SM_EXTERN_WS (User SM_EXTERN_WS)

● SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)

● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN, depending on BW landscape)

● SAP_SM_BI_ESR_EXTRACTOR (User SM_BW_<SID>)

● SAP_SM_BW_USER_ADMIN (user SM_BW_ADMIN) in case of a remote BW

● READ RFC and READ-RFC User

● See SAP Note 1572183

SP10

User Creation Steps in SOLMAN_SETUP

● Steps for user creation are optional for template users and configuration users, but not for default users. For more information, see section on Solution Manager Configuration Work Center.

Roles Update

As these roles are adapted, you need to update the corresponding users in transaction SOLMAN_SETUP. Check the Update Flag in the step for the user. For more information on which authorization objects and authorization fields have been adapted, see the Description tab in the specified roles. (See also SAP Note 1560717)

● extended SAP_SM_BI_EXTRACTOR

● adapted navigation role SAP_SMWORK_DIAG due to User Interface changes

● adapted role SAP_BI_E2E

● adapted role SAP_BI_CALLBACK

New Mass User Creation for SAP Solution Manager Users

You can create all users for SAP Solution Manager using the tool Solution Manager User Administration. See section on Solution Manager User Administration (SMUA) in the chapter on User Authentication and Administration.

New Concept for READ RFC User and TMW RFC User

● The PFCG template concept has been removed in favor of a role concept for the READ user and the TMW user. New authorization roles are introduced:

○ SAP_SOLMAN_READ*

○ SAP_SOLMAN_TMW

○ SAP_SOLMAN_BACK

● New roles are shipped in Software Component ST. They can be distributed into the managed system clients (see transaction SOLMAN_SETUP)

● Authorizations for authorization object S_RFC in the READ user roles have been redesigned.

Configuration Service Delivery Enablement

● Due to Service Delivery Enablement, a READ RFC into the 000 client of the managed system is required. If Service Delivery Enablement is chosen in transaction SOLMAN_SETUP, the RFC user in the 000 client of the managed system receives the additional role SAP_SM_BATCH_SD to allow scheduling of background job SAP_COLLECTOR_FOR_PERFMONITOR. For more information, see section on Technical Users READ and TMW.


SOLMAN_BTC User

● Adapted role SAP_SM_BATCH

SOLMAN_ADMIN User

● Added role SAP_SM_DASHBOARDS_DISP_LMDB to display the LMDB Dashboard.

● Adapted role SAP_SM_BASIC_SETTINGS

● Adapted role SAP_SM_USER_ADMIN

● Adapted role SAP_SMWORK_CONFIG due to User Interface changes

● Adapted role SAP_SMWORK_BASIC_CONFIG

● Added role SAP_RCA_ADMIN_CONFIG to allow the configuration of SAP Solution Manager as a managed system

● Removed authorizations for BW-content activation due to new user SM_BW_ACT for BW-content activation

● Removed role SAP_SM_CONF_SEC as the corresponding authorizations are included in role SAP_SM_BASIC_SETTINGS

SM_EXTERN_WS User

● SAP_SM_EXTERN_WS (User SM_EXTERN_WS)

SMD_BI_RFC User

● SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)

● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN, depending on BW landscape)

SM_EFWK User

● extended SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)

● extended SAP_SM_BI_ESR_EXTRACTOR

● adapted SAP_SM_TWB_EXTRACTOR

● Added new roles SAP_SM_BATCH_RELE and SAP_SM_MAI_EXTRACTOR

● Added new role SAP_SMPI_AUTH_EXTRACTOR containing /SDF/* authorizations delivered with Software Component ST-PI, see also SAP Note 1899598

SM_BW_ADMIN User

● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN, depending on BW landscape)

SM_ADMIN_<SolManID> User

● Extended section in regard to which users are created by user SM_ADMIN_<SolManID>, depending on whether the managed system is of type double stack, ABAP single stack, or Java single stack

● Adapted role SAP_RCA_CONF_ADMIN

SMD_ADMIN User (rename: SMD_AGT)

● Renamed user SMD_ADMIN to SMD_AGT

● Substituted Java security role SAP_J2EE_ADMIN with SAP_RCA_AGT_CONN

SAPSUPPORT User


● Adapted role SAP_DBA_DISP

● Adapted role SAP_RCA_DISP

● Adapted role SAP_EM_DISPLAY

New User for BW-activation: SM_BW_ACT

For more information, see section on User SM_BW_ACT

SM_COLL_<SolManID> User

For detailed information, see the corresponding section for this user.

● UME security role SAP_BPM_Solution Manager is required for new BPM extractors.

● New J2EE user roles for function Integration Visibility.

SMD_RFC User

● Adapted role SAP_SOLMANDIAG_E2E

SM_ADMIN_<SolManSID> user for Java Administration

● Added additional section for the required Administration User in a Java stack for a managed system.

New Mass Update Configuration for Managed Systems

You can update the configuration for your managed systems using the function Mass Update in the managed system setup procedure. See section on Mass Update Configuration in chapter SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP.

SP11

SMDAGENT_<SID> User

Changes are documented on the DESCRIPTION tab in the role

● extended role SAP_IS MONITOR

SM_EFWK User

Changes are documented on the DESCRIPTION tab in the role

● enhanced role SAP_SM_MAI_EXTRACTOR

SOLMAN_ADMIN User

Changes are documented on the DESCRIPTION tab in the role

● enhanced role SAP_SM_BASIC_SETTINGS

SP12

SM_EFWK User

Changes are documented on the DESCRIPTION tab in the role

● enhanced role SAP_SM_ICI_EXTRACTOR

SOLMAN_BTC User

Changes are documented on the DESCRIPTION tab in the role

● Adapted role SAP_SM_BATCH

SOLMAN_ADMIN User

Changes are documented on the DESCRIPTION tab in the role


● Adapted role SAP_SM_BASIC_SETTINGS

● Assigned role SAP_SM_S_RFCACL for use of trusted RFC

● Assigned role for Roles Comparison Tool, see the corresponding subsection

New SM_AMSC User

● For the new automatic managed system update, user SM_AMSC is automatically created. See section on this user

SP13

SOLMAN_ADMIN User

Changes are documented on the DESCRIPTION tab in the role

● Adapted role SAP_SM_BASIC_SETTINGS

SOLMAN_BTC User

Changes are documented on the DESCRIPTION tab in the role

● Adapted role SAP_SM_BATCH

SAPSERVICE User

Changes are documented on the DESCRIPTION tab in the role

● Added new role SAP_SM_ST14

● To allow for the integration of ITPPM projects:

○ SAP_SM_DASHBOARDS_DISP_VBD

○ SAP_BPR_PPM

○ SAP_CPR_PROJECT_ADMINISTRATOR

○ SAP_CPR_USER

○ SAP_XRPM_ADMINISTRATOR

13.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. You need to set up SAP Solution Manager first and make your system landscape known to it. This is done during SAP Solution Manager setup. Subsequently, you set up the specific scenarios you want to use. For more information, see the scenario-specific security guides, which cover all relevant information per scenario.

Caution: Before you start using this system landscape setup guide, you must read the core information about security issues in SAP Solution Manager. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

Setting up the system landscape includes configuring the basic SAP Solution Manager scenarios, that is, enabling Solution Manager to run Maintenance Optimizer, Root Cause Analysis, Services, and simple Incident Management. This requires the setup of Solution Manager itself, the connection to its managed systems, the integration of BW functionality, and basic CRM functionality. It requires the setup of dedicated users for the setup and the assignment of specific authorizations in roles. To be able to run the setup, you must know how all of these components are realized in your landscape. That is, you should know how you set up the SLD (remote or local), how you set up BW (standard or remote), and so on.

Therefore, this guide covers the following topics:

Technical System Landscape

Due to the complexity of the setup of SAP Solution Manager, we give you an overview of the aspects of the technical system landscape for SAP Solution Manager that are relevant to security, such as the setup of managed systems and their RFC connections, the integration of BW depending on your system landscape, and the technical overview of the new system landscape repository and its integration with SLD and transaction SMSY. Knowing these aspects helps you set up SAP Solution Manager successfully.

Communication Channels and Destinations

Here, you find an overview of all channels and destinations created during the automated basic setup. Note that in the process of setting up individual scenarios, you may need to create other RFC connections or communication channels. Each scenario-specific guide lists all RFCs needed for the scenario. For instance, even though you can set up all RFC connections to the managed system during basic setup, you might not need all of them when you run just one scenario.

Users and Authorizations

Users and authorizations are divided into a number of sections, grouped into the following categories:

● Users Created During Installation

● SAP Solution Manager specific

● Managed system specific

● BW specific

● LMDB and SLD specific

● S-users

In each category, you find one section specifically for one user. The users can be of type dialog, like user SOLMAN_ADMIN, or of type system (technical user), such as SOLMAN_BTC. The role assignment for all of these users is documented in the system in the guided procedure in transaction SOLMAN_SETUP. Here, you find the according Help ID texts, which you can call separately in the system and also adapt to your own needs.

A number of users that are relevant in any other system as well, such as user DDIC or the J2EE administration users, are not explicitly explained in this guide. For more information, refer to the security-relevant sections of the SAP NetWeaver guides. Where necessary, these users are mentioned in relation to the setup of SAP Solution Manager.

Users and authorizations for systems other than Solution Manager or its managed systems, such as Wily Introscope, are mentioned but not explained in detail. For more information, refer to the corresponding guides.

13.3 Technical System Landscape

The following sections give you an overview of the technical system landscape after the system landscape setup and for Root Cause Analysis, focusing on the following aspects:


● connection between SAP Solution Manager and its managed systems after the setup

● BW-related infrastructure according to all possible options after the setup

● LMDB/SLD infrastructure after the setup

SAP Solution Manager and Managed Systems

The following graphic displays the technical setup after you have executed the basic configuration of SAP Solution Manager and attached the managed systems to it. The attachment of managed systems includes the RFC generation as well as the integration for Root Cause Analysis.

Figure 46: Technical Infrastructure after the automated basic settings configuration (transaction SOLMAN_SETUP)

The overall system landscape includes your SAP Solution Manager double stack system, your managed systems, and SAP. SAP Solution Manager has several connections to SAP, and to your managed systems. When setting up your system landscape, you set up all relevant connections for your scenario. All required connections need technical users, which require specific authorizations.

To run Root Cause Analysis, you need to implement additional components in SAP Solution Manager (for instance Introscope Enterprise Manager) as well as in the managed systems (for instance the Diagnostics Agent).

BW System/Client

The following graphic displays the integration of SAP Solution Manager with BW after the setup of SAP Solution Manager is done. During the setup, you have to choose whether you run the standard scenario for BW, or the remote scenario. Options 2 and 3 display the remote scenario setup.


Figure 47: BI-setup after the automated basic settings configuration (transaction SOLMAN_SETUP)

As outlined in the core Security Guide, we differentiate between three possible options for using BW with SAP Solution Manager. Depending on which option you choose, the BW setup differs in which connections and technical users are required.

● Option 1: Standard Scenario

● Option 2: Remote BW, where the system is SAP Solution Manager, but not the productive client

● Option 3: Remote BW, where the system is a dedicated BW system

You find more information on which connections are used and which technical users are required for the BW setup in the individual scenario-specific guides.

System Landscape Repository

The following graphic gives you an overview of the technical landscape setup, focusing on the new system repository, the Landscape Management Database (LMDB). The LMDB is tightly integrated with the System Landscape Directory (SLD) and transaction SMSY. As of Release 7.1, all three components are tightly integrated. You find more information about this integration in the Online Documentation for LMDB.


Figure 48: SLD/LMDB landscape configuration after the automated basic settings configuration (transaction SOLMAN_SETUP)

Root Cause Analysis

The following graphic gives you an overview of the technical landscape setup focusing on the scenario Root Cause Analysis.

Figure 49: RCA system landscape


13.4 Communication Channels and Destinations

The tables below show the communication channels and destinations created during system landscape setup (transaction SOLMAN_SETUP).

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channels

Table 33

Communication Channel | Protocol | Type of Data Transferred / Function

Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services

Solution Manager to managed systems and back | RFC | Reading information from managed systems

Solution Manager to remote BW system | RFC | Reading information from remote BW system

Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Third Party | SOAP over HTTP(S) | Third Party Data

Communication RFC Destinations

SAP Solution Manager to OSS

For your RFC connections to SAP, the system enters an S-user into each RFC destination. This S-user information must be provided before the system creates the RFC connection. You are therefore asked to enter the S-user for your RFC communication, and in addition the S-user for the SAP back end to be used, for instance the one entered in table AISUSER. For more information on S-users, their passwords, and authorizations, see the according sections in this guide.

The system then creates the according RFC connections as copies of the SAPOSS RFC destination.

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems). Unless specified otherwise, passwords are customer-specific.


Table 34

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User

SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific

SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system>

SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific

SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system>

RFC Connection from Managed System to SAP Solution Manager

Table 35

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User

SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID>

Internet Graphics Server (IGS) RFC Connection

Table 36

RFC Destination Name | Activation Type

ITS_RFC_DEST | Registered Server program (program: IGS.<SID>)

RFC Connection for BW integration

Table 37

RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark

SAP_BILO | remote BW system (source: SAP Solution Manager) | RFC trusted | Dialog user | Used to read data from remote BW for BI reporting, created during SOLMAN_SETUP

BI_CLNT<BWclient> | remote BW system (source: SAP Solution Manager) | RFC trusted | Dialog User | NONE, if BW reporting is realized in a BW standard scenario; for content activation

<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient> | Solution Manager productive client | | Dialog User | BI-Callback RFC for reorganization of data and configuration validation

BI_CALLBACK (customer specific) | Solution Manager productive client | | | in transaction SOLMAN_SETUP

SLD-LMDB Destinations

Table 38

RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark

SLD_UC (Unicode), analogous to SLD_NUC (Non-Unicode) | System Landscape Directory (SLD) | RFC destination (type T; Registered Server program: SLD_UC), Java Connector (JCo) | Gateway | Used by the SLD data supplier (ABAP) configured in transaction RZ70 of the managed system

Connection for SLD data supplier (Java stack) | System Landscape Directory (SLD) (source: managed system Java stack) | Java HTTP(s) port (for instance 5xx00) or web dispatcher | SLDDSUSER | Used by the SLD data supplier (Java) configured in the Visual Administrator or NetWeaver Administrator of the managed system

LMDB_SyncDest<n> | System Landscape Directory (SLD) (source: SAP Solution Manager) | RFC destination (type G; Java HTTP[s] port, e.g. 5xx00, or web dispatcher) | User with read permission (for instance: SLD_CS_USER) | Used for content synchronization; created in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center

Connections relevant for Root Cause Analysis (also relevant for SLD-LMDB data flow)

Table 39

RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark

WEBADMIN | SAP Solution Manager (ABAP Stack) (source: SAP Solution Manager (Java Stack)) | Java Connector (JCo) | SMD_(BI)_RFC | WEBADMIN is an internal connection in SAP Solution Manager used for the communication between ABAP and Java.

WEBADMIN | SAP Solution Manager (Java Stack) (source: SAP Solution Manager (ABAP Stack)) | RFC destination (type T; Registered Server program: WEBADMIN) | Gateway |

Connection for Diagnostics Agent to SAP Solution Manager | SAP Solution Manager (source: Diagnostics Agent (on Managed System)) | P4 port / Message Server port | SMD_AGT / Password authentication | Used for outside discovery; created in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center

13.5 Required TCP/IP Ports

The following ports have to be opened in your firewall prior to installation. The connections listed in the section Ports for Communication to SAP Solution Manager below allow, for example, Root Cause Analysis users to connect to the Java managed system to access the so-called Expert Tools (System Information page, and so on). This access is normally performed using the credentials of the read-only user SAPSUPPORT. Generally speaking, the tables below also show that the non-RFC connections (HTTP, P4, and other TCP/IP) are established by the Diagnostics Agent, running on the (productive) managed system host, to connect either locally to the managed system itself, or to the Solution Manager system and the Introscope Enterprise Manager server. Note that this chapter does not address the classical RFC connectivity, which is set up between the Solution Manager system and the ABAP managed systems.

Note: Only if you have a business requirement to register the Diagnostics Agents in a central SLD do you need to pay attention to the following. For further details, see SAP Note 1365123.

Ports for Communication to SAP Solution Manager


Table 40

From Host/Source Host | To Host/Destination Host | Service on Destination Host (Protocol) | Format (example)

SAP Support | All Solution Manager Instances | J2EE engine (HTTP) | 5<instance no.>00 (50100)

SAP Support | All Solution Manager Instances | ITS (HTTP) | 80<instance no.> (8000)

SAP Support | All Solution Manager Instances | Introscope Manager (HTTP) | Default: 8081

Diagnostics Server | All Solution Manager Instances | IGS (HTTP) | 4<instance no.>80 (40180)

Diagnostics Agent (managed system host) | All Solution Manager Instances | J2EE engine (P4) | 5<instance no.>04 (50104)

Diagnostics Agent (managed system host) | Solution Manager Java Message Server | Message Server (HTTP) | 81<instance no.> (8101)

Diagnostics Agent (managed system host) | Relevant Introscope Enterprise Manager Host | Introscope Enterprise Manager (TCP/IP) | Default: 6001

Consider the following lines when operating an SAP Solution Manager system 7.1 SP03 or higher that is set up with a Web Dispatcher, especially when having multiple dual-stack instances.

Table 41

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

All Solution Manager Instances | Web Dispatcher | Web Service (HTTP) | (80)

Diagnostics Agent (managed system host) | Web Dispatcher | Web Service (HTTP) | (80)

Web Dispatcher (forwarded HTTP requests) | All Solution Manager Instances | Web Service via ICM (HTTP) | 80<instance no.> (8000)

Consider the following line when operating a Solution Manager system 7.1 SP03 or higher that has one single dual-stack instance and is set up without a Web Dispatcher.

Table 42

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

Diagnostics Agent (managed system host) | Solution Manager Single Instance | Web Service via ICM (HTTP) | 80<instance no.> (8000)

Consider the following line when operating a Solution Manager system prior to 7.1 SP03.


Table 43

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

Diagnostics Agent (managed system host) | All Solution Manager Instances | Web Service via ABAP Message Server (HTTP) | 81<instance no.> (8100)

Additional communications performed LOCALLY on the Solution Manager host (in general requiring no special security settings)

Consider also the following line when operating an SAP Solution Manager system 7.1 SP03 or higher that has one single dual-stack instance and is set up without a Web Dispatcher.

Table 44

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

Solution Manager Single Instance (ABAP stack) | Solution Manager Single Instance (Java stack and ABAP stack) | Web Service via ICM (HTTP) | 80<instance no.> (8000)

Consider also the following lines when operating an SAP Solution Manager system prior to 7.1 SP03.

Table 45

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

Solution Manager Instance(s) (ABAP stack(s)) | All Solution Manager Instances (Java stack and ABAP stack) | Web Service via Message Server (HTTP) | 81<instance no.> (8100)

Ports for Communication with Managed Systems

Table 46

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

SAP Support | All managed systems | J2EE engine (HTTP) | 5<instance no.>00 (50200)

SAP Support | All managed systems | ITS (HTTP) | 80<instance no.> (8000)

Additional communications are performed LOCALLY on managed system hosts (in general requiring no special security settings)

Table 47

From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)

Diagnostics Agent (managed system host) | Associated managed systems | J2EE engine (P4) | 5<instance no.>04 (50204)

Diagnostics Agent (managed system host) | Associated managed systems | Java Message Server (internal port) | 36<instance no.> (3601) or 39<instance no.> (3901)

Diagnostics Agent (managed system host) | Associated SAP Host Agent (applies when using SAP Solution Manager 7.0 EhP1 SP20 and higher, and Diagnostics Agents 7.11 and higher) | SAP Host Agent Web Service (HTTP) | 1128 (standard)
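The port formats in Tables 40 to 47 follow a fixed scheme over the two-digit instance number. The following Python snippet is an added example, not part of this guide or of any SAP tool: it derives the expected ports for an instance number, builds the port set a Diagnostics Agent needs toward the Solution Manager instance (Table 40), and compares a constructed firewall rule list against it, so that rules opening ports the tables do not call for, and required ports with no rule, stand out. The service labels, the (source, destination, port) rule layout and the sample rules are assumptions made for this example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Port schemes from Tables 40 to 47; <nn> is the two-digit SAP instance number.
# The service labels are chosen for this example (assumption).
INSTANCE_PORT_PATTERNS: Dict[str, str] = {
    "J2EE engine (HTTP)": "5{nn}00",           # e.g. 50100 for instance 01
    "J2EE engine (P4)": "5{nn}04",             # e.g. 50104
    "ITS / ICM web service (HTTP)": "80{nn}",  # e.g. 8001
    "Message Server (HTTP)": "81{nn}",         # e.g. 8101
    "IGS (HTTP)": "4{nn}80",                   # e.g. 40180
    "Java Message Server (internal, 36xx)": "36{nn}",
    "Java Message Server (internal, 39xx)": "39{nn}",
}

# Ports that do not depend on the instance number (defaults quoted in Tables 40 and 47).
FIXED_PORTS: Dict[str, int] = {
    "Introscope Manager (HTTP)": 8081,
    "Introscope Enterprise Manager (TCP/IP)": 6001,
    "SAP Host Agent web service (HTTP)": 1128,
}

# Services a Diagnostics Agent on a managed host needs toward Solution Manager (Table 40).
AGENT_TO_SOLMAN: List[str] = [
    "J2EE engine (P4)",
    "Message Server (HTTP)",
    "Introscope Enterprise Manager (TCP/IP)",
]


def instance_ports(instance_no: int) -> Dict[str, int]:
    """Expected port per service for one SAP instance number (00-99)."""
    if not 0 <= instance_no <= 99:
        raise ValueError("SAP instance numbers are two digits, 00-99")
    nn = f"{instance_no:02d}"
    ports = {svc: int(pattern.format(nn=nn)) for svc, pattern in INSTANCE_PORT_PATTERNS.items()}
    ports.update(FIXED_PORTS)
    return ports


def required_ports(instance_no: int, services: Iterable[str]) -> Set[int]:
    """Port set needed for the given services on one instance."""
    table = instance_ports(instance_no)
    return {table[svc] for svc in services}


def review_firewall_rules(rules: Iterable[Tuple[str, str, int]],
                          required: Set[int]) -> Dict[str, List[int]]:
    """Compare (source, destination, port) rules with the required port set.

    'unexpected': opened ports the tables do not call for (candidates for removal)
    'missing'   : required ports without a rule (the scenario will not work)
    """
    opened = {port for _src, _dst, port in rules}
    return {
        "unexpected": sorted(opened - required),
        "missing": sorted(required - opened),
    }


# Constructed sample: rules for a Diagnostics Agent host toward Solution Manager instance 01.
SAMPLE_RULES = [
    ("agent-host", "solman-host", 50104),      # J2EE engine (P4)
    ("agent-host", "solman-host", 8101),       # Java Message Server (HTTP)
    ("agent-host", "introscope-host", 6001),   # Introscope Enterprise Manager
    ("agent-host", "solman-host", 50100),      # J2EE HTTP: not in the agent's rows of Table 40
]


def review_sample() -> Dict[str, List[int]]:
    """Run the review over the constructed sample rules."""
    return review_firewall_rules(SAMPLE_RULES, required_ports(1, AGENT_TO_SOLMAN))


if __name__ == "__main__":
    for svc, port in sorted(instance_ports(1).items()):
        print(f"{svc:40s} {port}")
    print(review_sample())
```

Running the script lists the ports for instance 01 and reports port 50100 as unexpected for the agent rule set, which is the kind of over-broad rule a firewall review should catch. Instance numbers outside 00-99 are rejected, since the format strings would otherwise silently produce wrong ports.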

More Information

For more information on the current list of ports used by SAP, see the SAP Service Marketplace: service.sap.com/security, under Infrastructure Security, TCP/IP Ports Used by SAP Applications.

13.6 SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP

You can execute the automated basic configuration using transaction SOLMAN_SETUP.

The application is also the home application for work center SAP Solution Manager configuration. Therefore, to set up your SAP Solution Manager and update it, you can either use the transaction or the work center. When you initially set up an SAP Solution Manager system, the system automatically guides you to the transaction. At a later stage, you can lock the transaction and work within the SAP Solution Manager configuration work center.

The following graphic gives you an overview of the work center and its authorizations.


Figure 50: SAP Solution Manager configuration work center as of SP05

In general, the authorizations for this work center are automatically assigned during the configuration process to the users, which are created during the setup. These users are explained in more detail in the next sections of this guide.

User Creation Steps

Steps for creating template/standard users and configuration users are optional. They are mandatory for default users for Basic Settings Configuration and Managed System Configuration.

The optional flag works at activity level. An optional activity is one that end users are not required to execute. Its status is not taken into account in the status consolidation at step level. If a step contains only optional activities, the step itself is considered optional and is grayed out.

Log Upload

Note: The logs of any guided procedure in transaction SOLMAN_SETUP can be attached to an incident message and downloaded for error reference. Any user data or other data involved is visible in these HTML reports. Reports are only available for download if the current user has access to SOLMAN_SETUP or the SAP Solution Manager Configuration work center.

Mass Configuration Update for Managed Systems

You can update your configurations of managed systems (productive and others) for all clients except client 000 using the function Mass Update in the guided procedure for Managed Systems. This allows you to update the configuration of more than one system at a time using templates.

Caution: Make sure that only specified users are allowed to automatically update configuration settings in your managed systems via SAP Solution Manager.


Authorization

The mass update is allowed by default for user SOLMAN_ADMIN by authorization object SM_SETUP and activity 79 (Mass Update). This authorization object is included in role SAP_SM_BASIC_SETTINGS. The activity should be removed from the user after the update has been completed.

Trusted RFC Connection

The mass update configuration needs a trusted RFC connection between SAP Solution Manager and the managed system.

Caution: Make sure that this trusted RFC connection is removed again after the mass update has been executed.
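Tables 34 and 35 give the naming convention SOLMAN_SETUP uses for managed-system destinations (SM_<SID>CLNT<Client>_<suffix>) and the default logon users for the READ and TMW destinations, and the caution above asks for the trusted connection to be removed again after a mass update. The following Python snippet is an added example, not SAP code and not part of this guide: it parses destination names by that convention and reviews a constructed (destination name, logon user) export, listing the _TRUSTED destinations that are still present and the READ/TMW destinations whose logon user differs from the default. The Solution Manager SID "SOL", the sample system IDs and the logon users in SAMPLE_EXPORT are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Naming convention used by SOLMAN_SETUP for managed-system destinations
# (Tables 34 and 35): SM_<SID>CLNT<Client>_<SUFFIX>. SAP SIDs are three
# characters starting with a letter; clients are three digits.
DEST_PATTERN = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<suffix>LOGIN|READ|TRUSTED|TMW|BACK)$"
)


@dataclass(frozen=True)
class ManagedSystemDest:
    name: str
    sid: str       # SID that appears in the destination name
    client: str
    suffix: str


def parse_destination(name: str) -> Optional[ManagedSystemDest]:
    """Return the parsed destination, or None if the name is not in the SOLMAN_SETUP scheme."""
    m = DEST_PATTERN.match(name)
    if not m:
        return None
    return ManagedSystemDest(name, m["sid"], m["client"], m["suffix"])


def default_logon_user(dest: ManagedSystemDest, solman_sid: str) -> Optional[str]:
    """Default logon user listed in Table 34; None where the guide says customer-specific.

    The _BACK destination's user SMB_<managed system ID> (Table 35) cannot be derived
    from the destination name alone, so it is not checked here.
    """
    if dest.suffix == "READ":
        return f"SM_{solman_sid}"
    if dest.suffix == "TMW":
        return f"SMTW{solman_sid}"
    return None


def review_destinations(export: Iterable[Tuple[str, str]], solman_sid: str) -> Dict[str, list]:
    """Review (destination name, logon user) pairs.

    trusted         : _TRUSTED destinations still present (remove again after a mass update)
    nondefault_user : READ/TMW destinations whose logon user deviates from the default
    unmanaged       : names outside the SOLMAN_SETUP scheme (not covered by this review)
    """
    result: Dict[str, list] = {"trusted": [], "nondefault_user": [], "unmanaged": []}
    for name, user in export:
        dest = parse_destination(name)
        if dest is None:
            result["unmanaged"].append(name)
            continue
        if dest.suffix == "TRUSTED":
            result["trusted"].append(name)
        expected = default_logon_user(dest, solman_sid)
        if expected is not None and user != expected:
            result["nondefault_user"].append((name, user, expected))
    return result


# Constructed sample export (name, logon user); Solution Manager SID "SOL" is assumed.
SAMPLE_EXPORT: List[Tuple[str, str]] = [
    ("SM_PRDCLNT100_LOGIN", "JSMITH"),
    ("SM_PRDCLNT100_READ", "SM_SOL"),
    ("SM_PRDCLNT100_TRUSTED", "JSMITH"),
    ("SM_PRDCLNT100_TMW", "SMTWSOL"),
    ("SM_DEVCLNT200_READ", "ZREADER"),
    ("SAPOSS", "S0001234567"),
]


def review_sample() -> Dict[str, list]:
    """Run the review over the constructed sample export."""
    return review_destinations(SAMPLE_EXPORT, "SOL")


if __name__ == "__main__":
    for key, items in review_sample().items():
        print(f"{key}: {items}")
```

The review is informational: a non-default logon user on a READ destination is not necessarily wrong, but it is the kind of deviation worth confirming against the setup documentation, while a lingering _TRUSTED destination maps directly onto the caution above.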

13.7 Root Cause Analysis Work Center

This section gives an overview of the users recommended by SAP and their corresponding role assignments for Root Cause Analysis.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the user's work. You may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.

Figure 51: Root Cause Analysis Work Center

The tables underneath give you a further overview. During automated setup, the user SAPSUPPORT automatically receives all relevant roles, see section on SAPSUPPORT user. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.


Related Links in the Work Center

In the related links section in the work center, you find all possible links for this work center. This link collection is a recommendation about which additional applications could run in the according scenarios. If you want to display in the related links section only those links that should be possible for the defined user to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.

Analysis

All links require at least role SAP_RCA_DISP.

Configuration

For the following two links, you need authorization for the work center SAP Solution Manager configuration and according roles, see the specific guide on Landscape Setup.

● Solution Manager Configuration

● Managed System Setup

Administration

● Solution Manager Administration:

You need authorization for the SAP Solution Manager Administration work center and according authorizations, see scenario-specific guide for SAP Solution Manager Administration.

● Landscape Browser:

You need authorization for LMDB maintenance SAP_SYSTEM_REPOSITORY_*.

● Self-Diagnosis:

You need authorization for solutions SAP_SM_SOLUTION_*.

● My Notification Settings:

You need role SAP_NOTIF_*.

Documentation

There are no authorization checks for URL links.

13.8 SOLMAN_SETUP Configuration Administration Tool

You can use transaction SOLMAN_SETUP_ADMIN to administer the configuration done in transaction SOLMAN_SETUP.

The transaction SOLMAN_SETUP_ADMIN contains the following views:

● Overview

● Generic Storage Admin

This view contains the data which is stored during the execution of transaction SOLMAN_SETUP. The view of the steps is controlled by authorization object SM_SETUP (similar to the use of the object within transaction SOLMAN_SETUP).

● Data Storage


This view contains log information of the changes executed during configuration in transaction SOLMAN_SETUP, which are stored as well in the SOLMAN_SETUP log tables.

● Solman Setup Migration

This view displays logs of the migrations related to SOLMAN_SETUP.

● Log Archiving

Roles and Authorizations

The transaction is not integrated in any work center. You have to assign the following roles to a dedicated user manually:

Roles allowing access to all views except Log Archiving:

● SAP_SOLMAN_SETUP_ADMIN_ALL

● SAP_SOLMAN_SETUP_ADMIN_DIS

Role allowing access to Log Archiving only: SAP_SM_ARCHIVE_LOG_ALL

Log Archiving

Log Archiving can be accessed from the following applications:

● any step in transaction SOLMAN_SETUP, see section on user SOLMAN_ADMIN in Landscape Setup Guide

● transaction SOLMAN_SETUP_ADMIN

● work center SAP Solution Manager Administration, view Users: within application Solution Manager User Management (SMUA), see Scenario-specific Guide for SAP Solution Manager Administration

13.9 Users Created During Installation

13.9.1 Database User SAP<SID>DB [MANAGED.DB.USER]

This database administrator user (situated in the database server) is created during the SAP engine installation of the managed system, and it is the owner of the database schema created for the system needs. The user store is the database server, group: database administrators. This user is required during the SAP Engine installation and also for some Diagnostics tools like:

● DBA Cockpit

● In case of JDBC connection problems, you are able to retrieve the full JDBC configuration by using the Diagnostics Config Tool available by running the following script: /usr/sap/<SID>/Shortcuts/configtool .

Note: If you require a dedicated user for Root Cause Analysis with the corresponding credentials, you can create a user with read access to the database schema.

Password change

It is strongly recommended not to update this user. If necessary, this user's password can be updated in the database administration tool. The password change has to be applied accordingly within the configtool in the secStore part.


13.9.2 OS Engine User [MANAGED.OS.SIDADM]

This OS user is created with the installation of the SAP Engine on the Windows platform of the managed system. This user is required to restart the managed system so that the Java parameter updates performed by Diagnostics take effect.

Note that on UNIX systems the user <SID>adm must have a umask such as 027, and the group sapsys must have at least read access to the managed system engine files. On Windows, the recommended value for the user is SAPService<SID>adm in group administrators.

This user's password can be changed according to the local user policy.

13.9.3 OS User Dedicated to the Diagnostics Agent <SID>ADMIN [MANAGED.OS.AGTSIDADMIN]

This OS user is created during the Diagnostics Agent installation on the managed system. The default user name is <SID>ADMIN. On UNIX systems, this user must have the permissions required to read data from the managed system and to write it to the agent directory; it is also needed, for instance, to restart the Diagnostics Agent. The following platform families may be considered:

● Managed system based on a Microsoft Windows Server

On a Microsoft OS, this user must be part of the administrators group.

● Managed system based on a UNIX OS

On UNIX systems, this user must be a member of the sapsys group. The Diagnostics Agent temp directory must have read, write, and execute permissions for the group, so that all users belonging to the sapsys group have full access to it. The permissions must be equal to the result of the command chmod g+rwx on the Diagnostics Agent temp directory. This user must have a umask of 027.

Note

● If your system runs a daemon task that automatically checks and restores your default access permissions, you may have to adapt this daemon to remain compliant with the requirements described above.

● See SAP Note 1163751 for the solution check.
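The UNIX requirements in sections 13.9.2 and 13.9.3 (umask 027 for <SID>adm and the agent user, membership in group sapsys, chmod g+rwx on the Diagnostics Agent temp directory) can be verified on the host. The following Python script is an added example and not part of this guide or of the Diagnostics Agent: it computes the permission bits umask 027 yields for new files and directories, reads the current umask, checks a directory for the required group bits, and checks local group membership. The directory path, user name and group name are passed in by the caller (nothing is hard-coded from a real installation); the scratch directory in demo_temp_dir_check() is created only for the demonstration and removed again.

```python
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile
from typing import List, Tuple

REQUIRED_UMASK = 0o027   # required for <SID>adm and the agent user (sections 13.9.2 and 13.9.3)


def expected_mode(default_mode: int, umask: int = REQUIRED_UMASK) -> int:
    """Permission bits a new object receives when created with default_mode under umask."""
    return default_mode & ~umask


def current_umask() -> int:
    """Read the process umask without changing it (os.umask sets and returns the old value)."""
    value = os.umask(0)
    os.umask(value)
    return value


def check_umask(value: int) -> List[str]:
    """Finding if the umask differs from the required 027."""
    if value != REQUIRED_UMASK:
        return [f"umask is {value:03o}, required {REQUIRED_UMASK:03o}"]
    return []


def check_agent_temp_dir(path: str) -> List[str]:
    """Findings for the Diagnostics Agent temp directory (empty list means compliant)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    findings: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXG != stat.S_IRWXG:
        findings.append(f"group lacks rwx on {path} (mode {mode:04o}); apply chmod g+rwx")
    if mode & stat.S_IRWXO:
        # Not stated for the directory itself in the guide, but inconsistent with
        # what umask 027 produces for anything the agent user creates.
        findings.append(f"others have access to {path} (mode {mode:04o})")
    return findings


def user_in_group(user: str, group: str) -> bool:
    """True if user has group as primary or supplementary group (local passwd/group only)."""
    try:
        pw = pwd.getpwnam(user)
        gr = grp.getgrnam(group)
    except KeyError:
        return False
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


def demo_temp_dir_check() -> Tuple[List[str], List[str]]:
    """Create a scratch directory and show the check failing at 0750 and passing at 0770."""
    scratch = tempfile.mkdtemp()
    try:
        os.chmod(scratch, 0o750)
        before = check_agent_temp_dir(scratch)
        os.chmod(scratch, 0o770)
        after = check_agent_temp_dir(scratch)
    finally:
        shutil.rmtree(scratch)
    return before, after


if __name__ == "__main__":
    # usage: script.py <agent temp dir> <agent user> <group, e.g. sapsys>
    print(f"new files under umask 027: {expected_mode(0o666):04o}, "
          f"new directories: {expected_mode(0o777):04o}")
    print(check_umask(current_umask()) or ["umask ok"])
    if len(sys.argv) == 4:
        path, user, group = sys.argv[1:4]
        print(check_agent_temp_dir(path) or ["temp dir ok"])
        print(f"{user} in {group}: {user_in_group(user, group)}")
    else:
        print(demo_temp_dir_check())
```

Running the script under the agent user reports that user's umask; the directory and group checks use whatever path, user and group you pass in. A permission-restoring daemon of the kind the note mentions would show up here as a temp directory that passes right after chmod g+rwx and fails again on a later run.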

13.10 Users and Authorizations for SAP Solution Manager Configuration/Operation

You need to create users during system preparation and during basic setup.

Described Users

In this section, all users created in the SAP Solution Manager system are described. Not described are users created in the managed systems, BW users, SLD users, and S-users.

Role Descriptions

The assigned roles are not described in detail. All role descriptions are linked in the setup screen when you create the according users in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. This help text can also be called using transaction SE61. In the following sections, only the technical ID of the help text is given. For more information on any specific role, call transaction SE61 or check the according step for user creation in transaction SOLMAN_SETUP. If you check in transaction SE61, proceed as follows:

1. Call transaction SE61.

2. Choose Document Class General text (TX).

3. Choose your language.

4. Enter the technical ID of the help text as given in the tables underneath.

5. Choose button Display. The system displays the text, which is also linked in the setup screen.

All documents describing authorization roles follow the naming convention <AUTH_*>. Role updates are mentioned in the description tab of the according role and in the Document History of this security guide.

13.10.1 Password Changes

When you have changed passwords for users or deleted users, you need to readjust the configuration in transaction SOLMAN_SETUP. To do so, use the function Update Password or Provide Credentials to update the password for a user.

13.10.2 Configuration and Administration User SOLMAN_ADMIN [SOLMAN.DUAL.ADMIN]

When you configure your Solution Manager initially, you need to create your configuration/administration user (user type: dialog user) during system preparation. Per default this user is called SOLMAN_ADMIN. You can use the default user name, but you can also use any other user name. You can use this user for:

● Configuration of the basic settings, managed system settings, and EarlyWatch Alert Management of SAP Solution Manager

● Update of the configuration of the basic settings, managed system settings, and EarlyWatch Alert Management of SAP Solution Manager

Configuration

The user SOLMAN_ADMIN is created by the system automatically during the automated configuration procedure in transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration). It is assigned a number of different roles for various purposes.

SAP delivers all roles in the SAP namespace (SAP roles). When assigning the roles, the system automatically detects which roles need to be copied into a customer namespace <Z> (customer roles). For instance, navigation roles for work center usage (SAP_SMWORK_<work center>) do not need to be copied into the customer namespace, as they do not contain any relevant authorization objects, but only menu options. The user interface shows you which roles should be copied into a namespace. Before copying the roles, you can choose your own namespace for the roles that are automatically copied by the system. To do that, enter your namespace instead of the <Z> namespace in the column Copy from SAP Role before you create the roles.


NoteNot all roles need to be copied into your own name space, for instance role SAP_J2EE_ADMIN must not be copied as it is just a “connecting” role between ABAP and Java stacks. In addition, navigation roles for work centers should not be copied, as the menu can then be easily overwritten by a new SAP delivery with a new interface navigation, see section on work center navigation role concept in the core security guide.

The system automatically assigns the selected roles to the SOLMAN_ADMIN user and generates the according profiles. The user can work immediately, because all authorization values in the mentioned roles are delivered with dedicated values. For all generic fields, the value asterisk (*) is delivered.

Therefore, if you want to change delivered values, you still need to maintain the authorization objects for the according role manually. For more information, read the Role Description for the according role. The role description is provided in the according screen in the user interface of the guided procedure.

The following table gives you an overview over the roles assigned to this user.

Default Roles Assigned to User SOLMAN_ADMIN (Help Text ID: USER_SOLMAN_ADMIN)

Table 48

Assigned Roles Help Text ID

for Basic Configuration

SAP_J2EE_ADMIN AUTH_SAP_J2EE_ADMIN

Note: You may also assign role SAP_RCA_AGT_ADM.

SAP_SM_BASIC_SETTINGS AUTH_SAP_SM_BASIC_SETTINGS

SAP_SM_USER_ADMIN AUTH_SAP_SM_USER_ADMIN

SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN

SAP_PI_CCMS_SETUP AUTH_SAP_PI_CCMS_SETUP

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR

SAP_SMWORK_BASIC AUTH_SAP_SMWORK_BASIC

SAP_SMWORK_CONFIG AUTH_SAP_SMWORK_CONF

SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN

SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG

SAP_SMWORK_SM_ADMIN AUTH_SAP_SMWORK_ADMIN

SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SMWORK_SERVICE_DEV AUTH_SAP_SMWORK_SERVICE_DEV

SAP_SM_DASHBOARDS_DISP_LMDB AUTH_SAP_SM_DASHBOARDS_DISP_LMDB


SAP_RCA_ADMIN_CONFIG AUTH_SAP_RCA_ADMIN_CONFIG

SAP_SM_S_RFCACL AUTH_SAP_SM_S_RFCACL

Optional: End-User Experience Monitoring Configuration

SAP_SM_EEM_CONF AUTH_SAP_SM_EEM_CONF

Optional: Mass Update with Template Management

SAP_SM_MS_TMPL_UPDATE_ALL AUTH_SAP_MS_TMPL_UPDATE

Optional: Role Comparison Tool

SAP_SM_ROLECMP_ALL AUTH_SAP_SM_ROLECMP_ALL

After creating the SOLMAN_ADMIN user, you continue configuring your SAP Solution Manager system using this user. Therefore, this user creates other users you need in the system, such as user SMD_RFC, SAPSUPPORT, and so on. These users are described in more detail in the following sections.

Template Management for Mass System Configuration

You can use Template Management to mass configure managed systems by using one template for a number of similar systems. The configuration of the managed systems is done in the background. You can use SOLMAN_ADMIN user for it. You can also create a specific user for this task manually. You need to assign this user the following authorizations/roles:

● SAP_SM_MS_TMPL_UPDATE_ALL: The role contains authorization for Template Management SM_MASS_UP.

Note: To allow the user to access transaction SOLMAN_SETUP and the Mass Update application, you need to manually assign authorization object SM_SETUP with ACTVT 03 (Display) and ACTVT A8 (Mass Update).

● SAP_SYSTEM_REPOSITORY_ALL

● SAP_SM_RFC_ADMIN

Role Comparison Tool: Role Adjust

CautionThe use of this tool can be critical as it allows manipulation of any customer roles if authorization is given.

You can use SOLMAN_ADMIN user to use the Role Comparison Tool for comparing your own customer roles with updated SAP Standard roles in transaction SOLMAN_SETUP per user. You can also create a specific user for this task, manually. You need to assign this user the following authorizations/roles:

● SAP_SM_ROLECMP_ALLThe role contains authorization for role adjustment SM_ROLECMP.

● SAP_SM_USER_ADMIN


● In addition, you need to assign authorization objects S_TCODE (for SOLMAN_SETUP) and SM_SETUP with ACTVT 03 to access transaction SOLMAN_SETUP.

NoteRole SAP_SM_ROLECMP_ALL is assigned to all configuration users, created in step 8 of Basic Configuration in transaction SOLMAN_SETUP, technical names: SMC_***.

Incident Management Integration

To allow the SOLMAN_ADMIN user to create Incidents, you need to assign role SAP_SUPPDESK_CREATE additionally.

Update

NoteWhen you update your Solution Manager, you need to check the user authorizations for this user again, and update its authorizations. This is described in the according screen in transaction SOLMAN_SETUP.

Administration

After the configuration of SAP Solution Manager, you can restrict the authorizations of user SOLMAN_ADMIN, if needed. For instance, role SAP_J2EE_ADMIN grants administration authorization for all areas of J2EE. To separate and/or restrict this authorization, you can remove this role from user SOLMAN_ADMIN and assign the relevant restricting roles instead. In addition, the following roles can be removed after configuration is done, without a status change in SOLMAN_SETUP:

● SAP_SM_USER_ADMIN

● SAP_SM_CONF_SEC

● SAP_SM_S_RFCACL

● SAP_SM_GATEWAY_ACTIVATION

● SAP_SM_MS_TMPL_UPDATE_ALL

Restricting Roles for User SOLMAN_ADMIN

Table 49

Assigned Role | Restricting Role | Help Text - ID
SAP_J2EE_ADMIN | SAP_RCA_AGT_ADM | AUTH_SAP_RCA_AGT_ADM
 | SAP_JAVA_NWADMIN_CENTRAL_READONLY | no Help Text ID, see the corresponding security guide for SAP NetWeaver Java
 | SAP_RCA_AGT_ADM_VIA_SLD | This role allows the use of the Expert User Interface in Java for Agent Candidate Management. It should only be assigned to specified users.
 | sap.com/tc~monitoring~systeminfo*sap_monitoring/SystemInfo_Support_Role | no Help Text ID, see the corresponding security guide for SAP NetWeaver Java
 | sap.com/SQLTrace*OpenSQLMonitors / OpenSQLMonitorLogonRole | no Help Text ID, see the corresponding security guide for SAP NetWeaver Java
 | SAP_SLD_GUEST | Read access to SLD. Caution: If you restrict access to technical systems in the ABAP stack using authorization object AI_LMDB_OB, a user with access to SLD and role SAP_SLD_GUEST can still read all system information in SLD.
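A post-configuration check of the SOLMAN_ADMIN role assignments, written for this section as an added example (it is not part of the SAP guide): it reads a constructed user/role export in an assumed "USER;ROLE" line format, flags the roles the guide says can be removed after configuration, points at the Table 49 restricting roles for SAP_J2EE_ADMIN, and repeats the SAP_SLD_GUEST caution.

```python
"""Post-configuration role hygiene check for the SOLMAN_ADMIN user.

Added example, not part of the SAP guide. It parses a constructed
user/role export (the two columns you would pull from SU01 or table
AGR_USERS; the 'USER;ROLE' line format is an assumption) and reports:
  - roles the guide says can be de-assigned once configuration is done,
  - SAP_J2EE_ADMIN, which the guide suggests replacing with the
    restricting roles of Table 49,
  - restricting roles that carry their own caution in the guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Roles that can be removed after configuration without changing the
# status in SOLMAN_SETUP (from the Administration paragraph above).
DEASSIGN_AFTER_CONFIG = {
    "SAP_SM_USER_ADMIN",
    "SAP_SM_CONF_SEC",
    "SAP_SM_S_RFCACL",
    "SAP_SM_GATEWAY_ACTIVATION",
    "SAP_SM_MS_TMPL_UPDATE_ALL",
}

# Broad role -> narrower restricting roles (Table 49).
RESTRICTING_ROLES = {
    "SAP_J2EE_ADMIN": [
        "SAP_RCA_AGT_ADM",
        "SAP_JAVA_NWADMIN_CENTRAL_READONLY",
        "SAP_RCA_AGT_ADM_VIA_SLD",
        "sap.com/tc~monitoring~systeminfo*sap_monitoring/SystemInfo_Support_Role",
        "sap.com/SQLTrace*OpenSQLMonitors / OpenSQLMonitorLogonRole",
        "SAP_SLD_GUEST",
    ],
}

# Restricting roles that the guide marks with a caution.
CAUTIONS = {
    "SAP_SLD_GUEST": "reads all system information in SLD even if AI_LMDB_OB restricts the ABAP side",
    "SAP_RCA_AGT_ADM_VIA_SLD": "Expert UI for Agent Candidate Management; assign only to specified users",
}


@dataclass
class Finding:
    user: str
    role: str
    kind: str                       # "deassign", "restrict" or "caution"
    detail: List[str] = field(default_factory=list)


def parse_export(text: str) -> Dict[str, Set[str]]:
    """Parse 'USER;ROLE' lines into {user: {roles}}; '#' lines are comments."""
    assignments: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (part.strip() for part in line.split(";", 1))
        assignments.setdefault(user.upper(), set()).add(role)
    return assignments


def check_post_config(assignments: Dict[str, Set[str]], user: str = "SOLMAN_ADMIN",
                      in_configuration: bool = False) -> List[Finding]:
    """Findings for one user. While configuration or an update runs
    (in_configuration=True) nothing is reported, because the guide
    requires the broad roles during that phase."""
    findings: List[Finding] = []
    if in_configuration:
        return findings
    for role in sorted(assignments.get(user.upper(), ())):
        if role in DEASSIGN_AFTER_CONFIG:
            findings.append(Finding(user, role, "deassign"))
        elif role in RESTRICTING_ROLES:
            findings.append(Finding(user, role, "restrict", RESTRICTING_ROLES[role]))
        elif role in CAUTIONS:
            findings.append(Finding(user, role, "caution", [CAUTIONS[role]]))
    return findings


# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = """\
# user;role
SOLMAN_ADMIN;SAP_SM_BASIC_SETTINGS
SOLMAN_ADMIN;SAP_J2EE_ADMIN
SOLMAN_ADMIN;SAP_SM_USER_ADMIN
SOLMAN_ADMIN;SAP_SM_S_RFCACL
SOLMAN_ADMIN;SAP_SLD_GUEST
SOLMAN_BTC;SAP_SM_BATCH
"""

if __name__ == "__main__":
    for f in check_post_config(parse_export(SAMPLE_EXPORT)):
        print(f"{f.user}: {f.role} -> {f.kind} {f.detail}")
```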

Restrict Access to SOLMAN_SETUP (Authorization Object SM_SETUP)

The authorization object SM_SETUP controls whether a user can access transaction SOLMAN_SETUP. In addition, it controls which functions SOLMAN_ADMIN can use within this transaction, such as:

● editing steps (ACTVT 02)

● using the archiving functionality (ACTVT 24)

● allowing automatic mass configuration for managed systems (ACTVT A8)

The object is contained in role SAP_SM_BASIC_SETTINGS.

Authorization to Unlock Users

The SOLMAN_ADMIN role SAP_SM_BASIC_SETTINGS contains authorization object S_USER_GRP with ACTVT 05 (unlock). This authorization is used to unlock locked users during the configuration of users (create, update).

13.10.3 Technical User SM_AMSC

This technical user is used during the Automated Managed System Configuration to run the update job in the Solution Manager system. The user is assigned role SAP_SM_MS_SETTINGS.

The following use cases are handled by this user:

● Read RFC destination update

● Java Server Node removed

● Java Server Node added

● ABAP client removed

● Delete, add, remove Instance

● Instance moved to different physical host

● Product Version/Instance upgraded

● Product Version/Instance added, removed

● Update SLD Content


Note: The LMDB notification job runs with user SOLMAN_BTC.

Specific Authorization Objects

S_ADMI_FCD

The role contains authorization object S_ADMI_FCD with value DBA. One use case of AMSC is the automatic adaptation to a renamed host name. For this purpose, the user calls the DBA Cockpit setup and provides the new host name. All configuration steps for the remote connection in DBA Cockpit require S_ADMI_FCD authorization with value DBA.

SM_SMUA

One use case of AMSC is the possibility to upgrade an ABAP stack. In this situation, the system checks if the roles for the RFC users (such as READ user) need to be updated, too. The update of these users is restricted by authorization object SM_SMUA.

13.10.4 Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM]

You need to create a user (user type: system user) to connect the Diagnostics Agent to your SAP Solution Manager Java stack during system preparation. The default name of this user is SMD_AGT. The user is mandatory to register the SMD agent with the Java stack via a P4 connection during agent startup. Be aware that if some agents are not connected during the password maintenance, the system does not update those agents, and they are therefore no longer able to connect. In that case, a manual update operation is mandatory, as described in the Diagnostics Agent Setup Guide.

Role Assignment to User SMD_AGT (Help Text ID: USER_SMD_ADMIN)

Table 50

Assigned Role | Help Text-ID
SAP_RCA_AGT_CONN | AUTH_SAP_RCA_AGT_CONN

Note: Role SAP_RCA_AGT_CONN must not be copied into the customer namespace, as this role does not contain authorizations. It refers to its security role in the Java stack.

13.10.5 Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC]

During system preparation, you create this technical user (user type: system user) to run all batch jobs (see table SMCONFIGJOBS) that are relevant for the basic configuration, including the update of the MAI configuration after an upgrade to a new Support Package (authorization object SM_MOAL_TC). The default name for the user is SOLMAN_BTC. This user must receive role SAP_SM_BATCH, which contains all relevant authorizations. For changes per Support Package, see also SAP Note 1314587.


If you set up BW as the standard scenario (local), you also need to assign role SAP_BI_E2E to the user to execute all BW-related batch jobs.

User Roles for User SOLMAN_BTC (Help Text ID: USER_SOLMAN_BTC)

Table 51

Assigned Role | Help Text-ID
SAP_SM_BATCH | AUTH_SAP_SM_BATCH
SAP_BI_E2E | AUTH_SAP_BI_E2E

List of Background Jobs

All background jobs that run with this user can be found in SAP Note 894279.

If your system is marked as non-productive, the following jobs are not running in your system:

13.10.6 Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN]

To ease support (user tracing) and a potential user locking, the technical user SM_EXTERN_WS is used for external web services communication between Diagnostics Agents and SAP Solution Manager.

User Role for SM_EXTERN_WS (Help Text ID: USER_SM_EXTERN_WS)

Table 52

Assigned Roles | Help Text-ID
SAP_SM_EXTERN_WS | AUTH_SAP_SM_EXTERN_WS
SAP_J2EE_ADMIN | AUTH_SAP_J2EE_ADMIN

13.10.7 Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN]

The technical user SM_INTERN_WS is used for internal web services communication between the ABAP and Java stack of SAP Solution Manager.

Roles Assigned to User SM_INTERN_WS (Help Text ID: USER_SM_INTERN_WS)

Table 53

Assigned Roles | Help Text-ID
SAP_SM_INTERN_WS | AUTH_SAP_SM_INTERN_WS
SAP_J2EE_ADMIN | AUTH_SAP_J2EE_ADMIN


13.10.8 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT]

The SAPSUPPORT user is a read-only user of type Dialog for Root Cause Analysis. The user SOLMAN_ADMIN automatically creates this user in the SAP Solution Manager system, in the managed systems, and in the BW client/system. This user is the main user for logging on to Diagnostics.

In the SAP Solution Manager System: Standard BW Scenario (Help Text ID: USER_SAPSUPPORT)

Table 54

Assigned Roles | Help Text-ID
SAP_BI_E2E | AUTH_SAP_BI_E2E
  Note: See also role SAP_BI_E2E_DISP.
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
  Note: This role allows only read access to all tools. If you want your SAPSUPPORT user to be able to change settings, you need to adapt the role; see the How-to section.
SAP_DBA_DISP | AUTH_SAP_DBA_DISP
SAP_CV_DIS | AUTH_SAP_CV_DIS
SAP_EM_DISPLAY | AUTH_SAP_EM_DISPLAY
  Note: Role SAP_EM_COCKPIT allows the usage of the cockpit with the authorization to display the total number of records, including payload.
SAP_SMWORK_BASIC | AUTH_SAP_SMWORK_BASIC
SAP_SMWORK_CONFIG | AUTH_SAP_SMWORK_CONFIG
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_SM_ADMIN | AUTH_SAP_SMWORK_ADMIN

Note: In the display role for RCA, the authorization object D_SM_S_DIA is delivered with activities 02 (change) and 03 (display). This is due to the nature of the self-diagnosis function and its configuration possibilities. It has no impact on data changes, only on data display.


In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSUPPORT_MS)

Table 55

Assigned Roles | Help Text-ID
SAP_BI_E2E | AUTH_SAP_BI_E2E

13.10.9 Dialog User SAPSERVICE

The user is used for Service Delivery by SAP. It is present in all relevant systems in your system landscape. You can create this user during Basic Settings Configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:

● SAP Solution Manager

● Managed Systems

● BW System

In general, this user retains all authorizations of SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and the managed systems.

Trusted RFC Authorizations

The authorization for trusted RFCs should be assigned if trusted RFCs are created between SAP Solution Manager and managed systems and, if BW is remote, in the BW system and SAP Solution Manager. The corresponding role in Solution Manager and managed systems is SAP_SM_S_RFCACL. In the BW system the role is called SAP_SM_BW_S_RFCACL.

Specific Role Namespace

Because this is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if it is remote) are copied automatically into their own namespace ZSD*.

In the SAP Solution Manager

For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the according entry in step 2.4 Create Users in the view Basic Settings. If you are not sure about the roles assigned by the system, check out the documentation link behind the according role. The single roles are also shipped with composite role SAP_SERVICE_EXE_ALL_COMP.

In the Managed System

In the managed systems the user is not created automatically, because the required authorizations depend on the business context. Check SAP Note 1405975 for appropriate roles.

In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSERVICE)

Table 56

Assigned Roles | Help Text-ID
SAP_BI_E2E | AUTH_SAP_BI_E2E


ITPPM Project Integration

The following roles are required for the ITPPM Project integration:

● SAP_SM_DASHBOARDS_DISP_VBD

● SAP_BPR_PPM

● SAP_CPR_PROJECT_ADMINISTRATOR

● SAP_CPR_USER

● SAP_XRPM_ADMINISTRATOR

13.10.10 Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC]

The SMD_RFC user is created by user SOLMAN_ADMIN during runtime for communication between Root Cause Analysis/Java and SAP Solution Manager /ABAP.

Role Assignment to User SMD_RFC (Help Text ID: USER_SMD_RFC)

Table 57

Assigned Role | Remarks
SAP_SM_WEBSERVICE_ADMIN | ABAP authorization role, full authorization for the Java stack
SAP_SOLMANDIAG_E2E | ABAP authorization role, for diagnostics

13.10.11 Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV]

The technical user SEP_WEBSRV is used for the BMC AppSight License Check Service in the Internet Communication Framework (ICF).

Role Assigned to User SEP_WEBSRV (Help Text ID: SEP_WEBSRV)

Table 58

Assigned Role | Help Text-ID
SAP_APPSIGHT_INTERFACE | AUTH_SAP_APPSIGHT_INTERFACE

13.10.12 Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV]

The technical user CONTENTSERV is used for services in the Internet Communication Framework (ICF).

User Roles for CONTENTSERV (Help Text ID: USER_CONTENTSERV)

Table 59

Assigned Role | Help Text-ID
SAP_SOL_LEARNING_MAP_DIS | AUTH_SAP_SOL_LEARNING_MAP_DI

13.10.13 Technical User for RFC Connection BACK <SMB_<SIDofManagedSystem>> [MANAGING.ABAP.RFC]

The technical user is used for the BACK RFC connection from the managed system to the SAP Solution Manager system. It is created during managed system setup by user SOLMAN_ADMIN. The default name of this user is SMB_<SIDofManagedSystem>. The password can either be customer-specific or generated by the system.

The RFC is used to send SDCCN data or messages from a managed system to the SAP Solution Manager system, lock customizing objects against changes in Customizing Distribution, integrate Change Request Management into the Service Desk, and so on.

Note: If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

The user is automatically assigned a generated role: <name space>SAP_SOLMAN_BACK.

13.10.14 User Wily Guest [SOLMAN.WILY.GUEST]

The application user Guest is a built-in user of the Introscope Enterprise Manager (EM). By default, it is used to open the proprietary JDBC connection between SAP Solution Manager and the Introscope Enterprise Manager to extract the collected performance data. The user and password are maintained in two places:

● Within Root Cause Analysis

● Within the Introscope Enterprise Manager user store (XML files: users.xml, domains.xml)

13.11 Users and Authorizations for Managed Systems

You need to create users during the configuration of the managed systems.

Described Users

All users created in the managed system are described.


In addition, the system creates users in the UME of a managed system if this system is a Java system or a double stack. CTC runtime users are also created automatically. These users are mentioned in the log of the configuration setup, but not explicitly on the UI.

Roles Descriptions

The assigned roles are not described in detail here. All role descriptions are linked on the setup screen where you create the corresponding users in transaction SOLMAN_SETUP or in the SAP Solution Manager Configuration work center. The help text can also be called up using transaction SE61. In the following sections, only the technical ID of the help text is given. For more information on any specific role, call transaction SE61 or check the corresponding user creation step in transaction SOLMAN_SETUP. To check in transaction SE61, proceed as follows:

1. Call transaction SE61.

2. Choose Document Class General text (TX).

3. Choose your language.

4. Enter the technical ID of the help text as given in the tables underneath.

5. Choose button Display. The system displays the text, which is also linked in the setup screen.

All documents for authorization roles description have the naming convention <AUTH_*>

13.11.1 NGAP - Based Managed Systems Support

In NGAP-based systems you differentiate between the application client and the administration/system client. In the administration/system client you can see all cross-client data, so this client is used for system monitoring and similar functions. For system monitoring, for instance, this requires that the relevant connections between SAP Solution Manager and the managed NGAP system point to the administration/system client.

In general, all required actions that need to be executed to connect managed systems, apply to NGAP - based systems.

13.11.2 Administrator User in ABAP: SM_ADMIN [MANAGED.JAVA.ABAP.ADMIN]

When you set up the managed systems with SAP Solution Manager, the system creates a configuration user SM_ADMIN_<Solution Manager SID> of type system user with specific authorizations in the managed system. This user is allowed to create other users in the managed system, assign roles, and run some Diagnostics self-check activities.

This user creates the following users in managed systems of type Double Stack:

● SAPSUPPORT (dialog user in ABAP)

● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent in Java)

● SMDAGENT<SolManID> (technical user for JCo/RFC, relevant for the Diagnostics Agent in ABAP)

This user creates the following users in an ABAP Single Stack managed system:

● SAPSUPPORT (dialog user in ABAP)

● SMDAGENT<SolManID> (technical user for JCo/RFC, relevant for the Diagnostics Agent in ABAP)


Roles Assigned to Configuration User SM_ADMIN_<SolutionManager SID>

Table 60

Assigned Roles (for Basic Configuration) | Help Text - ID | Additional Remarks
SAP_RCA_CONF_ADMIN | AUTH_SAP_RCA_CONF_ADMIN | Main configuration authorization for the managed system, including SDCCN
SAP_SM_USER_ADMIN | AUTH_SAP_SM_USER_ADMIN | ABAP authorization role; authorizations for transactions SU01 and PFCG to allow the creation, change, and deletion of users and roles. If your security policy does not allow this, you need to create all users manually.
SAP_J2EE_ADMIN | AUTH_SAP_J2EE_ADMIN | In case of a double stack or single Java stack; must be added manually

Operations/Upgrade Mode

Recommendation: The user can be locked after the configuration tasks are finished. In case of an upgrade configuration, you need to unlock it again.

13.11.3 Administrator User in Java: SM_ADMIN_<SolManSID> [MANAGED.JAVA.ADMIN]

When you set up the managed systems with SAP Solution Manager, you need to create an administration user for Java manually. This user must be allowed to create other users in the managed system, assign roles, and run some Diagnostics self-check activities.

This user creates the following users in managed systems of type Double Stack:

● SAPSUPPORT

● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent in Java)

This user creates the following users in a Java Single Stack managed system:

● SAPSUPPORT

● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent)


13.11.4 Technical User SMDAGENT_<SolManID> for Wily Host Agent [MANAGED.ABAP.WILYAGT]

The user SMDAGENT_<SOLMANSID> connects the Wily Host Agent to the managed system. It is an ABAP user used by the Wily Host Agent and is created automatically at runtime during the managed system setup.

The user is used to run dedicated extractors on the managed systems, which are delivered with the ABAP add-on ST/A-PI. The Wily Host applications running within the Diagnostics Agent use this user to open a JCo connection to managed ABAP systems and collect application-specific performance data.

For self-monitoring purposes, this user should also exist on the SAP Solution Manager system, and the current ST/A-PI should be installed there as well. The name of the user SMDAGENT_<SOLMANSID> is fixed and must not be changed.

Role Assigned to User SMDAGENT_<SolManID>

Table 61

Role | Text ID | Remarks
SAP_IS_MONITOR | AUTH_SAP_IS_MONITOR | ABAP

More Information

For further details regarding Wily Introscope user administration, read the Introscope Installation for SAP Introscope® Version 8.0 Installation Guide for SAP.

13.11.5 Technical Users for RFC Connections READ and TMW [MANAGED.ABAP.RFC]

In the managed system, you create two technical users (user type: system user) for RFC connections: the READ user and the TMW user.

Role Upload from SAP Solution Manager to the Managed System

You can upload the roles for the READ user and TMW user using the function “Upload”. This function allows you to upload the roles for the individual users from SAP Solution Manager into your respective client of the managed system. To be able to upload the roles, the system requires you to enter an administration user of your managed system into a pop-up beforehand, which has the authorizations to upload roles in your managed system. The system opens a temporary trusted RFC connection in order to be able to upload the role.

Note: The function can only be used if:

● the client in the managed system is not a productive client. We recommend uploading the role into your development client and transporting it into your productive client.

● your user in the SAP Solution Manager system has authorization object SM_SMUA assigned. This authorization object is included in role SAP_SM_SMUA* for user SOLMAN_ADMIN.


READ RFC Connection (technical name: SM_<SIDofSolManSystem>CLNT<ClientofSolManSystem>_READ)

The READ RFC connection is used to read data from the managed system, to run a set of extractors, and to enable E2E tracing in the managed systems (for instance, initial E2E checks on the managed systems run E2E extractors). It is mandatory for each managed system, as it enables basic SAP Solution Manager functions.

Note: If the SAP Solution Manager system is set up as a managed system, the default RFC destination is NONE. You have to replace the RFC destination NONE and create a standard RFC READ destination.

User and Password

The default name of the user is SM_<SIDofSolutionManagerSystem>.

The password for this user can either be customer-specific or generated by the system. If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

Authorization Roles

For these RFC users, the system assigns authorization roles. Which roles are assigned to the individual user is determined by the SAP_BASIS release of the managed system. The technical role names are visible in the configuration screen of the system.

The system assigns the following roles to the RFC user:

● role <namespace>SAP_SOLMAN_READ for all authorizations on SAP_BASIS releases below 7.0

Caution: To be able to generate this RFC connection during automatic configuration, you need at least ST-PI 2008_1_700 SP08. If you do not have this ST-PI level applied, see the same section in the security guide for SP08. We strongly recommend applying the latest ST-PI Support Package to SAP Solution Manager and the managed systems.

● role <namespace>SAP_SOLMAN_READ_70 for all authorizations on SAP_BASIS releases 7.0 and higher

● role <namespace>SAP_SOLMAN_BI_READ; PFCG template: SAP_SOLMAN_BI_READ (template for BW authorizations, only available if the managed system contains software component BI_CONT as of SP04)

Note: If you configure your managed system in transaction SOLMAN_SETUP for Service Delivery Enablement, a READ RFC connection to client 000 of your managed system is required. In addition, role SAP_SM_BATCH_SD is assigned to the READ user to schedule the collector job SAP_COLLECTOR_FOR_PERFMONITOR. As this job is a collective job, its authorizations cannot be determined definitively. Therefore, the job is run by user DDIC in client 000 of the managed system. This user has full SAP system permissions with profiles SAP_ALL and SAP_NEW.

TMW RFC Connection (technical name: SM_<SID>CLNT<Client>_TMW)

The TMW RFC connection consists of all authorizations of the READ RFC connection plus additional authorizations for Change Request Management (remote creation of transport requests with tasks for designated developers in the development systems) and batch job authorizations. The default name for this user is SMTM_<SID of Solution Manager system>, whereas the SID refers to the connected managed system. The password can either be customer-specific or generated by the system.

Note: If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

For this RFC, the system uses all three roles of the READ RFC connection plus one additional role for the TMW RFC connection. The roles are then assigned to the RFC user. The additional role:

● role <namespace>SAP_SOLMAN_TMW for all authorizations regarding Change Request Management and batch job authorization
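The READ and TMW role-assignment rules above, encoded as an added example that is not SAP code, so that the roles actually found on an RFC user can be diffed against what SOLMAN_SETUP is expected to assign. Assumptions: SAP_BASIS is passed as a three-digit release string, the guide's <namespace> is passed as a plain role prefix, and SAP_SM_BATCH_SD is assigned without that prefix.

```python
"""Expected roles for the READ and TMW RFC users of a managed system.

Added example, not SAP's code. It encodes the assignment rules from the
READ and TMW sections (SAP_SOLMAN_READ below SAP_BASIS 7.0,
SAP_SOLMAN_READ_70 from 7.0 on, SAP_SOLMAN_BI_READ only with BI_CONT
SP04 or later, SAP_SM_BATCH_SD for Service Delivery Enablement,
SAP_SOLMAN_TMW for the TMW user) and diffs them against the roles
actually assigned. Release string format and namespace handling are
assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class ManagedSystem:
    sid: str
    sap_basis: str                  # release string, e.g. "640", "700", "731"
    bi_cont_sp: Optional[int]       # BI_CONT support package, None if not installed
    service_delivery: bool = False  # configured for Service Delivery Enablement


def basis_release(release: str) -> Tuple[int, int]:
    """'640' -> (6, 40), '700' -> (7, 0), '731' -> (7, 31) (assumed format)."""
    if len(release) != 3 or not release.isdigit():
        raise ValueError(f"unexpected SAP_BASIS release {release!r}")
    return int(release[0]), int(release[1:])


def rfc_destination(solman_sid: str, solman_client: str, kind: str) -> str:
    """Technical name of the READ/TMW destination as given in the guide."""
    return f"SM_{solman_sid}CLNT{solman_client}_{kind}"


def expected_roles(system: ManagedSystem, kind: str, namespace: str = "Z") -> Set[str]:
    """Roles SOLMAN_SETUP is expected to assign to the READ or TMW user."""
    if kind not in ("READ", "TMW"):
        raise ValueError(f"unknown RFC kind {kind!r}")
    roles: Set[str] = set()
    # READ authorizations depend on the SAP_BASIS release of the managed system.
    if basis_release(system.sap_basis) >= (7, 0):
        roles.add(namespace + "SAP_SOLMAN_READ_70")
    else:
        roles.add(namespace + "SAP_SOLMAN_READ")
    # BW read template only when BI_CONT SP04 or later is installed.
    if system.bi_cont_sp is not None and system.bi_cont_sp >= 4:
        roles.add(namespace + "SAP_SOLMAN_BI_READ")
    # Service Delivery Enablement adds the batch role for the collector job
    # (assumed to be assigned without the customer namespace prefix).
    if system.service_delivery:
        roles.add("SAP_SM_BATCH_SD")
    # TMW carries everything READ has plus Change Request Management / batch.
    if kind == "TMW":
        roles.add(namespace + "SAP_SOLMAN_TMW")
    return roles


def role_drift(actual: Set[str], expected: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (unexpected roles on the user, expected roles that are missing)."""
    return actual - expected, expected - actual


if __name__ == "__main__":
    erp = ManagedSystem("ERP", "731", bi_cont_sp=5)      # constructed system
    want = expected_roles(erp, "READ")
    have = {"ZSAP_SOLMAN_READ_70", "SAP_ALL"}            # constructed, drifted
    print(rfc_destination("SMP", "001", "READ"), role_drift(have, want))
```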

13.11.6 SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT]

The SAP Support user is a dialog user automatically created during the managed system setup. By default, the system proposes the user-ID SAPSUPPORT, which is the SAP recommended user name.

SAPSUPPORT User (Help Text ID: USER_SAPSUPPORT_MS)

Table 62

Role | Text ID
SAP_RCA_SAT_DISP | AUTH_SAP_RCA_SAT_DISP
XI roles | UME roles: AUTH_XI_ROLE_SAPSUPPORT, see also SAP Note 1042450
J2EE roles | UME roles: AUTH_J2EE_ROLES_SAPSUPPORT
SLD roles | UME roles: AUTH_SLD_ROLES_SAPSUPPORT

Note: Only those UME roles are assigned to the user that are relevant for the corresponding Java system version.

13.11.7 Dialog User SAPSERVICE

The user is used for Service Delivery by SAP. It is present in all relevant systems in your system landscape. You can create this user during Basic Settings Configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:

● SAP Solution Manager

● Managed Systems

● BW System

In general, this user retains all authorizations of SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and the managed systems.


Trusted RFC Authorizations

The authorization for trusted RFCs should be assigned if trusted RFCs are created between SAP Solution Manager and managed systems and, if BW is remote, in the BW system and SAP Solution Manager. The corresponding role in Solution Manager and managed systems is SAP_SM_S_RFCACL. In the BW system the role is called SAP_SM_BW_S_RFCACL.

Specific Role Namespace

Because this is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if it is remote) are copied automatically into their own namespace ZSD*.

In the SAP Solution Manager

For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the according entry in step 2.4 Create Users in the view Basic Settings. If you are not sure about the roles assigned by the system, check out the documentation link behind the according role. The single roles are also shipped with composite role SAP_SERVICE_EXE_ALL_COMP.

In the Managed System

In the managed systems the user is not created automatically, because the required authorizations depend on the business context. Check SAP Note 1405975 for appropriate roles.

In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSERVICE)

Table 63

Assigned Roles | Help Text-ID
SAP_BI_E2E | AUTH_SAP_BI_E2E

ITPPM Project Integration

The following roles are required for the ITPPM Project integration:

● SAP_SM_DASHBOARDS_DISP_VBD

● SAP_BPR_PPM

● SAP_CPR_PROJECT_ADMINISTRATOR

● SAP_CPR_USER

● SAP_XRPM_ADMINISTRATOR

13.11.8 Technical User SM_COLL_<SIDofSolMan>

This user is created for data collection in the managed system.


Table 64

Note: The documentation texts (see column Text ID) include information on which roles are assigned according to the SAP Basis release of the system. Therefore, the system assigns only those roles that are available for the respective SAP Basis release.

Role | Text ID
XI roles | AUTH_XI_ROLES_SM_COLL
  Note: If you do not use XI roles, you do not need to assign the corresponding roles to this user.
J2EE roles | AUTH_J2EE_ROLES_SM_COLL
  Note: The Java role SAP_XI_API_DISPLAY_J2EE is only available if the software component SAP_XI_TOOLS is installed.
SAP_BPM_SolutionManager | This role is required for the BPM Workflow Monitoring extractor (see the scenario-specific guide for Technical Monitoring: BPM), which extracts BPM process and task instance statistics from the managed system (UME action bpm.solutionmanager). It is only applicable for NW CE 7.31 and higher.
INTEGRATION_VISIBILITY_DATA_COLLECTOR_EVENT_CONSUMER, INTEGRATION_VISIBILITY_CONSUMER | These J2EE user roles are required for the function Integration Visibility; see the scenario-specific guide for Technical Monitoring: Process Integration.

Caution: The CCDB CTC Extractor and CCDB DB Extractor need SAP_J2EE_ADMIN rights to run. The role SAP_J2EE_ADMIN grants administration rights for the complete Java stack, including UME (user administration).

13.11.9 J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN]

This user exists on any SAP dual-stack system. However, SAP recommends providing the SMD_AGT_ADM user credentials during RCA setup. This user account can be useful for administration tasks such as manual user creation or UME role / J2EE security role assignment. It can also be used for SLD configuration and validation procedures. The role assigned is SAP_J2EE_ADMIN.

13.11.10 Administrator OS User [MANAGED.OS.ADMIN]

The user is an OS user with administrator permissions. It is mandatory for performing the Root Cause Analysis Agent installation and for tasks such as:

● Creating the OS user dedicated to Diagnostics

● Restarting Java processes

On UNIX the user belongs to group root, and on Windows the user belongs to group administrator.

13.11.11 Technical Users for CTC Configuration and Runtime Activation

The users underneath are created automatically for CTC configuration and activation.

User for CTC Configuration and Activation

Table 65

User | User Type | Remarks
SM2CTC<Solution Manager ID><client> (automatically created) | System User | Technical user for CTC templates, automatically created when the CTC runtime is activated. The user is responsible for communication from Solution Manager to CTC if the CTC runtime of the Solution Manager J2EE stack is called for the initial automatic basic configuration of Solution Manager. Automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN

13.12 Users and Authorizations for BW Configuration

The following sections give you an overview of all users and authorizations for BW, depending on whether the scenario is configured as standard (local) or remote. Some of the users described here are also mentioned in the sections on users and authorizations for the SAP Solution Manager system and for the managed systems.

For information about the BW / Extractor Framework concept, see the section on BW Integration in the Core Guide.


13.12.1 BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN]

You create a BW administration user during basic settings setup when you use a remote BW system/client. The default name for this user is SM_BW_ADMIN.

Note: If BW runs in the standard scenario, these roles are assigned to user SOLMAN_ADMIN instead.

Table 66: Roles Assigned to User SM_BW_ADMIN (for Basic Configuration)

  Assigned Role          Help Text ID
  SAP_SM_BI_ADMIN        AUTH_SAP_SM_BI_ADMIN
  SAP_PI_CCMS_SETUP      AUTH_SAP_PI_CCMS_SETUP
  SAP_SM_BI_EXTRACTOR    AUTH_SAP_SM_BI_EXTRACTOR
  SAP_SM_USER_ADMIN      AUTH_SAP_SM_USER_ADMIN

13.12.2 Technical User SM_BW_ACT

Because the activation of BW content (job CCMS_BI_SETUP) is split between Basic Settings and the various scenario-related configurations, an additional user is needed: SM_BW_ACT (type: system user). The user is assigned the single role SAP_BI_E2E.

Table 67: Role Assignment to User SM_BW_ACT

  Assigned Role    Help Text ID
  SAP_BI_E2E       AUTH_SAP_BI_E2E

13.12.3 Technical User SM_EFWK

The SM_EFWK user is created by user SOLMAN_ADMIN in the Solution Manager system during BW setup. It runs the step report E2E_EFWK_RESOURCE_MGR in the job EFWK RESOURCE MANAGER (Extractor Resource Manager); the job itself is scheduled by the batch user SOLMAN_BTC. Which roles the user is assigned depends on two major factors:

● In which system does BW run?

Depending on whether BW runs in the same client as the productive Solution Manager (local) or in a remote BW scenario, the user receives a dedicated set of roles. If BW runs locally, SM_EFWK not only runs the program for the extractors but also loads the data into BW.


● For which scenarios is BW reporting required?

Depending on the scenario, dedicated BW roles need to be assigned to the user for executing program E2E_EFWK_RESOURCE_MGR and for loading data into BW.

The following sections describe which roles are assigned to the user for which task and scenario.

Executing program E2E_EFWK_RESOURCE_MGR

Table 68: Automatic Role Assignment to User SM_EFWK for Running Program E2E_EFWK_RESOURCE_MGR

  Assigned Role               Help Text ID                     Scenario Relevance
  SAP_SM_BI_EXTRACTOR         AUTH_SAP_SM_BI_EXTRACTOR         All scenarios
  SAP_SOLMANDIAG_E2E          AUTH_SAP_SOLMANDIAG_E2E          Root Cause Analysis
  SAP_SM_TWB_EXTRACTOR        AUTH_SAP_SM_TWB_EXTRACTOR        Test Management
  SAP_SM_ICI_EXTRACTOR        AUTH_SAP_SM_ICI_EXTRACTOR        Ici Dashboards
  SAP_SM_INC_EXTRACTOR        AUTH_SAP_SM_INC_EXTRACTOR        Incident Management
  SAP_SM_CHARM_EXTRACTOR      AUTH_SAP_SM_CHARM_EXTRACTOR      Change Request Management
  SAP_SM_BI_ESR_EXTRACTOR     AUTH_SAP_SM_BI_ESR_EXTRACTOR     Enterprise Reporting
  SAP_SM_CCDB_EXTRACTOR       AUTH_SAP_SM_CCDB_EXTRACTOR       CCDB
  SAP_SM_DVM_EXTRACTOR        AUTH_SAP_SM_DVM_EXTRACTOR        Data Volume Management
  SAP_SM_CV_EXTRACTOR         AUTH_SAP_SM_CV_EXTRACTOR         Configuration Validation
  SAP_SM_MAI_EXTRACTOR        AUTH_SAP_SM_MAI_EXTRACTOR        MAI Framework
  SAP_SM_BATCH_RELE           AUTH_SAP_SM_BATCH_RELE           Batch job release authorization, required for the BPO data collectors to run
  SAP_SMPI_AUTH_EXTRACTOR     AUTH_SAP_SMPI_AUTH_EXTRACTOR     Contains the authorizations (/SDF/*) delivered with software component ST-PI that are required in the Solution Manager system for extractor usage

Note: See also SAP Note 1899598.

Loading data in case of local BW

Note: If BW runs remote, loading of data is executed by the technical user SMD_BI_RFC in the BW system.


13.12.4 Technical User SMD_BI_RFC [SOLMAN.BI.RFC]

The SMD_BI_RFC user is only created by user SM_BW_ADMIN if you use a remote BW system/client.

Table 69: Role Assignment to User SMD_BI_RFC

  Assigned Role    Help Text ID
  SAP_BI_E2E       AUTH_SAP_BI_E2E

13.12.5 Technical User SM_BW_<SID>

The SM_BW_<SID> user is created by user SM_BW_ADMIN if you use a remote BW system/client. The user is assigned to the RFC destination SM_BW_<SID>CLNT<Client>_READ.

Table 70: Role Assignment to User SM_BW_<SID>

  Assigned Role               Help Text ID
  SAP_SM_BI_ESR_EXTRACTOR     AUTH_SAP_SM_BI_ESR_EXTRACTOR
  SAP_SM_BI_MAI_EXTRACTOR     AUTH_SAP_SM_BI_MAI_EXTRACTOR
  SAP                         AUTH_SAP_

Usage

Allow Extractor Data to be Read

The roles contain the extractor authorizations for the scenarios Enterprise Reporting (ESR) and Technical Monitoring (MAI). For more information, see the scenario-specific guides for ESR and Technical Monitoring.

Check User Status in BW System

The authorization allows the system to check the status of all users that transaction SOLMAN_SETUP created in the BW system. Without it, SOLMAN_SETUP cannot display the status of the BW users. The status check is triggered with the Refresh link.

Note: During the first installation and configuration of SAP Solution Manager, the system can display the user status only once the complete configuration is finished, because the users are created before the RFC destinations. As soon as both the RFC destination and the users exist, the system checks the user status automatically.
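The following script is an added example, not part of the guide or of SAP's delivery: it turns the user types and role sets stated for SM_BW_ACT, SM_EFWK and SMD_BI_RFC above into a check against an exported user/role list, so that an excess role (a least-privilege violation) or a technical user created with the wrong type is found before go-live. Assumptions: the export format USER;USTYP;ROLE and the sample lines are constructed; USTYP B (system) and A (dialog) are the USR02 user type codes; the expectation that these technical users are system users follows from the section titles; the label "BPO Data Collectors" is the example's own name for the SAP_SM_BATCH_RELE case; the roles SM_EFWK additionally needs for loading data into a local BW are not listed in this section and are not modelled, so with a local BW, excess-role findings for SM_EFWK need manual review. SM_BW_<SID> is left out because its role table is incomplete above.

```python
"""Audit BW technical users of SAP Solution Manager against the guide's role tables.

Added example. Export format 'USER;USTYP;ROLE' and all sample data are
constructed; USTYP 'B' = system user, 'A' = dialog user (USR02 codes).
"""

# Scenario -> role assigned to SM_EFWK for running E2E_EFWK_RESOURCE_MGR (Table 68).
SM_EFWK_SCENARIO_ROLES = {
    "Root Cause Analysis": "SAP_SOLMANDIAG_E2E",
    "Test Management": "SAP_SM_TWB_EXTRACTOR",
    "Ici Dashboards": "SAP_SM_ICI_EXTRACTOR",
    "Incident Management": "SAP_SM_INC_EXTRACTOR",
    "Change Request Management": "SAP_SM_CHARM_EXTRACTOR",
    "Enterprise Reporting": "SAP_SM_BI_ESR_EXTRACTOR",
    "CCDB": "SAP_SM_CCDB_EXTRACTOR",
    "Data Volume Management": "SAP_SM_DVM_EXTRACTOR",
    "Configuration Validation": "SAP_SM_CV_EXTRACTOR",
    "MAI Framework": "SAP_SM_MAI_EXTRACTOR",
    "BPO Data Collectors": "SAP_SM_BATCH_RELE",  # label chosen by this example
}
# Roles SM_EFWK receives for all scenarios (Table 68).
SM_EFWK_BASE_ROLES = {"SAP_SM_BI_EXTRACTOR", "SAP_SMPI_AUTH_EXTRACTOR"}


def expected_sm_efwk_roles(scenarios):
    """Role set for SM_EFWK given the scenarios for which BW reporting is used."""
    roles = set(SM_EFWK_BASE_ROLES)
    for scenario in scenarios:
        if scenario not in SM_EFWK_SCENARIO_ROLES:
            raise ValueError(f"unknown scenario: {scenario}")
        roles.add(SM_EFWK_SCENARIO_ROLES[scenario])
    return roles


def expected_users(scenarios, bw_remote):
    """user -> (expected USTYP, expected roles); SMD_BI_RFC exists only with remote BW."""
    users = {
        "SM_EFWK": ("B", expected_sm_efwk_roles(scenarios)),
        "SM_BW_ACT": ("B", {"SAP_BI_E2E"}),
    }
    if bw_remote:
        users["SMD_BI_RFC"] = ("B", {"SAP_BI_E2E"})
    return users


def parse_export(text):
    """Parse 'USER;USTYP;ROLE' lines into {user: (ustyp, set_of_roles)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, ustyp, role = (field.strip() for field in line.split(";"))
        users.setdefault(user, (ustyp, set()))[1].add(role)
    return users


def audit(export_text, scenarios, bw_remote):
    """Return findings: missing user, wrong user type, missing roles, excess roles."""
    actual = parse_export(export_text)
    findings = []
    for user, (etype, eroles) in expected_users(scenarios, bw_remote).items():
        if user not in actual:
            findings.append(f"{user}: user not found in export")
            continue
        atype, aroles = actual[user]
        if atype != etype:
            findings.append(f"{user}: user type {atype}, expected {etype}")
        for role in sorted(eroles - aroles):
            findings.append(f"{user}: missing role {role}")
        for role in sorted(aroles - eroles):  # more than the guide specifies
            findings.append(f"{user}: excess role {role}")
    return findings


# Constructed sample: SM_EFWK carries a role for a scenario not in use,
# SM_BW_ACT was created as a dialog user, SMD_BI_RFC was given SAP_ALL.
SAMPLE_EXPORT = """\
# USER;USTYP;ROLE
SM_EFWK;B;SAP_SM_BI_EXTRACTOR
SM_EFWK;B;SAP_SMPI_AUTH_EXTRACTOR
SM_EFWK;B;SAP_SOLMANDIAG_E2E
SM_EFWK;B;SAP_SM_CHARM_EXTRACTOR
SM_EFWK;B;SAP_SM_TWB_EXTRACTOR
SM_BW_ACT;A;SAP_BI_E2E
SMD_BI_RFC;B;SAP_BI_E2E
SMD_BI_RFC;B;SAP_ALL
"""
SAMPLE_SCENARIOS = ["Root Cause Analysis", "Change Request Management"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, SAMPLE_SCENARIOS, bw_remote=True):
        print(finding)
```

Run it with the scenarios you actually configured in SOLMAN_SETUP and an export pulled from the Solution Manager client; every "excess role" line is a role that this section does not call for and that you should be able to justify.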


13.12.6 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT]

The SAPSUPPORT user is a read-only user for Root Cause Analysis, of type Dialog. User SOLMAN_ADMIN creates it automatically in the SAP Solution Manager system, in the managed systems, and in the BW client/system. It is the main user for logging on to Diagnostics.

Table 71: In the SAP Solution Manager System, Standard BW Scenario (Help Text ID: USER_SAPSUPPORT)

  Assigned Role          Help Text ID              Remarks
  SAP_BI_E2E             AUTH_SAP_BI_E2E           Note: see also role SAP_BI_E2E_DISP.
  SAP_RCA_DISP           AUTH_SAP_RCA_DISP         Note: This role allows only read access to all tools. If your SAPSUPPORT user is to be able to change settings, you need to adapt the role; see the How-to section.
  SAP_DBA_DISP           AUTH_SAP_DBA_DISP
  SAP_CV_DIS             AUTH_SAP_CV_DIS
  SAP_EM_DISPLAY         AUTH_SAP_EM_DISPLAY       Note: Role SAP_EM_COCKPIT allows use of the cockpit with the authorization to display the total number of records, including payload.
  SAP_SMWORK_BASIC       AUTH_SAP_SMWORK_BASIC
  SAP_SMWORK_CONFIG      AUTH_SAP_SMWORK_CONFIG
  SAP_SMWORK_DIAG        AUTH_SAP_SMWORK_DIAG
  SAP_SMWORK_SM_ADMIN    AUTH_SAP_SMWORK_ADMIN

Note: In the display role for RCA, authorization object D_SM_S_DIA is delivered with activities 02 (change) and 03 (display). This is due to the nature of the self-diagnosis function and its configuration options. It has no impact on data changes, only on data display.


Table 72: In the BW Client/System, Remote Scenario (Help Text ID: USER_SAPSUPPORT_MS)

  Assigned Role    Help Text ID
  SAP_BI_E2E       AUTH_SAP_BI_E2E

13.12.7 Dialog User SAPSERVICE

This user is used for service delivery by SAP. It is present in all relevant systems in your system landscape. You can create it during the Basic Settings configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:

● SAP Solution Manager

● Managed Systems

● BW System

In general, this user retains all authorizations of the SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and in the managed systems.

Trusted RFC Authorizations

The authorization for trusted RFC should be assigned if trusted RFC destinations are created between SAP Solution Manager and the managed systems, and, if BW is remote, between the BW system and SAP Solution Manager. The corresponding role in Solution Manager and in the managed systems is SAP_SM_S_RFCACL; in the BW system it is SAP_SM_BW_S_RFCACL.

Specific Role Namespace

Because this is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if remote) are copied automatically into their own namespace ZSD*.

In the SAP Solution Manager

For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the corresponding entry in step 2.4 Create Users of the Basic Settings view. If you are not sure which roles the system assigns, follow the documentation link behind the role. The single roles are also shipped in the composite role SAP_SERVICE_EXE_ALL_COMP.

In the Managed System

In the managed systems the user is not created automatically, because the required authorizations depend on the business context. See SAP Note 1405975 for appropriate roles.

Table 73: In the BW Client/System, Remote Scenario (Help Text ID: USER_SAPSERVICE)

  Assigned Role    Help Text ID
  SAP_BI_E2E       AUTH_SAP_BI_E2E


ITPPM Project Integration

The following roles are required for the ITPPM project integration:

● SAP_SM_DASHBOARDS_DISP_VBD

● SAP_BPR_PPM

● SAP_CPR_PROJECT_ADMINISTRATOR

● SAP_CPR_USER

● SAP_XRPM_ADMINISTRATOR

13.12.8 Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK]

The BI_CALLBACK user is created manually. It is relevant for the reorganization of BW data in SAP Solution Manager and for Configuration Validation.

Table 74: Role Assignment to User BI_CALLBACK

  Assigned Role      Help Text ID           Remarks
  SAP_BI_CALLBACK    AUTH_SAP_BI_CALLBACK   ABAP authorization role

13.12.9 Diagnostics Center

The Diagnostics Center is a tool that checks your BI reporting configuration by executing checks.

1. A dialog user starts the Diagnostics Center from the Solution Manager Administration work center under Infrastructure → BW Reporting.

2. The checks in the managed systems run with the system user SM_<Client>_READ.

3. The checks in the Solution Manager system run with the logged-on dialog user.

4. The checks for BI run via RFC destination NONE (dialog user); in a remote scenario, via RFC destination BI_CLNT<client> (user SMD_BI_RFC).

13.13 Users and Authorizations for SLD and LMDB

SLD and LMDB configuration is done automatically by the system in one step during SOLMAN_SETUP. All necessary users are created in this step; they are explained in more detail in the following sections.

The Landscape Management Database (LMDB) serves as the central directory for system landscape data in SAP Solution Manager. It is used by Root Cause Analysis and by the scenarios of the Technical Monitoring work center. LMDB integrates with the System Landscape Directory (SLD) in productive or non-productive landscapes, with transaction SMSY, and with the Landscape Verification Tool to gather landscape data and provide it to client applications in SAP Solution Manager. For more information on its configuration, see the LMDB Setup Guide: service.sap.com/instguides → SAP Components → SAP Solution Manager 7.1 → Additional Guides.


Technical System Landscape SLD, LMDB, and transaction SMSY

In SAP Solution Manager release 7.1, the System Landscape Directory (SLD) is the primary data provider for LMDB. Technically, LMDB is the ABAP counterpart of the Java-based SLD. SLD and LMDB cooperate via a connection that synchronizes their contents, using the same principle as the synchronization between two SLD systems. The data in transaction SMSY serves several applications of SAP Solution Manager (for example Change Request Management or Application Incident Management). LMDB and SMSY contain redundant data, such as technical system information; this data is synchronized from LMDB to SMSY. The maintenance options for data in SMSY are limited in SAP Solution Manager release 7.1. Therefore, the authorizations/roles for LMDB also contain authorizations for SMSY.

The managed systems send their system information directly via data suppliers to the SLD which is later synchronized with the LMDB. In the LMDB the systems are recognized as technical systems.

Diagnostics Agents are usually installed on each application and database server (of managed systems or SAP Solution Manager) in a system landscape and are additional data providers (of system information) for LMDB. The Diagnostics Agents are connected directly to SAP Solution Manager and constantly send technical system information to LMDB. This process is called Outside Discovery and can be configured using transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center.

Figure 52: Technical System Landscape

Note: Communication channels are covered in the section Communication Channels and Destinations in this guide.


13.13.1 Technical User SLD_CS_USER

For collecting system landscape information from the SLD, a user with read permission (for instance SLD_CS_USER) is required on the Java stack of the remote or local SLD. If the SLD system is a dual-stack system, the user is defined as a system user in transaction SU01 of the ABAP stack.

When connecting the SLD to SAP Solution Manager the user credentials are required in transaction SOLMAN_SETUP.

User Creation

The user must exist on the SLD system.

In case of local SLD

If the local SLD on SAP Solution Manager is activated, the user is created automatically.

In case of remote SLD

If you connect a remote SLD (central or productive) to SAP Solution Manager, you need to create the user manually on the SLD system.

User Authorizations

The user requires following authorizations:

● UME role: SAP_SLD_CONTENT_SYNC (SAP NetWeaver 7.1 or higher)

● UME role: SAP_SLD_GUEST (SAP NetWeaver 7.0; update the support package stack to at least SPS 12)

13.13.2 Technical User SLDAPIUSER

The SLDAPIUSER user is created during installation of the Solution Manager system. If a central SLD is used, the user exists in the central SLD. The system needs the user's credentials to configure the SLD Data Supplier and the CIM client.

When connecting the SLD to SAP Solution Manager the user credentials are required in transaction SOLMAN_SETUP.

User Creation

The user must exist on the SLD system.

In case of local SLD

If the local SLD on SAP Solution Manager is activated, the user is created automatically.

In case of remote SLD

If you connect a remote SLD (central or productive) to SAP Solution Manager, you need to create the user manually on the SLD system.


User Authorizations

The user requires following authorizations:

● UME role: SAP_SLD_CONTENT_SYNC (SAP NetWeaver 7.1 or higher)

● UME role: SAP_SLD_GUEST (SAP NetWeaver 7.0; update the support package stack to at least SPS 12)

13.13.3 Technical User SLDDSUSER

The user SLDDSUSER in SAP Solution Manager is required by the SLD data suppliers to write technical system information into the SLD. The user exists in the Java stack of the SLD system and is created automatically during SLD activation. If the SLD system is a dual-stack system, it is defined as a system user in transaction SU01.

User Authorizations

The user requires the UME role SAP_SLD_DATA_SUPPLIER, which allows it to create, modify, and delete CIM instances of the landscape description subset as a data supplier, without access to the SLD user interface.

Note: You need to create the role SAP_SLD_DATA_SUPPLIER manually before you can assign it to the user. For more information, see the SLD Configuration Guide.

13.13.4 Technical User for CTC Usage

Table 75: User for CTC Configuration

  User (Password): SM2CTC and CTC2SM
  Type: System user
  Remarks: Technical users for CTC templates; created automatically when the CTC runtime is activated; responsible for communication from Solution Manager to CTC if the CTC runtime is called; automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN.

13.14 S-Users

The S-user is a customer user stored within SAP. The SAP customer uses it in the following scenarios:

● Exchange problem messages with SAP

● Synchronize system data with Support Portal and send data about satellite systems

● Service connection

● Retrieve information about which messages have been changed at SAP


● Send an up-to-date version of the component ST-SER for the delivery of services by SAP Active Global Support

● Retrieve user documentation from the SAP Service Marketplace, used by the Help Center within Diagnostics

13.14.1 S-User for SAP Backend

The S-user is needed to access SAP-internal systems via RFC destinations such as SAP-OSS and SAP-OSS-LIST-O01. The S-user entered in these RFC destinations requires a password and has to be assigned to your customer number. For security reasons it should have no authorizations beyond what this RFC communication needs, because the credentials stored in the destination could be misused for a direct logon.

13.14.2 S-User for Communication

The S-user for communication is used in various scenarios. According to these scenarios, the user needs certain authorizations. These authorizations are listed in the different scenario-specific guides.

Note: If a user has sufficient authorization and is correctly assigned to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in the SAP Support Portal, because this data is replicated from there to the Solution Manager system. Displaying this data is not logged.

13.15 Landscape Modelling and Infrastructure Roles

13.15.1 User Roles for System Landscape Infrastructure

SAP Solution Manager relies heavily on systems, hosts, and databases: it manages and monitors them. These entities are therefore the basis for all scenarios in SAP Solution Manager.

Roles

The roles for systems are:

● SAP_SYSTEM_REPOSITORY_ALL (contains full authorization for LMDB and transaction SMSY)

● SAP_SYSTEM_REPOSITORY_DIS (contains display authorization for LMDB and transaction SMSY)

● SAP_SMSY_ALL (contains full authorization for transaction SMSY)

● SAP_SMSY_DIS (contains display authorization for transaction SMSY)

Authorization Objects AI_LMDB_*

The Landscape Management Database (LMDB) uses the following authorization objects:

● AI_LMDB_OB for LMDB objects

● AI_LMDB_AD for administration tasks in LMDB

● AI_LMDB_PS for Product System restriction

● AI_LMDB_RE for remote access

Note: In general, the object is designed like every SAP authorization object, using the explicit authorization concept. Only in transaction LMDB does the concept differ: if you restrict on a certain level, the system restricts the next level underneath as well. That level is then displayed by default, but cannot be changed. For instance, a restriction on a Technical System also shows its hosts, and a restriction on a Product System also shows its Technical Systems.

The purpose of authorization object AI_LMDB_OB is to define authorizations dealing with objects like technical systems or hosts. The purpose of authorization object AI_LMDB_AD is to define authorizations dealing with administrative tasks in the context of LMDB. A detailed description of the authorization objects can be found directly in the system. It can be accessed using the F1 help of the corresponding authorization object.
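The following model is an added example, not part of the guide and not SAP's implementation of AI_LMDB_OB: it makes the implicit visibility described in the note above concrete, so that a role designer can see what a single restriction on a Technical System actually exposes. Assumptions: the three-level hierarchy Product System, Technical System, Host; the constructed sample landscape; grants represented as (entity type, name, activity) tuples; and the rule that a change grant (02) also allows display (03) of the same entity. The delivered object has further fields that are not modelled here.

```python
"""Model of the implicit, read-only visibility one LMDB level down.

Added example. Hierarchy, sample landscape, grant representation and the
"change implies display on the same entity" rule are this example's assumptions.
"""

DISPLAY, CHANGE = "03", "02"

# Constructed sample landscape: entity -> parent entity (one level up).
PARENT = {
    ("HOST", "host01"): ("TECHNICAL_SYSTEM", "ERP~ABAP"),
    ("HOST", "host02"): ("TECHNICAL_SYSTEM", "CRM~ABAP"),
    ("TECHNICAL_SYSTEM", "ERP~ABAP"): ("PRODUCT_SYSTEM", "ERP_PRD"),
    ("TECHNICAL_SYSTEM", "CRM~ABAP"): ("PRODUCT_SYSTEM", "CRM_PRD"),
}


def is_authorized(grants, entity_type, name, activity):
    """grants: set of (entity_type, name, activity) held by the user.

    1. An explicit grant on the entity allows the activity.
    2. Change (02) on an entity also allows display (03) of that entity (assumption).
    3. Any grant on the parent entity allows display of the child, never change
       (the behaviour the guide describes for transaction LMDB).
    """
    own = {act for (etype, ename, act) in grants if (etype, ename) == (entity_type, name)}
    if activity in own:
        return True
    if activity == DISPLAY and CHANGE in own:
        return True
    if activity == DISPLAY:
        parent = PARENT.get((entity_type, name))
        if parent is not None and any((etype, ename) == parent for (etype, ename, _act) in grants):
            return True
    return False


def visible_entities(grants):
    """Everything a user with these grants can display, implicit level included."""
    entities = set(PARENT) | set(PARENT.values())
    return sorted(e for e in entities if is_authorized(grants, e[0], e[1], DISPLAY))


# Constructed sample: a role restricted to technical system ERP~ABAP with change.
SAMPLE_GRANTS = {("TECHNICAL_SYSTEM", "ERP~ABAP", CHANGE)}

if __name__ == "__main__":
    print(visible_entities(SAMPLE_GRANTS))
    print(is_authorized(SAMPLE_GRANTS, "HOST", "host01", CHANGE))
```

The point for role design: the grant on ERP~ABAP makes host01 visible although no host appears in the authorization values, so host data that must stay hidden needs the restriction one level higher, not an absent host entry.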

Figure 53: LMDB Authorization Objects

How to Maintain LMDB Authorization Objects

When you maintain the authorization values for these objects, bear in mind that the value help for the fields is generated dynamically, depending on the values you have already chosen.


Figure 54: LMDB Objects Maintenance

In the picture above, we attempted to maintain the activity field. A screen appears automatically in which all fields for this object can be maintained.

Caution: Always maintain the Main Entity Types first. Depending on your choice, you then get a selection of dependent Entity Subtypes.

Authorization Objects S_SMSYSYST and S_SMSYEDIT

Figure 55: SMSY Authorization Objects

In authorization object S_SMSYEDIT, you restrict on possible entities to be edited. In authorization object S_SMSYSYST, you restrict on specific product systems.


13.15.2 User Roles for Solutions, Projects, Solution Directory

Solutions

Solutions form the basic infrastructure for many scenarios. A solution groups a number of systems (logical components) according to the business processes they refer to. For detailed information, see the Glossary.

Roles

The roles for solutions are:

● SAP_SM_SOLUTION_ALL (full authorization)

● SAP_SM_SOLUTION_DIS (display authorization)

Authorization Object D_SOL_VSBL

The main authorization object for solution restriction is D_SOL_VSBL. The obsolete authorization object D_SOLUTION is only used for solution reporting purposes. In addition, authorization object D_SOLM_ACT is needed.

Figure 56: D_SOL_VSBL

Authorization Objects for Solution Copy

If you want to copy a solution, you need the authorization objects D_SOL_VIEW and D_SVAS_SES. While D_SOL_VIEW only restricts session setup or operations, D_SVAS_SES restricts the complete session. Both objects are needed because sessions are copied along with the solution.

If you want to run the copy process in the background, the authorization objects S_BTCH_ADM and S_BTCH_JOB with value RELE are required.

Projects

Projects form the basis for the scenarios that deal with a solution before it goes live. Like a solution, a project contains a number of systems (logical components) grouped according to the business processes they refer to.

Roles

The roles are:

● SAP_SOL_PROJ_ADMIN_ALL (full authorization)

● SAP_SOL_PROJ_ADMIN_DIS (display authorization)


Figure 57: Role SAP_SOL_PROJ_ADMIN_ALL

The three important authorization objects are explained in more detail below. They restrict separate entities, but need to be considered in connection with each other. The individual sections give examples of possible combinations.

Authorization Object S_PROJ_GEN

The authorization object S_PROJ_GEN protects general project functions for individual scenarios, such as system landscape, Change Request Management or Quality Gate Management.

● Problem: Restrict System Landscape

The system administrator creates the system landscape for your project; the project manager maintains all other project data in project administration. The system administrator should not have access to any project data other than the system landscape information.

Solution: In role SAP_SOL_PROJ_ADMIN_*, give the user value 03 (display) for authorization object S_PROJECT and value SYST (access to system landscape maintenance in a project) for authorization object S_PROJ_GEN.

Authorization Object S_PROJECT

Authorization object S_PROJECT allows the maintenance of projects within the functions of Business Blueprint and Configuration. This authorization can be combined with authorization AI_SA_TAB for tab restriction.

Authorization Object S_PROJECTS

Authorization object S_PROJECTS provides a superordinate authorization for projects in connection with other scenarios and the project type used, such as maintenance projects in Quality Gate Management. You therefore also find this authorization object, with dedicated values, in the user roles for Quality Gate Management. The delivered defaults are specified there.

Solution Directory

Roles

The roles are:


● SAP_SOLMAN_DIRECTORY_ADMIN (full authorization)

● SAP_SOLMAN_DIRECTORY_EDIT (edit authorization for business processes, but not solution settings)

● SAP_SOLMAN_DIRECTORY_DISP (display authorization)

Authorization Object AI_SOL_DIR

Figure 58: Authorization Object AI_SOL_DIR in Role SAP_SOLMAN_DIRECTORY_ADMIN

This authorization object controls whether you can change or display the elements of a solution, for instance business processes. Whether a solution as a whole can be displayed or changed is controlled by authorization object D_SOL_VSBL (contained in roles SAP_SM_SOLUTION_*); the two objects therefore complement each other. Without solution authorization you cannot edit the solution in the Solution Directory. ACTVT 36 of authorization object AI_SOL_DIR controls the Solution Settings tab: if this activity is granted, the user can change solution settings on this tab. It is only available in the administration role.

13.15.3 User Roles for System Landscape Verification

The user roles are necessary to verify system landscape data, to read and to write in tables relevant for transaction SMSY.

Table 76: User Roles for System Landscape Verification

  Role               Remarks
  SAP_SMSY_LV_ALL    Full authorization
  SAP_SMSY_LV_DIS    Display authorization

13.16 User Role for TREX Administration

TREX can be administered using the TREX Admin Tool.

Table 77: User Role for TREX Administration

  Name                 Type    Remarks
  SAP_BC_TREX_ADMIN    ABAP    For TREX configuration using the TREX Admin tool

More Information

See IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_TREX_INFO).

13.17 Configuration User Roles for SAP Solution Manager

There are:

● specific roles for the automated basic settings configuration (transaction SOLMAN_SETUP)

● dedicated authorization roles for scenario-specific configuration done in transaction SOLMAN_SETUP

● no dedicated authorization roles for scenario-specific configuration done in transaction SPRO

This section tells you how to create your own roles for the configuration of scenarios.

Note: Configuration of scenario-specific functions can involve configuration of cross-scenario settings. For these functions, additional configuration roles may be needed (if you do not use the profiles SAP_ALL and SAP_NEW). They are specified in the IMG activity for cross-scenario functions.

To be able to create authorization roles for scenario-specific configuration, you must first have created an IMG project in transaction SPRO_ADMIN. For more information, see the configuration guide for SAP Solution Manager.

Procedure

Note: This procedure is based on the example Customizing project in the How-to document How to Create Customizing Projects and Project IMGs.

1. Create an IMG Project (See section More Information)

Before you can create a role for scenario-specific configuration, you need to create an IMG project. This project is the basis for role configuration as it contains all transactions you run later on.

2. Create a Role in Transaction PFCG

1. Choose transaction PFCG.

2. Enter a role name in your name space, for instance: ZROLE_IMG_MYPROJECT and choose button Single Role.

3. Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of ST SP15.


4. Save your role.

Note: You are asked for a transport request.

3. Define Configuration Transactions for Your IMG Project

In role creation, transactions form the basis to easily maintain all necessary authorization objects. When you enter a transaction in the menu tab in your role, the system traces all authorization objects required for this transaction.

1. To retrieve all transactions contained in the Customizing project, choose Utilities → Customizing auth. in the menu.

2. In the dialog box that appears, choose Add to attach your Customizing project or Customizing project view. In our case, we choose the Customizing view that was created.

3. In the subsequent dialog boxes, choose your Customizing project or project view, in our case myproject.

The system automatically assigns all relevant transactions and authorization objects for your Customizing project or project view.

4. Confirm your project assignment.

4. Maintain Authorization Objects

The authorization defaults delivered by SAP contain minimal authorizations. To grant full authorization for the corresponding authorization objects, you need to maintain these objects.

1. In the Role Maintenance, choose tab Authorizations.

2. Choose button Change.

3. Maintain all activity values per authorization object according to your needs, for instance if you want to grant full authorization, always choose all activities.

Caution: All authorization objects need to receive a green traffic light. Be aware that the authorization trace does not trace values for the critical authorization objects S_RFC and S_TABU_DIS; you have to maintain their values yourself.

4. Generate the profile.

5. To assign this profile to a user, choose tab User, add your user in the table and execute the user comparison.

6. Save.

Result

You have now created a role for your specific IMG configuration project.

CautionIf a project or a project view was assigned to a role, you cannot manually assign any transactions to this role and vice versa. You should therefore only use the role to generate and assign Customizing authorizations.
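The Caution above says the authorization trace leaves S_RFC and S_TABU_DIS without values, so these two objects need a manual review before the profile is generated. The following added example, which is not code from this guide or from SAP, shows such a check run over an export of the role's authorization data: it reads rows shaped like table AGR_1251 and reports, for S_RFC and S_TABU_DIS, every field that is still empty (the role would not show green) or set to the full value '*'. The semicolon-separated export format and the sample rows, including the role names Z_MYPROJECT_CUST and Z_DISPLAY_ONLY, are constructed for the example.

```python
"""Audit a generated PFCG role for the critical objects the guide names.

Added example; this is not code from the SAP guide. It reads the authorization
data of a role in the shape of table AGR_1251 (one row per role, object,
authorization instance, field and value) and flags S_RFC and S_TABU_DIS
wherever a field is unmaintained (no value, i.e. a non-green traffic light)
or carries the full value '*'. The rows below are constructed for this example;
the semicolon-separated export format is an assumption, not an SAP format.
"""
import csv
import io
from dataclasses import dataclass

# The authorization trace does not supply values for these objects (see the
# Caution above); only the named fields are reviewed here.
CRITICAL_FIELDS = {
    "S_RFC": ("ACTVT", "RFC_TYPE", "RFC_NAME"),   # RFC_NAME: callable function groups
    "S_TABU_DIS": ("ACTVT", "DICBERCLS"),         # DICBERCLS: table authorization groups
}

# Constructed sample export. T-004 is a deleted authorization and must be ignored.
SAMPLE_AGR_1251 = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_MYPROJECT_CUST;S_TCODE;T-001;TCD;SPRO;;
Z_MYPROJECT_CUST;S_TCODE;T-001;TCD;SM30;;
Z_MYPROJECT_CUST;S_TABU_DIS;T-002;ACTVT;02;;
Z_MYPROJECT_CUST;S_TABU_DIS;T-002;DICBERCLS;*;;
Z_MYPROJECT_CUST;S_RFC;T-003;ACTVT;16;;
Z_MYPROJECT_CUST;S_RFC;T-003;RFC_TYPE;FUGR;;
Z_MYPROJECT_CUST;S_RFC;T-003;RFC_NAME;;;
Z_MYPROJECT_CUST;S_RFC;T-004;RFC_NAME;*;;X
Z_DISPLAY_ONLY;S_TABU_DIS;T-005;ACTVT;03;;
Z_DISPLAY_ONLY;S_TABU_DIS;T-005;DICBERCLS;SS;;
"""


@dataclass(frozen=True)
class Finding:
    role: str
    obj: str
    auth: str
    field: str
    problem: str  # "unmaintained" or "full_value"


def load_rows(text):
    """Parse the export into dicts, dropping authorizations flagged as deleted."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader if row["DELETED"].strip() != "X"]


def audit_role(rows, role):
    """Return the findings for one role, ordered by object and authorization."""
    # Collect maintained values per (object, authorization instance, field).
    auths = {}
    for row in rows:
        if row["AGR_NAME"] != role or row["OBJECT"] not in CRITICAL_FIELDS:
            continue
        key = (row["OBJECT"], row["AUTH"])
        field_values = auths.setdefault(key, {})
        field_values.setdefault(row["FIELD"], []).append(row["LOW"].strip())

    findings = []
    for (obj, auth), field_values in sorted(auths.items()):
        for field in CRITICAL_FIELDS[obj]:
            values = [v for v in field_values.get(field, []) if v]
            if not values:
                findings.append(Finding(role, obj, auth, field, "unmaintained"))
            elif "*" in values:
                findings.append(Finding(role, obj, auth, field, "full_value"))
    return findings


def role_is_clean(rows, role):
    """True when no critical object in the role is unmaintained or fully open."""
    return not audit_role(rows, role)


if __name__ == "__main__":
    sample = load_rows(SAMPLE_AGR_1251)
    for finding in audit_role(sample, "Z_MYPROJECT_CUST"):
        print(f"{finding.role}: {finding.obj}/{finding.auth} {finding.field} {finding.problem}")
```

Run against the sample, the check reports the empty RFC_NAME of S_RFC (the role would not generate green) and the '*' in DICBERCLS of S_TABU_DIS, while the deleted authorization T-004 is ignored. Partial patterns such as 'Z*' are not flagged; extend the '*' test if your naming convention makes those equally broad.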


More Information

● For more information on configuration and on how to create an IMG project, see:

○ Document How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager > Media Library > Technical Papers.

○ Configuration Guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides > SAP Components > Solution Manager <current release>.

13.18 Business Partners Created During Configuration

When you configure SAP Solution Manager using the automatic basic settings configuration, additional business partners are created.

For SAP Engagement and Service Delivery

The business partners are created as follows:

Table 78

First Name   Last Name                      Remarks
SAP          Technical Quality Manager      Automatically assigned ID TQM or SAPTQM
SAP          Support Advisor                Automatically assigned ID SAPSUPAD
SAP          Engagement Architect           Automatically assigned ID SAPENAR
SAP          Back Office                    Automatically assigned ID SAPBACKO
SAP          Consulting                     Automatically assigned ID SAPCON
Customer     Program Management             Automatically assigned ID CUSTPM
Customer     Business Process Operations    Automatically assigned ID CUSTBPM
Customer     Custom Development             Automatically assigned ID CUSTCD
Customer     Technical Operations           Automatically assigned ID CUSTTO
Customer     Partner                        Automatically assigned ID CUSTPAR

Note: An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT as soon as this user is created during the automatic basic settings configuration (see section User SAPSUPPORT).

For SOLMAN_SETUP Template Users and Configuration Users

Users created using transaction SOLMAN_SETUP are assigned a corresponding business partner if the scenario requires it. The system displays the relevant business partner number in the log when you create the user.


More Information

For more information on how to configure the basic settings, see the Configuration Guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides > SAP Components > SAP Solution Manager <current release>.

13.19 Traces and Logs

This section provides an overview of the trace and log files that contain security-relevant information, so that you can reconstruct activities if a security breach occurs.

See Auditing and Logging on the Service Marketplace: at help.sap.com, choose Search Documentation and search for Auditing and Logging.

Service Connection

If a user has sufficient authorization and is correctly mapped to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in the SAP Support Portal, because this data is replicated from there to the Solution Manager system. Displaying this data is not logged, so restrict the AISUSER mapping and the corresponding authorizations to the users who need them.

System Landscape

● Update logs
● RFC logs
● Data save logs

Solution Manager Implementation

● All tabs can be traced. Each change on a tab is recorded.
● Changes to the assigned object are not logged (except for documents).
● You can specify which project and which tab are traced.
● Documentation is versioned when it is changed.

Customizing Distribution

● Each distribution is logged.
● Each distributed object is logged.

Solution Manager Operations

● Traces are available in the Solution Directory.
● All tabs can be traced. Each change on a tab can be recorded.
● Changes to the assigned object are not logged (except for documents).
● You can specify which solution is traced.
● Documentation is versioned when it is changed.


14 Scenario-Specific Guide: Solution Manager Administration

The business process life cycle spans all phases of a product's life cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system. To run the SAP Solution Manager system itself with optimal performance and to fulfil all required tasks, you can use the SAP Solution Manager Administration work center. Here, you find all tools necessary to administer SAP Solution Manager on a daily basis.

14.1 Document History

Here, all changes to this scenario-specific guide are listed by Support Package.

Table 79

Support Package Stack (Version) / Description

SP08 End-User Roles

● Added single role SAP_SM_CMDB_EXE for CMDB access to composite role SAP_SOLMAN_ADMIN_COMP.

SP10 End-User Roles

● Added new single roles SAP_SM_SMUA_* for SMUA access to composite roles SAP_SOLMAN_ADMIN_*_COMP. For more information on the new application for Solution Manager User Administration (SMUA), see section User Administration and Authentication Tools.
● Added LMDB dashboard role SAP_SM_DASHBOARDS_DISP_LMDB to composite roles SAP_SOLMAN_ADMIN*COMP.
● Adapted role SAP_SMWORK_BASIC_SMADMIN.
● Adapted role SAP_SMWORK_SM_ADMIN due to user interface changes.

SP12 End-User Roles

● Adapted role SAP_SM_SMUA_ALL.

New: Archive Log. For more information, see sub-section Archive Log in Users and Authorizations.

● New role SAP_SM_ARCHIVE_LOG_* added to SAP_SOLMAN_ADMIN_*_COMP.

New: Role Comparison Tool. For more information, see sub-section Role Comparison Tool in Users and Authorizations.

● New role SAP_SM_ROLECMP_* added to SAP_SOLMAN_ADMIN_*_COMP.

14.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. To run them, the Solution Manager system must perform well. This guide covers all aspects of users and authorizations for the SAP Solution Manager Administration work center. In principle, the work center is closely connected to the configuration of SAP Solution Manager.

Recommendation: Use this guide together with the Landscape Setup Guide, as most users, technical prerequisites, and so on are used for both.

14.3 Users and Authorizations

The SAP Solution Manager Administration work center is used to manage the SAP Solution Manager system. Therefore, it is primarily used by system administrators.

The composite roles described below contain all necessary single roles.

Work Center

The work center is a work space for a user that gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. You may still want to restrict the access and/or the authorizations of a particular user. Access in the navigation panel is restricted using authorization object SM_WD_COMP. For more information on user interface authorizations, see the core security guide.


Figure 59: SAP Solution Manager Administration Work Center

The table below gives you an overview of which single roles are included in the composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. As the Overview of a work center always contains links to all relevant sections in the navigation panel, it is not listed.

Administrator (technical role name: SAP_SOLMAN_ADMIN_COMP)

The administrator user is allowed to:

● Access the work center SAP Solution Manager Administration
● Run Root Cause Analysis for Self Diagnosis and Self Monitoring of the Solution Manager system
● Maintain solutions, projects, and systems (infrastructure) in the SAP Solution Manager system
● Access the CMDB
● Access SMUA
● Access the archive log (link Archive)
● Run the role comparison
● Call the LMDB dashboard

Table 80

Single role                    Remarks                                                             Navigation panel
SAP_RCA_AGT_ADM                Agent administration authorization                                  Self Diagnosis, Self Monitoring
SAP_RCA_DISP                   Root Cause Analysis authorization                                   Self Diagnosis, Self Monitoring
SAP_SERVICE_CONNECT            Service Connect authorizations                                      Related Link: Service Connection (see note)
SAP_NOTIF_ADMIN                Authorizations for notifications                                    (none)
SAP_SM_SOLUTION_ALL            Full authorization for solutions                                    Solutions
SAP_SMWORK_BASIC_SMADMIN       Full authorization for work center-related functions                Work Center
SAP_SMWORK_SM_ADMIN            Allows access to the change management work center                  (none)
SAP_SM_SYM_CONF                Configuration authorization for System, Database, Host Monitoring   Self Diagnosis, Self Monitoring
SAP_SOL_PROJ_ADMIN_ALL         Full authorization for projects                                     Projects
SAP_SYSTEM_REPOSITORY_ALL      Full authorization for LMDB (see note)                              Infrastructure
SAP_SM_CMDB_EXE                CMDB access                                                         (none)
SAP_SM_SMUA_ADMIN              Access to the SMUA application                                      User
SAP_SM_DASHBOARDS_DISP_LMDB    Access to the LMDB dashboard                                        Infrastructure
SAP_SM_ARCHIVE_LOG_ALL         Access to the archive log                                           Link Archive in view User
SAP_SM_ROLECMP_ALL             Access to the Role Comparison Tool                                  Link Adjust Roles

Note: The related links contain links to other work centers. If you want to allow access to these work centers, check the scenario-specific security guide for the relevant scenario.

Note: Authorizations for infrastructure (SAP_SYSTEM_REPOSITORY_ALL) are needed in all sections, as this role includes authorizations on systems.

Solution Manager User Administration (SMUA)

This tool allows you to manage all users that were created in transaction SOLMAN_SETUP at once. For more information, see the online documentation.

The roles SAP_SM_SMUA_* are used to access the SMUA tool in view Users. Authorization object SM_SMUA is contained in these roles.

You can assign the authorization for SMUA to a dedicated user. In this case, you need to additionally assign the following roles to this user:

● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SM_USER_ADMIN
● SAP_SYSTEM_REPOSITORY_ALL

Note: For technical users, the SMUA user interface can display users and RFC destinations in one table. RFC destinations are only displayed if the end user has authorization for transaction SM59; otherwise the system does not display them. The corresponding authorizations are contained in roles SAP_SM_RFC_*.

Archive Log

The role SAP_SM_ARCHIVE_LOG_ALL for the archive log contains authorization object SM_SETUP with ACTVT 24 (Archive).

Recommendation: Restrict, in authorization object SM_SETUP, the scenarios for which the archive log is accessible.

You can assign the authorization for the archive log to a dedicated user. In this case, you need to additionally assign the following roles to this user:

● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SYSTEM_REPOSITORY_ALL
● SAP_SM_SMUA_DIS

Role Comparison Tool: Role Adjust

The roles SAP_SM_ROLECMP_* allow the user to adjust already customized roles with newly shipped values, or value changes, from SAP standard roles. Access to the application is restricted by authorization object SM_ROLECMP. As the link Adjust Roles is situated within SMUA, the role also contains authorization object SM_WC_VIEW for the view USER.

You can assign the authorization for the Role Comparison Tool to a dedicated user. In this case, you need to additionally assign the following roles to this user:

● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SM_USER_ADMIN
● SAP_SM_SMUA_DIS

Display User (technical role name: SAP_SOLMAN_ADMIN_DISP_COMP)

The display user is allowed to:

● Access the work center SAP Solution Manager Administration
● Display Root Cause Analysis for Self Diagnosis and Self Monitoring of the Solution Manager system
● Display solutions, projects, and systems (infrastructure) in the SAP Solution Manager system
● Display the LMDB dashboard
● Display SMUA
● Display the role comparison


Table 81

Single role                    Remarks                                                         Navigation panel
SAP_RCA_DISP                   Root Cause Analysis authorization                               Self Diagnosis, Self Monitoring
SAP_SERVICE_CONNECT            Service Connect authorizations                                  Related Link: Service Connection (see note)
SAP_NOTIF_ADMIN_DISP           Authorizations for notifications                                (none)
SAP_SM_SOLUTION_DIS            Authorization for solutions                                     Solutions
SAP_SMWORK_BASIC_SMADMIN       Full authorization for work center-related functions            Work Center
SAP_SMWORK_SM_ADMIN            Allows access to the change management work center              (none)
SAP_SM_SYM_LEVEL01             Level one authorization for System, Database, Host Monitoring   Self Diagnosis, Self Monitoring
SAP_SOL_PROJ_ADMIN_DIS         Display authorization for projects                              Projects
SAP_SYSTEM_REPOSITORY_DIS      Display authorization for LMDB (see note)                       Infrastructure
SAP_SM_DASHBOARDS_DISP_LMDB    Display LMDB dashboard                                          Infrastructure
SAP_SM_ROLECMP_DISPLAY         Display Role Comparison Tool                                    Link Adjust Roles
SAP_SM_ROLECMP_DIS             Display SMUA                                                    (none)

Note: The related links contain links to other work centers. If you want to allow access to these work centers, check the scenario-specific security guide for the relevant scenario.

Note: Authorizations for infrastructure (SAP_SYSTEM_REPOSITORY_DIS) are needed in all sections, as this role includes authorizations on systems.


15 Scenario-Specific Guide: Technical Monitoring

The business process life cycle spans all phases of a product's life cycle: the implementation of business processes in a project, their operation as a solution or as systems, and the optimization of productive processes in a project. All systems, databases, and hosts should be monitored during all phases. This guide gives you an overview of all relevant security-related issues for the scenario Technical Monitoring of the systems in your landscape.

Note: Technical Monitoring replaces the System Monitoring scenario. Nevertheless, System Monitoring is still supported. The System Monitoring work center and the Technical Monitoring work center are intended to be used alternatively, not in parallel. While System Monitoring relies entirely on central CCMS running in the context of product systems, Technical Monitoring is based on end-to-end monitoring and alerting running in the context of technical systems. All selection capabilities are built accordingly.

This guide contains a general section on prerequisites for all scenarios, such as additional links or technical users. User descriptions and their corresponding roles are described in more detail per scenario. The scenarios are clearly differentiated.

15.1 Document History

Here, all changes to this scenario-specific guide are listed by Support Package.

Table 82

Support Package Stack (Version) / Description

SP05 General

Technical Monitoring is configured using the automated guided procedure in transaction SOLMAN_SETUP or in the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created automatically within this procedure. The following users are created:

● Scenario configuration users for each sub-scenario: These users are created during the guided procedure of the basic settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can later be used to configure the corresponding sub-scenario of Technical Monitoring in transaction SOLMAN_SETUP. The configuration user for System Monitoring can also be used for Connection Monitoring and Self Monitoring.

● Standard users: Standard users for the individual process are created during the guided procedure of the corresponding sub-scenario in transaction SOLMAN_SETUP. These users can be regarded as "demo" standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes require customizing because of a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system and in the required BW system.

● Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document text ID in the system.

For more information, see the Landscape Setup Guide, section User Generation.

● New section on background jobs.

SAP IT Infrastructure Management and IT Infrastructure Monitoring

To display the views for SAP IT Infrastructure Management and IT Infrastructure Monitoring in the work centers for configuration and Technical Monitoring, you need to deploy the relevant add-on and add the authorization for these views in authorization object SM_WC_VIEW to roles SAP_SMWORK_BASIC_CONFIG and SAP_SMWORK_BASIC_TECH_MON. See also the help text in the system, specifically in transaction SOLMAN_SETUP when configuring the scenario.

Scenario Configuration

Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

User Roles and Authorization

● Support tool role SAP_SM_TECH_MON_TOOL delivered.
● Added role SAP_SM_DTM_ALL to the EEM configuration composite role.
● New BW-related composite roles delivered with software component ST-BCO for Level 2 users, see section Users and Authorizations for the sub-scenarios.
● Updated all PI Monitoring roles SAP_SM_PI_*.
● Additional display role for the Technical Monitoring work center, SAP_TECHMON_DISPLAY_COMP, see the new section on the display user.

Sub-scenario Interface Monitoring

Roles for System Monitoring are also relevant for the new sub-scenario Interface Monitoring. The corresponding authorization objects are adapted: SM_WC_VIEW, SM_WD_COMP, SM_MOAL_OB, and SM_WD_APP.

Sub-scenario Infrastructure Monitoring

● Roles for Infrastructure Monitoring, see sections Users for Infrastructure Monitoring and Prerequisites.
● New main authorization object SM_CMDB_OB, included in the infrastructure roles, see Core Guide and Landscape Setup Guide.

Sub-scenario System Monitoring

Role SAP_SM_SYM_CONF extended for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).

SP07 Sub-scenario System Monitoring

Adapted roles (see the description tab in the specified role for extensions and new authorization objects):

● SAP_SM_SYM_CONF
● SAP_SM_SYM_LEVEL02
● SAP_SM_CONF_COMP, as well as the SOLMAN_SETUP configuration user role assignment. Added new role SAP_SM_SYM_TRANSPORT, which contains the critical authorization object S_TRANSPRT for changing consumer settings data (incidents, notifications, third party) at SAP template level, creating a custom template and saving it in a valid package, and changing data in a custom template that has been saved in a valid package.

SP08 Sub-scenario End-User Experience Monitoring

Adapted roles (see the description tab in the specified role for extensions and new authorization objects):

● SAP_SM_EEM_*

Sub-scenario PI Monitoring

Adapted roles (see the description tab in the specified role for extensions and new authorization objects):

● SAP_SM_PIM_*

Sub-scenario System Monitoring

Adapted roles (see the description tab in the specified role for extensions and new authorization objects):

● Added new single role SAP_SM_SYM_TRANSPORT to the configuration composite role and to the configuration user for System Monitoring in transaction SOLMAN_SETUP.
● SAP_SM_SYM_*
● For SP08 only, single role SAP_ICMON_DELTA is shipped for the usage of Interface and Channel Monitoring. If needed, add this role to the L1 user roles (composite role SAP_SM_L1_COMP). Complete composite roles dedicated to Interface and Channel Monitoring follow with the next SP.

Sub-scenario BI Monitoring

Adapted roles (see the description tab in the specified role for extensions and new authorization objects):

● SAP_SM_BIM_*

Sub-scenario Infrastructure Monitoring

Corrected the technical names of the Infrastructure Monitoring composite roles in the corresponding sections to SAP_IT_L2_COMP and SAP_IT_L1_COMP.

SP10 General

See the description tab in the specified role for extensions and new authorization objects.

● Adapted work center role navigation menu SAP_SMWORK_TECH_MON to new requirements.
● Adapted single role for support tool usage SAP_SM_TECH_MON_TOOL.

Sub-scenario Interface (Channel) Monitoring

Roles for Interface Monitoring (see the description tab in the specified role for extensions and new authorization objects):

● in transaction SOLMAN_SETUP
● composite roles SAP_IC_*COMP with new single roles SAP_SM_IC_*
● removed single role SAP_ICMON_DELTA from composite role SAP_SM_L1_COMP
● new role SAP_SMWORK_BASIC_IC and adapted role SAP_SMWORK_BASIC_TECHMON

Sub-scenario Job Monitoring

Roles for the new scenario Job Monitoring (see the description tab in the specified role for extensions and new authorization objects):

● in transaction SOLMAN_SETUP
● composite roles SAP_JMON_*COMP with new single roles SAP_SM_JMON_* (note that role SAP_SM_JMON_LEVEL01 is also included in the composite roles for Business Process Operations and Job Management, see the corresponding scenario-specific section)
● new role SAP_SMWORK_BASIC_JMON and adapted role SAP_SMWORK_BASIC_TECHMON

Sub-scenario System Monitoring

See the description tab in the specified role for extensions and new authorization objects.

● Removed from role SAP_SM_SYM_CONF all authorizations for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).
● Adapted authorization objects in roles SAP_SM_SYM_* due to the new roles for Interface Channel Monitoring; for more information, see the section on sub-scenario Interface Channel Monitoring and the description tab in the specified role.
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● Adapted role SAP_SMWORK_BASIC_SM due to user interface changes.

Sub-scenario Infrastructure Monitoring

See the description tab in the specified role for extensions and new authorization objects.

● Adapted role SAP_SM_ITMO_CONF with regard to user interface changes in transaction SOLMAN_SETUP.

Sub-scenario PI Monitoring and Message Flow Monitoring

Message Flow Monitoring (MFM) allows you to monitor message-based processes and extends Exception Management. See the description tab in the specified role for extensions and new authorization objects.

● If you use Message Flow Monitoring, the same user roles are required as for PI Monitoring. All single roles SAP_SM_PIM_* and role SAP_SMWORK_BASIC_PIM for PI Monitoring have been adapted accordingly.
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_PIM_*.
● Adapted role SAP_SMWORK_BASIC_PIM due to user interface changes.

Sub-scenario BI Monitoring

● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_BIM_*.
● Adapted role SAP_SMWORK_BASIC_BIM due to user interface changes.

Sub-scenario End-User Experience Monitoring

● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_EEM_*.
● Adapted role SAP_SMWORK_BASIC_EEM due to user interface changes.

Additional Function: Integration Visibility in Managed Systems (IV)

Roles for the integration of Integration Visibility with SAP Solution Manager are delivered for all managed systems: SAP_*IV*. For an overview, see the new section on Integration Visibility in this document.

SP11 Sub-scenario System Monitoring

See the description tab in the specified role for extensions and new authorization objects.

● Enhanced roles SAP_SM_SYM_CONF and SAP_SM_SYM_LEVEL02.

SP12 Sub-scenario Job Monitoring

See the description tab in the specified role for extensions and new authorization objects.

● Enhanced composite role SAP_JMON_L2_COMP with single role SAP_SM_SCHEDULER_BPO (integration of Job Scheduling Management and Job Documentation).

Sub-scenario System Monitoring

Role SAP_SM_SYM_CONF extended for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).

Sub-scenario End-User Experience Monitoring

Role SAP_SM_EEM_CONF extended (see the description tab in the role for extensions and new authorization objects).

New scenario Message Flow Monitoring

● See the new section Message Flow Monitoring.

SP13 See the description tab in the specified role for extensions and new authorization objects.

Sub-scenario System Monitoring

● SAP_SM_SYM_LEVEL02
● SAP_SM_SYM_CONF

Sub-scenario Interface (Channel) Monitoring

● SAP_SM_IC_LEVEL01
● SAP_SM_IC_LEVEL02
● SAP_SM_IC_CONF

Sub-scenario IT Monitoring

● SAP_ITTM_CONF

Sub-scenario Business Intelligence Monitoring

● SAP_SM_BIM_CONF

Sub-scenario End-User Experience Monitoring

● SAP_SM_EEM_CONF

Sub-scenario Job Monitoring

● SAP_SM_JMON_CONF

Sub-scenario Message Flow Monitoring

● SAP_SM_MFM_LEVEL01
● SAP_SM_MFM_LEVEL02
● SAP_SM_MFM_CONF

15.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides that cover all relevant information for one specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations section that we recommend customers create for their productive operations.

This guide covers the following topics:

● Prerequisites: the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other. Additional links can be found in the core guide.
● Users and Authorizations: which users we recommend and which user roles SAP delivers for them, including a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: following the life-cycle approach, the various scenarios integrate with each other. Here, you find out which authorizations you need to assign to your users for these cases.


15.3 Prerequisites

15.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape needed to run complete Technical Monitoring. SAP Solution Manager is connected to your managed systems via READ RFC and Trusted RFC (alternatively LOGIN RFC), and your managed systems are connected to SAP Solution Manager via BACK RFC. The following sections describe in more detail all connections, when they are used, and which technical users are required.

Figure 60: Infrastructure

Note: PI Monitoring depends on the version of the PI system used. It is currently only available as of PI 7.11 Support Package 6 and PI 7.30.

15.3.2 Scenario Configuration Users

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see Core Guide, chapter Configuration Users.
● the BW integration concept, see Core Guide, chapter BW Integration.


You configure the technical monitoring scenarios using the automated guided procedure in the SAP Solution Manager Configuration work center or the transaction SOLMAN_SETUP.

To configure the scenarios, proceed as follows:

Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.

During basic automated configuration, you can create specific configuration users (default technical user name: SMC_<sub—scenario>_<XXXclient> ) for the individual sub-scenarios:

● System Monitoring including SolMan Self-Monitoring, Connection Monitoring, and Interface Monitoring (default user name: SMC_SM_<SMclient>)

● End-User Experience (default user name: SMC_EEM_<SMclient>)

● PI Monitoring (default user name: SMC_PI_<SMclient>)

● BI Monitoring (default user name: SMC_BIMN_<SMclient>)

● IC Monitoring (default user name: SMC_IC_<SMclient>)

● Message Flow Monitoring (default user name: SMC_MFM_<SMclient>)

● Infrastructure Monitoring including SAP IT Infrastructure Management (default user name: USER_SMC_ITMO and USER_SMC_ITMA)

Note: To be able to use Infrastructure Monitoring, you need to configure:

1. SAP IT Infrastructure Management

2. Infrastructure Monitoring

As a prerequisite, you need to have applied the corresponding add-on.

The system automatically adds all relevant user roles. The authorizations in these roles are fully maintained by the automated configuration.

If you want to create the configuration users manually, you need to assign:

● the composite roles SAP_<sub-scenario>_CONF_COMP, which contain all single roles that are automatically assigned to the configuration users in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.

● the composite role SAP_SM_BW_<sub-scenario>_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.


Scenario Configuration transaction SOLMAN_SETUP

You configure the individual scenarios using transaction SOLMAN_SETUP. During the scenario-specific guided configurations, you can create standard template users. The system automatically adds all relevant user roles; see the corresponding sections on Users and User Roles.

15.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager for all Technical Monitoring scenarios.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 83

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to remote BW system | RFC |
Solution Manager to managed systems | HTTP |
Solution Manager to managed systems | Web Service |
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.


Table 84

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> (Customer-specific) | Used to read data from the managed system (pull metrics: availability, exceptions, performance, configuration), visible in the Repository Tool

RFC Connection from Managed System to SAP Solution Manager

Table 85

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | Default user: SMB_<managed system ID> (Customer-specific) | Push metrics, visible in the Repository Tool | Automatically created via transaction SOLMAN_SETUP (view: managed systems)

BW Reporting RFC Connection

Table 86

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation | Managed System or Solution Manager System | System-specific | System-specific | | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient>, BI Callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
SAP_BILO, Trusted RFC to remote BW system | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog User, used to read data from the remote BW for BI Reporting | Created during SOLMAN_SETUP
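The READ, BACK and TRUSTED destinations above are created by SOLMAN_SETUP with fixed names and fixed technical users, which makes them easy to re-check later for drift (a destination re-pointed to a personal dialog user, a BACK entry copied between managed systems without changing the user). The following audit script is an added example and not SAP code; the record layout, the user-type values SYSTEM, DIALOG and CURRENT, and all sample records are constructed for this example, and it assumes that the SID and client in a destination name are those of the target system. It encodes the expectations from Tables 84 and 85 and from the trusted destination described for Message Flow Monitoring:

```python
"""Audit of RFC destination records against the conventions in Tables 84
and 85 and the TRUSTED destination used by Message Flow Monitoring.
Added example, not SAP code. The record layout, the user-type values
(SYSTEM, DIALOG, CURRENT) and all sample records are constructed for this
example and are assumptions, not an SM59 export format."""
import re
from dataclasses import dataclass

# Destination naming convention used throughout this guide:
# SM_<SID>CLNT<Client>_READ, _BACK and _TRUSTED.
_NAME_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|BACK|TRUSTED)$"
)


@dataclass(frozen=True)
class RfcDestination:
    name: str         # destination name as shown in SM59
    defined_in: str   # SID of the system that owns this SM59 entry
    target_sid: str   # SID of the system the destination points to
    client: str       # logon client
    logon_user: str   # stored logon user, "" when none is stored
    user_type: str    # "SYSTEM", "DIALOG" or "CURRENT" (assumed export values)


def audit_destination(dest: RfcDestination, solman_sid: str) -> list:
    """Return the deviations of one destination from the expected setup."""
    findings = []
    m = _NAME_RE.match(dest.name)
    if m is None:
        return [f"{dest.name}: name does not follow SM_<SID>CLNT<Client>_READ|BACK|TRUSTED"]
    sid, client, kind = m.group("sid"), m.group("client"), m.group("kind")
    # Assumption: the SID and client in the name are those of the target system.
    if dest.target_sid != sid or dest.client != client:
        findings.append(
            f"{dest.name}: points to {dest.target_sid} client {dest.client}, "
            f"but the name says {sid} client {client}"
        )
    expected_user = None
    if kind == "READ":
        # Table 84: defined in Solution Manager, logs on to the managed
        # system with the technical system user SM_<SID of Solution Manager>.
        expected_user = f"SM_{solman_sid}"
        if dest.defined_in != solman_sid:
            findings.append(f"{dest.name}: READ destination found in {dest.defined_in}, expected in {solman_sid}")
    elif kind == "BACK":
        # Table 85: defined in the managed system, points at Solution Manager,
        # logs on with SMB_<managed system ID>.
        expected_user = f"SMB_{dest.defined_in}"
        if dest.target_sid != solman_sid:
            findings.append(f"{dest.name}: BACK destination points to {dest.target_sid}, expected {solman_sid}")
    if expected_user is not None:
        if dest.logon_user != expected_user:
            findings.append(f"{dest.name}: logon user {dest.logon_user or '<none>'}, expected {expected_user}")
        if dest.user_type != "SYSTEM":
            # Tables 89 and 90: the READ and BACK users are System Users, not dialog users.
            findings.append(f"{dest.name}: user type {dest.user_type}, expected SYSTEM")
    elif dest.logon_user:
        # Trusted RFC carries the named user performing the action (section 15.8.1);
        # a fixed stored user would remove that accountability (assumption about the export).
        findings.append(f"{dest.name}: trusted destination stores fixed logon user {dest.logon_user}")
    return findings


def audit(destinations, solman_sid: str) -> dict:
    """Map '<defined_in>:<name>' to its findings, for destinations that have any."""
    report = {}
    for dest in destinations:
        findings = audit_destination(dest, solman_sid)
        if findings:
            report[f"{dest.defined_in}:{dest.name}"] = findings
    return report


# Constructed sample inventory: SMP is the Solution Manager, ERP and CRM are managed systems.
SAMPLE = [
    RfcDestination("SM_ERPCLNT100_READ", "SMP", "ERP", "100", "SM_SMP", "SYSTEM"),
    RfcDestination("SM_SMPCLNT001_BACK", "ERP", "SMP", "001", "SMB_ERP", "SYSTEM"),
    RfcDestination("SM_ERPCLNT100_TRUSTED", "SMP", "ERP", "100", "", "CURRENT"),
    # Drift: READ destination re-pointed to a personal dialog user with a stored password.
    RfcDestination("SM_CRMCLNT200_READ", "SMP", "CRM", "200", "BASISADM", "DIALOG"),
    # Drift: BACK destination copied from ERP to CRM without changing the user.
    RfcDestination("SM_SMPCLNT001_BACK", "CRM", "SMP", "001", "SMB_ERP", "SYSTEM"),
]

if __name__ == "__main__":
    for key, problems in audit(SAMPLE, "SMP").items():
        for problem in problems:
            print(key, "->", problem)
```

Running the script on the constructed inventory reports two findings for the CRM READ destination (wrong user, wrong user type) and one for the copied BACK destination (user SMB_ERP where SMB_CRM is expected); the three correctly configured entries produce nothing. The same check can be fed from a real SM59 export once the fields are mapped onto the record layout.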

Internet Graphics Server (IGS) RFC Connection

Table 87

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59

CCMSPing RFC Connection

Table 88

RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks
CCMSPING.<server><SystemNr.> | Registered Server Program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING; system availability overview in System Monitoring work center; IT Performance Reporting | User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Configuration Prerequisites for setting up a central monitoring system CEN (technical name: SOLMAN_INPERF_CCMS)

15.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the technical monitoring scenarios.

User for READ Access in Managed Systems

Users for RFC connection READ


Table 89

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user ("READ User") for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automated basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you also need to change the password for this user in the RFC destination in the Solution Manager system.

Caution: If your managed system runs on SAP_BASIS 7.31 or higher, you need to add the following authorization object to your READ user for PI Monitoring purposes (in particular for PI Message Alerting): S_XMB_ALERT with activity ACTVT: 33 and CONSUMER ID: full authorization. The PI consumer should be set to full authorization to allow it for all Solution Managers. You can also restrict it to specific consumers. The consumer is usually named SOLMAN_<SID of SolMan>.

Process Integration Monitoring: Technical user SM_COLL_<SID of SolMan>. In general, this user is used for connecting to the Java stack and collecting data from there. This means that the SMD agent connects to the Java managed system via this user. In addition, the SAP Solution Manager system uses this user for Web Service connections into the managed systems of type Java.

This technical user is automatically created during automated basic configuration (managed system configuration), and used for collecting CCDB data and PI Monitoring data via agent (by means of a managed system servlet) and Solution Manager (by means of a managed web service). It is only used for managed systems of type Java-only. All role assignment information can be found in the Landscape Setup Guide section for Users for Managed Systems.

User for BW Reporting (Reorganization of Data and Configuration Validation)

Table 90

User | User Type | Remarks
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.
SMD_BI_RFC, in case of remote BW | System User | Technical user for data download
SM_EFWK | System User | Technical user for extractor execution

Caution: During automatic basic configuration, the system automatically generates a password for user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you also need to change the password for this user in the RFC destination in the Solution Manager system.

15.4 Work Center Technical Monitoring

The work center represents a work space for a user, which gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users.

Figure 61: Infrastructure

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Related Links

In the related links section of the work center, you find all possible links for this work center. This means, for instance, that even if your user is an L1 or L2 user, the link for configuration is visible. Still, the user is not able to run the application, since the corresponding authorizations are not included in the defined user roles. This link collection is a recommendation about which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-To section.

Monitoring

Introscope: For more information, see the Additional Link section in the core guide.

Configuration

You cannot run these applications with L1 and L2 user authorizations.

● Solution Manager and managed system configuration require authorizations for the configuration user (technical role name: SAP_*_CONF_COMP)

Administration

● Solution Manager Administration: Requires authorizations for the work center SAP Solution Manager Administration, see scenario-specific guide for SAP Solution Manager Administration

● Landscape Browser: You can only display the landscape with all three defined users. If you want to allow for change authorization, you need to add role SAP_SYSTEM_REPOSITORY_ALL.

● Self-Diagnosis

● My Notifications Settings

Documentation

Here, no specific authorization is needed.

15.5 User Descriptions

To enable your users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.

When you operate SAP Solution Manager and its managed systems, you need to monitor your system landscape. We deliver recommended user descriptions, on which the SAP-delivered roles are modeled. In general, Technical Monitoring distinguishes three different types of users for all scenarios.

The corresponding user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members of your company execute, and then adjust the corresponding roles.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

Roles for Technical Monitoring are predefined composite roles (technical abbreviation: *_COMP) for users. These composite roles contain a set of single roles that are relevant for the business tasks. In this section, we give a short overview of the general expectations of the three user types for all Technical Monitoring scenarios. They are described in more detail in later sections of this guide.

Level 1 Users

Level 1 users assigned to a level 1 role have access to all display activities, and are able to distribute incoming events and alerts to other users. The assigned users are not allowed to do central or local Root Cause Analysis, or to change the configuration of the different monitoring capabilities. These users are also not allowed to confirm alerts.

Level 2 Users

Level 2 users assigned to a level 2 role can be considered as a second level for a particular topic. They have all authorizations of level 1 users for this topic. In addition, they have access to all end-to-end Root Cause Analysis capabilities provided by SAP Solution Manager, as well as to all local Root Cause Analysis capabilities provided by the managed systems. The assigned users are not allowed to change the configuration of the different monitoring capabilities.

Configuration Users

Configuration users assigned to a configuration role can be considered as a kind of third level for a particular topic. They have all authorizations of level 1 and level 2 users for a certain topic. In addition, they have access to the setup and configuration capabilities of the different monitoring capabilities. Setup and configuration of Technical Monitoring capabilities is available in the SAP Solution Manager Configuration work center.

15.6 User Roles for System, Database, Host Monitoring, and Self-Monitoring

15.6.1 First Level User Description and User Role

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

First Level User (Help Text ID: TP_SM_L1)

Technical composite role SAP_SM_L1_COMP in SAP Solution Manager system

Table 91

Included Single Roles | Remarks | Mapping to Navigation Panel of Work Center
SAP_SM_SYM_LEVEL01 | AUTH_SAP_SM_SM_LEVEL01 | Alert Inbox; System Monitoring; Connection Monitoring
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO | Work Center
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON |
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS | Infrastructure (see note)
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE | Alert Inbox
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN | Alert Inbox
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY | Infrastructure (see note)

Note: Authorizations for infrastructure are needed in all sections, as the roles SAP_SYSTEM_REPOSITORY_DIS and SAP_SM_BP_DISPLAY include authorizations on systems.

Caution: If you are a Service Provider, you need to assign SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

15.6.2 Second Level User Description and User Role

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFC between SAP Solution Manager and BW System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: TP_SM_L2)

Technical composite role SAP_SM_L2_COMP in SAP Solution Manager system

Table 92

Single Roles | Help Text ID
SAP_SM_SYM_LEVEL02 | AUTH_SAP_SM_SYM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN

Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration in the Prerequisites section.

Table 93

Single Roles | Help Text ID
SAP_BI_E2E_SM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

15.7 User Roles for Process Integration Monitoring

15.7.1 First Level User Role

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

The views EEM and System Monitoring are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: TP_PIM_L1)

Technical composite role SAP_PIM_L1_COMP in SAP Solution Manager system


Table 94

Single Roles | Remarks | Mapping to Navigation Panel of Work Center
SAP_SM_PIM_LEVEL01 | AUTH_SAP_SM_PIM_LEVEL01 | Alert Monitoring; System Monitoring; PI Monitoring
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO | Work Center
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON |
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS | Infrastructure (see note)
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE | Alert Inbox
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN |
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY | Infrastructure (see note)

Note: Authorizations for infrastructure are needed in all sections, as the roles SAP_SYSTEM_REPOSITORY_DISP and SAP_SM_BP_DISPLAY include authorizations on systems.

Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

15.7.2 Second Level Roles in SAP Solution Manager

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.


The views EEM and System Monitoring are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and BW System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: TP_PIM_L2)

Technical composite role name SAP_PIM_L2_COMP in SAP Solution Manager system

Table 95

Single Roles | Help Text ID
SAP_SM_PIM_LEVEL02 | AUTH_SAP_SM_PIM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

Technical composite role name: SAP_SM_BW_PIM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 96

Single Roles | Help Text ID
SAP_BI_E2E_PIM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Roles in the PI managed system

Table 97

UME role/group | Remarks
SAP_XI_RWB_SERV_USER | Used for adapter engine PING and self-test DC
SAP_XI_RWB_SERV_USER_MAIN |
XI_AF_CHANNEL_ADMIN | Used for channel status DC

15.8 User Roles for Message Flow Monitoring

15.8.1 Technical System Landscape

The technical system landscape of MFM follows the overall technical system landscape of Technical Monitoring, specifically PI Monitoring. Nevertheless, some of the functions offered have an impact on the managed system:

● Restart or cancel of PI Message

● Process or delete Idoc

Since these functions change data in the managed system, a specific user must be used for this data collection, rather than the standard data collection user. This is achieved by using trusted RFC destinations or, in the case of Web Service communication, logical ports with ticket-based authentication.

RFC communication is used between SAP Solution Manager (ABAP stack) and managed systems of type ABAP. Web Service communication is used between SAP Solution Manager (ABAP stack) and managed systems of type Java. All connections are created during the managed system configuration. They usually have the following names:

● RFC: SM_<SIDofMgmtSys>CLNT<Client>_TRUSTED

● Logical Port: E2E_SOLMAN_<SIDofMgmtSys>DIALOG

15.8.2 First Level User Role

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

The views EEM and System Monitoring are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: TP_MFM_L1)

Technical composite role SAP_MFM_L1_COMP in SAP Solution Manager system


Table 98

Single Roles | Remarks
SAP_SM_MFM_LEVEL01 | AUTH_SAP_SM_MFM_LEVEL01
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

Authorizations in the Managed System

If the current user is used to log on to the managed system via a trusted relationship (RFC) or an assertion ticket (Web Service call), the following authorizations are required for this user in the managed system:

● S_RFCACL (trusted)

● S_XMB_MONI, S_XMB_AUTH, S_XMB_DSP (PI message handling) with ACTVT 03 (display), 16 (execute), and A3 (read)

● S_IDOCCTRL (Idoc handling) with ACTVT 10

15.8.3 Second Level Roles in SAP Solution Manager

The table below gives a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

The views EEM and System Monitoring are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and BW System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).


Authorizations in the Managed System

If the current user is used to log on to the managed system via a trusted relationship (RFC) or an assertion ticket (Web Service call), the following authorizations are required for this user in the managed system:

● S_RFCACL (trusted)

● S_XMB_MONI, S_XMB_AUTH, S_XMB_DSP (PI message handling) with ACTVT 03 (display), 16 (execute), and A3 (read)

● S_IDOCCTRL (Idoc handling) with ACTVT 10

Second Level User (Help Text ID: TP_MFM_L2)

Technical composite role name SAP_MFM_L2_COMP in SAP Solution Manager system

Table 99

Single Roles | Help Text ID
SAP_SM_MFM_LEVEL02 | AUTH_SAP_SM_MFM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (see caution) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead of SAP_SUPPDESK_CREATE.

Technical composite role name: SAP_SM_BW_PIM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 100

Single Roles | Help Text ID
SAP_BI_E2E_PIM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Roles in the PI managed system

Table 101

UME role/group | Remarks
SAP_XI_RWB_SERV_USER | Used for adapter engine PING and self-test DC
SAP_XI_RWB_SERV_USER_MAIN |
XI_AF_CHANNEL_ADMIN | Used for channel status DC

15.8.4 Authorization Objects

Authorizations for MFM are based on restricting access to flow groups. A flow group corresponds to a technical scenario.

SM_MFM_FG

This authorization object restricts the display of flow groups for users.

Payload Display in MFM and PI-Monitoring

MFM: SM_MFM_PYL

This authorization object controls if the payload information for a flow group is visible or not.

Caution: The object is actively shipped for the L2 user of Message Flow Monitoring.

In this context, payload information refers to User-Defined Search (UDS) attributes. The business user decides which values from the payload should also be UDS attributes; these are typically 1-10 attributes from the payload. Therefore, payload in Solution Manager displays the self-defined payload attributes. By default, the system does not display any UDS attributes. UDS attributes can only be displayed when the feature is activated in the PI system.

Central User-Defined Search

In PI Monitoring, SAP Solution Manager displays the Central User-Defined Search (cUDS). With this function, you can centrally choose search criteria in Solution Manager, and thus trigger a UDS in your PI systems. The result is displayed in Solution Manager, and the user is able to navigate from there into the corresponding PI system to view the individual messages. The search function itself is started centrally on the SAP Solution Manager side and runs directly on the various selected PI systems. The RFC destination used in this case is trusted, or a logical port for Web Service (Java). This supports the concept that a named user is running the search. The system searches only for the payload data previously defined by customizing or set to sensitive in the individual PI system. The search result is not saved within SAP Solution Manager. Within MFM, UDS attributes are nevertheless saved, but this function is secured by the authorization object mentioned above.

Security Guide for SAP Solution Manager 7.1Scenario-Specific Guide: Technical Monitoring

CUSTOMER© Copyright 2015 SAP SE or an SAP affiliate company.

All rights reserved. 207


Table 102: Use Case Combinations

User | Flow Group | SM_MFM_FG (Flow group visible) | SM_MFM_PYL (Payload visible) | Action
A | 1 | yes | yes |
B | 2 | yes | no |
C | 3 | schiefff | |
D | 4 | | |
X | 5 | | |
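The following Python model is an added example, not code from the guide or from SAP. It shows how the two checks SM_MFM_FG and SM_MFM_PYL combine into the use-case combinations of Table 102. It assumes a single field FLOWGROUP on both objects (the real field names must be taken from the object definitions in your system) and it assumes, as a design choice of the model, that payload attributes are only shown when the flow group itself is visible. Value matching follows the standard SAP authorization semantics: a single asterisk matches everything, a value ending in an asterisk is a prefix pattern, and a low/high pair is an inclusive range. The users and flow-group names are constructed sample data.

```python
"""Added example (not SAP code): how SM_MFM_FG and SM_MFM_PYL decide what a
Message Flow Monitoring user sees.

Assumptions (not taken from the guide): both objects carry a single field
FLOWGROUP holding the flow-group name (check the real field names in your
system), and payload is shown only for flow groups the user may display.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthValue:
    """One authorization value as maintained in PFCG: object, field, low, high."""
    obj: str
    field: str
    low: str
    high: str = ""


def value_matches(low: str, high: str, value: str) -> bool:
    """SAP-style comparison of a maintained value (low/high) with a requested value."""
    if high:                      # range maintained as from/to (inclusive)
        return low <= value <= high
    if low == "*":                # full wildcard
        return True
    if low.endswith("*"):         # prefix pattern, e.g. 'PI_*'
        return value.startswith(low[:-1])
    return low == value


def has_authorization(auths: List[AuthValue], obj: str, field: str, value: str) -> bool:
    """Equivalent of a successful AUTHORITY-CHECK for one object/field/value."""
    return any(
        a.obj == obj and a.field == field and value_matches(a.low, a.high, value)
        for a in auths
    )


def mfm_visibility(auths: List[AuthValue], flow_group: str) -> Tuple[bool, bool]:
    """Return (flow group visible, payload visible) for one flow group.

    SM_MFM_PYL alone grants nothing: payload (UDS attributes) is only shown
    when SM_MFM_FG allows the flow group itself (assumption of this model).
    """
    fg_visible = has_authorization(auths, "SM_MFM_FG", "FLOWGROUP", flow_group)
    pyl_visible = fg_visible and has_authorization(auths, "SM_MFM_PYL", "FLOWGROUP", flow_group)
    return fg_visible, pyl_visible


# Constructed users corresponding to the use-case combinations of Table 102.
USERS: Dict[str, List[AuthValue]] = {
    # user A: flow group 1 visible, payload visible
    "A": [AuthValue("SM_MFM_FG", "FLOWGROUP", "FG1"),
          AuthValue("SM_MFM_PYL", "FLOWGROUP", "FG1")],
    # user B: flow group 2 visible, payload not visible
    "B": [AuthValue("SM_MFM_FG", "FLOWGROUP", "FG2")],
    # user C: payload object only, so sees nothing at all
    "C": [AuthValue("SM_MFM_PYL", "FLOWGROUP", "FG3")],
    # L2-style user: every flow group via wildcard, payload only for PI_* groups
    "L2": [AuthValue("SM_MFM_FG", "FLOWGROUP", "*"),
           AuthValue("SM_MFM_PYL", "FLOWGROUP", "PI_*")],
}


def visibility_matrix(users=USERS, flow_groups=("FG1", "FG2", "FG3", "PI_SALES")):
    """Use-case matrix: {(user, flow_group): (flow group visible, payload visible)}."""
    return {(u, fg): mfm_visibility(auths, fg)
            for u, auths in users.items() for fg in flow_groups}


if __name__ == "__main__":
    for (u, fg), (fgv, pv) in sorted(visibility_matrix().items()):
        print(f"user {u:2} flow group {fg:8} visible={fgv!s:5} payload={pv}")
```

Running the block prints one line per user and flow group; the L2-style user illustrates why the guide warns that SM_MFM_PYL is shipped in the L2 role: a wildcard on SM_MFM_FG combined with a broad SM_MFM_PYL value exposes the self-defined payload attributes of every matching flow group.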

15.8.5 Function Integration

Within the Message Flow Monitoring application, you can create incidents and notifications, and you can use Guided Procedures. For the authorization checks of each integration, see the individual function information:

● Incidents: Scenario-Specific Guide for IT Service Management

● Notifications and Guided Procedures: Scenario-Specific Guide for Technical Administration

15.9 User Roles for End-User Experience Monitoring

15.9.1 First Level User Description and User Role

The table below lists the single roles included in the composite role. An additional column indicates for which section of the work center navigation panel each single role is required. The Overview of a work center always contains links to all relevant sections of the navigation panel and is therefore not listed.

The view System Monitoring is visible because End-User Experience Monitoring can also be called from this view. Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: TP_EEM_L1)

Technical composite role name SAP_EEM_L1_COMP in SAP Solution Manager system

Table 103

Single Role | Help Text ID | Mapping to Navigation Panel of Work Center
SAP_SM_EEM_LEVEL01 | AUTH_SAP_SM_EEM_LEVEL01 | Alert Monitoring; System Monitoring; End User Experience Monitoring
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO | Work Center
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON | Work Center
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS | Infrastructure (Note: authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems)
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE | Alert Monitoring
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN | Alert Monitoring
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY | All sections, as this role includes authorizations on Business Partners

15.9.2 Second Level User Description and User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

The view System Monitoring is visible because End-User Experience Monitoring can also be called from this view. Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and the BW System

In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).


Second Level User (Help Text ID: TP_EEM_L2)

Technical composite role SAP_EEM_L2_COMP in SAP Solution Manager system

Table 104

Single Role | Help Text ID
SAP_SM_EEM_LEVEL02 | AUTH_SAP_SM_EEM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_EEM | AUTH_SAP_SM_DASHBOARD_EEM
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Technical composite role name: SAP_SM_BW_EEM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to a user with the same user ID and password.

Table 105

Single Role | Help Text ID
SAP_BI_E2E_EEM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

15.10 User Roles for Business Intelligence Monitoring

15.10.1 First Level User Description and User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

The view System Monitoring is visible because BI Monitoring can also be called from this view. Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: TP_BIM_L1)

Technical composite role name SAP_BIM_L1_COMP in the SAP Solution Manager system/client

Table 106

Single Role | Help Text ID
SAP_SM_BIM_LEVEL01 | AUTH_SAP_SM_BIM_LEVEL01
SAP_SMWORK_BASIC_BIM | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, you need to assign role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

15.10.2 Second Level User Description and User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

The view System Monitoring is visible because BI Monitoring can also be called from this view. Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and the BW System

In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: TP_BIM_L2)

Technical composite role SAP_BIM_L2_COMP in SAP Solution Manager system


Table 107

Single Role | Help Text ID
SAP_SM_BIM_LEVEL02 | SAP_SM_BIM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Technical composite role name: SAP_SM_BW_BIM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to a user with the same user ID and password.

Table 108

Single Role | Help Text ID
SAP_BI_E2E_EEM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

15.11 User Roles for Interface (Channel) Monitoring

15.11.1 First Level User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: IC_L1_XXX)

Technical composite role SAP_IC_L1_COMP in SAP Solution Manager system

Table 109

Single Role | Help Text ID
SAP_EM_DISPLAY | AUTH_SAP_EM_DISPLAY
SAP_SMWORK_BASIC_IC | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_IC_LEVEL01 | AUTH_SAP_SM_IC_LEVEL01
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

15.11.2 Second Level Roles in SAP Solution Manager

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and the BW System

In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: IC_L2_XXX)

Technical composite role SAP_IC_L1_COMP in SAP Solution Manager system


Table 110

Single Role | Help Text ID
SAP_EM_DISPLAY | AUTH_SAP_EM_DISPLAY
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SMWORK_BASIC_IC | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_IC_LEVEL02 | AUTH_SAP_SM_IC_LEVEL01
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to a user with the same user ID and password.

Table 111

Single Role | Help Text ID
SAP_BI_E2E_SM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

15.12 End-User Roles for Job Monitoring

15.12.1 First Level User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

First Level User (Help Text ID: TP_JMON_L1)

Technical composite role name SAP_JMON_L1_COMP in the SAP Solution Manager system/client

Table 112

Single Role | Help Text ID
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SMWORK_BASIC_JMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, you need to assign role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY

15.12.2 Second Level User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

Access to the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.

Authorization for Trusted RFC between SAP Solution Manager and the BW System

In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: TP_JMON_L2)

Technical composite role SAP_JMON_L2_COMP in SAP Solution Manager system

Table 113

Single Role | Help Text ID
SAP_SM_JMON_LEVEL02 | AUTH_SAP_SM_JMON_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_JMON | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM | AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY
SAP_SM_SCHEDULER_BPO | AUTH_SAP_SM_SCHEDULER_BPO

Technical composite role name: SAP_SM_BW_JMON_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to a user with the same user ID and password.

Table 114

Single Role | Help Text ID
SAP_BI_E2E_JMON | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

15.13 User Roles for Infrastructure Monitoring

To be able to use SAP IT Infrastructure Management and Infrastructure Monitoring, you have to:

1. Deploy the required add-on.

2. Check that the following authorization values are contained in the mentioned roles:

- in role SAP_SMWORK_BASIC_CONFIG, authorization object SM_WC_VIEW (values: Work Center ID WD_SISE_MAIN, Text "View - IT Infrastructure Management")

- in role SAP_SMWORK_BASIC_CONFIG, authorization object SM_WC_VIEW (values: Work Center ID WD_SISE_MAIN, Sub View "Infrastructure")

- in role SAP_SM_ITMA_CONF, authorization object SM_SETUP (value: CMDB_INF_MAN)

- in role SAP_SM_ITMO_CONF, authorization object SM_SETUP (value: E2E_MAI_SETUP5)

Before you can configure Infrastructure Monitoring, you need to configure IT Infrastructure Management.

15.13.1 First Level User Description and User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

First Level User (Help Text ID: TP_IT_L1)

Technical composite role SAP_IT_L1_COMP in SAP Solution Manager system

Table 115

Included Single Role | Help Text ID
SAP_SM_SYM_LEVEL01 | AUTH_SAP_SM_SM_LEVEL01
SAP_SMWORK_BASIC_ITMO | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, you need to assign SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN

Related Links

The Related Links section of the work center lists all links that are possible for this work center. This means, for instance, that the link for configuration is visible even if your user is an L1 or L2 user; still, the user is not able to run the application, since the according authorizations are not included in the defined user roles. This link collection is a recommendation about which additional applications could be run in the according scenarios. If you want the Related Links section to display only those links that the defined user is actually allowed to use, adapt the work center navigation role accordingly. For more information about how to adapt the Related Links section, see the How-To section.

Monitoring

Introscope: For more information, see the Additional Link section in this guide

Configuration

You cannot run the configuration applications with L1 or L2 user authorizations:

● Solution Manager and managed system configuration require authorizations for the configuration user (technical role name: SAP_ITMO_CONF_COMP)


Administration

● Solution Manager Administration: Requires authorizations for the work center SAP Solution Manager Administration, see scenario-specific guide for SAP Solution Manager Administration

● Landscape Browser: All three defined users can only display the landscape. If you want to allow change authorization, you need to add role SAP_SYSTEM_REPOSITORY_ALL.

● Self-Diagnosis

● My Notifications Settings

Documentation

Here, no specific authorization is needed.

15.13.2 Second Level User Description and User Role

The table below lists the single roles included in the composite role, together with the Help Text ID of each role.

Authorization for Trusted RFC between SAP Solution Manager and the BW System

In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Second Level User (Help Text ID: TP_IT_L2)

Technical composite role SAP_IT_L2_COMP in SAP Solution Manager system

Table 116

Single Role | Help Text ID
SAP_SM_SYM_LEVEL02 | AUTH_SAP_SM_SYM_LEVEL02
SAP_SMWORK_BASIC_DIAG | AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_ITMO | AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP | AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE (Caution: if you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead) | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN

Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to a user with the same user ID and password.

Table 117

Single Role | Help Text ID
SAP_BI_E2E_SM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
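Sections 15.9.2, 15.10.2, 15.11.2, 15.12.2 and 15.13.2 all require the same setup for the remote BW scenario: the L2 user needs the scenario's composite role plus SAP_SM_S_RFCACL in SAP Solution Manager, and a user with the same ID in the BW system needs the BW composite role plus SAP_SM_BW_S_RFCACL. The following Python audit is an added example, not code from the guide or from SAP. It checks those assignments for every L2 user of one scenario against extracts of the user-role assignments of both systems, and it adds a least-privilege check that goes beyond the guide's text: the S_RFCACL values in the BW system should name the calling Solution Manager system and client rather than an asterisk, and should require the identical user ID (RFC_EQUSER = Y). The field names RFC_SYSID, RFC_CLIENT, RFC_USER and RFC_EQUSER are the standard fields of S_RFCACL; the system ID SOL, the client, the user names and the role extracts are constructed sample data, and the composite role names are taken from the tables above.

```python
"""Added example (not SAP code): consistency and least-privilege audit of the
trusted-RFC setup for the remote BW scenario of sections 15.9.2 to 15.13.2.

Input: constructed user-to-role extracts of both systems (as exported from
table AGR_USERS) and the S_RFCACL values of the BW roles (as in AGR_1251).
Assumptions: the Solution Manager is system SOL, client 001.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SOLMAN_SID = "SOL"        # assumption: system ID of the SAP Solution Manager
SOLMAN_CLIENT = "001"     # assumption: its productive client

# L2 composite roles per scenario (Solution Manager side, BW side), from the guide's tables.
SCENARIO_ROLES = {
    "EEM":  ("SAP_EEM_L2_COMP",  "SAP_SM_BW_EEM_L2_COMP"),
    "BIM":  ("SAP_BIM_L2_COMP",  "SAP_SM_BW_BIM_L2_COMP"),
    "JMON": ("SAP_JMON_L2_COMP", "SAP_SM_BW_JMON_L2_COMP"),
    "IT":   ("SAP_IT_L2_COMP",   "SAP_SM_BW_SM_L2_COMP"),
}
SOLMAN_TRUST_ROLE = "SAP_SM_S_RFCACL"
BW_TRUST_ROLE = "SAP_SM_BW_S_RFCACL"


@dataclass
class RfcAcl:
    """One S_RFCACL authorization of a BW role (standard field names)."""
    role: str
    rfc_sysid: str
    rfc_client: str
    rfc_user: str
    rfc_equser: str   # 'Y': caller must have the identical user ID; 'N': any user in RFC_USER


def audit_remote_bw(scenario: str,
                    solman_users: Dict[str, Set[str]],
                    bw_users: Dict[str, Set[str]],
                    bw_acls: List[RfcAcl]) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every L2 user of the scenario in Solution Manager."""
    sm_role, bw_role = SCENARIO_ROLES[scenario]
    findings: Dict[str, List[str]] = {}
    for user, roles in solman_users.items():
        if sm_role not in roles:
            continue                               # not an L2 user of this scenario
        f: List[str] = []
        if SOLMAN_TRUST_ROLE not in roles:
            f.append(f"missing {SOLMAN_TRUST_ROLE} in Solution Manager")
        bw_roles = bw_users.get(user)
        if bw_roles is None:
            f.append("user ID does not exist in BW (trusted RFC needs the same user ID)")
        else:
            for needed in (bw_role, BW_TRUST_ROLE):
                if needed not in bw_roles:
                    f.append(f"missing {needed} in BW")
            # Least-privilege check on every S_RFCACL value the BW user actually holds.
            for acl in bw_acls:
                if acl.role not in bw_roles:
                    continue
                if acl.rfc_sysid == "*" or acl.rfc_client == "*":
                    f.append(f"{acl.role}: S_RFCACL trusts any calling system/client, "
                             f"restrict to {SOLMAN_SID}/{SOLMAN_CLIENT}")
                if acl.rfc_equser != "Y" and acl.rfc_user == "*":
                    f.append(f"{acl.role}: S_RFCACL accepts any calling user, set RFC_EQUSER=Y")
        findings[user] = f
    return findings


# Constructed sample extracts.
SOLMAN_USERS = {
    "EEM_OPER1": {"SAP_EEM_L2_COMP", SOLMAN_TRUST_ROLE},
    "EEM_OPER2": {"SAP_EEM_L2_COMP"},                      # trusted-RFC role forgotten
    "EEM_OPER3": {"SAP_EEM_L2_COMP", SOLMAN_TRUST_ROLE},   # no BW user at all
    "BIM_OPER1": {"SAP_BIM_L2_COMP", SOLMAN_TRUST_ROLE},   # other scenario, ignored for EEM
}
BW_USERS = {
    "EEM_OPER1": {"SAP_SM_BW_EEM_L2_COMP", BW_TRUST_ROLE},
    "EEM_OPER2": {"SAP_SM_BW_EEM_L2_COMP", "Z_BW_OPEN_TRUST"},
    "BIM_OPER1": {"SAP_SM_BW_BIM_L2_COMP", BW_TRUST_ROLE},
}
BW_ACLS = [
    RfcAcl(BW_TRUST_ROLE, SOLMAN_SID, SOLMAN_CLIENT, "*", "Y"),   # only SOL/001, same user ID
    RfcAcl("Z_BW_OPEN_TRUST", "*", "*", "*", "N"),                 # overly broad customer role
]

if __name__ == "__main__":
    for user, f in audit_remote_bw("EEM", SOLMAN_USERS, BW_USERS, BW_ACLS).items():
        print(user, "OK" if not f else "; ".join(f))
```

With a trusted RFC destination no password is transmitted; what S_RFCACL on the BW side enforces is the calling system, client and, with RFC_EQUSER = Y, the identical user ID. That is why the audit concentrates on those fields: a customer role with asterisks in RFC_SYSID and RFC_CLIENT, as in the Z_BW_OPEN_TRUST sample, lets any system that the BW trusts log the user on without a password.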

15.14 Integration Visibility in Managed Systems

Integration Visibility is a technical foundation that discovers message flows and enables consumer applications to subscribe to and consume monitoring events for a selected set of discovered message flows in PI. This includes all A2A and B2B message flows in the monitored landscape. It can be used together with SAP Solution Manager; SAP Solution Manager then serves as the user interface that correlates the data collected from the different sources.

Note: This documentation only describes the roles required if you use Integration Visibility with SAP Solution Manager. For more information on the scenario and on the UME roles for it, see the online documentation for Integration Visibility in PI.

Technical System Landscape

Figure 62: Data Flow

User Roles

In the overall Integration Visibility landscape, the following roles are proposed for the following positions in the data flow:

Table 118

Single Role | User Type | Remarks
SAP_IV_DC_SUBSCRIBE | System User | Position 3 in the data flow graphic: distributes flow subscriptions and message filter criteria. It is used for subscription and query handling when a request arrives from the Subscription Manager.
SAP_IV_EVENT_CONSUMER | System User | Position 5 in the data flow graphic. In terms of SAP Solution Manager, the Integration Visibility consumer acts as the managing system.
SAP_IV_DC_EXECUTE | System User | Used to run the data collector and to generate and persist events.
SAP_IV_DC_CONFIG | Dialog User | Corresponds to the Integration Architect and is used to manage the data collector configuration. Users assigned to this role are able to: configure IV Discovery settings and manage flow definitions; navigate the whole Integration Visibility user interface; configure data collector execution.
SAP_IV_DC_SUPPORTER | Dialog User | Corresponds to the Technical Supporter. Users assigned to this role are able to: read data from all Integration Visibility tables in the NWA Open SQL Data Browser (except BC_IV_DC_EVENT, which contains business-sensitive information); navigate the whole Integration Visibility user interface with read-only rights; fully access WS Navigator, Log Viewer, Log Configurator, WS Log Viewer, WS Log Configurator and the GET operations of all IV web services.
SAP_IV_DC_ADMIN | Composite role | Includes SAP_IV_DC_SUBSCRIBE, SAP_IV_DC_EXECUTE, SAP_IV_EVENT_CONSUMER and SAP_IV_DC_CONFIG.

15.15 Role for Technical Monitoring Display

For display-only usage of Technical Monitoring, the composite role SAP_TECHMON_DISPLAY_COMP is delivered. The role contains the authorizations for displaying all Technical Monitoring applications.

15.16 Role for Technical Monitoring Support

For the support of Technical Monitoring, the single role SAP_SM_TECH_MON_TOOL is delivered. The role contains authorization object SM_SP_TOOL for access to various support tools.


15.17 Main Authorization Objects

The following section describes the main authorization objects for Technical Monitoring. For more detail, see the SDN Wiki on Authorizations.

Authorization Object SM_MOAL_TC

This authorization object defines on the application level which contexts the user is allowed to work in; for instance, Problem Context Configuration should be possible for Level 2 and configuration users.

Figure 63: SM_MOAL_TC in role SAP_SM_SYM_CONF for System, Host, Database Monitoring

The authorizations for this object are maintained differently in the user roles of the individual technical monitoring scenarios. For instance, activity 02 (change) allows start, stop and ping (button: Manage) in Channel Monitoring for the configuration user and the level 2 user in the PI Monitoring roles.

Authorization Object SM_SETUP

This authorization object restricts access to the configuration of the technical monitoring scenarios. Only the configuration users are allowed to access this transaction.

Figure 64: SM_SETUP in role SAP_SM_SYM_CONF for System, Host, Database Monitoring


In this case, the configuration user is allowed to access the edit mode for the setup of technical monitoring data.

Authorization Object S_TRANSPRT

Authorization object S_TRANSPRT is only relevant for, and maintained in, the configuration user roles of the scenarios, because the configuration application requires creating, changing and releasing transport requests.

Authorization Object SM_BWDEST

This authorization object is included in role SAP_SM_BI_BILO to protect the usage of the trusted RFC destination that is generated per user who displays BW content (specifically dashboards and the Metrics Monitor). The user must have both the authorization for the trusted RFC (S_RFCACL) and the authorization for the BW destination (SM_BWDEST). The object is checked for the button Reports in the Alert Inbox.

Authorization Object SM_CMDB_OB

This authorization object is relevant for Infrastructure Monitoring.

Content Delivery Synchronization

CSU_PACK

This object controls whether the user is allowed to create and maintain registration details, as well as to create content packages and maintain content-package-related information. Change authorization covers the following activities:

● Create a new delivery package type in the Content Delivery tool.

● Edit delivery-package-related information, such as the Service Marketplace link and the notification status type, in the Content Delivery tool.

● Download a "local" delivery package.

● Send a notification to the SAP backend on the availability of a new content package.

● Create or register a new content type in the Content Delivery tool.

● Edit and delete content-type-related details in the Content Delivery tool.

CSU_UNPACK

This object controls whether the user is allowed to download and install content packages on SAP Solution Manager. Change authorization covers the following activities:

● Maintain configuration details such as the Service Marketplace user information, the SAP backend user information, the frequency of checking for content updates, and the user to be notified.

● Download a content package from the Service Marketplace into the local store.

● Install content in the case of the framework delivery type.

15.18 Scenario Integration

Technical Monitoring refers to the phase in your product life-cycle when you operate your systems, and you have to monitor them. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems and so on. The following sections describe the integration of technical monitoring with other scenarios within SAP Solution Manager, and which user roles are applicable.


Note: For more detail on each individual scenario, see the according scenario-specific guide.

Incident Management

In Technical Monitoring, users can create service desk messages. You can create incidents for an alert from the Alert Inbox and from Connection Monitoring. The according user role SAP_SUPPDESK_CREATE is included in the user roles. If you want your users to also check their incident messages, assign the composite role SAP_SUPPDESK_PROCESS_COMP.

Note:

● A key user can only display his or her own messages, that is, messages for which the key user is the reporter.

● For a key user to see messages created by other users, see SAP Note 1256661 (1. Substitution).

Note: If you are a Service Provider, you need to assign the according service provider roles. For more information, see the specific Service Provider Guide.

Root Cause Analysis

Technical Monitoring is highly integrated with Root Cause Analysis. The according role SAP_RCA_DISP is included in the user roles.

Notification Management (Technical Administration)

You can create notifications from the Alert Inbox and from Connection Monitoring. The according role SAP_NOTIF_ADMIN is included in the user roles.

Figure 65: Create Notification from Alert Inbox


EarlyWatch Alert / Service Report Generated Documents

To view the generated documents for EarlyWatch Alert, you need to assign role SAP_OP_DSWP_EWA to your user.

Figure 66: EarlyWatch Alert and Service Reporting from Generated Documents

15.19 Background Jobs

The following background jobs run for Technical Monitoring:

● SAP_ALERT_CALCULATION_ENGINE

● SAP_ALERT_HOUSEKEEPING

● SAP_METRIC_STORE_CLEANUP

All jobs run with the system user SOLMAN_BTC.

Details on the jobs can be found in the work center SAP Solution Manager Administration, view Self-Monitoring (Description).


16 Scenario-Specific Guide: Maintenance Optimizer

The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization and upgrade of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). Using the Maintenance Optimizer, you can easily upgrade your managed systems via SAP Solution Manager as the managing platform. This guide gives you an overview of all relevant security-related issues for using the Maintenance Optimizer.

16.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 119

Support Package Stacks (Version) | Description

SP05 | User Roles and Authorization

● Single role SAP_MAINT_OPT_ADMIN extended due to new LMDB authorization object AI_LMDB_PS.

● Composite role SAP_MAINT_ADMIN_COMP adapted: single role SAP_SYSTEM_REPOSITORY_DIS substituted with single role SAP_SYSTEM_REPOSITORY_ALL.

Communication Channels

Added additional information on RFC usage.

SP08 | End-User Roles

The following roles have been adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role.

● Single roles adapted due to obsolete authorization object D_MOPZSYSI (since SP03 of Solution Manager 7.1). The corresponding section in chapter Users and Authorization has been deleted.

16.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario to your landscape.


Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles which represent them. Here, you also find information on the relevant work center(s).

● User Roles for Additional Functions: find out about additional roles for users that must execute special functions within the scenario.

16.3 Prerequisites

16.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the Maintenance Optimizer. For more information on Service Provider-specific settings, see the Service Provider Guidelines. The SAP Solution Manager is connected via READ RFC to your managed systems, and the connection SAP-OSS to SAP must be in place. These RFCs and the required technical users are explained in more detail in the following sections.


Figure 67: Infrastructure

16.3.2 Scenario Configuration

When you run the automated basic setup for Solution Manager, the system automatically configures Maintenance Optimizer for use. This means that after the basic configuration and the attachment of the corresponding managed systems, you are able to use the Maintenance Optimizer.

Note: All required system information for your managed systems must be up to date.

For configuration, you can use all users and authorizations as described in the Landscape Setup Guide.

16.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.


Table 120

Communication Channel | Protocol | Type of Data Transferred / Function

Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services

Solution Manager to managed systems | RFC | Reading information from managed systems

Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are automatically created via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 121

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks

SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Read all necessary information from the managed systems, such as the activation status of the installed switchable framework software components, and the activation status of the installed country-specific HR Support Packages

RFC Connections from SAP Solution Manager to SAP


Table 122

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks

SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP, Service Connection, product data download. The following calculation services are performed on the SAP backbone systems: system identification, compatibility check, Support Package calculation. | Created in transaction SOLMAN_SETUP

Note: For more information on Service Provider-specific settings, see the Service Provider Guidelines.

16.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.

User for SAP Connection

User General Infrastructure

Table 123

User (Password) | Remarks

OSS_RFC (CPIC) | Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL)

User for READ Access in Managed Systems

Users for RFC connection READ

Table 124

User | User Type | Remarks

SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

16.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)

Users who communicate with the SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact assigned to them in SAP Solution Manager. You maintain the contact in table AISUSER (transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without the leading S.

Caution: The S-user for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorizations.

More Information

See IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)

16.3.6 S-User Authorization for Maintenance Optimizer

Your S-user needs the following authorization in the SAP Support Portal, for the Maintenance Optimizer function.

Features

S-user Authorization for Maintenance Optimizer

Table 125

Activity | Authorization

Execute Maintenance Optimizer | SWCATALOG Order Software in Software Catalog

16.4 CRM Standard Customizing

Transaction Types

Table 126

Transaction Type | Usage | Remarks

SDMO | Product Update | not productive

SLMO | Product Maintenance | supported

16.5 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system.

SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. For Maintenance Optimizer, the executing user should have administration authorization and, in some cases, additional authorizations for XML file upload as well. SAP also delivers a display user for the function.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

Roles for Maintenance Optimizer are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.


Figure 68: Maintenance Optimizer Process

16.5.1 User Descriptions and User Roles

This section gives you an overview of the users recommended by SAP and their corresponding user role assignments for the Maintenance Optimizer. All users are assigned a composite role, which contains a number of single roles. For a detailed overview on each of the single roles and their main authorization objects.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. The work center for Change Management is relevant for more than one scenario:

● Maintenance Optimizer

● Change Request Management

It also includes additional functions for Change Management, such as System Recommendations, License Management, or Configuration Validation. If you want to restrict the access and/or the authorizations for a particular user, you can easily do so. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.


Figure 69: Work Center Change Management

The table underneath gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

In the column Mapping to Navigation Panel of Work Center, we list only those views and tasks which are relevant for Maintenance Optimizer. Authorizations for additional functions are included in additional single roles, which are explained in more detail in the section Additional Functions in this guide.

Administrator (technical role name: SAP_MAINT_ADMIN_COMP)

The administrator user is allowed to:

● access Change Management work center

● execute maintenance optimizer transactions

Note: If this user is to be allowed to upload XML files, you must additionally assign the user role SAP_MAINT_OPT_ADD.

Mapping: Roles and Navigation Panel

Table 127

Single role | Remarks | Mapping to Navigation Panel of Work Center

SAP_MAINT_OPT_ADMIN | Authorization for Maintenance Optimizer | Maintenance Optimizer; New Maintenance Transaction in the Common Task List

SAP_SM_SOLUTION_DIS | Authorization for solutions | Infrastructure in general

SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems | Infrastructure in general

SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center

SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center

Display User (technical role name: SAP_MAINT_DIS_COMP)

The display user is allowed to:

● access Change Management work center

● display maintenance optimizer transactions

Mapping: Roles and Navigation Panel

Table 128

Single role | Remarks | Mapping to Navigation Panel of Work Center

SAP_MAINT_OPT_DIS | Authorization for displaying Maintenance Optimizer | Maintenance Optimizer

SAP_SM_SOLUTION_DIS | Authorization for displaying solutions | Infrastructure in general

SAP_SYSTEM_REPOSITORY_DIS | Authorization for systems | Infrastructure in general

SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center

SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center
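The two templates above (administrator and display user) are only useful if the assignments in the system actually follow them. The script below is an added example, not SAP code: it expands the composite roles from Tables 127 and 128 into their single roles and reports assignments that deviate from the templates (the XML-upload add-on SAP_MAINT_OPT_ADD without the administrator authorization it extends, a display user additionally holding administrator single roles, and Maintenance Optimizer roles without the work center access roles). The flat export format (one "USER;ROLE" pair per line) and the user IDs in the sample are assumptions, not a real export.

```python
"""Least-privilege review of Maintenance Optimizer role assignments.

Added example, not SAP code. It expands the composite roles listed in
Tables 127 and 128 into their single roles and reports assignments that
deviate from the administrator / display user templates described above.
The export format (one "USER;ROLE" pair per line) is an assumption.
"""

# Composite roles and the single roles they contain (Tables 127 and 128).
COMPOSITE_ROLES = {
    "SAP_MAINT_ADMIN_COMP": {
        "SAP_MAINT_OPT_ADMIN",
        "SAP_SM_SOLUTION_DIS",
        "SAP_SYSTEM_REPOSITORY_ALL",
        "SAP_SMWORK_BASIC_CHANGE_MAN",
        "SAP_SMWORK_CHANGE_MAN",
    },
    "SAP_MAINT_DIS_COMP": {
        "SAP_MAINT_OPT_DIS",
        "SAP_SM_SOLUTION_DIS",
        "SAP_SYSTEM_REPOSITORY_DIS",
        "SAP_SMWORK_BASIC_CHANGE_MAN",
        "SAP_SMWORK_CHANGE_MAN",
    },
}

# Single role -> section of the work center navigation panel it maps to.
NAV_PANEL = {
    "SAP_MAINT_OPT_ADMIN": "Maintenance Optimizer",
    "SAP_MAINT_OPT_DIS": "Maintenance Optimizer",
    "SAP_SM_SOLUTION_DIS": "Infrastructure in general",
    "SAP_SYSTEM_REPOSITORY_ALL": "Infrastructure in general",
    "SAP_SYSTEM_REPOSITORY_DIS": "Infrastructure in general",
    "SAP_SMWORK_BASIC_CHANGE_MAN": "Work Center",
    "SAP_SMWORK_CHANGE_MAN": "Work Center",
}

# Single roles that turn a display user into more than a display user.
ADMIN_SINGLE_ROLES = {"SAP_MAINT_OPT_ADMIN", "SAP_SYSTEM_REPOSITORY_ALL"}
# Add-on role for XML file upload; only meaningful for the administrator.
XML_UPLOAD_ROLE = "SAP_MAINT_OPT_ADD"

# Constructed sample export (user IDs are made up for this example).
SAMPLE_EXPORT = """\
MOPZ_ADMIN;SAP_MAINT_ADMIN_COMP
MOPZ_ADMIN;SAP_MAINT_OPT_ADD
MOPZ_VIEW;SAP_MAINT_DIS_COMP
MOPZ_VIEW;SAP_MAINT_OPT_ADMIN
MOPZ_HALF;SAP_MAINT_OPT_DIS
MOPZ_HALF;SAP_SM_SOLUTION_DIS
J_DOE;SAP_MAINT_OPT_ADD
"""


def parse_export(text):
    """Return {user: set_of_assigned_roles} from the flat export."""
    assignments = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (part.strip() for part in line.split(";", 1))
        assignments.setdefault(user, set()).add(role)
    return assignments


def expand_roles(roles):
    """Resolve composite roles to single roles; other roles pass through."""
    single = set()
    for role in roles:
        single |= COMPOSITE_ROLES.get(role, {role})
    return single


def reachable_sections(roles):
    """Navigation panel sections the effective single roles map to."""
    return {NAV_PANEL[r] for r in expand_roles(roles) if r in NAV_PANEL}


def review_user(user, roles):
    """Return a list of finding strings for one user (empty = conforms)."""
    single = expand_roles(roles)
    findings = []
    # 1. XML upload add-on without the administrator authorization it extends.
    if XML_UPLOAD_ROLE in roles and "SAP_MAINT_OPT_ADMIN" not in single:
        findings.append(f"{user}: {XML_UPLOAD_ROLE} assigned without SAP_MAINT_OPT_ADMIN")
    # 2. Display template combined with administrator single roles.
    extra = single & ADMIN_SINGLE_ROLES
    if "SAP_MAINT_DIS_COMP" in roles and extra:
        findings.append(f"{user}: display template extended by {sorted(extra)}")
    # 3. Maintenance Optimizer roles without the work center access roles.
    sections = reachable_sections(roles)
    if sections and "Work Center" not in sections:
        findings.append(f"{user}: no work center access role (SAP_SMWORK_*)")
    return findings


def review_export(text):
    """Review every user in the export; returns {user: [findings]}."""
    return {user: review_user(user, roles) for user, roles in parse_export(text).items()}


if __name__ == "__main__":
    for user, findings in review_export(SAMPLE_EXPORT).items():
        print(user, "OK" if not findings else findings)
```

In the sample, MOPZ_ADMIN matches the administrator template, MOPZ_VIEW is a display user who was additionally given SAP_MAINT_OPT_ADMIN, MOPZ_HALF holds the Maintenance Optimizer view role but cannot reach the work center, and J_DOE has the XML upload add-on on its own. The composite-role table is the page's; extend it with your own Z-roles before running it against a real assignment export.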

16.5.2 User Roles in Managed Systems

In the managed system, your user needs authorization for transactions such as SPAM, SPAU, SNOTE and so on. For more information, see the SAP NetWeaver Security Guide.

16.5.3 Main Authorization Objects

This section gives some information on the main authorization objects. For detailed information, see SDN Wiki for Authorizations.

Authorization Object SM_DPL_EFF

The authorization object controls the access to the Deployment Effort Recording function (create, change, lock = close). It is only contained in role SAP_MAINT_OPT_ADMIN.


16.6 System Recommendations

The view in the work center allows you to:

● see a list of SAP Notes relevant for a dedicated technical system

● create a Maintenance Transaction from it

● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation

The single tabs for SAP Notes can be restricted (authorization object SM_FUNCS).

The following additional roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:

Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)

Security Notes can only be displayed if the user has this role and authorizations. The administrator user is allowed to:

● access Change Management work center

● edit System Recommendations tabs

Mapping: Roles and Navigation Panel

Table 129

Single role | Remarks | Mapping to Navigation Panel of Work Center

SAP_SYSREC_ALL | Authorization for System Recommendations tab | System Recommendations

SAP_SM_SOLUTION_ALL | Authorization for solutions |

SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, host, and so on |

SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center

SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center

Note: In addition, a display role is shipped, but it is currently not supported.


17 Scenario-Specific Guide: Change Request Management

The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all relevant security-related issues for the scenario Change Request Management.

17.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 130

Support Package Stacks (Version) | Document Adaptations

SP05 | General

Change Request Management (sub-scenario of ITSAM Management) is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created within this procedure. The following users are created:

● CHARM Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The corresponding configuration user can be used later on for configuring the Change Request Management settings within ITSAM Management in transaction SOLMAN_SETUP.

● Standard CHARM Template Users: Standard template users for the Change Request Management process are created during the guided procedure of ITSAM Management in transaction SOLMAN_SETUP. These users can be regarded as “demo” template users for Change Request Management. The system automatically assigns the necessary authorization roles with the corresponding authorization values for the SAP standard scenario. If your Change Request Management process requires customizing due to a different process and other user differentiation, you must adapt the authorizations, specifically CRM-related authorizations. The template users are created in the Solution Manager system.

Due to the creation of standard template users in transaction SOLMAN_SETUP, documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. In this security guide, only the corresponding document Text ID in the system is referred to.

For more information, see the Landscape Setup Guide, section User Generation.

Scenario Configuration

Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

Authorization Objects

Added value CRMC in authorization object S_TABU_DIS in all relevant roles.

End-User Roles

● User roles have been adapted according to SU22 default values, see section on Authorization Objects.

● Roles SAP_CM_SMAN_* have been extended due to additional status change values and extended functionality (for instance Downgrade Protection). For detailed information, see the description tab of the relevant roles.

● Additional role SAP_CM_MANAGED_DEVELOPER_RETRO for developers for the retrofit functionality in managed systems, see section on Users and Authorizations.

Additional Functions and User Roles

● Additional role SAP_CM_MANAGED_DEVELOPER_RETRO for developers for the retrofit functionality in managed systems, see section on User Roles for Additional Functions.

● (Only valid for: Solution Manager) New roles SAP_BC_CCTS_CHARM_<user definition>_TMPL for Central CTS Administration, see section on User Roles for Additional Functions.

● Roles for the communication system, see section on User Roles for Additional Functions.

Scenario Integration

Integration possibility with scenario BPCA, see section Scenario Integration.

BW Reporting Integration

You can use the BW reporting functionality with Change Request Management, see section Users and Authorizations for BW roles, and section BW Integration in the Core Guide for detailed information on the BW concept.

Communication Channels/Technical Users

Adapted due to BW RFC connections.

SP06 | Scenario Configuration User

Additional role assignment to the configuration user: SAP_SM_CONF_SEC, which contains authorization object S_DEVELOP with full authorization to execute transaction SNOTE.

SP07 | End-User Roles

For details on the adapted role changes, see the description tab of the specified role:

● SAP_SOCM_CHANGE_MANAGER

● SAP_CM_SMAN_*

SP08 | End-User Roles

For details on the adapted role changes, see the description tab of the specified role:

● SAP_SOCM_TESTER

● SAP_CHARM_CONFIG

SP10 | End-User Roles

For details on the adapted role changes, see the description tab of the specified role:

● SAP_SOCM_*

● SAP_CM_SMAN_*

● SAP_CHARM_CONFIG

● SAP_SOL_PROJ_ADMIN_ALL (adapted with ChaRM-relevant values for authorization objects)

● SAP_CM_MANAGED_ADMIN, SAP_CM_MANAGED_OPERATOR, and SAP_CM_MANAGED_CHANGEMAN

● New role SAP_CM_MANAGED_IMPORT for import authorization; for details, see the new section on Best Practice: Import Authorization.

SOLMAN_SETUP creation of Template Users

● A step for creating template users on managed systems has been integrated into the Change Request Management configuration procedure.

● Added role SAP_ITCALENDAR_DIS to all template users for Solution Manager to view the IT Calendar (adapted respective composite roles).

● Added role SAP_CPR_USER to the Change Management template user for cPro application integration (adapted respective composite role).

● Added role SAP_SYSTEM_REPOSITORY_DISP for LMDB usage (adapted respective composite role).

● Added role SAP_SM_RFC_ADMIN for transaction SM59 administration.

SP11 | Import Authorizations

Managed system roles have been adapted to the requirements of import authorizations and a secure role concept. For details on the adapted role changes, see the description tab of the specified role in transaction PFCG. For more information on the concept, see section Best Practice: Import Authorization in Managed Systems:

● SAP_CM_MANAGED_TESTER

● SAP_CM_MANAGED_DEVELOPER

● SAP_CM_MANAGED_CHANGEMAN

● SAP_CM_MANAGED_OPERATOR

CSOL Back-Destination

● Added information on the CSOL back-destination for the cross-system lock function, see sections on Technical Users and Communication Channels.

● Adapted role SAP_SOLMANTMWCOL accordingly.

CTS Integration in Change Request Management

● See section User Role for CTS Integration.

SP12 | End-User Roles

For details on the adapted role changes, see the description tab of the specified role:

● SAP_CHARM_CONFIG

● SAP_SMWORK_CHANGE_MAN (Best Practice link)

17.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario to your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● CRM Standard Customizing for Solution Manager: find out about the standard CRM customizing delivered by SAP, and how to adapt roles if you copy transaction types, and so on.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles which represent them. Here, you also find information on the relevant work center(s).

● System Recommendation: find out about additional roles for the view System Recommendation.

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.

Additional Important Information Sources

● Check general SAP Note 1574224.


17.3 Prerequisites

17.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete Change Request Management scenario. The SAP Solution Manager is connected via READ RFC, TRUSTED RFC, and TMW RFC to your managed systems, and your managed systems are connected to the SAP Solution Manager via BACK RFC. A SAPOSS connection to SAP is in place. In addition, RFC connections exist between managed systems, for instance for retrofit purposes. The following sections describe all connections in more detail: when they are used, and which technical users are required.

Figure 70: Infrastructure

17.3.2 Scenario Configuration User

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

● the BW integration concept, see Core Guide chapter on BW integration.

The scenario CHARM is configured using transaction SOLMAN_SETUP.

To configure the scenario proceed as follows:


Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.

During basic automated configuration, you can create a specific configuration user (default technical name: SMC_CHRM_<XXXClient>) for CHARM (Help Text ID: USER_CONFIG_CHARM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you want to create the configuration user manually, you need to assign:

● the composite role SAP_CM_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.

● the composite role SAP_SM_BW_CHARM_ADMIN_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.

Scenario Configuration transaction SOLMAN_SETUP

You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Change Request Management for ITSAM Service Management.

During the specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles, see the corresponding sections on Users and User Roles.

17.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.


Table 131

Communication Channel | Protocol | Type of Data Transferred / Function

Solution Manager to managed systems | RFC | Reading information from managed systems

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are automatically created via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 132

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks

SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | This RFC is generally needed for reading data in connection with transports (transport infrastructure), such as tracking reporting or object changes, and reading the status of transports.

SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | The RFC connection is mandatory for all tasks that involve system changes due to transports. Within the task list framework, the logon prompt is avoided.

SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system> | Only necessary when transport management is in place; allows for creating and releasing transport requests via remote pattern.

RFC Connection from Managed System to SAP Solution Manager

Table 133

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | Default user: SMB_<managed system ID> | Back connection from the managed system to SAP Solution Manager | Automatically created via transaction SOLMAN_SETUP (view: Managed Systems)
SM_<SID>CLNT<Client>_BACK_CSOL (ABAP connection) | Solution Manager system | System-specific | System-specific | Customer-specific | For function Cross System Object Lock (CSOL). Note: SAP Solution Manager manages the lock information. | Manually created
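The naming and logon conventions in Tables 132 and 133 can be checked mechanically. The script below is an added example and is not part of this guide or of SAP Solution Manager: it reads a constructed export of RFC destinations (the record fields are a simplification of what transaction SM59 shows, not SAP's own field names) and reports every destination that deviates from the convention, for instance a TRUSTED destination that stores a password or a TMW destination that logs on with a user other than SMTM<SID>. The Solution Manager SID SMP, the managed system ERP, and the sample destinations are assumptions made for the example.

```python
"""Added example: policy check for Change Request Management RFC destinations.

Input is a constructed list of destination records (field names are a
simplification of the SM59 attributes, not SAP's own names)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SOLMAN_SID = "SMP"  # assumption: SID of the SAP Solution Manager system

# Convention from Tables 132 and 133: SM_<SID>CLNT<client>_<kind>.
# <SID> is the target system: the managed system for READ/TRUSTED/TMW
# (destinations living in Solution Manager), Solution Manager itself for
# BACK/BACK_CSOL (destinations living in the managed system).
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})"
    r"_(?P<kind>READ|TRUSTED|TMW|BACK_CSOL|BACK)$"
)


@dataclass(frozen=True)
class Dest:
    name: str
    user: str            # logon user stored in the destination ("" if none)
    has_password: bool   # a password is stored in the destination
    trusted: bool        # "Trusted System" flag is set
    current_user: bool   # "Current User" flag is set (caller's identity is forwarded)


def expected_user(kind: str, solman_sid: str = SOLMAN_SID) -> str | None:
    """Default technical user per kind (Tables 132/133, 137/138, 140).
    BACK users carry the managed SID, which the destination name does not
    contain, so only the SMB_ prefix is checked for them."""
    return {"READ": f"SM_{solman_sid}", "TMW": f"SMTM{solman_sid}"}.get(kind)


def check_destination(d: Dest, solman_sid: str = SOLMAN_SID) -> list[str]:
    """Return the policy violations of one destination (empty list = OK)."""
    m = DEST_RE.match(d.name)
    if not m:
        return ["name does not follow the SM_<SID>CLNT<client>_<kind> convention"]
    sid, kind = m["sid"], m["kind"]
    findings: list[str] = []
    if kind == "TRUSTED":
        # Trusted destination: the calling user's identity is forwarded and
        # checked against S_RFCACL on the target; nothing is stored locally.
        if not (d.trusted and d.current_user):
            findings.append("TRUSTED destination must have Trusted System and Current User set")
        if d.has_password or d.user:
            findings.append("TRUSTED destination must not store a logon user or password")
        return findings
    # Every other kind logs on with a dedicated technical (system/service) user.
    if d.trusted or d.current_user:
        findings.append(f"{kind} destination must not use trust or current user")
    if not d.user or not d.has_password:
        findings.append(f"{kind} destination must log on with a stored technical user")
    exp = expected_user(kind, solman_sid)
    if exp and d.user != exp:
        findings.append(f"logon user {d.user!r}, expected {exp!r}")
    if kind in ("BACK", "BACK_CSOL") and sid != solman_sid:
        findings.append(f"BACK destination must target Solution Manager ({solman_sid}), not {sid}")
    if kind == "BACK" and not d.user.startswith("SMB_"):
        findings.append(f"BACK logon user {d.user!r} should be SMB_<managed SID>")
    return findings


def audit(dests: list[Dest], solman_sid: str = SOLMAN_SID) -> dict[str, list[str]]:
    """Map destination name -> findings, only for destinations with findings."""
    return {d.name: f for d in dests if (f := check_destination(d, solman_sid))}


# Constructed sample export (not real systems): managed system ERP, client 100.
SAMPLE = [
    Dest("SM_ERPCLNT100_READ", "SM_SMP", True, False, False),      # OK
    Dest("SM_ERPCLNT100_TRUSTED", "", False, True, True),         # OK
    Dest("SM_ERPCLNT100_TMW", "DDIC", True, False, False),        # wrong logon user
    Dest("SM_ERPCLNT200_TRUSTED", "SM_SMP", True, False, False),  # not trusted, password stored
    Dest("SM_SMPCLNT001_BACK", "SMB_ERP", True, False, False),    # OK (lives in managed system)
    Dest("Z_ERP_ADHOC", "SAP*", True, False, False),              # off-convention
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The check is deliberately strict about TRUSTED destinations: a destination of that kind with a stored password silently turns a trusted connection into a hard-coded credential, and a READ or TMW destination that forwards the calling user gives every dialog user in Solution Manager the access of the connection instead of that of the technical user.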

BW Reporting RFC Connections

Table 134

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in the BW standard scenario), for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient> (if BW is realized in the remote BW scenario), for content activation and data download | Managed system or Solution Manager system | System-specific | System-specific | System-specific | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient>, BI callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
Trusted RFC to remote BW system SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user | Used to read data from the remote BW system for BI reporting; created during SOLMAN_SETUP

Retrofit RFC - Connections

Table 135

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User | Remarks
RETRO_<SID>_<CLNT> | Managed system, development system (implementation landscape) | System-specific | System-specific | Customer-specific | Trusted RFC connection, for transport of copies
CWBADM_<SID>_<CLNT> | Managed system, development system (maintenance landscape) | System-specific | System-specific | Customer-specific | Trusted RFC connection, for comparison and merge of coding according to the To-Do list in the Correction Workbench

TMS CI RFC - Connections

As of SAP Solution Manager 7.1, you can use trusted RFC connections instead of TMS CI RFC connections. For more information, see SAP Note 1384598.

Internet Graphics Server (IGS) RFC Connection

Table 136

RFC Destination Name | Activation Type | How Created
IGS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59


17.3.4 Technical Users

Note: See SAP Note 807228.

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Change Request Management scenario.

User for READ Access in Managed Systems (RFC connection READ)

Table 137

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. Generated automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates the password of this user. If you change the password in User Management (transaction SU01), you also have to change it in the RFC destination in the Solution Manager system.

User for Back Destination in SAP Solution Manager System

Table 138

User (Password) | Type | Remarks
SMB_<managed system ID> (system-specific) | System user | Technical user ("Back user"), assigned role <namespace>_SOLMAN_BACK. Created automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates the password of this user. If you change the password in User Management (transaction SU01) in the Solution Manager system, you also have to change it in the BACK RFC destination that uses it (see Table 133).

User for CSOL Back Destination in SAP Solution Manager System

Table 139

User (Password) | Type | Remarks
Customer-specific user | Service user | Technical user, created manually (see the documentation in the IMG or transaction SOLMAN_SETUP), assigned role <namespace>SAP_SOLMANTMWCOL.

Caution: If you change the password of this user in User Management (transaction SU01), you also have to change it in the BACK_CSOL RFC destination that uses it (see Table 133).

User for TMW Connection (Read and Batch Authorization) in Managed Systems

Table 140

User | User Type | Remarks
SMTM<SID of Solution Manager system> (system-specific) | System user | Technical user ("TMW user"), assigned role <namespace>_SOLMAN_TMW. Generated automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.

User for BW Reporting (Reorganization of Data and Configuration Validation)

Table 141

User | User Type | Remarks
BI_CALLBACK | System user | Technical user for reorganization of BW data, assigned role SAP_BI_CALLBACK. Generated automatically during configuration via transaction SOLMAN_SETUP.
SMD_BI_RFC (in case of a remote BW system) | System user | Technical user for data download
SM_EFWK | System user | Technical user for extractor execution

Caution: During automatic basic configuration, the system generates the password of user BI_CALLBACK. If you change the password in User Management (transaction SU01), you also have to change it in the RFC destination in the Solution Manager system.

17.4 CRM Standard Customizing for Solution Manager

The Change Request Management scenario is based on CRM 7.0 EHP1 and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM customizing, and the delivered values are also maintained in the CRM authorization objects for Change Request Management. The following table gives you an overview of the transaction types used.

Caution: If you copy the SAP standard customizing, you need to add the changed values (for example, your own transaction types) to the corresponding CRM authorization objects for the scenario; otherwise the authorization checks do not know them. See also the How-to Guide on maintaining authorization objects.

Transaction Types

Table 142

Transaction Type | Usage | Remarks
SDAD | Administration | Not supported in Release 7.1. Note: new transaction type for this usage: SMAD.
SDCD | Job Request Change Document |
SDCR | Change Request | Not supported in Release 7.1. Note: new transaction type for this usage: SMCR.
SDDV | Project Cycle | Not supported in Release 7.1. Note: new transaction type for this usage: SMDV.
SMDV | Project Cycle | Supported. Note: new with Release 7.1.
SDHF | Urgent Correction | Not supported in Release 7.1. Note: new transaction type for this usage: SMHF.
SMHF | Urgent Change | Supported. Note: new with Release 7.1.
SDMI | Normal Correction with transport of copies | Not supported in Release 7.1. Note: new transaction type for this usage: SMMJ.
SDMJ | Normal Correction with transport of copies | Not supported in Release 7.1. Note: new transaction type for this usage: SMMJ.
SMMJ | Normal Change (Standard) | Supported. Note: new with Release 7.1.
SDMM | Maintenance Cycle | Not supported in Release 7.1. Note: new transaction type for this usage: SMMM.
SMMM | Maintenance Cycle | Supported. Note: new with Release 7.1.
SDMN | Maintenance Cycle | Not supported in Release 7.1. Note: new transaction type for this usage: SMMN.
SMMN | Maintenance Cycle | Supported. Note: new with Release 7.1.
SDTM | Test Message | Not supported in Release 7.1. Note: new transaction type for this usage: SMTM.
SMTM | Defect Correction | Supported. Note: new with Release 7.1.
SMCG | General Change | Supported. Note: new with Release 7.1.
SMCR | Request for Change | Supported. Note: new with Release 7.1.
SMCT | Request for Change Template | Supported. Note: new with Release 7.1.
SMAD | Administration | Supported. Note: new with Release 7.1.

17.5 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the SAP Solution Manager system and in the managed systems.

When you work in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the roles accordingly.


Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.

Roles for Change Request Management are predefined composite roles (technical name suffix: *_COMP). Each composite role contains the set of single roles that are relevant for the business tasks of that user type.

Figure 71: Example: Urgent Correction Process

17.5.1 Users and Roles

This section gives an overview of the users recommended by SAP and the roles assigned to them for Change Request Management. Every user is assigned a composite role, which contains a number of single roles.

Work Center

The work center represents the workspace of a user and gives access to all tools necessary for that user's work. You can assign the delivered composite roles to your users. If you want to restrict access and authorizations for a particular user, access to the navigation panel is restricted by using authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.


Figure 72: Change Management Work Center

The tables below show which single roles are included in each composite role. An additional column indicates for which section of the navigation panel the single role is absolutely necessary. Since the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not mentioned separately.

Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW System

Trusted authorizations are needed between SAP Solution Manager and its managed systems, as well as between SAP Solution Manager and a remote BW system.

● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.

Because of their highly security-relevant character, neither role is contained in the composite roles: S_RFCACL decides which users of which trusting system and client may log on through a trusted RFC connection without a password under the target user ID. Assign these roles explicitly and keep the field values (calling system, client, and user) as narrow as possible.

Requester (Help Text-ID: TP_CM_REQ)

Single Roles for Requester (technical composite role name: SAP_CM_REQUESTER_COMP) in the SAP Solution Manager System

Table 143

Role Help Text-ID

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME


Role Help Text-ID

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQ

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

Change Manager (Help Text-ID: TP_CH_CM)

Single Roles for Change Manager (technical role name: SAP_CM_CHANGE_MANAGER_COMP) in the SAP Solution Manager System

Table 144

Role Help Text-ID

SAP_CM_SMAN_CHANGE_MANAGER AUTH_SAP_CM_SMAN_CM

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_CHANGE_MANAGER AUTH_SAP_SOCM_CM

SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_CPR_USER AUTH_SAP_CPR_USER

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR

Technical composite role name in the BW system: SAP_SM_BW_CHARM_DISPLAY_COMP

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID in the BW system.

Table 145

Single Roles Help Text ID

SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E

SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP

Role in the Managed System

The role must be assigned to the user with the same user ID in the managed system.


Table 146

Assigned Role Help Text-ID

SAP_CM_MANAGED_CHANGE_MANAGER AUTH_SAP_CM_MANAGED_CHANGE

SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT

Developer (Help Text-ID: TP_CM_DEV)

Note: For import authorizations, see SAP Note 807228.

Single Roles for Developer (technical role name: SAP_CM_DEVELOPER_COMP) in the SAP Solution Manager System

Table 147

Role Help Text-ID

SAP_CM_SMAN_DEVELOPER AUTH_SAP_CM_SMAN_DEVELOP

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_DEVELOPER AUTH_SAP_SOCM_DEVELOPER

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

Role in the Managed System

The role must be assigned to the user with the same user ID in the managed system.

Table 148

Assigned Role Help Text-ID

SAP_CM_MANAGED_DEVELOPER AUTH_SAP_CM_MANAGED_DEVELOP

SAP_CM_MANAGED_DEVELOPER_RETRO Additional role for functionality of Retrofit. Needs to be assigned manually.

SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT

Tester (Help Text-ID: USER_TP_CH_TESTER)

Note: For import authorizations, see SAP Note 807228.

Single Roles for Tester (technical role name: SAP_CM_TESTER_COMP) in the SAP Solution Manager System


Table 149

Role Help Text-ID

SAP_CM_SMAN_TESTER AUTH_SAP_CM_SMAN_TESTER

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_TESTER AUTH_SAP_SOCM_TESTER

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

Role in the Managed System

The role must be assigned to the user with the same user ID in the managed system.

Table 150

Assigned Role Help Text-ID

SAP_CM_MANAGED_TESTER AUTH_SAP_CM_MANAGED_TESTER

SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT

IT-Operator (Help Text-ID: TP_CM_OPERATOR)

Single Roles for IT-Operator (technical role name: SAP_CM_OPERATOR_COMP) in the SAP Solution Manager System

Table 151

Role Help Text-ID

SAP_CM_SMAN_OPERATOR AUTH_SAP_CM_SMAN_OPERATOR

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_IT_OPERATOR AUTH_SAP_SOCM_OPERATOR

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR


Technical composite role name in the BW system: SAP_SM_BW_CHARM_DISPLAY_COMP

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID in the BW system.

Table 152

Single Roles Help Text ID

SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E

SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP

Role in the Managed System

The role must be assigned to the user with the same user ID in the managed system.

Table 153

Assigned Role Help Text-ID

SAP_CM_MANAGED_OPERATOR AUTH_SAP_CM_MANAGED_OPERATOR

Administrator (Help Text-ID: TP_CH_ADMIN)

Single Roles for Administrator (technical role name: SAP_CM_ADMINISTRATOR_COMP) in the SAP Solution Manager System

Table 154

Role Help Text-ID

SAP_CM_SMAN_ADMINISTRATOR AUTH_SAP_CM_SMAN_ADMIN

SAP_CPR_PROJECT_ADMINISTRATOR AUTH_SAP_CPR_PROJECT_ADMIN

SAP_CPR_USER AUTH_SAP_CPR_USER

SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM

SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN

SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME

SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN

SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN

SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM

SAP_SOCM_ADMIN AUTH_SAP_SOCM_ADMIN

SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS

SAP_SOL_PROJ_ADMIN_ALL AUTH_SAP_PROJ_ADMIN_ALL

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER

SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR

Technical composite role name: SAP_SM_BW_CHARM_ADMIN_COMP in the BW system


If you use the remote BW scenario, these roles must be assigned to the user with the same user ID in the BW system.

Table 155

Single Roles Help Text ID

SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E

SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN

Role in the Managed System

The role must be assigned to the user with the same user ID in the managed system.

Table 156

Assigned Role Help Text-ID

SAP_CM_MANAGED_ADMIN AUTH_SAP_CM_MANAGED_ADMIN

17.5.2 Best Practice: Manage Import Authorizations in Managed Systems

Import authorizations are necessary in the Change Management process. They allow business users to automatically create transport requests and to import transports from a source system into target systems. The authorization object required is S_CTS_ADMI. If you use cluster or non-ABAP systems as TMS communication systems, we recommend using the equivalent authorization object S_CTS_SADM instead; S_CTS_SADM additionally allows you to restrict the authorization to specific systems and domains.

Prerequisites

You are using the delivered standard roles SAP_CM_MANAGED_* for users in your managed systems. These roles contain security-critical authorizations for the individual business users, which should be handled separately.

Procedure

We recommend two alternatives for handling these security-critical authorizations, depending on the level of security protection required for your systems:

● a) Use the existing standard roles for managed systems (with the import authorization assigned)

● b) Use the delivered import role SAP_CM_MANAGED_IMPORT

Use Existing Standard Roles

Use the existing roles for users who need the additional import authorizations.


Use Delivered Import Role SAP_CM_MANAGED_IMPORT

This practice allows you to assign role SAP_CM_MANAGED_IMPORT to any business user who requires it. The role contains all required import authorizations, kept apart from the user's other roles, so it can be granted and revoked on its own.

Caution: The above roles should only be assigned to the following users in the systems mentioned, and never in production systems or other security-relevant systems:

● Developers in consolidation systems

● Testers in all test systems

● Change Managers in consolidation systems

A combination of authorization object S_DATASET with S_CTS_ADMI values IMPA and EPS1 can jeopardize the security of your system: S_DATASET grants file access on the application server, and together with IMPA (import) and EPS1 (EPS file transfer) a user could bring transport files onto the server and import them outside the controlled change process. The combination is evaluated per user, not per role, so it is just as critical when the two objects come from different roles. You should only use this practice if you require a smooth Change Request Management process.
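Both checks that this section and the section on trusted RFC authorizations call for can be run offline over an export of the role tables: users who combine S_CTS_ADMI IMPA or EPS1 with S_DATASET write access through any of their roles, and S_RFCACL authorizations that accept any calling system or any user of the trusting system. The script below is an added example, not taken from this guide or from SAP. It uses a constructed, simplified extract of tables AGR_1251 (authorization field values per role) and AGR_USERS (role-to-user assignment); the role, authorization, and user names are invented for the example, real exports carry more columns, and the HIGH (upper range) column is ignored.

```python
"""Added example: two authorization reviews over role-table exports.

users_with_import_and_file_access(): users who combine S_CTS_ADMI
  (CTS_ADMFCT IMPA or EPS1) with S_DATASET write access (ACTVT 34) through
  any of their roles. Each authorization object is checked on its own at
  runtime, so the combination is real even when split across two roles,
  which is why this works per user and not per role.
broad_rfcacl_grants(): S_RFCACL authorizations that accept any calling
  system/client, or let any user of the trusting system act under the target
  user ID (RFC_EQUSER = N together with RFC_USER = *).

Input: constructed, simplified extracts of AGR_1251 and AGR_USERS
(semicolon-separated; real tables have more columns, HIGH is ignored)."""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample data; role, authorization and user names are invented.
AGR_1251 = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_CM_MANAGED_DEVELOPER;S_DATASET;T-0001;ACTVT;34;
Z_CM_MANAGED_DEVELOPER;S_DATASET;T-0001;FILENAME;*;
Z_CM_MANAGED_IMPORT;S_CTS_ADMI;T-0002;CTS_ADMFCT;IMPA;
Z_CM_MANAGED_IMPORT;S_CTS_ADMI;T-0002;CTS_ADMFCT;EPS1;
Z_CM_MANAGED_TESTER;S_CTS_ADMI;T-0003;CTS_ADMFCT;IMPS;
Z_SM_S_RFCACL;S_RFCACL;T-0004;RFC_SYSID;SMP;
Z_SM_S_RFCACL;S_RFCACL;T-0004;RFC_CLIENT;001;
Z_SM_S_RFCACL;S_RFCACL;T-0004;RFC_USER;;
Z_SM_S_RFCACL;S_RFCACL;T-0004;RFC_EQUSER;Y;
Z_SM_S_RFCACL;S_RFCACL;T-0004;ACTVT;16;
Z_RFC_OPEN;S_RFCACL;T-0005;RFC_SYSID;*;
Z_RFC_OPEN;S_RFCACL;T-0005;RFC_CLIENT;*;
Z_RFC_OPEN;S_RFCACL;T-0005;RFC_USER;*;
Z_RFC_OPEN;S_RFCACL;T-0005;RFC_EQUSER;N;
Z_RFC_OPEN;S_RFCACL;T-0005;ACTVT;16;
"""
AGR_USERS = """AGR_NAME;UNAME
Z_CM_MANAGED_DEVELOPER;DEV01
Z_CM_MANAGED_IMPORT;DEV01
Z_CM_MANAGED_TESTER;TEST01
Z_SM_S_RFCACL;DEV01
Z_RFC_OPEN;BASIS01
"""

IMPORT_FUNCS = {"IMPA", "EPS1"}  # CTS_ADMFCT values named in the caution above
DATASET_WRITE = {"34", "*"}      # S_DATASET ACTVT: write (34) or everything


def load(table: str) -> list[dict[str, str]]:
    """Parse a semicolon-separated table extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(table), delimiter=";"))


def users_with_import_and_file_access(agr_1251, agr_users) -> list[str]:
    roles_of: dict[str, set[str]] = defaultdict(set)
    for row in agr_users:
        roles_of[row["UNAME"]].add(row["AGR_NAME"])
    import_roles, write_roles = set(), set()
    for r in agr_1251:
        if (r["OBJECT"] == "S_CTS_ADMI" and r["FIELD"] == "CTS_ADMFCT"
                and (r["LOW"] in IMPORT_FUNCS or r["LOW"] == "*")):
            import_roles.add(r["AGR_NAME"])
        if r["OBJECT"] == "S_DATASET" and r["FIELD"] == "ACTVT" and r["LOW"] in DATASET_WRITE:
            write_roles.add(r["AGR_NAME"])
    # Union over the user's roles: the toxic combination exists per user.
    return sorted(u for u, roles in roles_of.items()
                  if roles & import_roles and roles & write_roles)


def broad_rfcacl_grants(agr_1251) -> list[tuple[str, str, str]]:
    # Group by authorization instance (role, AUTH): an S_RFCACL check passes
    # only if all fields match within one instance, so values of different
    # instances must not be mixed.
    inst = defaultdict(lambda: defaultdict(set))
    for r in agr_1251:
        if r["OBJECT"] == "S_RFCACL":
            inst[(r["AGR_NAME"], r["AUTH"])][r["FIELD"]].add(r["LOW"])
    findings = []
    for (role, auth), fields in sorted(inst.items()):
        if "*" in fields["RFC_SYSID"] or "*" in fields["RFC_CLIENT"]:
            findings.append((role, auth, "accepts any calling system or client"))
        if fields["RFC_EQUSER"] & {"N", "*"} and "*" in fields["RFC_USER"]:
            findings.append((role, auth, "any user of the trusting system may act as this user"))
    return findings


if __name__ == "__main__":
    rows, assignments = load(AGR_1251), load(AGR_USERS)
    print("import + file write:", users_with_import_and_file_access(rows, assignments))
    for role, auth, why in broad_rfcacl_grants(rows):
        print(f"{role}/{auth}: {why}")
```

On the sample data the first check reports DEV01, who holds the file-write authorization through Z_CM_MANAGED_DEVELOPER and the import authorization through Z_CM_MANAGED_IMPORT, while a per-role review of either role alone would pass; the second check flags only the wide-open Z_RFC_OPEN authorization and accepts the one pinned to system SMP, client 001, and identical user IDs.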

17.5.3 User Roles for Additional Functions

17.5.3.1 User Roles for Retrofit

To be able to execute the retrofit functionality, the developer needs additional authorizations in the managed system: assign role SAP_CM_MANAGED_DEVELOPER_RETRO to the developer user. Check the user definition for the developer in your Solution Manager system in transaction SOLMAN_SETUP, guided procedure for Change Request Management.

17.5.3.2 User Roles for Communication Systems

In the communication systems, you require the same roles as for your managed systems. See section Users and Authorizations.

17.5.3.3 CTS-Integration User Roles in the SAP Solution Manager

You can use CTS with Change Request Management. To be able to use this integration, assign the following roles to your SAP Solution Manager users.

RFC Destinations

You require:

● the TMW RFC destination

● TMS Deploy Destination ([email protected])


Transport Authorization Roles

The following template roles are delivered for the CTS integration:

● Developer - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_DEVELOP_TMPL)

● IT Operator - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_OPERAT_TMPL)

● Change Manager - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_CH_MGR_TMPL)

● Administrator - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_ADMIN_TMPL)

● Tester - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_TESTER_TMPL)

All five roles allow the user to:

● create projects in CTS (system-specific and cluster-specific)

● create and delete import locks (system-specific and cluster-specific)

● trigger imports (system-specific and cluster-specific)

● create, change, delete, and release collections (system-specific and cluster-specific)

In addition, the IT Operator, Change Manager, and Administrator roles allow the user to change import queues. The Developer and Tester roles do not.


17.5.4 Main Authorization Objects

This section gives you an overview over the main authorization objects. For detailed information, see SDN Wiki for Authorizations.

General Information

Roles SAP_SOCM_* and SAP_CM_SMAN_* are maintained according to the profile generator default values for all ST-relevant transactions. The following transactions contain values according to software components SAP_ABA and BBPCRM: SCMA, CRMD_ORDER, CRM_DNO_MONITOR. Therefore, all CRM objects, TMWFLOW objects, and authorization object S_PROGRAM appear with status Manual within the roles.

Roles SAP_CM_SMAN_* contain a number of /TMWFLOW/ authorization objects with status Manual due to transaction SCMA. Authorization object B_BUPA_RTL and the CRM authorizations are set to inactive in SAP_CM_SMAN_*, as all business partner (BP) authorizations are contained in roles SAP_SOCM_*. The roles SAP_CM_SMAN_* contain all additional authorizations for solutions and projects (note: for Change Request Management, solution and project authorizations are not separated into infrastructure roles), RFC authorizations, and table access authorizations.

In the SAP_SOCM_* roles, development environment authorizations are set to inactive. SAP_SOCM_* roles contain BP authorizations, product master authorizations, status change authorizations, HR authorizations such as authorization object PLOG, and all relevant CRM authorizations.

As Change Request Management is highly integrated into CRM, please see section on CRM integration in the Core Guide.

CRM Authorization Objects

Roles for Change Request Management contain CRM - authorizations. For more information on CRM - authorization objects, see Core Security Guide, section on CRM integration.

Authorization Objects B_USERST_T and B_USERSTAT (status change)

In the roles for Change Request Management, authorization object B_USERST_T (the status of a change document can only be set by the system, that is, through the transaction) is used instead of B_USERSTAT (the status of the change document can be set directly by the user).

Authorization Object S_RFC (RFC access)

Roles for the managed system contain authorization object S_RFC. Its values end with an asterisk (*), because the length of the authorization field was not sufficient for these function group names in SAP_BASIS Release 4.6C. Note that such a value matches every function group that starts with the given prefix, so review these entries when you adapt the roles for newer releases.

Authorization Object S_TABU_DIS (table access)

In user roles for Change Management you find authorization object S_TABU_DIS. Authorization group CRMC protects all relevant customizing views and customizing clusters for this scenario.

17.6 System Recommendations

The view in the work center allows you to:

● see a list of SAP Notes relevant for a dedicated technical system


● create a Maintenance Transaction from it

● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation

The single tabs for SAP Notes can be restricted (authorization object SM_FUNCS).

The following roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:

Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)

Security Notes can only be displayed if the user has this role and its authorizations. The administrator user is allowed to:

● access Change Management work center

● edit System Recommendations tabs

Mapping: Roles and Navigation Panel

Table 157

Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_SYSREC_ALL | Authorization for the System Recommendations tab | System Recommendations
SAP_SM_SOLUTION_ALL | Authorization for solutions | System Recommendations
SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, hosts, and so on | System Recommendations
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the Change Management work center | Work Center

Note: In addition, a display role is shipped, but it is currently not supported.

17.7 Scenario Integration

Change Request Management refers to the phase in your product life cycle in which you define and refine your business processes by means of projects, business blueprints, and related activities. According to the end-to-end business process life cycle, this phase needs to integrate with a number of other functions that come into play in your daily business, such as the handling of problems. The following sections describe the integration of Change Request Management with other scenarios within SAP Solution Manager, and which user roles apply.

Note: For more details on each individual scenario, see the corresponding Scenario-Specific Guide.


Customizing Synchronization

Customizing Synchronization is part of the scenario Implementation and Upgrade. For more information, see the scenario-specific guide for Implementation and Upgrade and SAP Note 1061644.

Incident Management

A change request can result from an incident (a service desk message). Service desk messages can be created by any user, including the requester. To be able to do so, the user needs the role SAP_SUPPDESK_CREATE_COMP.

Figure 73: Integration with Incident Management

Note: If you are a service provider, you need to assign the according service provider roles. For more information, see the specific Service Provider Guide.

Test Management

● As of Release 7.1, in the assignment block Test Management, you can maintain test plans and test packages. This requires authorization object S_TWB for test management. You can either assign this authorization with the required field values to your user, or you can assign the role for test plans SAP_STWB_2_*.

● Testing normal corrections and urgent corrections requires test management role for the tester: SAP_STWB_WORK_ALL.

Document Management

As of Release 7.1, in the assignment block Documents, you can maintain documents. This requires authorization object S_IWB for document management. A user who has authorization object S_IWB assigned is able to select any document that is maintained in transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY for the required project or solution. Therefore, this authorization is not included in the Change Request Management roles, as this constellation may pose a security problem within your company. If you want to use the assignment block Documents, you need to assign this authorization explicitly to your users. You can restrict this authorization to folder groups. To do this, go to transaction SPRO in your SAP Solution Manager system and execute the IMG activity Definition of Folder Groups under node SAP Solution Manager > Technical Settings > Document Management > Authorizations.

Quality Gate Management (QGM)

You can integrate QGM with Change Request Management. When integrating, assign the respective roles for QGM to your users according to the tasks they have to perform. See the scenario-specific guide for QGM.

Figure 74: Integration QGM

Maintenance Optimizer

You can integrate with Maintenance Optimizer. When integrating, assign the respective roles to your users according to the tasks they have to perform. See the scenario-specific guide for Maintenance Optimizer.

Solutions and Solution Directory

If you want to work with the Solution Directory and create change requests from there, you additionally need to assign the role SAP_SOLMAN_DIRECTORY_EDIT or SAP_SOLMAN_DIRECTORY_ADMIN to your user.


Figure 75: Integration with Solution Directory

Business Process Change Analyzer

For BPCA integration, you need to add additional BPCA roles, depending on which BPCA functionality you use; see the scenario-specific guide for Business Process Change Analyzer.

Configuration Validation

See the scenario-specific guide for Configuration Validation.


18 Scenario-Specific Guide: Quality Gate Management

The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using such units as projects (for implementation and optimization) and solutions (for productive operations). All processes need quality assurance. This guide gives you an overview of all relevant security-related issues for the function Quality Gate Management.

Figure 76: Quality Gate Management Process

18.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.


Table 158

Support Package Stack (Version) | Document Adaptations

SP05
Authorization Objects: Added values TSTM, CRMC in authorization object S_TABU_DIS in role SAP_STWB_SET_ALL.
End-User Roles: Added role SAP_SOL_KW_ALL to all composite roles. The following end-user roles were changed. For detailed information, see the Description tab of the role in transaction PFCG.
● SAP_SM_QGM_ALL
● SAP_SM_QGM_CHANGE
● SAP_SM_QGM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB

SP07
Added section on CRM Customizing.

SP10
End-User Roles: The following end-user roles were changed. For detailed information, see the Description tab of the role in transaction PFCG.
● SAP_SM_QGM_ALL
● SAP_SM_QGM_CHANGE
● SAP_SM_QGM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB
● SAP_SM_QGM_CM_ALL
● SAP_SM_QGM_CM_TRANSPORT
● all composite roles, due to the integration of roles SAP_ITCALENDER_DIS (IT calendar integration) and SAP_SYSTEM_REPOSITORY_DIS (LMDB integration)
Additional Roles: For the integration of QGM with CTS in SAP Solution Manager, the roles SAP_BC_CCTS_QGM_*_TMPL are delivered. For more information, see the new section on CTS Integration Roles.

SP11
End-User Roles: The following end-user roles were changed. For detailed information, see the Description tab of the role in transaction PFCG.
● SAP_SM_QGM_CM_ALL
● SAP_SM_QGM_CM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB

18.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles that represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.

18.3 Prerequisites

18.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete implementation and upgrade scenario. SAP Solution Manager is connected to your managed systems via READ-RFC, TRUSTED-RFC (alternatively LOGIN), and TMW-RFC, and your managed systems are connected to SAP Solution Manager via BACK-RFC. The following sections describe in more detail when each connection is used and which technical users it requires.


Figure 77: Infrastructure

18.3.2 Configuration

Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.

Scenario Configuration transaction SPRO

To run Quality Gate Management, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.


Figure 78: Transaction SPRO

Configuration Roles

There are no specific configuration roles for using transaction SPRO. Nevertheless, you can create your own configuration roles. For more information, see the according How-to Guide.

18.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 159

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to managed systems | RFC | Reading information from managed systems

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).


RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 160

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Reads data from the managed system, see scenario-specific guide for Change Request Management
SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system> | Used for specific Change Management authorization, see scenario-specific guide for Change Request Management

Internet Graphics Server (IGS) RFC Connection

Table 161

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59

18.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Quality Gate Management scenario.

User for READ Access in Managed Systems

Users for RFC connection READ

Table 162

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User for TMW Connection for Read Authorization and Batch Authorization in Managed Systems

User for Change Management Connection in managed systems

Table 163

User | User Type | Remarks
SMTM<SID of Solution Manager system> (system-specific) | System User | Technical user, "TMW User", assigned role <namespace>_SOLMAN_TMW. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

18.4 CRM Standard Customizing for Solution Manager

The Quality Gate Management scenario is based on CRM, and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers a standard CRM customizing, which is also maintained in the individual CRM authorization objects. The following table gives you an overview of the transaction types used.

Caution: If you copy SAP standard customizing, you need to add the changed values to the according CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.

Transaction Type

Table 164

Transaction Type | Usage | Remarks
SMQC | Quality Gate Management | supported

18.5 Users and Authorizations

18.5.1 User Descriptions and User Roles in the SAP Solution Manager

This paragraph gives an overview of the users recommended by SAP and their according user role assignments for Quality Gate Management. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.

Figure 79: Change Management Work Center

The tables below show which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is strictly required. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.


IT Operator (technical role name: SAP_QGM_TRANSPORT_COMP)

The IT operator creates transport requests, assigns them to the developers, and releases the transports after the development work is finished. The IT operator also triggers the import into the different systems.

Table 165

Single Roles | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_TRANSPORT | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management |

Development Lead (technical role name: SAP_QGM_CHANGE_MANAGER_COMP)

The development lead manages changes within the QGM project (for instance: create, edit, delete, status).

Table 166

Single Roles | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_CHANGE | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management |
SAP_SM_BUSINESS_PARTNER | Authorization for creating Business Partner | Projects

Quality Manager (technical role name: SAP_QGM_QM_COMP)

The quality manager processes messages, and makes one of the two status assignments in Quality Gate Management to initiate a phase switch.

Table 167

Single Roles | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_STATUS_QM | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management |
SAP_SM_BUSINESS_PARTNER | Authorization for creating Business Partner | Projects

Quality Advisory Board Member (technical role name: SAP_QGM_QAB_COMP)

A member of the quality advisory board makes the second status assignment for the phase switch (segregation of duties).

Table 168

Single Roles | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_STATUS_QAB | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management |
SAP_SM_BUSINESS_PARTNER | Authorization for creating Business Partner | Projects

QGM Project Administrator (technical role name: SAP_QGM_ADMIN_COMP)

The project manager is responsible for managing projects.

Table 169

Single Roles | Remarks | Mapping to Navigation Panel Views
SAP_CPR_PROJECT_ADMINISTRATOR | cProjects administration authorization | cProjects authorization
SAP_CPR_USER | cProjects user authorization |
SAP_SM_QGM_ALL | Quality Gate Management full authorization | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management |
SAP_SOL_PROJ_ADMIN_ALL | Full authorization for project management | Projects
SAP_SM_BUSINESS_PARTNER | Authorization for creating Business Partner | Projects

Common Task Panel in the Work Center

The common task area contains links for applications that are often used:

New Request for Change: see the scenario-specific guide for Change Request Management.

New Defect Correction: see the scenario-specific guide for Change Request Management.

New Maintenance Transaction: see the scenario-specific guide for Maintenance Optimizer.

IT Service Management: see the scenario-specific guide for Change Request Management.


Related Links in the Work Center

In the related links section of the work center, you find all possible links for this work center. This link collection is a recommendation of which additional applications could run in the according scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.

Schedule Manager: see the scenario-specific guide for Change Request Management.

Configuration Validation: see the scenario-specific guide for Configuration Validation.

18.5.2 User Descriptions and User Roles in the Managed Systems

For some of the users working in the SAP Solution Manager, you need to assign authorizations in the according managed systems:

● QGM Project Administrator (technical role name: SAP_CM_MANAGED_ADMIN)

● QGM Quality Manager (technical role name: SAP_CM_MANAGED_TESTER)

● QGM Quality Advisory Board Member (technical role name: SAP_CM_MANAGED_TESTER)

● QGM IT-Operator (technical role name: SAP_CM_MANAGED_OPERATOR)

Note: All users additionally need authorization object S_RFCACL assigned to be able to use the trusted connection between systems.

18.5.3 Central CTS-Integration User Roles in the SAP Solution Manager

You can use CTS with QGM. To be able to use this integration, assign the following roles to your SAP Solution Manager users.

RFC Destinations

You require:

● TMW RFC destination

● TMS Deploy destination ([email protected])


Change Manager - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_CH_MGR_TMPL)

This role allows the user to:

● create projects in CTS (system-specific and cluster-specific)

● create and delete import locks (system-specific and cluster-specific)

● make changes in regard to previous Support Packages

The main critical authorization object is S_CTS_ADMI with value PROJ.

IT Operator - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_OPERAT_TMPL)

This role allows the user to:

● create projects in CTS (system-specific and cluster-specific)

● create and delete import locks (system-specific and cluster-specific)

● make changes in regard to previous Support Packages

● trigger imports (system-specific and cluster-specific)

● create, change, delete, and release collections (system-specific and cluster-specific)

● change import queues

The main critical authorization object is S_CTS_ADMI with value PROJ.

QA Manager and Advisory Board - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_QA_MGR_TMPL)

This role allows the user to:

● create projects in CTS (system-specific and cluster-specific)

● create and delete import locks (system-specific and cluster-specific)

● make changes in regard to previous Support Packages

● trigger imports (system-specific and cluster-specific)

● create, change, delete, and release collections (system-specific and cluster-specific)

Administrator - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_ADMIN_TMPL)

This role allows the user to:

● create projects in CTS (system-specific and cluster-specific)

● create and delete import locks (system-specific and cluster-specific)

● make changes in regard to previous Support Packages

● trigger imports (system-specific and cluster-specific)

● create, change, delete, and release collections (system-specific and cluster-specific)

● change import queues

The main critical authorization object is S_CTS_ADMI with value PROJ.
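Two rules in this chapter lend themselves to a periodic check of your user-to-role assignments: the two status assignments of a QGM phase switch must sit with different persons (Quality Manager versus Quality Advisory Board, see the role tables above), and the CTS template roles carry the critical object S_CTS_ADMI with value PROJ. The following Python script is an added example and not part of the SAP guide; it expands the composite roles from the tables in this chapter into their single roles and runs both checks over a constructed export that uses the column names of table AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT), with ISO dates as an assumption for the sample.

```python
"""Review QGM role assignments: phase-switch segregation of duties and critical CTS roles.

Added example, not SAP code. The input is a constructed export of user-role
assignments with the column names of table AGR_USERS (UNAME, AGR_NAME,
FROM_DAT, TO_DAT); ISO date strings are an assumption for this sample.
"""
import csv
import io
from datetime import date

# Composite role -> single roles, as listed in the role tables of this chapter.
COMPOSITE_ROLES = {
    "SAP_QGM_TRANSPORT_COMP": {
        "SAP_SM_QGM_TRANSPORT", "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN",
    },
    "SAP_QGM_CHANGE_MANAGER_COMP": {
        "SAP_SM_QGM_CHANGE", "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN",
        "SAP_SM_BUSINESS_PARTNER",
    },
    "SAP_QGM_QM_COMP": {
        "SAP_SM_QGM_STATUS_QM", "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN",
        "SAP_SM_BUSINESS_PARTNER",
    },
    "SAP_QGM_QAB_COMP": {
        "SAP_SM_QGM_STATUS_QAB", "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN",
        "SAP_SM_BUSINESS_PARTNER",
    },
    "SAP_QGM_ADMIN_COMP": {
        "SAP_CPR_PROJECT_ADMINISTRATOR", "SAP_CPR_USER", "SAP_SM_QGM_ALL",
        "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN",
        "SAP_SOL_PROJ_ADMIN_ALL", "SAP_SM_BUSINESS_PARTNER",
    },
}

# The two single roles that each grant one of the two status assignments a
# phase switch needs; segregation of duties means one user must not hold both.
PHASE_SWITCH_PAIR = ("SAP_SM_QGM_STATUS_QM", "SAP_SM_QGM_STATUS_QAB")

# CTS template roles whose main critical object is S_CTS_ADMI with value PROJ.
CRITICAL_CTS_ROLES = {
    "SAP_BC_CCTS_QGM_CH_MGR_TMPL",
    "SAP_BC_CCTS_QGM_OPERAT_TMPL",
    "SAP_BC_CCTS_QGM_ADMIN_TMPL",
}

# Constructed sample export; no real system data.
SAMPLE_EXPORT = """\
UNAME;AGR_NAME;FROM_DAT;TO_DAT
QMUSER;SAP_QGM_QM_COMP;2014-01-01;9999-12-31
QMUSER;SAP_SM_QGM_STATUS_QAB;2014-01-01;9999-12-31
QABUSER;SAP_QGM_QAB_COMP;2014-01-01;9999-12-31
OPSUSER;SAP_QGM_TRANSPORT_COMP;2014-01-01;9999-12-31
OPSUSER;SAP_BC_CCTS_QGM_OPERAT_TMPL;2014-01-01;9999-12-31
OLDUSER;SAP_QGM_QM_COMP;2013-01-01;2013-12-31
OLDUSER;SAP_QGM_QAB_COMP;2013-01-01;2013-12-31
"""


def effective_single_roles(export_text, as_of):
    """Map each user to the single roles valid on `as_of`, expanding composites.

    A directly assigned single role counts as well, which is what makes the
    check catch a Quality Manager who was given the QAB status role by hand.
    """
    roles_by_user = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        valid_from = date.fromisoformat(row["FROM_DAT"])
        valid_to = date.fromisoformat(row["TO_DAT"])
        if not valid_from <= as_of <= valid_to:
            continue  # expired or not yet valid assignment
        role = row["AGR_NAME"]
        singles = COMPOSITE_ROLES.get(role, {role})
        roles_by_user.setdefault(row["UNAME"], set()).update(singles)
    return roles_by_user


def find_phase_switch_conflicts(roles_by_user):
    """Users able to make both status assignments of a phase switch."""
    qm_role, qab_role = PHASE_SWITCH_PAIR
    return sorted(u for u, r in roles_by_user.items() if qm_role in r and qab_role in r)


def find_critical_cts_holders(roles_by_user):
    """Users holding a CTS template role (S_CTS_ADMI with PROJ), for review."""
    return {
        u: sorted(r & CRITICAL_CTS_ROLES)
        for u, r in roles_by_user.items()
        if r & CRITICAL_CTS_ROLES
    }


def review(export_text=SAMPLE_EXPORT, as_of="2014-07-31"):
    """Run both checks on an export, as of the given ISO date."""
    roles_by_user = effective_single_roles(export_text, date.fromisoformat(as_of))
    return {
        "sod_conflicts": find_phase_switch_conflicts(roles_by_user),
        "critical_cts": find_critical_cts_holders(roles_by_user),
    }


if __name__ == "__main__":
    for check, hits in review().items():
        print(f"{check}: {hits}")
```

On the sample data, QMUSER is reported because the directly assigned SAP_SM_QGM_STATUS_QAB combines with the SAP_SM_QGM_STATUS_QM contained in SAP_QGM_QM_COMP, while OLDUSER's expired assignments are ignored for the review date.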


18.5.4 Critical Authorization Object

This section gives you an overview of the main authorization objects. For detailed information, see the SDN Wiki for Authorizations.

Authorization Object S_PROJ_GEN

The QGM roles contain authorization object S_PROJ_GEN with QGM specific values.

Authorization Object S_TABU_DIS

The user roles for QGM contain authorization object S_TABU_DIS. Authorization group CRMC protects all relevant customizing views and customizing clusters for this scenario.

18.6 Scenario Integration

QGM refers to the phase in your product life-cycle in which you approve the quality of your past activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions that come into play in your daily business. The following sections describe the integration of QGM with other scenarios within SAP Solution Manager, and which user roles are applicable.

Note: For more detail on each individual scenario, see the according Scenario-Specific Guide.

Change Request Management

If Q-Gates and phases are managed in QGM while the process itself is managed in Change Request Management, you need, in addition to the QGM role SAP_QGM_ADMIN_COMP, the Change Request Management role SAP_CM_ADMINISTRATOR_COMP.

Issue Management

You additionally need to assign role SAP_ISSUE_MANAGEMENT_*_COMP to your Administrator, Quality Manager, and Quality Advisory Board users.


19 Scenario-Specific Guide: Configuration Validation

The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using such units as projects (for implementation and optimization) and solutions (for productive operations). Configuration Validation supports these processes. It enables you to determine whether the systems in your landscape are configured consistently and in accordance with your requirements. This guide gives you an overview of all relevant security-related issues for the function Configuration Validation.

Configuration Validation can run as a stand-alone application using the Change Management work center, but also with user SAPSUPPORT immediately after the configuration of the managed systems has finished, see Landscape Setup Guide.

Figure 80: Configuration Validation Process

19.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.


Table 170

Support Package Stack (Version) | Description

SP05
Technical System Landscape
● Added graphical overview

SP10
End-User Roles
● Adapted role SAP_CV_ALL (with authorization object S_TCODE: CCDB)

19.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles that represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.

19.3 Prerequisites

To use configuration validation, you need to have Root Cause Analysis configured, see Landscape Setup Guide.


Technical System Landscape

Figure 81: Technical Landscape Overview

19.4 Users and Authorizations

19.4.1 User Descriptions and User Roles in the SAP Solution Manager

This paragraph gives an overview of the users recommended by SAP and their according user role assignments for Change Request Management. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.


Figure 82: Change Management Work Center

The tables below show which single roles are included in the respective composite roles. In the work center, you find the Configuration Validation function in the section Related Links.

Administrator (technical role name: SAP_CV_ADMIN_COMP)

The administration user:

● has access to work center Change Management

● has access to the Report Directory

● if active, can read user data in the User ConfigStore

● can display BI reports

Table 171

Single Roles | Remarks
SAP_CV_ALL | Full authorization for Configuration Validation, especially Report Directory. Note: Authorization object AI_CCDB_SC is set inactive in the role. The authorization restricts access to the User ConfigStores, and therefore to security-relevant data. If you allow your administration user to read these data, set the authorization object active in this role.
SAP_SYSTEM_REPOSITORY_DIS | Display authorization for System Repository (LMDB)
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management
SAP_BI_E2E | BI reporting authorizations
SAP_SM_BI_ADMIN | BI reporting authorizations

Caution: If the BI scenario is remote, the BI roles have to be assigned to the BI user in the remote system, in addition to authorization object S_RFCACL.

Display User (technical role name: SAP_CV_DISPLAY_COMP)

The display user:

● has access to work center Change Management

● has display access to the Report Directory

● can display BI reports

Table 172

Single Roles | Remarks
SAP_CV_DIS | Display authorization for Configuration Validation, especially Report Directory
SAP_SYSTEM_REPOSITORY_DIS | Display authorization for System Repository (LMDB)
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management
SAP_BI_E2E | BI reporting authorizations
SAP_SM_BI_DISP | BI reporting authorizations

Caution: If the BI scenario is remote, the BI roles have to be assigned to the BI user in the remote system, in addition to authorization object S_RFCACL.

Common Task Panel in the Work Center

The common task area contains links for applications that are used:

New Request for Change: see the scenario-specific guide for Change Request Management.

New Defect Correction: see the scenario-specific guide for Change Request Management.

New Maintenance Transaction: see the scenario-specific guide for Maintenance Optimizer.

IT Service Management: see the scenario-specific guide for Change Request Management.

Related Links in the Work Center

In the related links section of the work center, you find all possible links for this work center. This link collection is a recommendation of which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.

● Schedule Manager: see scenario-specific guide for Change Request Management.

● Configuration Validation: you need one of the composite roles described above, depending on which user description applies to the user.

19.5 Critical Authorizations

The following authorization objects are checked for Configuration Validation:

AI_CCDB_SC (Store Content)

The Configuration Change Database (CCDB), transaction CCDB, contains the configuration data of the managed systems in so-called ConfigStores. Authorization object AI_CCDB_SC controls which protected ConfigStore content a user can access. Only ConfigStores that are defined as protected are checked; all other ConfigStores are available to all users. Refer to the CCDB documentation on how to protect a ConfigStore.

Note: If you use RFC destination BI_CALLBACK with the Configuration Validation scenario, activate authorization object AI_CCDB_SC so that data from the User ConfigStore can be read.

AI_CCDB_CU

A few ConfigStores have customizing that influences the content of the ConfigStore. This authorization object restricts access to that customizing.
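The access rule above has one practical trap: a role can contain authorization object AI_CCDB_SC and still grant nothing, because an object that is set inactive in the role generates no authorization in the profile (this is why the shipped SAP_CV_ALL cannot read the User ConfigStore until the object is activated). The following Python model, added here as an illustration and not SAP code, makes that rule explicit. The role contents and ConfigStore names are constructed, and AI_CCDB_SC is simplified to a set of store names; the real object has its own field layout.

```python
"""Model of the CCDB ConfigStore access rule: only ConfigStores defined as
protected are subject to the AI_CCDB_SC check, all other stores are readable
by every user of the scenario, and an object set inactive in a role grants
nothing. Added example, not SAP code; all role and store data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

CCDB_OBJECT = "AI_CCDB_SC"


@dataclass
class Role:
    name: str
    # authorization object -> granted values ("*" = all values); the real
    # AI_CCDB_SC fields are simplified to ConfigStore names (assumption)
    authorizations: Dict[str, FrozenSet[str]]
    # objects present in the role but set inactive in PFCG: they generate no
    # authorization in the profile, so assigning the role grants nothing for them
    inactive: FrozenSet[str] = frozenset()


def granted_values(roles: List[Role], obj: str) -> Set[str]:
    """Union of the values for `obj` over all roles, skipping inactive objects."""
    values: Set[str] = set()
    for role in roles:
        if obj in role.inactive:
            continue
        values |= role.authorizations.get(obj, frozenset())
    return values


def can_read_store(roles: List[Role], store: str, protected: Set[str]) -> bool:
    """CCDB rule: unprotected stores are open, protected ones need AI_CCDB_SC."""
    if store not in protected:
        return True
    allowed = granted_values(roles, CCDB_OBJECT)
    return "*" in allowed or store in allowed


# Constructed roles mirroring the guide: SAP_CV_ALL ships with AI_CCDB_SC present
# but inactive; Z_CV_ALL is a customer copy with the object activated;
# SAP_CV_DIS does not carry the object at all.
SAP_CV_ALL = Role("SAP_CV_ALL", {CCDB_OBJECT: frozenset({"*"})},
                  inactive=frozenset({CCDB_OBJECT}))
Z_CV_ALL = Role("Z_CV_ALL", {CCDB_OBJECT: frozenset({"*"})})
SAP_CV_DIS = Role("SAP_CV_DIS", {})

# Constructed store names: the user store is marked protected, the parameter
# store is not (real ConfigStore names differ).
PROTECTED_STORES = {"USER"}


def demo() -> Dict[str, bool]:
    """Evaluate the four cases a role administrator would want to verify."""
    return {
        "shipped admin reads USER": can_read_store([SAP_CV_ALL], "USER", PROTECTED_STORES),
        "activated admin reads USER": can_read_store([Z_CV_ALL], "USER", PROTECTED_STORES),
        "display user reads USER": can_read_store([SAP_CV_DIS], "USER", PROTECTED_STORES),
        "display user reads PARAM": can_read_store([SAP_CV_DIS], "PARAM", PROTECTED_STORES),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The model deliberately treats the inactive flag per role rather than per user: activating AI_CCDB_SC in a copied role and regenerating its profile is what changes the outcome, not assigning the shipped role a second time.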

19.6 System Recommendations

The System Recommendations view in the work center allows you to:

● see a list of SAP Notes relevant for a dedicated technical system

● create a Maintenance Transaction from it

● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation

The individual tabs for SAP Notes can be restricted (authorization object SM_FUNCS).

The following roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:

Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)

Security Notes can only be displayed if the user has this role and its authorizations. The administrator user is allowed to:

● access the Change Management work center

● edit System Recommendations tabs

Mapping: Roles and Navigation Panel

Table 173

| Single Role | Remarks | Mapping to Navigation Panel of Work Center |
|---|---|---|
| SAP_SYSREC_ALL | Authorization for System Recommendations tab | System Recommendations |
| SAP_SM_SOLUTION_ALL | Authorization for solutions | |
| SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, hosts, and so on | |
| SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions | Work Center |
| SAP_SMWORK_CHANGE_MAN | Allows access to the Change Management work center | |

Note: In addition, a display role is shipped, but it is currently not supported.


20 Scenario-Specific Guide: Implementation and Upgrade

The business process life-cycle spans all phases of a product's life-cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a further project. In SAP Solution Manager, these phases are realized using projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all security-related issues for the Implementation and Upgrade scenario and for additional functions such as business functions, customizing distribution, and so on.

20.1 Document History

Here, all changes to this scenario-specific guide are listed by Support Package.

Table 174

| Support Package Stack (Version) | Area | Description |
|---|---|---|
| SP05 | End User Roles | Shipped changes in role SAP_CDMC_MASTER. For detailed information, see the description tab of the role. |
| SP05 | External Integration | New integration with Business Process Blueprinting Tool (BPB), see section on External Integration. |
| SP05 | Authorization Objects | Authorization object S_CTS_ADMI is set inactive in all roles, see section on Authorization Objects. |
| SP05 | Configuration | Check SAP Note 1699667 if you use Roadmaps and MS Office 2010. |
| SP06 | CDMC | Shipped new role SAP_SM_CDMC_INT for integration with BPCA (authorization object SM_BPCA). For detailed information, see the description tab of the role. |
| SP08 | CDMC | Roles SAP_CDMC_MASTER and SAP_CDMC_USER were adapted due to authorization object value changes. For more information, see the description tab of the specified roles. |
| SP10 | End User Roles | Added role SAP_CPR_USER to composite role SAP_SOL_PM_COMP (Project Manager) for cPro integration. If your user requires project administration, role SAP_CPR_PROJECT_LEAD must be added as well. For detailed information, see the description tab of the roles. |
| SP10 | CDMC | Adapted CDMC authorization roles. New role for critical authorizations for CDMC result list usage: SAP_CDMC_CRITICAL_AUTH, see section on Additional Function: CDMC. |
| SP11 | Scenario Integration | SEA integration into the work center. |
| SP12 | CDMC | Adapted CDMC authorization roles for managed systems with SAP_BASIS >= 7.00: SAP_CDMC_MASTER and SAP_CDMC_USER (delivered with ST-PI). |
| SP12 | Roadmap | Roadmap is delivered as a SAPUI5 application. Adapted roles SAP_RMMAIN_* (see description in the role). For more information on SAPUI5, see section on Additional Security Issues. |

20.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all information relevant for that specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Additional links are in the core guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users we recommend and which user roles we deliver for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).

● Roles for Additional Functions: find out about roles and authorizations for functions that complement the core functions and authorizations.

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out which authorizations you need to assign to your users for these cases.

● External Integration: find out about prerequisites, users, and roles for external functions such as HP Quality Center, and so on.

20.3 Prerequisites

20.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape needed to run the complete Implementation and Upgrade scenario. SAP Solution Manager is connected to your managed systems via the READ, TRUSTED and TMW RFC destinations, and your managed systems are connected back to SAP Solution Manager via the BACK RFC destination. TREX and IGS are connected to the ABAP stack via dedicated RFC connections. Optionally, you can attach a third-party product such as SAP Productivity Pak to SAP Solution Manager via specified destinations. The following sections describe all connections in more detail: when they are used and which technical users they require.

Figure 83: Implementation and Upgrade


20.3.2 Configuration

Basic Configuration SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you can use the basic functions of the Implementation and Upgrade scenario, such as:

● Project Administration

● Business Blueprint (including graphics)

● Configuration (including graphics)

● Solution Directory (including graphics)

Note: Check SAP Note 1699667 if you use Roadmaps and MS Office 2010.

Scenario Configuration SPRO

If you want to add other functions for Implementation, you can configure them using the Implementation Guide (IMG) in transaction SPRO.

Figure 84: Transaction SPRO

Roles

There are no specific configuration roles for transaction SPRO. You can, however, create your own configuration roles. For more information, see the corresponding How-to Guide.


20.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 175

| Communication Channel | Protocol | Type of Data Transferred / Function |
|---|---|---|
| Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services |
| Solution Manager to managed systems and back | RFC | Reading information from managed systems |
| Solution Manager to managed systems within customer network | FTP | Update of route permission table (content: IP addresses), see section File Transfer Protocol (FTP) |
| Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes |
| SAP Productivity Pak by RWD | SOAP over HTTP(S) | External Integration: Document Management |

Communication Destinations

The table below gives an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 176

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks |
|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | Customer-specific | Customer-specific | | |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Reads data of assigned objects in transactions SOLAR*; reads the BC Set activation log |
| SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Customer-specific | Necessary for CDMC, Customizing Synchronization, BC Set content activation, and IMG project/view creation |
| SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed system | System-specific | System-specific | Default user: SMTM<SID of Solution Manager system> (the TMW user of Table 182) | Used only for the connection of the Custom Development Management Cockpit (CDMC) to productive systems, see section on additional functions |

RFC Connection from Managed System to SAP Solution Manager

Table 177

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created |
|---|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | SMB_<managed system ID> | For Help Center function | Automatically via transaction SOLMAN_SETUP (view: Managed Systems) |
| HELP_CENTER_TO_SOLMAN | Solution Manager system | Customer-specific | Customer-specific | Customer-specific | For write access to Knowledge Warehouse in Solution Manager | Transaction SU01 |


TREX RFC Connections

Table 178

| RFC Destination Name | Activation Type | How Created |
|---|---|---|
| TREX_<server> (ABAP connection) | Registered Server Program (program TREXRfcServer_<instance number>) | Manually in transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO) |
| IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) | |
| IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) | |

Internet Graphics Server (IGS) RFC Connection

Table 179

| RFC Destination Name | Activation Type | How Created |
|---|---|---|
| ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59 |

20.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Implementation and Upgrade scenario.

User for READ Access in Managed Systems

Table 180

| User | User Type | Remarks |
|---|---|---|
| SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide. |

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change the password stored for this user in the RFC destination in the Solution Manager system.


User for SAP RWD Info Pak

Table 181

| User (Password) | Type | Remarks |
|---|---|---|
| RWD InfoPak integration user | Communication user | Technical user for the web service; assigned role SAP_RWD_INTERFACE |

User for Access in Managed Systems for CDMC

CDMC uses the TMW RFC connection for productive systems. For all other systems in CDMC, that is, quality assurance (QA) systems, development (DEV) systems, and test or upgrade systems (sandbox/reference systems), analysis activities are executed via the TRUSTED RFC connection.

User for Change Management Connection in Managed Systems

Table 182

| User | User Type | Remarks |
|---|---|---|
| SMTM<SID of Solution Manager system> (system-specific) | System user | Technical user ("TMW user"), assigned role <namespace>_SOLMAN_TMW. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide. |
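Sections 20.3.3 and 20.3.4 together define a checkable contract: destination names follow SM_<SID>CLNT<client>_<TYPE>, each type logs on with a known technical user (SM_<SID> for READ, SMTM<SID> for TMW, SMB_<managed SID> for BACK), only the _TRUSTED destination uses trusted-system logon, and the READ user's password in SU01 must match the one stored in the destination. The following Python script is an added example, not SAP code, that audits an SM59 export against that contract. The destination records are constructed inline; the record layout (name, owning system, stored user, trusted flag) and the list of privileged standard users are assumptions of this example, and the privileged-user check is a general SAP hardening practice rather than a statement of the guide.

```python
"""Audit RFC destinations against the naming and technical-user conventions of
the Implementation and Upgrade scenario. Added example, not SAP code.
Destination records are constructed; in practice they come from an SM59 export
(assumed layout: name, owning system SID, stored logon user, trusted flag).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SOLMAN_SID = "SM1"  # assumed SID of the SAP Solution Manager system

# SM_<SID>CLNT<client>_<TYPE> as created by SOLMAN_SETUP. <SID> is the target
# system: the managed system for LOGIN/READ/TRUSTED/TMW (Table 176), the
# Solution Manager system for BACK (Table 177).
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<type>LOGIN|READ|TRUSTED|TMW|BACK)$"
)

# Privileged standard users that should never be stored in a destination
# (general hardening practice, not part of the guide's tables).
PRIVILEGED_DEFAULTS = {"SAP*", "DDIC", "SAPCPIC", "TMSADM", "EARLYWATCH"}


@dataclass
class Destination:
    name: str
    defined_in: str   # SID of the system that owns the SM59 entry
    user: str         # stored logon user, "" if none
    trusted: bool     # "trusted system" logon flag set on the entry


def expected_user(kind: str, managed_sid: str) -> Optional[str]:
    """Default technical user per destination type (Tables 176, 177, 180, 182)."""
    if kind == "READ":
        return f"SM_{SOLMAN_SID}"      # READ user, role <namespace>_SOLMAN_READ
    if kind == "TMW":
        return f"SMTM{SOLMAN_SID}"     # TMW user, role <namespace>_SOLMAN_TMW
    if kind == "BACK":
        return f"SMB_{managed_sid}"    # BACK user is named after the managed system
    return None                        # LOGIN and TRUSTED: customer-specific


def check(dest: Destination) -> List[str]:
    """Return findings for one destination; an empty list means it matches the guide."""
    findings: List[str] = []
    m = DEST_RE.match(dest.name)
    if m is None:
        findings.append("name outside SM_<SID>CLNT<client>_<TYPE>; not created by "
                        "SOLMAN_SETUP, review manually")
    else:
        kind = m["type"]
        managed_sid = dest.defined_in if kind == "BACK" else m["sid"]
        want = expected_user(kind, managed_sid)
        if want is not None and dest.user != want:
            findings.append(f"{kind}: stored user {dest.user!r} differs from default "
                            f"{want!r}; keep SU01 and the destination in sync")
        if kind == "TRUSTED" and not dest.trusted:
            findings.append("TRUSTED: trusted-system logon flag not set; the target "
                            "must also grant S_RFCACL to the calling users")
        if kind != "TRUSTED" and dest.trusted:
            findings.append(f"{kind}: trusted logon on a destination that should "
                            "use a stored technical user")
    if dest.user in PRIVILEGED_DEFAULTS:
        findings.append(f"stored user {dest.user!r} is a privileged standard user")
    return findings


# Constructed sample export: one correct entry per type plus typical mistakes.
SAMPLE = [
    Destination("SM_ERPCLNT100_READ", "SM1", "SM_SM1", False),
    Destination("SM_ERPCLNT100_TMW", "SM1", "SMTW_SM1", False),   # wrong user name
    Destination("SM_ERPCLNT100_TRUSTED", "SM1", "", True),
    Destination("SM_ERPCLNT100_LOGIN", "SM1", "DDIC", False),     # privileged user stored
    Destination("SM_SM1CLNT001_BACK", "ERP", "SMB_ERP", False),
    Destination("ERP_PROD_ADMIN", "SM1", "SAP*", False),          # outside the convention
]


def audit(dests: List[Destination]) -> Dict[str, List[str]]:
    """Map each destination name to its findings."""
    return {d.name: check(d) for d in dests}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The script only compares names and stored users; it cannot tell whether the password stored in the destination still matches SU01, so a failing connection test for a READ destination after a password change is the check that remains manual.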

20.4 Users and Authorizations

To enable your users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.

When you work in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the corresponding roles.

Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.

Roles for Implementation and Upgrade are predefined composite roles (technical abbreviation: *_COMP) for users such as Project Manager (technical abbreviation: *_PM_*) or Technical Consultant (technical abbreviation: *_TC_*). These composite roles contain the set of single roles that are relevant for the respective business tasks.


Figure 85: Implementation Process

20.4.1 User Descriptions and User Roles in the SAP Solution Manager

This section gives an overview of the users recommended by SAP and their corresponding role assignments for Implementation and Upgrade. Each user is assigned a composite role, which contains a number of single roles.

Note: Apart from implementation-relevant authorizations, each composite role also contains authorizations for Test Management. These roles are explained in more detail in the scenario-specific guide for Test Management.

The suggested users are restricted with respect to all additional authorizations, such as the Upgrade Dependency Analyzer, customizing distribution, BC Set-related activities, managing issues, creating service messages, executing CDMC-related activities, and so on. For these additional authorizations, see the sections on Additional Authorizations, Scenario Integration, and External Integration.

Work Center

The work center is the work space of a user; it gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users as they are. You may, however, want to restrict the access and/or the authorizations of a particular user. Access in the navigation panel is restricted by authorization object SM_WD_COMP. For more information on user interface authorizations, see the core security guide.


Figure 86: Work Center Implementation and Upgrade

The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. As the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not listed.

Project Manager (technical role name: SAP_SOL_PM_COMP)

The Project Manager is responsible for organization and project planning, for the realization of the desired project results, and for the daily management of the project. They anticipate deviations from the project direction and carry out the necessary corrective measures immediately. Project Managers should understand the integration of the business processes within the enterprise. They are also members of the steering committee and have decision-making authority in matters concerning the program and budget. The Project Manager forwards strategic questions to the sponsor to make joint decisions. Project Managers are allowed to:

● access the Implementation work center and Test Management work center

● set up projects

● maintain roadmaps

● maintain system landscape data

● maintain solutions

● maintain business blueprint and business configuration

● execute all test-related activities

● create transport requests

● maintain training materials

● create a service desk message

● use cPro integration

Single roles included in composite role

Table 183

| Single Role | Remarks | Mapping to Navigation Panel of Work Center |
|---|---|---|
| SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance | Plan, Reports |
| SAP_SMSY_ALL | Contains the full authorizations you need for maintaining the system landscape in transaction SMSY, including logical components | All views |
| SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance with the check-out/check-in function (solution to maintenance project and maintenance project to solution) | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and for maintaining solutions on the solution settings tab | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps | Projects, Plan, Build, Reports |
| SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps | Projects, Plan, Build, Reports |
| SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Projects, Plan, Build, Reports |
| SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management. Note: Project administration allows entering an e-mail address and phone number without a separate authorization for user management | Projects, Evaluate, Plan, Reports |
| SAP_SOL_TRAINING_ALL | Contains full authorization for Learning Maps access | Build, Reports |
| SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration | |
| SAP_CPR_USER | Contains cPro integration authorizations | Projects |
| SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation | Work Center Access |
| SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center | |
| SAP_STCE_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_2_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_INFO_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_SET_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_WORK_ALL | Caution: Only relevant for Test Management | |
| SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management | |
| SAP_SMWORK_ITEST | Caution: Only relevant for Test Management | |
| SAP_SUPPDESK_CREATE | Authorization to create a service desk message | If the following functions are used: Roadmap, Business Blueprint, Configuration |


Application Consultant (technical role name: SAP_SOL_AC_COMP)

Application consultants are responsible for making sure that the Business Blueprint and software configuration are tailored to the business processes and that analysis and report requirements are fulfilled. They use their knowledge of proven business procedures to support them in these tasks. Application consultants also function as advisers and work closely with the rest of the project team. They also work in close cooperation with legacy system experts, when extraction of legacy data is necessary. The application consultant is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● maintain roadmaps

● display system landscape data

● maintain solutions

● maintain business blueprint and business configuration

● execute all test-related activities

● create transport requests

● maintain training materials

● create a service desk message

● display BW reports for Test Management

Single roles included in composite role

Table 184

| Single Role | Remarks | Mapping to Navigation Panel of Work Center |
|---|---|---|
| SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance | Plan, Reports |
| SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components | All views |
| SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance with the check-out/check-in function (solution to maintenance project and maintenance project to solution) | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and for maintaining solutions on the solution settings tab | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps | Projects, Plan, Build, Reports |
| SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps | Projects, Plan, Build, Reports |
| SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Projects, Plan, Build, Reports |
| SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Projects, Evaluate, Plan, Reports |
| SAP_SOL_TRAINING_EDIT | Contains full authorization for Learning Maps access | Build, Reports |
| SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration | |
| SAP_STCE_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_2_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_INFO_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_SET_ALL | Caution: Only relevant for Test Management | |
| SAP_STWB_WORK_ALL | Caution: Only relevant for Test Management | |
| SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation | Work Center Access |
| SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center | |
| SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management | |
| SAP_SMWORK_ITEST | Caution: Only relevant for Test Management | |
| SAP_SUPPDESK_CREATE | Full authorization to create a service desk message | If the following functions are used: Roadmap, Business Blueprint, Configuration |

Technical Consultant (technical role name: SAP_SOL_TC_COMP)

Technical consultants plan the technical requirements for a project with the project manager and the manager of the technical team and then carry out the required technical tasks in the system. Depending on the scope and complexity of the implementation, technical consultants may work in several areas, for example, system administration, database administration, network administration, operating system administration, development of cross-application components, or ABAP development. The technical consultant is allowed to:

● access the Implementation work center

● display projects

● maintain roadmaps

● maintain system landscape data

● display solutions

● create transport requests

Single roles included in composite role

Table 185

| Single Role | Remarks | Mapping to Navigation Panel of Work Center |
|---|---|---|
| SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance | Plan, Reports |
| SAP_SMSY_ALL | Contains the full authorizations you need for maintaining the system landscape in transaction SMSY, including logical components | All views |
| SAP_SMSY_ACC_RFC | Adaptive Computing role | |
| SAP_SM_SOLUTION_DIS | Contains display authorization for solutions | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) | Evaluate, Build, Going Live Preparation, Reports |
| SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Projects, Evaluate, Plan, Reports |
| SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration | |
| SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions | Work Center Access |
| SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center | |

Basis/Development Consultant (technical role name: SAP_SOL_BC_COMP)

Development consultants work with the project manager and the application consultant on the planning and organization of the authorization concept. They also perform development tasks and customer-specific developments. The basis/development consultant is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● maintain roadmaps

● display system landscape data

● display solutions

● maintain business blueprint and business configuration

● execute test-related activities, except for administrative tasks

● create transport requests

● create a service desk message

Single roles included in composite role


Table 186

Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_EXE | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_EXE | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration. | -
SAP_STWB_2_DIS | Caution: only relevant for Test Management. | -
SAP_STWB_INFO_DIS | Caution: only relevant for Test Management. | -
SAP_STWB_WORK_DIS | Caution: only relevant for Test Management. | -
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center. | -
SAP_SMWORK_BASIC_TEST_MAN | Caution: only relevant for Test Management. | -
SAP_SMWORK_ITEST | Caution: only relevant for Test Management. | -
SAP_SUPPDESK_CREATE | Full authorization to create a service desk message, if the following functions are used: Roadmap, Business Blueprint, Configuration. | -

Display User (technical role name: SAP_SOL_RO_COMP)

The display user is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● display roadmaps

● display system landscape data

● display solutions

● display business blueprint and business configuration

● display BW reports for Test Management

Single roles included in composite role


Table 187

Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_RMMAIN_DIS | Contains authorization for displaying roadmaps. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_DIS | Contains display authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_STCE_DIS | Caution: only relevant for Test Management. | -
SAP_STWB_INFO_DIS | Caution: only relevant for Test Management. | -
SAP_STWB_2_DIS | Caution: only relevant for Test Management. | -
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center. | -
SAP_SMWORK_BASIC_TEST_MAN | Caution: only relevant for Test Management. | -
SAP_SMWORK_ITEST | Caution: only relevant for Test Management. | -

Read-Only User (According to Document Status) (technical role name: SAP_SOL_RE_COMP)

The read-only user is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● display roadmaps

● display system landscape data

● display solutions

● display business blueprint and business configuration

● display test-related activities

Note: In contrast to the display user, the read-only user can access documents according to the customizing of the document status.

Single roles included in composite role

Table 188

Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_RMMAIN_READ | Contains authorization for roadmaps according to the document status. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_READ | Contains authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) according to the document status. | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_STWB_INFO_READ | Caution: only relevant for Test Management. | -
SAP_STWB_2_READ | Caution: only relevant for Test Management. | -
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center. | -
SAP_SMWORK_BASIC_TEST_MAN | Caution: only relevant for Test Management. | -
SAP_SMWORK_ITEST | Caution: only relevant for Test Management. | -

Common Task Panel in the Work Center

The common task area contains links for applications that are often used:

Note: The authorizations for system landscape maintenance must always be assigned. These authorizations are contained in role SAP_SMSY_*. If you jump from the main application to another application, you need to assign additional roles, depending on the application that is integrated.

Show Roadmap

To show roadmaps, you need roadmap authorizations contained in role SAP_RMMAIN_*, project authorizations contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorizations contained in role SAP_SOL_KW_*.

Maintain Project

To maintain projects, you need project authorizations contained in role SAP_SOL_PROJ_ADMIN_*.

Maintain Business Blueprint

To maintain the Business Blueprint, you need authorization for transaction SOLAR01 contained in role SAP_SOLAR01_*. In addition, you need project authorization contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorization contained in role SAP_SOL_KW_*.

Configure Business Processes

To configure Business Processes, you need authorization for transaction SOLAR02 contained in role SAP_SOLAR02_*. In addition, you need project authorization contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorization contained in role SAP_SOL_KW_*.

Manage Issues

See section Scenario Integration.

Related Links in the Work Center

In the related links section of the work center, you find all possible links for this work center. The user may nevertheless be unable to run some of these applications, because the required authorizations are not included in the defined user roles but in additional roles, see section Additional Functions. This link collection is a recommendation of which additional applications could be run in the corresponding scenarios. If you want the related links section to show only those links that the defined user should be able to use, adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-To section.


System Data, System Transfer

Requires system landscape infrastructure authorizations included in role SAP_SMSY_*.

Project Administration

Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*.

Copy Projects and Solutions

Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*, and authorizations for solutions included in role SAP_SM_SOLUTION_*.

Learning Maps

Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*, authorizations for solutions included in role SAP_SM_SOLUTION_*, and authorization for learning maps included in role SAP_SOL_TRAINING_*.

Custom Development Management Cockpit

See section User Roles for Additional Functions

20.4.2 User Descriptions and User Roles in Managed Systems

In the managed system, you need to assign the corresponding application-specific authorizations to the user. For more information, see the applicable security guide for the relevant application.

20.4.3 Main Authorization Objects

The following section gives you information about main authorization objects. For detailed information, see SDN Wiki for Authorizations.

Blueprint/Configuration Authorization Object AI_SA_TAB

Authorization object AI_SA_TAB allows you to restrict change access to the individual tabs. If you want to make tabs generally invisible for users, you need to set this in the project administration transaction SOLAR_PROJECT_ADMIN for tab access. You can also restrict members for a project in this transaction. Combining the assignment of users in the project administration with authorization object S_PROJECT (general restriction on projects) and authorization object AI_SA_TAB allows you to fine-tune authorizations.

You can also set user specific settings for individual users in transaction SU01.

Blueprint/Configuration Authorization Object AGS_BOATTR

This object allows you to control the locking of business object attributes.


Roadmap Authorization Object S_AIRMTAB

Similar to the authorization object AI_SA_TAB for transactions SOLAR01 and SOLAR02, authorization object S_AIRMTAB restricts access to the tabs in transaction RMMAIN.

Note: Tab Service Plan only appears with node type Service Session.

Document Management Authorization Object S_IWB

The main authorization object that restricts access to documents is S_IWB. Important fields that are prefilled by default are the areas in IWB_AREA, IWBASAP (AcceleratedSAP) and IWBSOLAR (Solution Manager), and the folder group IWB_FLDGRP. The folder group determines for which function the documents are restricted. In role SAP_SOL_KW_*, you will find that the object has many versions, of which only two are active:

● no folder group assigned

● 'SAP' enhancement assigned

Figure 87: S_IWB in role SAP_SOL_KW_ALL

The active maintenance of the object allows full authorization for all folders. If you want to restrict the usage, deactivate this maintenance and activate the respective other one. The following uses of the S_IWB object are set inactive in the template role:

● Authorization for folder group BPRFOLDERS for the Business Process Repository

● Authorization for folder groups SAPTWBTESTNOTES and TEMPLATES for Test Management functions

● Authorization for folder group HELP_CENTER for Help center functionality

The system saves Solution Manager documents in folders. You can control the access rights to documents in the project by assigning authorizations for groups of documents in the Knowledge Warehouse of SAP Solution Manager; for instance, you can specify that only the project management can change documentation templates.

Figure 88: IMG transaction SPRO

Example Problem: Document Management: Unlock Documents

You want to allow a user to unlock documents which are locked by a status schema.

This can be controlled with the authorization object S_IWB and the activity 95.

Documents remain locked during signature procedure.

Example Problem: Document Management: Restrict Project

You want users who are assigned to a project to only be able to search for, edit or display the documents for this project.

This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group that is assigned to the project, for instance the folder group named XYZ. You restrict the following authorization objects:

● S_PROJECT with field PROJECT_ID

● S_IWB and S_IWB_ATTR with field IWB_FLDGRP

Digital Signature C_SIGN_BGR

Note: In the system, users can maintain their Own Data via the menu System > User Profile. This includes the maintenance of SSF settings on tab Address, button Other Communication. If you use Digital Signature, you should restrict the authorization to maintain these data for all relevant users (authorization object S_TCODE, transaction SU3).

Example Problem: Digital Signature: Restrict by Authorization Group

User A can sign for the authorization group PROD (production), but not for the authorization group QUAL (quality assurance).


Solution: In role SAP_SOL_KW_*, the user has the authorization value PROD for field SIGNAUTH, in authorization object C_SIGN_BGR.
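The two worked problems above (restricting documents to one project through S_PROJECT plus the S_IWB folder group, with activity 95 needed to unlock, and restricting digital signatures by authorization group through C_SIGN_BGR) can be modelled with a small authority-check evaluator. The following Python block is an added illustration, not code from SAP or from this guide. The role contents (a constructed role for project XYZ, folder group XYZ, authorization groups PROD and QUAL, the activity values) are assumptions for the example; the inactive wildcard S_IWB line mirrors the template role's inactive authorizations described under S_IWB above, and shows that an inactive authorization grants nothing.

```python
"""Model of an SAP-style AUTHORITY-CHECK evaluated against a role's authorizations.
Constructed example; field and role values are assumptions, not SAP-delivered content."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Authorization:
    """One authorization instance of an object inside a role."""
    obj: str                      # authorization object, e.g. "S_IWB"
    values: Dict[str, List[str]]  # field -> allowed values; "*" and "XY*" are wildcards
    active: bool = True           # inactive instances (as in the template roles) grant nothing


def authority_check(role: List[Authorization], obj: str, **fields: str) -> bool:
    """Succeed if at least ONE active authorization for `obj` satisfies ALL requested
    fields. Field values are never combined across two authorization instances."""
    for auth in role:
        if auth.obj != obj or not auth.active:
            continue
        if all(any(fnmatchcase(value, pat) for pat in auth.values.get(name, []))
               for name, value in fields.items()):
            return True
    return False


# Constructed role for the "restrict project" problem: documents of project XYZ are
# stored in folder group XYZ, so S_PROJECT and S_IWB are both pinned to that value.
# The "*" S_IWB line mirrors the template's full-access authorization left inactive.
ROLE_PROJECT_XYZ = [
    Authorization("S_PROJECT", {"PROJECT_ID": ["XYZ"]}),
    Authorization("S_IWB", {"IWB_AREA": ["IWBASAP", "IWBSOLAR"],
                            "IWB_FLDGRP": ["XYZ"],
                            "ACTVT": ["01", "02", "03"]}),       # create, change, display
    Authorization("S_IWB", {"IWB_AREA": ["*"], "IWB_FLDGRP": ["*"], "ACTVT": ["*"]},
                  active=False),
    Authorization("C_SIGN_BGR", {"SIGNAUTH": ["PROD"]}),        # may sign for PROD only
]


def can_access_document(role: List[Authorization], project_id: str,
                        folder_group: str, activity: str) -> bool:
    """Both checks must pass: project membership (S_PROJECT) and folder group (S_IWB)."""
    return (authority_check(role, "S_PROJECT", PROJECT_ID=project_id)
            and authority_check(role, "S_IWB", IWB_AREA="IWBSOLAR",
                                IWB_FLDGRP=folder_group, ACTVT=activity))


def with_unlock(role: List[Authorization], folder_group: str) -> List[Authorization]:
    """Copy of `role` that additionally allows activity 95 (unlock) for one folder group."""
    return role + [Authorization("S_IWB", {"IWB_AREA": ["IWBSOLAR"],
                                           "IWB_FLDGRP": [folder_group],
                                           "ACTVT": ["95"]})]


def can_sign(role: List[Authorization], auth_group: str) -> bool:
    """Digital signature check: SIGNAUTH must cover the document's authorization group."""
    return authority_check(role, "C_SIGN_BGR", SIGNAUTH=auth_group)


if __name__ == "__main__":
    print(can_access_document(ROLE_PROJECT_XYZ, "XYZ", "XYZ", "03"))  # own project: True
    print(can_access_document(ROLE_PROJECT_XYZ, "ABC", "ABC", "03"))  # other project: False
    print(can_access_document(ROLE_PROJECT_XYZ, "XYZ", "XYZ", "95"))  # unlock not granted: False
    print(can_sign(ROLE_PROJECT_XYZ, "PROD"), can_sign(ROLE_PROJECT_XYZ, "QUAL"))  # True False
```

The evaluator deliberately requires every requested field to match within a single authorization instance, which is how the real check behaves: an authorization for folder group XYZ with display activities and a second one for folder group ABC with activity 95 do not add up to an unlock right on XYZ. In the system the check is an ABAP AUTHORITY-CHECK on the user's profile, so this model is only a way to reason about role design before maintaining it in transaction PFCG.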

Authorization Object S_CTS_ADMI

The authorization object is set inactive in all roles due to its critical nature. If you need to allow changes in transaction SCCA, you must activate this authorization object.

20.5 User Roles for Additional Functions

20.5.1 User Roles for Roadmap Definition

Before defining your business processes in a project, you can define a roadmap for your project or adapt a roadmap delivered by SAP to your purposes. To do this, you need to have implementation authorization as described earlier, and additional authorizations. In the following table we outline which additional user roles and authorizations you need to use the functionality for roadmap definition.

User roles for roadmap definition

Table 189

Roles | Remarks
SAP_RMDEF_RMAUTH_EXE | For administration: change roadmaps
SAP_RMDEF_RMAUTH_DIS | For display: display roadmaps

20.5.2 User Roles for Activation of Business Functions

Within the implementation and upgrade, you have the option to evaluate business functions residing in the managed systems and also to activate the business function from within SAP Solution Manager. To do this, you need to have implementation authorization as described earlier, and additional authorizations. In the following tables we outline which additional user roles and authorizations you need to use the functionality for business functions.

Authorizations in SAP Solution Manager System

You can use the user roles for implementation and upgrade, which include authorization object AI_SA_TAB with authorization for tab Business Functions. This authorization object restricts access to any of the tabs for the business blueprint and configuration in transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY.

In addition, you need to assign authorization object S_SWITCH to the users in both systems, the SAP Solution Manager and the managed system. This authorization allows you to activate a business function, and should only be assigned to dedicated users. This authorization object is not included in any of the roles delivered by SAP Solution Manager. Therefore, see the How-to Guides section on how to create your own role for this object.

Authorizations in the Managed System

If you want to activate business functions in the managed system, you need to assign authorization object S_SWITCH to the users in both systems, the SAP Solution Manager and the managed system. This authorization allows you to activate a business function, and should only be assigned to dedicated users. This authorization object is not included in any of the roles delivered by SAP Solution Manager. Therefore, see the How-to Guides section on how to create your own role for this object. We would also advise assigning roles for the switch framework transactions SFW*.

In addition, you must also assign role SAP_SM_BUSINESS_FUNCTION to the users. This role contains read authorizations for the necessary function groups and for Test Workbench objects.

20.5.3 User Roles for Custom Development Management Cockpit (CDMC)

Configuration

See SAP Note 1244713

Users and Authorizations

Custom Development Management Cockpit can be accessed from the Implementation and Upgrade work centers. It contains two use cases:

● Clearing Analysis

● Upgrade/Change Impact Analysis

Note: See the use case description in the Application Help for SAP Solution Manager in the Help Portal: help.sap.com > SAP Solution Manager.

Both use cases involve several systems. The systems are connected by RFC.

You must have a TMW RFC connection in place for the connection to the productive systems. For the other projects, like Clearing Analysis or Upgrade/Change Impact Analysis, a TRUSTED RFC connection is used.

Caution: If you use a TRUSTED RFC destination, you need to assign your user in the managed system the role SAP_CDMC_MASTER (with full authorization) or SAP_CDMC_STAT_SYST (with restricted authorization).

Custom Development Management Cockpit

Table 190

Name | Type | Remarks
SAP_CDMC_USER | ABAP | Execution authorization for CDMC
SAP_CDMC_MASTER | ABAP | Administration authorization for CDMC, including maintaining global settings and deleting CDMC projects
SAP_CDMC_STAT_SYSTEM | ABAP | Restricted authorization for the statistics system in Clearing Analysis. It contains only the authorizations necessary for the tasks carried out on the statistics system: activation of statistics collection, import of the collected statistics to the control center, determination of empty tables, and syntax check for source code objects.
SAP_SM_CDMC_INT | ABAP | Integration with BPCA (authorization object SM_BPCA).

Note: To be able to work with the result list, assign the additional role SAP_CDMC_CRITICAL_AUTH, which contains all relevant critical authorizations for execution. For more information, see the Description tab of the role in the system (transaction PFCG).

In the Solution Manager, you also need to assign the authorization object SM_BPCA to the roles of the user.

20.5.4 User Roles for Upgrade Dependency Analyzer

Within the implementation and upgrade, you have the option to use the Upgrade Dependency Analyzer, analogous to its counterpart on the SAP Portal. To use this function within SAP Solution Manager, you need to have implementation authorization as described earlier, and additional authorizations. In the following table we outline which additional user roles and authorizations you need to use this functionality.


Upgrade Dependency Analyzer

Table 191

Name | Remarks
SAP_SM_UDA_ALL | Role allows full authorization for Upgrade Dependency Analyzer
SAP_SM_UDA_DIS | Role allows display authorization for Upgrade Dependency Analyzer

Authorization Object SM_UDA_PRJ

Main authorization object is SM_UDA_PRJ, which controls if a user is allowed to create, change, or delete UDA - projects.


20.5.5 User Roles for Customizing Comparison and Distribution

Within the implementation and upgrade, you have the option to use the function of customizing distribution. To use this, you need to have implementation authorization as described earlier, and additional authorizations. For customizing comparison and distribution SAP delivers composite roles for administrator tasks and display user. These composite roles contain a number of single roles, which are outlined underneath.

Administrator (technical role name: SAP_CUSTDIST_ALL_COMP)

Note: This role should be assigned in addition to one of the following implementation user roles: SAP_SOL_PM_COMP, SAP_SOL_AC_COMP, or SAP_SOL_TC_COMP.

Table 192

Single Role | Remarks
SAP_SCOUT_ALL | Contains full authorization for customizing scout
SAP_SCDT_ALL | Contains full authorization for customizing distribution (transaction SCDT)
SAP_SCIDM_ALL | Contains full authorization for customizing ID mapping

Display User (technical role name: SAP_CUSTDIST_DIS_COMP)

Note: This role should be assigned in addition to one of the following implementation user roles: SAP_SOL_RO_COMP or SAP_SOL_RE_COMP.

Table 193

Single Role | Remarks
SAP_SCOUT_DIS | Contains display authorization for customizing scout
SAP_SCDT_DIS | Contains display authorization for customizing distribution (transaction SCDT)
SAP_SCIDM_DIS | Contains display authorization for customizing ID mapping

Authorization Objects S_CD_SYNC and S_CD_SYSAC

Important authorization objects are:

● S_CD_SYNC: authorization for synchronizer and scout

● S_CD_SYSAC: controls system access for customizing distribution


20.5.6 User Roles for BC-Set Activities

Within the implementation and upgrade, you have the option to use BC-Sets.

You can activate BC-Sets in the SAP Solution Manager system, and in the managed system. To be able to use this function in either system your users need one of the following roles:

User roles for BC-Set Activities

Table 194

Single Role | Remarks
SAP_BCS_ACTIV | Activate BC-Sets. Note: see SAP Note 505603 (Activate BC Sets).
SAP_BCS_CREATE | Create BC-Sets
SAP_BCS_ADMIN | Administration of BC-Sets

20.5.7 Solution Maintenance via Work Center

As of SAP Solution Manager Release 7.1 SP01, transactions GSAP (SAP Global Service Access Point) and SOLUTION_MANAGER, SOLUTION_MANAGER_BSP, alternatively DSWP, DSWP_MOVE, DSMOP, are obsolete. All references to these transactions are deleted in the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting, Solution Directory. Solutions can be created in Work Center Solution Manager Administration.

20.6 Scenario Integration

Implementation and Upgrade refers to the phase in your product life-cycle when you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions, which come into play in your daily business, such as the handling of problems, and so on. The following sections describe the integration of implementation and upgrade with other scenarios within SAP Solution Manager, and which user roles would be applicable.

Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.

Business Process Change Analyzer (BPCA)

In the business blueprint and configuration transactions of SAP Solution Manager, users (for instance the application consultant) can record TBOMs for the Business Process Change Analysis. To be able to do so, you need to assign your user the required BPCA roles: SAP_SM_BPCA_TBOM_ALL (generating TBOMs) and SAP_SM_BPCA_RES_ALL (analyzing results).

In the managed systems, you need to assign the according application-specific authorizations to your users.

Figure 89: Transaction SOLAR02 - Tab: Transactions

Incident Management

In the business blueprint and configuration, users can create service desk messages.

Figure 90: Transaction SOLAR02 - Tab: Service Messages

To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE if you are using transaction type SLFN. If you are using the new transaction types for Service Desk (Incident Management), you need to assign the according composite role: SAP_SUPPDESK_*_COMP, see scenario-specific guide for Incident Management.


Note: In case you are a service provider, you need to assign the corresponding service provider roles. For more information, see the specific Service Provider Guide.

Issue Management

In the business blueprint and configuration, users can create issue messages. To be able to do so, you need to assign user role SAP_ISSUE_MANAGEMENT_EXE_COMP.

Job Management

You can also integrate Job Scheduling within your business blueprint and configuration transactions. If you assign Job Scheduling related objects, you need to assign user roles SAP_SM_SCHEDULER_EXE and SAP_SM_SOLUTION_ALL to your users.

Figure 91: Transaction SOLAR02 - Tab: Transactions

Test Management

You need to use the according test management relevant roles in the user roles.


Figure 92

Business Process Operation

When transferring a project into the Solution Directory, the business process can be set to “Production” and then allow for Business Process Monitoring.

Figure 93: Business Process Monitoring Integration

To be able to monitor business processes, you need to assign role SAP_OP_DSWP_BPM and SAP_SM_SOLUTION_* to your user. Alternatively, you can assign the appropriate composite role for Business Process Operations, see the according scenario - specific guide.

Change Request Management

When you have a project transferred into the Solution Directory, you can switch on the check out / check in functionality and use it with Change Requests.


Figure 94: Change Request Management Integration

You need to assign in addition user role SAP_SOCM_REQUESTER.

Scope and Effort Analyzer (SEA)

You can access the SEA functionality from view PLAN in the Implementation work center. To use the functionality use either of the two composite roles (administration authorization or display authorization) relevant for SEA end-users: SAP_SEA_*_COMP. For more information on SEA, see the scenario-specific guide for Effort and Scope Analyzer.

20.7 External Integration

You can integrate external products with SAP Solution Manager. The term External Product refers to either third-party products or SAP products that can be used to complement a function within SAP Solution Manager.


Figure 95: Configuration of Integration with External Products

20.7.1 Business Process Management Suite

The Business Process Management Suite is based on SAP NetWeaver Composition Environment (CE). Integrating this function allows you to easily model business processes and document them in the business blueprint of your Solution Manager project.

To use this integration, you need to assign in the managed system the User Management (UME) role SAP_BPM_Solution Manager. In SAP Solution Manager, your users should be assigned the user roles for implementation and upgrade as described above.

20.7.2 Enterprise Service Repository within Process Integration (PI)

Enterprise Service Repository (ESR) resides on the SAP product SAP NW Process Integration (PI). It allows you to document in the business blueprint processes, activities, and interfaces in more detail. To use this integration, you need to assign in the managed system the User Management (UME) roles for this environment as described in the according process integration security guide. In SAP Solution Manager, your users should be assigned the user roles for implementation and upgrade as described above.


20.7.3 SAP Productivity Pak by RWD

The SAP Productivity Pak by RWD allows you to document your business processes in more detail. To run this integration, you need to create a technical user (type: service user) RWD_ALIAS for web service access. This user needs to be assigned role SAP_RWD_INTERFACE. Your end users should be assigned the user roles for implementation and upgrade as described above.

20.7.4 Business Process Blueprinting Tool (BPB)

The BPB Tool is supported by an integration between the SAP Solution Manager and the Solution Composer. The Solution Composer allows data exchange between Solution Manager and Business Process Blueprinting. It synchronizes data between the client and server. SAP Solution Manager stores content of the offered SAP solutions in form of realized business scenarios, business processes and process steps in the Business Process Repository (BPR).

Additional Information

See the corresponding guides for the BPB Tool on the Service Marketplace: service.sap.com/instguides, SAP Components, SAP Solution Manager, Additional Guides.

Relevant Authorization Object AI_SA_TAB

If you use this tool in combination with the Business Blueprint functionality in SAP Solution Manager, you need to extend authorization object AI_SA_TAB with value EBB in the roles SAP_SOLAR01_*. This makes the relevant tab visible.

20.8 Traces and Logs

This section provides an overview of the trace and log files that contain security-relevant information, so that you can reproduce activities if a security breach does occur.

For the general auditing and logging concept, see help.sap.com (Search Documentation) and search for Auditing and Logging.

Service Connection

If a user has sufficient authorization and is assigned correctly to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in SAP Support Portal, as this data is replicated from there to the Solution Manager system. Displaying this data is not logged.

System Landscape

● Update logs

● RFC logs

● Data save logs


Solution Manager Implementation:

● All tabs can be traced. Each change on a tab is recorded.

● No changes of the assigned object are logged (except documents).

● You can specify which project and tab can be traced.

● Documentation can get different versions when changed.

Customizing Distribution

● Each distribution is logged.

● Each distributed object is logged.

Solution Manager Operations

● Traces are available in “Solution Directory”.

● All tabs can be traced. Each change on a tab can be recorded.

● No changes of the assigned object are logged (except documents).

● You can specify which solution is traced.

● Documentation can get different versions when changed


21 Scenario-Specific Guide: Solution Documentation Assistant

The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using such units as projects (for implementation and optimization) and solutions (for productive operations). The Solution Documentation Assistant supports this implementation and upgrade process. The function allows you to analyze your business processes automatically, to prepare upgrade projects, to evaluate new functionality, and to analyze your own developments. This guide gives you an overview of all relevant security-related issues for the scenario Solution Documentation Assistant. For more information, see the Application Help at help.sap.com.

Caution: The Solution Documentation Assistant should be made accessible by the system administrator only to dedicated users, and only for a dedicated period of time, because running the Solution Documentation Assistant may have an impact on the managed systems. Users need extended knowledge of the definition of check steps and their use in analysis projects.

21.1 Document History

Here, all changes to this scenario-specific guide are listed according to Support Package.

Table 195

Support Package Stack (Version) | Description

SP05
Adapted sections:
● Prerequisites
● Technical System Landscape
● Communication Channels and Destinations
● Technical Users
Additional section on Background Jobs

SP10
End-User Roles: role SAP_SMWORK_BASIC_SDA has been adapted. For detailed information, see the description text in the role.


21.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components you can find in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

● Background Jobs: lists all related background jobs

21.3 Prerequisites

Solution Documentation Assistant can analyze business processes running on the ABAP and Java stacks of one or more managed systems.

Most data for the analysis (for instance transactions and reports) is requested from the EarlyWatch Alert of the managed systems. Other data can be retrieved using the Diagnostics agents in the managed systems.

Workload data can be retrieved via:

● EarlyWatch Alerts

● RFC

● Business Warehouse

UPL data can be retrieved via Business Warehouse.

All prerequisites described for the Root Cause Analysis scenario apply to Solution Documentation Assistant as well. When using the Diagnostics agents for data retrieval, you must also set up your SAP Solution Manager in connection with a Business Warehouse (BW).

For more information on the BW authorization concept, see the section on BW authorizations in the Core Guide.


The following paragraphs give you an overview over all required prerequisites for running the Solution Documentation Assistant scenario.

21.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape needed to run the Solution Documentation Assistant scenario. SAP Solution Manager is connected to your managed systems via the TMW RFC destination, and your managed systems are connected to SAP Solution Manager via the BACK RFC destination. The IGS is connected to the ABAP stack via a dedicated RFC connection. The following sections describe in more detail all connections, when they are used, and which technical users are required.

Figure 96: Infrastructure

21.3.2 Configuration

Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like:

● Business Blueprint (including graphics), using transaction SOLAR01

● Configuration (including graphics), using transaction SOLAR02


Scenario Configuration transaction SPRO

To run Solution Documentation Assistant, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.

Configuration Roles

There are no specific configuration roles for transaction SPRO. You can, however, create your own configuration roles. For more information, see the corresponding How-to Guide.

Authorization Object S_TABU_DIS

SDA table views and view clusters AGSRBE* are protected by Authorization Group SDA.

21.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 196

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Exchange of information with managed systems
Solution Manager to managed systems within customer network | FTP | Update of the route permission table (content: IP addresses), see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.


Table 197

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | Customer-specific | Customer-specific | | Can be used instead of trusted RFC
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Customer-specific | Optional; can be used to jump directly into the managed system, for instance from transactions SOLAR01 or SOLAR02
SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed system | System-specific | System-specific | Default user: SMTM<SID of Solution Manager system> | Named "RFC for Change Manager" in transaction SOLMAN_SETUP. Contains batch job authorization. Used to push data (for instance which check steps should be executed) and control data (for instance when jobs should run, or configuration data), and to read check step results, for instance workload data (object data such as object name)

RFC Connection from Managed System to SAP Solution Manager

Table 198

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | SMB_<managed system ID> | For EarlyWatch Alert data from the managed systems | Automatically created via transaction SOLMAN_SETUP (view: Managed Systems)
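The naming and user conventions in Tables 197 and 198 (SM_<SID>CLNT<Client>_LOGIN, _TRUSTED and _TMW defined in Solution Manager and pointing at a managed system; SM_<SID>CLNT<Client>_BACK defined in the managed system and pointing at Solution Manager; technical users SMTM<Solution Manager SID> and SMB_<managed system ID>) can be checked mechanically against an export of the destinations. The Python script below is an added example and is not part of this guide or of SAP Solution Manager: the flat Destination record and the SAMPLE export are constructed for the example, and the two extra checks that a _TRUSTED destination stores no password and that a _LOGIN destination does not use trusted-system logon are this example's own interpretation of the remarks in Table 197, not a statement from the guide.

```python
"""Audit SAP Solution Manager RFC destinations against the naming and
technical-user conventions of Tables 197 and 198 (added example).

The Destination record and the SAMPLE export below are constructed for
this example; they are not an SM59 API or real system data.
"""
import re
from dataclasses import dataclass

# SM_<SID>CLNT<client>_<type>; SID is three characters, client three digits.
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>LOGIN|TRUSTED|TMW|BACK)$"
)


@dataclass
class Destination:
    name: str
    user: str            # logon user stored in the destination ("" if none)
    has_password: bool   # True if a password is stored with the destination
    trusted: bool        # True if the destination uses trusted-system logon


def audit_destination(dest, solman_sid, host_sid):
    """Audit one destination defined in the system with SID `host_sid`.

    solman_sid: SID of the Solution Manager system.
    host_sid:   SID of the system in which the destination is defined
                (Solution Manager for LOGIN/TRUSTED/TMW, the managed system for BACK).
    Returns a list of finding strings; an empty list means the destination conforms.
    """
    findings = []
    m = DEST_RE.match(dest.name)
    if not m:
        return [f"{dest.name}: name does not follow SM_<SID>CLNT<client>_<type>"]
    kind, target_sid = m.group("kind"), m.group("sid")
    if kind == "TRUSTED":
        # Assumption of this example: a trusted destination relies on the trust
        # relationship and must not carry a stored password.
        if not dest.trusted:
            findings.append(f"{dest.name}: TRUSTED destination is not flagged as trusted-system logon")
        if dest.has_password:
            findings.append(f"{dest.name}: trusted destination stores a password")
    elif kind == "LOGIN":
        # LOGIN is the named-user alternative to trusted RFC (Table 197).
        if dest.trusted:
            findings.append(f"{dest.name}: LOGIN destination uses trusted-system logon")
        if not dest.has_password:
            findings.append(f"{dest.name}: LOGIN destination has no stored password")
    elif kind == "TMW":
        want = "SMTM" + solman_sid          # default TMW user, Table 197
        if dest.user != want:
            findings.append(f"{dest.name}: logon user {dest.user or '<none>'} instead of {want}")
    elif kind == "BACK":
        if target_sid != solman_sid:        # BACK must point at Solution Manager
            findings.append(f"{dest.name}: BACK destination does not point at Solution Manager {solman_sid}")
        want = "SMB_" + host_sid            # back user, Table 198
        if dest.user != want:
            findings.append(f"{dest.name}: logon user {dest.user or '<none>'} instead of {want}")
    return findings


# Constructed sample export as (SID of defining system, destination).
# Solution Manager SID is SM1; managed systems are ERP and QA1.
SAMPLE = [
    ("SM1", Destination("SM_ERPCLNT100_LOGIN",   "SOLMAN_RFC", True,  False)),
    ("SM1", Destination("SM_ERPCLNT100_TRUSTED", "",           False, True)),
    ("SM1", Destination("SM_ERPCLNT100_TMW",     "SMTMSM1",    True,  False)),
    ("ERP", Destination("SM_SM1CLNT001_BACK",    "SMB_ERP",    True,  False)),
    # Two deviations worth catching: a "trusted" destination that is really a
    # password logon as ADMIN, and a TMW destination running under a basis user.
    ("SM1", Destination("SM_QA1CLNT200_TRUSTED", "ADMIN",      True,  False)),
    ("SM1", Destination("SM_QA1CLNT200_TMW",     "BASIS_ADM",  True,  False)),
]


def audit_all(records, solman_sid="SM1"):
    """Audit (host_sid, Destination) pairs; returns {name: findings} for non-conforming ones."""
    out = {}
    for host_sid, dest in records:
        findings = audit_destination(dest, solman_sid, host_sid)
        if findings:
            out[dest.name] = findings
    return out


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for line in findings:
            print(line)
```

Run against a real export, the script reports only the deviations; the conforming ERP destinations produce no output. The SMB_ check is the one to keep in mind when you rotate that user's password (see the caution in Table 202): the destination that stores it is in the managed system, not in Solution Manager.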

Business Warehouse RFC Connections

Table 199

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in a BW standard scenario), for content activation | Solution Manager, productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient> (if BW is realized in a remote BW scenario), for content activation and data download | Managed system or Solution Manager system | System-specific | System-specific | | In transaction SOLMAN_SETUP
MDX PARSER | | | | |

Internet Graphics Server (IGS) RFC Connection

Table 200

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59

21.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in this scenario.

Caution: If you use the Diagnostics agent for data retrieval, refer to the section on technical users in the Scenario-Specific Guide for Root Cause Analysis.

User for TMW Connection (Read Authorization and Batch Authorization in Managed Systems)

Table 201

User | User Type | Remarks
SMTM<SID of Solution Manager system> (system-specific) | System user | Technical user "TMW User", assigned role <namespace>_SOLMAN_TMW. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

User for Back Destination in SAP Solution Manager System

Table 202

User (Password) | Type | Remarks
SMB_<managed system ID> (system-specific) | System user | Technical user "Back User", assigned role <namespace>_SOLMAN_BACK. It is created automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change it in the RFC destination that uses it (SM_<SID>CLNT<Client>_BACK, see Table 198); otherwise the back connection fails with logon errors.

Users for Business Warehouse (BW Reporting)

Table 203

User | User Type | Remarks
SMD_BI_RFC (in case of remote BW) | System user | Technical user for data download
SM_EFWK | System user | Technical user for extractor execution

21.4 Users and Authorizations

The target group of the Solution Documentation Assistant are business experts who need to analyze the business processes running in the company. To enable these end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.

When you are working in a Solution Documentation Assistant analysis project to analyze new business processes or change existing ones, you need to have full authorization for all your tasks. Therefore, SAP delivers recommended user descriptions for an administration user and a display user on which SAP delivered roles are modeled. These user descriptions and roles can only be regarded as templates for you. You need to first define which tasks the individual members in your company execute, and then adjust the according roles.

Caution: The roles delivered by SAP can only be regarded as templates to be adjusted to your company's needs.

Roles for Solution Documentation Assistant are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.


21.4.1 User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and their corresponding user role assignments for the Solution Documentation Assistant. Each user is assigned a composite role, which contains a number of single roles.

Note: The suggested users are allowed to execute or display tasks in the Solution Documentation Assistant. For additional authorizations, for instance for implementation and upgrade, see the section on Scenario Integration.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see core security guide.

Figure 97: Solution Documentation Assistant Work Center

The tables below show which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the single role is strictly necessary. Since the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not listed.

Administration User (technical role name: SAP_SODOCA_ALL_COMP)

The administration user is allowed to:

● access Solution Documentation Assistant work center and Implementation work center

● execute all functions of Solution Documentation Assistant

● maintain Business Blueprint


● maintain Solution Manager projects

● display Service Data Control Center

Note: If this user should be allowed to maintain or display solutions and system landscape data, you need to assign the following additional roles. They are not included in the composite role, because Solution Documentation Assistant should be based on an existing system landscape with already created projects and solutions.

● SAP_SMSY_* (full or display authorization for system landscape data maintenance)

● SAP_SOLMAN_DIRECTORY_* (full or display authorization for solution maintenance)

Single roles included in composite role

Table 204

Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SDA_ALL | Contains full authorization for executing tasks in the Solution Documentation Assistant | Analysis Projects; Analyses; Rule Database; Content Interface
SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to update your business processes and steps with information retrieved from your analysis projects | Analysis Projects
SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management. Allows you to create analysis projects from Solution Manager projects and to update them | Analysis Projects
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. Allows you to create analysis projects from solutions and to update them | Analysis Projects
SAP_SDCCN_DIS | Display of Service Data Control Center; allows batch job execution for analyses |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for Implementation and Upgrade | Work Center Access
SAP_SMWORK_BASIC_SDA | Contains full authorization for work center-related functions for SDA |
SAP_SMWORK_SDA | Allows access to the Solution Documentation Assistant work center |
SAP_SMWORK_IMPL | Allows access to the Implementation and Upgrade work center |

Caution: Authorization object S_RFCACL for trusted RFC connections is required in the managed system if your users should be able to connect to the managed systems without a separate logon. Keep its field values specific (calling system, client and user); a wildcard in these fields admits any trusted system or user.

Display User (technical role name: SAP_SODOCA_DIS_COMP)

The display user is allowed to:

● access Solution Documentation Assistant work center

● display all functions of Solution Documentation Assistant

● display Business Blueprint

● display Solution Manager project data

Note: If this user should be allowed to display solutions and system landscape data, you need to assign the following additional roles. They are not included in the composite role, because Solution Documentation Assistant should be based on an existing system landscape with already created projects and solutions.

● SAP_SMSY_DISP (display authorization for system landscape data maintenance)

● SAP_SOLMAN_DIRECTORY_* (full or display authorization for solution maintenance)

Single roles included in composite role

Table 205

Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SDA_DIS | Contains display authorization for tasks in the Solution Documentation Assistant | Analysis Projects; Analyses; Rule Database; Content Interface
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01) | Analysis Projects
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Analysis Projects
SAP_SM_SOLUTION_DISP | Contains display authorization for solutions | Analysis Projects
SAP_SMWORK_BASIC_SDA | Contains access authorization for work center-related functions | Work Center Access
SAP_SMWORK_SDA | Allows access to the Solution Documentation Assistant work center |

Common Task Panel in the Work Center

The common task panel contains links for applications that are often used:

Create Analysis Project

To create analysis projects, you need SDA authorizations contained in role SAP_SDA_*, project authorizations or / and solution authorization contained in roles SAP_SOL_PROJ_ADMIN_* and SAP_SM_SOLUTION_*. In addition, if you want to update your project business blueprint, you need business blueprint authorizations contained in role SAP_SOLAR01_*.

Create Analysis and Create Check Step

To create an analysis from an analysis project and to create check steps, you need SDA authorizations contained in role SAP_SDA_*

Related Links in the Work Center

The related links section of the work center lists all possible links for this work center. The user may still be unable to run some of these applications, because the required authorizations are not included in the defined user roles but in additional roles, see section Additional Functions. This link collection is a recommendation of which additional applications could be run in the respective scenarios. If you want the related links section to show only those links the defined user can actually use, adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.

Business Process Repository

There is no authorization check available for this application.

Project Administration

Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*. If system maintenance authorization is required in addition, role SAP_SMSY_* must be assigned.

Business Blueprint

Requires authorizations for business blueprint contained in role SAP_SOLAR01_*, for project management contained in role SAP_SOL_PROJ_ADMIN_*, and for solutions contained in role SAP_SM_SOLUTION_*. In addition, document management authorization may be required, which is contained in role SAP_SOL_KW_*.


Solutions

Requires authorizations for solutions contained in role SAP_SM_SOLUTION_* and in role SAP_SOLMAN_DIRECTORY_*.

Solution Manager System Landscape

Requires authorizations contained in role SAP_SMSY_*.

Authorizations in the Managed Systems

Table 206

Roles | Remarks
Authorization object S_RFCACL | Authorization for trusted RFC connections, if your users should be able to connect to the managed systems without a separate logon
Application-specific roles | Authorizations for certain tasks in the managed systems, for instance SQL queries
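The two authorization objects this guide names, S_TABU_DIS (authorization group SDA protecting the AGSRBE* views, section 21.3.2) and S_RFCACL (trusted RFC logon in the managed system, Table 206), are both evaluated by the same field-by-field value matching. The Python code below is an added example and not SAP code: it models that matching ('*' matches anything, a trailing '*' is a prefix, otherwise the value must be equal; value ranges are not modeled), applies it to constructed authorization profiles, and flags S_RFCACL authorizations that accept any calling system or any foreign user name. The treatment of RFC_EQUSER (RFC_USER is not compared when calling and target user IDs are identical) and the unrestricted handling of RFC_TCODE and RFC_INFO are simplifying assumptions of this example.

```python
"""Simplified model of SAP authorization checks for S_TABU_DIS and S_RFCACL
(added example, not SAP code).

A profile is a flat list of (object name, {field: [allowed values]}) pairs,
an assumed representation of what a user's roles grant. The profiles at
the bottom are constructed for this example and are not real role content.
"""


def value_matches(auth_value, requested):
    """SAP value matching: '*' is any value, a trailing '*' is a prefix, otherwise exact.
    Ranges (BT) are not modeled here."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return requested.startswith(auth_value[:-1])
    return auth_value == requested


def authority_check(profile, obj, **fields):
    """True if some authorization for `obj` in `profile` matches every requested field value,
    mirroring the all-fields-must-match rule of an ABAP AUTHORITY-CHECK."""
    for name, auth in profile:
        if name != obj:
            continue
        if all(any(value_matches(v, req) for v in auth.get(f, []))
               for f, req in fields.items()):
            return True
    return False


def can_access_sda_table(profile, activity):
    """S_TABU_DIS check for the AGSRBE* views (authorization group SDA).
    ACTVT '03' is display, '02' is change."""
    return authority_check(profile, "S_TABU_DIS", DICBERCLS="SDA", ACTVT=activity)


def trusted_rfc_accepted(profile, calling_sid, calling_client, calling_user, target_user):
    """Simplified S_RFCACL check performed in the target (managed) system for a trusted logon.
    The *target* user's profile must admit the calling system, client and user (activity 16).
    Assumptions: with identical user IDs only RFC_EQUSER='Y' is required and RFC_USER is not
    compared; RFC_TCODE and RFC_INFO are not restricted in this model."""
    same_user = calling_user == target_user
    fields = dict(RFC_SYSID=calling_sid, RFC_CLIENT=calling_client, ACTVT="16",
                  RFC_EQUSER="Y" if same_user else "N")
    if not same_user:
        fields["RFC_USER"] = calling_user
    return authority_check(profile, "S_RFCACL", **fields)


def overbroad_rfcacl(profile):
    """Flag S_RFCACL authorizations that admit any calling system or any foreign user name."""
    findings = []
    for name, auth in profile:
        if name != "S_RFCACL":
            continue
        if "*" in auth.get("RFC_SYSID", []):
            findings.append("RFC_SYSID='*': any system with a trust relationship may log on")
        if "*" in auth.get("RFC_USER", []) and "N" in auth.get("RFC_EQUSER", []):
            findings.append("RFC_USER='*' with RFC_EQUSER='N': any user name of the calling system is accepted")
    return findings


# Constructed profiles for this example.
# Display-only access to the SDA configuration views.
SDA_DISPLAY = [("S_TABU_DIS", {"DICBERCLS": ["SDA"], "ACTVT": ["03"]})]
# Tight trusted-RFC authorization: only Solution Manager SM1, client 001, same user ID.
RFC_TIGHT = [("S_RFCACL", {"RFC_SYSID": ["SM1"], "RFC_CLIENT": ["001"], "RFC_USER": [" "],
                           "RFC_EQUSER": ["Y"], "RFC_TCODE": ["*"], "RFC_INFO": ["*"],
                           "ACTVT": ["16"]})]
# Over-broad authorization: any system, any client, any user name.
RFC_LOOSE = [("S_RFCACL", {"RFC_SYSID": ["*"], "RFC_CLIENT": ["*"], "RFC_USER": ["*"],
                           "RFC_EQUSER": ["N", "Y"], "RFC_TCODE": ["*"], "RFC_INFO": ["*"],
                           "ACTVT": ["16"]})]

if __name__ == "__main__":
    print("SDA display:", can_access_sda_table(SDA_DISPLAY, "03"))
    print("SDA change :", can_access_sda_table(SDA_DISPLAY, "02"))
    print("tight, same user from SM1:", trusted_rfc_accepted(RFC_TIGHT, "SM1", "001", "JDOE", "JDOE"))
    print("tight, foreign user      :", trusted_rfc_accepted(RFC_TIGHT, "SM1", "001", "JDOE", "OTHER"))
    print("loose, anyone from QA1   :", trusted_rfc_accepted(RFC_LOOSE, "QA1", "900", "ANYONE", "ADMIN"))
    for f in overbroad_rfcacl(RFC_LOOSE):
        print("finding:", f)
```

The RFC_LOOSE profile is the pattern to look for when reviewing roles in the managed systems: with RFC_SYSID='*' and RFC_USER='*', any system that the managed system trusts can log on as the target user without a password, which is far more than the jump-in from SOLAR01/SOLAR02 that Table 197 describes.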

21.5 Scenario Integration

Solution Documentation Assistant refers to the phase in your product life-cycle when you analyze and evaluate your business processes. According to the end-to-end business process life-cycle, this phase needs to integrate with other functions which come into play in your daily business, such as defining business processes, changing them, and so on. Therefore, Solution Documentation Assistant mainly integrates with the implementation and upgrade of business processes within SAP Solution Manager. Here, additional implementation user roles apply: SAP_SOL_*_COMP.


Figure 98: Business Blueprint and Solution Manager Project Administration Integration

Note: For more detail on the implementation and upgrade scenario and its users, see the corresponding Scenario-Specific Guide.

21.6 Background Jobs

The following background jobs are run in the Solution Manager system:

● RBE_* (main jobs)

● <GUID> (create Solution Manager project)

● SDA_BI*

● SDA_UPL*

● SDA_E2E*

Note: The number of jobs depends on the settings of the application Creation of Analysis for each managed system. This can result in a very high workload.


22 Scenario-Specific Guide: Test Management

The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. After having implemented new business processes or changed existing ones, you need to test whether your implementation can be applied successfully to your productive system. This guide gives you an overview of all relevant security-related issues for the scenario Test Management.

22.1 Document History

Here, all changes to this scenario-specific guide are listed according to Support Package.

Table 207

Support Package Stack (Version) | Description

SP05
Authorization Objects: added value TSTM in authorization object S_TABU_DIS in role SAP_STWB_SET_ALL.
End User Roles: the following end user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_STWB_SET_ALL
● SAP_SMWORK_BASIC_TEST_MAN (new view)
Test Management Dashboard: role SAP_SM_DASHBOARDS_DISP_TWB delivered.

SP07
CBTA
● Added new use case function CBTA, see new section in User Roles for Additional Functions. This includes new roles for the use case: SAP_*TST*. The roles are shipped with software component ST-TST.
Adapted End User Roles
● SAP_SMWORK_BASIC_TEST_MAN

SP10
Adapted End User Roles (for details on changes, see the description tab of the role)
● SAP_STWB_WORK_*
● SAP_STWB_SET_ALL
CBTA User Creation in SOLMAN_SETUP: a new guided procedure in transaction SOLMAN_SETUP for CBTA is available. For more information, see section User Roles for CBTA. The following roles are shipped:
● SAP_SM_CBTA_CONF
● SAP_CBTA_CONFIG_COMP
● SAP_CBTA_COMP

SP11
Adapted End User Roles (for details on changes, see the description tab of the role)
● SAP_SM_TCE_RFC
● SAP_TST_AGENT_RFC

SP12
Redesign of CBTA roles
● Adapted roles and users, see the corresponding section. For details on changes, see the description tab of the role.
● Added single roles SAP_STCE_* (contain authorization object S_DEVELOP with execution authorization)
● Added new single role SAP_SM_TST_RTL_DEV

SP13
Adapted End User Roles (for details on changes, see the description tab of the role)
● SAP_STWB_2_ALL

22.2 Prerequisites

22.2.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape needed to run the complete Test Management scenario. SAP Solution Manager is connected to your managed systems via the READ RFC destination and the TRUSTED RFC destination (alternatively LOGIN). Optionally, you can attach a third-party product to SAP Solution Manager via dedicated connections. The following sections describe in more detail all connections, when they are used, and which technical users are required.


Figure 99: Infrastructure

22.2.2 Scenario Configuration User

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

● the BW integration concept, see Core Guide chapter on BW integration.

Basic Configuration using transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like:

● Business Blueprint (including graphics), using transaction SOLAR01

● Configuration (including graphics), using transaction SOLAR02

Scenario Configuration using transaction SOLMAN_SETUP

Scenario configuration in transaction SOLMAN_SETUP is available for CBTA. For more information, see the section on CBTA.

Scenario Configuration using transaction SPRO

To run Test Management, you need to configure it using the Implementation Guide (IMG) in transaction SPRO.


BI - Reporting

To use BI reporting for Test Management, you additionally need to run the BI content activation in the basic automated setup, view Technical Monitoring, Interactive Reporting.

Configuration roles

There are no specific configuration roles for transaction SPRO. You can, however, create your own configuration roles; for more information, see the corresponding How-to Guide.

Note: The work center view Administration contains links for configuration purposes: links to the configuration transactions needed for daily operational use of the work center, such as creating business partners or checking RFC connections. The view can only be accessed with the administration role for the scenario (see the later section on user descriptions and user roles), because it is restricted by authorization object S_TCODE with value SPRO.

22.2.3 Communication Channels and Destinations

The tables below show the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channels

Table 208
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Solution Manager to/from Quality Center by HP | SOAP over HTTP(S) | Test requirements (send and receive data)
Third-party test tools | SOAP over HTTP(S) | Depends on the individual application

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).


Note: All RFC destinations mentioned here are created automatically in transaction SOLMAN_SETUP (view Managed Systems); see the Landscape Setup Guide.

RFC Connections from SAP Solution Manager to Managed Systems

Table 209
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | System-specific | Customer-specific | Customer-specific | Can be used instead of the TRUSTED connection
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user SM_<SID of Solution Manager system> (generated automatically; can be defined by the customer in transaction SMSY) | To read data from the managed system
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Current user | You have the same user ID in the managed system

Internet Graphics Server (IGS) RFC Connection

Table 210
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Transaction SM59

BW Reporting RFC Connection

Table 211
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in a BW standard scenario), for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient> (if BW is realized in a remote BW scenario), for content activation and data download | Managed system or Solution Manager system | System-specific | System-specific | | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient> BI callback RFC, for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
Trusted RFC to remote BW system SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user, used to read data from the remote BW for BI reporting | Created during SOLMAN_SETUP

22.2.4 Technical Users for RFCs

The users in the following tables are created, automatically or manually, during configuration. The overviews are structured according to main functions/scenarios. Some users are relevant for more than one scenario and are therefore mentioned more than once.

User for READ Access in Managed Systems

Users for RFC Connection READ

Table 212
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. Generated automatically during basic configuration in transaction SOLMAN_SETUP; see the Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change the password for this user in the RFC destination in the Solution Manager system.

User for BW Reporting (Reorganization of Data and Configuration Validation)

Table 213
User | User Type | Remarks
BI_CALLBACK | System user | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. Generated automatically during configuration in transaction SOLMAN_SETUP.
SMD_BI_RFC (in case of a remote BW) | System user | Technical user for data download
SM_EFWK | System user | Technical user for extractor execution

Caution: During automatic basic configuration, the system generates a password for user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you must also change the password for this user in the RFC destination in the Solution Manager system.

22.3 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the SAP Solution Manager system and in the managed systems.

When the implementation team has finished working in a project to implement new business processes or change existing ones, the tests need to be organized, and testers need to verify that the implemented changes work correctly in a production-like environment. SAP delivers recommended user descriptions, such as test organizer or tester, on which the SAP-delivered roles are modeled. These user descriptions and roles are templates only: first define which tasks the individual members of your organization perform, then adjust the corresponding roles.

Caution: The roles delivered by SAP are models only and must be adjusted to your company's needs.


Figure 100: Test Management Process

22.3.1 User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and their role assignments for test management. Each user is assigned a composite role, which contains a number of single roles.

Work Center

The work center is a work space for a user that gives access to all tools the user needs. You can assign the delivered composite roles to your users; you may, however, want to restrict the access and/or the authorizations of a particular user. The view Administration is only visible for the Quality Expert and requires authorization object S_TCODE with value SPRO. Access to the views in the navigation panel is restricted by authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.


Figure 101: Test Management Work Center

The tables below show which single roles are included in each composite role. An additional column indicates for which section of the navigation panel the single role is required. Because the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not listed.

Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW - System

Trusted authorizations are needed between SAP Solution Manager and its managed systems, and between SAP Solution Manager and a remote BW system.

● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.

Neither role is contained in the composite roles, because of its highly security-relevant character: S_RFCACL is what allows a user to be logged on via a trusted RFC connection without a password, so its field values (RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER) should be restricted to the intended calling systems and users. Assign these roles explicitly and separately.

Application-Specific Authorizations in Managed Systems

For Test Management, you need to assign authorizations in the managed system depending on the application you are using there. In addition, when you use the trusted RFC connection, you need to assign authorization object S_RFCACL to your user. This authorization object is not included in profile SAP_ALL.
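The two rules stated above (the S_RFCACL roles stay out of the composite roles; S_RFCACL is not in SAP_ALL and must be assigned deliberately) and the cautions in the role tables below that SAP_STWB_2_ALL carries S_DEVELOP execution and administration authorization are the kind of thing a role audit should verify rather than assume. The following Python script is an added example, not part of this guide or of SAP's delivery: it runs offline over an export of tables AGR_1251 (role authorization values) and AGR_AGRS (composite-to-single role links) and reports S_RFCACL instances that trust any calling system or map any calling user ID, roles whose S_DEVELOP allows create/change/execute, and composite roles that pull in the S_RFCACL roles. The sample rows, the authorization names (T-SM001 and so on) and the Z_* roles are constructed for the example; the field values shown for SAP_SM_S_RFCACL are illustrative, not the delivered content of that role.

```python
"""Offline audit of SAP role authorization data for the two high-risk objects
this guide singles out: S_RFCACL (trusted-RFC logon) and S_DEVELOP (Workbench /
eCATT execute). Input is in the shape of tables AGR_1251 and AGR_AGRS."""
from collections import defaultdict

# Constructed sample rows in the shape of AGR_1251:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). Values are illustrative only and
# are NOT the content of the SAP-delivered roles.
AGR_1251 = [
    # Guide-style trust role: one named system/client, same user ID only.
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_SYSID",  "SMP", ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_CLIENT", "001", ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_USER",   "",    ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_EQUSER", "Y",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_TCODE",  "*",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "RFC_INFO",   "*",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM001", "ACTVT",      "16",  ""),
    # Locally built role that trusts every calling system and maps any user ID.
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_SYSID",  "*",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_CLIENT", "*",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_USER",   "*",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_EQUSER", "N",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_TCODE",  "*",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "RFC_INFO",   "*",   ""),
    ("Z_TRUST_ALL",     "S_RFCACL", "T-ZZ001", "ACTVT",      "16",  ""),
    # Test-plan roles: the guide flags S_DEVELOP execute in the _ALL variant.
    ("SAP_STWB_2_ALL",  "S_DEVELOP", "T-SM002", "ACTVT",   "16",   ""),
    ("SAP_STWB_2_ALL",  "S_DEVELOP", "T-SM002", "OBJTYPE", "ECAT", ""),
    ("SAP_STWB_2_DIS",  "S_DEVELOP", "T-SM003", "ACTVT",   "03",   ""),
    ("SAP_STWB_2_DIS",  "S_DEVELOP", "T-SM003", "OBJTYPE", "ECAT", ""),
]

# Constructed sample rows in the shape of AGR_AGRS: (composite AGR_NAME, CHILD_AGR).
AGR_AGRS = [
    ("SAP_SOL_PM_COMP", "SAP_STWB_2_ALL"),
    ("SAP_SOL_PM_COMP", "SAP_SMWORK_ITEST"),
    ("Z_TESTER_COMP",   "SAP_STWB_2_DIS"),
    ("Z_TESTER_COMP",   "SAP_SM_S_RFCACL"),   # contradicts the guide's rule
]

# Roles the guide says must stay out of every composite role.
RFCACL_ROLES = {"SAP_SM_S_RFCACL", "SAP_SM_BW_S_RFCACL"}


def group_authorizations(rows):
    """Collect field values per (role, object, authorization instance)."""
    auths = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].add(f"{low}-{high}" if high else low)
    return auths


def overbroad_rfcacl(rows):
    """S_RFCACL instances that trust any calling system (RFC_SYSID='*') or map
    any calling user ID (RFC_USER='*' without the same-user rule RFC_EQUSER='Y')."""
    findings = []
    for (role, obj, auth), fields in group_authorizations(rows).items():
        if obj != "S_RFCACL":
            continue
        any_sysid = "*" in fields.get("RFC_SYSID", set())
        any_user = ("*" in fields.get("RFC_USER", set())
                    and "Y" not in fields.get("RFC_EQUSER", set()))
        if any_sysid or any_user:
            findings.append((role, auth, any_sysid, any_user))
    return sorted(findings)


def s_develop_change_or_execute(rows):
    """Roles whose S_DEVELOP allows create/change/execute (ACTVT 01, 02, 16 or *)."""
    hits = set()
    for (role, obj, _), fields in group_authorizations(rows).items():
        if obj == "S_DEVELOP" and fields.get("ACTVT", set()) & {"01", "02", "16", "*"}:
            hits.add(role)
    return sorted(hits)


def composites_including(agrs, single_roles):
    """Composite roles that contain any of the given single roles."""
    return sorted({comp for comp, child in agrs if child in single_roles})


def audit(rows=AGR_1251, agrs=AGR_AGRS):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "overbroad_rfcacl": overbroad_rfcacl(rows),
        "s_develop_change_or_execute": s_develop_change_or_execute(rows),
        "rfcacl_roles_in_composites": composites_including(agrs, RFCACL_ROLES),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Feed it the real tables by exporting AGR_1251 and AGR_AGRS for the roles in scope (for example via SE16 or a DDIC read) into the same tuple layout; a role that only appears in the first finding is a trust misconfiguration to fix in PFCG, while the third finding means a composite role silently hands out S_RFCACL to everyone who receives it.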

Tester (technical role name: SAP_SOL_TESTER_COMP)

The Tester is responsible for executing test cases. Testers are allowed to:

● access the Implementation work center and Test Management work center

● display projects

● display system landscape data

● maintain business configuration

● display business blueprint

● display test plan information

● display test workbench information

● execute tests

● execute eCATTs

Single roles included in composite role

Table 214
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SMSY_DIS | Display the system landscape | Execution, Reports, Test Preparation
SAP_SOLAR01_DIS | Display business blueprint information | Reports, Test Preparation
SAP_SOLAR02_EXE | Maintain configuration information for test cases | Reports, Test Preparation, Execution
SAP_SOL_KW_DIS | Display all relevant documents | Reports, Test Preparation, Execution
SAP_SOL_PROJ_ADMIN_DIS | Display project information | Reports, Test Evaluation, Test Preparation, Execution
SAP_STCE_EXE | Test automation | See Common Tasks section
SAP_STWB_2_DIS | Display test plans and test packages | Reports, Test Evaluation, Test Plan Management, Execution
SAP_STWB_INFO_DIS | Display information relating to tests | Reports, Test Evaluation, Test Plan Management, Execution
SAP_STWB_WORK_ALL | Maintain tests | Reports, Tester Worklist, Execution
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface | Work Center Access
SAP_SMWORK_ITEST | Access to the work center for test management | Work Center Access

Project Manager/Test Organizer

The Project Manager is responsible for organization and project planning, for realizing the desired project results, and for the daily management of the project. They anticipate deviations from the project direction and carry out the necessary corrective measures immediately. Project Managers should understand the integration of the business processes within the enterprise. They are also members of the steering committee and have decision-making authority in matters concerning the program and budget. They forward strategic questions to the sponsor for joint decisions. Project Managers are allowed to:

● access the Implementation work center and Test Management work center

● set up projects

● maintain roadmaps

● maintain system landscape data

● maintain solutions

● maintain business blueprint and business configuration

● create transport requests

● maintain training materials

● maintain test plans

● process mass data for test plans

● execute test workbench info

● maintain test workbench settings

● execute tests

● display BW reports

● execute and administer eCATTs

● execute BW reports

Single roles included in composite role (technical role name: SAP_SOL_PM_COMP) in the SAP Solution Manager system

Table 215
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: only relevant for Implementation and Upgrade. |
SAP_SMSY_ALL | Contains full authorization for maintaining the system landscape in transaction SMSY, including logical components | Reports, Test Preparation, Execution
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. Solutions are used in transaction SOLMAN_DIRECTORY, for instance for the check-out/check-in function (solution to maintenance project and maintenance project to solution) | Test Plan Management, Tester Worklist, Test Evaluation, Reports, Execution
SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and for maintaining solutions on the solution settings tab | Test Evaluation, Reports, Execution
SAP_SOLAR01_ALL | Contains full authorization for the business blueprint (transaction SOLAR01). Allows you to build your business processes and steps | Reports, Test Preparation, Execution
SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps | Reports, Test Preparation, Execution
SAP_SOL_KW_ALL | Contains full authorization for document management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Reports, Test Preparation, Execution
SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management | Reports, Test Evaluation, Test Preparation, Execution
SAP_SOL_TRAINING_ALL | Contains full authorization for Learning Maps access. Caution: only relevant for Implementation and Upgrade. |
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: only relevant for Implementation and Upgrade. |
SAP_STCE_ALL | Test automation | See Common Tasks section
SAP_STWB_2_ALL | Maintain test plans and test packages, including eCATT authorization for background job usage and foreground execution. Caution: this role contains S_DEVELOP execution and administration authorization. | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_INFO_ALL | Maintain information relating to tests | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_SET_ALL | Maintain central test workbench settings | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_WORK_ALL | Maintain tests | Execution, Reports, Tester Worklist
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center | Work Center Access
SAP_SMWORK_ITEST | Allows access to the test management work center | Work Center Access
SAP_SM_BI_EXTRACTOR | Extractor Framework authorization, in case of BW reporting | BW reporting
SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of the remote BW scenario | BW reporting
SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation

Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.

Technical composite role name: SAP_SOL_BW_AC_COMP in the BW system/client

In the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 216
Single Role | Help Text ID | Mapping to Navigation Panel Views
SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reports
SAP_BI_TWB | AUTH_SAP_BI_E2E | Reports
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS | Reports

Application Consultant/Test Organizer

Application consultants are responsible for making sure that the Business Blueprint and the software configuration are tailored to the business processes and that analysis and reporting requirements are fulfilled. They use their knowledge of proven business procedures to support them in these tasks. Application consultants also act as advisers and work closely with the rest of the project team. They also cooperate closely with legacy system experts when extraction of legacy data is necessary. The application consultant is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● maintain roadmaps

● display system landscape data

● maintain solutions

● maintain business blueprint and business configuration

● create transport requests

● maintain training materials

● maintain test plans

● process mass data for test plans

● execute test workbench info

● maintain test workbench settings

● execute tests

● set up BW reports, generate views, and display BW reports

● execute and administer eCATTs

● execute BW reports

Single roles included in composite role (technical role name: SAP_SOL_AC_COMP)

Table 217
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorization for the system landscape in transaction SMSY, including logical components | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. Solutions are used in transaction SOLMAN_DIRECTORY, for instance for the check-out/check-in function (solution to maintenance project and maintenance project to solution) | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and for maintaining solutions on the solution settings tab | Test Evaluation, Execution, Reports
SAP_SOLAR01_ALL | Contains full authorization for the business blueprint (transaction SOLAR01). Allows you to build your business processes and steps | Execution, Reports, Test Preparation
SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps | Execution, Reports, Test Preparation
SAP_SOL_KW_ALL | Contains full authorization for document management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Execution, Reports, Test Evaluation, Test Preparation
SAP_SOL_TRAINING_EDIT | Contains full authorization for Learning Maps access. Caution: only relevant for Implementation and Upgrade. |
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: only relevant for Implementation and Upgrade. |
SAP_STWB_2_ALL | Maintain test plans and test packages, including eCATT authorization for background job usage and foreground execution. Caution: this role contains S_DEVELOP execution and administration authorization. | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_INFO_ALL | Maintain information relating to tests | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_SET_ALL | Maintain central test workbench settings | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_WORK_ALL | Maintain tests | Execution, Reports, Tester Worklist
SAP_STCE_ALL | Execute and administer eCATTs | See Common Tasks section
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center | Work Center Access
SAP_SMWORK_ITEST | Allows access to the test management work center | Work Center Access
SAP_SM_BI_EXTRACTOR | Relevant for BI reporting for Test Management | BW reporting
SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of the remote BW scenario | BW reporting
SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation

Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.

Technical composite role name: SAP_SOL_BW_RO_COMP in the BW system/client

In the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 218
Single Role | Help Text ID | Mapping to Navigation Panel Views
SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reports
SAP_BI_TWB_REPORTING | AUTH_SAP_BI_E2E | Reports
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS | Reports

Basis/Development Consultant (technical role name: SAP_SOL_BC_COMP)

Development consultants work with the project manager and the application consultant on the planning and organization of the authorization concept. They also perform development tasks and customer-specific developments. Development consultants are allowed to:

● access the Implementation work center and Test Management work center

● display projects

● maintain roadmaps

● display system landscape data

● display solutions

● maintain business blueprint and business configuration

● create transport requests

● display test plans

● display test workbench info

● display test cases

Single roles included in composite role

Table 219
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorization for the system landscape in transaction SMSY, including logical components | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) | Test Evaluation, Execution, Reports
SAP_SOLAR01_EXE | Contains full authorization for the business blueprint (transaction SOLAR01). Allows you to build your business processes and steps | Execution, Reports, Test Preparation
SAP_SOLAR02_EXE | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps | Execution, Reports, Test Preparation
SAP_SOL_KW_ALL | Contains full authorization for document management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Execution, Reports, Test Evaluation, Test Preparation
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: only relevant for Implementation and Upgrade. |
SAP_STWB_2_DIS | Display test plans and test packages | Log, Reports, Test Evaluation, Test Plan Management
SAP_STWB_INFO_DIS | Display information related to tests | Log, Reports, Test Evaluation, Test Plan Management
SAP_STWB_WORK_DIS | Display the tester's worklist | Log, Reports, Tester Worklist
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center | Work Center Access
SAP_SMWORK_ITEST | Allows access to the test management work center | Work Center Access
SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation


Display User

The display user is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● display roadmaps

● display system landscape data

● display solutions

● display business blueprint and business configuration

● display test-related activities

● display BW reports

● display eCATTs

Single roles included in composite role (technical role name: SAP_SOL_RO_COMP)

Table 220
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_DIS | Contains authorization for displaying roadmaps. Caution: only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorization for the system landscape in transaction SMSY, including logical components | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) | Test Evaluation, Execution, Reports
SAP_SOLAR01_DIS | Contains display authorization for the business blueprint (transaction SOLAR01). Allows you to display business processes and steps | Execution, Reports, Test Preparation
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps | Execution, Reports, Test Preparation
SAP_SOL_KW_DIS | Contains display authorization for document management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management | Execution, Reports, Test Evaluation, Test Preparation
SAP_STWB_INFO_DIS | Display information related to tests | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_2_DIS | Display test plans and test packages | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STCE_DIS | Display eCATTs | See Common Tasks section
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center | Work Center Access
SAP_SMWORK_ITEST | Allows access to the test management work center | Work Center Access
SAP_SM_BI_EXTRACTOR | Relevant for BI reporting for Test Management | In case of BW reporting
SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of the remote BW scenario |

Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.

Technical composite role name: SAP_SOL_BW_AC_COMP in the BW system/client

In the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 221
Single Role | Help Text ID | Mapping to Navigation Panel Views
SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reporting
SAP_BI_TWB | AUTH_SAP_BI_E2E | Reporting
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS | Reporting

Read-Only User (According to Document Status) (technical role name: SAP_SOL_RE_COMP)

The read-only user is allowed to:

● access the Implementation work center and Test Management work center

● display projects

● display roadmaps

● display system landscape data

● display solutions

● display business blueprint and business configuration

● display test-related activities

Note: In contrast to the display user, the read-only user can access documents according to the Customizing of the document status.

Single roles included in the composite role

Table 222

Single Role | Remarks | Mapping to Navigation Panel Views

SAP_RMMAIN_READ | Contains authorization for roadmaps according to the document status. Caution: Only relevant for Implementation and Upgrade. |

SAP_SMSY_DIS | Contains display authorization for the system landscape in transaction SMSY, which includes logical components. | Execution, Reports, Test Preparation

SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports

SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Test Evaluation, Execution, Reports

SAP_SOLAR01_DIS | Contains display authorization for the business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Execution, Reports, Test Preparation

SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. |

SAP_SOL_KW_READ | Contains authorization for document management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) according to the document status. |

SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Execution, Reports, Test Evaluation, Test Preparation

SAP_STWB_INFO_READ | Display information related to tests |

SAP_STWB_2_READ | Display test plans and test packages |

SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface. | Work Center Access

SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface |

SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |

SAP_SMWORK_ITEST | Allows access to the test management work center. |


Common Task Panel in the Work Center

The common task area contains links to the applications that are used:

Easy Test Automation

To use easy test automation, you need authorization for transaction STCE (roles SAP_STCE_*).

Extended Test Automation

To create extended test automation, you need authorization for transaction SECATT.

Create Test Plan

To create test plans, you need role SAP_STWB_2_ALL and, for project authorization, a role SAP_SOL_PROJECT_ADMIN_*.

22.3.2 Main Authorization Objects

This section explains the main authorization objects. For detailed information, see the SDN Wiki for Authorizations.

Authorization Object S_TWB

Authorization object S_TWB is the main authorization object for Test Management. It is maintained specifically in each of the relevant Test Management roles. S_TWB must always be assigned in addition to the project and document management authorizations, which are checked separately.

Figure 102: S_TWB in Role SAP_STWB_2_ALL

The role contains two instances of S_TWB: the first is relevant for test cases, the second, with value TWB3T, for eCATT.

22.4 User Roles for Additional Functions

22.4.1 User Roles for Test Workbench Workflow

The workflow functionality can specify and start actions at specified events in the test management process or during testing.


User Roles

The user role for test workbench workflow needs to be assigned to the user in addition to the respective composite role.

Test Workbench Workflow

Table 223

Role | Remark

SAP_STWB_WORKFLOW_ADMIN | Full authorization

SAP_STWB_WORKFLOW_CREATE | Authorization to create actions

SAP_STWB_WORKFLOW_DIS | Display authorization

CRM Standard Customizing

The workflow functionality is based on CRM and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM Customizing, whose values are also maintained in the individual CRM authorization objects for the workflow. The following table gives you an overview of the transaction types used.

Caution: If you copy the SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.

Transaction Types

Table 224

Transaction Type | Usage | Remarks

TWSQ | Test Sequence Procedure (Test Organizer) | Supported; status profile TWSQ0001 is used in authorization objects B_USERSTAT and B_USERST_T

TWTP | Test Plan Tester Procedure (Test Organizer) | Supported; status profile TWTP0001 is used in authorization objects B_USERSTAT and B_USERST_T

Authorization Objects

The main CRM authorization objects are included in the corresponding roles. For details, see the Core Security Guide, section on CRM integration.

22.4.2 User Roles for Extended Capabilities

You use test case work items to assign incorrect or unfinished test cases to a responsible person for further maintenance. This person can display these test cases as so-called work items in the inbox.


User Roles

Table 225

Role | Remark

SAP_STWB_WITC_CREATE | Authorization to create or maintain work items

SAP_STWB_WITC_EXE | Authorization to maintain work items as the responsible person, but not to create new ones

SAP_STWB_WITC_ADMIN | Administration authorization

SAP_STWB_WITC_DIS | Display authorization

CRM Standard Customizing

The workflow functionality is based on CRM and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM Customizing, whose values are also maintained in the individual CRM authorization objects for the workflow. The following table gives you an overview of the transaction types used.

Caution: If you copy the SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.

Transaction Types

Table 226

Transaction Type | Usage | Remarks

TWTC | Test case maintenance | Supported; status profile TWTC0001 is used in authorization objects B_USERSTAT and B_USERST_T

Authorization Objects

CRM Authorization Objects

The standard CRM authorization objects are used. For details, see the Core Security Guide, section on CRM integration.

Authorization Object SM_TSTMGNT

This authorization object controls whether a test case work item can be created or changed.

22.4.3 User Roles for CBTA (Component-Based Test Automation)

Component-Based Test Automation is an optional SAP software component that can be installed on SAP Solution Manager. It allows you to create, use, and maintain automated tests. Such tests can execute on various systems under test (SUTs). CBTA supports the following kinds of SUT:

● SAP SUT based on ABAP technology, for example SAP GUI, CRM Web UI, Web Dynpro ABAP, and so on

● SAP SUT running non-ABAP technology, for example Web Dynpro Java, BSP, and so on

● SAP SUT running a mix of ABAP and non-ABAP technology, for example Java-ABAP dual stacks, Portal, and so on

● Non-SAP SUT, for example third-party servers running web technology

CBTA use cases:

● without TBOM creation

● with TBOM creation (BPCA integration)

Configuration

You configure CBTA in transaction SOLMAN_SETUP. The configuration can be executed with user SMC_CBTA_<SID>, which you can create in the Basic Settings step Create Configuration User.

Note: The systems under test must not be production systems.

Caution: Role SAP_SM_CBTA_CONFIG contains transaction SM30 with authorization object S_TABU_DIS, value &NC& (no authorization group). The table that is maintained is ECCUST_ET, which is used for registering the CBTA tool. Because &NC& covers every table that has no authorization group, not only ECCUST_ET, this authorization is broader than the configuration step needs. See SAP Note 1976897 to assign a specific authorization group to the table and restrict the role to that group.

Used RFC Connections and Users

Note: For detailed information, see SAP Note 1763697.

In general, the scenario uses the RFC destinations as defined in transaction SOLMAN_SETUP.

To enable automated testing, information needs to be persisted on SAP Solution Manager so that the CBTA application can communicate with the SUT. For this purpose, the SUT Management application allows you to define:

1. The system under test that is the subject of the test

○ SUT based on ABAP technology: an RFC destination with a technical user maintained is used

○ SUT not based on ABAP technology: a URL is provided to identify the SUT

2. The user ID for the scenario execution

○ SUT based on ABAP technology: providing the user is mandatory

○ SUT not based on ABAP technology: providing the user is optional

User credentials are persisted in the Secure Password Storage.

Regardless of which scenario you use, the following RFC connections are in place between your SAP Solution Manager system (TCE) and your managed system (SUT):

● READ RFC: SM_<SID>_CLNT<Client>_READ with technical user SM_<SID>

● RFC: TST_<SUTSID>_CLNT<Client> with technical user TST_SUT_<SolutionManagerSID>

● Trusted (can also be Login) RFC destination, as defined in the target system of the SDC

● BACK RFC with the BACK RFC user


Data Flow Information

Creation and maintenance of test profiles (design time), user: Test Coordinator/Administrator

1. Selection of the System Data Container (SDC) to be used

2. Import of the chosen SDC definition into the SUT Management application. This creates an extensible structure SDC > SDC Target Systems > System Roles.

3. Definition of SDC enhancements in SUT Management per available system role.

Usage of Test Profiles in Test Scripts (Runtime)

1. Creation of tests in Test Composition Environment (TCE).

○ Selection of underlying SDC and Target System

○ Selection of appropriate Test Profile

○ Execution of Recording Wizard

(records the business scenario processed on the SUT, creates automatically the Test Script components out of the recorded scenario, persists in the Test Repository)

2. Execution of previously created tests from within TCE.

3. Maintenance of previously created tests from within TCE.

Note: For both the recording and the execution scenario, sessions must be opened on the SUT. For this session opening, data from the tables of the SUT Management application is retrieved. Execute authorization (authorization object SM_SUTMNGT, see Critical Authorization Objects below) is required for accessing that data at runtime.

Technical System User on the Managed System: TST_SUT_<SolutionManagerSID> (SUT)

To work with CBTA, you need a system user TST_SUT_<SolutionManagerSID> in place for the RFC destination TST_<SUTSID>_CLNT<Client>. This user needs the following roles:

Technical User Roles

Table 227

Role | Help Text ID | Remarks

SAP_TST_AGENT_RFC | AUTH_SAP_TST_AGENT_RFC |

SAP_CRM_TST_RFC (optional) | AUTH_SAP_CRM_TST_RFC | Note: If your managed system is a CRM-based system, you need to add role SAP_CRM_TST_RFC. Download this role from your SAP Solution Manager system onto your PC, then upload it into your CRM system. You need to maintain the authorization objects, generate the profile, and execute the user comparison.

SAP_SM_TCE_RFC | AUTH_SAP_SM_TCE_RFC |

Note: See SAP Note 1907764.

SAP_WDA_TST_RFC | AUTH_SAP_WDA_TST_RFC | Note: If your managed system is a Web Dynpro ABAP-based system

Authorization for Trusted RFC between SAP Solution Manager and the Managed System (SUT)

In case of BPCA integration, the end user is assigned authorization object S_RFCACL for the trusted RFC connection both in the SAP Solution Manager system and in the managed system (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Test Engineer (Help Text ID: TP_CBTA_TE)

User Roles in the SAP Solution Manager System

Composite role technical name: SAP_CBTA_EXE_COMP

Table 228

Role | Help Text ID

SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M

SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST

SAP_SM_SUTMAN_EDIT | AUTH_SAP_SM_SUTMAN_EDIT

SAP_SM_CBTA_EDIT | AUTH_SAP_SM_CBTA_EDIT

SAP_SM_CBTA_TRANSPORT | AUTH_SAP_SM_CBTA_TRANSPORT

SAP_STCE_ALL | AUTH_SAP_STCE_ALL

Test Coordinator (Help Text ID: TP_CBTA_TC)

User Roles in the SAP Solution Manager System

Composite role technical name: SAP_CBTA_ADMIN_COMP

Table 229

Role | Help Text ID

SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M

SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST

SAP_SM_SUTMAN_ADMIN | AUTH_SAP_SM_SUTMAN_ADMIN

SAP_SM_CBTA_ADMIN | AUTH_SAP_SM_CBTA_ADMIN

SAP_SM_CBTA_TRANSPORT | AUTH_SAP_SM_CBTA_TRANSPORT

SAP_STCE_ALL | AUTH_SAP_STCE_ALL

Display User (Help Text ID: TP_CBTA_DIS)

User Roles in the SAP Solution Manager System

Composite role technical name: SAP_CBTA_DISPLAY_COMP

Table 230

Role | Help Text ID

SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M

SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST

SAP_SM_SUTMAN_DIS | AUTH_SAP_SM_SUTMAN_DIS

SAP_SM_CBTA_DIS | AUTH_SAP_SM_CBTA_DIS

SAP_STCE_DIS | AUTH_SAP_STCE_DIS

SUT Management Role for Managed System Users

User Roles in the Managed Systems (SUT)

Table 231

Role | Help Text ID

Business-relevant application role |

Note: If you integrate CBTA with BPCA for TBOMs, assign the BPCA user role (SAP_SM_BPCA_TBOM) to your users; see the security guide for Business Process Change Analyzer in this document, chapter User Description and User Roles.

Runtime Library Manager (RTL) Integration

The role SAP_SM_TST_RTL_DEV can be assigned to the Test Engineer user who is allowed to use the RTL Management.

The RTL Manager is a client-side tool that allows you to customize the VB script libraries that CBTA uses at runtime when recording and executing test scripts. The CBTA runtime library is stored centrally in the MIME repository of the SAP Solution Manager system. The folder SAP/PUBLIC/CBTA in transaction SE80 (MIME Repository) contains the official runtime library (CBASE.zip) that SAP delivers. Additional files are stored at that location when a customization is submitted.

The RTL Manager provides the ability to write additional custom functions that test scripts may need when automating business scenarios for which the common approach (based on default components) is not sufficient. When a CBTA test script is executed, the VB script coding corresponding to the test is sent from the SAP Solution Manager MIME repository to the client computer and executed by the VB script interpreter. The Runtime Library is a set of VB scripts providing helper classes, functions, and procedures that are necessary to simulate actions normally performed by a regular user. Default components are components that perform atomic operations against UI elements. The Runtime Library (RTL) comes with default components for all UI technologies that CBTA supports.

Because the library is fetched from the MIME repository and executed on every tester's client, treat SAP_SM_TST_RTL_DEV and write access to SAP/PUBLIC/CBTA as the ability to run code on those clients, and restrict both accordingly.

With the help of the RTL Manager, the following is possible:

● The developer can check out the runtime library to the local file system in order to modify it, adding custom code at the foreseen locations.

● When the custom code is finalized, the developer can save the modifications back to the SAP Solution Manager MIME Repository. This makes the libraries available to other testers as well.

● By transporting the changes, the developer can also update the libraries on further SAP Solution Manager systems in the landscape.

BPCA TBOM Integration

If you integrate CBTA with BPCA for TBOMs, assign the BPCA user role (SAP_SM_BPCA_TBOM) to your users; see the security guide for Business Process Change Analyzer in this document, chapter User Description and User Roles.

CRM Standard Customizing

The workflow functionality is based on CRM and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM Customizing, whose values are also maintained in the individual CRM authorization objects for the workflow. The following table gives you an overview of the transaction types used.

Caution: If you copy the SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.

Transaction Types

Table 232

Transaction Type | Usage | Remarks

TWTC | Test case maintenance | Supported; status profile TWTC0001 is used in authorization objects B_USERSTAT and B_USERST_T

Critical Authorization Objects

S_TABU_NAM

Authorization object S_TABU_NAM (in the configuration role for the configuration user) allows tables to be displayed by table name; the setup reads them via RFC_READ_TABLE to determine which scenarios are relevant.

SM_SUTMNGT

This authorization object controls access to and execution of SUT Management. The activities are checked against the SUT Management definitions for the explicitly listed System Data Containers:

● Execute: use of SUT Management test profiles and the defined user credentials in test cases

● Maintain: creation, modification, and deletion of definitions in SUT Management

● Check: verification of definitions in SUT Management (credentials, technical destination)

● Import: all SDC import activities into SUT Management

The activities have no dependencies on each other and can be granted independently; in particular, Maintain does not include Execute, so a user who defines test profiles and credentials does not automatically get to use them in test cases.


Scenario Integration

SUT Management is integrated with the CBTA capability of SAP Solution Manager, and CBTA is integrated with Test Management as an external tool. It can be invoked via:

● Test Composition Environment

● Transaction STCE

● Transaction SECATT

● SAP Solution Manager projects (test configuration in transaction SOLAR02)

● Test packages in test plans

22.5 Scenario Integration

Test Management refers to the phase in your product life cycle in which you test and validate your business processes by means of projects. According to the end-to-end business process life cycle, this phase needs to integrate with a number of other functions that come into play in your daily business, such as the handling of problems. The following sections describe the integration of Test Management with other scenarios within SAP Solution Manager, and which user roles apply.

Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.

Business Process Change Analyzer (BPCA)

In the business blueprint and configuration transactions of SAP Solution Manager, users (for instance the application consultant) can record TBOMs for Business Process Change Analysis. To be able to do so, you need to assign your user the required BPCA roles: SAP_SM_BPCA_TBOM_ALL (generating TBOMs) and SAP_SM_BPCA_RES_ALL (analyzing results).

In the managed systems, you need to assign the corresponding application-specific authorizations to your users.

Incident Management

In the business blueprint and configuration, users can create service desk messages. To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE. For processing incidents on defective test cases, use composite role SAP_SUPPDESK_PROCESS_COMP.

Note: If you are a service provider, you need to assign the corresponding service provider roles. For more information, see the Service Provider Guide.


22.6 External Integration

22.6.1 Tool Integration via BC-eCATT

You can integrate an external test tool with eCATT.

Roles for eCATT Integration

Table 233

Role | Remarks

SAP_ECET | Authorization for saving and loading test scripts with eCATT. This role is assigned automatically during technical user generation (see IMG activity Generate User, technical name SOLMAN_ETEST_USER) to the technical user of type Service, for instance SM_ECATT.

SAP_SM_ECET | Authorization to use the Test Automation Framework (TAF); must be assigned manually to the technical user of type Service, for instance SM_ECATT.

Note: Both roles end up assigned to the generated user, for instance SM_ECATT.

Figure 103

22.6.2 Quality Center by HP

Quality Center creates test plans and test cases for a project, and performs and monitors tests. The project structure or the documents can be transferred to it in the Blueprint phase. Quality Center (QC) contains the tests in test projects. Each HP test project comprises a structure that contains business requirements and business test requirements.

Technical Users

Users for External Integration

Table 234

User (Password) | Type | Remarks

Integration user (customer-specific) | Service user | Technical user for the web service; assigned role SAP_QC_INTERFACE

QCALIAS (customer-specific) | System user | Technical user for WSDL access; assigned role SAP_QC_WSDL_ACCESS

End-User Roles

Table 235

Name | Remarks

SAP_QC_BY_HP_ADMIN | Full authorization to configure, send, and receive data to/from Quality Center; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_PM_COMP

SAP_QC_BY_HP_EXE | Authorization to use the Requirements tab in transaction SOLAR01; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_AC_COMP

SAP_QC_BY_HP_DISP | Display authorization; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_RO_COMP

SAP Quality Center by HP (Defect Management)

Table 236

Name | Type | Remarks

SAP_SUPPDESK_INTERFACE | ABAP role | Authorization for the bidirectional interface and its configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN. Recommendation: To restrict the services that can be accessed, maintain authorization field SRV_NAME in authorization object S_SERVICE with the following values: ICT_SERVICE_DESK_API*, ICT_SERVICE_DESK_API_MQC*. A bare * in SRV_NAME would let the interface user call any service.

Quality Center integration user (Defect Management), for instance DEFECTMAN | System user | Technical user for data exchange; assigned roles SAP_SUPPDESK_INTERFACE and SAP_SUPPDESK_ADMIN
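To make two of the authorization caveats in this chapter concrete, the following added Python example (written for this edit; not SAP code and not part of the original guide) models how an AUTHORITY-CHECK evaluates maintained field values, including the trailing * wildcard, and applies it to the S_TABU_DIS value &NC& in role SAP_SM_CBTA_CONFIG (section 22.4.3, Configuration) and to the S_SERVICE / SRV_NAME restriction recommended above for SAP_SUPPDESK_INTERFACE. The TDDAT excerpt, the role contents, the table ZCUST_PARAMS and the authorization group ZCBT are constructed sample data, and only the SRV_NAME field of S_SERVICE is modelled.

```python
"""Model of how an SAP AUTHORITY-CHECK evaluates maintained field values
(exact match, or a trailing '*' that matches any suffix), applied to two
points from this guide: the S_TABU_DIS value &NC& in role SAP_SM_CBTA_CONFIG
and the S_SERVICE / SRV_NAME restriction for SAP_SUPPDESK_INTERFACE.
Added example, not SAP code. TDDAT, the role contents, table ZCUST_PARAMS
and authorization group ZCBT are constructed sample data."""

from dataclasses import dataclass


def value_matches(pattern: str, value: str) -> bool:
    """One maintained authorization value against one checked value."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. S_TABU_DIS
    fields: dict[str, list[str]]  # field name -> maintained values


def authority_check(auths: list[Authorization], obj: str, **required: str) -> bool:
    """Every requested field must match within ONE authorization instance;
    several instances of the same object are OR-ed (ABAP AUTHORITY-CHECK)."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(value_matches(p, v) for p in auth.fields.get(f, []))
               for f, v in required.items()):
            return True
    return False


# Constructed TDDAT excerpt: table name -> authorization group ("" = none).
TDDAT = {"ECCUST_ET": "", "ZCUST_PARAMS": "", "T000": "SS"}


def table_group(tddat: dict[str, str], table: str) -> str:
    """S_TABU_DIS is checked against the table's group; no group means &NC&."""
    return tddat.get(table) or "&NC&"


def can_maintain_table(auths: list[Authorization], tddat: dict[str, str], table: str) -> bool:
    """SM30 change access (ACTVT 02) on a table, checked via S_TABU_DIS."""
    return authority_check(auths, "S_TABU_DIS",
                           DICBERCLS=table_group(tddat, table), ACTVT="02")


# S_TABU_DIS as described in the Caution for SAP_SM_CBTA_CONFIG: &NC&.
CBTA_CONFIG_AS_DELIVERED = [
    Authorization("S_TABU_DIS", {"DICBERCLS": ["&NC&"], "ACTVT": ["02", "03"]}),
]


def harden_per_note(tddat: dict[str, str], table: str, group: str):
    """Give the table its own authorization group (what SAP Note 1976897
    describes) and restrict the role to that group instead of &NC&."""
    new_tddat = {**tddat, table: group}
    role = [Authorization("S_TABU_DIS", {"DICBERCLS": [group], "ACTVT": ["02", "03"]})]
    return new_tddat, role


# S_SERVICE: only the SRV_NAME field is modelled here.
def can_call_service(auths: list[Authorization], name: str) -> bool:
    return authority_check(auths, "S_SERVICE", SRV_NAME=name)


QC_UNRESTRICTED = [Authorization("S_SERVICE", {"SRV_NAME": ["*"]})]
QC_RESTRICTED = [Authorization("S_SERVICE", {"SRV_NAME": [
    "ICT_SERVICE_DESK_API*", "ICT_SERVICE_DESK_API_MQC*"]})]


def redundant_patterns(patterns: list[str]) -> list[str]:
    """Values already covered by a broader trailing-'*' value in the same list."""
    covered = []
    for q in patterns:
        base = q[:-1] if q.endswith("*") else q
        if any(p != q and p.endswith("*") and base.startswith(p[:-1]) for p in patterns):
            covered.append(q)
    return covered


if __name__ == "__main__":
    # &NC& reaches ECCUST_ET, but equally every other table without a group.
    for t in ("ECCUST_ET", "ZCUST_PARAMS", "T000"):
        print(t, can_maintain_table(CBTA_CONFIG_AS_DELIVERED, TDDAT, t))
    tddat2, role2 = harden_per_note(TDDAT, "ECCUST_ET", "ZCBT")
    for t in ("ECCUST_ET", "ZCUST_PARAMS"):
        print("hardened", t, can_maintain_table(role2, tddat2, t))
    print(can_call_service(QC_UNRESTRICTED, "ZANY_OTHER_SERVICE"))
    print(can_call_service(QC_RESTRICTED, "ZANY_OTHER_SERVICE"))
    print(redundant_patterns(QC_RESTRICTED[0].fields["SRV_NAME"]))
```

Run as a script, the example shows that &NC& matches every table without an authorization group, so only assigning ECCUST_ET its own group and restricting the role to it actually narrows SAP_SM_CBTA_CONFIG, and that the second SRV_NAME value recommended above is already a subset of the first.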


Figure 104

22.6.3 IBM Rational Test Management Tool

Configuration

Figure 105: Transaction SPRO

Technical User

Technical User Roles

Table 237

Role | Remarks

SAP_TMT_INTERFACE | Authorization for the technical user for the web service

SAP_TMT_WSDL_ACCESS | Authorization for the technical user for WSDL access, for instance TMTALIAS

User Roles

Table 238

Role | Remarks

SAP_TMT_ADMIN | Full authorization to configure, send, and receive data; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_PM_COMP

SAP_TMT_EXE | Authorization to use the Requirements tab in transaction SOLAR01; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_AC_COMP

SAP_TMT_DISP | Display authorization; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_RO_COMP

Authorization Objects

Authorization Object S_PROJ_GEN

The roles contain project authorization object S_PROJ_GEN with the following values:

● GTAD: Assign the External Testing Tool project (only if you use the External Testing Tool Adapter for SAP Solution Manager). Used in project administration (transaction SOLAR_PROJECT_ADMIN: Edit > Connection to the External Testing Tool).

● GTPU: Send data to the External Testing Tool project (only if you use the External Testing Tool Adapter for SAP Solution Manager). Used in the Business Blueprint (transaction SOLAR01: Business Blueprint > Send Data to the External Testing Tool).


23 Scenario-Specific Guide: Business Process Change Analyzer

The business process life cycle spans all phases of the life cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). The Business Process Change Analyzer supports this implementation and upgrade process within various use cases, for instance:

● Dynamic TBOM (Technical Bill of Material) recording

● TBOM creation via third-party test tool / test cases

● Web services for external test tool integration

The function allows you to automatically evaluate the impact of a change on the affected business processes using trace information.

23.1 Document History

Here, all changes to this scenario-specific guide are listed according to Support Package.

Table 239

Support Package Stack (Version) | Description

SP05 | General: Business Process Change Analyzer and SAP TAO are configured using the automated guided procedure in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created automatically within this procedure. The following users are created:

● Scenario Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on for configuring the corresponding scenario in transaction SOLMAN_SETUP.

● Standard Template Users: Standard users for the process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as "demo" standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes require Customizing for a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the SAP Solution Manager system and the required managed systems.

Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document Text ID in the system. For more information, see the Landscape Setup Guide, section User Generation.

SP05 | Scenario Configuration: Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

SP05 | End-User Roles: In composite role SAP_BPCA_EXE_COMP, role SAP_SM_BPCA_RES_ALL is replaced by SAP_SM_BPCA_RES_DIS. Display CRM integration role SAP_BPCA_CRM_INTEGRATION added to the composite roles (does not include CRM WebUI integration); see section on Users and Authorizations.

SP05 | Scenario Integration: New composite role SAP_SM_CRMWEBUI_INT_DIS_COMP for integration with Change Request Management; see the corresponding section.

SP05 | SAP TAO Integration: New role SAP_TAO_CRM_TAO for managed SAP CRM systems; see section on SAP TAO integration. Role SAP_SM_TAO_RFC updated with new authorization object SM_TAO (for details, see the Description tab in the role). Role SAP_TAO_AGENT_RFC updated with new authorization object S_TAO_SVC and extended with authorization object S_TABU_DIS (for details, see the Description tab in the role). New composite roles SAP_TAO_COMP for the end user and SAP_TAO_CONF_COMP for the configuration user.

SP10 | End-User Roles: The following roles have been adapted (for details on the authorization adaptations, see the Menu tab in the respective role): SAP_BPCA_CONFIG, SAP_BPCA_RES*, SAP_BPCA_TBOM*. New additional composite roles SAP_SM_BW_BPCA_*_COMP for BW-related functions (integrated in template creation in transaction SOLMAN_SETUP) for the users Quality Expert and Business Process Expert; see section on User Definition and Roles.

SP10 | SOLMAN_SETUP Template Users: Template users for SAP Solution Manager extended for BW-related functions. Template users introduced for managed systems (see step description).

SP11 | General: Added new section on Additional Security Measures.

SP12 | End-User Roles: The following roles have been adapted (for details, see the Menu tab in the respective role): SAP_SM_BPCA_TBOM_*, SAP_WDA_TST_RFC.

SP13 | End-User Roles: Role SAP_SM_BPCA_TBOM (managed systems) adapted; the section on critical authorizations is extended because of the additional authorization objects S_TRANSPRT and S_DEVELOP.

23.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of divers scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which refers to all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers to create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● CRM Standard Customizing: find out about mandatory customizing entries delivered by SAP

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.


23.3 Prerequisites

23.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete scenario. The SAP Solution Manager is connected to your managed systems via READ RFC and TRUSTED RFC (alternatively LOGIN), and your managed systems are connected to the SAP Solution Manager via BACK RFC. Optionally, you can attach a third-party product to the SAP Solution Manager via specified connections. The following sections describe in more detail when each connection is used and which technical users it requires.

Figure 106: Infrastructure

23.3.2 Scenario Configuration User

The scenario BPCA and scenario integration SAP TAO are configured using transaction SOLMAN_SETUP.

To configure the scenario proceed as follows:

Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like:

● Business Blueprint (including graphics), using transaction SOLAR01

● Configuration (including graphics), using transaction SOLAR02

During basic automated configuration, you can create:

● a specific configuration user (default user name: SMC_BPCA_<XXXClient>) for BPCA (Help Text ID: USER_CONFIG_BPCA)

● a specific configuration user (default user name: SMC_TAO_<XXXClient>) for SAP TAO (Help Text ID: USER_CONFIG_TAO)

The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you create the configuration users manually, the composite roles SAP_BPCA_CONF_COMP for BPCA and SAP_TAO_CONF_COMP for SAP TAO contain all single roles which are automatically assigned to the configuration users.

Note: To be able to create users and assign user roles, you need to assign role SAP_SM_USER_ADMIN as well.

Scenario Configuration Transaction SOLMAN_SETUP

● You configure the Business Process Change Analyzer and its third-party integration using transaction SOLMAN_SETUP.

● You configure SAP TAO using transaction SOLMAN_SETUP.

During the specific guided configurations you can create standard template users. The system automatically adds all relevant user roles, see the according sections on Users and User Roles, and SAP TAO Integration.

Note: As of SP05, you can also configure the scenario using transaction SPRO.

23.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Caution: Because these use cases trace information in managed systems, SAP strongly recommends configuring SAP Solution Manager and the managed systems carefully, and using only the roles and authorizations recommended by SAP.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 240

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to managed systems and back | RFC | Reading information from managed systems


Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.

Table 241

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific | In case TRUSTED RFC is not used
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data such as business functions, transport requests, Support Packages, repository objects, and so on from the managed systems for BPCA analysis
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | Optional, as the LOGIN RFC connection can also be used. Needed for TBOM recording of automatic test cases (traces), and SAP TAO

RFC Connection from Managed System to SAP Solution Manager

Table 242

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | For recording of automated test cases, to receive trace information about which functions in which managed systems were analyzed | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
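The destination conventions in Tables 241 and 242 can be checked against an export of the destinations defined in transaction SM59. The following Python script is an added example, not part of the SAP guide or of Solution Manager: it parses destination names of the form SM_<SID>CLNT<Client>_<kind>, verifies that each managed system has a READ destination using the default user SM_<SID of Solution Manager system>, that either a TRUSTED or a LOGIN destination exists, that a TRUSTED destination really is configured as trusted, and that the BACK user follows SMB_<managed system ID>. The inventory, the Solution Manager SID SMP and the `trusted` flag field are constructed assumptions.

```python
"""Consistency check of managed-system RFC destinations against the naming
and user conventions in Tables 241 and 242 (added example; the inventory
below is constructed, not exported from a real system)."""
import re
from collections import defaultdict

# Assumption: the Solution Manager system has SID SMP, so its READ user is SM_SMP.
SOLMAN_SID = "SMP"

# Constructed SM59-style inventory of destinations defined in Solution Manager.
DESTINATIONS = [
    {"name": "SM_PRDCLNT100_READ", "user": "SM_SMP", "trusted": False},
    {"name": "SM_PRDCLNT100_TRUSTED", "user": "", "trusted": True},
    {"name": "SM_PRDCLNT100_LOGIN", "user": "RFC_PRD", "trusted": False},
    {"name": "SM_CRMCLNT200_READ", "user": "SOLMAN_READ", "trusted": False},
    {"name": "ZCRM_TRUSTED", "user": "", "trusted": True},
]
# Constructed: logon user of each managed system's _BACK destination.
BACK_USERS = {"PRD": "SMB_PRD", "CRM": "SMB_CRM"}

NAME_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|LOGIN|TRUSTED)$"
)


def check_destinations(destinations, back_users, solman_sid):
    """Return a sorted list of deviations from the conventions in the tables."""
    problems = []
    systems = defaultdict(dict)  # (sid, client) -> {kind: destination}
    for d in destinations:
        m = NAME_RE.match(d["name"])
        if m is None:
            problems.append(
                f"{d['name']}: name does not match SM_<SID>CLNT<Client>_<READ|LOGIN|TRUSTED>"
            )
            continue
        systems[(m["sid"], m["client"])][m["kind"]] = d

    for (sid, client), kinds in sorted(systems.items()):
        label = f"{sid} client {client}"
        read = kinds.get("READ")
        if read is None:
            problems.append(f"{label}: READ destination missing")
        elif read["user"] != f"SM_{solman_sid}":
            problems.append(
                f"{label}: READ user {read['user']} is not the default SM_{solman_sid}"
            )
        if "TRUSTED" not in kinds and "LOGIN" not in kinds:
            problems.append(
                f"{label}: neither TRUSTED nor LOGIN destination (TBOM recording needs TRUSTED)"
            )
        trusted = kinds.get("TRUSTED")
        if trusted is not None and not trusted["trusted"]:
            problems.append(f"{label}: TRUSTED destination is not configured as a trusted connection")
        back = back_users.get(sid)
        if back is None:
            problems.append(f"{label}: no BACK destination user known for {sid}")
        elif back != f"SMB_{sid}":
            problems.append(f"{label}: BACK user {back} is not the default SMB_{sid}")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_destinations(DESTINATIONS, BACK_USERS, SOLMAN_SID):
        print("deviation:", line)
```

The check works on a static inventory, so it cannot detect the situation the Caution in Table 245 warns about (a READ user whose password was changed in SU01 but not in the destination); that still needs a connection test in SM59.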

Internet Graphics Server (IGS) RFC Connection

Table 243

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59

Business Warehouse RFC Connections

Table 244

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in a BW standard scenario), for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | 
BI_CLNT<BWclient> (if BW is realized in a remote BW scenario system), for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific |  | In transaction SOLMAN_SETUP
MDX PARSER (used for the creation of semi-dynamic TBOMs) |  |  |  |  | 

23.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the BPCA scenario.

User for READ Access in Managed Systems

Users for RFC connection READ

Table 245

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide

Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

TBOM Recording of Automatic Test Cases

User for TBOM recording of automatic test cases

Table 246

User (Password) | Remarks
TBOM recording user (name and password customer-specific) | Technical user of type system user to record TBOM of automatic test cases, assigned role SAP_BPCA_ECATT_COMP.

Note: To use this function, you need to have a trusted RFC connection in place.

See also IMG activity Create user for TBOM recording of automated test cases (technical name: SOLMAN_BPCA_USERAUT)

23.4 CRM Standard Customizing

An optional use case of the BPCA scenario (TBOM Recording Work Items) is based on CRM 7.01, and uses CRM customizing such as transaction types, action profiles, and so on. We deliver a standard CRM customizing, which is also maintained in the individual CRM authorization objects for BPCA. The following table gives you an overview of the transaction types used by BPCA.

Caution: If you copy SAP standard customizing, you need to add the changed values in the according CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.


Transaction Types

Table 247

Transaction Type | Usage | Remarks
SMTB | Product Update | The transaction type is delivered with action profile SMTB0001. All actions that are assigned to this action profile have naming convention <SMTB>.

23.5 Users and Authorizations

To enable your users to work with the application, you need to assign them authorizations in the SAP Solution Manager system and in the managed systems.

When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which SAP delivered roles are modeled. These user descriptions and roles can only be regarded as templates for you. You need to first define which tasks the individual members in your company execute, and then adjust the according roles.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

Roles for Business Process Change Analyzer (BPCA) are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.

23.5.1 User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and the user roles assigned to them for BPCA. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. The view Administration is only visible for the Quality Expert; here, authorization object S_TCODE with value SPRO is necessary. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.


Figure 107: Test Management Work Center

The tables underneath give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFC between SAP Solution Manager and BW System

In case of a remote BW connection, the user in the SAP Solution Manager system must be assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Authorizations in Managed Systems

All users need according application authorization in the managed system and role SAP_SM_BPCA_TBOM for recording activities.

For Business Process Change Analyzer you need to assign authorizations in the managed system depending on the application you are using in the managed system. In addition, when you are using the trusted RFC - connection, you need to assign authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL) to your user. This authorization object is not included in profile SAP_ALL.

Note: To run TBOM recording, authorization object S_ADMI_FCD with value PADM is required. This authorization allows the user to perform process administration functions such as changing profile parameters. You can remove this authorization from the role if you set the following required profile parameters in advance (see also SAP Note 2138643):

● rstr/accept_remote_trace = true: This parameter should be set on all managed systems that are potentially accessed by RFC from the primary managed system where the TBOM is recorded.

● rstr/send_global_trace = true: This parameter needs to be set only on the primary managed system where the TBOM recording starts.

Authorization Object S_TRANSPRT

BPCA must be able to look at the content of all transport requests in order to analyze it, or in order to perform the obsolescence check for TBOMs. Therefore, the field for transport type is not restricted.

Authorization Object S_DEVELOP

BPCA must be able to gather information, such as package, ACH component, and versions, for any development object in a system for TBOM recording, obsolescence check, and BPCA analysis. Therefore, fields such as package or object type are not restricted.
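As a worked check for the Note on S_ADMI_FCD PADM and the two sections above, the following Python script is an added example and not code from SAP: it scans a role extract in the shape of table AGR_1251 for the critical values named here (PADM, unrestricted S_TRANSPRT and S_DEVELOP fields, and, as a reviewer policy of our own rather than a statement of the guide, any non-display activity on those two objects), and decides whether PADM can be dropped given the rstr/* profile parameters of the primary and remote managed systems. The role name Z_SM_BPCA_TBOM, the extract and the parameter values are constructed.

```python
"""Review a BPCA managed-system role for the critical authorizations named
above and decide whether S_ADMI_FCD PADM can be removed (added example; the
role extract and profile parameters are constructed, not taken from SAP)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    """One authorization field value of a role, in the shape of table AGR_1251."""
    role: str
    obj: str    # authorization object, e.g. S_DEVELOP
    field: str  # authorization field, e.g. DEVCLASS
    low: str    # value (or lower bound of a range)


# Constructed extract of a customer copy (Z_SM_BPCA_TBOM is a hypothetical name).
ROLE_AUTHS = [
    AuthValue("Z_SM_BPCA_TBOM", "S_ADMI_FCD", "S_ADMI_FCD", "PADM"),
    AuthValue("Z_SM_BPCA_TBOM", "S_TRANSPRT", "TTYPE", "*"),
    AuthValue("Z_SM_BPCA_TBOM", "S_TRANSPRT", "ACTVT", "03"),
    AuthValue("Z_SM_BPCA_TBOM", "S_DEVELOP", "DEVCLASS", "*"),
    AuthValue("Z_SM_BPCA_TBOM", "S_DEVELOP", "OBJTYPE", "*"),
    AuthValue("Z_SM_BPCA_TBOM", "S_DEVELOP", "OBJNAME", "*"),
    AuthValue("Z_SM_BPCA_TBOM", "S_DEVELOP", "ACTVT", "03"),
]

# Constructed profile parameter values per managed system (SID -> parameters).
PROFILE_PARAMS = {
    "PRD": {"rstr/accept_remote_trace": "true", "rstr/send_global_trace": "true"},
    "CRM": {"rstr/accept_remote_trace": "true"},
    "BWP": {"rstr/accept_remote_trace": "false"},
}

UNRESTRICTED_OK = {"S_TRANSPRT", "S_DEVELOP"}  # wildcards expected, per the guide
DISPLAY_ACTVT = {"03"}  # reviewer policy (assumption): these objects stay display-only


def find_critical(auths):
    """List authorization values a reviewer must look at, as OBJECT/FIELD=VALUE."""
    flagged = []
    for a in auths:
        key = f"{a.obj}/{a.field}={a.low}"
        if a.obj == "S_ADMI_FCD" and a.low == "PADM":
            flagged.append(key)      # process administration; see padm_removable()
        elif a.obj in UNRESTRICTED_OK:
            if a.field == "ACTVT" and a.low not in DISPLAY_ACTVT:
                flagged.append(key)  # change activity on an object meant for reading
            elif a.field != "ACTVT" and a.low == "*":
                flagged.append(key)  # unrestricted, as documented; still record it
    return flagged


def padm_removable(primary_sid, remote_sids, params):
    """PADM may be dropped only if the rstr/* parameters are already set:
    send_global_trace on the primary system, accept_remote_trace on every
    system the primary system may reach via RFC during recording."""
    problems = []
    if params.get(primary_sid, {}).get("rstr/send_global_trace", "").lower() != "true":
        problems.append(f"{primary_sid}: rstr/send_global_trace not true")
    for sid in remote_sids:
        if params.get(sid, {}).get("rstr/accept_remote_trace", "").lower() != "true":
            problems.append(f"{sid}: rstr/accept_remote_trace not true")
    return (not problems, problems)


def review_role(auths, primary_sid, remote_sids, params):
    """Combine both checks into one report dictionary."""
    ok, problems = padm_removable(primary_sid, remote_sids, params)
    return {"flagged": find_critical(auths), "padm_removable": ok, "problems": problems}


if __name__ == "__main__":
    report = review_role(ROLE_AUTHS, "PRD", ["CRM", "BWP"], PROFILE_PARAMS)
    for item in report["flagged"]:
        print("review:", item)
    print("PADM removable:", report["padm_removable"], report["problems"])
```

Run against a real extract, the flagged list should contain only the values this guide documents as intentionally unrestricted; anything else (for example a change activity on S_DEVELOP) is a deviation from the delivered role and should be justified before go-live.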

Quality Expert (Help Text ID: TP_BPCA_QE)

Technical composite role name SAP_BPCA_ALL_COMP in the Solution Manager system/client

Table 248

Single Role | Help Text ID
SAP_SM_BPCA_TBOM_ALL | AUTH_SAP_SM_BPCA_TBOM_ALL
SAP_SM_BPCA_RES_ALL | AUTH_SAP_SM_BPCA_RES_ALL
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_STWB_WORK_ALL | AUTH_SAP_STWB_WORK_ALL
SAP_STWB_2_ALL | AUTH_SAP_STWB_2_ALL
SAP_SOL_PROJ_ADMIN_DIS | AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_EDIT | AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SOLAR01_ALL | AUTH_SAP_SOLAR01_ALL
SAP_SOLAR02_ALL | AUTH_SAP_SOLAR02_ALL
SAP_SOL_KW_ALL | AUTH_SAP_SOL_KW_ALL
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_BPCA_CRM_INTEGRATION | AUTH_SAP_BPCA_CRM_INTEGRATION

Technical composite role name: SAP_SM_BW_BPCA_ADMIN_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 249

Single Role | Help Text ID
SAP_BI_E2E_BPCA | AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN


Business Process Expert (Help Text ID: TP_BPCA_BPE)

Technical composite role name SAP_BPCA_EXE_COMP in the Solution Manager system/client

Table 250

Single Role | Help Text ID
SAP_SM_BPCA_TBOM_EXE | AUTH_SAP_SM_BPCA_TBOM_EXE
SAP_SM_BPCA_RES_DIS | AUTH_SAP_SM_BPCA_RES_DIS
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_ALL | AUTH_SAP_STWB_WORK_ALL
SAP_SOL_PROJ_ADMIN_DIS | AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_DISP | AUTH_SAP_SOLMAN_DIR_DIS
SAP_SOLAR01_ALL | AUTH_SAP_SOLAR01_ALL
SAP_SOLAR02_ALL | AUTH_SAP_SOLAR02_ALL
SAP_SOL_KW_ALL | AUTH_SAP_SOL_KW_ALL
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M

Technical composite role name: SAP_SM_BW_BPCA_DISPLAY_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 251

Single Role | Help Text ID
SAP_BI_E2E_BPCA | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Display User (Help Text ID: TP_BPCA_DIS)

Technical composite role name SAP_BPCA_DIS_COMP in the Solution Manager system/client

Table 252

Single Role | Help Text ID
SAP_SM_BPCA_TBOM_DIS | AUTH_SAP_SM_BPCA_TBOM_DIS
SAP_SM_BPCA_RES_DIS | AUTH_SAP_SM_BPCA_RES_DIS
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_DIS | AUTH_SAP_STWB_WORK_DIS
SAP_SOL_PROJ_ADMIN_DIS | AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_DISP | AUTH_SAP_SOLMAN_DIR_DIS
SAP_SOLAR01_DIS | AUTH_SAP_SOLAR01_DIS
SAP_SOLAR02_DIS | AUTH_SAP_SOLAR02_DIS
SAP_SOL_KW_DIS | AUTH_SAP_SOL_KW_DIS
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_BPCA_CRM_INTEGRATION | AUTH_SAP_BPCA_CRM_INTEGRATION

ECATT user (Help Text ID: TP_BPCA_ECAT)

Technical composite role name SAP_BPCA_ECATT_COMP in the Solution Manager system/client

Table 253

Single Role | Help Text ID
SAP_SM_BPCA_TBOM_ALL | AUTH_SAP_SM_BPCA_TBOM_ALL
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_DIS | AUTH_SAP_STWB_WORK_DIS
SAP_STWB_2_ALL | AUTH_SAP_STWB_2_ALL
SAP_SOL_PROJECT_ADMIN_DIS | AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOL_KW_DIS | AUTH_SAP_SOL_KW_DIS
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M

Common Task Panel in the Work Center

The common task area contains links for applications that are used:

Easy Test Automation

To easily use test automation, you need authorization for transaction STCE, see scenario - specific guide for Test Management.

Extended Test Automation

For extended test automation, you need authorization for transaction STCE, see scenario-specific guide for Test Management.

Create Test Plan

To create test plans, you need role SAP_STWB_2_ALL, for project authorization role SAP_SOL_PROJECT_ADMIN_*.


23.6 Scenario Integration

BPCA refers to the phase in your product life-cycle when you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems, and so on. The following sections describe the integration of BPCA with other scenarios within SAP Solution Manager, and which user roles would be applicable.

Note: For more detail on each individual scenario, see the according Scenario-Specific Guide.

Test Management

BPCA is used to prepare the test phase. You can create test plans. To be able to create test plans, assign single role SAP_STWB_2_ALL.

Figure 108: Integration to Testplan and Optimize Test Scope

Change Request Management

You can run analyses for requests for change and change documents using BPCA. To see the details of documents, you can jump into the CRM WebUI directly. In addition to the basic BPCA composite roles, you require composite role SAP_SM_CRMWEBUI_INT_DIS_COMP. This composite role contains all relevant roles for this integration:

● SAP_SM_CRMUI_INTEGRATION_DIS (CRM authorizations)

● SAP_SM_CRM_UIU_SOLMANPRO (CRM Business Role without authorizations)

● SAP_SM_CRM_UIU_SOLMANPRO_CHARM (CHARM - related UIU_COMP authorizations)

● SAP_SM_CRM_UIU_FRAMEWORK (General UIU_COMP authorizations)

For more information, see scenario-specific guide for Change Request Management.

23.7 Additional Security Measures

This section gives you an overview of additional measures to prevent malicious attacks in BPCA use cases.


Restrict Trace File Access

Trace files are stored on the file system of the managed system. The application does not ensure that these files are accessed only by authorized users. Ensure that only an administrator on infrastructure level is able to read traces.

Restrict Data Browser Access (Transaction SE16)

Access to the Table Data Browser can allow a user to view sensitive data. If application data with sensitive information is traced, exclude the respective table from SE16 access.

Recommendation: Trace only configuration information; otherwise, critical information from managed systems might be exposed.
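One way to verify the trace-file recommendation above on a managed system host, as an added example that is not part of the SAP guide: the Python script walks a directory, identifies trace files by a name prefix, and reports every file whose mode grants group or world read access, which is exactly the access the application itself does not prevent. The directory, the file names and the `trace` prefix are constructed assumptions; on a real host, point it at the work directory the managed system writes to and adjust the prefix to the trace file names used there.

```python
"""Audit trace files on a managed system's file system for permission bits
that grant read access beyond the owning administrator (added example; the
directory layout and file names are constructed, not SAP's)."""
import os
import stat
import tempfile

# Assumption: trace files are identified by a name prefix; adjust to the
# naming used on the managed system.
TRACE_PREFIX = "trace"


def overexposed_files(directory, prefix=TRACE_PREFIX):
    """Return sorted names of files under `directory` starting with `prefix`
    whose mode lets the group or other users read them."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.startswith(prefix):
                continue
            mode = os.stat(os.path.join(root, name)).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(name)
    return sorted(exposed)


def demo():
    """Build a constructed trace directory with mixed modes and audit it."""
    with tempfile.TemporaryDirectory() as work:
        samples = (
            ("trace_1.trc", 0o600),  # owner only: fine
            ("trace_2.trc", 0o644),  # world-readable: exposed
            ("trace_3.trc", 0o640),  # group-readable: exposed
            ("other.log", 0o666),    # not a trace file: ignored
        )
        for name, mode in samples:
            path = os.path.join(work, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)
        return overexposed_files(work)


if __name__ == "__main__":
    print("exposed:", demo())
```

Scheduling this as a periodic job on the managed system host and alerting on a non-empty result turns the recommendation into a detection control rather than a one-time setup step.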


24 Scenario-Specific Guide: Custom-Code Life Cycle Management

24.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 254

Support Package Stacks

(Version)

Description

SP05 First version

SP06 Users and Authorization

Role SAP_CCA_ALL shipped for managed system users.

SP10 General

You can configure this scenario using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore all users defined by SAP as default templates can be created within this procedure. The following users are created:

● CCML Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. You can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The according configuration user can be used later on for configuring the CCML settings within the view Customer Code Management in transaction SOLMAN_SETUP. For more information, see adapted section Scenario Configuration User.

● Standard CCML Template Users: Standard template users for the CCML applications are created during the guided procedure of the CCML setup in transaction SOLMAN_SETUP. These users can be regarded as “demo” template users for this scenario. The system automatically assigns the necessary authorization roles with according authorization values for the SAP standard scenario. If your use of the application differs from the standard, it requires customizing due to a different process and other user differentiation, and you must adapt the authorizations. The template users are created in the Solution Manager system and the required BW system.

Because the standard template users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. In this security guide, only the according document text ID in the system is referenced.

For more information, see the specific Landscape Setup Guide in section User Generation.

Users and Authorization

For detailed information on the authorization changes, see the according description in the DESCRIPTION tab of the respective role.


● Added roles SAP_SM_SOLUTION_DIS, SAP_SYSTEM_REPOSITORY_DIS and SAP_SM_DASHBOARDS_CCM to Solution Manager composite roles.

● Analogously, BW composite roles for CCM have been delivered. You find more information in section Users and Authorizations.

● New composite role for the CCM configuration user delivered: SAP_CCM_CONF_COMP with new single role SAP_SM_CCM_CONF.

● Adapted Work Center navigation role for CCLM: SAP_SMWORK_CCLM.

RFC Connections

● Instead of the READ RFC connection, the TMW RFC connection is used, as batch jobs are running in the managed system and write access is required.

SP11 End User Roles

For detailed information on the authorization changes, see the according description in the DESCRIPTION tab of the respective role.

● Adapted role SAP_SM_CCM_CONFIG

SP12 End User Roles

For detailed information on the authorization changes, see the according description in the DESCRIPTION tab of the respective role.

● Adapted roles SAP_CCLM_* (ATC Monitoring integration). Updated sections: Technical System Landscape, Authorizations.

● Adapted role SAP_SM_CCM_CONFIG

● New role SAP_SM_DASHBOARDS_DISP_ICI (for iCI Dashboard integration) added to template users

24.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which refers to all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers to create for their productive operations.

This guide covers the following topics:


● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

Custom Code Life-Cycle Management Use Cases

ATC Monitoring and Exemption Monitoring Integration

The CCLM infrastructure allows you to extract ATC messages and exemptions for transparency on the quality dimension of custom code objects. The Development Manager needs central access to all kinds of exemptions within a system landscape.

24.3 Prerequisites

24.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the CCLM scenario. The SAP Solution Manager is connected to your managed systems via READ RFC. The following sections describe when this connection is used and which technical user is required.

Figure 109: CCLM Technical System Landscape


ATC and Exemption Monitoring Integration

ATC and Exemption Monitoring uses the Extractor Framework (EFWK). The ATC extractor reads the data (messages and exemptions) via the EFWK from the managed systems via RFC function modules (technical user: READ-user and READ RFC-connection). The data is then uploaded into the BW-system/client. The ATC monitoring comprises two parts:

● The ATC messages monitoring displays data read from the BW-system/client.

● The ATC Exemptions monitoring displays data read from BW-system/client, but also allows users with special authorizations to update the exemptions on the remote system via RFC-connection.

24.3.2 Scenario Configuration User

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

● the BW integration concept, see Core Guide chapter on BW Integration.

The scenario is configured using transaction SOLMAN_SETUP.

To configure the scenario proceed as follows:

Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP

During the basic automated configuration, you can create a specific configuration user (default technical user name: SMC_CCM_<XXXClient>) for Custom Code Management (Help Text ID: USER_CONFIG_IM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you want to create the configuration user manually, you need to assign:

● the composite role SAP_SUPPDESK_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you need to assign as well role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as the managed system.

● the composite role SAP_BW_SUPPDESK_ADMIN_COMP which contains all single roles that are automatically assigned to the configuration user in the BW-system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.


Scenario Configuration Transaction SOLMAN_SETUP

You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Incident Management for ITSAM Service Management.

During the specific guided configuration you can create standard template users. The system automatically adds all relevant user roles, see the corresponding sections on Users and User Roles.

24.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channels

Table 255

| Communication Channel | Protocol | Type of Data Transferred / Function |
| --- | --- | --- |
| Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services |
| Solution Manager to managed systems and back | RFC | Reading information from managed systems |
| Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP) |
| Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes |

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.


Table 256

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks |
| --- | --- | --- | --- | --- | --- |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Reads data from the managed system, such as object lists, usage information, code inspector data, version of program information, and so on |

24.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in this scenario.

User for READ Access in Managed Systems

Users for RFC connection READ

Table 257

| User | User Type | Remarks |
| --- | --- | --- |
| SM_<SID of Solution Manager system> (system-specific). Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well. | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide |


24.4 Users and Authorizations

24.4.1 User Descriptions and User Roles in the SAP Solution Manager

This section gives an overview of the users recommended by SAP and their corresponding user role assignments. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a workspace for a user which gives access to all tools the user needs for their work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations of a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.

The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFC between SAP Solution Manager and BW - System

In case of a remote BW - connection, the user in the SAP Solution Manager system must be assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW - system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Administrator User ID: CC_ADM_XXX (Help Text ID: TP_CC_ADMIN)

Corresponding composite role: SAP_CCLM_ALL_COMP in the Solution Manager system

Table 258

| Single Roles | Help Text ID |
| --- | --- |
| SAP_CCLM_ALL | AUTH_SAP_CCLM_ALL |
| SAP_SMWORK_BASIC_CCLM | AUTH_SAP_SMWORK_BASIC_CCLM |
| SAP_SMWORK_CCLM | AUTH_SAP_SMWORK_CCLM |
| SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS |
| SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS |
| SAP_SM_DASHBOARD_DISP_ICI | AUTH_SAP_SM_DASHBOARD_DISP_ICI |
| SAP_SM_DASHBOARDS_DISP_CCM | AUTH_SAP_SM_DASHBOARDS_CCM |

Technical composite role name: SAP_BW_CCLM_ADMIN_COMP in the BW system/client

In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.


Table 259

| Single Roles | Help Text ID |
| --- | --- |
| SAP_BI_E2E_CCM | AUTH_SAP_BI_E2E |
| SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN |

Managed system role

Table 260

| Single Roles | Remarks |
| --- | --- |
| SAP_CCA_ALL | CCA full authorizations |

Display User ID: CC_DIS_XXX (Help Text ID: TP_CC_DIS)

Corresponding composite role: SAP_CCLM_DISPLAY_COMP in the Solution Manager system

Table 261

| Single Roles | Help Text ID |
| --- | --- |
| SAP_CCLM_DISP | AUTH_SAP_CCLM_DISP |
| SAP_SMWORK_BASIC_CCLM | AUTH_SAP_SMWORK_BASIC_CCLM |
| SAP_SMWORK_CCLM | AUTH_SAP_SMWORK_CCLM |
| SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS |
| SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS |
| SAP_SM_DASHBOARDS_DISP_CCM | AUTH_SAP_SM_DASHBOARDS_CCM |
| SAP_SM_DASHBOARD_DISP_ICI | AUTH_SAP_SM_DASHBOARD_DISP_ICI |

Technical composite role name: SAP_BW_CCLM_DISPLAY_COMP in the BW system/client

In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.

Table 262

| Single Roles | Help Text ID |
| --- | --- |
| SAP_BI_E2E_CCM | AUTH_SAP_BI_E2E |
| SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP |

iCI Dashboard

You can use the iCI Dashboard from within the CCM work center. This requires the Dashboard role for iCI in the SAP Solution Manager system, and the corresponding BW authorizations in the BW system. For testing purposes, you can use the template users for this scenario. For more information, see the scenario-specific guide for Measurement Platform.

ATC Monitoring

ATC Monitoring can be used within CCM. The application authorization is included in the CCM roles. The application can also be used separately from CCM. If you need to separate the ATC application for Segregation of Duties, proceed as follows:


1. Create a new role, and add the ATC Web Dynpro Applications to the roles.

2. Assign the new role to your user.

3. Assign the following roles in addition:

○ SAP_SMWORK_* (navigation and BASIC roles)

○ SAP_SYSTEM_REPOSITORY_*

Trusted RFC Destination

ATC can also be used with a LOGIN RFC destination.

24.4.2 Authorizations

Custom Code Management

Relevant WebDynpro Applications

● AGS_CCL_DEFINITION

● AGS_CCL_OBJECTS

● AGS_CCL_SETTINGS

● AGS_CUSTOM_CODE

Additionally, transaction CCLM calls the work center WDA.

Authorization Object SM_CC_AUT

The authorization object contains all relevant activities for CCLM. It is checked when the transaction (WDA) is initially called. If activities are restricted, the corresponding activity buttons in the application are disabled.

ATC and Exemption Monitoring Integration

Authorization Object SM_ATC_APP

A special authorization is required to separate the display of ATC messages and exemptions from the change access needed to work with exemptions.

Users with display authorization can access both the ATC monitoring screen and the Exemption monitoring screens. However, in the Exemption monitoring screen, the buttons to validate or reject exemptions are greyed out; the user cannot click on them. Users with administration authorization can access both the ATC and the Exemption monitoring screens, and they can use the buttons to validate or reject exemptions. The authorization object is included in the standard roles for CCLM: SAP_CCLM_*.

24.5 Background Jobs

The following background jobs run in the Solution Manager system: SM_CCL:<SID>_<INSTNO>. The job name is generated dynamically.


25 Scenario-Specific Guide: Scope and Effort Analyzer (SEA)

The business process lifecycle stretches across all phases of the lifecycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using such units as projects (for implementation and optimization) and solutions (for productive operations). The Scope and Effort Analyzer supports the Test Management process.

The Scope and Effort Analyzer (SEA) allows you to analyze the impact of a Support Package or Enhancement Package without installing the corresponding software. The analysis capability relies on the functions Business Process Change Analyzer (BPCA), Maintenance Optimizer, and Custom Code Management (CCM) to calculate the impact, see scenario-specific guides for both scenarios.

A SEA analysis is defined via a guided activity that collects all necessary input for the analysis. Afterwards, the analysis runs in the background. As soon as the analysis is finished, you can display the analysis result.

This guide gives you an overview of all relevant security-related issues for the scenario.

25.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 263

| Support Package Stacks (Version) | Description |
| --- | --- |
| SP11 | First version |

25.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. You might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

25.3 Prerequisites

25.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete scenario.

In general, the Scope and Effort Analyzer (SEA) is based on the technical system landscape explained for the BPCA and CCM scenarios, as it relies on their infrastructure.

Within SEA functionality the following systems are used:

1. Update System (system for planned update)

2. Custom Code System (system to read custom developments and modifications)

3. Statistic System (system to read usage statistics)

4. Test System (system used for test scope optimization activities)

5. Solution Manager System

6. BW-System

7. SAP Backend

Figure 110: Infrastructure

25.3.2 Scenario Configuration User

The scenario relies heavily on the integration to the following scenarios:

● Maintenance Optimizer

● Custom Code Management

● Business Process Change Analyzer


At least Maintenance Optimizer and Custom Code Management should be configured to run SEA successfully. For configuration information and users, see the respective scenario-specific guides for both scenarios. All scenarios are configured using transaction SOLMAN_SETUP.

SICF Report Group

The SICF-report group to activate all relevant SICF-services is SM_SEA. For more information on SICF-report groups in SAP Solution Manager, see section on ICF Services in this guide.

25.3.3 Communication Channels and Destinations

During the guided activity for SEA analysis, systems are selected which are used during the analysis run. For these systems RFC-connections are needed as well as access to a BW-system.

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channels

Table 264

| Communication Channel | Protocol | Type of Data Transferred / Function |
| --- | --- | --- |
| Solution Manager to managed systems and back | RFC | Reading information from managed systems |

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 265

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks |
| --- | --- | --- | --- | --- | --- |
| SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific | In case TRUSTED RFC is not used |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data such as business functions, transport requests, Support Packages, repository objects, and so on from the managed systems for BPCA analysis |
| SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | Optional, as a Login RFC connection can also be used. Needed for TBOM recording of automatic test cases (traces) |

RFC Connection from Managed System to SAP Solution Manager

Table 266

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created |
| --- | --- | --- | --- | --- | --- | --- |
| SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | For recording of automated test cases, to receive trace information about which functions in which managed systems were analyzed | Automatically created via transaction SOLMAN_SETUP (view: Managed Systems) |

Internet Graphics Server (IGS) RFC Connection

Table 267

| RFC Destination Name | Activation Type | How Created |
| --- | --- | --- |
| ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59 |

Business Warehouse RFC Connections

Table 268

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created |
| --- | --- | --- | --- | --- | --- |
| NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | |
| BI_CLNT<BWclient>, if BW is realized in remote BW scenario system, for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific | | in transaction SOLMAN_SETUP |
| MDX PARSER (for ODBO BAPI used for the creation of semi-dynamic TBOMs) | | | | | |

25.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the BPCA scenario.

User for READ access in Managed Systems

Users for RFC connection READ

Table 269

| User | User Type | Remarks |
| --- | --- | --- |
| SM_<SID of Solution Manager system> (system-specific). Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well. | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide |


TBOM recording of automatic test cases

User for TBOM recording of automatic test cases

Table 270

| User (Password) | Remarks |
| --- | --- |
| TBOM recording user (name and password customer-specific) | Technical user of type system user to record TBOM of automatic test cases, assigned role SAP_BPCA_ECATT_COMP. Note: To use this function, you need to have a trusted RFC connection in place. See also IMG activity Create user for TBOM recording of automated test cases (technical name: SOLMAN_BPCA_USERAUT) |

25.4 User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and their corresponding user role assignments for SEA. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a workspace for a user which gives access to all tools the user needs for their work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations of a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.

Figure 111: Test Management Work Center


The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFC between SAP Solution Manager and BW - System

In case of a remote BW - connection, the user in the SAP Solution Manager system must be assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW - system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Administrator

The administrator user is allowed to:

● access the Test Management work center

● create, restart, delete, display, and execute an analysis

● change an analysis result

● execute Maintenance Optimizer transactions

● execute changes in the details section for Test Management

Technical composite role name: SAP_SEA_ALL_COMP in the Solution Manager system/client

Table 271

| Single Roles | Remarks |
| --- | --- |
| SAP_SEA_ALL | run SEA functionality |
| SAP_SM_BPCA_RES_ALL | BPCA result analysis |
| SAP_SM_BPCA_TBOM_EXE | BPCA TBOM |
| SAP_SM_SOLUTION_DIS | solution display |
| SAP_MAINT_OPT_ADMIN | Maintenance Optimizer administration (no XML) |
| SAP_SOL_PROJ_ADMIN_ALL | project administration admin |
| SAP_SOLMAN_DIRECTORY_DISP | Solution Directory display |
| SAP_SOL_KW_ALL | KW full authorization |
| SAP_SMWORK_BASIC_TEST_MAN | User Interface authorizations for WC |
| SAP_SMWORK_ITEST | WC access |
| SAP_BPCA_CRM_INTEGRATION | BPCA CRM integration |
| SAP_SYSTEM_REPOSITORY_DIS | System Landscape display |

Technical composite role name: SAP_SM_BW_CCM_ADMIN_COMP in the BW system/client

In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.


Table 272

| Single Roles | Remarks |
| --- | --- |
| SAP_BI_E2E_CCM | BI data download for CCM |
| SAP_SM_BI_ADMIN | BI administration |

Display User

The display user is allowed to:

● access Test Management Work Center

● start the SEA functionality

● display SEA analysis

Technical composite role name: SAP_SEA_DIS_COMP in the Solution Manager system/client

Table 273

| Single Roles | Remarks |
| --- | --- |
| SAP_SM_BPCA_TBOM_DIS | BPCA TBOM |
| SAP_SM_BPCA_RES_DIS | BPCA result analysis display |
| SAP_SM_SOLUTION_DIS | Solution display |
| SAP_SEA_DISPLAY | SEA display |
| SAP_SOL_PROJ_ADMIN_DIS | Project Administration display |
| SAP_SOLMAN_DIRECTORY_DISP | Solution Directory display |
| SAP_SOL_KW_DIS | KW display |
| SAP_SMWORK_ITEST | Access to WC |
| SAP_SMWORK_BASIC_TEST_MAN | User Interface for WC |
| SAP_SYSTEM_REPOSITORY_DIS | System Landscape display |

Technical composite role name: SAP_SM_BW_CCM_DISPLAY_COMP in the BW system/client

In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.

Table 274

| Single Roles | Remarks |
| --- | --- |
| SAP_BI_E2E_CCM | BI data download CCM |
| SAP_SM_BI_DISP | BI display |

25.5 Authorization Objects


S_TABU_DIS

All tables and views start with prefix AGSSEA_* and are assigned to authorization group SEA.

SM_SEA

The field ACTVT of authorization object SM_SEA can have the following values:

● 01 – Create, execute and restart an analysis

● 02 – Change an analysis

● 03 – Display an analysis

● 06 – Delete an analysis
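The activity gating described for SM_CC_AUT and SM_ATC_APP in the CCLM section, and for SM_SEA here, follows one pattern: the application checks the authorization object before an action and disables the action when the check fails, rather than relying on the role assignment alone. The ABAP report below is an added example and not SAP code from this guide. The report name ZSEA_AUTH_DEMO and the local class lcl_sea_auth are hypothetical names; the report uses only the fields the guide names, ACTVT on SM_SEA with the values 01, 02, 03 and 06, and DICBERCLS/ACTVT on S_TABU_DIS for authorization group SEA, to which all AGSSEA_* tables and views are assigned.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEA_AUTH_DEMO (hypothetical name; added example, not SAP code)
*& Gates SEA actions on SM_SEA/ACTVT and checks S_TABU_DIS for the table
*& authorization group SEA, mirroring the guide's rule that restricted
*& activities are disabled in the application.
*&---------------------------------------------------------------------*
REPORT zsea_auth_demo.

CLASS lcl_sea_auth DEFINITION.
  PUBLIC SECTION.
    " ACTVT values of SM_SEA as listed in the guide
    CONSTANTS:
      c_actvt_create  TYPE activ_auth VALUE '01',   " create, execute, restart
      c_actvt_change  TYPE activ_auth VALUE '02',   " change an analysis
      c_actvt_display TYPE activ_auth VALUE '03',   " display an analysis
      c_actvt_delete  TYPE activ_auth VALUE '06'.   " delete an analysis

    CLASS-METHODS:
      " TRUE if the logged-on user holds SM_SEA with the given ACTVT
      is_sea_activity_allowed
        IMPORTING iv_actvt     TYPE activ_auth
        RETURNING VALUE(rv_ok) TYPE abap_bool,
      " TRUE if the user may display tables of authorization group SEA
      " (all AGSSEA_* tables and views) through S_TABU_DIS
      may_display_sea_tables
        RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_sea_auth IMPLEMENTATION.
  METHOD is_sea_activity_allowed.
    " The guide names only field ACTVT for SM_SEA, so only ACTVT is checked.
    AUTHORITY-CHECK OBJECT 'SM_SEA'
      ID 'ACTVT' FIELD iv_actvt.
    rv_ok = boolc( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD may_display_sea_tables.
    " S_TABU_DIS: DICBERCLS = table authorization group, ACTVT 03 = display.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD 'SEA'
      ID 'ACTVT'     FIELD '03'.
    rv_ok = boolc( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Decide per action whether its button may be enabled. A display-only
  " user (ACTVT 03) gets create, change and delete disabled, not hidden.
  DATA: lt_actvt TYPE TABLE OF activ_auth,
        lv_actvt TYPE activ_auth.

  APPEND lcl_sea_auth=>c_actvt_create  TO lt_actvt.
  APPEND lcl_sea_auth=>c_actvt_change  TO lt_actvt.
  APPEND lcl_sea_auth=>c_actvt_display TO lt_actvt.
  APPEND lcl_sea_auth=>c_actvt_delete  TO lt_actvt.

  LOOP AT lt_actvt INTO lv_actvt.
    IF lcl_sea_auth=>is_sea_activity_allowed( lv_actvt ) = abap_true.
      WRITE: / 'SM_SEA ACTVT', lv_actvt, ': button enabled'.
    ELSE.
      WRITE: / 'SM_SEA ACTVT', lv_actvt, ': button disabled'.
    ENDIF.
  ENDLOOP.

  " Direct table access is a separate question from the application
  " authorization: the SEA group on S_TABU_DIS governs SE16-style reads.
  IF lcl_sea_auth=>may_display_sea_tables( ) = abap_true.
    WRITE: / 'S_TABU_DIS group SEA: AGSSEA_* tables may be displayed'.
  ELSE.
    WRITE: / 'S_TABU_DIS group SEA: no display access to AGSSEA_* tables'.
  ENDIF.
```

Running the report under a user with the display composite role (SAP_SEA_DIS_COMP) should report ACTVT 03 as enabled and 01, 02 and 06 as disabled; the second check shows whether the same user could also read the AGSSEA_* tables directly, which is what assigning them to authorization group SEA is meant to control independently of the SM_SEA application checks.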

25.6 Scenario Integration

SEA refers to the phase in your product life-cycle when you analyze any changes made to your managed system to determine the scope of any test activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems, and so on. The following sections describe the integration of SEA with other scenarios within SAP Solution Manager, and which user roles would be applicable.

Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.

Maintenance Optimizer

Business Process Change Analyzer

Custom Code Management


26 Scenario-Specific Guide: IT Service Management

The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. During each of these phases, problems and incidents can occur which need to be solved. The aim of incident management is to restore normal service operation as soon as possible after a breakdown while minimizing the disturbance to business operations. Incident management allows customers or employees to contact the service desk when their IT-related devices or services are not working properly, or when requesting a service. You can use the incident management function in SAP Solution Manager to support problem and incident management. This guide gives you an overview of all relevant security-related issues for the scenario service desk.

In this guide, the scenario incident management can also be referred to as Service Desk or Help Desk.

Note: In case you are a service provider, you need to assign the corresponding service provider roles. For more information, see the specific Service Provider Guide.

Figure 112: Incident Management Use Cases

This security guide can be used for the use cases:

● Incident and Problem Management

● Incident Management with Third Party Integration

26.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.


Table 275

Support Package Stacks (Version) | Description

SP05

General

Incident and Problem Management (sub-scenario to ITSAM Management) is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore all users defined by SAP as default templates can be created within this procedure. The following users are created:

● Incident Management Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. You can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on for configuring the Incident Management settings within ITSAM Management in transaction SOLMAN_SETUP.

● Standard Incident Management Template Users: Standard template users for the Incident Management process are created during the guided procedure of the ITSAM Management in transaction SOLMAN_SETUP. These users can be regarded as "demo" template users for Incident Management. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your Incident Management process requires customizing due to a different process and other user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system and the required BW system.

Because the standard template users are created in transaction SOLMAN_SETUP, documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document text ID in the system.

For more information, see the Landscape Setup Guide, section User Generation.

Scenario Configuration

Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

User Authorization Roles

● New composite role SAP_SUPPDESK_DISPATCHER_COMP with new CRM Business Role and Service Desk role for Dispatcher (the corresponding user is not created via SOLMAN_SETUP), see section on Users and Authorizations.

● Shipped changes in single roles SAP_SUPPDESK_*. For detailed information, see the description tab in the roles.

● Role SAP_SM_CRM_UIU_FRAMEWORK extended due to new CRM Business Navigation Roles.

● Extended composite role SAP_SUPPDESK_CREATE_COMP with additional CRM Business Navigation Role and User Interface role SAP_SM_CRM_UIU_SOLMANPRO_CREA for authorization object UIU_COMP, see section Users and Authorizations.

● CMDB-related authorization objects are added to single roles SAP_SUPPDESK_*, see the description tab in the roles. For more information on CMDB, see Core Guide.

Authorization Objects

Added value CRMC in authorization object S_TABU_DIS.

CRM Navigation Roles

Two additional CRM Business roles shipped:

● SAP_SM_CRM_UIU_SOLMANREQU mapped to business role SOLMANREQU

● SAP_SM_CRM_UIU_SOLMANDSPTCH mapped to business role SOLMANDSPTCH

Adapted role SAP_SM_CRM_UIU_SOLMANPRO_ADMIN

CRM Customizing

Additional transaction types SMRQ and SMRT added to relevant roles, see section CRM Customizing.

SP06

Additional Template User

It is possible to create the Dispatcher User using transaction SOLMAN_SETUP.

SP07

CRM Customizing

Additional transaction type KNAR added to relevant roles.

SP08

End-User Roles

The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.

● SAP_SUPPDESK_*CREATE

● SAP_SM_CRM_UIU_SOLMANPRO_PROC and SAP_SM_CRM_UIU_SOLMANPRO_ADMIN

● SAP_SUPPDESK_CONFIG

SP10

General

● New section on Additional Security Measures.

End-User Roles

The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.

● SAP_SUPPDESK_*

SP12

End-User Roles

The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.

● SAP_SUPPDESK_CONFIG

● SAP_SMWORK_INCIDENT_MAN (Best Practice link)

26.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.


Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide, and about documentation links for any additional components.

● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other. For other application links, see the core security guide.

● CRM WebClient UI: find out about the main aspects to be considered for the new CRM WebClient UI, such as the concept of Business Roles, User Interface authorization objects, and so on.

● CRM Standard Customizing: find out about the new transaction types for CRM, and related customizing entries which are relevant for CRM authorization objects.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

● External Integration: for many scenarios, you can also integrate third-party products or other SAP products. Here, you can find out about which authorizations you need to assign to your users for these cases.

26.3 Prerequisites

26.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the Incident Management scenario. SAP Solution Manager is connected to your managed systems via the READ RFC destination, and your managed systems are connected to SAP Solution Manager via the BACK RFC destination. To connect to SAP, the destinations SAP-OSS and SAP-OSS-LIST_O01 are used. The following sections describe in more detail all connections, when they are used, and which technical users are required.


Figure 113: Infrastructure

26.3.2 Scenario Configuration User

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

● the BW integration concept, see Core Guide chapter on BW Integration.

The scenario is configured using transaction SOLMAN_SETUP.

To configure the scenario, proceed as follows:

Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you can use the basic function of sending a service desk message to SAP. For more information, see Landscape Setup Guide.

During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_IM_<XXXClient>) for Incident Management (Help Text ID: USER_CONFIG_IM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you want to create the configuration user manually, you need to assign:

● the composite role SAP_SUPPDESK_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you need to assign role SAP_SM_USER_ADMIN as well.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.

● the composite role SAP_BW_SUPPDESK_ADMIN_COMP which contains all single roles that are automatically assigned to the configuration user in the BW-system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.

Scenario Configuration Transaction SOLMAN_SETUP

You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Incident Management under IT Service Management.

During the scenario-specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles; see the corresponding sections on Users and User Roles.

26.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 276

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Third Party Service Desk | SOAP over HTTP(S) | Data Exchange


Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.

Table 277

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Used during setup of incident management, and during operations when generating business partners

RFC Connection from Managed System to SAP Solution Manager

Table 278

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | Generating Support Messages from managed systems (table: BCOS_CUST) | Automatically created via transaction SOLMAN_SETUP (view: managed systems)

BW Reporting RFC Connection

Table 279

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific | | in transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient>, BI-Callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer specific) | in transaction SOLMAN_SETUP
SAP_BILO, Trusted RFC to remote BW system | remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog User | Used to read data from remote BW for BI Reporting, created during SOLMAN_SETUP

RFC Connections from SAP Solution Manager to SAP

Table 280

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | in transaction SOLMAN_SETUP
SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | in transaction SOLMAN_SETUP
SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Automatically created, see IMG activity Set Up SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO)

Note: For more information on Service Provider-specific settings (destination SM_SP_<customer number>), see Service Provider Guideline.

TREX RFC Connections

Table 281

RFC Destination Name | Activation Type | How Created
TREX_<server> (ABAP connection) | Registered Server Program (program TREXRfcServer_<instance number>) | Manually in transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO)
IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) |
IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) |

Internet Graphics Server (IGS) RFC Connection

Table 282

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59

26.3.4 Technical Users for RFCs

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.

User for Back-Destination in SAP Solution Manager System

Table 283

User (Password) | Type | Remarks
SMB_<managed system ID> (system-specific) | System User | Technical user "Back User"; assigned role <namespace>_SOLMAN_BACK. It is automatically created during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.

User for READ - access in Managed Systems

Table 284

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user "READ User", for read access and extractor execution in case of BW reporting; assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

Users for BW - Reporting

Table 285

User | User Type | Remarks
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data; assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP
SMD_BI_RFC, in case of remote BW | System User | Technical user for data download
SM_EFWK | System User | Technical user for extractor execution

Caution: During automatic basic configuration, the system automatically generates a user password for BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User for Third Party Service Desk

Table 286

User (Password) | Type | Remarks
customer-specific user, for instance DEFECTMAN | Communication User | Technical user for web service; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE

26.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)

Users who communicate with SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact maintained in SAP Solution Manager. You maintain the contact in table AISUSER (transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without the initial S.

Caution: The S-User for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorizations.

More Information

See IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)

26.3.6 S-User Authorization for Service Desk and Expert on Demand

Your S-user needs the following authorizations for SAP Support Portal functions.

S-User Authorization

Table 287

Activity | Authorization
Create message | ANLEG: Create SAP message
Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message
Confirm messages | QUITT: Confirm SAP message
Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area


26.4 CRM Standard Customizing for Solution Manager

The Incident Management scenario is based on CRM 7.01, and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers a standard CRM customizing, which is also maintained in the individual CRM authorization objects for Incident Management. The following table gives you an overview of the transaction types used.

Caution: If you copy SAP standard customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.

Transaction Types (old)

Recommendation: We recommend using the new transaction types.

Table 288

Transaction Type | Usage | Remarks
SLFN | Standard Service Desk | supported
SIST | Standard Service Desk | supported
SIVA | Service Request for Service Provider (VAR) | supported
SISV | Service Request for Software Partners (ISV) | supported

Transaction Types (new)

Table 289

Transaction Type | Usage | Remarks
SMIN | CRM Service Request | supported
SMIV | Service Request for Service Provider (VAR) | supported
SMIS | Service Request for Software Partners (ISV) | supported
SMIT | template for SMIN transaction types | supported
SMPR | Problem | supported
SMPT | template for problems | supported
SMRQ | Service Request | supported
SMRT | Service Request Template | supported
KNAR | Knowledge Article | supported

26.5 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system.

To fulfill their respective tasks, an end user (key user) needs to be able to create incidents and display them. The processor of this message, who can be part of a local support team, needs to be able to create as well as process already created messages. SAP delivers recommended user descriptions for these user types, on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the corresponding roles.

Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.

Roles for service desk are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.

Figure 114: Incident Management Process


26.5.1 User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and their corresponding user role assignments for service desk (incident management). All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see Core Security guide chapter on User Interface Authorizations.

Figure 115: Work Center Incident Management

The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFC between SAP Solution Manager and BW-System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

Administrator (Help Text ID: TP_IM_ADMIN)

Technical composite role name: SAP_SUPPDESK_ADMIN_COMP in the Solution Manager system/client


Table 290

Single Roles | Help Text ID
SAP_SUPPDESK_ADMIN | AUTH_SAP_SUPPDESK_ADMIN
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SMWORK_BASIC_INCIDENT | AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN

Technical composite role name: SAP_BW_SUPPDESK_ADMIN_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to the user with the same user ID and password.

Table 291

Single Roles | Help Text ID
SAP_BI_E2E_SD | AUTH_SAP_BI_E2E
SAP_BW_SPR_REPORTING | AUTH_SAP_BW_SPR_REPORT
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN

Processor (Help Text ID: TP_IM_PROC)

Technical composite role name: SAP_SUPPDESK_PROCESS_COMP in the Solution Manager system/client

Table 292

Single Roles | Help Text ID
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR | AUTH_SAP_SM_BI_EXTRACTOR
SAP_SMWORK_BASIC_INCIDENT | AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC

Technical composite role name: SAP_BW_SUPPDESK_DISPLAY_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to the user with the same user ID and password.

Table 293

Single Roles | Help Text ID
SAP_BW_SPR_REPORTING | AUTH_SAP_BW_SPR_REPORT
SAP_BI_E2E_SD | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Key User (Help Text ID: USER_TP_IM_CREATE)

Technical composite role name: SAP_SUPPDESK_CREATE_COMP in the Solution Manager system/client

Table 294

Single Roles | Help Text ID
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
SAP_SMWORK_BASIC_INCIDENT | AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_SOLMANPRO_CREA | AUTH_SAP_SM_CRM_UIU_CREA
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANREQU | AUTH_SAP_SM_CRM_UIU_SOLMAN

Note: If you want the key user to display the created message, you need to add the display user authorizations as well.

Display User (Help Text ID: TP_IM_DIS)

Technical composite role name: SAP_SUPPDESK_DISPLAY_COMP in the Solution Manager system/client

Table 295

Single Roles | Help Text ID
SAP_SUPPDESK_DISPLAY | AUTH_SAP_SUPPDESK_DISPLAY
SAP_SMWORK_BASIC_INCIDENT | AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR | AUTH_SAP_SM_BI_EXTRACTOR

Technical composite role name: SAP_BW_SUPPDESK_DISPLAY_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned in the BW system to the user with the same user ID and password.

Table 296

Single Roles | Help Text ID
SAP_BI_E2E_SD | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
SAP_BW_SPR_REPORTING | AUTH_SAP_BW_SPR_REPORT

Dispatcher User (Help Text ID: TP_IM_DIS)

Technical composite role name: SAP_SUPPDESK_DISPATCHER_COMP in the Solution Manager system/client

Table 297

Single Roles | Help Text ID
SAP_SUPPDESK_DISPATCH | Authorization to dispatch and process messages
SAP_SMWORK_BASIC_INCIDENT | AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANDSPTCH | AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC

26.5.2 Authorization Objects

The following section gives information on some of the main authorization objects for Incident Management. For detailed information, see the SDN Wiki on Authorizations.

ITSM Reporting Links in CRM WebUI

To allow a user to see and use the ITSM Reporting and ITSM Dashboard links in the CRM WebUI, the following authorization objects must be maintained:

● Solution Manager UI authorization (contained in role SAP_SUPPDESK_*): authorization object SM_WD_COMP with value ITSM_REPORTING

● CRM WebUI authorization (contained in role SAP_SM_UIU_COMP_SOLMANPRO_*): authorization object C_LL_TGT with value C (Launch Transaction) and the links for:

○ ITSM_REPORTING

○ SM_ITSM_REPORTING_DASHBOARD

○ SM_ITSM_REPORTING_FRAMEWORK


Authorization Object Matrix

Table 298

Authorization Object Creator Processor Dispatcher Display User

B_BUPA_ATT X X

B_BUPA_FDG X X

B_BUPA_GRP X X X

B_BUPA_RLT X X X X

B_BUPR_BZT X X X X

B_BUPR_FDG X X

B_NOTIF_BC X X X X

B_USERST_T X X X X

B_USERSTAT X X X X (may require additional customizing)

COM_ASET X X X X

COM_IT X X X X

COM_PRD X X X X

S_PROJECT X X X

S_RFC X X X X

S_DATASET X X X X

S_GUI X X X X

S_APPL_LOG X X X X

S_OC_SEND X

CRM_ACT X X X X

CRM_AUTHSC X X X X

CRM_CATEGO X X X

CRM_IM_ML X X X

CRM_INCDNT X X X X

CRM_KNOART X X X X

CRM_ORD_OP X X X X

CRM_ORD_PR X X X X

CRM_PROBLM X X X X

CRM_SEO X X X X


CRM_TXT_ID X X X X (If you are using the solution database for transferring solutions into the solution database, you can assign text types. If you use this function, you need to maintain the authorization object CRM_TXT_ID in the corresponding roles.)

D_MD_DATA X X X

D_SOL_VSBL X X X X (You find authorization object D_SOL_VSBL with value 78. This authorization is only required for the integration of solutions in Incident Management. This value is not active in the solution infrastructure roles SAP_SM_SOLUTION_*.)

SM_SDK_ACT X X X

SM_SDK_IBA X X X X

SM_TIMEREP X X

Support Team Search: PLOG

To allow the support team search based on a PFAC rule, you must activate authorization object PLOG. The object is contained in roles SAP_SUPPDESK_*.

Note: To be able to use this function, you need to have maintained an organizational model.

26.6 Scenario Integration

The Service Desk refers to all phases in your product life-cycle.

Various Scenarios

According to the end-to-end business process life-cycle, this function needs to integrate with many other scenarios that come into play in your daily business, such as implementation, upgrade, monitoring, and so on. Within these scenarios, users can create messages for the Service Desk. The integration of the Service Desk is described in the various scenario-specific guides for the individual scenarios. For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.

Change Request Management

Apart from the function of creating a service desk message within different scenarios, a service desk message can also lead to a change request. If you are using this integration, you also need to assign to your user the role for the user Requester: SAP_CM_REQUESTER_COMP. For more information about the change request management scenario, see the scenario-specific guide for this topic.

Figure 116: Charm Integration in the CRM WebClient UI


26.7 External Integration

26.7.1 External Service Desk

Configuration

Figure 117: Transaction SPRO

Roles

Service Desk Interface

Table 299

Name | Type | Remarks
SAP_SUPPDESK_INTERFACE | ABAP role | Authorization for bi-directional interface and configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN
External Service Desk integration user | System User | User for data exchange; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE

26.8 Additional Security Measures

Consider the following actions as additional measures for preventing security breaches and reacting to corresponding events:

Activate Logging of Major Configuration Tables

The activation of table logs for configuration tables allows you to determine at which time a user has changed specific values that are important for the configuration settings of your application.


Recommendation: We highly recommend logging at least the major configuration tables.

For the following tables the flag Log Data Changes is set by SAP as of SP12:

● AGS_WORK_CUSTOM (AGS: Work Centers Customizing)

● In case of external interface: ICT_CUSTOM (SM SD Interface: System Configuration)

We recommend that you activate logging for the following table:

● DNOC_USERCFG (Service Desk Customizing)

Steps to Activate Table Logging

1. Set Log Data Changes for the required tables using transaction SE13.

2. Set parameter value for parameter: rec/client.
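Both steps must hold for a change to be logged: the table flag alone does nothing if rec/client is OFF or does not list the client. The following audit check is an added example, not code from the SAP guide; it assumes a constructed export of the table technical settings (DD09L rows with the PROTOKOLL flag) and a profile parameter value, and reports per table from this section whether changes would actually be logged.

```python
"""Audit check for change logging of the ITSM configuration tables.

Added example, not part of the SAP guide. It evaluates the two conditions
named in the guide: the table's "Log Data Changes" flag (assumed here to be
read from DD09L, field PROTOKOLL) and profile parameter rec/client, which
must be ALL or list the client whose changes are to be logged. The DD09L
rows and parameter values below are constructed sample data.
"""

# Tables the guide names for the IT Service Management scenario.
ITSM_CONFIG_TABLES = ("AGS_WORK_CUSTOM", "ICT_CUSTOM", "DNOC_USERCFG")


def parse_rec_client(value):
    """Return the set of logged clients, or the string "ALL".

    rec/client accepts OFF, ALL, or a comma-separated list of clients
    (for example "100,200"). Empty or unparseable values count as OFF.
    """
    value = value.strip().upper()
    if value == "ALL":
        return "ALL"
    if value in ("", "OFF"):
        return set()
    clients = set()
    for token in value.split(","):
        token = token.strip()
        if token.isdigit() and len(token) == 3:
            clients.add(token)
    return clients


def client_is_logged(rec_client_value, client):
    """True if rec/client covers the given client."""
    logged = parse_rec_client(rec_client_value)
    return logged == "ALL" or client in logged


def logging_flag_set(dd09l_rows, table):
    """dd09l_rows: dicts with keys TABNAME and PROTOKOLL ('X' or '')."""
    for row in dd09l_rows:
        if row.get("TABNAME") == table:
            return row.get("PROTOKOLL") == "X"
    return False  # no technical settings row at all: not logged


def audit_table_logging(dd09l_rows, rec_client_value, productive_client,
                        tables=ITSM_CONFIG_TABLES):
    """Return {table: finding}; finding is 'ok' or the reason logging fails."""
    findings = {}
    client_ok = client_is_logged(rec_client_value, productive_client)
    for table in tables:
        flag = logging_flag_set(dd09l_rows, table)
        if flag and client_ok:
            findings[table] = "ok"
        elif not flag and not client_ok:
            findings[table] = "flag not set; client not covered by rec/client"
        elif not flag:
            findings[table] = "Log Data Changes flag not set (SE13)"
        else:
            findings[table] = "flag set but rec/client does not cover client"
    return findings


# Constructed sample: flags as the guide says SAP ships them as of SP12
# (AGS_WORK_CUSTOM and ICT_CUSTOM set, DNOC_USERCFG not), rec/client lists
# client 100 only, while the productive client is 200.
SAMPLE_DD09L = [
    {"TABNAME": "AGS_WORK_CUSTOM", "PROTOKOLL": "X"},
    {"TABNAME": "ICT_CUSTOM", "PROTOKOLL": "X"},
    {"TABNAME": "DNOC_USERCFG", "PROTOKOLL": ""},
]

if __name__ == "__main__":
    for table, finding in audit_table_logging(SAMPLE_DD09L, "100", "200").items():
        print(f"{table:16s} {finding}")
```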

How-to Information

For detailed information on logging, how to activate logging of tables, and its system requirements, see help.sap.com/saphelp_nw74/helpdata/en/4d/b6d15036311dcee10000000a42189c/frameset.htm .

See also SAP Note 1916.

Virus Scanning for Attachments

Recommendation: We recommend using the ABAP Virus Scanning Interface (VSI) for virus scans of attachments.

In Incident Management the following default VSI profiles are used:

● /SCET/GUI_UPLOAD

● /SIHTTP/HTTP_UPLOAD

In addition, attachments are scanned using standard Knowledge Warehouse profile /SCMS/KPRO_CREATE, specifically for Incidents which are created via an external interface.


27 Scenario-Specific Guide: Job Management

The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all relevant security-related issues for the scenario Job Management.

27.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 300

Support Package Stacks

(Version)

Description

SP05 End-User Roles

The following end-user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.

● SAP_SM_SCHEDULER_ADMIN

● SAP_SM_SCHEDULER_EXE

Authorization Objects

Added value CRMC in authorization object S_TABU_DIS in role SAP_SM_SCHEDULER_ADMIN.

SP10 New Concept for End-User Roles

● The authorizations and user/roles concept has been adapted to better represent business requirements. For more information, see section on end-user roles in this guide (old and new)

● Users can now be created in transaction SOLMAN_SETUP with the according single roles.

● Old concept can be kept next to the new concept.

● New authorization objects substitute old ones in the new concept completely.

User Role Adaptions

● SAP_SMWORK_JOB_MAN due to User Interface adaptations

● SAP_SMWORK_BASIC_JSCHED

SP11 End-User Composite Roles

The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted

accordingly. For detailed information, see the description tab of the role in transaction PFCG.

● SAP_JOBMAN_TOP_COMP

Security Guide for SAP Solution Manager 7.1Scenario-Specific Guide: Job Management

CUSTOMER© Copyright 2015 SAP SE or an SAP affiliate company.

All rights reserved. 425

Page 426: SM_SEC_GUIDE_71SP13.pdf

Support Package Stacks

(Version)

Description

● SAP_JOBMAN_ALL_COMP

SP12 End-User Composite Roles

The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted

accordingly. For detailed information, see the description tab of the role in transaction PFCG.

● SAP_JOBMAN_CONFIG_COMP assigned role SAP_SM_JMON_CONF (Job Monitoring configuration)

● SAP_JOBMAN_BPO_COMP assigned role SAP_SM_JMON_LEVEL01 (Job Monitoring Level 1)

● SAP_JOBMAN_AM_COMP assigned role SAP_SM_JMON_LEVEL02 (Job Monitoring Level 2)

● SAP_JOBMAN_ALL_COMP assigned role SAP_SM_JMON_LEVEL02 (Job Monitoring Level 2)

SP13 End-User Roles

The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted

accordingly. For detailed information, see the description tab of the role in transaction PFCG. Role

SAP_SM_SCHEDULER_BPO: "old" authorization object SM_JOBDEF set inactive for assignment of role to

Business Process Operation Administration, in case user creates a job documentation.

27.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might start with one scenario and later add another to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all information relevant to that scenario.

Caution: Before you use this scenario-specific guide, you must read the core information on security in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).

● Solution Maintenance: find out how to maintain solutions in the work center SAP Solution Manager Administration.

● Scenario Integration: in the life-cycle approach, the various scenarios integrate with each other. Here, you can find out which authorizations you need to assign to your users for these cases.

● External Integration: for many scenarios, you can also integrate third-party products or other SAP products. Here, you can find out which authorizations you need to assign to your users for these cases.

27.3 Prerequisites

27.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete Job Management scenario. SAP Solution Manager is connected to your managed systems via the READ RFC destination. The IGS is connected via a dedicated RFC connection. Optionally, you can attach a third-party product such as SAP CPS to SAP Solution Manager via specified connections. The following sections describe all connections in more detail: when they are used, and which technical users they require.

Figure 118: Infrastructure


27.3.2 Scenario Configuration User

Note: For conceptual information on:

● configuration users in SAP Solution Manager, see the Core Guide chapter Configuration Users.

● the BW integration concept, see the Core Guide chapter BW Integration.

The scenario is configured using transaction SOLMAN_SETUP.

To configure the scenario, proceed as follows:

Creating the Configuration User in Basic Configuration (Transaction SOLMAN_SETUP)

After you have run the basic automated configuration for SAP Solution Manager, you are able to use basic functions such as sending a service desk message to SAP. For more information, see the Landscape Setup Guide.

During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_JMON_<XXXClient>) for Job Management (Help Text ID: USER_CONFIG_JMON). The system automatically adds all relevant user roles. Because the configuration is automated, the authorizations in these roles are fully maintained.

If you want to create the configuration user manually, you need to assign:

● the composite role SAP_JOBMAN_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.

● the composite role SAP_BW_JOBMAN_ADMIN_COMP, which contains all single roles that are automatically assigned to the configuration user in the BW system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
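The roles named above carry authorization object S_RFCACL, which decides who may log on through a trusted RFC connection without a password. Whether that is safe depends entirely on the field values, so a review of any customer copy of these roles should look at the fields, not just at the role name. The script below is an added example, not part of the SAP guide or of SAP's own tooling: it checks the S_RFCACL fields (RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT) of a role's authorizations for the values that widen trusted logon. The two authorization rows and the role name Z_SM_S_RFCACL_CUSTOM are constructed, in the shape of the values PFCG shows for a role.

```python
"""Review S_RFCACL authorizations (trusted RFC) for over-broad field values.

Added example, not part of the SAP guide. The guide only states which roles
(SAP_SM_S_RFCACL, SAP_SM_BW_S_RFCACL) carry the trusted-RFC authorization;
the checks below look at the fields of authorization object S_RFCACL itself
(RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT).
The rows are a constructed sample in the shape of the authorization values
a role shows in PFCG; the role name Z_SM_S_RFCACL_CUSTOM is hypothetical.
"""
from typing import Dict, List

Auth = Dict[str, str]  # field name -> field value of one S_RFCACL authorization


def rfcacl_findings(auth: Auth) -> List[str]:
    """Name each field value that widens who may log on via trusted RFC."""
    findings: List[str] = []
    sysid = auth.get("RFC_SYSID", "")
    client = auth.get("RFC_CLIENT", "")
    user = auth.get("RFC_USER", "")
    equser = auth.get("RFC_EQUSER", "")
    if sysid == "*":
        findings.append("RFC_SYSID=*: trusted logon accepted from every trusting system")
    if client == "*":
        findings.append("RFC_CLIENT=*: every client of the calling system is accepted")
    if equser != "Y" and user == "*":
        # RFC_EQUSER=Y forces the calling user to have the same name as the
        # target user; with N, RFC_USER lists who may log on as this user.
        findings.append("RFC_EQUSER=N with RFC_USER=*: any calling user may log on as this user")
    return findings


def review_role(role: str, auths: List[Auth]) -> Dict[str, List[str]]:
    """Map '<role>#<index>' to findings for each authorization that has any."""
    report: Dict[str, List[str]] = {}
    for i, auth in enumerate(auths):
        found = rfcacl_findings(auth)
        if found:
            report[f"{role}#{i}"] = found
    return report


# Constructed sample: a tight authorization for the Solution Manager system
# (SID SM1, client 001, same-name users only) next to a wide-open one.
TIGHT: Auth = {"RFC_SYSID": "SM1", "RFC_CLIENT": "001", "RFC_USER": " ",
               "RFC_EQUSER": "Y", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16"}
OPEN: Auth = {"RFC_SYSID": "*", "RFC_CLIENT": "*", "RFC_USER": "*",
              "RFC_EQUSER": "N", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16"}

if __name__ == "__main__":
    for key, found in review_role("Z_SM_S_RFCACL_CUSTOM", [TIGHT, OPEN]).items():
        print(key, found)
```

The tight row is what a trusted connection between one Solution Manager system and one managed system needs: the calling system's SID and client, and RFC_EQUSER=Y so that only a user of the same name can be impersonated. Anything with a star in RFC_SYSID or RFC_USER turns every system that the target trusts into a path to this user.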

Scenario Configuration (Transaction SOLMAN_SETUP)

You configure the basic technical settings in transaction SOLMAN_SETUP by running the scenario-specific guided procedure.

During the scenario-specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles; see the sections on users and user roles.


27.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 301: Communication Channels

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update of the route permission table, content: IP addresses; see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
SAP CPS | RFC | See SAP Note 1037903

Communication Destinations

The table below gives an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and the SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems); see the Landscape Setup Guide.

Table 302

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Necessary for all functions in implementation and upgrade

Internet Graphics Server (IGS) RFC Connection

Table 303

RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59

27.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Job Management scenario.

Users for ADS

Table 304

User (Password) | Type | Remarks
ADSUSER (customer-specific) | Service user | Technical user for basic authentication against ADS
ADS_AGENT (customer-specific) | Service user | Technical user for communication between the ABAP stack and the J2EE stack on which the ADS runs; assigned role SAP_BC_FP_ICF (double stack: AS ABAP and AS Java with ADS) or SAP_BC_FPADS_ICF (AS ABAP and AS Java on separate systems)

Users for RFC Connection READ in Managed Systems

Table 305

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you also need to change the password for this user in the RFC destination in the Solution Manager system; otherwise the destination's logon fails.


Users for SAP CPS

Table 306

User | User Type | Remarks
CPS user (for instance CPSCOMM) | Communication user | Technical user for communication between SAP CPS and SAP Solution Manager; assigned roles SAP_SM_REDWOOD_COMMUNICATION and SAP_BC_REDWOOD_COMM_EXT_SDL. For more detail, see IMG activity Create Technical User (technical name of the IMG activity: SOLMAN_REDWOOD_COMMU).
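The user types in tables 304 to 306 and the destination naming in table 302 are what makes these accounts safe to leave with a generated password: a system, service or communication user cannot be used for a dialog logon, and a READ destination that logs on with the generated read user exposes nothing beyond that user's read role. Both properties erode over time (a read user re-created as a dialog user during troubleshooting, a destination changed to a personal account). The script below is an added example, not part of the SAP guide; it checks a constructed export of user master data and of RFC destinations against the expectations the tables state. SAP user type codes assumed: A = Dialog, B = System, C = Communication, S = Service; the record field names (name, type, client, user) are an assumption about the export format.

```python
"""Check the technical users and READ destinations of the Job Management
scenario against what the guide prescribes (tables 302, 304 to 306).

Added example, not part of the SAP guide. Expected user types come from
the tables: ADSUSER and ADS_AGENT are service users, the read user
SM_<SID of Solution Manager system> is a system user, the CPS user (here
CPSCOMM) is a communication user; the destination naming pattern
SM_<SID>CLNT<Client>_READ comes from table 302. SAP user type codes assumed:
A = Dialog, B = System, C = Communication, S = Service. The user and
destination records are constructed samples in the shape of an export from
SU01/SUIM and SM59; the field names are an assumption.
"""
import re
from typing import Dict, List

USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication", "S": "Service"}
READ_DEST = re.compile(r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_READ$")


def expected_user_types(solman_sid: str, cps_user: str) -> Dict[str, str]:
    return {"ADSUSER": "S", "ADS_AGENT": "S", f"SM_{solman_sid}": "B", cps_user: "C"}


def check_user_types(users: List[Dict[str, str]], solman_sid: str, cps_user: str) -> List[str]:
    """Flag missing technical users, wrong user types, and any that allow dialog logon."""
    by_name = {u["name"]: u for u in users}
    findings: List[str] = []
    for name, want in expected_user_types(solman_sid, cps_user).items():
        user = by_name.get(name)
        if user is None:
            findings.append(f"{name}: not found (scenario not configured, or user renamed)")
            continue
        have = user["type"]
        if have != want:
            findings.append(f"{name}: user type {USER_TYPES.get(have, have)}, expected {USER_TYPES[want]}")
        if have == "A":
            findings.append(f"{name}: dialog user, can be used for interactive logon")
    return findings


def check_read_destinations(destinations: List[Dict[str, str]], solman_sid: str) -> List[str]:
    """A READ destination must follow the naming convention, log on to the client
    in its name, and use the generated read user rather than a personal account."""
    findings: List[str] = []
    for dest in destinations:
        m = READ_DEST.match(dest["name"])
        if not m:
            findings.append(f"{dest['name']}: name does not follow SM_<SID>CLNT<client>_READ")
            continue
        if dest["client"] != m.group("client"):
            findings.append(f"{dest['name']}: logon client {dest['client']} differs from the name")
        if dest["user"] != f"SM_{solman_sid}":
            findings.append(f"{dest['name']}: logon user {dest['user']} is not SM_{solman_sid}")
    return findings


# Constructed samples (not real data): the read user was created as a dialog
# user, one destination logs on with a personal account, one is misnamed.
SAMPLE_USERS = [
    {"name": "ADSUSER", "type": "S"}, {"name": "ADS_AGENT", "type": "S"},
    {"name": "SM_SM1", "type": "A"}, {"name": "CPSCOMM", "type": "C"},
]
SAMPLE_DESTINATIONS = [
    {"name": "SM_PRDCLNT100_READ", "client": "100", "user": "SM_SM1"},
    {"name": "SM_PRDCLNT200_READ", "client": "200", "user": "JDOE"},
    {"name": "PRD_READ_OLD", "client": "100", "user": "SM_SM1"},
]

if __name__ == "__main__":
    for line in check_user_types(SAMPLE_USERS, "SM1", "CPSCOMM"):
        print(line)
    for line in check_read_destinations(SAMPLE_DESTINATIONS, "SM1"):
        print(line)
```

The destination check deliberately does not try to verify the stored password against the user; that has to be done live (a connection test in SM59) after any password change in SU01, which is exactly the caution given for the read user above.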

27.4 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.

When you are working in a project or a solution, a number of persons with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members of your company execute, and then adjust the corresponding roles.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

The roles for this scenario are predefined composite roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.


Figure 119: Job Management Process

27.4.1 User Roles (Old)

This section gives an overview of the users recommended by SAP and their user role assignments for job scheduling. Each user is assigned a composite role, which contains a number of single roles.

Work Center

The work center is the work space of a user; it gives access to all tools the user needs. You can assign the delivered composite roles to your users, but you may want to restrict the access and/or the authorizations of a particular user. For a user to access the view Administration, authorization object S_TCODE with value SPRO must be assigned; it is included in the user role for the administrator. Access in the navigation panel is restricted by authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.


Figure 120: Work Center Job Management

The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the single role is absolutely necessary. Since the Overview in a work center always contains links to all relevant sections in the navigation panel, it is not mentioned.

Administrator (technical user name: JM_ADM_XXX)

Table 307

Single Role | Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD | AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL | AUTH_SAP_BC_REDWOOD
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER | AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_SOCM_CHANGE_MANAGER | AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SM_SCHEDULER_ADMIN | AUTH_SAP_SM_SCHED_ADMIN
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP

Operations User (technical role name: SAP_JOBMAN_EXE_COMP)

The operations user is allowed to:

● access the Job Management work center

● execute all functions for Job Management

● execute BW-related applications

Table 308

Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_SCHEDULER_EXE | Execution authorization for job scheduling | Job Requests, Job Documentation, Job Monitoring, Job Recommendation, Task Inbox, Reports
SAP_SM_SOLUTION_ALL | Full authorization for solutions | Infrastructure, used for all views
SAP_SMSY_DIS | Display authorization for system landscape | Infrastructure, used for all views
SAP_BPMJSM_BW_ALL_REPORTING | Full authorization for BW-related applications (Note: the same role is used in scenario Business Process Operations) | BW Reporting
SAP_BI_E2E | BW Reporting, content activation | BW Reporting
SAP_SMWORK_BASIC_JSCHED | Authorization for work center usage | Work Center Access
SAP_SMWORK_JOB_MAN | Access to the work center for job scheduling | Work Center Access
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for the CRM Web Client framework | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client (Note: this role defines the navigation for the CRM Web Client; it contains no authorization objects) | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | Contains specific (administrator-related) additional authorizations for the CRM Web Client; contains the delta for integration with Change Request Management | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client | CRM WebClient UI

Display User (technical role name: SAP_JOBMAN_DIS_COMP)

The display user is allowed to:

● access the Job Management work center

● display all functions for Job Management

Table 309

Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_SCHEDULER_DIS | Display authorization for job scheduling | Job Requests, Job Documentation, Job Monitoring, Job Recommendation, Task Inbox, Reports
SAP_SM_SOLUTION_DIS | Display authorization for solutions | Infrastructure, used for all views
SAP_SMSY_DIS | Display authorization for system landscape | Infrastructure, used for all views
SAP_SMWORK_BASIC_JSCHED | Authorization for work center usage | Work Center Access
SAP_SMWORK_JOB_MAN | Access to the work center for job scheduling | Work Center Access
SAP_BPMJSM_BW_DIS_REPORTING | Display authorization for BW-related applications (Note: the same role is used in scenario Business Process Operations) | BW Reporting
SAP_BI_E2E | BW Reporting, content activation | BW Reporting
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for the CRM Web Client framework | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client (Note: this role defines the navigation for the CRM Web Client; it contains no authorization objects) | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | Contains specific (administrator-related) additional authorizations for the CRM Web Client; contains the delta for integration with Change Request Management | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client | CRM WebClient UI

Common Task Panel in the Work Center

The common task area contains links to the applications that are used. All links require SAP_SM_SCHEDULER_* as well as the infrastructure roles SAP_SM_SOLUTION_* and SAP_SMSY_*.

Related Links in the Work Center

The related links section of the work center lists all possible links for this work center. The user is still not able to run some of these applications, because the required authorizations are not included in the defined user roles but in additional roles; see section Additional Functions. This link collection is a recommendation of which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to use, adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.


Job Analysis in Managed Systems

To execute job analysis in managed systems, you need the corresponding authorizations in the managed system. You can use the roles SAP_SM_SCHEDULER_*, which contain the remote system transactions.

Process Scheduler Adapter

Requires authorizations for the CPS scheduler; see section External Integration.

27.4.2 User Roles (New)

This section gives an overview of the users recommended by SAP and their user role assignments for job scheduling as of SP10. With this Support Package, the user definitions and authorizations have been adapted to the required business needs. The new concept is integrated into transaction SOLMAN_SETUP and its template users. As before, composite roles exist, which contain a number of single roles. The new concept can be used in parallel to the old concept (see section User Roles (Old)).

Administrator (technical user name: JM_ADM_XXX)

In the Solution Manager

The technical name of the corresponding composite role is SAP_JOBMAN_ALL_COMP.

Table 310

Single Role | Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD | AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL | AUTH_SAP_BC_REDWOOD
(Note: both roles are only needed for managing external schedulers.)
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER | AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_CM_SMAN_DEVELOPER | AUTH_SAP_CM_SMAN_DEVELOPER
SAP_SOCM_CHANGE_MANAGER | AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SOCM_DEVELOPER | AUTH_SAP_SOCM_DEVELOPER
SAP_SM_SCHEDULER_ADMIN | AUTH_SAP_SM_SCHED_ADMIN
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL02 | AUTH_SAP_SM_JMON_LEVEL02
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SOLAR01_DIS | AUTH_SAP_SOLAR01_DIS
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

In the BW System

The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_ADMIN_COMP.

Table 311

Single Role | Help Text ID
SAP_BI_E2E_JSM | AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN

Technical Operator (technical user name: JM_TOP_XXX)

In the Solution Manager

The technical name of the corresponding composite role is SAP_JOBMAN_TOP_COMP.

Table 312

Single Role | Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD | AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL | AUTH_SAP_BC_REDWOOD
(Note: both roles are only needed for managing external schedulers.)
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_DEVELOPER | AUTH_SAP_CM_SMAN_DEVELOPER
SAP_SOCM_DEVELOPER | AUTH_SAP_SOCM_DEVELOPER
SAP_SM_SCHEDULER_TOP | AUTH_SAP_SM_SCHED_TOP
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REPOSITORY_ALL
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOLAR01_DIS | AUTH_SAP_SOLAR01_DIS
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

In the BW System

The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.

Table 313

Single Role | Help Text ID
SAP_BI_E2E_JSM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Business Process Operation (technical user name: JM_BPO_XXX)

In the Solution Manager

The technical name of the corresponding composite role is SAP_JOBMAN_BPO_COMP.

Table 314

Single Role | Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER | AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_SOCM_CHANGE_MANAGER | AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SM_SCHEDULER_BPO | AUTH_SAP_SM_SCHED_BPO
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SOLAR01_DIS | AUTH_SAP_SOLAR01_DIS
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

In the BW System

The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.

Table 315

Single Role | Help Text ID
SAP_BI_E2E_JSM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Application Manager (technical user name: JM_AM_XXX)

In the Solution Manager

The technical name of the corresponding composite role is SAP_JOBMAN_AM_COMP.

Table 316

Single Role | Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_SOCM_REQUESTER | AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_AM | AUTH_SAP_SM_SCHED_AM
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL02 | AUTH_SAP_SM_JMON_LEVEL02
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_DISPLAY | AUTH_SAP_SUPPDESK_DISPLAY
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

In the BW System

The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.

Table 317

Single Role | Help Text ID
SAP_BI_E2E_JSM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP

Level 2 User (technical user name: JM_L2_XXX)

The technical name of the corresponding composite role is SAP_JOBMAN_L2_COMP.

Table 318

Single Role | Help Text ID
SAP_SOCM_REQUESTER | AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_L2 | AUTH_SAP_SM_SCHED_L2
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REPOSIORY_DIS
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

Level 1 User (technical user name: JM_L1_XXX)

The technical name of the corresponding composite role is SAP_JOBMAN_L1_COMP.

Table 319

Single Role | Help Text ID
SAP_SOCM_REQUESTER | AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_L1 | AUTH_SAP_SM_SCHED_L1
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REPOSIORY_DIS
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_RFC_DISP | AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS | AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL

Display User (technical user name: JM_DIS_XXX)

In the Solution Manager

The technical name of the corresponding composite role is SAP_JOBMAN_DIS_COMP.

Table 320

Single Role | Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING | AUTH_SAP_BPMJSM_REPORT
SAP_SOCM_REQUESTER | AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_DIS | AUTH_SAP_SM_SCHED_DIS
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_JSCHED | AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN | AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK | AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO | AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_PROC | AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SUPPDESK_DISPLAY | AUTH_SAP_SUPPDESK_DISPLAY
SAP_TASK_INBOX_DIS | AUTH_SAP_TASK_INBOX_DIS

In the BW System

The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.

Table 321

Single Role | Help Text ID
SAP_BI_E2E_JSM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
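The tiers above differ in only a handful of single roles: the scheduler role (SAP_SM_SCHEDULER_ADMIN, _TOP, _BPO, _AM, _L2, _L1, _DIS), the solution and system repository roles (_ALL versus _DIS), the Change Request Management roles, and the task inbox and support desk roles. Because the old and new concepts may coexist and users are often built from single roles, a user can drift above their tier without any composite role showing it. The script below is an added example, not part of the SAP guide; it encodes the Solution Manager side of tables 310 to 320 as templates and reports, for one user's set of single roles, which roles exceed the template and which of those are change- or admin-capable. The input format (a set of single roles per user, as read from SUIM or table AGR_USERS) and the sample assignment are assumptions.

```python
"""Detect users whose Job Management single roles drift from the SAP
template for their tier (new concept, SP10 and later).

Added example, not part of the SAP guide. TEMPLATES reproduces the single
roles listed for each Solution Manager composite role in tables 310 to
320 above (the BW-side composite roles are left out). The input, a set of
single roles read for one user from SUIM or table AGR_USERS, is an
assumption about format only; the sample assignment below is constructed.
"""
from typing import Dict, Set, Tuple

# Roles that every tier in tables 310 to 320 shares.
COMMON = {
    "SAP_SMWORK_BASIC_JSCHED", "SAP_SMWORK_JOB_MAN",
    "SAP_SM_CRM_UIU_FRAMEWORK", "SAP_SM_CRM_UIU_SOLMANPRO",
    "SAP_SM_CRM_UIU_SOLMANPRO_PROC", "SAP_SM_CRM_UIU_SOLMANPRO_CHARM",
}
_REDWOOD = {"SAP_BC_BATCH_ADMIN_REDWOOD", "SAP_BC_REDWOOD_COMM_EXT_SDL"}
_ADMIN_UI = {"SAP_SM_CRM_UIU_SOLMANPRO_ADMIN", "SAP_SM_RFC_DISP"}  # all tiers but DIS

TEMPLATES: Dict[str, Set[str]] = {
    "SAP_JOBMAN_ALL_COMP": COMMON | _REDWOOD | _ADMIN_UI | {
        "SAP_BPMJSM_BW_ALL_REPORTING", "SAP_CM_SMAN_CHANGE_MANAGER",
        "SAP_CM_SMAN_DEVELOPER", "SAP_SOCM_CHANGE_MANAGER", "SAP_SOCM_DEVELOPER",
        "SAP_SM_SCHEDULER_ADMIN", "SAP_SM_SOLUTION_ALL", "SAP_SYSTEM_REPOSITORY_ALL",
        "SAP_SM_JMON_LEVEL02", "SAP_SOLAR01_DIS", "SAP_SUPPDESK_PROCESS",
        "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_TOP_COMP": COMMON | _REDWOOD | _ADMIN_UI | {
        "SAP_BPMJSM_BW_ALL_REPORTING", "SAP_CM_SMAN_DEVELOPER", "SAP_SOCM_DEVELOPER",
        "SAP_SM_SCHEDULER_TOP", "SAP_SM_SOLUTION_DIS", "SAP_SYSTEM_REPOSITORY_ALL",
        "SAP_SOLAR01_DIS", "SAP_SUPPDESK_PROCESS", "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_BPO_COMP": COMMON | _ADMIN_UI | {
        "SAP_BPMJSM_BW_ALL_REPORTING", "SAP_CM_SMAN_CHANGE_MANAGER",
        "SAP_SOCM_CHANGE_MANAGER", "SAP_SM_SCHEDULER_BPO", "SAP_SM_SOLUTION_ALL",
        "SAP_SYSTEM_REPOSITORY_ALL", "SAP_SM_JMON_LEVEL01", "SAP_SOLAR01_DIS",
        "SAP_SUPPDESK_PROCESS", "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_AM_COMP": COMMON | _ADMIN_UI | {
        "SAP_BPMJSM_BW_ALL_REPORTING", "SAP_SOCM_REQUESTER", "SAP_SM_SCHEDULER_AM",
        "SAP_SM_SOLUTION_DIS", "SAP_SYSTEM_REPOSITORY_ALL", "SAP_SM_JMON_LEVEL02",
        "SAP_SUPPDESK_DISPLAY", "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_L2_COMP": COMMON | _ADMIN_UI | {
        "SAP_SOCM_REQUESTER", "SAP_SM_SCHEDULER_L2", "SAP_SM_SOLUTION_DIS",
        "SAP_SYSTEM_REPOSITORY_DIS", "SAP_SUPPDESK_PROCESS", "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_L1_COMP": COMMON | _ADMIN_UI | {
        "SAP_SOCM_REQUESTER", "SAP_SM_SCHEDULER_L1", "SAP_SM_SOLUTION_DIS",
        "SAP_SYSTEM_REPOSITORY_DIS", "SAP_SUPPDESK_PROCESS", "SAP_TASK_INBOX_ALL"},
    "SAP_JOBMAN_DIS_COMP": COMMON | {
        "SAP_BPMJSM_BW_ALL_REPORTING", "SAP_SOCM_REQUESTER", "SAP_SM_SCHEDULER_DIS",
        "SAP_SM_SOLUTION_DIS", "SAP_SYSTEM_REPOSITORY_DIS", "SAP_SUPPDESK_DISPLAY",
        "SAP_TASK_INBOX_DIS"},
}

# Name suffixes that mark a single role as change- or admin-capable. Any such
# role outside a user's template (including old-concept roles such as
# SAP_SM_SCHEDULER_EXE, or SAP_SM_USER_ADMIN) deserves a second look.
PRIVILEGED_SUFFIXES = ("_ADMIN", "_ALL", "_CHANGE_MANAGER", "_DEVELOPER",
                       "_TOP", "_BPO", "_EXE")


def drift(assigned: Set[str], composite: str) -> Tuple[Set[str], Set[str]]:
    """Return (excess, missing) single roles relative to the composite's template."""
    template = TEMPLATES[composite]
    return assigned - template, template - assigned


def privileged_excess(assigned: Set[str], composite: str) -> Set[str]:
    """The subset of excess roles that raise the user above their tier."""
    excess, _ = drift(assigned, composite)
    return {role for role in excess if role.endswith(PRIVILEGED_SUFFIXES)}


def closest_tier(assigned: Set[str]) -> str:
    """The template with the fewest differences to the assignment; useful when
    the user was built from single roles and no composite role is recorded."""
    return min(TEMPLATES, key=lambda name: len(assigned ^ TEMPLATES[name]))


if __name__ == "__main__":
    # Constructed case: a Level 1 user who picked up two admin roles over time.
    user_roles = TEMPLATES["SAP_JOBMAN_L1_COMP"] | {"SAP_SM_SCHEDULER_ADMIN",
                                                    "SAP_SM_USER_ADMIN"}
    print(closest_tier(user_roles), privileged_excess(user_roles, "SAP_JOBMAN_L1_COMP"))
```

Run the check per user against the composite role recorded for them (or against closest_tier when none is recorded); the privileged excess is the list to take to the role owner. The missing set is informational: a user below template is a functional problem, not a security one.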

27.5 Solution Maintenance via Work Center

As of SAP Solution Manager Release 7.1 SP01, the transactions GSAP (SAP Global Service Access Point), SOLUTION_MANAGER, SOLUTION_MANAGER_BSP and, alternatively, DSWP, DSWP_MOVE and DSMOP are obsolete. All references to these transactions have been deleted from the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting, and Solution Directory. Solutions are created in the work center Solution Manager Administration.

27.6 Scenario Integration

The following sections describe the integration of job scheduling management with other scenarios within SAP Solution Manager, and which user roles apply.

Incident Management

You can integrate Incident Management with Job Scheduling by configuring the Integration with Service Desk scenario in the IMG for Job Scheduling (transaction SPRO). For the authorizations needed to use its capabilities, see the scenario-specific guide for Service Desk.


Figure 121: Integration Incident Management/Change Request Management

Note: If you are a service provider, you need to assign the corresponding service provider roles. For more information, see the Service Provider Guide.

Change Request Management

You can integrate Change Request Management with Job Scheduling by configuring the Integration with Change Request Management scenario in the IMG for Job Scheduling (transaction SPRO). For the authorizations needed to use its capabilities, see the scenario-specific guide for Change Request Management.

Business Process Operations

You can integrate Business Process Operations with Job Scheduling.


Figure 122: Integration with Business Process Operations

Business Blueprint and Configuration

You can integrate Business Blueprint and Configuration with Job Scheduling.

Figure 123: Integration with Business Blueprint and Configuration

IT Task Inbox

You can integrate the IT Task Inbox with Job Scheduling.


27.7 External Integration

27.7.1 SAP CPS

You can integrate external products with SAP Solution Manager. The term external product refers to either third-party products or SAP products that complement a function within SAP Solution Manager. When using SAP CPS, you assign your end users the user roles described in the previous section User Descriptions and User Roles. The technical communication user needs the roles listed in the table below.

Roles for Technical User CPSCOMM

Table 322

Name | Type | Remarks
--- | --- | ---
SAP_SM_REDWOOD_COMMUNICATION | ABAP | General authorization for the technical communication user (for instance CPSCOMM) between Solution Manager and SAP Central Process Scheduler; applied to the technical user in the SAP Solution Manager system
SAP_BC_REDWOOD_COMM_EXT_SDL | ABAP | Authorization for the technical user between SAP Solution Manager and SAP Central Process Scheduler for configuring parameter SAP_EnableRfcServer on the process server; applied to the technical communication user in the Solution Manager system
SAP_BC_REDWOOD_COMMUNICATION | ABAP | Authorization for the technical user between the managed (target) system and SAP Central Process Scheduler


28 Scenario-Specific Guide: SAP Engagement and Service Delivery

The business process life cycle spans all phases of a product's life cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a further project. SAP supports these phases with SAP Solution Manager as the delivery platform. This guide gives you an overview of all security-related issues for the scenario SAP Engagement and Service Delivery.

28.1 Document History

Here, all changes to this scenario-specific guide are listed by Support Package Stack.

Table 323

SP05

● Premium Engagement: new composite role SAP_PREMIUM_ENGAGEMENT_COMP, see section User Description and User Roles for Service Delivery (Premium Engagement).

● CRM-based authorizations: CRM-based authorization checks (function module CRM_ORD_CHECK_AUTHORITY_ACE, for instance for authorization object CRM_ORD_OP) were added to Issue Management. All Issue Management roles were adapted accordingly; see the description tab of each role.

SP08

● End-user roles: the following roles were adapted with regard to authorization objects and/or authorization field values. For more information, see the description tab of each role.

○ Security Optimization roles, see the corresponding SAP Note 69647.

○ Corrected role list for composite role SAP_ISSUE_MANAGEMENT_EXE_COMP: role SAP_ISSUE_MANAGEMENT_ALL was replaced by SAP_ISSUE_MANAGEMENT_EXE.

● New user SAPSERVICE: this user is newly introduced for SAP Service Delivery. It can be created automatically for SAP Solution Manager and the managed systems using transaction SOLMAN_SETUP (view Basic Settings). For more information, see section User SAPSERVICE in the Landscape Setup Guide.

SP10

● New user ES_REP_<SID>: this user is newly introduced for Enterprise Service Reporting. It can be created automatically for SAP Solution Manager and the BW system using transaction SOLMAN_SETUP (view Basic Settings). For more information, see the new section on the Enterprise Service Reporting User.

● Supportability Performance Platform (SPP): new roles SAP_SM_SPP_ALL (full authorization) and SAP_SM_SPP_DIS (display authorization). For more information, see the new section on the Supportability Performance Platform (SPP).

● Scenario integration: added role information for incident creation, role SAP_SUPPDESK_CREATE. For more information, see section Scenario Integration.

● End-user role changes: the following roles were adapted with regard to authorization objects and/or authorization field values. For more information, see the description tab of each role.

○ SAP_SERVICE_REQUEST_ALL

○ Role SAP_SM_RFC_ADMIN was added to composite role SAP_SERVICE_EXE_ALL_COMP. For more information on role SAP_SM_RFC_ADMIN, see section Infrastructure Roles.

○ SAP_SMWORK_SERVICE_DEV (due to user interface changes)

SP12

● SAP Note 1405975: transaction /SDF/ORADLD can be used in high-security environments where your security guidelines do not allow access to transactions SE80 or SA80.

28.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might start with one scenario and later add another to your landscape. SAP therefore delivers a scenario-specific security guide per scenario that covers all information relevant to that scenario.

Caution: Before you use this scenario-specific guide, you must read the core information on security in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. We do not recommend setting up any specific scenario without this information. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.


● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

● Security Optimization Services: find out about authorizations for these services.

● Service Delivery User: find out about the service delivery user (Premium Engagement)

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

28.3 Prerequisites

28.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape needed to run the complete scenario. SAP Solution Manager connects to your managed systems via the READ RFC destination, and your managed systems connect to SAP Solution Manager via the BACK RFC destination. The following sections describe all connections in more detail: when they are used and which technical users they require.

Figure 124: Infrastructure


28.3.2 Configuration

Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like creating and sending an EarlyWatch Alert report.

Scenario Configuration transaction SPRO

To run the complete SAP Engagement and Service Delivery scenario, you need to configure it using the Implementation Guide (IMG) in transaction SPRO.

Figure 125: Configuration SAP Engagement and Service Delivery

Configuration Roles

There are no specific configuration roles for transaction SPRO. You can nevertheless create your own configuration roles; for more information, see the corresponding How-to Guide.

28.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.


Table 324

Communication Channel | Protocol | Type of Data Transferred / Function
--- | --- | ---
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within the customer network | FTP | Update of the route permission table (content: IP addresses); see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Note that FTP transmits logon credentials and file content in clear text; the route permission table update must therefore stay inside the customer network, as stated above.

Communication Destinations

The table below gives an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and the SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: managed systems); see Landscape Setup Guide.

Table 325

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
--- | --- | --- | --- | --- | ---
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | System-specific | Customer-specific | Customer-specific | Only used if trusted RFC is not used
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Retrieves data from the managed systems for service sessions; collects information on product licences and maintenance certificates

RFC Connection from Managed System to SAP Solution Manager

Table 326

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
--- | --- | --- | --- | --- | --- | ---
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | SMB_<managed system ID> | Send service data from managed systems to SAP Solution Manager | Automatically created via transaction SOLMAN_SETUP (view: managed systems)

Internet Graphics Server (IGS) RFC Connection

Table 327

RFC Destination Name | Activation Type | How Created
--- | --- | ---
IGS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59

RFC Connections from SAP Solution Manager to SAP

Table 328

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
--- | --- | --- | --- | --- | --- | ---
SAPOSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction OSS1
SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-user (customer-specific) | Exchange problem messages with SAP (function: Service Desk); synchronize system data with the Support Portal and send data about managed systems; transfer solution and issue data; transfer feedback to SAP Service Connection; product data download | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-user (customer-specific) | Retrieve information about which messages have been changed at SAP | Created in transaction SM59
SDCC_OSS (ABAP connection) | See SAP Note 763561 | | | SDCC_NEW (default password: download) | Used by the Service Data Control Center to communicate with the SAP Support Portal front-end system; update service definitions (functions: System Monitoring for EWA and Service Plan) | Copy of the SAPOSS connection. Note: if SDCCN is used locally, that is, Solution Manager is not the master system, SDCC_OSS is created automatically in the managed system
SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | | Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan) | Copy of the SAPOSS connection
SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL) | Created automatically by RTCCTOOL as a copy of SAPOSS

CCMSPing RFC Connection

Table 329

RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks
--- | --- | --- | --- | ---
CCMSPING.<server><SystemNr.> | Registered server program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING | User created during configuration of Central Monitoring (CCMS); see IMG activity Information and Configuration Prerequisites for Setting Up a Central Monitoring System CEN (technical name: SOLMAN_INPERF_CCMS)

28.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the SAP Engagement and Service Delivery scenario.

User for READ Access in Managed Systems

Users for RFC connection READ

Table 330

User | User Type | Remarks
--- | --- | ---
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP; see Landscape Setup Guide

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change it in the RFC destination in the Solution Manager system; otherwise the READ destination can no longer log on.

User for Back Destination in SAP Solution Manager System

User for Back destination

Table 331

User (Password) | Type | Remarks
--- | --- | ---
SMB_<managed system ID> (system-specific) | System user | Technical user ("Back user"), assigned role <namespace>_SOLMAN_BACK. It is created automatically during basic configuration via transaction SOLMAN_SETUP; see Landscape Setup Guide

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change it in its RFC destination in the managed system; otherwise the BACK destination can no longer log on.
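The two cautions above and the naming convention in Tables 325, 326, 330 and 331 give a practitioner something concrete to verify after SOLMAN_SETUP has run: every generated destination should still log on with exactly the technical user the guide prescribes, a READ destination should not have been re-pointed at a dialog user, and a LOGIN destination that uses a trust relationship should not also store credentials. The following Python script is an added example written for this guide, not SAP code. It checks a list of destination records against that convention. The record layout (RfcDest with a defined_in field), the Solution Manager SID SMP and the sample destinations are constructed for the example; in practice you would fill the list from an SM59 export or a query on table RFCDES.

```python
import re
from dataclasses import dataclass

# Naming convention of the destinations SOLMAN_SETUP generates (Tables 325 and 326):
#   SM_<SID>CLNT<client>_READ / _LOGIN  in Solution Manager, pointing at the managed system
#   SM_<SID>CLNT<client>_BACK           in the managed system, pointing at Solution Manager
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|BACK|LOGIN)$"
)


@dataclass
class RfcDest:
    """One ABAP RFC destination; constructed record layout, not an SAP structure."""
    name: str
    defined_in: str   # SID of the system that holds the destination (hypothetical field)
    user: str         # logon user stored in the destination, "" if none is stored
    trusted: bool     # trust relationship flag of the destination


def audit(dests, solman_sid):
    """Return one finding string per deviation from the guide's user convention.

    An empty list means every convention-named destination is defined in the
    right system and logs on with the technical user the guide prescribes.
    """
    findings = []
    for d in dests:
        m = DEST_RE.match(d.name)
        if not m:
            continue  # customer destinations are outside this convention
        sid, kind = m["sid"], m["kind"]
        where = f"{d.name} in {d.defined_in}"
        if kind == "READ":
            # READ lives in Solution Manager and uses SM_<SID of Solution Manager>
            if d.defined_in != solman_sid:
                findings.append(f"{where}: READ destination must be defined in {solman_sid}")
            if d.user != f"SM_{solman_sid}":
                findings.append(
                    f"{where}: expected READ user SM_{solman_sid}, found {d.user or '<none>'}"
                )
        elif kind == "BACK":
            # BACK lives in the managed system, targets Solution Manager, uses SMB_<managed SID>
            if sid != solman_sid:
                findings.append(f"{where}: BACK destination must target {solman_sid}, not {sid}")
            if d.user != f"SMB_{d.defined_in}":
                findings.append(
                    f"{where}: expected BACK user SMB_{d.defined_in}, found {d.user or '<none>'}"
                )
        else:
            # LOGIN stores a customer-specific user only when trusted RFC is not used
            if d.trusted and d.user:
                findings.append(f"{where}: trusted LOGIN destination still stores user {d.user}")
            if not d.trusted and not d.user:
                findings.append(f"{where}: LOGIN destination without trust has no logon user")
    return findings


SOLMAN_SID = "SMP"  # constructed SID of the Solution Manager system

# Constructed sample: the first three records follow the guide, the next three do not.
SAMPLE = [
    RfcDest("SM_ERPCLNT100_READ", "SMP", "SM_SMP", False),
    RfcDest("SM_ERPCLNT100_LOGIN", "SMP", "", True),
    RfcDest("SM_SMPCLNT001_BACK", "ERP", "SMB_ERP", False),
    RfcDest("SM_CRMCLNT200_READ", "SMP", "SOLMAN_ADMIN", False),  # dialog user instead of SM_SMP
    RfcDest("SM_CRMCLNT200_LOGIN", "SMP", "DDIC", True),          # trusted, yet a user is stored
    RfcDest("SM_SMPCLNT001_BACK", "CRM", "SMB_ERP", False),       # BACK user of another system reused
    RfcDest("ZCUSTOM_DEST", "SMP", "BATCH", False),               # not in scope, ignored
]

if __name__ == "__main__":
    for line in audit(SAMPLE, SOLMAN_SID):
        print(line)
```

Run the script after each SOLMAN_SETUP managed-system run and after any password change in SU01; a READ destination that now carries a dialog or administrator user is the most common drift, because it is the quickest way to "fix" a locked technical user.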

Adobe Document Services (ADS)

ADS User

Table 332

User (Password) | Type | Remarks
--- | --- | ---
ADSUSER | Service user | Technical user for basic authentication in ADS
ADS_AGENT | Service user | Technical user for communication between the ABAP stack and the J2EE stack on which ADS runs; assigned roles: SAP_BC_FP_ICF (double stack: AS ABAP and AS Java with ADS on the same system), SAP_BC_FPADS_ICF (AS ABAP and AS Java on separate systems)

28.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)

Users who communicate with the SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact maintained in SAP Solution Manager. You maintain the contact in table AISUSER (transaction AISUSER). The contact corresponds to the S-user in the SAP Support Portal, entered without the leading S.

Caution: The S-user for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorizations.

More Information

See IMG activity Assign S-User for SAP Support Portal Functionality (SOLMAN_PROFILE_PARAM).

28.3.6 S-User Authorization for Service Desk and Expert on Demand

Your S-user needs the following authorizations for SAP Support Portal functions.

S-User Authorization

Table 333

Activity | Authorization
--- | ---
Create message | ANLEG: Create SAP message
Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message
Confirm messages | QUITT: Confirm SAP message
Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area


28.3.7 S-User Authorization for Data Download from SAP

Your S-user needs the following authorizations for the SAP Support Portal functions.

S-User Authorization: Download Data from SAP

Table 334

Activity | Authorization
--- | ---
Administration | ADMIN
Maintain all logon data | PWCHGE
Maintain user data | USER
Maintain system data | INSTPROD
Request license key | LICKEY

28.3.8 Business Partners Created During Configuration

When you configure the SAP Solution Manager using the automatic basic settings configuration, additional business partners are created.

For SAP Engagement and Service Delivery

The business partners are created as follows:

Table 335

First Name | Last Name | Remarks
--- | --- | ---
SAP | Technical Quality Manager | Automatically assigned ID TQM or SAPTQM
SAP | Support Advisor | Automatically assigned ID SAPSUPAD
SAP | Engagement Architect | Automatically assigned ID SAPENAR
SAP | Back Office | Automatically assigned ID SAPBACKO
SAP | Consulting | Automatically assigned ID SAPCON
Customer | Program Management | Automatically assigned ID CUSTPM
Customer | Business Process Operations | Automatically assigned ID CUSTBPM
Customer | Custom Development | Automatically assigned ID CUSTCD
Customer | Technical Operations | Automatically assigned ID CUSTTO
Customer | Partner | Automatically assigned ID CUSTPAR


Note: An additional business partner (name: SAP Support) is created automatically for user SAPSUPPORT as soon as this user is created during the automatic basic settings configuration (see section User SAPSUPPORT).

For SOLMAN_SETUP Template Users and Configuration Users

Users created using transaction SOLMAN_SETUP are assigned a corresponding business partner if the scenario requires one. The system displays the relevant business partner number in the log when you create the user.

More Information

For how to configure the basic settings, see the Configuration Guide SAP Solution Manager in the Service Marketplace: service.sap.com/instguides > SAP Components > SAP Solution Manager > <current release>.

28.4 CRM Standard Customizing for Solution Manager

The Service Request and Issue Management use cases are based on CRM and use CRM Customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM Customizing, and the same values are maintained in the individual CRM authorization objects. The following tables give an overview of the transaction types used.

Caution: If you copy SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario; otherwise the authorization checks do not cover your copied transaction types. See also the How-to Guide on maintaining authorization objects.

Transaction Types Issue Management

Table 336

Transaction Type | Usage | Remarks
--- | --- | ---
SLFI | Issues | supported
SLFT | Top Issues | supported
SLFE | Expert on Demand | supported
TASK | Actions | supported

Transaction Type Service Request

Table 337

Transaction Type | Usage | Remarks
--- | --- | ---
SLFS | Service Request | supported


28.5 Recommended Users and Authorizations

To enable your users to work with the application, you need to assign them authorizations in the Solution Manager system. This is described in section User Descriptions and User Roles to Use the Work Center.

When you work in a project to implement new business processes, change existing ones, operate your systems, and so on, you may need SAP support. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles are templates only: first define which tasks the individual members of your company execute, then adjust the corresponding roles. These roles are described in section User Description and User Roles for Service Delivery.

Caution: The roles delivered by SAP are models only and must be adjusted to your company's needs.

Roles for SAP Engagement and Service Delivery are predefined composite roles (technical suffix *_COMP). Each composite role contains a set of single roles relevant to the business tasks.

Figure 126: Service Delivery Process

28.5.1 User Descriptions and User Roles to Use the Work Center

This section gives an overview of the users recommended by SAP and their user role assignments for SAP Engagement and Service Delivery. Each user is assigned a composite role, which contains a number of single roles.


Work Center

The work center is the work space of a user and gives access to all tools the user needs. You can assign the delivered composite roles to your users; you may still want to restrict the access and/or authorizations of a particular user. Access to the entries of the navigation panel is restricted by authorization object SM_WC_VIEW. For more information on user interface authorizations, see the core security guide.

Figure 127: SAP Engagement and Service Delivery Work Center

The table below shows which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the single role is required. The Overview of a work center always contains links to all sections of the navigation panel and is therefore not listed.

Manager/Administrator (technical role name: SAP_SERV_DELIVERY_COMP)

The manager/administrator is allowed to:

● access SAP Engagement and Service Delivery work center

● maintain solutions and update solution data at SAP

● create and process issues/top issues

● create and process service requests

● execute solution reporting, Early Watch Alert Reporting, Service Level Reporting

● setup and execute sessions for services

● update content for Services

● get the current service plan from SAP

Table 338

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_ISSUE_MANAGEMENT_EXE | Authorization to execute issues | Top Issue, Issues, Tasks, Reporting
SAP_SERVICE_REQUEST_ALL | Authorization to use service requests | Support Requests, Services, Reporting
SAP_SMWORK_BASIC_SERVICES | Authorization for work centers | Work Center Access
SAP_SMWORK_SERVICE_DEV | Access to work center SAP Engagement and Service Delivery | Work Center Access
SAP_SM_SOLUTION_ALL | Full authorization for solutions | Solution, Business Processes, Support Requests, Services, Top Issue, Issues, Tasks, Reporting
SAP_SMSY_DIS | Display authorization for transaction SMSY | Business Processes, Support Requests, Services, Top Issue, Issues, Tasks, Reporting
SAP_SV_SOLUTION_MANAGER | Full authorization to set up EarlyWatch Alert, Service Level Reporting and other services, and to execute reporting | Services, Reporting
SAP_BI_E2E | Access to BW data | Reporting

Display User (technical role name: SAP_SERV_DELIVERY_DIS_COMP)

The display user is allowed to:

● access SAP Engagement and Service Delivery work center

● display solutions

● display issues and top issues

● display service requests

● display sessions for services

462

CUSTOMER© Copyright 2015 SAP SE or an SAP affiliate company.All rights reserved.

Security Guide for SAP Solution Manager 7.1Scenario-Specific Guide: SAP Engagement and Service Delivery

Page 463: SM_SEC_GUIDE_71SP13.pdf

Table 339

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_ISSUE_MANAGEMENT_DIS | Authorization to display issues | Top Issue, Issues, Tasks, Reporting
SAP_SERVICE_REQUEST_DIS | Authorization to display service requests | Support Requests, Services, Reporting
SAP_SMWORK_BASIC_SERVICES | Authorization for work centers | Work Center Access
SAP_SMWORK_SERVICE_DEV | Access to work center SAP Engagement and Service Delivery | Work Center Access
SAP_SM_SOLUTION_DIS | Display authorization for solutions | Solution, Business Processes, Support Requests, Services, Top Issue, Issues, Tasks, Reporting
SAP_SMSY_DIS | Display authorization for transaction SMSY | Business Processes, Support Requests, Services, Top Issue, Issues, Tasks, Reporting
SAP_SV_SOLUTION_MANAGER_DISP | Authorization to display EarlyWatch Alert, Service Level Reporting and other services, and reporting | Services, Reporting
SAP_BI_E2E | Access to BW data | Reporting

Note:

● To maintain solutions in the Solution Directory (transaction SOLMAN_DIRECTORY), you additionally need role SAP_SOLMAN_DIRECTORY_*.

● To display CSA and SLR sessions separately, you can use the following roles in addition to role SAP_SM_SOLUTION_*:

○ SAP_SETUP_DSWP_CSA (set up CSA)

○ SAP_OP_DSWP_CSA (CSA operations session)

○ SAP_SETUP_DSWP_SLR (set up SLR)

○ SAP_OP_DSWP_SLR (SLR operations session)

Common Task Panel in the Work Center

Maintain System Data

To maintain system data, you need role SAP_SMSY_*.

Maintain Solution Data

To maintain solution data, you need roles SAP_SOLMAN_DIRECTORY_* and SAP_SM_SOLUTION_*.

Maintain Project Blueprint and Configuration

To maintain projects, blueprints, and configuration, consider adding one of the composite roles used in the scenario Implementation and Upgrade; see the scenario-specific guide for Implementation and Upgrade. You need at least the following roles:

● SAP_SOL_PROJ_ADMIN_*

● SAP_SOLAR01_*

● SAP_SOLAR02_*

● SAP_SOL_KW_*

Display Roadmap

To display roadmaps, you need role SAP_RMMAIN_DIS. If you want to see documents in roadmaps, you need to add role SAP_SOL_KW_DIS.

Schedule Content Update

You need role SAP_SM_SOLUTION_ALL.

Define Issue Settings

To define issue settings, you need SAP_SM_SOLUTION_ALL and SAP_ISSUE_MANAGEMENT_ALL.

Related Links in the Work Center

The related links section of the work center lists all possible links for this work center. This collection is a recommendation of which additional applications could run in the corresponding scenarios. If you want the related links section to show only the links a defined user should see, adapt the work center navigation role accordingly. For more information on adapting the related links section, see the How-to section.

Solution Manager Operations

Requires role SAP_SV_SOLUTION_MANAGER.

Issue Management

Requires roles SAP_SM_SOLUTION_ALL and SAP_ISSUE_MANAGEMENT_ALL.


28.5.2 User Description and User Roles for Service Delivery (Premium Engagement)

You can assign a composite role to the user you created in your system for SAP Support employees. This composite role, SAP_PREMIUM_ENGAGEMENT_COMP, contains a number of single roles. With it, you can also execute all self-services yourself.

28.5.3 Enterprise Service Reporting User - ES_REP_<SID>

Using the Enterprise Service Reporting (ESR/PSLE) self-service tool, you can generate service and support reports in the SAP Solution Manager. You can:

● generate ad-hoc reports

● generate scheduled reports

● create report chapter variants

To be able to use Enterprise Reporting, the default user ES_REP_<SID> is delivered with predefined roles. This user needs to be created in the SAP Solution Manager, and also in the BW-client, if the BW-system is remote. You can find the user description in the system using TXT ID (in transaction SE61) TP_ES_REP.

Prerequisites

Technical Users

The Technical User SM_EFWK needs to be assigned role SAP_SM_BI_ESR_EXTRACTOR for data extraction authorization. The user can be updated with this role, using transaction SOLMAN_SETUP in view: Basic Settings.

End-User Creation

To be able to use this user, you need to create it using transaction SOLMAN_SETUP. Go to View: Basic SettingsSpecify Users .

Features

The following roles are assigned to the user:

In the SAP Solution Manager Client

Table 340

Roles Help Text ID

SAP_SM_ESR_REPORTING AUTH_SAP_SM_ESR_REPORTING

SAP_SMWORK_BASIC_SERVICES AUTH_SAP_SMWORK_BASIC_SER

SAP_SMWORK_SERVICE_DEV AUTH_SAP_SMWORK_SERVICE_DEV

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS

In the BW - Client

Table 341

Roles Help Text ID

SAP_BI_E2E_ESR AUTH_SAP_BI_E2E

SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP

Authorization for Trusted RFC between SAP Solution Manager and BW-System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the authorization object S_RFCACL for trusted system logon (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). Maintain the field values of S_RFCACL (calling system ID, calling client, calling user) explicitly for the systems involved; wildcard values would allow any user of the calling system to log on through the trust relationship.

28.5.4 Supportability Performance Platform

The goal of the Supportability Performance Platform (SPP) is to provide a database for SAP customers, that collects and reports standardized and customer specific KPI information. It allows customers to initiate explicit actions in case of deviations from the target values or in comparison to other companies in the same industry or size. This allows customer IT organizations to understand and collaborate better with the lines of business. For SAP, SPP and the derived KPI/Benchmark overview is a starting point to stabilize the SAP engagement with the customer. By benchmarking customer KPIs with related industries, transparency and follow up activities based on improving specific KPIs can be initiated by the TQMs and ESAs. Midterm, the information transferred to SAP can support SAP's service portfolio and strategy. Additionally, with the collected benchmark information SAP can provide business cases for possible improvements that can support the customer IT collaboration with the business. The quality KPIs are aligned with the IT strategy (for instance innovation driver, service, or solution provider) during an ACCOE assessment together with the customer. The KPIs are activated and a baseline measurement is performed. The initial action plan to reach the KPI target is agreed. The KPIs are in the responsibility of the quality managers (customer, partner, and SAP).

Features

Assign one of the following roles to your Service and Support User:

● SAP_SM_SPP_ALL (full authorization)

● SAP_SM_SPP_DIS (display authorization)


28.5.5 User Descriptions and User Integration Roles for Issue Management

This section gives an overview of the users recommended by SAP and the roles assigned to them for SAP Engagement and Service Delivery. All users are assigned a composite role, which contains a number of single roles.

The roles are primarily to be used with integrations, for instance Change Request Management, QGM, and so on. If you only require your users to be able to run Issue Management, you assign these roles in addition to the work center relevant roles.

Manager/Administrator (technical role name: SAP_ISSUE_MANAGEMENT_ALL_COMP)

The manager/administrator is allowed to:

● maintain solutions and update solution data at SAP

● create and process issues/top issues

● setup and execute sessions for services

Table 342

Single Role Remarks

SAP_ISSUE_MANAGEMENT_ALL Authorization to execute issues

SAP_SM_SOLUTION_ALL Full authorization for solutions

SAP_SOL_PROJ_ADMIN_ALL Full authorization to setup EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting

Operations (technical role name: SAP_ISSUE_MANAGEMENT_EXE_COMP)

The operations user is allowed to:

● maintain solutions and update solution data at SAP

● create and process issues/top issues

● setup and execute sessions for services

Table 343

Single Role Remarks

SAP_ISSUE_MANAGEMENT_ALL Authorization to execute issues

SAP_SM_SOLUTION_ALL Full authorization for solutions

SAP_SOL_PROJ_ADMIN_ALL Full authorization to setup EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting

Display User (technical role name: SAP_ISSUE_MANAGEMENT_DIS_COMP)

The display user is allowed to:

● display solutions

● display issues/top issues

● display sessions for services


Table 344

Single Role Remarks

SAP_ISSUE_MANAGEMENT_DIS Display authorization for issues

SAP_SM_SOLUTION_DIS Display authorization for solutions

SAP_SOL_PROJ_ADMIN_DIS Display authorization to setup EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting

28.5.6 Main Authorization Objects

This section gives you some information on the main authorization objects. For detailed information, see SDN Wiki for Authorizations.

CRM Authorization Objects

Issue Management is based on the CRM - functionality. The main CRM - objects are included in the roles for Issue Management. For more information on CRM authorizations, see in the Core Security Guide the section on CRM integration.

Authorization Object DSWP_ISSUE

This authorization object controls activities for Issues.

Authorization Object DSWP_TOPIS

This authorization object controls activities for Top Issues.

Authorization Object DSWP_EOD

This authorization object controls activities for Expert on Demand.

Authorization Object DSWP_ACTIO

This authorization object controls activities for Actions.

Authorization Object AI_SA_TAB for Issues

This section refers to specific authorization objects and their delivered maintenance in relation to scenario-specific features.

For a complete overview of the authorization objects used in SAP Solution Manager and related use cases, see the Wiki page for authorizations.

AI_SA_TAB restricts access to the tabs in transactions SOLAR01, SOLAR02 and SOLMAN_DIRECTORY, which are mainly used in the scenario Implementation and Upgrade. The authorization object is included in the roles SAP_ISSUE_MANAGEMENT_* because Issue Management integrates with the scenario Quality Gate Management (QGM).

Authorization Object D_SVAS_SES

This authorization object restricts Services.


28.6 Security Optimization Service

For Security Optimization service, you need to assign additional authorizations. For more information, see SAP Note 69647.

28.7 Scenario Integration

SAP Engagement and Service Delivery combines a number of tools with services, for instance Issue Management or Support Request. The integration with other scenarios is described in the following sections.

Business Blueprint and Configuration

In the SAP Engagement and Service Delivery scenario you can display business processes, but not change them. To do so, use the links in the work center section Common Tasks. To be able to maintain business blueprint or configuration data, you need to assign the following roles in addition:

● SAP_SOL_PROJ_ADMIN_*

● SAP_SOLAR01_*

● SAP_SOLAR02_*

● SAP_SOL_KW_*

Incident Management

To be able to create incidents from issues, you need to assign role SAP_SUPPDESK_CREATE.


29 Scenario-Specific Guide: Technical Administration

The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution or as systems, and the optimization of productive processes in a project. All systems of a solution must be administered during all phases. This guide gives you an overview of all relevant security-related issues for the scenario Technical Administration of the systems in your landscape.

29.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 345

Support Package Stacks

(Version)

Description of Changes

SP05 User Roles and Authorization

● Additional view in Work Center, Guided Procedure, requires new role SAP_SM_GP_* with new authorization object SM_GPACUST. See role description tab and section on Users and Authorizations.

SP10 Service Availability Management

New section on Service Availability Management, which includes new composite roles for defined user definitions:

● SAP_SAM_ADMIN_COMP

● SAP_SAM_DISPLAY_COMP

● SAP_SAM_CONFIG_COMP

● SAP_SAM_EDIT_COMP

● SAP_SAM_REVIEW_COMP

and single roles:

● SAP_SM_SAM_ALL

● SAP_SM_SAM_REVIEW

● SAP_SM_SAM_EDIT

● SAP_SM_SAM_DIS

● SAP_TSAM_CONF

IT Task Inbox and Guided Procedure

New section on IT Task Inbox and Guided Procedure, which includes new composite roles for defined user definitions:

● SAP_GUIDED_PROCEDURE_ALL_COMP

● SAP_TASK_PLANNING_ALL_COMP

● SAP_TASK_INBOX_ALL_COMP

new single roles:

● SAP_TASK_PLANNING_ALL

● SAP_TASK_PLANNING_DIS

RFC-Connection specifics, and managed system authorizations.

For more information see section User Definitions and Roles for IT Task Inbox and Guided Procedure.

Technical Administration

Added the following single roles to composite roles, see according description on the Description Tab in the roles:

● SAP_SM_SAM_*

● SAP_SM_BP_DISPLAY

● SAP_TASK_PLANNING_*

User Roles Changes

For more information on the specific adaptations of authorizations and authorization objects, see the Description Tab of the individual role.

● Adapted the following roles, due to new IT Task Inbox and Guided Procedure application:

○ SAP_TASK_INBOX_* (CRM authorizations and batch integration)

○ SAP_SMWORK_BASIC_TECHADMIN

○ SAP_SM_GP_*

● SAP_SMWORK_SYS_ADMIN (Due to User Interface changes)

● SAP_NOTIF_ADMIN

● SAP_SM_DTM_* (due to SAM)

SP11 User Roles Changes

For more information on the specific adaptations of authorizations and authorization objects, see the Description tab of the individual role.

● Adapted roles SAP_SM_GP* (Display of GPA Browser)

SP12 User Roles Adaptations due to SOLMAN_SETUP integration

For more information on the specific adaptations of authorizations and authorization objects, see the Description tab of the individual role.

● SAP_SM_GP_ADMIN

● SAP_SM_GP_EXE

● SAP_TASK_PLANNING_ALL

● SAP_SM_IT_EVENTS_DISP

● SAP_SMWORK_SYS_ADMIN (Best Practice Link)

IT Task Management

● New roles SAP_ITTM_CONF and SAP_ITTM_CONF_COMP for configuration of IT Task Management in transaction SOLMAN_SETUP.

29.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario in your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components you can find in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

29.3 Prerequisites

29.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete technical administration scenario. SAP Solution Manager is connected via READ RFC and TRUSTED RFC to your managed systems. The following sections describe all connections in more detail: when they are used, and which technical users are required.

Figure 128: Infrastructure

29.3.2 Configuration

Technical administration is subdivided into several sub-scenarios, for instance Service Availability Management or IT Task Inbox. The configuration users and their authorizations are described in the individual section for the sub-scenario.

Note: For conceptual information on configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

29.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 346

Communication Channel | Protocol | Type of Data Transferred / Function

Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services

Solution Manager to managed systems | RFC | Reading information from managed systems

Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Solution Manager to Exchange Server | LDAP | Reading distribution lists

Solution Manager to Mail Server/SMS Server | HTTP(S)/RFC, SMTP | E-mail and SMS

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 347

RFC Destination Name: SM_<SID>CLNT<Client>_READ (ABAP connection)

Target Host Name: Managed system

System Number: System-specific

Logon Client: System-specific

Logon User (Password): Default user SM_<SID of Solution Manager system>

Remarks: For notification management, to fetch users and business partners

29.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the technical administration scenario.


User for READ Access in Managed Systems

Users for RFC connection READ

Table 348

User: SM_<SID of Solution Manager system> (system-specific)

User Type: System user

Remarks: Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01) in the managed system, you must also change the password stored for this user in the RFC destination in the Solution Manager system; otherwise the READ connection fails and, after repeated failed logons, the user can be locked.

29.4 Users and Authorizations

To enable your end-users to work with the application, you need to assign them authorizations in the Solution-Manager-system and in the managed systems.

When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which SAP delivered roles are modelled. These user descriptions and roles can only be regarded as templates for you. You need to first define which tasks the individual members in your company execute, and then adjust the according roles.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

Roles for Technical Administration are predefined Composite Roles (technical abbreviation: *_COMP) for users. These composite roles contain a set of single roles that are relevant for the business tasks.

29.4.1 User Descriptions and Roles for Technical Administration

This section gives an overview of the users recommended by SAP and the roles assigned to them for technical administration. All users are assigned a composite role, which contains a number of single roles.


Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization objects SM_WC_VIEW and SM_WD_COMP. For more information about user interface authorizations, see core security guide.

Figure 129: Technical Administration Work Center

The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is required. Since the Overview in a work center always contains links to all relevant sections in the navigation panel, it is not mentioned. The view Central Tool Access does not receive specific roles, as the links accessed from this view relate to basic security-relevant tools; for these applications, you need to assign the correct roles from SAP Basis.

Administrator (technical role name: SAP_TECHNICAL_ADMIN_COMP)

Table 349

Single Role Remarks

SAP_SM_DTM_ALL Full authorization for Work Mode Management, former Downtime Management

SAP_SM_ADMIN_COMPONENT_ALL MDM Administration Cockpit

SAP_NOTIF_ADMIN Full authorization for notifications

SAP_ITCALENDAR Full authorization for IT Calendar

SAP_TASK_INBOX_ALL Full authorization for Task Inbox

SAP_SM_IT_EVENTS_ADMIN Full authorization for IT Events (launched from IT Calendar)

SAP_SYSTEM_REPOSITORY_ALL Full authorization for system repository (LMDB) and system landscape (transaction SMSY)

SAP_SMWORK_BASIC_TECHADMIN Full authorization for work center

SAP_SMWORK_SYS_ADMIN Access to work center for technical administration

SAP_SM_GP_ALL Run Guided Procedure

SAP_SM_SAM_ALL Full authorization for SAM integration

SAP_SM_BP_DISPLAY Allows Business Partner display in IT Task Inbox

SAP_TASK_PLANNING_ALL Full authorization for Task Planner

Display User (technical role name: SAP_TECHNICAL_ADMIN_DISP_COMP)

Table 350

Single Role Remarks

SAP_SM_DTM_DIS Display authorization for Work Mode Management, former Downtime Management

SAP_SM_ADMIN_COMPONENT_DIS MDM Administration Cockpit

SAP_NOTIF_DIS Display authorization for notifications

SAP_ITCALENDAR Authorization for IT Calendar

SAP_SM_IT_EVENTS_DISP Display authorization for IT Event (launched from IT Calendar)

SAP_TASK_INBOX_DIS Display authorization for task inbox

SAP_SYSTEM_REPOSITORY_DISP Display authorization for system repository (LMDB) and system landscape (transaction SMSY)

SAP_SMWORK_BASIC_TECHADMIN Full authorization for work center

SAP_SMWORK_SYS_ADMIN Access to work center for technical administration

SAP_SM_GP_DIS Display Guided Procedure

SAP_SM_SAM_DIS Display authorization for SAM integration

SAP_SM_BP_DISPLAY Allows Business Partner display in IT Task Inbox

SAP_TASK_PLANNING_DIS Display authorization for Task Planner
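The composite roles above are templates, and the guide expects you to verify what they contain before assigning them. The following check is an added example and not SAP code: it reads an extract of table AGR_AGRS (composite role and child single role) and AGR_USERS (role and user) and applies the naming convention used in the tables above (the suffixes _ALL, _ADMIN and _EXE mark change-level roles, _DIS, _DISP and _DISPLAY mark display roles, and SAP_SMWORK_* roles only open the work center). It flags single roles inside a display composite that are not clearly display-only, display composites that are redundant next to a change composite, and change-level single roles assigned directly to a display-only user. The AGR_AGRS rows are constructed to mirror a subset of Tables 349 and 350, so the run reports SAP_ITCALENDAR inside SAP_TECHNICAL_ADMIN_DISP_COMP for manual review; that is a naming-based prompt, not a statement about the delivered role. The user IDs OPS1 and AUDIT1 and their assignments are invented.

```python
"""Least-privilege check for Solution Manager composite roles and their assignment.

Added example, not SAP code. Assumes two extracts from the Solution Manager
system: AGR_AGRS (composite role, child single role) and AGR_USERS (role, user).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (composite role or user, single role, message)

CHANGE_SUFFIXES = ("_ALL", "_ADMIN", "_EXE", "_EDIT", "_CONF", "_CREATE")
DISPLAY_SUFFIXES = ("_DIS", "_DISP", "_DISPLAY")
DISPLAY_COMPOSITE_SUFFIXES = ("_DIS_COMP", "_DISP_COMP", "_DISPLAY_COMP")

# Constructed AGR_AGRS rows (AGR_NAME, CHILD_AGR), mirroring part of Tables 349 and 350.
SAMPLE_AGR_AGRS = [
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_SM_DTM_ALL"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_NOTIF_ADMIN"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_ITCALENDAR"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_TASK_INBOX_ALL"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_SYSTEM_REPOSITORY_ALL"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_SMWORK_BASIC_TECHADMIN"),
    ("SAP_TECHNICAL_ADMIN_COMP", "SAP_SMWORK_SYS_ADMIN"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_SM_DTM_DIS"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_NOTIF_DIS"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_ITCALENDAR"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_TASK_INBOX_DIS"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_SYSTEM_REPOSITORY_DISP"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_SMWORK_BASIC_TECHADMIN"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_SMWORK_SYS_ADMIN"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_SM_BP_DISPLAY"),
]

# Constructed AGR_USERS rows (AGR_NAME, UNAME); the user IDs are invented.
SAMPLE_AGR_USERS = [
    ("SAP_TECHNICAL_ADMIN_COMP", "OPS1"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "OPS1"),
    ("SAP_TECHNICAL_ADMIN_DISP_COMP", "AUDIT1"),
    ("SAP_SM_DTM_ALL", "AUDIT1"),  # single role assigned directly, bypassing the composite
]


def classify(role: str) -> str:
    """Classify a single role by its name; SAP_SMWORK_* roles only grant work center navigation."""
    if role.startswith("SAP_SMWORK_"):
        return "navigation"
    if role.endswith(DISPLAY_SUFFIXES):
        return "display"
    if role.endswith(CHANGE_SUFFIXES):
        return "change"
    return "unclassified"


def is_display_composite(role: str) -> bool:
    return role.endswith(DISPLAY_COMPOSITE_SUFFIXES)


def composite_members(agr_agrs) -> Dict[str, Set[str]]:
    members: Dict[str, Set[str]] = defaultdict(set)
    for composite, single in agr_agrs:
        members[composite].add(single)
    return members


def check_composites(agr_agrs) -> List[Finding]:
    """Flag single roles inside a display composite that are not clearly display-only."""
    findings: List[Finding] = []
    for composite, singles in sorted(composite_members(agr_agrs).items()):
        if not is_display_composite(composite):
            continue
        for single in sorted(singles):
            kind = classify(single)
            if kind == "change":
                findings.append((composite, single, "change-level single role inside a display composite"))
            elif kind == "unclassified":
                findings.append((composite, single, "no display or change suffix; confirm it is display-only"))
    return findings


def check_users(agr_agrs, agr_users) -> List[Finding]:
    """Flag redundant display composites and change roles assigned directly to display-only users."""
    members = composite_members(agr_agrs)
    assigned: Dict[str, Set[str]] = defaultdict(set)
    for role, user in agr_users:
        assigned[user].add(role)
    findings: List[Finding] = []
    for user, roles in sorted(assigned.items()):
        composites = {r for r in roles if r in members}
        has_change_composite = any(not is_display_composite(c) for c in composites)
        for composite in sorted(composites):
            if is_display_composite(composite) and has_change_composite:
                findings.append((user, composite, "display composite is redundant next to a change composite"))
        if not has_change_composite:
            for role in sorted(roles - composites):
                if classify(role) == "change":
                    findings.append((user, role, "change-level single role assigned directly to a display-only user"))
    return findings


if __name__ == "__main__":
    for subject, role, message in check_composites(SAMPLE_AGR_AGRS) + check_users(SAMPLE_AGR_AGRS, SAMPLE_AGR_USERS):
        print(f"{subject}: {role}: {message}")
```

The suffix rules are deliberately conservative: anything the naming convention does not classify is reported for manual review rather than silently accepted, because a display composite is only as restrictive as its least restrictive member.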

Related Links in the Work Center

In the related links section in the work center, you find all possible links for this work center. This link collection is a recommendation about which additional applications could run in the according scenarios. If you want to display in the related links section only those links that should be possible for the defined user to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.


Configuration

For the following two links, you need authorization for the work center SAP Solution Manager configuration and according roles, see the specific guide on Landscape Setup.

● Solution Manager Configuration:

● Managed System Setup

For the link CSA Setup, you need the following roles: SAP_SETUP_DSWP_CSA, SAP_SM_SOLUTION_*, and SAP_SYSTEM_REPOSITORY_*.

Administration

● Solution Manager Administration:

You need authorization for the SAP Solution Manager Administration work center and according authorizations, see scenario-specific guide for SAP Solution Manager Administration.

● Landscape Browser:

You need authorization for LMDB maintenance SAP_SYSTEM_REPOSITORY_*.

● Self-Diagnosis:

You need authorization for solutions SAP_SM_SOLUTION_*.

● My Notification Settings:

You need role SAP_NOTIF_*.

29.4.2 User Roles for IT Task Inbox and Guided Procedure

IT Task Planning allows you to plan Guided Procedures. The new IT Task Inbox shows all available tasks which are assigned to a user, to a support organization, or which are planned for certain managed objects. When a user executes a task, the system opens a related guided procedure and the task is executed via the steps and activities of the guided procedure.

This section gives an overview of the users recommended by SAP and the roles assigned to them for IT Task Inbox and Guided Procedure. Template users can be created in the SOLMAN_SETUP configuration procedure for this scenario.

Scenario Configuration

You can configure the IT Task Management scenario using transaction SOLMAN_SETUP.

Work Center Access

Guided Procedure is accessible using the Work Center for Technical Administration.

RFC-Connections

RFC-connections are only used in the case of automated activities that can be used in the self-defined guided procedures. These automated activities always use trusted RFC-connections.

CRM Authorizations Integration

IT Task Inbox requires CRM-integration. Therefore, the transaction type SMOT is used.


Recommendation: To avoid loss of data when upgrading your system, always copy transaction types and related objects into your own namespace. This requires that you adapt the CRM-specific authorization objects accordingly. For more information on CRM integration, see the according section in chapter Authorization Concept for Solution Manager.

Administration User (Technical name: TP_ITTM_ADM)

The technical role name of the corresponding composite role is: SAP_TASK_MANAGEMENT_ALL_COMP.

Table 351

Single Role Help Text ID

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_GP_ADMIN AUTH_SAP_SM_GP_ADMIN

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER_DIS

SAP_SM_IT_EVENTS_DISP AUTH_SAP_SM_IT_EVENTS_DISP

SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL

SAP_TASK_PLANNING_ALL AUTH_SAP_TASK_PLANNING_ALL

Authoring User (Technical name: TP_ITTM_AUTH)

The technical role name of the corresponding composite role is: SAP_GUIDED_PROCEDURE_ALL_COMP.

Table 352

Single Role Help Text ID

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL

SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REP_ALL

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_GP_ADMIN AUTH_SAP_SM_GP_ADMIN

IT Manager (Technical name: TP_ITTM_ITM)

The technical role name of the corresponding composite role is: SAP_TASK_PLANNING_ALL_COMP.

Figure 130: Data Flow Task Planning


Table 353

Single Role Help Text ID

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_TASK_PLANNING_ALL AUTH_SAP_TASK_PLANNING_ALL

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER_DIS

SAP_TASK_INBOX_DIS AUTH_SAP_TASK_INBOX_DIS

SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DISP

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_GP_DIS AUTH_SAP_SM_GP_DIS

SAP_ITCALENDAR_DIS AUTH_SAP_ITCALENDAR_DIS

SAP_SM_IT_EVENTS_DISP AUTH_SAP_SM_IT_EVENTS_DISP

IT Operator (Technical name: TP_ITTM_ITO)

The technical role name of the corresponding composite role is: SAP_TASK_INBOX_ALL_COMP.

Figure 131: Data Flow Task Inbox

Authorization Roles in the Solution Manager - System

Table 354

Single Role Help Text ID

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_TASK_INBOX_DIS AUTH_SAP_TASK_INBOX_DIS

SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DISP

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_GP_EXE AUTH_SAP_SM_GP_EXE

SAP_TASK_PLANNING_DIS AUTH_SAP_TASK_PLANNING_DIS

Display User (Technical name: TP_ITTM_DIS)

The technical role name of the corresponding composite role is: SAP_TASK_MANAGEMENT_DIS_COMP.

Table 355

Single Role Help Text ID

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY


SAP_TASK_PLANNING_DIS AUTH_SAP_TASK_PLANNING_DIS

SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER_DIS

SAP_TASK_INBOX_DIS AUTH_SAP_TASK_INBOX_DIS

SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DISP

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_GP_DIS AUTH_SAP_SM_GP_DIS

SAP_SM_IT_EVENTS_DISP AUTH_SAP_SM_IT_EVENTS_DISP

29.4.3 Service Availability Management

Service Availability Management (SAM) enables downtime reporting for technical components like servers, technical systems, and other objects. These downtime entries are called “Service Outages” and can be checked and corrected by System Administrators. The final confirmation is done by an IT Manager. These confirmed Service Outages are mapped to “Agreed Service Times” (AST) and reported using dashboards.

This section gives an overview of the users recommended by SAP and the roles assigned to them for SAM. All users are assigned a composite role, which contains a number of single roles.

Configuration

The configuration of SAM is executed using transaction SOLMAN_SETUP. Here, you can also create template users for your application users.

Note: For conceptual information on configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.

Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP

You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for SAM.

During the specific guided configuration, you can create Template users. The system automatically adds all relevant user roles.

During the basic automated configuration, you can create a specific configuration user (default technical name: SMC_TSAM_<XXX>) for SAM (Help Text ID: USER_CONFIG_SAM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you want to create the configuration user manually, assign:

● the composite role SAP_SAM_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.


Note: To be able to:

○ create users and assign user roles, assign as well role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, assign role SAP_SM_S_RFCACL in the Solution Manager system as well as the managed system.
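Both this note and the trusted RFC paragraph for the Enterprise Service Reporting user in section 28.5.3 assign S_RFCACL on both sides of a trust relationship, and the security of that relationship depends entirely on how narrowly the field values of S_RFCACL are maintained. The following audit is an added example and not SAP code. It assumes you have exported the S_RFCACL rows of table AGR_1251 (role name, object, authorization name, field, low value, high value) for the roles involved, for instance SAP_SM_S_RFCACL in the Solution Manager system and SAP_SM_BW_S_RFCACL in the BW system, and it flags values that would let any calling system, any client or any user log on through the trust. The role names Z_*, the authorization names T-* and the system ID SM1 in the constructed rows are assumptions.

```python
"""Audit S_RFCACL (trusted RFC logon) authorizations exported from table AGR_1251.

Added example, not SAP code. S_RFCACL fields: RFC_SYSID (calling system ID),
RFC_CLIENT (calling client), RFC_USER (calling user), RFC_EQUSER (Y = the calling
user must have the same user ID in this system, N = the users named in RFC_USER
may log on as this user), RFC_TCODE, RFC_INFO and ACTVT (16 = execute).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str, str, str, str]  # AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH
Finding = Tuple[str, str, str]             # role, authorization, message

# Constructed sample extract. The first instance is scoped to calling system SM1,
# client 001, same user ID on both sides, execute only. The second still carries
# the wildcards of an unmaintained template.
SAMPLE_AGR_1251: List[Row] = [
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_SYSID", "SM1", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_CLIENT", "001", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_USER", " ", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_EQUSER", "Y", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_TCODE", "*", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "RFC_INFO", "*", ""),
    ("Z_SM_S_RFCACL", "S_RFCACL", "T-SM000001", "ACTVT", "16", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_SYSID", "*", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_CLIENT", "*", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_USER", "*", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_EQUSER", "N", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_TCODE", "*", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "RFC_INFO", "*", ""),
    ("Z_BW_S_RFCACL_OPEN", "S_RFCACL", "T-BW000001", "ACTVT", "*", ""),
    # A different object in the same export; it must be ignored by the audit.
    ("Z_BW_S_RFCACL_OPEN", "S_RFC", "T-BW000002", "ACTVT", "16", ""),
]


def build_instances(rows: List[Row]) -> Dict[Tuple[str, str], Dict[str, Set[str]]]:
    """Group the flat AGR_1251 field rows into S_RFCACL instances keyed by (role, authorization)."""
    instances: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, field, low, high in rows:
        if obj != "S_RFCACL":
            continue
        # A filled HIGH column means a value range; keep it visible as "low-high".
        value = low.strip() if not high.strip() else f"{low.strip()}-{high.strip()}"
        instances[(role, auth)][field].add(value)
    return instances


def audit_s_rfcacl(rows: List[Row]) -> List[Finding]:
    """Return one finding per over-broad value; an empty list means every instance is scoped."""
    findings: List[Finding] = []
    for (role, auth), fields in sorted(build_instances(rows).items()):
        sysid = fields.get("RFC_SYSID", set())
        client = fields.get("RFC_CLIENT", set())
        user = fields.get("RFC_USER", set())
        equser = fields.get("RFC_EQUSER", set())
        actvt = fields.get("ACTVT", set())
        if "*" in sysid:
            findings.append((role, auth, "RFC_SYSID=*: accepts trusted logons from every calling system"))
        if "*" in client:
            findings.append((role, auth, "RFC_CLIENT=*: accepts trusted logons from every calling client"))
        # With RFC_EQUSER=N the calling user need not have the same ID, so RFC_USER=*
        # lets any user of the trusting system log on as the user holding this role.
        if equser & {"N", "*"} and "*" in user:
            findings.append((role, auth, "RFC_EQUSER=N with RFC_USER=*: any user of the calling system can log on as this user"))
        if "*" in actvt:
            findings.append((role, auth, "ACTVT=*: restrict to 16 (execute)"))
    return findings


def roles_with_findings(rows: List[Row]) -> Set[str]:
    return {role for role, _auth, _message in audit_s_rfcacl(rows)}


if __name__ == "__main__":
    for role, auth, message in audit_s_rfcacl(SAMPLE_AGR_1251):
        print(f"{role} {auth}: {message}")
```

Run the audit against both systems of a trust relationship, since the guide assigns S_RFCACL on each side; a scoped instance in the Solution Manager system does not protect a BW system whose own instance still contains wildcards.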

Work Center Access

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see core security guide.

Administrator (Help Text-ID: TP_SAM_ADMIN)

Single Roles for Administrator (technical role name: SAP_SAM_ADMIN_COMP) in the SAP Solution Manager System

Table 356

Role Help Text-ID

SAP_SM_SAM_ALL AUTH_SAP_SM_SAM_ALL

SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REP_ALL

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_DTM_ALL AUTH_SAP_SM_DTM_ALL

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP

Display User (Help Text-ID: TP_SAM_DISP)

Single Roles for Display User (technical composite role name: SAP_SAM_DISPLAY_COMP) in the SAP Solution Manager System

Table 357

Role Help Text-ID

SAP_SM_SAM_DIS AUTH_SAP_SM_SAM_DIS

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_DTM_DIS AUTH_SAP_SM_DTM_DIS

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY


SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP

Maintenance User (Help Text-ID: TP_SAM_AM)

Single Roles for Maintenance User (technical composite role name: SAP_SAM_EDIT_COMP) in the SAP Solution Manager System

Table 358

Role Help Text-ID

SAP_SM_SAM_EDIT AUTH_SAP_SM_SAM_EDIT

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_DTM_ALL AUTH_SAP_SM_DTM_ALL

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP

Review User (Help Text-ID: TP_SAM_CNFM)

Single Roles for Review User (technical composite role name: SAP_SAM_CNFM_COMP) in the SAP Solution Manager System

Table 359

Role Help Text-ID

SAP_SM_SAM_REVIEW AUTH_SAP_SM_SAM_REVIEW

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA

SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN

SAP_SM_DTM_DIS AUTH_SAP_SM_DTM_DIS

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY

SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP

29.4.4 Main Authorization Objects

In this section we give some information on main authorization objects. For detailed information, see SDN Wiki for Authorizations.


Notification Management Authorization Object SM_NOTI_TA

The authorization object restricts authorizations for notifications:

● Start / Read: display authorization for Notification Management

● reduce the scope if not all technical scenarios are allowed for the user

● create, change, delete Recipients/Recipient Lists

Notification Management Authorization Object S_LDAP

In the administration role, the object S_LDAP is delivered with the authorization for assigning LDAP servers and for SMS usage.

Work Mode Management (formerly: DTM) Authorization Object SM_WMMAUTH

The authorization object SM_WMMAUTH restricts access to DTM.

Note: In the roles for Work Mode Management, the authorization object D_DMD_DATA is maintained with full authorization to execute changes on the data model. In addition, they contain the authorization objects S_USER_GRP for user information and B_BUPA_RLT for Business Partner information, each with activity 03 (display).

29.5 Integration

Technical Administration refers to the maintenance of all systems in your system landscape. To run all your systems smoothly, this phase must integrate with the handling of problems. The following sections describe how technical administration integrates with other scenarios within SAP Solution Manager, and which user roles apply.

Note: For more detail on each individual scenario, see the according Scenario-Specific Guide.

View: Central Tool Access

The view Central Tool Access has no specific roles of its own, because the links accessed from this application lead to basic, security-relevant tools. For these applications, you must assign the appropriate roles from SAP Basis.

Figure 132: Central Tool Administration


29.6 Traces and Logs

Work Mode Management provides the feature to notify users about a system downtime. E-mail addresses can be displayed by the system administrator. Changes are logged.


30 Scenario-Specific Guide: Business Process Operations

The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. You use the scenario Business Process Operations to monitor your most important business processes. This guide gives you an overview of all relevant security-related issues for this scenario.

30.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 360

Support Package Stacks

(Version)

Document Adaptations

SP05 General

Business Process Operations is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be automatically created within this procedure. The following users are created:

● Scenario Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on for configuring the corresponding scenario in transaction SOLMAN_SETUP.

● Standard Users: Standard users for the individual process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as “demo” standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes require customizing because of a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system, the required BW system, and the managed system.

Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document Text ID in the system.

For more information, see the specific Landscape Setup Guide, section User Generation.

● CDC single roles included in BPO composite roles.

● Adapted section on communication channels.

User Definitions

The user definition for end users is refined. See the user definitions in the guided procedure step “Create Standard Users” in transaction SOLMAN_SETUP for the scenario.


Scenario Configuration

Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

End-User Roles

● New single roles for Business Process Analytics for Solution Manager SAP_SM_BPOANA_* and managed systems SAP_MANAGED_BPOANA_*.

SP07 End-User Roles

Substituted role SAP_SM_DASHBOARD_*BPO with SAP_SM_DASHBOARD_ADMIN in composite role SAP_BPO_CONF_COMP and in the SOLMAN_SETUP user role assignment for the configuration user.

SP10 New End-User Roles for CDC

New additional roles are shipped for CDC, see section Additional Functions. For more information on authorization changes for the roles, see the MENU tab of the respective role.

● SAP_CDC_INSTANCE_ANALYZER

● SAP_CDC_INSTANCE_EXECUTER

● SAP_CDC_INSTANCE_CREATOR

● SAP_CDC_OBJECT_MODELER

End-User Roles Changes

For more information on authorization changes for the roles, see the MENU tab of the respective role.

● SAP_MANAGED_BPOANA_* (delivered with the software component ST-PI)

● SAP_SM_BPOANA_*

● SAP_SETUP_DSWP_BPM and SAP_OP_DSWP_BPM adapted for new Work Center functionality based on the Extractor Framework

● SAP_SV_SOLUTION_MANAGER_DIS adapted for new Work Center functionality based on the Extractor Framework

● SAP_SM_BPMON_REPORTING adapted for new Work Center functionality based on the Extractor Framework

● SAP_BPO_CONF

● SAP_SMWORK_BASIC_BPO

User - Roles Assignments

● New Work Center role SAP_SMWORK_BPO is delivered and added to all composite roles and template users (in transaction SOLMAN_SETUP). The former Work Center role SAP_SMWORK_BPM can still be used with the delivered composite roles.

● New role SAP_SM_BP_DISPLAY is added to all composite roles (also SOLMAN_SETUP template users) to allow filtering for Business Partner in queries. You can find more information on the role in section Roles and Authorizations for Infrastructure.


● New role SAP_SM_JMON_LEVEL01 added to the composite roles for the Alert user and the Administration user to allow the integration with Job Monitoring. You can find more information on the sub-scenario Job Monitoring in section Scenario-Specific Guide for Technical Monitoring - Job Monitoring.

● Substituted role SAP_SMSY_DIS with SAP_SYSTEM_REPOSITORY_DIS for all users (and accordingly in all composite roles), as the scenario relies on LMDB functionality.

Technical Users

● Role SAP_SM_S_CSMREG for technical user SM_BPMO adapted (S_BTCH_JOB and S_TABU_DIS removed, further authorization objects added).

● Technical user CSMREG is no longer required if you use the new BPO Work Center based on the Extractor Framework functionality.

RFC - Connections

● Instead of the READ RFC connection, the TMW RFC connection is used, as batch jobs run in the managed system and write access is required.

SP11 Technical Users

● Corrections regarding technical users CSMREG (not required) and SM_BPMO (used in productive client).

SP12 User - Roles Assignments

● Single role SAP_NOTIF_ADMIN added to the administration user (composite role SAP_BP_OPERATIONS_ADMIN_COMP) for integration of Notification Management.

● Roles SAP_SM_SYM_LEVEL01 and SAP_SM_JMON_LEVEL01 added to BPO* users (due to integration with Interface Channel Monitoring and Job Monitoring).

● Single role SAP_SM_GP_EXE added to composite roles SAP_BP_OPERATIONS_REPORT_COMP, SAP_BP_OPERATIONS_CDC_COMP, SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP.

● Single role SAP_SM_GP_DIS added to composite role SAP_BP_OPERATIONS_DIS_COMP.

● Single role SAP_BC_FDT_ADMINISTRATOR added to SAP_BP_OPERATIONS_ADMIN_COMP.

● Adapted roles SAP_OP_DSWP_BPM, SAP_SETUP_DSWP_BPM.

● Single role SAP_SM_SYM_LEVEL01 added to SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP, SAP_BP_OPERATIONS_DIS_COMP.

● Single role SAP_SM_JMON_LEVEL01 added to SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP, SAP_BP_OPERATIONS_DIS_COMP.

● New single roles SAP_SM_DASHBOARDS_DISP_VBD, SAP_BPR_PPM, SAP_CPR_PROJECT_ADMINISTRATOR, SAP_CPR_USER, SAP_XRPM_ADMINISTRATOR for project-based delivery, see section Project-based Delivery.

SP13 User - Roles Assignments

● Assigned role SAP_MANAGED_BPOANA_DIS to user BPO_CDC.

● Assigned role SAP_SM_SCHEDULER_BPO to user BPO_ADM_<SystemID> (to allow for Job Documentation).


30.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.

Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which refers to all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).

● User Roles for Additional Functions: find out about additional authorization for the work center.

● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.

30.3 Prerequisites

30.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete Business Process Operations scenario. The SAP Solution Manager is connected via READ RFC and TRUSTED RFC to your managed systems. IGS is connected via a specified RFC connection. In addition, a local RFC destination is in place from your productive client to client 000. The following sections describe all connections in more detail: when they are used, and which technical users are required.


Figure 133: Infrastructure

30.3.2 Scenario Configuration User

The scenario BPO is configured using transaction SOLMAN_SETUP.

To configure the scenario proceed as follows:

Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like Solution Directory (including graphics), using transaction SOLMAN_DIRECTORY.

During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_BPO_<XXXClient>) for BPO (Help Text ID: USER_CONFIG_BPO). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you want to create the configuration user manually, you need to assign:

● the composite role SAP_BPO_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.

Note: To be able to:

○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.

○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.


● the composite role SAP_BW_BP_OPERATION_ADMIN_COMP which contains all single roles that are automatically assigned to the configuration user in the BW-system.

Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.

Scenario Configuration Transaction SOLMAN_SETUP

To run Business Process Operations, you need to configure it using transaction SOLMAN_SETUP. During the specific guided configuration you can create standard template users. The system automatically adds all relevant user roles, see the according sections on Users and User Roles.

30.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 361

Communication Channel | Protocol | Type of Data Transferred / Function

Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services

Solution Manager to managed systems | RFC | Exchange of data

Solution Manager to managed systems within customer network | FTP | Update of the route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.


Table 362

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks

SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific | To be used instead of trusted RFC

SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMT<SID of Solution Manager system> | Used to read data from the managed systems such as job lists, sales organization data, IDocs, selection help, and so on, and to run batch jobs (see the note below)

SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | Mandatory for the CDC functionality setup, because code must be generated in the managed system; mandatory for Business Process Monitoring to use the value help from the managed systems (the LOGIN RFC can be used instead, but then the value help must be maintained manually)

Note: Specific data collectors write log information and detail list information into table /SSA/PTAB in the managed system.

Batch jobs BPM_DATA_COLLECTION_1 and BPM_DATA_COLLECTION_2 are scheduled in the managed systems. The jobs allow an asynchronous execution of the data collectors in a managed system. Instead of executing the data collection in a synchronous call from the SAP Solution Manager, the task of actually executing the data collectors is given to a background job. The result of the data collection is buffered in a dedicated persistency on the managed system. In a further step, these results are fetched to the SAP Solution Manager system and removed from the database of the managed system. Asynchronous data collection is recommended for infrequent, long-running data collections. Without these jobs, data collection for monitoring objects that are scheduled to be collected asynchronously does not work, which causes problems for long-running data collections.

Internet Graphics Server (IGS) RFC Connection

Table 363

RFC Destination Name | Activation Type | How Created

ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59

Local Connections

Table 364

Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks

BPM_LOCAL_<Client> | Managing system | System-specific | 000 | SM_BPMO (customer-specific) | RFC is created during the Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name: SOLMAN_BPM_RFC_LOCAL)

BW - Reporting RFC Connection

Table 365

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created

NONE (if BW reporting is realized in a BW standard scenario, for content activation) | Solution Manager productive client | System-specific | System-specific | System-specific | (not specified in the guide)

BI_CLNT<BWclient> (if BW is realized in a remote BW scenario system, for content activation) | Managed System or Solution Manager System | System-specific | System-specific | (not specified in the guide) | in transaction SOLMAN_SETUP

<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient> (BI callback RFC for reorganization of data and configuration validation) | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | in transaction SOLMAN_SETUP

SAP_BILO (trusted RFC to remote BW system) | remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog User | Used to read data from the remote BW for BI reporting, created during SOLMAN_SETUP

30.3.4 Technical Users

The users in the following tables are created during configuration, either manually or automatically, as noted in the remarks.

Table 366

User (Password) | Remarks

SM_BPMO (customer-specific) | Technical user (service user) in the productive client, authorized to call managed systems, assigned role: SAP_SM_BPMO_COMP

User for READ - access in Managed Systems

Users for RFC connection READ

Table 367

User | User Type | Remarks

SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User for BW - Reporting (Reorganization of Data and Configuration Validation)

Table 368

User | User Type | Remarks

BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.

Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

SMD_BI_RFC (in case of remote BW) | System User | Technical user for data download

SM_EFWK | System User | Technical user for extractor execution

30.4 Users and Authorizations

To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.

When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You need to first define which tasks the individual members in your company execute, and then adjust the according roles.

Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.

Roles for Business Process Operations are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.

Figure 134: Business Process Monitoring Process

30.4.1 User Descriptions and User Roles

This paragraph gives an overview of the users recommended by SAP and their user role assignments for Business Process Operations. All users are assigned a composite role, which contains a number of single roles.

Work Center

The work center is the work space of a user and gives access to all tools the user needs. You can assign the delivered composite roles to your users as they are. If you want to restrict the access or the authorizations of a particular user, note that access to the navigation panel is controlled by the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.

The tables underneath give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW - System

Trusted authorizations are needed between SAP Solution Manager and its managed systems, as well as SAP Solution Manager and a remote BW - system.

● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).

● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.

Neither role is contained in the respective composite roles, because of their highly security-relevant character: S_RFCACL decides which calling systems, clients and users the trusting system accepts without a password.
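The following Python script is an added example and not part of this guide or of SAP's delivered roles. It shows the check a reviewer would run on the trust-relevant roles above: read S_RFCACL values from a role export and flag authorizations that trust any system ID, any client, or any calling user. The input rows follow the column layout of table AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH) and the field names are those of the standard authorization object S_RFCACL; the sample rows, including the values shown under SAP_SM_S_RFCACL and the customer role Z_TRUST_ALL, are constructed for illustration only.

```python
"""Audit S_RFCACL authorizations in a role export for wildcard trust.

Added example, not part of the SAP security guide. Rows follow the columns
of table AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH); the field names
are those of authorization object S_RFCACL. All sample values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed AGR_1251-style rows. The values under SAP_SM_S_RFCACL illustrate
# a narrowly scoped trust; they are not SAP's delivered values.
SAMPLE_ROWS = [
    # Trust exactly one calling system and client, same user ID required.
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_SYSID",  "SM1", ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_CLIENT", "001", ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_USER",   "",    ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_EQUSER", "Y",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_TCODE",  "*",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "RFC_INFO",   "*",   ""),
    ("SAP_SM_S_RFCACL", "S_RFCACL", "T-SM01", "ACTVT",      "16",  ""),
    # Hypothetical customer role that trusts any system, client and user.
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_SYSID",  "*",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_CLIENT", "*",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_USER",   "*",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_EQUSER", "N",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_TCODE",  "*",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "RFC_INFO",   "*",  ""),
    ("Z_TRUST_ALL", "S_RFCACL", "T-ZZ01", "ACTVT",      "16", ""),
    # Unrelated object in the same role; ignored by the audit.
    ("Z_TRUST_ALL", "S_TCODE", "T-ZZ02", "TCD", "SM59", ""),
]


@dataclass(frozen=True)
class Finding:
    role: str
    auth: str
    field: str
    reason: str


def group_s_rfcacl(rows):
    """Collect the LOW values of every S_RFCACL authorization, keyed by (role, auth).

    HIGH (upper bound of a range) is ignored: a '*' that matters sits in LOW.
    """
    grouped = defaultdict(lambda: defaultdict(set))
    for agr_name, obj, auth, field, low, _high in rows:
        if obj == "S_RFCACL":
            grouped[(agr_name, auth)][field].add(low)
    return grouped


def audit_s_rfcacl(rows):
    """Return one Finding per S_RFCACL field that extends trust beyond one
    known calling system ID, client and user identity."""
    findings = []
    for (role, auth), fields in sorted(group_s_rfcacl(rows).items()):
        if "*" in fields.get("RFC_SYSID", set()):
            findings.append(Finding(role, auth, "RFC_SYSID",
                                    "accepts trusted calls from any system ID"))
        if "*" in fields.get("RFC_CLIENT", set()):
            findings.append(Finding(role, auth, "RFC_CLIENT",
                                    "accepts trusted calls from any client"))
        # RFC_EQUSER = Y forces the caller to log on under its own user ID;
        # with N, RFC_USER lists the calling user IDs that are accepted.
        if "N" in fields.get("RFC_EQUSER", set()) and "*" in fields.get("RFC_USER", set()):
            findings.append(Finding(role, auth, "RFC_USER",
                                    "any user of the calling system may log on as this user"))
    return findings


if __name__ == "__main__":
    for f in audit_s_rfcacl(SAMPLE_ROWS):
        print(f"{f.role} ({f.auth}) {f.field}: {f.reason}")
```

On the constructed data the SAP-style authorization produces no finding, while Z_TRUST_ALL is reported three times. In a real review, feed the script the S_RFCACL rows of every role in the managed system and the BW system, not only the two roles named in this guide, since any role carrying the object widens the trust boundary.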

Authorization in Managed System

In the managed system, you need to assign the according user application-specific authorizations. For more information, see the applicable security guide for the relevant application.

Administrator/Manager User (Help Text ID: TP_BPO_ADMIN)

Technical composite role name: SAP_BP_OPERATIONS_ADMIN_COMP in the SAP Solution Manager system

Table 369

Single Roles Help Text ID

SAP_BC_FDT_ADMINISTRATOR This role gives access to the BRFplus workbench, that is, the user interface for creating rule objects (like expressions or data objects) and for modeling and testing rules. Business Rule Framework plus (BRFplus) is an ABAP-based business rules modeling system that can be used by all applications that are built upon the NetWeaver ABAP stack. With this role assigned, a user can carry out all kinds of activities in the BRFplus workbench, like creating, changing, deleting, or versioning of all kinds of objects that are supported by BRFplus. Due to the comprehensive scope of authorizations granted by this role, you should assign it only to persons who are in charge of administrative tasks with BRFplus. For all other users, you can use this role as a copy template to derive more restricted roles from it.

SAP_SM_GP_EXE AUTH_SAP_SM_GP_EXE

SAP_CDC_DISPLAY AUTH_SAP_CDC_DISPLAY

SAP_OP_DSWP_BPM AUTH_SAP_OP_DSWP_BPM

SAP_SETUP_DSWP_BPM AUTH_SAP_SETUP_DSWP_BPM

SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS


SAP_SOLMAN_DIRECTORY_EDIT AUTH_SAP_SOLMAN_DIR_EDIT

SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR

SAP_SM_BPMON_REPORTING AUTH_SAP_SM_BPMON_REPORT

SAP_SM_DASHBOARDS_ADMIN SAP_SM_DASHBOARD_ADMIN

SAP_SM_BPOANA_ALL AUTH_SAP_SM_BPOANA_ALL

SAP_SMWORK_BASIC_BPO AUTH_SAP_SMWORK_BASIC_BPO

SAP_SMWORK_BPO AUTH_SAP_SMWORK_BPO

SAP_SMWORK_BPM AUTH_SAP_SMWORK_BPO

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP

SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01

SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE

SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN

SAP_SM_SYM_LEVEL01 AUTH_SAP_SM_SYM_LEVEL01


SAP_SM_SCHEDULER_BPO AUTH_SAP_SM_SCHEDULER_BPO

Technical composite role name: SAP_BW_BP_OPERATIONS_ADMIN_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration in section Prerequisites.

Table 370

Single Roles Help Text ID

SAP_BI_E2E_BPO AUTH_SAP_BI_E2E

SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN

Note: For more information on Process Chain Monitoring of an external BW system, see SAP Note 1411885.

Role in the Managed System

The role must be assigned to the user with the same user ID and Password in the managed system.

Table 371

Assigned Role Help Text-ID

SAP_MANAGED_BPOANA_ALL AUTH_SAP_MANAGED_BPOANA_ALL
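The composite role above is delivered as a fixed set of single roles, and the guide keeps SAP_SM_USER_ADMIN and the S_RFCACL roles out of it on purpose. The Python script below is an added example, not part of this guide, that reconciles a system against that intent: it compares the actual contents of SAP_BP_OPERATIONS_ADMIN_COMP with the documented list, and reports which users hold the sensitive roles and by which path. The documented single roles are taken from Table 369; the sample rows are constructed to resemble exports of tables AGR_AGRS (AGR_NAME, CHILD_AGR) and AGR_USERS (AGR_NAME, UNAME), and the user IDs and the role Z_SM59_MAINTAIN are hypothetical.

```python
"""Reconcile composite role contents and sensitive role assignments against
the role lists in this guide.

Added example, not part of the SAP security guide. The documented single roles
of SAP_BP_OPERATIONS_ADMIN_COMP are from Table 369. The sample rows resemble
exports of AGR_AGRS (AGR_NAME, CHILD_AGR) and AGR_USERS (AGR_NAME, UNAME);
user IDs and the role Z_SM59_MAINTAIN are hypothetical.
"""
from collections import defaultdict

DOCUMENTED_COMPOSITES = {
    "SAP_BP_OPERATIONS_ADMIN_COMP": frozenset({
        "SAP_BC_FDT_ADMINISTRATOR", "SAP_SM_GP_EXE", "SAP_CDC_DISPLAY",
        "SAP_OP_DSWP_BPM", "SAP_SETUP_DSWP_BPM", "SAP_SM_SOLUTION_ALL",
        "SAP_SYSTEM_REPOSITORY_DIS", "SAP_SOLMAN_DIRECTORY_EDIT",
        "SAP_SM_BI_BILO", "SAP_SM_BI_EXTRACTOR", "SAP_SM_BPMON_REPORTING",
        "SAP_SM_DASHBOARDS_ADMIN", "SAP_SM_BPOANA_ALL", "SAP_SMWORK_BASIC_BPO",
        "SAP_SMWORK_BPO", "SAP_SMWORK_BPM", "SAP_SM_BP_DISPLAY",
        "SAP_SM_JMON_LEVEL01", "SAP_SUPPDESK_CREATE", "SAP_NOTIF_ADMIN",
        "SAP_SM_SYM_LEVEL01", "SAP_SM_SCHEDULER_BPO",
    }),
}

# Roles the guide assigns directly and keeps out of the composites, plus the
# one it warns about because of its scope in the BRFplus workbench.
SENSITIVE_ROLES = frozenset({
    "SAP_SM_USER_ADMIN", "SAP_SM_S_RFCACL", "SAP_SM_BW_S_RFCACL",
    "SAP_BC_FDT_ADMINISTRATOR",
})

# Constructed AGR_AGRS-style rows: the documented contents plus one customer
# single role (hypothetical) that somebody added to the composite.
SAMPLE_AGR_AGRS = [
    ("SAP_BP_OPERATIONS_ADMIN_COMP", child)
    for child in sorted(DOCUMENTED_COMPOSITES["SAP_BP_OPERATIONS_ADMIN_COMP"])
] + [("SAP_BP_OPERATIONS_ADMIN_COMP", "Z_SM59_MAINTAIN")]

# Constructed AGR_USERS-style rows (hypothetical user IDs).
SAMPLE_AGR_USERS = [
    ("SAP_BP_OPERATIONS_ADMIN_COMP", "BPO_ADM_SM1"),
    ("SAP_SM_USER_ADMIN", "BPO_ADM_SM1"),
    ("SAP_SM_S_RFCACL", "BPO_ADM_SM1"),
    ("SAP_BP_OPERATIONS_ADMIN_COMP", "JSMITH"),
    ("SAP_SM_S_RFCACL", "JSMITH"),
]


def composite_contents(agr_agrs):
    """Map each composite role to the set of single roles it contains."""
    contents = defaultdict(set)
    for composite, child in agr_agrs:
        contents[composite].add(child)
    return contents


def composite_deviations(agr_agrs, documented=DOCUMENTED_COMPOSITES):
    """For each documented composite, report single roles added to or removed
    from the delivered contents in this system."""
    actual = composite_contents(agr_agrs)
    return {
        name: {"added": actual.get(name, set()) - expected,
               "missing": expected - actual.get(name, set())}
        for name, expected in documented.items()
    }


def effective_single_roles(user, agr_users, agr_agrs):
    """Single roles a user holds directly or through a composite (one level,
    which is how the *_COMP roles in this guide are built)."""
    contents = composite_contents(agr_agrs)
    roles = set()
    for role, uname in agr_users:
        if uname == user:
            roles.update(contents.get(role, {role}))
    return roles


def sensitive_assignments(agr_users, agr_agrs, sensitive=SENSITIVE_ROLES):
    """Map each user to its sensitive roles and the path by which it holds
    them ('direct' or 'via <composite>'), so a reviewer sees how it got there."""
    contents = composite_contents(agr_agrs)
    result = defaultdict(dict)
    for role, uname in agr_users:
        for single in contents.get(role, {role}):
            if single in sensitive:
                result[uname][single] = "direct" if role == single else f"via {role}"
    return dict(result)


if __name__ == "__main__":
    print(composite_deviations(SAMPLE_AGR_AGRS))
    print(sensitive_assignments(SAMPLE_AGR_USERS, SAMPLE_AGR_AGRS))
```

On the constructed data the script reports Z_SM59_MAINTAIN as an undocumented addition to the composite, and shows that JSMITH holds SAP_SM_S_RFCACL directly while inheriting SAP_BC_FDT_ADMINISTRATOR via the composite. The same two tables, exported for the BW system and the managed systems, let you repeat the check for SAP_BW_BP_OPERATIONS_ADMIN_COMP and SAP_MANAGED_BPOANA_ALL.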


Analytics/Reporting User (Help Text ID: USER_TP_BPO_REP)

Technical composite role name: SAP_BP_OPERATIONS_REPORT_COMP in the SAP Solution Manager system

Table 372

Single Roles Help Text ID

SAP_SM_GP_EXE AUTH_SAP_SM_GP_EXE

SAP_OP_DSWP_BPM AUTH_SAP_OP_DSWP_BPM

SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SOLMAN_DIRECTORY_EDIT AUTH_SAP_SOLMAN_DIR_EDIT

SAP_SM_BPOANA_DIS AUTH_SAP_SM_BPOANA_DISP

SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO

SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR

SAP_SM_BPMON_REPORTING AUTH_SAP_SM_BPMON_REPORT

SAP_SM_DASHBOARDS_DISP_CIO_BPO SAP_SM_DASHBOARD_BPO

SAP_SMWORK_BASIC_BPO AUTH_SAP_SMWORK_BASIC_BPO

SAP_SMWORK_BPO AUTH_SAP_SMWORK_BPO

SAP_SMWORK_BPM AUTH_SAP_SMWORK_BPO

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP

SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE

Technical composite role name: SAP_BW_BP_OPERATIONS_ADMIN_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration in the Prerequisites section.

Table 373

Single Roles Help Text ID

SAP_BI_E2E_BPO AUTH_SAP_BI_E2E

SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP

Note

For more information on Process Chain Monitoring of an external BW system, see SAP Note 1411885.

Role in the Managed System

The role must be assigned to the user with the same user ID and Password in the managed system.


Table 374

Assigned Role Help Text-ID

SAP_MANAGED_BPOANA_DISP AUTH_SAP_MANAGED_BPOANA_DISP

Alert User (Help Text ID: USER_TP_BPO_ALERT)

Technical composite role name: SAP_BP_OPERATIONS_ALERT_COMP in the SAP Solution Manager system

Table 375

Single Roles Help Text ID

SAP_SM_SYM_LEVEL01 AUTH_SAP_SM_SYM_LEVEL01

SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01

SAP_SM_GP_EXE AUTH_SAP_SM_GP_EXE

SAP_OP_DSWP_BPM AUTH_SAP_OP_DSWP_BPM

SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS

SAP_SOLMAN_DIRECTORY_EDIT AUTH_SAP_SOLMAN_DIR_EDIT

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SMWORK_BASIC_BPO AUTH_SAP_SMWORK_BASIC_BPO

SAP_SMWORK_BPO AUTH_SAP_SMWORK_BPO

SAP_SMWORK_BPM AUTH_SAP_SMWORK_BPO

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP

SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01

SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE

SAP_SM_BPMON_REPORTING AUTH_SAP_SM_BPMON_REPORT

SAP_SM_DASHBOARDS_DISP_CIO_BPO SAP_SM_DASHBOARD_BPO

CDC User (Help Text ID: USER_TP_BPO_CDC)

Technical composite role name: SAP_BP_OPERATIONS_CDC_COMP in the SAP Solution Manager system

Table 376

Single Roles Help Text ID

SAP_SM_GP_EXE AUTH_SAP_SM_GP_EXE

SAP_OP_DSWP_BPM AUTH_SAP_OP_DSWP_BPM

SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SOLMAN_DIRECTORY_EDIT AUTH_SAP_SOLMAN_DIR_EDIT

SAP_SMWORK_BASIC_BPO AUTH_SAP_SMWORK_BASIC_BPO


SAP_SMWORK_BPO AUTH_SAP_SMWORK_BPO

SAP_SMWORK_BPM AUTH_SAP_SMWORK_BPO

SAP_CDC_DISPLAY AUTH_SAP_CDC_DISPLAY

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP

SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE

SAP_MANAGED_BPOANA_DIS AUTH_SAP_MANAGED_BPOANA_DIS

Display User (technical role name: SAP_BP_OPERATIONS_DIS_COMP)

Table 377

Single Roles Help Text ID

SAP_SM_SYM_LEVEL01 AUTH_SAP_SM_SYM_LEVEL01

SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01

SAP_SM_GP_DIS AUTH_SAP_SM_GP_DIS

SAP_SV_SOLUTION_MANAGER_DISP AUTH_SAP_SV_SM_DISP

SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS

SAP_SOLMAN_DIRECTORY_DISP AUTH_SAP_SOLMAN_DIR_DIS

SAP_SM_BPOANA_DIS AUTH_SAP_SM_BPOANA_DISP

SAP_SMWORK_BASIC_BPO AUTH_SAP_SMWORK_BASIC_BPO

SAP_SMWORK_BPO AUTH_SAP_SMWORK_BPO

SAP_SMWORK_BPM AUTH_SAP_SMWORK_BPO

SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP

SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE

Related Links in the Work Center

In the related links section of the work center, you find all possible links for this work center. This link collection is a recommendation of which additional URLs can be called in the corresponding scenario. If you want the related links section to display only those links that the defined user is allowed to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.

BW authorization check

The authorization check for BW works as follows: if the system has no BW data available, it cannot display any. In Health Check Analysis, you may select a solution for which no BW data are present in the system. In this case, the system does not display any solution data.


Project-based Delivery

To be able to use the project-based delivery function, the following roles must additionally be assigned to the corresponding user:

● SAP_SM_DASHBOARDS_DISP_VBD

● SAP_BPR_PPM (SAP NWBC navigation role, does not need to be copied into the customer namespace)

● SAP_CPR_PROJECT_ADMINISTRATOR

● SAP_CPR_USER

● SAP_XRPM_ADMINISTRATOR

Note

See also SAP Note 1346050.

30.5 User Roles for Additional Functions

30.5.1 Dashboard User Roles

See section in the main guide on Dashboard roles.

30.5.2 Solution Maintenance via Work Center

As of SAP Solution Manager Release 7.1 SP01, transactions GSAP (SAP Global Service Access Point), SOLUTION_MANAGER and SOLUTION_MANAGER_BSP, and alternatively DSWP, DSWP_MOVE and DSMOP, are obsolete. All references to these transactions have been deleted from the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting and Solution Directory. Solutions can be created in the work center Solution Manager Administration.

30.5.3 End-User Roles for CDC

You can use these additional CDC authorization roles, which allow:

● Better segregation of duties by supporting different CDC tasks

● Each role has full authorization to create/change the respective task, but display-only authorization in the other areas

● No need to change the existing authorization objects SM_CDC_OBJ and SM_CDC_INS

The additional roles are:

● SAP_CDC_INSTANCE_ANALYZER for result analysis

● SAP_CDC_INSTANCE_EXECUTER for scheduling

● SAP_CDC_INSTANCE_CREATOR for administration

● SAP_CDC_OBJECT_MODELER for development


Figure 135: CDC - Authorizations Overview

30.6 Scenario Integration

Business Process Operation refers to the phase in your product life-cycle when you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems and so on. The following sections describe the integration of business process operations with other scenarios within SAP Solution Manager, and which user roles would be applicable.

Note

For more detail on each individual scenario, see the according Scenario-Specific Guide.

Incident Management

Users can create service desk messages. To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE.

Note

If you are a service provider, you need to assign the corresponding service provider role SAP_SUPPDESK_SP_CREATE. For more information, see the specific Service Provider Guide.


31 Scenario-Specific Guide: Data Volume Management

The Data Volume Management work center in SAP Solution Manager offers capabilities to gain insight into the sources of data volume movements in single-system and, especially, multi-system landscape environments. It is an SAP NetWeaver BW-based solution that provides a holistic, landscape-based overview of your data.

This guide gives you an overview of all relevant security-related issues for the Data Volume Management function.

Figure 136: DVM Process

31.1 Document History

Here, all changes to the specific scenario guide are listed according to Support Package.

Table 378

Support Package Stacks (Version)

Description

SP05 General

Data Volume Management is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created automatically within this procedure. The following users are created:

● Scenario Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The according configuration user can be used later on for configuring the corresponding scenario in transaction SOLMAN_SETUP.

● Standard Users: Standard users for the individual process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as “demo” standard users. The system automatically assigns the necessary authorization roles with the according authorization values for the SAP standard scenario. If your processes require customizing due to a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system.

Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide refers only to the according document text ID in the system.

For more information, see the specific Landscape Setup Guide, section User Generation.

Scenario Configuration

Adaptation according to the guided procedure in transaction SOLMAN_SETUP.

Authorization Objects

Added values SARC and BCTA in authorization object S_TABU_DIS.

Work Center Navigation

Role for work center DVM adapted to changes in the user interface. Changes are documented on the Description tab in the role.

SP07 End-User Roles

BW integration roles delivered, see the following sections:

● Scenario Configuration User

● Communication Channels and Destinations

● Technical Users

● Users and User Roles

Role SAP_DVM_CONFIG adapted, see the Description tab in the role for details.

SP08 End-User Roles

The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.

● Composite roles SAP_DVM_ADMIN_COMP and SAP_DVM_CONFIG_COMP: substituted single role SAP_SYSTEM_REPOSITORY_DIS with SAP_SYSTEM_REPOSITORY_ALL

● Single roles SAP_DVM_DIS, SAP_DVM_EXE and SAP_DVM_ALL

SP10 End-User Roles

The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.

● Composite roles SAP_DVM_ADMIN_COMP and SAP_DVM_CONFIG_COMP

● Adapted SAP_DVM_DIS, SAP_DVM_EXE, SAP_DVM_ALL

● Adapted SAP_DVM_GSS

● Added role SAP_SM_BI_DISPLAY (Business Partner) to all composite roles/template users

● Added role SAP_SM_RFC_ADMIN for transaction SM59 administration to template users and composite roles

SP12 End-User Roles

The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.

● SAP_SMWORK_DVM (Best Practice links)

● SAP_DVM_ALL and SAP_DVM_DIS

● New role SAP_SM_DASHBOARDS_DISP_ICI (iCI dashboard integration) added to template users in SOLMAN_SETUP

SP13 End-User Roles

The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role.

● SAP_DVM_CONFIG

31.2 Getting Started

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that specific scenario.

Caution

Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:


● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles that represent them. Here, you also find information on the relevant work center(s).

● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.

31.3 Prerequisites

31.3.1 Technical System Landscape

The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete scenario. SAP Solution Manager is connected to your managed systems via the READ RFC and the TRUSTED RFC (alternatively LOGIN). The following sections describe in more detail all connections, when they are used, and which technical users are required.

Figure 137: Infrastructure


31.3.2 Scenario Configuration User and User Roles

The scenario DVM is configured using transaction SOLMAN_SETUP.

To configure the scenario proceed as follows:

Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.

During basic automated configuration, you can create a specific configuration user for DVM (Help Text ID: USER_CONFIG_DVM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.

If you create a configuration user manually, the composite role SAP_DVM_CONF_COMP contains all single roles which are automatically assigned to the configuration user.

Note

To be able to create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.

The composite role SAP_BW_DVM_ADMIN_COMP contains all single roles that are automatically assigned to the configuration user in the BW system.

Note

To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.

Scenario Configuration transaction SOLMAN_SETUP

You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Data Volume Management.

During the specific guided configuration you can create Standard template users. The system automatically adds all relevant user roles, see according sections on Users and User Roles.

31.3.3 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 379

Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note

All mentioned RFC destinations are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see the Landscape Setup Guide.

Table 380

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read DVM statistics and analyses
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | For self-service and user authentication when starting an analysis in the managed system

BW Reporting RFC Connections

Table 381

RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario; for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | 
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system; for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific | | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient>, BI callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
Trusted RFC to remote BW system SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user | Used to read data from the remote BW for BI reporting; created during SOLMAN_SETUP

31.3.4 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the DVM scenario.

User for READ Access in Managed Systems

Users for RFC connection READ

Table 382

User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution

During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User for TMW Connection

User for Change Management connection in managed systems

Table 383

User | User Type | Remarks
SMTM<SID of Solution Manager system> (system-specific) | System User | Technical user “TMW User”, assigned role: <namespace>_SOLMAN_TMW. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Users for BW Reporting

Table 384

User | User Type | Remarks
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.
SMD_BI_RFC (in case of remote BW) | System User | Technical user for data download
SM_EFWK | System User | Technical user for extractor execution, assigned role: SAP_SM_DVM_EXTRACTOR

Caution

During automatic basic configuration, the system automatically generates a password for user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

31.4 Users and Authorizations

31.4.1 User and Roles

This section gives an overview of the users recommended by SAP and their according user role assignments for Data Volume Management. All users are assigned a composite role, which contains a number of single roles.


Work Center

The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see core security guide.

Figure 138: Data Volume Management

The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.

Authorization for Trusted RFCs between SAP Solution Manager, and Managed Systems

Trusted authorizations are needed between SAP Solution Manager and its managed systems. The user in the managed system and the user in the Solution Manager system receive role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.

Note

Both roles are not contained in the respective composite roles, due to their highly security-relevant character.

Authorization for Trusted RFC between SAP Solution Manager and BW-System

In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).


Administrator User (Help Text ID: TP_DVM_ADMIN)

Technical composite role name: SAP_DVM_ADMIN_COMP in the SAP Solution Manager system

Table 385

Single Roles Help Text ID

SAP_DVM_ALL AUTH_SAP_DVM_ALL

SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL

SAP_SMWORK_BASIC_DVM AUTH_SAP_SMWORK_BASIC_DVM

SAP_SMWORK_DVM AUTH_SAP_SMWORK_DVM

SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REP_ALL

SAP_SM_DASHBOARD_DISP_DVM AUTH_SAP_SM_DASHBOARD_DISP_DVM

SAP_SM_BI_DISPLAY AUTH_SAP_SM_BI_DISPLAY

SAP_SM_DASHBOARD_DISP_ICI AUTH_SAP_SM_DASHBOARD_DISP_ICI

Technical composite role name: SAP_BW_DVM_ADMIN_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 386

Single Roles Help Text ID

SAP_BI_E2E_DVM AUTH_SAP_BI_E2E

SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN

Technical role in managed system

Table 387

Single Roles Help Text ID

SAP_DVM_SERVICE AUTH_SAP_DVM_SERVICE

SAP_DVM_GSS AUTH_SAP_DVM_GSS

Display User (Help Text ID: TP_DVM_DIS)

Technical composite role name SAP_DVM_DISPLAY_COMP in the SAP Solution Manager system

Table 388

Single Roles Help Text ID

SAP_DVM_DIS AUTH_SAP_DVM_ALL

SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS

SAP_SMWORK_BASIC_DVM AUTH_SAP_SMWORK_BASIC_DVM

SAP_SMWORK_DVM AUTH_SAP_SMWORK_DVM

SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS


SAP_SM_DASHBOARD_DISP_DVM AUTH_SAP_SM_DASHBOARD_DISP_DVM

SAP_SM_DASHBOARD_DISP_ICI AUTH_SAP_SM_DASHBOARD_DISP_ICI

SAP_SM_BI_DISPLAY AUTH_SAP_SM_BI_DISPLAY

Technical composite role name: SAP_BW_DVM_DISPLAY_COMP in the BW system/client

If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.

Table 389

Single Roles Help Text ID

SAP_BI_E2E_DVM AUTH_SAP_BI_E2E

SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP

Technical role in managed system

Table 390

Single Roles Help Text ID

SAP_DVM_SERVICE AUTH_SAP_DVM_SERVICE

SAP_DVM_GSS AUTH_SAP_DVM_GSS

31.4.2 Critical Authorization Objects

The following section gives information on some of the main authorization objects for Data Volume Management. For detailed information, see the SDN Wiki on Authorizations.

Authorization Object S_TABU_DIS

In the user roles for Data Volume Management you find authorization object S_TABU_DIS. Authorization groups SARC and BCTA protect all relevant customizing views and customizing clusters for this scenario.

31.5 Scenario Integration

According to the end-to-end business process life-cycle, this scenario needs to integrate with a number of other functions, which come into play in your daily business. The following sections describe the integration of DVM with other scenarios within SAP Solution Manager, and which user roles would be applicable.

Note

For more detail on each individual scenario, see the according Scenario-Specific Guide.


Technical Scenarios (Technical Monitoring)

Depending on the technical sub-scenario, you need one of the composite roles for technical monitoring.

iCI Dashboard

You can use the iCI Dashboard from within the DVM work center. This requires the Dashboard role for iCI in the SAP Solution Manager system, and the according BW authorizations in the BW system. For testing purposes, you can use the template users for this scenario. For more information, see the scenario-specific guide for Measurement Platform.


32 Measurement Platform and Enterprise Support Reporting (iCI - Interactive Continuous Improvement)

32.1 Getting Started

The purpose of the SAP Enterprise Support Report (ESR) is to provide you with a holistic overview and the actual status of the application and life-cycle management of your mission-critical operations. The objective is to ensure that the appropriate service and support is provided for the SAP software solutions and that actions are taken to address any open issues that might have a negative effect on the operations of the installed application or business solutions. The data shown in the ESR is based on the information available in the customer’s SAP Solution Manager or the SAP Global Support Backbone and is measured against the SAP E2E standards. The ESR Balanced Scorecard (BSC) and status overview result from the individual Top Issues, which are based on the ESR chapters that focus on the deliverables of Enterprise Support.

Based on the analyzed data, the objective is to provide information on the actual status of the support engagement and the level of support needed for the SAP software solutions. This includes all necessary services, recommendations and actions. Key elements of the ESR Self-Service are a status overview based on the referring Top Issues and the detailed chapters with the analyzed data and recommendations for each area. Strategy discussions and planning within the customer’s IT organization, as well as between customer and SAP, may be based on this report. The Self-Service gives partners an up-to-date insight into their customers from the point of view of system landscape management and application lifecycle management. The partner has three options:

● focus on one single system/installation

● focus on a group of systems/installations

● look at all systems/installations overall

Accordingly, the final report can be discussed and handed over to SAP, or it can be used for customer-internal planning and optimization.

The ESR is generated at the customer site in SAP Solution Manager (not at SAP). The ESR is a printable PDF document. Most data required for the report content are available within SAP Solution Manager; few data exist only on the SAP side today (typically the SLA compliance data). Technology used: data provisioning is supported by BW technologies, and the report rendering is performed by standard ABAP functionality (Web Dynpro applications and Smart Forms).

What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that specific scenario.

Caution

Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.

This guide covers the following topics:

● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.

● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.

● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).

32.2 Document History

Here, all changes to this scenario-specific guide are listed by Support Package.

Table 391: Document History (Support Package Stack / Description)

● SP07: BI extractor role for BW extractors. Role SAP_SM_BI_ESR_EXTRACTOR is delivered for system user SM_BW_<SID> and added to the corresponding user role assignment in SOLMAN_SETUP, see section Technical Users.

● SP12: With the complete rework of this functionality, roles and users are also reworked. iCI Dashboard:

○ Integration of the iCI Dashboard into the Measurement Platform, see the new section on Integration

○ User SAP_SUGEN removed (obsolete)

32.3 Prerequisites

32.3.1 Scenario Configuration

You can configure Measurement Platform using transaction SOLMAN_SETUP or work center SAP Solution Manager configuration.


32.3.2 Communication Channels and Destinations

The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.

Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

Table 392: Communication Channels (Channel / Protocol / Type of Data Transferred or Function)

● Solution Manager to OSS: RFC; exchange of problem messages, retrieval of services

● Solution Manager to managed systems: RFC; reading information from managed systems

● Solution Manager to managed systems within the customer network: FTP; update of the route permission table (content: IP addresses), see section File Transfer Protocol (FTP)

● Solution Manager to SAP Service Marketplace: HTTP(S); search for notes

Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).

RFC Connections from SAP Solution Manager to Managed Systems

Note: All mentioned RFC destinations are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.

Table 393: RFC Connections from SAP Solution Manager to Managed Systems

● SM_<SID>CLNT<Client>_READ (ABAP connection)

○ Target host name: managed system

○ System number: system-specific

○ Logon client: system-specific

○ Logon user (password): default user SM_<SID of Solution Manager system>

○ Remarks: used to read data from the managed system

BW Reporting RFC Connections

Table 394: BW Reporting RFC Connections

● NONE (if BW reporting is realized in the BW standard scenario; for content activation)

○ Target host name: Solution Manager productive client

○ System number: system-specific

○ Logon client: system-specific

○ Logon user (password): system-specific

○ How created: during installation

● BI_CLNT<BWclient> (if BW is realized in the remote BW scenario; for content activation)

○ Target host name: managed system or Solution Manager system

○ System number: system-specific

○ Logon client: system-specific

○ Logon user (password): system-specific

○ How created: in transaction SOLMAN_SETUP

● <SolutionManagerSID>CLNT<SolutionManagerProductiveClient> BI-Callback (RFC for reorganization of data and configuration validation)

○ Target host name: Solution Manager productive client

○ System number: system-specific

○ Logon client: system-specific

○ Logon user (password): BI_CALLBACK (customer-specific)

○ How created: in transaction SOLMAN_SETUP

32.3.3 Technical Users

The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in this scenario.

User for READ Access in Managed Systems

Table 395: Users for RFC Connection READ

● SM_<SID of Solution Manager system> (system-specific)

○ User type: System user

○ Remarks: Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you also need to change the password stored for this user in the RFC destination in the Solution Manager system. Otherwise the destination can no longer log on, and repeated failed logon attempts can lock the user.

User for BW Reporting (Reorganization of Data and Configuration Validation)

Table 396

● BI_CALLBACK

○ User type: System user

○ Remarks: Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is created automatically during configuration via transaction SOLMAN_SETUP.

Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you also need to change the password stored for this user in the RFC destination in the Solution Manager system.

SMD_RFC / SMD_BI_RFC User for BW Reporting

Table 397

● SMD_RFC (in case of the remote BW scenario: SMD_BI_RFC)

○ User type: System user

○ Remarks: Technical user SMD_RFC is created during the automated basic setup procedure in transaction SOLMAN_SETUP, see Landscape Setup Guide. To run this scenario, you need to assign role SAP_SM_BW_ESR to user SMD_RFC in addition to its already assigned roles.

SM_BW_<SID> User for BW Data Extraction

Table 398

● SM_BW_<SID>

○ User type: System user

○ Remarks: Technical user SM_BW_<SID> is created during the automated basic setup procedure in transaction SOLMAN_SETUP, see Landscape Setup Guide. To run this scenario, you need to assign role SAP_SM_BI_ESR_EXTRACTOR to user SM_BW_<SID> in addition to its already assigned roles.

32.4 Interactive Continuous Improvement (iCI) Dashboard

The iCI Dashboard and the KPI Measurement Platform comprise an automated process of KPI collection. They focus on the following features:

● Measurement Platform 2.0

● Integration into DVM and CCM

Technical System Landscape

The iCI Dashboard is called via URL from a browser. The iCI Dashboard and iCI Maintenance applications are both BSP applications located in SAP Solution Manager. The BSP applications call the iCI OData service to fetch data from the ST-BCO component (BW system). The OData service is located in the ST component (Solution Manager). It encapsulates the iCI queries based on MultiProvider 0SM_ESRSK and basic cube 0SM_ESRSG, and several iCI function modules that fetch data from iCI tables or create/update data in iCI tables. All function modules used in the OData service are RFC-enabled if the BW system is configured as a standalone BW system (remote BW).

Authorizations and Roles

As iCI runs in Solution Manager and collects data in the BW system, you need authorizations in Solution Manager to display the collected data. In addition, these users must exist in the BW system with the correct authorization to collect the relevant data. By default, this is covered by the template users for DVM and CCM.

Users and Roles in Solution Manager

If you want to use the iCI Dashboard, role SAP_SM_DASHBOARDS_DISP_ICI is relevant. This role is assigned in transaction SOLMAN_SETUP to the template users for DVM and CCM.

Authorization Object

Authorization object SM_ICICONF is used to restrict categories for iCI usage. The object is included in the following roles for BW:

● SAP_BI_E2E_DVM

● SAP_BI_E2E_CCM

● SAP_BI_E2E


33 Service Provider Guidelines

This guideline gives you additional information on the service-provider-specific settings you need to consider as a service provider. Before you start with this guide, get familiar with the scenario-specific guide for the relevant scenario you are using, that is, Incident Management, Maintenance Optimizer, and Implementation and Upgrade (Implementation and Upgrade includes Solution Documentation functions).

This guide adds specific information about the relevant RFC connections to be used, S-user authorizations to consider, specific user roles for you and your customers, and work center access.

33.1 Technical System Landscape

To grant access to customers who connect to the work centers through the Internet, install a reverse-proxy server, such as SAP Web Dispatcher. The reverse proxy routes customer requests to the Solution Manager system and routes the corresponding responses back to the customer. You can use the reverse proxy to restrict access to Solution Manager (for example, to the URL paths of the customer work centers only) and to perform load balancing among the Solution Manager application servers. As an additional security measure, always encrypt communication between the customer and Solution Manager: use HTTPS (TLS/SSL) for this. See the SAP NetWeaver documentation and the documentation of your reverse-proxy server for further details.
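A minimal SAP Web Dispatcher profile that implements the setup described above, added here as an example (it is not from the guide or from SAP): it opens an HTTPS-only listener towards customers, re-encrypts the hop to the Solution Manager application servers, and applies a URL permission file so that only the work center entry points are reachable. The SID SM1, the host name solman.sp.example, the ports and the permission-file path are assumptions; adapt them to your landscape.

```ini
# SAP Web Dispatcher instance profile, added example.
# SID, instance number, host names, ports and paths are assumptions.
SAPSYSTEMNAME = WD1
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_INSTANCE = /usr/sap/WD1/W00

# Customer-facing listener: HTTPS only. No plain-HTTP port is opened, so an
# unencrypted request from the Internet is refused rather than forwarded.
icm/server_port_0 = PROT=HTTPS, PORT=44300, TIMEOUT=60
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse

# Back end: the Solution Manager system SM1, located through its message server.
# wdisp/ssl_encrypt = 1 re-encrypts the forwarded request, so the hop inside the
# provider network is TLS as well (0 would forward it as plain HTTP).
wdisp/system_0 = SID=SM1, MSHOST=solman.sp.example, MSPORT=8100, SRCSRV=*:44300
wdisp/ssl_encrypt = 1

# URL filter evaluated before a request is forwarded. The permission file
# (assumed path) holds one rule per line, checked in order, for example:
#   P /sap/bc/webdynpro/sap/*
#   P /sap/bc/bsp/sap/*
#   D *
# "P" permits, "D" denies; the closing "D *" blocks everything not listed.
icm/HTTP/auth_0 = PREFIX=/, PERMFILE=$(DIR_INSTANCE)/sec/perm.txt
```

Keep the permit list to the paths the customer work centers actually call; every path you do not list stays unreachable from the Internet even if the user would be authorized for it in Solution Manager, which is the second layer the guide asks for in addition to the role-based restrictions.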

33.2 Service Provider Customer RFC-Connections

As a service provider, you need to create customer-specific RFC connections from Solution Manager to SAP for the scenario Incident Management, using an S-user without specific authorizations.

Service Provider Customer RFC Connections from Solution Manager to SAP

Table 399

● SM_SP_<customer number>

○ Target host name: /H/SAPROUTER/S//sapserv /H/oss001

○ System number: 01

○ Logon client: 001

○ Logon user (password): S-user (customer-specific, no authorization needed), see section S-User Authorizations

○ Use (scenario): Service Provider

○ Remarks: You create the customer RFC destinations automatically, based on RFC destination SAP-OSS.

More Information

See IMG activity Setup SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO).

33.3 Configuration

Basic Configuration transaction SOLMAN_SETUP

After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.

Scenario Configuration: transaction SPRO

To run the service provider scenario, you configure it using the Implementation Guide (IMG) in transaction SPRO; the IMG activities referred to in this chapter (for instance SOLMAN_VAR_RFC_CUSTO and SOLMAN_SPC_AUTH) are located there.

Figure 139: Transaction SPRO

Configuration Roles

There are no specific configuration roles for using transaction SPRO. Nevertheless, you can create your own configuration roles. For more information, see the according How-to Guide.

33.4 Service Provider—Specific Authorization

As a service provider using Incident Management and Solution Documentation for your customers, you need a complete view of all data for the specified scenarios, while your customers should only be able to display the data that is necessary for their specific business.

The main authorization object for this purpose is SM_SP with the activities:

● 38 (perform)

● 70 (administer, to be able to activate the functionality in customizing)

By default, the authorization object is delivered with activity ACTVT 38, and is contained in the single role SAP_SM_SPC. The role itself is contained in the according composite roles for service providers for the relevant scenarios, see section on user roles. Note that SAP_SM_SPC is meant for the service provider's own users only: a customer user who receives SM_SP gains the provider's complete view across customers, and activity 70 should be limited to the administrators who activate the functionality in customizing.

More Information

See IMG activity Assign Service Provider Authorization (technical name: SOLMAN_SPC_AUTH).

33.5 Incident Management User Descriptions and User Roles for Customers

This section gives an overview of the users recommended by SAP and their user role assignments for Incident Management for service provider customers. All users are assigned a composite role, which contains a number of single roles. For a detailed overview of each single role and its main authorization objects, see the Appendix section Roles Overview. There, the main authorization objects contained in each role are explained.

Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users. These authorizations are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.

Administrator (technical role name: SAP_SUPPDESK_SP_ADMIN_COMP)

Table 400 (Single Role / Remarks)

● SAP_SUPPDESK_SP_ADMIN: Contains full authorization for the service desk. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users; these are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.

● SAP_SM_BI_SPR_REPORTING: Contains scenario-specific BW authorizations.

● SAP_BI_E2E: Contains BW authorizations for InfoCubes and so on, with general relevance for BW reporting.

● SAP_BW_SPR_REPORTING: Contains authorizations to set up BW reports and generate views; only used for setting up reporting.

● SAP_SM_BI_EXTRACTOR: Extractor framework authorization.

● SAP_SMWORK_BASIC_INCIDENT: Contains authorization for the work center.

● SAP_SMWORK_INCIDENT_MAN_SPC: Access to work center Incident Management.

● SAP_SM_CRM_UIU_FRAMEWORK: General authorization for the CRM Web Client framework.

● SAP_SM_CRM_UIU_SOLMANPRO: Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.

● SAP_SM_CRM_UIU_SOLMANPRO_PROC: Contains specific (processor-related) additional authorizations for the CRM Web Client.

● SAP_SM_CRM_UIU_SOLMANPRO_ADMIN: Contains specific (administrator-related) additional authorizations for the CRM Web Client.

Processor (technical role name: SAP_SUPPDESK_SP_PROCESS_COMP)

Table 401 (Single Role / Remarks)

● SAP_SUPPDESK_SP_PROCESS: Contains authorization for creating and processing messages. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users; these are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.

● SAP_BW_SPR_REPORTING: Contains authorizations to set up BW reports and generate views; only used for setting up reporting.

● SAP_BI_E2E: Contains BW authorizations for InfoCubes and so on, with general relevance for BW reporting.

● SAP_SM_BI_DISP: Contains authorizations to display BW reports.

● SAP_SMWORK_BASIC_INCIDENT: Contains authorization for the work center.

● SAP_SMWORK_INCIDENT_MAN_SPC: Access to work center Incident Management.

● SAP_SM_CRM_UIU_FRAMEWORK: General authorization for the CRM Web Client framework.

● SAP_SM_CRM_UIU_SOLMANPRO: Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.

● SAP_SM_CRM_UIU_SOLMANPRO_PROC: Contains specific (processor-related) additional authorizations for the CRM Web Client.

Key User (technical role name: SAP_SUPPDESK_SP_CREATE_COMP)

Table 402 (Single Role / Remarks)

● SAP_SUPPDESK_SP_CREATE: Contains authorization to create messages. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users; these are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.

● SAP_SMWORK_BASIC_INCIDENT: Contains authorization for the work center.

● SAP_SMWORK_INCIDENT_MAN_SPC: Access to work center Incident Management.

Display User (technical role name: SAP_SUPPDESK_SP_DISPLAY_COMP)

Table 403 (Single Role / Remarks)

● SAP_SUPPDESK_SP_DISPLAY: Contains display authorization.

● SAP_SMWORK_BASIC_INCIDENT: Contains authorization for the work center.

● SAP_SMWORK_INCIDENT_MAN_SPC: Access to work center Incident Management.

● SAP_SM_CRM_UIU_FRAMEWORK: General authorization for the CRM Web Client framework.

● SAP_SM_CRM_UIU_SOLMANPRO: Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.

33.6 Solution Documentation User Descriptions and User Roles

This section gives an overview of the users recommended by SAP and their user role assignments for Solution Documentation. The service provider user is assigned a composite role, which contains the relevant user role for the application and the according role to see all customer systems. The user role for the customers is a single role, which contains all authorizations customers need to run the scenario.

Service Provider User (technical role name: SAP_SOLDOC_SP_ADMIN_COMP)

Authorization for access and use of the work center for implementation and upgrade can be assigned if required:

● SAP_SMWORK_IMP (access to work center)

● SAP_SMWORK_BASIC_IMP (authorizations for work center)

Table 404

Single Roles Remarks

SAP_SM_SPC_SOLAR_ADMIN Contains full authorization for transactions SOLAR01, SOLAR02, SOLAR_EVAL, and SOLMAN_DIRECTORY.

SAP_SM_SPC Contains service provider - specific authorization

Customer User (technical role name: SAP_SM_SPC_SOLAR_ADMIN)

Contains full authorization for transactions SOLAR01, SOLAR02, SOLAR_EVAL, and SOLMAN_DIRECTORY. Authorization for access and use of the work center for implementation and upgrade can be assigned if required:

● SAP_SMWORK_IMP (access to work center)

● SAP_SMWORK_BASIC_IMP (authorizations for work center)

33.7 Work Centers for Service Provider Customers

The following work centers are available especially for customers of service providers. Functions that customers of service providers can execute with these work centers are:

● Service Desk (Incident Management) (technical role name: SAP_SMWORK_INCIDENT_MAN_SPC): create and change own messages; open service connections

● Maintenance Optimizer (technical role name: SAP_SMWORK_CHANGE_MAN_SPC): process Maintenance Optimizer transactions

● System Monitoring (technical role name: SAP_SMWORK_SYS_MON_SPC): display SAP EarlyWatch Alert reports and Service Level reports

Change Management work center for customers

Mapping of Work Center Maintenance Optimizer to Authorization Roles

Note: Authorization roles for customers need not be maintained with individual values, such as specific systems or solutions; you can maintain the according fields with value '*'. The BAdI implementation ensures data separation, so that customers can only see their own systems and solutions. Keep in mind that this restriction is enforced by the BAdI implementation, not by the authorization values themselves: a role maintained with '*' is unrestricted wherever the BAdI is not in the access path, so assign these roles only to the customer users of the work centers.

Table 405 (View / Mapping of Authorization Roles, see Roles for <scenario/function>)

● Overview: SAP_MAINT_ADMIN_COMP

● Hot News: SAP_SM_SOLUTION_*

● Maintenance Optimizer: SAP_MAINT_ADMIN_COMP

● License Management: authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC

● Common Task: SAP_MAINT_ADMIN_COMP

Incident Management work center for customers

Mapping of Work Center Incident Management to Authorization Roles

For more information, see the user roles for customers for this scenario in section Incident Management User Descriptions and User Roles for Customers.

Table 406 (View in Work Center / Mapping of Authorization Roles, see Roles for <scenario/function>)

● Overview: SAP_SUPPDESK_SP_*_COMP

● Messages: SAP_SUPPDESK_SP_*_COMP

● Common Tasks: URL, no authorization check; SAP_SUPPDESK_SP_*_COMP

System Monitoring work center for customers

Mapping of Work Center System Monitoring to Authorization Roles

Table 407 (View, Link / Mapping of Authorization Roles, see Roles for <scenario/function>)

● Reporting, Report View: SAP EarlyWatch Alert: SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_*

Note: For customers to see all EWA reports for their systems, you need to maintain authorization object S_SMSYEDIT in role SAP_OP_DSWP_EWA with the according authorization for systems. For instance, enter all SIDs of the systems which the customer should be able to display in field SMSYENAME.

● Reporting, Report View: SAP EarlyWatch Alert for Solutions: SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*, SAP_SM_BI_EXTRACTOR

Note: If your BW client is not the Solution Manager client, you need roles SAP_BI_E2E and SAP_SM_BI_EXTRACTOR.

● Reporting, Report View: Service Level Reporting: SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*
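The two ways of authorizing service provider customers described in this chapter, maintaining S_SMSYEDIT with the customer's own SIDs (the note on SAP_OP_DSWP_EWA above) versus maintaining the fields with '*' and relying on the BAdI for data separation (the note under the Maintenance Optimizer work center), as an added example that is not part of the guide: a small Python model of the ABAP AUTHORITY-CHECK semantics, run against a constructed catalog of EarlyWatch Alert reports. S_SMSYEDIT and SMSYENAME are the object and field the guide names; the field ACTVT on S_SMSYEDIT, the customer numbers and the report list are assumptions made for the illustration, and the data_separation flag stands in for the BAdI implementation.

```python
"""Model of ABAP AUTHORITY-CHECK semantics for service-provider data separation.

Added example, not SAP code. S_SMSYEDIT and SMSYENAME are the object and field
named in the guide; ACTVT on S_SMSYEDIT, the customer numbers and the report
catalog are assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

# One maintained field value as entered in PFCG: '*' (full), 'PR*' (prefix
# pattern), 'PRD' (single value) or an inclusive (from, to) range.
Spec = Union[str, Tuple[str, str]]


def spec_matches(spec: Spec, value: str) -> bool:
    """Simplified SAP field-value matching for one maintained value."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return spec == value


@dataclass(frozen=True)
class Authorization:
    """One authorization instance: object name plus its maintained field values.
    Each element of a field tuple is one maintained value (a range is a nested
    (from, to) tuple). A field with no values, the yellow traffic light in
    PFCG, matches nothing."""
    obj: str
    fields: Dict[str, Tuple[Spec, ...]]


def authority_check(auths: Iterable[Authorization], obj: str, **wanted: str) -> bool:
    """ABAP-style check: succeeds only if a SINGLE authorization instance for
    `obj` satisfies every requested field. Values are never combined across
    instances, so (SMSYENAME=PRD, ACTVT=03) plus (SMSYENAME=DEV, ACTVT=02)
    does not grant ACTVT=02 on PRD."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(spec_matches(s, v) for s in auth.fields.get(f, ()))
               for f, v in wanted.items()):
            return True
    return False


# Constructed sample catalog: EarlyWatch Alert reports held by one service
# provider for two customers (customer numbers are made up).
EWA_REPORTS = [
    {"sid": "PRD", "customer": "0001000001"},
    {"sid": "QAS", "customer": "0001000001"},
    {"sid": "ERP", "customer": "0002000002"},
    {"sid": "BWP", "customer": "0002000002"},
]


def visible_ewa_reports(auths: Iterable[Authorization], customer: str,
                        data_separation: bool) -> List[str]:
    """SIDs whose EWA report a customer user can display (ACTVT 03).
    `data_separation` stands in for the BAdI the guide describes, which
    filters by customer number before the authority check runs."""
    auths = list(auths)
    visible = []
    for report in EWA_REPORTS:
        if data_separation and report["customer"] != customer:
            continue
        if authority_check(auths, "S_SMSYEDIT", SMSYENAME=report["sid"], ACTVT="03"):
            visible.append(report["sid"])
    return visible


# Variant 1: copy of SAP_OP_DSWP_EWA with S_SMSYEDIT restricted to the
# customer's own systems, as the note on SMSYENAME recommends.
RESTRICTED = [Authorization("S_SMSYEDIT", {"SMSYENAME": ("PRD", "QAS"), "ACTVT": ("03",)})]

# Variant 2: fields maintained with '*', relying entirely on the BAdI.
WILDCARD = [Authorization("S_SMSYEDIT", {"SMSYENAME": ("*",), "ACTVT": ("03",)})]

# Variant 3: SMSYENAME left unmaintained (yellow traffic light in PFCG).
UNMAINTAINED = [Authorization("S_SMSYEDIT", {"SMSYENAME": (), "ACTVT": ("03",)})]


if __name__ == "__main__":
    customer = "0001000001"
    print("restricted role, no BAdI   :", visible_ewa_reports(RESTRICTED, customer, False))
    print("'*' role with BAdI         :", visible_ewa_reports(WILDCARD, customer, True))
    print("'*' role, BAdI not in path :", visible_ewa_reports(WILDCARD, customer, False))
    print("unmaintained field         :", visible_ewa_reports(UNMAINTAINED, customer, True))
```

The third line of output is the point of the model: with '*' in SMSYENAME and no data separation in the access path, customer 0001000001 sees every customer's reports, which is why the '*' roles belong only to users whose access runs through the work centers and the BAdI. The last line shows that an authorization with an unmaintained field grants nothing at all, the case the yellow traffic light in PFCG flags; and authority_check itself shows why two partial authorizations on the same object do not add up to a combined one.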

33.8 Granting Work Center Access to Service Provider Customers

To grant access to Solution Manager work centers via HTTP, the Solution Manager server must accept an HTTP request from a customer server. Your customer should install a proxy server that supports cascading. This proxy cascades requests from the customer to a proxy server on your side. You route the request from your proxy server directly to the Solution Manager server.

Integration

If you want to restrict customer access to certain services, see SAP Note 1281504 and SAP Partner-Specific Configuration in the IMG (transaction SPRO).

34 Appendix

34.1 HowTo Guides

34.1.1 SDN Wiki for Authorizations

All authorization objects relevant for SAP Solution Manager will be documented within the SDN Wiki for Authorizations. For each object you can find an FAQ sheet, which contains the following information:

● object description aligned with the documentation in the system (transaction SUIM)

● related documentation (for instance SAP Help, SDN, external documentations, and so on)

● related SAP Notes

● links to Use Cases (for instance how to use the object in a specific scenario or function)

Each use case consists of:

○ Motivation / Problem

describes the initial situation, problem or motivation for this use case

○ Approach / Solution

describes the procedure to solve the above described issue

○ Result

describes the final result

○ Additional Information (optional)

A scenario-based list provides you with a large number of use cases. These use cases help you to understand where certain authorization objects are checked, or whether there is a relationship between several authorization objects. All use cases relate only to SAP Solution Manager functions and can therefore differ from other SAP NetWeaver systems.

34.1.2 How to Create Users and Business Partners

Procedure

Issue

For all scenarios, you need to create users in your systems. For some scenarios, you may also need to create business partners related to your users. The following lists give an overview of the scenarios that require users in the Solution Manager system and the managed systems, and of the functions that require business partners for users in the Solution Manager system:

Scenarios Requiring Users for SAP Solution Manager and Managed Systems

● Implementation: if you use Implementation and subsequently Customizing Distribution to centrally configure your managed systems. Implementation and Customizing Distribution use Trusted RFC connections, which always require users in both systems.


● Test Management: if testers have to test in managed systems. Test Management uses Trusted RFC connections, which always require users in both systems.

● Service Desk: for Key User (end user), see example below

● Technical Administration, System Monitoring, and Business Process Operations: if the system administrator needs to check transactions in managed systems via SAP Solution Manager trusted RFC connection.

● Change Request Management: if the users in the Change Request Management process log on to the managed systems via Solution Manager.

● Quality Gate Management: if the users in the Quality Gate Management process log on to the managed systems via Solution Manager.

● Root Cause Analyses: user SAPSUPPORT is automatically created in the Solution Manager system as well as the managed systems during Root Cause Analysis configuration.

Scenarios Requiring Business Partners Based on Users in SAP Solution Manager

● SAP Engagement and Service Delivery: if you use Issue Management.

● Service Desk: for Key User (end users) and processors of service desk messages

● Change Request Management

● Quality Gate Management

● Test Management for CRM - based workflow

● Job Scheduling Management

● Change Control: functionality Maintenance Optimizer

How to?

Create Users Using Transaction SU01

All human users who work in an SAP system need to be made known to this system by having their own user ID in this system. This section tells you which area in User Management (transaction SU01) needs attention, and why.

1. Create your user in transaction SU01.

2. Enter the required data and save.

Note: Add the following information.

Address Data

● First Name and Last Name, required for:

○ Digital Signature

● E-Mail, required for:

○ Business Process Operations and Monitoring

○ Issue Management

○ Service Desk

○ E-Learning Management

The user can receive and send e-mails. This e-mail address can be any address, as long as it is known to the mail server.

Note: Business Process Operations: for use of auto-reaction methods.


Create Users from Reference Users Using Report AI_SDK_SP_GENERATE_BP

You can create users quickly by using a reference user. The system copies the user and attaches the roles to the new user. The report is documented as an IMG activity for the scenario Service Desk for Service Provider.

Figure 140: Report Documentation - Transaction SPRO - Create Business Partner as Person Automatically

Caution:

● The system copies all single roles from the reference user, except for the CRM navigation role SAP_SM_CRM_UIU_SOLMANPRO. You need to assign this role manually.

● SAP Easy Access menu entries are not visible for the dialog user who is based on the reference user.

Create Business Partners Using Transaction BP_GEN

You can easily create business partners for your users in the SAP Solution Manager system, and also for users from managed systems, for instance for the scenario Incident Management. The system copies the user IDs to Solution Manager and creates the corresponding business partners.

1. Choose User list -> Add system.

2. Select a system from which you want to create business partners.

3. Select users.

4. Choose Edit -> Create Business Partner.

5. Confirm your entries.

What Next?

Assign your roles.


34.1.3 How to Administer Passwords

Procedure

Changing Passwords within UME

Prerequisites

The J2EE engine is running. You have a user ID with administrator rights, for example: Administrator.

Procedure

1. Start the UME user administration management console: http://localhost:50000/useradmin.

2. Log on as your administrator user.

The User Management screen appears.

3. In Users, choose Create User.

4. Enter the data for the user.

Changing Passwords within ABAP transaction SU01

Prerequisites

The ABAP system is running. You have a user ID with administrator rights.

Procedure

1. Start the transaction SU01 to have access to the ABAP user account maintenance.

2. Log on as your administrator user.

The Maintain User screen appears.

3. On the first screen, fill in the user name and choose Maintain.

4. Go to tab Logon, and change the password.

5. Save the user settings.

34.1.4 How to Create a User Role

Issue

You need to grant authorizations for which SAP does not ship template roles, in the Solution Manager and managed systems. To be able to assign the correct authorizations, you can create a dedicated role yourself. This section describes how to create your own roles, using the example of the critical authorizations for transactions SU01 (User Management) and PFCG (Role Management). Because these two transactions allow creating users and granting any authorization, assign such a role only to the administrators who actually need it.

How To?

Adding ABAP transactions

1. Create a Role in Transaction PFCG

1. Choose transaction PFCG.

2. Enter a role name in your namespace, for instance: ZSU01_PFCG, and choose Single Role.


3. Enter a description for your role, for instance: Full authorization for SU01 and PFCG.

4. Go to tab Menu and enter transactions SU01 and PFCG.

Note: The authorization objects required for a role are derived from the transactions in its menu. When you enter a transaction on the Menu tab of your role, the system proposes the authorization objects (and default values) maintained for this transaction in transaction SU24.

5. Save your role.

NoteYou are asked for a transport request.

Adding ABAP Web Dynpro

Create a Role in Transaction PFCG

1. Choose transaction PFCG.

2. Enter a role name in your namespace, for instance ZWD_SOLUTION, and choose Single Role.

3. Enter a description for your role, for instance: Full authorization for WD Solution.

4. Go to the Menu tab, choose Default Authorizations (authorization default), and add the Web Dynpro application as a TADIR service of object type WDYA (Web Dynpro application).

Figure 141: Add ABAP WD as TADIR Service

The system adds authorization object S_SERVICE with the ID of the service.

5. Save your role.

Note: You are asked for a transport request.

What Next?

You can now maintain the authorizations for the transactions and applications you entered, see section How to Maintain Authorizations in Authorization Objects.

34.1.5 How to Maintain Authorizations in Authorization Objects

Procedure

Issue

You have created a role, copied a role, uploaded a role, or want to change the authorizations of an existing role. In all cases you need to maintain the values of the authorization fields in the authorization objects. A yellow traffic light on the Authorizations tab of the role in transaction PFCG indicates that authorization objects still need to be maintained or that the profile still needs to be generated.

Figure 142: Yellow traffic light on tab Authorizations

Note: The default authorization objects delivered by SAP contain only minimal authorizations. To grant full authorization for an authorization object, you must edit it. For additional information, see SAP Note 1000004.

How To?

Maintain Full Authorization for All Yellow/Empty Authorization Objects

1. Go to transaction PFCG and choose your role.

2. Choose the Authorizations tab in Role Maintenance.

3. Choose Change.

The role appears with a yellow traffic light, and some authorization objects appear with a yellow traffic light. A yellow traffic light indicates that the authorization object contains an authorization field with no values entered.

Figure 143: Yellow traffic lights for authorizations

You need to enter values in all fields. An authorization field without a value accepts no value at all, so the authorization does not take effect and the role does not work as intended.

4. To fill all open authorization fields with full authorization (*), double-click the traffic light of the role.

Alternatively, double-click the traffic light of each authorization object, or choose the asterisk icon for the authorization object.

Note: Filling all unmaintained fields with full authorization in this way should only be done for SAP standard roles, if you decide to use them as described in the scenario-specific guides. Every field filled this way grants the object for all values, so for your own roles choose the procedure described below instead.

Maintain Single Specific Authorizations for Authorization Objects

1. Choose the Authorizations tab in Role Maintenance.

2. Choose Change.

3. Maintain all values per authorization object according to your needs. For instance, if you want to grant full authorization, always choose all activities.

Figure 144: Maintain specific values for authorizations

Choose the edit icon for the authorization. The system displays a list of values you can choose from, or you use the value help to find the correct value. For some authorizations no value help exists; this is the case for many authorization objects of class CRM. Then you need to know the value, or read the CRM security guide for information. For example, authorization object UIU_COMP has no value help, therefore we recommend not to change the values of the standard role for this authorization object, see also the section on User Interface Authorizations in the Core Guide.

If you have copied a standard role and want to maintain the authorizations according to your requirements, you also need to evaluate the authorization values that already have green traffic lights.

Caution: All authorization objects need to have a green traffic light when you are finished. If you are not sure about the function of an authorization object, double-click its green line. The system opens the documentation for this object in a separate window.

Figure 145: Performance Assistant Help for Authorization Objects

Maintain Multiple Specific Authorization Values for one Authorization Object

In some cases you need to maintain one authorization object for several combinations of authorization values. This is the case when one user needs more than one authorization for the object. For instance, for solutions you want a user to be able to display all solutions, but to maintain only one specific solution.

1. Choose the Authorizations tab in Role Maintenance.

2. Choose Change.

3. In our example, authorization object D_SOL_VSBL needs to be maintained for two use cases of one user:

○ display all solutions

○ maintain one specific solution

4. To cover both use cases, copy the authorization object so that it exists twice in the role, and maintain each copy according to one use case.

Figure 146: Multiple Authorizations

Note: In our case, the user cannot create solutions. The user can:

○ display (ACTVT 03) all (*) solutions

○ maintain one specific solution

If we wanted the user to be able to create solutions, we would add ACTVT 01 (create) to the first authorization, the one for all solutions, because the solution ID is not known in advance: the system creates it when the solution is created.
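The two-authorization pattern described above, and why an open (yellow) field and the asterisk fill behave as they do, can be reproduced outside the system with a small model of the authorization check. The following Python script is an added example and not code from SAP or from this guide; it models the check semantics (one authorization must match in all of its fields; values of different authorizations are never combined) against a constructed role. The field name SOL_ID of D_SOL_VSBL and the solution ID 0042 are assumptions; take the real field names from transaction SU21.

```python
"""Model of the ABAP authorization check for one object that carries
several authorizations in a role (added example, not SAP code).

Semantics modelled (as in AUTHORITY-CHECK): the check passes if at least
one authorization for the object accepts the request, and within that
single authorization every checked field must accept the requested value.
Values of different authorizations are never combined, which is why the
"copy the object twice" pattern of the text works.
"""
import copy

# A maintained field value is a single value ("03"), the full wildcard
# ("*"), a generic pattern ending in "*" ("Z*"), or a from-to range
# given as a tuple (("0001", "0099")).


def value_matches(maintained, requested: str) -> bool:
    """Does one maintained field value accept the requested value?"""
    if isinstance(maintained, tuple):          # from-to range, compared as strings
        low, high = maintained
        return low <= requested <= high
    if maintained == "*":                      # full authorization for the field
        return True
    if maintained.endswith("*"):               # generic prefix pattern
        return requested.startswith(maintained[:-1])
    return maintained == requested


def authorization_matches(authorization: dict, request: dict) -> bool:
    """Every checked field must be accepted by this ONE authorization.
    A field with no maintained values (yellow traffic light in PFCG)
    accepts nothing, so the whole authorization fails."""
    for field_name, requested in request.items():
        values = authorization.get(field_name, [])
        if not any(value_matches(v, requested) for v in values):
            return False
    return True


def authority_check(role: dict, obj: str, **request: str) -> bool:
    """True if any authorization for `obj` in `role` accepts the request."""
    return any(authorization_matches(a, request) for a in role.get(obj, []))


# Constructed role for the two use cases of the text: display all
# solutions, maintain one specific solution. The field name SOL_ID is a
# placeholder (assumption); take the real field names of D_SOL_VSBL from SU21.
SOLUTION_ROLE = {
    "D_SOL_VSBL": [
        {"ACTVT": ["03"], "SOL_ID": ["*"]},             # display all solutions
        {"ACTVT": ["02", "03"], "SOL_ID": ["0042"]},    # maintain solution 0042 only
    ]
}

# The same object with one field left empty: the yellow traffic light case.
INCOMPLETE_ROLE = {"D_SOL_VSBL": [{"ACTVT": ["03"], "SOL_ID": []}]}

# What "full authorization" (every open field filled with *) really grants.
FULL_ROLE = {"D_SOL_VSBL": [{"ACTVT": ["*"], "SOL_ID": ["*"]}]}


def allow_create(role: dict) -> dict:
    """Return a copy of the role in which ACTVT 01 (create) is added to the
    authorization for all solutions, as the text suggests: the ID of a new
    solution is assigned by the system, so create cannot be restricted to
    a known solution ID."""
    new_role = copy.deepcopy(role)
    for auth in new_role["D_SOL_VSBL"]:
        if auth["SOL_ID"] == ["*"]:
            auth["ACTVT"].append("01")
    return new_role


if __name__ == "__main__":
    for actvt, sol in [("03", "0099"), ("02", "0042"), ("02", "0099"), ("01", "0042")]:
        print(actvt, sol, authority_check(SOLUTION_ROLE, "D_SOL_VSBL", ACTVT=actvt, SOL_ID=sol))
    print("create after allow_create:",
          authority_check(allow_create(SOLUTION_ROLE), "D_SOL_VSBL", ACTVT="01", SOL_ID="0042"))
```

With the constructed role, display of any solution and change of solution 0042 pass, change of any other solution fails, and create fails until ACTVT 01 is added to the authorization with SOL_ID *. INCOMPLETE_ROLE shows that an unmaintained field grants nothing, and FULL_ROLE shows that filling every open field with * grants every activity on every solution, which is why the asterisk fill is reserved for the standard roles.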

Activating and/or Deactivating Authorization Objects

In some standard roles you find authorization objects that are set inactive. These authorization objects have the status Standard. This means that they were entered automatically by the system when a transaction or ABAP Web Dynpro application was entered on the Menu tab: the system determines all authorizations relevant for this transaction and enters all authorization objects that are maintained for it in transaction SU24 in your system. For information on transaction SU24, see section How to Use Transaction SU24.

The standard roles concept (see the Core Guide for concept information) restricts which authorization objects are available in one role, for instance due to the modular approach or the segregation-of-duties approach. Therefore, in the standard roles, all authorization objects that are not required in the role are set inactive. This lets you see which authorizations are maintained for a transaction, and it prevents the system from overwriting the authorization object when you maintain the role.

Recommendation: Leave all authorization objects that are set inactive in this status for all standard roles.

Sometimes you also have to set authorization objects inactive yourself. For instance, there is no standard display variant of role SAP_BI_E2E. If you want to create your own display role, we recommend to copy role SAP_BI_E2E, set the batch authorization object inactive, and set field ACTVT of all remaining authorization objects to 03 (display).

1. Choose the authorization object, for instance S_BTCH_NAM.

2. Choose the Deactivate icon to set the authorization object inactive. Do not delete the object: an inactive object stays visible in the role and documents that the authorization was deliberately withheld.

Figure 147: Role SAP_BI_E2E with object S_BTCH_NAM set inactive

What Next?

Generate the profile for your authorization settings, see section How to Generate a Profile.

34.1.6 How to Generate a Profile

Procedure

Issue

When you have maintained the authorization objects for a new role or changed those of an existing role, you need to generate the profile for this role. Otherwise, the changed authorizations do not take effect.

How To?

In the authorization maintenance screen, choose the Generate icon.

The system saves your settings and generates the profile for your authorization objects.

Figure 148: Profile Generation

On the Authorizations tab, the system enters the generated profile name and text.

Caution: Even if the system has entered the name of a profile, always check the Status line of the profile to see whether it has actually been generated.

What Next?

You can now assign the role and execute the user comparison, see section How to Assign Roles to Users.

34.1.7 How to Assign Roles to Users

Procedure

Issue

After you have generated the profiles of your roles, assign the roles to your users in one of the two ways explained below.

How To?

Using Transaction SU01

If you want to assign one or more roles to a single user:

1. Choose transaction SU01.

2. Enter the user and choose Change.

3. Go to the Roles tab.

4. Enter your roles.

5. Save.

The system automatically executes a user comparison for the user.

Using Transaction PFCG

If you want to assign many users to one role:

1. Choose transaction PFCG.

2. Enter your role and choose Change.

3. Go to the User tab.

4. Enter the user names.

5. Choose User Comparison.

Without the user comparison, the generated profile is not written to the user master records, and the assignment has no effect on the users' authorizations.

Note: For more information on user comparison, see SAP Note 1272331.

Note: As of SAP_BASIS 7.02, when you open a role in transaction PFCG, the traffic light on the User tab has the following meaning:

○ green: no user comparison is necessary (no valid user assignment, or no authorization data)

○ yellow: profile generation and user comparison are required (no generated profile)

○ red: user comparison is required (authorization data and profile were changed)

6. Save.

34.1.8 How to Create Scenario Configuration Roles

Procedure

Issue

As of the current release of SAP Solution Manager, we do not deliver specific standard roles for the configuration of specific scenarios. The configuration should be done using profiles SAP_ALL and SAP_NEW. If your security policy does not allow these overall authorization profiles, you can create your own configuration roles for the SAP Solution Manager scenarios documented in transaction SPRO. If you do use SAP_ALL and SAP_NEW, assign them to a dedicated configuration user only and remove them when the configuration is complete.

How To?

Create a Project IMG for the Specific Scenario

Call transaction SPRO_ADMIN and create a project (with a title). On the Scope tab, choose Specify Scope, and select the scenario you want to create the role for. In our case, we want to create a configuration role for scenario Implementation and Upgrade.

Figure 149: Creating a Project IMG

You can also create a project view for the project IMG. This is useful if you need to upgrade the configuration at some point and need to update the necessary authorizations as well.

Figure 150: Creating a Project IMG View

Create a Role Using the IMG Project

The IMG project forms the basis on which you create your configuration role.

Figure 151: Creating a Configuration Role

1. In transaction PFCG, create a new role.

2. In the menu, choose Utilities > Customizing Auth.

3. Choose your IMG project, or your IMG project view if you have created one.

Figure 152: Role Menu

The system automatically adds all transactions from the IMG activities to the role menu.

4. Maintain the role with full authorizations. Nevertheless, note all critical authorizations that this adds to the role.

What Next?

Check your critical authorizations and maintain the authorizations accordingly.

34.1.9 How to Upgrade Authorizations after Release Upgrade or Support Package Upgrade

Procedure

Issue

After a new installation and after each upgrade or Support Package update of your SAP Solution Manager system, you need to update the customer tables with the new default field values for authorization objects, using transaction SU25. This is especially relevant for all new authorization objects delivered with an update.

Caution: When you update your system, you must import the new roles and profiles from client 000 into your productive client.

How To?

1. Call transaction SU25.

2. Choose Information.

The dialog explains in detail what you need to do.

Recommendation: Perform at least the first step.

Caution: Step 1 of SU25 (initial fill of the customer tables) copies the SAP default values over your customer-specific SU24 values. On a new installation this is what you want; on an upgraded system with customer-specific SU24 changes, follow the upgrade steps (2a to 2d) that the Information dialog describes instead, so that your changes are merged rather than overwritten.

Figure 153: Transaction SU25

34.1.10 How to Use an ST01 Trace

Procedure

Issue

In case of authorization errors, you may need to find out which authorizations the system checks for a specific action, for instance pressing a button or choosing a link. Especially when you are working in a Web Dynpro application, you need a trace to do so. This is done using transaction ST01.

How To?

Before you trace a particular authorization issue, make sure that you trace only the part of the process in which the error occurs, so that you get specific results for it.

1. Choose transaction ST01.

2. On the initial screen, select the Authorization check trace component.

3. For a better result, enter as filter the user ID with which you run through the application, so that the trace does not fill up with checks of other users.

4. Save your settings.

Figure 154: Transaction ST01 - Prepare Trace

5. Choose Trace On.

6. Execute the part of the application again in which the issue occurred.

7. Go back to transaction ST01.

8. Stop the trace by choosing Trace Off.

9. Choose Analysis.

Figure 155: Transaction ST01 - Call Trace Analysis

10. Execute the analysis for the user you ran the application with.

Note: Check that the time interval fits the time at which you traced the application.

The system displays a list of all authorization objects that were checked during the trace, together with the authorization values that were checked.

Figure 156: Transaction ST01 - Analysis

Failed checks are displayed with a return code (RC) other than 0 for the authorization object concerned: RC=4 means the user has an authorization for the object, but its field values do not cover the values checked; RC=12 means the user has no authorization for the object at all.

Caution: An ST01 trace displays all authorization objects that the system traced. It may therefore display authorization objects that are not actually required by the application. Such authorization objects may be S_DEVELOP with value DEBUG or S_CTS_SADM. Do not grant these just to clear the trace: S_DEVELOP with object type DEBUG is a debugger authorization (with ACTVT 02 it allows changing variable values at runtime), and S_CTS_SADM is transport administration.

In addition, for instance for authorization object UIU_COMP the system returns all authorization values for this object, although only a certain number are used by Solution Manager. For more information on UI authorizations, see the Core Guide.

It may also be the case that the trace displays authorization object SM_WD_COMP with RC=4. Be aware that this is an authorization object for the UI. RC=4 for this object does not necessarily mean that this authorization is missing; it might not be needed at all. For instance, if you use Technical Monitoring but do not use the dashboard functionality for BW reporting, the authorization object SM_WD_COMP with value *DASHBOARD* is displayed with RC=4. You can then ignore it. If you do use dashboards and get RC=4 for this authorization object, you simply need to add the dashboard authorization role to your user. For more information on authorization object SM_WD_COMP, see the UI authorization section in the Core Guide.

What Next?

Adapt your authorizations.
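The triage the caveats above call for (separating the checks you really have to grant from the ones ST01 lists anyway) can be scripted once the analysis is exported. The following Python script is an added example, not SAP code or part of this guide: the sample trace is a constructed, simplified rendering of the ST01 analysis (not its real screen layout), the field values and the field name of SM_WD_COMP are assumptions, and the rules encode the three caveats of the text plus the meaning of RC=4 and RC=12.

```python
"""Triage of an ST01 authorization trace (added example, not SAP code).

The trace below is a constructed, simplified rendering of what the ST01
analysis lists per check (return code, authorization object, field
values); it is not the exact ST01 screen layout, and the field values
are made up. Return codes follow the ABAP authorization check:
0 = passed, 4 = the user has the object but the field values do not
cover the check, 12 = the user has no authorization for the object.
"""
import re
from collections import defaultdict

# Constructed sample: one user working in a Solution Manager work center.
# Field names of SM_WD_COMP (COMPONENT) are a placeholder, not the real ones.
SAMPLE_TRACE = """\
AUTH RC=0  S_TCODE    TCD='SOLMAN_WORKCENTER'
AUTH RC=0  S_SERVICE  SRV_TYPE='HT'; SRV_NAME='0A1B2C3D4E5F'
AUTH RC=12 D_SOL_VSBL ACTVT='02'; SOL_ID='0042'
AUTH RC=12 D_SOL_VSBL ACTVT='02'; SOL_ID='0042'
AUTH RC=4  D_SOL_VSBL ACTVT='03'; SOL_ID='0042'
AUTH RC=12 S_DEVELOP  ACTVT='03'; OBJTYPE='DEBUG'; OBJNAME='*'
AUTH RC=12 S_CTS_SADM DOMAIN='DOMAIN_SMP'
AUTH RC=4  SM_WD_COMP ACTVT='16'; COMPONENT='AGS_DASHBOARD_UI'
AUTH RC=4  S_RFC      ACTVT='16'; RFC_TYPE='FUGR'; RFC_NAME='AGS_SOL_RFC'
"""

LINE_RE = re.compile(r"^AUTH\s+RC=(\d+)\s+(\S+)\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")


def parse_trace(text: str) -> list:
    """Turn trace lines into records: {'rc': int, 'object': str, 'fields': dict}."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not an authorization check line
        rc, obj, rest = int(m.group(1)), m.group(2), m.group(3)
        records.append({"rc": rc, "object": obj, "fields": dict(FIELD_RE.findall(rest))})
    return records


def classify(rec: dict, uses_dashboards: bool = False) -> tuple:
    """Apply the caveats of the text to one check.

    Returns (verdict, reason). Verdicts: 'passed'; 'missing' (grant it in
    the role); 'review' (traced but usually not required by the
    application: decide deliberately, never grant DEBUG or transport
    administration just to clear a trace); 'ignore' (UI component known
    not to be in use)."""
    obj, fields, rc = rec["object"], rec["fields"], rec["rc"]
    if rc == 0:
        return "passed", ""
    if obj == "S_DEVELOP" and fields.get("OBJTYPE") == "DEBUG":
        return "review", "debugger authorization; traced but usually not required by the application"
    if obj == "S_CTS_SADM":
        return "review", "transport administration; traced but usually not required by the application"
    if (obj == "SM_WD_COMP" and rc == 4 and not uses_dashboards
            and any("DASHBOARD" in v for v in fields.values())):
        return "ignore", "dashboard UI component, dashboards not in use"
    if rc == 4:
        return "missing", "object present in the user buffer, field values insufficient"
    return "missing", "no authorization for the object in the user buffer"


def triage(text: str, uses_dashboards: bool = False) -> dict:
    """Group the distinct checks of a trace by verdict."""
    result = defaultdict(list)
    seen = set()
    for rec in parse_trace(text):
        key = (rec["object"], rec["rc"], tuple(sorted(rec["fields"].items())))
        if key in seen:                   # ST01 repeats identical checks
            continue
        seen.add(key)
        verdict, reason = classify(rec, uses_dashboards)
        result[verdict].append({**rec, "reason": reason})
    return dict(result)


if __name__ == "__main__":
    for verdict, recs in triage(SAMPLE_TRACE).items():
        for r in recs:
            print(f"{verdict:8} RC={r['rc']:<3} {r['object']:<11} {r['fields']}  {r['reason']}")
```

Rows under 'missing' are what the role needs; rows under 'review' must be justified one by one, because S_DEVELOP with DEBUG and S_CTS_SADM are high-privilege objects that the application usually does not require. Nothing is dropped silently: every suppressed check stays visible under its verdict, and running the same trace with uses_dashboards=True moves the SM_WD_COMP line back into 'missing'.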

34.1.11 How to Use Transaction SU24

Procedure

Issue

You would like to deactivate the check of specific authorization objects for a transaction in your system.

How To?

1. Choose transaction SU24.

2. Enter the transaction code of the transaction for which you want to deactivate the authorization check.

3. For the authorization object concerned, set the check indicator to Do Not Check.

Note: You can only deactivate authorization objects whose names do not start with S_. The check of these Basis authorization objects is mandatory. A check indicator set in SU24 applies to every user who runs the transaction, not only to the role you are working on, so document each deactivation.

34.1.12 How to Translate Your Own Customizing Entries

For some configuration tasks, you create your own modified entries and need to translate them. Use the following procedure to translate your own entries in customizing tables.

Prerequisites

You have installed all required languages.

Procedure

1. Log on to your SAP Solution Manager system in the original language.

2. Choose the transaction and enter the customizing table:

○ SM30 for a table/view

○ SM34 for a view cluster

3. Choose Maintain.

4. Choose the line of the object you want to translate.

5. In the menu, choose Goto > Translate.

6. In the dialog box, choose the language into which you want to translate the object.

7. Translate the object.

8. Save your settings.

Example

In function Job Scheduling Management, you maintain the tables AGS_REGION_CUST and AGS_ORGUNIT_CUST in this way.

More Information

For more information about how to translate object types in the system, see the Help Portal at help.sap.com and search for SE63.

34.2 Additional Information

Here, you find:

● links to documentation about SAP Solution Manager-relevant additional components.

● a list of all SAP Notes that are included in the IMG.

Additional Notes

Creating or Editing Roadmap documents

When you create or change documents in the SAP Solution Manager Roadmap and you use MS Office 2010, see SAP Note 1699667.

34.2.1 Links for Additional Components on Service Marketplace

Your Solution Manager system is the platform for administrative tasks in implementing, operating and upgrading the systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. The following table gives you an overview of these additional components.

Recommendation: To ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation.

Additional Components

Table 408

Component                                                  Where in the Service Marketplace?

System Landscape Directory (SLD)                           service.sap.com/sld, or sdn.sap.com > SAP NetWeaver Capabilities > Lifecycle Management > Application Management > System Landscape Directory
Software Life-Cycle Manager (SLM)                          service.sap.com/slm, and help.sap.com/nw70 > Functional View > Solution Life Cycle Management > Software Life Cycle Management
Adobe Document Services (ADS)                              service.sap.com/adobe
Business Warehouse (BW)                                    service.sap.com/bi
SAP Quality Center by HP                                   service.sap.com/solutionmanager > SAP Quality Center by HP
SAP Redwood Job Scheduling                                 service.sap.com/job-scheduling
TREX                                                       help.sap.com/nw2004s
SAP TAO                                                    service.sap.com/saptao
Master Data Management (MDM) – MDM Administration Cockpit  service.sap.com/mdm and service.sap.com/installmdm
SAP NetWeaver Administrator                                service.sap.com/nwa
Adaptive Computing Controller (ACC)                        general information: sdn.sap.com/irj/sdn/adaptive; application help, such as starting and stopping an application service: help.sap.com; installation information: service.sap.com/instguides
Information on Technical Usages                            service.sap.com/~sapidb/011000358700001166742007E

Business Process Blueprinting Tool

The Business Process Blueprinting Tool (BPB) is used for modeling SAP and non-SAP processes based on existing functionality and proven content from SAP Solution Manager, according to the requirements of the company.

If you want to learn more about the Business Process Blueprinting Tool, see the corresponding guides at service.sap.com/instguides > SAP Components > SAP Solution Manager <current release> > 6 Additional Guides.

More Information

For a comprehensive overview and to find out which additional components are relevant for the configuration of your scenarios, see the Master Guide for SAP Solution Manager at service.sap.com/instguides > SAP Components > SAP Solution Manager <current release>.

34.2.2 SAP Notes as Mentioned in the IMG

Summary of all relevant SAP Notes mentioned in the IMG for SAP Solution Manager (transaction SPRO), per basic settings, cross-scenario settings, scenario-specific settings and Service Provider-specific settings.

Recommendation: During configuration via the IMG, these notes appear in the relevant IMG activity. We recommend reading the corresponding SAP Note when you configure an IMG activity. The list below collects all SAP Notes mentioned in the IMG.

List of SAP Notes in SAP Solution Manager IMG

Table 409

Columns per row: SAP Note Number | SAP Note Title | ST Support Package relevant (X) | Relevant for

READ ME (preparing configuration)
  199123  | Word Settings                                                   | X (all) |
  948871  | Solution Manager: Cross-Scenario SAP Notes                      | X |
  539977  | Release strategy for Add-On ST-PI                               | X |
  69455   | Service tools for Applications ST-A/PI                          | X |
  560630  | ST-PI: Solution Tools plug-in – prerequisite not met            | X |
  900000  | NetWeaver Business Client – FAQ                                 | X |
  1029940 | Release restrictions for the NetWeaver Business Client          | X |

Central Correction Note
  797147  | Wily Introscope Installation for SAP Customers                  | X |

TECHNICAL SETTINGS

Solution Manager Enhancements
  588364  | Prerequisites for activating extensions                         | X |

Client Copy
  806819  | sap* logon not available (problems with client copies)          | X |

LMDB
  935245  | Importance of "Object Server" SLD parameter                     | X |

Document Management
  368861  | Knowledge Warehouse and security levels under MS Office         | X |
  368963  | Use signed macros in Knowledge Warehouse                        | X |
  710711  | Solution Manager: Using a Content Server                        | X |
  777089  | Creating a business blueprint document/configuration guide      | X |
  510007  | Setting up SSL on the Web Application Server ABAP               | X |
  612670  | SSO for local BSP calls using SAP GUI HTML Control              | X |
  436430  | Prerequisites for the Document Modeling Workbench               | X |
  350535  | Knowledge Warehouse – modeling Work Center                      | X |
  314568  | SAP GUI for HTML functionality / Limitations / SP / Behaviour   | X |
  918236  | WD ABAP ALV create print version                                | X |

Internet Graphics Server (IGS)
  458731  | Internet Graphics Server                                        | X |
  454042  | IGS: Installing and Configuring the IGS                         | X |

Adobe Document Services (ADS) Setup
  944221  | Troubleshooting of problems in forms                            | X |

Adaptive Computing
  1008828 | ACC 7.1 PI / Adaptive Computing Controller tool Collective Note | X |

Work Center
  918236  | WD ABAP ALV – creating print version                            | X |
  1098009 | Limitations for WebDynpro ABAP                                  | X |

System Availability with CCMSPING
  1175058 | Problems with CCMSPING with SAP Solution Manager                | X |

SAPconnect
  455140  | Configuration of e-mail, fax, paging or SMS using SMTP          | X |
  455142  | SAPconnect: Configuration paging / SMS via HTTP                 | X |

CAPABILITIES (OPTIONAL)

Implementation
  949220  | Solution Manager: Implementation Scenario-Related SAP Notes     | X | Tabs
  1244713 | Installation of Custom Development Management Cockpit           | X |

Test Management
  1027579 | Extend SAP Solution Manager to Manage New Object Types          | X | Testing

CATTs and eCATTs
  519858  | Setting Up SAP Systems to Use eCATT                             | X |

Service Desk
  949292  | Solution Manager: Service Desk Related SAP Notes                | X | Service Desk
  830882  | DSWPNOTIFCREATE URL initialization parameters                   | X |
  1050148 | Troubleshooting for Service Desk configuration                  | X |

Technical Administration and Technical Monitoring
  949293  | Solution Manager: Solution Monitoring-Related SAP Note          | X |
  199123  | Word settings                                                   | X |
  420213  | Composite SAP note: Central monitoring of mySAP.components      | X |
  1223266 | CCMSBI Reporting                                                | X |

Downtime Management
  1096782 | CCMS: Configuration of monitoring pauses                        | X |
  823941  | SAP Start Service on Unix                                       | X |

Job Scheduling Management
  1111310 | Job Scheduling Management: Extended Configuration               | X |
  1225906 | Customizing of the Job Request application                      | X |
  1230837 | Creating a custom schedule documentation application            | X |
  1225976 | Creating custom print forms for Job Documentation               | X |

Change Request Management Standard Configuration
  903527  | Solution Manager Change Management: BC sets                     | X |
  1384598 | Harmonizing RFC communication infrastructure in ChaRM / QGM     | X |

Change Control
  1137683 | Maintenance Optimizer and SLM                                   | X |

THIRD PARTY INTEGRATION

SAP Central Process Scheduling by Redwood
  1111310 | Job Scheduling Management: Extended Configuration               | X |
  1118440 | Copy default change transaction to a customer name space        | X |
  1161405 | Accumulative Note for SAP CPS for SAP NetWeaver                 | X |

BMC AppSight for SAP Client Diagnostics
  1034901 | Installation of BMC AppSight for SAP Client Diagnostics         | X |
  1034902 | FAQ: BMC AppSight for SAP Client Diagnostics                    | X |

IBM Rational Tools
  1254821 | SAML authentication for Web services in AS ABAP                 |   |
  1319507 | Overview: Analysis of ABAP Web Service Configuration            |   |
  1480768 | Test and Incident Management with IBM Rational Tools            | X |

SERVICE PROVIDER-SPECIFIC SETTINGS

Service Desk for Service Provider
  616946  | Support Desk: support team determination using SAP Components   | X | Service Provider
  903530  | Solution Manager: Customizing for corporate function            | X |

Software Partner
  951145  | Duplicate KB entries – Clear inconsistent data                  | X |

34.3 Glossary

34.3.1 Terminology: System Landscape and Related Terms

SAP Solution Manager is based on a system in a system landscape. Different terms are used to refer to such a system, depending on how the system landscape is viewed. There are two semantic levels:

● the overall view of systems and their role in the system landscape, and

● the technical level, referring to the technical attributes of a system, not its purpose in the system landscape.

Which term applies depends on whether the focus is on a system's purpose or on its technical properties. There are several possible perspectives:

● general perspective

Term: System

● Solution Manager perspective (Solution Manager as the central management platform)

Terms: Managing System, Managed System

Figure 157

● business process-oriented perspective (business process as main focus)

Term: Business System

Figure 158

● technical perspective (technical attributes as main focus)

Term: System Type, Technical System

Figure 159

Features

The following table contains definitions of how these terms are used in documentation.

Definitions Infrastructure: System

Table 410

Term: System
Definition: Neutral definition from a general perspective. The name of the system is based on the SAP product definition. It can be defined more closely (see above), for example as managed system, business system and/or technical system.
Additional remarks: Used in general documentation, in overviews and so on.
Example: In your system landscape you maintain several systems.

Term: Managing System
Definition: The central managing system, usually the Solution Manager system, from the Solution Manager perspective. A managing system usually manages other systems, which are called managed systems.
Additional remarks: Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Central System (CCMS-related).
Example: Your managing system is SAP Solution Manager.

Term: Managed System
Definition: Any system that is managed by another system, usually the central Solution Manager system platform, from the Solution Manager perspective. In this sense, the Solution Manager system can also be a managed system.
Additional remarks: Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Remote System (CCMS-related).
Example: You monitor your managed systems regularly, using SAP Solution Manager.

Term: Business System
Definition: Any system used in a business scenario, from a business perspective.
Additional remarks: Used in general Business Suite and Solution Manager documentation, for Business Suite-related topics.
Example: You monitor all business systems on which the business process steps run, regularly.

Term: System Type
Definition: The type of the system, from a technical perspective: ABAP, Java, ABAP and Java, TREX, MDM, liveCache, ...
Additional remarks: Used in general Solution Manager system landscape documentation, with reference to the general system architecture.
Example: The SAP Solution Manager system is based on system types AS ABAP and AS Java.

Term: Technical System
Definition: A technical unit based on one or more instances, from a technical perspective. Product instances can be installed in one system, but also as independent (technical) systems with independent system IDs. It is defined by technical attributes, such as System ID, Installation Number, ...
Example: SAP Solution Manager is running on (technical) system SMP, client 200. Solution Manager Diagnostics is running on (technical) system SMD.

Security Guide for SAP Solution Manager 7.1Appendix

CUSTOMER© Copyright 2015 SAP SE or an SAP affiliate company.

All rights reserved. 557

Page 558: SM_SEC_GUIDE_71SP13.pdf

34.3.2 Terminology: Solution and Related Terms

The life-cycle of a product comprises different phases, such as implementation, operation, and optimization, which are all supported by SAP Solution Manager. In the operational phase, SAP Solution Manager uses the technical unit Solution to bundle systems according to various criteria:

● related business process steps

● related systems by administration purpose

The term is related to another primary concept, the Logical Component. Technical systems are stored in logical components, which are then referenced in the solution. The solution is uniquely defined by its Leading System Role.

Features

The following table contains definitions of how these term are used in documentation.

Table 411: Definitions Infrastructure: Solution (columns: Term, Definition, Additional Remarks)

Term: Solution
Definition: A group of systems administered in SAP Solution Manager, which are managed together. Solutions are independent of one another, e.g. all systems of one subsidiary.
Additional remarks: Used in general documentation, in overviews and so on. The solution is defined in the Solution Directory (transaction SOLMAN_DIRECTORY). Here, all information about included systems and the business processes running on these systems is stored. It forms the basis for subsequent applications, such as Monitoring, Job Scheduling Management or Issue Management.
Example: See the document SAP Solution Manager – Solution Concept and Design on SAP Service Marketplace at service.sap.com/solutionmanager, under Media Library > Technical Information.

Term: Logical Component
Definition: A set of technical systems with the same SAP product release and main instance, to be able to use these systems in a system landscape uniformly in various SAP Solution Manager use scenarios, i.e. in implementation, operational processing, and permanent optimization. It separates the abstract component level from the physical system level, allowing system-independent business process definition.
Additional remarks: Used in general documentation.


Term: Leading system role
Definition: The system role of the business processes documented in a solution, for instance production system or development system. The default system role is production, so all business processes defined for this solution run in systems with the system role: productive system.
Additional remarks: Used primarily in documentation for the Solution Directory.

Term: Navigation role
Definition: Used only for business process operations: specifies the system role used for navigation (checks, display) to objects in managed systems.
Additional remarks: Used in relation to business process operations documentation.
Note: A change of navigation role is user-specific and valid for all solutions in the Solution Directory.
Example: User <XY> wants to check objects in the development systems. The leading role of the solution is production system. The user specifies development system as the navigation role.


A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.

● Target group:

○ Relevant for all target groups

● Current version:

○ On SAP Help Portal at help.sap.com Glossary

○ In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.

● Target group:

○ Consultants

○ System administrators

○ Project teams for implementations or upgrades

● Current version:

○ On SAP Help Portal at help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.

● Target group:

○ System administrators

○ Technology consultants

○ Solution consultants

● Current version:

○ On SAP Service Marketplace at service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.

● Target group:

○ Technology consultants


○ Project teams for implementations

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

● Target group:

○ Technology consultants

○ Project teams for implementations

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.

● Target group:

○ Technology consultants

○ Solution consultants

○ Project teams for implementations

● Current version:

○ In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)

● Target group:

○ Solution consultants

○ Project teams for implementations or upgrades

● Current version:

○ In the SAP menu of the SAP system under Tools > Customizing > IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.

● Target group:

○ System administrators

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.

● Target group:

○ System administrators


○ Technology consultants

○ Solution consultants

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.

● Target group:

○ Technology consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

● Target group:

○ Technology consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).

● Target group:

○ Consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/releasenotes

○ In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)


Typographic Conventions

Table 412 (columns: Example, Description)

<Example>: Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

Example > Example: Arrows separating the parts of a navigation path, for example, menu options.

Example: Emphasized words or expressions.

Example: Words or characters that you enter in the system exactly as they appear in the documentation.

www.sap.com: Textual cross-references to an internet address.

/example: Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web.

123456: Hyperlink to an SAP Note, for example, SAP Note 123456.

Example:
● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
● Cross-references to other documentation or published works.

Example:
● Output on the screen following a user action, for example, messages.
● Source code or syntax quoted directly from a program.
● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools.

EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

EXAMPLE: Keys on the keyboard.


www.sap.com

© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
