Posted: 21-Dec-2015 | Category: Documents | Uploaded by: ajaysapbasis
Document version: 2014-07-31
Security Guide for SAP Solution Manager 7.1
CUSTOMER
Document History
Caution: Before you start the implementation and configuration of SAP Solution Manager, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/instguides, under SAP Components, SAP Solution Manager <current release>.
The following table provides an overview of the most important document changes.
Table 1
Support Package Stacks (Version) | Description
SP10 | General
● Role enhancements for Infrastructure Roles: SAP_SYSTEM_REPOSITORY_* and SAP_SM_RFC_*, see section Authorization and Roles for Infrastructure.
● Guide structure enhancement to the following individual sections:
○ Secure System Configuration (specifically relating to system configuration issues in regard to security)
○ SAP Solution Manager Authorization Concept
○ User Interface (SAP NWBC 4.0 not supported)
○ Landscape Setup Guide
○ Scenario-specific Guides
○ Overviews
○ User Authentication and Administration Tools:
  - new section about the Solution Manager User Administration (SMUA) mass tool
  - enhanced section on Automatic User Creation in SOLMAN_SETUP (new fields User Group, Namespace, Role Upload)
  - new section on the password policy for SAP Solution Manager default users
● Roles and Authorizations for Infrastructure and LMDB usage, see section Roles for Infrastructure and LMDB:
○ New single roles SAP_SM_BP_* for Business Partner and Product assignment in LMDB and related queries.
○ New single role for LMDB Dashboard: SAP_SM_DASHBOARDS_DISP_LMDB
○ New authorization object check for LMDB Remote Access: AI_LMDB_RE (included in roles SAP_SYSTEM_REPOSITORY_*)
○ Adapted role SAP_SM_SOLUTION_ALL
○ Adapted role SAP_SOLMAN_DIRECTORY_*
○ Adapted role SAP_SM_RFC_ADMIN (added authorization object S_RFC_TT)
○ Adapted roles SAP_SYSTEM_REPOSITORY_* (primarily for authorization object S_RFC)
© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.
Scenario-Specific Guides
Check out changes in the Document History for the following scenarios:
● Custom-Code Life Cycle Management (CCA, CCML)
● Business Process Operations
● Business Process Change Analyser
● Change Request Management
● Incident Management
Note: Authorizations for ST-ICC are described in the corresponding ST-ICC Configuration Guide.
● Solution Documentation Assistant
● Test Management
● Implementation (cProject ITPPM integration)
● Solution Manager Administration
● Technical Monitoring
● Technical Administration (IT Task Inbox and Guided Procedure)
● Quality Gate Management
● SAP Engagement and Service Delivery
● Job Management
Important SAP Notes
● 1812046 (Role Updates in case of CUA)
● 1830640 (Roles for READ, TMW, and Back RFC Users)
● 1908051 (Roles for ST-PI (managed systems))
SAP TAO
● The section on SAP TAO has been transferred to the SAP TAO Administrator’s Guide, see the Service Marketplace at: service.sap.com/saptao
SP11 | General
● Authorization object S_ICF for temporary RFC connections during configuration using transaction SOLMAN_SETUP implemented. Role enhancement for all configuration users and SOLMAN_ADMIN in SAP Solution Manager required. See the update flag for roles in transaction SOLMAN_SETUP after the update for the following roles: SAP_SM_BASIC_SETTINGS, SAP_BPCA_CONFIG, SAP_BPO_CONFIG, SAP_CHARM_CONFIG, SAP_DVM_CONFIG, SAP_SM_BIM_CONF, SAP_SM_CBTA_CONFIG, SAP_SM_CCM_CONFIG, SAP_SM_EEM_CONF, SAP_SM_IC_CONF, SAP_SM_ITMO_CONF, SAP_SM_JMON_CONF, SAP_SM_PIM_CONF, SAP_SM_SCHEDULER_CONFIG, SAP_SM_SYM_CONF, SAP_SUPPDESK_CONFIG, SAP_TAO_CONFIG, SAP_TSAM_CONF
Scenario-Specific Guides
Check out changes in the Document History for the following scenarios:
● new scenario-specific guide: Effort and Scope Analyzer (SEA)
● Implementation and Upgrade (SEA integration)
● Change Request Management (Import Authorizations; CSOL RFC-connection; CTS)
● Job Management
● Quality Gate Management
● Landscape Setup Guide (Enhancement of SLD-related section)
● Technical Monitoring
● Test Management (CBTA)
● Custom Code Management
● Technical Administration (Guided Procedures)
● Business Process Operations
● IT Service Management (new section: Additional Security Measures)
● BPCA (new section: Additional Security Measures)
SP12 | General
● Enhanced: Overview of Function Integration
● Enhanced: User Authentication and Administration Tools
○ Automatic user update using Automated Managed System Configuration
○ Storage of multiple users in SMUA
○ Expert mode for user creation and RFC creation
○ Additional user types (Reference User for Template/Demo user, Service User)
● Enhanced: Additional Security Measures (Documents: Virus Scan - automatic VSI check, use of Firefox Browser; Reject callback parameter settings)
Scenario-Specific Guides
Check out changes in the Document History for the following scenarios:
● Landscape Setup Guide (Automatic User Update using Automated Managed System Configuration, SOLMAN_SETUP Configuration Administration)
● Guided Procedure Framework (Chapter: Authorization Concept for SAP Solution Manager)
● Business Process Operations (integration Notification Management, Job Monitoring, and Interface Channel Monitoring, Project-based Delivery)
● Technical Administration (integration of IT Task Management configuration in transaction SOLMAN_SETUP)
● Incident Management
● Change Request Management
● Technical Monitoring (Job Monitoring, individual roles for Message Flow Monitoring; CSU)
● Data Volume Management (iCI Dashboard)
● Custom Code Management (ATC integration, iCI Dashboard)
● Business Process Change Analyzer (and TAO)
● Test Management (Redesign CBTA user and roles)
● Implementation (CDMC; Roadmap)
● SAP Solution Manager Administration (Enhancement due to Archive Log and Role Comparison Tool)
● Measurement Platform (iCI Dashboard)
● SAP Service Delivery and Engagement
Important SAP Notes
● 1830640 (Roles for READ, TMW, and Back RFC Users)
● 1968406 (ST-PI: Authorization changes in roles for SAP-BASIS < 700)
SP13 | Authorization Concept Sections
● Guided Procedure Administration Authorizations (Authorization for transaction SE61 must be assigned manually for security reasons)
Scenario-Specific Guides
Check out changes in the Document History for the following scenarios:
● Landscape Setup Guide (Template Management for Mass System Configuration, Role adaptations for various users)
● Business Process Change Analyzer
● Test Management
● SAP Engagement and Service Delivery
● Business Process Operations (Business Process Analysis)
● Technical Monitoring (System Monitoring)
● Job Scheduling Management
● Technical Monitoring
● Data Volume Management
Important SAP Notes
● 1830640 (Roles for READ, TMW, and Back RFC Users)
● 1560717 (Roles for SAP Solution Manager and managed systems)
● 2039434 (ChaRM: extended authorization check becomes mandatory as of ST 710 SP10)
Content
1 Security Guide . . . . . 17
2 Introduction . . . . . 18
2.1 Target Group of This Guide . . . . . 18
2.2 Getting Started . . . . . 18
2.3 How to Use this Guide . . . . . 19
2.4 Links for Additional Components on the Service Marketplace . . . . . 22
2.5 Using SAP Solution Manager as a Service Provider . . . . . 26
3 Terminology as Used in SAP Solution Manager . . . . . 27
4 Quick Guide . . . . . 33
5 Overviews . . . . . 35
5.1 Overview: Capabilities/Functions . . . . . 35
5.2 Overview: Solution Manager Functions Integration . . . . . 36
5.3 Overview: Solution Manager Configuration . . . . . 38
5.4 Overview: Solution Manager Technical RFC Users per Scenario . . . . . 39
5.5 Overview: Third Party Products to Be Used with Solution Manager . . . . . 40
6 System Landscape . . . . . 42
6.1 Technical System Landscape . . . . . 42
7 Network and Communication Security . . . . . 43
7.1 Network Topology . . . . . 43
7.2 Communication Channels and Communication Destinations . . . . . 43
7.3 Internet Communication Framework . . . . . 44
7.4 Secure Socket Layer (SSL) . . . . . 46
7.5 HTTP Connect Service for SAP Support . . . . . 47
7.6 File Transfer Protocol (FTP) . . . . . 47
7.7 Use of Gateway . . . . . 48
8 User Administration and Authentication Tools . . . . . 49
8.1 Basic SAP User Management Tools and User Types . . . . . 49
8.2 Automatic User Creation using Transaction SOLMAN_SETUP . . . . . 52
8.3 Automatic Managed System Configuration Update using Transaction SOLMAN_SETUP . . . . . 55
8.4 Automatic Mass User Creation/Update using “Solution Manager User Administration” (SMUA) . . . . . 56
8.5 Passwords for Solution Manager Default Users . . . . . 57
8.6 Secure Storage . . . . . 58
8.7 Integration into Single Sign-On Environments (SSO) . . . . . 58
9 Authorization Concept for SAP Solution Manager . . . . . 60
9.1 User Definitions in SAP Solution Manager . . . . . 60
9.2 End-User Roles in SAP Solution Manager . . . . . 61
9.3 Configuration User Roles for SAP Solution Manager . . . . . 69
9.4 Integration of Functions/Capabilities . . . . . 71
9.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions, Directory) . . . . . 73
9.6 Guided Procedure Framework . . . . . 74
9.7 Work Center Navigation Role Concept . . . . . 75
9.8 Using SAP Solution Manager with Customer Relationship Management (CRM) . . . . . 83
9.9 Using SAP Solution Manager with Business Warehouse (BW) . . . . . 84
    General Information . . . . . 84
    BI-Reporting Data Extraction . . . . . 85
    Configuration of BW and Activation of BW-Content (Step by Step) . . . . . 86
    Diagnostics Center . . . . . 88
    BI-Reporting Authorizations and Roles . . . . . 88
    Using BI-Dashboards for BI-Reporting . . . . . 89
9.10 Using the Help Center . . . . . 92
9.11 Authorizations for User Interfaces . . . . . 93
9.12 Critical RFC Connections and Authorization Objects . . . . . 98
    Generated RFC-Connection <SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED> . . . . . 98
    Authorization Objects S_RFCACL and S_RFC_TT for Trusted RFCs . . . . . 99
    Generated RFC-Connections READ, TMW and BACK . . . . . 101
    Authorization Object S_RFC and S_DEV_REMO . . . . . 101
    Authorization Object S_TABU_DIS and S_TABU_CLI . . . . . 102
    Authorization Object S_TABU_NAM . . . . . 104
    Authorization Object S_DEVELOP . . . . . 105
9.13 How to Build Your Own Authorization Concept . . . . . 105
10 Using Central User Administration . . . . . 107
10.1 Introduction . . . . . 107
10.2 Prerequisites . . . . . 109
10.3 Configuration Scenarios . . . . . 111
10.4 Configuration Integration in Transaction SOLMAN_SETUP . . . . . 112
11 Additional Security Issues . . . . . 114
12 Data Storage . . . . . 118
13 Landscape Setup, Configuration, and Root Cause Analysis Guide . . . . . 119
13.1 Document History . . . . . 119
13.2 Getting Started . . . . . 124
13.3 Technical System Landscape . . . . . 125
13.4 Communication Channels and Destinations . . . . . 129
13.5 Required TCP/IP Ports . . . . . 132
13.6 SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP . . . . . 135
13.7 Root Cause Analysis Work Center . . . . . 137
13.8 SOLMAN_SETUP Configuration Administration Tool . . . . . 138
13.9 Users Created During Installation . . . . . 139
    Database User SAP<SID>DB [MANAGED.DB.USER] . . . . . 139
    OS Engine User [MANAGED.OS.SIDADM] . . . . . 140
    OS User Dedicated to the Diagnostics Agent <SID>ADMIN [MANAGED.OS.AGTSIDADMIN] . . . . . 140
13.10 Users and Authorizations for SAP Solution Manager Configuration/Operation . . . . . 140
    Password Changes . . . . . 141
    Configuration and Administration User SOLMAN_ADMIN [SOLMAN.DUAL.ADMIN] . . . . . 141
    Technical User SM_AMSC . . . . . 145
    Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM] . . . . . 146
    Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC] . . . . . 146
    Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . 147
    Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . 147
    Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . . . 148
    Dialog User SAPSERVICE . . . . . 149
    Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC] . . . . . 150
    Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV] . . . . . 150
    Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV] . . . . . 150
    Technical User for RFC-connection BACK <SMB_<SIDofManagedSystem>> [MANAGING.ABAP.RFC] . . . . . 151
    User Wily Guest [SOLMAN.WILY.GUEST] . . . . . 151
13.11 Users and Authorizations for Managed Systems . . . . . 151
    NGAP-Based Managed Systems Support . . . . . 152
    Administrator User in ABAP: SM_ADMIN [MANAGED.JAVA.ABAP.ADMIN] . . . . . 152
    Administrator User in Java: SM_ADMIN_<SolManSID> [MANAGED.JAVA.ADMIN] . . . . . 153
    Technical User SMDAGENT_<SolManID> for Wily Host Agent [MANAGED.ABAP.WILYAGT] . . . . . 154
    Technical Users for RFC-Connections READ and TMW [MANAGED.ABAP.RFC] . . . . . 154
    SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT] . . . . . 156
    Dialog User SAPSERVICE . . . . . 149
    Technical User SM_COLL_<SIDofSolMan> . . . . . 157
    J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN] . . . . . 158
    Administrator OS User [MANAGED.OS.ADMIN] . . . . . 159
    Technical Users for CTC Configuration and Runtime Activation . . . . . 159
13.12 Users and Authorizations for BW Configuration . . . . . 159
    BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN] . . . . . 160
    Technical User SM_BW_ACT . . . . . 160
    Technical User SM_EFWK . . . . . 160
    Technical User SMD_BI_RFC [SOLMAN.BI.RFC] . . . . . 162
    Technical User SM_BW_<SID> . . . . . 162
    Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . . . 148
    Dialog User SAPSERVICE . . . . . 149
    Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK] . . . . . 165
    Diagnostics Center . . . . . 88
13.13 Users and Authorizations for SLD and LMDB . . . . . 165
    Technical User SLD_CS_USER . . . . . 167
    Technical User SLDAPIUSER . . . . . 167
    Technical User SLDDSUSER . . . . . 168
    Technical User for CTC Usage . . . . . 168
13.14 S-Users . . . . . 168
    S-User for SAP Backend . . . . . 169
    S-User for Communication . . . . . 169
13.15 Landscape Modelling and Infrastructure Roles . . . . . 169
    User Roles for System Landscape Infrastructure . . . . . 169
    User Roles for Solutions, Projects, Solution Directory . . . . . 172
    User Roles for System Landscape Verification . . . . . 174
13.16 User Role for TREX Administration . . . . . 174
13.17 Configuration User Roles for SAP Solution Manager . . . . . 69
13.18 Business Partners Created During Configuration . . . . . 177
13.19 Traces and Logs . . . . . 178
14 Scenario-Specific Guide: Solution Manager Administration . . . . . 179
14.1 Document History . . . . . 179
14.2 Getting Started . . . . . 180
14.3 Users and Authorizations . . . . . 180
15 Scenario-Specific Guide: Technical Monitoring . . . . . 185
15.1 Document History . . . . . 185
15.2 Getting Started . . . . . 190
15.3 Prerequisites . . . . . 191
    Technical System Landscape . . . . . 191
    Scenario Configuration Users . . . . . 191
    Communication Channels and Destinations . . . . . 193
    Technical Users . . . . . 195
15.4 Work Center Technical Monitoring . . . . . 197
15.5 User Descriptions . . . . . 198
15.6 User Roles for System, Database, Host Monitoring, and Self-Monitoring . . . . . 199
    First Level User Description and User Role . . . . . 199
    Second Level User Description and User Role . . . . . 200
15.7 User Roles for Process Integration Monitoring . . . . . 201
    First Level User Role . . . . . 201
    Second Level Roles in SAP Solution Manager . . . . . 202
15.8 User Roles for Message Flow Monitoring . . . . . 204
    Technical System Landscape . . . . . 204
    First Level User Role . . . . . 204
    Second Level Roles in SAP Solution Manager . . . . . 205
    Authorization Objects . . . . . 207
    Function Integration . . . . . 208
15.9 User Roles for End-User Experience Monitoring . . . . . 208
    First Level User Description and User Role . . . . . 208
    Second Level User Description and User Role . . . . . 209
15.10 User Roles for Business Intelligence Monitoring . . . . . 210
    First Level User Description and User Role . . . . . 210
    Second Level User Description and User Role . . . . . 211
15.11 User Roles for Interface (Channel) Monitoring . . . . . 212
    First Level User Role . . . . . 212
    Second Level Roles in SAP Solution Manager . . . . . 213
15.12 End-User Roles for Job Monitoring . . . . . 214
    First Level User Role . . . . . 214
    Second Level User Role . . . . . 215
15.13 User Roles for Infrastructure Monitoring . . . . . 216
    First Level User Description and User Role . . . . . 217
    Second Level User Description and User Role . . . . . 218
15.14 Integration Visibility in Managed Systems ..... 219
15.15 Role for Technical Monitoring Display ..... 220
15.16 Role for Technical Monitoring Support ..... 220
15.17 Main Authorization Objects ..... 221
15.18 Scenario Integration ..... 222
15.19 Background Jobs ..... 224

16 Scenario-Specific Guide: Maintenance Optimizer ..... 225
16.1 Document History ..... 225
16.2 Getting Started ..... 225
16.3 Prerequisites ..... 226
    Technical System Landscape ..... 226
    Scenario Configuration ..... 227
    Communication Channels and Destinations ..... 227
    Technical Users ..... 229
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) ..... 230
    S-User Authorization for Maintenance Optimizer ..... 230
16.4 CRM Standard Customizing ..... 231
16.5 Users and Authorizations ..... 231
    User Descriptions and User Roles ..... 232
    User Roles in Managed Systems ..... 234
    Main Authorization Objects ..... 234
16.6 System Recommendations ..... 235

17 Scenario-Specific Guide: Change Request Management ..... 236
17.1 Document History ..... 236
17.2 Getting Started ..... 239
17.3 Prerequisites ..... 240
    Technical System Landscape ..... 240
    Scenario Configuration User ..... 240
    Communication Channels and Destinations ..... 241
    Technical Users ..... 245
17.4 CRM Standard Customizing for Solution Manager ..... 247
17.5 Users and Authorizations ..... 249
    Users and Roles ..... 250
    Best Practice: Manage Import Authorizations in Managed Systems ..... 256
    User Roles for Additional Functions ..... 257
    Main Authorization Objects ..... 259
17.6 System Recommendations ..... 235
17.7 Scenario Integration ..... 260

18 Scenario-Specific Guide: Quality Gate Management ..... 264
18.1 Document History ..... 264
18.2 Getting Started ..... 266
18.3 Prerequisites ..... 266
    Technical System Landscape ..... 266
    Configuration ..... 267
    Communication Channels and Destinations ..... 268
    Technical Users ..... 269
18.4 CRM Standard Customizing for Solution Manager ..... 270
18.5 Users and Authorizations ..... 271
    User Descriptions and User Roles in the SAP Solution Manager ..... 271
    User Descriptions and User Roles in the Managed Systems ..... 274
    Central CTS-Integration User Roles in the SAP Solution Manager ..... 274
    Critical Authorization Object ..... 276
18.6 Scenario Integration ..... 276

19 Scenario-Specific Guide: Configuration Validation ..... 277
19.1 Document History ..... 277
19.2 Getting Started ..... 278
19.3 Prerequisites ..... 278
19.4 Users and Authorizations ..... 279
    User Descriptions and User Roles in the SAP Solution Manager ..... 279
19.5 Critical Authorizations ..... 282
19.6 System Recommendations ..... 235

20 Scenario-Specific Guide: Implementation and Upgrade ..... 284
20.1 Document History ..... 284
20.2 Getting Started ..... 285
20.3 Prerequisites ..... 286
    Technical System Landscape ..... 286
    Configuration ..... 287
    Communication Channels and Destinations ..... 288
    Technical Users ..... 290
20.4 Users and Authorizations ..... 291
    User Descriptions and User Roles in the SAP Solution Manager ..... 292
    User Descriptions and User Roles in Managed Systems ..... 306
    Main Authorization Objects ..... 306
20.5 User Roles for Additional Functions ..... 309
    User Roles for Roadmap Definition ..... 309
    User Roles for Activation of Business Functions ..... 309
    User Roles for Custom Development Management Cockpit (CDMC) ..... 310
    User Roles for Upgrade Dependency Analyzer ..... 311
    User Roles for Customizing Comparison and Distribution ..... 312
    User Roles for BC-Set Activities ..... 313
    Solution Maintenance via Work Center ..... 313
20.6 Scenario Integration ..... 313
20.7 External Integration ..... 317
    Business Process Management Suite ..... 318
    Enterprise Service Repository within Process Integration (PI) ..... 318
    SAP Productivity Pak by RWD ..... 319
    Business Process Blueprinting Tool (BPB) ..... 319
20.8 Traces and Logs ..... 178

21 Scenario-Specific Guide: Solution Documentation Assistant ..... 321
21.1 Document History ..... 321
21.2 Getting Started ..... 322
21.3 Prerequisites ..... 322
    Technical System Landscape ..... 323
    Configuration ..... 323
    Communication Channels and Destinations ..... 324
    Technical Users ..... 326
21.4 Users and Authorizations ..... 327
    User Descriptions and User Roles ..... 328
21.5 Scenario Integration ..... 332
21.6 Background Jobs ..... 333

22 Scenario-Specific Guide: Test Management ..... 334
22.1 Document History ..... 334
22.2 Prerequisites ..... 335
    Technical System Landscape ..... 335
    Scenario Configuration User ..... 336
    Communication Channels and Destinations ..... 337
    Technical Users for RFCs ..... 339
22.3 Users and Authorizations ..... 340
    User Descriptions and User Roles ..... 341
    Main Authorization Objects ..... 357
22.4 User Roles for Additional Functions ..... 357
    User Roles for Test Workbench Workflow ..... 357
    User Roles for Extended Capabilities ..... 358
    User Roles for CBTA (Component-Based Test Automation) ..... 359
22.5 Scenario Integration ..... 365
22.6 External Integration ..... 366
    Tool with BC-eCATT Integration ..... 366
    Quality Center by HP ..... 366
    IBM Rational Test Management Tool ..... 368

23 Scenario-Specific Guide: Business Process Change Analyzer ..... 370
23.1 Document History ..... 370
23.2 Getting Started ..... 372
23.3 Prerequisites ..... 373
    Technical System Landscape ..... 373
    Scenario Configuration User ..... 373
    Communication Channels and Destinations ..... 374
    Technical Users ..... 376
23.4 CRM Standard Customizing ..... 377
23.5 Users and Authorizations ..... 378
    User Descriptions and User Roles ..... 378
23.6 Scenario Integration ..... 383
23.7 Additional Security Measures ..... 383

24 Scenario-Specific Guide: Custom Code Life Cycle Management ..... 385
24.1 Document History ..... 385
24.2 Getting Started ..... 386
24.3 Prerequisites ..... 387
    Technical System Landscape ..... 387
    Scenario Configuration User ..... 388
    Communication Channels and Destinations ..... 389
    Technical Users ..... 390
24.4 Users and Authorizations ..... 391
    User Descriptions and User Roles in the SAP Solution Manager ..... 391
    Authorizations ..... 393
24.5 Background Jobs ..... 393

25 Scenario-Specific Guide: Scope and Effort Analyzer (SEA) ..... 394
25.1 Document History ..... 394
25.2 Getting Started ..... 394
25.3 Prerequisites ..... 395
    Technical System Landscape ..... 395
    Scenario Configuration User ..... 395
    Communication Channels and Destinations ..... 396
    Technical Users ..... 398
25.4 User Descriptions and User Roles ..... 399
25.5 Authorization Objects ..... 401
25.6 Scenario Integration ..... 402

26 Scenario-Specific Guide: IT Service Management ..... 403
26.1 Document History ..... 403
26.2 Getting Started ..... 405
26.3 Prerequisites ..... 406
    Technical System Landscape ..... 406
    Scenario Configuration User ..... 407
    Communication Channels and Destinations ..... 408
    Technical Users for RFCs ..... 411
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) ..... 230
    S-User Authorization for Service Desk and Expert on Demand ..... 413
26.4 CRM Standard Customizing for Solution Manager ..... 414
26.5 Users and Authorizations ..... 415
    User Descriptions and User Roles ..... 416
    Authorization Objects ..... 419
26.6 Scenario Integration ..... 421
26.7 External Integration ..... 423
    External Service Desk ..... 423
26.8 Additional Security Measures ..... 423

27 Scenario-Specific Guide: Job Management ..... 425
27.1 Document History ..... 425
27.2 Getting Started ..... 426
27.3 Prerequisites ..... 427
    Technical System Landscape ..... 427
    Scenario Configuration User ..... 428
    Communication Channels and Destinations ..... 429
    Technical User ..... 430
27.4 Users and Authorizations ..... 431
    User Roles (Old) ..... 432
    User Roles (New) ..... 437
27.5 Solution Maintenance via Work Center ..... 313
27.6 Scenario Integration ..... 443
27.7 External Integration ..... 446
    SAP CPS ..... 446
28 Scenario-Specific Guide: SAP Engagement and Service Delivery ..... 447
28.1 Document History ..... 447
28.2 Getting Started ..... 448
28.3 Prerequisites ..... 449
    Technical System Landscape ..... 449
    Configuration ..... 450
    Communication Channels and Destinations ..... 450
    Technical Users ..... 455
    SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) ..... 230
    S-User Authorization for Service Desk and Expert on Demand ..... 413
    S-User Authorization for Data Download from SAP ..... 458
    Business Partners Created During Configuration ..... 177
28.4 CRM Standard Customizing for Solution Manager ..... 459
28.5 Recommended Users and Authorizations ..... 460
    User Descriptions and User Roles to Use the Work Center ..... 460
    User Description and User Roles for Service Delivery (Premium Engagement) ..... 465
    Enterprise Service Reporting User - ES_REP_<SID> ..... 465
    Supportability Performance Platform ..... 466
    User Descriptions and User Integration Roles for Issue Management ..... 467
    Main Authorization Objects ..... 468
28.6 Security Optimization Service ..... 469
28.7 Scenario Integration ..... 469

29 Scenario-Specific Guide: Technical Administration ..... 470
29.1 Document History ..... 470
29.2 Getting Started ..... 472
29.3 Prerequisites ..... 472
    Technical System Landscape ..... 472
    Configuration ..... 473
    Communication Channels and Destinations ..... 473
    Technical Users ..... 474
29.4 Users and Authorizations ..... 475
    User Descriptions and Roles for Technical Administration ..... 475
    User Roles for IT Task Inbox and Guided Procedure ..... 478
    Service Availability Management ..... 481
    Main Authorization Objects ..... 483
29.5 Integration ..... 484
29.6 Traces and Logs ..... 485

30 Scenario-Specific Guide: Business Process Operations ..... 486
30.1 Document History ..... 486
30.2 Getting Started ..... 489
30.3 Prerequisites ..... 489
    Technical System Landscape ..... 489
    Scenario Configuration User ..... 490
    Communication Channels and Destinations ..... 491
    Technical Users ..... 494
30.4 Users and Authorizations ..... 495
    User Descriptions and User Roles ..... 496
30.5 User Roles for Additional Functions ..... 502
Dashboard User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 End-User Roles for CDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
30.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
31 Scenario-Specific Guide: Data Volume Management . . . . . . . . . . . . . . . . . . . . . . 504
31.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
31.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
31.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Scenario Configuration User and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
31.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
User and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Critical Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
31.5 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
32 Measurement Platform and Enterprise Support Reporting (iCI - Interactive Continuous Improvement) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
32.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
32.2 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
32.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
32.4 Interactive Continuous Improvement (iCI) Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
33 Service Provider Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
33.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
33.2 Service Provider Customer RFC-Connections . . . . . . . . . . . . . . . . . . . . . . . . . . 522
33.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
33.4 Service Provider-Specific Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
33.5 Incident Management User Descriptions and User Roles for Customers . . . . . . . . 524
33.6 Solution Documentation User Descriptions and User Roles . . . . . . . . . . . . . . . . . 527
33.7 Work Centers for Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . . . 527
33.8 Granting Work Center Access to Service Provider Customers . . . . . . . . . . . . . . . 529
34 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
34.1 HowTo Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
SDN Wiki for Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
How to Create Users and Business Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
How to Administer Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
How to Create a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
How to Maintain Authorizations in Authorization Objects . . . . . . . . . . . . . . . . . . . . 535
How to Generate a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
How to Assign Roles to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
How to Create Scenario Configuration Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
How to Upgrade Authorizations after Release Upgrade or Support Package Upgrade . . 544
How to Use an ST01 Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
How to Use Transaction SU24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
How to Translate Your Own Customizing Entries . . . . . . . . . . . . . . . . . . . . . . . . . . 548
34.2 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Links for Additional Components on Service Marketplace . . . . . . . . . . . . . . . . . . . . 549
SAP Notes as Mentioned in the IMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
34.3 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Terminology: System Landscape and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . 554
Terminology: Solution and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
A Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
A.1 The Main SAP Documentation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
1 Security Guide
Caution
Usage Rights for SAP Solution Manager Enterprise Edition
The extent of the usage of the software package "SAP Solution Manager 7.1" depends upon the type of maintenance contract you have signed. If you have a signed contract for:
● SAP Enterprise Support
● Product Support for Large Enterprises
● SAP Premium Support
● SAP MaxAttention
you are authorized to use all functions in the software package, without any restrictions.
If you have signed exclusively standard support contracts, you are allowed to install this software package, but you are only allowed to use a restricted functionality. You are not allowed to use the following Enterprise Edition functions:
● Business Process Change Analyzer
● Quality Gate Management
● Custom Development Management Cockpit
This Security Guide is updated on the SAP Service Marketplace at service.sap.com/instguides SAP Components SAP Solution Manager <current release> with every Support Package.
For any issues with security, authorizations, roles, and user management for SAP Solution Manager, use component SV-SMG-AUT.
Integration
Security topics are relevant for the following phases:
● Installation and Upgrade
● Configuration
● Operation
Recommendation
Use this guide during all phases. For a detailed overview of which documentation is relevant for each phase, see the guides reference on the Service Marketplace at service.sap.com/instguides SAP Components SAP Solution Manager 7.1.
More Information
For a complete list of the available SAP Security Guides, see the SAP Service Marketplace: service.sap.com/securityguides
2 Introduction
2.1 Target Group of This Guide
SAP Solution Manager provides an administration and implementation environment that allows you to manage your systems and business processes better and in a transparent way.
The target groups of this guide are readers who are familiar with SAP Solution Manager and with the configuration procedures of an implementation and/or upgrade project, that is, technical consultants, system administrators and/or application consultants:
● technology consultants: working with technical processes supported by SAP software during implementation, when deciding which settings to make
● system administrators: optimizing the SAP Solution Manager system during and after implementation
● application consultants: mapping a company’s actual business processes to the processes and functions supported by SAP software during implementation, and when deciding which settings to make
● SAP Security Professionals: securing the system landscape settings
2.2 Getting Started
This security guide provides you with an overview of the security-relevant information that applies to SAP Solution Manager 7.1 as of SP01 and higher. Since SAP Solution Manager covers several scenarios, this document first provides general security recommendations for SAP Solution Manager in a so-called Core Guide, followed by specific security guidelines for the individual capabilities.
In other words, this guide consists of a main guide, the core guide, containing general information on how to handle authorizations and roles within SAP Solution Manager, such as the authorization concept and its integration as well as user management functions. The scenario-specific guides describe the delivered scenarios, in analogy to the work centers and the configuration view structure in transaction SOLMAN_SETUP.
The SAP Solution Manager IMG comprises several nodes for configuration; see the configuration guide for SAP Solution Manager for more information. Scenario configuration is done during Capabilities configuration. The graphic references the IMG as delivered with SAP Solution Manager 7.1 as of SP02. The structure can change when delivered with further SPs, due to changes or additions in capabilities. Therefore, the graphic only represents an example of the IMG structure.
Authorization assignments or specific user creation for scenarios are described in the corresponding IMG activities, which are also referenced in the scenario-specific security guides.
The initial configuration, or Basic Configuration, refers to the automated basic configuration using transaction SOLMAN_SETUP or the Solution Manager Configuration work center.
Recommendation
Always use this security guide in combination with transaction SOLMAN_SETUP and the Implementation Reference Guide (IMG) for configuration.
Which topics are covered in the core guide
The following topics are covered in this core security guide:
● Target Group: Who should use this guide
● How to use this guide: How should different user groups use this guide effectively?
● Links to additional components: Where can you find further information on functions, tools, and third-party products which are not covered in this guide?
● Using Solution Manager as Service Provider: How to use this guide as a Service Provider?
● Terminology: How are specific terms to be understood in this guide?
● System Landscape
● Security Dependencies: Which additional dependencies have to be taken into account?
● Network and Communication Security: How should your network be built up?
● User Management Tools: Which tools are used within SAP Solution Manager to create users?
● Central User Administration: How to set up CUA in Solution Manager?
● Secure Storage
● Integration into Single Sign-On Environments
● Authorization Integration Concept: How is the authorization concept for SAP Solution Manager defined?
● User Definitions: How do we define users?
● User Roles: How do we define user roles?
● Data Storage
What should you know in advance
If you have little or no knowledge of security and authorization concepts, start by reading the general SAP documentation on authorizations. This topic is not covered in this guide and is regarded as a prerequisite. In addition, before using this guide, familiarize yourself with the respective Master Guide for SAP Solution Manager and with the general user and authorization information for SAP NetWeaver systems:
Transaction SPRO SAP Customer Reference Guide SAP NetWeaver Application Server System Administration User and Authorization.
2.3 How to Use this Guide
Setting up an authorization concept for SAP Solution Manager for your own company is not simple. It requires approaching the topic from a technical as well as a content-oriented perspective.
Authorizations are strongly tied to the configuration topics of certain scenarios, as well as to security-relevant technical information. The knowledge for these areas is seldom found within one department on the customer's side, yet technical and application components must be aligned for a successful concept. This is especially important with SAP Solution Manager, as the product supports both the life cycle of systems (maintained by technical staff) and the life cycle of solutions (maintained by application-oriented staff).
Therefore, as described in the previous section, this guide is directed at differing groups with a different focus on SAP Solution Manager. These groups can be organizationally divided.
This guide addresses the resulting differing ways of approaching authorizations and their maintenance from a content-oriented view (for instance, application consultant) and from a technically oriented view (for instance, system administrator).
Recommendation
To set up a stable authorization concept, both views are to be considered and involved.
The following sections give you short guidance on how to use this guide, depending on your main tasks when setting up an authorization concept or authorization roles for SAP Solution Manager.
How to use the guide from a technically oriented perspective
What do we mean by technical perspective? The technical perspective means that you should know how to apply an authorization concept in an SAP system effectively. You know how to handle transactions PFCG and SU01, and role and profile generation. This implies that you are familiar with the SAP role concept and its specifics, such as the profiles SAP_ALL and SAP_NEW.
It also includes basic technical background knowledge of the SAP Solution Manager system and its landscape structure, such as Business Warehouse (BW) integration or the handling of System Landscape Directory (SLD) specifics. The maintenance of roles and authorizations depends on this knowledge.
In addition, you should have a basic understanding of the basic configuration of the SAP Solution Manager system and its managed systems.
From a Technical Perspective (Recommendation)
Table 2
Step Section Remark
1 Core Guide This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.
2 Setup Landscape Guide If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager.
3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. For each scenario or function, a so-called ALL or ADMIN (administration) role is delivered. This role contains full authorization for a specific scenario. In addition, SAP delivers a so-called DISP (display) role, which contains only display authorizations for the respective scenario. If your company's business processes differ from the recommended SAP process, these roles need to be adapted. Your application consultant should define the applicable roles to be used. If the definition differs, the corresponding authorization objects must be maintained.
4 Glossary in this guide, Transaction SUIM in the system, WIKI for Authorizations If you need to maintain authorization objects, you may check the mentioned information sources on individual authorization objects and how they relate to functions. The glossary gives you an overview of all roles mentioned in this guide with the main authorization objects included in these roles. In transaction SUIM, you can search for individual authorization objects and read their documentation. The new WIKI page for authorizations in SAP Solution Manager covers many of the relevant authorization objects for Solution Manager with corresponding use cases, such as how the authorization object should be maintained to restrict certain functions. The use cases are more or less taken from customer situations.
5 HowTo section This section covers how-to guides for technical as well as content-oriented tasks.
How to use the guide from a content-oriented perspective
What do we mean by content-oriented perspective? SAP Solution Manager is an SAP product that supports your business. Roles and authorization objects are delivered to allow your end users to work within the limits of their tasks. In other words, they should only be allowed to execute and see what they need in their daily work. These tasks depend on your specific business processes. As a logical consequence, the authorizations and roles assigned to your users depend heavily on the business processes you deploy, and accordingly on the configuration of your system. The concept of your configuration needs to be considered in the concept of your authorizations. Although we deliver template roles for your use, they can hardly ever be applied to your business without modification. Therefore, before tailoring authorizations or using SAP template roles, you need to consider your business processes, that is, the content of your business.
From a Content-Oriented Perspective (Recommendation)
Table 3
Step Section Remark
1 Core Guide This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.
2 Setup Landscape Guide If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager. It gives you an overview of which scenarios should be running "out-of-the-box" after the setup is done.
3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. If the definition differs, the corresponding authorization objects must be maintained. You need to discuss which authorizations must be maintained in these cases with the person responsible for the technical implementation of the authorization concept. All roles are delivered according to a specific user definition. This user definition gives you an overview of which tasks the user is authorized for if the SAP-delivered template roles are used.
4 HowTo section This section covers how-to guides for technical as well as content-oriented tasks.
How to use this guide when upgrading from Release 7.0 to 7.1
1. Read the SAP Solution Manager Upgrade Guide first, for information see section Additional Links.
2. Check out the Document History for the specific scenarios you are using.
3. Check for updates in transaction SOLMAN_SETUP.
4. Activate the Release Note info button in the IMG to display all information icons for new release features for the configuration of the specific scenarios.
5. If required, read additional guides for additional functions and tools.
Note
If you are already acquainted with the authorization concept in SAP Solution Manager, we strongly recommend reading the Document History for changes in roles and authorization objects, and in addition the Operations Guide for SAP Solution Manager on the Service Marketplace at service.sap.com/instguides SAP Components SAP Solution Manager.
2.4 Links for Additional Components on the Service Marketplace
Your Solution Manager system is the platform for administrative tasks in implementing, operating and upgrading the systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. This guide cannot describe all relevant details of integrated components, such as third-party products or other SAP components. We therefore refer to the applicable guides, Service Marketplace links, or IMG activities as the relevant information sources.
The following tables give you an overview of these additional components, where to find more details, and what they are used for in connection with SAP Solution Manager.
Recommendation
To ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation if needed.
Additional Information on SAP Solution Manager
Table 4
Component Where in the Service Marketplace? And Additional Sources
Master Guide for SAP Solution Manager: service.sap.com/instguides SAP Components SAP Solution Manager 7.1
Upgrade Guide for SAP Solution Manager: service.sap.com/instguides SAP Components SAP Solution Manager 7.1
Operations Guide for SAP Solution Manager: service.sap.com/instguides SAP Components SAP Solution Manager 7.1
Installation Guide for SAP Solution Manager: service.sap.com/instguides SAP Components SAP Solution Manager 7.1
Implementation Reference Guide for SAP Solution Manager: no link, see transactions SOLMAN_SETUP and SPRO in the SAP Solution Manager system
Solution Manager Diagnostics: service.sap.com/diagnostics
IMG projects and project IMGs: How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager Media Library Technical Papers
Additional Information on Infrastructure
Table 5
Component Where in the Service Marketplace?
Guide Landscape Management Database: service.sap.com/instguides SAP Components SAP Solution Manager Release 7.1 Additional Guides
System Landscape Directory (SLD): service.sap.com/sld or sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory. Note: Transaction SOLMAN_SETUP in the SAP Solution Manager system
Software Life-Cycle Manager (SLM): service.sap.com/slm and help.sap.com/nw70 Functional View Solution Life Cycle Management Software Life Cycle Management. Note: Information and Configuration Prerequisites Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)
Adobe Document Services (ADS): service.sap.com/adobe. Note: Information and Configuration Prerequisites ADS setup (technical name: SOLMAN_ADS_INFO)
One Transport Order: service.sap.com/solutionmanager Media Library Technical Papers
TREX: help.sap.com/nw2004s. Note: Information and Configuration Prerequisites TREX (technical name: SOLMAN_TREX_INFO)
Master Data Management (MDM) / MDM Administration Cockpit: service.sap.com/mdm and service.sap.com/installmdm
SAP NetWeaver Administrator: service.sap.com/nwa
Adaptive Controlling (ACC):
● for general information: sdn.sap.com/irj/sdn/adaptive
● for application help, such as starting and stopping an application service: help.sap.com
● for installation information: service.sap.com/instguides
Application help for security topics connected to ICF services: help.sap.com/nw07
System security for SAP NetWeaver ABAP and Java (help setting up system security for ABAP and Java): service.sap.com/security Media Library Literature
Current list of ports used by SAP: service.sap.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications, or wiki.scn.sap.com/wiki/display/TCPIP/Home+of+TCP-IP+Ports
Diagnostics: service.sap.com/diagnostics
Authorization object S_RFCACL: help.sap.com/nw70
Auditing and Logging: help.sap.com Search Documentation, search for Auditing and Logging
Web Dispatcher: see the corresponding help documentation for the Web Dispatcher step in transaction SOLMAN_SETUP
Additional Information on Business Warehouse Integration
Table 6
Component Where in the Service Marketplace?
Business Warehouse (BW): service.sap.com/bi. Note: Information and Configuration Prerequisites BW (technical name: SOLMAN_BI_CLIENT_INF)
Additional Information on Third Party
Table 7
Component Where in the Service Marketplace?
SAP Quality Center by HP: service.sap.com/solutionmanager SAP Quality Center by HP. Note: Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)
SAP Redwood Job Scheduling: service.sap.com/job-scheduling
Note: Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)
SAP TAO: service.sap.com/saptao
Wily Introscope User Administration: Introscope Installation for SAP, Introscope® Version 8.0 Installation Guide for SAP. Note: See SAP Note 797147. Used in the Root Cause Analysis and Technical Monitoring work centers.
Additional Information on User Management
Table 8
Component Where in the Service Marketplace?
User Management Engine (UME): help.sap.com/saphelp_nw04/helpdata/6a/d39b3e09cdf313e10000000a114084/frameset.htm
Central User Administration (CUA): help.sap.com/saphelp_nw73/helpdata/en/23/cbce3b1bc7fa20e10000000a114084/frameset.htm. Note: You can find the complete CUA configuration guide on the Service Marketplace at help.sap.com
Single Sign-On: service.sap.com/sso-smp
Additional Information on Other SAP Products
Table 9
Component Where in the Service Marketplace?
PI Security Guide: help.sap.com/saphelp_nw04/helpdata/en/58/d22940cbf2195de10000000a1550b0/frameset.htm
Additional Information on Roles Management
Table 10
Component Where in the Service Marketplace?
SAP NW Guide for PFCG: general PFCG link
Details about OBN navigation in SAP NWBC: wiki.wdf.sap.corp/wiki/display/NWBC/Documentation
On roles for SAP Change and Transport Analysis Sessions: SAP Note 1074808
2.5 Using SAP Solution Manager as a Service Provider
As a Service Provider, you provide services to your customers using SAP Solution Manager. The Service Provider scenario extends the SAP Solution Manager standard scenario setup for specific customer contexts.
Figure 1: Customer Contexts
If your SAP Solution Manager is used in one of the above contexts, you can use it as a Service Provider. For this purpose, you also need to add some additional configuration and specific authorizations for you, as the Service Provider, and for your customers/subsidiaries.
See the section Service Provider and Service Provider Customer Specification.
For more information on Service Provider scenarios and their definition, see the Master Guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
3 Terminology as Used in SAP Solution Manager
This section gives you an overview of the main terms used in this security guide. It refers only to terminology specifically used in regard to SAP Solution Manager. It does not cover overall SAP terminology. For more detail on SAP terminology, refer to SAPterm.
General SAP Solution Manager Guide Terminology
Table 11
Term Definition as Used in This Guide Synonyms as Could be Used by Other Sources
Core Security Guide: In the Core Security Guide you find all sections referring to conceptual issues concerning the security of SAP Solution Manager. In contrast to the more specific scenario guides, it outlines prerequisites for dealing with the landscape setup or operation of SAP Solution Manager in this regard. (Synonyms: Main Guide, Main Security Guide)
Scenario-Specific Guide: In analogy to the configuration structure in transaction SPRO, each capability is regarded as a separate scenario. For each scenario, you find the corresponding information on RFC connections, users, configuration, and so on in the scenario-specific guides. Due to the nature of SAP Solution Manager as an end-to-end platform, you also find sections on scenario integrations and on the integration with external products. (Synonyms: Scenario Guides)
User Management
Table 12
Term Definition as Used in This Guide Synonyms as Could be Used by Other Sources
User: A user is a person working in the system with a user ID. (Synonyms: human user, end user)
Technical User: The technical user is the overall term for users which are not dialog users in the system. They can be service users, system users, or communication users. The user types are explained in more detail in the core guide section for User Management. (Synonyms: service user, system user, RFC user, communication user)
CUA: (Synonyms: CUA, Central User Management)
User Master Record: The User Master Record defines all data which belongs to a user with a user ID in the system. (Synonyms: SU01 data)
Consumer ID: PI-specific term, user ID: SOLMAN_<SIDofSM>, see the scenario-specific guide for Technical Monitoring
Roles and Authorization
Table 13
Term Definition as Used in This Guide Synonyms as Could be Used by Other Sources
Authorization Concept: An authorization concept defines the structure of how authorizations are bundled and assigned to users in a system. According to the nature of the system's application, this can vary extensively from one SAP product to another.
Segregation of Duty: Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task shall prevent fraud and error. (www.wikipedia.org) (Synonyms: Separation of Duty)
Business Role: The term Business Role is used to define that the role is used for segregation of duty. It contains authorization objects that are used for restricting specific business tasks. In the context of CRM, it defines a CRM role. This definition is not used within SAP Solution Manager; see the core guide section on the integration of CRM with SAP Solution Manager. (Synonyms: Role, User role)
Standard SAP Roles: The Standard SAP Role is a role shipped by SAP as a template recommendation for use by customers. It is modeled according to the process recommended by SAP for a business task. Customer requirements nevertheless need to be adapted. (Synonyms: Template role, Technical roles)
CRM Role: A CRM role is used to define a role that only contains CRM authorization objects. (Synonyms: Standard CRM role)
Template Roles: see Standard SAP Roles
Technical Roles: The term Technical Role is used to define that the corresponding role contains mainly authorization objects to allow a technical component of the system to run, for instance the Extractor Framework. (Synonyms: Standard SAP Roles)
Reporting Roles: The Reporting Role defines a role that is used for BI reporting. It contains primarily BW-related authorization objects. (Synonyms: Standard SAP Roles)
Composite Role: Composite roles simplify the user administration within an ABAP SAP system. They consist of a defined number of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare activity. Composite roles do not contain authorization data. Setting up composite roles is useful, for example, if some of your staff need authorization for several roles. You can create a composite role and assign it to the users instead of putting each user in each required single role. In the description tab of the composite role, you find a short instruction on how to further handle the delivered SAP Standard role. All roles shipped by SAP are only templates. You may use them 1:1 if they fit your requirements exactly. For a user and role description, see the relevant scenario-specific security guide. In most cases, your requirements will not fit the SAP delivered role. Therefore, you have to adapt either complete single roles or individual authorization objects. Make sure you have built up an appropriate authorization concept for your users in advance. Synonyms: Collective Role.
Single Role: Single roles are collections of activities which allow a user to use one or more business scenarios of an organization. This is basically an enumeration of credentials which can be applied to one or several users within an SAP System. After a system administrator assigns a role to a user, the SAP system displays a specialized user menu for that user (SAP GUI-relevant). In addition, the user role also assigns the authorizations the user requires for these activities. The standard SAP system contains a large number of template roles. You can use these as is, or copy them and change them. The integrity of business data is also ensured by the assignment of roles. Assignment of a role requires the system administrator to generate a profile for this role. This so-called authorization profile is generated to restrict the activities of users in the SAP System, depending on the authorization objects maintained in the roles.
Note: As of release 7.1, no single profiles are shipped anymore, only roles.
Profile: A profile of a role defines the maintained authorization objects. Without a profile and a profile generation, authorization restriction does not work for the specified user. You can generate more than one profile for one role, depending on the authorization values you maintain. As of release 7.1, single profiles are not shipped anymore. A profile must always be generated by the customer him/herself.
Authorization Object: An authorization object is defined by authorization values. The object is checked in the coding by AUTHORITY-CHECK for its values. An authorization object can be maintained according to the specific requirements of the customer.
Authorization (Field): An authorization field is defined by the authorization values that can be entered for it. In general, the authorization values can be selected using Value Help.
Authorization Value: Authorization values are defined in value tables for the authorization object.
Roles for Infrastructure: Infrastructure comprises all entities that are the basis for scenarios. Infrastructure roles contain all necessary authorization objects for it. For more information, see the section on User roles for Infrastructure in the Landscape Setup Guide. Synonyms: SAP Standard Role.
Scenarios, Core Business Processes, Capabilities, Functions
Table 14
Term: Definition as Used in This Guide. Synonyms: as Could be Used by Other Sources.
Scenario: SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes and systems, within a system/platform. The product life-cycle can be regarded as a set of scenarios. A scenario is a group of business process-related functions which support the sequential and logical relationships of processes within the life-cycle of the product. We differentiate between scenarios (for instance: Implementation/Upgrade of SAP Solutions or Test Management), processes relating to these scenarios (for instance: Roadmap), and functions that can be used in one or more of them (for example, the function Document Management can be used in Implementation and/or Test Management). Synonyms: Capabilities.
Note: Usage data about the functions and scenarios used by the customer is sent to SAP. See SAP Note 939897 (how to prevent this transfer).
IT Service Management: Used as a synonym for Incident Management, Problem Management, Request Management, Service Desk, Support Desk. Synonyms: Service Desk, Support Desk, Incident Management, Incident Application Management.
Solution Manager Infrastructure
Table 15
Term: Definition as Used in This Guide. Synonyms: as Could be Used by Other Sources.
Configuration: The configuration of SAP Solution Manager consists of two main parts: the basic settings of the SAP Solution Manager configuration in transaction SOLMAN_SETUP (first three views), and the scenario configuration, which is done for Technical Monitoring in transaction SOLMAN_SETUP and for other scenarios in transaction SPRO. Synonyms: Installation, Infrastructure.
Infrastructure: Before you can work with a scenario/function in the Solution Manager systems, you need to make all relevant systems, databases, and servers known, and maintain primary units such as solutions and logical components, and your business processes. This guide refers to all these as infrastructure. Synonyms: Configuration, Installation.
Operations: Operations refers to the tasks executed in a system after it is installed and configured.
Business Intelligence (BI): Synonyms: BW.
Business Warehouse (BW): Synonyms: BI.
Dashboard Framework: The dashboard framework integrates dashboards in applications of the Solution Manager and allows the usage and presentation of data from the Business Warehouse in the Solution Manager. The dashboard framework enables the flexible configuration of dashboards with the help of business apps.
Dashboard Type: A dashboard type is a template for dashboard instances.
Dashboard Instance: A dashboard instance is the representation of a dashboard type. It is a container for a collection of business app instances and/or dashboard instances.
App Instance: An app instance is the representation of an app type. With the help of business apps, users can compose their individual dashboards. A business app instance is the user interface for the visualization of KPI data.
App Type: An app type is a template for business app instances.
Child system: Child system, used in connection with CUA. Synonyms: Target system.
Central system: Central system, used in connection with CUA. Synonyms: Source system.
Client system: Client system, used in connection with CUA.
Business system: A managed system, if the focus is set on the use of the system for the business of the customer. Synonyms: Managed system.
4 Quick Guide
This section provides you with a number of steps you should perform to secure your SAP Solution Manager system.
Procedure
Table 16
Step: What to Do? (Further Information in Source/Section in This Guide, See...)
Phase: Setup SAP Solution Manager (Installation)
0: Check Security Settings according to Installation Guide
1: Network (see section 7.1)
2: SSL (see section 7.4)
3: Apply all relevant Security Patches (see function System Recommendations and check the Online Documentation for SAP Solution Manager)
Phase: Configuration Preparation of SAP Solution Manager. Check steps in System Preparation view in transaction SOLMAN_SETUP
4: ICF Services (change default settings if you do not use HTTPS) (see section 7.3)
5: Step 2: Check Recommended Profile Parameters (see activity documentation)
6: Step 4.1: Check Web Dispatcher Configuration (see documentation link in the HELP text)
7: Step 4.2: Authentication Types for Web Services (see activity documentation)
8: Step 4.4: Set Authentication Policy for Agents (see activity documentation)
9: Step 4.5: Gateway Configuration (optional) (see section 7.7 and the recommended documentation in the HELP text)
Phase: Configuration of SAP Solution Manager. Check steps in Basic Settings view in transaction SOLMAN_SETUP
10: Step 3.2: Configure SAProuter (optional) (see section 7.6 and the recommended documentation in the HELP text)
Phase: Configuration of Managed Systems. Check steps in Managed Systems view in transaction SOLMAN_SETUP
11: Step 3: RFC Connections (see section 9.10)
Phase: Additional Activities
12: HTTP Connect Service (see section 7.5)
Phase: User and Roles Management
13: SSO / SNC (see sections 7.6 and 8.4, and SAP Note 1121248)
14: Familiarize with SAP Solution Manager Authorization Concept (see section 9)
15: Check the scenario-specific Security Guides
5 Overviews
5.1 Overview: Capabilities/Functions
The following table gives you an overview of the functions covered in this guide and which work center/scenario/specific guide they belong to.
Table 17
Specific Functions Work Center / Scenario/Specific Guide Remark
System, Host, Database Monitoring Technical Monitoring see scenario guide
PI Monitoring
BI Monitoring
End-User Experience Monitoring
Connection Monitoring
Self Monitoring
Infrastructure Monitoring
Message Flow Monitoring
BI - Reporting Technical Monitoring
Test Management
Incident Management
Solution Manager Administration
Business Process Operations
Change Management / Change Request Management
Described in section BI Integration
Dashboards Technical Monitoring
Test Management
Incident Management
Business Process Operations
Change Request Management
Described in section BI Integration
Maintenance Transactions Maintenance Optimizer see scenario guide
Road maps Implementation and Upgrade
Business Blueprint/Configuration
Project Administration Implementation and Upgrade
Solution Manager Administration
Business Blueprint/Configuration Implementation and Upgrade
Business Functions
Upgrade Dependency Analyzer
Customizing Distribution
BC-Set Activities
Help Center
Learning Maps
Digital Signature
Document Management Implementation and Upgrade
Test Management
Solution Documentation Assistant
Change Management / Change Request Management
Implementation and Upgrade scenario guide
Solution Directory Implementation and Upgrade Described in section Infrastructure Roles
Test Automation Test Management see scenario guide
Test Plans, Test Packages
Test Information
Testing
Test Workbench Workflow
Extended Capabilities
Solution Documentation Assistant Solution Documentation Assistant
TBOMs Test Management / Business Process Change Analyzer
Change Analyzer Test Management / Business Process Change Analyzer
Incident Management Incident Management In addition, described in section CRM Integration
5.2 Overview: Solution Manager Functions Integration
This section gives you an overview of the integration of functions. Only those functions are listed which rely on cross-work center usage. For instance, Upgrade Dependency Analyzer is not mentioned, as it does not integrate with functions in other work centers than Implementation and Upgrade. But Business Blueprint and Configuration are mentioned, as they are used in the work centers Implementation and Upgrade and Solution Documentation Management.
More details are described in the scenario-specific guides.
How to read the table
The header determines in which function the integration is placed. For instance, the integration of TBOMs into Business Blueprint/Configuration can be done in transaction SOLAR01/02. In this case read: Header Line for Business Blueprint/Configuration number 1 and check the integration with vertical number for Business Process Change Analyzer number 7.
1. Business Blueprint and Configuration
2. CDMC
3. Customizing Distribution
4. Document Management
5. Solution Directory
6. Solution Documentation Assistant
7. Business Process Change Analyzer
8. Incident Management
9. Issue Management
10. Test Management
11. Business Process Monitoring
12. Change Request Management
13. Job Management
14. SAP Engagement and Service Delivery
15. Root Cause Analysis
16. Technical Monitoring
17. Notification Management
18. Quality Gate Management
19. Configuration Validation
20. Data Volume Management
21. Exception Management
22. Guided Procedure Browser
23. CBTA
24. cProject
25. Project Administration
26. Message Flow Monitoring
Table 18
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
1 X X X X
2 X
3 X
4 X
5 X X X X
6 X
7 X X X X
8 X X X X X X X X
9 X X
10 X X X X
11 X X X
12 X X X X X X X
13 X X
14
15 X X
16 X X X
17 X X X X
18 X
19 X
20
21 X X X X X X
22 X X
23 X X
24 X X
25 X X
26 X X X
5.3 Overview: Solution Manager Configuration
This section gives you an overview of which functions are configured using transaction SOLMAN_SETUP:
● All Technical Monitoring scenarios
● Incident Management (ITSM)
● Change Request Management (ITSM)
● Business Process Change Analyzer
● Business Process Monitoring and Analytics
● SAP TAO
● Data Volume Management
● Measurement Platform (ESR)
● Service Availability Management (SAM)
● EWA Management
● CBTA
All other scenarios can be configured using transaction SPRO.
5.4 Overview: Solution Manager Technical RFC Users per Scenario
This section gives you an overview of which users are necessary per scenario. An X in a column indicates that the user is necessary for this scenario. Detailed information about the RFC destination used can be found in the according scenario-specific guides.
Scenarios
● Implementation = A
● Solution Documentation Assistant = B
● Test Management = C
● Business Process Change Analyzer = D
● Incident Management = E
● Change Request Management = F
● Quality Gate Management = G
● Technical Monitoring = H
● Business Process Operation = I
● Job Management = J
● SAP Engagement and Service Delivery = K
● Technical Administration = L
● Data Volume Management = M
● Root Cause Analysis = N
● Maintenance Optimizer = O
● Custom Code Life-Cycle Management = P
● IT Task Inbox and Guided Procedures = R
Table 19
User and/or RFC
A B C D E F G H I J K L M N O P R
READ RFC (X)9 (X)9 X X X (X)9 (X)9 X (X)9 X X X X X X (X)9
TMW RFC X 1 X X 2 X X X
BACK RFC X 3 X X X X
TRUSTED RFC
X 4 X 8 X 5 X11 X 6 X8 X
10
SMD_RFC User
X 7 X 7 X
BI_CALLBACK User
X X X X X
SM_EFWK User
X X X X X X X
SMD_BI_RFC User
X X X X X X X
OSS_RFC User
X x X
1 for CDMC
2 for creating and releasing of transport request
3 for EWA data transfer
4 for Customizing Distribution; Customizing Synchronization, BC-Sets, CDMC
5 for Task List Framework
6 for CDC, value help for BP Monitoring
7 Java - related
8 Alternatively Login RFC - Connection can be used
9 if a TMW connection is in place, the TMW connection user has all required authorizations as the READ connection user plus batch and write authorizations. If you have a TMW connection in place, you do not necessarily need a READ connection.
10 in case of automatic activities (only in customer owned settings)
11 for Message Flow Monitoring
5.5 Overview: Third Party Products to Be Used with Solution Manager
In this section you find an overview of Third Party Integration with individual scenarios. For more details, see the scenario-specific guide section External Integration. For more information on security for external tools, see the according documentation for the tool.
1. Implementation
2. Incident Management
3. Test Management
4. Business Process Change Analyzer
5. Job Management
Table 20
1 2 3 4 5
Business Process Management Suite (NW CE)
X
Enterprise Service Repository (PI)
X
SAP Productivity Pak by RWD
X
Service Desk X
HP QC X
ECatt X
Test Tools X
IBM Rational Test Management Tool
X
SAP TAO X
SAP CPS X
6 System Landscape
6.1 Technical System Landscape
SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager, you need one of the following clients: SAP GUI, a web browser, or SAP NetWeaver Business Client (NWBC) (for work center functionality). Communication with other systems is via RFC technology and web services.
You find explanations for scenario-specific technical system landscapes within each scenario-specific guide.
More Information
For a detailed view of the overall system architecture of SAP Solution Manager, see the master guide for SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
7 Network and Communication Security
As part of its basic functions, SAP NetWeaver offers several interfaces to the network. This includes remote function call (RFC)-enabled function modules or services offered using the Internet Communication Framework (ICF). A standard function available from the ICF is the Simple Object Access Protocol (SOAP)-based RFC interface allowing RFC requests over HTTP. This interface is activated for use by another application.
This section gives an overview of the communications concept for SAP Solution Manager, including sections on topics related to HTTP connections and RFC connections.
7.1 Network Topology
Your network infrastructure must protect your system. It needs to support the communication necessary for your business and your needs, without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are able to connect to the server LAN (local area network), they can exploit well-known bugs and security holes in network services on the server machines. The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.
Recommendation: The security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.
7.2 Communication Channels and Communication Destinations
SAP Solution Manager's task is to manage your system landscape. To do so, you need to configure various connections to/from your managed systems.
All required communication channels and destinations are explained in the landscape setup guide and the various scenario-specific guides.
Trusted RFC
In the web of your system landscape, SAP Solution Manager receives data from all the systems you have connected to it via various RFC connections. The most security-relevant RFC connection is the trusted RFC, which allows for immediate access to/from your managed systems without any additional login. This RFC is required for several scenarios within SAP Solution Manager, but not all.
READ RFC
The RFC for Read access is an RFC connection with a specific RFC user of type system. It is required to read information from managed systems in many scenarios.
TMW RFC
An additional RFC, which may be used for some scenarios, is the TMW RFC. This RFC allows for read access as well as batch authorizations in the managed system. If you require TMW, all authorizations for READ access are included.
BACK RFC
The BACK RFC allows the managed system to send data to SAP Solution Manager for further usage. This is required for Services and Incidents.
RFCs to SAP
Apart from the communication to its managed systems, SAP Solution Manager needs connections to SAP. Many of Solution Manager's scenarios rely on close communication with the SAP backbone. In addition to the SAPOSS RFC, Solution Manager requires two further RFCs, which are copied from the SAPOSS RFC.
Users
This setup of Solution Manager, with its connections to many managed systems and to SAP, requires a number of RFC users and S-users with specified authorizations.
7.3 Internet Communication Framework
Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. Both are based on the HTTP protocol.
The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) for communication between systems through the Internet. You do not need any additional SAP program libraries. The only condition is that your system platform is Internet-compliant. This gives you a maximum amount of flexibility in responding to varying communication requirements.
Communication through the ICF has the following benefits:
● Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces. You can change the default settings for services if you do not maintain an HTTPS connection and you are required to enter your user and password (message in the logon screen: No Switch to HTTPS occurred, so it is not secure to send a password):
1. Choose transaction SICF and the according service (/default_host/sap/bc/webdynpro).
2. Select tab Error Pages and choose the button Configuration.
3. Change the protocol selection.
4. Save.
Figure 2: SICF Service System Logon Configuration
● Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location.
Caution: SAP delivers all ICF services inactive, for security reasons.
To activate a single service, choose the service in transaction SICF, right-click, and choose Activate Service.
● Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.
ICF Service Reports
In the SAP Solution Manager setup, the system activates services in different configuration scenarios. Most of the services are activated in the Basic Configuration view, Step 5 (Configure Automatically). Services are grouped and can be activated together by running the report in transaction SICF_INST. One group can contain up to 100 services.
The following ICF Service Reports are activated during SOLMAN_SETUP:
● SM_BASIC_SETTINGS*
● WEB DYNPRO ABAP
● SM_DTM
● SM_CRM_UI
● SM_MONITORING
● SM_CROSS_SCENARIO
● SM_JOB_SCHEDULING
● SM_BPO_DASHBOARD
● SM_SDA
● SM_IMPLEMENTATION
● SM_BW
If you decide to deactivate a service, proceed as follows:
1. Check the SICF path of the application (service).
2. Go to transaction SICF, and enter the path name.
3. Using the right mouse click, choose the activity Deactivate in the menu.
4. Deactivate the service.
The service is greyed out in the SICF host tree.
7.4 Secure Socket Layer (SSL)
The Secure Sockets Layer (SSL) protocol is a protocol layer placed between a reliable connection-oriented network-layer protocol (for example TCP/IP) and the application protocol layer (for example HTTP). SSL provides secure communication between a client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy. Secure Socket Layer (SSL) allows you to create secure connections for HTTP.
Caution: You must set up SSL for SAP NetWeaver ABAP and Java (for instance: Diagnostics Agents, Maintenance Optimizer and SLM), see SAP Note 1138061. SSL only provides a secure channel between partners communicating directly in a network. SSL protects the messages only while in transit, but offers no security for (XML) data in storage.
To set up SSL in your system, follow the procedure described in SAP Note 510007, and for the Diagnostics Agent the according step in transaction SOLMAN_SETUP later on. See also the installation guide for SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
Note: To check if SAP Cryptolib has been successfully implemented, run program SSF02. Set the flag get version and choose execute. The system displays the current version of SAP Cryptolib.
More Information
On Maintenance Optimizer (SLM), see IMG activity Information and Configuration Prerequisites for Maintenance Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO).
Further Information on SSL
Table 21
Information: Source (Remarks)
SAP Note 510007: Setting Up SSL on the Web Application Server (procedure to set up SSL)
SAP Note 1000000: Web Dynpro ABAP FAQ (general authorization checks for services and applications are available over the ICF)
SAP Note 938809: Web Dynpro ABAP checklist for creating problem messages (if you create an error message for Web Dynpro ABAP under component BC-WD-ABA, see the checklist in the SAP Note)
SAP Note 810159: Subsequent installation of SAP JAVA CRYPTO TOOLKIT
Application help for security topics connected to ICF services: help.sap.com/nw07
Installation guides: service.sap.com/instguides SAP Components SAP Solution Manager <current release>
System security for SAP NetWeaver ABAP and Java (help setting up system security for ABAP and Java): service.sap.com/security Media Library Literature
7.5 HTTP Connect Service for SAP Support
Due to the firewall between customer and SAP systems, it is not possible to display pages of BSPs or Web Dynpro applications in SAP Solution Manager using standard service or support connections. To receive support from SAP for these technology types, you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note 1072324. You need to maintain this connection for on-site and remote support. Secure this HTTP connection for remote support with HTTPS.
7.6 File Transfer Protocol (FTP)
FTP is a network protocol used to send data from one computer to another through a network such as the Internet. You use FTP for SAProuter permission table.
Recommendation: We recommend protecting FTP communication with SAPFTP, using Secure Shell (SSH). For more information, see SAP Note 795131.
7.7 Use of Gateway
In transaction SOLMAN_SETUP, view System Preparation, Step 4.5, you can configure Gateway settings for Solution Manager applications on mobile devices. You can either configure it in the Solution Manager system or a separate system.
Recommendation: We recommend a separate system.
If you configure Gateway in the same system as Solution Manager, assign role SAP_SM_GATEWAY_ACTIVATION to your administration user, for instance SOLMAN_ADMIN.
For more information, read the HELP section for the according step in transaction SOLMAN_SETUP and read the security guide for Gateway on: help.sap.com/saphelp_gateway20sp03 .
8 User Administration and Authentication Tools
The SAP Solution Manager uses the user management and authentication mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver ABAP. If you use Root Cause Analysis, the user management and authentication mechanisms provided by SAP NetWeaver Java are used, so the security recommendations and guidelines for user administration and authentication, as described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide, also apply to SAP Solution Manager. We also provide a list of the standard users required to operate the Solution Manager for each scenario. As the mechanisms provided by the SAP NetWeaver Java only apply for Diagnostics, see according information in the Service Marketplace: service.sap.com/diagnostics .
8.1 Basic SAP User Management Tools and User Types
A user in a computing context refers to a human person who uses a computer. Users may need to identify themselves for the purposes of accounting, security, logging and resource management.
In an SAP system, users must be created, and roles containing authorizations and a user menu must be assigned to user master records. A user can only log on to the system if he or she has a user master record. It contains user data such as e-mail address, language and password. It can be changed by an administrator or the user.
Creating and changing user master records is done in the User Management. The User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver ABAP, and Java tools, user types, and password policies. Since SAP Solution Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of the Java stack is to be configured against the ABAP stack. This is done during automated basic settings configuration, see Landscape Setup Guide.
The users created in the User Management tool are typically assigned user types which follow specific demands regarding their password policy.
You can also use external applications for the User Management by using technologies like LDAP, Active Directory (Microsoft OS only), or NIS (Linux). For more information regarding external User Management solutions such as the LDAP scenario, see the documentation available on the SAP Service Marketplace.
Caution: The ABAP stack is the User Management tool for users, roles, and profiles, which are fetched into the Java UME storage. However, in some cases Java users have to be stored and maintained within the Java stack. This is, for example, the case for the SLD users (SLD is a Java application).
The following sections give you an overview over the User Management tools used by SAP Solution Manager as well as the user types used.
User Management Tools Overview
Table 22

Object: Users
Recommended Tool: Transaction SU01
Remarks: User Management in the ABAP system(s).
Caution: For password security information, see SAP Note 862989.

Object: PFCG roles
Recommended Tool: Transaction PFCG
Remarks: Note: The User Comparison feature was corrected, see SAP Note 1272331.

Object: J2EE security roles and UME roles (only applies to Java applications, for instance Root Cause Analysis)
Recommended Tool: UME and the Visual Administrator
Remarks: Administration console to manage UME roles, and administration tool of the Java Server to manage J2EE security roles. Both of these tools are part of SAP NetWeaver Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in SAP NetWeaver Java. For more information on UME conversion, see IMG activity Convert UME (technical name: SOLMAN_CHANGE_UME).

Object: Automatic creation of SAP Solution Manager-specific default users and assignment of relevant roles
Recommended Tool: Transaction SOLMAN_SETUP
Remarks: See section on Automatic User Creation in transaction SOLMAN_SETUP.

Object: Mass maintenance for automatic creation of SAP Solution Manager-specific default users and assignment of relevant roles
Recommended Tool: Work Center SAP Solution Manager Administration
Remarks: See section on Automatic User Creation in Solution Manager User Administration (SMUA).
For more information how to create roles, how to maintain authorizations and authorization profiles, and how to execute the user comparison, see How-to section in this guide.
User Types
When speaking about user types, we mean users in a system, which are created for various purposes. This is necessary to specify different security policies for different types of users. For example, your policy may specify that human users (end users) who perform tasks interactively must change their passwords regularly, whereas users who run jobs in the background need not do so. In this guide we differentiate between human users, who are represented in the system by dialog users, and technical users who perform tasks on behalf of other users in the system. These are represented in the system by the type of system user, service users, or reference users. In transaction SU01, tab Logon Data, you can determine the user type for your user.
During the SAP Solution Manager configuration, every user can be created either automatically or manually, depending on whether it is created during the basic Solution Manager configuration, the technical monitoring setup, or the scenario-specific setup.
Dialog User
A dialog user represents human users, also called end users. It is required for individual, interactive sessions in the SAP system. An end user requires this user type.
With dialog users, it is possible to check for expired/initial passwords, to change passwords, and the system checks for multiple logons. You should assign to a dialog user exactly the authorizations that he or she requires to perform his or her tasks, in accordance with an established roles concept and authorization concept.
SAP Solution Manager ships composite template roles for predefined end users for each scenario, see the corresponding scenario-specific guides. This means that we deliver template roles whose authorization objects are maintained according to a specified authorization concept. This authorization concept is a recommendation by SAP, which you can use. Since your requirements may differ, you need to adapt these delivered templates. In the scenario-specific guides you find the user description relevant for each template role.
In case of a dialog user using ABAP stack and Java stack UI, an assigned role (for instance SAP_J2EE_ADMIN) can be propagated to user groups of the user management engine (UME), which are then assigned to security roles for Java applications by using the Security Provider service of the Visual Administrator. These roles include no authorization objects.
Dialog users are maintained in the ABAP stack. A session-based single sign-on is supported.
Note: If you use SAP NWBC as front-end client, you can only log on with a dedicated dialog user.
Service User
A service user is available to a larger, for the moment anonymous, user community, and allows interactive system access. Although a service user does not log on interactively, it is authenticated and its attributes contain a valid ticket. This user type is used, for example, for guest access, or to connect to a remote system with certain rights. With this user type, the system does not check for expired or initial passwords, only a user administrator can change the password, and multiple logons are permissible. Since this is security-relevant, these users should be assigned exactly the authorizations that are required by a large number of users of equal status. The IMG explicitly states when a user should be of user type Service.
System User
A system user does not allow interactive system access. This user type is used to perform certain system activities, such as background processing, ALE, workflow, and so on. The system excludes a user of this type from password expiry. Therefore, the password of these users can only be changed by user administrators in transaction SU01. You should also ensure for users of this type that you assign only the rights that are required in the system. If, for example, system users for RFC connections have too many authorizations, RFC administrators from the calling system can easily log on to the called system and abuse the technical user's authorizations. SAP Solution Manager ships predefined standard roles for such users. This user type is used for user SOLMAN_BTC and for RFC users. All technical users created by the automated basic settings configuration via SOLMAN_SETUP are of type system.
Reference User
Instead of assigning roles to each user individually, a reference user is created for a selection of roles that are to be assigned to a larger group of users, and the selected roles are assigned to this user. The reference user must then be assigned to the dialog users in the Roles tab of the user master record. This minimizes administration costs and improves performance. This method is used when you need to create a high number of users in your system with the same authorizations assigned. For instance, in Application Incident Management the report AI_SDK_SP_GENERATE_BP is used to create users as well as the corresponding business partners.
Figure 3: Report: AI_SDK_SP_GENERATE_BP
With this report, you can use a reference user to create users and according business partners.
8.2 Automatic User Creation using Transaction SOLMAN_SETUP
Configuration Users and Template/Standard Users
Configuration Users
In transaction SOLMAN_SETUP, you can create specific configuration users for all scenarios that are configured automatically in a guided procedure in transaction SOLMAN_SETUP. These users are created during the Basic Settings Configuration. They allow you to provide one specific configuration user per scenario.
You can as well provide an existing user. In this case, the system adds the according missing roles to this user. For instance, you can provide user SOLMAN_ADMIN.
The configuration user contains all necessary authorizations for configuring the scenario using the guided procedure. It also contains authorizations to check system prerequisites and run the application.
Template/Standard Users
Within each guided procedure for a scenario, it is possible to create so-called Template/Standard Users. These users contain exactly the authorizations/roles that allow only those activities in the corresponding application which are defined in the user description by SAP. Therefore, these users can be considered DEMO users. Creating these users is an optional activity.
The template users contain only authorizations for the main functions of the scenario. They do not include authorizations for additional functions (see the sections on Additional Functions in each scenario-specific guide), or authorizations for integration with other scenarios/functions (see the section on Scenario Integration in each scenario-specific guide). In both cases, you need to add the corresponding authorizations manually.
The roles assigned to a specified user are also available as composite roles, see section on Users and Authorizations in the scenario–specific guides.
User Description and Role Descriptions
For all users created in transaction SOLMAN_SETUP, and all roles assigned, a documentation is provided through a link in the according user creation step. The user description states which tasks are allowed for this user in the specific application. The role description describes for which functions authorizations are provided.
The roles are listed in the according scenario–specific guides and the system HELP Text ID is mentioned. This HELP Text ID can be checked directly in transaction SE61.
For authorization object descriptions, see the SDN Wiki on the topic or check transaction SUIM for this authorization object.
User Types
You can create users of the following user types:
● Dialog User
This option should only be used for System Preparation, Basic Settings, and Managed System Configuration. In these configuration procedures users must be created as displayed in the screen. Otherwise, a change of user type can lead to errors during configuration. After configuration, the user type for administration users such as SOLMAN_ADMIN, managed system administrator, or BW administrator can be changed to Service User in transaction SU01 to disable active logon.
● System User
This option is always used for technical users, and should not be changed if it is suggested in the guided procedure for this user.
● Reference User
This option allows you to create reference users if required.
Recommendation: We recommend using this option for the creation of template/demo users in the guided procedure.
● Service User
User Creation and Update
Create Users
When you create a user, the system tells you if an according user already exists. Use field Action to create a new user. The system provides you with the default name for this user. You can change this user name. The system then automatically creates the user and assigns the roles which are displayed in the column Copy from SAP Role. Navigation roles and CRM Business Roles are not copied (see section on Navigation Roles). The system then does not provide any suggestion for a role copy.
Update Users
You need to update your users when roles/authorizations need to be updated. In addition, you can choose to update/enhance existing users with additional role assignments using the update functionality. For instance, you can update/enhance user SOLMAN_ADMIN with configuration roles for scenario-specific guided procedures in SOLMAN_SETUP.
Business Partners
Some scenarios, like CRM - based scenarios or Technical Monitoring, require that the user is assigned a Business Partner (BP). When you create a new user using transaction SOLMAN_SETUP an additional business partner is created as well. The system does not create a Business Partner when you update existing users.
Roles Assignment and Update
Role Assignment
All roles assigned to automatically created users in transaction SOLMAN_SETUP are fully maintained. This means that for authorization fields which cannot be prefilled by SAP with default values, an asterisk (*) is maintained, which grants full authorization for this field. For instance, the Solution ID field in authorization object D_SOL_VSBL cannot be prefilled by SAP due to its generic nature.
Recommendation: If you would like to use these users in a productive environment, we recommend checking the roles manually and assigning specific values to all fields containing an asterisk.
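The manual check recommended above can be supported by a small script over an export of the copied roles' authorization data. The following is an added example for this guide, not SAP code: it assumes the data has been exported from table AGR_1251 (role name, authorization object, field, low value, high value) as tab-separated text, and it reports every field whose value is still a bare asterisk. The sample lines are constructed, and SOL_ID is a placeholder for the Solution ID field of D_SOL_VSBL, not its real technical field name.

```python
"""Find wildcard (*) authorization values in copied Solution Manager roles.

Added example for this guide, not SAP code. It assumes the authorization data
of the copied roles has been exported from table AGR_1251 (role name, object,
field, low value, high value) as tab-separated text. The lines below are
constructed sample data; SOL_ID is a placeholder for the Solution ID field of
D_SOL_VSBL, not the real technical field name.
"""
from collections import defaultdict

# Constructed sample export, columns: AGR_NAME, OBJECT, FIELD, LOW, HIGH.
SAMPLE_EXPORT = (
    "ZSAP_SUPPDESK_CREATE\tS_TCODE\tTCD\tCRM_UI\t\n"
    "ZSAP_SUPPDESK_CREATE\tD_SOL_VSBL\tSOL_ID\t*\t\n"
    "ZSAP_SUPPDESK_CREATE\tD_SOL_VSBL\tACTVT\t03\t\n"
    "ZSAP_SUPPDESK_PROCESS\tD_SOL_VSBL\tSOL_ID\t0000000100\t0000000199\n"
    "ZSAP_SUPPDESK_PROCESS\tS_RFC\tRFC_NAME\t*\t\n"
    "ZSAP_SUPPDESK_PROCESS\tS_RFC\tACTVT\t16\t\n"
)

COLUMNS = ("role", "object", "field", "low", "high")


def parse_export(text):
    """Parse tab-separated AGR_1251-style lines into a list of dicts."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # skip blank lines
        parts = line.split("\t")
        if len(parts) != len(COLUMNS):
            raise ValueError(
                f"line {lineno}: expected {len(COLUMNS)} columns, got {len(parts)}"
            )
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def is_full_wildcard(value):
    """True only for a bare asterisk; a pattern such as 'ZSAP*' already restricts."""
    return value.strip() == "*"


def find_wildcards(rows):
    """Map each role to the (object, field) pairs that still carry a bare '*'."""
    findings = defaultdict(list)
    for row in rows:
        if is_full_wildcard(row["low"]) or is_full_wildcard(row["high"]):
            findings[row["role"]].append((row["object"], row["field"]))
    return dict(findings)


def report(rows):
    """Human-readable lines: one per wildcard field, or an all-clear line."""
    findings = find_wildcards(rows)
    if not findings:
        return ["no bare '*' values found"]
    lines = []
    for role in sorted(findings):
        for obj, field in findings[role]:
            lines.append(
                f"{role}: {obj}/{field} is '*' - assign specific values before productive use"
            )
    return lines


if __name__ == "__main__":
    for line in report(parse_export(SAMPLE_EXPORT)):
        print(line)
```

Only a bare asterisk is flagged: a value such as ZSAP* is already a restriction in the sense of the recommendation above, so it is left alone. Run the script against a real export after the SOLMAN_SETUP user creation and again after each role update, since an update replaces the copied role with a fresh copy of the SAP template.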
Update of Role Assignment
When you update a user with new SAP roles, for instance if adapted roles are shipped with a new Support Package, the system indicates which roles need to be updated. Technically, when updating a role, the existing copied role is deleted and a new copy of the SAP role is created by the system. Therefore, if you have manually changed any authorization values for authorization objects in your copied roles, you need to be aware of this. In addition, in case you have manually created a role in the Z name space, such as ZSAP_SUPPDESK_CREATE, the system will not update the role as it detects that the copied role had been created manually.
Note: When roles need to be updated, you must at least run transaction SU25 points 2a) and 2b). Alternatively, follow SAP Note 368496.
Role Upload into Managed Systems
You can upload the authorization roles for the READ user and the TMW user from the SAP Solution Manager system into the managed systems.
Caution: This function is only available for the upload of roles for the above-mentioned users. You should only upload the relevant roles into managed systems which are not productive. We recommend uploading the roles into your development system and transporting them into your productive system. Alternatively, you can download/upload the roles manually.
Expert Mode
The Expert Mode allows you to use the following features in regard to user creation and role creation as well as assignment:
● Define name space for roles
● Define and assign the user to a specified user group
Name Space for Roles
You can set a specified name space for the roles, which the system assigns to one user. The default name space is *Z*.
Note: All roles assigned to the predefined user SAPSERVICE receive name space *SD*. This name space is set because the authorizations for this user are predefined by SAP Support. For more information on this default user SAPSERVICE, see the corresponding section in the scenario-specific guide for SAP Engagement and Service Delivery.
User Group
You can define a user group for the users you create. The user is assigned to this user group.
Recommendation: We recommend grouping users in a user group. You can then easily search for them and restrict access to them using authorization object S_USER_GRP.
BW Scenarios
Depending on your scenario setup for BW, the system detects in which system/client you run BW. It determines in which system the according BW user needs to be created and displays this in the User Interface. In case of a standard BW scenario, all BW roles are added to the user created in the Solution Manager system.
In case of a remote BW, a separate user is created in the BW system/client. This setup requires that both users, in the SAP Solution Manager system as well as in the BW system, receive the additional authorization for trusted RFC destinations, authorization object S_RFCACL. The roles for trusted RFC destinations are explicitly explained in the User Interface HELP. Also check the section Users and Authorizations in each scenario-specific guide.
If you run BW in a remote scenario, user names and passwords of the created users in the Solution Manager system and in the BW - system must be identical.
8.3 Automatic Managed System Configuration Update using Transaction SOLMAN_SETUP
In case of update to your managed systems, the Managed System Setup in transaction SOLMAN_SETUP can be run automatically. This can also require the automatic update of users in your managed system.
In Case of SLD Changes
Use Case
In case of system updates in the System Landscape Directory (SLD), a configuration update job runs in the Solution Manager with a dedicated technical user SM_AMSC.
Technical User SM_AMSC
The update job of the managed system configuration is run by the technical user SM_AMSC in the Solution Manager system. This user is created during Basic Settings Configuration in the Solution Manager system. For more details, see the Landscape Setup Guide section on Technical User SM_AMSC.
In Case of Mass System Updates with Templates
Use Case
Mass Configuration is a feature to run the Managed System Setup in the background with already provided variables. You can use this option to update a number of similar managed systems (technical systems) on the basis of a predefined template. This update runs independent of any System Landscape Directory (SLD) changes. It is triggered in the Solution Manager system, and runs in the managed system with the managed system administration user.
Authorization Objects
SM_SETUP
Access to the mass update in transaction SOLMAN_SETUP is controlled by authorization object SM_SETUP, activity Mass Update (A8). The object is contained in role SAP_SM_BASIC_SETTINGS, which is assigned by default to user SOLMAN_ADMIN in transaction SOLMAN_SETUP.
SM_MASS_UP
To access and use the Template Management for the Mass System Update, authorization object SM_MASS_UP is required. It is contained in roles SAP_SM_MS_TMPL_UPDATE*, which is assigned as optional to user SOLMAN_ADMIN in transaction SOLMAN_SETUP. For more details, see the Landscape Setup Guide section on User SOLMAN_ADMIN.
8.4 Automatic Mass User Creation/Update using “Solution Manager User Administration” (SMUA)
The Solution Manager User Administration (SMUA) allows you to maintain all users (technical users as well as dialog users), which can be created automatically using transaction SOLMAN_SETUP, in one application.
In general, the functionality reflects the same technical aspects as the user creation using transaction SOLMAN_SETUP. SMUA allows you to see all created users in one table for Solution Manager users, managed system users, BW-system users.
For all individual Solution Manager - specific default users, you can:
● display users and their user roles per system landscape relevance (used in Solution Manager - system, used in managed system, used in BW-system)
● create and update users and their user roles
● create users in mass maintenance
● set passwords (For more information on passwords, see the according section)
● upload user roles for Read-User (Read - Connection) and TMW - User (TMW - Connection) into the managed system (for more information, see the according section on these RFC - Connections).
Tool Access
To access the application, your user needs to have:
● authorizations for the work center Solution Manager Administration assigned (see Scenario-Specific Guide for Solution Manager Administration). In the view navigation in the work center Solution Manager Administration, choose Users. This allows you to access and use SMUA.
● authorization object SM_SMUA assigned. This object is contained in the new single role SAP_SM_SMUA_*. The role SAP_SM_SMUA_* is contained in the composite roles for SAP Solution Manager Administration (see the according scenario-specific guide for reference).
For more information on the features of the application itself, see the Online Help for SAP Solution Manager.
Additional Authorizations
You can use the user creation and update in SMUA only if:
● general user management and role assignment authorizations are granted. These authorizations are contained in role SAP_SM_USER_*.
● RFC connections related to specific technical users can only be displayed if authorizations for transaction SM59 are granted. These authorizations are contained in role SAP_SM_RFC_*.
Multiple Storage of Users
The system stores all dialog users created within transaction SOLMAN_SETUP and in SMUA. For technical users, it stores the last user created.
8.5 Passwords for Solution Manager Default Users
You can create a number of SAP Solution Manager default users using transaction SOLMAN_SETUP or the Solution Manager User Administration (SMUA) in the work center SAP Solution Manager Administration.
Set Initial Passwords
When creating these users, the system automatically:
● sets an automatically generated password to all users of type system user.
● requires of you to set an initial password for all users of type dialog users, with the exception of the following user:
○ SAPSUPPORT user, because this user is used only for the purpose of support by SAP, and should be usable immediately after generation.
Within SMUA, you can set a password for a number of dialog users in one User Interface. Users of type system user are not displayed in the User Interface. For more information, see Online Documentation for SMUA.
Note: SAP-wide default users such as DDIC, SAP*, and so on, are not considered. For those users, the general SAP policy for passwords is relevant. After configuration, change the password for these users, or deactivate them. For more information, check the SAP NetWeaver Security Guide.
Update Passwords
If you update/change the password of users of type system user which are used in RFC - Connections (such as READ or TMW users) in user management (transaction SU01), you need to change the password for these users in the RFC - Destination in the Solution Manager system as well.
8.6 Secure Storage
The secure storage stores encoded data, for instance access data of systems, SLD, SAP Portal connection, and so on. The system uses the installation number of the system and the system ID when creating the key for the secure storage.
Caution: If one or more of these values change, the system can no longer read the data in the secure storage.
More Information
SAP Note 816861 and SAP Note 1027439.
8.7 Integration into Single Sign-On Environments (SSO)
The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. It uses various front ends (SAP GUI, SAP NWBC, and Web browser, in this case an HTML Control). The system opens several sessions on the server, which may require, for example, a second logon: the user uses SAP GUI to log on to a system, the application uses the SAP GUI HTML Control to call another application, and the system then prompts the user to re-enter the logon data.
Caution: If you are using external SSO with SAP Solution Manager, see SAP Note 1153116.
The supported mechanisms are:
● Secure Network Communications (SNC) : SNC authenticates users and provides an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
● SAP logon tickets: The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. Users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same browser session. The user does not need to enter a user ID or password for authentication; he can access the system directly after the system has checked the logon ticket.
More Information
● on SNC, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Guide.
● on how to use Single Sign-On, see Service Marketplace: service.sap.com/sso-smp.
9 Authorization Concept for SAP Solution Manager
The following sections provide a general overview on which roles are delivered and how the principle of segregation of duty is mapped.
Users and User Composite Roles
Since SAP Solution Manager release 7.1, roles for end users are defined by a user definition that follows SAP processes. Each user definition is mapped to a roles concept in the form of a composite role. Since one composite role can contain a high number of single roles with differing purposes, the purpose of the roles is explained in more detail: for instance, User Interface roles for the work center and the CRM user interface with their corresponding authorization objects, as well as the integrated use of BW roles with BW-related authorization objects, and so on.
Authorization Dependencies
SAP Solution Manager is based on several SAP components, such as SAP NetWeaver, SAP CRM, and Business Warehouse, for more information see the master guide for SAP Solution Manager on the Service Marketplace
service.sap.com/instguides SAP Components SAP Solution Manager <current release> . Each of these components has its own configuration options, which must be set correctly to provide an appropriate overall level of security. The tasks include not only configuration during normal operation but also activities to be performed before, during, and after installation (such as providing secure passwords during installation, changing default passwords after installation, or performing customizing activities). Read the appropriate configuration and security guides for each component. Since SAP NetWeaver integrates the ABAP and Java stacks, both stacks need proper configuration.
In addition, several external components at the network level, such as routers and fire walls, influence the overall security of the system landscape.
RFC - Authorizations
Apart from user authorizations, an essential part of SAP Solution Manager's functioning are its RFC connections to and from other systems (managed systems). For many scenarios they form the basis for a successful setup. In SAP Solution Manager we have different RFC connections for different purposes. In the following sections, these RFC connections are explained in more detail.
For each RFC connection a technical user is created who receives the corresponding authorizations. In the following, main critical authorizations for these users are explained in more detail.
9.1 User Definitions in SAP Solution Manager
Users are defined within the context of business processes. These users represent human users within a business scenario, who are mapped in a system such as SAP Solution Manager by a user ID in transaction SU01 (User Management). Each user in a business scenario has specified tasks to execute. These may vary from company to company. For instance, in a financial environment you find accountants and controllers.
These user definitions do not contain the full range of functions which are possible for one scenario, but rather the core business. For instance, using Implementation and Upgrade requires a specific number of roles to execute the main transactions/applications which are absolutely necessary for the process, such as project administration, business blueprint, document management, and so on. The delivered composite roles do not contain authorizations for BC-set execution, as this is a specific function, which is not considered to be part of the core process by SAP. The roles required for these additional functions are described in a section for Additional Roles for Functions in each scenario - specific guide.
Using SAP Solution Manager, a number of business scenarios exist, see scenario - specific guides. Therefore, we deliver defined users for explicit tasks. For instance, in Incident Management you always have a number of so called key users, users in business systems who create messages for errors or insufficient functions within the systems they are working in. In addition, we have a so called processor who solves the Incident messages or sends them to SAP for solving. This business process and the according user definition is clearly defined.
Figure 4: Example: business users in a business process
Due to these user definitions, it is possible to deliver authorization roles which map the defined tasks. This is done for all scenarios and user definitions within SAP Solution Manager. Therefore, in the scenario-specific guides you find a chapter on user definitions and their corresponding user roles as defined by SAP. The delivered user definitions cannot reflect the business processes of every company. Therefore, the user definitions as well as the user roles can only be regarded as templates for your own authorization concept.
9.2 End - User Roles in SAP Solution Manager
As described in the previous chapter, users are defined by a specific set of tasks/processes they have to fulfil in their company.
User Differentiation
Considering SAP Solution Manager as a management platform for other systems (system landscape), and business solutions (application cycle), we differentiate between:
1. users who administer the SAP Solution Manager system itself, and
2. the users who use SAP Solution Manager to manage other systems.
This differentiation of tasks can overlap. For instance the user responsible for the setup, administration, and operation of the SAP Solution Manager system may also be able to administer other systems in the landscape. Another user may only be responsible for the configuration of one of the systems in the landscape:
● Administrator of SAP Solution Manager
The user responsible for the tasks area of setup, configuration, and operation of the SAP Solution Manager system is called SAP Solution Manager Administrator, with user ID by default SOLMAN_ADMIN. The administrator user is first created during the automated basic settings configuration via transaction SOLMAN_SETUP. We differentiate between different roles for this user when setting up the basic system landscape, and roles for scenario-specific setup .
During the automated basic setup (in transaction SOLMAN_SETUP or the SAP Solution Manager configuration work center), the Solution Manager administration user is authorized to automatically create users and assign roles. Because of this automatic assignment, these roles are delivered with predefined authorization values. All fields which could not be determined by SAP, because they can only be restricted to certain values by the customer, are delivered with value '*' (an asterisk defines full authorization). If you want to restrict authorizations during setup, you need to do this manually. We recommend using the delivered standard SAP roles as displayed in the User Interface by the guided procedure in the system.
Recommendation: There are specific administration users for the scenario-specific setup in transaction SOLMAN_SETUP. Roles for scenario-specific configuration in transaction SPRO are not delivered. For these configurations, we recommend creating so-called configuration roles from projects. The procedure is described in the How-To document on how to create configuration users in this guide. Alternatively, you can use SAP profiles SAP_ALL and SAP_NEW.
● Users of SAP Solution Manager
For each scenario, we deliver user definitions and corresponding composite roles (technical names ending in *_COMP) according to the principle of segregation of duties. More than one user definition is delivered for each scenario; there is always a user with full administration authorization and a user with display authorization (see Multilevel Separation). Each delivered composite role contains the required single roles. The single roles represent individual functions in the system (see Module Separation) and software components (see Software Component Separation); these two views overlap in most cases. A further differentiation distinguishes roles that define the navigation from roles that carry the related authorizations (see Navigation/UI/Backend). This definition can vary according to your own needs; therefore, all roles shipped by SAP are only template roles for you to copy and adapt.
Figure 5: Composite User Roles
○ Business roles = ST-related roles for business tasks (scenario-related)
○ Technical roles = ST-related authorization roles for technical frameworks, such as the Extractor Framework
○ CRM roles = roles related to CRM 7.01
○ Reporting roles = roles related to BW reporting
All roles are delivered in the SAP namespace, starting with SAP_*. The technical role name encodes the scenario the role is used for, the level of authorization it contains, and whether it is a composite role or a single role. For instance, the technical role name SAP_SUPPDESK_PROCESS_COMP carries the following information: it is delivered by SAP <SAP>, used for scenario Service Desk <SUPPDESK>, the user definition is processor <PROCESS>, and it is a composite role <COMP>.
Figure 6: Example: Incident Management Processor Role
The following sections explain in more detail the multilevel segregation, the module/software component segregation, and navigation/UI/back-end separation for all roles:
Composite Roles
According to the user definitions, composite roles are shipped, which contain all relevant single roles needed to fulfil the required tasks.
Note: The composite roles are not shipped with a menu. If a composite role contains more than one navigation role, the system cannot merge both navigation structures and displays only the first navigation role in the list.
Multilevel Separation
The principle of segregation of duties requires that each user in a system has exactly the authorizations required for the tasks he or she is to execute. We deliver user roles accordingly. The definition of the users varies from scenario to scenario. In technical administration, for instance, a user with authorization for all system administration tasks (technical name *ADMIN*) may be required in addition to a display user. In Incident Management or Change Request Management, the scenario is defined by a sequential process: a key user creates incidents, a processor processes them, and an administrator may create business partners and perform other configuration tasks. Here, the roles are defined by the user's purpose, for instance with the technical role name *PROCESS*. All roles are built on top of each other: the authorizations of a display user are included in those of an operations user, and the authorizations of the operations user are in turn included in those of the administration user.
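The following is an added example, not part of this guide and not SAP code: a small Python script that decodes technical role names according to the naming convention described above (vendor, scenario, user definition, composite or single) and checks the multilevel property that every authorization value of a lower-level single role is also contained in the next higher level of the same scenario. The role contents in SAMPLE_ROLES are constructed for illustration; in a real system they would be exported from PFCG or table AGR_1251. Treating DIS/DISPLAY and ALL/ADMIN as synonymous levels is an assumption made for the example.

```python
"""Added example, not SAP code: decode the technical role names used in this
guide and check the multilevel separation claim that a display role's
authorizations are a subset of the operations role's, which in turn are a
subset of the administration role's. Role contents must come from PFCG or
table AGR_1251 in a real system; the values below are constructed only.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# One authorization value: (authorization object, field, value)
AuthValue = Tuple[str, str, str]

class RoleName(NamedTuple):
    vendor: str
    scenario: str
    level: str      # user definition / authorization level
    composite: bool

# Levels in ascending order of authorization, e.g. SAP_SUPPDESK_DISPLAY <
# SAP_SUPPDESK_PROCESS < SAP_SUPPDESK_ADMIN. DIS/DISPLAY and ALL/ADMIN are
# treated as synonyms here (assumption; the guide uses both spellings).
LEVEL_RANK = {"DIS": 0, "DISPLAY": 0, "CREATE": 1, "PROCESS": 2, "ADMIN": 3, "ALL": 3}

# <vendor>_<scenario>_<level>[_COMP]; the scenario part may itself contain
# underscores (SAP_SYSTEM_REPOSITORY_DIS), so the match is anchored on the level.
_ROLE_RE = re.compile(
    r"^(?P<vendor>SAP|Z|Y)_(?P<scenario>.+?)_(?P<level>"
    + "|".join(sorted(LEVEL_RANK, key=len, reverse=True))
    + r")(?P<comp>_COMP)?$"
)

def parse_role_name(name: str) -> RoleName:
    """SAP_SUPPDESK_PROCESS_COMP -> RoleName('SAP', 'SUPPDESK', 'PROCESS', True)."""
    m = _ROLE_RE.match(name)
    if not m:
        raise ValueError(f"role name does not follow the naming convention: {name}")
    return RoleName(m["vendor"], m["scenario"], m["level"], m["comp"] is not None)

def check_multilevel_nesting(roles: Dict[str, Set[AuthValue]]) -> List[str]:
    """Return one finding for every authorization value granted by a lower-level
    single role of a scenario but missing from the next higher level. An empty
    list means the roles are 'built on top of each other' as the guide states."""
    by_scenario: Dict[str, List[Tuple[int, str]]] = {}
    for name in roles:
        rn = parse_role_name(name)
        if rn.composite:          # composite roles only bundle single roles
            continue
        by_scenario.setdefault(rn.scenario, []).append((LEVEL_RANK[rn.level], name))
    findings: List[str] = []
    for scenario, ranked in by_scenario.items():
        ranked.sort()
        for (lo_rank, lo), (hi_rank, hi) in zip(ranked, ranked[1:]):
            if lo_rank == hi_rank:
                continue
            for obj, field, value in sorted(roles[lo] - roles[hi]):
                findings.append(f"{scenario}: {hi} lacks {obj} {field}={value} granted in {lo}")
    return findings

# Constructed sample: the ADMIN role deliberately lacks the display activity
# that the PROCESS role grants, so the check reports a gap.
SAMPLE_ROLES: Dict[str, Set[AuthValue]] = {
    "SAP_SUPPDESK_DISPLAY": {("S_TCODE", "TCD", "CRM_UI"), ("CRM_ORD_PR", "ACTVT", "03")},
    "SAP_SUPPDESK_PROCESS": {("S_TCODE", "TCD", "CRM_UI"), ("CRM_ORD_PR", "ACTVT", "03"),
                             ("CRM_ORD_PR", "ACTVT", "02")},
    "SAP_SUPPDESK_ADMIN":   {("S_TCODE", "TCD", "CRM_UI"), ("CRM_ORD_PR", "ACTVT", "02"),
                             ("B_BUPA_RLT", "ACTVT", "01")},
}

if __name__ == "__main__":
    print(parse_role_name("SAP_SUPPDESK_PROCESS_COMP"))
    for finding in check_multilevel_nesting(SAMPLE_ROLES):
        print(finding)
```

Run against a real export, the check is a quick way to confirm that a customer copy of the template roles still satisfies the nesting the guide describes after adaptation; any finding names the exact object, field and value that was dropped from the higher level.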
Figure 7: Example: Incident Management Roles
Module Separation
SAP Solution Manager user roles are composite roles that contain a number of single roles, which allows authorizations for a user to be restricted further with little effort. Each single role defines the authorization for one specific function, module, or transaction, for instance the role with technical name *SOLAR01*. The composite roles then contain all relevant authorizations for one user in a scenario. This may include roles for work center navigation, work center authorization, BW-related authorizations, CRM-related authorizations, function-related authorizations, and so on. The composite roles can therefore easily be extended or reduced. The clear demarcation simplifies role maintenance and prevents the unintentional assignment of authorizations that are not required. Nevertheless, some authorization objects appear in more than one single role across different scenarios (see section Integration of Functions/Capabilities). They are then maintained only for their purpose within that scenario. For instance, authorization object S_PROJECTS occurs in roles for Implementation, but also for Quality Gate Management; the authorization fields of this object allow a clear demarcation in the authority check and are maintained accordingly.
Figure 8: Module Separation of Processor Role of Incident Management
In this case, role:
● SAP_BI_E2E contains all authorization for BW activation
● SAP_SUPPDESK_PROCESS contains all authorization to run the application as a processor in SAP Solution Manager
● SAP_SMWORK_* contain all authorizations to run the work center
● SAP_SM_CRM_UIU_* contain all authorizations to run the application in the new CRM WebClient UI
Software Component Separation
SAP Solution Manager uses a variety of different software components in its applications, and these must also be reflected in the authorization concept. Therefore, we differentiate between them by means of dedicated single roles; for instance, BW-related roles contain BW-related authorization objects because they are delivered with software component ST_BCO. The following software components are used within SAP Solution Manager:
● SAP_BASIS
● CRM
● ST_BCO
As of SP02, authorization roles for BW reporting for SAP Solution Manager are delivered in software component ST_BCO (before SP02: BI_CONT).
● ST
● ST-PI
Figure 9: BW Component ST_BCO and SAP Solution Manager Component ST separation
For instance, a clear-cut differentiation between roles for BW is necessary because BW can run in different deployment scenarios. Depending on whether BW runs inside SAP Solution Manager or in a separate system, roles must be assigned to users in the respective system. For this to work, some roles must be deliverable to SAP BW systems, which can deploy software component ST_BCO. Therefore, roles for BW reporting that must be present in a remote BW system are delivered with ST_BCO, whereas roles relevant for BW reporting within the SAP Solution Manager system, for instance for displaying BW reports, are delivered with software component ST.
Both kinds of roles can be contained in one composite role.
Figure 10: Software Component Separation within Processor Role for Incident Management
In this case, roles:
● SAP_BI_E2E for BW activation is delivered with ST_BCO
● SAP_SM_CRM_UIU_* are relevant for the CRM WebClient UI and are delivered with ST
● SAP_SUPPDESK_PROCESS and SAP_SMWORK_* are relevant for the SAP Solution Manager component and are delivered with ST
For more information, see sections Using SAP Solution Manager with CRM and Using SAP Solution Manager with BW in this guide.
Navigation/UI/Backend
Due to the use of different clients and the concept of work centers, we differentiate between navigation roles and back-end roles, which contain authorizations. For more information, see section on Work Center Navigation Role Concept. In this respect, we consider User Interface authorizations separately. For more information, see section Authorization for User Interfaces.
Figure 11: Navigation/UI/Backend Authorization Separation for Processor Role for Incident Management
In this case, roles:
● SAP_BI_E2E, SAP_SUPPDESK_PROCESS contain back-end authorizations
● SAP_SMWORK_INCIDENT_MAN, SAP_SM_CRM_UIU_SOLMANPRO are navigation roles for the work center and the CRM WebClient UI. These roles are defined solely by their menu and contain no active authorization objects apart from S_TCODE for the work center transaction (see section Work Center Navigation Role Concept).
● SAP_SMWORK_BASIC_INCIDENT, SAP_SM_CRM_UIU_SOLMANPRO_PROC, SAP_SM_CRM_UIU_FRAMEWORK are UI roles and contain authorization objects which define the UI for the work center and the CRM WebClient UI.
9.3 Configuration User Roles for SAP Solution Manager
There are:
● specific roles for the automated basic settings configuration (transaction SOLMAN_SETUP)
● dedicated authorization roles for scenario-specific configuration done in transaction SOLMAN_SETUP
● no dedicated authorization roles for scenario-specific configuration done in transaction SPRO
This section tells you how to create your own roles for the configuration of scenarios.
Note: Configuration of scenario-specific functions can involve configuration of cross-scenario settings. For these functions, additional configuration roles may be needed (if you do not use profiles SAP_ALL and SAP_NEW). They are specified in the IMG activity for the cross-scenario functions.
Before you can create authorization roles for scenario-specific configuration, you must have created an IMG project in transaction SPRO_ADMIN. For more information, see the configuration guide for SAP Solution Manager.
Procedure
Note: This procedure is based on the example Customizing project in the How-to document How to Create Customizing Projects and Project IMGs.
1. Create an IMG Project (See section More Information)
Before you can create a role for scenario-specific configuration, you need to create an IMG project. This project is the basis for role configuration as it contains all transactions you run later on.
2. Create a Role in Transaction PFCG
1. Choose transaction PFCG.
2. Enter a role name in your namespace, for instance ZROLE_IMG_MYPROJECT, and choose the Single Role button.
3. Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of ST SP15.
4. Save your role.
Note: You are asked for a transport request.
3. Define Configuration Transactions for Your IMG Project
In role creation, transactions form the basis to easily maintain all necessary authorization objects. When you enter a transaction in the menu tab in your role, the system traces all authorization objects required for this transaction.
1. To retrieve all transactions contained in the Customizing project, choose Utilities > Customizing auth. in the menu.
2. In the dialog box that appears, choose Add to attach your Customizing project or Customizing project view. In our case, we choose the Customizing view that was created.
3. In the subsequent dialog boxes, choose your Customizing project or Customizing project view, in our case myproject.
The system automatically assigns all relevant transactions and authorization objects for your customizing project or customizing project view.
4. Confirm your project assignment.
4. Maintain Authorization Objects
The authorization object defaults delivered by SAP contain minimal authorizations. To grant further authorizations for these objects, you need to maintain them.
1. In role maintenance, choose the Authorizations tab.
2. Choose the Change button.
3. Maintain the activity values of each authorization object according to your needs; if you want to grant full authorization for an object, choose all of its activities.
Caution: All authorization objects must show a green traffic light. Be aware that the authorization trace does not propose values for the critical authorization objects S_RFC and S_TABU_DIS; their values have to be maintained manually and should be reviewed with care.
4. Generate the profile.
5. To assign this profile to a user, choose tab User, add your user in the table and execute the user comparison.
6. Save.
Result
You have now created a role for your specific IMG configuration project.
Caution: If a project or a project view has been assigned to a role, you cannot manually assign transactions to this role, and vice versa. Therefore, use such a role only to generate and assign Customizing authorizations.
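The following is an added example, not part of this guide and not SAP code: a Python script that reviews a generated configuration role against the two points this procedure raises, fields left at the full authorization '*' (the default for values SAP cannot predetermine, see the administrator section earlier in this chapter) and the untraced critical objects S_RFC and S_TABU_DIS, and that also flags the critical single values named in the Guided Procedure Framework section of this guide (S_RFC_ADM activity 36, S_CTS_ADMI value TABL). The input format is a tab-separated extract with a column layout modelled on table AGR_1251; the extract rows and the use of the example role name ZROLE_IMG_MYPROJECT from step 2 are constructed for this example and are not the content of a real role.

```python
"""Added example, not SAP code: review a generated configuration role for
fields left at full authorization '*' and for the critical objects S_RFC and
S_TABU_DIS, for which the authorization trace proposes no values. Input is a
tab-separated extract of the role's authorization values with a column layout
modelled on table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the sample
rows are constructed for this example.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, Iterable, List, Set, Tuple

# Objects the guide names as not covered by the trace in this procedure.
UNTRACED_CRITICAL = {"S_RFC", "S_TABU_DIS"}
# Single values this guide flags as critical elsewhere (field names per SU21).
CRITICAL_VALUES: Dict[Tuple[str, str], Set[str]] = {
    ("S_RFC_ADM", "ACTVT"): {"36"},          # extended maintenance of RFC destinations
    ("S_CTS_ADMI", "CTS_ADMFCT"): {"TABL"},  # transport administration on tables
}

@dataclass(frozen=True)
class AuthLine:
    role: str
    obj: str
    field: str
    low: str
    high: str

def parse_extract(text: str) -> List[AuthLine]:
    """Parse the tab-separated extract (header row required)."""
    reader = csv.DictReader(StringIO(text), delimiter="\t")
    return [AuthLine(r["AGR_NAME"], r["OBJECT"], r["FIELD"], r["LOW"], r["HIGH"] or "")
            for r in reader]

def audit_role(lines: Iterable[AuthLine]) -> Dict[str, List[str]]:
    """Group findings: '*' values, all values of untraced critical objects
    (to be verified by hand), and critical single values."""
    findings: Dict[str, List[str]] = {
        "full_authorization": [], "untraced_critical": [], "critical_value": []}
    for ln in lines:
        shown = f"{ln.obj} {ln.field}={ln.low}" + (f"..{ln.high}" if ln.high else "")
        if ln.low == "*":
            findings["full_authorization"].append(shown)
        if ln.obj in UNTRACED_CRITICAL:
            findings["untraced_critical"].append(shown)
        if ln.low in CRITICAL_VALUES.get((ln.obj, ln.field), set()):
            findings["critical_value"].append(shown)
    return findings

def _row(*cells: str) -> str:
    return "\t".join(cells)

# Constructed extract of a hypothetical role ZROLE_IMG_MYPROJECT.
SAMPLE_EXTRACT = "\n".join([
    _row("AGR_NAME", "OBJECT", "FIELD", "LOW", "HIGH"),
    _row("ZROLE_IMG_MYPROJECT", "S_TCODE", "TCD", "SPRO", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_TABU_DIS", "ACTVT", "02", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_TABU_DIS", "DICBERCLS", "*", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_RFC", "RFC_TYPE", "FUGR", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_RFC", "RFC_NAME", "*", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_RFC", "ACTVT", "16", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_RFC_ADM", "ACTVT", "36", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_PROJECT", "PROJECT_ID", "MYPROJECT", ""),
    _row("ZROLE_IMG_MYPROJECT", "S_PROJECT", "ACTVT", "02", "03"),
])

if __name__ == "__main__":
    for category, items in audit_role(parse_extract(SAMPLE_EXTRACT)).items():
        print(category, items)
```

A role that passes the green traffic light check in PFCG can still carry S_RFC RFC_NAME=* or S_TABU_DIS DICBERCLS=*; the script makes those values visible before the profile is generated and assigned.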
More Information
● For more information on configuration and on how to create an IMG project, see:
○ Document How to Create Customizing Projects and Project IMGs on the SAP Service Marketplace: service.sap.com/solutionmanager > Media Library > Technical Papers
○ Configuration Guide for SAP Solution Manager on the SAP Service Marketplace: service.sap.com/instguides > SAP Components > SAP Solution Manager <current release>
9.4 Integration of Functions/Capabilities
The life cycle of a product comprises various phases, such as implementation, operation, and upgrade. Tools can be used to realize a process within these phases. The tools integrate strongly with each other to support a seamless document and information flow over the whole life cycle; the work center approach demonstrates this integration. To realize this integrated approach while still allowing you to build and configure according to your company's needs, configuration and SAP template roles are function/capability-related, and configuration and authorizations for integrated functions follow a modular approach.
The integration of functions and scenarios within SAP Solution Manager is an integral part of its value as an end-to-end business process platform. Because of this tight integration, the corresponding authorizations are affected as well. You might therefore find authorizations in roles that belong to a different function than the one you are using, but maintained specifically for that role's purpose.
The two following examples demonstrate how authorizations are integrated as a result of the end-to-end processes within SAP Solution Manager. You can find more examples in the section Scenario Integration of the scenario-specific guides.
Example: Authorization object AI_SA_TAB
Authorization object AI_SA_TAB is used to restrict tabs in transactions SOLAR01 (Business Blueprint), SOLAR02 (Configuration), and SOLMAN_DIRECTORY (Solution Directory). This object is needed for the roles restricting access to the mentioned transactions for scenario Implementation and Upgrade. Still, the authorization object is also included in roles for Issue Management (scenario SAP Engagement and Service Delivery), due to the integration between both scenarios. You can assign issues to a project when using Implementation transactions or using Issue Management. Since the authorization object is primarily used for the implementation transactions, it is specifically maintained in the Issue Management roles.
Figure 12: Authorization object AI_SA_TAB in role SAP_ISSUE_MANAGEMENT_*
In these roles, the authorization object is maintained only with activity 02 (Change) for the Issue tab in transaction SOLAR01 (Business Blueprint).
Caution: If a user both uses Issue Management with the authorization to assign issues to projects and is restricted to display-only for the complete transaction SOLAR01, the authorization values for AI_SA_TAB in role SAP_ISSUE_MANAGEMENT_* effectively override the display authorization for this object in the Business Blueprint role SAP_SOLAR01_DIS. An authorization check succeeds as soon as any authorization assigned to the user covers the checked values, so the user can change the Issue tab although SAP_SOLAR01_DIS grants display only.
Example: Authorization object S_PROJ_GEN
Similar to the case described above, authorization object S_PROJ_GEN is maintained in various user roles for different scenarios. This authorization object restricts project maintenance for specific purposes. Here, the authorizations are maintained so that they are specifically designed for certain functions within a scenario. The authorization object is primarily used in its main context, Project Administration. Still, in Quality Gate Management (QGM) an overall project maintenance must be possible for the users. Therefore, the authorization object is contained in roles for QGM and project management, Change Request Management, and others.
Figure 13: Authorization object S_PROJ_GEN in role SAP_SM_QGM_CHANGE
The authorization values for the field Project Management Authorizations restrict project maintenance to a Quality Gate Management user only. In contrast to the case of authorization object AI_SA_TAB described above, the authorization object S_PROJ_GEN cannot overlap between two different scenarios, because the function is explicitly restricted within one field of the object and is part of every check.
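The following is an added example, not part of this guide and not SAP code: a minimal Python model of the AUTHORITY-CHECK semantics behind both cases above. A check succeeds if any one authorization for the object, from any assigned role, covers all checked field values; this is why the Issue Management values for AI_SA_TAB take effect alongside SAP_SOLAR01_DIS, while the function field of S_PROJ_GEN keeps a QGM authorization from satisfying a Project Administration check regardless of the activity granted. The field names TAB and PROJ_FUNC and all values are constructed for the example and are not the SU21 definitions of these objects.

```python
"""Added example, not SAP code: a minimal model of how an ABAP AUTHORITY-CHECK
evaluates a user's authorizations. The check succeeds if at least one
authorization for the object, from any role or profile assigned to the user,
covers every checked field value; authorizations from different roles are
combined additively, so a more restrictive value in one role never removes
what another role grants. Field names and values are constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# One authorization: field -> list of permitted values ('*' = any value).
Authorization = Dict[str, List[str]]
# A role's authorization data: object -> authorizations for that object.
Role = Dict[str, List[Authorization]]

def _field_allows(permitted: List[str], value: str) -> bool:
    return any(p == "*" or fnmatchcase(value, p) for p in permitted)

def merge_roles(*roles: Role) -> Role:
    """The user's authorization buffer is the concatenation of all assigned roles."""
    buffer: Role = {}
    for role in roles:
        for obj, auths in role.items():
            buffer.setdefault(obj, []).extend(auths)
    return buffer

def authority_check(user: Role, obj: str, **fields: str) -> bool:
    """True if any single authorization for obj covers all requested field values."""
    return any(
        all(_field_allows(auth.get(f, []), v) for f, v in fields.items())
        for auth in user.get(obj, [])
    )

# Case 1 (constructed): the display role grants ACTVT 03 on all tabs; the
# Issue Management role grants ACTVT 02 on the Issue tab only.
SAP_SOLAR01_DIS: Role = {"AI_SA_TAB": [{"TAB": ["*"], "ACTVT": ["03"]}]}
SAP_ISSUE_MANAGEMENT: Role = {"AI_SA_TAB": [{"TAB": ["ISSUE"], "ACTVT": ["02"]}]}

def ai_sa_tab_case() -> Dict[str, bool]:
    user = merge_roles(SAP_SOLAR01_DIS, SAP_ISSUE_MANAGEMENT)
    return {
        # granted by the Issue Management role despite the display-only role
        "change_issue_tab": authority_check(user, "AI_SA_TAB", TAB="ISSUE", ACTVT="02"),
        # no assigned role grants change on any other tab
        "change_other_tab": authority_check(user, "AI_SA_TAB", TAB="STRUCTURE", ACTVT="02"),
        "display_other_tab": authority_check(user, "AI_SA_TAB", TAB="STRUCTURE", ACTVT="03"),
    }

# Case 2 (constructed): S_PROJ_GEN carries a field naming the function the
# authorization is for, so a QGM authorization cannot satisfy a check made by
# Project Administration, whatever the activity. PROJ_FUNC is an assumed name.
SAP_SM_QGM_CHANGE: Role = {"S_PROJ_GEN": [{"PROJ_FUNC": ["QGM"], "ACTVT": ["*"]}]}

def s_proj_gen_case() -> Dict[str, bool]:
    user = merge_roles(SAP_SM_QGM_CHANGE)
    return {
        "qgm_change": authority_check(user, "S_PROJ_GEN", PROJ_FUNC="QGM", ACTVT="02"),
        "project_admin_change": authority_check(
            user, "S_PROJ_GEN", PROJ_FUNC="PROJ_ADMIN", ACTVT="02"),
    }

if __name__ == "__main__":
    print(ai_sa_tab_case())
    print(s_proj_gen_case())
```

The practical consequence for role design is the one the guide draws: restricting a value in one role only restricts the user if no other assigned role grants it, so overlapping objects have to be maintained with a distinguishing field (as with S_PROJ_GEN) or accepted as an intentional extension (as with AI_SA_TAB).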
9.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions, Directory)
In the context of SAP Solution Manager, we use the term Infrastructure for all entities related to systems, hosts, databases, solutions, and projects. These units form the basis for all scenarios.
Whereas systems are needed in all scenarios, solutions and projects are used in specific scenarios. Which of the two is used depends on the position of the scenario in the end-to-end life cycle of your solution, that is, whether you are preparing to go live or are already live. If you are preparing to go live with your solution, using Business Blueprint, Test Management, and so on, you primarily use projects as your basis. If you are already live with your solution, you primarily use solutions or only systems, as in Business Process Operations. Some scenarios can use both units, depending on the nature of their functions.
Project information can be transferred to solution information and vice versa using the Solution Directory. The Solution Directory can be regarded as a repository for your solution information, as it allows a smooth hand-over of information along your life cycle process.
Given the basic nature of these entities, solution authorizations, project authorizations, and system authorizations are needed in different scenarios. It must be possible to maintain these authorizations only once, even if they are used for different functions. Therefore, we have extracted them into specific user roles for infrastructure:
● Systems (SAP_SYSTEM_REPOSITORY_*, SAP_SMSY_*, SAP_SM_DASHBOARDS_DISP_LMDB)
● RFC Maintenance (SAP_SM_RFC_*)
● Solutions (SAP_SM_SOLUTION_*), for solution transfer SAP_SOLUTION_TRANSFER.
● Projects (SAP_SOL_PROJ_ADMIN_*)
● Solution Directory (SAP_SOLMAN_DIRECTORY_*)
● Business Partner Assignment SAP_SM_BP_*
Note: If this role (or the corresponding authorization objects) is not assigned to a user, the user cannot display the Business Partner tab in transaction LMDB, and the filter in the POWL queries SMWORK_TSYS_DIAG_REL and SMWORK_DIAG_ALL is not available.
From transaction LMDB, you can navigate to the Business Partner detail screen of the CRM WebClient application. To do so, you additionally need to assign the following two roles to your user:
○ SAP_SM_CRM_UIU_SOLMANPRO (do not copy into your namespace) for navigation access
○ SAP_SM_CRM_UIU_SOLMANPRO_PROC (copy into your namespace) for authorization access
System Landscape
Table 23: Roles and included authorization objects for the system landscape
Role: SAP_SYSTEM_REPOSITORY_DIS
Included authorization objects: all relevant authorizations for systems (AI_LMDB_*), as well as:
● SM_CMDB_OB
● SM_SETUP (manually entered)
Role: SAP_SYSTEM_REPOSITORY_ALL
Included authorization objects: all authorization objects of SAP_SYSTEM_REPOSITORY_DIS, as well as:
● AI_LMDB_AD
● S_TCODE with TCD value LMDB
RFC Maintenance
Table 24: Roles and included authorization objects for RFC maintenance
Role: SAP_SM_RFC_*
Included authorization objects:
● S_RFC_ADM
● S_ADMI_FCD
● S_RFC_TT (manually added)
Additionally, authorization objects S_TCODE and S_SERVICE.
Business Partner
Table 25: Roles and included authorization objects for business partner assignment
Role: SAP_SM_BP_*
Included authorization objects: all relevant authorizations for business partner and product assignment for the POWL queries SMWORK_TSYS_DIAG_REL and SMWORK_DIAG_ALL:
● B_BUPA_RLT
● COM_IL
Further authorization objects for business partners may be used but are not required.
Critical Authorization Objects
AI_LMDB_OB
This authorization object allows you to restrict your users' access to systems (display, edit, and so on). It is contained in the roles SAP_SYSTEM_REPOSITORY_*. If you restrict AI_LMDB_OB, do not grant System Landscape Directory (SLD) authorizations to the same user: even minimal SLD authorizations include complete read access and would bypass the restriction. For more information, see the SLD security guide.
9.6 Guided Procedure Framework
Guided Procedures can run in any application of SAP Solution Manager. They are based on the Guided Procedures Framework (GP Framework). We differentiate between the GP Framework and the GP Content. The GP Content is provided by the individual application running and using the GP Framework.
Authorization Roles for GP Framework
Composite role SAP_SM_GP_FRAMEWORK_COMP gives access to the Guided Procedure Framework. The following single roles are necessary for any guided procedure to run:
● SAP_SM_GP_PLUGIN (Guided Procedure SAP Note plug-in)
Caution: This role contains authorization object S_RFC_ADM with value 36 (extended maintenance) for the SAP-OSS RFC destination.
● SAP_SM_GP_EXE (Guided Procedure execution)
● SAP_SYSTEM_REPOSITORY_DIS (system display access)
● SAP_SUPPDESK_CREATE (incident creation)
Note: If you want to customize your own guided procedures, assign SAP_SM_GP_ADMIN. This role contains the critical authorization object S_SYS_RWBO with ACTVT 01, 02, 03, and authorization object S_TRANSPRT with ACTVT 01, 02, 03, 07 for Workbench requests and Customizing requests. If you do not want the user to create, change, delete, or display transport requests, you need to deactivate these objects. Additionally, authorization object S_CTS_ADMI with value TABL is included in the role. It must not be assigned in combination with transaction codes SE80 or STMS, as this combination gives superuser authorization in the ABAP development environment and the transport environment.
If you need to maintain SAPscript documentation using transaction SE61, you need to add the following authorization objects to the role:
● S_TCODE with value SE61
● S_DEVELOP with ACTVT 03 (display) for all object types
Authorization Roles for GP Content
The authorizations for the GP content are provided by the applications. These are explained in the individual scenario-specific guides:
● Application roles
● Work Center navigation roles
9.7 Work Center Navigation Role Concept
When using SAP Solution Manager, you work within the frame of so-called work centers. The work centers are Web Dynpro ABAP applications. They provide a user interface that gives the user easy access to all tools necessary for his or her tasks. The important factor of a work center is therefore the navigation structure it provides.
To be able to access the work centers, you need to be assigned so-called work center navigation roles. One navigation role exists for each work center.
All composite user roles contain the corresponding navigation role(s) SAP_SMWORK_<WorkCenter> that the user needs to execute tasks. In addition, all relevant authorizations for the work center framework are contained in the authorization role SAP_SMWORK_BASIC_<WorkCenter>. Each work center navigation role has a dedicated SAP_SMWORK_BASIC_<WorkCenter> role with the UI authorizations for the work center. For instance, the navigation role for work center Incident Management, technical role name SAP_SMWORK_INCIDENT_MAN, needs to be assigned together with the authorization role for the work center, technical role name SAP_SMWORK_BASIC_INCIDENT. The following sections explain the technical details of both roles.
Navigation Roles (Technical Role Names: SAP_SMWORK_<WorkCenter>)
General Information
Work center navigation roles (naming convention: SAP_SMWORK_<WorkCenter>) are based on the concept of authorization roles (transaction PFCG). In the description tab, you can find a first introduction and most important information about the navigation role.
Figure 14: Role Description Tab
Folder Hierarchy in the Menu
The defining factor of the navigation roles is the menu. The menu information in the role can be found on the tab Menu in the role. Therefore, you do not need to generate any profiles, but you need to execute a user comparison.
Figure 15: Role Menu Structure
The menu always consists of a two-folder hierarchy. It displays the menu hierarchy and entries in the SAP NetWeaver Business Client (NWBC).
Caution: SAP NWBC 4.0 and higher is not supported.
The first level is the home page or default page Web Dynpro application (WDA) of the work center (for instance Incident Management). The second level consists of several related links, such as Service Marketplace or Help Portal.
Adaptation of Related Links in the Navigation Panel
We recommend using the delivered navigation roles, but you can also adapt them for your own purposes. This means you can add new folders with applications in the Related Links area of the work center navigation panel, and you can delete existing folders. You cannot change entries in the work center areas Common Tasks or Navigation Panel Views in the role; you adapt these areas using authorization object SM_WC_VIEW.
Inactive Authorization Objects
In contrast to authorization roles, which contain a number of authorization objects for authorization purposes, work center navigation roles are only relevant for the navigation in the work center via menu options. They do not contain active authorization objects, except for authorization object S_TCODE with value SOLMAN_WORKCENTER.
Figure 16: S_TCODE for work center Incident Management
Nevertheless, in some navigation role menus you find additional transactions. These transactions must be present in the menu tab, as they define the transaction navigation in the work center User Interface. Having transactions in the menu tab allows the system to automatically trace all relevant authorization objects, which are connected to this transaction. Authorization objects for these transactions are set inactive. Do not activate inactive authorization objects in the navigation roles, as this may override your existing authorization concept. For instance, work center Implementation and Upgrade contains transactions. The according authorization objects are set inactive.
Figure 17: S_TCODE for work center Implementation and Upgrade
Clients to Run Work Centers
You can run the work centers in three clients: SAP GUI, Internet browser, and SAP NWBC.
Note: To define how the work centers are called from the SAP GUI (in the SAP GUI itself or by opening the browser) for certain users or user groups, see the IMG entries for SAP Solution Manager (Technical Settings > Work Centers).
● SAP GUI: using transaction SOLMAN_WORKCENTER
As of SAP Solution Manager Release 7.1 (SAP_BASIS 7.02), the SAP Easy Access menu can be hidden by setting the flag Hide Menu from SAP Easy Access in the navigation role. In transaction PFCG, choose the Menu tab for the role, then choose the Menu Options button. Here, you can set the flag to hide the menu in the SAP Easy Access menu. The roles are delivered with the flag set; therefore, by default the transaction entries do not appear in the SAP Easy Access menu. Nevertheless, you can call the work centers in the SAP GUI by entering transaction SOLMAN_WORKCENTER in the command field. Transaction SOLMAN_WORKCENTER is contained in all work center navigation roles.
Figure 18: Transaction PFCG Default - Hide Menu from SAP Easy Access
● Browser: using either the URL itself or calling transaction SM_WORKCENTER from the SAP Easy Access menu.
● SAP NWBC 3.0: The SAP NWBC is an additional client you can use. It needs a so-called control sequence in the navigation role (see figure Role Menu Structure). You may encounter a URL NWBC Control Sequence; this URL is only relevant for the use of work centers in the SAP NetWeaver Business Client (SAP NWBC).
Note: The folder display in the SAP NWBC differs from SAP GUI and Internet browser. The Related Links section can be found underneath the upper menu.
Figure 19: Change Management Work Center in SAP NWBC
Authorization Role for Navigation in the UI (Technical Role Name: SAP_SMWORK_BASIC_<WorkCenter>)
General Information
Each user who works within work centers needs the authorization role SAP_SMWORK_BASIC_<WorkCenter> in addition to the navigation role. With Release 7.1 we deliver a master role SAP_SMWORK_BASIC, which contains authorization objects that are relevant for all work centers. Authorization object SM_WC_VIEW is maintained individually for each work center ID.
Figure 20: Authorization object SM_WC_VIEW in role SAP_SMWORK_BASIC
It does not contain authorization objects that are required for individual work centers.
These roles are also contained in the composite roles for users, and must be fully maintained, including profile generation and user comparison. Due to the nature of the role, governing all User Interface authorizations for the work center navigation, its menu is not required to be displayed to the user. It is therefore hidden in the SAP Easy Access menu, see previous section on how to hide the Easy Access Menu.
User Interface (UI) Authorization Objects for POWL and Navigation Panel
All relevant authorizations that are related to the work center User Interface are contained in role SAP_SMWORK_BASIC_<WorkCenter> . This role needs to be assigned to the user together with the navigation role.
Note: Profile S_SMWC_BA contains the same authorizations. It is delivered for the SAPSUPPORT user for Root Cause Analysis (RCA).
The following authorization objects are relevant:
● Authorization object CA_POWL
Authorizations for Personal Object Work List (POWL)
● Authorization object S_DEVELOP
If you use function PDF Print, you need authorization object S_DEVELOP (activity: 03, object type OBJTYPE: SMIM) to be able to display icons in the document. This authorization must be added manually to the role.
● Authorization object SM_WC_VIEW
You can define the views in a work center navigation panel by adapting authorization object SM_WC_VIEW in the SAP_SMWORK_BASIC_<WorkCenter> role attached to the work center. For instance, if you only want to see the views for the Maintenance Optimizer in the work center for Change Management, you can do so by selecting only those views.
Note: In addition, for the following work centers you can also hide links, transactions, and buttons in the User Interface:
○ Technical Monitoring
○ Technical Administration
○ SAP Solution Manager Administration
○ SAP Solution Manager Configuration
○ Root Cause Analysis
○ Data Volume Management
○ Custom Code Management
This adaptation requires restricting two additional authorization objects, which are included in the main authorization roles for the respective scenarios. In these roles, the authorization objects are maintained according to the user definition of the composite role. The authorization objects and the underlying framework are explained in more detail in section Authorizations for User Interfaces.
Object Based Navigation (OBN) Targets for Client SAP NWBC 3.0
The roles SAP_SMWORK_BASIC_<WorkCenter> contain Object Based Navigation (OBN) targets. The OBN targets are defined by BOR object: SolManNavigation.
Figure 21: OBN Targets
Since the system always refers to the first OBN target to be found in the role assignment for a user, do not enter any OBN targets in one of the navigation roles for work centers.
Caution: When working with SAP NWBC, only ONE OBN target entry should be present across the roles assigned to a user. Therefore, if your users have two work centers and thus two SAP_SMWORK_BASIC_<WorkCenter> roles assigned, you need to delete the OBN target entries from at least one of the SAP_SMWORK_BASIC_<WorkCenter> roles. Proceed as follows:
1. Choose transaction PFCG.
2. Choose the SAP_SMWORK_BASIC_<WorkCenter> role for which you want to delete the OBN target navigation.
3. Go to tab Menu.
4. Choose button Other Node Details.
The system displays in a column all links which have an OBN target entry.
5. Delete the OBN target entry.
For further details about OBN navigation in SAP NWBC see: wiki.wdf.sap.corp/wiki/display/NWBC/Documentation .
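The rule above (NWBC takes the first OBN target it finds in the user's role assignment, and navigation roles must carry none) is easy to break silently when composite roles bundle several SAP_SMWORK_BASIC_<WorkCenter> roles. The following script is an added example, not SAP code: it models a PFCG download of the OBN target nodes per role plus the resolved role assignment per user, both constructed here for illustration, and reports every user for whom more than one role still contributes an OBN target for BOR object SolManNavigation, as well as any navigation role that carries OBN targets at all.

```python
"""Check for conflicting OBN targets across a user's work center roles.

Added example, not SAP code: role names, menu nodes and user assignments
below are constructed to resemble a PFCG download, not taken from a system.
"""

BOR_OBJECT = "SolManNavigation"

# Constructed: role -> menu nodes carrying an OBN target, as shown in PFCG under
# Menu -> Other Node Details: (node text, BOR object, method)
ROLE_OBN_TARGETS = {
    "SAP_SMWORK_BASIC_CHANGE_MAN": [("Change Management", "SolManNavigation", "navigate")],
    "SAP_SMWORK_BASIC_INCIDENT_MAN": [("Incident Management", "SolManNavigation", "navigate")],
    "SAP_SMWORK_BASIC_TECH_MON": [],          # OBN targets already deleted
    "SAP_SMWORK_CHANGE_MAN": [],              # navigation role, correctly without OBN targets
    "SAP_SMWORK_INCIDENT_MAN": [("Incident Management", "SolManNavigation", "navigate")],  # wrong
}

# Constructed: user -> single roles after composite-role resolution
USER_ROLES = {
    "CHANGE_MGR": ["SAP_SMWORK_CHANGE_MAN", "SAP_SMWORK_BASIC_CHANGE_MAN"],
    "SUPPORT_LEAD": ["SAP_SMWORK_BASIC_CHANGE_MAN",
                     "SAP_SMWORK_BASIC_INCIDENT_MAN",
                     "SAP_SMWORK_BASIC_TECH_MON"],
}


def obn_roles_for_user(user, user_roles=USER_ROLES, role_targets=ROLE_OBN_TARGETS):
    """Assigned roles that still carry at least one OBN target for BOR_OBJECT."""
    return [role for role in user_roles.get(user, [])
            if any(obj == BOR_OBJECT for _, obj, _ in role_targets.get(role, []))]


def find_obn_conflicts(user_roles=USER_ROLES, role_targets=ROLE_OBN_TARGETS):
    """Users for whom more than one role contributes an OBN target.

    NWBC resolves the first OBN target it finds in the user's role assignment,
    so with two of them one silently wins depending on assignment order.
    """
    conflicts = {}
    for user in user_roles:
        roles = obn_roles_for_user(user, user_roles, role_targets)
        if len(roles) > 1:
            conflicts[user] = roles
    return conflicts


def navigation_roles_with_obn(role_targets=ROLE_OBN_TARGETS):
    """Navigation roles (SAP_SMWORK_<WC>, not SAP_SMWORK_BASIC_<WC>) that carry OBN targets."""
    return sorted(role for role, nodes in role_targets.items()
                  if role.startswith("SAP_SMWORK_")
                  and not role.startswith("SAP_SMWORK_BASIC_")
                  and any(obj == BOR_OBJECT for _, obj, _ in nodes))


if __name__ == "__main__":
    for user, roles in find_obn_conflicts().items():
        print(f"{user}: keep OBN targets in one of {roles}, delete them in the others")
    for role in navigation_roles_with_obn():
        print(f"{role}: navigation role must not carry OBN targets")
```

Run it against a real export by replacing the two constructed dictionaries; the check is per user, because a role that is harmless on its own becomes a conflict as soon as a composite role pairs it with a second OBN-carrying role.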
9.8 Using SAP Solution Manager with Customer Relationship Management (CRM)
In Solution Manager, the concept of authorizations and navigation for this integration is similar to the work center navigation and authorization concept. We deliver one navigation role and several User Interface authorization roles.
As of Release 7.1, SAP Solution Manager is based on CRM 7.0 EhP1. In CRM 7.01, so called business roles are introduced, which define the navigation of any CRM UI screen, the CRM WebClient UI.
CRM WebClient UI Navigation Role
In SAP Solution Manager, the scenarios Incident Management, Change Request Management, and Issue Management use the CRM WebClient UI. Therefore, additional CRM UI navigation roles are required for any user for these scenarios. All roles that refer to the CRM WebClient UI have the naming convention SAP_SM_CRM_UIU_*.
As with the work center navigation roles for SAP Solution Manager, the CRM navigation is defined by specific roles (SAP_SM_CRM_UIU_SOLMANPRO), which are included in all relevant composite roles. In SAP Solution Manager only these roles are needed for navigation. They do not contain any authorization objects and need only be assigned to the user by user comparison.
CRM UI authorization roles contain the authorization object UIU_COMP. This authorization object defines which CRM components can be called by the application.
By default, they are specifically maintained, which grants exactly the access to the CRM components needed for the CRM WebClient UI screens of the required scenarios.
● SAP_SM_CRM_UIU_FRAMEWORK: This role contains all UIU_COMP authorizations necessary in all scenarios.
● Additional SAP_SM_CRM_UIU_SOLMANPRO_*: These roles contain specifically maintained UIU_COMP authorizations. The roles are complementary.
Figure 22: SAP_SM_CRM_UIU_* Role for Administrator for Incident Management
The roles for CRM - specific navigation are also contained in the respective composite roles for a scenario.
New Transaction Types
With the introduction of the CRM WebClient UI, we deliver new transaction types for Incident Management, Change Request Management, and Issue Management. The maintenance of most authorization objects of authorization class CRM is affected. If you customize your own transaction types, you need to add them to the according objects.
The standard roles are delivered with standard transaction types. If you modify the transaction types you use, you need to adapt the according authorization objects in CRM - related roles. This concerns many authorization objects of class CRM, as well as authorization objects B_USERSTAT and B_USERST_T.
9.9 Using SAP Solution Manager with Business Warehouse (BW)
9.9.1 General Information
Scenario Differentiation
The setup of BW for use with SAP Solution Manager is based on the so called Extractor Framework (EFWK). The EFWK is used to collect data, for instance from SAP Solution Manager and Introscope Enterprise Manager, for Business Warehouse by means of various extractors.
Within the automated basic settings configuration of the SAP Solution Manager system landscape, we differentiate between two possible setup scenarios for Business Warehouse (BW) integration. You run either:
Standard Scenario
● BW within Solution Manager system on the same client as the Solution Manager application
Remote BW Scenario
● BW within Solution Manager system in another client
● BW in another system
Most BW-related authorizations and roles are shipped with software component ST-BCO.
The configuration of the BW-related tasks is divided into two parts, in analogy to the setup of the SAP Solution Manager system: first a basic system configuration, which is mostly automated and after which all mandatory scenarios must run, and then the setup of the required scenarios. The same principle applies to the BW setup. During the basic configuration of Solution Manager you execute the basic configuration for its integration with BW. This initial configuration is a mandatory prerequisite for the scenario-specific configuration of BW reporting.
The following sections give you an overview on the respective configuration of the BW scenarios in regard to the authorizations, users, and RFC - connections, as well as the reporting dashboards based on BI - data.
BW Setting in Transaction SOLMAN_SETUP
For the system to be able to configure the data extraction correctly, you need to specify the setup scenario. In transaction SOLMAN_SETUP, you specify the system and the client in which your data extraction runs.
9.9.2 BI - Reporting Data Extraction
The BI reporting role concept is based on the existing role concept of SAP Solution Manager 7.1. BI reporting is integrated in the SAP Solution Manager work centers for the different applications. At present, we differentiate between three types of use cases in the area of BI-based reporting:
● Reporting data is stored in the SAP Solution Manager system
● Reporting data is stored in the managed systems
● Reporting data is stored in the BW-system
Reporting data extracted from the SAP Solution Manager system
The first type is a combination of a Solution Manager system and a BI system, where the reporting data is stored in SAP Solution Manager. The BI-based reporting delivered with SAP Solution Manager 7.1 currently contains the following applications:
● Incident Management Reporting (work center Incident Management)
● Test Workbench Reporting (work center Test Management)
● Enterprise Support Reporting
Reporting data extracted from managed systems
The second type extracts data from managed systems outside of the SAP Solution Manager system. Managed system reporting applications:
● End - User Experience Monitoring Reporting (work center Technical Monitoring)
● Process Integration Monitoring Reporting (work center Technical Monitoring)
● Connection Monitoring Reporting (work center Technical Monitoring)
● Root Cause Analysis Reporting (work center Root Cause Analysis)
● Alert Management (work center Technical Monitoring)
● Early Watch Alert (work center Technical Monitoring)
● Database Performance (work center Technical Monitoring)
● Business Process Monitoring Reporting (work center Business Process Operations)
● Job Monitoring Reporting (work center Job Management)
● Data Base Performance Reporting (work center Technical Monitoring)
● Data Volume Management Reporting (work center Data Volume Management)
Reporting data extracted from the BW system
The third type extracts data from the BW system itself. BW system reporting applications:
● ES-Reporting
● Monitoring and Alerting
9.9.3 Configuration of BW and Activation of BW - Content (Step by Step)
Note: See also SAP Note 1487626.
In this section, the configuration and operation process for BW-data extraction and reporting is explained for both main setup scenarios. All users mentioned and their assigned roles are explained in more detail in the chapter on users for BW in the Landscape Setup Guide.
Table 26: BW configuration and operation, by setup scenario (Standard Scenario, Remote Scenario, Additional Remarks)

1 Configure BW and Activate Content

To use Business Warehouse (BW), you need to configure it initially. This includes the activation of all technical content and of the source system in the according BW client. The system executes the initial configuration via transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration) in a number of configuration steps.

Standard Scenario: The configuration is done by user SM_BW_ACT, who is authorized to schedule activation job CCMS_BI_SETUP to activate the BW content. The user activating the technical content is also SM_BW_ACT. Since BW runs in the same client as the productive Solution Manager, the SOLMAN_ADMIN user is used as the BW administration user, and since BW client and Solution Manager client are the same, RFC destination NONE is used to connect them.

Remote Scenario: The configuration is done by a dedicated BW administration user in the BW system, for instance SM_BW_ADMIN, who is authorized to schedule activation job CCMS_BI_SETUP to activate the BW content. The user activating the technical content is also SM_BW_ADMIN. The RFC destination used is SAP_BID.

Additional Remarks: All necessary RFC destinations are created and written to table E2E_WA_CONFIG:
● SAP_BID: a write RFC destination BI_CLNT<BWClient> with RFC user SMD_BI_RFC (when it is used for content activation, user parameter BATCH_USER_ID must name the administration user)
● SAP_BIEX: a read RFC destination BW_SM_<BI_SID>CLNT<BIClient> with RFC user BW_SM_<SolManSID>
● SAP_BILO: a trusted RFC destination for end users

2 Start Extractors in the Managed System, the SAP Solution Manager System, and the BW System

Both scenarios: The job EFWK RESOURCE MANAGER is scheduled by user SOLMAN_ADMIN. SOLMAN_ADMIN has the authorization to let another technical user, SM_EFWK, run the program E2E_EFWK_RESOURCE_MGR, which is called in the job step; there the program is started and runs under user SM_EFWK. The program starts the framework for the extractors. It starts extractors in the local system (Solution Manager), for instance for CRM-related, TWB-related and ESR-related data; in the managed systems for KPI-related data; and in the BW system for ESR-related data.

Additional Remarks: For each extractor, user SM_EFWK is assigned separate authorization roles. Table E2E_ACTIVE_WLI contains all extractors which have been started.

3 Run Extractors in the Managed System, the SAP Solution Manager System, and the BW System

Standard Scenario: Extractors in the local system are started by technical user SM_EFWK. Extractors in the managed systems are run by the READ user, as the READ RFC destination is used.

Remote Scenario: As in the standard scenario; in addition, extractors in the BW system are run by the technical user SM_BW_<SolManSID> via RFC connection SM_BW_<BI_SID>CLNT<BIClient>.

4 Load Data in the BW System

The data extracted from the various systems into SAP Solution Manager is loaded into the BW system.

Standard Scenario: The data in the SAP Solution Manager client is pushed to the BW component in SAP Solution Manager using RFC destination NONE. The same user that executes the extractor program, SM_EFWK, is used to load the data into the BI cubes.

Remote Scenario: The data in the SAP Solution Manager client is pushed from Solution Manager to the BW system using RFC destination BI_CLNT<BI_Client>. User SMD_BI_RFC is used in this RFC.

Additional Remarks: Data extracted in the BW system for ESR is sent to SAP. Data extracted in the BW system for MAI is pushed into MAI in the Solution Manager system.

5 Display BW Content

Standard Scenario: According to the individual scenarios, user roles (composite roles) are provided as templates. These composite roles include BW reporting roles (single roles) for the appropriate user. These reporting roles contain all relevant authorizations for displaying BW content. To fetch the data, RFC destination NONE is used by the according dialog user.

Remote Scenario: The composite roles likewise include the BW reporting single roles with all relevant authorizations for displaying BW content. BI reporting uses Web Templates: a query is executed in the BW system, and to fetch the data an HTTP call is made and the trusted RFC destination SAP_BILO is used to read it. This requires that the dialog user in the Solution Manager system has a corresponding user with the same user ID in the BW system/client. Both users need the trusted-RFC authorizations (authorization object S_RFCACL in the BW system); the trust relationship replaces password logon for this call.

Additional Remarks: RFC destination SAP_BILO is also used for the Monitoring and Alerting Infrastructure (in the Alert Inbox, it is possible to display the Metric Monitor application) and for all dashboards whose data resides in the BW system.

6 Reorganize BW Data (Not RCA) and Validate Configuration

Both scenarios: To trigger the reorganization of BW data and the configuration validation, a BW callback RFC destination <SolutionManager-client>CLNT<SolutionManager-ProductiveClient> with technical user BI_CALLBACK is needed in SAP Solution Manager.

Additional Remarks: The same RFC destination is used for enriching LMDB data.
9.9.4 Diagnostics Center
The Diagnostics Center is a tool to check your configuration of BI - Reporting by executing checks.
1. A dialog user starts the Diagnostics Center from the SAP Solution Manager Administration work center (Infrastructure, BW Reporting).
2. The checks in the managed system are running with system user SM_<Client>_READ.
3. The checks in the Solution Manager system are running via the logged on dialog user.
4. The checks for the BI are running via RFC destination NONE (dialog user). In the case of a remote scenario, RFC destination BI_CLNT<client> (user SMD_BI_RFC).
9.9.5 BI - Reporting Authorizations and Roles
Using BW - reporting requires that the user has BW - authorizations (Authorization object class RS) assigned. In general, these authorizations are included in the relevant BW - composite roles. As BI - reporting is based on the extractor framework, the user needs to have the according BW - reporting authorizations as well as extractor authorizations. For more information, see according scenario - specific guides.
Software Components Containing Authorization Objects
Functionality for SAP Solution Manager is delivered with both software components ST and ST-BCO, and both contain authorization objects.
Authorization Check
The authorization check for BW works as follows: if no BW data is available in the system, it cannot be displayed. For instance, in Business Process Operations for Health Check Analysis, you may select a solution for which no BW data is present in the system; in this case, the system does not display any solution data.
Display Authorization for Role SAP_BI_E2E
Role SAP_BI_E2E contains activation authorizations for all BI - reporting scenarios as well as batch authorizations. It is not delivered as a display role, as such a use case would be very specific. For instance, if you want to display performance data in the Alerting Framework in work center SAP Solution Manager Administration, you need to add role SAP_BI_E2E as well.
If you want to restrict the role for display purposes, do as follows:
1. Copy role SAP_BI_E2E.
2. Restrict the activity field ACTVT for all authorizations to display (usually 03).
3. Set the authorization objects S_BTCH_* to inactive.
9.9.6 Using BI - Dashboards for BI - Reporting
BI - reporting is implemented in several work centers of the SAP Solution Manager. Recently, it became more and more important to aggregate data for several business areas. Dashboards provide an adequate type of display of BI data in a compressed way, filtered for different user groups. Therefore, it is necessary to limit the access to different information for different users.
BI - reporting is implemented for various scenarios, see section BI - Reporting Scenarios. BI - dashboards are based on the BI - reporting function for some of these scenarios.
Dashboard Framework
The dashboard framework integrates dashboards in applications of Solution Manager and allows the use and presentation of data from the Business Warehouse in Solution Manager. It enables the flexible configuration of dashboards with the help of business apps.
Dashboard View
Figure 23: Dashboard View
Authorization Concept
BI - reporting dashboards are integrated in the Dashboard Framework.
During runtime the system creates a dashboard - instance from a dashboard type. A dashboard - instance contains one or more app - instances and/or dashboard - instances. The app - instances are derived from app - type.
The following areas are restricted:
● Activities on an existing dashboard (instance): authorization object SM_DSBINST. The content of the dashboard is restricted at the same time; individual app instances are not explicitly restricted.
● Data suppliers are restricted implicitly via the according app type: authorization object SM_APPTYPE.
● Activities on existing app types, including dashboard types: authorization object SM_APPTYPE.
● Extended administrative activities on framework level, such as registration, transport, and creation of new dashboards: authorization object SM_DSBFWK.
In addition, we introduce the attribute authorization group, which sorts instances and types into authorization groups. This enables the administrator to restrict a whole set of instances with one authorization; a single instance can be restricted by assigning it its own authorization group. We deliver the default authorization group Public. An entity whose authorization group is explicitly changed away from the default is thereby locked for users who are only authorized for that default group.
Required Tables
Authorization for the creation and usage of dashboards and apps has to be assigned on the type and instance level. Consider the following table entries:
● The differentiation between dashboard and app can be found in field APP_TYPE of table DSH_APPTYPE.
● For the categorization of types and instances, the tables DSH_APPTYPE and DSH_APP_INSTANCE contain the field AUTH_GROUP.
● The field AUTH_GROUP is maintained in tables DSH_APP_INSTANCE and DSH_APPTYPE. In table DSH_AUTHGROUPS the valid values are stored.
Authorization Objects
The following authorization objects are used in the delivered roles:
● SM_DSBINST: Solution Manager Dashboard Instance
● SM_APPTYPE: Solution Manager App Type
● SM_DSBFWK: Solution Manager Dashboard Framework
Figure 24: Authorization Objects in Role SAP_SM_DASHBOARD_DISP
For the control of these authorizations the components of the framework are responsible, not the apps or the dashboards. Apps and dashboards are publishing their authorization groups only.
Authorization Roles
According to the overall authorization concept of SAP Solution Manager three roles are delivered:
● SAP_SM_DASHBOARDS_DISP: You assign this role to a standard dashboard user who is not maintaining the existing dashboards. The user is able to display dashboard instances attributed with the value Public in the authorization group field. All embedded app instances and dashboard instances are visible.
All necessary roles for displaying dashboards in scenarios are included in the according composite roles for users. They have the naming convention SAP_SM_DASHBOARDS_DISP_<scenario> or SAP_SM_DASHBOARD_DISP_CIO_<scenario>, for instance SAP_SM_DASHBOARDS_DISP_EEM for scenario End User Experience Monitoring in work center Technical Monitoring, see scenario - specific guides.
● SAP_SM_DASHBOARDS_PROCESS: You assign this role to a dashboard user maintaining the existing dashboard instances. The user can create, copy and configure app instances within an existing dashboard.
● SAP_SM_DASHBOARDS_ADMIN: You assign this role to a dashboard user administrating the Dashboard Framework. Furthermore, the role contains all necessary authorizations to perform all governance tasks concerning dashboards. In a development environment, this role is assigned to dashboard developers.
Figure 25: Authorization roles for Dashboards
In addition, the following dashboard roles are delivered:
● SAP_SM_DASHBOARDS_DISP_PUB: This role allows you to create your own dashboards. In addition to this role, you always need to assign either SAP_SM_DASHBOARDS_ADMIN or SAP_SM_DASHBOARDS_PROCESS, as well as the scenario-related end-user roles (see the according scenario-specific guides).
● SAP_SM_DASHBOARDS_DISP_CIO_MGT: Role for management reporting on KPIs.
● SAP_SM_DASHBOARDS_DISP_CIO_TOP: Role for technical operations. It does not contain any authorization values and can be customized. For information, see the according online documentation.
9.10 Using the Help Center
You have the option to use the help center functionality, which resides in SAP Solution Manager as well in the managed systems.
If you want to maintain/administer the help center you need to have additional authorization. In the following paragraphs we outline, which additional user roles and authorizations you need to assign to your users.
Roles and Authorizations
Roles for Using and Administering Help Center in SAP Solution Manager and Managed Systems
Roles for Help Center in managed systems can also be applied to SAP Solution Manager itself, if you want to maintain the Help Center for SAP Solution Manager.
Table 27
Name Remarks
SAP_BC_WDHC_ADMINISTRATOR Authorization to administer Help Center
SAP_BC_WDHC_POWERUSER Authorization to use Help Center
Prerequisite
On configuring and connecting Help Center of a managed system, see IMG - activity: Information and Configuration Prerequisites (technical name: SOLMAN_HC_INFO)
9.11 Authorizations for User Interfaces
Since SAP Solution Manager is based on a variety of software components, its user interface technologies are also varied. SAP Solution Manager uses the following technologies, which are integrated with each other:
● ABAP WebDynpro
● BSP based technology (CRM 7.01 WebClient UI)
● ABAP SAPGUI transactions
● Java WebDynpro (Java stack)
All user interfaces can be called via the different clients. The following sections give an overview of the varying authorizations that determine the user interfaces.
ABAP WebDynpro Authorizations
ABAP WebDynpro is used for most applications in SAP Solution Manager; in particular, newly developed functions use ABAP WebDynpro.
Start Authorization Object: S_SERVICE
The maintenance of authorization objects for ABAP WebDynpro in transaction PFCG is mainly done manually, due to former restrictions for this type of technology in transaction PFCG.
Since Release 7.1 is based on component SAP_BASIS 7.02, it is possible to maintain the application in transaction PFCG.
Figure 26: Enter a service as authorization default in a role in transaction PFCG
The system uses the SU22 trace and adds authorization objects automatically into the profile with status Standard. It is therefore possible to add or delete individual application IDs. This technique is only used in SAP Solution Manager for completely new functions and roles, for instance Notification Administration. For all other roles, manually maintained authorization objects still exist. Maintaining applications on tab Menu in transaction PFCG involves authorization object S_SERVICE: for each application entered in the menu of a role, the system enters the application as a service in this object. The object is therefore always included in the authorization roles for the function as the start authorization; in this function it corresponds to authorization object S_TCODE for SAPGUI transactions.
Figure 27: Authorization object S_SERVICE
The service appears as an ID in the authorization object.
Work Center Navigation View Panel Authorization Object: SM_WC_VIEW
All work center home page applications are ABAP WebDynpro based. Work center views, if required subviews, and the common task level can be restricted by the authorization object SM_WC_VIEW. This authorization object is contained in the role SAP_SMWORK_BASIC_<WorkCenter>.
You may need to adapt this authorization object for instance in scenarios in which the user can select copied transaction types in subviews or views, such as Incident Management or Change Request Management. To be able to adapt, proceed as follows:
1. Choose transaction SM30.
2. Choose table AGS_WORK_VIEW.
3. Copy the according entry for the transaction type.
4. Adapt the copied entry.
Table AGS_WORK_VIEW is used as the value help for the authorization object. You can add views and tasks to your work centers and control them using this authorization object. Activate the BAdI Implementation in the IMG for SAP Solution Manager in transaction SPRO.
The BAdI implementation fills the value help table for the authorization object. To use the trace, you must activate the BAdI and go to the work center. The system enters the work center IDs in the value help table AGS_WORK_VIEW. You can then adjust the authorization object in the role.
In a nutshell:
1. Activate BAdI: AGS_WORK_AUTH_SM_WC_VIEW in Enhancement EHN_AGS_WORK_AUTH_UI (activate via transaction SOLMAN_SETUP)
2. Activate BAdI: AGS_WORK_AUTH_F4_TRACE in Enhancement EHN_AGS_WORK_AUTH_TRACE (activate via transaction SPRO).
3. Go to transaction PFCG, and call role SAP_SMWORK_BASIC_<work center>.
4. Change the values in the authorization object, for instance only add those views which you want to see, leave out those you do not want to see.
5. Generate the profile, and assign the role to the user.
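Before you generate the profile in step 5, it pays to check that the reduced SM_WC_VIEW values really hide what you intend and nothing else, and the same question arises for the dashboard authorization groups described under Authorization Concept for BI dashboards (a user with SAP_SM_DASHBOARDS_DISP sees only instances in group Public). The following script is an added example, not SAP code: it reproduces the value-matching rules an AUTHORITY-CHECK applies to PFCG field values (exact value, trailing-asterisk prefix, '*' for everything, from-to range; fields within one authorization ANDed, authorizations from any role ORed) so that a planned restriction can be evaluated offline. The role name starting with Z_, the field names WC_ID, VIEW_ID and AUTH_GROUP, and the dashboard instances are assumptions constructed for the example.

```python
"""Offline model of SAP AUTHORITY-CHECK value matching for SM_WC_VIEW and SM_DSBINST.

Added example, not SAP code. Roles starting with Z_, the field names WC_ID /
VIEW_ID / AUTH_GROUP and the dashboard instances are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str
    values: dict  # field -> tuple of allowed values: exact, 'PREFIX*', '*', or (lo, hi)


def value_matches(pattern, value):
    """One maintained field value against the value being checked."""
    if isinstance(pattern, tuple):          # from-to range, compared as strings
        lo, hi = pattern
        return lo <= value <= hi
    if pattern == "*":
        return True
    if pattern.endswith("*"):               # generic value: prefix match
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, obj, **checked):
    """Succeeds if ONE authorization for obj satisfies EVERY checked field.

    Fields inside an authorization are ANDed; authorizations, whichever role
    they come from, are ORed. A field the authorization does not maintain fails.
    """
    return any(
        a.obj == obj and all(
            any(value_matches(p, v) for p in a.values.get(f, ()))
            for f, v in checked.items())
        for a in auths)


# Constructed roles (single roles after profile generation)
ROLES = {
    # copy of SAP_SMWORK_BASIC_CHANGE_MAN reduced to the Maintenance Optimizer views
    "Z_SMWORK_BASIC_CHANGE_MAN_MOPZ": [
        Authorization("SM_WC_VIEW", {"WC_ID": ("CHANGE_MAN",), "VIEW_ID": ("MOPZ*",)}),
    ],
    # display user: only instances in authorization group PUBLIC, activity 03
    "SAP_SM_DASHBOARDS_DISP": [
        Authorization("SM_DSBINST", {"AUTH_GROUP": ("PUBLIC",), "ACTVT": ("03",)}),
    ],
    "SAP_SM_DASHBOARDS_ADMIN": [
        Authorization("SM_DSBINST", {"AUTH_GROUP": ("*",), "ACTVT": ("*",)}),
    ],
}


def user_auths(*roles):
    """Flatten the authorizations of the given roles, as the user buffer would."""
    return [a for role in roles for a in ROLES[role]]


def can_see_view(auths, wc_id, view_id):
    return authority_check(auths, "SM_WC_VIEW", WC_ID=wc_id, VIEW_ID=view_id)


def can_act_on_dashboard(auths, instance, actvt="03"):
    """instance mimics a DSH_APP_INSTANCE row with its AUTH_GROUP field."""
    return authority_check(auths, "SM_DSBINST", AUTH_GROUP=instance["AUTH_GROUP"], ACTVT=actvt)


# Constructed dashboard instances; FINANCE_KPI was moved out of the default group PUBLIC
DASHBOARDS = [
    {"name": "EEM_OVERVIEW", "AUTH_GROUP": "PUBLIC"},
    {"name": "FINANCE_KPI", "AUTH_GROUP": "FIN_ONLY"},
]


def visible_dashboards(auths):
    return [d["name"] for d in DASHBOARDS if can_act_on_dashboard(auths, d)]


if __name__ == "__main__":
    mopz_user = user_auths("Z_SMWORK_BASIC_CHANGE_MAN_MOPZ")
    print("MOPZ_OVERVIEW visible:", can_see_view(mopz_user, "CHANGE_MAN", "MOPZ_OVERVIEW"))
    print("CHARM_REQUESTS visible:", can_see_view(mopz_user, "CHANGE_MAN", "CHARM_REQUESTS"))
    print("display user sees:", visible_dashboards(user_auths("SAP_SM_DASHBOARDS_DISP")))
```

The point to take from the model is the OR across authorizations: a restriction in your Z_ copy is undone if the same user keeps the unrestricted SAP_SMWORK_BASIC_<WorkCenter> role through another composite role, because its '*' values satisfy the check on their own.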
URL Framework: SM_WD_COMP and SM_APP_ID
Specific applications can be restricted by the authorization objects SM_WD_COMP and SM_APP_ID. They are used in the following work centers in SAP Solution Manager:
● Technical Administration
● Technical Monitoring
● SAP Solution Manager Configuration
● Solution Manager Administration
● Root Cause Analysis
Both authorization objects restrict views, subviews, URL links, transactions, or buttons leading to separate screens. For all roles delivered as default template roles by SAP, these objects are already maintained according to the user definition by SAP. The authorization objects are included in the applicable core single authorization roles for the application.
For instance, for End-user experience monitoring (EEM), the core single role is SAP_SM_EEM_*.
Figure 28: EEM core single role with UI authorization objects SM_APP_ID and SM_WD_COMP
The role contains all application IDs relevant for the respective EEM user role. It does not contain the application ID for the EEM dashboard application, though; that ID is included in the core dashboard authorization role for EEM, SAP_SM_DASHBOARDS_DISP_EEM.
Figure 29: EEM Dashboard role with UI authorization objects SM_APP_ID and SM_WD_COMP
Both authorization objects SM_WC_VIEW and SM_WD_COMP are used to define the User Interface of the above mentioned work centers.
Figure 30: Integration of authorization objects SM_WC_VIEW and SM_WD_COMP
Caution: The use of user interface authorizations can lead to misleading ST01 traces. If you trace an application because of authorization error messages, the trace analysis displays all authority checks executed by the system, including those for user interface authorizations. Where the user interface is restricted by the above-mentioned objects, the missing authorizations for them are marked with return code (RC) 4. If you are not tracing for the user interface element, you can ignore these entries.
You can adapt the authorization objects, and therefore the user interface, for all scenarios of these work centers. To do so, use the so-called URL framework, where you find the values for the application you want to restrict. Proceed as follows:
1. Call the URL <server.domain>:<HTTPport>/sap/bc/webdynpro/sap/urlapi_app_manager.
2. Open the links for the work center you want to adapt.
3. Check the application view.
The authorization object is displayed on the same page.
Figure 31: URL Framework
Note: We recommend that you do not change the delivered SAP roles.
BSP CRM WebClient
BSP-based technology is used in the CRM WebClient user interface, which is called from the work centers' ABAP Web Dynpro applications for Incident Management and Change Request Management. Similar to the work center navigation role concept, a CRM navigation role is delivered together with the authorization roles for the user interface. For more information, see section Using SAP Solution Manager with CRM.
The authorization object for the CRM user interface is UIU_COMP. It restricts authorizations for CRM components and the applications that use them, and thereby controls which components a user can call.
Figure 32: Authorization Object UIU_COMP
We deliver specific roles for this authorization object, which are again contained in the respective composite roles. All roles for the UIU_COMP authorization object follow the naming convention SAP_SM_CRM_UIU_*. They are layered according to the user definition they are defined for, and they are additive. For instance, if you use the administrator role for Incident Management, you find two UIU_COMP roles included, as the UIU_COMP authorizations in both roles add up. The Incident Management role for the processor includes only one UIU_COMP role. We recommend that you do not change the delivered SAP roles.
Caution: An ST01 trace always displays all possible values for this authorization object. Only the objects included in the above-mentioned roles are relevant for SAP Solution Manager applications. For instance, a trace may show about 500 checks for authorization object UIU_COMP, of which only about 20 are relevant for SAP Solution Manager use. We recommend that you do not change the delivered SAP roles.
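To show how the two cautions above (RC=4 entries for UI restrictions, and the many UIU_COMP checks that are irrelevant for SAP Solution Manager) play out when you read a trace, the following script is an added example written for this page; it is not SAP code. It triages authorization-trace entries in a constructed line format (real ST01 output is a screen list and has to be exported first) and separates UI restrictions and irrelevant UIU_COMP components from the checks an administrator actually has to act on. The trace lines, the component allowlist and all field values are constructed for the example.

```python
"""Triage of authorization-trace entries, added example (not SAP code).

The line format is constructed for this example: one entry per line, fields
separated by '|': check type, authorization object, return code and the
checked field values. Real ST01 output must be exported before a script can
read it.
"""
import re
from collections import Counter

# UI authorization objects named in this guide. A failed check on one of
# them only restricts what is shown in a work center or the CRM WebClient.
UI_OBJECTS = {"SM_WC_VIEW", "SM_WD_COMP", "SM_APP_ID", "UIU_COMP"}

# Constructed sample trace (hypothetical values, not from a real system).
SAMPLE_TRACE = """\
AUTH|S_TCODE|0|TCD=SM_WORKCENTER
AUTH|SM_WC_VIEW|4|SM_WC_VIEW=AGS_WORK_ITSM_ADMIN;ACTVT=03
AUTH|UIU_COMP|4|COMP_NAME=ZZ_UNRELATED_COMP;COMP_WIN=*;COMP_PLUG=*
AUTH|UIU_COMP|0|COMP_NAME=AIC_INCIDENT_H;COMP_WIN=*;COMP_PLUG=*
AUTH|UIU_COMP|4|COMP_NAME=AIC_CMCR_H;COMP_WIN=*;COMP_PLUG=*
AUTH|S_RFC|4|RFC_TYPE=FUGR;RFC_NAME=SYST;ACTVT=16
AUTH|S_TABU_DIS|4|DICBERCLS=SDCO;ACTVT=02
"""

# Component names that the SAP_SM_CRM_UIU_* roles of the user's composite
# role contain (hypothetical list; take the real one from PFCG).
RELEVANT_UIU_COMPONENTS = {"AIC_INCIDENT_H", "AIC_CMCR_H"}

ENTRY = re.compile(r"^(?P<kind>[A-Z]+)\|(?P<obj>[A-Z0-9_/]+)\|(?P<rc>\d+)\|(?P<fields>.*)$")


def parse_trace(text):
    """Parse the constructed trace format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split(";") if "=" in kv)
        entries.append({"object": m["obj"], "rc": int(m["rc"]), "fields": fields})
    return entries


def classify(entry, relevant_uiu, tracing_ui=False):
    """Return 'ok', 'uiu_noise', 'ui_restriction' or 'missing_auth'."""
    obj, rc, fields = entry["object"], entry["rc"], entry["fields"]
    if rc == 0:
        return "ok"
    if obj == "UIU_COMP" and fields.get("COMP_NAME") not in relevant_uiu:
        # UIU_COMP checks for components outside the SAP_SM_CRM_UIU_* roles
        return "uiu_noise"
    if obj in UI_OBJECTS and not tracing_ui:
        # RC=4 on a UI object: the element is intentionally hidden, not an error
        return "ui_restriction"
    return "missing_auth"


def triage(text, relevant_uiu=RELEVANT_UIU_COMPONENTS, tracing_ui=False):
    """Count entries per class and list the ones an administrator must act on."""
    counts = Counter()
    todo = []
    for entry in parse_trace(text):
        label = classify(entry, relevant_uiu, tracing_ui)
        counts[label] += 1
        if label == "missing_auth":
            todo.append((entry["object"], entry["fields"]))
    return counts, todo


if __name__ == "__main__":
    counts, todo = triage(SAMPLE_TRACE)
    print(dict(counts))
    for obj, fields in todo:
        print("add authorization:", obj, fields)
```

Set tracing_ui=True when the error you are chasing is a hidden view or component; the RC=4 entries on the UI objects are then reported as missing authorizations instead of being filtered out.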
ABAP SAPGUI Transactions
SAP GUI transactions are still called from within ABAP WebDynpro in the work centers. The start authorization for ABAP transactions is contained in authorization object: S_TCODE.
9.12 Critical RFC Connections and Authorization Objects
9.12.1 Generated RFC Connection SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED
In a heterogeneous system landscape with SAP Solution Manager as the managing platform, you need RFC connections between SAP Solution Manager and the managed systems.
The most critical RFC connection between SAP Solution Manager and its managed systems is the so-called trusted RFC connection. It allows a seamless integration of both systems: once configured, you can log on to one system and work in the other without logging on again. Therefore, this connection is only used in defined cases in which such an integration is absolutely necessary.
For more information about which scenarios require a trusted RFC - connection, see scenario-specific guides.
Note: Using SAProuter between SAP Solution Manager and managed systems may cause problems in some functions, for instance BSP applications. To solve these, see SAP Note 555162.
Trusted RFC connection configuration
The trusted RFC connection can be set up in transaction SOLMAN_SETUP (SAP Solution Manager Configuration work center) in view Managed Systems. How to set up this RFC connection is described in the help section for this step in the system.
Figure 33: Transaction SOLMAN_SETUP: Setting up RFC connections
9.12.2 Authorization Objects S_RFCACL and S_RFC_TT for Trusted RFCs
In transaction SM59, the RFC destination to the trusting system has the logon setting Current User and Trust Relationship set to Yes.
Figure 34: Trusted RFC Logon Settings
Authorization errors in the use of an RFC destination flagged as a Trusted System produce the following message: No Authorization to logon as Trusted System (Trusted RC = #).
Every authorization error when using an RFC destination flagged as a Trusted System is a RABAX (ABAP runtime error). The RABAX contains detailed error information. To analyze the error:
1. Choose transaction ST22 and the selection period.
2. Choose the entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. The paragraph Troubleshooting, contains the information necessary to correct the error.
Return Code
Table 28: Trusted RC values, their meaning, and what to do
Return code 0: Invalid logon data (user and client) for the trusting system. To do: create a corresponding user in the client system for the user in the server system (trusting system).
Return code 1: The calling system is not a trusted system, or the system security ID is invalid. To do: create the trusted RFC connection again.
Return code 2: The user has no authorization containing the authorization object S_RFCACL, or is logged on as the protected user DDIC or SAP*. To do: give the user the authorization, or do not use the protected users DDIC or SAP* (see profile parameter and value login/no_automatic_user_sapstar = 0).
Return code 3: The timestamp of the logon data is invalid. Check the system time in the client and in the server, and the validity date of the logon data. To do: synchronize the system times.
Authorization Object S_RFCACL
To use the trusted RFC connection, you need to have the authorization object S_RFCACL in the Solution Manager and in the managed system assigned to your user. This authorization object is not contained in profile SAP_ALL due to its highly critical nature.
Note: The roles SAP_SM_S_RFCACL and SAP_SM_BW_S_RFCACL for template users created in transaction SOLMAN_SETUP contain authorization object S_RFCACL, whose authorization fields allow a trusted/trusting relationship between SAP Solution Manager and any managed system. In addition, the authorization object is included in role SAP_SM_BASIC_SETTINGS for the automated basic configuration of SAP Solution Manager. If your security rules do not allow the use of this authorization object, remove the role from the user and/or deactivate the authorization object in the role after the basic settings configuration.
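To make the return codes of Table 28 and the S_RFCACL field semantics concrete, the following script is an added example written for this page; it is not SAP's implementation of the trusted logon. It is a simplified model: the trust list, the users, the S_RFCACL authorizations, the clock tolerance and the order in which the checks run are assumptions of the model, and the system IDs, clients and user names are constructed.

```python
"""Model of the trusted RFC logon checks, added example (not SAP code).

Simplified simulation written for this guide page: it reproduces the four
Trusted RC values of Table 28, the S_RFCACL field semantics, and the refusal
of the protected users DDIC and SAP*. The order of the checks and the clock
tolerance are assumptions of this model, not documented kernel behaviour.
"""
from fnmatch import fnmatchcase

PROTECTED_USERS = {"DDIC", "SAP*"}
MAX_CLOCK_SKEW_SECONDS = 300   # tolerance chosen for this example

# Constructed data of the trusting (server) system SAT, hypothetical values.
TRUSTED_SYSTEMS = {("SM7", "300")}          # SAT trusts calls from SM7 client 300
USERS_IN_TRUSTING_CLIENT = {"SOLMAN_ADMIN", "SMDAGENT_SAT", "DDIC"}

# S_RFCACL authorizations per user in the trusting system.
# RFC_EQUSER='Y': the calling user must have the same user ID; RFC_USER is
# then left blank. RFC_EQUSER='N': the calling user must match RFC_USER.
S_RFCACL = {
    "SOLMAN_ADMIN": [
        {"RFC_SYSID": "SM7", "RFC_CLIENT": "300", "RFC_USER": " ",
         "RFC_EQUSER": "Y", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16"},
    ],
    "SMDAGENT_SAT": [
        {"RFC_SYSID": "SM7", "RFC_CLIENT": "300", "RFC_USER": "SOLMAN_BTC",
         "RFC_EQUSER": "N", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16"},
    ],
}


def s_rfcacl_allows(auths, sysid, client, calling_user, target_user, tcode):
    """True if one S_RFCACL authorization covers this calling context."""
    for a in auths:
        if not (fnmatchcase(sysid, a["RFC_SYSID"]) and fnmatchcase(client, a["RFC_CLIENT"])):
            continue
        if a["ACTVT"] != "16" or not fnmatchcase(tcode, a["RFC_TCODE"]):
            continue
        if a["RFC_EQUSER"] == "Y":
            if calling_user == target_user:
                return True
        elif fnmatchcase(calling_user, a["RFC_USER"]):
            return True
    return False


def trusted_logon_rc(sysid, client, calling_user, target_user, tcode,
                     logon_timestamp, server_time):
    """Return the Trusted RC from Table 28, or None if the logon is accepted."""
    if target_user not in USERS_IN_TRUSTING_CLIENT:
        return 0   # invalid logon data for the trusting system
    if (sysid, client) not in TRUSTED_SYSTEMS:
        return 1   # calling system is not a trusted system
    if (calling_user in PROTECTED_USERS or target_user in PROTECTED_USERS
            or not s_rfcacl_allows(S_RFCACL.get(target_user, []), sysid, client,
                                   calling_user, target_user, tcode)):
        return 2   # no S_RFCACL authorization, or protected user involved
    if abs(server_time - logon_timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return 3   # timestamp of the logon data is invalid
    return None


def error_message(rc):
    """The message the trusting system sends on a failed trusted logon."""
    return f"No Authorization to logon as Trusted System (Trusted RC = {rc})"


if __name__ == "__main__":
    for args in [("SM7", "300", "SOLMAN_ADMIN", "SOLMAN_ADMIN", "SM59", 1000, 1010),
                 ("SM7", "300", "SOLMAN_BTC", "SOLMAN_ADMIN", "SM59", 1000, 1010)]:
        rc = trusted_logon_rc(*args)
        print(args[2], "->", args[3], ":", "accepted" if rc is None else error_message(rc))
```

The second sample call fails with RC 2 although the calling system is trusted: SOLMAN_ADMIN's authorization has RFC_EQUSER = Y, so only a caller with the same user ID is accepted. That is the case to look for in ST22 before widening S_RFCACL.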
Authorization Object S_RFC_TT
Authorization object S_RFC_TT is only required for creating trusted authorizations for managed systems as of SAP_BASIS 7.02 SP03 and higher, see SAP Note 1734607.
More Information
● on authorization object S_RFCACL see: help.sap.com/nw70
● on role SAP_SM_BASIC_SETTINGS, see Landscape Setup Guide
9.12.3 Generated RFC Connections READ, TMW and BACK
Apart from the trusted RFC, the three core RFC connections of SAP Solution Manager are:
● READ RFC
● TMW RFC
● BACK RFC
All three RFC connections are generated automatically in transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration). The system automatically:
1. creates the RFC connection
2. creates the RFC user in the specific system
3. assigns the RFC user to the created RFC
4. copies user roles from predefined SAP roles
5. assigns the according user roles to the RFC user
The following section explains the PFCG templates and the creation of the user roles in more detail. You will find detailed information about the individual RFC connections, assigned user roles (according to PFCG templates), and the users in the Landscape Setup Guide.
RFC connection configuration
Figure 35: Transaction SOLMAN_SETUP: Setting up RFC connections
9.12.4 Authorization Object S_RFC and S_DEV_REMO
Authorization Object S_RFC
A remote function call (RFC) calls a function module in another system. Due to the nature of SAP Solution Manager, the number of RFC calls to and from other systems is high. Therefore, a high number of function modules are affected. In the context of security of RFC calls we have to look at three areas:
● Authentication
Incoming RFC connections must authenticate in the system. For instance, the READ RFC call is an incoming RFC call in the managed system, so a user must exist in the managed system to authenticate it; a user of type system is used. From the SAP Solution Manager system's point of view, the READ RFC connection is an outgoing RFC. Outgoing RFC connections are maintained in transaction SM59 of the calling system, and the user is maintained in the RFC destination itself. During the managed system setup in SAP Solution Manager, most RFC destinations are created automatically, as are the users in the managed system and the assignment of the according authorizations to those users. The destinations are added automatically in transaction SM59. For their evaluation and monitoring, the RFC trace (transaction ST05) and the Security Audit Log can be used.
● System profile parameter
The RFC authorization check can be activated / deactivated with the system profile parameter auth/rfc_authority_check. This parameter must not be set to the value ‘0’. For more information, see SAP Note 931252.
● Authorization objects
The authorization object S_RFC is used to check whether the user under which an RFC call is executed is authorized to execute the called RFC function module. The authorization object is delivered with dedicated values.
Example: The SYST function group is needed to call SM59. If it is missing, the remote logon in transaction SM59 causes the RFC_NO_AUTHORITY ABAP runtime error in the target system.
For changes to the S_RFC values of the technical RFC users of the READ and TMW RFC connections, see SAP Note 1572183.
Since SAP_BASIS 7.02, you can maintain the authorization object not only for function groups but also for individual function modules. Within SAP Solution Manager, you may find the authorization object maintained according to this differentiation.
Checks on authorization object S_RFC can be recorded with the Security Audit Log (transactions SM19 and SM20). To protect the recorded traces against deletion, maintain field ACTVT with value 36 of authorization object S_RFC_ADM.
Caution: Currently, the RFC function modules in function group /SSF/INTRFC have no authorization checks of their own.
Authorization Object S_DEV_REMO
In managed systems as of SAP_BASIS 8.03 and higher, function group RFC1 is additionally protected by authorization object S_DEV_REMO. Therefore, all relevant roles for the setup of managed systems using transaction SOLMAN_SETUP include authorization object S_DEV_REMO.
9.12.5 Authorization Object S_TABU_DIS and S_TABU_CLI
In many scenarios for SAP Solution Manager, the system needs to read table entries. Direct access to tables should be limited wherever possible, because a huge number of changes can be made this way. In some cases, users need to look at data directly. To look at data in a table, users most frequently use these transaction codes: SE16, SE16N, SE17, SM30, SM34, SM31, or "proxy" transactions.
S_TABU_DIS
Authorization object S_TABU_DIS is used to control table access. It determines which tables someone can look at when they use any of the transaction codes above. The authorization object S_TABU_DIS controls complete accesses during standard table maintenance (transaction SM31), advanced table maintenance (transaction SM30) and the Data Browser (transaction SE16).
You can assign a table to a specified group. Group assignments are defined in table TDDAT (transaction SE54). For Solution Manager, we deliver dedicated authorization groups for specific functions, for instance authorization group SDA for Solution Documentation Assistant. All relevant delivered tables for Solution Documentation Assistant are assigned this group.
The following authorization groups are used in SAP Solution Manager:
Table 29: Authorization groups (value of S_TABU_DIS field DICBERCLS) and the tables they cover
CRMC: all CRM-related customizing views, as CRM-based scenarios can refer to the same tables
AISU: all S-user-related tables
BI* (Remodeling, Repartitioning, Warehouse): all BI-related tables
CHRM: tables for Change Request Management other than the CRM-related ones
SDCO: all tables for Incident Management other than the CRM-related ones
LMDB: all LMDB- and SMSY-related tables
SMAN: Implementation- and Upgrade-related tables
SDA: Solution Documentation Assistant-related tables
BPCA: Business Process Change Analyzer-related tables
TSTM: Test Management-related tables
SISE: tables related to Solution Manager basic configuration (transaction SOLMAN_SETUP)
DFWK: Dashboard Framework-related tables
SMAL: Monitoring and Alerting (Technical Monitoring)-related tables
SGEN: ES-Reporting- and SUGEN-related tables
BUFU: Business Functions-related tables
SARC, BCTA: Data Volume Management
BCSV: CRM status profile maintenance
DNO: CRM basis message
SS: RS: SAP Control
Note: Authorization object S_TABU_DIS is delivered with value asterisk (*) in the roles assigned to prominent users in SOLMAN_SETUP, such as SOLMAN_ADMIN and SOLMAN_BTC.
The majority of users in a production environment do not need direct access to tables; they view data through transaction codes. However, a few users might need access. When providing direct access to tables, use transaction SM30. Take extra precautions for the selected users who require access to transaction SE16, because it gives powerful access to a variety of data. You can make SE16 safer by creating a custom transaction code: the user executes SE16 with a view of the table they require, so they do not enter the table name; instead, the custom transaction code takes them into transaction SE16 and directly into that table.
S_TABU_CLI
Authorization object S_TABU_CLI grants authorization to maintain cross-client tables with standard table maintenance (transaction SM31), extended table maintenance (transaction SM30) and the Data Browser. It acts as an additional security measure for cross-client tables and complements the general table maintenance authorization S_TABU_DIS.
9.12.6 Authorization Object S_TABU_NAM
Caution: If your managed systems are on SAP_BASIS 7.03, 7.3 or higher, you need to add this authorization object to your managed system roles for SAP Solution Manager, as the authorization check for this object is included in the standard shipment. For all lower SAP_BASIS releases, the introduction of this object is optional.
Note: See SAP Note 1481950, SAP Note 1500054 and SAP Note 1434284.
As of SAP_BASIS 7.0 release, authorization object S_TABU_NAM for generic table access is delivered as an additional optional authorization concept.
Prerequisites
The existing SAP table authorization concept is mainly based on the group assignment of tables and the authorization object S_TABU_DIS, see section Authorization Object S_TABU_DIS and S_TABU_CLI. But authorization object S_TABU_DIS might not always be sufficient.
Run report SUSR_TABLES_WITH_AUTH (see SAP Note 1500054) to analyze the table authorizations of a user or a single role. With this program, you can selectively determine the authorizations for object S_TABU_DIS or S_TABU_NAM with regard to the tables that can be accessed using them. Transaction SU24_S_TABU_NAM reduces the effort required for maintaining authorization default values during the introduction of an authorization concept with S_TABU_NAM.
Authorization Object S_TABU_NAM
The authorization object contains the fields:
● ACTVT: display and change access, similar to S_TABU_DIS
● TABLE: table name
With this object, the system checks the view names or table names directly so that an exact authorization check is possible. In the function module VIEW_AUTHORITY_CHECK, the system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
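To show how the three table authorization objects of sections 9.12.5 and 9.12.6 combine, the following script is an added example written for this page; it is neither kernel code nor the implementation of VIEW_AUTHORITY_CHECK. It is a simplified model that keeps the order the guide gives: S_TABU_DIS on the table's authorization group from TDDAT first, S_TABU_NAM on the table name only if that fails, and S_TABU_CLI as an additional gate for changes to cross-client tables. The TDDAT excerpt, the users and their authorizations are constructed, and activities are matched exactly (03 display, 02 change) as an assumption of the model.

```python
"""Model of the table access checks S_TABU_DIS, S_TABU_NAM and S_TABU_CLI.
Added example, not SAP code: a simplified simulation of the check order
described in this guide, with constructed tables and users.
"""
from fnmatch import fnmatchcase

NO_GROUP = "&NC&"   # group SAP uses for tables without a TDDAT assignment

# Constructed TDDAT excerpt: table -> (authorization group, cross-client?).
# The table names are hypothetical.
TDDAT = {
    "AGS_SDA_PROJECT": ("SDA", False),
    "SMSY_SYSTEM": ("LMDB", False),
    "SISE_CONFIG": ("SISE", True),
    "ZCUST_NOTES": (None, False),      # no group maintained
}

# Constructed users with their authorizations (object -> list of field dicts).
USERS = {
    "SOLMAN_ADMIN": {
        "S_TABU_DIS": [{"DICBERCLS": "*", "ACTVT": "*"}],
        "S_TABU_CLI": [{"CLIIDMAINT": "X"}],
    },
    "SDA_ANALYST": {
        "S_TABU_DIS": [{"DICBERCLS": "SDA", "ACTVT": "03"}],
        "S_TABU_NAM": [{"TABLE": "SMSY_SYSTEM", "ACTVT": "03"}],
    },
    "SISE_MAINTAINER": {
        "S_TABU_DIS": [{"DICBERCLS": "SISE", "ACTVT": "02"}],
    },
}


def auth_group(table):
    """Authorization group of a table, or &NC& if none is assigned."""
    group, _ = TDDAT.get(table, (None, False))
    return group or NO_GROUP


def is_cross_client(table):
    return TDDAT.get(table, (None, False))[1]


def has_auth(auths, obj, **fields):
    """True if one authorization for obj matches every given field (* wildcards)."""
    for a in auths.get(obj, []):
        if all(fnmatchcase(value, a.get(field, "")) for field, value in fields.items()):
            return True
    return False


def table_access(user, table, actvt):
    """Return (allowed, reason) for activity 03 (display) or 02 (change)."""
    auths = USERS.get(user, {})
    group = auth_group(table)
    if has_auth(auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        reason = "S_TABU_DIS/" + group
    elif has_auth(auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        reason = "S_TABU_NAM/" + table      # checked only after S_TABU_DIS failed
    else:
        return False, "no S_TABU_DIS or S_TABU_NAM authorization"
    # Cross-client tables additionally need S_TABU_CLI for change access.
    if actvt == "02" and is_cross_client(table) and not has_auth(auths, "S_TABU_CLI", CLIIDMAINT="X"):
        return False, "cross-client table, S_TABU_CLI missing"
    return True, reason


if __name__ == "__main__":
    for user, table, actvt in [("SDA_ANALYST", "SMSY_SYSTEM", "03"),
                               ("SISE_MAINTAINER", "SISE_CONFIG", "02")]:
        print(user, table, actvt, table_access(user, table, actvt))
```

The model makes two points visible that a role review easily misses: a table without a TDDAT group is reachable by anyone holding S_TABU_DIS with DICBERCLS = * through the group &NC&, and S_TABU_DIS with ACTVT 02 on a cross-client group is not enough for changes until S_TABU_CLI is also present.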
9.12.7 Authorization Object S_DEVELOP
S_DEVELOP is the general authorization object for ABAP Workbench objects. You use it to grant access authorizations for all ABAP Workbench components, which include the following:
● ABAP development tools
● ABAP Dictionary and Data Modeler
● Screen Painter and Menu Painter
● Function Builder
● Repository Browser and Info System
● SAP SmartForm
From a production perspective, be aware of everyone who has S_DEVELOP authorization object assigned. In general, authorization object S_DEVELOP with more than display access (ACTVT 03) is not required by anyone in production.
Note: During the SAP Solution Manager basic setup, this authorization object is assigned to user SOLMAN_ADMIN in role SAP_SM_BASIC_SETTINGS for working with transaction SNOTE. After implementing all required SAP Notes, you can set the according authorization object to inactive. Documentation is given in the guided procedure for the automated setup.
9.13 How to Build Your Own Authorization Concept
Since there is no general authorization configuration that fits all possible use scenarios, we recommend that you design an authorization concept tailored to your specific use scenario.
How you maintain authorization objects and bundle them depends on your company's security concept; you customize and maintain your roles according to that concept. Each company has different priorities, departments, and so on. As each business requires a different authorization concept, the roles delivered by SAP are templates only. Before you grant authorizations to your end users, you must have a clear concept of who is to receive which authorizations, because you need to adjust your authorizations over time due to company changes or extended use of SAP Solution Manager functions. Here is what you should consider when designing your authorization concept.
Note: All authorization mechanisms must be configured, and configured consistently, to provide appropriate security.
Procedure
1. Identify which functions/capabilities of Solution Manager scenarios you use.
2. Create a menu matrix according to these functions/capabilities.
3. Identify your roles.
4. Populate your menu matrix.
5. Create your roles from SAP template roles. Use a unique naming convention.
6. Maintain your roles.
7. Test your roles.
10 Using Central User Administration
10.1 Introduction
You can use Central User Administration (CUA) with SAP Solution Manager to manage all users and roles in one central system. CUA enables central administration of the user data for all back-end systems, such as a Solution Manager system or a managed PI system. That means you administer the users of all systems in the CUA and their authorizations in the central system. With an active CUA, you can create and delete users only in the central system, not in the connected child systems. You can lock and unlock users, assign roles to users, and so on, from the central system, in accordance with the settings that you have chosen in transaction SCUM for the distribution of the data.
This documentation on the integration of CUA in the automated basic configuration for SAP Solution Manager does not replace the CUA configuration guide. It supplements it for the use of CUA in combination with SAP Solution Manager configuration. During the automated basic setup (transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center), numerous technical users and dialog users are created automatically. In former releases you had to create these users manually on SAP Solution Manager and its managed systems as soon as the affected system was connected to a CUA.
As of SAP Solution Manager 7.1 SP01 the automated basic setup is able to communicate with the CUA central system, so that no more manual effort is necessary.
Possible CUA scenarios
Central User Administration can be activated on every SAP NetWeaver system (as a CUA client or central system). Since every SAP NetWeaver system in your landscape can be candidate for CUA central system, the following three scenarios exist in the SAP Solution Manager environment:
1. Standalone CUA central system
2. SAP Solution Manager as CUA central system
3. Managed System as CUA central system
Figure 36: Possible CUA scenarios in your landscape
Recommendation: We recommend configuring the CUA on a high-availability solution. If you want to install the CUA central system on SAP Solution Manager, consider the required maintenance windows of that system.
Steps for configuration of CUA:
If CUA is already in place in your system landscape, you can skip the following two steps:
1. Decide which system in your landscape should become the CUA central system.
2. Configure your CUA as described in the SAP help documentation.
To link SAP Solution Manager to CUA, the following configuration steps have to be considered:
1. Configure the user CUA_<SID> (example: CUA_ADM) on the CUA central system, see section Prerequisites.
2. Verify which RFC scenario you are using for your CUA configuration, see section Configuration Scenarios.
Note: If this check shows that you are using trusted RFC destinations, you still need to create a system user on the CUA client system.
3. Finally, we recommend running report PFCG_TIME_DEPENDENCY, see section Prerequisites.
Example
The subsequent sections explain the configuration based on the following example scenario:
● System SM7 (SAP Solution Manager with Solution Manager client and local BI client)
● System SAT (managed system with one productive client, which is connected to SAP Solution Manager)
● CUA system ADM (Central User Administration central system)
Figure 37: Example
10.2 Prerequisites
CUA should be configured as described in the SAP help documentation, see section Additional Links.
SLD Configuration
Ensure that software component LMTOOLS 702 SP6 Patch Level 6 is applied on your SAP Solution Manager Java stack. This ensures that the local SLD configuration can be performed when SAP Solution Manager is connected to CUA.
Note: If the SLD is in a CUA environment, you have to manually add the parameter &CUA=true at the end of the URL called by SLD Local Configuration and Central SLD Configuration in transaction SOLMAN_SETUP in System Preparation for SLD.
You need to apply SAP Note 1572856 and SAP Note 1577918 in your SAP Solution Manager system in advance.
RFC Destinations, Users and Authorizations
As a prerequisite, you define the logical systems for all affected systems. The RFC destinations have the same names as the logical systems, and must exist in each direction:
● from the CUA central system to the CUA client system (for example: SM7CLNT300, SM7CLNT100, SATCLNT100)
● from the CUA client system to the CUA central system (for example: ADMCLNT200)
In the CUA central system the user CUA_<SID> (for example: CUA_ADM) is assigned the following ABAP single roles:
Roles for user CUA_<SID>
Table 30: ABAP single roles of user CUA_<SID> in the CUA central system
SAP_BC_USR_CUA_CENTRAL: authorization for the CUA central system user to maintain user master data and distribute changes to the CUA client systems.
SAP_BC_USR_CUA_CENTRAL_BDIST: all users in the central system require this role if CUA field attributes are set to redistribution.
SAP_BC_USR_CUA_CLIENT: contains authorizations for user administration in the child systems. The CUA central system user requires this role to call the CUA central system and initiate the user creation in transaction SOLMAN_SETUP. For more information, see the notes below.
This user is assigned in all RFC destinations in direction of the CUA central system (for example: ADMCLNT200).
Note: Role SAP_BC_USR_CUA_CLIENT contains extensive authorizations for user administration in the child systems. If you do not allow this ABAP role on the CUA central system, use the following alternative: copy ABAP role SAP_BC_USR_CUA_CENTRAL_EXTERN into your namespace according to SAP Note 492589, section 2, and maintain the following minimum authorizations:
Minimum Authorizations
Table 31: Minimum authorizations for the copied role
S_USER_GRP: ACTVT = 01, 03; CLASS = * (full authorization)
S_USER_AGR: ACTVT = 02 or 22; ACT_GROUP = * (full authorization). If you set the customizing switch ASSIGN_ROLE_AUTH to the value ASSIGN in your CUA central system according to SAP Note 312682, use ACTVT 22, otherwise 02.
S_USER_PRO: ACTVT = 22; PROFILE = * (full authorization)
S_USER_SYS: ACTVT = 78; SUBSYSTEM = *
Note: If you activated the authorization check on object S_USER_SAS according to SAP Note 536101 (customizing switch CHECK_S_USER_SAS), assign the following authorization to the ABAP role: S_USER_SAS with ACTVT 01, 06, 22. In field SUBSYSTEM, enter the logical systems that you want to connect to your SAP Solution Manager. Note that you may need to change this authorization later, as soon as you connect a new system.
User Master Data Reconciliation
If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. We recommend that you schedule the background job PFCG_TIME_DEPENDENCY in such cases.
Caution: Do not enter generated profiles directly into the user master record in transaction SU01. During a user comparison, the system removes generated profiles from the user master if they do not belong to the roles assigned to the user.
Proceed as follows:
1. Start transaction PFUD.
For the system to consider all roles, do not specify any roles and leave the fields empty.
2. Choose action Schedule or check job for the full comparison.
Here, you can start the report PFCG_TIME_DEPENDENCY by specifying the time when the job is to start. The overview displays the status of background jobs that have already been scheduled.
If you schedule the report PFCG_TIME_DEPENDENCY daily before the start of business as a total comparison and it runs error-free, the authorization profiles in the user master are up-to-date every morning.
10.3 Configuration Scenarios
You can configure the CUA with two options:
● RFC destination with defined system user
● Trusted RFC destination
RFC destination with defined system user
This CUA variant requires RFC destinations to the CUA client systems with defined system users named CUA_<SID>_<Client>. The user requires the role SAP_BC_USR_CUA_CLIENT. This role contains extended authorizations for user administration in the child systems. This division is only useful for background processing.
The following graphic shows the example scenario with the corresponding users and RFC destinations with the default naming convention:
Figure 38: Example
Trusted RFC destination
A CUA configuration using trusted RFC destinations to the CUA client systems needs a user in each CUA client with role SAP_BC_USR_CUA_CLIENT and the additional authorization object S_RFCACL (for the trusting permission). According to the SAP Solution Manager configuration, the user administrator is the CUA central system user CUA_<SID> (for example: CUA_ADM).
To complete the CUA configuration for the SAP Solution Manager integration, this user must exist on the CUA client systems with the role SAP_BC_USR_CUA_CLIENT.
Note: For trusted systems, the authorization object S_RFCACL is checked and therefore required in the child systems. This ensures that only particular applications (such as transaction SU01) can access the child system by RFC.
You cannot use trusted systems with the current user settings for data distribution from the child to the central system (redistribution with distribution parameters) as the users could change their own user data with transaction SU3 and distribute it to the central system by redistribution. This means that all users would require change authorization for the user administration in the central system and could also change all other user data.
The following graphic shows an example scenario with the corresponding users and RFC destinations with the default naming convention:
Figure 39: Example
10.4 Configuration Integration in Transaction SOLMAN_SETUP
Whenever a user (in our example: on the Managed System) is created or changed by the automated basic setup from SAP Solution Manager the user master data is changed as follows:
1. On SAP Solution Manager an administrative user (for example: user SOLMAN_ADMIN) creates or changes a user. For this the corresponding administrative user on the target system (for example: user SOLMAN_ADMIN) is called.
Figure 40: Example
2. The administrative user on the target system (for example: user SOLMAN_ADMIN) automatically calls the RFC destination to the CUA central system (for example: ADMCLNT200) with the CUA central system user CUA_<SID> (for example: CUA_ADM).
3. The CUA central system user CUA_<SID> (for example: CUA_ADM) now changes the user master records on the central system.
4. Finally, the CUA central system user CUA_<SID> (for example: CUA_ADM) distributes the changes to the CUA client system using the RFC destination <SID>_CLNT_<Client>.
The user master data changes on the client system are executed by either the user defined in the RFC destination (for example: CUA_SAT_100), or the CUA central system user (for example: CUA_ADM).
Figure 41: Example
11 Additional Security Issues
This section covers a range of additional security-related issues.
SAPUI5 Security
SAPUI5 offers an enhanced user experience. Standard SAPUI5 applications use OData/Gateway services for data provision.
Profile Parameter rfc/reject_callback
Within a synchronous ABAP-to-ABAP RFC connection, the preconfigured internal RFC destination BACK can be used to call back into the caller's system and execute an arbitrary RFC-enabled function module. The callback is executed in the caller's context: the RFC authority check of the caller is performed, and if the caller's S_RFC authorization permits the function module, it is executed. The callback uses the already existing RFC connection. Deactivating RFC callbacks prevents communication over the internal RFC connection BACK.
The callback function poses a security risk, for instance if the managed systems are owned by customers in a Service Provider scenario.
For more information, see SAP Notes 1992755 and 1515925.
Using Web Browsers as Clients
ActiveX
The execution of active code in web browsers (for example: ActiveX, Java, JavaScript, VB Script) can pose a security problem. Active code is therefore used on pages only where it is absolutely necessary. You can disable ActiveX without impacting the functionality of the corresponding applications.
Using Firefox Browser
If you use the Firefox browser, make sure that the following security settings apply in the browser. If they do not, you might encounter issues with JNET graphs, for instance in Change Request Management:
● Enable Java Plugin (by default it is disabled)
● Open the Java Control Panel, switch to the Security tab, and set the security level to Medium.
● Allow cookies
Securing Third-Party Applications
Where the use or configuration of third-party products is necessary, refer to the product's documentation for the appropriate instructions.
Displaying Internal System Information
Internal system information can be available to SAP Solution Manager users in many work centers concerning system landscape, administration, or monitoring, as well as in Service Desk messages, and so on. Exposing the IP addresses and host names that are necessary for SAP GUI logon can be avoided if only HTTP access via a reverse proxy or SAP Web Dispatcher is used.
Error messages can also contain specific data such as the user name, S-user, installation number, or missing authorizations. This information is typical for an administration tool such as SAP Solution Manager.
Session Keeping for Work Centers
Work Center Framework Time Out
Session keeping is active for all work centers by default. It can be deactivated by setting a specific parameter. For more information, see the Implementation Reference Guide (IMG) for SAP Solution Manager under SAP Solution Manager, Technical Settings, Work Center.
Figure 42: IMG: Work Center Time Out Activation
Individual Application Time Out
Some applications offer an auto-refresh option.
The following list shows the applications that do not time out because they implement an auto-refresh. If the auto-refresh is set to the value Never, these applications time out. If a value such as 5 minutes, 10 minutes, and so on, is set, the applications do not time out.
Work center Technical Monitoring
● Alert Inbox
Figure 43: Auto-Refresh Configuration
● System Monitoring
● Connection Monitoring
● PI Monitoring (Overview and Message Monitor)
Figure 44: Auto Refresh Configuration
● BI Monitoring
● End-User Enterprise Monitoring
Work center Technical Administration
● IT Calendar
Figure 45: Auto Refresh Configuration
● Work Mode Management
● MDM Administration
12 Data Storage
All data is stored in the database.
More Information
Data storage in the database is described in general in the SAP NetWeaver Installation Guides.
13 Landscape Setup, Configuration, and Root Cause Analysis Guide
13.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 32: Support Package Stack (Version) | Description
SP05 General
● During Basic Settings configuration and Managed System Setup, you have the option to create Configuration Users for the scenario-relevant guided procedures in transaction SOLMAN_SETUP, for instance Incident Management, Change Request Management, Business Process Operations, Business Process Change Analyzer, Data Volume Management, and Technical Monitoring. For more information, see the scenario-specific guides in section Prerequisites -> Scenario Configuration.
● Support for NGAP-based systems, see section on NGAP-based systems
● Access authorization for transaction SOLMAN_SETUP extended to optional display activity for authorization object SM_SETUP.
Infrastructure Roles
● All roles for infrastructure are required for users created during system setup and scenario setup in transaction SOLMAN_SETUP. They are therefore delivered with complete authorizations, see description tab in the specific roles.
● extended role SAP_SOL_PROJ_ADMIN_ALL, see description tab in the role
● extended role SAP_SYSTEM_REPOSITORY_*, see description tab in the role
SM_BW_ADMIN User
Changes are documented on the DESCRIPTION tab in the role
● roles SAP_SM_BW_ADMIN and SAP_BI_E2E extended
● new role SAP_SM_BW_USER_ADMIN for user administration in BW
SAPSUPPORT User
Changes are documented on the DESCRIPTION tab in the role
● extended role SAP_DBA_DIS
● extended role SAP_RCA_DISP
● added role SAP_CV_DIS for Configuration Validation
● new role for Exception Management SAP_EM_DISPLAY
SM_EFWK User
New user for executing report E2E_EFWK_RESOURCE_MGR, see section on SM_EFWK User. Consequently, user roles for users SMD_RFC and SMD_BI_RFC changed as well, depending on which BW scenario is in place; see Core Guide on the concept of BW integration.
SOLMAN_ADMIN User
Changes are documented on the DESCRIPTION tab in the role
● extended role SAP_SM_BASIC_SETTINGS
● extended role SAP_SM_USER_ADMIN
SOLMAN_BTC User
Changes are documented on the DESCRIPTION tab in the role
● extended role SAP_SM_BATCH
SMDAGENT_<SID> User
Changes are documented on the DESCRIPTION tab in the role
● extended role SAP_IS MONITOR
SP06 SOLMAN_ADMIN User
Role SAP_SM_CONF_SEC with specific authorization object S_DEVELOP deleted from role assignment. The authorization object is included in role SAP_SM_BASIC_SETTINGS (see description tab of the role).
SM_BW_<SID> User
New user for collecting extractor data for ESR and MAI in a remote BW system, see section on Technical User SM_BW_<SID>. See also Core Guide on the concept of BW integration.
SP07 SM_EFWK User
● Role SAP_SM_DVM_EXTRACTOR added
SM_BW_<SID> User
● Role SAP_SM_BW_ESR_EXTRACTOR added
Role Adaptions
For detailed information, see the description tab of the specified role
● SAP_SM_EXTERN_WS
● SAP_RCA_AGT_ADM_VIA_SLD to perform protected “Agent Candidate Management” operations
SP08 New SAPSERVICE User
A new user SAPSERVICE is introduced for SAP Service Delivery. See section on SAPSERVICE User.
Roles Update for Set Users
As these roles are adapted, you need to update the corresponding users in transaction SOLMAN_SETUP. Check the Update Flag in the step for the user. For more information on which authorization objects and authorization fields have been adapted, see the Description tab in the specified roles. (See also SAP Note 1560717.)
● SAP_SM_BATCH (User SOLMAN_BTC)
● SAP_SM_BASIC_SETTINGS (User SOLMAN_ADMIN)
● SAP_SM_EXTERN_WS (User SM_EXTERN_WS)
● SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)
● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN depending on BW landscape)
● SAP_SM_BI_ESR_EXTRACTOR (User SM_BW_<SID>)
● SAP_SM_BW_USER_ADMIN (user SM_BW_ADMIN) in case of a remote BW
● READ RFC and READ-RFC User
● See SAP Note 1572183
SP10 User Creation Steps in SOLMAN_SETUP
● Steps for user creation are optional for Template users and configuration users, but not for default users. For more information, see section on Solution Manager Configuration Work Center.
Roles Update
As these roles are adapted, you need to update the corresponding users in transaction SOLMAN_SETUP. Check the Update Flag in the step for the user. For more information on which authorization objects and authorization fields have been adapted, see the Description tab in the specified roles. (See also SAP Note 1560717.)
● extended SAP_SM_BI_EXTRACTOR
● adapted navigation role SAP_SMWORK_DIAG due to User Interface changes
● adapted role SAP_BI_E2E
● adapted role SAP_BI_CALLBACK
New Mass User Creation for SAP Solution Manager Users
You can create all users for SAP Solution Manager using the tool Solution Manager User Administration. See section on Solution Manager User Administration (SMUA) in chapter for User Authentication and Administration.
New Concept for READ RFC User and TMW RFC User
● The PFCG template concept has been removed in favor of a role concept for READ User and TMW User.
New authorization roles are introduced:
○ SAP_SOLMAN_READ*
○ SAP_SOLMAN_TMW
○ SAP_SOLMAN_BACK
● New roles are shipped in Software Component ST. They can be distributed into the managed system clients (see transaction SOLMAN_SETUP).
● Authorizations for authorization object S_RFC in the READ user roles have been redesigned.
Configuration Service Delivery Enablement
● Due to Service Delivery Enablement, a READ RFC into the 000 client of the managed system is required. If Service Delivery Enablement is chosen in transaction SOLMAN_SETUP, the RFC user in the 000 client of the managed system receives the additional role SAP_SM_BATCH_SD to allow scheduling of background job SAP_COLLECTOR_FOR_PERFMONITOR. For more information, see section on Technical Users READ and TMW.
SOLMAN_BTC User
● Adapted role SAP_SM_BATCH
SOLMAN_ADMIN User
● Added role SAP_SM_DASHBOARDS_DISP_LMDB to display the LMDB Dashboard.
● Adapted role SAP_SM_BASIC_SETTINGS
● Adapted role SAP_SM_USER_ADMIN
● Adapted role SAP_SMWORK_CONFIG due to User Interface changes
● Adapted role SAP_SMWORK_BASIC_CONFIG
● Added role SAP_RCA_ADMIN_CONFIG to allow the configuration of SAP Solution Manager as a managed system
● Removed authorizations for BW-content activation due to new user SM_BW_ACT for BW-content activation
● Removed role SAP_SM_CONF_SEC as the corresponding authorizations are included in role SAP_SM_BASIC_SETTINGS
SM_EXTERN_WS User
● SAP_SM_EXTERN_WS (User SM_EXTERN_WS)
SMD_BI_RFC User
● SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)
● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN depending on BW landscape)
SM_EFWK User
● extended SAP_BI_E2E (Users SMD_BI_RFC or SM_EFWK, depending on BW landscape)
● extended SAP_SM_BI_ESR_EXTRACTOR
● adapted SAP_SM_TWB_EXTRACTOR
● Added new roles SAP_SM_BATCH_RELE and SAP_SM_MAI_EXTRACTOR
● Added new role SAP_SMPI_AUTH_EXTRACTOR containing /SDF/* authorizations delivered with Software Component ST-PI, see also SAP Note 1899598
SM_BW_ADMIN User
● SAP_SM_BI_ADMIN (Users SMD_BI_RFC, SM_EFWK, or SM_BW_ADMIN depending on BW landscape)
SM_ADMIN_<SolManID> User
● Extended section in regard to which users are created by user SM_ADMIN_<SolManID>, depending on whether the managed system is of type double stack, ABAP single stack, or Java single stack
● Adapted role SAP_RCA_CONF_ADMIN
SMD_ADMIN User (rename: SMD_AGT)
● Renamed user SMD_ADMIN to SMD_AGT
● Substituted Java security role SAP_J2EE_ADMIN with SAP_RCA_AGT_CONN
SAPSUPPORT User
● Adapted role SAP_DBA_DISP
● Adapted role SAP_RCA_DISP
● Adapted role SAP_EM_DISPLAY
New User for BW-activation: SM_BW_ACT
For more information, see section on User SM_BW_ACT
SM_COLL_<SolManID> User
For detailed information, see the according section for this user.
● UME security role SAP_BPM_Solution Manager is required for new BPM extractors.
● New J2EE user roles for function Integration Visibility.
SMD_RFC User
● Adapted role SAP_SOLMANDIAG_E2E
SM_ADMIN_<SolManSID> User for Java Administration
● Added additional section for the required Administration User in a Java stack for a managed system.
New Mass Update Configuration for Managed Systems
You can update the configuration for your managed systems using the function Mass Update in the managed system setup procedure. See section on Mass Update Configuration in chapter SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP.
SP11 SMDAGENT_<SID> User
Changes are documented on the DESCRIPTION tab in the role
● extended role SAP_IS MONITOR
SM_EFWK User
Changes are documented on the DESCRIPTION tab in the role
● enhanced role SAP_SM_MAI_EXTRACTOR
SOLMAN_ADMIN User
Changes are documented on the DESCRIPTION tab in the role
● enhanced role SAP_SM_BASIC_SETTINGS
SP12 SM_EFWK User
Changes are documented on the DESCRIPTION tab in the role
● enhanced role SAP_SM_ICI_EXTRACTOR
SOLMAN_BTC User
Changes are documented on the DESCRIPTION tab in the role
● Adapted role SAP_SM_BATCH
SOLMAN_ADMIN User
Changes are documented on the DESCRIPTION tab in the role
● Adapted role SAP_SM_BASIC_SETTINGS
● Assigned role SAP_SM_S_RFCACL for use of trusted RFC
● Assigned role for Roles Comparison Tool, see according subsection
New SM_AMSC User
● For the new automatic managed system update, the user SM_AMSC is created automatically. See section on this user.
SP13 SOLMAN_ADMIN User
Changes are documented on the DESCRIPTION tab in the role
● Adapted role SAP_SM_BASIC_SETTINGS
SOLMAN_BTC User
Changes are documented on the DESCRIPTION tab in the role
● Adapted role SAP_SM_BATCH
SAPSERVICE User
Changes are documented on the DESCRIPTION tab in the role
● Added new role SAP_SM_ST14
● To allow for the integration of ITPPM projects:
○ SAP_SM_DASHBOARDS_DISP_VBD
○ SAP_BPR_PPM
○ SAP_CPR_PROJECT_ADMINISTRATOR
○ SAP_CPR_USER
○ SAP_XRPM_ADMINISTRATOR
13.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. You first need to set up SAP Solution Manager and make your system landscape known to it. This is done during SAP Solution Manager setup. Subsequently, you set up the specific scenarios you want to use. For more information, see the scenario-specific security guides, which cover all relevant information per scenario.
Caution: Before you start using this system landscape setup guide, you must read the core information about security issues in SAP Solution Manager. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
Setting up the system landscape includes configuring the basic SAP Solution Manager scenarios, that is, enabling Solution Manager to run Maintenance Optimizer, Root Cause Analysis, Services, and simple Incident Management. This requires the setup of Solution Manager itself, the connection to its managed systems, the integration of BW functionality, and basic CRM functionality. It requires the setup of dedicated users for the setup and the assignment of specific authorizations in roles. To be able to run the setup, you must know how the setup of all these components is realized in your landscape. That is, you should know how you set up the SLD (remote or local), how you set up BW (standard or remote), and so on.
Therefore, this guide covers the following topics:
Technical System Landscape
Due to the complexity of the setup of SAP Solution Manager, we give you an overview of the specific aspects of the technical system landscape for SAP Solution Manager that are relevant for security, such as the setup of managed systems and their RFC connections, the integration of BW depending on your system landscape, and the technical overview of the new system landscape repository and its integration with the SLD and transaction SMSY. Knowing these different aspects helps you set up SAP Solution Manager successfully.
Communication Channels and Destinations
Here, you find an overview of all channels and destinations created during the automated basic setup. Note that in the process of setting up individual scenarios, you may need to create other RFC connections or communication channels. Each scenario-specific guide contains all RFCs needed for that scenario. For instance, even though you can set up all RFC connections to the managed system during the basic setup, you might not need all of them when you run just one scenario.
Users and Authorizations
Users and authorizations are divided into a number of sections, which are grouped into the following categories:
● Users Created During Installation
● SAP Solution Manager specific
● Managed system specific
● BW specific
● LMDB and SLD specific
● S-users
In each category, you find one section specifically for one user. The users can be of type dialog, like user SOLMAN_ADMIN, or of type system (technical user), such as SOLMAN_BTC. The role assignment for all of these users is documented in the system in the guided procedure in transaction SOLMAN_SETUP. There, you find the corresponding Help ID texts, which you can call separately in the system and also adapt to your own needs.
A number of users that are relevant in any other system as well, like user DDIC or the J2EE Administration users, are not explicitly explained in this guide. For more information, refer to the security-relevant sections of the SAP NetWeaver guides. Where necessary, these users are mentioned in relation to the setup of SAP Solution Manager.
Users and authorizations for systems other than Solution Manager or managed systems, like Wily Introscope, are mentioned but not explained in detail. For more information, refer to the corresponding guides.
13.3 Technical System Landscape
The following sections give you an overview of the technical system landscape after the system landscape setup and for Root Cause Analysis, focusing on various aspects:
● connection between SAP Solution Manager and its managed systems after the setup
● BW-related infrastructure according to all possible options after the setup
● LMDB/SLD infrastructure after the setup
SAP Solution Manager and Managed Systems
The following graphic displays the technical setup after you have executed the basic configuration of SAP Solution Manager and attached the managed systems to it. The attachment of managed systems includes the RFC generation as well as the integration for Root Cause Analysis.
Figure 46: Technical Infrastructure after the automated basic settings configuration (transaction SOLMAN_SETUP)
The overall system landscape includes your SAP Solution Manager double stack system, your managed systems, and SAP. SAP Solution Manager has several connections to SAP, and to your managed systems. When setting up your system landscape, you set up all relevant connections for your scenario. All required connections need technical users, which require specific authorizations.
To run Root Cause Analysis, you need to implement additional components in SAP Solution Manager (for instance Introscope Enterprise Manager) as well as in the managed systems (for instance Diagnostics Agent).
BW System/Client
The following graphic displays the integration of SAP Solution Manager with BW after the setup of SAP Solution Manager is done. During the setup, you have to choose whether you run the standard scenario for BW, or the remote scenario. Options 2 and 3 display the remote scenario setup.
Figure 47: BI-setup after the automated basic settings configuration (transaction SOLMAN_SETUP)
As outlined in the core Security Guide, we differentiate between three possible options to use BW with SAP Solution Manager. According to which option you choose, the BW setup differs in which connections and technical users are required.
● Option 1: Standard Scenario
● Option 2: Remote BW, where the BW system is SAP Solution Manager, but not its productive client
● Option 3: Remote BW, where the BW system is a dedicated BW system
You find more information on which connections are used and which technical users are required for the BW setup in the individual scenario-specific guides.
System Landscape Repository
The following graphic gives you an overview of the technical landscape setup focusing on the new system repository, the Landscape Management Data Base (LMDB). The LMDB is tightly integrated with the System Landscape Directory (SLD) and the transaction SMSY. As of Release 7.1, all three components are tightly integrated. You find more information about this integration in the Online Documentation for LMDB.
Figure 48: SLD/LMDB landscape configuration after the automated basic settings configuration (transaction SOLMAN_SETUP)
Root Cause Analysis
The following graphic gives you an overview of the technical landscape setup focusing on the scenario Root Cause Analysis.
Figure 49: RCA system landscape
13.4 Communication Channels and Destinations
The tables below show the communication channels and destinations created during system landscape setup (transaction SOLMAN_SETUP).
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 33
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to remote BW system | RFC | Reading information from remote BW system
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Third Party | SOAP over HTTP(S) | Third Party Data
Communication RFC Destinations
SAP Solution Manager to OSS
For your RFC connections to SAP, the system enters an S-user into each RFC destination. This S-user information must be provided before the system creates the RFC connection. You are therefore asked to enter the S-user for your RFC communication, and in addition the S-user for the SAP backend to be used (for instance, to be entered in table AISUSER). For more information on S-users, their passwords, and authorizations, see the corresponding sections in this guide.
The system then creates the according RFC connections as copies from SAPOSS RFC.
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned are created automatically via transaction SOLMAN_SETUP (view: Managed Systems). Unless specified otherwise, passwords are customer-specific.
Table 34
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system>
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific
SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system>
RFC Connection from Managed System to SAP Solution Manager
Table 35
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID>
Internet Graphics Server (IGS) RFC Connection
Table 36
RFC Destination Name | Activation Type
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>)
RFC Connection for BW integration
Table 37
RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark
SAP_BILO | Remote BW system (source: SAP Solution Manager) | RFC trusted | Dialog user | Used to read data from the remote BW for BI reporting; created during SOLMAN_SETUP
BI_CLNT<BWclient> | Remote BW system (source: SAP Solution Manager) | RFC trusted | Dialog user | NONE, if BW reporting is realized in a BW standard scenario; for content activation
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient> | Solution Manager productive client | - | Dialog user | BI callback RFC for reorganization of data and configuration validation
BI_CALLBACK (customer-specific) | Solution Manager productive client | - | - | Created in transaction SOLMAN_SETUP
SLD-LMDB Destinations
Table 38
RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark
SLD_UC (Unicode), analogous to SLD_NUC (Non-Unicode) | System Landscape Directory (SLD) | RFC destination (type T; Registered Server program: SLD_UC), Java Connector (JCo) | Gateway | Used by the SLD data supplier (ABAP) configured in transaction RZ70 of the managed system
Connection for SLD data supplier (Java stack) | System Landscape Directory (SLD) (source: managed system Java stack) | Java HTTP(s) port (for instance 5xx00) or web dispatcher | SLDDSUSER | Used by the SLD data supplier (Java) configured in the Visual Administrator or NetWeaver Administrator of the managed system
LMDB_SyncDest<n> | System Landscape Directory (SLD) (source: SAP Solution Manager) | RFC destination (type G; Java HTTP[s] port, e.g. 5xx00, or web dispatcher) | User with read permission (for instance: SLD_CS_USER) | Used for content synchronization; created in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center
Connections Relevant for Root Cause Analysis (also relevant for SLD-LMDB data flow)
Table 39
RFC Destination Name | Target Host Name | Connection Type | Authentication | Remark
WEBADMIN | SAP Solution Manager (ABAP stack) (source: SAP Solution Manager (Java stack)) | Java Connector (JCo) | SMD_(BI)_RFC | WEBADMIN is an internal connection in SAP Solution Manager used for the communication between ABAP and Java.
WEBADMIN | SAP Solution Manager (Java stack) (source: SAP Solution Manager (ABAP stack)) | RFC destination (type T; Registered Server program: WEBADMIN) | Gateway | -
Connection for Diagnostics Agent to SAP Solution Manager | SAP Solution Manager (source: Diagnostics Agent on the managed system) | P4 port / Message Server port | SMD_AGT / password authentication | Used for outside discovery; created in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center
13.5 Required TCP/IP Ports
The following ports have to be opened in your firewall prior to installation. The connections listed in the section Ports for Communication to SAP Solution Manager below allow, for example, Root Cause Analysis users to connect to the Java managed system to access the so-called Expert Tools (System Information page, and so on). This access is normally performed using the credentials of the SAPSUPPORT read-only user. Generally speaking, the tables below also show that the non-RFC connections (HTTP, P4, and other TCP/IP) are established by the Diagnostics Agent running on the (productive) managed system host, which connects either locally to the managed system itself, or to the Solution Manager system and the Introscope Enterprise Manager server. Note that this chapter does not address the classical RFC connectivity, which is set up between the Solution Manager system and the ABAP managed systems.
Note: Only if you have a business requirement to register the Diagnostics Agents in a central SLD, pay attention to the following. For further details, see SAP Note 1365123.
Ports for Communication to SAP Solution Manager
Table 40
From Host/Source Host | To Host/Destination Host | Service on Destination Host (Protocol) | Format (example)
SAP Support | All Solution Manager Instances | J2EE engine (HTTP) | 5<instance no.>00 (50100)
SAP Support | All Solution Manager Instances | ITS (HTTP) | 80<instance no.> (8000)
SAP Support | All Solution Manager Instances | Introscope Manager (HTTP) | Default: 8081
Diagnostics Server | All Solution Manager Instances | IGS (HTTP) | 4<instance no.>80 (40180)
Diagnostics Agent (managed system host) | All Solution Manager Instances | J2EE engine (P4) | 5<instance no.>04 (50104)
Diagnostics Agent (managed system host) | Solution Manager Java Message Server | Message Server (HTTP) | 81<instance no.> (8101)
Diagnostics Agent (managed system host) | Relevant Introscope Enterprise Manager Host | Introscope Enterprise Manager (TCP/IP) | Default: 6001
Consider the following lines when operating an SAP Solution Manager system 7.1 SP03 or higher that is set up with a Web Dispatcher, especially when you have multiple dual-stack instances.
Table 41
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
All Solution Manager instances | Web Dispatcher | Web Service (HTTP) | (80)
Diagnostics Agent (managed system host) | Web Dispatcher | Web Service (HTTP) | (80)
Web Dispatcher (forwarded HTTP requests) | All Solution Manager instances | Web Service via ICM (HTTP) | 80<instance no.> (8000)
Consider the following line when operating a Solution Manager system 7.1 SP03 or higher that has one single dual-stack instance and is set up without a Web Dispatcher.
Table 42
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Diagnostics Agent (managed system host) | Solution Manager single instance | Web Service via ICM (HTTP) | 80<instance no.> (8000)
Consider the following line when operating a Solution Manager system prior to 7.1 SP03.
Table 43
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Diagnostics Agent (managed system host) | All Solution Manager instances | Web Service via ABAP Message Server (HTTP) | 81<instance no.> (8100)
Additional communications performed LOCALLY on Solution Manager host (requiring in general no special security settings)
Consider also the following line when operating an SAP Solution Manager system 7.1 SP03 or higher that has one single dual-stack instance and is set up without a Web Dispatcher.
Table 44
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Solution Manager single instance (ABAP stack) | Solution Manager single instance (Java stack and ABAP stack) | Web Service via ICM (HTTP) | 80<instance no.> (8000)
Consider also the following lines when operating an SAP Solution Manager system prior to 7.1 SP03.
Table 45
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Solution Manager instance(s) (ABAP stack(s)) | All Solution Manager instances (Java stack and ABAP stack) | Web Service via Message Server (HTTP) | 81<instance no.> (8100)
Ports for Communication with Managed Systems
Table 46
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
SAP Support | All managed systems | J2EE engine (HTTP) | 5<instance no.>00 (50200)
SAP Support | All managed systems | ITS (HTTP) | 80<instance no.> (8000)
Additional communications are performed LOCALLY on managed system hosts (requiring in general no special security settings)
Table 47
From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Diagnostics Agent (managed system host) | Associated managed systems | J2EE engine (P4) | 5<instance no.>04 (50204)
Diagnostics Agent (managed system host) | Associated managed systems | Java Message Server (internal port) | 36<instance no.> (3601) or 39<instance no.> (3901)
Diagnostics Agent (managed system host) | Associated SAP Host Agent (applies when using SAP Solution Manager 7.0 EhP1 SP20 and higher, and Diagnostics Agents 7.11 and higher) | SAP Host Agent Web Service (HTTP) | 1128 (standard)
More Information
For the current list of ports used by SAP, see the SAP Service Marketplace: service.sap.com/security, Infrastructure Security, TCP/IP Ports Used by SAP Applications.
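As an added example (not part of the SAP guide), the following Python script derives the ports of Table 40 from the SAP instance number and compares them with an existing firewall allow-list, reporting rules that are missing and rules that expose a port the table does not require; all host names and the allow-list in demo() are constructed.

```python
"""Derive the TCP ports of Table 40 from an SAP instance number and audit a
firewall allow-list against them. Added example, not part of the SAP guide;
host names and the allow-list in demo() are constructed."""
from itertools import product

# Port formats from Table 40; {nn} is the two-digit SAP instance number.
PORT_FORMATS = {
    "J2EE engine (HTTP)": "5{nn}00",
    "ITS (HTTP)": "80{nn}",
    "IGS (HTTP)": "4{nn}80",
    "J2EE engine (P4)": "5{nn}04",
    "Message Server (HTTP)": "81{nn}",
}
# Services whose default port does not depend on the instance number.
FIXED_PORTS = {
    "Introscope Manager (HTTP)": 8081,
    "Introscope Enterprise Manager (TCP/IP)": 6001,
}
# (source group, destination group, services) as listed in Table 40.
FLOWS = [
    ("support", "solman", ("J2EE engine (HTTP)", "ITS (HTTP)", "Introscope Manager (HTTP)")),
    ("diag_server", "solman", ("IGS (HTTP)",)),
    ("agent", "solman", ("J2EE engine (P4)", "Message Server (HTTP)")),
    ("agent", "introscope", ("Introscope Enterprise Manager (TCP/IP)",)),
]


def expand_ports(instance_no):
    """Return {service: port} for one SAP instance number (00-99)."""
    if not 0 <= instance_no <= 99:
        raise ValueError("SAP instance numbers are two digits (00-99)")
    nn = f"{instance_no:02d}"
    ports = {svc: int(fmt.format(nn=nn)) for svc, fmt in PORT_FORMATS.items()}
    ports.update(FIXED_PORTS)
    return ports


def expected_rules(instance_no, hosts):
    """Build the set of (source host, destination host, port) tuples that
    Table 40 requires. `hosts` maps each group used in FLOWS to host names."""
    ports = expand_ports(instance_no)
    rules = set()
    for src_group, dst_group, services in FLOWS:
        for src, dst in product(hosts[src_group], hosts[dst_group]):
            for svc in services:
                rules.add((src, dst, ports[svc]))
    return rules


def audit_allow_list(existing, expected):
    """Compare a firewall allow-list with the expected rules.
    Returns (missing, surplus): missing rules break the scenario, surplus
    rules expose a port the table does not require for that source."""
    return sorted(expected - existing), sorted(existing - expected)


def demo():
    """Constructed landscape: instance 01, one Solution Manager host."""
    hosts = {
        "support": ["sapsupport-gw"],
        "solman": ["solman1"],
        "diag_server": ["solman1"],   # assumption for the demo only
        "agent": ["agent-erp1"],
        "introscope": ["introscope1"],
    }
    expected = expected_rules(1, hosts)
    # Constructed current allow-list: P4 and message server are open, the
    # support HTTP ports are missing, and the agent can reach J2EE HTTP
    # although Table 40 only lists that flow for SAP Support.
    existing = {
        ("sapsupport-gw", "solman1", 50100),
        ("agent-erp1", "solman1", 50104),
        ("agent-erp1", "solman1", 8101),
        ("agent-erp1", "introscope1", 6001),
        ("agent-erp1", "solman1", 50100),
    }
    return audit_allow_list(existing, expected)


if __name__ == "__main__":
    missing, surplus = demo()
    for rule in missing:
        print("MISSING:", rule)
    for rule in surplus:
        print("SURPLUS:", rule)
```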
13.6 SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP
You can execute the automated basic configuration using transaction SOLMAN_SETUP.
The application is also the home application for work center SAP Solution Manager configuration. Therefore, to set up your SAP Solution Manager and update it, you can either use the transaction or the work center. When you initially set up an SAP Solution Manager system, the system automatically guides you to the transaction. At a later stage, you can lock the transaction and work within the SAP Solution Manager configuration work center.
The following graphic gives you an overview of the work center and its authorizations.
Figure 50: SAP Solution Manager configuration work center as of SP05
In general, the authorizations for this work center are automatically assigned during the configuration process to the users that are created during the setup. These users are explained in more detail in the next sections of this guide.
User Creation Steps
Steps for creating template/standard users and configuration users are optional. They are mandatory for default users for Basic Settings Configuration and Managed System Configuration.
The optional flag works at activity level. An optional activity is an activity for which the end-users are not forced to execute the corresponding configuration. The status of this activity is not taken into account in the status consolidation at step level. If a step contains only optional activities, the step itself is considered as optional. The step is then grayed out.
Log Upload
Note: The logs of any guided procedure in transaction SOLMAN_SETUP can be attached to an incident message and downloaded for the purpose of error reference. Any user data or other data in this respect is visible in these HTML reports. Reports are only available for download if the current user has access to SOLMAN_SETUP or the SAP Solution Manager Configuration work center.
Mass Configuration Update for Managed Systems
You can update your configurations of managed systems (productive and others) to all clients except client 000 using the function Mass Update in the guided procedure for Managed Systems. This allows you to update the configuration for more than one system at the time using templates.
Caution: Make sure that only specified users are allowed to automatically update any configuration settings in your managed system via SAP Solution Manager.
Authorization
The mass update is allowed by default for user SOLMAN_ADMIN by authorization object SM_SETUP and activity 79 (Mass Update). This authorization object is included in role SAP_SM_BASIC_SETTINGS. The activity should be removed from the user after the update has been completed.
Trusted RFC Connection
The mass update configuration needs a trusted RFC connection between SAP Solution Manager and the managed system.
Caution: Make sure that this trusted RFC connection is removed again after the mass update has been executed.
13.7 Root Cause Analysis Work Center
This section gives an overview of the users recommended by SAP and their corresponding role assignments for Root Cause Analysis.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the user's work. You may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.
Figure 51: Root Cause Analysis Work Center
The tables below give you a further overview. During automated setup, the user SAPSUPPORT automatically receives all relevant roles, see the section on the SAPSUPPORT user. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned separately.
Related Links in the Work Center
In the related links section of the work center, you find all possible links for this work center. This link collection is a recommendation of which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.
Analysis
All links require at least role SAP_RCA_DISP.
Configuration
For the following two links, you need authorization for the work center SAP Solution Manager Configuration and the corresponding roles, see the specific guide on Landscape Setup.
● Solution Manager Configuration
● Managed System Setup
Administration
● Solution Manager Administration:
You need authorization for the SAP Solution Manager Administration work center and the corresponding authorizations, see the scenario-specific guide for SAP Solution Manager Administration.
● Landscape Browser:
You need authorization for LMDB maintenance SAP_SYSTEM_REPOSITORY_*.
● Self-Diagnosis:
You need authorization for solutions SAP_SM_SOLUTION_*.
● My Notification Settings:
You need role SAP_NOTIF_*.
Documentation
There are no authorization checks for URL links.
13.8 SOLMAN_SETUP Configuration Administration Tool
You can use transaction SOLMAN_SETUP_ADMIN to administer the configuration done in transaction SOLMAN_SETUP.
The transaction SOLMAN_SETUP_ADMIN contains the following views:
● Overview
● Generic Storage Admin
This view contains the data which is stored during the execution of transaction SOLMAN_SETUP. The view of the steps is controlled by authorization object SM_SETUP (similar to the use of the object within transaction SOLMAN_SETUP).
● Data Storage
This view contains log information on the changes executed during configuration in transaction SOLMAN_SETUP, which are also stored in the SOLMAN_SETUP log tables.
● Solman Setup Migration
This view displays logs of the migrations related to SOLMAN_SETUP.
● Log Archiving
Roles and Authorizations
The transaction is not integrated in any work center. You have to assign the following roles to a dedicated user manually:
Roles allowing access to all views except Log Archiving:
● SAP_SOLMAN_SETUP_ADMIN_ALL
● SAP_SOLMAN_SETUP_ADMIN_DIS
Role allowing access to Log Archiving only: SAP_SM_ARCHIVE_LOG_ALL
Log Archiving
Log Archiving can be accessed from the following applications:
● any step in transaction SOLMAN_SETUP, see the section on user SOLMAN_ADMIN in the Landscape Setup Guide
● transaction SOLMAN_SETUP_ADMIN
● work center SAP Solution Manager Administration, view Users: within the application Solution Manager User Management (SMUA), see the Scenario-specific Guide for SAP Solution Manager Administration
13.9 Users Created During Installation
13.9.1 Database User SAP<SID>DB [MANAGED.DB.USER]
This database administrator user (located on the database server) is created during the SAP engine installation of the managed system, and it is the owner of the database schema created for the system. The user store is the database server, group: database administrators. This user is required during the SAP engine installation and also for some Diagnostics tools such as:
● DBA Cockpit
● In case of JDBC connection problems, you can retrieve the full JDBC configuration using the Diagnostics Config Tool, available by running the following script: /usr/sap/<SID>/Shortcuts/configtool
Note: If you require a dedicated user for Root Cause Analysis with the corresponding credentials, it is possible to create a user with read access to the database schema.
Password change
It is strongly recommended not to update this user. If necessary, this user's password can be updated in the database administration tool. The password change then has to be applied accordingly within the configtool, in the secStore part.
13.9.2 OS Engine User [MANAGED.OS.SIDADM]
This OS user is created with the installation of the SAP Engine on the Windows platform of the managed system. This user is required to restart the managed system to take into account the Java parameter updates performed by Diagnostics.
Note that on UNIX systems the user <SID>adm must have a umask such as 027, and you must make sure that the group sapsys has at least read access to the managed system engine files. On Windows, the recommended user is SAPService<SID>adm in the group administrators.
This user's password can be changed according to the local user policy.
13.9.3 OS User Dedicated to the Diagnostics Agent <SID>ADMIN [MANAGED.OS.AGTSIDADMIN]
This OS user is created during the Diagnostics Agent installation on the managed system. The default user name is <SID>ADMIN. On UNIX systems, this user must have the required permissions to read data from the managed system and to write them to the agent directory. The user is also required, for instance, to restart the Diagnostics Agent. The following platform families may be considered:
● Managed system based on a Microsoft Windows Server
Using a Microsoft OS involves having a user that is part of the OS administrators group.
● Managed system based on a UNIX OS
On UNIX systems, this user must be a member of the sapsys group. The Diagnostics Agent temp directory must have read, write and execute permissions for the group. This allows users belonging to the sapsys group to have full access to it. The permissions must be equal to the result of the command chmod g+rwx on the Diagnostics Agent temp directory. This user must have a umask equal to 027.
Note:
● If your system has a daemon task that checks and automatically restores your default access permissions, you may have to adapt this daemon to remain compliant with the requirements described above.
● See SAP Note 1163751 for the solution check.
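As an added example (not part of the SAP guide), this Python script checks the UNIX requirements above for the Diagnostics Agent OS user: membership in group sapsys, the chmod g+rwx result on the agent temp directory, and a umask of 027. The group name and umask value come from the text; the temporary directory used in demo() is constructed.

```python
"""Check the UNIX requirements of section 13.9.3 for the Diagnostics Agent OS
user: membership in group sapsys, g+rwx on the agent temp directory, and a
umask of 027. Added example, not part of the SAP guide; the directory used by
demo() is a constructed temporary path."""
import grp
import os
import pwd
import stat
import tempfile

REQUIRED_UMASK = 0o027                                   # "mask equal to 027"
GROUP_RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP   # what chmod g+rwx sets
AGENT_GROUP = "sapsys"


def group_has_rwx(mode):
    """True if the permission bits in `mode` grant the group rwx."""
    return (stat.S_IMODE(mode) & GROUP_RWX) == GROUP_RWX


def check_temp_dir(path):
    """Return findings (strings) for the Diagnostics Agent temp directory;
    an empty list means the directory meets the chmod g+rwx requirement."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: directory does not exist"]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: not a directory")
    if not group_has_rwx(st.st_mode):
        group_bits = stat.filemode(st.st_mode)[4:7]   # e.g. "r-x"
        findings.append(f"{path}: group permissions are {group_bits}, need rwx (chmod g+rwx)")
    return findings


def current_umask():
    """Read the process umask without leaving it changed."""
    old = os.umask(0)
    os.umask(old)
    return old


def umask_ok(value):
    """True if `value` is exactly the required 027 umask."""
    return value == REQUIRED_UMASK


def user_in_group(user, group):
    """True if `user` has `group` as primary or supplementary group."""
    try:
        pw = pwd.getpwnam(user)
        gr = grp.getgrnam(group)
    except KeyError:          # unknown user or group
        return False
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


def audit_agent_user(user, temp_dir):
    """Run all checks for the agent OS user; returns the list of findings
    (empty = compliant with the requirements above)."""
    findings = []
    if not user_in_group(user, AGENT_GROUP):
        findings.append(f"{user}: not a member of group {AGENT_GROUP}")
    findings.extend(check_temp_dir(temp_dir))
    um = current_umask()
    if not umask_ok(um):
        findings.append(f"umask is {um:04o}, required {REQUIRED_UMASK:04o}")
    return findings


def demo():
    """Show a 750 directory failing the check and passing after chmod g+rwx;
    returns (findings_before, findings_after)."""
    path = tempfile.mkdtemp(prefix="smdagent-tmp-")   # constructed path
    try:
        os.chmod(path, 0o750)                          # group lacks write
        before = check_temp_dir(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode | GROUP_RWX)               # same effect as chmod g+rwx
        after = check_temp_dir(path)
    finally:
        os.rmdir(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod g+rwx:", before)
    print("after chmod g+rwx:", after)
```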
13.10 Users and Authorizations for SAP Solution Manager Configuration/Operation
You need to create users during system preparation and during basic setup.
Described Users
In this section, all users created in the SAP Solution Manager system are described. Not described are users created in the managed systems, BW users, SLD users, and S-users.
Role Descriptions
The assigned roles are not described in detail. All role descriptions are linked in the setup screen when you create the corresponding users in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. This help text can also be called using transaction SE61. In the following sections, only the technical ID of the help text is given. For more information on any specific role, call transaction SE61 or check the corresponding user creation step in transaction SOLMAN_SETUP. If you check in transaction SE61, proceed as follows:
1. Call transaction SE61.
2. Choose Document Class General text (TX).
3. Choose your language.
4. Enter the technical ID of the help text as given in the tables underneath.
5. Choose button Display. The system displays the text, which is also linked in the setup screen.
All documents for authorization role descriptions follow the naming convention <AUTH_*>. Role updates are mentioned in the description tab of the corresponding role and in the Document History of this security guide.
13.10.1 Password Changes
When you have changed passwords for users or deleted them, you need to readjust this in transaction SOLMAN_SETUP. To do so, use the function Update Password or Provide Credentials to update the password for a user.
13.10.2 Configuration and Administration User SOLMAN_ADMIN [SOLMAN.DUAL.ADMIN]
When you configure your Solution Manager initially, you need to create your configuration/administration user (user type: dialog user) during system preparation. Per default this user is called SOLMAN_ADMIN. You can use the default user name, but you can also use any other user name. You can use this user for:
● Configuration of the basic settings, managed system settings, and Early Watch Alert Management of SAP Solution Manager
● Update of the configuration of the basic settings, managed system settings, and Early Watch Alert Management of SAP Solution Manager
Configuration
The user SOLMAN_ADMIN is created by the system automatically during the automated configuration procedure in transaction SOLMAN_SETUP (work center SAP Solution Manager Configuration). It is assigned a number of different roles for various purposes.
SAP delivers all roles in the SAP name space (SAP roles). When assigning the roles, the system automatically detects which roles need to be copied into a customer name space <Z> (customer roles). For instance, navigation roles for work center usage (SAP_SMWORK_<work center>) do not need to be copied into the customer name space, as they do not contain any relevant authorization objects, only menu options. The user interface shows you which roles should be copied into a name space. Before copying the roles, you can choose your own name space for the roles that are automatically copied by the system. To do that, enter your name space instead of the <Z> name space in the column Copy from SAP Role before you create the roles.
Note: Not all roles need to be copied into your own name space. For instance, role SAP_J2EE_ADMIN must not be copied, as it is just a “connecting” role between the ABAP and Java stacks. In addition, navigation roles for work centers should not be copied, as the menu can then be easily overwritten by a new SAP delivery with a new interface navigation, see the section on the work center navigation role concept in the core security guide.
The system automatically assigns the selected roles to the SOLMAN_ADMIN user and generates the corresponding profiles. This allows the user to function immediately, as all authorization values in the mentioned roles are delivered with dedicated values. For all fields that are generic, the value asterisk (*) is delivered.
Therefore, if you want to change delivered values, you still need to maintain the authorization objects for the according role manually. For more information, read the Role Description for the according role. The role description is provided in the according screen in the user interface of the guided procedure.
The following table gives you an overview over the roles assigned to this user.
Default Roles Assigned to User SOLMAN_ADMIN (Help Text ID: USER_SOLMAN_ADMIN)
Table 48
Assigned Roles | Help Text ID
For Basic Configuration:
SAP_J2EE_ADMIN (Note: You may also assign role SAP_RCA_AGT_ADM.) | AUTH_SAP_J2EE_ADMIN
SAP_SM_BASIC_SETTINGS | AUTH_SAP_SM_BASIC_SETTINGS
SAP_SM_USER_ADMIN | AUTH_SAP_SM_USER_ADMIN
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN
SAP_PI_CCMS_SETUP | AUTH_SAP_PI_CCMS_SETUP
SAP_SM_BI_EXTRACTOR | AUTH_SAP_SM_BI_EXTRACTOR
SAP_SMWORK_BASIC | AUTH_SAP_SMWORK_BASIC
SAP_SMWORK_CONFIG | AUTH_SAP_SMWORK_CONF
SAP_SMWORK_INCIDENT_MAN | AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SMWORK_DIAG | AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_SM_ADMIN | AUTH_SAP_SMWORK_ADMIN
SAP_SMWORK_TECH_MON | AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_SYS_ADMIN | AUTH_SAP_SMWORK_SYS_ADM
SAP_SMWORK_CHANGE_MAN | AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SMWORK_SERVICE_DEV | AUTH_SAP_SMWORK_SERVICE_DEV
SAP_SM_DASHBOARDS_DISP_LMDB | AUTH_SAP_SM_DASHBOARDS_DISP_LMDB
SAP_RCA_ADMIN_CONFIG | AUTH_SAP_RCA_ADMIN_CONFIG
SAP_SM_S_RFCACL | AUTH_SAP_SM_S_RFCACL
Optional: End-User Experience Monitoring Configuration
SAP_SM_EEM_CONF | AUTH_SAP_SM_EEM_CONF
Optional: Mass Update with Template Management
SAP_SM_MS_TMPL_UPDATE_ALL | AUTH_SAP_MS_TMPL_UPDATE
Optional: Role Comparison Tool
SAP_SM_ROLECMP_ALL | AUTH_SAP_SM_ROLECMP_ALL
After creating the SOLMAN_ADMIN user, you continue configuring your SAP Solution Manager system with this user. This user therefore creates the other users you need in the system, such as SMD_RFC, SAPSUPPORT, and so on. These users are described in more detail in the following sections.
Template Management for Mass System Configuration
You can use Template Management to mass-configure managed systems by using one template for a number of similar systems. The configuration of the managed systems is done in the background. You can use the SOLMAN_ADMIN user for it. You can also create a specific user for this task manually. You need to assign this user the following authorizations/roles:
● SAP_SM_MS_TMPL_UPDATE_ALL
The role contains the authorization for Template Management, SM_MASS_UP.
Note: To allow the user to access transaction SOLMAN_SETUP and the Mass Update application, you need to manually assign authorization object SM_SETUP with ACTVT 03 (Display) and ACTVT A8 (Mass Update).
● SAP_SYSTEM_REPOSITORY_ALL
● SAP_SM_RFC_ADMIN
Role Comparison Tool: Role Adjust
Caution: The use of this tool can be critical, as it allows manipulation of any customer roles if the authorization is given.
You can use the SOLMAN_ADMIN user to run the Role Comparison Tool, which compares your own customer roles with updated SAP standard roles in transaction SOLMAN_SETUP, per user. You can also create a specific user for this task manually. You need to assign this user the following authorizations/roles:
● SAP_SM_ROLECMP_ALL
The role contains the authorization for role adjustment, SM_ROLECMP.
● SAP_SM_USER_ADMIN
● In addition, you need to assign authorization objects S_TCODE (for SOLMAN_SETUP) and SM_SETUP with ACTVT 03 to access transaction SOLMAN_SETUP.
Note: Role SAP_SM_ROLECMP_ALL is assigned to all configuration users created in step 8 of Basic Configuration in transaction SOLMAN_SETUP (technical names: SMC_***).
Incident Management Integration
To allow the SOLMAN_ADMIN user to create Incidents, you need to assign role SAP_SUPPDESK_CREATE additionally.
Update
Note: When you update your Solution Manager, you need to check the user authorizations for this user again and update its authorizations. This is described in the corresponding screen in transaction SOLMAN_SETUP.
Administration
After the configuration of SAP Solution Manager, you can restrict the authorizations of the user SOLMAN_ADMIN if needed. For instance, role SAP_J2EE_ADMIN grants administration authorization for all areas of J2EE. To separate and/or restrict this authorization, you can remove this role from user SOLMAN_ADMIN and assign the relevant restrictive roles. In addition, the following roles can be removed after configuration is done, without a status change in SOLMAN_SETUP:
● SAP_SM_USER_ADMIN
● SAP_SM_CONF_SEC
● SAP_SM_S_RFCACL
● SAP_SM_GATEWAY_ACTIVATION
● SAP_SM_MS_TMPL_UPDATE_ALL
Restricting Roles for User SOLMAN_ADMIN
Table 49
Assigned Role | Restricting Roles | Help Text ID
SAP_J2EE_ADMIN | SAP_RCA_AGT_ADM | AUTH_SAP_RCA_AGT_ADM
 | SAP_JAVA_NWADMIN_CENTRAL_READONLY | no Help Text ID, see the corresponding security guide for NW Java
 | SAP_RCA_AGT_ADM_VIA_SLD | This role allows use of the Expert User Interface in Java for Agent Candidate Management. It should only be assigned to specified users.
 | sap.com/tc~monitoring~systeminfo*sap_monitoring/SystemInfo_Support_Role | no Help Text ID, see the corresponding security guide for NW Java
 | sap.com/SQLTrace*OpenSQLMonitors / OpenSQLMonitorLogonRole | no Help Text ID, see the corresponding security guide for NW Java
 | SAP_SLD_GUEST | Read access to SLD. Caution: If you restrict access to technical systems in the ABAP stack using authorization object AI_LMDB_OB, a user with access to SLD and role SAP_SLD_GUEST can still read all system information in SLD.
Restrict Access to SOLMAN_SETUP (Authorization Object SM_SETUP)
The authorization object SM_SETUP controls whether a user can access transaction SOLMAN_SETUP. In addition, it controls which functions SOLMAN_ADMIN can use within this transaction, such as:
● editing steps (ACTVT 02)
● using the archiving functionality (ACTVT 24)
● allowing automatic mass configuration for managed systems (ACTVT A8)
The object is contained in role SAP_SM_BASIC_SETTINGS.
Authorization to Unlock Users
SOLMAN_ADMIN user role SAP_SM_BASIC_SETTINGS contains authorization object S_USER_GRP with ACTVT 05 (unlock). This authorization is used to unlock locked users during the configuration of users (create, update).
13.10.3 Technical User SM_AMSC
This technical user is used during Automated Managed System Configuration (AMSC) to run the update job in the Solution Manager system. The user is assigned role SAP_SM_MS_SETTINGS.
The following use cases are handled by this user:
● Read RFC destination update
● Java Server Node removed
● Java Server Node added
● ABAP client removed
● Delete, add, remove Instance
● Instance moved to different physical host
● Product Version/Instance upgraded
● Product Version/Instance added, removed
● Update SLD Content
Note: The LMDB notification job runs with user SOLMAN_BTC.
Specific Authorization Objects
S_ADMI_FCD
The role contains authorization object S_ADMI_FCD with value DBA. One use case of AMSC is the automatic adaptation when a host name is renamed. For this purpose, the user calls the DBA Cockpit setup and provides the new host name. All configuration steps for the remote connection in DBA Cockpit require S_ADMI_FCD authorization with value DBA.
SM_SMUA
One use case of AMSC is the possibility to upgrade an ABAP stack. In this situation, the system checks if the roles for the RFC users (such as READ user) need to be updated, too. The update of these users is restricted by authorization object SM_SMUA.
13.10.4 Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM]
During system preparation, you need to create a user (user type: system user) to connect the Diagnostics Agent to your SAP Solution Manager Java stack. The default name of this user is SMD_AGT. The user is mandatory to register the SMD agent with the Java stack via a P4 connection during startup of the agent. Be aware that if some agents are not connected during password maintenance, the system does not update those agents, and they are therefore no longer able to connect. In that case, a manual update is mandatory, as described in the Diagnostics Agent Setup Guide.
Role Assignment to User SMD_AGT (Help Text ID: USER_SMD_ADMIN)
Table 50
Assigned Role | Help Text ID
SAP_RCA_AGT_CONN | AUTH_SAP_RCA_AGT_CONN
Note: Role SAP_RCA_AGT_CONN must not be copied into the customer name space, as this role does not contain authorizations. It refers to its security role in the Java stack.
13.10.5 Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC]
During system preparation, you create this technical user (user type: system user) to run all batch jobs (see table SMCONFIGJOBS) that are relevant for the basic configuration, including the update of the MAI configuration after an upgrade to a new Support Package (authorization object SM_MOAL_TC). The default name for the user is SOLMAN_BTC. This user must receive role SAP_SM_BATCH, which contains all relevant authorizations. For changes per Support Package, see also SAP Note 1314587.
If you set up BW as the standard scenario (local), you also need to assign role SAP_BI_E2E to the user to execute all BW-related batch jobs.
User Roles for User SOLMAN_BTC (Help Text ID: USER_SOLMAN_BTC)
Table 51
Assigned Role | Help Text ID
SAP_SM_BATCH | AUTH_SAP_SM_BATCH
SAP_BI_E2E | AUTH_SAP_BI_E2E
List of Background Jobs
All background jobs that run with this user can be found in SAP Note 894279.
If your system is marked as non-productive, the following jobs are not running in your system:
13.10.6 Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN]
To ease support (user tracing) and a potential user locking, the technical user SM_EXTERN_WS is used for external web services communication between Diagnostics Agents and SAP Solution Manager.
User Role for SM_EXTERN_WS (Help Text ID: USER_SM_EXTERN_WS)
Table 52
Assigned Roles | Help Text ID
SAP_SM_EXTERN_WS | AUTH_SAP_SM_EXTERN_WS
SAP_J2EE_ADMIN | AUTH_SAP_J2EE_ADMIN
13.10.7 Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN]
The technical user SM_INTERN_WS is used for internal web services communication between the ABAP and Java stack of SAP Solution Manager.
Roles Assigned to User SM_INTERN_WS (Help Text ID: USER_SM_INTERN_WS)
Table 53
Assigned Roles | Help Text ID
SAP_SM_INTERN_WS | AUTH_SAP_SM_INTERN_WS
SAP_J2EE_ADMIN | AUTH_SAP_J2EE_ADMIN
13.10.8 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT]
The SAPSUPPORT user is a read user for Root Cause Analysis, of type dialog. The user SOLMAN_ADMIN automatically creates this user in the SAP Solution Manager system, the managed systems, and the BW client/system. This user is the main user to log on to Diagnostics.
In the SAP Solution Manager System: Standard BW Scenario (Help Text ID: USER_SAPSUPPORT)
Table 54
Assigned Roles  Help Text-ID
SAP_BI_E2E  AUTH_SAP_BI_E2E
Note: Note role SAP_BI_E2E_DISP.
SAP_RCA_DISP  AUTH_SAP_RCA_DISP
Note: This role allows only read access to all tools. If you want your SAPSUPPORT user to be able to change settings, you need to adapt the role. For how to adapt the role, see the How-to section.
SAP_DBA_DISP  AUTH_SAP_DBA_DISP
SAP_CV_DIS  AUTH_SAP_CV_DIS
SAP_EM_DISPLAY  AUTH_SAP_EM_DISPLAY
Note: Role SAP_EM_COCKPIT allows the usage of the cockpit with the authorization to display the total of records, including payload.
SAP_SMWORK_BASIC  AUTH_SAP_SMWORK_BASIC
SAP_SMWORK_CONFIG  AUTH_SAP_SMWORK_CONFIG
SAP_SMWORK_DIAG  AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_SM_ADMIN  AUTH_SAP_SMWORK_ADMIN
Note: In the display role for RCA, the authorization object D_SM_S_DIA is delivered with activities 02 (change) and 03 (display). This is due to the nature of the self-diagnosis function and its configuration possibilities. It has no impact on data changes, only on data display.
In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSUPPORT_MS)
Table 55
Assigned Roles Help Text-ID
SAP_BI_E2E AUTH_SAP_BI_E2E
13.10.9 Dialog User SAPSERVICE
The user is used for Service Delivery for SAP. It is present in all relevant systems in your system landscape. You can create this user during the Basic Settings configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:
● SAP Solution Manager
● Managed Systems
● BW System
In general, this user retains all authorizations of the SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and the managed systems.
Trusted RFC Authorizations
The authorization for trusted RFCs should be assigned if trusted RFCs are created between SAP Solution Manager and the managed systems, and, if BW is remote, between the BW system and SAP Solution Manager. The corresponding role in SAP Solution Manager and the managed systems is SAP_SM_S_RFCACL; in the BW system the role is called SAP_SM_BW_S_RFCACL.
Specific Role Namespace
Because this user is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if it is remote) are automatically copied into their own namespace ZSD*.
In the SAP Solution Manager
For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the corresponding entry in step 2.4 Create Users in the Basic Settings view. If you are not sure about the roles assigned by the system, check the documentation link behind the corresponding role. The single roles are also shipped in composite role SAP_SERVICE_EXE_ALL_COMP.
In the Managed System
In the managed systems, the user is not created automatically, because the required authorizations depend on the business context. See SAP Note 1405975 for appropriate roles.
In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSERVICE)
Table 56
Assigned Roles Help Text-ID
SAP_BI_E2E AUTH_SAP_BI_E2E
ITPPM Project Integration
The following roles are required for the ITPPM Project integration:
● SAP_SM_DASHBOARDS_DISP_VBD
● SAP_BPR_PPM
● SAP_CPR_PROJECT_ADMINISTRATOR
● SAP_CPR_USER
● SAP_XRPM_ADMINISTRATOR
13.10.10 Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC]
The SMD_RFC user is created by user SOLMAN_ADMIN during runtime for communication between Root Cause Analysis/Java and SAP Solution Manager /ABAP.
Role Assignment to User SMD_RFC (Help Text ID: USER_SMD_RFC)
Table 57
Assigned Role Remarks
SAP_SM_WEBSERVICE_ADMIN ABAP authorization role, full authorization for Java stack
SAP_SOLMANDIAG_E2E ABAP authorization role, for diagnostics
13.10.11Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV]
The technical user SEP_WEBSRV is used for the BMC Appsight License Check Service in the Internet Communication Framework (ICF).
Role Assigned to User SEP_WEBSRV (Help Text ID: SEP_WEBSRV)
Table 58
Assigned Role Help Text-ID
SAP_APPSIGHT_INTERFACE AUTH_SAP_APPSIGHT_INTERFACE
13.10.12 Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV]
The technical user CONTENTSERV is used for services in the Internet Communication Framework (ICF).
User roles for CONTENTSERV (Help Text ID: USER_CONTENTSERV)
Table 59
Assigned Role Help Text-ID
SAP_SOL_LEARNING_MAP_DIS AUTH_SAP_SOL_LEARNING_MAP_DI
13.10.13 Technical User for RFC Connection BACK <SMB_<SIDofManagedSystem>> [MANAGING.ABAP.RFC]
The technical user is used for the BACK RFC connection from the managed system to the SAP Solution Manager system. It is created during the managed system setup by user SOLMAN_ADMIN. The default name of this user is SMB_<SIDofManagedSystem>. The password can either be customer-specific or generated by the system.
The RFC is used to send SDCCN data or messages from a managed system to the SAP Solution Manager system, to lock customizing objects against changes in Customizing Distribution, to integrate Change Request Management into the Service Desk, and so on.
Note: If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
The user is automatically assigned a generated role: <name space>SAP_SOLMAN_BACK.
13.10.14 User Wily Guest [SOLMAN.WILY.GUEST]
The application user Guest is a built-in user of the Introscope Enterprise Manager (EM). By default, it is used to open the proprietary JDBC connection between SAP Solution Manager and the Introscope Enterprise Manager to extract the collected performance data. The user and password are maintained in two places:
● Within Root Cause Analysis
● Within the Introscope Enterprise Manager user store (XML files: users.xml, domains.xml)
13.11 Users and Authorizations for Managed Systems
You need to create users during the configuration of the managed systems.
Described Users
All users created in the managed system are described.
In addition, the system creates users in the UME of a managed system if this system is a Java system or a double-stack system. CTC runtime users are also created automatically. These users are listed in the log of the configuration setup, but not explicitly on the UI.
Roles Descriptions
The assigned roles are not described in detail. All role descriptions are linked in the setup screen when you create the corresponding users in transaction SOLMAN_SETUP or in the SAP Solution Manager Configuration work center. This help text can also be called using transaction SE61. In the following sections, only the technical ID of the help text is given. For more information on any specific role, call transaction SE61 or check the corresponding user creation step in transaction SOLMAN_SETUP. To check in transaction SE61, proceed as follows:
1. Call transaction SE61.
2. Choose Document Class General text (TX).
3. Choose your language.
4. Enter the technical ID of the help text as given in the tables underneath.
5. Choose button Display. The system displays the text, which is also linked in the setup screen.
All documents describing authorization roles follow the naming convention AUTH_*.
13.11.1 NGAP-Based Managed Systems Support
In NGAP-based systems, you differentiate between the application client and the administration/system client. In the administration/system client you can see all cross-client data; therefore, this client is used for system monitoring and similar tasks. For system monitoring, for instance, this requires that the relevant connections between SAP Solution Manager and the managed NGAP system point to the administration/system client.
In general, all actions required to connect managed systems also apply to NGAP-based systems.
13.11.2 Administrator User in ABAP: SM_ADMIN [MANAGED.JAVA.ABAP.ADMIN]
When you set up the managed systems with SAP Solution Manager, the system creates a configuration user SM_ADMIN_<Solution Manager SID> of type system user with specific authorizations in the managed system. This user is allowed to create other users in the managed system, assign roles, and run some Diagnostics self-check activities.
This user creates the following users in managed systems of type Double Stack:
● SAPSUPPORT (dialog user in ABAP)
● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent in Java)
● SMDAGENT_<SolManID> (technical user for JCo/RFC, relevant for the Diagnostics Agent in ABAP)
This user creates the following users in an ABAP single stack of the managed systems:
● SAPSUPPORT (dialog user in ABAP)
● SMDAGENT_<SolManID> (technical user for JCo/RFC, relevant for the Diagnostics Agent in ABAP)
Roles Assigned to Configuration User SM_ADMIN_<SolutionManager SID>
Table 60
Assigned Roles  Help Text ID  Additional Remarks
for Basic Configuration
SAP_RCA_CONF_ADMIN  AUTH_SAP_RCA_CONF_ADMIN  Main configuration authorization for the managed system, including SDCCN
SAP_SM_USER_ADMIN  AUTH_SAP_SM_USER_ADMIN  ABAP authorization role; authorizations for transactions SU01 and PFCG to allow the creation, change, and deletion of users and roles. If your security policy does not allow this, you need to create all users manually.
SAP_J2EE_ADMIN  AUTH_SAP_J2EE_ADMIN  In case of a double stack or single Java stack; must be added manually
Operations/Upgrade Mode
Recommendation: The user can be locked after the configuration tasks are finished. For an upgrade configuration, you need to unlock it again.
13.11.3 Administrator User in Java: SM_ADMIN_<SolManSID> [MANAGED.JAVA.ADMIN]
When you set up the managed systems with SAP Solution Manager, you need to create an administration user for Java manually. This user must be allowed to create other users in the managed system, assign roles, and run some Diagnostics self-check activities.
This user creates the following users in managed systems of type Double Stack:
● SAPSUPPORT
● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent in Java)
This user creates the following users in a Java single stack of the managed systems:
● SAPSUPPORT
● SM_COLL_<SolManID> (technical user, relevant for the Diagnostics Agent)
13.11.4 Technical User SMDAGENT_<SolManID> for Wily Host Agent [MANAGED.ABAP.WILYAGT]
The user SMDAGENT_<SOLMANSID> connects the Wily Host Agent to the managed system. It is an ABAP user used by the Wily Host Agent and is created automatically during the managed system setup.
The user is used to run dedicated extractors on the managed systems, which are delivered with the ABAP add-on ST/A-PI. The Wily Host applications running within the Diagnostics Agent use this user to open a JCo connection to managed ABAP systems and collect application-specific performance data.
For self-monitoring purposes, this user should also exist on the SAP Solution Manager system, and the current ST/A-PI should be installed there as well. The name of the user SMDAGENT_<SOLMANSID> is fixed and must not be changed.
Role Assigned to User SMDAGENT_<SolManID>
Table 61
Role Text ID Remarks
SAP_IS_MONITOR AUTH_SAP_IS_MONITOR ABAP
More Information
For further details regarding Wily Introscope user administration, see the Introscope Version 8.0 Installation Guide for SAP.
13.11.5 Technical Users for RFC Connections READ and TMW [MANAGED.ABAP.RFC]
In the managed system, you create two technical users (user type: system user) for RFC connections: the READ user and the TMW user.
Role Upload from SAP Solution Manager to the Managed System
You can upload the roles for the READ user and the TMW user using the function “Upload”. This function uploads the roles for the individual users from SAP Solution Manager into the respective client of the managed system. Before the upload, the system prompts you in a pop-up for an administration user of your managed system that has the authorizations to upload roles there. The system opens a temporary trusted RFC connection to upload the role.
Note: The function can only be used if:
● the client in the managed system is not a productive client. We recommend uploading the role into your development client and transporting it into your productive client.
● your user in the SAP Solution Manager system has authorization object SM_SMUA assigned. This authorization object is included in role SAP_SM_SMUA* for user SOLMAN_ADMIN.
READ RFC Connection (technical name: SM_<SIDofSolManSystem>CLNT<ClientofSolManSystem>_READ)
The READ RFC connection is used to read data from the managed system, to run a set of extractors, and to enable E2E tracing in the managed systems (for instance, initial E2E checks on the managed systems run E2E extractors). It is mandatory for each managed system, as it enables basic SAP Solution Manager functions.
Note: If the SAP Solution Manager system is set up as a managed system, the default RFC destination is NONE. You have to replace the RFC destination NONE and create a standard READ RFC destination.
User and Password
The default name of the user is SM_<SIDofSolutionManagerSystem>.
The password for this user can either be customer-specific or generated by the system. If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Authorization Roles
For these RFC users, the system assigns authorization roles. Which roles are assigned to the individual user is determined by the SAP_BASIS release of the managed system. The technical role names are visible in the configuration screen of the system.
The system assigns the following roles to the RFC user:
● role <namespace>SAP_SOLMAN_READ for all authorizations for SAP_BASIS releases below 7.0
Caution: To be able to generate this RFC connection during automatic configuration, you need at least ST-PI 2008_1_700 SP08. If you do not have this ST-PI level applied, see the same section in the security guide for SP08. We strongly recommend applying the latest ST-PI Support Package to SAP Solution Manager and the managed systems.
● role <namespace>SAP_SOLMAN_READ_70 for all authorizations as of SAP_BASIS 7.0
● role <namespace>SAP_SOLMAN_BI_READ; PFCG template: SAP_SOLMAN_BI_READ (template for BW authorizations, only available if the managed system contains software component BI_CONT as of SP04)
Note: If you configure your managed system in transaction SOLMAN_SETUP for Service Delivery Enablement, a READ RFC connection to client 000 of your managed system is required. In addition, role SAP_SM_BATCH_SD is assigned to the READ user to schedule the collection job SAP_COLLECTOR_FOR_PERFMONITOR. As this job is a collective job, its authorizations cannot be determined definitively. Therefore, the job is run by user DDIC in client 000 of the managed system. This user has full SAP system permissions through profiles SAP_ALL and SAP_NEW.
TMW RFC Connection (technical name: SM_<SID>CLNT<Client>_TMW)
The TMW RFC connection consists of all authorizations of the READ RFC connection plus additional authorizations for Change Request Management (remote creation of transport requests with tasks for designated developers in the development systems) and batch job authorizations. The default name for this user is SMTM_<SID of Solution Manager system>, whereas the SID refers to the connected managed system. The password can either be customer-specific or generated by the system.
Note: If you change the password of this user in user management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
For this RFC, the system uses all three roles of the READ RFC connection and an additional role for the TMW RFC connection. The roles are then assigned to the RFC user. The additional role is:
● role <namespace>SAP_SOLMAN_TMW for all authorizations regarding Change Request Management and batch job authorization
13.11.6 SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT]
The SAP Support user is a dialog user that is created automatically during the managed system setup. By default, the system proposes the user ID SAPSUPPORT, which is the user name recommended by SAP.
SAPSUPPORT User (Help Text ID: USER_SAPSUPPORT_MS)
Table 62
Role  Text ID
SAP_RCA_SAT_DISP  AUTH_SAP_RCA_SAT_DISP
XI roles  UME roles: AUTH_XI_ROLE_SAPSUPPORT, see also SAP Note 1042450
J2EE roles  UME roles: AUTH_J2EE_ROLES_SAPSUPPORT
SLD roles  UME roles: AUTH_SLD_ROLES_SAPSUPPORT
Note: Only those UME roles that are relevant for the respective Java system version are assigned to the user.
13.11.7 Dialog User SAPSERVICE
The user is used for Service Delivery for SAP. It is present in all relevant systems in your system landscape. You can create this user during the Basic Settings configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:
● SAP Solution Manager
● Managed Systems
● BW System
In general, this user retains all authorizations of the SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and the managed systems.
Trusted RFC Authorizations
The authorization for trusted RFCs should be assigned if trusted RFCs are created between SAP Solution Manager and the managed systems, and, if BW is remote, between the BW system and SAP Solution Manager. The corresponding role in SAP Solution Manager and the managed systems is SAP_SM_S_RFCACL; in the BW system the role is called SAP_SM_BW_S_RFCACL.
Specific Role Namespace
Because this user is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if it is remote) are automatically copied into their own namespace ZSD*.
In the SAP Solution Manager
For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the corresponding entry in step 2.4 Create Users in the Basic Settings view. If you are not sure about the roles assigned by the system, check the documentation link behind the corresponding role. The single roles are also shipped in composite role SAP_SERVICE_EXE_ALL_COMP.
In the Managed System
In the managed systems, the user is not created automatically, because the required authorizations depend on the business context. See SAP Note 1405975 for appropriate roles.
In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSERVICE)
Table 63
Assigned Roles Help Text-ID
SAP_BI_E2E AUTH_SAP_BI_E2E
ITPPM Project Integration
The following roles are required for the ITPPM Project integration:
● SAP_SM_DASHBOARDS_DISP_VBD
● SAP_BPR_PPM
● SAP_CPR_PROJECT_ADMINISTRATOR
● SAP_CPR_USER
● SAP_XRPM_ADMINISTRATOR
13.11.8 Technical User SM_COLL_<SIDofSolMan>
This user is created for data collection in the managed system.
Table 64
Role  Text ID
Note: The documentation texts (see column Text ID) include information on which roles are assigned according to the SAP Basis release of the system. Therefore, the system assigns only those roles that are available for the respective SAP Basis release.
XI roles  AUTH_XI_ROLES_SM_COLL
Note: If you do not use XI, you do not need to assign the corresponding roles to this user.
J2EE roles  AUTH_J2EE_ROLES_SM_COLL
Note: The Java role SAP_XI_API_DISPLAY_J2EE is only available if the software component SAP_XI_TOOLS is installed.
SAP_BPM_SolutionManager  This role is required for the BPM Workflow Monitoring extractor (see the scenario-specific guide for Technical Monitoring: BPM), which extracts BPM process and task instance statistics from the managed system (UME action bpm.solutionmanager). It is only applicable for NW CE 7.31 and higher.
INTEGRATION_VISIBILITY_DATA_COLLECTOR_EVENT_CONSUMER  These J2EE user roles are required for the function Integration Visibility, see the scenario-specific guide for Technical Monitoring: Process Integration.
INTEGRATION_VISIBILITY_CONSUMER  (see the remark above)
Caution: The CCDB CTC Extractor and CCDB DB Extractor need SAP_J2EE_ADMIN rights to run. The role SAP_J2EE_ADMIN grants administration rights for the complete Java stack, including UME (user administration).
13.11.9 J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN]
This user exists on any SAP dual-stack system. However, SAP recommends providing the SMD_AGT_ADM user credentials during RCA setup. This user account can be useful for administration tasks such as manual user creation or UME role / J2EE security role assignment. It can also be used for SLD configuration and validation procedures. The assigned role is SAP_J2EE_ADMIN.
13.11.10 Administrator OS User [MANAGED.OS.ADMIN]
The user is an OS user with administrator permissions. It is required to perform the Root Cause Analysis Agent installation and is mandatory for tasks such as:
● Creating the OS user dedicated to Diagnostics
● Restarting Java processes
On UNIX the user belongs to the group root; on Windows the user belongs to the administrator group.
13.11.11 Technical Users for CTC Configuration and Runtime Activation
The users listed below are created automatically for CTC configuration and activation.
User for CTC Configuration and Activation
Table 65
User  User Type  Remarks
SM2CTC<Solution Manager ID><client> (automatically created)  System User  Technical user for CTC templates, automatically created when the CTC runtime is activated. The user is responsible for communication from Solution Manager to CTC when the CTC runtime of the Solution Manager J2EE stack is called for the initial automatic basic configuration of Solution Manager. Automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN
13.12 Users and Authorizations for BW Configuration
The following section gives you an overview of all users and authorizations for BW, based on the configuration of the scenario (standard or remote). Some of the users described here are already mentioned in the sections on users and authorizations for the Solution Manager system and the managed systems.
For information about the BW / Extractor Framework concept, see the section on BW Integration in the Core Guide.
13.12.1 BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN]
You create a BW administration user when you use a remote BW system/client during the Basic Settings setup. The default name for this user is SM_BW_ADMIN.
Note: If BW runs in the standard scenario, these roles are assigned to user SOLMAN_ADMIN.
Roles Assigned to User SM_BW_ADMIN
Table 66
Assigned Roles  Help Text ID
for Basic Configuration
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
SAP_PI_CCMS_SETUP AUTH_SAP_PI_CCMS_SETUP
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
SAP_SM_USER_ADMIN AUTH_SAP_SM_USER_ADMIN
13.12.2 Technical User SM_BW_ACT
Due to the "divided" activation of BW content (job CCMS_BI_SETUP) in Basic Settings and in various scenario-related configurations, another user is required: SM_BW_ACT (type: system user). The user is assigned the single role SAP_BI_E2E.
Table 67
Role  Help Text ID
SAP_BI_E2E AUTH_SAP_BI_E2E
13.12.3 Technical User SM_EFWK
The SM_EFWK user is created by user SOLMAN_ADMIN in the Solution Manager system during the BW setup. The user is used to run the step report E2E_EFWK_RESOURCE_MGR in the job EFWK RESOURCE MANAGER (Extractor Resource Manager). The job itself is scheduled by the batch user SOLMAN_BTC. Which roles the user is assigned depends on two major factors:
● In which system does BW run?
Depending on whether BW runs in the same client as the productive Solution Manager (local) or in a remote BW scenario, the user receives a dedicated set of roles. If BW runs locally, then apart from running the program for the extractors, SM_EFWK also takes over the loading of data into BW.
● For which scenarios is BW reporting required?
Depending on the scenario, dedicated BW roles need to be assigned to the user for executing program E2E_EFWK_RESOURCE_MGR and for loading data into BW.
The following sections describe which roles are assigned to the user for which task and scenario:
Executing program E2E_EFWK_RESOURCE_MGR
Automatic Role Assignment to User SM_EFWK for running program E2E_EFWK_RESOURCE_MGR
Table 68
Assigned Role  Help Text ID  Scenario Relevance
SAP_SM_BI_EXTRACTOR  AUTH_SAP_SM_BI_EXTRACTOR  all scenarios
SAP_SOLMANDIAG_E2E  AUTH_SAP_SOLMANDIAG_E2E  Root Cause Analysis
SAP_SM_TWB_EXTRACTOR  AUTH_SAP_SM_TWB_EXTRACTOR  Test Management
SAP_SM_ICI_EXTRACTOR  AUTH_SAP_SM_ICI_EXTRACTOR  ICI Dashboards
SAP_SM_INC_EXTRACTOR  AUTH_SAP_SM_INC_EXTRACTOR  Incident Management
SAP_SM_CHARM_EXTRACTOR  AUTH_SAP_SM_CHARM_EXTRACTOR  Change Request Management
SAP_SM_BI_ESR_EXTRACTOR  AUTH_SAP_SM_BI_ESR_EXTRACTOR  Enterprise Reporting
SAP_SM_CCDB_EXTRACTOR  AUTH_SAP_SM_CCDB_EXTRACTOR  CCDB
SAP_SM_DVM_EXTRACTOR  AUTH_SAP_SM_DVM_EXTRACTOR  Data Volume Management
SAP_SM_CV_EXTRACTOR  AUTH_SAP_SM_CV_EXTRACTOR  Configuration Validation
SAP_SM_MAI_EXTRACTOR  AUTH_SAP_SM_MAI_EXTRACTOR  MAI Framework
SAP_SM_BATCH_RELE  AUTH_SAP_SM_BATCH_RELE  Batch job release authorization for BPO Data Collectors to run
SAP_SMPI_AUTH_EXTRACTOR  AUTH_SAP_SMPI_AUTH_EXTRACTOR  The role contains authorizations (/SDF/*) delivered with software component ST-PI, which are required in the Solution Manager system for extractor usage.
Note: See also SAP Note 1899598.
Loading Data in Case of Local BW
Note: If BW runs remote, the loading of data is executed by technical user SMD_BI_RFC in the BW system.
13.12.4 Technical User SMD_BI_RFC [SOLMAN.BI.RFC]
The SMD_BI_RFC user is only created by user SM_BW_ADMIN if you use a remote BW system/client.
Role Assignment to User SMD_BI_RFC
Table 69
Assigned Role Help Text ID
SAP_BI_E2E AUTH_SAP_BI_E2E
13.12.5 Technical User SM_BW_<SID>
The SM_BW_<SID> user is created by user SM_BW_ADMIN if you use a remote BW system/client. The user is assigned to RFC-destination: SM_BW_<SID>CLNT<Client>_READ.
Role Assignment to User SM_BW_<SID>
Table 70
Assigned Role  Help Text ID
SAP_SM_BI_ESR_EXTRACTOR  AUTH_SAP_SM_BI_ESR_EXTRACTOR
SAP_SM_BI_MAI_EXTRACTOR  AUTH_SAP_SM_BI_MAI_EXTRACTOR
SAP  AUTH_SAP_
Usage
Allow Extractor Data to be Read
The user authorization contains extractor authorization for scenarios ESR and Technical Monitoring (MAI). For more information, see scenario-specific guides for ESR and Technical Monitoring.
Check User Status in BW - System
The user authorization allows the status of all users created in the BW system by transaction SOLMAN_SETUP to be checked. If this authorization is not given, the system cannot display the status of the BW users in transaction SOLMAN_SETUP. The status check is triggered using the Refresh link.
Note: For the first installation and configuration of SAP Solution Manager, the system can display the user status only when the complete configuration is finished, because the users are created before the RFC destinations. As soon as you have created the RFC destination and the users, the system can check the user status automatically.
13.12.6 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT]
The SAPSUPPORT user is a read user for Root Cause Analysis of type Dialog. The user SOLMAN_ADMIN creates this user automatically in the SAP Solution Manager system, in the managed systems, and in the BW client/system. This user is the main user for logging on to Diagnostics.
In the SAP Solution Manager System: Standard BW Scenario (Help Text ID: USER_SAPSUPPORT)
Table 71
Assigned Roles  Help Text-ID
SAP_BI_E2E  AUTH_SAP_BI_E2E
Note: Note role SAP_BI_E2E_DISP.
SAP_RCA_DISP  AUTH_SAP_RCA_DISP
Note: This role allows only read access to all tools. If you want your SAPSUPPORT user to be able to change settings, you need to adapt the role. For how to adapt the role, see the How-to section.
SAP_DBA_DISP  AUTH_SAP_DBA_DISP
SAP_CV_DIS  AUTH_SAP_CV_DIS
SAP_EM_DISPLAY  AUTH_SAP_EM_DISPLAY
Note: Role SAP_EM_COCKPIT allows the usage of the cockpit with the authorization to display the total of records, including payload.
SAP_SMWORK_BASIC  AUTH_SAP_SMWORK_BASIC
SAP_SMWORK_CONFIG  AUTH_SAP_SMWORK_CONFIG
SAP_SMWORK_DIAG  AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_SM_ADMIN  AUTH_SAP_SMWORK_ADMIN
Note: In the display role for RCA, the authorization object D_SM_S_DIA is delivered with activities 02 (change) and 03 (display). This is due to the nature of the self-diagnosis function and its configuration possibilities. It has no impact on data changes, only on data display.
In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSUPPORT_MS)
Table 72
Assigned Roles Help Text-ID
SAP_BI_E2E AUTH_SAP_BI_E2E
13.12.7 Dialog User SAPSERVICE
The user is used for Service Delivery for SAP. It is present in all relevant systems in your system landscape. You can create this user during the Basic Settings configuration for SAP Solution Manager and BW, and in the Managed Systems Configuration for the specified managed system:
● SAP Solution Manager
● Managed Systems
● BW System
In general, this user retains all authorizations of the SAPSUPPORT user (read access). In addition, it receives further authorizations in the SAP Solution Manager system and the managed systems.
Trusted RFC Authorizations
The authorization for trusted RFCs should be assigned, in case trusted RFCs are created between SAP Solution Manager and managed systems, and in case BW is remote, in the BW-system and the SAP Solution Manager. The according role in Solution Manager and managed systems would be SAP_SM_S_RFCACL. In the BW-system the role is called SAP_SM_BW_S_RFCACL.
Specific Role Namespace
Because this user is a fixed user whose authorizations should not be changed, all roles in the SAP Solution Manager system and in the BW system (if it is remote) are automatically copied into their own namespace ZSD*.
In the SAP Solution Manager
For all roles assigned to the SAPSERVICE user in the SAP Solution Manager system, check the corresponding entry in step 2.4 Create Users in the view Basic Settings. If you are not sure about the roles assigned by the system, check the documentation link behind the corresponding role. The single roles are also shipped with composite role SAP_SERVICE_EXE_ALL_COMP.
In the Managed System
In the managed systems, the user is not created automatically, because the required authorizations depend on the business context. Check SAP Note 1405975 for appropriate roles.
In the BW Client / System: Remote Scenario (Help Text ID: USER_SAPSERVICE)
Table 73
Assigned Roles Help Text-ID
SAP_BI_E2E AUTH_SAP_BI_E2E
ITPPM Project Integration
The following roles are required for the ITPPM Project integration:
● SAP_SM_DASHBOARDS_DISP_VBD
● SAP_BPR_PPM
● SAP_CPR_PROJECT_ADMINISTRATOR
● SAP_CPR_USER
● SAP_XRPM_ADMINISTRATOR
13.12.8 Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK]
The BI_CALLBACK user is created manually. This user is relevant for the reorganization of BW data in the SAP Solution Manager and for configuration validation.
Role Assignment to User BI_CALLBACK
Table 74
Assigned Role Help Text ID Remarks
SAP_BI_CALLBACK AUTH_SAP_BI_CALLBACK ABAP authorization role
13.12.9 Diagnostics Center
The Diagnostics Center is a tool that checks your configuration of BI Reporting by executing checks.
1. A dialog user starts the Diagnostics Center from the Solution Manager Administration work center, under Infrastructure, BW Reporting.
2. The checks in the managed system run with system user SM_<Client>_READ.
3. The checks in the Solution Manager system run with the logged-on dialog user.
4. The checks for BI run via RFC destination NONE (dialog user); in a remote scenario, via RFC destination BI_CLNT<client> (user SMD_BI_RFC).
13.13 Users and Authorizations for SLD and LMDB
The SLD and LMDB configuration is done by the system automatically in one step during SOLMAN_SETUP. All necessary users are created during this step. They are explained in more detail in the following sections.
The Landscape Management Database (LMDB) serves as the central directory for system landscape data in SAP Solution Manager. It is used by Root Cause Analysis and in the Technical Monitoring work center scenarios. LMDB integrates with the System Landscape Directory (SLD) in productive or non-productive landscapes, transaction SMSY, and the Landscape Verification Tool to gather landscape data and provide it to client applications in SAP Solution Manager. For more information on its configuration, see the LMDB Setup Guide: service.sap.com/instguides SAP Components SAP Solution Manager 7.1 Additional Guides.
Technical System Landscape SLD, LMDB, and transaction SMSY
In SAP Solution Manager release 7.1, the System Landscape Directory (SLD) is the primary data provider for the LMDB. Technically, the LMDB is the ABAP counterpart of the Java-based SLD. SLD and LMDB cooperate via a connection that synchronizes their contents, using the same principle as the synchronization between two SLD systems. The data in transaction SMSY serves several applications of SAP Solution Manager (for example Change Request Management or Application Incident Management). LMDB and SMSY contain redundant data such as technical system information; this data is synchronized from LMDB to SMSY. The options for maintaining data in SMSY are limited in SAP Solution Manager release 7.1. Therefore, the authorizations and roles for LMDB also contain authorizations for SMSY.
The managed systems send their system information directly via data suppliers to the SLD which is later synchronized with the LMDB. In the LMDB the systems are recognized as technical systems.
Diagnostics Agents are usually installed on each application and database server (of managed systems or SAP Solution Manager) in a system landscape and are additional data providers (of system information) for LMDB. The Diagnostics Agents are connected directly to SAP Solution Manager and constantly send technical system information to LMDB. This process is called Outside Discovery and can be configured using transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center.
Figure 52: Technical System Landscape
Note: Communication channels are covered in section Communication Channels and Destinations in this guide.
13.13.1 Technical User SLD_CS_USER
For collecting system landscape information from the SLD, a user with read permission (for instance SLD_CS_USER) is required on the Java stack of the remote or local SLD. If the SLD system is a dual-stack system, the user is defined as a system user in transaction SU01 of the ABAP stack.
When connecting the SLD to SAP Solution Manager the user credentials are required in transaction SOLMAN_SETUP.
User Creation
The user must exist on the SLD system.
In case of local SLD
If the local SLD on SAP Solution Manager is activated, the user is created automatically.
In case of remote SLD
If you connect a remote SLD (central or productive) to SAP Solution Manager, you need to create the user manually on the SLD system.
User Authorizations
The user requires following authorizations:
● UME role: SAP_SLD_CONTENT_SYNC (SAP NetWeaver 7.1 or higher)
● UME role: SAP_SLD_GUEST (SAP NetWeaver 7.0, update the support package stack to at least SPS 12)
13.13.2 Technical User SLDAPIUSER
The SLDAPIUSER user is created during the installation of the Solution Manager system. If a central SLD is used, the user exists in the central SLD. The system needs the credentials of this user to configure the SLD Data Supplier and the CIM Client.
When connecting the SLD to SAP Solution Manager the user credentials are required in transaction SOLMAN_SETUP.
User Creation
The user must exist on the SLD system.
In case of local SLD
If the local SLD on SAP Solution Manager is activated, the user is created automatically.
In case of remote SLD
If you connect a remote SLD (central or productive) to SAP Solution Manager, you need to create the user manually on the SLD system.
User Authorizations
The user requires following authorizations:
● UME role: SAP_SLD_CONTENT_SYNC (SAP NetWeaver 7.1 or higher)
● UME role: SAP_SLD_GUEST (SAP NetWeaver 7.0, update the support package stack to at least SPS 12)
13.13.3 Technical User SLDDSUSER
The user SLDDSUSER in the SAP Solution Manager is required by the SLD data suppliers to write technical system information into SLD. The user exists in the Java stack of the SLD system and is automatically created during the SLD activation. In case the SLD system is a dual stack system it is defined as a system user in transaction SU01.
User Authorizations
The user requires UME role: SAP_SLD_DATA_SUPPLIER to create, modify, and delete CIM instances of the landscape description subset as a data supplier without access to the SLD User Interface.
Note: You need to create the role SAP_SLD_DATA_SUPPLIER manually before you can assign it to the user. For more information, see the SLD Configuration Guide.
13.13.4 Technical User for CTC Usage
User for CTC Configuration
Table 75
User (Password) | Type | Remarks
SM2CTC and CTC2SM | System User | Technical user for CTC templates; automatically created when the CTC runtime is activated; responsible for communication from Solution Manager to CTC when the CTC runtime is called; automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN
13.14 S-Users
The S-user is a customer user stored within SAP office. It is used by the SAP customer in the following scenarios:
● Exchange problem messages with SAP
● Synchronize system data with Support Portal and send data about satellite systems
● Service connection
● Retrieve information about which messages have been changed at SAP
● To send an up-to-date version of the component ST-SER for delivery of services by SAP Active Global Support
● Get some user documentation from SAP Market Place used by the Help Center within Diagnostics
13.14.1 S-User for SAP Backend
The S-user is needed to access SAP-internal systems via RFC destinations such as SAP-OSS and SAP-OSS-LIST-O01. The S-user entered in these RFC connections requires a password and has to be assigned to your customer number. For security reasons it should have no authorizations, since it could otherwise be misused for direct logon.
13.14.2 S-User for Communication
The S-user for communication is used in various scenarios. According to these scenarios, the user needs certain authorizations. These authorizations are listed in the different scenario-specific guides.
Note: If a user has sufficient authorization and is assigned correctly to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in SAP Support Portal, as this data is replicated from there to the Solution Manager system. Displaying this data is not logged.
13.15 Landscape Modelling and Infrastructure Roles
13.15.1 User Roles for System Landscape Infrastructure
SAP Solution Manager relies heavily on the use of systems, hosts, and databases. It manages and monitors them. In this respect, these entities are the basis for all scenarios in SAP Solution Manager.
Roles
The roles for systems are:
● SAP_SYSTEM_REPOSITORY_ALL (contains full authorization for LMDB and transaction SMSY)
● SAP_SYSTEM_REPOSITORY_DIS (contains display authorization for LMDB and transaction SMSY)
● SAP_SMSY_ALL (contains full authorization for transaction SMSY)
● SAP_SMSY_DIS (contains display authorization for transaction SMSY)
Authorization Objects AI_LMDB_*
The Landscape Management Database (LMDB) uses the following authorization objects:
● AI_LMDB_OB for LMDB objects
Note: In general, the object is designed like every SAP authorization object, using the explicit authorization concept. Only in transaction LMDB does the concept differ: if you restrict on a certain level, the system also restricts the next level underneath. This level is then displayed by default but cannot be changed. For instance, a restriction on a Technical System also shows the host, and a restriction on a Product System also shows the Technical Systems.
● AI_LMDB_AD for administration tasks in LMDB
● AI_LMDB_PS for Product System restriction
● AI_LMDB_RE for remote access
The purpose of authorization object AI_LMDB_OB is to define authorizations dealing with objects like technical systems or hosts. The purpose of authorization object AI_LMDB_AD is to define authorizations dealing with administrative tasks in the context of LMDB. A detailed description of the authorization objects can be found directly in the system. It can be accessed using the F1 help of the corresponding authorization object.
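To make the "next level underneath" rule concrete, the following is an added illustration, not code from the guide or from SAP: a small Python model that computes what a user sees in transaction LMDB given explicit grants per entity level, and which of those entries are display-only. The three-level hierarchy (product system, technical system, host), the sample landscape and the entity names are constructed for the example; only the rule itself comes from the note above.

```python
"""Constructed model of the LMDB behaviour described in this guide: an explicit
authorization on one entity level also displays the level directly underneath,
and that implicit level is display-only. This is an illustration written for
this section, not LMDB's implementation; the landscape below is sample data."""

# Entity levels, top-down (assumption for this illustration).
LEVELS = ["product_system", "technical_system", "host"]
LEVEL_BELOW = {"product_system": "technical_system", "technical_system": "host"}

# Constructed sample landscape: level -> {entity: [entities on the next level]}.
SAMPLE_LANDSCAPE = {
    "product_system": {"PS_ERP": ["ERP", "ERP_JAVA"], "PS_CRM": ["CRM"]},
    "technical_system": {
        "ERP": ["host01", "host02"],
        "ERP_JAVA": ["host02"],
        "CRM": ["host03"],
    },
}


def effective_visibility(grants, landscape=SAMPLE_LANDSCAPE):
    """grants: level -> set of entity names explicitly authorized (the way one
    would restrict the values of AI_LMDB_OB). Returns, per level, the explicit
    entries (changeable) and the implicit ones (shown by default, not changeable).
    Only one level underneath each grant is added, as the guide describes."""
    result = {
        lvl: {"explicit": set(grants.get(lvl, ())), "implicit": set()} for lvl in LEVELS
    }
    for lvl, child_lvl in LEVEL_BELOW.items():
        for entity in grants.get(lvl, ()):
            children = landscape.get(lvl, {}).get(entity, [])
            # an entity that is also granted explicitly stays changeable
            result[child_lvl]["implicit"].update(
                c for c in children if c not in result[child_lvl]["explicit"]
            )
    return result


def can_display(visibility, level, entity):
    """Display works for explicit grants and for the implicit level below them."""
    return entity in visibility[level]["explicit"] or entity in visibility[level]["implicit"]


def can_change(visibility, level, entity):
    """Change is possible only for explicitly granted entities, never for implicit ones."""
    return entity in visibility[level]["explicit"]


if __name__ == "__main__":
    vis = effective_visibility({"product_system": {"PS_ERP"}})
    for lvl in LEVELS:
        print(lvl, "explicit:", sorted(vis[lvl]["explicit"]), "implicit:", sorted(vis[lvl]["implicit"]))
```

Running the block shows that a grant on product system PS_ERP makes the technical systems ERP and ERP_JAVA visible but not changeable, and leaves the hosts invisible because only one level underneath is added; a separate explicit grant on a technical system is what makes its hosts appear.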
Figure 53: LMDB Authorization Objects
How to Maintain LMDB Authorization Objects
When you maintain the authorization values for these objects, take into consideration that the value help for the fields is generated dynamically depending on the values you choose.
Figure 54: LMDB Objects Maintenance
In the picture above, we attempted to maintain the activity field. A screen automatically appears in which all fields for this object can be maintained.
Caution: Always maintain the Main Entity Types first. Depending on your choice, you get a selection of dependent Entity Subtypes.
Authorization Objects S_SMSYSYST and S_SMSYEDIT
Figure 55: SMSY Authorization Objects
In authorization object S_SMSYEDIT, you restrict on possible entities to be edited. In authorization object S_SMSYSYST, you restrict on specific product systems.
13.15.2 User Roles for Solutions, Projects, Solution Directory
Solutions
Solutions form the basic infrastructure for many scenarios. A solution combines a number of systems (logical components) according to the business processes they refer to. For details, see the Glossary.
Roles
The roles for solutions are:
● SAP_SM_SOLUTION_ALL (full authorization)
● SAP_SM_SOLUTION_DIS (display authorization)
Authorization Object D_SOL_VSBL
The main authorization object for solution restriction is D_SOL_VSBL. The obsolete authorization object D_SOLUTION is only used for solution reporting purposes. In addition, authorization object D_SOLM_ACT is needed.
Figure 56: D_SOL_VSBL
Authorization Objects for Solution Copy
If you want to copy a solution, you need to activate the authorization objects D_SOL_VIEW and D_SVAS_SES. While D_SOL_VIEW only restricts sessions setup or operations, D_SVAS_SES restricts the complete session. Both objects are needed as sessions are copied as well when you copy a solution.
If you want to run the copy process in the background, the authorization objects S_BTCH_ADM and S_BTCH_JOB with value RELE are required.
Projects
Projects form the basis for those scenarios which deal with a solution before it goes live. Like a solution, a project contains a number of systems (logical components) according to the business processes they refer to.
Roles
The roles are:
● SAP_SOL_PROJ_ADMIN_ALL (full authorization)
● SAP_SOL_PROJ_ADMIN_DIS (display authorization)
Figure 57: Role SAP_SOL_PROJ_ADMIN_ALL
All three important authorization objects are explained in more detail below. The authorizations restrict separate entities but need to be considered in connection with each other. In the individual sections, examples of how they interact are given.
Authorization Object S_PROJ_GEN
The authorization object S_PROJ_GEN protects general project functions for individual scenarios, such as system landscape, Change Request Management or Quality Gate Management.
● Problem: Restrict System Landscape
The system administrator creates the system landscape for your project. The project manager maintains all other data for the project, in the project administration. Your system administrator should not have access to other project data than the system landscape information.
Solution: In role SAP_SOL_PROJ_ADMIN_*, the user should have the value 03 (display) for authorization object S_PROJECT, and the value SYST (access to system landscape maintenance in a project) for authorization object S_PROJ_GEN.
Authorization Object S_PROJECT
Authorization object S_PROJECT allows the maintenance of projects within the functions of Business Blueprint and Configuration. This authorization can be combined with authorization AI_SA_TAB for tab restriction.
Authorization Object S_PROJECTS
Authorization object S_PROJECTS provides the overarching authorization for projects in connection with other scenarios and the project type used, such as Maintenance Projects in Quality Gate Management. Therefore, you also find this authorization object in user roles for Quality Gate Management, with dedicated maintenance. The delivered defaults are specified.
Solution Directory
Roles
The roles are:
● SAP_SOLMAN_DIRECTORY_ADMIN (full authorization)
● SAP_SOLMAN_DIRECTORY_EDIT (edit authorization for business processes, but not solution settings)
● SAP_SOLMAN_DIRECTORY_DISP (display authorization)
Authorization Object AI_SOL_DIR
Figure 58: Authorization Object AI_SOL_DIR in Role SAP_SOLMAN_DIRECTORY_ADMIN
This authorization object controls whether you can change or display elements of a solution, for instance business processes. The display or change of a solution in general is controlled by authorization object D_SOL_VSBL (contained in roles SAP_SM_SOLUTION_*). Therefore, both authorization objects complement each other. Without solution authorization you cannot edit the solution in the Solution Directory. ACTVT 36 of authorization object AI_SOL_DIR controls tab Solution Settings. If this activity is granted, the user can change solution settings on this tab. This is only available in the administration role.
13.15.3 User Roles for System Landscape Verification
These user roles are needed to verify system landscape data and to read and write the tables relevant for transaction SMSY.
User Roles
Table 76
Roles | Remarks
SAP_SMSY_LV_ALL | Full authorization
SAP_SMSY_LV_DIS | Display authorization
13.16 User Role for TREX Administration
TREX can be administered using the TREX Admin Tool.
TREX
Table 77
Name Type Remarks
SAP_BC_TREX_ADMIN ABAP For TREX configuration using the TREX Admin tool
More Information
See IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_TREX_INFO).
13.17 Configuration User Roles for SAP Solution Manager
There are:
● specified roles for the automated basic settings configuration (transaction SOLMAN_SETUP)
● dedicated authorization roles for scenario-specific configuration done in transaction SOLMAN_SETUP
● no dedicated authorization roles for scenario-specific configuration done in transaction SPRO
This section tells you how to create your own roles for the configuration of scenarios.
Note: Configuration of scenario-specific functions can involve configuration of cross-scenario settings. For these functions, additional configuration roles may be needed (if you do not use profiles SAP_ALL and SAP_NEW). They are specified in the IMG activity for cross-scenario functions.
To be able to create authorization roles for scenario-specific configuration, you must have created an IMG project in transaction SPRO_ADMIN. For more information, see the configuration guide for SAP Solution Manager.
Procedure
Note: This procedure is based on the example customizing project in the How-to document How to Create Customizing Projects and Project IMGs.
1. Create an IMG Project (See section More Information)
Before you can create a role for scenario-specific configuration, you need to create an IMG project. This project is the basis for role configuration as it contains all transactions you run later on.
2. Create a Role in Transaction PFCG
1. Choose transaction PFCG.
2. Enter a role name in your name space, for instance: ZROLE_IMG_MYPROJECT and choose button Single Role.
3. Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of ST SP15.
4. Save your role.
Note: You are asked for a transport request.
3. Define Configuration Transactions for Your IMG Project
In role creation, transactions form the basis to easily maintain all necessary authorization objects. When you enter a transaction in the menu tab in your role, the system traces all authorization objects required for this transaction.
1. To receive all transactions contained in the customizing project, choose Utilities, Customizing auth. in the menu.
2. In the dialog box that appears, choose Add to attach your customizing project or customizing project view. In our case, we choose the customizing view that was created.
3. In the various dialog boxes, choose your customizing project or customizing project view, in our case myproject.
The system automatically assigns all relevant transactions and authorization objects for your customizing project or customizing project view.
4. Confirm your project assignment.
4. Maintain Authorization Objects
The authorization object defaults delivered by SAP contain minimal authorizations. To grant full authorization for the corresponding authorization objects, you need to maintain these objects.
1. In the Role Maintenance, choose tab Authorizations.
2. Choose button Change.
3. Maintain all activity values per authorization object according to your needs, for instance if you want to grant full authorization, always choose all activities.
Caution: All authorization objects need to receive a green traffic light. Be aware that the authorization trace does not trace values for the critical authorization objects S_RFC and S_TABU_DIS.
4. Generate the profile.
5. To assign this profile to a user, choose tab User, add your user in the table and execute the user comparison.
6. Save.
Result
You have now created a role for your specific IMG configuration project.
Caution: If a project or a project view was assigned to a role, you cannot manually assign any transactions to this role, and vice versa. You should therefore use the role only to generate and assign Customizing authorizations.
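The caution in step 4 is the point where generated configuration roles most often go wrong: the trace fills in everything except S_RFC and S_TABU_DIS, so whatever ends up in those objects was typed by hand. As an added example (not code from this guide or from SAP), the following Python script reviews a simplified, constructed export of a role's authorization data, one record per authorization object field, and reports fields that are still unmaintained (no green light) together with every value on the two untraced objects, highlighting wildcards. The role name ZROLE_IMG_MYPROJECT, the export shape and the sample values are assumptions for the example.

```python
"""Review aid for a PFCG role generated from a customizing project.
Added example for this guide, not SAP's code. It works on a constructed,
simplified export of the role's authorization data (one record per field)."""
from dataclasses import dataclass

# Objects whose values the authorization trace does not fill, per the guide.
UNTRACED_CRITICAL = ("S_RFC", "S_TABU_DIS")


@dataclass(frozen=True)
class AuthField:
    obj: str     # authorization object, e.g. S_TABU_DIS
    field: str   # field of the object, e.g. ACTVT
    value: str   # maintained value; "" means still unmaintained (no green light)


# Constructed sample of a freshly generated role (hypothetical ZROLE_IMG_MYPROJECT).
SAMPLE_ROLE = [
    AuthField("S_TCODE", "TCD", "SPRO"),
    AuthField("S_PROJECT", "ACTVT", "03"),
    AuthField("S_PROJECT", "PROJECT_ID", ""),     # left open after the trace
    AuthField("S_TABU_DIS", "ACTVT", "03"),
    AuthField("S_TABU_DIS", "DICBERCLS", "*"),    # wildcard entered by hand
    AuthField("S_RFC", "RFC_TYPE", ""),
    AuthField("S_RFC", "RFC_NAME", ""),
    AuthField("S_RFC", "ACTVT", "16"),
]


def review_role(auth_fields):
    """Return a sorted list of (object, field, finding) tuples.

    unmaintained: the field has no value, so the profile cannot be generated
        with a green light.
    untraced_wildcard: S_RFC or S_TABU_DIS carries '*'; the trace never proposes
        values for these objects, so a wildcard here was a manual choice.
    untraced_manual_value: any other hand-maintained value on those objects,
        listed so the reviewer sees the complete picture."""
    findings = []
    for a in auth_fields:
        if a.value == "":
            findings.append((a.obj, a.field, "unmaintained"))
        elif a.obj in UNTRACED_CRITICAL and a.value == "*":
            findings.append((a.obj, a.field, "untraced_wildcard"))
        elif a.obj in UNTRACED_CRITICAL:
            findings.append((a.obj, a.field, "untraced_manual_value"))
    return sorted(findings)


def is_generation_ready(auth_fields):
    """True when no field is unmaintained, i.e. every object would show a green light."""
    return not any(f[2] == "unmaintained" for f in review_role(auth_fields))


if __name__ == "__main__":
    for obj, field, finding in review_role(SAMPLE_ROLE):
        print(f"{obj:<12} {field:<12} {finding}")
    print("ready to generate:", is_generation_ready(SAMPLE_ROLE))
```

Run against real data, the export would come from the role's authorization tab rather than from the constructed list; the logic stays the same, and the two untraced objects are the ones to read line by line before the profile is generated and assigned.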
More Information
● For information on configuration and on how to create an IMG project, see:
○ Document: How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager Media Library Technical Papers.
○ Configuration Guide for SAP Solution Manager on the Service Marketplace: service.sap.com/instguides SAP Components Solution Manager <current release>.
13.18 Business Partners Created During Configuration
When you configure the SAP Solution Manager using the automatic basic settings configuration, additional business partners are created.
For SAP Engagement and Service Delivery
The business partners are created as follows:
Table 78
First Name Last Name Remarks
SAP Technical Quality Manager Automatically assigned ID TQM or SAPTQM
SAP Support Advisor Automatically assigned ID SAPSUPAD
SAP Engagement Architect Automatically assigned ID SAPENAR
SAP Back Office Automatically assigned ID SAPBACKO
SAP Consulting Automatically assigned ID SAPCON
Customer Program Management Automatically assigned ID CUSTPM
Customer Business Process Operations Automatically assigned ID CUSTBPM
Customer Custom Development Automatically assigned ID CUSTCD
Customer Technical Operations Automatically assigned ID CUSTTO
Customer Partner Automatically assigned ID CUSTPAR
Note: An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT as soon as this user is created during the automatic basic settings configuration (see section: User SAPSUPPORT).
For SOLMAN_SETUP Template Users and Configuration Users
Users created using transaction SOLMAN_SETUP are assigned an according business partner, if the scenario requires this. The system displays the relevant Business Partner number in the log when you create the relevant user.
More Information
For information on how to configure the basic settings, see the Configuration Guide SAP Solution Manager on the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
13.19 Traces and Logs
This section provides an overview of the trace and log files that contain, for example, security-relevant information, so that you can reproduce activities if a security breach does occur.
See Auditing and Logging on the Service Marketplace at help.sap.com, Search Documentation, and search for Auditing and Logging.
Service Connection
If a user has sufficient authorization and is assigned correctly to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in SAP Support Portal, as this data is replicated from there to the Solution Manager system. Displaying this data is not logged.
System Landscape
● Update logs
● RFC logs
● Data save logs
Solution Manager Implementation:
● All tabs can be traced. Each change on a tab is recorded.
● No changes of the assigned object are logged (except documents).
● You can specify which project and tab can be traced.
● Documentation can get different versions when changed.
Customizing Distribution
● Each distribution is logged.
● Each distributed object is logged.
Solution Manager Operations
● Traces are available in “Solution Directory”.
● All tabs can be traced. Each change on a tab can be recorded.
● No changes of the assigned object are logged (except documents).
● You can specify which solution is traced.
● Documentation can get different versions when changed.
14 Scenario-Specific Guide: Solution Manager Administration
The business process life cycle stretches via all phases of the life cycle of a product, the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system. To be able to run the SAP Solution Manager system itself with optimal performance, fulfilling all required tasks, you can use the SAP Solution Manager Administration work center. Here, you find all necessary tools to administer the SAP Solution Manager on a daily basis.
14.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 79
Support Package Stacks (Version) | Description
SP08 | End-User Roles
● Added single role SAP_SM_CMDB_EXE for CMDB access to composite role SAP_SOLMAN_ADMIN_COMP.
SP10 | End-User Roles
● Added new single roles SAP_SM_SMUA_* for SMUA access to composite role SAP_SOLMAN_ADMIN_*_COMP. For more information on the new application for Solution Manager User Administration (SMUA), see section User Administration and Authentication Tools.
● Added LMDB dashboard role SAP_SM_DASHBOARDS_DISP_LMDB to composite roles SAP_SOLMAN_ADMIN*COMP.
● Adapted role SAP_SMWORK_BASIC_SMADMIN
● Adapted role SAP_SMWORK_SM_ADMIN due to User Interface changes
SP12 | End-User Roles
● Adapted role SAP_SM_SMUA_ALL
New: Archive Log
For more information, see sub-section Archive Log in Users and Authorizations.
● New role SAP_SM_ARCHIVE_LOG_* added to SAP_SOLMAN_ADMIN_*_COMP
New: Role Comparison Tool
For more information, see sub-section Role Comparison Tool in Users and Authorizations.
● New role SAP_SM_ROLECMP_* added to SAP_SOLMAN_ADMIN_*_COMP
14.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. To run them, the Solution Manager system must perform well. This guide covers all aspects of users and authorizations for the work center SAP Solution Manager Administration. In principle, the work center is closely connected to the configuration of SAP Solution Manager.
Recommendation: Use this guide together with the Landscape Setup Guide, as most users, technical prerequisites, and so on are used for both.
14.3 Users and Authorizations
The SAP Solution Manager administration work center is used to manage the SAP Solution Manager system. Therefore, it is primarily used by system administrators.
The user roles delivered in the composite roles underneath contain all necessary single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information on user interface authorizations, see core security guide.
Figure 59: SAP Solution Manager Administration Work Center
The table below gives an overview of which single roles are included in the composite roles. An additional column indicates for which section of the navigation panel the single role is absolutely necessary. As the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Administrator (technical role name: SAP_SOLMAN_ADMIN_COMP)
The administrator user is allowed to:
● Access the work center SAP Solution Manager Administration
● Run Root Cause Analysis due to Self Diagnosis and Self Monitoring of the Solution Manager system
● Maintain solutions, projects, and systems (infrastructure) in the SAP Solution Manager system
● Access CMDB
● Access SMUA
● Access Archive Log link Archive
● Allow role comparison
● Call LMDB Dashboard
Table 80
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_RCA_AGT_ADM | Agent Administration authorization | Self Diagnosis, Self Monitoring
SAP_RCA_DISP | Root Cause Analysis authorization |
SAP_SERVICE_CONNECT | Service Connect authorizations. Note: The related links contain links to other work centers. If you want to allow access to these work centers, check the scenario-specific security guide for the relevant scenario. Authorizations for notifications are included in roles: SAP_NOTIF_ADMIN | Related Link: Service Connection
SAP_SM_SOLUTION_ALL | Full authorization for solutions | Solutions
SAP_SMWORK_BASIC_SMADMIN | Contains full authorization for work center-related functions. | Work Center
SAP_SMWORK_SM_ADMIN | Allows access to the change management work center. |
SAP_SM_SYM_CONF | Configuration Authorization for System Database Host Monitoring | Self Diagnosis, Self Monitoring
SAP_SOL_PROJ_ADMIN_ALL | Full authorization for projects | Projects
SAP_SYSTEM_REPOSITORY_ALL | Full authorization for LMDB. Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems. | Infrastructure
SAP_SM_CMDB_EXE | CMDB Access |
SAP_SM_SMUA_ADMIN | Access SMUA application | User
SAP_SM_DASHBOARDS_DISP_LMDB | Access LMDB Dashboard | Infrastructure
SAP_SM_ARCHIVE_LOG_ALL | Access Archive Log | Link: Archive in view: User
SAP_SM_ROLECMP_ALL | Access to Role Comparison Tool | Link: Adjust Roles
Solution Manager User Administration (SMUA)
This tool allows you to manage all users created in transaction SOLMAN_SETUP at once. For more information, see the online documentation.
The role SAP_SM_SMUA_* is used to access the SMUA tool in view Users. Authorization object SM_SMUA is contained in this role.
You can assign the authorization for SMUA to a dedicated user. In this case, you need to additionally assign the following roles to your user:
● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SM_USER_ADMIN
● SAP_SYSTEM_REPOSITORY_ALL
Note: In the case of technical users, the SMUA user interface displays users and RFC destinations together in one table. RFC destinations are only displayed if the end user has authorization for transaction SM59; otherwise, the system does not display them. The corresponding authorizations are contained in roles SAP_SM_RFC_*.
Archive Log
The role SAP_SM_ARCHIVE_LOG_ALL for Archive Log contains authorization object SM_SETUP with ACTVT 24 (Archive).
Recommendation: We recommend restricting, in authorization object SM_SETUP, the scenarios for which the archive log is accessible.
You can assign the authorization for Archive Log to a dedicated user. In this case, you need to additionally assign the following roles to your user:
● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SYSTEM_REPOSITORY_ALL
● SAP_SM_SMUA_DIS
Role Comparison Tool: Role Adjust
The role SAP_SM_ROLECMP_* allows the user to adjust already customized roles with newly shipped values, or value changes, from SAP Standard roles. Access to the application is restricted by authorization object SM_ROLECMP. As the link to Adjust Roles is situated within SMUA, the role contains authorization object SM_WC_VIEW for the view USER.
You can assign the authorization for the role comparison tool to a dedicated user. In this case, you need to additionally assign the following roles to your user:
● SAP_SMWORK_BASIC_SMADMIN
● SAP_SMWORK_SM_ADMIN
● SAP_SM_USER_ADMIN
● SAP_SM_SMUA_DIS
Display User (technical role name: SAP_SOLMAN_ADMIN_DISP_COMP)
The display user is allowed to:
● Access the work center SAP Solution Manager Administration
● Display Root Cause Analysis via Self Diagnosis and Self Monitoring of the Solution Manager system
● Display solutions, projects, and systems (infrastructure) in the SAP Solution Manager system
● Display LMDB Dashboard
● Display SMUA
● Display role comparison
Table 81
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_RCA_DISP | Root Cause Analysis authorization | Self Diagnosis, Self Monitoring
SAP_SERVICE_CONNECT | Service Connect authorizations | Related Link: Service Connection
Note: The related links section contains links to other work centers. If you want to allow access to these work centers, check the scenario-specific security guide for the relevant scenario.
SAP_NOTIF_ADMIN_DISP | Authorizations for notifications are included in this role |
SAP_SM_SOLUTION_DIS | Authorization for solutions | Solutions
SAP_SMWORK_BASIC_SMADMIN | Contains full authorization for work center-related functions | Work Center
SAP_SMWORK_SM_ADMIN | Allows access to the change management work center |
SAP_SM_SYM_LEVEL01 | Level one authorization for System, Database, and Host Monitoring | Self Diagnosis, Self Monitoring
SAP_SOL_PROJ_ADMIN_DIS | Display authorization for projects | Projects
SAP_SYSTEM_REPOSITORY_DIS | Display authorization for LMDB | Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
SAP_SM_DASHBOARDS_DISP_LMDB | Display LMDB Dashboard | Infrastructure
SAP_SM_ROLECMP_DISPLAY | Display Role Comparison Tool | Link: Adjust Roles
SAP_SM_ROLECMP_DIS | Display SMUA |
15 Scenario-Specific Guide: Technical Monitoring
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution or as systems, and the optimization of productive processes in a project. All systems, databases, and hosts should be monitored during all phases. This guide gives you an overview of all relevant security-related issues for the Technical Monitoring scenario for the systems in your landscape.
Note: Technical Monitoring replaces the System Monitoring scenario. Nevertheless, System Monitoring is still supported. The work center System Monitoring and the work center Technical Monitoring are intended to be used alternatively, not in parallel. While System Monitoring relies entirely on central CCMS running in the context of product systems, Technical Monitoring is based on end-to-end Monitoring and Alerting running in the context of technical systems. All selection capabilities are built accordingly.
In this guide, you find a general section on prerequisites for all scenarios, such as additional links or technical users. User descriptions and their corresponding roles are described in more detail per scenario. The scenarios are clearly differentiated.
15.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 82
Support Package Stack (Version) | Description
SP05 | General
Technical Monitoring is configured using the automated guided procedure in transaction SOLMAN_SETUP or in the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created automatically within this procedure. The following users are created:
● Scenario Configuration Users for each sub-scenario: These users are created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can later be used for configuring the corresponding sub-scenario for Technical Monitoring in transaction SOLMAN_SETUP. The configuration user for System Monitoring can also be used for Connection Monitoring and Self Monitoring.
● Standard Users: Standard users for the individual process are created during the guided procedure of the corresponding sub-scenario in transaction SOLMAN_SETUP. These users can be regarded as "demo" standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes require customizing due to a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system and in the required BW system.
● Since the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document text ID in the system.
For more information, see the Landscape Setup Guide, section User Generation.
● New section on background jobs.
SAP IT Infrastructure Management and IT Infrastructure Monitoring
To display views for SAP IT Infrastructure Management and IT Infrastructure Monitoring in the work centers for configuration and Technical Monitoring, you need to deploy the relevant add-on and add the relevant authorization for the views in authorization object SM_WC_VIEW for roles SAP_SMWORK_BASIC_CONFIG and SAP_SMWORK_BASIC_TECH_MON; see also the help text in the system, specifically in transaction SOLMAN_SETUP when configuring the scenario.
Scenario Configuration
Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
User Roles and Authorization
● Support tool role SAP_SM_TECH_MON_TOOL delivered.
● Added role SAP_SM_DTM_ALL to the EEM configuration composite role.
● New BW-related composite roles delivered with software component ST-BCO for Level 2 users, see section Users and Authorizations for Sub-scenarios.
● Updated all PI Monitoring roles SAP_SM_PI_*.
● Additional display role for the Technical Monitoring work center SAP_TECHMON_DISPLAY_COMP, see the new section on the display user.
Sub-scenario Interface Monitoring
Roles for System Monitoring are also relevant for the new sub-scenario Interface Monitoring. The following authorization objects are adapted: SM_WC_VIEW, SM_WD_COMP, SM_MOAL_OB, and SM_WD_APP.
Sub-scenario Infrastructure Monitoring
● Roles for Infrastructure Monitoring, see section Users for Infrastructure Monitoring, and Prerequisites.
● New main authorization object SM_CMDB_OB, included in the Infrastructure roles, see Core Guide and Landscape Setup Guide.
Sub-scenario System Monitoring
Role SAP_SM_SYM_CONF extended for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).
SP07 | Sub-scenario System Monitoring
Adapted roles (see the description tab in the specified role for extensions and new authorization objects):
● SAP_SM_SYM_CONF
● SAP_SM_SYM_LEVEL02
● SAP_SM_CONF_COMP, as well as the SOLMAN_SETUP configuration user role assignment (added new role SAP_SM_SYM_TRANSPORT containing the critical authorization object S_TRANSPRT for changing consumer settings data (Incidents/Notifications/Third Party) at SAP template level, creating a custom template and saving it in a valid package, and changing data in a custom template that had been saved in a valid package)
SP08 | Sub-scenario End-User Experience Monitoring
Adapted roles (see the description tab in the specified role for extensions and new authorization objects):
● SAP_SM_EEM_*
Sub-scenario PI Monitoring
Adapted roles (see the description tab in the specified role for extensions and new authorization objects):
● SAP_SM_PIM_*
Sub-scenario System Monitoring
Adapted roles (see the description tab in the specified role for extensions and new authorization objects):
● Added new single role SAP_SM_SYM_TRANSPORT to the configuration composite role and to the configuration user for System Monitoring in transaction SOLMAN_SETUP.
● SAP_SM_SYM_*
● For SP08 only, single role SAP_ICMON_DELTA is shipped for the usage of Interface and Channel Monitoring. This role needs to be added to the L1 user roles (composite role SAP_SM_L1_COMP) if needed. Complete composite roles dedicated to Interface and Channel Monitoring will follow with the next SP.
Sub-scenario BI Monitoring
Adapted roles (see the description tab in the specified role for extensions and new authorization objects):
● SAP_SM_BIM_*
Sub-scenario Infrastructure Monitoring
Corrected technical name of the Infrastructure Monitoring composite roles in the corresponding sections to SAP_IT_L2_COMP and SAP_IT_L1_COMP.
SP10 | General
See the description tab in the specified role for extensions and new authorization objects.
● Adapted work center role navigation menu SAP_SMWORK_TECH_MON to new requirements.
● Adapted single role for support tool usage SAP_SM_TECH_MON_TOOL.
Sub-scenario Interface (Channel) Monitoring
Roles for Interface Monitoring (see the description tab in the specified role for extensions and new authorization objects):
● in transaction SOLMAN_SETUP
● composite roles SAP_IC_*COMP with new single roles SAP_SM_IC_*
● removed single role SAP_ICMON_DELTA from composite role SAP_SM_L1_COMP
● new role SAP_SMWORK_BASIC_IC and adapted role SAP_SMWORK_BASIC_TECHMON
Sub-scenario Job Monitoring
Roles for the new scenario Job Monitoring (see the description tab in the specified role for extensions and new authorization objects):
● in transaction SOLMAN_SETUP
● composite roles SAP_JMON_*COMP with new single roles SAP_SM_JMON_* (note that role SAP_SM_JMON_LEVEL01 is also included in the composite roles for Business Process Operations and Job Management, see the corresponding scenario-specific section)
● new role SAP_SMWORK_BASIC_JMON and adapted role SAP_SMWORK_BASIC_TECHMON
Sub-scenario System Monitoring
See the description tab in the specified role for extensions and new authorization objects.
● Removed from role SAP_SM_SYM_CONF all authorizations for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).
● Adapted authorization objects in roles SAP_SM_SYM_* due to the new roles for Interface Channel Monitoring; for more information, see the section on sub-scenario Interface Channel Monitoring and the description tab in the specified role for extensions and new authorization objects.
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● Adapted role SAP_SMWORK_BASIC_SM due to user interface changes.
Sub-scenario Infrastructure Monitoring
See the description tab in the specified role for extensions and new authorization objects.
● Adapted role SAP_SM_ITMO_CONF with regard to user interface changes in transaction SOLMAN_SETUP.
Sub-scenario PI Monitoring and Message Flow Monitoring
Message Flow Monitoring (MFM) allows you to monitor message-based processes and extends Exception Management.
See the description tab in the specified role for extensions and new authorization objects.
● If you use Message Flow Monitoring, the same user roles are required as for PI Monitoring. All single roles SAP_SM_PIM_* and role SAP_SMWORK_BASIC_PIM for PI Monitoring have been adapted accordingly.
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_PIM_*.
● Adapted role SAP_SMWORK_BASIC_PIM due to user interface changes.
Sub-scenario BI Monitoring
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_BIM_*.
● Adapted role SAP_SMWORK_BASIC_BIM due to user interface changes.
Sub-scenario End-User Experience Monitoring
● Added Business Partner roles SAP_SM_BP_* to composite roles and SOLMAN_SETUP template user roles.
● See the description tab in the specified role for extensions and new authorization objects for SAP_SM_EEM_*.
● Adapted role SAP_SMWORK_BASIC_EEM due to user interface changes.
Additional Function: Integration Visibility in Managed Systems (IV)
Roles for the integration of Integration Visibility with SAP Solution Manager are delivered for all managed systems: SAP_*IV*. For an overview, see the new section on Integration Visibility in this document.
SP11 | Sub-scenario System Monitoring
See the description tab in the specified role for extensions and new authorization objects.
● Enhanced roles SAP_SM_SYM_CONF and SAP_SM_SYM_LEVEL02
SP12 | Sub-scenario Job Monitoring
See the description tab in the specified role for extensions and new authorization objects.
● Enhanced composite role SAP_JMON_L2_COMP with single role SAP_SM_SCHEDULER_BPO (integration of Job Scheduling Management and Job Documentation)
Sub-scenario System Monitoring
Role SAP_SM_SYM_CONF extended for Content Delivery Synchronization (see the description tab in the role for extensions and new authorization objects).
Sub-scenario End-User Experience Monitoring
Role SAP_SM_EEM_CONF extended (see the description tab in the role for extensions and new authorization objects).
New scenario Message Flow Monitoring
● See the new section Message Flow Monitoring.
SP13 | See the description tab in the specified role for extensions and new authorization objects.
Sub-scenario System Monitoring
● SAP_SM_SYM_LEVEL02
● SAP_SM_SYM_CONF
Sub-scenario Interface (Channel) Monitoring
● SAP_SM_IC_LEVEL01
● SAP_SM_IC_LEVEL02
● SAP_SM_IC_CONF
Sub-scenario IT Monitoring
● SAP_ITTM_CONF
Sub-scenario Business Intelligence Monitoring
● SAP_SM_BIM_CONF
Sub-scenario End-User Experience Monitoring
● SAP_SM_EEM_CONF
Sub-scenario Job Monitoring
● SAP_SM_JMON_CONF
Sub-scenario Message Flow Monitoring
● SAP_SM_MFM_LEVEL01
● SAP_SM_MFM_LEVEL02
● SAP_SM_MFM_CONF
15.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations section that we recommend customers create for their productive operations.
This guide covers the following topics:
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other. Additional links can be found in the core guide.
● Users and Authorizations: find out which users we recommend and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
15.3 Prerequisites
15.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete Technical Monitoring. SAP Solution Manager is connected to your managed systems via READ RFC and Trusted RFC (alternatively LOGIN), and your managed systems are connected to SAP Solution Manager via BACK RFC. The following sections describe in more detail all connections, when they are used, and which technical users are required.
Figure 60: Infrastructure
Note: PI Monitoring depends on the version of the PI system used. It is currently only available as of PI 7.11 Support Package 6 and PI 7.30.
15.3.2 Scenario Configuration Users
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
● the BW integration concept, see Core Guide chapter on BW integration.
You configure the technical monitoring scenarios using the automated guided procedure in the SAP Solution Manager Configuration work center or the transaction SOLMAN_SETUP.
To configure the scenarios, proceed as follows:
Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.
During basic automated configuration, you can create specific configuration users (default technical user name: SMC_<sub-scenario>_<XXXclient>) for the individual sub-scenarios:
● System Monitoring including SolMan Self-Monitoring, Connection Monitoring, and Interface Monitoring (default user name: SMC_SM_<SMclient>)
● End-User Experience (default user name: SMC_EEM_<SMclient>)
● PI Monitoring (default user name: SMC_PI_<SMclient>)
● BI Monitoring (default user name: SMC_BIMN_<SMclient>)
● IC Monitoring (default user name: SMC_IC_<SMclient>)
● Message Flow Monitoring (default user name: SMC_MFM_<SMclient>)
● Infrastructure Monitoring including SAP IT Infrastructure Management (default user name: USER_SMC_ITMO and USER_SMC_ITMA)
Note: To use Infrastructure Monitoring, you need to configure:
1. SAP IT Infrastructure Management
2. Infrastructure Monitoring
As a prerequisite, you need to have applied the corresponding add-on.
The system automatically adds all relevant user roles. All authorizations in these roles are fully maintained by the automated configuration.
If you want to create the configuration users manually, you need to assign:
● the composite roles SAP_<sub-scenario>_CONF_COMP which contain all single roles that are automatically assigned to the configuration users in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
● the composite role SAP_SM_BW_<sub-scenario>_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration transaction SOLMAN_SETUP
You configure the individual scenarios using transaction SOLMAN_SETUP. During the scenario-specific guided configurations, you can create standard template users. The system automatically adds all relevant user roles, see the corresponding sections on Users and User Roles.
15.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager for all Technical Monitoring scenarios.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 83
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to remote BW system | RFC |
Solution Manager to managed systems | HTTP |
Solution Manager to managed systems | Web Service |
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.
Table 84
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> (customer-specific) | Used to read data from the managed system (pull metrics: availability, exceptions, performance, configuration), visible in the Repository Tool
RFC Connection from Managed System to SAP Solution Manager
Table 85
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | Default user: SMB_<managed system ID> (customer-specific) | Push metrics, visible in the Repository Tool | Automatically created via transaction SOLMAN_SETUP (view: Managed Systems)
BW Reporting RFC Connection
Table 86
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation | Managed system or Solution Manager system | System-specific | System-specific | | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient>, BI callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
Trusted RFC to remote BW system SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user | Used to read data from the remote BW for BI Reporting, created during SOLMAN_SETUP
Internet Graphics Server (IGS) RFC Connection
Table 87
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59
CCMSPing RFC Connection
Table 88
RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks
CCMSPING.<server><SystemNr.> | Registered server program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING; system availability overview in the System Monitoring work center; IT Performance Reporting | User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Configuration Prerequisites for setting up a central monitoring system CEN (technical name: SOLMAN_INPERF_CCMS)
15.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the technical monitoring scenarios.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 89
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automated basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you also need to change the password for this user in the RFC destination in the Solution Manager system.
Caution: If your managed system runs on SAP_BASIS 7.31 or higher, you need to add the following authorization object to your READ user for PI Monitoring purposes (in particular for PI Message Alerting): S_XMB_ALERT with activity ACTVT 33 and CONSUMER ID full authorization. The PI consumer should be set to full authorization to allow it for all Solution Managers. You can also restrict it to specific consumers. The consumer is usually named SOLMAN_<SID of SolMan>.
Process Integration Monitoring: technical user SM_COLL_<SID of SolMan> | | In general, this user is used to connect to the Java stack and collect data from there. This means that the SMD agent connects to the Java managed system via this user. In addition, the SAP Solution Manager system uses this user for Web Service connections into managed systems of type Java.
This technical user is automatically created during automated basic configuration (managed system configuration) and is used for collecting CCDB data and PI Monitoring data via the agent (by means of a managed system servlet) and via Solution Manager (by means of a managed web service). It is only used for managed systems of type Java-only. All role assignment information can be found in the Landscape Setup Guide, section Users for Managed Systems.
User for BW Reporting (Reorganization of Data and Configuration Validation)
Table 90
User | User Type | Remarks
BI_CALLBACK | System user | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you also need to change the password for this user in the RFC destination in the Solution Manager system.
SMD_BI_RFC (in case of a remote BW) | System user | Technical user for data download
SM_EFWK | System user | Technical user for extractor execution
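As an added example (not SAP code and not part of this guide), the following Python script checks a constructed inventory of RFC destinations and technical users against the naming conventions, user types and the S_XMB_ALERT caution in Tables 84, 85 and 89. The record layout, the SIDs and users, and the assumption that <SID>CLNT<Client> in a destination name identifies the target system are all assumptions made for this example.

```python
"""Consistency check for the READ/BACK RFC destinations and their technical
users (Tables 84, 85 and 89).  Added example, not SAP code; the record layout,
SIDs and users below are constructed for illustration."""
import re
from dataclasses import dataclass, field

SOLMAN_SID = "SMP"  # constructed SID of the Solution Manager system


@dataclass
class Destination:
    name: str        # destination name as shown in SM59
    owner_sid: str   # system in which the destination is defined
    target_sid: str  # system the destination points to
    logon_user: str


@dataclass
class User:
    sid: str                  # system in which the user exists
    name: str
    user_type: str            # "SYSTEM" or "DIALOG", as in SU01
    basis_release: str = "7.31"
    authorizations: list = field(default_factory=list)  # (object, field, value)


# Assumption: <SID>CLNT<Client> in the name identifies the target system, as the
# Target Host Name column of Tables 84 and 85 suggests.
NAME_RE = re.compile(r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|BACK)$")


def check_destination(dest, users, solman_sid=SOLMAN_SID):
    """Return findings for one destination; an empty list means it matches the guide."""
    m = NAME_RE.match(dest.name)
    if not m:
        return []  # not a READ/BACK destination, out of scope here
    findings = []
    if m["sid"] != dest.target_sid:
        findings.append(f"{dest.name}: name says {m['sid']} but target is {dest.target_sid}")
    if m["kind"] == "READ":
        # Table 84: defined in Solution Manager, logon user SM_<SID of Solution Manager>
        direction_ok = dest.owner_sid == solman_sid
        expected_user = f"SM_{solman_sid}"
    else:
        # Table 85: defined in the managed system, points to Solution Manager,
        # logon user SMB_<managed system ID>
        direction_ok = dest.owner_sid != solman_sid and dest.target_sid == solman_sid
        expected_user = f"SMB_{dest.owner_sid}"
    if not direction_ok:
        findings.append(f"{dest.name}: unexpected direction {dest.owner_sid} -> {dest.target_sid}")
    if dest.logon_user != expected_user:
        findings.append(f"{dest.name}: logon user {dest.logon_user}, default is {expected_user}")
    user = users.get((dest.target_sid, dest.logon_user))
    if user is None:
        findings.append(f"{dest.name}: logon user {dest.logon_user} does not exist in {dest.target_sid}")
    elif user.user_type != "SYSTEM":
        # Table 89 lists the READ user as a system user; a dialog user with the
        # RFC password would also be usable for interactive logon.
        findings.append(f"{dest.name}: logon user {dest.logon_user} is a {user.user_type} user, not SYSTEM")
    return findings


def check_pi_alert_auth(user, solman_sid=SOLMAN_SID):
    """Caution in Table 89: on SAP_BASIS 7.31 or higher the READ user needs
    S_XMB_ALERT with ACTVT 33; CONSUMER may be * or restricted to SOLMAN_<SID>."""
    if tuple(int(p) for p in user.basis_release.split(".")) < (7, 31):
        return []
    auths = [a for a in user.authorizations if a[0] == "S_XMB_ALERT"]
    actvt = {v for _, f, v in auths if f == "ACTVT"}
    consumers = {v for _, f, v in auths if f == "CONSUMER"}
    if "33" not in actvt:
        return [f"{user.name}@{user.sid}: S_XMB_ALERT ACTVT 33 missing (PI Message Alerting)"]
    if not (consumers & {"*", f"SOLMAN_{solman_sid}"}):
        return [f"{user.name}@{user.sid}: S_XMB_ALERT CONSUMER {sorted(consumers)} does not cover SOLMAN_{solman_sid}"]
    return []


# Constructed sample inventory: two managed systems (ERP, CRM), keyed by (system, user)
USERS = {
    ("ERP", "SM_SMP"): User("ERP", "SM_SMP", "SYSTEM", "7.40",
                            [("S_XMB_ALERT", "ACTVT", "33"), ("S_XMB_ALERT", "CONSUMER", "SOLMAN_SMP")]),
    ("CRM", "SM_SMP"): User("CRM", "SM_SMP", "DIALOG", "7.40",
                            [("S_XMB_ALERT", "ACTVT", "33"), ("S_XMB_ALERT", "CONSUMER", "SOLMAN_XYZ")]),
    ("SMP", "SMB_ERP"): User("SMP", "SMB_ERP", "SYSTEM"),
}
DESTINATIONS = [
    Destination("SM_ERPCLNT100_READ", "SMP", "ERP", "SM_SMP"),   # as in Table 84
    Destination("SM_CRMCLNT200_READ", "SMP", "CRM", "SM_SMP"),   # READ user created as dialog user
    Destination("SM_SMPCLNT001_BACK", "ERP", "SMP", "SMB_ERP"),  # as in Table 85
    Destination("SM_SMPCLNT001_BACK", "CRM", "SMP", "SMB_MON"),  # non-default, non-existent user
]


def run_checks(destinations=DESTINATIONS, users=USERS, solman_sid=SOLMAN_SID):
    """Run both checks over the inventory and return all findings."""
    findings = []
    for dest in destinations:
        findings += check_destination(dest, users, solman_sid)
    for user in users.values():
        if user.name == f"SM_{solman_sid}":  # READ users only
            findings += check_pi_alert_auth(user, solman_sid)
    return findings
```

Calling run_checks() on the constructed inventory reports the dialog-type READ user in CRM, the non-default and missing BACK user, and the consumer restriction that does not cover SOLMAN_SMP; the password caution from Tables 89 and 90 cannot be checked this way and remains a manual step after any SU01 change.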
15.4 Work Center Technical Monitoring
The work center represents a work space for a user that gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users.
Figure 61: Infrastructure
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the corresponding single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Related Links
In the related links section of the work center, you find all possible links for this work center. This means, for instance, that even if your user is an L1 or L2 user, the link for configuration is visible. Still, the user is not able to run the application, since the corresponding authorizations are not included in the defined user roles. This link collection is a recommendation about which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-To section.
Monitoring
Introscope: For more information, see the Additional Link section in the core guide.
Configuration
You cannot run the applications with L1 and L2 user authorizations.
● Solution Manager and managed system configuration require authorizations for the configuration user (technical role name: SAP_*_CONF_COMP)
Administration
● Solution Manager Administration: Requires authorizations for the work center SAP Solution Manager Administration, see the scenario-specific guide for SAP Solution Manager Administration
● Landscape Browser: You can only display the landscape with all three defined users. If you want to allow for change authorization, you need to add role SAP_SYSTEM_REPOSITORY_ALL.
● Self-Diagnosis
● My Notifications Settings
Documentation
Here, no specific authorization is needed.
15.5 User Descriptions
To enable your users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you operate SAP Solution Manager and its managed systems, you need to monitor your system landscape. We deliver recommended user descriptions on which the SAP-delivered roles are modeled. In general, technical monitoring distinguishes three types of users for all scenarios.
The corresponding user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members of your company execute, and then adjust the corresponding roles.
Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.
Roles for Technical Monitoring are predefined composite roles (technical abbreviation: *_COMP) for users. These composite roles contain a set of single roles that are relevant for the business tasks. In this section, we give a short overview of the general expectations for the three user types across all technical monitoring scenarios. They are described in more detail in later sections of this guide.
Level 1 Users
Level 1 users assigned to a level 1 role have access to all display activities, and are able to distribute incoming events and alerts to other users. The assigned users are not allowed to perform central or local Root Cause Analysis, or to change the configuration of the different monitoring capabilities. These users are also not allowed to confirm alerts.
Level 2 Users
Level 2 users assigned to a level 2 role can be considered a second level for a particular topic. They have the same authorizations as level 1 users for this topic. In addition, they have access to all end-to-end Root Cause Analysis capabilities provided by SAP Solution Manager, as well as to all local Root Cause Analysis capabilities provided by the managed systems. The assigned users are not allowed to change the configuration of the different monitoring capabilities.
Configuration Users
Configuration users assigned to a configuration role can be considered a third level for a particular topic. They have the same authorizations as level 1 and level 2 users for that topic. In addition, they have access to the setup and configuration capabilities of the different monitoring capabilities. Setup and configuration of Technical Monitoring is available in the SAP Solution Manager Configuration work center.
15.6 User Roles for System, Database, Host Monitoring, and Self - Monitoring
15.6.1 First Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
First Level User (Help Text ID: TP_SM_L1)
Technical composite role SAP_SM_L1_COMP in SAP Solution Manager system
Table 91
Included Single Roles Help Text ID Mapping to Navigation Panel of Work Center
SAP_SM_SYM_LEVEL01 AUTH_SAP_SM_SM_LEVEL01 Alert Inbox, System Monitoring, Connection Monitoring
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO Work Center
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE Alert Inbox
Caution: If you are a Service Provider, you need to assign SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN Alert Inbox
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
15.6.2 Second Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_SM_L2)
Technical composite role SAP_SM_L2_COMP in SAP Solution Manager system
Table 92
Single Roles Help Text ID
SAP_SM_SYM_LEVEL02 AUTH_SAP_SM_SYM_LEVEL02
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration in the Prerequisites section.
Table 93
Single Roles Help Text ID
SAP_BI_E2E_SM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
15.7 User Roles for Process Integration - Monitoring
15.7.1 First Level User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The EEM and System Monitoring views are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: TP_PIM_L1)
Technical composite role SAP_PIM_L1_COMP in SAP Solution Manager system
Table 94
Single Roles Help Text ID Mapping to Navigation Panel of Work Center
SAP_SM_PIM_LEVEL01 AUTH_SAP_SM_PIM_LEVEL01 Alert Monitoring, System Monitoring, PI Monitoring
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO Work Center
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE Alert Inbox
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
15.7.2 Second Level Roles in SAP Solution Manager
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The EEM and System Monitoring views are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_PIM_L2)
Technical composite role name SAP_PIM_L2_COMP in SAP Solution Manager system
Table 95
Single Roles Help Text ID
SAP_SM_PIM_LEVEL02 AUTH_SAP_SM_PIM_LEVEL02
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Technical composite role name: SAP_SM_BW_PIM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 96
Single Roles Help Text ID
SAP_BI_E2E_PIM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Roles in the PI managed system
Table 97
UME role/group Remarks
SAP_XI_RWB_SERV_USER Used for adapter engine PING and self-test DC
SAP_XI_RWB_SERV_USER_MAIN
XI_AF_CHANNEL_ADMIN Used for channel status DC
15.8 User Roles for Message Flow Monitoring
15.8.1 Technical System Landscape
The technical system landscape of MFM follows the overall technical system landscape of Technical Monitoring, specifically PI Monitoring. Nevertheless, some of the functions offered have an impact on the managed system:
● Restart or cancel of a PI message
● Process or delete an IDoc
Since these functions change data in the managed system, they must run under a specific user rather than the standard data collection user. This is achieved by using trusted RFC destinations or, in the case of Web Service communication, logical ports with ticket-based authentication.
RFC communication is used between SAP Solution Manager (ABAP stack) and managed systems of type ABAP. Web Service communication is used between SAP Solution Manager (ABAP stack) and managed systems of type Java. All connections are created during the managed system configuration. They usually have the following names:
● RFC: SM_<SIDofMgmtSys>CLNT<Client>_TRUSTED
● Logical Port: E2E_SOLMAN_<SIDofMgmtSys>DIALOG
15.8.2 First Level User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The EEM and System Monitoring views are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: TP_MFM_L1)
Technical composite role SAP_MFM_L1_COMP in SAP Solution Manager system
Table 98
Single Roles Remarks
SAP_SM_MFM_LEVEL01 AUTH_SAP_SM_MFM_LEVEL01
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Authorizations in the Managed System
If the current user logs on to the managed system via a trusted relationship (RFC) or an assertion ticket (Web Service call), the following authorizations are required for this user in the managed system:
● S_RFCACL (trusted)
● S_XMB_MONI, S_XMB_AUTH, S_XMB_DSP (PI message handling) with ACTVT 03 (display), 16 (execute), and A3 (read)
● S_IDOCCTRL (Idoc handling) with ACTVT 10
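As an added example, not taken from the SAP guide, the following Python audits the managed-system authorizations listed above (the same list applies to the second level user in section 15.8.3): it reads a role's authorization values in the shape of SAP table AGR_1251 rows (object, field, low, high) and reports which of the required objects and ACTVT values are missing and which ACTVT grants are broader than the guide specifies. The sample role, its values and the helper names are constructed for the demonstration.

```python
"""Least-privilege audit of the managed-system authorizations that Message
Flow Monitoring needs (guide sections 15.8.2 and 15.8.3).

Added example, not part of the SAP guide. Authorization values are given in
the shape of SAP table AGR_1251 rows (object, field, low, high). The sample
role below is constructed.
"""
from dataclasses import dataclass

# Objects and ACTVT values the guide lists for the MFM user in the managed
# system. S_RFCACL is required for the trusted relationship; the guide gives
# no field values for it, so only its presence is checked.
REQUIRED = {
    "S_RFCACL": {},
    "S_XMB_MONI": {"ACTVT": {"03", "16", "A3"}},
    "S_XMB_AUTH": {"ACTVT": {"03", "16", "A3"}},
    "S_XMB_DSP": {"ACTVT": {"03", "16", "A3"}},
    "S_IDOCCTRL": {"ACTVT": {"10"}},
}


@dataclass(frozen=True)
class AuthValue:
    """One authorization value as stored per role in AGR_1251."""
    object_name: str
    field: str
    low: str
    high: str = ""


def value_matches(granted: AuthValue, wanted: str) -> bool:
    """SAP value semantics: '*' grants everything, a trailing '*' is a prefix
    wildcard, and a non-empty HIGH turns LOW..HIGH into an inclusive range."""
    if granted.low == "*":
        return True
    if granted.low.endswith("*"):
        return wanted.startswith(granted.low[:-1])
    if granted.high:
        return granted.low <= wanted <= granted.high
    return granted.low == wanted


def check_role(values):
    """Return (missing, excessive).

    missing:   required objects or ACTVT values the role does not cover
    excessive: ACTVT grants broader than the guide specifies (wildcards,
               ranges, or activities the guide does not list)
    """
    by_object = {}
    for v in values:
        by_object.setdefault(v.object_name, []).append(v)

    missing, excessive = [], []
    for obj, fields in REQUIRED.items():
        granted = by_object.get(obj, [])
        if not granted:
            missing.append(f"{obj}: object not granted")
            continue
        for field, needed in fields.items():
            field_vals = [g for g in granted if g.field == field]
            for wanted in sorted(needed):
                if not any(value_matches(g, wanted) for g in field_vals):
                    missing.append(f"{obj} {field}={wanted}")
            for g in field_vals:
                if g.low == "*" or g.low.endswith("*") or g.high:
                    span = f"{g.low}..{g.high}" if g.high else g.low
                    excessive.append(f"{obj} {field}={span} (wildcard or range)")
                elif g.low not in needed:
                    excessive.append(f"{obj} {field}={g.low} (not required)")
    return missing, excessive


# Constructed sample role: one object is over-broad, one value is missing,
# and one activity goes beyond what MFM needs.
SAMPLE_ROLE = [
    AuthValue("S_RFCACL", "RFC_SYSID", "PI1"),
    AuthValue("S_RFCACL", "RFC_CLIENT", "100"),
    AuthValue("S_XMB_MONI", "ACTVT", "03"),
    AuthValue("S_XMB_MONI", "ACTVT", "16"),
    AuthValue("S_XMB_MONI", "ACTVT", "A3"),
    AuthValue("S_XMB_AUTH", "ACTVT", "*"),      # full wildcard
    AuthValue("S_XMB_DSP", "ACTVT", "03"),
    AuthValue("S_XMB_DSP", "ACTVT", "16"),      # A3 (read) is missing
    AuthValue("S_IDOCCTRL", "ACTVT", "10"),
    AuthValue("S_IDOCCTRL", "ACTVT", "02"),     # change: not needed for MFM
]

if __name__ == "__main__":
    missing, excessive = check_role(SAMPLE_ROLE)
    print("missing:  ", missing)
    print("excessive:", excessive)
```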
15.8.3 Second Level Roles in SAP Solution Manager
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The EEM and System Monitoring views are visible because Interactive Reporting can also be called via these views. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Authorizations in the Managed System
If the current user logs on to the managed system via a trusted relationship (RFC) or an assertion ticket (Web Service call), the following authorizations are required for this user in the managed system:
● S_RFCACL (trusted)
● S_XMB_MONI, S_XMB_AUTH, S_XMB_DSP (PI message handling) with ACTVT 03 (display), 16 (execute), and A3 (read)
● S_IDOCCTRL (Idoc handling) with ACTVT 10
Second Level User (Help Text ID: TP_MFM_L2)
Technical composite role name SAP_MFM_L2_COMP in SAP Solution Manager system
Table 99
Single Roles Help Text ID
SAP_SM_MFM_LEVEL02 AUTH_SAP_SM_MFM_LEVEL02
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Technical composite role name: SAP_SM_BW_PIM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 100
Single Roles Help Text ID
SAP_BI_E2E_PIM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Roles in the PI managed system
Table 101
UME role/group Remarks
SAP_XI_RWB_SERV_USER Used for adapter engine PING and self-test DC
SAP_XI_RWB_SERV_USER_MAIN
XI_AF_CHANNEL_ADMIN Used for channel status DC
15.8.4 Authorization Objects
Authorizations for MFM are based on restricting access to flow groups. A flow group corresponds to a technical scenario.
SM_MFM_FG
This authorization object restricts the display of flow groups for users.
Payload Display in MFM and PI-Monitoring
MFM: SM_MFM_PYL
This authorization object controls whether the payload information for a flow group is visible.
Caution: The object is actively shipped for user L2 for Message Flow Monitoring.
In this context, payload information refers to User-Defined Search (UDS) attributes. The business user decides which values from the payload should also be UDS attributes; these are typically 1-10 attributes from the payload. Therefore, payload in Solution Manager displays the self-defined attributes of the payload. By default, the system does not display any UDS attributes. UDS attributes can only be displayed when the feature is activated in the PI system.
Central User-Defined Search
In PI Monitoring, SAP Solution Manager offers the Central User-Defined Search (cUDS). With this function, you centrally choose search criteria in Solution Manager and thus trigger a UDS in your PI systems. The result is displayed in Solution Manager, from where the user can navigate into the corresponding PI system to view the individual messages. The search itself is started centrally on the SAP Solution Manager side and runs directly on the selected PI systems. The RFC destination used in this case is trusted, or a logical port for Web Service (Java), which supports the concept that a named user is running the search. The system searches only for the payload data previously defined by customizing or marked as sensitive in the individual PI system. The search result is not saved within SAP Solution Manager. Within MFM, UDS attributes are saved nevertheless, but this function is secured by the authorization object mentioned above.
Use Case Combinations
Table 102
User Flow Group SM_MFM_FG (Flow group visible) SM_MFM_PYL (Payload visible) Action
A 1 yes yes
B 2 yes not
C 3 schiefff
D 4
X 5
15.8.5 Function Integration
Within the Message Flow Monitoring application, you can create incidents and notifications. You can also use Guided Procedures. For the authorization check of each integration, see the information on the individual function:
● Incidents: Scenario-specific guide for IT Service Management
● Notification and Guided Procedure: Scenario-specific guide for Technical Administration
15.9 User Roles for End-User Experience Monitoring
15.9.1 First Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The System Monitoring view is visible because EEM Monitoring can also be called via this view. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: TP_EEM_L1)
Technical composite role name SAP_EEM_L1_COMP in SAP Solution Manager system
Table 103
Single Roles Help Text ID Mapping to Navigation Panel of Work Center
SAP_SM_EEM_LEVEL01 AUTH_SAP_SM_EEM_LEVEL01 Alert Monitoring, System Monitoring, End User Experience Monitoring
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO Work Center
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS Infrastructure
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on systems.
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE Alert Monitoring
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN Alert Monitoring
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Note: Authorizations for infrastructure are needed in all sections, as this role includes authorizations on Business Partners.
15.9.2 Second Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The System Monitoring view is visible because EEM Monitoring can also be called via this view. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_EEM_L2)
Technical composite role SAP_EEM_L2_COMP in SAP Solution Manager system
Table 104
Single Role Remarks
SAP_SM_EEM_LEVEL02 AUTH_SAP_SM_EEM_LEVEL02
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_EEM AUTH_SAP_SM_DASHBOARD_EEM
SAP_SM_DASHBOARDS_DISP_ALM AUTH_SAP_SM_DASHBOARD_ALM
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Technical composite role name: SAP_SM_BW_EEM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 105
Single Roles Help Text ID
SAP_BI_E2E_EEM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
15.10 User Roles for Business Intelligence Monitoring
15.10.1 First Level User Description and User Role
The table below gives you an overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The System Monitoring view is visible because BI Monitoring can also be called via this view. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: TP_BIM_L1)
Technical composite role name SAP_BIM_L1_COMP in the SAP Solution Manager system/client
Table 106
Single Roles HELP Text ID
SAP_SM_BIM_LEVEL01 AUTH_SAP_SM_BIM_LEVEL01
SAP_SMWORK_BASIC_BIM AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, you need to assign role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
15.10.2 Second Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
The System Monitoring view is visible because BI Monitoring can also be called via this view. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_BIM_L2)
Technical composite role SAP_BIM_L2_COMP in SAP Solution Manager system
Table 107
Single Role Remarks
SAP_SM_BIM_LEVEL02 SAP_SM_BIM_LEVEL02
SAP_SMWORK_BASIC_DIAG SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_TECHMON SAP_SMWORK_BASIC_TECHMON
SAP_SMWORK_TECH_MON SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP SAP_SYSTEM_REPOSITORY_DISP
SAP_RCA_DISP SAP_RCA_DISP
SAP_SUPPDESK_CREATE SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM SAP_SM_DASHBOARDS_DISP_ALM
SAP_SM_BI_BILO SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Technical composite role name: SAP_SM_BW_BIM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 108
Single Roles Help Text ID
SAP_BI_E2E_EEM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
15.11 User Roles for Interface (Channel) Monitoring
15.11.1 First Level User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: IC_L1_XXX)
Technical composite role SAP_IC_L1_COMP in SAP Solution Manager system
Table 109
Single Roles Help TXT ID
SAP_EM_DISPLAY AUTH_SAP_EM_DISPLAY
SAP_SMWORK_BASIC_IC AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_IC_LEVEL01 AUTH_SAP_SM_IC_LEVEL01
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
15.11.2 Second Level Roles in SAP Solution Manager
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Access in the navigation panel is restricted by the authorization object SM_WC_VIEW and by the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: IC_L2_XXX)
Technical composite role SAP_IC_L1_COMP in SAP Solution Manager system
Table 110
Single Roles Help TXT ID
SAP_EM_DISPLAY AUTH_SAP_EM_DISPLAY
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SMWORK_BASIC_IC AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_DASHBOARDS_DISP_ALM AUTH_SAP_SM_DASHBOARD_ALM
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE instead.) AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_IC_LEVEL02 AUTH_SAP_SM_IC_LEVEL01
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 111
Single Roles Help Text ID
SAP_BI_E2E_SM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
15.12 End-User Roles for Job Monitoring
15.12.1 First Level User Role
The table below gives you an overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel each single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
First Level User (Help Text ID: TP_JMON_L1)
Technical composite role name SAP_JMON_L1_COMP in the SAP Solution Manager system/client
Table 112
Single Roles HELP Text ID
SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01
SAP_SMWORK_BASIC_JMON AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: If you are a Service Provider, you need to assign role SAP_SUPPDESK_SP_CREATE instead.) AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
15.12.2 Second Level User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel each single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW and the authorizations for the URL framework. For more information about user interface authorizations, see the core security guide.
Authorization for Trusted RFC between SAP Solution Manager and BW System
If a remote BW connection is used, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_JMON_L2)
Technical composite role SAP_JMON_L2_COMP in SAP Solution Manager system
Table 113
Single Role Remarks
SAP_SM_JMON_LEVEL02 AUTH_SAP_SM_JMON_LEVEL02
SAP_SMWORK_BASIC_DIAG SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_JMON SAP_SMWORK_BASIC_TECHMON
SAP_SMWORK_TECH_MON SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP SAP_SYSTEM_REPOSITORY_DISP
SAP_RCA_DISP SAP_RCA_DISP
SAP_SUPPDESK_CREATE (Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE.) SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN SAP_NOTIF_ADMIN
SAP_SM_DASHBOARDS_DISP_ALM SAP_SM_DASHBOARDS_DISP_ALM
SAP_SM_BI_BILO SAP_SM_BI_BILO
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_SM_SCHEDULER_BPO AUTH_SAP_SM_SCHEDULER_BPO
Technical composite role name: SAP_SM_BW_JMON_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 114
Single Roles Help Text ID
SAP_BI_E2E_JMON AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
15.13 User Roles for Infrastructure Monitoring
To be able to use SAP IT Infrastructure Management and Infrastructure Monitoring, you have to:
1. Deploy the required Add-On.
2. Check whether the following authorization values are contained in the mentioned roles:
- in role SAP_SMWORK_BASIC_CONFIG in authorization object SM_WC_VIEW (values Work Center ID: WD_SISE_MAIN, Text: View - IT Infrastructure Management)
- in role SAP_SMWORK_BASIC_CONFIG in authorization object SM_WC_VIEW (values Work Center ID: WD_SISE_MAIN, Sub View - Infrastructure)
- in role SAP_SM_ITMA_CONF in authorization object SM_SETUP (value: CMDB_INF_MAN)
- in role SAP_SM_ITMO_CONF in authorization object SM_SETUP (value: E2E_MAI_SETUP5)
Before you are able to configure Infrastructure Monitoring, you need to configure IT Infrastructure Management.
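One way to carry out step 2 of the checklist above mechanically, as an added example that is not part of the SAP guide: the script reads a role authorization export (assumed to come from table AGR_1251, for example via SE16, as CSV with at least the columns AGR_NAME, OBJECT and LOW; the sample export inline is constructed) and reports which of the three listed values are missing, honouring SAP's trailing-`*` wildcard values.

```python
"""Added example (not part of the SAP guide): verify that the roles named in the
Infrastructure Monitoring prerequisites actually carry the listed authorization
values. Assumption: role authorization data was exported from table AGR_1251
(for example via SE16) as CSV with at least the columns AGR_NAME, OBJECT and LOW.
The sample export below is constructed for this example."""
import csv
import io
from typing import List, Set, Tuple

AuthValue = Tuple[str, str, str]  # (role, authorization object, value)

# Checklist from the guide. WD_SISE_MAIN is listed for both the view and the
# sub view of SM_WC_VIEW; it is the same value, so it is checked once here.
REQUIRED: List[AuthValue] = [
    ("SAP_SMWORK_BASIC_CONFIG", "SM_WC_VIEW", "WD_SISE_MAIN"),
    ("SAP_SM_ITMA_CONF", "SM_SETUP", "CMDB_INF_MAN"),
    ("SAP_SM_ITMO_CONF", "SM_SETUP", "E2E_MAI_SETUP5"),
]


def load_auth_values(csv_text: str) -> Set[AuthValue]:
    """Read (AGR_NAME, OBJECT, LOW) triples from an AGR_1251-style CSV export.
    The authorization field name is not needed for this check and is ignored."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        (row["AGR_NAME"].strip(), row["OBJECT"].strip(), row["LOW"].strip())
        for row in reader
    }


def value_matches(granted: str, required: str) -> bool:
    """SAP authorization values may carry a trailing '*' wildcard; a bare '*'
    grants every value of the field."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def role_has_value(values: Set[AuthValue], role: str, obj: str, required: str) -> bool:
    """True if any value granted to this role for this object covers `required`."""
    return any(
        value_matches(low, required)
        for (r, o, low) in values
        if r == role and o == obj
    )


def missing_authorizations(csv_text: str, required: List[AuthValue] = REQUIRED) -> List[AuthValue]:
    """Return the checklist entries that the exported roles do not satisfy."""
    values = load_auth_values(csv_text)
    return [req for req in required if not role_has_value(values, *req)]


# Constructed sample export: the ITMO role carries a value that only looks
# similar (E2E_MAI_SETUP without the trailing 5), so it must be reported.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,LOW,HIGH
SAP_SMWORK_BASIC_CONFIG,SM_WC_VIEW,WD_SISE_MAIN,
SAP_SM_ITMA_CONF,SM_SETUP,CMDB_INF_MAN,
SAP_SM_ITMO_CONF,SM_SETUP,E2E_MAI_SETUP,
Z_CONSTRUCTED_ROLE,SM_WC_VIEW,WD_*,
"""

if __name__ == "__main__":
    missing = missing_authorizations(SAMPLE_EXPORT)
    for role, obj, value in missing:
        print(f"MISSING: role {role} lacks {obj} value {value}")
    if not missing:
        print("All Infrastructure Monitoring prerequisites are present.")
```

A near-miss value such as E2E_MAI_SETUP is reported as missing, so a check of this kind is only as good as the exact values it compares against.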
15.13.1 First Level User Description and User Role
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel each single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
First Level User (Help Text ID: TP_IT_L1)
Technical composite role SAP_IT_L1_COMP in SAP Solution Manager system
Table 115
Included Single Roles Remarks
SAP_SM_SYM_LEVEL01 AUTH_SAP_SM_SM_LEVEL01
SAP_SMWORK_BASIC_ITMO AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SUPPDESK_CREATE (Caution: If you are a Service Provider, you need to assign SAP_SUPPDESK_SP_CREATE instead.) AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN AUTH_SAP_NOTIF_ADMIN
Related Links
In the related links section of the work center, you find all possible links for this work center. This means, for instance, that even if your user is an L1 or L2 user, the link for configuration is visible. The user is still not able to run the application, since the corresponding authorizations are not included in the defined user roles. This link collection is a recommendation about which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-To section.
Monitoring
Introscope: For more information, see the Additional Link section in this guide
Configuration
You cannot run the applications with L1 and L2 user authorizations.
● Solution Manager and managed system configuration require authorizations for the configuration user (technical role name: SAP_ITMO_CONF_COMP)
Administration
● Solution Manager Administration: Requires authorizations for the work center SAP Solution Manager Administration, see scenario-specific guide for SAP Solution Manager Administration
● Landscape Browser: You can only display the landscape with all three defined users. If you want to allow for change authorization, you need to add role SAP_SYSTEM_REPOSITORY_ALL.
● Self-Diagnosis
● My Notifications Settings
Documentation
Here, no specific authorization is needed.
15.13.2 Second Level User Description and User Role
The table below gives you an overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel each single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Authorization for Trusted RFC between SAP Solution Manager and BW System
If a remote BW connection is used, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Second Level User (Help Text ID: TP_IT_L2)
Technical composite role SAP_IT_L2_COMP in SAP Solution Manager system
Table 116
Single Roles Help Text ID
SAP_SM_SYM_LEVEL02 AUTH_SAP_SM_SYM_LEVEL02
SAP_SMWORK_BASIC_DIAG AUTH_SAP_SMWORK_BASIC_DIAG
SAP_SMWORK_BASIC_ITMO AUTH_SAP_SMWORK_BASIC_TECHMO
SAP_SMWORK_TECH_MON AUTH_SAP_SMWORK_TECH_MON
SAP_SMWORK_DIAG AUTH_SAP_SMWORK_DIAG
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DIS
SAP_RCA_DISP AUTH_SAP_RCA_DISP
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
Caution: If you are a Service Provider, use role SAP_SUPPDESK_SP_CREATE.
SAP_NOTIF_ADMIN AUTH_SAP_SUPPDESK_CREATE
Technical composite role name: SAP_SM_BW_SM_L2_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 117
Single Roles Help Text ID
SAP_BI_E2E_SM AUTH_SAP_BI_E2E
SAP_SM_BI_DIS AUTH_SAP_SM_BI_DIS
15.14 Integration Visibility in Managed Systems
Integration Visibility is a technical foundation that discovers message flows and enables consumer applications to subscribe and consume monitoring events for a selected set of discovered message flows in PI. This includes all A2A and B2B in the monitored landscape. It can be used with SAP Solution Manager. Then, Solution Manager is used as User Interface to correlate the data collected from different sources.
Note: This documentation only describes the necessary roles if you use Integration Validation with SAP Solution Manager. For more information on the scenario and the UME roles for it, see the online documentation for Integration Visibility in PI.
Technical System Landscape
Figure 62: Data Flow
User Roles
In the overall Integration Visibility landscape, the proposed roles are needed for the following positions:
Table 118
Single Role User Type Remarks
SAP_IV_DC_SUBSCRIBE System User position 3 in the data flow graphic: distribute flow subscriptions and message filter criteria. It is used for subscription and query handling, when request arrives from Subscription Manager.
SAP_IV_EVENT_CONSUMER position 5 in the data flow graphic: In terms of Solution Manager: Integration Visibility Consumer acts as Managing system
SAP_IV_DC_EXECUTE It is used to run the data collector, generate, and persist events
SAP_IV_DC_CONFIG Dialog User Corresponds to Integration Architect and is used to manage data collector configuration. Users assigned to this role will be able to:
● configure IV Discovery settings and to manage flow definitions
● navigate to whole “Integration Visibility” User Interface
● configure Data Collector execution
SAP_IV_DC_SUPPORTER Corresponds to Technical Supporter. Users assigned to this role, will be able to:
● read data from all Integration Visibility tables in the NWA Open SQL Data Browser (without BC_IV_DC_EVENT, which contains business-sensitive information)
● navigate to whole “Integration Visibility” User Interface with read-only rights
● have full access to: WS Navigator/ Log Viewer/Log Configurator/ WS Log Viewer/ WS Log Configurator/ GET operations from all IV web services
SAP_IV_DC_ADMIN Composite role. Includes:
● SAP_IV_DC_SUBSCRIBE
● SAP_IV_DC_EXECUTE
● SAP_IV_EVENT_CONSUMER
● SAP_IV_DC_CONFIG
15.15 Role for Technical Monitoring Display
For display usage of Technical Monitoring, composite role SAP_TECHMON_DISPLAY_COMP is delivered. The role contains authorization for displaying the complete technical monitoring applications.
15.16 Role for Technical Monitoring Support
For the support of Technical Monitoring, the single role SAP_SM_TECH_MON_TOOL is delivered. The role contains authorization object SM_SP_TOOL for access to various support tools.
15.17 Main Authorization Objects
The following section describes the main authorization objects for Technical Monitoring. For more detail, see the SDN Wiki on Authorizations.
Authorization Object SM_MOAL_TC
This authorization object defines on the application level which contexts the user is allowed to work in, for instance Problem Context Configuration should be possible for Level 2 and configuration users.
Figure 63: SM_MOAL_TC in role SAP_SM_SYM_CONF for System, Host, Database Monitoring
The authorizations for the object are maintained differently for all user roles for the technical monitoring scenarios. For instance, activity 02 (change) allows for start, stop, ping (button: Manage) in Channel Monitoring for configuration user and level 2 user in PI Monitoring roles.
Authorization Object SM_SETUP
This authorization object restricts the access to the configuration for the technical monitoring scenario. Only the configuration users are allowed to access this transaction.
Figure 64: SM_SETUP in role SAP_SM_SYM_CONF for System, Host, Database Monitoring
In this case, the configuration user is allowed to access the edit mode for the setup of technical monitoring data.
Authorization Object S_TRANSPRT
Authorization object S_TRANSPRT is only relevant for, and maintained in, the configuration user roles for the scenarios, because the configuration application requires creating, changing and releasing transport requests.
Authorization Object SM_BWDEST
This authorization object is included in role SAP_SM_BI_BILO to protect the usage of a trusted RFC that is generated per user who displays BW content (specifically dashboards and the metrics monitor). The user must have both the authorization for the trusted RFC and the authorization for the BW destination. The object is checked for the button Reports in the Alert Inbox.
Authorization Object SM_CMDB_OB
The authorization object is relevant for Infrastructure Monitoring.
Content Delivery Synchronization
CSU_PACK
This object controls whether the user is allowed to create and maintain registration details, as well as create content packages and maintain content package related information. Change authorization refers to the following activities:
● Create a new delivery package type in Content Delivery tool.
● Edit delivery package related information like Service Marketplace Place Link, Notification Status type in Content Delivery tool.
● Download a “local” Delivery Package.
● Send Notification to the SAP Backend on the availability of a new content package.
● Create or Register a new content type in Content Delivery tool.
● Edit and delete a content type related details in Content Delivery tool.
CSU_UNPACK
This object controls whether the user is allowed to download and install content packages on SAP Solution Manager. Change authorization refers to the following activities:
● Maintain configuration details like Service Market Place user information, SAP Backend user information, frequency to check for content updates and the user to be notified.
● Download content package from Service Market Place into local store.
● Install content in case of framework delivery type.
15.18 Scenario Integration
Technical Monitoring refers to the phase in your product life-cycle when you operate your systems, and you have to monitor them. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems and so on. The following sections describe the integration of technical monitoring with other scenarios within SAP Solution Manager, and which user roles are applicable.
Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Incident Management
In technical monitoring users can create service desk messages. You can create Incidents for an alert from the Alert Inbox, Connection Monitoring. The according user role SAP_SUPPDESK_CREATE is included in the user roles. If you want your users to also check for their Incident messages, you should assign composite role SAP_SUPPDESK_PROCESS_COMP.
Note:
● A key user can only display his/her own messages, when the key user is the reporter.
● For a key user to see messages created by other users, see SAP Note 1256661 (1. Substitution).
Note: If you are a Service Provider, you need to assign the corresponding service provider roles. For more information, see the specific Service Provider Guide.
Root Cause Analysis
Technical Monitoring is highly integrated with Root Cause Analysis. The according role SAP_RCA_DISP is included in the user roles.
Notification Management (Technical Administration)
You can create notifications. The corresponding role SAP_NOTIF_ADMIN is included in the user roles. You can create notifications from the Alert Inbox and from Connection Monitoring.
Figure 65: Create Notification from Alert Inbox
EarlyWatch Alert / Service Report Generated Documents
To view generated documents for EarlyWatch Alert, you need to assign role SAP_OP_DSWP_EWA to your user.
Figure 66: EarlyWatch Alert and Service Reporting from Generated Documents
15.19 Background Jobs
The following background jobs run:
● SAP_ALERT_CALCULATION_ENGINE
● SAP_ALERT_HOUSEKEEPING
● SAP_METRIC_STORE_CLEANUP
All jobs run with system user SOLMAN_BTC.
Details on the jobs can be found in work center Solution Manager Administration in view Self-Monitoring (Description).
16 Scenario-Specific Guide: Maintenance Optimizer
The business process life-cycle stretches via all phases of the life-cycle of a product, the implementation of business processes in a project, their operation as a solution, and the optimization and upgrade of productive processes in a project. These phases are realized in the SAP Solution Manager system using such units as projects (for implementation and optimization) and solutions (for productive operations). Using the Maintenance Optimizer, you are able to easily upgrade your managed systems via SAP Solution Manager as the managing platform. This guide gives you an overview over all relevant security-related issues for using Maintenance Optimizer.
16.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 119
Support Package Stacks
(Version)
Description
SP05 User Roles and Authorization
● Single role SAP_MAINT_OPT_ADMIN extended due to new LMDB authorization object AI_LMDB_PS.
● Composite role SAP_MAINT_ADMIN_COMP adapted: substituted single role SAP_SYSTEM_REPOSITORY_DIS with single role SAP_SYSTEM_REPOSITORY_ALL
Communication Channels
Added additional information on RFC usage
SP08 End-User Roles
The following roles have been adapted for authorization objects and/or authorization field values. For more information, see the Description Tab for the specified role.
● Single roles adapted due to obsolete authorization object D_MOPZSYSI (since SP03 of Solution Manager 7.1). The corresponding section in chapter Users and Authorization has been deleted.
16.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape.
Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles, which represent them. Here, you also find information on the relevant work center(s).
● User Roles for Additional Functions: find out about additional roles for users that must execute special functions within the scenario.
16.3 Prerequisites
16.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the Maintenance Optimizer. For more information on Service Provider-specific settings, see the Service Provider Guidelines. SAP Solution Manager is connected via the READ RFC to your managed systems and has the SAP-OSS connection to SAP in place. These RFCs and the required technical users are explained in more detail in the following sections.
Figure 67: Infrastructure
16.3.2 Scenario Configuration
When you run the automated basic setup for Solution Manager, the system automatically configures Maintenance Optimizer for use. This means, after the basic configuration and the attachment of the according managed systems, you are able to use the Maintenance Optimizer.
Note: All required system information for your managed system must be up-to-date.
For configuration, you can use all users and authorizations as described in the Landscape Setup Guide.
16.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 120
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 121
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Read all necessary information from the managed systems, such as the activation status of the installed switchable framework software components, and the activation status of the installed country-specific HR Support Packages
RFC Connections from SAP Solution Manager to SAP
Table 122
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP, Service Connection, product data download. The following calculation services are performed on the SAP backbone systems: system identification, compatibility check, Support Package calculation. | Created in transaction SOLMAN_SETUP
Note: For more information on Service Provider-specific settings, see the Service Provider Guidelines.
16.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.
User for SAP Connection
User General Infrastructure
Table 123
User (Password) Remarks
OSS_RFC (CPIC) Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL)
User for READ - access in Managed Systems
Users for RFC connection READ
Table 124
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
16.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)
Users who communicate with SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact to SAP Solution Manager. You maintain the contact in table AISUSER (transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without the initial S.
Caution: The S-User for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorizations.
More Information
See IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM).
16.3.6 S-User Authorization for Maintenance Optimizer
Your S-user needs the following authorization in the SAP Support Portal, for the Maintenance Optimizer function.
Features
S-user Authorization for Maintenance Optimizer
Table 125
Activity | Authorization
Execute Maintenance Optimizer | SWCATALOG Order Software in Software Catalog
16.4 CRM Standard Customizing
Transaction Types
Table 126
Transaction Type | Usage | Remarks
SDMO | Product Update | not productive
SLMO | Product Maintenance | supported
16.5 Users and Authorizations
To enable your end users to work with the application, you need to assign them authorizations in the SAP Solution Manager system.
SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. For Maintenance Optimizer, the executing user should have administration authorization and, in some cases, additional authorizations for XML file upload as well. SAP also delivers a display user for the function.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for Maintenance Optimizer are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 68: Maintenance Optimizer Process
16.5.1 User Descriptions and User Roles
This section gives you an overview of the users recommended by SAP and their corresponding user role assignments for the Maintenance Optimizer. All users are assigned a composite role, which contains a number of single roles. For a detailed overview on each of the single roles and their main authorization objects.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. The work center for Change Management is relevant for more than one scenario:
● Maintenance Optimizer
● Change Request Management
It also includes additional functions for Change Management, such as System Recommendations, License Management, or Configuration Validation. If you want to restrict the access and/or the authorizations for a particular user, you can easily do so. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.
Figure 69: Work Center Change Management
The table below gives you a further overview of which single roles are included in the composite role. An additional column indicates for which section of the navigation panel each single role is required. Since the Overview in a work center always contains links to all relevant sections of the navigation panel, it is not listed.
In the column Mapping to Navigation Panel of Work Center, we only list those views and tasks that are relevant for Maintenance Optimizer. Authorizations for additional functions are included in additional single roles, which are explained in more detail in the section for Additional Functions in this guide.
Administrator (technical role name: SAP_MAINT_ADMIN_COMP)
The administrator user is allowed to:
● access Change Management work center
● execute maintenance optimizer transactions
Note: If this user should be allowed to upload XML files, you must additionally assign user role SAP_MAINT_OPT_ADD.
Mapping: Roles and Navigation Panel
Table 127
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_MAINT_OPT_ADMIN | Authorization for Maintenance Optimizer | Maintenance Optimizer; New Maintenance Transaction in the Common Task List
SAP_SM_SOLUTION_DIS | Authorization for solutions | Infrastructure in general
SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems | Infrastructure in general
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center
Display User (technical role name: SAP_MAINT_DIS_COMP)
The display user is allowed to:
● access Change Management work center
● display maintenance optimizer transactions
Mapping: Roles and Navigation Panel
Table 128
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_MAINT_OPT_DIS | Authorization for displaying Maintenance Optimizer | Maintenance Optimizer
SAP_SM_SOLUTION_DIS | Authorization for displaying solutions | Infrastructure in general
SAP_SYSTEM_REPOSITORY_DIS | Authorization for systems | Infrastructure in general
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center
16.5.2 User Roles in Managed Systems
In the managed system, your user needs authorization for transactions such as SPAM, SPAU, SNOTE and so on. For more information, see the SAP NetWeaver Security Guide.
16.5.3 Main Authorization Objects
This section gives some information on the main authorization objects. For detailed information, see SDN Wiki for Authorizations.
Authorization Object SM_DPL_EFF
The authorization object controls the access to the Deployment Effort Recording function (create, change, lock = close). It is only contained in role SAP_MAINT_OPT_ADMIN.
16.6 System Recommendations
The view in the work center allows you to:
● see a list of SAP Notes relevant for a dedicated technical system
● create a Maintenance Transaction from it
● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation
The single tabs for SAP Notes can be restricted (authorization object SM_FUNCS).
The following roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:
Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)
Security Notes can only be displayed if the user has this role and its authorizations. The administrator user is allowed to:
● access Change Management work center
● edit System Recommendations tabs
Mapping: Roles and Navigation Panel
Table 129
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_SYSREC_ALL | Authorization for System Recommendations tab | System Recommendations
SAP_SM_SOLUTION_ALL | Authorization for solutions
SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, hosts, and so on
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions. | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the change management work center. | Work Center
Note: In addition, a display role is shipped, but it is currently not supported.
17 Scenario-Specific Guide: Change Request Management
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all relevant security-related issues for the scenario Change Request Management.
17.1 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 130
Support Package Stack (Version) | Document Adaptations

SP05
General
Change Request Management (sub-scenario to ITSAM Management) is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore all users defined by SAP as default templates can be created within this procedure. The following users are created:
● CHARM Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The according configuration user can be used later on for configuring the Change Request Management settings within ITSAM Management in transaction SOLMAN_SETUP.
● Standard CHARM Template Users: Standard Template users for the Change Request Management process are created during the guided procedure of the ITSAM Management in transaction SOLMAN_SETUP. These users can be regarded as “demo” template users for Change Request Management. The system automatically assigns the necessary authorization roles with according authorization values for the SAP standard scenario. If your Change Request Management process requires customizing due to a different process and other user differentiation, you must adapt the authorizations, specifically CRM-related authorizations. The template users are created in the Solution Manager system.
Due to the creation of Standard Template users in transaction SOLMAN_SETUP, documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. In this security guide, only the according document Text ID in the system is referred to.
For more information, see the specific Landscape Setup Guide, section User Generation.
Scenario Configuration
Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
Authorization Objects
Added value CRMC in authorization object S_TABU_DIS in all relevant roles.
End-User Roles
● User roles have been adapted according to SU22 default values, see section on Authorization Objects.
● Roles SAP_CM_SMAN_* have been extended due to additional status change values and extended functionality (for instance Downgrade Protection). For detailed information, see the description tab of the relevant roles.
● Additional role SAP_CM_MANAGED_DEVELOPER_RETRO for developers for retrofit functionality in managed systems, see section on Users and Authorizations.
Additional Functions and User Roles
● Additional role SAP_CM_MANAGED_DEVELOPER_RETRO for developers for retrofit functionality in managed systems, see section on User Roles for Additional Functions.
● New roles SAP_BC_CCTS_CHARM_<user definition>_TMPL for Central CTS Administration, see section on User Roles for Additional Functions.
● Roles for the communication system, see section on User Roles for Additional Functions.
Scenario Integration
Integration possibility with scenario BPCA, see section Scenario Integration.
BW Reporting Integration
You can use the BW reporting functionality with Change Request Management, see section Users and Authorizations for BW roles, and section BW integration in the Core Guide for detailed information on the BW concept.
Communication Channels/Technical Users
Adapted due to BW RFC connections.

SP06
Scenario Configuration User
Additional role assignment to the configuration user: SAP_SM_CONF_SEC, which contains authorization object S_DEVELOP with full authorization to execute transaction SNOTE.

SP07
End-User Roles
For details on the adapted role changes, see the description tab of the specified role:
● SAP_SOCM_CHANGE_MANAGER
● SAP_CM_SMAN_*

SP08
End-User Roles
For details on the adapted role changes, see the description tab of the specified role:
● SAP_SOCM_TESTER
● SAP_CHARM_CONFIG

SP10
End-User Roles
For details on the adapted role changes, see the description tab of the specified role:
● SAP_SOCM_*
● SAP_CM_SMAN_*
● SAP_CHARM_CONFIG
● SAP_SOL_PROJ_ADMIN_ALL (adapted with ChaRM-relevant values for authorization objects)
● SAP_CM_MANAGED_ADMIN, SAP_CM_MANAGED_OPERATOR, and SAP_CM_MANAGED_CHANGEMAN
● New role SAP_CM_MANAGED_IMPORT for import authorization; for details see the new section Best Practice: Import Authorization.
SOLMAN_SETUP Creation of Template Users
● A step for creating Template Users on Managed Systems has been integrated into the Change Request Management configuration procedure.
● Added role SAP_ITCALENDAR_DIS to all Template users for Solution Manager to view the IT Calendar (adapted respective composite roles)
● Added role SAP_CPR_USER to Change Management template user for cPro application integration (adapted respective composite role)
● Added role SAP_SYSTEM_REPOSITORY_DISP for LMDB usage (adapted respective composite role)
● Added role SAP_SM_RFC_ADMIN for transaction SM59 administration

SP11
Import Authorizations
Managed system roles have been adapted to the requirements of import authorizations and the secure role concept. For details on the adapted role changes, see the description tab of the specified role in transaction PFCG. For more information on the concept, see section Best Practice: Import Authorization in Managed Systems:
● SAP_CM_MANAGED_TESTER
● SAP_CM_MANAGED_DEVELOPER
● SAP_CM_MANAGED_CHANGEMAN
● SAP_CM_MANAGED_OPERATOR
CSOL Back-Destination
● Added information on the CSOL Back-Destination for the cross-system lock function, see sections on Technical Users and Communication Channels.
● Adapted role SAP_SOLMANTMWCOL accordingly.
CTS Integration in Change Request Management
● See section User Role for CTS Integration.

SP12
End-User Roles
For details on the adapted role changes, see the description tab of the specified role:
● SAP_CHARM_CONFIG
● SAP_SMWORK_CHANGE_MAN (Best Practice link)
17.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario which cover all relevant information for this specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other.
● CRM Standard Customizing for Solution Manager: find out about the standard CRM customizing delivered by SAP, and how to adapt roles if you copy transaction types, and so on.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).
● System Recommendation: find out about additional roles for the view System Recommendation.
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.
Additional Important Information Sources
● Check general SAP Note 1574224.
17.3 Prerequisites
17.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete Change Request Management scenario. The SAP Solution Manager is connected via READ RFC, TRUSTED RFC, and TMW RFC to your managed systems, and your managed systems are connected to the SAP Solution Manager via BACK RFC. A SAPOSS connection to SAP is in place. In addition, RFC connections exist between managed systems, for instance for retrofit purposes. The following sections describe all connections in more detail: when they are used and which technical users they require.
Figure 70: Infrastructure
17.3.2 Scenario Configuration User
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
● the BW integration concept, see Core Guide chapter on BW integration.
The scenario CHARM is configured using transaction SOLMAN_SETUP.
To configure the scenario proceed as follows:
Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.
During basic automated configuration, you can create a specific configuration user (default technical name: SMC_CHRM_<XXXClient>) for CHARM (Help Text ID: USER_CONFIG_CHARM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.
If you want to create the configuration user manually, you need to assign:
● the composite role SAP_CM_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
● the composite role SAP_SM_BW_CHARM_ADMIN_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration transaction SOLMAN_SETUP
You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Change Request Management for ITSAM Service Management.
During the specific guided configuration you can create Standard template users. The system automatically adds all relevant user roles, see according sections on Users and User Roles.
17.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 131
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to managed systems | RFC | Reading information from managed systems
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 132

SM_<SID>CLNT<Client>_READ (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Default user: SM_<SID of Solution Manager system>
Remarks: This RFC is generally needed for reading data in connection with transports (transport infrastructure), such as tracking reporting or object changes, and reading the status of transports.

SM_<SID>CLNT<Client>_TRUSTED (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Customer-specific
Remarks: The RFC connection is mandatory for all tasks that involve system changes due to transports. Within the task list framework, the logon prompt is avoided.

SM_<SID>CLNT<Client>_TMW (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Default user: SMTW<SID of Solution Manager system>
Remarks: Only necessary when transport management is in place; allows for creating and releasing transport requests via remote pattern.
RFC Connection from Managed System to SAP Solution Manager
Table 133

SM_<SID>CLNT<Client>_BACK (ABAP connection)
Target Host Name: Solution Manager System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Default user: SMB_<managed system ID>
How Created: Automatically created via transaction SOLMAN_SETUP (view: managed systems)

SM_<SID>CLNT<Client>_BACK_CSOL (ABAP connection)
Target Host Name: Solution Manager System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Customer-specific
Use: For function Cross System Object Lock (CSOL). Note: SAP Solution Manager manages the lock information.
How Created: Manually created
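As an added illustration of the conventions in Tables 132 and 133 (example code written for this guide; it is not SAP code and does not call any SM59 API), the following offline audit takes an exported list of destination names and logon users, checks them against the naming pattern SM_<SID>CLNT<Client>_<TYPE> and the default technical users SM_<Solution Manager SID>, SMTW<Solution Manager SID>, and SMB_<managed SID>, and reports destinations that are missing for a managed system. It assumes that <SID> and <Client> in all four destination names identify the managed system; the system IDs, client numbers, and user names in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Naming convention from Tables 132 and 133 of the guide. Assumption: <SID> and <Client>
# in all four names identify the managed system (the default BACK user SMB_<managed
# system ID> points the same way).
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z0-9]{3})CLNT(?P<client>\d{3})_(?P<kind>READ|TRUSTED|TMW|BACK)$"
)


@dataclass(frozen=True)
class Destination:
    """One RFC destination as it would appear in an SM59 export (constructed sample)."""
    name: str
    logon_user: str  # empty string when no logon user is stored


def expected_logon_user(kind, solman_sid, managed_sid):
    """Default technical users named in the guide; TRUSTED is customer-specific (None)."""
    if kind == "READ":
        return f"SM_{solman_sid}"
    if kind == "TMW":
        return f"SMTW{solman_sid}"
    if kind == "BACK":
        return f"SMB_{managed_sid}"
    return None


def audit_destinations(solman_sid, managed_systems, outbound, inbound, transport_management=True):
    """Compare destinations with the guide's conventions and return a list of findings.

    managed_systems: set of (SID, client) pairs the Solution Manager manages
    outbound: destinations defined in Solution Manager (towards managed systems)
    inbound: destinations defined in managed systems (back to Solution Manager)
    transport_management: whether TMW destinations are required (Table 132: only then)
    """
    findings = []
    present = set()
    for dest in list(outbound) + list(inbound):
        match = DEST_RE.match(dest.name)
        if not match:
            findings.append(f"{dest.name}: does not follow the SM_<SID>CLNT<Client>_<TYPE> convention")
            continue
        sid, client, kind = match.group("sid", "client", "kind")
        if (sid, client) not in managed_systems:
            findings.append(f"{dest.name}: target {sid}/{client} is not a known managed system")
            continue
        present.add((sid, client, kind))
        expected = expected_logon_user(kind, solman_sid, sid)
        if expected is not None and dest.logon_user != expected:
            findings.append(f"{dest.name}: logon user {dest.logon_user!r}, guide default is {expected!r}")
    required = ["READ", "TRUSTED", "BACK"] + (["TMW"] if transport_management else [])
    for sid, client in sorted(managed_systems):
        for kind in required:
            if (sid, client, kind) not in present:
                findings.append(f"SM_{sid}CLNT{client}_{kind}: missing")
    return findings


# Constructed sample landscape: Solution Manager "SOL" managing ERP/100 and CRM/200.
SOLMAN_SID = "SOL"
MANAGED = {("ERP", "100"), ("CRM", "200")}
OUTBOUND = [
    Destination("SM_ERPCLNT100_READ", "SM_SOL"),
    Destination("SM_ERPCLNT100_TRUSTED", ""),
    Destination("SM_ERPCLNT100_TMW", "SMTWSOL"),
    Destination("SM_CRMCLNT200_READ", "DDIC"),      # constructed deviation: not the default READ user
    Destination("SM_CRMCLNT200_TRUSTED", ""),
]
INBOUND = [
    Destination("SM_ERPCLNT100_BACK", "SMB_ERP"),
    Destination("SM_CRMCLNT200_BACK", "SMB_SOL"),   # constructed deviation: expected SMB_CRM
    Destination("ZCUSTOM_CRM", "SOLMAN_ADMIN"),     # constructed deviation: non-standard name
]


def sample_audit(transport_management=True):
    """Run the audit on the constructed sample; returns the list of findings."""
    return audit_destinations(SOLMAN_SID, MANAGED, OUTBOUND, INBOUND, transport_management)


if __name__ == "__main__":
    for line in sample_audit():
        print(line)
```

On the sample above the audit reports the two non-default logon users, the non-standard destination name, and the missing TMW destination for CRM/200 (the last one disappears when transport management is not in use). Feeding it a fresh export after each SOLMAN_SETUP run or role rework is one way to notice a destination that silently drifted away from the default technical users described in section 17.3.4.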
BW Reporting RFC Connection
Table 134

NONE, if BW reporting is realized in a BW standard scenario, for content activation
Target Host Name: Solution Manager productive client
System Number: System-specific
Logon Client: System-specific
Logon User (Password): System-specific

BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation and data download
Target Host Name: Managed System or Solution Manager System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): System-specific
How Created: in transaction SOLMAN_SETUP

<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient> BI-Callback RFC for reorganization of data and configuration validation
Target Host Name: Solution Manager productive client
System Number: System-specific
Logon Client: System-specific
Logon User (Password): BI_CALLBACK (customer-specific)
How Created: in transaction SOLMAN_SETUP

Trusted RFC to remote BW system SAP_BILO
Target Host Name: remote BW system (source: SAP Solution Manager)
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Dialog User
How Created: Used to read data from remote BW for BI Reporting; created during SOLMAN_SETUP
Retrofit RFC Connections
Table 135

RETRO_<SID>_<CLNT>
Target Host Name: Managed system, development system (Implementation landscape)
System Number: System-specific
Logon Client: System-specific
Logon User: Customer-specific
Remarks: Trusted RFC connection, for transport of copies

CWBADM_<SID>_<CLNT>
Target Host Name: Managed system, development system (Maintenance landscape)
System Number: System-specific
Logon Client: System-specific
Logon User: Customer-specific
Remarks: Trusted RFC connection, for comparison and merge of coding according to the ToDo list in the correction workbench
TMS CI RFC Connections
As of SAP Solution Manager 7.1, you can use the Trusted RFC connection instead of TMS CI RFC connections. For more information, see SAP Note 1384598.
Internet Graphics Server (IGS) RFC Connection
Table 136
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59
17.3.4 Technical Users
Note: Check SAP Note 807228.
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Change Request Management scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 137
User: SM_<SID of Solution Manager system> (system-specific)
User Type: System User
Remarks: Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User for Back-Destination in SAP Solution Manager System
Table 138
User (Password): SMB_<managed system ID> (system-specific)
Type: System User
Remarks: Technical user “Back User”; assigned role <namespace>_SOLMAN_BACK. It is automatically created during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.

User for CSOL Back-Destination in SAP Solution Manager System
Table 139
User (Password): Customer-specific user
Type: Service User
Remarks: Technical user, manually created (see documentation in IMG or transaction SOLMAN_SETUP), assigned role <namespace>SAP_SOLMANTMWCOL.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.

User for TMW Connection for Read Authorization and Batch Authorization in Managed Systems
User for Change Management Connection in managed systems
Table 140
User: SMTM<SID of Solution Manager system> (system-specific)
User Type: System User
Remarks: Technical User “TMW User”, assigned role <namespace>_SOLMAN_TMW. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.

User for BW Reporting (Reorganization of Data and Configuration Validation)
Table 141
User: BI_CALLBACK
User Type: System User
Remarks: Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User: SMD_BI_RFC, in case of remote BW
User Type: System User
Remarks: Technical user for data download

User: SM_EFWK
User Type: System User
Remarks: Technical user for extractor execution
17.4 CRM Standard Customizing for Solution Manager
The Change Request Management scenario is based on CRM 7.0 EHP1, and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM customizing, which is also maintained in the individual CRM authorization objects for Change Request Management. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard customizing, you need to add the changed values in the according CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.
Transaction Types
Table 142
Transaction Type | Usage | Remarks
SDAD | Administration | Not supported in Release 7.1. Note: New transaction type for this usage: SMAD.
SDCD | Job Request Change Document
SDCR | Change Request | Not supported in Release 7.1. Note: New transaction type for this usage: SMCR.
SDDV | Project Cycle | Not supported in Release 7.1. Note: New transaction type for this usage: SMDV.
SMDV | Project Cycle | Supported. Note: New with Release 7.1.
SDHF | Urgent Correction | Not supported in Release 7.1. Note: New transaction type for this usage: SMHF.
SMHF | Urgent Change | Supported. Note: New with Release 7.1.
SDMI | Normal Correction with transport of copies | Not supported in Release 7.1. Note: New transaction type for this usage: SMMJ.
SDMJ | Normal Correction with transport of copies | Not supported in Release 7.1. Note: New transaction type for this usage: SMMJ.
SMMJ | Normal Change (Standard) | Supported. Note: New with Release 7.1.
SDMM | Maintenance Cycle | Not supported in Release 7.1. Note: New transaction type for this usage: SMMM.
SMMM | Maintenance Cycle | Supported. Note: New with Release 7.1.
SDMN | Maintenance Cycle | Not supported in Release 7.1. Note: New transaction type for this usage: SMMN.
SMMN | Maintenance Cycle | Supported. Note: New with Release 7.1.
SDTM | Test Message | Not supported in Release 7.1. Note: New transaction type for this usage: SMTM.
SMTM | Defect Correction | Supported. Note: New with Release 7.1.
SMCG | General Change | Supported. Note: New with Release 7.1.
SMCR | Request for Change | Supported. Note: New with Release 7.1.
SMCT | Request for Change Template | Supported. Note: New with Release 7.1.
SMAD | Administration | Supported. Note: New with Release 7.1.
17.5 Users and Authorizations
To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates for you. You first need to define which tasks the individual members in your company execute, and then adjust the according roles.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for Change Request Management are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 71: Example: Urgent Correction Process
17.5.1 Users and Roles
This section gives an overview of the users recommended by SAP and the user roles assigned to them for Change Request Management. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
Figure 72: Change Management Work Center
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW System
Trusted authorizations are needed between SAP Solution Manager and its managed systems, as well as between SAP Solution Manager and a remote BW system.
● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.
Both roles are not contained in the respective composite roles, due to their highly security-relevant character.
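To make the rule just stated checkable, here is an added example (written for this guide; it is not SAP code and uses no SAP API) that expands composite roles into their single roles, flags any composite that embeds SAP_SM_S_RFCACL or SAP_SM_BW_S_RFCACL, and lists which users hold those roles and whether they hold them directly or through a composite. The composite contents are abbreviated from Tables 143 and 144; the customer copy Z_CM_CHANGE_MANAGER_COMP and the user IDs are constructed.

```python
# Roles the guide deliberately keeps out of the composite roles because they carry
# the trusted-RFC authorization object S_RFCACL.
TRUSTED_RFC_ROLES = frozenset({"SAP_SM_S_RFCACL", "SAP_SM_BW_S_RFCACL"})


def effective_single_roles(assigned, composites):
    """Expand a user's assigned roles into single roles.

    SAP composite roles contain single roles only, so one level of expansion suffices.
    A role name that is not a known composite is treated as a single role.
    """
    singles = set()
    for role in assigned:
        singles.update(composites.get(role, [role]))
    return singles


def check_trusted_rfc_policy(composites, users):
    """Return (violations, holders).

    violations: composite roles that embed one of TRUSTED_RFC_ROLES, contrary to the guide
    holders: per trusted-RFC role, the users holding it and whether directly or via a composite
    """
    violations = []
    for comp, members in sorted(composites.items()):
        for role in sorted(TRUSTED_RFC_ROLES & set(members)):
            violations.append(f"{comp} embeds {role}; assign it directly instead")
    holders = {}
    for user, assigned in sorted(users.items()):
        for role in sorted(TRUSTED_RFC_ROLES & effective_single_roles(assigned, composites)):
            how = "directly" if role in assigned else "via composite"
            holders.setdefault(role, []).append((user, how))
    return violations, holders


# Constructed sample: Requester and Change Manager composites abbreviated from Tables 143
# and 144, plus a hypothetical customer copy that embeds the trusted-RFC role.
COMPOSITES = {
    "SAP_CM_REQUESTER_COMP": [
        "SAP_SMWORK_BASIC_CHANGE_MAN", "SAP_SMWORK_CHANGE_MAN", "SAP_SOCM_REQUESTER",
    ],
    "SAP_CM_CHANGE_MANAGER_COMP": [
        "SAP_CM_SMAN_CHANGE_MANAGER", "SAP_SMWORK_BASIC_CHANGE_MAN",
        "SAP_SMWORK_CHANGE_MAN", "SAP_SOCM_CHANGE_MANAGER",
    ],
    "Z_CM_CHANGE_MANAGER_COMP": [  # constructed deviation
        "SAP_CM_SMAN_CHANGE_MANAGER", "SAP_SMWORK_CHANGE_MAN", "SAP_SM_S_RFCACL",
    ],
}
USERS = {  # constructed user IDs and assignments
    "CM_ALICE": ["SAP_CM_CHANGE_MANAGER_COMP", "SAP_SM_S_RFCACL"],
    "CM_BOB": ["Z_CM_CHANGE_MANAGER_COMP"],
    "REQ_CAROL": ["SAP_CM_REQUESTER_COMP"],
}


def sample_check():
    """Run the policy check on the constructed sample."""
    return check_trusted_rfc_policy(COMPOSITES, USERS)


if __name__ == "__main__":
    violations, holders = sample_check()
    for line in violations:
        print("VIOLATION:", line)
    for role, entries in holders.items():
        print(role, entries)
```

The holders list is the part worth reviewing regularly: S_RFCACL lets a user be accepted over a trusted RFC connection, so each entry should correspond to a person who actually needs that trust relationship, and anyone reaching it "via composite" indicates a copied composite that departs from the SAP delivery.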
Requester (Help Text-ID: TP_CM_REQ)
Single Roles for Requester (technical composite role name: SAP_CM_REQUESTER_COMP) in the SAP Solution Manager System
Table 143
Role Help Text-ID
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQ
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
Change Manager (Help Text-ID: TP_CH_CM)
Single Roles for Change Manager (technical role name: SAP_CM_CHANGE_MANAGER_COMP) in the SAP Solution Manager System
Table 144
Role Help Text-ID
SAP_CM_SMAN_CHANGE_MANAGER AUTH_SAP_CM_SMAN_CM
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_CHANGE_MANAGER AUTH_SAP_SOCM_CM
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_CPR_USER AUTH_SAP_CPR_USER
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
Technical composite role name: SAP_SM_BW_CHARM_DISPLAY_COMP in the BW system
If you use the remote BW scenario, assign these roles to the user with the same user ID in the BW system.
Table 145
Single Roles Help Text ID
SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Role in the Managed System
The role must be assigned to the user with the same user ID in the managed system.
Table 146
Assigned Role Help Text-ID
SAP_CM_MANAGED_CHANGE_MANAGER AUTH_SAP_CM_MANAGED_CHANGE
SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT
Developer (Help Text-ID: TP_CM_DEV)
Note: For import authorizations, see SAP Note 807228.
Single Roles for Developer (technical role name: SAP_CM_DEVELOPER_COMP) in the SAP Solution Manager System
Table 147
Role Help Text-ID
SAP_CM_SMAN_DEVELOPER AUTH_SAP_CM_SMAN_DEVELOP
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_DEVELOPER AUTH_SAP_SOCM_DEVELOPER
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
Role in the Managed System
The role must be assigned to the user with the same user ID in the managed system.
Table 148
Assigned Role Help Text-ID
SAP_CM_MANAGED_DEVELOPER AUTH_SAP_CM_MANAGED_DEVELOP
SAP_CM_MANAGED_DEVELOPER_RETRO Additional role for functionality of Retrofit. Needs to be assigned manually.
SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT
Tester (Help Text-ID: USER_TP_CH_TESTER)
Note: For import authorizations, see SAP Note 807228.
Single Roles for Tester (technical role name: SAP_CM_TESTER_COMP) in the SAP Solution Manager System
Table 149
Role Help Text-ID
SAP_CM_SMAN_TESTER AUTH_SAP_CM_SMAN_TESTER
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_TESTER AUTH_SAP_SOCM_TESTER
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
Role in the Managed System
The role must be assigned to the user with the same user ID in the managed system.
Table 150
Assigned Role Help Text-ID
SAP_CM_MANAGED_TESTER AUTH_SAP_CM_MANAGED_TESTER
SAP_CM_MANAGED_IMPORT AUTH_SAP_CM_MANAGED_IMPORT
IT-Operator (Help Text-ID: TP_CM_OPERATOR)
Single Roles for IT-Operator (technical role name: SAP_CM_OPERATOR_COMP) in the SAP Solution Manager System
Table 151
Role Help Text-ID
SAP_CM_SMAN_OPERATOR AUTH_SAP_CM_SMAN_OPERATOR
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_IT_OPERATOR AUTH_SAP_SOCM_OPERATOR
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
Technical composite role name: SAP_SM_BW_CHARM_DISPLAY_COMP in the BW system
If you use the remote BW scenario, assign these roles to the user with the same user ID in the BW system.
Table 152
Single Roles Help Text ID
SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Role in the Managed System
The role must be assigned to the user with the same user ID in the managed system.
Table 153
Assigned Role Help Text-ID
SAP_CM_MANAGED_OPERATOR AUTH_SAP_CM_MANAGED_OPERATOR
Administrator (Help Text-ID: TP_CH_ADMIN)
Single Roles for Administrator (technical role name: SAP_CM_ADMINISTRATOR_COMP) in the SAP Solution Manager System
Table 154
Role Help Text-ID
SAP_CM_SMAN_ADMINISTRATOR AUTH_SAP_CM_SMAN_ADMIN
SAP_CPR_PROJECT_ADMINISTRATOR AUTH_SAP_CPR_PROJECT_ADMIN
SAP_CPR_USER AUTH_SAP_CPR_USER
SAP_SMWORK_BASIC_CHANGE_MAN AUTH_SAP_SMWORK_BASIC_CHARM
SAP_SMWORK_CHANGE_MAN AUTH_SAP_SMWORK_CHANGE_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOCM_ADMIN AUTH_SAP_SOCM_ADMIN
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_SOL_PROJ_ADMIN_ALL AUTH_SAP_PROJ_ADMIN_ALL
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
Technical composite role name: SAP_SM_BW_CHARM_ADMIN_COMP in the BW system
If you use the remote BW scenario, assign these roles to the user with the same user ID in the BW system.
Table 155
Single Roles Help Text ID
SAP_BI_E2E_CHARM AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
Role in the Managed System
The role must be assigned to the user with the same user ID in the managed system.
Table 156
Assigned Role Help Text-ID
SAP_CM_MANAGED_ADMIN AUTH_SAP_CM_MANAGED_ADMIN
17.5.2 Best Practice: Manage Import Authorizations in Managed Systems
Import authorizations are necessary in the Change Request Management process: they allow business users to create transport requests automatically and to import transports from a source system into a target system. The authorization object required is S_CTS_ADMI. If you use cluster or non-ABAP systems as TMS communication systems, we recommend using the equivalent authorization object S_CTS_SADM instead, because S_CTS_SADM additionally lets you restrict the authorization to specific systems and domains.
Prerequisites
You are using the delivered standard roles SAP_CM_MANAGED_* for users in your managed systems. These roles contain security-critical authorizations for the individual business users, which should be handled separately.
Procedure
We recommend one of two alternatives for handling these security-critical authorizations, depending on the level of protection your systems require:
● a) Use the existing standard roles for managed systems (which already contain the import authorization)
● b) Use the delivered import role SAP_CM_MANAGED_IMPORT
Use Existing Standard Roles
Assign the existing standard roles to the users who require the additional import authorizations.
Use Delivered Import Role SAP_CM_MANAGED_IMPORT
This practice lets you assign role SAP_CM_MANAGED_IMPORT to any business user who requires import authorizations. The role contains all required import authorizations.
Caution: Assign the above roles only to the following users in the systems mentioned, and never in production systems or other security-relevant systems:
● Developers in consolidation systems
● Testers in all test systems
● Change managers in consolidation systems
The combination of authorization object S_DATASET (file access on the application server) with S_CTS_ADMI values IMPA and EPS1 can jeopardize the security of your system. Use this practice only if you require a smooth Change Request Management process.
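The following Python script is an added example for this guide; it is not SAP code and does not describe the content of the delivered roles. It audits an export of PFCG role data for the situations this section warns about: the import functions IMPA and EPS1 (in S_CTS_ADMI or S_CTS_SADM) combined with file access via S_DATASET in the same role, import roles assigned in production systems, and use of S_CTS_ADMI where the system-restricted S_CTS_SADM would be preferable. The table and object names (AGR_1251, S_CTS_ADMI, S_CTS_SADM, S_DATASET, field CTS_ADMFCT) are real SAP objects; the Z_* role names, user names, system IDs, export rows and assignment list are constructed for the example.

```python
"""Audit exported PFCG role data for risky transport-import authorizations.

Added example for this guide, not SAP code. Table and object names (AGR_1251,
S_CTS_ADMI, S_CTS_SADM, S_DATASET, CTS_ADMFCT) are the real SAP objects; the
Z_* roles, users, system IDs and export rows below are constructed.
"""
from collections import defaultdict

# Constructed sample: tab-separated extract of table AGR_1251 (role authorization
# data), reduced to the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH.
AGR_1251_EXPORT = """\
Z_CM_MANAGED_DEVELOPER\tS_CTS_ADMI\tCTS_ADMFCT\tTABL\t
Z_CM_MANAGED_DEVELOPER\tS_CTS_ADMI\tCTS_ADMFCT\tPROJ\t
Z_CM_MANAGED_IMPORT\tS_CTS_ADMI\tCTS_ADMFCT\tIMPA\t
Z_CM_MANAGED_IMPORT\tS_CTS_ADMI\tCTS_ADMFCT\tEPS1\t
Z_CM_MANAGED_IMPORT\tS_DATASET\tACTVT\t33\t
Z_CM_MANAGED_IMPORT\tS_DATASET\tACTVT\t34\t
Z_CM_MANAGED_IMPORT\tS_DATASET\tFILENAME\t*\t
Z_CM_MANAGED_IMPORT\tS_DATASET\tPROGRAM\t*\t
Z_CM_MANAGED_TESTER_IMP\tS_CTS_SADM\tCTS_ADMFCT\tIMPS\t
Z_CM_MANAGED_TESTER_IMP\tS_CTS_SADM\tDOMAIN\tDOMAIN_DEV\t
Z_CM_MANAGED_TESTER_IMP\tS_CTS_SADM\tDESTSYS\tQAS\t
"""

# Constructed sample: (system, role, user) assignments, as taken from AGR_USERS
# of each system, plus each system's position in the transport track.
ROLE_ASSIGNMENTS = [
    ("DEV", "Z_CM_MANAGED_DEVELOPER", "JSMITH"),
    ("QAS", "Z_CM_MANAGED_IMPORT", "JSMITH"),
    ("QAS", "Z_CM_MANAGED_TESTER_IMP", "AMAYER"),
    ("PRD", "Z_CM_MANAGED_IMPORT", "OPSUSER"),
]
SYSTEM_CLASS = {"DEV": "development", "QAS": "test", "PRD": "production"}

# CTS_ADMFCT values the guide singles out: import all requests, EPS file access.
CRITICAL_IMPORT_FUNCTIONS = {"IMPA", "EPS1"}


def parse_agr_1251(export):
    """Group export rows by role: role -> list of (object, field, low, high)."""
    roles = defaultdict(list)
    for line in export.splitlines():
        if not line.strip():
            continue
        name, obj, field, low, high = line.split("\t")
        roles[name].append((obj, field, low, high))
    return roles


def import_functions(auths):
    """All CTS_ADMFCT values granted via S_CTS_ADMI or S_CTS_SADM."""
    return {low for obj, field, low, _ in auths
            if obj in ("S_CTS_ADMI", "S_CTS_SADM") and field == "CTS_ADMFCT"}


def has_file_access(auths):
    return any(obj == "S_DATASET" for obj, _, _, _ in auths)


def uses_unrestricted_object(auths):
    """S_CTS_ADMI cannot be limited to a system or domain; S_CTS_SADM can."""
    return any(obj == "S_CTS_ADMI" for obj, _, _, _ in auths)


def classify_role(auths):
    """Return 'critical', 'import' or None for one role's authorization data."""
    funcs = import_functions(auths)
    if funcs & CRITICAL_IMPORT_FUNCTIONS and has_file_access(auths):
        return "critical"   # import/EPS access plus OS file access in one role
    if funcs:
        return "import"
    return None


def audit(export, assignments, system_class):
    """Return findings as (severity, system, role, user, message) tuples."""
    roles = parse_agr_1251(export)
    findings = []
    for system, role, user in assignments:
        auths = roles.get(role, [])
        level = classify_role(auths)
        if level is None:
            continue
        if system_class.get(system) == "production":
            findings.append(("HIGH", system, role, user,
                             "import authorization assigned in a production system"))
        if level == "critical":
            findings.append(("HIGH", system, role, user,
                             "S_CTS_ADMI IMPA/EPS1 combined with S_DATASET"))
        if uses_unrestricted_object(auths):
            findings.append(("LOW", system, role, user,
                             "S_CTS_ADMI used; consider S_CTS_SADM restricted by DOMAIN/DESTSYS"))
    return findings


if __name__ == "__main__":
    for sev, system, role, user, msg in audit(AGR_1251_EXPORT, ROLE_ASSIGNMENTS, SYSTEM_CLASS):
        print(f"{sev:4} {system} {role:24} {user:8} {msg}")
```

Run against a real export, the script needs the AGR_1251 rows of each managed system and the role-to-user assignments from AGR_USERS of that system; the constructed data above stands in for both. The HIGH findings correspond to the two rules of the caution above (never in production, and the IMPA/EPS1 plus S_DATASET combination); the LOW finding only flags where the system-restricted object would give you a tighter role.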
17.5.3 User Roles for Additional Functions
17.5.3.1 User Roles for Retrofit
To execute the retrofit function, the developer needs additional authorizations in the managed system: assign role SAP_CM_MANAGED_DEVELOPER_RETRO to the developer user. Check the user definition for the developer in your SAP Solution Manager system in transaction SOLMAN_SETUP, guided procedure for Change Request Management.
17.5.3.2 User Roles for Communication Systems
In the communication systems, you require the same roles as for your managed systems. See section Users and Authorizations.
17.5.3.3 CTS-Integration User Roles in the SAP Solution Manager
You can use CTS with Change Request Management. To use this integration, assign the following roles to your SAP Solution Manager users.
RFC Destinations
You require:
● the TMW RFC destination
● the TMS Deploy destination ([email protected])
Developer - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_DEVELOP_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
IT Operator - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_OPERAT_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
● change import queues
Change Manager - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_CH_MGR_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
● change import queues
Administrator - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_ADMIN_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
● change import queues
Tester - Transport Authorization (technical role name: SAP_BC_CCTS_CHARM_TESTER_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
17.5.4 Main Authorization Objects
This section gives you an overview of the main authorization objects. For detailed information, see the SDN Wiki for Authorizations.
General Information
Roles SAP_SOCM_* and SAP_CM_SMAN_* are maintained according to the profile generator (PFCG) default values for all ST-relevant transactions. The transactions SCMA, CRMD_ORDER, and CRM_DNO_MONITOR carry values according to software components SAP_ABA and BBPCRM. Therefore, all CRM objects, /TMWFLOW/ objects, and authorization object S_PROGRAM appear in status Manual within the roles.
Roles SAP_CM_SMAN_* contain a number of /TMWFLOW/ authorization objects in status Manual because of transaction SCMA. Authorization object B_BUPA_RTL and the CRM authorizations are set inactive in SAP_CM_SMAN_*, because all business partner authorizations are contained in roles SAP_SOCM_*. The roles SAP_CM_SMAN_* contain all additional authorizations for solutions and projects (note: for Change Request Management, solution and project authorizations are not separated into infrastructure roles), RFC authorizations, and table access authorizations.
In SAP_SOCM_* roles, development environment authorizations are set inactive. SAP_SOCM_* roles contain business partner authorizations, product master authorizations, status change authorizations, HR authorizations such as authorization object PLOG, and all relevant CRM authorizations.
Because Change Request Management is tightly integrated with CRM, see also the section on CRM integration in the Core Guide.
CRM Authorization Objects
Roles for Change Request Management contain CRM - authorizations. For more information on CRM - authorization objects, see Core Security Guide, section on CRM integration.
Authorization Objects B_USERST_T and B_USERSTAT (status change)
In the roles for Change Request Management, authorization object B_USERST_T is used instead of B_USERSTAT. With B_USERST_T, the status of a preceding change document can only be set by the system; with B_USERSTAT, the user could influence the status of the change document.
Authorization Object S_RFC (RFC access)
Roles for the managed system contain authorization object S_RFC. Its values carry a trailing asterisk (*), because the length of the authorization field is not sufficient for the full names of these function groups in SAP_BASIS release 4.6C. Keep in mind that such a value covers every function group that shares the prefix, not only the one intended.
Authorization Object S_TABU_DIS (table access)
The user roles for Change Request Management contain authorization object S_TABU_DIS. Authorization group CRMC protects all relevant customizing views and customizing clusters for this scenario.
17.6 System Recommendations
The view in the work center allows you to:
● see a list of SAP Notes relevant for a dedicated technical system
● create a Maintenance Transaction from it
● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation
The individual tabs for SAP Notes can be restricted using authorization object SM_FUNCS.
The following roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:
Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)
Security Notes can only be displayed if the user has this role and its authorizations. The administrator user is allowed to:
● access Change Management work center
● edit System Recommendations tabs
Mapping: Roles and Navigation Panel
Table 157
Single role | Remarks | Mapping to Navigation Panel of Work Center
SAP_SYSREC_ALL | Authorization for System Recommendations tab | System Recommendations
SAP_SM_SOLUTION_ALL | Authorization for solutions | System Recommendations
SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, hosts, and so on | System Recommendations
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the Change Management work center | Work Center
Note: In addition, a display role is shipped, but it is currently not supported.
17.7 Scenario Integration
Change Request Management refers to the phase in your product life-cycle in which you define and refine your business processes by means of projects, business blueprints, and related activities. In the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions used in daily business, such as the handling of problems. The following sections describe how Change Request Management integrates with other scenarios in SAP Solution Manager, and which user roles apply.
Note: For more detail on each individual scenario, see the corresponding scenario-specific guide.
Customizing Synchronization
Customizing Synchronization is part of the Implementation and Upgrade scenario. For more information, see the scenario-specific guide for Implementation and Upgrade and SAP Note 1061644.
Incident Management
A change request can result from an incident (a service desk message). Service desk messages can be created by any user, including the requester. To enable this, assign composite role SAP_SUPPDESK_CREATE_COMP to the user.
Figure 73: Integration with Incident Management
Note: If you are a service provider, assign the corresponding service provider roles. For more information, see the Service Provider Guide.
Test Management
● As of release 7.1, you can maintain test plans and test packages in the assignment block Test Management. This requires authorization object S_TWB for test management. You can either assign this authorization with the required field values to your user, or assign the role for test plans, SAP_STWB_2_*.
● Testing normal corrections and urgent corrections requires the test management role for the tester, SAP_STWB_WORK_ALL.
Document Management
As of release 7.1, you can maintain documents in the assignment block Documents. This requires authorization object S_IWB for document management. A user with authorization object S_IWB can select any document maintained in transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY for the project or solution in question. Because this can pose a security problem in your company, the authorization is not included in the Change Request Management roles. If you want to use the assignment block Documents, assign this authorization explicitly to your users. You can restrict the authorization to folder groups: in transaction SPRO in your SAP Solution Manager system, execute IMG activity Definition of Folder Groups under node SAP Solution Manager > Technical Settings > Document Management > Authorizations.
Quality Gate Management (QGM)
You can integrate QGM with Change Request Management. When integrating, assign the respective QGM roles to your users according to the tasks they have to perform. See the scenario-specific guide for QGM.
Figure 74: Integration QGM
Maintenance Optimizer
You can integrate with Maintenance Optimizer. When integrating, assign the respective roles to your users according to the tasks they have to perform. See the scenario-specific guide for Maintenance Optimizer.
Solutions and Solution Directory
If you want to work with the Solution Directory and create change requests from there, you additionally need to assign role SAP_SOLMAN_DIRECTORY_EDIT or SAP_SOLMAN_DIRECTORY_ADMIN to your user.
Figure 75: Integration with Solution Directory
Business Process Change Analyzer
For BPCA integration, you need to add BPCA roles depending on which BPCA functions you use; see the scenario-specific guide for Business Process Change Analyzer.
Configuration Validation
See the scenario-specific guide for Configuration Validation.
18 Scenario-Specific Guide: Quality Gate Management
The business process life-cycle stretches across all phases of a product's life-cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). All of these processes need quality assurance. This guide gives you an overview of all relevant security-related issues for the function Quality Gate Management.
Figure 76: Quality Gate Management Process
18.1 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 158
Support Package Stacks
(Version)
Document Adaptations
SP05 Authorization Objects
Added values TSTM, CRMC in authorization object S_TABU_DIS in role SAP_STWB_SET_ALL.
End-User Roles
Added role SAP_SOL_KW_ALL to all composite roles.
The following end-user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_SM_QGM_ALL
● SAP_SM_QGM_CHANGE
● SAP_SM_QGM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB
SP07 Added section on CRM Customizing
SP10 End-User Roles
The following end-user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_SM_QGM_ALL
● SAP_SM_QGM_CHANGE
● SAP_SM_QGM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB
● SAP_SM_QGM_CM_ALL
● SAP_SM_QGM_CM_TRANSPORT
● All composite roles, due to the integration of roles SAP_ITCALENDER_DIS (IT calendar integration) and SAP_SYSTEM_REPOSITORY_DIS (LMDB integration)
Additional Roles
● For the integration of QGM with CTS in SAP Solution Manager, the roles SAP_BC_CCTS_QGM_*_TMPL are delivered. For more information, see the new section on CTS Integration Roles.
SP11 End-User Roles
The following end-user roles were changed. For detailed information, see the Description tab of the role in transaction PFCG.
● SAP_SM_QGM_CM_ALL
● SAP_SM_QGM_CM_TRANSPORT
● SAP_SM_QGM_STATUS_QM
● SAP_SM_QGM_STATUS_QAB
18.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.
18.3 Prerequisites
18.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run this scenario. SAP Solution Manager is connected to your managed systems via READ RFC, TRUSTED RFC (alternatively LOGIN RFC), and TMW RFC, and your managed systems are connected to SAP Solution Manager via BACK RFC. The following sections describe in more detail when each connection is used and which technical users it requires.
Figure 77: Infrastructure
18.3.2 Configuration
Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you can use the basic functions.
Scenario Configuration transaction SPRO
To run Quality Gate Management, you need to configure it using the Implementation Guide (IMG) in transaction SPRO.
Figure 78: Transaction SPRO
Configuration Roles
There are no specific configuration roles for transaction SPRO. Nevertheless, you can create your own configuration roles. For more information, see the corresponding How-to Guide.
18.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 159
Communication Channel Protocol Type of Data Transferred / Function
Solution Manager to managed systems RFC Reading information from managed systems
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically in transaction SOLMAN_SETUP (view: Managed Systems); see the Landscape Setup Guide.
Table 160
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Reads data from the managed system; see the scenario-specific guide for Change Request Management
SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed system | System-specific | System-specific | Default user: SMTM<SID of Solution Manager system> | Used for specific Change Management authorizations; see the scenario-specific guide for Change Request Management
Internet Graphics Server (IGS) RFC Connection
Table 161
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59
18.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Quality Gate Management scenario.
User for READ - Access in Managed Systems
Users for RFC connection READ
Table 162
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration in transaction SOLMAN_SETUP; see the Landscape Setup Guide.
Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in user management (transaction SU01), you must also change the password in the RFC destination in the SAP Solution Manager system.
User for TMW - Connection for Read Authorization and Batch Authorization in Managed Systems
User for Change Management Connection in managed systems
Table 163
User | User Type | Remarks
SMTM<SID of Solution Manager system> (system-specific) | System user | Technical user ("TMW user"), assigned role <namespace>_SOLMAN_TMW. It is generated automatically during basic configuration in transaction SOLMAN_SETUP; see the Landscape Setup Guide.
18.4 CRM Standard Customizing for Solution Manager
The Quality Gate Management scenario is based on CRM and uses CRM customizing such as transaction types and action profiles. SAP delivers standard CRM customizing, which is also reflected in the individual CRM authorization objects. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on maintaining authorization objects.
Transaction Type
Table 164
Transaction Type | Usage | Remarks
SMQC | Quality Gate Management | supported
18.5 Users and Authorizations
18.5.1 User Descriptions and User Roles in the SAP Solution Manager
This section gives an overview of the users recommended by SAP and their user role assignments for Quality Gate Management. Each user is assigned a composite role, which contains a number of single roles.
Work Center
The work center is the work space of a user and gives access to all tools the user needs. You can assign the delivered composite roles to your users as they are, or restrict the access and/or the authorizations of a particular user. Access to the navigation panel is restricted with authorization object SM_WC_VIEW. For more information about user interface authorizations, see the Core Security Guide.
Figure 79: Change Management Work Center
The tables below show which single roles are included in each composite role. An additional column indicates for which section of the navigation panel the single role is required. The Overview of a work center always contains links to all relevant sections of the navigation panel, so it is not listed separately.
IT Operator (technical role name: SAP_QGM_TRANSPORT_COMP)
The IT operator creates transport requests, assigns them to the developers, and releases the transports once the development work is finished. The IT operator also triggers the import into the different systems.
Table 165
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_TRANSPORT | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management | Work Center Access
Development Lead (technical role name: SAP_QGM_CHANGE_MANAGER_COMP)
The development lead manages changes within the QGM project (for instance: create, edit, delete, set status).
Table 166
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_CHANGE | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management | Work Center Access
SAP_SM_BUSINESS_PARTNER | Authorization for creating business partners | Projects
Quality Manager (technical role name: SAP_QGM_QM_COMP)
The quality manager processes messages and makes the first of the two status assignments in Quality Gate Management that are required to initiate a phase switch.
Table 167
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_STATUS_QM | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management | Work Center Access
SAP_SM_BUSINESS_PARTNER | Authorization for creating business partners | Projects
Quality Advisory Board Member (technical role name: SAP_QGM_QAB_COMP)
A member of the quality advisory board makes the second status assignment for the phase switch. The two assignments are made by different users on purpose (segregation of duties), so do not assign both SAP_QGM_QM_COMP and SAP_QGM_QAB_COMP to the same user.
Table 168
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_QGM_STATUS_QAB | Quality Gate Management authorizations | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management | Work Center Access
SAP_SM_BUSINESS_PARTNER | Authorization for creating business partners | Projects
QGM Project Administrator (technical role name: SAP_QGM_ADMIN_COMP)
The QGM project administrator (project manager) is responsible for managing projects.
Table 169
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_CPR_PROJECT_ADMINISTRATOR | cProjects administration authorization | cProjects authorization
SAP_CPR_USER | cProjects user authorization | cProjects authorization
SAP_SM_QGM_ALL | Quality Gate Management full authorization | Projects
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers | Work Center Access
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management | Work Center Access
SAP_SOL_PROJ_ADMIN_ALL | Full authorization for project management | Projects
SAP_SM_BUSINESS_PARTNER | Authorization for creating business partners | Projects
Common Task Panel in the Work Center
The common task area contains links to applications that are often used:
● New Request for Change: see the scenario-specific guide for Change Request Management.
● New Defect Correction: see the scenario-specific guide for Change Request Management.
● New Maintenance Transaction: see the scenario-specific guide for Maintenance Optimizer.
● IT Service Management: see the scenario-specific guide for Change Request Management.
Related Links in the Work Center
The related links section of the work center lists all links that are possible for this work center. This collection is a recommendation of which additional applications could run in the respective scenarios. If you want the related links section to show only the links that the defined user is supposed to see, adapt the work center navigation role accordingly. For more information about adapting the related links section, see the How-to section.
● Schedule Manager: see the scenario-specific guide for Change Request Management.
● Configuration Validation: see the scenario-specific guide for Configuration Validation.
18.5.2 User Descriptions and User Roles in the Managed Systems
For some of the users working in SAP Solution Manager, you also need to assign authorizations in the corresponding managed systems:
● QGM Project Administrator (technical role name: SAP_CM_MANAGED_ADMIN)
● QGM Quality Manager (technical role name: SAP_CM_MANAGED_TESTER)
● QGM Quality Advisory Board Member (technical role name: SAP_CM_MANAGED_TESTER)
● QGM IT Operator (technical role name: SAP_CM_MANAGED_OPERATOR)
Note: All of these users additionally need authorization object S_RFCACL in the managed system to be able to use the trusted connection between the systems. Maintain S_RFCACL with the system ID and client of the SAP Solution Manager system and with RFC_EQUSER = Y (same user ID) rather than with wildcard values: a wildcarded S_RFCACL lets every user of every system that the managed system trusts act in it without a password.
18.5.3 Central CTS Integration: User Roles in the SAP Solution Manager
You can use central CTS with QGM. To be able to use this integration, assign the following roles to your SAP Solution Manager users. The roles are delivered as templates (suffix _TMPL): copy them into your namespace and adjust them before you assign them.
RFC Destinations
You require:
● the TMW RFC destination
● the TMS deploy destination
Change Manager - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_CH_MGR_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● make changes relating to previous Support Packages
The main critical authorization object is S_CTS_ADMI with value PROJ.
IT Operator - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_OPERAT_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● make changes relating to previous Support Packages
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
● change import queues
The main critical authorization object is S_CTS_ADMI with value PROJ.
QA Manager and Advisory Board - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_QA_MGR_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● make changes relating to previous Support Packages
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
Administrator - Transport Authorization (technical role name: SAP_BC_CCTS_QGM_ADMIN_TMPL)
This role allows the user to:
● create projects in CTS (system-specific and cluster-specific)
● create and delete import locks (system-specific and cluster-specific)
● make changes relating to previous Support Packages
● trigger imports (system-specific and cluster-specific)
● create, change, delete, and release collections (system-specific and cluster-specific)
● change import queues
The main critical authorization object is S_CTS_ADMI with value PROJ. When you copy these templates, keep CTS_ADMFCT restricted to the values the user actually needs; a wildcard in this field grants full administration of the Change and Transport System.
18.5.4 Critical Authorization Objects
This section gives an overview of the main authorization objects. For detailed information, see the SDN Wiki for Authorizations.
Authorization Object S_PROJ_GEN
The QGM roles contain authorization object S_PROJ_GEN with QGM-specific values.
Authorization Object S_TABU_DIS
The user roles for QGM contain authorization object S_TABU_DIS. Authorization group CRMC protects all relevant customizing views and customizing clusters for this scenario, so change access (ACTVT 02) to this group should be limited to the users who maintain the scenario customizing.
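The objects above, together with S_RFCACL from section 18.5.2 and the S_CTS_ADMI value PROJ from section 18.5.3, are the first things to look at when reviewing copied roles for this scenario. The following Python script is an added example and not part of this guide or of any SAP tool: it takes rows in the shape of table AGR_1251 (role, object, field, LOW, HIGH), here constructed inline for a few hypothetical Z_* roles, and flags wildcarded S_RFCACL trust, S_CTS_ADMI functions beyond PROJ, and change access to authorization group CRMC. The field names are SAP's; the role names, the sample values, and the rule that only PROJ is expected in CTS_ADMFCT are assumptions made for the example.

```python
"""Audit PFCG role authorizations (AGR_1251-style rows) for the critical
authorization objects of the QGM scenario.  Added example: all role names
and values below are constructed, not taken from a real system."""
from collections import defaultdict

# Constructed rows: (role, authorization object, field, LOW, HIGH)
SAMPLE_ROWS = [
    # Trusted-RFC role in a managed system, restricted to the Solution Manager
    # system SM1, client 001, same user ID (RFC_EQUSER=Y, RFC_USER blank)
    ("Z_CM_MANAGED_OPERATOR", "S_RFCACL", "RFC_SYSID", "SM1", ""),
    ("Z_CM_MANAGED_OPERATOR", "S_RFCACL", "RFC_CLIENT", "001", ""),
    ("Z_CM_MANAGED_OPERATOR", "S_RFCACL", "RFC_USER", " ", ""),
    ("Z_CM_MANAGED_OPERATOR", "S_RFCACL", "RFC_EQUSER", "Y", ""),
    ("Z_CM_MANAGED_OPERATOR", "S_RFCACL", "ACTVT", "16", ""),
    # Copied role where a failing trust check was "fixed" with wildcards
    ("Z_TRUST_ALL", "S_RFCACL", "RFC_SYSID", "*", ""),
    ("Z_TRUST_ALL", "S_RFCACL", "RFC_CLIENT", "*", ""),
    ("Z_TRUST_ALL", "S_RFCACL", "RFC_USER", "*", ""),
    ("Z_TRUST_ALL", "S_RFCACL", "RFC_EQUSER", "*", ""),
    ("Z_TRUST_ALL", "S_RFCACL", "ACTVT", "16", ""),
    # Central CTS operator role: PROJ is expected here, the other values are not
    ("Z_CCTS_QGM_OPERAT", "S_CTS_ADMI", "CTS_ADMFCT", "PROJ", ""),
    ("Z_CCTS_QGM_OPERAT", "S_CTS_ADMI", "CTS_ADMFCT", "IMPA", ""),
    ("Z_CCTS_QGM_OPERAT", "S_CTS_ADMI", "CTS_ADMFCT", "TABL", ""),
    # Scenario customizing (authorization group CRMC): change vs. display
    ("Z_QGM_CHANGE", "S_TABU_DIS", "DICBERCLS", "CRMC", ""),
    ("Z_QGM_CHANGE", "S_TABU_DIS", "ACTVT", "02", ""),
    ("Z_QGM_DISPLAY", "S_TABU_DIS", "DICBERCLS", "CRMC", ""),
    ("Z_QGM_DISPLAY", "S_TABU_DIS", "ACTVT", "03", ""),
]


def index_rows(rows):
    """role -> object -> field -> set of (LOW, HIGH) value pairs."""
    auths = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for role, obj, field, low, high in rows:
        auths[role][obj][field].add((low, high))
    return auths


def is_broad(values):
    """A full wildcard, a prefix wildcard or an interval matches more than one value."""
    return any(low == "*" or low.endswith("*") or bool(high) for low, high in values)


def audit_rfcacl(fields):
    findings = []
    for field in ("RFC_SYSID", "RFC_CLIENT", "RFC_USER"):
        if is_broad(fields.get(field, set())):
            findings.append(f"S_RFCACL {field} wildcarded: trust is not limited to one value")
    # Same-user trust only: RFC_EQUSER must be exactly Y (RFC_USER is then ignored)
    if {low for low, _ in fields.get("RFC_EQUSER", set())} != {"Y"}:
        findings.append("S_RFCACL RFC_EQUSER not restricted to Y: callers may act as another user")
    return findings


def audit_cts_admi(fields, allowed=frozenset({"PROJ"})):
    values = fields.get("CTS_ADMFCT", set())
    if is_broad(values):
        return ["S_CTS_ADMI CTS_ADMFCT wildcarded: full CTS administration"]
    extra = sorted(low for low, _ in values if low not in allowed)
    return [f"S_CTS_ADMI CTS_ADMFCT grants {', '.join(extra)} beyond PROJ"] if extra else []


def audit_tabu_dis(fields):
    groups = fields.get("DICBERCLS", set())
    actvt = fields.get("ACTVT", set())
    touches_crmc = is_broad(groups) or any(low == "CRMC" for low, _ in groups)
    can_change = is_broad(actvt) or any(low == "02" for low, _ in actvt)
    if touches_crmc and can_change:
        return ["S_TABU_DIS allows changing group CRMC (scenario customizing)"]
    return []


CHECKS = {"S_RFCACL": audit_rfcacl, "S_CTS_ADMI": audit_cts_admi, "S_TABU_DIS": audit_tabu_dis}


def audit_roles(rows):
    """Return {role: [finding, ...]} for every role with at least one finding."""
    report = {}
    for role, objects in index_rows(rows).items():
        findings = [f for obj, fields in objects.items() for f in CHECKS.get(obj, lambda _: [])(fields)]
        if findings:
            report[role] = findings
    return report


if __name__ == "__main__":
    for role, findings in sorted(audit_roles(SAMPLE_ROWS).items()):
        print(role)
        for finding in findings:
            print("  -", finding)
```

Run against a real export (for example a download of AGR_1251 filtered to your Z_* roles), the script reports Z_TRUST_ALL, Z_CCTS_QGM_OPERAT, and Z_QGM_CHANGE from the sample and stays silent for the two correctly restricted roles; a real review would also cover interval values in HIGH, which the example treats as broad without inspecting them.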
18.6 Scenario Integration
QGM covers the phase of your product life-cycle in which you approve the quality of the work done so far. In the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions that come into play in your daily business. The following sections describe the integration of QGM with other scenarios within SAP Solution Manager, and which user roles apply.
Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Change Request Management
If Q-Gates and phases are managed in QGM but the change process itself runs in Change Request Management, assign the Change Request Management role SAP_CM_ADMINISTRATOR_COMP in addition to the QGM role SAP_QGM_ADMIN_COMP.
Issue Management
Assign role SAP_ISSUE_MANAGEMENT_*_COMP in addition to your Administrator, Quality Manager, and Quality Advisory Board users.
19 Scenario-Specific Guide: Configuration Validation
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). Configuration Validation supports these processes: it enables you to determine whether the systems in your landscape are configured consistently and in accordance with your requirements. This guide gives you an overview of all security-related issues relevant to the Configuration Validation function.
Configuration Validation can run as a stand-alone application in work center Change Management, but also with user SAPSUPPORT immediately after the configuration of the managed systems is finished, see Landscape Setup Guide.
Figure 80: Configuration Validation Process
19.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 170
Support Package Stack (Version) | Description
SP05 | Technical System Landscape: added graphical overview
SP10 | End-User Roles: adapted role SAP_CV_ALL (with authorization object S_TCODE: CCDB)
19.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends and which user roles SAP delivers for them. This includes a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: following the life-cycle approach, the various scenarios integrate with each other. Here, you find out which authorizations you need to assign to your users in these cases.
19.3 Prerequisites
To use configuration validation, you need to have Root Cause Analysis configured, see Landscape Setup Guide.
Technical System Landscape
Figure 81: Technical Landscape Overview
19.4 Users and Authorizations
19.4.1 User Descriptions and User Roles in the SAP Solution Manager
This section gives an overview of the users recommended by SAP and the corresponding user role assignments for Configuration Validation. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. You may still want to restrict access and/or authorizations for a particular user. Access to the navigation panel is restricted by authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.
Figure 82: Change Management Work Center
The tables below show which single roles are included in the respective composite roles. In the work center, you find the Configuration Validation function in the Related Links section.
Administrator (technical role name: SAP_CV_ADMIN_COMP)
The administration user:
● has access to work center Change Management
● has access to the Report Directory
● can read user data in the User ConfigStore, if the corresponding authorization is active
● can display BI reports
Table 171
Single Role | Remarks
SAP_CV_ALL | Full authorization for Configuration Validation, especially Report Directory. Note: Authorization object AI_CCDB_SC is set inactive in this role. The authorization restricts access to the User ConfigStores and therefore to security-relevant data. If you allow your administration user to read this data, set the authorization object active in the role.
SAP_SYSTEM_REPOSITORY_DIS | Display authorization for System Repository (LMDB)
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management
SAP_BI_E2E | BI reporting authorizations. Caution: If the BI scenario is remote, this role and SAP_SM_BI_ADMIN have to be assigned to the BI user in the remote system, together with authorization object S_RFCACL.
SAP_SM_BI_ADMIN | BI reporting authorizations (see the caution for SAP_BI_E2E)
Display User (technical role name: SAP_CV_DISPLAY_COMP)
The display user:
● has access to work center Change Management
● has display access to the Report Directory
● can display BI reports
Table 172
Single Role | Remarks
SAP_CV_DIS | Display authorization for Configuration Validation, especially Report Directory
SAP_SYSTEM_REPOSITORY_DIS | Display authorization for System Repository (LMDB)
SAP_SMWORK_BASIC_CHANGE_MAN | Basic authorizations for work centers
SAP_SMWORK_CHANGE_MAN | Access to work center Change Management
SAP_BI_E2E | BI reporting authorizations. Caution: If the BI scenario is remote, this role and SAP_SM_BI_DISP have to be assigned to the BI user in the remote system, together with authorization object S_RFCACL.
SAP_SM_BI_DISP | BI reporting authorizations (see the caution for SAP_BI_E2E)
Common Task Panel in the Work Center
The common task area contains links to applications that are often used:
● New Request for Change: see the scenario-specific guide for Change Request Management.
● New Defect Correction: see the scenario-specific guide for Change Request Management.
● New Maintenance Transaction: see the scenario-specific guide for Maintenance Optimizer.
● IT Service Management: see the scenario-specific guide for Change Request Management.
Related Links in the Work Center
The related links section of the work center lists all links that are possible for this work center. This collection is a recommendation of which additional applications could run in the respective scenarios. If you want the related links section to show only the links that the defined user is supposed to see, adapt the work center navigation role accordingly. For more information about adapting the related links section, see the How-to section.
● Schedule Manager: see the scenario-specific guide for Change Request Management.
● Configuration Validation: you need one of the composite roles stated above, depending on the user description of the user.
19.5 Critical Authorizations
The following authorization objects are checked for Configuration Validation:
AI_CCDB_SC (Store Content)
The Configuration Change Database (CCDB), transaction CCDB, contains the configuration data of the managed systems in so-called ConfigStores. Authorization object AI_CCDB_SC controls which protected ConfigStore content a user can access. Only ConfigStores that are defined as protected are checked; all unprotected ConfigStores are available to all users. Refer to the CCDB documentation on how to protect a ConfigStore. Because an unprotected store is readable by every user of the application, make sure that every store holding security-relevant data, such as the User ConfigStore, is defined as protected.
Note: If you use RFC BI_CALLBACK with scenario Configuration Validation, activate authorization object AI_CCDB_SC to be able to read data from the User ConfigStore.
AI_CCDB_CU
A few ConfigStores have customizing that influences the content of the ConfigStore. This authorization object restricts access to that customizing.
19.6 System Recommendations
The System Recommendations view in the work center allows you to:
● see a list of SAP Notes relevant for a dedicated technical system
● create a Maintenance Transaction from it
● integrate with Maintenance Optimizer, Change Request Management, and Configuration Validation
The individual tabs for SAP Notes can be restricted (authorization object SM_FUNCS).
The following roles are needed in addition to the existing composite roles for Change Request Management, Maintenance Optimizer, or Configuration Validation:
Administrator (technical role name: SAP_SYSTEM_RECOMMEND_COMP)
Security Notes can only be displayed if the user has this role and its authorizations. The administrator user is allowed to:
● access the Change Management work center
● edit the System Recommendations tabs
Mapping: Roles and Navigation Panel
Table 173
Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_SYSREC_ALL | Authorization for System Recommendations tab | System Recommendations
SAP_SM_SOLUTION_ALL | Authorization for solutions | System Recommendations
SAP_SYSTEM_REPOSITORY_ALL | Authorization for systems, hosts, and so on | System Recommendations
SAP_SMWORK_BASIC_CHANGE_MAN | Contains full authorization for work center-related functions | Work Center
SAP_SMWORK_CHANGE_MAN | Allows access to the Change Management work center | Work Center
Note: In addition, a display role is shipped, but it is currently not supported.
20 Scenario-Specific Guide: Implementation and Upgrade
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all security-related issues relevant to the scenario Implementation and Upgrade, and to additional functions such as business functions, customizing distribution, and so on.
20.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 174
Support Package Stack (Version) | Description
SP05 | End User Roles: shipped changes in role SAP_CDMC_MASTER. For detailed information, see the description tab in the roles.
SP05 | External Integration: new integration with Business Process Blueprinting Tool (BPB), see section on External Integration.
SP05 | Authorization Objects: authorization object S_CTS_ADMI is set inactive in all roles, see section on Authorization Objects.
SP05 | Configuration: check SAP Note 1699667 if you use Roadmaps and MS Office 2010.
SP06 | CDMC: shipped new role SAP_SM_CDMC_INT for integration with BPCA (authorization object SM_BPCA). For detailed information, see the description tab in the roles.
SP08 | CDMC: roles SAP_CDMC_MASTER and SAP_CDMC_USER were adapted due to authorization object value changes. For more information, see the description tab in the specified roles.
SP10 | End User Roles: added role SAP_CPR_USER to composite role SAP_SOL_PM_COMP (Project Manager) for cProjects integration. If your user needs project administration, role SAP_CPR_PROJECT_LEAD must be added as well. For detailed information, see the description tab in the roles.
SP10 | CDMC: adapted CDMC authorization roles; new role for critical authorizations for CDMC result list usage: SAP_CDMC_CRITICAL_AUTH, see section on Additional Function: CDMC.
SP11 | Scenario Integration: SEA integration into the work center.
SP12 | CDMC: adapted CDMC authorization roles for managed systems with SAP_BASIS >= 7.00: SAP_CDMC_MASTER and SAP_CDMC_USER (delivered with ST-PI).
SP12 | Roadmap: Roadmap is delivered as a SAPUI5 application. Adapted role SAP_RMMAIN_* (see description in the role). For more information on SAPUI5, see section on Additional Security Issues.
20.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Additional links can be found in the core guide.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users we recommend and which user roles we deliver for them. This includes a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).
● Roles for Additional Functions: find out about roles and authorizations for functions which complete the core functions and authorizations.
● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.
● External Integration: find out about prerequisites, users, and roles for external functions such as HP Quality Center, and so on.
20.3 Prerequisites
20.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete Implementation and Upgrade scenario. SAP Solution Manager is connected to your managed systems via the READ, TRUSTED, and TMW RFC destinations, and your managed systems are connected to SAP Solution Manager via the BACK RFC destination. TREX and IGS are connected to the ABAP stack via dedicated RFC connections. Optionally, you can attach a third-party product such as SAP Productivity Pak to SAP Solution Manager via dedicated destinations. The following sections describe all connections in more detail, when they are used, and which technical users are required.
Figure 83: Implementation and Upgrade
20.3.2 Configuration
Basic Configuration SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to use the basic functions of the Implementation and Upgrade scenario, such as:
● Project Administration
● Business Blueprint (including graphics)
● Configuration (including graphics)
● using the Solution Directory (including graphics)
Note: Check SAP Note 1699667 if you use Roadmaps and MS Office 2010.
Scenario Configuration SPRO
If you want to add other functions for Implementation, you can configure them using the Implementation Guide (IMG) in transaction SPRO.
Figure 84: Transaction SPRO
Roles
There are no specific configuration roles for using transaction SPRO. You can, however, create your own configuration roles. For more information, see the corresponding How-to Guide.
20.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 175
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update of the route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
SAP Productivity Pak by RWD | SOAP over HTTP(S) | External Integration: Document Management
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 176
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | Customer-specific | Customer-specific | - | -
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data of assigned objects in transactions SOLAR*; read BC Set activation log
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Customer-specific (the calling user, via the trust relationship) | Necessary for CDMC, Customizing Synchronization, BC Set content activation, IMG project/view creation
SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed system | System-specific | System-specific | Default user: SMTM<SID of Solution Manager system> | Used only for the Custom Development Management Cockpit (CDMC) connection to productive systems, see section on additional functions
RFC Connection from Managed System to SAP Solution Manager
Table 177
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | SMB_<managed system ID> | For Help Center function | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
HELP_CENTER_TO_SOLMAN | Solution Manager system | Customer-specific | Customer-specific | Customer-specific | For write access to Knowledge Warehouse in Solution Manager | Transaction SU01
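The naming convention and the logon users in the two tables above are what a reviewer checks in transaction SM59 after SOLMAN_SETUP has run. The script below is an added example and not part of this guide or of SOLMAN_SETUP: it takes destination records of the kind you could export from SM59 (here constructed inline, with SM1 assumed as the SID of the SAP Solution Manager system) and reports destinations whose logon user does not match the convention, TRUSTED destinations that carry a fixed user instead of the calling user, and LOGIN destinations with a stored password. The record fields, the hypothetical ZZ_* destination, and the exact name pattern are assumptions made for the example.

```python
"""Check SM59 destinations generated for managed systems against the naming and
logon-user convention of this guide.  Added example: records are constructed."""
import re

SOLMAN_SID = "SM1"  # assumed SID of the SAP Solution Manager system

# SM_<SID>CLNT<client>_<kind>; <SID> is the managed system (for BACK, the Solution Manager)
NAME_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>LOGIN|READ|TRUSTED|TMW|BACK)$"
)

# Logon users that SOLMAN_SETUP generates for the destinations with stored credentials
EXPECTED_USER = {"READ": f"SM_{SOLMAN_SID}", "TMW": f"SMTM{SOLMAN_SID}"}

# Constructed records: destination name, logon user, whether a password is stored,
# whether the trust flag is set, whether "current user" logon is selected
SAMPLE_DESTINATIONS = [
    {"name": "SM_ERPCLNT100_READ", "user": "SM_SM1", "password_stored": True, "trusted": False, "current_user": False},
    {"name": "SM_ERPCLNT100_TMW", "user": "SMTMSM1", "password_stored": True, "trusted": False, "current_user": False},
    {"name": "SM_ERPCLNT100_TRUSTED", "user": "", "password_stored": False, "trusted": True, "current_user": True},
    {"name": "SM_ERPCLNT100_LOGIN", "user": "", "password_stored": False, "trusted": False, "current_user": False},
    # Deviations: a trusted destination pinned to an admin user, a READ destination
    # running as DDIC, and a hand-made destination outside the naming convention
    {"name": "SM_CRMCLNT200_TRUSTED", "user": "BASIS_ADMIN", "password_stored": True, "trusted": True, "current_user": False},
    {"name": "SM_CRMCLNT200_READ", "user": "DDIC", "password_stored": True, "trusted": False, "current_user": False},
    {"name": "ZZ_OLD_ERP_LINK", "user": "SM_SM1", "password_stored": True, "trusted": False, "current_user": False},
]


def check_destination(dest):
    """Return the findings for one destination (empty list if it follows the convention)."""
    name = dest["name"]
    match = NAME_RE.match(name)
    if not match:
        return [f"{name}: not a SOLMAN_SETUP name, review manually"]
    kind = match.group("kind")
    findings = []
    expected = EXPECTED_USER.get(kind)
    if expected and dest["user"] != expected:
        findings.append(f"{name}: logon user {dest['user']!r}, expected {expected}")
    if kind == "BACK" and not dest["user"].startswith("SMB_"):
        findings.append(f"{name}: logon user {dest['user']!r}, expected SMB_<managed SID>")
    if kind == "TRUSTED":
        if not dest["trusted"]:
            findings.append(f"{name}: trust flag not set")
        # A fixed user here means every Solution Manager user acts in the managed
        # system as that user, and S_RFCACL there no longer ties the call to the caller
        if dest["user"] or dest["password_stored"] or not dest["current_user"]:
            findings.append(f"{name}: fixed logon user on a trusted destination")
    if kind == "LOGIN" and dest["password_stored"]:
        findings.append(f"{name}: dialog destination should prompt for credentials")
    return findings


def audit_destinations(destinations):
    """{destination name: [finding, ...]} for every destination with findings."""
    report = {}
    for dest in destinations:
        findings = check_destination(dest)
        if findings:
            report[dest["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_destinations(SAMPLE_DESTINATIONS).items():
        for finding in findings:
            print(finding)
```

On the sample, the three deviating destinations are reported and the four generated ones pass. The TRUSTED check is the one worth keeping in any real review: a trusted destination with a stored user turns the per-user S_RFCACL check in the managed system into a single shared identity for everyone who can reach the destination.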
TREX RFC Connections
Table 178
RFC Destination Name | Activation Type | How Created
TREX_<server> (ABAP connection) | Registered Server Program (program TREXRfcServer_<instance number>) | Manually in transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO)
IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) | -
IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) | -
Internet Graphics Server (IGS) RFC Connection
Table 179
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59
20.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Implementation and Upgrade scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 180
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System user | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you also need to change it in the RFC destination in the Solution Manager system.
User for SAP RWD Info Pak
Table 181
User (Password) | Type | Remarks
RWD InfoPak integration user | Communication user | Technical user for the web service; assigned role SAP_RWD_INTERFACE
User for Access in Managed Systems for CDMC
You use the TMW RFC connection for CDMC productive systems. For systems other than the productive system in CDMC, that is, quality acceptance systems (QA systems), development systems (DEV systems), and test and upgrade systems (sandbox / reference systems), analysis activities are executed via the TRUSTED RFC connection.
User for Change Management Connection in managed systems

Table 182

User | User Type | Remarks
--- | --- | ---
SMTM<SID of Solution Manager system> (system-specific) | System User | Technical User "TMW User", assigned role: <namespace>_SOLMAN_TMW. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
20.4 Users and Authorizations
To enable your users to work with the application, you need to assign them authorizations in the SAP Solution Manager system and in the managed systems.
When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the corresponding roles.
Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.
Roles for Implementation and Upgrade are predefined Composite Roles (technical abbreviation: *_COMP) for users such as Project Manager (technical abbreviation: *_PM_*) or Technical Consultant (technical abbreviation: *_TC_*). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 85: Implementation Process
20.4.1 User Descriptions and User Roles in the SAP Solution Manager
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for implementation and upgrade. All users are assigned a composite role, which contains a number of single roles.
Note: Apart from implementation-relevant authorizations, each composite role also contains authorizations for Test Management. These roles are explained in more detail in the scenario-specific guide for Test Management.
The suggested users are restricted with regard to all additional authorizations, such as the upgrade dependency analyzer or customizing distribution, BC-Set-related activities, managing issues, creating service messages, executing CDMC-related activities, and so on. For these additional authorizations, see the sections on Additional Authorizations, Scenario Integration, and External Integration.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information on user interface authorizations, see core security guide.
Figure 86: Work Center Implementation and Upgrade
The following tables give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the respective single role is required. As the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not listed separately.
Project Manager (technical role name: SAP_SOL_PM_COMP)
The Project Manager is responsible for organization and project planning, for the realization of the desired project results and the daily management of the project. They anticipate deviations from the project direction and carry out the necessary corrective measures immediately. Project Managers should understand the integration of the business processes within the enterprise. They are also members of the steering committee, and have decision-making authority in matters concerning the program and budget. The Project Manager forwards strategic questions to the sponsor to make joint decisions. Project Managers are allowed to:
● access the Implementation work center and Test Management work center
● set up projects
● maintain roadmaps
● maintain system landscape data
● maintain solutions
● maintain business blueprint and business configuration
● execute all test-related activities
● create transport requests
● maintain training materials
● create a service desk message
● use cPro integration
Single roles included in composite role

Table 183

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. | Plan, Reports
SAP_SMSY_ALL | Contains full authorizations you need for maintaining the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance the check out/check in function (solution to maintenance project and maintenance project to solution). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and the maintenance of solutions on the solution settings tab. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management. Note: Project administration allows entering an e-mail address and phone number without separate authorization for user management. | Projects, Evaluate, Plan, Reports
SAP_SOL_TRAINING_ALL | Contains full authorization for Learning Maps access. | Build, Reports
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration. |
SAP_CPR_USER | Contains cPro integration authorizations. | Projects
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_STCE_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_2_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_INFO_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_SET_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_WORK_ALL | Caution: Only relevant for Test Management. |
SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management. |
SAP_SMWORK_ITEST | Caution: Only relevant for Test Management. |
SAP_SUPPDESK_CREATE | Authorization to create a service desk message. | If the following functions are used: Roadmap, Business Blueprint, Configuration
Application Consultant (technical role name: SAP_SOL_AC_COMP)
Application consultants are responsible for making sure that the Business Blueprint and software configuration are tailored to the business processes and that analysis and report requirements are fulfilled. They use their knowledge of proven business procedures to support them in these tasks. Application consultants also function as advisers and work closely with the rest of the project team. They also work in close cooperation with legacy system experts, when extraction of legacy data is necessary. The application consultant is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● maintain roadmaps
● display system landscape data
● maintain solutions
● maintain business blueprint and business configuration
● execute all test-related activities
● create transport requests
● maintain training materials
● create a service desk message
● display BW reports for Test Management
Single roles included in composite role

Table 184

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance the check out/check in function (solution to maintenance project and maintenance project to solution). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and the maintenance of solutions on the solution settings tab. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_SOL_TRAINING_EDIT | Contains full authorization for Learning Maps access. | Build, Reports
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration. |
SAP_STCE_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_2_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_INFO_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_SET_ALL | Caution: Only relevant for Test Management. |
SAP_STWB_WORK_ALL | Caution: Only relevant for Test Management. |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management. |
SAP_SMWORK_ITEST | Caution: Only relevant for Test Management. |
SAP_SUPPDESK_CREATE | Full authorization to create a service desk message. | If the following functions are used: Roadmap, Business Blueprint, Configuration
Technical Consultant (technical role name: SAP_SOL_TC_COMP)
Technical consultants plan the technical requirements for a project with the project manager and the manager of the technical team and then carry out the required technical tasks in the system. Depending on the scope and complexity of the implementation, technical consultants may work in several areas, for example, system administration, database administration, network administration, operating system administration, development of cross-application components, or ABAP development. The technical consultant is allowed to:
● access the Implementation work center
● display projects
● maintain roadmaps
● maintain system landscape data
● display solutions
● create transport requests
Single roles included in composite role

Table 185

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. | Plan, Reports
SAP_SMSY_ALL | Contains full authorizations you need for maintaining the system landscape in transaction SMSY, including logical components. | All views
SAP_SMSY_ACC_RFC | Adaptive Computing role. |
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration. |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
Basis/Development Consultant (technical role name: SAP_SOL_BC_COMP)
Development consultants work with the project manager and the application consultant on the planning and organization of the authorization concept. They also perform development tasks and customer-specific developments. The Basis/Development consultant is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● maintain roadmaps
● display system landscape data
● display solutions
● maintain business blueprint and business configuration
● execute test-related activities, except for administrative tasks
● create transport requests
● create a service desk message
Single roles included in composite role
Table 186

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_EXE | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_EXE | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Only necessary if an IMG project is created in the managed system from within Project Administration. |
SAP_STWB_2_DIS | Caution: Only relevant for Test Management. |
SAP_STWB_INFO_DIS | Caution: Only relevant for Test Management. |
SAP_STWB_WORK_DIS | Caution: Only relevant for Test Management. |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management. |
SAP_SMWORK_ITEST | Caution: Only relevant for Test Management. |
SAP_SUPPDESK_CREATE | Full authorization to create a service desk message. | If the following functions are used: Roadmap, Business Blueprint, Configuration
Display User (technical role name: SAP_SOL_RO_COMP)
The display user is allowed to access the Implementation work center and Test Management work center, and to display:
● projects
● roadmaps
● system landscape data
● solutions
● business blueprint and business configuration
● BW reports for Test Management
Single roles included in composite role
Table 187

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_DIS | Contains authorization for displaying roadmaps. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_DIS | Contains display authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_STCE_DIS | Caution: Only relevant for Test Management. |
SAP_STWB_INFO_DIS | Caution: Only relevant for Test Management. |
SAP_STWB_2_DIS | Caution: Only relevant for Test Management. |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management. |
SAP_SMWORK_ITEST | Caution: Only relevant for Test Management. |
Read-Only User (According to Document Status) (technical role name: SAP_SOL_RE_COMP)
The read-only user is allowed to access the Implementation work center and Test Management work center, and to display:
● projects
● roadmaps
● system landscape data
● solutions
● business blueprint and business configuration
● test-related activities
Note: In contrast to the display user, the read-only user can access documents according to the customizing of the document status.
Single roles included in composite role
Table 188

Single Role | Remarks | Mapping to Navigation Panel of Work Center
--- | --- | ---
SAP_RMMAIN_READ | Contains authorization for roadmaps according to the document status. | Plan, Reports
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | All views
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Evaluate, Build, Going Live Preparation, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Projects, Plan, Build, Reports
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. | Projects, Plan, Build, Reports
SAP_SOL_KW_READ | Contains authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) according to the document status. | Projects, Plan, Build, Reports
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Projects, Evaluate, Plan, Reports
SAP_STWB_INFO_READ | Caution: Only relevant for Test Management. |
SAP_STWB_2_READ | Caution: Only relevant for Test Management. |
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for implementation. | Work Center Access
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_BASIC_TEST_MAN | Caution: Only relevant for Test Management. |
SAP_SMWORK_ITEST | Caution: Only relevant for Test Management. |
Common Task Panel in the Work Center
The common task area contains links for applications that are often used:
Note: The authorizations for system landscape maintenance must always be assigned. These authorizations are contained in role SAP_SMSY_*. If you jump from the main application to another application, you need to assign additional roles, depending on the application which is integrated.
Show Roadmap
To show roadmaps, you need roadmap authorizations contained in role SAP_RMMAIN_*, project authorizations contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorizations contained in role SAP_SOL_KW_*.
Maintain Project
To maintain projects, you need project authorizations contained in role SAP_SOL_PROJ_ADMIN_*.
Maintain Business Blueprint
To maintain the Business Blueprint, you need authorization for transaction SOLAR01 contained in role SAP_SOLAR01_*. In addition, you need project authorization contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorization contained in role SAP_SOL_KW_*.
Configure Business Processes
To configure business processes, you need authorization for transaction SOLAR02 contained in role SAP_SOLAR02_*. In addition, you need project authorization contained in role SAP_SOL_PROJ_ADMIN_*, and document management authorization contained in role SAP_SOL_KW_*.
Manage Issues
See section Scenario Integration.
Related Links in the Work Center
In the related links section in the work center, you find all possible links for this work center. However, the user is not able to run some of the applications, since the corresponding authorizations are not included in the defined user roles but in additional roles, see section Additional Functions. This link collection is a recommendation of which additional applications could be run in the respective scenarios. If you want the related links section to display only those links that the defined user is meant to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-To section.
System Data, System Transfer
Requires system landscape infrastructure authorizations included in role SAP_SMSY_*.
Project Administration
Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*
Copy Projects and Solutions
Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*, and authorizations for solutions included in role SAP_SM_SOLUTION_*.
Learning Maps
Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*, authorizations for solutions included in role SAP_SM_SOLUTION_*, and authorization for learning maps included in role SAP_SOL_TRAINING_*.
Custom Development Management Cockpit
See section User Roles for Additional Functions
20.4.2 User Descriptions and User Roles in Managed Systems
In the managed system, you need to assign the corresponding application-specific authorizations to the user. For more information, see the applicable security guide for the relevant application.
20.4.3 Main Authorization Objects
The following section gives you information about main authorization objects. For detailed information, see SDN Wiki for Authorizations.
Blueprint/Configuration Authorization Object AI_SA_TAB
Authorization Object AI_SA_TAB allows you to restrict change access to the individual tabs. If you want to make tabs generally invisible for users, you need to set this feature in the project administration transaction SOLAR_PROJECT_ADMIN for tab access. You can also restrict members for a project in this transaction. The combination of assignment of users in the project administration with authorization object S_PROJECT (general restriction on projects) and authorization object AI_SA_TAB allows you to fine tune authorizations.
You can also set user specific settings for individual users in transaction SU01.
Blueprint/Configuration Authorization Object AGS_BOATTR
This object allows you to control the locking of business object attributes.
Roadmap Authorization Object S_AIRMTAB
Similar to the authorization object AI_SA_TAB for transactions SOLAR01 and SOLAR02, authorization object S_AIRMTAB restricts access to the tabs in transaction RMMAIN.
Note: The tab Service Plan only appears with node type Service Session.
Document Management Authorization Object S_IWB
The main authorization object that restricts access to documents is S_IWB. Important fields, which are prefilled by default, are the area IWB_AREA with the values IWBASAP (AcceleratedSAP) and IWBSOLAR (Solution Manager), and the folder group IWB_FLDGRP. The folder group defines for which function documents are restricted. In role SAP_SOL_KW_*, you will find that the object has many versions, with only two active:
● no folder group assigned
● 'SAP' enhancement assigned
Figure 87: S_IWB in role SAP_SOL_KW_ALL
The active maintenance of the object allows full authorization for all folders. If you want to restrict usage, deactivate this maintenance and activate the respective other one. The following uses of the S_IWB object are set inactive in the template role:
● Authorization for folder group BPRFOLDERS for the Business Process Repository
● Authorization for folder groups SAPTWBTESTNOTES and TEMPLATES for Test Management functions
● Authorization for folder group HELP_CENTER for Help center functionality
The system saves Solution Manager documents in folders. You can control the access rights to documents in the project by assigning authorizations for groups of documents in the Knowledge Warehouse of SAP Solution Manager; for instance, you can specify that only the project management can change documentation templates.
Figure 88: IMG transaction SPRO
Example Problem: Document Management: Unlock Documents
You want to allow a user to unlock documents which are locked by a status schema.
This can be controlled with the authorization object S_IWB and the activity 95.
Documents remain locked during the signature procedure.
Example Problem: Document Management: Restrict Project
You want users who are assigned to a project to only be able to search for, edit, or display the documents of this project.
This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group that is assigned to the project by name, for instance the folder group with the name XYZ. You restrict the following authorization objects:
● S_PROJECT with field PROJECT_ID
● S_IWB and S_IWB_ATTR with field IWB_FLDGRP
Digital Signature C_SIGN_BGR
Note: In the system, users can maintain their Own Data via the menu path System > User Profile > Own Data. This includes the maintenance of SSF settings on tab Address, button Other Communication. If you use Digital Signature, you should restrict the authorization to maintain these data for all relevant users (authorization object S_TCODE, transaction SU3).
Example Problem: Digital Signature: Restrict by Authorization Group
User A can sign for the authorization group PROD (production), but not for the authorization group QUAL (quality assurance).
Solution: In role SAP_SOL_KW_*, the user has the authorization value PROD for field SIGNAUTH, in authorization object C_SIGN_BGR.
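The three example problems above (unlocking with activity 95, restricting documents to a project with S_PROJECT plus S_IWB / S_IWB_ATTR, and signing by authorization group with C_SIGN_BGR) can be traced through a small model of the ABAP authority check. This is an added illustration, not part of the guide or SAP's code: the user buffers are constructed values rather than the shipped SAP_SOL_KW_* role content, ACTVT is assumed as the standard activity field (the guide names only the activity value 95), and the full authorization is modelled as '*' values.

```python
"""Model of the ABAP authority check, used to trace the guide's example problems.

Constructed example (not SAP code, not the shipped SAP_SOL_KW_* role content).
The check follows the documented rule that ALL fields of ONE authorization
instance must match; any matching instance of the object in the user's buffer
is sufficient. Field name ACTVT is assumed as the standard activity field.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Authorization:
    """One authorization instance: object name plus field -> permitted values.
    '*' permits any value; a trailing '*' is a generic (prefix) value."""
    obj: str
    fields: Dict[str, List[str]]


def value_allowed(permitted: List[str], actual: str) -> bool:
    return any(
        p == "*" or p == actual or (p.endswith("*") and actual.startswith(p[:-1]))
        for p in permitted
    )


def authority_check(buffer: List[Authorization], obj: str, **wanted: str) -> bool:
    """True if at least one instance of `obj` permits every requested field value.
    A field that is requested but absent from an instance fails that instance."""
    return any(
        auth.obj == obj
        and all(value_allowed(auth.fields.get(f, []), v) for f, v in wanted.items())
        for auth in buffer
    )


# "Restrict Project": documents of project XYZ live in folder group XYZ, so both
# S_PROJECT (PROJECT_ID) and S_IWB / S_IWB_ATTR (IWB_FLDGRP) are restricted to XYZ.
# Activities: 02 change, 03 display, 95 unlock (as named in the guide).
def can_edit_document(buffer, project_id: str, folder_group: str) -> bool:
    return (
        authority_check(buffer, "S_PROJECT", PROJECT_ID=project_id)
        and authority_check(buffer, "S_IWB", IWB_AREA="IWBSOLAR",
                            IWB_FLDGRP=folder_group, ACTVT="02")
        and authority_check(buffer, "S_IWB_ATTR", IWB_FLDGRP=folder_group)
    )


def can_unlock_document(buffer, folder_group: str) -> bool:
    """"Unlock Documents": S_IWB with activity 95."""
    return authority_check(buffer, "S_IWB", IWB_AREA="IWBSOLAR",
                           IWB_FLDGRP=folder_group, ACTVT="95")


def can_sign(buffer, auth_group: str) -> bool:
    """"Restrict by Authorization Group": C_SIGN_BGR, field SIGNAUTH."""
    return authority_check(buffer, "C_SIGN_BGR", SIGNAUTH=auth_group)


# Constructed user buffers (what role assignment would put in the user's buffer).
PROJECT_MEMBER = [  # user A: project XYZ only, change but no unlock, signs PROD only
    Authorization("S_PROJECT", {"PROJECT_ID": ["XYZ"]}),
    Authorization("S_IWB", {"IWB_AREA": ["IWBSOLAR"], "IWB_FLDGRP": ["XYZ"],
                            "ACTVT": ["02", "03"]}),
    Authorization("S_IWB_ATTR", {"IWB_FLDGRP": ["XYZ"]}),
    Authorization("C_SIGN_BGR", {"SIGNAUTH": ["PROD"]}),
]
DOC_ADMIN = [  # full document authorization, modelled here as '*' values
    Authorization("S_PROJECT", {"PROJECT_ID": ["*"]}),
    Authorization("S_IWB", {"IWB_AREA": ["*"], "IWB_FLDGRP": ["*"], "ACTVT": ["*"]}),
    Authorization("S_IWB_ATTR", {"IWB_FLDGRP": ["*"]}),
]
# Two S_IWB instances that must NOT combine: change rights on ABC plus display
# rights on XYZ do not add up to change rights on XYZ, because all fields are
# matched within a single instance.
SPLIT_USER = [
    Authorization("S_PROJECT", {"PROJECT_ID": ["XYZ", "ABC"]}),
    Authorization("S_IWB", {"IWB_AREA": ["IWBSOLAR"], "IWB_FLDGRP": ["ABC"], "ACTVT": ["02"]}),
    Authorization("S_IWB", {"IWB_AREA": ["IWBSOLAR"], "IWB_FLDGRP": ["XYZ"], "ACTVT": ["03"]}),
    Authorization("S_IWB_ATTR", {"IWB_FLDGRP": ["XYZ", "ABC"]}),
]

if __name__ == "__main__":
    print("member edits XYZ document:", can_edit_document(PROJECT_MEMBER, "XYZ", "XYZ"))
    print("member edits ABC document:", can_edit_document(PROJECT_MEMBER, "ABC", "ABC"))
    print("member unlocks / admin unlocks:",
          can_unlock_document(PROJECT_MEMBER, "XYZ"), can_unlock_document(DOC_ADMIN, "XYZ"))
    print("user A signs PROD / QUAL:", can_sign(PROJECT_MEMBER, "PROD"), can_sign(PROJECT_MEMBER, "QUAL"))
    print("split user edits XYZ document:", can_edit_document(SPLIT_USER, "XYZ", "XYZ"))
```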
Authorization Object S_CTS_ADMI
The authorization object is set inactive in all roles due to its critical nature. If you need to allow changes in transaction SCCA, you must activate this authorization object.
20.5 User Roles for Additional Functions
20.5.1 User Roles for Roadmap Definition
Before defining your business processes in a project, you can define a roadmap for your project or adapt a roadmap delivered by SAP to your purposes. To do this, you need to have the implementation authorization described earlier, plus additional authorizations. The following table outlines which additional user roles and authorizations you need to use the roadmap definition functionality.
User roles for roadmap definition

Table 189

Roles | Remarks
--- | ---
SAP_RMDEF_RMAUTH_EXE | For administration: change roadmaps
SAP_RMDEF_RMAUTH_DIS | For display: display roadmaps
20.5.2 User Roles for Activation of Business Functions
Within the implementation and upgrade, you have the option to evaluate business functions residing in the managed systems and also activate the business function from within the SAP Solution Manager. To do this, you need to have implementation authorization as described earlier, and additional authorizations. In the following tables we outline, which additional user roles and authorizations, you need to use the functionality for business functions.
Authorizations in SAP Solution Manager System
You can use the user roles for implementation and upgrade, which include authorization object AI_SA_TAB with authorization for tab Business Functions. This authorization object restricts access to any of the tabs for the business blueprint and configuration in transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY.
In addition, you need to assign authorization object S_SWITCH to the users in both systems, SAP Solution Manager and the managed system. This authorization allows activating a business function and should only be assigned to dedicated users. The authorization object is not included in any of the roles delivered with SAP Solution Manager; see the section in the How-to Guides on how to create your own role for this object.
Authorizations in the Managed System
If you want to activate business functions in the managed system, you need to assign authorization object S_SWITCH to the users in both systems, SAP Solution Manager and the managed system. This authorization allows activating a business function and should only be assigned to dedicated users. The authorization object is not included in any of the roles delivered with SAP Solution Manager; see the section in the How-to Guides on how to create your own role for this object. We also advise assigning roles for the switch framework transactions SFW*.
In addition, you must assign role SAP_SM_BUSINESS_FUNCTION to the users. This role contains the read authorizations for the required function groups and Test Workbench objects.
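The three rules stated above for this section (signing restricted to one authorization group via C_SIGN_BGR/SIGNAUTH, S_CTS_ADMI kept inactive, S_SWITCH granted only in dedicated roles) can be verified against an export of role authorization data rather than by opening every role in PFCG. The following Python script is an added example and is neither part of this guide nor SAP software. It works on constructed rows in the column layout of table AGR_1251 (role, object, field, low, high); the `inactive` flag standing in for the PFCG status of an authorization, the field name ACTVT used for the S_SWITCH sample row, and the customer roles named Z_* are assumptions.

```python
"""Audit role authorization data for the critical objects named in the text.

Added example, not SAP code. Rows mimic the columns of table AGR_1251 as
exported with SE16; all rows are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRow:
    role: str
    obj: str        # authorization object, e.g. C_SIGN_BGR
    fld: str        # authorization field, e.g. SIGNAUTH
    low: str        # single value, "*" or a prefix pattern such as "PR*"
    high: str = ""  # upper bound when the row is a range
    inactive: bool = False  # assumption: authorization set inactive in PFCG


# Constructed sample export: two signature roles limited to one group each,
# one custom wildcard signature role, S_CTS_ADMI inactive in a delivered-style
# role but active in a custom one, and S_SWITCH granted in two custom roles.
SAMPLE_ROWS = [
    AuthRow("SAP_SOL_KW_PROD", "C_SIGN_BGR", "SIGNAUTH", "PROD"),
    AuthRow("SAP_SOL_KW_QUAL", "C_SIGN_BGR", "SIGNAUTH", "QUAL"),
    AuthRow("Z_SIGN_ANY", "C_SIGN_BGR", "SIGNAUTH", "*"),
    AuthRow("SAP_SOLAR02_ALL", "S_CTS_ADMI", "CTS_ADMFCT", "*", inactive=True),
    AuthRow("Z_CTS_ADMIN", "S_CTS_ADMI", "CTS_ADMFCT", "*"),
    AuthRow("Z_BF_ACTIVATE", "S_SWITCH", "ACTVT", "02"),  # field layout assumed
    AuthRow("Z_DEVELOPER", "S_SWITCH", "ACTVT", "02"),
]


def value_matches(low: str, high: str, wanted: str) -> bool:
    """Authorization value semantics: full wildcard, range, prefix wildcard, exact."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(rows, obj, *, include_inactive=False):
    """Roles that carry `obj`; inactive authorizations are skipped by default."""
    return sorted({r.role for r in rows
                   if r.obj == obj and (include_inactive or not r.inactive)})


def can_sign(rows, user_roles, group):
    """Does any active C_SIGN_BGR/SIGNAUTH value of the user's roles cover `group`?"""
    return any(r.role in user_roles and r.obj == "C_SIGN_BGR" and r.fld == "SIGNAUTH"
               and not r.inactive and value_matches(r.low, r.high, group)
               for r in rows)


def audit(rows, dedicated_switch_roles):
    """Findings as sorted (role, message) pairs, one rule per block below."""
    findings = set()
    for role in roles_granting(rows, "S_CTS_ADMI"):
        findings.add((role, "S_CTS_ADMI is active; the delivered roles keep it inactive"))
    for role in roles_granting(rows, "S_SWITCH"):
        if role not in dedicated_switch_roles:
            findings.add((role, "S_SWITCH granted outside the dedicated business-function roles"))
    for r in rows:
        if r.obj == "C_SIGN_BGR" and r.fld == "SIGNAUTH" and not r.inactive:
            if r.low == "*" or r.high or r.low.endswith("*"):
                span = r.low + ("-" + r.high if r.high else "")
                findings.add((r.role, f"C_SIGN_BGR/SIGNAUTH not limited to one authorization group ({span})"))
    return sorted(findings)


if __name__ == "__main__":
    print("User A (SAP_SOL_KW_PROD) may sign PROD:",
          can_sign(SAMPLE_ROWS, {"SAP_SOL_KW_PROD"}, "PROD"))
    print("User A may sign QUAL:", can_sign(SAMPLE_ROWS, {"SAP_SOL_KW_PROD"}, "QUAL"))
    for role, msg in audit(SAMPLE_ROWS, dedicated_switch_roles={"Z_BF_ACTIVATE"}):
        print(f"{role}: {msg}")
```

Run it against a real export by building `AuthRow` objects from the AGR_1251 columns AGR_NAME, OBJECT, FIELD, LOW and HIGH; the set of dedicated roles passed to `audit` is the list of custom roles you created for S_SWITCH following the How-to Guide.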
20.5.3 User Roles for Custom Development Management Cockpit (CDMC)
Configuration
See SAP Note 1244713.
Users and Authorizations
Custom Development Management Cockpit can be accessed from the Implementation and Upgrade work centers. It contains two use cases:
● Clearing Analysis
● Upgrade/Change Impact Analysis
Note: See the use case description in the Application Help for SAP Solution Manager on the SAP Help Portal: help.sap.com > SAP Solution Manager.
Both use cases involve several systems. The systems are connected by RFC.
A TMW RFC connection must be in place for the connection to the productive systems. For the other project types, such as Clearing Analysis or Upgrade/Change Impact Analysis, a TRUSTED RFC connection is used.
Caution: If you use a TRUSTED RFC destination, you need to assign your user in the managed system the role SAP_CDMC_MASTER (full authorization) or SAP_CDMC_STAT_SYSTEM (restricted authorization).
Custom Development Management Cockpit
Table 190
Name  Type  Remarks
SAP_CDMC_USER  ABAP  Execution authorization for CDMC
SAP_CDMC_MASTER  ABAP  Administration authorization for CDMC, including maintaining global settings and deleting CDMC projects
SAP_CDMC_STAT_SYSTEM  ABAP  Restricted authorization for the statistics system in Clearing Analysis. It contains only the authorizations necessary for the tasks carried out on the statistics system: activation of statistics collection, import of the collected statistics into the control center, determination of empty tables, and syntax check for source code objects.
SAP_SM_CDMC_INT  ABAP  Integration with BPCA (authorization object SM_BPCA).
Note: To be able to work with the result list, assign the additional role SAP_CDMC_CRITICAL_AUTH, which contains all relevant critical authorizations for execution. For more information, see the Description tab of the role in the system (transaction PFCG).
In SAP Solution Manager, you also need to add authorization object SM_BPCA to the roles of your user.
20.5.4 User Roles for Upgrade Dependency Analyzer
Within implementation and upgrade, you can use the Upgrade Dependency Analyzer, the counterpart of the function of the same name on the SAP Portal. To use it within SAP Solution Manager, you need the implementation authorization described earlier plus additional authorizations. The following table outlines which additional user roles and authorizations you need for the Upgrade Dependency Analyzer.
Upgrade Dependency Analyzer
Table 191
Name Remarks
SAP_SM_UDA_ALL Role allows full authorization for Upgrade Dependency Analyzer
SAP_SM_UDA_DIS Role allows display authorization for Upgrade Dependency Analyzer
Authorization Object SM_UDA_PRJ
Main authorization object is SM_UDA_PRJ, which controls if a user is allowed to create, change, or delete UDA - projects.
20.5.5 User Roles for Customizing Comparison and Distribution
Within implementation and upgrade, you can use customizing comparison and distribution. To do so, you need the implementation authorization described earlier plus additional authorizations. For customizing comparison and distribution, SAP delivers composite roles for administrator tasks and for display users. These composite roles contain a number of single roles, which are outlined below.
Administrator (technical role name: SAP_CUSTDIST_ALL_COMP)
Note: This role should be assigned in addition to one of the following implementation user roles: SAP_SOL_PM_COMP, SAP_SOL_AC_COMP, or SAP_SOL_TC_COMP.
Table 192
Single Role Remarks
SAP_SCOUT_ALL Contains full authorization for customizing scout
SAP_SCDT_ALL Contains full authorization for customizing distribution (transaction SCDT)
SAP_SCIDM_ALL Contains full authorization for customizing ID-mapping
Display User (technical role name: SAP_CUSTDIST_DIS_COMP)
Note: This role should be assigned in addition to one of the following implementation user roles: SAP_SOL_RO_COMP or SAP_SOL_RE_COMP.
Table 193
Single Role Remarks
SAP_SCOUT_DIS Contains display authorization for customizing scout
SAP_SCDT_DIS Contains display authorization for customizing distribution (transaction SCDT)
SAP_SCIDM_DIS Contains display authorization for customizing ID-mapping
Authorization Objects S_CD_SYNC and S_CD_SYSAC
Important authorization objects are:
● S_CD_SYNC: authorization for synchronizer and scout
● S_CD_SYSAC: controls system access for customizing distribution
20.5.6 User Roles for BC-Set Activities
Within the implementation and upgrade, you have the option to use BC-Sets.
You can activate BC-Sets in the SAP Solution Manager system, and in the managed system. To be able to use this function in either system your users need one of the following roles:
User roles for BC-Set Activities
Table 194
Single Role Remarks
SAP_BCS_ACTIV Activate BC-Sets
Note: See SAP Note 505603 (Activate BC Sets).
SAP_BCS_CREATE Create BC-Sets
SAP_BCS_ADMIN Administration of BC-Sets
20.5.7 Solution Maintenance via Work Center
As of SAP Solution Manager release 7.1 SP01, transactions GSAP (SAP Global Service Access Point), SOLUTION_MANAGER and SOLUTION_MANAGER_BSP, as well as DSWP, DSWP_MOVE and DSMOP, are obsolete. All references to these transactions have been removed from the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting and Solution Directory. Solutions are created in the work center Solution Manager Administration.
20.6 Scenario Integration
Implementation and Upgrade refers to the phase in your product life-cycle when you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions, which come into play in your daily business, such as the handling of problems, and so on. The following sections describe the integration of implementation and upgrade with other scenarios within SAP Solution Manager, and which user roles would be applicable.
Note: For more detail on each individual scenario, see the corresponding scenario-specific guide.
Business Process Change Analyzer (BPCA)
In the business blueprint and configuration transactions of SAP Solution Manager, users (for instance the application consultant) can record TBOMs for the Business Process Change Analysis. To be able to do so, you need to assign your user the required BPCA roles: SAP_SM_BPCA_TBOM_ALL (generating TBOMs) and SAP_SM_BPCA_RES_ALL (analyzing results).
In the managed systems, you need to assign the according application-specific authorizations to your users.
Figure 89: Transaction SOLAR02 - Tab: Transactions
Incident Management
In the business blueprint and configuration, users can create service desk messages.
Figure 90: Transaction SOLAR02 - Tab: Service Messages
To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE if you are using transaction type SLFN. If you are using the new transaction types for Service Desk (Incident Management), you need to assign the according composite role: SAP_SUPPDESK_*_COMP, see scenario-specific guide for Incident Management.
Note: If you are a service provider, you need to assign the corresponding service provider roles. For more information, see the Service Provider Guide.
Issue Management
In the business blueprint and configuration, users can create issue messages. To be able to do so, you need to assign user role SAP_ISSUE_MANAGEMENT_EXE_COMP.
Job Management
You can also integrate Job Scheduling within your business blueprint and configuration transactions. If you assign Job Scheduling related objects, you need to assign user roles SAP_SM_SCHEDULER_EXE and SAP_SM_SOLUTION_ALL to your users.
Figure 91: Transaction SOLAR02 - Tab: Transactions
Test Management
Assign the relevant Test Management roles to your users in addition; see the scenario-specific guide for Test Management.
Figure 92
Business Process Operation
When transferring a project into the Solution Directory, the business process can be set to “Production” and then allow for Business Process Monitoring.
Figure 93: Business Process Monitoring Integration
To be able to monitor business processes, you need to assign roles SAP_OP_DSWP_BPM and SAP_SM_SOLUTION_* to your user. Alternatively, assign the appropriate composite role for Business Process Operations; see the corresponding scenario-specific guide.
Change Request Management
When you have a project transferred into the Solution Directory, you can switch on the check out / check in functionality and use it with Change Requests.
Figure 94: Change Request Management Integration
You need to assign in addition user role SAP_SOCM_REQUESTER.
Scope and Effort Analyzer (SEA)
You can access the SEA functionality from the view PLAN in the Implementation work center. To use it, assign one of the two composite roles for SEA end users (administration authorization or display authorization): SAP_SEA_*_COMP. For more information on SEA, see the scenario-specific guide for Scope and Effort Analyzer.
20.7 External Integration
You can integrate external products with SAP Solution Manager. The term External Product refers to either third-party products or SAP products that complement a function within SAP Solution Manager.
Figure 95: Configuration of Integration with External Products
20.7.1 Business Process Management Suite
The Business Process Management Suite is based on SAP NetWeaver Composition Environment (CE). Integrating this function allows you to model business processes easily and document them in the business blueprint of your Solution Manager project.
To use this integration, you need to assign the User Management Engine (UME) role SAP_BPM_Solution Manager in the managed system. In SAP Solution Manager, assign your users the user roles for implementation and upgrade described above.
20.7.2 Enterprise Service Repository within Process Integration (PI)
Enterprise Service Repository (ESR) resides on the SAP product SAP NW Process Integration (PI). It allows you to document in the business blueprint processes, activities, and interfaces in more detail. To use this integration, you need to assign in the managed system the User Management (UME) roles for this environment as described in the according process integration security guide. In SAP Solution Manager, your users should be assigned the user roles for implementation and upgrade as described above.
20.7.3 SAP Productivity Pak by RWD
The SAP Productivity Pak by RWD allows you to document your business processes in more detail. To be able to run this integration, you need to create a technical user (type: service user) RWD_ALIAS for web service access. This user needs to be assigned role SAP_RWD_INTERFACE. Your end users should be assigned the user roles for implementation and upgrade described above.
20.7.4 Business Process Blueprinting Tool (BPB)
The BPB Tool is supported by an integration between the SAP Solution Manager and the Solution Composer. The Solution Composer allows data exchange between Solution Manager and Business Process Blueprinting. It synchronizes data between the client and server. SAP Solution Manager stores content of the offered SAP solutions in form of realized business scenarios, business processes and process steps in the Business Process Repository (BPR).
Additional Information
See the according guides for the BPB Tool on the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager Additional Guides .
Relevant Authorization Object AI_SA_TAB
If you use this tool in combination with the Business Blueprint functionality in SAP Solution Manager, you need to extend authorization object AI_SA_TAB with the value EBB in the roles SAP_SOLAR01_*. This makes the relevant tab visible.
20.8 Traces and Logs
This section provides an overview of the trace and log files that contain, for example, security-relevant information, so that you can reproduce activities if a security breach does occur.
See the Auditing and Logging on the Service Marketplace at: help.sap.com Search Documentation , search for Auditing and Logging.
Service Connection
If a user has sufficient authorization and is assigned correctly to the appropriate S-user in transaction AISUSER, this user can display the same personal contact data (name, phone number) for a system as in SAP Support Portal, as this data is replicated from there to the Solution Manager system. Displaying this data is not logged.
System Landscape
● Update logs
● RFC logs
● Data save logs
Solution Manager Implementation:
● All tabs can be traced. Each change on a tab is recorded.
● No changes of the assigned object are logged (except documents).
● You can specify which project and tab can be traced.
● Documentation can get different versions when changed.
Customizing Distribution
● Each distribution is logged.
● Each distributed object is logged.
Solution Manager Operations
● Traces are available in “Solution Directory”.
● All tabs can be traced. Each change on a tab can be recorded.
● No changes of the assigned object are logged (except documents).
● You can specify which solution is traced.
● Documentation can get different versions when changed.
21 Scenario-Specific Guide: Solution Documentation Assistant
The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). The Solution Documentation Assistant supports the implementation and upgrade process. The function allows you to analyze your business processes automatically, to prepare upgrade projects, to evaluate new functionality, and to analyze your own developments. This guide gives you an overview of all relevant security-related issues for the scenario Solution Documentation Assistant. For more information, see the Application Help on the SAP Help Portal at help.sap.com.
Caution: The Solution Documentation Assistant should only be made accessible to dedicated users by the system administrator, and only for a dedicated time, as the usage of the Solution Documentation Assistant may have an impact on the managed systems. Users need extended knowledge of the definition of check steps and their use in analysis projects.
21.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 195
Support Package Stack (Version)  Description
SP05  Adapted sections:
● Prerequisites
● Technical System Landscape
● Communication Channels and Destinations
● Technical Users
Additional section on Background Jobs.
SP10  End-User Roles: Role SAP_SMWORK_BASIC_SDA has been adapted. For detailed information, see the description text in the role.
21.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about target groups of this guide. Links for any additional components you can find in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out, which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach the various scenarios integrate with each other. Here, you can find out about authorizations you need to assign to your users for these cases.
● Background Jobs: lists all related background jobs
21.3 Prerequisites
Solution Documentation Assistant can analyze business processes running on the ABAP and Java stacks of one or more managed systems.
Most data for the analysis (for instance transactions and reports) is requested from the EarlyWatch Alert of the managed systems. Other data can be retrieved using the Diagnostics agents in the managed systems.
Workload data can be retrieved via:
● EarlyWatch Alerts
● RFC
● Business Warehouse
UPL data can be retrieved via Business Warehouse.
All prerequisites described for the Root Cause Analysis scenario apply to Solution Documentation Assistant as well. When using the Diagnostics agents for data retrieval, you must also set up your SAP Solution Manager in connection with a Business Warehouse (BW).
For more information on the BW authorization concept, see the section on BW authorizations in the Core Guide.
The following paragraphs give you an overview over all required prerequisites for running the Solution Documentation Assistant scenario.
21.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the Solution Documentation Assistant scenario. SAP Solution Manager is connected to your managed systems via the TMW RFC destination, and the managed systems are connected to SAP Solution Manager via the BACK RFC destination. The IGS is connected to the ABAP stack via a dedicated RFC connection. Which connections are used when, and which technical users they require, is described in the following sections.
Figure 96: Infrastructure
21.3.2 Configuration
Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like:
● Business Blueprint (including graphics), using transaction SOLAR01
● Configuration (including graphics), using transaction SOLAR02
Scenario Configuration transaction SPRO
To run Solution Documentation Assistant, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.
Configuration Roles
There are no specific configuration roles when using transaction SPRO. Nevertheless, you can use the possibility in creating your own configuration roles. For more information, see the according How-to Guide.
Authorization Object S_TABU_DIS
SDA table views and view clusters AGSRBE* are protected by Authorization Group SDA.
21.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 196
Communication Channel  Protocol  Type of Data Transferred / Function
Solution Manager to OSS  RFC  Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back  RFC  Exchange of information with managed systems
Solution Manager to managed systems within the customer network  FTP  Update of the route permission table (content: IP addresses), see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace  HTTP(S)  Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: managed systems); see the Landscape Setup Guide.
Table 197
Columns: RFC Destination Name; Target Host Name; System Number; Logon Client; Logon User (Password); Remarks

SM_<SID>CLNT<Client>_LOGIN (ABAP connection)
Target host: managed system. System number, logon client and logon user: customer-specific.
Remarks: Can be used instead of trusted RFC.

SM_<SID>CLNT<Client>_TRUSTED (ABAP connection)
Target host: managed system. System number and logon client: system-specific. Logon user: customer-specific.
Remarks: Optional; can be used to jump directly into the managed system, for instance from transactions SOLAR01 or SOLAR02.

SM_<SID>CLNT<Client>_TMW (ABAP connection)
Target host: managed system. System number and logon client: system-specific. Logon user: default user SMTM<SID of Solution Manager system>.
Remarks: Named "RFC for Change Manager" in transaction SOLMAN_SETUP. Contains batch job authorization. Used to push data (for instance which check steps should be executed), control data (for instance when jobs should run) and configuration data, and to read check step results such as workload data (object name, and so on).
RFC Connection from Managed System to SAP Solution Manager
Table 198
Columns: RFC Destination Name; Target Host Name; System Number; Logon Client; Logon User (Password); Use; How Created

SM_<SID>CLNT<Client>_BACK (ABAP connection)
Target host: Solution Manager system. System number and logon client: system-specific. Logon user: SMB_<managed system ID>.
Use: EarlyWatch Alert data from the managed systems.
How created: automatically via transaction SOLMAN_SETUP (view: managed systems).
Business Warehouse RFC Connections
Table 199
Columns: RFC Destination Name; Target Host Name; System Number; Logon Client; Logon User (Password); How Created

NONE (if BW reporting is realized in the BW standard scenario within the Solution Manager system; used for content activation)
Target host: Solution Manager system. System number, logon client and logon user: system-specific (productive client).

BI_CLNT<BW client> (if BW is realized in a remote BW system; used for content activation and data download)
Target host: managed system or Solution Manager system. System number and logon client: system-specific.
How created: in transaction SOLMAN_SETUP.

MDX PARSER
Internet Graphics Server (IGS) RFC Connection
Table 200
RFC Destination Name Activation Type How Created
ITS_RFC_DEST Registered Server program (program: IGS.<SID>)
Manually in transaction SM59
21.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Solution Documentation Assistant scenario.
Caution: If you use the Diagnostics agent for data retrieval, refer to the section on technical users in the scenario-specific guide for Root Cause Analysis.
User for TMW Connection (Read and Batch Authorization in Managed Systems)
Table 201
User  User Type  Remarks
SMTM<SID of Solution Manager system> (system-specific)  System user  Technical user "TMW User", assigned role <namespace>_SOLMAN_TMW. It is generated automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.
User for BACK Destination in SAP Solution Manager System
Table 202
User (Password)  Type  Remarks
SMB_<managed system ID> (system-specific)  System user  Technical user "Back User", assigned role <namespace>_SOLMAN_BACK. It is created automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.
Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you must also change the password stored in its RFC destination.
Users for Business Warehouse (BW Reporting)
Table 203
User  User Type  Remarks
SMD_BI_RFC (in case of a remote BW)  System user  Technical user for data download
SM_EFWK  System user  Technical user for extractor execution
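The destinations and technical users listed in the tables above follow a fixed scheme (SM_<SID>CLNT<Client>_<purpose>, user SMTM<Solution Manager SID> for TMW, user SMB_<managed SID> for BACK), so an inventory exported from transaction SM59 of the Solution Manager system and of each managed system can be checked mechanically for drift, for instance after a system copy. The following Python script is an added example and is neither part of this guide nor of SOLMAN_SETUP. The inventory records and their layout, the Solution Manager SID SM1 and the managed SIDs ERP and CRM are constructed, and the rule that a TRUSTED destination should carry no stored logon user is an assumption.

```python
"""Check an RFC destination inventory against the naming scheme and the
technical users described in the guide.

Added example, not SAP code. Records are constructed; in a real landscape they
come from SM59 (or table RFCDES) of each system, and the record layout here is
an assumption.
"""
import re
from dataclasses import dataclass

SOLMAN_SID = "SM1"  # assumed Solution Manager system ID

# SM_<SID>CLNT<Client>_<purpose>, the scheme used by SOLMAN_SETUP
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>LOGIN|TRUSTED|TMW|BACK)$")


@dataclass(frozen=True)
class Destination:
    name: str
    defined_in: str   # SID of the system that holds the destination
    logon_user: str   # stored logon user, "" if none
    trusted: bool     # "Trusted System" flag set on the destination


# Constructed inventory: four destinations as the tables describe them, then
# three deviations that a review should catch.
SAMPLE_INVENTORY = [
    Destination("SM_ERPCLNT100_TMW", "SM1", "SMTMSM1", False),
    Destination("SM_ERPCLNT100_TRUSTED", "SM1", "", True),
    Destination("SM_ERPCLNT100_LOGIN", "SM1", "SOLMAN_SVC", False),
    Destination("SM_SM1CLNT001_BACK", "ERP", "SMB_ERP", False),
    Destination("SM_CRMCLNT200_TMW", "SM1", "SMTMOLD", False),      # wrong TMW user
    Destination("SM_SM1CLNT001_BACK", "CRM", "SMB_ERP", False),     # BACK copied from ERP
    Destination("SM_CRMCLNT200_TRUSTED", "SM1", "SMTMSM1", True),   # trusted with stored user
]


def check(dest: Destination, solman_sid: str = SOLMAN_SID) -> list:
    """Problems found for one destination; an empty list means it matches the scheme."""
    m = DEST_RE.match(dest.name)
    if not m:
        return ["name does not follow SM_<SID>CLNT<client>_<purpose>"]
    sid, kind = m["sid"], m["kind"]
    problems = []
    if kind == "BACK":
        # Lives in the managed system, points at Solution Manager, logs on as SMB_<managed SID>.
        if dest.defined_in == solman_sid or sid != solman_sid:
            problems.append("BACK destination must be defined in a managed system and target Solution Manager")
        expected = f"SMB_{dest.defined_in}"
        if dest.logon_user != expected:
            problems.append(f"logon user {dest.logon_user!r}, expected {expected}")
    else:
        if dest.defined_in != solman_sid:
            problems.append(f"{kind} destination must be defined in Solution Manager")
        if kind == "TMW" and dest.logon_user != f"SMTM{solman_sid}":
            problems.append(f"logon user {dest.logon_user!r}, expected SMTM{solman_sid}")
        if kind == "TRUSTED" and dest.logon_user:
            # Assumption: a trusted destination logs on as the calling user;
            # a stored named user defeats the per-user authorization check.
            problems.append("TRUSTED destination carries a stored logon user")
        if kind == "LOGIN" and not dest.logon_user:
            problems.append("LOGIN destination needs a customer-specific logon user")
    if (kind == "TRUSTED") != dest.trusted:
        problems.append("trusted-system flag does not match destination purpose")
    return problems


def audit(inventory, solman_sid: str = SOLMAN_SID):
    """Sorted (defined_in, name, problem) triples for every deviating destination."""
    return sorted((d.defined_in, d.name, p)
                  for d in inventory for p in check(d, solman_sid))


if __name__ == "__main__":
    for defined_in, name, problem in audit(SAMPLE_INVENTORY):
        print(f"{defined_in} {name}: {problem}")
```

Whether the stored password of a BACK destination still matches the SMB_ user in SAP Solution Manager (the caution in Table 202) cannot be read from an export; that part of the review is the connection test in SM59 after every password change.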
21.4 Users and Authorizations
The target group for the Solution Documentation Assistant are business experts who need to perform an analysis of the business processes running in the company. To enable these end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you work in a Solution Documentation Assistant analysis project to analyze new business processes or change existing ones, you need full authorization for all your tasks. Therefore, SAP delivers recommended user descriptions for an administration user and a display user, on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members of your company execute, and then adjust the roles accordingly.
Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.
Roles for Solution Documentation Assistant are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
21.4.1 User Descriptions and User Roles
This paragraph gives an overview over users as recommended by SAP and their according user roles assignment for the Solution Documentation Assistant. All users are assigned a composite role, which contains a number of single roles.
Note: The suggested users are allowed to execute or display tasks in the Solution Documentation Assistant. For additional authorizations, for instance for implementation and upgrade, see the section on Scenario Integration.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see core security guide.
Figure 97: Solution Documentation Assistant Work Center
The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the respective single role is required. Since the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Administration User (technical role name: SAP_SODOCA_ALL_COMP)
The administration user is allowed to:
● access Solution Documentation Assistant work center and Implementation work center
● execute all functions of Solution Documentation Assistant
● maintain Business Blueprint
● maintain Solution Manager projects
● display Service Data Control Center
Note: If this user should be allowed to maintain or display solutions and system landscape data, you need to assign additional roles. These roles are not included in the composite roles, as Solution Documentation Assistant should be based on an existing system landscape with already created projects and solutions.
● SAP_SMSY_* (full or display authorization for system landscape data maintenance)
● SAP_SOLMAN_DIRECTORY_* (full or display authorization for solution maintenance)
Single roles included in composite role
Table 204
| Single Role | Remarks | Mapping to Navigation Panel Views |
|---|---|---|
| SAP_SDA_ALL | Contains full authorization for executing tasks in the Solution Documentation Assistant. | Analysis Projects, Analyses, Rule Database, Content Interface |
| SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to update your business processes and steps with information retrieved from your analysis projects. | Analysis Projects |
| SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management. Allows you to create analysis projects from Solution Manager projects and to update them. | Analysis Projects |
| SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. Allows you to create analysis projects from solutions and to update them. | Analysis Projects |
| SAP_SDCCN_DIS | Display of Service Data Control Center; allows batch job execution for analysis. | |
| SAP_SMWORK_BASIC_IMP | Contains full authorization for work center-related functions for Implementation and Upgrade. | Work Center Access |
| SAP_SMWORK_BASIC_SDA | Contains full authorization for work center-related functions for SDA. | Work Center Access |
| SAP_SMWORK_SDA | Allows access to the Solution Documentation Assistant work center. | |
| SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. | |
Caution: Authorization object S_RFCACL for trusted RFC connections is required if your users are to connect to the managed systems without a separate logon.
Display User (technical role name: SAP_SODOCA_DIS_COMP)
The display user is allowed to:
● access Solution Documentation Assistant work center
● display all functions of Solution Documentation Assistant
● display Business Blueprint
● display Solution Manager project data
Note: If this user should be allowed to display solutions and system landscape data, you need to assign additional roles. These roles are not included in the composite roles, as Solution Documentation Assistant should be based on an existing system landscape with already created projects and solutions.
● SAP_SMSY_DISP (display authorization for system landscape data maintenance)
● SAP_SOLMAN_DIRECTORY_* (full or display authorization for solution maintenance)
Single roles included in composite role
Table 205
| Single Role | Remarks | Mapping to Navigation Panel Views |
|---|---|---|
| SAP_SDA_DIS | Contains display authorization for executing tasks in the Solution Documentation Assistant. | Analysis Projects, Analyses, Rule Database, Content Interface |
| SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to update your business processes and steps with information retrieved from your analysis projects. | Analysis Projects |
| SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Analysis Projects |
| SAP_SM_SOLUTION_DISP | Contains display authorization for solutions. | Analysis Projects |
| SAP_SMWORK_BASIC_SDA | Contains access authorization for work center-related functions. | Work Center Access |
| SAP_SMWORK_SDA | Allows access to the Solution Documentation Assistant work center. | |
Common Task Panel in the Work Center
The common task panel contains links for applications that are often used:
Create Analysis Project
To create analysis projects, you need SDA authorizations contained in role SAP_SDA_*, and project and/or solution authorizations contained in roles SAP_SOL_PROJ_ADMIN_* and SAP_SM_SOLUTION_*. If you also want to update the business blueprint of your project, you need business blueprint authorizations contained in role SAP_SOLAR01_*.
Create Analysis and Create Check Step
To create an analysis from an analysis project and to create check steps, you need SDA authorizations contained in role SAP_SDA_*.
Related Links in the Work Center
The related links section of the work center lists all possible links for this work center. The user may still be unable to run some of these applications, because the required authorizations are not part of the defined user roles but of additional roles; see the section Additional Functions. This link collection is a recommendation of which additional applications could be run in the respective scenario. If you want the related links section to show only those links that the defined user is actually able to use, adapt the work center navigation role accordingly. For more information about adapting the related links section, see the How-to section.
Business Process Repository
There is no authorization check available for this application.
Project Administration
Requires authorizations for project management included in role SAP_SOL_PROJ_ADMIN_*. If system maintenance authorization is required in addition, role SAP_SMSY_* must be assigned.
Business Blueprint
Requires authorizations for business blueprint contained in role SAP_SOLAR01_*, project management authorizations included in role SAP_SOL_PROJ_ADMIN_*, and authorizations for solutions included in role SAP_SM_SOLUTION_*. In addition, document management authorization may be required, which is contained in role SAP_SOL_KW_*.
Solutions
Requires authorizations for solutions included in role SAP_SM_SOLUTION_*, and authorization for SAP_SOLMAN_DIRECTORY_*
Solution Manager System Landscape
Requires authorizations contained in role SAP_SMSY_*.
Authorizations in the Managed Systems
Table 206
| Roles | Remarks |
|---|---|
| Authorization object S_RFCACL | Authorization for trusted RFC connections, if your users should be able to connect to the managed systems without a separate logon. |
| Application-specific roles | Authorizations for certain tasks in the managed systems, for instance SQL queries. |
21.5 Scenario Integration
Solution Documentation Assistant refers to the phase in your product life-cycle when you analyze and evaluate your business processes. According to the end-to-end business process life-cycle, this phase needs to integrate with other functions which come into play in your daily business, such as defining business processes, changing them, and so on. Therefore, Solution Documentation Assistant mainly integrates with the implementation and upgrade of business processes within SAP Solution Manager. Here, additional implementation user roles apply: SAP_SOL_*_COMP.
Figure 98: Business Blueprint and Solution Manager Project Administration Integration
Note: For more detail on the implementation and upgrade scenario and its users, see the corresponding Scenario-Specific Guide.
21.6 Background Jobs
The following background jobs are run in the Solution Manager system:
● RBE_* (main jobs)
● <GUID> (create Solution Manager project)
● SDA_BI*
● SDA_UPL*
● SDA_E2E*
Note: The number of jobs depends on the settings of the application Creation of Analysis for each managed system. This can result in a very high workload.
22 Scenario-Specific Guide: Test Management
The business process life-cycle stretches across all phases of a product's life-cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. After implementing new business processes or changing existing ones, you need to test whether your implementation can be successfully applied to your productive system. This guide gives you an overview of all relevant security-related issues for the Test Management scenario.
22.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 207
Support Package Stack (Version) and Description
SP05
Authorization Objects: Added value TSTM in authorization object S_TABU_DIS in role SAP_STWB_SET_ALL.
End User Roles: The following end user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_STWB_SET_ALL
● SAP_SMWORK_BASIC_TEST_MAN (new view)
Test Management Dashboard: Test Management Dashboard role SAP_SM_DASHBOARDS_DISP_TWB delivered.
SP07
CBTA: Added new use case function CBTA, see new section in User Roles for Additional Functions. This includes new roles for the use case: SAP_*TST*. The roles are shipped with Software Component ST-TST.
Adapted End User Roles:
● SAP_SMWORK_BASIC_TEST_MAN
SP10
Adapted End User Roles: For more details on changes, see the description tab of the role.
● SAP_STWB_WORK_*
● SAP_STWB_SET_ALL
CBTA User Creation in SOLMAN_SETUP: A new guided procedure in transaction SOLMAN_SETUP for CBTA is available; for more information, see the section on User Roles for CBTA. The following roles are shipped:
● SAP_SM_CBTA_CONF
● SAP_CBTA_CONFIG_COMP
● SAP_CBTA_COMP
SP11
Adapted End User Roles: For more details on changes, see the description tab of the role.
● SAP_SM_TCE_RFC
● SAP_TST_AGENT_RFC
SP12
Redesign of CBTA roles:
● adapted roles and users, see the corresponding section. For more details on changes, see the description tab of the role.
● added single role SAP_STCE_* (contains authorization object S_DEVELOP with execution authorization)
● added new single role SAP_SM_TST_RTL_DEV
SP13
Adapted End User Roles: For more details on changes, see the description tab of the role.
● SAP_STWB_2_ALL
22.2 Prerequisites
22.2.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete Test Management scenario. SAP Solution Manager is connected to your managed systems via READ RFC and TRUSTED RFC (alternatively LOGIN) destinations. Optionally, you can attach a third-party product to SAP Solution Manager via dedicated connections. The following sections describe all connections in more detail: when they are used and which technical users they require.
Figure 99: Infrastructure
22.2.2 Scenario Configuration User
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see the Core Guide chapter Configuration Users.
● the BW integration concept, see the Core Guide chapter on BW integration.
Basic Configuration using transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like:
● Business Blueprint (including graphics), using transaction SOLAR01
● Configuration (including graphics), using transaction SOLAR02
Scenario Configuration using transaction SOLMAN_SETUP
You can use the scenario configuration via transaction SOLMAN_SETUP for CBTA. For more information, see section on CBTA.
Scenario Configuration using transaction SPRO
To run Test Management, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.
BI - Reporting
To use BI Reporting for Test Management, you additionally need to run the BI content activation in the basic automated setup view Technical Monitoring Interactive Reporting.
Configuration roles
There are no specific configuration roles when using transaction SPRO. You can, however, create your own configuration roles. For more information, see the corresponding How-to Guide.
Note: The work center view Administration contains links for configuration purposes. These are links to configuration transactions needed for the daily operation of the work center, such as creating business partners or checking RFC connections. The view can only be accessed using the administration role for the scenario (see the later section on user descriptions and user roles), as it is restricted by authorization object S_TCODE with value SPRO.
22.2.3 Communication Channels and Destinations
The tables below show the communication channels used by SAP Solution Manager, the protocol used for each connection, and the type of data transferred.
Communication Channels
Table 208
| Communication Channel | Protocol | Type of Data Transferred / Function |
|---|---|---|
| Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services |
| Solution Manager to managed systems and back | RFC | Reading information from managed systems |
| Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes |
| Solution Manager to/from Quality Center by HP | SOAP over HTTP(S) | Test requirements (send and receive data) |
| Third-party test tools | SOAP over HTTP(S) | Depends on the individual application |
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: managed systems); see the Landscape Setup Guide.
RFC Connections from SAP Solution Manager to Managed Systems
Table 209
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks |
|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | System-specific | Customer-specific | Customer-specific | Can be used instead of the TRUSTED connection |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> (automatically generated, can be defined by customer via transaction SMSY) | To read data from the managed system |
| SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Current user | You have the same user ID in the managed system |
Internet Graphics Server (IGS) RFC Connection
Table 210
| RFC Destination Name | Activation Type | How Created |
|---|---|---|
| ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Transaction SM59 |
BW Reporting RFC Connection
Table 211
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created |
|---|---|---|---|---|---|
| NONE, if BW reporting is realized in a BW standard scenario; for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | |
| BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system; for content activation and data download | Managed system or Solution Manager system | System-specific | System-specific | | In transaction SOLMAN_SETUP |
| <SolutionManagerSID>CLNT<SolutionManager-ProductiveClient> BI-Callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP |
| Trusted RFC to remote BW system SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user | Used to read data from remote BW for BI Reporting; created during SOLMAN_SETUP |
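The naming and logon conventions in Tables 209 and 211 lend themselves to an automated configuration check: a READ destination should carry the generated system user, a TRUSTED destination should propagate the current user rather than store credentials, and the SID and client in the destination name should match what the destination actually points to. The following Python script is an added example and not part of SAP's guide or tooling. The input rows are constructed, and the field layout (name, target SID, client, user, whether a password is stored, whether the trusted-system flag is set) is an assumption; in practice you would populate it from transaction SM59 or table RFCDES.

```python
"""Audit SAP Solution Manager RFC destinations to managed systems against the
SM_<SID>CLNT<Client>_{LOGIN,READ,TRUSTED} convention described in Table 209.
Added example, not SAP's own tooling.  Field layout and sample rows are
constructed; fill them from SM59 / RFCDES in a real landscape."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Expected naming pattern for the managed-system destinations.
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>LOGIN|READ|TRUSTED)$"
)


@dataclass(frozen=True)
class RfcDest:
    name: str
    target_sid: str        # SID of the system the destination really points to
    client: str            # logon client configured in the destination
    user: str              # configured logon user; "" when the current user is propagated
    password_stored: bool  # a fixed password is saved in the destination
    trusted: bool          # "trusted system" flag set on the destination


def parse_name(name: str) -> Optional[Dict[str, str]]:
    """Split SM_<SID>CLNT<Client>_<TYPE> into its parts, or None if it does not match."""
    m = DEST_RE.match(name)
    return m.groupdict() if m else None


def audit(dest: RfcDest, solman_sid: str) -> List[str]:
    """Return the policy deviations found for one destination (empty list = clean)."""
    findings: List[str] = []
    parts = parse_name(dest.name)
    if parts is None:
        return ["name does not follow SM_<SID>CLNT<Client>_<TYPE>; review manually"]
    if parts["sid"] != dest.target_sid or parts["client"] != dest.client:
        findings.append(
            f"name says {parts['sid']}/{parts['client']} but destination points to "
            f"{dest.target_sid}/{dest.client}"
        )
    kind = parts["kind"]
    if kind == "TRUSTED":
        # A TRUSTED destination propagates the current user: the trust flag must be
        # set and no fixed user or password may be stored.
        if not dest.trusted:
            findings.append("TRUSTED destination without the trusted-system flag")
        if dest.user or dest.password_stored:
            findings.append("TRUSTED destination stores a fixed user/password")
    elif kind == "READ":
        # READ uses the generated system user SM_<Solution Manager SID> by default;
        # the guide allows a customer-defined user, so this is a warning to confirm.
        if dest.user != f"SM_{solman_sid}":
            findings.append(f"READ user is {dest.user!r}, expected default SM_{solman_sid}")
        if dest.trusted:
            findings.append("READ destination should not be a trusted connection")
    elif kind == "LOGIN":
        # LOGIN is the non-trusted alternative and needs an explicit logon user.
        if not dest.user:
            findings.append("LOGIN destination has no logon user configured")
        if dest.trusted:
            findings.append("LOGIN destination should not be a trusted connection")
    return findings


def audit_all(dests: List[RfcDest], solman_sid: str) -> Dict[str, List[str]]:
    return {d.name: audit(d, solman_sid) for d in dests}


# Constructed sample export; SIDs, clients and user names are made up.
SAMPLE_DESTS = [
    RfcDest("SM_ERPCLNT100_READ", "ERP", "100", "SM_SMP", True, False),
    RfcDest("SM_ERPCLNT100_TRUSTED", "ERP", "100", "", False, True),
    RfcDest("SM_ERPCLNT100_LOGIN", "ERP", "100", "SOLMAN_LOGIN", True, False),
    RfcDest("SM_CRMCLNT200_TRUSTED", "CRM", "200", "ADMIN_USER", True, True),
    RfcDest("SM_CRMCLNT200_READ", "CRM", "300", "CRM_ADMIN", True, False),
    RfcDest("ZLEGACY_TOOL", "BWP", "001", "BWUSER", True, False),
]

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_DESTS, "SMP").items():
        print(name, "OK" if not issues else "; ".join(issues))
```

The check on the TRUSTED destination is the one that matters most: a trusted destination that also stores a privileged user and password turns a user-propagating connection into a shared credential, which defeats the purpose of the S_RFCACL control described later in this chapter.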
22.2.4 Technical Users for RFCs
The users in the following tables are created, automatically or manually, during configuration. The overviews are structured according to main functions/scenarios. Some users are relevant for more than one scenario and are therefore mentioned more than once.
User for READ Access in Managed Systems
Users for RFC Connection READ
Table 212
| User | User Type | Remarks |
|---|---|---|
| SM_<SID of Solution Manager system> (system-specific) | System User | Technical user ("READ user") for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide. |
Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
User for BW Reporting (Reorganization of Data and Configuration Validation)
Table 213
| User | User Type | Remarks |
|---|---|---|
| BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP. |
| SMD_BI_RFC (in case of remote BW) | System User | Technical user for data download |
| SM_EFWK | System User | Technical user for extractor execution |
Caution: During automatic basic configuration, the system automatically generates a password for user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
22.3 Users and Authorizations
To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When the implementation team has finished working in a project to implement new business processes or change existing ones, the tests need to be organized, and testers need to verify whether the implemented changes work correctly in a production-like environment. SAP delivers recommended user descriptions for users such as test organizer or tester, on which the SAP-delivered roles are modeled. These user descriptions and roles are templates only: first define which tasks the individual members of your organization execute, then adjust the roles accordingly.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Figure 100: Test Management Process
22.3.1 User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their role assignments for Test Management. Each user is assigned a composite role, which contains a number of single roles.
Work Center
The work center is the work space of a user and gives access to all tools necessary for that user's work. You can assign the delivered composite roles to your users; you may still want to restrict the access or the authorizations of a particular user. The view Administration is only visible to the Quality Expert; it requires authorization object S_TCODE with value SPRO. Access to views in the navigation panel is restricted with authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
Figure 101: Test Management Work Center
The tables below show which single roles are included in each composite role. An additional column indicates for which section of the navigation panel the respective single role is strictly necessary. Since the Overview of a work center always contains links to all relevant sections of the navigation panel, it is not listed.
Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW - System
Trusted authorizations are needed between SAP Solution Manager and its managed systems, as well as between SAP Solution Manager and a remote BW system.
● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.
Neither role is contained in the composite roles, because of their highly security-relevant character.
Application-Specific Authorizations in Managed Systems
For Test Management, you need to assign authorizations in the managed system depending on the application you are using there. In addition, when you are using the trusted RFC connection, you need to assign authorization object S_RFCACL to your user. This authorization object is not included in profile SAP_ALL.
Tester (technical role name: SAP_SOL_TESTER_COMP)
The Tester is responsible for executing test cases. Testers are allowed to:
● access the Implementation work center and Test Management work center
● display projects
● display system landscape data
● maintain business configuration
● display business blueprint
● display test plan information
● display test workbench information
● execute tests
● execute eCATTs
Single roles included in composite role
Table 214
| Single Role | Remarks | Mapping to Navigation Panel Views |
|---|---|---|
| SAP_SMSY_DIS | Display the system landscape | Execution, Reports, Test Preparation |
| SAP_SOLAR01_DIS | Display business blueprint information | Reports, Test Preparation |
| SAP_SOLAR02_EXE | Maintain configuration information for test cases | Reports, Test Preparation, Execution |
| SAP_SOL_KW_DIS | Display all relevant documents | Reports, Test Preparation, Execution |
| SAP_SOL_PROJ_ADMIN_DIS | Display project information | Reports, Test Evaluation, Test Preparation, Execution |
| SAP_STCE_EXE | Test Automation | See Common Task section |
| SAP_STWB_2_DIS | Display test plan and test packages | Reports, Test Evaluation, Test Plan Management, Execution |
| SAP_STWB_INFO_DIS | Display information relating to tests | Reports, Test Evaluation, Test Plan Management, Execution |
| SAP_STWB_WORK_ALL | Maintain tests | Reports, Tester Worklist, Execution |
| SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center-related functions and user interface | Work Center Access |
| SAP_SMWORK_ITEST | Access to the work center for test management | |
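Because the composite roles are templates, the guide expects you to compare what a user actually needs against what the composite grants, and to keep the trusted-RFC role (S_RFCACL) and roles carrying S_DEVELOP under separate control. The following Python script is an added example of such a review and is not SAP tooling. The role-to-view mapping is transcribed from Table 214 above plus the SAP_STWB_2_ALL row of the Project Manager table; the user assignments and required-view lists are constructed, and treating Work Center Access as always required is an assumption.

```python
"""Review a Test Management role assignment: which navigation panel views it
unlocks, which required views are missing, which single roles add nothing the
user needs (least-privilege candidates), and which roles the guide flags as
highly security-relevant.  Added example, not SAP's own tooling; the mapping
is transcribed from Table 214 and the SAP_STWB_2_ALL row of Table 215,
the assignments are constructed."""
from typing import Dict, Iterable, Set

WORK_CENTER_ACCESS = "Work Center Access"  # assumed to be required for every user

# Single role -> navigation panel views it is required for.  Roles whose
# mapping the table leaves empty get an empty set.
ROLE_VIEWS: Dict[str, Set[str]] = {
    "SAP_SMSY_DIS": {"Execution", "Reports", "Test Preparation"},
    "SAP_SOLAR01_DIS": {"Reports", "Test Preparation"},
    "SAP_SOLAR02_EXE": {"Reports", "Test Preparation", "Execution"},
    "SAP_SOL_KW_DIS": {"Reports", "Test Preparation", "Execution"},
    "SAP_SOL_PROJ_ADMIN_DIS": {"Reports", "Test Evaluation", "Test Preparation", "Execution"},
    "SAP_STCE_EXE": set(),
    "SAP_STWB_2_DIS": {"Reports", "Test Evaluation", "Test Plan Management", "Execution"},
    "SAP_STWB_INFO_DIS": {"Reports", "Test Evaluation", "Test Plan Management", "Execution"},
    "SAP_STWB_WORK_ALL": {"Reports", "Tester Worklist", "Execution"},
    "SAP_SMWORK_BASIC_TEST_MAN": {WORK_CENTER_ACCESS},
    "SAP_SMWORK_ITEST": set(),
    # from the Project Manager composite (Table 215)
    "SAP_STWB_2_ALL": {"Execution", "Reports", "Test Evaluation", "Test Plan Management"},
}

# Composite role -> the single roles it contains (Table 214).
COMPOSITE_ROLES: Dict[str, Set[str]] = {
    "SAP_SOL_TESTER_COMP": {
        "SAP_SMSY_DIS", "SAP_SOLAR01_DIS", "SAP_SOLAR02_EXE", "SAP_SOL_KW_DIS",
        "SAP_SOL_PROJ_ADMIN_DIS", "SAP_STCE_EXE", "SAP_STWB_2_DIS", "SAP_STWB_INFO_DIS",
        "SAP_STWB_WORK_ALL", "SAP_SMWORK_BASIC_TEST_MAN", "SAP_SMWORK_ITEST",
    },
}

# Roles the guide singles out for their security relevance.
CRITICAL_ROLES: Dict[str, str] = {
    "SAP_SM_S_RFCACL": "carries S_RFCACL for trusted RFC; deliberately not part of any composite",
    "SAP_STWB_2_ALL": "carries S_DEVELOP execution and administration authorization",
}


def expand(assigned: Iterable[str]) -> Set[str]:
    """Resolve composite roles to single roles; unknown names pass through unchanged."""
    singles: Set[str] = set()
    for role in assigned:
        singles |= COMPOSITE_ROLES.get(role, {role})
    return singles


def review(assigned: Iterable[str], required_views: Iterable[str]) -> Dict[str, object]:
    """Compare an assignment with the views the user actually needs."""
    singles = expand(assigned)
    required = set(required_views) | {WORK_CENTER_ACCESS}
    reachable: Set[str] = set()
    for role in singles:
        reachable |= ROLE_VIEWS.get(role, set())
    return {
        "missing_views": sorted(required - reachable),
        # roles mapped to views, none of which this user needs
        "unneeded_roles": sorted(
            r for r in singles if ROLE_VIEWS.get(r) and ROLE_VIEWS[r].isdisjoint(required)
        ),
        "critical_roles": {r: CRITICAL_ROLES[r] for r in sorted(singles) if r in CRITICAL_ROLES},
        # roles this table knows nothing about: check them in transaction PFCG
        "unknown_roles": sorted(
            r for r in singles if r not in ROLE_VIEWS and r not in CRITICAL_ROLES
        ),
    }


if __name__ == "__main__":
    # Constructed assignment: a tester who was also given the trusted-RFC role.
    print(review(["SAP_SOL_TESTER_COMP", "SAP_SM_S_RFCACL"], ["Execution", "Tester Worklist"]))
```

For a tester who only needs the Execution and Tester Worklist views, the review reports SAP_SOLAR01_DIS as a role that unlocks nothing the user needs and lists SAP_SM_S_RFCACL as critical, which matches the guide's advice to assign the S_RFCACL role separately and consciously.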
Project Manager/Test Organizer
The Project Manager is responsible for organization and project planning, for the realization of the desired project results and the daily management of the project. They anticipate deviations from the project direction and carry out the necessary corrective measures immediately. Project Managers should understand the integration of the business processes within the enterprise. They are also members of the steering committee, and have decision-making authority in matters concerning the program and budget. The user forwards strategic questions to the sponsor to make joint decisions. Project Managers are allowed to:
● access the Implementation work center and Test Management work center
● set up projects
● maintain roadmaps
● maintain system landscape data
● maintain solutions
● maintain business blueprint and business configuration
● create transport requests
● maintain training materials
● maintain test plans
● process mass data for test plans
● execute test workbench info
● maintain test workbench settings
● execute tests
● display BW reports
● execute and administer eCATTs
● execute BW reports
Single roles included in composite role (technical role name: SAP_SOL_PM_COMP) in the SAP Solution Manager system
Table 215
| Single Role | Remarks | Mapping to Navigation Panel Views |
|---|---|---|
| SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: Only relevant for Implementation and Upgrade. | |
| SAP_SMSY_ALL | Contains full authorizations you need for maintaining the system landscape in transaction SMSY, which includes logical components. | Reports, Test Preparation, Execution |
| SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance with the check out/check in function (solution to maintenance project and maintenance project to solution). | Test Plan Management, Tester Worklist, Test Evaluation, Reports, Execution |
| SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and the maintenance of solutions on the solution settings tab. | Test Evaluation, Reports, Execution |
| SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Reports, Test Preparation, Execution |
| SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Reports, Test Preparation, Execution |
| SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Reports, Test Preparation, Execution |
| SAP_SOL_PROJ_ADMIN_ALL | Contains full authorization for project management. | Reports, Test Evaluation, Test Preparation, Execution |
| SAP_SOL_TRAINING_ALL | Contains full authorization for Learning Maps access. Caution: Only relevant for Implementation and Upgrade. | |
| SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: Only relevant for Implementation and Upgrade. | |
| SAP_STCE_ALL | Test Automation | See Common Task section |
| SAP_STWB_2_ALL | Maintain test plan and test packages, including eCATT authorization for background job usage and foreground execution. Caution: This role contains S_DEVELOP execution and administration authorization. | Execution, Reports, Test Evaluation, Test Plan Management |
| SAP_STWB_INFO_ALL | Maintain information relating to tests | Execution, Reports, Test Evaluation, Test Plan Management |
| SAP_STWB_SET_ALL | Maintain central test workbench settings | Execution, Reports, Test Evaluation, Test Plan Management |
| SAP_STWB_WORK_ALL | Maintain tests | Execution, Reports, Tester Worklist |
| SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center-related functions and user interface. | Work Center Access |
| SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center-related functions and user interface. | Work Center Access |
| SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. | |
| SAP_SMWORK_ITEST | Allows access to the test management work center. | |
| SAP_SM_BI_EXTRACTOR | Extractor Framework authorization | In case of BW Reporting |
| SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of a remote BW scenario | BW reporting |
| SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation |
Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.
Technical composite role name: SAP_SOL_BW_AC_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 216
| Single Roles | Help Text ID | Mapping to Navigation Panel Views |
|---|---|---|
| SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reports |
| SAP_BI_TWB | AUTH_SAP_BI_E2E | |
| SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS | |
Application Consultant/Test Organizer
Application consultants are responsible for making sure that the Business Blueprint and software configuration are tailored to the business processes and that analysis and report requirements are fulfilled. They use their knowledge of proven business procedures to support them in these tasks. Application consultants also function as advisers and work closely with the rest of the project team. They also work in close cooperation with legacy system experts, when extraction of legacy data is necessary. The application consultant is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● maintain roadmaps
● display system landscape data
● maintain solutions
● maintain business blueprint and business configuration
● create transport requests
● maintain training materials
● maintain test plans
● process mass data for test plans
● execute test workbench info
● maintain test workbench settings
● execute tests
● set up BW reports, generate views and display BW reports
● execute and administer eCATTs
● execute BW reports
Single roles included in composite role (technical role name: SAP_SOL_AC_COMP)
Table 217
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: Only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_ALL | Contains full authorization for solutions. You use solutions in transaction SOLMAN_DIRECTORY, for instance with the check-out/check-in function (solution to maintenance project and maintenance project to solution). | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_ADMIN | Contains full authorization for the Solution Directory (transaction SOLMAN_DIRECTORY) and the maintenance of solutions on the solution settings tab. | Test Evaluation, Execution, Reports
SAP_SOLAR01_ALL | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Execution, Reports, Test Preparation
SAP_SOLAR02_ALL | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Execution, Reports, Test Preparation
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Execution, Reports, Test Evaluation, Test Preparation
SAP_SOL_TRAINING_EDIT | Contains full authorization for Learning Maps access. Caution: Only relevant for Implementation and Upgrade. |
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: Only relevant for Implementation and Upgrade. |
SAP_STWB_2_ALL | Maintain test plans and test packages, including eCATT authorization for background job usage and foreground execution. Caution: This role contains S_DEVELOP execution and administration authorization. | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_INFO_ALL | Maintain information relating to tests | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_SET_ALL | Maintain central test workbench settings | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_WORK_ALL | Maintain tests | Execution, Reports, Tester Worklist
SAP_STCE_ALL | Execute and administer eCATTs | See Common Task section
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface |
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_ITEST | Allows access to the test management work center. |
SAP_SM_BI_EXTRACTOR | Relevant for BI reporting for Test Management | BW reporting
SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of remote BW scenario |
SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation
Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.
Technical composite role name: SAP_SOL_BW_RO_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 218
Single Roles | Help Text ID | Mapping to Navigation Panel Views
SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reports
SAP_BI_TWB_REPORTING | AUTH_SAP_BI_E2E |
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS |
Basis/Development Consultant (technical role name: SAP_SOL_BC_COMP)
Development consultants work with the project manager and the application consultant on the planning and organization of the authorization concept. They also perform development tasks and customer-specific developments. The development consultant is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● maintain roadmaps
● display system landscape data
● display solutions
● maintain business blueprint and business configuration
● create transport requests
● display test plans
● display test workbench info
● display test cases
Single roles included in composite role
Table 219
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_EXE | Contains authorization for roadmap maintenance. Caution: Only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Test Evaluation, Execution, Reports
SAP_SOLAR01_EXE | Contains full authorization for business blueprint (transaction SOLAR01). Allows you to build your business processes and steps. | Execution, Reports, Test Preparation
SAP_SOLAR02_EXE | Contains full authorization for business configuration (transaction SOLAR02). Allows you to add all necessary configuration information to your business processes and steps. | Execution, Reports, Test Preparation
SAP_SOL_KW_ALL | Contains full authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Execution, Reports, Test Evaluation, Test Preparation
SAP_SOL_TRANSPORT_EXE | Contains authorization to create transport requests. Caution: Only relevant for Implementation and Upgrade. |
SAP_STWB_2_DIS | Display test plans and test packages | Log, Reports, Test Evaluation, Test Plan Management
SAP_STWB_INFO_DIS | Display information related to tests | Log, Reports, Test Evaluation, Test Plan Management
SAP_STWB_WORK_DIS | Display tester's worklist | Log, Reports, Tester Worklist
SAP_SMWORK_BASIC_IMP | Contains full authorization for work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface |
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_ITEST | Allows access to the test management work center. |
SAP_SUPPDESK_CREATE | To create Service Desk messages | Indirectly required in view Test Preparation
Display User
The display user is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● display roadmaps
● display system landscape data
● display solutions
● display business blueprint and business configuration
● display test-related activities
● display BW reports
● display eCATTs
Single roles included in composite role (technical role name: SAP_SOL_RO_COMP)
Table 220
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_DIS | Contains authorization for displaying roadmaps. Caution: Only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Test Evaluation, Execution, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Execution, Reports, Test Preparation
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. | Execution, Reports, Test Preparation
SAP_SOL_KW_DIS | Contains display authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders). | Execution, Reports, Test Preparation
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Execution, Reports, Test Evaluation, Test Preparation
SAP_STWB_INFO_DIS | Display information related to tests | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STWB_2_DIS | Display test plans and test packages | Execution, Reports, Test Evaluation, Test Plan Management
SAP_STCE_DIS | Display eCATTs | See Common Task section
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface |
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_ITEST | Allows access to the test management work center. |
SAP_SM_BI_EXTRACTOR | Relevant for BI reporting for Test Management | In case of BW reporting
SAP_SM_BI_BILO | Authorization to restrict BI reporting access in case of remote BW scenario |
Note: If you want to use the Test Management Dashboard, you additionally need to assign single role SAP_SM_DASHBOARDS_DISP_TWB.
Technical composite role name: SAP_SOL_BW_AC_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 221
Single Roles | Help Text ID | Mapping to Navigation Panel Views
SAP_BI_E2E_TWB | AUTH_SAP_BI_E2E | Reporting
SAP_BI_TWB | AUTH_SAP_BI_E2E |
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DIS |
Read-Only User (According to Document Status) (technical role name: SAP_SOL_RE_COMP)
The read-only user is allowed to:
● access the Implementation work center and Test Management work center
● display projects
● display roadmaps
● display system landscape data
● display solutions
● display business blueprint and business configuration
● display test-related activities
Note: In contrast to the display user, the read-only user can access documents according to the Customizing of the document status.
Single roles included in composite role
Table 222
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_RMMAIN_READ | Contains authorization for roadmaps according to the document status. Caution: Only relevant for Implementation and Upgrade. |
SAP_SMSY_DIS | Contains display authorizations for the system landscape in transaction SMSY, including logical components. | Execution, Reports, Test Preparation
SAP_SM_SOLUTION_DIS | Contains display authorization for solutions. | Test Plan Management, Tester Worklist, Test Evaluation, Execution, Reports
SAP_SOLMAN_DIRECTORY_DISP | Contains display authorization for the Solution Directory (transaction SOLMAN_DIRECTORY). | Test Evaluation, Execution, Reports
SAP_SOLAR01_DIS | Contains display authorization for business blueprint (transaction SOLAR01). Allows you to display business processes and steps. | Execution, Reports, Test Preparation
SAP_SOLAR02_DIS | Contains display authorization for business configuration (transaction SOLAR02). Allows you to display all necessary configuration information for your business processes and steps. |
SAP_SOL_KW_READ | Contains authorization for Document Management within transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY (Knowledge Warehouse folders) according to the document status. |
SAP_SOL_PROJ_ADMIN_DIS | Contains display authorization for project management. | Execution, Reports, Test Evaluation, Test Preparation
SAP_STWB_INFO_READ | Display information related to tests |
SAP_STWB_2_READ | Display test plans and test packages |
SAP_SMWORK_BASIC_IMP | Contains full authorization for implementation work center related functions and user interface. | Work Center Access
SAP_SMWORK_BASIC_TEST_MAN | Contains full authorization for test management work center related functions and user interface |
SAP_SMWORK_IMPL | Allows access to the implementation and upgrade work center. |
SAP_SMWORK_ITEST | Allows access to the test management work center. |
Common Task Panel in the Work Center
The common task area contains links to the following applications:
Easy Test Automation
To use easy test automation, you need authorization for transaction STCE: role SAP_STCE_*.
Extended Test Automation
For extended test automation, you need authorization for transaction SECATT.
Create Test Plan
To create test plans, you need role SAP_STWB_2_ALL, and for project authorization role SAP_SOL_PROJECT_ADMIN_*.
22.3.2 Main Authorization Objects
In this section the main authorization objects are explained. For detailed information, see the SDN Wiki for Authorizations.
Authorization Object S_TWB
Authorization object S_TWB is the main authorization object for Test Management. In the relevant roles for Test Management, the authorization object is maintained specifically. It must always be assigned in addition to the project and document management authorizations.
Figure 102: S_TWB in Role SAP_STWB_2_ALL
The first maintained instance is relevant for test cases; the second, with value TWB3T, is relevant for eCATT.
22.4 User Roles for Additional Functions
22.4.1 User Roles for Test Workbench Workflow
The workflow functionality can specify and start actions at specified events in the test management process or during testing.
User Roles
The user role for test workbench workflow needs to be assigned to the user in addition to the respective composite role.
Test Workbench Workflow
Table 223
Role | Remark
SAP_STWB_WORKFLOW_ADMIN | Full authorization
SAP_STWB_WORKFLOW_CREATE | Authorization to create actions
SAP_STWB_WORKFLOW_DIS | Display authorization
CRM Standard Customizing
The workflow functionality is based on CRM, and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers a standard CRM customizing, which is also maintained in the individual CRM authorization objects for workflow. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.
Transaction Types
Table 224
Transaction Type | Usage | Remarks
TWSQ | Test Sequence Procedure (Test Organizer) | supported; status profile TWSQ0001 is used in authorization objects B_USERSTAT and B_USERST_T
TWTP | Test Plan Tester Procedure (Test Organizer) | supported; status profile TWTP0001 is used in authorization objects B_USERSTAT and B_USERST_T
Authorization Objects
The main CRM authorization objects are included in the corresponding roles. For details, see the Core Security Guide, section on CRM integration.
22.4.2 User Roles for Extended Capabilities
You use test case work items to assign incorrect or unfinished test cases to a responsible person for further maintenance. This person can display these test cases as so-called work items in the inbox.
User Roles
Table 225
Role | Remark
SAP_STWB_WITC_CREATE | Authorization to create or maintain work items
SAP_STWB_WITC_EXE | Authorization to maintain work items as responsible person, but not to create new ones
SAP_STWB_WITC_ADMIN | Administration authorization
SAP_STWB_WITC_DIS | Display authorization
CRM Standard Customizing
The workflow functionality is based on CRM and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM Customizing, which is also maintained in the individual CRM authorization objects for workflow. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.
Transaction Types
Table 226
Transaction Type | Usage | Remarks
TWTC | Test case maintenance | supported; status profile TWTC0001 is used in authorization objects B_USERSTAT and B_USERST_T
Authorization Objects
CRM - Authorization Objects
The standard CRM authorization objects are used. For details, see the Core Security Guide, section on CRM integration.
Authorization object SM_TSTMGNT
This authorization object controls whether a Test Case work item can be created or changed.
22.4.3 User Roles for CBTA (Component-Based Test Automation)
Component-Based Test Automation (CBTA) is an optional SAP software component that can be installed on SAP Solution Manager. It allows the creation, use and maintenance of automated tests. Such tests can execute on various systems under test (SUT). CBTA supports the following kinds of SUT:
● SAP SUT based on ABAP technology, for example SAP GUI, CRM Web UI, Web Dynpro ABAP, and so on.
● SAP SUT running non-ABAP technology, like Web Dynpro Java, BSP, and so on.
● SAP SUT running a mix of ABAP and non-ABAP technology, like Java-ABAP double stacks, Portal, and so on.
● Non-SAP SUT, like 3rd party servers running Web technology, and so on.
CBTA use cases:
● without TBOM creation (BPCA integration)
● with TBOM creation
Configuration
You can configure CBTA in transaction SOLMAN_SETUP. The configuration can be executed using user SMC_CBTA_<SID>, which you can create in the Basic Settings step Create Configuration User.
Note: The systems under test must not be production systems.
Caution: Role SAP_SM_CBTA_CONFIG contains transaction SM30 with authorization object S_TABU_DIS value &NC& (no authorization group). The table that is maintained is ECCUST_ET, which is used for registering the CBTA tool. See SAP Note 1976897 to maintain a specific authorization group for the table.
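As an added example that is not from the SAP guide, the following Python script applies the S_TABU_DIS caution above, together with the S_DEVELOP caution on SAP_STWB_2_ALL in Table 217, to a constructed extract shaped like table AGR_1251 (role authorization values); the authorization names (T-...) and the Z_ roles are constructed sample values.

```python
"""Audit role authorization values for the two cautions in this chapter.

Added example, not part of the SAP guide. Input is a constructed, tab-separated
extract shaped like table AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
The authorization names (T-...) and the Z_ roles are constructed sample values.
"""
from collections import defaultdict

# Constructed sample extract: role, object, authorization instance, field, low, high.
SAMPLE_AGR_1251 = """\
SAP_SM_CBTA_CONFIG\tS_TCODE\tT-CB000100\tTCD\tSM30\t
SAP_SM_CBTA_CONFIG\tS_TABU_DIS\tT-CB000101\tACTVT\t02\t
SAP_SM_CBTA_CONFIG\tS_TABU_DIS\tT-CB000101\tDICBERCLS\t&NC&\t
SAP_STWB_2_ALL\tS_DEVELOP\tT-ST000200\tACTVT\t16\t
SAP_STWB_2_ALL\tS_DEVELOP\tT-ST000200\tOBJTYPE\tECAT\t
Z_CBTA_CONFIG_FIXED\tS_TABU_DIS\tT-ZC000100\tACTVT\t02\t
Z_CBTA_CONFIG_FIXED\tS_TABU_DIS\tT-ZC000100\tDICBERCLS\tZCBT\t
Z_DISPLAY_ONLY\tS_TABU_DIS\tT-ZD000100\tACTVT\t03\t
Z_DISPLAY_ONLY\tS_TABU_DIS\tT-ZD000100\tDICBERCLS\t&NC&\t
Z_DISPLAY_ONLY\tS_DEVELOP\tT-ZD000101\tACTVT\t03\t
"""


def parse_agr_1251(text):
    """Group rows into {(role, object, auth): {field: [(low, high), ...]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 6:
            raise ValueError(f"expected 6 columns, got {len(cols)}: {line!r}")
        role, obj, auth, field, low, high = cols[:6]
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def value_covers(values, wanted):
    """True if any LOW/HIGH pair grants `wanted`: '*' grants everything,
    an empty HIGH means a single value, otherwise LOW..HIGH is a range."""
    for low, high in values:
        if low == "*":
            return True
        if high and low <= wanted <= high:
            return True
        if not high and low == wanted:
            return True
    return False


def audit_roles(auths):
    """Return (role, object, auth, reason) tuples for the cautions named in the guide."""
    findings = []
    for (role, obj, auth), fields in sorted(auths.items()):
        if obj == "S_TABU_DIS":
            # Guide caution: SM30 with S_TABU_DIS &NC& maintains every table that has no
            # authorization group; the remedy is an own group for ECCUST_ET (SAP Note 1976897).
            if value_covers(fields.get("DICBERCLS", []), "&NC&") and value_covers(
                fields.get("ACTVT", []), "02"
            ):
                findings.append((role, obj, auth,
                                 "change access (ACTVT 02) to tables without authorization group (&NC&)"))
        elif obj == "S_DEVELOP":
            # Guide caution: SAP_STWB_2_ALL carries S_DEVELOP execution/administration
            # authorization; anything beyond display (ACTVT 03) is worth reviewing in a test role.
            beyond_display = [f"{low}-{high}" if high else low
                              for low, high in fields.get("ACTVT", [])
                              if not (low == "03" and not high)]
            if beyond_display:
                findings.append((role, obj, auth,
                                 "S_DEVELOP activities beyond display: " + ", ".join(beyond_display)))
    return findings


def flagged_roles(text):
    """Convenience wrapper: the set of role names with at least one finding."""
    return {role for role, _, _, _ in audit_roles(parse_agr_1251(text))}


if __name__ == "__main__":
    for role, obj, auth, reason in audit_roles(parse_agr_1251(SAMPLE_AGR_1251)):
        print(f"{role}: {obj} [{auth}] {reason}")
```

The two Z_ roles show the expected outcome of the guide's remedy: the copy that points ECCUST_ET at its own authorization group and the display-only role produce no finding.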
Used RFC Connections and Users
Note: For detailed information, see SAP Note 1763697.
In general, the scenario uses the RFCs as defined in transaction SOLMAN_SETUP.
To enable automated testing, information needs to be persisted on SAP Solution Manager so that the CBTA application can communicate with the SUT. For this purpose, the SUT Management Application allows you to define:
1. System under Test which is the subject of the test
○ SUT based on ABAP technology: an RFC destination with a technical user maintained is used
○ SUT not based on ABAP technology: a URL is to be provided to identify the SUT
2. User ID for the scenario execution
○ SUT based on ABAP technology: provision is mandatory
○ SUT not based on ABAP technology: provision is optional
User credentials are persisted in the Secure Password Storage.
Regardless of which scenario you use, the following RFC connections are in place between your SAP Solution Manager system (TCE) and your managed system (SUT):
● READ RFC: SM_<SID>_CLNT<Client>_READ with technical user SM_<SID>
● RFC: TST_<SUTSID>_CLNT<Client> with technical user TST_SUT_<SolutionManagerSID>
● Trusted (can also be Login) RFC destination as defined in the Target System of the SDC
● BACK RFC with BACK RFC user
Data Flow Information
Creation / Maintenance of Test Profiles (Design Time): user Test Coordinator/Administrator
1. Selection of the System Data Container (SDC) to be used
2. Import of the chosen SDC definition into the SUT Management Application. This creates an enhanceable structure SDC – SDC Target Systems – System Roles.
3. Definition of SDC enhancements in SUT Management per available System Role.
Usage of Test Profiles in Test Scripts (Runtime)
1. Creation of tests in the Test Composition Environment (TCE):
○ Selection of underlying SDC and Target System
○ Selection of appropriate Test Profile
○ Execution of the Recording Wizard (records the business scenario processed on the SUT, automatically creates the Test Script components from the recorded scenario, and persists them in the Test Repository)
2. Execution of previously created tests from within TCE.
3. Maintenance of previously created tests from within TCE.
Note: For both the recording and the execution scenario, sessions must be opened on the SUT. For this session opening, data from tables of the SUT Management Application is retrieved. Execution authorization is required to access that data at runtime.
Technical System User on the managed system: TST_SUT_<SolutionManagerSID> (SUT)
To be able to work with CBTA, you need to have a system user TST_SUT_<SolutionManagerSID> in place for the respective RFC TST_<SUTSID>_CLNT<Client>. This user needs the following roles:
Technical User Roles
Table 227
Role | Help Text ID
SAP_TST_AGENT_RFC | AUTH_SAP_TST_AGENT_RFC
SAP_CRM_TST_RFC (optional). Note: If your managed system is a CRM-based system, you need to add role SAP_CRM_TST_RFC. Download this role from your SAP Solution Manager system onto your PC, then upload it in your CRM system. You need to maintain the authorization objects, generate the profile, and execute the user comparison. | AUTH_SAP_CRM_TST_RFC
SAP_SM_TCE_RFC. Note: See SAP Note 1907764. | AUTH_SAP_SM_TCE_RFC
SAP_WDA_TST_RFC. Note: If your managed system is a WD-ABAP-based system. | AUTH_SAP_WDA_TST_RFC
Authorization for Trusted RFC between SAP Solution Manager and Managed System (SUT)
In case of BPCA integration, the end-user on the Solution Manager system and in the managed system are assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Test Engineer (Help Text ID: TP_CBTA_TE)
User Roles in the SAP Solution Manager System
Composite role technical name: SAP_CBTA_EXE_COMP
Table 228
Role | Help Text ID
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SM_SUTMAN_EDIT | AUTH_SAP_SM_SUTMAN_EDIT
SAP_SM_CBTA_EDIT | AUTH_SAP_SM_CBTA_EDIT
SAP_SM_CBTA_TRANSPORT | AUTH_SAP_SM_CBTA_TRANSPORT
SAP_STCE_ALL | AUTH_SAP_STCE_ALL
Test Coordinator (Help Text ID: TP_CBTA_TC)
User Roles in the SAP Solution Manager System
Composite role technical name: SAP_CBTA_ADMIN_COMP
Table 229
Role | Help Text ID
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SM_SUTMAN_ADMIN | AUTH_SAP_SM_SUTMAN_ADMIN
SAP_SM_CBTA_ADMIN | AUTH_SAP_SM_CBTA_ADMIN
SAP_SM_CBTA_TRANSPORT | AUTH_SAP_SM_CBTA_TRANSPORT
SAP_STCE_ALL | AUTH_SAP_STCE_ALL
Test Engineer (Help Text ID: TP_CBTA_DIS)
User Roles in the SAP Solution Manager System
Composite role technical name: SAP_CBTA_DISPLAY_COMP
Table 230
Role | Help Text ID
SAP_SMWORK_BASIC_TEST_MAN | AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_SMWORK_ITEST | AUTH_SAP_SMWORK_ITEST
SAP_SM_SUTMAN_DIS | AUTH_SAP_SM_SUTMAN_DIS
SAP_SM_CBTA_DIS | AUTH_SAP_SM_CBTA_DIS
SAP_STCE_DIS | AUTH_SAP_STCE_DIS
SUT Management Role for Managed System Users
User Roles in the Managed Systems (SUT)
Table 231
Role | Help Text ID
Business Relevant Application Role |
Note: If you integrate CBTA with BPCA due to TBOMs, assign the user roles for BPCA (SAP_SM_BPCA_TBOM) to your users; see the security guide for Business Process Change Analyzer in this document, chapter User Description and User Roles.
Run Library Manager (RTL) Integration
The role SAP_SM_TST_RTL_DEV can be assigned to the Test Engineer user who is allowed to use RTL Management.
The RTL Manager is a client-side tool that allows you to customize the VB script libraries that CBTA uses at runtime when recording and executing test scripts. The CBTA runtime library is stored centrally in the MIME repository of the SAP Solution Manager system. The folder SAP/PUBLIC/CBTA in transaction SE80 (MIME Repository) contains the official runtime library (CBASE.zip) that SAP delivers. Additional files are stored at that location when a customization is submitted.
The RTL Manager provides the ability to write additional custom functions that test scripts may need when automating the test of business scenarios where the common approach (based on default components) is not sufficient. When a CBTA test script is executed, the VB script code corresponding to the test is sent from the SAP Solution Manager MIME repository to the client computer and executed using the VB script interpreter. The Runtime Library is a set of VB scripts providing helper classes, functions and procedures that are necessary to simulate actions normally performed by a regular user. Default components are components performing atomic operations against UI elements. The Runtime Library (RTL) comes with default components for all the UI technologies that CBTA supports. With the help of the RTL Manager, the following is possible:
● The developer can check out the runtime library to the local file system in order to modify it, adding custom code at the foreseen locations.
● When the custom code is finalized, the developer can save the modifications back to the SAP Solution Manager MIME Repository. This makes the libraries available to other testers as well.
● By transporting the changes, the developer can also update the libraries on further Solution Manager systems in the landscape.
BPCA TBOM Integration
If you integrate CBTA with BPCA due to TBOMs, assign the user roles for BPCA (SAP_SM_BPCA_TBOM) to your users, see security guide for Business Process Change Analyzer in this document chapter User Description and User Roles.
CRM Standard Customizing
The workflow functionality is based on CRM and uses CRM Customizing such as transaction types, action profiles, and so on. SAP delivers a standard CRM customizing, which is also maintained in the individual CRM authorization objects for workflow. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard Customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.
Transaction Types
Table 232
Transaction Type | Usage | Remarks
TWTC | Test case maintenance | supported; status profile TWTC0001 is used in authorization objects B_USERSTAT and B_USERST_T
Critical Authorization Objects
S_TABU_NAM
Authorization object S_TABU_NAM allows display of table RFC_READ_TABLE (in configuration role for configuration user). This table is used to determine which scenarios are relevant in the setup.
SM_SUTMNGT
This authorization object controls access and execution for SUT Management. The activities are checked for SUT Management definitions for the explicitly listed System Data Containers:
● Execute: usage of SUT Management Test Profiles and the defined user credentials in test cases.
● Maintain: creation, modification and deletion of definitions in SUT Management.
● Check: verification of definitions in SUT Management (credentials, technical destination).
● Import: enables all SDC import activities into SUT Management.
The activities do not have dependencies and can be granted independently.
Scenario Integration
SUT Management is integrated with the CBTA capability of SAP Solution Manager, and CBTA is integrated with Test Management as an external tool. It can be invoked via:
● Test Composition Environment
● Transaction STCE
● Transaction SECATT
● Solution Manager Projects (test configuration in transaction SOLAR02)
● Test Packages in Test Plans
22.5 Scenario Integration
Test Management refers to the phase in your product life-cycle when you test and validate your business processes by means of projects. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions, which come into play in your daily business, such as handling of problems, and so on. The following sections describe the integration of test management with other scenarios within SAP Solution Manager, and which user roles would be applicable.
Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Business Process Change Analyzer (BPCA)
In the business blueprint and configuration transactions of SAP Solution Manager, users (for instance the application consultant) can record TBOMs for the Business Process Change Analysis. To be able to do so, you need to assign your user the required BPCA roles: SAP_SM_BPCA_TBOM_ALL (generating TBOMs) and SAP_SM_BPCA_RES_ALL (analyzing results).
In the managed systems, you need to assign the according application-specific authorizations to your users.
Incident Management
In the business blueprint and configuration, users can create service desk messages. To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE. For processing damaged test case incidents, use composite role SAP_SUPPDESK_PROCESS_COMP.
Note: If you are a service provider, you need to assign the corresponding service provider roles. For more information, see the specific Service Provider Guide.
22.6 External Integration
22.6.1 Tool with BC-eCATT Integration
You can integrate an external test tool with eCATT.
Roles for eCATT Integration
Table 233
Role | Remarks
SAP_ECET | Authorization for saving and loading test scripts with eCATT. This role is automatically assigned during technical user generation, see IMG activity Generate User (technical name: SOLMAN_ETEST_USER); assigned to technical user of type Service, for instance SM_ECATT
SAP_SM_ECET | Authorization to use the Test Automation Framework (TAF); must be assigned manually to technical user of type Service, for instance SM_ECATT
Note: Both roles are assigned to the generated user, for instance SM_ECATT.
Figure 103
22.6.2 Quality Center by HP
Quality Center creates test plans and test cases for a project, and executes and monitors tests. The project structure or the documents can be transferred to it in the Blueprint phase. Quality Center (QC) holds the tests in test projects. Each HP test project comprises a structure that contains business requirements and business test requirements.
Technical Users for External Integration
Table 234
User (Password) | Type | Remarks
Integration user (customer-specific) | Service User | Technical user for the web service; assigned role SAP_QC_INTERFACE
QCALIAS (customer-specific) | System User | Technical user for WSDL access; assigned role SAP_QC_WSDL_ACCESS
End-User Roles
Table 235
Name | Remarks
SAP_QC_BY_HP_ADMIN | Full authorization to configure, send and receive data to/from Quality Center; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_PM_COMP
SAP_QC_BY_HP_EXE | Authorization to use the Requirements tab in transaction SOLAR01; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_AC_COMP
SAP_QC_BY_HP_DISP | Display authorization; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_RO_COMP
SAP Quality Center by HP (Defect Management)
Table 236
Name | Type | Remarks
SAP_SUPPDESK_INTERFACE | ABAP | Authorization for the bi-directional interface and its configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN.
Recommendation: To restrict the services that can be accessed, maintain authorization field SRV_NAME in authorization object S_SERVICE. Enter only the following services:
● ICT_SERVICE_DESK_API*
● ICT_SERVICE_DESK_API_MQC*
Quality Center integration user (Defect Management), for instance DEFECTMAN | System User | Technical user for data exchange; assigned roles SAP_SUPPDESK_INTERFACE and SAP_SUPPDESK_ADMIN
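The recommendation above is easy to state and easy to get wrong in a role copy (a single "*" or a prefix one character too short silently re-opens every web service). The following Python check is an added example, not SAP code and not part of this guide: it models SAP authorization field values (a literal value, or a value ending in "*" that matches any suffix) and flags every S_SERVICE/SRV_NAME value of a role that grants more than the two patterns named above. The ROLE_* dictionaries are constructed test data. One caveat: PFCG stores S_SERVICE service names as hash values (table USOBHASH maps hash to name), so resolve them to names before applying a check like this to a real role.

```python
"""Least-privilege check for S_SERVICE/SRV_NAME in an interface role.

Added example, not SAP code and not part of this guide. It models SAP
authorization field values (a literal value, or a value ending in '*' that
matches any suffix) and verifies that a role's S_SERVICE values never grant
more than the two service-name patterns recommended above. The ROLE_*
definitions are constructed test data. Caveat: PFCG stores S_SERVICE
service names as hash values (table USOBHASH maps hash to name); resolve
them to names before applying a check like this to a real role.
"""

ALLOWED_SRV_NAME = ("ICT_SERVICE_DESK_API*", "ICT_SERVICE_DESK_API_MQC*")


def is_subsumed(role_value: str, allowed: str) -> bool:
    """True if every service the role value can match is also matched by the
    allowed pattern. Only a trailing '*' acts as a wildcard, as in SAP
    authorization values; a role wildcard is covered only by an allowed
    wildcard whose prefix is at most as long as the role's prefix."""
    role_is_wildcard = role_value.endswith("*")
    role_prefix = role_value[:-1] if role_is_wildcard else role_value
    if allowed.endswith("*"):
        return role_prefix.startswith(allowed[:-1])
    return not role_is_wildcard and role_value == allowed


def excessive_service_values(role_auths: dict, allowed=ALLOWED_SRV_NAME) -> list:
    """Return the S_SERVICE/SRV_NAME values of a role that are not covered by
    any allowed pattern. role_auths maps authorization object -> field ->
    list of values, the shape PFCG shows on the Authorizations tab."""
    values = role_auths.get("S_SERVICE", {}).get("SRV_NAME", [])
    return [v for v in values if not any(is_subsumed(v, p) for p in allowed)]


# Constructed roles (not SAP-delivered values).
ROLE_WIDE_OPEN = {"S_SERVICE": {"SRV_TYPE": ["WS"], "SRV_NAME": ["*"]}}
ROLE_TOO_BROAD = {"S_SERVICE": {"SRV_TYPE": ["WS"],
                                "SRV_NAME": ["ICT_SERVICE_DESK_AP*"]}}
ROLE_RESTRICTED = {"S_SERVICE": {"SRV_TYPE": ["WS"],
                                 "SRV_NAME": ["ICT_SERVICE_DESK_API*",
                                              "ICT_SERVICE_DESK_API_MQC*"]}}


def audit(roles: dict) -> dict:
    """Map role name -> list of excessive SRV_NAME values (empty = compliant)."""
    return {name: excessive_service_values(auths) for name, auths in roles.items()}


if __name__ == "__main__":
    results = audit({"Z_WIDE": ROLE_WIDE_OPEN, "Z_BROAD": ROLE_TOO_BROAD,
                     "Z_OK": ROLE_RESTRICTED})
    for name, bad in results.items():
        print(f"{name}: {'compliant' if not bad else 'excessive ' + str(bad)}")
```

The subsumption rule is the point: a role value is acceptable only if everything it could ever match is also matched by an allowed pattern, which is why "ICT_SERVICE_DESK_AP*" (one character short) is reported even though it looks similar to the recommended value.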
Figure 104
22.6.3 IBM Rational Test Management Tool
Configuration
Figure 105: Transaction SPRO
Technical User Roles
Table 237
Role | Remarks
SAP_TMT_INTERFACE | Authorization for the technical user of the web service
SAP_TMT_WSDL_ACCESS | Authorization for the technical user for WSDL access, for instance TMTALIAS
User Roles
Table 238
Role | Remarks
SAP_TMT_ADMIN | Full authorization to configure, send and receive data; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_PM_COMP
SAP_TMT_EXE | Authorization to use the Requirements tab in transaction SOLAR01; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_AC_COMP
SAP_TMT_DISP | Display authorization; needs to be assigned in addition to the relevant composite role for test management, for instance SAP_SOL_RO_COMP
Authorization Objects
Authorization Object S_PROJ_GEN
The roles contain project authorization object S_PROJ_GEN with the following values:
● GTAD: Assign the External Testing Tool project (only if you use the External Testing Tool Adapter for Solution Manager). Used in project administration (transaction SOLAR_PROJECT_ADMIN: Edit, Connection to the External Testing Tool).
● GTPU: Send data to the External Testing Tool project (only if you use the External Testing Tool Adapter for Solution Manager). Used in Business Blueprint (transaction SOLAR01: Business Blueprint, Send Data to the External Testing Tool).
23 Scenario-Specific Guide: Business Process Change Analyzer
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). The Business Process Change Analyzer supports this implementation and upgrade process within various use cases, for instance:
● Dynamic TBOM (Technical Bill of Material) recording
● TBOM creation via third-party test tools and test cases
● Web services for external test tool integration
The function allows you to evaluate automatically the impact of changes on your business processes, using trace information.
23.1 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 239
Support Package Stack | Area | Description
SP05 | General | Business Process Change Analyzer and SAP TAO are configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. All users defined by SAP as default templates can therefore be created automatically within this procedure. The following users are created:
● Scenario Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can later be used to configure the corresponding scenario in transaction SOLMAN_SETUP.
● Standard Template Users: Standard users for the process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as "demo" standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes require customizing because of a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system and the required managed system.
Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document Text ID in the system.
For more information, see the Landscape Setup Guide, section User Generation.
| Scenario Configuration | Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
| End-User Roles | In composite role SAP_BPCA_EXE_COMP, role SAP_SM_BPCA_RES_ALL is replaced by SAP_SM_BPCA_RES_DIS.
● Added display CRM integration role SAP_BPCA_CRM_INTEGRATION to the composite roles (does not include CRM WebUI integration); see the section on Users and Authorizations.
| Scenario Integration | New composite role for integration with Change Request Management, SAP_SM_CRMWEBUI_INT_DIS_COMP; see the corresponding section.
| SAP TAO Integration |
● New role SAP_TAO_CRM_TAO for managed SAP CRM systems; see the section on SAP TAO integration.
● Updated role SAP_SM_TAO_RFC with new authorization object SM_TAO; for details, see the Description tab of the role.
● Updated role SAP_TAO_AGENT_RFC with new authorization object S_TAO_SVC and a further extension with authorization object S_TABU_DIS; for details, see the Description tab of the role.
● New composite roles for the end user (SAP_TAO_COMP) and for the configuration user (SAP_TAO_CONF_COMP).
SP10 | End-User Roles | The following roles have been adapted. For more information on the authorization adaptations in the roles, see the Menu tab of the respective role:
● SAP_BPCA_CONFIG
● SAP_BPCA_RES*
● SAP_BPCA_TBOM*
● New additional composite roles SAP_SM_BW_BPCA_*_COMP for BW-related functions (integrated in template creation in transaction SOLMAN_SETUP) for the users Quality Expert and Business Process Expert. For more information, see the section on User Definition and Roles.
| SOLMAN_SETUP Template Users |
● Template users for Solution Manager extended for BW-related functions
● Template users introduced for managed systems (see the step description)
SP11 | General | Added new section on Additional Security Measures.
SP12 | End-User Roles | The following roles have been adapted. For more information on the authorization adaptations in the roles, see the Menu tab of the respective role:
● SAP_SM_BPCA_TBOM_*
● SAP_WDA_TST_RFC
SP13 | End-User Roles | The following role has been adapted (for more information, see the Menu tab of the role): SAP_SM_BPCA_TBOM (managed systems). The section on critical authorizations was extended because of the additional authorization objects S_TRANSPRT and S_DEVELOP.
23.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario in your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● CRM Standard Customizing: find out about mandatory customizing entries delivered by SAP.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out which authorizations you need to assign to your users for these cases.
23.3 Prerequisites
23.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete scenario. SAP Solution Manager is connected to your managed systems via READ RFC and TRUSTED RFC (alternatively LOGIN RFC), and your managed systems are connected to SAP Solution Manager via BACK RFC. Optionally, you can attach a third-party product to SAP Solution Manager via the specified connections. The following sections describe all connections in more detail: when they are used, and which technical users are required.
Figure 106: Infrastructure
23.3.2 Scenario Configuration User
The BPCA scenario and the SAP TAO scenario integration are configured using transaction SOLMAN_SETUP.
To configure the scenario, proceed as follows:
Creating the Configuration User in Basic Configuration (Transaction SOLMAN_SETUP)
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, such as:
● Business Blueprint (including graphics), using transaction SOLAR01
● Configuration (including graphics), using transaction SOLAR02
During basic automated configuration, you can create:
● a specific configuration user (default user name: SMC_BPCA_<XXXClient>) for BPCA (Help Text ID: USER_CONFIG_BPCA)
● a specific configuration user (default user name: SMC_TAO_<XXXClient>) for SAP TAO (Help Text ID: USER_CONFIG_TAO)
The system automatically adds all relevant user roles. The authorizations in these roles are fully maintained by the automated configuration.
If you create the configuration users manually, the composite roles SAP_BPCA_CONF_COMP (for BPCA) and SAP_TAO_CONF_COMP (for SAP TAO) contain all single roles that are otherwise assigned automatically to the configuration users.
Note: To be able to create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
Scenario Configuration (Transaction SOLMAN_SETUP)
● To configure the Business Process Change Analyzer and its third-party integration, use transaction SOLMAN_SETUP.
● To configure SAP TAO, use transaction SOLMAN_SETUP. During the specific guided configurations, you can create standard template users. The system automatically adds all relevant user roles; see the sections on Users and User Roles, and on SAP TAO Integration.
Note: As of SP05, you can also configure the scenario using transaction SPRO.
23.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Caution: Because the use cases involve tracing information in managed systems, it is highly recommended to configure SAP Solution Manager and the managed systems carefully, and to use only SAP-recommended roles and authorizations.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 240
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Communication Destinations
The table below gives an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: Managed Systems); see the Landscape Setup Guide.
Table 241
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed system | System-specific | Customer-specific | Customer-specific | Used if trusted RFC is not used
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed system | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data such as business functions, transport requests, Support Packages, repository objects, and so on from the managed systems for BPCA analysis
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed system | System-specific | System-specific | Customer-specific | Optional, as the LOGIN RFC connection can also be used. Needed for TBOM recording of automatic test cases (traces), and for SAP TAO
RFC Connection from Managed System to SAP Solution Manager
Table 242
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager system | System-specific | System-specific | SMB_<managed system ID> | For recording of automated test cases, to receive trace information about which functions in which managed systems were analyzed | Created automatically via transaction SOLMAN_SETUP (view: Managed Systems)
Internet Graphics Server (IGS) RFC Connection
Table 243
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered server program (program: IGS.<SID>) | Manually in transaction SM59
Business Warehouse RFC Connections
Table 244
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in the BW standard scenario; for content activation) | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient> (if BW is realized in a remote BW scenario system; for content activation and data download) | Managed system or Solution Manager system | System-specific | System-specific | | In transaction SOLMAN_SETUP
MDX PARSER (used for the creation of semi-dynamic TBOMs) | | | | |
23.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the BPCA scenario.
User for READ Access in Managed Systems
Table 245
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user ("READ user") for read access; assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP; see the Landscape Setup Guide.
Caution: During automatic basic configuration, the system generates a password for this user. If you change the password of this user in User Management (transaction SU01), you also need to change the password in the corresponding RFC destination in the Solution Manager system.
User for TBOM Recording of Automatic Test Cases
Table 246
User (Password) | Remarks
TBOM recording user (name and password customer-specific) | Technical user of type System User, used to record TBOMs of automatic test cases; assigned role SAP_BPCA_ECATT_COMP. See also IMG activity Create user for TBOM recording of automated test cases (technical name: SOLMAN_BPCA_USERAUT).
Note: To use this function, you need to have a trusted RFC connection in place.
23.4 CRM Standard Customizing
An optional use case of the BPCA scenario (TBOM Recording Work Items) is based on CRM 7.01 and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM customizing, which is also maintained in the individual CRM authorization objects for BPCA. The following table gives you an overview of the transaction types used by BPCA.
Caution: If you copy SAP standard customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on maintaining authorization objects.
Transaction Types
Table 247
Transaction Type | Usage | Remarks
SMTB | Product Update | The transaction type is delivered with action profile SMTB0001. All actions assigned to this action profile follow the naming convention <SMTB>.
23.5 Users and Authorizations
To enable your users to work with the application, you need to assign them authorizations in the SAP Solution Manager system and in the managed systems.
When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions, on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the corresponding roles.
Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.
Roles for Business Process Change Analyzer (BPCA) are predefined composite roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
23.5.1 User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their user role assignments for BPCA. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. The view Administration is only visible for the Quality Expert; here, authorization object S_TCODE with value SPRO is necessary. Access in the navigation panel is restricted using authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
Figure 107: Test Management Work Center
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the respective single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFC between SAP Solution Manager and BW - System
In case of a remote BW - connection, the user in the SAP Solution Manager system must be assigned trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW - system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Authorizations in Managed Systems
All users need the corresponding application authorizations in the managed system, and role SAP_SM_BPCA_TBOM for recording activities.
For Business Process Change Analyzer, you need to assign authorizations in the managed system depending on the application you are using there. In addition, when you use the trusted RFC connection, you need to assign authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL) to your user. This authorization object is not included in profile SAP_ALL, so it is only ever granted deliberately; keep its field values (calling system, client, user) as narrow as the trust relationship requires.
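S_RFCACL is checked on the target user in the trusting system, and its field values, not the trust relationship itself, decide who may log on as that user without a password. The following Python model is an added example (not SAP code, not part of this guide) for both trusted-RFC paragraphs above (Solution Manager to managed system, and Solution Manager to BW): it evaluates a simplified version of the S_RFCACL check and contrasts a wildcard authorization with the narrow one SAP recommends (specific system and client, RFC_EQUSER = Y, RFC_USER blank). Assumptions: only a trailing "*" is a wildcard, value ranges are ignored, and with RFC_EQUSER = Y the calling user ID must equal the target user ID while with N the RFC_USER value is compared instead. All system IDs, clients and user names are constructed.

```python
"""Model of the S_RFCACL check on the trusting side of a trusted RFC connection.

Added example, not SAP code and not part of this guide. A trust
relationship (transaction SMT1) only says which calling system is trusted;
S_RFCACL on the target user in the trusting system decides which calling
system, client and user ID may log on as that user without a password.
Simplifications (assumptions of this example): only a trailing '*' is a
wildcard, value ranges are ignored, and with RFC_EQUSER = 'Y' the calling
user ID must equal the target user ID, while with 'N' the RFC_USER value
is compared instead. System IDs, clients and user names are constructed.
"""
from dataclasses import dataclass


def value_matches(auth_value: str, actual: str) -> bool:
    """SAP-style field comparison: '*' matches everything, a trailing '*'
    matches any suffix, anything else must be equal."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


@dataclass(frozen=True)
class RfcAcl:
    """One S_RFCACL authorization instance (field names as in the object)."""
    rfc_sysid: str     # calling system ID
    rfc_client: str    # calling client
    rfc_user: str      # calling user ID; ' ' when RFC_EQUSER = 'Y'
    rfc_equser: str    # 'Y': calling user ID must equal the target user ID
    rfc_tcode: str     # transaction in the calling system
    actvt: str = "16"  # 16 = Execute


def trusted_logon_allowed(acls, calling_sysid, calling_client,
                          calling_user, target_user, tcode) -> bool:
    """True if at least one S_RFCACL instance of the target user permits the
    password-less logon from (calling_sysid, calling_client, calling_user)."""
    for acl in acls:
        if acl.actvt != "16":
            continue
        if not (value_matches(acl.rfc_sysid, calling_sysid)
                and value_matches(acl.rfc_client, calling_client)
                and value_matches(acl.rfc_tcode, tcode)):
            continue
        if acl.rfc_equser == "Y":
            if calling_user == target_user:
                return True
        elif value_matches(acl.rfc_user, calling_user):
            return True
    return False


# Constructed examples. Solution Manager SM1 client 001 is the calling
# (trusted) system; the managed system holds the target user QEXPERT.
ACL_WILDCARD = [RfcAcl("*", "*", "*", "N", "*")]         # '*' in every field
ACL_RECOMMENDED = [RfcAcl("SM1", "001", " ", "Y", "*")]  # same user, one system/client


def compare_acls():
    """Return (wildcard_allows_foreign_user, recommended_allows_foreign_user,
    recommended_allows_same_user) for the constructed landscape."""
    foreign = ("XY9", "100", "ATTACKER", "QEXPERT", "SOLAR01")
    same = ("SM1", "001", "QEXPERT", "QEXPERT", "SOLAR01")
    return (trusted_logon_allowed(ACL_WILDCARD, *foreign),
            trusted_logon_allowed(ACL_RECOMMENDED, *foreign),
            trusted_logon_allowed(ACL_RECOMMENDED, *same))


if __name__ == "__main__":
    print(compare_acls())  # (True, False, True)
```

The first tuple element is the risk the guide's warning about SAP_ALL points at: a wildcard S_RFCACL lets any user in any system that is merely listed as trusted log on as QEXPERT without a password. The recommended instance permits only the same user ID, from one system and one client.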
Note: To run TBOM recording, authorization object S_ADMI_FCD with value PADM is required. This authorization allows process administration functions such as changing profile parameters at run time. You can remove this authorization from the role if you set the following required profile parameters in advance (see also SAP Note 2138643):
● rstr/accept_remote_trace = true: This parameter should be set on all managed systems that are potentially accessed by RFC from the primary managed system where the TBOM is recorded.
● rstr/send_global_trace = true: This parameter needs to be set only on the primary managed system where the TBOM recording starts.
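PADM is a wide administrative authorization to leave on a recording role, so the note above is worth turning into a repeatable check. The following Python snippet is an added example (not SAP code, not part of this guide): it applies the stated rule to a snapshot of profile parameter values (send_global_trace on the primary system, accept_remote_trace on every system reached from it by RFC) and checks whether a copy of the managed-system role still carries PADM. The SNAPSHOT, system IDs and ROLE_* data are constructed; in practice the values would be collected from each system, for example with report RSPFPAR. Treating any value other than "true" (case-insensitive) as not set is an assumption of this example.

```python
"""Decide whether S_ADMI_FCD/PADM can be dropped from the TBOM recording role.

Added example, not SAP code and not part of this guide. The note above says
PADM is needed only so that TBOM recording can switch the trace parameters
on at run time; if rstr/send_global_trace is already true on the primary
managed system and rstr/accept_remote_trace is true on every system that
system reaches by RFC, the authorization can be removed. The functions
below apply exactly that rule to a snapshot of parameter values and check
whether a role still carries PADM. The snapshot, system IDs and role data
are constructed; in practice the values would be collected from each
system (for example with report RSPFPAR). Treating any value other than
'true' (case-insensitive) as not set is an assumption of this example.
"""

PRIMARY_PARAM = "rstr/send_global_trace"
REMOTE_PARAM = "rstr/accept_remote_trace"


def _is_true(value) -> bool:
    return value is not None and value.strip().lower() == "true"


def padm_removal_blockers(snapshot: dict, primary: str, remote_systems) -> list:
    """Return (system, parameter) pairs that still have to be set to 'true'
    before S_ADMI_FCD/PADM may be removed. An empty list means it is safe."""
    blockers = []
    if not _is_true(snapshot.get(primary, {}).get(PRIMARY_PARAM)):
        blockers.append((primary, PRIMARY_PARAM))
    for sid in remote_systems:
        if not _is_true(snapshot.get(sid, {}).get(REMOTE_PARAM)):
            blockers.append((sid, REMOTE_PARAM))
    return blockers


def role_grants_padm(role_auths: dict) -> bool:
    """True if the role carries authorization object S_ADMI_FCD with the
    value PADM (or a wildcard that covers it)."""
    values = role_auths.get("S_ADMI_FCD", {}).get("S_ADMI_FCD", [])
    return any(v in ("PADM", "*") for v in values)


# Constructed landscape: ER1 is the primary recording system; CR1 and BW1
# are reached from it by RFC during the recorded test case.
SNAPSHOT = {
    "ER1": {PRIMARY_PARAM: "true", REMOTE_PARAM: "true"},
    "CR1": {REMOTE_PARAM: "TRUE"},
    "BW1": {REMOTE_PARAM: "false"},
}
# Constructed copy of the managed-system role before and after hardening.
ROLE_BEFORE = {"S_ADMI_FCD": {"S_ADMI_FCD": ["PADM", "ST0R"]}}
ROLE_AFTER = {"S_ADMI_FCD": {"S_ADMI_FCD": ["ST0R"]}}


def hardening_verdict(snapshot, primary, remote_systems, role) -> str:
    """Combine both checks into one statement for an audit report."""
    blockers = padm_removal_blockers(snapshot, primary, remote_systems)
    if blockers:
        missing = ", ".join(f"{sid}:{param}" for sid, param in blockers)
        return f"keep PADM; parameters not yet set: {missing}"
    if role_grants_padm(role):
        return "parameters set; PADM can now be removed from the role"
    return "hardened: parameters set and role no longer grants PADM"


if __name__ == "__main__":
    print(hardening_verdict(SNAPSHOT, "ER1", ["CR1", "BW1"], ROLE_BEFORE))
    print(hardening_verdict(SNAPSHOT, "ER1", ["CR1"], ROLE_BEFORE))
    print(hardening_verdict(SNAPSHOT, "ER1", ["CR1"], ROLE_AFTER))
```

The list of remote systems is the part that needs care: it must contain every system the recorded test case can reach by RFC from the primary system, not just the ones in the current TBOM, otherwise a later recording fails once PADM is gone.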
Authorization Object S_TRANSPRT
BPCA must be able to look at the content of all transport requests in order to analyze them and to perform the obsolescence check for TBOMs. Therefore, the field for the transport type is not restricted.
Authorization Object S_DEVELOP
BPCA must be able to gather information such as package, ACH component and versions for any development object in a system, for TBOM recording, the obsolescence check, and BPCA analysis. Therefore, fields such as package or object type are not restricted.
Quality Expert (Help Text ID: TP_BPCA_QE)
Technical composite role name SAP_BPCA_ALL_COMP in the Solution Manager system/client
Table 248
Single Roles Help Text ID
SAP_SM_BPCA_TBOM_ALL AUTH_SAP_SM_BPCA_TBOM_ALL
SAP_SM_BPCA_RES_ALL AUTH_SAP_SM_BPCA_RES_ALL
SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL
SAP_STWB_WORK_ALL AUTH_SAP_STWB_WORK_ALL
SAP_STWB_2_ALL AUTH_SAP_STWB_2_ALL
SAP_SOL_PROJ_ADMIN_DIS AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_EDIT AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SOLAR01_ALL AUTH_SAP_SOLAR01_ALL
SAP_SOLAR02_ALL AUTH_SAP_SOLAR02_ALL
SAP_SOL_KW_ALL AUTH_SAP_SOL_KW_ALL
SAP_SMWORK_BASIC_TEST_MAN AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_SMWORK_ITEST AUTH_SAP_SMWORK_ITEST
SAP_BPCA_CRM_INTEGRATION AUTH_SAP_BPCA_CRM_INTEGRATION
Technical composite role name: SAP_SM_BW_BPCA_ADMIN_COMP in the BW system/client
In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.
Table 249
Single Roles Help Text ID
SAP_BI_E2E_BPCA AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
Business Process Expert (Help Text ID: TP_BPCA_BPE)
Technical composite role name SAP_BPCA_EXE_COMP in the Solution Manager system/client
Table 250
Single Roles Help Text ID
SAP_SM_BPCA_TBOM_EXE AUTH_SAP_SM_BPCA_TBOM_EXE
SAP_SM_BPCA_RES_DIS AUTH_SAP_SM_BPCA_RES_DIS
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_ALL AUTH_SAP_STWB_WORK_ALL
SAP_SOL_PROJ_ADMIN_DIS AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_DISP AUTH_SAP_SOLMAN_DIR_DIS
SAP_SOLAR01_ALL AUTH_SAP_SOLAR01_ALL
SAP_SOLAR02_ALL AUTH_SAP_SOLAR02_ALL
SAP_SOL_KW_ALL AUTH_SAP_SOL_KW_ALL
SAP_SMWORK_ITEST AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN AUTH_SAP_SMWORK_BASIC_TEST_M
Technical composite role name: SAP_SM_BW_BPCA_DISPLAY_COMP in the BW system/client
In case you use remote BW scenario, these roles must be assigned to the user with the same user ID and Password in the BW system.
Table 251
Single Roles Help Text ID
SAP_BI_E2E_BPCA AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Display User (Help Text ID: TP_BPCA_DIS)
Technical composite role name SAP_BPCA_DIS_COMP in the Solution Manager system/client
Table 252
Single Roles Help Text ID
SAP_SM_BPCA_TBOM_DIS AUTH_SAP_SM_BPCA_TBOM_DIS
SAP_SM_BPCA_RES_DIS AUTH_SAP_SM_BPCA_RES_DIS
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_DIS AUTH_SAP_STWB_WORK_DIS
SAP_SOL_PROJ_ADMIN_DIS AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOLMAN_DIRECTORY_DISP AUTH_SAP_SOLMAN_DIR_DIS
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_SOLAR02_DIS AUTH_SAP_SOLAR02_DIS
SAP_SOL_KW_DIS AUTH_SAP_SOL_KW_DIS
SAP_SMWORK_ITEST AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN AUTH_SAP_SMWORK_BASIC_TEST_M
SAP_BPCA_CRM_INTEGRATION AUTH_SAP_BPCA_CRM_INTEGRATION
ECATT user (Help Text ID: TP_BPCA_ECAT)
Technical composite role name SAP_BPCA_ECATT_COMP in the Solution Manager system/client
Table 253
Single Roles Help Text ID
SAP_SM_BPCA_TBOM_ALL AUTH_SAP_SM_BPCA_TBOM_ALL
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_STWB_WORK_DIS AUTH_SAP_STWB_WORK_DIS
SAP_STWB_2_ALL AUTH_SAP_STWB_2_ALL
SAP_SOL_PROJECT_ADMIN_DIS AUTH_SAP_PROJ_ADMIN_DIS
SAP_SOL_KW_DIS AUTH_SAP_SOL_KW_DIS
SAP_SMWORK_ITEST AUTH_SAP_SMWORK_ITEST
SAP_SMWORK_BASIC_TEST_MAN AUTH_SAP_SMWORK_BASIC_TEST_M
Common Task Panel in the Work Center
The common task area contains links to the applications that are used:
Easy Test Automation
To use easy test automation, you need authorization for transaction STCE; see the scenario-specific guide for Test Management.
Extended Test Automation
For extended test automation, you need authorization for transaction STCE; see the scenario-specific guide for Test Management.
Create Test Plan
To create test plans, you need role SAP_STWB_2_ALL and, for project authorization, role SAP_SOL_PROJECT_ADMIN_*.
23.6 Scenario Integration
BPCA refers to the phase in your product life-cycle in which you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions that come into play in your daily business, such as the handling of problems. The following sections describe the integration of BPCA with other scenarios within SAP Solution Manager, and which user roles apply.
Note: For more detail on each individual scenario, see the corresponding scenario-specific guide.
Test Management
BPCA is used to prepare the test phase. You can create test plans. To be able to create test plans, assign single role SAP_STWB_2_ALL.
Figure 108: Integration to Testplan and Optimize Test Scope
Change Request Management
You can run analyses for requests for change and change documents using BPCA. To see the details of documents, you can jump into the CRM WebUI directly. In addition to the basic BPCA composite roles, you require composite role SAP_SM_CRMWEBUI_INT_DIS_COMP. This composite role contains all relevant roles for this integration:
● SAP_SM_CRMUI_INTEGRATION_DIS (CRM authorizations)
● SAP_SM_CRM_UIU_SOLMANPRO (CRM Business Role without authorizations)
● SAP_SM_CRM_UIU_SOLMANPRO_CHARM (CHARM - related UIU_COMP authorizations)
● SAP_SM_CRM_UIU_FRAMEWORK (General UIU_COMP authorizations)
For more information, see scenario-specific guide for Change Request Management.
23.7 Additional Security Measures
This section gives you an overview of additional measures to protect against malicious use in BPCA use cases.
Restrict Trace File Access
Trace files are stored on the file system of the managed system. The application itself does not enforce that these files are read only by authorized users. Ensure, at infrastructure level (for example through file system permissions on the trace directory), that only an administrator is able to read traces.
Restrict Data Browser Access (Transaction SE16)
Access to the Table Data Browser can allow a user to view sensitive data. If application data with sensitive information is traced, exclude the respective table from SE16 access.
Recommendation: Trace only configuration information; otherwise, critical information from managed systems might be exposed.
24 Scenario-Specific Guide: Custom Code Life Cycle Management
24.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 254
Support Package Stacks (Version) | Description

SP05 | First version

SP06 | Users and Authorization
Role SAP_CCA_ALL shipped for managed system users.

SP10 | General
You can configure this scenario using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created within this procedure. The following users are created:
● CCML Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. You can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can later be used to configure the CCML settings within the view Customer Code Management in transaction SOLMAN_SETUP. For more information, see the adapted section Scenario Configuration User.
● Standard CCML Template Users: Standard template users for the CCML applications are created during the guided procedure of the CCML setup in transaction SOLMAN_SETUP. These users can be regarded as “demo” template users for this scenario. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your use of the application differs from the standard (for example, because of a different process or a different user differentiation), you must adapt the authorizations. The template users are created in the Solution Manager system and in the required BW system.
Because the standard template users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide refers only to the corresponding document text ID in the system. For more information, see the Landscape Setup Guide, section User Generation.
Users and Authorization
For detailed information on the authorization changes, see the description in the DESCRIPTION tab of the respective role.
● Added roles SAP_SM_SOLUTION_DIS, SAP_SYSTEM_REPOSITORY_DIS and SAP_SM_DASHBOARDS_CCM to the Solution Manager composite roles.
● Analogously, BW composite roles for CCM have been delivered. You find more information in section Users and Authorizations.
● New composite role SAP_CCM_CONF_COMP for the CCM configuration user delivered, with new single role SAP_SM_CCM_CONF.
● Adapted work center navigation role for CCLM: SAP_SMWORK_CCLM.
RFC Connections
● Instead of the READ RFC connection, the TMW RFC connection is used, because batch jobs run in the managed system and write access is required.

SP11 | End User Roles
For detailed information on the authorization changes, see the description in the DESCRIPTION tab of the respective role.
● Adapted role SAP_SM_CCM_CONFIG

SP12 | End User Roles
For detailed information on the authorization changes, see the description in the DESCRIPTION tab of the respective role.
● Adapted roles SAP_CCLM_* (ATC Monitoring integration). Updated sections: Technical System Landscape, Authorizations.
● Adapted role SAP_SM_CCM_CONFIG
● New role SAP_SM_DASHBOARDS_DISP_ICI (for iCI Dashboard integration) added to template users
24.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all information relevant to that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).
Custom Code Life-Cycle Management Use Cases
ATC Monitoring and Exemption Monitoring Integration
The CCLM infrastructure allows you to extract ATC messages and exemptions, providing transparency on the quality dimension of custom code objects. The Development Manager needs central access to all kinds of exemptions within a system landscape.
24.3 Prerequisites
24.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the CCLM scenario. SAP Solution Manager is connected to your managed systems via the READ RFC connection. The following sections describe the connection, when it is used, and which technical user is required.
Figure 109: CCLM Technical System Landscape
ATC and Exemption Monitoring Integration
ATC and Exemption Monitoring uses the Extractor Framework (EFWK). The ATC extractor reads the data (messages and exemptions) via the EFWK from the managed systems via RFC function modules (technical user: READ-user and READ RFC-connection). The data is then uploaded into the BW-system/client. The ATC monitoring comprises two parts:
● The ATC messages monitoring displays data read from the BW-system/client.
● The ATC Exemptions monitoring displays data read from BW-system/client, but also allows users with special authorizations to update the exemptions on the remote system via RFC-connection.
24.3.2 Scenario Configuration User
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
● the BW integration concept, see Core Guide chapter on BW Integration.
The scenario is configured using transaction SOLMAN_SETUP.
To configure the scenario, proceed as follows:
Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP
During the basic automated configuration, you can create a specific configuration user (default technical user name: SMC_CCM_<XXXClient>) for Custom Code Management (Help Text ID: USER_CONFIG_IM). The system automatically adds all relevant user roles. Authorizations in these roles are all fully maintained due to automated configuration.
If you want to create the configuration user manually, you need to assign:
● the composite role SAP_SUPPDESK_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as the managed system.
● the composite role SAP_BW_SUPPDESK_ADMIN_COMP which contains all single roles that are automatically assigned to the configuration user in the BW-system.
Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration Transaction SOLMAN_SETUP
You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Incident Management for ITSAM Service Management.
During the specific guided configuration you can create Standard template users. The system automatically adds all relevant user roles, see according sections on Users and User Roles.
24.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 255
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 256
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Reads data from the managed system, such as object lists, usage information, code inspector data, version of program information, and so on
24.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in this scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 257
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
24.4 Users and Authorizations
24.4.1 User Descriptions and User Roles in the SAP Solution Manager
This section gives an overview of the users recommended by SAP and their corresponding user role assignments. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which gives access to all tools necessary for that user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In case of a remote BW connection, the user in the SAP Solution Manager system must be assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Administrator User ID: CC_ADM_XXX (Help Text ID: TP_CC_ADMIN)
Corresponding composite role: SAP_CCLM_ALL_COMP in the Solution Manager system
Table 258
Single Roles Help Text ID
SAP_CCLM_ALL AUTH_SAP_CCLM_ALL
SAP_SMWORK_BASIC_CCLM AUTH_SAP_SMWORK_BASIC_CCLM
SAP_SMWORK_CCLM AUTH_SAP_SMWORK_CCLM
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_DASHBOARD_DISP_ICI AUTH_SAP_SM_DASHBOARD_DISP_ICI
SAP_SM_DASHBOARDS_DISP_CCM AUTH_SAP_SM_DASHBOARDS_CCM
Technical composite role name: SAP_BW_CCLM_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 259
Single Roles Help Text ID
SAP_BI_E2E_CCM AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
Managed system role
Table 260
Single Roles Remarks
SAP_CCA_ALL CCA full authorizations
Display User ID: CC_DIS_XXX (Help Text ID: TP_CC_DIS)
Corresponding composite role: SAP_CCLM_DISPLAY_COMP in the Solution Manager system
Table 261
Single Roles Help Text ID
SAP_CCLM_DISP AUTH_SAP_CCLM_DISP
SAP_SMWORK_BASIC_CCLM AUTH_SAP_SMWORK_BASIC_CCLM
SAP_SMWORK_CCLM AUTH_SAP_SMWORK_CCLM
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_DASHBOARDS_DISP_CCM AUTH_SAP_SM_DASHBOARDS_CCM
SAP_SM_DASHBOARD_DISP_ICI AUTH_SAP_SM_DASHBOARD_DISP_ICI
Technical composite role name: SAP_BW_CCLM_DISPLAY_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 262
Single Roles Help Text ID
SAP_BI_E2E_CCM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
iCI Dashboard
You can use the iCI Dashboard from within the CCM work center. This requires the Dashboard role for iCI in the SAP Solution Manager system, and the corresponding BW authorizations in the BW system. For testing purposes, you can use the template users for this scenario. For more information, see the scenario-specific guide for Measurement Platform.
ATC Monitoring
ATC Monitoring can be used within CCM. The application authorization is included in the CCM-roles. The application can be used separately from CCM, too. If you need to separate the ATC application due to Segregation of Duty, you need to do the following:
1. Create a new role, and add the ATC Web Dynpro applications to this role.
2. Assign the new role to your user.
3. Assign the following roles in addition:
○ SAP_SMWORK_* (navigation and BASIC roles)
○ SAP_SYSTEM_REPOSITORY_*
Trusted RFC Destination
ATC can also be used with the LOGIN RFC destination.
24.4.2 Authorizations
Custom Code Management
Relevant WebDynpro Applications
● AGS_CCL_DEFINITION
● AGS_CCL_OBJECTS
● AGS_CCL_SETTINGS
● AGS_CUSTOM_CODE
Additionally, transaction CCLM calls the work center WDA.
Authorization Object SM_CC_AUT
The authorization object contains all relevant activities for CCLM. It is checked when the transaction (WDA) is initially called. If activities are restricted, the corresponding activity buttons in the application are disabled.
ATC and Exemption Monitoring Integration
Authorization Object SM_ATC_APP
A special authorization is required to separate the display of ATC messages and exemptions from the change access needed to work with exemptions.
Users with display authorization can access both the ATC monitoring screen and the Exemption monitoring screen. However, in the Exemption monitoring screen, the buttons to validate or reject exemptions are greyed out; the user cannot click them. Users with administration authorization can access both the ATC and Exemption monitoring screens, and they can use the buttons to validate or reject the exemptions. The authorization object is included in the standard roles for CCLM: SAP_CCLM_*.
24.5 Background Jobs
The following background jobs run in the Solution Manager system: SM_CCL:<SID>_<INSTNO>. The job name is generated dynamically.
25 Scenario-Specific Guide: Scope and Effort Analyzer (SEA)
The business process life cycle spans all phases of the life cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). The Scope and Effort Analyzer supports the Test Management process.
The Scope and Effort Analyzer (SEA) allows you to analyze the impact of a Support Package or Enhancement Package without installing the corresponding software. The analysis relies on the functions Business Process Change Analyzer (BPCA), Maintenance Optimizer, and Custom Code Management (CCM) to calculate the impact; see the scenario-specific guides for these scenarios.
A SEA analysis is defined via a guided activity that collects all necessary input for the analysis. Afterwards, the analysis runs in the background. As soon as the analysis is finished, you can display the analysis result.
This guide gives you an overview of all relevant security-related issues for the scenario.
25.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 263
Support Package Stacks (Version) | Description
SP11 | First version
25.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. You might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all information relevant to that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out which authorizations you need to assign to your users for these cases.
25.3 Prerequisites
25.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete scenario.
In general, Scope and Effort Analyzer (SEA) uses the technical system landscape explained for the BPCA and CCM scenarios, since it is built on their infrastructure.
Within SEA functionality the following systems are used:
1. Update System (system for planned update)
2. Custom Code System (system to read custom developments and modifications)
3. Statistic System (system to read usage statistics)
4. Test System (system used for test scope optimization activities)
5. Solution Manager System
6. BW-System
7. SAP Backend
Figure 110: Infrastructure
25.3.2 Scenario Configuration User
The scenario relies heavily on the integration to the following scenarios:
● Maintenance Optimizer
● Custom Code Management
● Business Process Change Analyzer
At least Maintenance Optimizer and Custom Code Management should be configured to run SEA successfully. For configuration information and users, see the respective scenario-specific guides for both scenarios. All scenarios are configured using transaction SOLMAN_SETUP.
SICF Report Group
The SICF-report group to activate all relevant SICF-services is SM_SEA. For more information on SICF-report groups in SAP Solution Manager, see section on ICF Services in this guide.
25.3.3 Communication Channels and Destinations
During the guided activity for SEA analysis, systems are selected which are used during the analysis run. For these systems RFC-connections are needed as well as access to a BW-system.
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 264
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 265
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific | In case TRUSTED RFC is not used
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data such as business functions, transport requests, Support Packages, repository objects, and so on from the managed systems for BPCA analysis
SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | Optional, as the LOGIN RFC connection can also be used. Needed for TBOM recording of automatic test cases (traces)
RFC Connection from Managed System to SAP Solution Manager
Table 266
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | For recording of automated test cases, to receive trace information about which functions in which managed systems were analyzed | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
Internet Graphics Server (IGS) RFC Connection
Table 267
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59
Business Warehouse RFC Connections
Table 268
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE (if BW reporting is realized in a BW standard scenario; for content activation) | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient> (if BW is realized in a remote BW scenario system; for content activation and data download) | Managed System or Solution Manager System | System-specific | System-specific | | In transaction SOLMAN_SETUP
MDX PARSER (for ODBO BAPI, used for the creation of semi-dynamic TBOMs) | | | | |
25.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the BPCA scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 269
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, “READ User”, for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
TBOM Recording of Automatic Test Cases
User for TBOM recording of automatic test cases
Table 270
User (Password) | Remarks
TBOM recording user (name and password customer-specific) | Technical user of type system user to record TBOM of automatic test cases, assigned role SAP_BPCA_ECATT_COMP.
Note: To use this function, you need to have a trusted RFC connection in place. See also IMG activity Create user for TBOM recording of automated test cases (technical name: SOLMAN_BPCA_USERAUT).
25.4 User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for SEA. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which gives access to all tools necessary for that user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
Figure 111: Test Management Work Center
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In case of a remote BW connection, the user in the SAP Solution Manager system must be assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
Administrator
The administrator user is allowed to:
● access the Test Management work center
● create, restart, delete, display, and execute an analysis
● change an analysis result
● execute Maintenance Optimizer transactions
● execute changes in the details section for Test Management
Technical composite role name: SAP_SEA_ALL_COMP in the Solution Manager system/client
Table 271
Single Roles Remarks
SAP_SEA_ALL run SEA functionality
SAP_SM_BPCA_RES_ALL BPCA result analysis
SAP_SM_BPCA_TBOM_EXE BPCA TBOM
SAP_SM_SOLUTION_DIS solution display
SAP_MAINT_OPT_ADMIN Maintenance Optimizer administration (no XML)
SAP_SOL_PROJ_ADMIN_ALL project administration admin
SAP_SOLMAN_DIRECTORY_DISP Solution Directory display
SAP_SOL_KW_ALL KW full authorization
SAP_SMWORK_BASIC_TEST_MAN User Interface authorizations for WC
SAP_SMWORK_ITEST WC access
SAP_BPCA_CRM_INTEGRATION BPCA CRM integration
SAP_SYSTEM_REPOSITORY_DIS System Landscape display
Technical composite role name: SAP_SM_BW_CCM_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 272
Single Roles Remarks
SAP_BI_E2E_CCM BI data download for CCM
SAP_SM_BI_ADMIN BI administration
Display User
The display user is allowed to:
● access Test Management Work Center
● start the SEA functionality
● display SEA analysis
Technical composite role name: SAP_SEA_DIS_COMP in the Solution Manager system/client
Table 273
Single Roles Remarks
SAP_SM_BPCA_TBOM_DIS BPCA TBOM
SAP_SM_BPCA_RES_DIS BPCA result analysis display
SAP_SM_SOLUTION_DIS Solution display
SAP_SEA_DISPLAY SEA display
SAP_SOL_PROJ_ADMIN_DIS Project Administration display
SAP_SOLMAN_DIRECTORY_DISP Solution Directory display
SAP_SOL_KW_DIS KW display
SAP_SMWORK_ITEST Access to WC
SAP_SMWORK_BASIC_TEST_MAN User Interface for WC
SAP_SYSTEM_REPOSITORY_DIS System Landscape display
Technical composite role name: SAP_SM_BW_CCM_DISPLAY_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 274
Single Roles Remarks
SAP_BI_E2E_CCM BI data download CCM
SAP_SM_BI_DISP BI display
25.5 Authorization Objects
S_TABU_DIS
All tables and views start with prefix AGSSEA_* and are assigned to authorization group SEA.
SM_SEA
The field ACTVT of authorization object SM_SEA can have the following values:
● 01 – Create, execute and restart an analysis
● 02 – Change an analysis
● 03 – Display an analysis
● 06 – Delete an analysis
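The following added example (Python; not code from this guide or from SAP) shows how an AUTHORITY-CHECK on SM_SEA or S_TABU_DIS is evaluated against role content as it is exported from table AGR_1251: every field named in the check must be covered by one and the same authorization, a value may be a single value, a trailing-* pattern (with + as a single-character wildcard) or a LOW..HIGH range, and fields not named in the check are not tested. The roles Z_SEA_ALL, Z_SEA_DISPLAY and Z_SEA_SPLIT and their values are constructed for illustration, modeled on the SAP_SEA_ALL and SAP_SEA_DISPLAY roles but not reproducing their shipped content; Z_SEA_SPLIT shows why two authorizations in one role cannot be combined into a permission that neither grants on its own.

```python
"""Evaluate SAP-style AUTHORITY-CHECKs against role content exported from
table AGR_1251 (role, object, authorization, field, low, high).

Added example, not code from the SAP guide; the role content is constructed.
"""
import re

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
# An empty HIGH means a single value or pattern; a non-empty HIGH means a range.
AGR_1251 = [
    ("Z_SEA_ALL",     "SM_SEA",     "T-SEA01", "ACTVT",     "01",   ""),
    ("Z_SEA_ALL",     "SM_SEA",     "T-SEA01", "ACTVT",     "02",   ""),
    ("Z_SEA_ALL",     "SM_SEA",     "T-SEA01", "ACTVT",     "03",   ""),
    ("Z_SEA_ALL",     "SM_SEA",     "T-SEA01", "ACTVT",     "06",   ""),
    ("Z_SEA_ALL",     "S_TABU_DIS", "T-TAB01", "DICBERCLS", "SEA",  ""),
    ("Z_SEA_ALL",     "S_TABU_DIS", "T-TAB01", "ACTVT",     "02",   "03"),
    ("Z_SEA_DISPLAY", "SM_SEA",     "T-SEA02", "ACTVT",     "03",   ""),
    ("Z_SEA_DISPLAY", "S_TABU_DIS", "T-TAB02", "DICBERCLS", "SEA",  ""),
    ("Z_SEA_DISPLAY", "S_TABU_DIS", "T-TAB02", "ACTVT",     "03",   ""),
    # Two separate authorizations in one role: fields are never combined across
    # authorizations, so this role cannot change (02) tables in group SEA.
    ("Z_SEA_SPLIT",   "S_TABU_DIS", "T-TAB03", "DICBERCLS", "SEA",  ""),
    ("Z_SEA_SPLIT",   "S_TABU_DIS", "T-TAB03", "ACTVT",     "03",   ""),
    ("Z_SEA_SPLIT",   "S_TABU_DIS", "T-TAB04", "DICBERCLS", "&NC&", ""),
    ("Z_SEA_SPLIT",   "S_TABU_DIS", "T-TAB04", "ACTVT",     "02",   ""),
]


def load_authorizations(rows):
    """Group rows into role -> object -> authorization -> field -> [(low, high)]."""
    auths = {}
    for role, obj, auth, field, low, high in rows:
        (auths.setdefault(role, {}).setdefault(obj, {})
              .setdefault(auth, {}).setdefault(field, []).append((low, high)))
    return auths


def value_matches(requested, low, high):
    """Match one requested value against one maintained value.

    A non-empty HIGH is a LOW..HIGH range (compared as strings, as SAP does).
    '*' alone matches everything, a trailing '*' is a generic prefix, and '+'
    stands for exactly one character; any other '*' is taken literally.
    """
    if high:
        return low <= requested <= high
    if low == "*":
        return True
    body, generic = (low[:-1], True) if low.endswith("*") else (low, False)
    pattern = "".join("." if c == "+" else re.escape(c) for c in body)
    return re.fullmatch(pattern + (".*" if generic else ""), requested) is not None


def authority_check(auths, roles, obj, **fields):
    """True if any single authorization for obj in any of the roles covers every
    requested field value; fields not named in the check are not tested."""
    for role in roles:
        for auth_values in auths.get(role, {}).get(obj, {}).values():
            if all(any(value_matches(val, lo, hi) for lo, hi in auth_values.get(fld, []))
                   for fld, val in fields.items()):
                return True
    return False


AUTHS = load_authorizations(AGR_1251)

if __name__ == "__main__":
    for roles, obj, flds in [
        (["Z_SEA_DISPLAY"], "SM_SEA", {"ACTVT": "03"}),
        (["Z_SEA_DISPLAY"], "SM_SEA", {"ACTVT": "06"}),
        (["Z_SEA_SPLIT"], "S_TABU_DIS", {"DICBERCLS": "SEA", "ACTVT": "02"}),
    ]:
        print(roles, obj, flds, "->", authority_check(AUTHS, roles, obj, **flds))
```

The same evaluator answers the question behind the S_TABU_DIS note above: a user whose only S_TABU_DIS authorization names DICBERCLS = SEA with ACTVT = 03 can display the AGSSEA_* tables but not change them, and no second authorization with a different table group changes that.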
25.6 Scenario Integration
SEA refers to the phase in your product life-cycle when you analyze any changes made to your managed system to determine the scope of any test activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions which come into play in your daily business, such as handling of problems, and so on. The following sections describe the integration of SEA with other scenarios within SAP Solution Manager, and which user roles would be applicable.
Note: For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Maintenance Optimizer
Business Process Change Analyzer
Custom Code Management
26 Scenario-Specific Guide: IT Service Management
The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. During each of these phases, problems and incidents can occur which need to be solved. The aim of incident management is to restore normal service operation as soon as possible after a breakdown while minimizing the disturbance to business operations. Incident management allows customers or employees to contact the service desk when their IT-related devices or services are not working properly, or when requesting a service. You can use the incident management function in SAP Solution Manager to support problem and incident management. This guide gives you an overview of all relevant security-related issues for the service desk scenario.
In this guide, the scenario incident management can also be referred to as Service Desk or Help Desk.
Note: If you are a service provider, you also need to assign the corresponding service provider roles. For more information, see the Service Provider Guide.
Figure 112: Incident Management Use Cases
This security guide can be used for the use cases:
● Incident and Problem Management
● Incident Management with Third Party Integration
26.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 275
Support Package Stack (Version) | Description

SP05
General
Incident and Problem Management (sub-scenario to ITSAM Management) is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore all users defined by SAP as default templates can be created within this procedure. The following users are created:
● Incident Management Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. You can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on for configuring the Incident Management settings within ITSAM Management in transaction SOLMAN_SETUP.
● Standard Incident Management Template Users: Standard template users for the Incident Management process are created during the guided procedure of the ITSAM Management in transaction SOLMAN_SETUP. These users can be regarded as "demo" template users for Incident Management. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your Incident Management process requires customizing due to a different process or a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system and the required BW system.
Because the standard template users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide only refers to the corresponding document text ID in the system.
For more information, see the Landscape Setup Guide, section User Generation.
Scenario Configuration
Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
User Authorization Roles
● New composite role SAP_SUPPDESK_DISPATCHER_COMP with new CRM Business Role and Service Desk role for Dispatcher (the corresponding user is not created via SOLMAN_SETUP), see section Users and Authorizations.
● Shipped changes in single roles SAP_SUPPDESK_*. For detailed information, see the description tab in the roles.
● Role SAP_SM_CRM_UIU_FRAMEWORK extended due to new CRM Business Navigation Roles.
● Extended composite role SAP_SUPPDESK_CREATE_COMP with additional CRM Business Navigation Role and User Interface role SAP_SM_CRM_UIU_SOLMANPRO_CREA for authorization object UIU_COMP, see section Users and Authorizations.
● CMDB-related authorization objects are added to single roles SAP_SUPPDESK_*, see the description tab in the roles. For more information on CMDB, see the Core Guide.
Authorization Objects
Added value CRMC in authorization object S_TABU_DIS.
CRM Navigation Roles
Two additional CRM Business roles shipped:
● SAP_SM_CRM_UIU_SOLMANREQU mapped to business role SOLMANREQU
● SAP_SM_CRM_UIU_SOLMANDSPTCH mapped to business role SOLMANDSPTCH
Adapted role SAP_SM_CRM_UIU_SOLMANPRO_ADMIN
CRM Customizing
Additional transaction types SMRQ and SMRT added to relevant roles, see section CRM Customizing.

SP06
Additional Template User
It is possible to create the Dispatcher User using transaction SOLMAN_SETUP.

SP07
CRM Customizing
Additional transaction type KNAR added to relevant roles.

SP08
End-User Roles
The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.
● SAP_SUPPDESK_*CREATE
● SAP_SM_CRM_UIU_SOLMANPRO_PROC and SAP_SM_CRM_UIU_SOLMANPRO_ADMIN
● SAP_SUPPDESK_CONFIG

SP10
General
● New section on Additional Security Measures.
End-User Roles
The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.
● SAP_SUPPDESK_*

SP12
End-User Roles
The following roles have been adapted regarding authorization objects and/or field values. For more information, see the description tab in the roles.
● SAP_SUPPDESK_CONFIG
● SAP_SMWORK_INCIDENT_MAN (Best Practice link)
26.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers scenario-specific security guides per scenario, which cover all relevant information for that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide, and about documentation links for any additional components.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other. For other application links, see the core security guide.
● CRM WebClient UI: find out about the main aspects to be considered for the new CRM WebClient UI, such as the concept of Business Roles, User Interface authorization objects, and so on.
● CRM Standard Customizing: find out about the new transaction types for CRM, and the related customizing entries which are relevant for CRM authorization objects.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles which represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
● External Integration: for many scenarios, you can also integrate third-party products or other SAP products. Here, you can find out which authorizations you need to assign to your users for these cases.
26.3 Prerequisites
26.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the Incident Management scenario. SAP Solution Manager is connected to your managed systems via the READ RFC destination, and your managed systems are connected to SAP Solution Manager via the BACK RFC destination. To connect to SAP, the destinations SAP-OSS and SAP-OSS-LIST-O01 are used. The following sections describe all connections in more detail: when they are used and which technical users they require.
Figure 113: Infrastructure
26.3.2 Scenario Configuration User
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
● the BW integration concept, see Core Guide chapter on BW Integration.
The scenario is configured using transaction SOLMAN_SETUP.
To configure the scenario proceed as follows:
Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you can already send a service desk message to SAP. For more information, see the Landscape Setup Guide.
During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_IM_<XXXClient>) for Incident Management (Help Text ID: USER_CONFIG_IM). The system automatically adds all relevant user roles; the authorizations in these roles are fully maintained by the automated configuration.
If you want to create the configuration user manually, you need to assign:
● the composite role SAP_SUPPDESK_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
● the composite role SAP_BW_SUPPDESK_ADMIN_COMP which contains all single roles that are automatically assigned to the configuration user in the BW system.
Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration Transaction SOLMAN_SETUP
You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Incident Management for ITSAM Service Management.
During the specific guided configuration you can create Standard template users. The system automatically adds all relevant user roles, see according sections on Users and User Roles.
26.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 276
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Third Party Service Desk | SOAP over HTTP(S) | Data Exchange
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see the Landscape Setup Guide.
Table 277
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Used during setup of incident management, and during operations when generating business partners
RFC Connection from Managed System to SAP Solution Manager
Table 278
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | Generating Support Messages from managed systems (table: BCOS_CUST) | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
BW Reporting RFC Connection
Table 279
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific |
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific | | in transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient>, BI-Callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer specific) | in transaction SOLMAN_SETUP
Trusted RFC to remote BW system SAP_BILO | remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog User | Used to read data from remote BW for BI Reporting, created during SOLMAN_SETUP
RFC Connections from SAP Solution Manager to SAP
Table 280
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | in transaction SOLMAN_SETUP
SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | in transaction SOLMAN_SETUP
SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Automatically created, see IMG activity Set Up SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO). Note: For more information on Service Provider-specific settings, see the Service Provider Guideline.
TREX RFC Connections
Table 281
RFC Destination Name | Activation Type | How Created
TREX_<server> (ABAP connection) | Registered Server Program (program TREXRfcServer_<instance number>) | Manually in transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO)
IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) |
IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) |
Internet Graphics Server (IGS) RFC Connection
Table 282
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59
26.3.4 Technical Users for RFCs
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.
User for Back-Destination in SAP Solution Manager System
Table 283
User (Password) | Type | Remarks
SMB_<managed system ID> (system-specific) | System User | Technical user "Back User"; assigned role <namespace>_SOLMAN_BACK. It is automatically created during basic configuration via transaction SOLMAN_SETUP, see the Landscape Setup Guide
Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01) of the Solution Manager system, you need to change the password in the BACK RFC destination in the managed system as well (the destination SM_<SID>CLNT<Client>_BACK that logs on with this user, see Table 278).
User for READ Access in Managed Systems
Table 284
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user "READ User" for read access and extractor execution in case of BW reporting, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see the Landscape Setup Guide
Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01) of the managed system, you need to change the password in the READ RFC destination in the Solution Manager system as well.
Users for BW Reporting
Table 285
User | User Type | Remarks
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP
SMD_BI_RFC (in case of remote BW) | System User | Technical user for data download
SM_EFWK | System User | Technical user for extractor execution
Caution: During automatic basic configuration, the system automatically generates a password for user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
User for Third Party Service Desk
Table 286
User (Password) | Type | Remarks
customer-specific user, for instance DEFECTMAN | Communication User | Technical user for the web service; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE
26.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)
Users who communicate with the SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact assigned in SAP Solution Manager. You maintain this mapping in table AISUSER (transaction AISUSER). The contact corresponds to the S-user in the SAP Support Portal, without the leading S.
Caution: The S-user for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorization for Service Desk and Expert on Demand.
More Information
see IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)
26.3.6 S-User Authorization for Service Desk and Expert on Demand
Your S-user needs the following authorizations for SAP Support Portal functions.
S-User Authorization
Table 287
Activity | Authorization
Create message | ANLEG: Create SAP message
Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message
Confirm messages | QUITT: Confirm SAP message
Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area
26.4 CRM Standard Customizing for Solution Manager
The Incident Management scenario is based on CRM 7.01 and uses CRM customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM customizing, which is also maintained in the individual CRM authorization objects for Incident Management. The following tables give you an overview of the transaction types used.
Caution: If you copy the SAP standard customizing (for example, to create your own transaction types), you also need to add the changed values to the corresponding CRM authorization objects for the scenario; otherwise the delivered roles do not cover the copied values. See also the How-to Guide on how to maintain authorization objects.
Transaction Types (old)
Recommendation: We recommend using the new transaction types.
Table 288
Transaction Type | Usage | Remarks
SLFN | Standard Service Desk | supported
SIST | Standard Service Desk | supported
SIVA | Service Request for Service Provider (VAR) | supported
SISV | Service Request for Software Partners (ISV) | supported
Transaction Types (new)
Table 289
Transaction Type | Usage | Remarks
SMIN | CRM Service Request | supported
SMIV | Service Request for Service Provider (VAR) | supported
SMIS | Service Request for Software Partners (ISV) | supported
SMIT | Template for SMIN transaction types | supported
SMPR | Problem | supported
SMPT | Template for problems | supported
SMRQ | Service Request | supported
SMRT | Service Request Template | supported
KNAR | Knowledge Article | supported
26.5 Users and Authorizations
To enable your end users to work with the application, you need to assign them authorizations in the SAP Solution Manager system.
To fulfill their respective tasks, an end user (key user) needs to be able to create incidents and display them. The processor of this message, who can be part of a local support team, needs to be able to create as well as process already created messages. SAP delivers recommended user descriptions for these user types, on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You need to first define which tasks the individual members in your company execute, and then adjust the corresponding roles.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for the service desk are predefined composite roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 114: Incident Management Process
26.5.1 User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their user role assignments for the service desk (incident management). All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see Core Security guide chapter on User Interface Authorizations.
Figure 115: Work Center Incident Management
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFC between SAP Solution Manager and BW-System
In the case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
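The following added example (Python; not code from this guide or from SAP) is the check a practitioner would run on the content of the S_RFCACL roles named here, in the Scope and Effort Analyzer section and in the configuration-user section before assigning them: it reads AGR_1251-style role content and flags every S_RFCACL authorization in which RFC_SYSID or RFC_CLIENT is generic, or in which RFC_USER is generic while RFC_EQUSER is not restricted to Y. With RFC_EQUSER = Y the trusting system accepts a trusted call only for the identical user ID, which is the reason the guide requires the same user ID in the BW system; a generic RFC_USER combined with RFC_EQUSER = N or * lets any user of the trusting system log on as this user. The roles Z_SM_BW_S_RFCACL and Z_TRUST_ALL and their field values are constructed for illustration and are not the shipped content of SAP_SM_S_RFCACL or SAP_SM_BW_S_RFCACL.

```python
"""Audit S_RFCACL (trusted-RFC) authorizations exported from table AGR_1251
for over-broad field values.

Added example, not code from the SAP guide; the role content is constructed.
"""

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
ROWS = [
    # Tight: only calls from system SM1, client 001, and only for the identical
    # user ID (RFC_EQUSER = Y, RFC_USER left blank) are accepted.
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_SYSID",  "SM1", ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_CLIENT", "001", ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_USER",   " ",   ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_EQUSER", "Y",   ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_TCODE",  "*",   ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "RFC_INFO",   "*",   ""),
    ("Z_SM_BW_S_RFCACL", "S_RFCACL", "T-RFC01", "ACTVT",      "16",  ""),
    # Loose: any trusting system, any client, any user may log on as this user.
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_SYSID",  "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_CLIENT", "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_USER",   "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_EQUSER", "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_TCODE",  "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "RFC_INFO",   "*",   ""),
    ("Z_TRUST_ALL",      "S_RFCACL", "T-RFC02", "ACTVT",      "16",  ""),
]


def s_rfcacl_authorizations(rows):
    """Collect the maintained values of every S_RFCACL authorization:
    (role, authorization) -> field -> set of values (ranges shown as LOW..HIGH)."""
    auths = {}
    for role, obj, auth, field, low, high in rows:
        if obj == "S_RFCACL":
            value = f"{low}..{high}" if high else low
            auths.setdefault((role, auth), {}).setdefault(field, set()).add(value)
    return auths


def is_generic(values):
    """True if the field accepts everything or a whole prefix (trailing '*')."""
    return "*" in values or any(v.endswith("*") for v in values)


def audit_s_rfcacl(rows):
    """Return findings as (severity, role, authorization, message), worst first."""
    findings = []
    for (role, auth), fields in s_rfcacl_authorizations(rows).items():
        get = lambda f: fields.get(f, set())
        # A generic RFC_USER only stays harmless if RFC_EQUSER is exactly Y, because
        # then the trusting system still insists on the identical calling user ID.
        if is_generic(get("RFC_USER")) and get("RFC_EQUSER") != {"Y"}:
            findings.append(("CRITICAL", role, auth,
                             "RFC_USER is generic while RFC_EQUSER is not restricted to Y"))
        if is_generic(get("RFC_SYSID")):
            findings.append(("HIGH", role, auth, "RFC_SYSID accepts any calling system"))
        if is_generic(get("RFC_CLIENT")):
            findings.append(("HIGH", role, auth, "RFC_CLIENT accepts any calling client"))
    rank = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, role, auth, message in audit_s_rfcacl(ROWS):
        print(f"{severity:8} {role:20} {auth:8} {message}")
```

RFC_TCODE and RFC_INFO are deliberately not flagged: they restrict the calling transaction and the connection identifier, and are routinely left generic. The tight authorization pins the calling system and client and keeps RFC_EQUSER = Y, which is the shape to expect when you inspect SAP_SM_S_RFCACL and SAP_SM_BW_S_RFCACL in transaction PFCG before assigning them.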
Administrator (Help Text ID: TP_IM_ADMIN)
Technical composite role name: SAP_SUPPDESK_ADMIN_COMP in the Solution Manager system/client
Table 290
Single Roles Help Text ID
SAP_SUPPDESK_ADMIN AUTH_SAP_SUPPDESK_ADMIN
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SMWORK_BASIC_INCIDENT AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
Technical composite role name: SAP_BW_SUPPDESK_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 291
Single Roles Help Text ID
SAP_BI_E2E_SD AUTH_SAP_BI_E2E
SAP_BW_SPR_REPORTING AUTH_SAP_BW_SPR_REPORT
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
Processor (Help Text ID: TP_IM_PROC)
Technical composite role name: SAP_SUPPDESK_PROCESS_COMP in the Solution Manager system/client
Table 292
Single Roles Help Text ID
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
SAP_SMWORK_BASIC_INCIDENT AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
Technical composite role name: SAP_BW_SUPPDESK_DISPLAY_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 293
Single Roles Help Text ID
SAP_BW_SPR_REPORTING AUTH_SAP_BW_SPR_REPORT
SAP_BI_E2E_SD AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Key User (Help Text ID: USER_TP_IM_CREATE)
Technical composite role name: SAP_SUPPDESK_CREATE_COMP in the Solution Manager system/client
Table 294
Single Roles Help Text ID
SAP_SUPPDESK_CREATE AUTH_SAP_SUPPDESK_CREATE
SAP_SMWORK_BASIC_INCIDENT AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_SOLMANPRO_CREA AUTH_SAP_SM_CRM_UIU_CREA
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANREQU AUTH_SAP_SM_CRM_UIU_SOLMAN
Note: If you want the key user to display the created message, you need to add the display user authorizations as well.
Display User (Help Text ID: TP_IM_DIS)
Technical composite role name: SAP_SUPPDESK_DISPLAY_COMP in the Solution Manager system/client
Table 295
Single Roles Help Text ID
SAP_SUPPDESK_DISPLAY AUTH_SAP_SUPPDESK_DISPLAY
SAP_SMWORK_BASIC_INCIDENT AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_BI_BILO AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR AUTH_SAP_SM_BI_EXTRACTOR
Technical composite role name: SAP_BW_SUPPDESK_DISPLAY_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 296
Single Roles Help Text ID
SAP_BI_E2E_SD AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
SAP_BW_SPR_REPORTING AUTH_SAP_BW_SPR_REPORT
Dispatcher User (Help Text ID: TP_IM_DIS)
Technical composite role name: SAP_SUPPDESK_DISPATCHER_COMP in the Solution Manager system/client
Table 297
Single Roles Help Text ID
SAP_SUPPDESK_DISPATCH Authorization to dispatch and process messages
SAP_SMWORK_BASIC_INCIDENT AUTH_SAP_SMWORK_BASIC_INC
SAP_SMWORK_INCIDENT_MAN AUTH_SAP_SMWORK_INCIDENT_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAME
SAP_SM_CRM_UIU_SOLMANDSPTCH AUTH_SAP_SM_CRM_UIU_SOLMAN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
26.5.2 Authorization Objects
The following section gives information on some of the main authorization objects for Incident Management. For detailed information, see the SDN Wiki on Authorizations.
ITSM Reporting Links in CRM WebUI
To allow a user to see and use the ITSM Reporting and ITSM Dashboard links in the CRM WebUI, the following authorization objects must be maintained:
● Solution Manager UI authorization (contained in role SAP_SUPPDESK_*): authorization object SM_WD_COMP with value ITSM_REPORTING
● CRM WebUI authorization (contained in role SAP_SM_UIU_COMP_SOLMANPRO_*): authorization object C_LL_TGT with value C (Launch Transaction) and the links for:
○ ITSM_REPORTING
○ SM_ITSM_REPORTING_DASHBOARD
○ SM_ITSM_REPORTING_FRAMEWORK
Authorization Object Matrix
Table 298
Authorization Object Creator Processor Dispatcher Display User
B_BUPA_ATT X X
B_BUPA_FDG X X
B_BUPA_GRP X X X
B_BUPA_RLT X X X X
B_BUPR_BZT X X X X
B_BUPR_FDG X X
B_NOTIF_BC X X X X
B_USERST_T X X X X
B_USERSTAT X X X X (may require additional customizing)
COM_ASET X X X X
COM_IT X X X X
COM_PRD X X X X
S_PROJECT X X X
S_RFC X X X X
S_DATASET X X X X
S_GUI X X X X
S_APPL_LOG X X X X
S_OC_SEND X
CRM_ACT X X X X
CRM_AUTHSC X X X X
CRM_CATEGO X X X
CRM_IM_ML X X X
CRM_INCDNT X X X X
CRM_KNOART X X X X
CRM_ORD_OP X X X X
CRM_ORD_PR X X X X
CRM_PROBLM X X X X
CRM_SEO X X X X
CRM_TXT_ID X X X X (if you use the solution database for transferring solutions into it, you can assign text types; if you use this function, you need to maintain authorization object CRM_TXT_ID in the corresponding roles)
D_MD_DATA X X X
D_SOL_VSBL X X X X (authorization object D_SOL_VSBL with value 78 is only required for the integration of solutions in Incident Management; this value is not active in the solution infrastructure roles SAP_SM_SOLUTION_*)
SM_SDK_ACT X X X
SM_SDK_IBA X X X X
SM_TIMEREP X X
Support Team Search: PLOG
To allow the support team search based on a PFAC rule, you must activate authorization object PLOG. The object is contained in roles SAP_SUPPDESK_*.
Note: To be able to use this function, you need to have maintained an organizational model.
26.6 Scenario Integration
The Service Desk refers to all phases in your product life-cycle.
Various Scenarios
According to the end-to-end business process life-cycle, this function needs to integrate with many other scenarios that come into play in your daily business, such as implementation, upgrade, monitoring, and so on. Within these scenarios, users can create messages for the Service Desk. The integration of the Service Desk is described in the various scenario-specific guides for the individual scenarios. For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Change Request Management
Apart from the function of creating a service desk message within different scenarios, a service desk message can also lead to a change request. If you are using this integration, you also need to assign the role for the user Requester, SAP_CM_REQUESTER_COMP, to your user. For more information about the Change Request Management scenario, see the scenario-specific guide for this topic.
Figure 116: Charm Integration in the CRM WebClient UI
26.7 External Integration
26.7.1 External Service Desk
Configuration
Figure 117: Transaction SPRO
Roles
Service Desk Interface
Table 299
Name | Type | Remarks
SAP_SUPPDESK_INTERFACE | ABAP | Authorization for bi-directional interface and configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN
External Service Desk integration user | System User | User for data exchange; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE
26.8 Additional Security Measures
Consider the following actions as additional measures for preventing security breaches and reacting to corresponding events:
Activate Logging of Major Configuration Tables
The activation of table logs for configuration tables allows you to determine at which time a user has changed specific values that are important for the configuration settings of your application.
Recommendation: We highly recommend logging at least the major configuration tables.
For the following tables the flag Log Data Changes is set by SAP as of SP12:
● AGS_WORK_CUSTOM (AGS: Work Centers Customizing)
● In case of external interface: ICT_CUSTOM (SM SD Interface: System Configuration)
We recommend that you activate logging for the following table:
● DNOC_USERCFG (Service Desk Customizing)
Steps to Activate Table Logging
1. Set Log Data Changes for the required tables using transaction SE13.
2. Set the value of the profile parameter rec/client.
How-to Information
For detailed information on logging, how to activate logging of tables, and its system requirements, see the following on the Service Marketplace: help.sap.com/saphelp_nw74/helpdata/en/4d/b6d15036311dcee10000000a42189c/frameset.htm .
See also SAP Note 1916.
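Both steps above can be audited from exported data: a change is only recorded when rec/client covers the client and the table carries the Log Data Changes flag. The following script is an added example, not part of the SAP guide; it assumes the flag is read from an export of table DD09L (field PROTOKOLL, 'X' = set), that rec/client is the parameter value as shown in RZ11, and that the sample exports below are constructed.

```python
"""Audit the configuration-table logging settings described above.

Added example, not part of the SAP guide. Assumptions (not from the
guide): the 'Log Data Changes' flag comes from an export of table DD09L,
where field PROTOKOLL = 'X' means the flag is set; rec/client is the
profile parameter value as displayed in RZ11; all sample data below is
constructed for this example.
"""
from typing import FrozenSet, Iterable, List, Mapping, Tuple

# Tables named in the guide: the first two are logged by SAP as of SP12,
# DNOC_USERCFG must be activated by the customer.
REQUIRED_LOGGED_TABLES = ("AGS_WORK_CUSTOM", "ICT_CUSTOM", "DNOC_USERCFG")


def parse_rec_client(value: str) -> Tuple[bool, FrozenSet[str]]:
    """Interpret rec/client.

    The parameter accepts OFF (no logging), ALL (log in every client), or a
    comma-separated list of three-digit client numbers such as '100,200'.
    Returns (all_clients, explicit_clients).
    """
    text = value.strip().upper()
    if text in ("", "OFF"):
        return False, frozenset()
    if text == "ALL":
        return True, frozenset()
    clients = set()
    for token in text.split(","):
        token = token.strip()
        if not (token.isdigit() and len(token) == 3):
            raise ValueError(f"rec/client contains an invalid client: {token!r}")
        clients.add(token)
    return False, frozenset(clients)


def logging_active_for_client(rec_client: str, client: str) -> bool:
    """True if rec/client enables table logging in the given client."""
    all_clients, explicit = parse_rec_client(rec_client)
    return all_clients or client in explicit


def audit_table_logging(rec_client: str,
                        productive_clients: Iterable[str],
                        dd09l_rows: Iterable[Mapping[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means compliant.

    Both conditions must hold for a change to be recorded: rec/client must
    cover the client, and the table's technical settings must carry the
    'Log Data Changes' flag (set in transaction SE13).
    """
    findings = []
    for client in productive_clients:
        if not logging_active_for_client(rec_client, client):
            findings.append(
                f"rec/client={rec_client!r}: table logging disabled in client {client}")
    flag_by_table = {row["TABNAME"]: row.get("PROTOKOLL", "") for row in dd09l_rows}
    for table in REQUIRED_LOGGED_TABLES:
        if table not in flag_by_table:
            findings.append(f"{table}: not present in technical settings export")
        elif flag_by_table[table].strip() != "X":
            findings.append(f"{table}: 'Log Data Changes' flag not set (SE13)")
    return findings


# Constructed sample exports: a weak configuration and the corrected one.
WEAK_EXPORT = [
    {"TABNAME": "AGS_WORK_CUSTOM", "PROTOKOLL": "X"},
    {"TABNAME": "ICT_CUSTOM", "PROTOKOLL": "X"},
    {"TABNAME": "DNOC_USERCFG", "PROTOKOLL": " "},   # recommended table not logged
]
HARDENED_EXPORT = [dict(row, PROTOKOLL="X") for row in WEAK_EXPORT]

if __name__ == "__main__":
    for label, rec_client, rows in (("weak", "OFF", WEAK_EXPORT),
                                    ("hardened", "100,200", HARDENED_EXPORT)):
        findings = audit_table_logging(rec_client, ["100", "200"], rows)
        print(f"{label}: {'compliant' if not findings else 'findings'}")
        for finding in findings:
            print("  -", finding)
```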
Virus Scanning for Attachments
Recommendation: We recommend using the ABAP Virus Scanning Interface (VSI) for virus scans of attachments.
In Incident Management the following default VSI profiles are used:
● /SCET/GUI_UPLOAD
● /SIHTTP/HTTP_UPLOAD
In addition, attachments are scanned using the standard Knowledge Warehouse profile /SCMS/KPRO_CREATE, specifically for incidents that are created via an external interface.
27 Scenario-Specific Guide: Job Management
The business process life-cycle stretches over all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. These phases are realized in the SAP Solution Manager system using units such as projects (for implementation and optimization) and solutions (for productive operations). This guide gives you an overview of all relevant security-related issues for the scenario Job Management.
27.1 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 300
Support Package Stacks (Version) Description
SP05 End-User Roles
The following end-user roles were changed. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_SM_SCHEDULER_ADMIN
● SAP_SM_SCHEDULER_EXE
Authorization Objects
Added value CRMC in authorization object S_TABU_DIS in role SAP_SM_SCHEDULER_ADMIN.
SP10 New Concept for End-User Roles
● The authorizations and user/roles concept has been adapted to better represent business requirements. For more information, see the section on end-user roles in this guide (old and new).
● Users can now be created in transaction SOLMAN_SETUP with the corresponding single roles.
● The old concept can be kept next to the new concept.
● New authorization objects substitute old ones in the new concept completely.
User Role Adaptations
● SAP_SMWORK_JOB_MAN due to User Interface adaptations
● SAP_SMWORK_BASIC_JSCHED
SP11 End-User Composite Roles
The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted accordingly. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_JOBMAN_TOP_COMP
● SAP_JOBMAN_ALL_COMP
SP12 End-User Composite Roles
The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted accordingly. For detailed information, see the description tab of the role in transaction PFCG.
● SAP_JOBMAN_CONFIG_COMP: assigned role SAP_SM_JMON_CONF (Job Monitoring configuration)
● SAP_JOBMAN_BPO_COMP: assigned role SAP_SM_JMON_LEVEL01 (Job Monitoring Level 1)
● SAP_JOBMAN_AM_COMP: assigned role SAP_SM_JMON_LEVEL02 (Job Monitoring Level 2)
● SAP_JOBMAN_ALL_COMP: assigned role SAP_SM_JMON_LEVEL02 (Job Monitoring Level 2)
SP13 End-User Roles
The following end-user roles were changed and template users in transaction SOLMAN_SETUP adapted accordingly. For detailed information, see the description tab of the role in transaction PFCG. Role SAP_SM_SCHEDULER_BPO: "old" authorization object SM_JOBDEF set inactive for assignment of the role to Business Process Operation Administration, in case the user creates a job documentation.
27.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, which covers all relevant information for that scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information during the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).
● Solution Maintenance: find out how to maintain solutions in the work center SAP Solution Manager Administration.
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
● External Integration: for many scenarios, you can also integrate third-party products or other SAP products. Here, you can find out which authorizations you need to assign to your users for these cases.
27.3 Prerequisites
27.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete Job Management scenario. SAP Solution Manager is connected via the READ RFC to your managed systems. IGS is connected via a specified RFC connection. Optionally, you can attach a third-party product such as SAP CPS to SAP Solution Manager via specified connections. The following sections describe in more detail all connections, when they are used, and which technical users are required.
Figure 118: Infrastructure
27.3.2 Scenario Configuration User
Note: For conceptual information on:
● configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
● the BW integration concept, see Core Guide chapter on BW Integration.
The scenario is configured using transaction SOLMAN_SETUP.
To configure the scenario, proceed as follows:
Creating the Configuration User in Basic Configuration (Transaction SOLMAN_SETUP)
After you have run the basic automated configuration for SAP Solution Manager, you can run the basic function for sending a service desk message to SAP. For more information, see the Landscape Setup Guide.
During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_JMON_<XXXClient>) for Job Management (Help Text ID: USER_CONFIG_JMON). The system automatically adds all relevant user roles. Authorizations in these roles are fully maintained by the automated configuration.
If you want to create the configuration user manually, you need to assign:
● the composite role SAP_JOBMAN_CONF_COMP which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
● the composite role SAP_BW_JOBMAN_ADMIN_COMP, which contains all single roles that are automatically assigned to the configuration user in the BW system.
Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration Transaction SOLMAN_SETUP
You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Incident Management for ITSAM Service Management.
During the specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles; see the corresponding sections on Users and User Roles.
27.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 301
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
SAP CPS | RFC | See SAP Note 1037903
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 302
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | Necessary for all functions in implementation and upgrade
Internet Graphics Server (IGS) RFC Connection
Table 303
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | Manually in transaction SM59
27.3.4 Technical User
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the Job Management scenario.
Users for ADS
Table 304
User (Password) | Type | Remarks
ADSUSER (customer-specific) | Service User | Technical user for basic authentication ADS
ADS_AGENT (customer-specific) | Service User | Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles:
● SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS))
● SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems)
User for READ Access in Managed Systems
Users for RFC connection READ
Table 305
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Users for SAP CPS
Table 306
User | User Type | Remarks
CPS user (for instance CPSCOMM) | Communication User | Technical user for communication between SAP CPS and SAP Solution Manager, assigned roles SAP_SM_REDWOOD_COMMUNICATION and SAP_BC_REDWOOD_COMM_EXT_SDL; for more detail see IMG activity Create technical user (technical name of IMG activity: SOLMAN_REDWOOD_COMMU)
27.4 Users and Authorizations
To enable your end users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you are working in a project or a solution, a number of persons with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the corresponding roles.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for Implementation and Upgrade are predefined Composite Roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 119: Job Management Process
27.4.1 User Roles (Old)
This paragraph gives an overview of the users recommended by SAP and their corresponding user role assignments for job scheduling. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user that allows access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. For a user to access the view Administration, the user needs authorization object S_TCODE with value SPRO. This is included in the user role for the administrator. Access in the navigation panel is restricted by using the authorization object SM_WD_COMP. For more information about user interface authorizations, see the core security guide.
Figure 120: Work Center Job Management
The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Administrator (technical user name: JM_ADM_XXX)
Table 307
Single Role Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL AUTH_SAP_BC_REDWOOD
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_SOCM_CHANGE_MANAGER AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SM_SCHEDULER_ADMIN AUTH_SAP_SM_SCHED_ADMIN
SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
Operations User (technical role name: SAP_JOBMAN_EXE_COMP)
The operations user is allowed to:
● access the Job Management work center
● execute all functions for Job Management
● execute BW-related applications
Table 308
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_SCHEDULER_EXE | Execution authorization for job scheduling | Job Requests, Job Documentation, Job Monitoring, Job Recommendation, Task Inbox, Reports
SAP_SM_SOLUTION_ALL | Full authorization for solutions | Infrastructure, used for all views
SAP_SMSY_DIS | Display authorization for system landscape | Infrastructure, used for all views
SAP_BPMJSM_BW_ALL_REPORTING | Full authorization for BW-related applications (Note: the same role is used in scenario Business Process Operations) | BW Reporting
SAP_BI_E2E | BW Reporting, Content activation
SAP_SMWORK_BASIC_JSCHED | Authorization for work center usage | Work Center Access
SAP_SMWORK_JOB_MAN | Access to work center for job scheduling
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for CRM Web Client framework | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client (Note: this role defines the navigation for the CRM Web Client; it contains no authorization objects)
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | Contains specific (administrator-related) additional authorizations for the CRM Web Client; contains the delta for integration to Change Request Management
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client
Display User (technical role name: SAP_JOBMAN_DIS_COMP)
The display user is allowed to:
● access the Job Management work center
● display all functions for Job Management
Table 309
Single Role | Remarks | Mapping to Navigation Panel Views
SAP_SM_SCHEDULER_DIS | Display authorization for job scheduling | Job Requests, Job Documentation, Job Monitoring, Job Recommendation, Task Inbox, Reports
SAP_SM_SOLUTION_DIS | Display authorization for solutions | Infrastructure, used for all views
SAP_SMSY_DIS | Display authorization for system landscape | Infrastructure, used for all views
SAP_SMWORK_BASIC_JSCHED | Authorization for work center usage | Work Center Access
SAP_SMWORK_JOB_MAN | Access to work center for job scheduling
SAP_BPMJSM_BW_DIS_REPORTING | Display authorization for BW-related applications (Note: the same role is used in scenario Business Process Operations) | BW Reporting
SAP_BI_E2E | BW Reporting, Content activation
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for CRM Web Client framework | CRM WebClient UI
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client (Note: this role defines the navigation for the CRM Web Client; it contains no authorization objects)
SAP_SM_CRM_UIU_SOLMANPRO_CHARM | Contains specific (administrator-related) additional authorizations for the CRM Web Client; contains the delta for integration to Change Request Management
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client
Common Task Panel in the Work Center
The common task area contains links for applications that are used. All links require SAP_SM_SCHEDULER_* as well as infrastructure roles SAP_SM_SOLUTION_* and SAP_SMSY_*.
Related Links in the Work Center
In the related links section in the work center, you find all possible links for this work center. Still, the user is not able to run some of the applications, since the corresponding authorizations are not included in the defined user roles but in additional roles, see section Additional Functions. This link collection is a recommendation about which additional applications could run in the corresponding scenarios. If you want the related links section to display only those links that the defined user should be able to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.
Job Analysis in Managed Systems
To execute job analysis in managed systems, you need the corresponding authorizations in the managed system. You can use the roles SAP_SM_SCHEDULER_*, which contain remote system transactions.
Process Scheduler Adapter
Requires authorizations for CPS Scheduler, see section External Integration.
27.4.2 User Roles (New)
This paragraph gives an overview of the users recommended by SAP and their corresponding user role assignments for job scheduling as of SP10. With this Support Package, the user definitions and authorizations have been adapted to the required business needs. This new concept is integrated in transaction SOLMAN_SETUP and the concept of template users. Analogously, composite roles exist that contain a number of single roles. The new concept can be used in parallel to the old concept (see section User Roles (Old)).
Administrator (technical user name: JM_ADM_XXX)
The technical name of the according composite role is SAP_JOBMAN_ALL_COMP.
Table 310
Single Role Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL AUTH_SAP_BC_REDWOOD
Note: Both roles are only needed for managing external schedulers.
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_CM_SMAN_DEVELOPER AUTH_SAP_CM_SMAN_DEVELOPER
SAP_SOCM_CHANGE_MANAGER AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SOCM_DEVELOPER AUTH_SAP_SOCM_DEVELOPER
SAP_SM_SCHEDULER_ADMIN AUTH_SAP_SM_SCHED_ADMIN
SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL02 AUTH_SAP_SM_JMON_LEVEL02
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
In the BW System
The technical name of the according composite role is SAP_SM_BW_JSCHED_ADMIN_COMP.
Table 311
Single Role Help Text ID
SAP_BI_E2E_JSM AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN AUTH_SAP_SM_BI_ADMIN
Technical Operator (technical user name: JM_TOP_XXX)
The technical name of the according composite role is SAP_JOBMAN_TOP_COMP.
Table 312
Single Role Help Text ID
SAP_BC_BATCH_ADMIN_REDWOOD AUTH_SAP_BC_REDWOOD
SAP_BC_REDWOOD_COMM_EXT_SDL AUTH_SAP_BC_REDWOOD
Note: Both roles are only needed for managing external schedulers.
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_DEVELOPER AUTH_SAP_CM_SMAN_DEVELOPER
SAP_SOCM_DEVELOPER AUTH_SAP_SOCM_DEVELOPER
SAP_SM_SCHEDULER_TOP AUTH_SAP_SM_SCHED_TOP
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REPOSITORY_ALL
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
In the BW System
The technical name of the according composite role is SAP_SM_BW_JSCHED_DIS_COMP.
Table 313
Single Role Help Text ID
SAP_BI_E2E_JSM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Business Process Operation (technical user name: JM_BPO_XXX)
In the Solution Manager
The technical name of the according composite role is SAP_JOBMAN_BPO_COMP.
Table 314
Single Role Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_CM_SMAN_CHANGE_MANAGER AUTH_SAP_CM_SMAN_CHANGE_MANAGER
SAP_SOCM_CHANGE_MANAGER AUTH_SAP_SOCM_CHANGE_MANAGER
SAP_SM_SCHEDULER_BPO AUTH_SAP_SM_SCHED_BPO
SAP_SM_SOLUTION_ALL AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL01 AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SOLAR01_DIS AUTH_SAP_SOLAR01_DIS
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
In the BW System
The technical name of the according composite role is SAP_SM_BW_JSCHED_DIS_COMP.
Table 315
Single Role Help Text ID
SAP_BI_E2E_JSM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Application Manager (technical user name: JM_AM_XXX)
In the Solution Manager
The technical name of the corresponding composite role is SAP_JOBMAN_AM_COMP.
Table 316
Single Role Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_AM AUTH_SAP_SM_SCHED_AM
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REPOSIORY_ALL
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_JMON_LEVEL02 AUTH_SAP_SM_JMON_LEVEL02
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_DISPLAY AUTH_SAP_SUPPDESK_DISPLAY
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
In the BW System
The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.
Table 317
Single Role Help Text ID
SAP_BI_E2E_JSM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
Level 2 User (technical user name: JM_L2_XXX)
The technical name of the corresponding composite role is SAP_JOBMAN_L2_COMP.
Table 318
Single Role Help Text ID
SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_L2 AUTH_SAP_SM_SCHED_L2
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REPOSIORY_DIS
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
Level 1 User (technical user name: JM_L1_XXX)
The technical name of the corresponding composite role is SAP_JOBMAN_L1_COMP.
Table 319
Single Role Help Text ID
SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_L1 AUTH_SAP_SM_SCHED_L1
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REPOSIORY_DIS
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN AUTH_SAP_SM_CRM_UIU_ADMIN
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SM_RFC_DISP AUTH_SAP_SM_RFC_DISP
SAP_SUPPDESK_PROCESS AUTH_SAP_SUPPDESK_PROCESS
SAP_TASK_INBOX_ALL AUTH_SAP_TASK_INBOX_ALL
Display User (technical user name: JM_DIS_XXX)
In the Solution Manager
The technical name of the corresponding composite role is SAP_JOBMAN_DIS_COMP.
Table 320
Single Role Help Text ID
SAP_BPMJSM_BW_ALL_REPORTING AUTH_SAP_BPMJSM_REPORT
SAP_SOCM_REQUESTER AUTH_SAP_SOCM_REQUESTER
SAP_SM_SCHEDULER_DIS AUTH_SAP_SM_SCHED_DIS
SAP_SM_SOLUTION_DIS AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_JSCHED AUTH_SAP_SMWORK_BASIC_JSCHED
SAP_SMWORK_JOB_MAN AUTH_SAP_SMWORK_JOB_MAN
SAP_SM_CRM_UIU_FRAMEWORK AUTH_SAP_SM_CRM_UIU_FRAMEWORK
SAP_SM_CRM_UIU_SOLMANPRO AUTH_SAP_SM_CRM_UIU_SOLMANPRO
SAP_SM_CRM_UIU_SOLMANPRO_PROC AUTH_SAP_SM_CRM_UIU_PROC
SAP_SM_CRM_UIU_SOLMANPRO_CHARM AUTH_SAP_SM_CRM_UIU_CHARM
SAP_SUPPDESK_DISPLAY AUTH_SAP_SUPPDESK_DISPLAY
SAP_TASK_INBOX_DIS AUTH_SAP_TASK_INBOX_DIS
In the BW System
The technical name of the corresponding composite role is SAP_SM_BW_JSCHED_DIS_COMP.
Table 321
Single Role Help Text ID
SAP_BI_E2E_JSM AUTH_SAP_BI_E2E
SAP_SM_BI_DISP AUTH_SAP_SM_BI_DISP
27.5 Solution Maintenance via Work Center
As of SAP Solution Manager Release 7.1 SP01, transactions GSAP (SAP Global Service Access Point), SOLUTION_MANAGER and SOLUTION_MANAGER_BSP (alternatively DSWP, DSWP_MOVE, DSMOP) are obsolete. All references to these transactions have been deleted from the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting, and Solution Directory. Solutions can be created in the Solution Manager Administration work center.
27.6 Scenario Integration
The following sections describe the integration of job scheduling management with other scenarios within SAP Solution Manager, and which user roles apply in each case.
Incident Management
You can integrate Incident Management with Job Scheduling by configuring the Integration with Service Desk scenario using the IMG for Job Scheduling (transaction SPRO). To use its capabilities, see the scenario-specific guide for Service Desk.
Figure 121: Integration Incident Management/Change Request Management
Note: If you are a service provider, you need to assign the corresponding service provider roles. For more information, see the Service Provider Guide.
Change Request Management
You can integrate Change Request Management with Job Scheduling by configuring the Integration with Change Request Management scenario using the IMG for Job Scheduling (transaction SPRO). To use its capabilities, see the scenario-specific guide for Change Request Management.
Business Process Operations
You can integrate Business Process Operations with Job Scheduling.
Figure 122: Integration with Business Process Operations
Business Blueprint and Configuration
You can integrate Business Blueprint and Configuration and Job Scheduling.
Figure 123: Integration with Business Blueprint and Configuration
IT Task Inbox
You can integrate the IT Task Inbox with Job Scheduling.
27.7 External Integration
27.7.1 SAP CPS
You can integrate external products with SAP Solution Manager. The term External Product refers to either third-party products or SAP products that complement a function within SAP Solution Manager. When using SAP CPS, you assign your end users the user roles described in the previous section User Descriptions and User Roles. The technical user needs the roles described in the table below.
Roles for Technical User CPSCOMM
Table 322
Name | Type | Remarks
SAP_SM_REDWOOD_COMMUNICATION | ABAP | General authorization for the technical communication user (for instance CPSCOMM) between Solution Manager and SAP Central Process Scheduler; applied to the technical user in the SAP Solution Manager system
SAP_BC_REDWOOD_COMM_EXT_SDL | ABAP | Authorization for the technical user between SAP Solution Manager and SAP Central Process Scheduler for configuration of parameter SAP_EnableRfcServer on the process server; applied to the technical communication user in the Solution Manager system
SAP_BC_REDWOOD_COMMUNICATION | ABAP | Authorization for the technical user between the managed (target) system and SAP Central Process Scheduler
28 Scenario-Specific Guide: SAP Engagement and Service Delivery
The business process life cycle spans all phases of a product's life cycle: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. SAP supports these phases through SAP Solution Manager as the delivery platform. This guide gives you an overview of all relevant security-related issues for the scenario SAP Engagement and Service Delivery.
28.1 Document History
All changes to this scenario-specific guide are listed here by Support Package.
Table 323
Support Package Stacks (Version) / Description

SP05
Premium Engagement
● New composite role SAP_PREMIUM_ENGAGEMENT_COMP, see section on User for Service Delivery (Premium Engagement)
CRM-based Authorizations
CRM-based authorization checks (function module CRM_ORD_CHECK_AUTHORITY_ACE) added to Issue Management, for instance CRM_ORD_OP. All Issue Management roles are adapted accordingly, see the role description tab.

SP08
End-User Roles
The following roles have been adapted according to authorization objects and/or authorization field values. For more information, see the description tab of the specified roles.
● Security Optimization Roles. See the corresponding SAP Note 69647.
● Corrected role list for composite role SAP_ISSUE_MANAGEMENT_EXE_COMP. Role SAP_ISSUE_MANAGEMENT_ALL is substituted by SAP_ISSUE_MANAGEMENT_EXE.
New user SAPSERVICE
This user is newly introduced for SAP Service Delivery. The user can be created automatically for the SAP Solution Manager and the managed systems using transaction SOLMAN_SETUP (view Basic Settings). For more information, see section User SAPSERVICE in the Landscape Setup Guide.

SP10
New user ES_REP_<SID>
This user is newly introduced for Enterprise Service Reporting. The user can be created automatically for the SAP Solution Manager and the BW system using transaction SOLMAN_SETUP (view Basic Settings). For more information, see the new section on Enterprise Service Reporting User.
Support Performance Platform (SPP)
For more information, see the new section on Support Performance Platform (SPP).
● SAP_SM_SPP_ALL (full authorization)
● SAP_SM_SPP_DIS (display authorization)
Scenario Integration
● Added integration role information for Incident creation: SAP_SUPPDESK_CREATE. For more information, see section on Scenario Integration.
End-User Roles Changes
The following roles have been adapted according to authorization objects and/or authorization field values. For more information, see the description tab of the specified roles.
● SAP_SERVICE_REQUEST_ALL
● Added role SAP_SM_RFC_ADMIN to composite role SAP_SERVICE_EXE_ALL_COMP. For more information on role SAP_SM_RFC_ADMIN, see section on Infrastructure Roles.
● SAP_SMWORK_SERVICE_DEV (due to User Interface changes)

SP12
SAP Note
● SAP Note 1405975: Transaction Code /SDF/ORADLD can be used for high security issues, in case your security guidelines do not allow access to transactions SE80 or SA80 in your system.
28.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC - destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles that represent them. Here, you also find information on the relevant work center(s).
● Security Optimization Services: find out about authorizations for these services.
● Service Delivery User: find out about the service delivery user (Premium Engagement).
● Scenario Integration: following the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
28.3 Prerequisites
28.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete scenario. The SAP Solution Manager is connected to your managed systems via the READ RFC destination, and your managed systems are connected to the SAP Solution Manager via the BACK RFC destination. The following sections describe in more detail all connections, when they are used, and which technical users they require.
Figure 124: Infrastructure
28.3.2 Configuration
Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like creating and sending an EarlyWatch Alert report.
Scenario Configuration transaction SPRO
To run the complete SAP Engagement and Service Delivery scenario, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.
Figure 125: Configuration SAP Engagement and Service Delivery
Configuration Roles
There are no specific configuration roles for transaction SPRO. Nevertheless, you can create your own configuration roles. For more information, see the corresponding How-to Guide.
28.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 324
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems and back | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned here are created automatically via transaction SOLMAN_SETUP (view: managed systems), see the Landscape Setup Guide.
Table 325
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | Customer-specific | Customer-specific | In case of not using trusted RFC
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To retrieve data from the managed systems for service sessions; collect information on product licence and maintenance certificates
RFC Connection from Managed System to SAP Solution Manager
Table 326
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | System-specific | System-specific | SMB_<managed system ID> | Send service data from managed systems to SAP Solution Manager | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
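The READ, BACK and LOGIN conventions in Tables 325 and 326 (name encodes the target system, READ logs on as SM_<Solution Manager SID>, BACK logs on as SMB_<managed system ID>, LOGIN stores a user only without trusted RFC) can be checked mechanically against an exported destination inventory. The following Python script is an added example, not SAP code; the inventory format (name;defined_in;target_sid;client;user), the Solution Manager SID SMP and all sample rows are constructed assumptions.

```python
"""Audit an RFC destination inventory against the naming and logon-user
conventions of Tables 325 and 326 (SM_<SID>CLNT<Client>_READ, _BACK, _LOGIN).

Added example, not SAP code. The inventory format, the system IDs and the
sample rows below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SOLMAN_SID = "SMP"  # assumption: SID of the Solution Manager system

# Naming scheme from Tables 325/326: the SID and client encoded in the
# destination name are those of the target system.
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|BACK|LOGIN)$"
)


@dataclass(frozen=True)
class Destination:
    name: str
    defined_in: str   # SID of the system that holds the destination
    target_sid: str
    client: str
    user: str         # stored logon user; empty if none (e.g. trusted RFC)


def parse_inventory(text: str) -> list[Destination]:
    """Parse 'name;defined_in;target_sid;client;user' lines (constructed format)."""
    dests = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"malformed inventory line: {line!r}")
        dests.append(Destination(*fields))
    return dests


def audit_destination(d: Destination, solman_sid: str = SOLMAN_SID) -> list[str]:
    """Return one finding per deviation from the documented conventions."""
    where = f"{d.defined_in}:{d.name}"
    m = DEST_RE.match(d.name)
    if not m:
        return [f"{where}: name does not follow SM_<SID>CLNT<Client>_READ|BACK|LOGIN"]
    sid, client, kind = m.group("sid", "client", "kind")
    findings = []
    if (sid, client) != (d.target_sid, d.client):
        findings.append(
            f"{where}: name encodes {sid}/{client} but destination targets "
            f"{d.target_sid}/{d.client}"
        )
    if kind == "READ":
        # Table 325: held by Solution Manager, default user SM_<SolMan SID>
        if d.defined_in != solman_sid:
            findings.append(f"{where}: READ destination expected in Solution Manager")
        expected = f"SM_{solman_sid}"
        if d.user != expected:
            findings.append(f"{where}: READ user is {d.user!r}, default is {expected}")
    elif kind == "BACK":
        # Table 326: held by the managed system, targets Solution Manager,
        # user SMB_<managed system ID>, i.e. one back user per managed system
        if d.target_sid != solman_sid:
            findings.append(f"{where}: BACK destination must target {solman_sid}")
        expected = f"SMB_{d.defined_in}"
        if d.user != expected:
            findings.append(f"{where}: BACK user is {d.user!r}, expected {expected}")
    else:  # LOGIN
        # Table 325: a stored logon user only when trusted RFC is not used
        if d.user:
            findings.append(f"{where}: LOGIN stores user {d.user!r} (trusted RFC not in use)")
    return findings


def audit_inventory(text: str, solman_sid: str = SOLMAN_SID) -> list[str]:
    """Audit every destination in the inventory and collect all findings."""
    findings = []
    for d in parse_inventory(text):
        findings.extend(audit_destination(d, solman_sid))
    return findings


# Constructed sample inventory; one line per destination.
SAMPLE_INVENTORY = """\
# name;defined_in;target_sid;client;user
SM_ERPCLNT100_READ;SMP;ERP;100;SM_SMP
SM_ERPCLNT100_LOGIN;SMP;ERP;100;
SM_CRMCLNT200_READ;SMP;CRM;200;BASISADM
SM_CRMCLNT200_LOGIN;SMP;CRM;200;ADMIN01
SM_SMPCLNT001_BACK;ERP;SMP;001;SMB_ERP
SM_SMPCLNT001_BACK;CRM;SMP;001;SMB_ERP
SM_HR1CLNT300_READ;SMP;HR2;300;SM_SMP
"""

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

On the sample data the script reports four findings: a READ destination with a non-default user, a LOGIN destination with stored credentials, a back user shared by two managed systems, and a destination whose name does not match its target.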
Internet Graphics Server (IGS) RFC Connection
Table 327
RFC Destination Name | Activation Type | How Created
ITS_RFC_DEST | Registered Server Program (program: IGS.<SID>) | Manually in transaction SM59
RFC Connections from SAP Solution Manager to SAP
Table 328
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
SAPOSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction OSS1
SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (customer-specific) | Exchange problem messages with SAP (function: Service Desk); synchronize system data with the Support Portal and send data about managed systems; transfer of solution and issue data; transfer feedback to SAP Service Connection; product data download | Automatically created via transaction SOLMAN_SETUP (view: managed systems)
SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (customer-specific) | Retrieve information about which messages have been changed at SAP | Created in transaction SM59
SDCC_OSS (ABAP connection) | See SAP Note 763561 | | | User SDCC_NEW with default password: download | Used by the Service Data Control Center to communicate with the SAP Support Portal front-end system; update Service Definitions (functions: System Monitoring for EWA and Service Plan) | A copy of the SAPOSS connection to SDCC_OSS. Note: If SDCCN is used locally, that is, Solution Manager is not the master system, SDCC_OSS is created automatically in the managed system
SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | | Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan) | A copy of the SAPOSS connection to SAPNET_RFC
SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL) | Created automatically by RTCCTOOL, copy of SAPOSS
CCMSPing RFC Connection
Table 329
RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks
CCMSPING.<server><SystemNr.> | Registered Server Program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING | User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Configuration Prerequisites for setting up a central monitoring system CEN (technical name: SOLMAN_INPERF_CCMS)
28.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the SAP engagement and service delivery scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 330
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide
Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
User for Back-Destination in SAP Solution Manager System
User for Back-destination
Table 331
User (Password) | Type | Remarks
SMB_<managed system ID> (system-specific) | System User | Technical user "Back User"; assigned role <namespace>_SOLMAN_BACK. It is automatically created during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide
Caution: During automatic basic configuration, the system automatically generates a password for this user. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.
Adobe Document Server (ADS)
ADS User
Table 332
User (Password) | Type | Remarks
ADSUSER | Service User | Technical user for basic authentication in ADS
ADS_AGENT | Service User | Technical user for communication between the ABAP stack and the J2EE stack on which the ADS runs; assigned roles: SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS)); SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems)
28.3.5 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)
Users who communicate with the SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact in SAP Solution Manager. You maintain the contact in table AISUSER (transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without the initial S.
Caution: The S-user for the SAP Support Portal must be requested via service.sap.com; see section S-User Authorizations.
More Information
see IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)
28.3.6 S-User Authorization for Service Desk and Expert on Demand
Your S-user needs the following authorizations for SAP Support Portal functions.
S-User Authorization
Table 333
Activity | Authorization
Create message | ANLEG: Create SAP message
Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message
Confirm messages | QUITT: Confirm SAP message
Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area
28.3.7 S-User Authorization for Data Download from SAP
Your S-user needs the following authorizations for the SAP Support Portal functions.
S-user Authorization Download Data from SAP
Table 334
Activity Authorization
Administration ADMIN
Maintain all logon data PWCHGE
Maintain user data USER
Maintain system data INSTPROD
Request license key LICKEY
28.3.8 Business Partners Created During Configuration
When you configure the SAP Solution Manager using the automatic basic settings configuration, additional business partners are created.
For SAP Engagement and Service Delivery
The business partners are created as follows:
Table 335
First Name | Last Name | Remarks
SAP | Technical Quality Manager | Automatically assigned ID TQM or SAPTQM
SAP | Support Advisor | Automatically assigned ID SAPSUPAD
SAP | Engagement Architect | Automatically assigned ID SAPENAR
SAP | Back Office | Automatically assigned ID SAPBACKO
SAP | Consulting | Automatically assigned ID SAPCON
Customer | Program Management | Automatically assigned ID CUSTPM
Customer | Business Process Operations | Automatically assigned ID CUSTBPM
Customer | Custom Development | Automatically assigned ID CUSTCD
Customer | Technical Operations | Automatically assigned ID CUSTTO
Customer | Partner | Automatically assigned ID CUSTPAR
Note: An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT as soon as this user is created during the automatic basic settings configuration (see section User SAPSUPPORT).
For SOLMAN_SETUP Template Users and Configuration Users
Users created using transaction SOLMAN_SETUP are assigned a corresponding business partner if the scenario requires it. The system displays the relevant Business Partner number in the log when you create the user.
More Information
For information on how to configure the basic settings, see the Configuration Guide SAP Solution Manager in the Service Marketplace: service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
28.4 CRM Standard Customizing for Solution Manager
The Service Request and Issue Management use cases are based on CRM and use CRM customizing such as transaction types, action profiles, and so on. SAP delivers standard CRM customizing, which is also maintained in the individual CRM authorization objects. The following table gives you an overview of the transaction types used.
Caution: If you copy SAP standard customizing, you need to add the changed values to the corresponding CRM authorization objects for the scenario. See also the How-to Guide on how to maintain authorization objects.
Transaction Types Issue Management
Table 336
Transaction Type | Usage | Remarks
SLFI | Issues | supported
SLFT | Top Issues | supported
SLFE | Expert on Demand | supported
TASK | Actions | supported
Transaction Type Service Request
Table 337
Transaction Type | Usage | Remarks
SLFS | Service Request | supported
28.5 Recommended Users and Authorizations
To enable your users to work with the application, you need to assign them authorizations in the Solution Manager system. This is described in section User Description and User Roles to Use the Work Center.
When you are working in a project to implement new business processes, change existing ones, operate your systems, and so on, you may need SAP support. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members of your company execute, and then adjust the corresponding roles. These roles are described in section User Description and User Roles for the Service Delivery User.
Caution: The roles delivered by SAP can only be regarded as models to be adjusted to your company's needs.
Roles for SAP Engagement and Service Delivery are predefined Composite Roles (technical abbreviation: *_COMP) for users. These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 126: Service Delivery Process
28.5.1 User Descriptions and User Roles to Use the Work Center
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for SAP Engagement and Service Delivery. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user that allows access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted using the authorization object SM_WC_VIEW. For more information on user interface authorizations, see the core security guide.
Figure 127: SAP Engagement and Service Delivery Work Center
The table below shows which single roles are included in the composite role. An additional column indicates for which section of the navigation panel the single role is absolutely necessary. As the Overview in a work center always contains links to all relevant sections in the navigation panel, it is not listed.
Manager/Administrator (technical role name: SAP_SERV_DELIVERY_COMP)
The manager/administrator is allowed to:
● access SAP Engagement and Service Delivery work center
● maintain solutions and update solution data at SAP
● create and process issues/top issues
● create and process service requests
● execute solution reporting, EarlyWatch Alert Reporting, Service Level Reporting
● set up and execute sessions for services
● update content for Services
● get the current service plan from SAP
Table 338
Single Role | Remarks | Mapping to Navigation Panel of Work Center
SAP_ISSUE_MANAGEMENT_EXE | Authorization to execute issues | Top Issue; Issues; Tasks; Reporting
SAP_SERVICE_REQUEST_ALL | Authorization to use service requests | Support Requests; Services; Reporting
SAP_SMWORK_BASIC_SERVICES | Authorization for work centers | Work Center Access
SAP_SMWORK_SERVICE_DEV | Access to work center SAP Engagement and Service Delivery |
SAP_SM_SOLUTION_ALL | Full authorization for solutions | Solution; Business Processes; Support Requests; Services; Top Issue; Issues; Tasks; Reporting
SAP_SMSY_DIS | Display authorization for transaction SMSY | Business Processes; Support Requests; Services; Top Issue; Issues; Tasks; Reporting
SAP_SV_SOLUTION_MANAGER | Full authorization to set up EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting | Services; Reporting
SAP_BI_E2E | Access to BW data | Reporting
Display User (technical role name: SAP_SERV_DELIVERY_DIS_COMP)
The display user is allowed to:
● access SAP Engagement and Service Delivery work center
● display solutions
● display issues and top issues
● display service requests
● display sessions for services
Table 339
Single Role Remarks Mapping to Navigation Panel of Work Center
SAP_ISSUE_MANAGEMENT_DIS Authorization to display issues Top Issue
Issues
Tasks
Reporting
SAP_SERVICE_REQUEST_DIS Authorization to display service requests
Support Requests
Services
Reporting
SAP_SMWORK_BASIC_SERVICES Authorization for work centers Work Center Access
SAP_SMWORK_SERVICE_DEV Access to work center SAP Engagement and Service Delivery
SAP_SM_SOLUTION_DIS Display authorization for solutions Solution
Business Processes
Support Requests
Services
Top Issue
Issues
Tasks
Reporting
SAP_SMSY_DIS Display authorization for transaction SMSY
Business Processes
Support Requests
Services
Top Issue
Issues
Tasks
Reporting
SAP_SV_SOLUTION_MANAGER_DISP authorization to display EarlyWatch Alert and Service Level Reporting as well as other services, and reporting
Services
Reporting
SAP_BI_E2E Access to BW - data Reporting
Note
● To be able to maintain solutions in the Solution Directory (transaction SOLMAN_DIRECTORY), you need to assign role SAP_SOLMAN_DIRECTORY_* in addition.
● To display CSA and SLR sessions separately, you can use the following roles in addition to role SAP_SM_SOLUTION_*:
○ SAP_SETUP_DSWP_CSA (setup CSA)
○ SAP_OP_DSWP_CSA (operations session CSA)
○ SAP_SETUP_DSWP_SLR (setup SLR)
○ SAP_OP_DSWP_SLR (operations session SLR)
Common Task Panel in the Work Center
Maintain System Data
To maintain system data, you need role SAP_SMSY_*.
Maintain Solution Data
To maintain solution data, you need roles SAP_SOLMAN_DIRECTORY_* and SAP_SM_SOLUTION_*.
Maintain Project Blueprint and Configuration
To maintain projects, blueprint, and configuration, you may consider adding one of the composite roles used in scenario Implementation and Upgrade; see the scenario-specific guide for Implementation and Upgrade. You need at least the following roles:
● SAP_SOL_PROJ_ADMIN_*
● SAP_SOLAR01_*
● SAP_SOLAR02_*
● SAP_SOL_KW_*
Display Roadmap
To display roadmaps, you need role SAP_RMMAIN_DIS. If you want to see documents in roadmaps, you need to add role SAP_SOL_KW_DIS.
Schedule Content Update
You need role SAP_SM_SOLUTION_ALL.
Define Issue Settings
To define issue settings, you need SAP_SM_SOLUTION_ALL and SAP_ISSUE_MANAGEMENT_ALL.
Related Links in the Work Center
In the related links section in the work center, you find all possible links for this work center. This link collection is a recommendation about which additional applications could run in the according scenarios. If you want to display in the related links section only those links that should be possible for the defined user to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.
Solution Manager Operations
Requires role SAP_SV_SOLUTION_MANAGER.
Issue Management
Requires roles SAP_SM_SOLUTION_ALL and SAP_ISSUE_MANAGEMENT_ALL.
28.5.2 User Description and User Roles for Service Delivery (Premium Engagement)
You can assign a composite role for SAP Support employees. This role contains a number of single roles. You should assign the composite role to the user in your system which you created for SAP Support employees. You can also execute all self-services yourself. Assign composite role SAP_PREMIUM_ENGAGEMENT_COMP.
28.5.3 Enterprise Service Reporting User - ES_REP_<SID>
Using the Enterprise Service Reporting (ESR/PSLE) self-service tool, you can generate service and support reports in the SAP Solution Manager. You can:
● generate ad-hoc reports
● generate scheduled reports
● create report chapter variants
To be able to use Enterprise Reporting, the default user ES_REP_<SID> is delivered with predefined roles. This user needs to be created in the SAP Solution Manager, and also in the BW-client, if the BW-system is remote. You can find the user description in the system using TXT ID (in transaction SE61) TP_ES_REP.
Prerequisites
Technical Users
The Technical User SM_EFWK needs to be assigned role SAP_SM_BI_ESR_EXTRACTOR for data extraction authorization. The user can be updated with this role, using transaction SOLMAN_SETUP in view: Basic Settings.
End-User Creation
To be able to use this user, you need to create it using transaction SOLMAN_SETUP. Go to View: Basic Settings > Specify Users.
Features
The following roles are assigned to the users:
In the SAP Solution Manager Client
Table 340
Roles | Help Text ID
SAP_SM_ESR_REPORTING | AUTH_SAP_SM_ESR_REPORTING
SAP_SMWORK_BASIC_SERVICES | AUTH_SAP_SMWORK_BASIC_SER
SAP_SMWORK_SERVICE_DEV | AUTH_SAP_SMWORK_SERVICE_DEV
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
In the BW Client
Table 341
Roles | Help Text ID
SAP_BI_E2E_ESR | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
Authorization for Trusted RFC between SAP Solution Manager and BW-System
In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted-RFC authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
28.5.4 Supportability Performance Platform
The goal of the Supportability Performance Platform (SPP) is to provide a database for SAP customers that collects and reports standardized and customer-specific KPI information. It allows customers to initiate explicit actions in case of deviations from the target values or in comparison to other companies in the same industry or of the same size. This allows customer IT organizations to understand the lines of business better and collaborate with them. For SAP, SPP and the derived KPI/benchmark overview is a starting point to stabilize the SAP engagement with the customer. By benchmarking customer KPIs against related industries, transparency is created and follow-up activities based on improving specific KPIs can be initiated by the TQMs and ESAs. In the midterm, the information transferred to SAP can support SAP's service portfolio and strategy. Additionally, with the collected benchmark information, SAP can provide business cases for possible improvements that can support the customer IT collaboration with the business. The quality KPIs are aligned with the IT strategy (for instance innovation driver, service, or solution provider) during an ACCOE assessment together with the customer. The KPIs are activated and a baseline measurement is performed. The initial action plan to reach the KPI target is agreed. The KPIs are the responsibility of the quality managers (customer, partner, and SAP).
Features
Assign one of the following roles to your Service and Support User:
● SAP_SM_SPP_ALL (full authorization)
● SAP_SM_SPP_DIS (display authorization)
28.5.5 User Descriptions and User Integration Roles for Issue Management
This section gives an overview of the users recommended by SAP and their corresponding role assignments for SAP Engagement and Service Delivery. All users are assigned a composite role, which contains a number of single roles.
The roles are primarily to be used with integrations, for instance Change Request Management, QGM, and so on. If you only require your users to be able to run Issue Management, you assign these roles in addition to the work center relevant roles.
Manager/Administrator (technical role name: SAP_ISSUE_MANAGEMENT_ALL_COMP)
The manager/administrator is allowed to:
● maintain solutions and update solution data at SAP
● create and process issues/top issues
● set up and execute sessions for services
Table 342
Single Role | Remarks
SAP_ISSUE_MANAGEMENT_ALL | Authorization to execute issues
SAP_SM_SOLUTION_ALL | Full authorization for solutions
SAP_SOL_PROJ_ADMIN_ALL | Full authorization to set up EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting
Operations (technical role name: SAP_ISSUE_MANAGEMENT_EXE_COMP)
The operations user is allowed to:
● maintain solutions and update solution data at SAP
● create and process issues/top issues
● set up and execute sessions for services
Table 343
Single Role | Remarks
SAP_ISSUE_MANAGEMENT_ALL | Authorization to execute issues
SAP_SM_SOLUTION_ALL | Full authorization for solutions
SAP_SOL_PROJ_ADMIN_ALL | Full authorization to set up EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting
Display User (technical role name: SAP_ISSUE_MANAGEMENT_DIS_COMP)
The display user is allowed to:
● display solutions
● display issues/top issues
● display sessions for services
Table 344
Single Role | Remarks
SAP_ISSUE_MANAGEMENT_DIS | Display authorization for issues
SAP_SM_SOLUTION_DIS | Display authorization for solutions
SAP_SOL_PROJ_ADMIN_DIS | Display authorization to set up EarlyWatch Alert and Service Level Reporting as well as other services, and execute reporting
28.5.6 Main Authorization Objects
This section gives you some information on the main authorization objects. For detailed information, see SDN Wiki for Authorizations.
CRM Authorization Objects
Issue Management is based on CRM functionality. The main CRM objects are included in the roles for Issue Management. For more information on CRM authorizations, see the section on CRM integration in the Core Security Guide.
Authorization Object DSWP_ISSUE
This authorization object controls activities for Issues.
Authorization Object DSWP_TOPIS
This authorization object controls activities for Top Issues.
Authorization Object DSWP_EOD
This authorization object controls activities for Expert on Demand.
Authorization Object DSWP_ACTIO
This authorization object controls activities for Actions.
Authorization Object AI_SA_TAB for Issues
This section refers to specific authorization objects and their delivered maintenance in relation to scenario-specific features.
For a complete overview of authorization objects used for SAP Solution Manager and related use cases, see the according wiki page for authorizations.
AI_SA_TAB regulates the access restriction for all tabs in transactions SOLAR01, SOLAR02, and SOLMAN_DIRECTORY, which are mainly used in scenario Implementation and Upgrade. The authorization object is included in role SAP_ISSUE_MANAGEMENT_* due to the integration of Issue Management with scenario Quality Gate Management (QGM).
Authorization Object D_SVAS_SES
This authorization object restricts Services.
28.6 Security Optimization Service
For Security Optimization service, you need to assign additional authorizations. For more information, see SAP Note 69647.
28.7 Scenario Integration
SAP Engagement and Service Delivery combines a number of tools with Services, such as Issue Management or Support Request with Services. The integration with other scenarios is described in the following section.
Business Blueprint and Configuration
In the SAP Engagement and Service Delivery scenario you can display business processes, but not change them. To do so, you can use the links in the work center Common Task section. To be able to maintain business blueprint or configuration data, you need to assign the following roles in addition:
● SAP_SOL_PROJ_ADMIN_*
● SAP_SOLAR01_*
● SAP_SOLAR02_*
● SAP_SOL_KW_*
Incident Management
To be able to create incidents from issues, you need to assign role SAP_SUPPDESK_CREATE.
29 Scenario-Specific Guide: Technical Administration
The business process life-cycle stretches across all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution/systems, and the optimization of productive processes in a project. All systems of a solution must be administered during all phases. This guide gives you an overview of all relevant security-related issues for the technical administration of the systems in your landscape.
29.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 345
Support Package Stacks (Version) | Description of Changes
SP05 | User Roles and Authorization
● Additional view in Work Center, Guided Procedure, requires new role SAP_SM_GP_* with new authorization object SM_GPACUST. See role description tab and section on Users and Authorizations.
SP10 | Service Availability Management
New section on Service Availability Management, which includes new composite roles for defined user definitions:
● SAP_SAM_ADMIN_COMP
● SAP_SAM_DISPLAY_COMP
● SAP_SAM_CONFIG_COMP
● SAP_SAM_EDIT_COMP
● SAP_SAM_REVIEW_COMP
and single roles:
● SAP_SM_SAM_ALL
● SAP_SM_SAM_REVIEW
● SAP_SM_SAM_EDIT
● SAP_SM_SAM_DIS
● SAP_TSAM_CONF
IT Task Inbox and Guided Procedure
New section on IT Task Inbox and Guided Procedure, which includes new composite roles for defined user definitions:
● SAP_GUIDED_PROCEDURE_ALL_COMP
● SAP_TASK_PLANNING_ALL_COMP
● SAP_TASK_INBOX_ALL_COMP
New single roles:
● SAP_TASK_PLANNING_ALL
● SAP_TASK_PLANNING_DIS
RFC-Connection specifics, and managed system authorizations.
For more information see section User Definitions and Roles for IT Task Inbox and Guided Procedure.
Technical Administration
Added the following single roles to composite roles, see according description on the Description Tab in the roles:
● SAP_SM_SAM_*
● SAP_SM_BP_DISPLAY
● SAP_TASK_PLANNING_*
User Roles Changes
For more information on the specific adaptations of authorizations and authorization objects, see the Description Tab of the individual role.
● Adapted the following roles, due to new IT Task Inbox and Guided Procedure application:
○ SAP_TASK_INBOX_* (CRM authorizations and batch integration)
○ SAP_SMWORK_BASIC_TECHADMIN
○ SAP_SM_GP_*
● SAP_SMWORK_SYS_ADMIN (Due to User Interface changes)
● SAP_NOTIF_ADMIN
● SAP_SM_DTM_* (due to SAM)
SP11 | User Roles Changes
For more information on the specific adaptations of authorizations and authorization objects, see the Description tab of the individual role.
● Adapted roles SAP_SM_GP* (Display of GPA Browser)
SP12 | User Roles Adaptations due to SOLMAN_SETUP integration
For more information on the specific adaptations of authorizations and authorization objects, see the Description tab of the individual role.
● SAP_SM_GP_ADMIN
● SAP_SM_GP_EXE
● SAP_TASK_PLANNING_ALL
● SAP_SM_IT_EVENTS_DISP
● SAP_SMWORK_SYS_ADMIN (Best Practice Link)
IT Task Management
● New roles SAP_ITTM_CONF and SAP_ITTM_CONF_COMP for configuration of IT Task Management in transaction SOLMAN_SETUP.
29.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario, which cover all relevant information for that specific scenario.
Caution
Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which refers to all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components are in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
29.3 Prerequisites
29.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape that is needed to run the complete technical administration scenario. The SAP Solution Manager is connected via READ RFC and TRUSTED RFC to your managed systems. The following sections describe in more detail all connections, when they are used, and which technical users are required.
Figure 128: Infrastructure
29.3.2 Configuration
Technical administration is subdivided into several sub-scenarios, for instance Service Availability Management or IT Task Inbox. The configuration users and their authorizations are described in the individual section for the sub-scenario.
Note
For conceptual information on configuration users in SAP Solution Manager, see Core Guide chapter Configuration Users.
29.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 346
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Solution Manager to Exchange Server | LDAP | Reading distribution lists
Solution Manager to Mail Server/SMS Server | HTTP(S)/RFC, SMTP | For e-mail and SMS
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note
All mentioned RFC destinations are created automatically via transaction SOLMAN_SETUP (view: managed systems), see Landscape Setup Guide.
Table 347
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | For notification management to fetch users and business partners
29.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 348
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
29.4 Users and Authorizations
To enable your end-users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modelled. These user descriptions and roles can only be regarded as templates. You first need to define which tasks the individual members in your company execute, and then adjust the according roles.
Caution
The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for Technical Administration are predefined composite roles (technical abbreviation: *_COMP) for users. These composite roles contain a set of single roles that are relevant for the business tasks.
29.4.1 User Descriptions and Roles for Technical Administration
This section gives an overview of the users recommended by SAP and their corresponding role assignments for technical administration. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization objects SM_WC_VIEW and SM_WD_COMP. For more information about user interface authorizations, see core security guide.
Figure 129: Technical Administration Work Center
The tables below give you a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned. View Central Tool Access does not receive specific roles, as the links to be accessed from this application relate to basic security-relevant tools. For these applications, you need to assign the correct roles from SAP Basis.
Administrator (technical role name: SAP_TECHNICAL_ADMIN_COMP)
Table 349
Single Role | Remarks
SAP_SM_DTM_ALL | Full authorization for Work Mode Management, former Downtime Management
SAP_SM_ADMIN_COMPONENT_ALL | MDM Administration Cockpit
SAP_NOTIF_ADMIN | Full authorization for notifications
SAP_ITCALENDAR | Full authorization for IT Calendar
SAP_TASK_INBOX_ALL | Full authorization for Task Inbox
SAP_SM_IT_EVENTS_ADMIN | Full authorization for IT Events (launched from IT Calendar)
SAP_SYSTEM_REPOSITORY_ALL | Full authorization for system repository (LMDB) and system landscape (transaction SMSY)
SAP_SMWORK_BASIC_TECHADMIN | Full authorization for work center
SAP_SMWORK_SYS_ADMIN | Access to work center for technical administration
SAP_SM_GP_ALL | Run Guided Procedure
SAP_SM_SAM_ALL | Full authorization for SAM integration
SAP_SM_BP_DISPLAY | Allows Business Partner display in IT Task Inbox
SAP_TASK_PLANNING_ALL | Full authorization for Task Planner
Display User (technical role name: SAP_TECHNICAL_ADMIN_DISP_COMP)
Table 350
Single Role | Remarks
SAP_SM_DTM_DIS | Display authorization for Work Mode Management, former Downtime Management
SAP_SM_ADMIN_COMPONENT_DIS | MDM Administration Cockpit
SAP_NOTIF_DIS | Display authorization for notifications
SAP_ITCALENDAR | Authorization for IT Calendar
SAP_SM_IT_EVENTS_DISP | Display authorization for IT Event (launched from IT Calendar)
SAP_TASK_INBOX_DIS | Display authorization for task inbox
SAP_SYSTEM_REPOSITORY_DISP | Display authorization for system repository (LMDB) and system landscape (transaction SMSY)
SAP_SMWORK_BASIC_TECHADMIN | Full authorization for work center
SAP_SMWORK_SYS_ADMIN | Access to work center for technical administration
SAP_SM_GP_DIS | Display Guided Procedure
SAP_SM_SAM_DIS | Display authorization for SAM integration
SAP_SM_BP_DISPLAY | Allows Business Partner display in IT Task Inbox
SAP_TASK_PLANNING_DIS | Display authorization for Task Planner
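The Caution above says the delivered composite roles are templates to adjust, and Tables 349 and 350 show why a review is worth doing: the display composite carries several single roles whose names do not mark them as display-only (for example SAP_ITCALENDAR, the same role as in the administrator composite). The following Python script is an added example, not SAP code and not part of this guide. It copies the composite-to-single-role mapping from Tables 349 and 350 and, with constructed sample data standing in for a user/role export from the Solution Manager system, lists the single roles inside a display composite that need a second look and the display-only users who effectively hold full-authorization roles. The privilege level is taken from SAP's role name suffixes (*_ALL, *_ADMIN versus *_DIS, *_DISP, *_DISPLAY), which is a review heuristic and not an authorization check; the user names, their expected levels and the treatment of SAP_SMWORK_* as navigation roles are assumptions made for the example.

```python
"""Least-privilege review of SAP Solution Manager composite roles.

Added example for this guide, not SAP code. The composite-to-single-role
mapping is copied from Tables 349 and 350; the user assignments and the
expected privilege level per user are CONSTRUCTED sample data standing in
for an export of user/role assignments from the Solution Manager system.
Privilege levels are derived from SAP's role name suffixes, which is a
review heuristic, not an authorization check.
"""

# Composite role -> single roles, as listed in Tables 349 and 350 of the guide.
COMPOSITE_ROLES = {
    "SAP_TECHNICAL_ADMIN_COMP": [
        "SAP_SM_DTM_ALL", "SAP_SM_ADMIN_COMPONENT_ALL", "SAP_NOTIF_ADMIN",
        "SAP_ITCALENDAR", "SAP_TASK_INBOX_ALL", "SAP_SM_IT_EVENTS_ADMIN",
        "SAP_SYSTEM_REPOSITORY_ALL", "SAP_SMWORK_BASIC_TECHADMIN",
        "SAP_SMWORK_SYS_ADMIN", "SAP_SM_GP_ALL", "SAP_SM_SAM_ALL",
        "SAP_SM_BP_DISPLAY", "SAP_TASK_PLANNING_ALL",
    ],
    "SAP_TECHNICAL_ADMIN_DISP_COMP": [
        "SAP_SM_DTM_DIS", "SAP_SM_ADMIN_COMPONENT_DIS", "SAP_NOTIF_DIS",
        "SAP_ITCALENDAR", "SAP_SM_IT_EVENTS_DISP", "SAP_TASK_INBOX_DIS",
        "SAP_SYSTEM_REPOSITORY_DISP", "SAP_SMWORK_BASIC_TECHADMIN",
        "SAP_SMWORK_SYS_ADMIN", "SAP_SM_GP_DIS", "SAP_SM_SAM_DIS",
        "SAP_SM_BP_DISPLAY", "SAP_TASK_PLANNING_DIS",
    ],
}

# CONSTRUCTED sample: user -> composite roles, as a user/role export would show.
# AUDIT02 is the mistake to catch: a display-only user who was also given the
# administrator composite.
USER_ASSIGNMENTS = {
    "TECHADM01": ["SAP_TECHNICAL_ADMIN_COMP"],
    "AUDIT01": ["SAP_TECHNICAL_ADMIN_DISP_COMP"],
    "AUDIT02": ["SAP_TECHNICAL_ADMIN_DISP_COMP", "SAP_TECHNICAL_ADMIN_COMP"],
}
# CONSTRUCTED sample: privilege level each user is supposed to have.
EXPECTED_LEVEL = {"TECHADM01": "full", "AUDIT01": "display", "AUDIT02": "display"}


def privilege_level(single_role: str) -> str:
    """Classify a single role by SAP's naming convention (heuristic, assumed)."""
    if single_role.startswith("SAP_SMWORK_"):
        return "navigation"          # work center access roles (Tables 349/350)
    if single_role.endswith(("_DIS", "_DISP", "_DISPLAY")):
        return "display"
    if single_role.endswith(("_ALL", "_ADMIN")):
        return "full"
    return "unclassified"            # no suffix at all: needs a manual look


def review_display_composites(composite_roles: dict) -> dict:
    """For every display composite (*_DISP_COMP / *_DIS_COMP) list the single
    roles whose name does not mark them as display-only or navigation.
    Returns {composite: {single_role: level}}."""
    findings = {}
    for comp, singles in composite_roles.items():
        if not comp.endswith(("_DISP_COMP", "_DIS_COMP")):
            continue
        suspect = {r: privilege_level(r) for r in singles
                   if privilege_level(r) not in ("display", "navigation")}
        if suspect:
            findings[comp] = suspect
    return findings


def effective_single_roles(user: str, assignments: dict, composite_roles: dict) -> set:
    """Flatten a user's composite roles into the single roles actually granted."""
    roles = set()
    for comp in assignments.get(user, []):
        roles.update(composite_roles.get(comp, []))
    return roles


def review_users(assignments: dict, expected: dict, composite_roles: dict) -> dict:
    """Display-only users who, via their composites, hold full-authorization
    single roles. Returns {user: sorted offending single roles}."""
    violations = {}
    for user, level in expected.items():
        if level != "display":
            continue
        full = sorted(r for r in effective_single_roles(user, assignments, composite_roles)
                      if privilege_level(r) == "full")
        if full:
            violations[user] = full
    return violations


if __name__ == "__main__":
    for comp, suspect in review_display_composites(COMPOSITE_ROLES).items():
        print(f"{comp}: review {suspect}")
    for user, roles in review_users(USER_ASSIGNMENTS, EXPECTED_LEVEL, COMPOSITE_ROLES).items():
        print(f"{user}: display-only user effectively holds {roles}")
```

Run against the sample data, the first check reports SAP_ITCALENDAR inside SAP_TECHNICAL_ADMIN_DISP_COMP as unclassified, and the second reports AUDIT02 with the nine *_ALL/*_ADMIN roles inherited from the administrator composite. Replacing the two constructed dictionaries with a real export (and extending COMPOSITE_ROLES with the other tables of this guide) turns this into a repeatable check to run after each role adjustment or Support Package upgrade.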
Related Links in the Work Center
In the related links section in the work center, you find all possible links for this work center. This link collection is a recommendation about which additional applications could run in the according scenarios. If you want to display in the related links section only those links that should be possible for the defined user to see, you can adapt the work center navigation role accordingly. For more information about how to adapt the related links section, see the How-to section.
Configuration
For the following two links, you need authorization for the work center SAP Solution Manager configuration and according roles, see the specific guide on Landscape Setup.
● Solution Manager Configuration:
● Managed System Setup
For the link CSA Setup, you need the following roles: SAP_SETUP_DSWP_CSA, SAP_SM_SOLUTION_*, and SAP_SYSTEM_REPOSITORY_*.
Administration
● Solution Manager Administration:
You need authorization for the SAP Solution Manager Administration work center and according authorizations, see scenario-specific guide for SAP Solution Manager Administration.
● Landscape Browser:
You need authorization for LMDB maintenance SAP_SYSTEM_REPOSITORY_*.
● Self-Diagnosis:
You need authorization for solutions SAP_SM_SOLUTION_*.
● My Notification Settings:
You need role SAP_NOTIF_*.
29.4.2 User Roles for IT Task Inbox and Guided Procedure
IT Task Planning allows you to plan Guided Procedures. The new IT Task Inbox shows all available tasks which are assigned to a user, to a support organization, or which are planned for certain managed objects. When a user executes a task, the system opens a related guided procedure and the task is executed via the steps and activities of the guided procedure.
This section gives an overview of the users recommended by SAP and their corresponding role assignments for technical administration. Template users can be created in the SOLMAN_SETUP configuration procedure for this scenario.
Scenario Configuration
You can configure the IT Task Management scenario using transaction SOLMAN_SETUP.
Work Center Access
Guided Procedure is accessible using the Work Center for Technical Administration.
RFC-Connections
RFC-connections are only used in the case of automated activities that can be used in the self-defined guided procedures. These automated activities always use trusted RFC-connections.
CRM Authorizations Integration
IT Task Inbox requires CRM-integration. Therefore, the transaction type SMOT is used.
Recommendation
To avoid loss of data when upgrading your system, always copy transaction types and related objects into your own namespace. This requires that you adapt the CRM-specific authorization objects accordingly. For more information on CRM integration, see the according section in chapter Authorization Concept for Solution Manager.
Administration User (Technical name: TP_ITTM_ADM)
The technical role name of the corresponding composite role is: SAP_TASK_MANAGEMENT_ALL_COMP.
Table 351
Single Role | Help Text ID
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_TECHADMIN | AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN | AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_GP_ADMIN | AUTH_SAP_SM_GP_ADMIN
SAP_ITCALENDER_DIS | AUTH_SAP_ITCALENDER_DIS
SAP_SM_IT_EVENTS_DISP | AUTH_SAP_SM_IT_EVENTS_DISP
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL
SAP_TASK_PLANNING_ALL | AUTH_SAP_TASK_PLANNING_ALL
Authoring User (Technical name: TP_ITTM_AUTH)
The technical role name of the corresponding composite role is: SAP_GUIDED_PROCEDURE_ALL_COMP.
Table 352
Single Role | Help Text ID
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY
SAP_TASK_INBOX_ALL | AUTH_SAP_TASK_INBOX_ALL
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REP_ALL
SAP_SMWORK_BASIC_TECHADMIN | AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN | AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_GP_ADMIN | AUTH_SAP_SM_GP_ADMIN
IT Manager (Technical name: TP_ITTM_ITM)
The technical role name of the corresponding composite role is: SAP_TASK_PLANNING_ALL_COMP.
Figure 130: Data Flow Task Planning
Table 353
Single Role | Help Text ID
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY
SAP_TASK_PLANNING_ALL | AUTH_SAP_TASK_PLANNING_ALL
SAP_ITCALENDER_DIS | AUTH_SAP_ITCALENDER_DIS
SAP_TASK_INBOX_DIS | AUTH_SAP_TASK_INBOX_DIS
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DISP
SAP_SMWORK_BASIC_TECHADMIN | AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN | AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_GP_DIS | AUTH_SAP_SM_GP_DIS
SAP_ITCALENDAR_DIS | AUTH_SAP_ITCALENDAR_DIS
SAP_SM_IT_EVENTS_DISP | AUTH_SAP_SM_IT_EVENTS_DISP
IT Operator (Technical name: TP_ITTM_ITO)
The technical role name of the corresponding composite role is: SAP_TASK_INBOX_ALL_COMP.
Figure 131: Data Flow Task Inbox
Authorization Roles in the Solution Manager - System
Table 354
Single Role | Help Text ID
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP_DISPLAY
SAP_TASK_INBOX_DIS | AUTH_SAP_TASK_INBOX_DIS
SAP_SYSTEM_REPOSITORY_DISP | AUTH_SAP_SYSTEM_REP_DISP
SAP_SMWORK_BASIC_TECHADMIN | AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN | AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_GP_EXE | AUTH_SAP_SM_GP_EXE
SAP_TASK_PLANNING_DIS | AUTH_SAP_TASK_PLANNING_DIS
Display User (Technical name: TP_ITTM_DIS)
The technical role name of the corresponding composite role is: SAP_TASK_MANAGEMENT_DIS_COMP.
Table 355
Single Role Help Text ID
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_TASK_PLANNING_DIS AUTH_SAP_TASK_PLANNING_DIS
SAP_ITCALENDER_DIS AUTH_SAP_ITCALENDER_DIS
SAP_TASK_INBOX_DIS AUTH_SAP_TASK_INBOX_DIS
SAP_SYSTEM_REPOSITORY_DISP AUTH_SAP_SYSTEM_REP_DISP
SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_GP_DIS AUTH_SAP_SM_GP_DIS
SAP_SM_IT_EVENTS_DISP AUTH_SAP_SM_IT_EVENTS_DISP
29.4.3 Service Availability Management
Service Availability Management (SAM) enables downtime reporting for technical components such as servers, technical systems, and other objects. These downtime entries are called “Service Outages” and can be checked and corrected by System Administrators. The final confirmation is done by an IT Manager. Confirmed Service Outages are mapped to “Agreed Service Times” (AST) and reported using dashboards.
This section gives an overview of the users recommended by SAP and their user role assignments for SAM. All users are assigned a composite role, which contains a number of single roles.
Configuration
SAM is configured using transaction SOLMAN_SETUP. Here, you can also create template users for your application users.
Note: For conceptual information on configuration users in SAP Solution Manager, see the Core Guide chapter Configuration Users.
Creating Configuration User in Basic Configuration transaction SOLMAN_SETUP
You can configure the basic technical settings using transaction SOLMAN_SETUP by running the guided procedure for SAM.
During the scenario-specific guided configuration, you can create template users. The system automatically adds all relevant user roles.
During the basic automated configuration, you can create a specific configuration user (default technical name: SMC_TSAM_<XXX>) for SAM (Help Text ID: USER_CONFIG_SAM). The system automatically adds all relevant user roles. Authorizations in these roles are fully maintained by the automated configuration.
If you want to create the configuration user manually, assign:
● the composite role SAP_SAM_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, also assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
Work Center Access
The work center represents a work space for a user, which gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
Administrator (Help Text-ID: TP_SAM_ADMIN)
Single Roles for Administrator (technical role name: SAP_SAM_ADMIN_COMP) in the SAP Solution Manager System
Table 356
Role Help Text-ID
SAP_SM_SAM_ALL AUTH_SAP_SM_SAM_ALL
SAP_SYSTEM_REPOSITORY_ALL AUTH_SAP_SYSTEM_REP_ALL
SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_DTM_ALL AUTH_SAP_SM_DTM_ALL
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP
Display User (Help Text-ID: TP_SAM_DISP)
Single Roles for Display User (technical role name: SAP_SAM_DISPLAY_COMP) in the SAP Solution Manager System
Table 357
Role Help Text-ID
SAP_SM_SAM_DIS AUTH_SAP_SM_SAM_DIS
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_DTM_DIS AUTH_SAP_SM_DTM_DIS
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP
Maintenance User (Help Text-ID: TP_SAM_AM)
Single Roles for Maintenance User (technical role name: SAP_SAM_EDIT_COMP) in the SAP Solution Manager System
Table 358
Role Help Text-ID
SAP_SM_SAM_EDIT AUTH_SAP_SM_SAM_EDIT
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_DTM_ALL AUTH_SAP_SM_DTM_ALL
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP
Review User (Help Text-ID: TP_SAM_CNFM)
Single Roles for Review User (technical role name: SAP_SAM_CNFM_COMP) in the SAP Solution Manager System
Table 359
Role Help Text-ID
SAP_SM_SAM_REVIEW AUTH_SAP_SM_SAM_REVIEW
SAP_SYSTEM_REPOSITORY_DIS AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_TECHADMIN AUTH_SAP_SMWORK_BASIC_TA
SAP_SMWORK_SYS_ADMIN AUTH_SAP_SMWORK_SYS_ADMIN
SAP_SM_DTM_DIS AUTH_SAP_SM_DTM_DIS
SAP_SM_BP_DISPLAY AUTH_SAP_SM_BP_DISPLAY
SAP_SM_DASHBOARDS_DISP_SAM AUTH_SAP_SM_DASHBOARDS_DISP
29.4.4 Main Authorization Objects
This section gives an overview of the main authorization objects. For detailed information, see the SDN Wiki for Authorizations.
Notification Management Authorization Object SM_NOTI_TA
The authorization object SM_NOTI_TA restricts authorizations for notifications:
● Start / Read: display authorization for Notification Management
● Reduce the scope if not all technical scenarios are allowed for the user
● Create, change, delete Recipients / Recipient Lists
Notification Management Authorization Object S_LDAP
In the administration role, the object is delivered with the authorization for assigning servers for LDAP (authorization object S_LDAP) and SMS usage.
Work Mode Management (formerly: DTM) Authorization Object SM_WMMAUTH
The authorization object SM_WMMAUTH restricts access to Work Mode Management (DTM).
Note: In the roles for Work Mode Management, the authorization object D_DMD_DATA is maintained with full authorization to execute changes on the data model. In addition, they contain the authorization objects S_USER_GRP for user information and B_BUPA_RLT for Business Partner information, each with activity 03 (display).
29.5 Integration
Technical Administration refers to the maintenance of all systems in your system landscape. To run all your systems smoothly, this phase needs to integrate with the handling of problems. The following sections describe the integration of Technical Administration with other scenarios within SAP Solution Manager, and which user roles apply.
Note: For more detail on each individual scenario, see the according Scenario-Specific Guide.
View: Central Tool Access
The view Central Tool Access does not receive specific roles, as the links accessed from this application relate to basic security-relevant tools. For these applications, you need to assign the correct roles from SAP Basis.
Figure 132: Central Tool Administration
29.6 Traces and Logs
Work Mode Management provides the feature to notify users about a system downtime. E-mail addresses can be displayed by the system administrator. Changes are logged.
30 Scenario-Specific Guide: Business Process Operations
The business process life-cycle spans all phases of the life-cycle of a product: the implementation of business processes in a project, their operation as a solution, and the optimization of productive processes in a project. You use the scenario Business Process Operations to monitor your most important business processes. This guide gives you an overview of all relevant security-related issues for this scenario.
30.1 Document History
Here, all changes to the specific scenario guide are listed according to Support Package.
Table 360
Support Package Stacks (Version) / Document Adaptations
SP05 General
Business Process Operations is configured using the automated guided procedure within transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be automatically created within this procedure. The following users are created:
● Scenario Configuration User: This user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on for configuring the corresponding scenario in transaction SOLMAN_SETUP.
● Standard Users: Standard users for the individual process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as “demo” standard users. The system automatically assigns the necessary authorization roles with the according authorization values for the SAP standard scenario. If your processes require customizing due to a different process or other user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system, the required BW system, and the managed system.
Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is directly linked in transaction SOLMAN_SETUP. This security guide refers only to the according document Text ID in the system.
For more information, see the Landscape Setup Guide, section User Generation.
● CDC single roles included in BPO composite roles.
● Adapted section on communication channels.
User Definitions
User definition for end-users is refined. See the user definitions in the guided procedure step “Create Standard Users” in transaction SOLMAN_SETUP for the scenario.
Scenario Configuration
Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
End-User Roles
● New single roles for Business Process Analytics for Solution Manager SAP_SM_BPOANA_* and managed systems SAP_MANAGED_BPOANA_*.
SP07 End-User Roles
Substituted role SAP_SM_DASHBOARD_*BPO with SAP_SM_DASHBOARD_ADMIN in composite role SAP_BPO_CONF_COMP and in the SOLMAN_SETUP user role assignment for the configuration user.
SP10 New End-User Roles for CDC
New additional roles are shipped for CDC, see section Additional Functions. For more information on authorization changes for the roles, see the MENU tab of the respective role.
● SAP_CDC_INSTANCE_ANALYZER
● SAP_CDC_INSTANCE_EXECUTER
● SAP_CDC_INSTANCE_CREATOR
● SAP_CDC_OBJECT_MODELER
End-User Roles Changes
For more information on authorization changes for the roles, see the MENU tab of the respective role.
● SAP_MANAGED_BPOANA_* (delivered with the according software component ST-PI)
● SAP_SM_BPOANA_*
● SAP_SETUP_DSWP_BPM and SAP_OP_DSWP_BPM adapted for the new Work Center functionality based on the Extractor Framework
● SAP_SV_SOLUTION_MANAGER_DIS adapted for the new Work Center functionality based on the Extractor Framework
● SAP_SM_BPMON_REPORTING adapted for the new Work Center functionality based on the Extractor Framework
● SAP_BPO_CONF
● SAP_SMWORK_BASIC_BPO
User - Roles Assignments
● New Work Center role SAP_SMWORK_BPO is delivered and added to all composite roles and template users (in transaction SOLMAN_SETUP). The former Work Center role SAP_SMWORK_BPM can still be used with the delivered composite roles.
● New role SAP_SM_BP_DISPLAY is added to all composite roles (also SOLMAN_SETUP template users) to allow filtering for Business Partner in queries. You can find more information on the role in section Roles and Authorizations for Infrastructure.
● New role SAP_SM_JMON_LEVEL01 added to the composite roles for the Alert user and the Administration user to allow integration with Job Monitoring. You can find more information on the sub-scenario Job Monitoring in section Scenario-Specific Guide for Technical Monitoring - Job Monitoring.
● Substituted role SAP_SMSY_DIS with SAP_SYSTEM_REPOSITORY_DIS for all users (and accordingly in all composite roles), as the scenario relies on LMDB functionality.
Technical Users
● Role SAP_SM_S_CSMREG for technical user SM_BPMO adapted (S_BTCH_JOB and S_TABU_DIS removed, and further authorization objects added).
● Technical user CSMREG is no longer required if you use the new BPO Work Center based on the Extractor Framework functionality.
RFC - Connections
● Instead of the READ RFC connection, the TMW RFC connection is used, as batch jobs are running in the managed system and write access is required.
SP11 Technical Users
● Corrections regarding technical users CSMREG (not required) and SM_BPMO (used in the productive client).
SP12 User - Roles Assignments
● Single role SAP_NOTIF_ADMIN added to the administration user (composite role SAP_BP_OPERATIONS_ADMIN_COMP) for integration of Notification Management.
● Roles SAP_SM_SYM_LEVEL01 and SAP_SM_JMON_LEVEL01 added to BPO* users (due to integration with Interface Channel Monitoring and Job Monitoring).
● Single role SAP_SM_GP_EXE added to composite roles SAP_BP_OPERATIONS_REPORT_COMP, SAP_BP_OPERATIONS_CDC_COMP, SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP.
● Single role SAP_SM_GP_DIS added to composite role SAP_BP_OPERATIONS_DIS_COMP.
● Single role SAP_BC_FDT_ADMINISTRATOR added to SAP_BP_OPERATIONS_ADMIN_COMP.
● Adapted roles SAP_OP_DSWP_BPM, SAP_SETUP_DSWP_BPM.
● Single role SAP_SM_SYM_LEVEL01 added to SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP, SAP_BP_OPERATIONS_DIS_COMP.
● Single role SAP_SM_JMON_LEVEL01 added to SAP_BP_OPERATIONS_ADMIN_COMP, SAP_BP_OPERATIONS_ALERT_COMP, SAP_BP_OPERATIONS_DIS_COMP.
● New single roles SAP_SM_DASHBOARDS_DISP_VBD, SAP_BPR_PPM, SAP_CPR_PROJECT_ADMINISTRATOR, SAP_CPR_USER, SAP_XRPM_ADMINISTRATOR for project-based delivery, see section Project-based Delivery.
SP13 User - Roles Assignments
● Assigned role SAP_MANAGED_BPOANA_DIS to user BPO_CDC.
● Assigned role SAP_SM_SCHEDULER_BPO to user BPO_ADM_<SystemID> (to allow for Job Documentation).
30.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario and later on add another scenario to your landscape. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. Nor does this guide replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the according roles which represent them. Here, you also find information on the relevant work center(s).
● User Roles for Additional Functions: find out about additional authorizations for the work center.
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you can find out about the authorizations you need to assign to your users for these cases.
30.3 Prerequisites
30.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete Business Process Operations scenario. SAP Solution Manager is connected to your managed systems via READ RFC and TRUSTED RFC. IGS is connected via a specified RFC connection. In addition, a local RFC destination is in place from your productive client to client 000. The following sections describe all connections in more detail: when they are used, and which technical users are required.
Figure 133: Infrastructure
30.3.2 Scenario Configuration User
The scenario BPO is configured using transaction SOLMAN_SETUP.
To configure the scenario, proceed as follows:
Creating Configuration User in Basic Configuration Transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions, like the Solution Directory (including graphics), using transaction SOLMAN_DIRECTORY.
During basic automated configuration, you can create a specific configuration user (default technical user name: SMC_BPO_<XXXClient>) for BPO (Help Text ID: USER_CONFIG_BPO). The system automatically adds all relevant user roles. Authorizations in these roles are fully maintained by the automated configuration.
If you want to create the configuration user manually, you need to assign:
● the composite role SAP_BPO_CONF_COMP, which contains all single roles that are automatically assigned to the configuration user in the SAP Solution Manager system.
Note: To be able to:
○ create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
○ use a trusted RFC connection between the Solution Manager and the managed systems, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system as well as in the managed system.
● the composite role SAP_BW_BP_OPERATION_ADMIN_COMP, which contains all single roles that are automatically assigned to the configuration user in the BW system.
Note: To be able to use a trusted RFC connection between the Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration Transaction SOLMAN_SETUP
To run Business Process Operations, you need to configure it using transaction SOLMAN_SETUP. During the scenario-specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles, see the according sections on Users and User Roles.
30.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 361
Communication Channel: Solution Manager to OSS
Protocol: RFC
Type of Data Transferred / Function: Exchange of problem messages, retrieval of services

Communication Channel: Solution Manager to managed systems
Protocol: RFC
Type of Data Transferred / Function: Exchange data

Communication Channel: Solution Manager to managed systems within customer network
Protocol: FTP
Type of Data Transferred / Function: Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Communication Channel: Solution Manager to SAP Service Marketplace
Protocol: HTTP(S)
Type of Data Transferred / Function: Search for notes
Communication Destinations
The table below gives an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All mentioned RFC destinations are automatically created via transaction SOLMAN_SETUP (view: managed systems), see the Landscape Setup Guide.
Table 362
RFC Destination Name: SM_<SID>CLNT<Client>_LOGIN (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: Customer-specific
Logon User (Password): Customer-specific
Remarks: To be used instead of trusted RFC.

RFC Destination Name: SM_<SID>CLNT<Client>_TMW (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Default user: SMT<SID of Solution Manager system>
Remarks: Used to read data from the managed systems, such as job lists, sales organization data, IDocs, selection help, and so on, and to run batch jobs.
Note: Specific data collectors write log information and detail list information into table /SSA/PTAB in the managed system.
Batch jobs BPM_DATA_COLLECTION_1 and BPM_DATA_COLLECTION_2 are scheduled in the managed systems. The jobs allow an asynchronous execution of the data collectors in a managed system. Instead of executing the data collection in a synchronous call from the SAP Solution Manager, the task of actually executing the data collectors is handed to a background job. The result of the data collection is buffered in a dedicated persistency on the managed system. In a further step, these results are fetched to the SAP Solution Manager system and removed from the database of the managed system. Asynchronous data collection is recommended for infrequent, long-running data collections.
Data collection for monitoring objects that are scheduled to be collected asynchronously will not work. This may result in problems for lasting data collections.

RFC Destination Name: SM_<SID>CLNT<Client>_TRUSTED (ABAP connection)
Target Host Name: Managed System
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Customer-specific
Remarks:
● Mandatory for CDC functionality setup, due to the necessity of code generation in the managed system.
● Mandatory for Business Process Monitoring to use the according value help from managed systems. The Login RFC can be used instead, but then the value help must be maintained manually.
Internet Graphics Server (IGS) RFC Connection
Table 363
RFC Destination Name: ITS_RFC_DEST
Activation Type: Registered Server program (program: IGS.<SID>)
How Created: Manually in transaction SM59
Local Connections
Table 364
Destination Name: BPM_LOCAL_<Client>
Target Host Name: Managing system
System Number: System-specific
Logon Client: 000
Logon User (Password): SM_BPMO (customer-specific)
Remarks: The RFC is created during the Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name: SOLMAN_BPM_RFC_LOCAL).
BW Reporting RFC Connection
Table 365
RFC Destination Name: NONE, if BW reporting is realized in a BW standard scenario, for content activation
Target Host Name: Solution Manager productive client
System Number: System-specific
Logon Client: System-specific
Logon User (Password): System-specific

RFC Destination Name: BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation
Target Host Name: Managed System or Solution Manager System
System Number: System-specific
Logon Client: System-specific
How Created: In transaction SOLMAN_SETUP

RFC Destination Name: <SolutionManagerSID>CLNT<SolutionManager–ProductiveClient>, BI callback RFC for reorganization of data and configuration validation
Target Host Name: Solution Manager productive client
System Number: System-specific
Logon Client: System-specific
Logon User (Password): BI_CALLBACK (customer-specific)
How Created: In transaction SOLMAN_SETUP

RFC Destination Name: Trusted RFC to remote BW system SAP_BILO
Target Host Name: Remote BW system (source: SAP Solution Manager)
System Number: System-specific
Logon Client: System-specific
Logon User (Password): Dialog User
How Created: Used to read data from the remote BW for BI Reporting; created during SOLMAN_SETUP
30.3.4 Technical Users
The users in the following tables are created manually during configuration.
Table 366
User (Password) Remarks
SM_BPMO (customer-specific) Technical user (service user) in the productive client, authorized to call managed systems, assigned role: SAP_SM_BPMO_COMP
User for READ Access in Managed Systems
Users for RFC connection READ
Table 367
User: SM_<SID of Solution Manager system> (system-specific)
User Type: System User
Remarks: Technical user (“READ User”) for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
User for BW Reporting (Reorganization of Data and Configuration Validation)
Table 368
User: BI_CALLBACK
User Type: System User
Remarks: Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is automatically generated during configuration via transaction SOLMAN_SETUP.
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.

User: SMD_BI_RFC, in case of remote BW
User Type: System User
Remarks: Technical user for data download

User: SM_EFWK
User Type: System User
Remarks: Technical user for extractor execution
30.4 Users and Authorizations
To enable your end-users to work with the application, you need to assign them authorizations in the Solution Manager system and in the managed systems.
When you are working in a project to implement new business processes or change existing ones, a number of project members with different tasks are involved. SAP delivers recommended user descriptions on which the SAP-delivered roles are modeled. These user descriptions and roles can only be regarded as templates. You need to first define which tasks the individual members in your company execute, and then adjust the according roles.
Caution: The roles delivered by SAP can only be regarded as models for adjustment to your company's needs.
Roles for Business Process Operations are predefined composite roles (technical abbreviation: *_COMP). These composite roles contain a set of single roles that are relevant for the business tasks.
Figure 134: Business Process Monitoring Process
30.4.1 User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their user role assignments for Business Process Operations. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which gives access to all tools necessary for the user's work. You can assign the delivered composite roles to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by the authorization object SM_WC_VIEW. For more information about user interface authorizations, see the core security guide.
The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the according single role is absolutely necessary. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFCs between SAP Solution Manager, Managed Systems, and BW System
Trusted authorizations are needed between SAP Solution Manager and its managed systems, as well as between SAP Solution Manager and a remote BW system.
● In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
● The user in the managed system receives role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.
Neither role is contained in the respective composite roles, due to their highly security-relevant character.
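The rule just stated (the S_RFCACL roles are assigned explicitly and never arrive through a composite role, and they are needed on both ends of a trusted connection) can be checked against a role export. The following is an added example, not code from the SAP guide: it uses the role names the guide gives (SAP_SM_S_RFCACL on the Solution Manager and managed-system side, SAP_SM_BW_S_RFCACL on the BW side), while the composite-role contents, the users and the customer composite Z_BPO_ADMIN_COMP that breaks the rule are constructed for the example. In a real system the two mappings would come from tables AGR_AGRS (single roles per composite role) and AGR_USERS (roles per user).

```python
"""Audit of role assignments against the trusted-RFC rule of the guide.

Added example, not part of the SAP guide. Role names come from the guide; all
composite contents, users and assignments below are constructed test data.
"""

# Role carrying authorization object S_RFCACL, per system type (from the guide).
TRUSTED_RFC_ROLE = {
    "SOLMAN": "SAP_SM_S_RFCACL",
    "MANAGED": "SAP_SM_S_RFCACL",
    "BW": "SAP_SM_BW_S_RFCACL",
}

# Constructed composite-role contents (a subset of Tables 369 and 370, plus a
# hypothetical customer copy Z_BPO_ADMIN_COMP that embeds the trusted-RFC role).
COMPOSITE_ROLES = {
    "SAP_BP_OPERATIONS_ADMIN_COMP": {
        "SAP_SM_GP_EXE", "SAP_OP_DSWP_BPM", "SAP_SETUP_DSWP_BPM",
        "SAP_SYSTEM_REPOSITORY_DIS", "SAP_SM_BP_DISPLAY", "SAP_NOTIF_ADMIN",
    },
    "SAP_BW_BP_OPERATIONS_ADMIN_COMP": {"SAP_BI_E2E_BPO", "SAP_SM_BI_ADMIN"},
    "Z_BPO_ADMIN_COMP": {"SAP_OP_DSWP_BPM", "SAP_SM_S_RFCACL"},
}

# Constructed users: {user: {system type: [assigned roles]}}. Assumption for the
# example: a system listed for a user is reached by that user via trusted RFC.
USERS = {
    "BPO_ADM_SM1": {
        "SOLMAN": ["SAP_BP_OPERATIONS_ADMIN_COMP", "SAP_SM_S_RFCACL"],
        "BW": ["SAP_BW_BP_OPERATIONS_ADMIN_COMP"],            # BW-side role forgotten
        "MANAGED": ["SAP_MANAGED_BPOANA_ALL", "SAP_SM_S_RFCACL"],
    },
    "BPO_ADM_Z": {
        "SOLMAN": ["Z_BPO_ADMIN_COMP"],                       # role only via composite
        "MANAGED": ["SAP_MANAGED_BPOANA_ALL"],                # role missing
    },
}


def effective_single_roles(assigned, composites):
    """Flatten composite roles into the set of single roles the user really holds."""
    effective = set()
    for role in assigned:
        effective |= composites.get(role, {role})
    return effective


def composites_embedding_trusted_role(composites):
    """Composite roles that contain an S_RFCACL role, which the guide rules out."""
    forbidden = set(TRUSTED_RFC_ROLE.values())
    return sorted(name for name, singles in composites.items() if singles & forbidden)


def trusted_rfc_status(assignments, composites):
    """Per system type: 'explicit' (assigned directly), 'via-composite'
    (only inherited from a composite role) or 'missing'."""
    status = {}
    for system, roles in assignments.items():
        needed = TRUSTED_RFC_ROLE[system]
        if needed in roles:
            status[system] = "explicit"
        elif needed in effective_single_roles(roles, composites):
            status[system] = "via-composite"
        else:
            status[system] = "missing"
    return status


def audit(users, composites):
    """One finding per violation: embedded trusted roles first, then per-user gaps."""
    findings = [
        f"composite role {name} embeds an S_RFCACL role; remove it and assign the role directly"
        for name in composites_embedding_trusted_role(composites)
    ]
    for user, assignments in users.items():
        for system, state in trusted_rfc_status(assignments, composites).items():
            needed = TRUSTED_RFC_ROLE[system]
            if state == "missing":
                findings.append(
                    f"{user}: {needed} missing on {system} side, trusted RFC logon will be rejected")
            elif state == "via-composite":
                findings.append(
                    f"{user}: {needed} on {system} side only inherited via a composite role")
    return findings


if __name__ == "__main__":
    for line in audit(USERS, COMPOSITE_ROLES):
        print(line)
```

Run against the constructed data, the audit reports the composite that embeds SAP_SM_S_RFCACL, the BW-side role missing for BPO_ADM_SM1, and both the inherited Solution Manager role and the missing managed-system role for BPO_ADM_Z. The same two dictionaries, filled from a real export, give the list of users to fix before a trusted destination is relied upon.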
Authorization in Managed System
In the managed system, you need to assign the according user application-specific authorizations. For more information, see the applicable security guide for the relevant application.
Administrator/Manager User (Help Text ID: TP_BPO_ADMIN)
Technical composite role name: SAP_BP_OPERATIONS_ADMIN_COMP in the SAP Solution Manager system
Table 369
Single Role | Help Text ID
--- | ---
SAP_BC_FDT_ADMINISTRATOR | This role gives access to the BRFplus workbench, that is, the user interface for creating rule objects (such as expressions or data objects) and for modeling and testing rules. Business Rule Framework plus (BRFplus) is an ABAP-based business rules modeling system that can be used by all applications built on the NetWeaver ABAP stack. With this role assigned to a user profile, a user can carry out all kinds of activities in the BRFplus workbench, such as creating, changing, deleting, or versioning all kinds of objects supported by BRFplus. Due to the comprehensive scope of authorizations granted by this role, you should assign it only to persons in charge of administrative tasks with BRFplus. For all other users, you can use this role as a copy template to derive more restricted roles from it.
SAP_SM_GP_EXE | AUTH_SAP_SM_GP_EXE
SAP_CDC_DISPLAY | AUTH_SAP_CDC_DISPLAY
SAP_OP_DSWP_BPM | AUTH_SAP_OP_DSWP_BPM
SAP_SETUP_DSWP_BPM | AUTH_SAP_SETUP_DSWP_BPM
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SOLMAN_DIRECTORY_EDIT | AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR | AUTH_SAP_SM_BI_EXTRACTOR
SAP_SM_BPMON_REPORTING | AUTH_SAP_SM_BPMON_REPORT
SAP_SM_DASHBOARDS_ADMIN | SAP_SM_DASHBOARD_ADMIN
SAP_SM_BPOANA_ALL | AUTH_SAP_SM_BPOANA_ALL
SAP_SMWORK_BASIC_BPO | AUTH_SAP_SMWORK_BASIC_BPO
SAP_SMWORK_BPO | AUTH_SAP_SMWORK_BPO
SAP_SMWORK_BPM | AUTH_SAP_SMWORK_BPO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
SAP_NOTIF_ADMIN | AUTH_SAP_NOTIF_ADMIN
SAP_SM_SYM_LEVEL01 | AUTH_SAP_SM_SYM_LEVEL01
SAP_SM_SCHEDULER_BPO | AUTH_SAP_SM_SCHEDULER_BPO
Security Guide for SAP Solution Manager 7.1, Scenario-Specific Guide: Business Process Operations. CUSTOMER. © Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.
Technical composite role name: SAP_BW_BP_OPERATIONS_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration under Prerequisites.
Table 370
Single Role | Help Text ID
--- | ---
SAP_BI_E2E_BPO | AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN
Note
For more information on Process Chain Monitoring of an external BW system, see SAP Note 1411885.
Role in the Managed System
The role must be assigned to the user with the same user ID and password in the managed system.
Table 371
Assigned Role | Help Text ID
--- | ---
SAP_MANAGED_BPOANA_ALL | AUTH_SAP_MANAGED_BPOANA_ALL
Analytics/Reporting User (Help Text ID: USER_TP_BPO_REP)
Technical composite role name: SAP_BP_OPERATIONS_REPORT_COMP in the SAP Solution Manager system
Table 372
Single Role | Help Text ID
--- | ---
SAP_SM_GP_EXE | AUTH_SAP_SM_GP_EXE
SAP_OP_DSWP_BPM | AUTH_SAP_OP_DSWP_BPM
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SOLMAN_DIRECTORY_EDIT | AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SM_BPOANA_DIS | AUTH_SAP_SM_BPOANA_DISP
SAP_SM_BI_BILO | AUTH_SAP_SM_BI_BILO
SAP_SM_BI_EXTRACTOR | AUTH_SAP_SM_BI_EXTRACTOR
SAP_SM_BPMON_REPORTING | AUTH_SAP_SM_BPMON_REPORT
SAP_SM_DASHBOARDS_DISP_CIO_BPO | SAP_SM_DASHBOARD_BPO
SAP_SMWORK_BASIC_BPO | AUTH_SAP_SMWORK_BASIC_BPO
SAP_SMWORK_BPO | AUTH_SAP_SMWORK_BPO
SAP_SMWORK_BPM | AUTH_SAP_SMWORK_BPO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
Technical composite role name: SAP_BW_BP_OPERATIONS_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system. For more information on the BW user concept, see the section on BW configuration under Prerequisites.
Table 373
Single Role | Help Text ID
--- | ---
SAP_BI_E2E_BPO | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
Note
For more information on Process Chain Monitoring of an external BW system, see SAP Note 1411885.
Role in the Managed System
The role must be assigned to the user with the same user ID and password in the managed system.
Table 374
Assigned Role | Help Text ID
--- | ---
SAP_MANAGED_BPOANA_DISP | AUTH_SAP_MANAGED_BPOANA_DISP
Alert User (Help Text ID: USER_TP_BPO_ALERT)
Technical composite role name: SAP_BP_OPERATIONS_ALERT_COMP in the SAP Solution Manager system
Table 375
Single Role | Help Text ID
--- | ---
SAP_SM_SYM_LEVEL01 | AUTH_SAP_SM_SYM_LEVEL01
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_GP_EXE | AUTH_SAP_SM_GP_EXE
SAP_OP_DSWP_BPM | AUTH_SAP_OP_DSWP_BPM
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SOLMAN_DIRECTORY_EDIT | AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SMWORK_BASIC_BPO | AUTH_SAP_SMWORK_BASIC_BPO
SAP_SMWORK_BPO | AUTH_SAP_SMWORK_BPO
SAP_SMWORK_BPM | AUTH_SAP_SMWORK_BPO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
SAP_SM_BPMON_REPORTING | AUTH_SAP_SM_BPMON_REPORT
SAP_SM_DASHBOARDS_DISP_CIO_BPO | SAP_SM_DASHBOARD_BPO
CDC User (Help Text ID: USER_TP_BPO_CDC)
Technical composite role name: SAP_BP_OPERATIONS_CDC_COMP in the SAP Solution Manager system
Table 376
Single Role | Help Text ID
--- | ---
SAP_SM_GP_EXE | AUTH_SAP_SM_GP_EXE
SAP_OP_DSWP_BPM | AUTH_SAP_OP_DSWP_BPM
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SOLMAN_DIRECTORY_EDIT | AUTH_SAP_SOLMAN_DIR_EDIT
SAP_SMWORK_BASIC_BPO | AUTH_SAP_SMWORK_BASIC_BPO
SAP_SMWORK_BPO | AUTH_SAP_SMWORK_BPO
SAP_SMWORK_BPM | AUTH_SAP_SMWORK_BPO
SAP_CDC_DISPLAY | AUTH_SAP_CDC_DISPLAY
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
SAP_MANAGED_BPOANA_DIS | AUTH_SAP_MANAGED_BPOANA_DIS
Display User (technical composite role name: SAP_BP_OPERATIONS_DIS_COMP)
Table 377
Single Role | Help Text ID
--- | ---
SAP_SM_SYM_LEVEL01 | AUTH_SAP_SM_SYM_LEVEL01
SAP_SM_JMON_LEVEL01 | AUTH_SAP_SM_JMON_LEVEL01
SAP_SM_GP_DIS | AUTH_SAP_SM_GP_DIS
SAP_SV_SOLUTION_MANAGER_DISP | AUTH_SAP_SV_SM_DISP
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SOLMAN_DIRECTORY_DISP | AUTH_SAP_SOLMAN_DIR_DIS
SAP_SM_BPOANA_DIS | AUTH_SAP_SM_BPOANA_DISP
SAP_SMWORK_BASIC_BPO | AUTH_SAP_SMWORK_BASIC_BPO
SAP_SMWORK_BPO | AUTH_SAP_SMWORK_BPO
SAP_SMWORK_BPM | AUTH_SAP_SMWORK_BPO
SAP_SM_BP_DISPLAY | AUTH_SAP_SM_BP
SAP_SUPPDESK_CREATE | AUTH_SAP_SUPPDESK_CREATE
Related Links in the Work Center
In the Related Links section of the work center, you find all possible links for this work center. This link collection is a recommendation of which additional URLs can be called in the corresponding scenario. If you want the Related Links section to display only those links that the defined user should be able to see, adapt the work center navigation role accordingly. For more information about adapting the Related Links section, see the How-to section.
BW Authorization Check
The authorization check for BW works as follows: if the system has no BW data available, it cannot display any. In Health Check Analysis, you may select a solution for which no BW data is present in the system; in this case, the system does not display any solution data.
Project-based Delivery
To be able to use the project-based delivery function, the following roles must additionally be added to the corresponding user:
● SAP_SM_DASHBOARDS_DISP_VBD
● SAP_BPR_PPM (SAP NWBC navigation role, does not need to be copied into the customer namespace)
● SAP_CPR_PROJECT_ADMINISTRATOR
● SAP_CPR_USER
● SAP_XRPM_ADMINISTRATOR
Note
See also SAP Note 1346050.
30.5 User Roles for Additional Functions
30.5.1 Dashboard User Roles
See section in the main guide on Dashboard roles.
30.5.2 Solution Maintenance via Work Center
As of SAP Solution Manager 7.1 SP01, the transactions GSAP (SAP Global Service Access Point), SOLUTION_MANAGER and SOLUTION_MANAGER_BSP, as well as DSWP, DSWP_MOVE and DSMOP, are obsolete. All references to these transactions have been deleted from the relevant user roles for Issue Management, Solution Operations, Solution Documentation Assistant, Solution Reporting and Solution Directory. Solutions can be created in the Solution Manager Administration work center.
30.5.3 End-User Roles for CDC
You can use the following additional CDC authorization roles:
● SAP_CDC_INSTANCE_ANALYZER for result analysis
● SAP_CDC_INSTANCE_EXECUTER for scheduling
● SAP_CDC_INSTANCE_CREATOR for administration
● SAP_CDC_OBJECT_MODELER for development
These roles allow:
● Better segregation of duties by supporting the different CDC tasks
● Full authorization in each role to create/change the respective task, but display-only authorization in the other areas
● No need to change the existing authorization objects SM_CDC_OBJ and SM_CDC_INS
Figure 135: CDC - Authorizations Overview
30.6 Scenario Integration
Business Process Operations refers to the phase in your product life-cycle in which you define and refine your business processes by means of projects, business blueprints and related activities. According to the end-to-end business process life-cycle, this phase needs to integrate with a number of other functions that come into play in your daily business, such as the handling of problems. The following sections describe the integration of Business Process Operations with other scenarios within SAP Solution Manager, and which user roles are applicable.
Note
For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Incident Management
Users can create service desk messages. To be able to do so, you need to assign user role SAP_SUPPDESK_CREATE.
Note
If you are a service provider, you need to assign the corresponding service provider role SAP_SUPPDESK_SP_CREATE. For more information, see the Service Provider Guide.
31 Scenario-Specific Guide: Data Volume Management
The Data Volume Management work center in SAP Solution Manager offers capabilities to gain insight into the source of data volume movements in single-system and especially in multi-system landscape environments. It is an SAP NetWeaver BW-based solution that provides a holistic, landscape-based overview of your data.
This guide gives you an overview of all relevant security-related issues for the Data Volume Management function.
Figure 136: DVM Process
31.1 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 378 (Support Package Stack (Version), Area, Description)
SP05, General
Data Volume Management is configured using the automated guided procedure in transaction SOLMAN_SETUP or the SAP Solution Manager Configuration work center. Therefore, all users defined by SAP as default templates can be created automatically within this procedure. The following users are created:
● Scenario Configuration User: this user is created during the guided procedure of the Basic Settings in transaction SOLMAN_SETUP. For configuration, you can also choose the user SOLMAN_ADMIN. In both cases, the system automatically assigns the necessary authorization roles. The configuration user can be used later on to configure the corresponding scenario in transaction SOLMAN_SETUP.
● Standard Users: standard users for the individual process are created during the guided procedure in transaction SOLMAN_SETUP. These users can be regarded as “demo” standard users. The system automatically assigns the necessary authorization roles with the authorization values for the SAP standard scenario. If your processes differ from the standard or require a different user differentiation, you must adapt the authorizations. The template users are created in the Solution Manager system.
Because the standard users are created in transaction SOLMAN_SETUP, the documentation for the users and roles is linked directly in transaction SOLMAN_SETUP. This security guide refers only to the corresponding document text ID in the system.
For more information, see the Landscape Setup Guide, section User Generation.
SP05, Scenario Configuration
Adaptation according to the guided procedure in transaction SOLMAN_SETUP.
SP05, Authorization Objects
Added values SARC and BCTA in authorization object S_TABU_DIS.
SP05, Work Center Navigation
Role for work center DVM adapted to changes in the user interface. Changes are documented on the Description tab of the role.
SP07, End-User Roles
BW integration roles delivered, see the following sections:
● Scenario Configuration User
● Communication Channels and Destinations
● Technical Users
● Users and User Roles
Role SAP_DVM_CONFIG adapted, see the Description tab of the role for details.
SP08, End-User Roles
The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.
● Composite roles SAP_DVM_ADMIN_COMP and SAP_DVM_CONFIG_COMP: substituted single role SAP_SYSTEM_REPOSITORY_DIS with SAP_SYSTEM_REPOSITORY_ALL
● Single roles SAP_DVM_DIS, SAP_DVM_EXE and SAP_DVM_ALL
SP10, End-User Roles
The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.
● Composite roles SAP_DVM_ADMIN_COMP and SAP_DVM_CONFIG_COMP
● Adapted SAP_DVM_DIS, SAP_DVM_EXE, SAP_DVM_ALL
● Adapted SAP_DVM_GSS
● Added role SAP_SM_BI_DISPLAY (Business Partner) to all composite roles/template users
● Added role SAP_SM_RFC_ADMIN for transaction SM59 administration to template users and composite roles
SP12, End-User Roles
The following roles were adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role. In addition, see SAP Note 1779670.
● SAP_SMWORK_DVM (Best Practice links)
● SAP_DVM_ALL and SAP_DVM_DIS
● New role SAP_SM_DASHBOARDS_DISP_ICI (iCI dashboard integration) added to template users in SOLMAN_SETUP
SP13, End-User Roles
The following role was adapted for authorization objects and/or authorization field values. For more information, see the Description tab of the specified role.
● SAP_DVM_CONFIG
31.2 Getting Started
What is this guide about? SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might start with one scenario and add another scenario to your landscape later on. Therefore, SAP delivers a scenario-specific security guide per scenario, covering all relevant information for that scenario.
Caution
Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager and the Landscape Setup Guide, which covers all security-relevant information for the basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends and which user roles SAP delivers for them. This includes a detailed description of all users and the roles that represent them. Here, you also find information on the relevant work center(s).
● Scenario Integration: according to the life-cycle approach, the various scenarios integrate with each other. Here, you find out which authorizations you need to assign to your users for these cases.
31.3 Prerequisites
31.3.1 Technical System Landscape
The graphic below gives you an overview of the basic technical system landscape needed to run the complete scenario. SAP Solution Manager is connected to your managed systems via READ RFC and TRUSTED RFC (alternatively LOGIN). The following sections describe all connections in more detail, when they are used, and which technical users are required.
Figure 137: Infrastructure
31.3.2 Scenario Configuration User and User Roles
The DVM scenario is configured using transaction SOLMAN_SETUP.
To configure the scenario, proceed as follows:
Basic Configuration (transaction SOLMAN_SETUP)
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.
During basic automated configuration, you can create a specific configuration user for DVM (Help Text ID: USER_CONFIG_DVM). The system automatically adds all relevant user roles. Authorizations in these roles are fully maintained by the automated configuration.
If you create a configuration user manually, the composite role SAP_DVM_CONF_COMP contains all single roles that are automatically assigned to the configuration user.
Note
To be able to create users and assign user roles, you also need to assign role SAP_SM_USER_ADMIN.
The composite role SAP_BW_DVM_ADMIN_COMP contains all single roles that are automatically assigned to the configuration user in the BW system.
Note
To be able to use a trusted RFC connection between Solution Manager and the BW system, you need to assign role SAP_SM_S_RFCACL in the Solution Manager system and role SAP_SM_BW_S_RFCACL in the BW system.
Scenario Configuration (transaction SOLMAN_SETUP)
You can configure the basic technical settings using transaction SOLMAN_SETUP, running the guided procedure for Data Volume Management.
During the specific guided configuration, you can create standard template users. The system automatically adds all relevant user roles; see the sections on Users and User Roles.
31.3.3 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 379
Communication Channel | Protocol | Type of Data Transferred / Function
--- | --- | ---
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note
All mentioned RFC destinations are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.
Table 380
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
--- | --- | --- | --- | --- | ---
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read DVM statistics and analyses
SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | System-specific | System-specific | Customer-specific | For self-service and user authentication when starting an analysis in the managed system
BW Reporting RFC Connection
Table 381
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
--- | --- | --- | --- | --- | ---
NONE (if BW reporting is realized in a BW standard scenario), for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | 
BI_CLNT<BWclient> (if BW is realized in the remote BW scenario), for content activation and data download | Managed System or Solution Manager System | System-specific | System-specific | | in transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManager-ProductiveClient>, BI callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | in transaction SOLMAN_SETUP
Trusted RFC to remote BW system, SAP_BILO | Remote BW system (source: SAP Solution Manager) | System-specific | System-specific | Dialog user, used to read data from remote BW for BI reporting | created during SOLMAN_SETUP
31.3.4 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the DVM scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 382
User | User Type | Remarks
--- | --- | ---
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user (“READ user”) for read access, assigned role <namespace>_SOLMAN_READ. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Caution
During automatic basic configuration, the system generates a user password. If you change the password of this user in User Management (transaction SU01), you must also change the password for this user in the RFC destination in the Solution Manager system.
User for TMW Connection
User for Change Management connection in managed systems
Table 383
User | User Type | Remarks
--- | --- | ---
SMTM<SID of Solution Manager system> (system-specific) | System User | Technical user (“TMW user”), assigned role <namespace>_SOLMAN_TMW. It is generated automatically during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide.
Users for BW Reporting
Table 384
User | User Type | Remarks
--- | --- | ---
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is generated automatically during configuration via transaction SOLMAN_SETUP.
SMD_BI_RFC (in case of remote BW) | System User | Technical user for data download
SM_EFWK | System User | Technical user for extractor execution, assigned role SAP_SM_DVM_EXTRACTOR
Caution
During automatic basic configuration, the system generates the password of user BI_CALLBACK. If you change the password of this user in User Management (transaction SU01), you must also change the password for this user in the RFC destination in the Solution Manager system.
31.4 Users and Authorizations
31.4.1 User and Roles
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for Data Volume Management. All users are assigned a composite role, which contains a number of single roles.
Work Center
The work center represents a work space for a user, which allows access to all tools necessary for the work of the user. You can use the delivered composite roles to assign to your users. Still, you may want to restrict the access and/or the authorizations for a particular user. Access in the navigation panel is restricted by using the authorization object SM_WC_VIEW. For more information about user interface authorizations, see core security guide.
Figure 138: Data Volume Management
The tables below give a further overview of which single roles are included in the respective composite roles. An additional column indicates for which section of the navigation panel the corresponding single role is strictly required. Since the Overview in a work center always contains all links to the relevant sections in the navigation panel, it is not mentioned.
Authorization for Trusted RFCs between SAP Solution Manager and Managed Systems
Trusted authorizations are needed between SAP Solution Manager and its managed systems. The user in the managed system and the user in the Solution Manager system receive role SAP_SM_S_RFCACL (Help Text ID: AUTH_SAP_S_SM_RFCACL) with authorization object S_RFCACL.
Note
Neither SAP_SM_S_RFCACL nor SAP_SM_BW_S_RFCACL is contained in the respective composite roles, because of their highly security-relevant character.
Authorization for Trusted RFC between SAP Solution Manager and BW System
In case of a remote BW connection, the user in the SAP Solution Manager system is additionally assigned the trusted authorization object S_RFCACL (role SAP_SM_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL). The user in the BW system is also assigned authorization object S_RFCACL (role SAP_SM_BW_S_RFCACL; Help Text ID: AUTH_SAP_S_SM_RFCACL).
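The trusted-RFC rules above (and the same rules in the Business Process Operations chapter) can be checked against a role-assignment export. The following Python script is an added example, not part of this guide or of SAP's delivery: it flags S_RFCACL roles pulled in through a composite role, lists every explicit holder for review, and checks that in the remote BW scenario the same user ID carries the counterpart composite role in BW plus the trusted-RFC roles on both sides and the managed-system role. The system keys, user IDs and abridged composite contents are constructed assumptions.

```python
"""Audit role assignments against the trusted-RFC rules of this guide.

Input: (system, user, role) records, as you would get from an AGR_USERS
export of each system, plus the contents of the composite roles (AGR_AGRS).
The sample data at the bottom is constructed and abridged, not a real
landscape."""
from collections import defaultdict

# Trusted-RFC role per system type, as assigned per this guide
TRUSTED_ROLE = {
    "SOLMAN": "SAP_SM_S_RFCACL",    # user in SAP Solution Manager
    "BW": "SAP_SM_BW_S_RFCACL",     # user in the remote BW system
    "MANAGED": "SAP_SM_S_RFCACL",   # user in the managed system
}

# Solution Manager composite -> (BW composite, roles required in managed system)
COUNTERPARTS = {
    "SAP_BP_OPERATIONS_ADMIN_COMP": ("SAP_BW_BP_OPERATIONS_ADMIN_COMP", {"SAP_MANAGED_BPOANA_ALL"}),
    "SAP_BP_OPERATIONS_REPORT_COMP": ("SAP_BW_BP_OPERATIONS_ADMIN_COMP", {"SAP_MANAGED_BPOANA_DISP"}),
    "SAP_DVM_ADMIN_COMP": ("SAP_BW_DVM_ADMIN_COMP", {"SAP_DVM_SERVICE", "SAP_DVM_GSS"}),
    "SAP_DVM_DISPLAY_COMP": ("SAP_BW_DVM_DISPLAY_COMP", {"SAP_DVM_SERVICE", "SAP_DVM_GSS"}),
}


def roles_by_user(assignments):
    """Group (system, user, role) records into {(system, user): set(roles)}."""
    held = defaultdict(set)
    for system, user, role in assignments:
        held[(system, user)].add(role)
    return held


def trusted_role_holders(assignments):
    """Every (system, user) holding the S_RFCACL role of its system type.
    These roles are deliberately kept out of the composites, so each
    assignment is an explicit decision worth a periodic review."""
    return sorted(key for key, roles in roles_by_user(assignments).items()
                  if TRUSTED_ROLE[key[0]] in roles)


def audit(assignments, composites, remote_bw=True):
    """Return a list of deviations from the guide (empty list = clean)."""
    findings = []
    # 1. S_RFCACL roles must never be pulled in through a composite role
    for comp, singles in composites.items():
        for bad in sorted(singles & set(TRUSTED_ROLE.values())):
            findings.append(f"composite {comp} contains trusted-RFC role {bad}")
    held = roles_by_user(assignments)
    # 2. the same user ID needs the counterpart roles in BW and managed system
    for (system, user), roles in sorted(held.items()):
        if system != "SOLMAN":
            continue
        in_bw = held.get(("BW", user), set())
        in_managed = held.get(("MANAGED", user), set())
        for comp in sorted(roles & set(COUNTERPARTS)):
            bw_comp, managed_roles = COUNTERPARTS[comp]
            if remote_bw:
                if bw_comp not in in_bw:
                    findings.append(f"{user}: {comp} in SOLMAN but {bw_comp} missing in BW")
                if TRUSTED_ROLE["SOLMAN"] not in roles:
                    findings.append(f"{user}: remote BW requires {TRUSTED_ROLE['SOLMAN']} in SOLMAN")
                if TRUSTED_ROLE["BW"] not in in_bw:
                    findings.append(f"{user}: remote BW requires {TRUSTED_ROLE['BW']} in BW")
            missing = sorted(managed_roles - in_managed)
            if missing:
                findings.append(f"{user}: missing in MANAGED: {', '.join(missing)}")
    return findings


# Constructed sample: composite contents are abridged; the second composite
# wrongly includes the trusted-RFC role.
SAMPLE_COMPOSITES = {
    "SAP_BP_OPERATIONS_ADMIN_COMP": {"SAP_SM_GP_EXE", "SAP_OP_DSWP_BPM", "SAP_SM_SOLUTION_ALL"},
    "SAP_DVM_ADMIN_COMP": {"SAP_DVM_ALL", "SAP_SM_SOLUTION_ALL", "SAP_SM_S_RFCACL"},
}
SAMPLE_ASSIGNMENTS = [
    ("SOLMAN", "BPO_ADMIN", "SAP_BP_OPERATIONS_ADMIN_COMP"),
    ("SOLMAN", "BPO_ADMIN", "SAP_SM_S_RFCACL"),
    ("BW", "BPO_ADMIN", "SAP_BW_BP_OPERATIONS_ADMIN_COMP"),
    ("BW", "BPO_ADMIN", "SAP_SM_BW_S_RFCACL"),
    ("MANAGED", "BPO_ADMIN", "SAP_MANAGED_BPOANA_ALL"),
    ("MANAGED", "BPO_ADMIN", "SAP_SM_S_RFCACL"),
    ("SOLMAN", "DVM_ADMIN", "SAP_DVM_ADMIN_COMP"),   # no BW user, no S_RFCACL
    ("MANAGED", "DVM_ADMIN", "SAP_DVM_SERVICE"),     # SAP_DVM_GSS not assigned
]

if __name__ == "__main__":
    for who in trusted_role_holders(SAMPLE_ASSIGNMENTS):
        print("review trusted-RFC holder:", who)
    for finding in audit(SAMPLE_ASSIGNMENTS, SAMPLE_COMPOSITES):
        print("finding:", finding)
```

With remote_bw=False the BW-side checks are skipped, which matches the standard (local) BW scenario where only the managed-system role is required.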
Administrator User (Help Text ID: TP_DVM_ADMIN)
Technical composite role name: SAP_DVM_ADMIN_COMP in the SAP Solution Manager system
Table 385
Single Role | Help Text ID
--- | ---
SAP_DVM_ALL | AUTH_SAP_DVM_ALL
SAP_SM_SOLUTION_ALL | AUTH_SAP_SM_SOLUTION_ALL
SAP_SMWORK_BASIC_DVM | AUTH_SAP_SMWORK_BASIC_DVM
SAP_SMWORK_DVM | AUTH_SAP_SMWORK_DVM
SAP_SYSTEM_REPOSITORY_ALL | AUTH_SAP_SYSTEM_REP_ALL
SAP_SM_DASHBOARD_DISP_DVM | AUTH_SAP_SM_DASHBOARD_DISP_DVM
SAP_SM_BI_DISPLAY | AUTH_SAP_SM_BI_DISPLAY
SAP_SM_DASHBOARD_DISP_ICI | AUTH_SAP_SM_DASHBOARD_DISP_ICI
Technical composite role name: SAP_BW_DVM_ADMIN_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 386
Single Role | Help Text ID
--- | ---
SAP_BI_E2E_DVM | AUTH_SAP_BI_E2E
SAP_SM_BI_ADMIN | AUTH_SAP_SM_BI_ADMIN
Technical role in managed system
Table 387
Single Role | Help Text ID
--- | ---
SAP_DVM_SERVICE | AUTH_SAP_DVM_SERVICE
SAP_DVM_GSS | AUTH_SAP_DVM_GSS
Display User (Help Text ID: TP_DVM_DIS)
Technical composite role name: SAP_DVM_DISPLAY_COMP in the SAP Solution Manager system
Table 388
Single Role | Help Text ID
--- | ---
SAP_DVM_DIS | AUTH_SAP_DVM_ALL
SAP_SM_SOLUTION_DIS | AUTH_SAP_SM_SOLUTION_DIS
SAP_SMWORK_BASIC_DVM | AUTH_SAP_SMWORK_BASIC_DVM
SAP_SMWORK_DVM | AUTH_SAP_SMWORK_DVM
SAP_SYSTEM_REPOSITORY_DIS | AUTH_SAP_SYSTEM_REP_DIS
SAP_SM_DASHBOARD_DISP_DVM | AUTH_SAP_SM_DASHBOARD_DISP_DVM
SAP_SM_DASHBOARD_DISP_ICI | AUTH_SAP_SM_DASHBOARD_DISP_ICI
SAP_SM_BI_DISPLAY | AUTH_SAP_SM_BI_DISPLAY
Technical composite role name: SAP_BW_DVM_DISPLAY_COMP in the BW system/client
If you use the remote BW scenario, these roles must be assigned to the user with the same user ID and password in the BW system.
Table 389
Single Role | Help Text ID
--- | ---
SAP_BI_E2E_DVM | AUTH_SAP_BI_E2E
SAP_SM_BI_DISP | AUTH_SAP_SM_BI_DISP
Technical role in managed system
Table 390
Single Role | Help Text ID
--- | ---
SAP_DVM_SERVICE | AUTH_SAP_DVM_SERVICE
SAP_DVM_GSS | AUTH_SAP_DVM_GSS
31.4.2 Critical Authorization Objects
The following section gives information on some of the main authorization objects for Data Volume Management. For detailed information, see the SDN Wiki on Authorizations.
Authorization Object S_TABU_DIS
In user roles for Data Volume Management you find authorization object S_TABU_DIS. Authorization groups SARC, BCTA protect all relevant customizing views and customizing clusters for this scenario.
31.5 Scenario Integration
According to the end-to-end business process life-cycle, this scenario needs to integrate with a number of other functions that come into play in your daily business. The following sections describe the integration of DVM with other scenarios within SAP Solution Manager, and which user roles are applicable.
Note
For more detail on each individual scenario, see the corresponding Scenario-Specific Guide.
Technical Scenarios (Technical Monitoring)
Depending on the technical sub-scenario, you need one of the composite roles for technical monitoring.
iCI Dashboard
You can use the iCI Dashboard from within the DVM work center. This requires the dashboard role for iCI in the SAP Solution Manager system and the corresponding BW authorizations in the BW system. For testing purposes, you can use the template users for this scenario. For more information, see the scenario-specific guide for Measurement Platform.
32 Measurement Platform and Enterprise Support Reporting (iCI - Interactive Continuous Improvement)
32.1 Getting Started
The purpose of the SAP Enterprise Support Report is to provide you with a holistic overview and actual status of the application and life-cycle management of your mission critical operations. The objective is to ensure that the appropriate service and support is provided for the SAP Software Solutions and that actions are taken to address any open issues that might have a negative effect on the operations of the installed application or business solutions. The data shown in the ESR is based on the information available in the customer’s SAP Solution Manager or SAP Global Support Backbone and is measured against the SAP E2E standards. The ESR Balanced Scorecard (BSC) and status overview results from the individual Top Issues that are based on the ESR chapters, which focus on the deliverables of Enterprise Support.
Based on the analyzed data the objective is to provide information on the actual status of the support engagement and the level of support needed for the SAP Software Solutions. This includes all necessary services, recommendations and actions. Key elements of the ESR SelfService are a status overview based on the referring Top Issues and the detailed chapters with the analyzed data and recommendations for each area. Strategy discussions and plannings within the customer’s IT organization as well as between customer and SAP may be based on this report. The Self-Service allows you to get an up-to-date insight of their customers from point of view of system landscape management and application lifecycle management. The partner has 3 possibilities:
● focus on one single system/installation
● focus on a group of systems/installations
● look at all systems/installations overall
Accordingly, the final report can be discussed and handed over to SAP, or it can be used for customer-internal planning and optimization.
ESR is generated at the customer site in SAP Solution Manager (not at SAP). ESR is a printable PDF document. Most of the data required for the report content is available within SAP Solution Manager; some data exists only on the SAP side today (typically the SLA compliance data). Technology used: data provisioning is supported by BW technologies, and the report rendering is performed by standard ABAP functionality (Web Dynpro applications and Smart Forms).
What is this guide about?
SAP Solution Manager covers a wide range of diverse scenarios you can use. As a customer, you might want to start with one scenario, and later on add another scenario in your landscape. Therefore, SAP delivers scenario-specific security guides per scenario, which cover all relevant information for this specific scenario.
Caution: Before you start using this scenario-specific guide, you must read the core information about security issues in SAP Solution Manager, and the Landscape Setup Guide, which refers to all security-relevant information during basic configuration of SAP Solution Manager. Without this information, we do not recommend setting up any specific scenario. This guide also does not replace the daily operations handbook that we recommend customers create for their productive operations.
This guide covers the following topics:
● Getting Started: find out about the target groups of this guide. Links for any additional components can be found in the Core Guide.
● Prerequisites: find out about the specific system landscape components, such as RFC destinations and technical users, and how they connect to each other.
● Users and Authorizations: find out which users SAP recommends, and which user roles SAP delivers for them. This includes a detailed description of all users and the corresponding roles which represent them. Here, you also find information on the relevant work center(s).
32.2 Document History
Here, all changes to this scenario-specific guide are listed by Support Package.
Table 391
Support Package Stacks (Version) | Description
SP07 | BI Extractor Role for BW Extractors delivered to SAP_SM_BI_ESR_EXTRACTOR for system user SM_BW_<SID>, and added to the corresponding user role assignment in SOLMAN_SETUP, see section Technical Users.
SP12 | With the complete rework of this functionality, roles and users are also reworked. iCI Dashboard: integration of the iCI Dashboard into Measurement Platform, see the new section on Integration; user SAP_SUGEN removed (obsolete).
32.3 Prerequisites
32.3.1 Scenario Configuration
You can configure Measurement Platform using transaction SOLMAN_SETUP or work center SAP Solution Manager configuration.
32.3.2 Communication Channels and Destinations
The tables below show the communication channels and destinations used by SAP Solution Manager in this scenario.
Communication Channels
The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.
Table 392
Communication Channel | Protocol | Type of Data Transferred / Function
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
Solution Manager to managed systems | RFC | Reading information from managed systems
Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Communication Destinations
The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).
RFC Connections from SAP Solution Manager to Managed Systems
Note: All RFC destinations mentioned are created automatically via transaction SOLMAN_SETUP (view: Managed Systems), see Landscape Setup Guide.
Table 393
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Remarks
SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> | To read data from the managed system
BW Reporting RFC Connection
Table 394
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | How Created
NONE, if BW reporting is realized in a BW standard scenario, for content activation | Solution Manager productive client | System-specific | System-specific | System-specific | During installation
BI_CLNT<BWclient>, if BW is realized in a remote BW scenario system, for content activation | Managed System or Solution Manager System | System-specific | System-specific | System-specific | In transaction SOLMAN_SETUP
<SolutionManagerSID>CLNT<SolutionManagerProductiveClient>, BI-Callback RFC for reorganization of data and configuration validation | Solution Manager productive client | System-specific | System-specific | BI_CALLBACK (customer-specific) | In transaction SOLMAN_SETUP
32.3.3 Technical Users
The users in the following tables are created automatically or manually during configuration. The overview is structured by the main functions used in the implementation and upgrade scenario.
User for READ Access in Managed Systems
Users for RFC connection READ
Table 395
User | User Type | Remarks
SM_<SID of Solution Manager system> (system-specific) | System User | Technical user, "READ User", for read access, assigned role <namespace>_SOLMAN_READ. It is automatically generated during basic configuration via transaction SOLMAN_SETUP, see Landscape Setup Guide. Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
User for BW Reporting (Reorganization of Data and Configuration Validation)
Table 396
User | User Type | Remarks
BI_CALLBACK | System User | Technical user BI_CALLBACK for reorganization of BW data, assigned role SAP_BI_CALLBACK. It is created automatically during configuration via transaction SOLMAN_SETUP. Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
SMD_RFC / SMD_BI_RFC User for BI Reporting
User for BW Reporting
Table 397
User | User Type | Remarks
SMD_RFC (Note: in case of a remote BW scenario, SMD_BI_RFC) | System User | Technical user SMD_RFC is created during the automated basic setup procedure in transaction SOLMAN_SETUP, see Landscape Setup Guide. To run this scenario, you need to assign role SAP_SM_BW_ESR to user SMD_RFC in addition to its already assigned roles.
SM_BW_<SID> User for BI Reporting
User for BW Data Extraction
Table 398
User | User Type | Remarks
SM_BW_XXX | System User | Technical user SM_BW_XXX is created during the automated basic setup procedure in transaction SOLMAN_SETUP, see Landscape Setup Guide. To run this scenario, you need to assign role SAP_SM_BI_ESR_EXTRACTOR to user SM_BW_XXX in addition to its already assigned roles.
32.4 Interactive Continuous Improvement (iCI) Dashboard
The iCI Dashboard and KPI Measurement Platform comprises an automated process of KPI collection. It focuses on the following features:
● Measurement Platform 2.0
● Integration into DVM and CCM
Technical System Landscape
The iCI Dashboard is called via URL from a browser. The iCI Dashboard and iCI Maintenance applications are both BSP applications, which are located in SAP Solution Manager. The BSP applications call the iCI OData service to fetch data from the ST-BCO component (BW system). The OData service is located in the ST component (Solution Manager). The OData service encapsulates the iCI queries based on MultiProvider 0SM_ESRSK and basic cube 0SM_ESRSG, and several iCI function modules which are responsible for fetching data from iCI tables or for creating/updating data in iCI tables. All function modules used in the OData service are RFC-enabled if the BW system is configured as a standalone BW system (remote BW).
Authorizations and Roles
As iCI runs in Solution Manager and collects data in the BW system, you need authorizations in Solution Manager to display the collected data. In addition, these users must exist in the BW system with the correct authorizations to collect the relevant data. This is possible by default with the template users for DVM and CCM.
Users and Roles in Solution Manager
If you want to use the iCI Dashboard, role SAP_SM_DASHBOARDS_DISP_ICI is relevant. This role is assigned in transaction SOLMAN_SETUP to template users for DVM and CCM.
Authorization Object
Authorization object SM_ICICONF is used to restrict categories for iCI usage. The object is included in various roles for BW:
● SAP_BI_E2E_DVM
● SAP_BI_E2E_CCM
● SAP_BI_E2E
33 Service Provider Guidelines
This guideline gives you additional information on Service Provider-specific settings you need to consider as a Service Provider. Before you start with this guide, you need to get familiar with the scenario-specific guide for the relevant scenario you are using, that is Incident Management, Maintenance Optimizer, and Implementation and Upgrade (Implementation and Upgrade includes Solution Documentation functions).
This guide adds specific information about the relevant RFC connections to be used, S-user authorizations to consider, specific user roles for you and your customers, and work center access.
33.1 Technical System Landscape
To grant access to customers who connect to the work centers through the Internet, install a reverse-proxy server, such as the SAP Web Dispatcher. The reverse-proxy server routes customer requests to the Solution Manager system, and routes corresponding responses back to the customer. You can use the reverse-proxy server to restrict access to the Solution Manager, and to perform load balancing among the Solution Manager application servers. As an extra security measure, we recommend you always encrypt communication between the customer and the Solution Manager. Use HTTPS (TLS/SSL) communication for this. See the SAP NetWeaver documentation, and the documentation of your reverse-proxy server for further details.
33.2 Service Provider Customer RFC-Connections
As a service provider, you need to create specific RFC connections to SAP for your customers for the scenario Incident Management with an S-User without specific authorizations.
Service Provider Customer RFC Connections from Solution Manager to SAP
Table 399
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use (Scenario) | Remarks
SM_SP_<customer number> | /H/SAPROUTER/S//sapserv /H/oss001 | 01 | 001 | S-User (customer-specific, no authorization needed), see section S-User Authorizations | Service Provider | You automatically create customer RFCs based on RFC SAP-OSS
More Information
See IMG activity Setup SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO).
33.3 Configuration
Basic Configuration transaction SOLMAN_SETUP
After you have run the basic automated configuration for SAP Solution Manager, you are able to run basic functions.
Scenario Configuration transaction SPRO
To run Quality Gate Management, you need to configure it using the Implementation Reference Guide (IMG) in transaction SPRO.
Figure 139: Transaction SPRO
Configuration Roles
There are no specific configuration roles when using transaction SPRO. Nevertheless, you can create your own configuration roles. For more information, see the corresponding How-to Guide.
33.4 Service Provider-Specific Authorization
As a service provider using Incident Management and Solution Documentation for your customers, you need a complete view of all data for the specified scenarios, while your customers should be able to display all data that is necessary for their specific business.
The main authorization object for this purpose is SM_SP with activities:
● 38 (perform)
● 70 (administer: required to activate the functionality in customizing)
By default, the authorization object is delivered with activity ACTVT 38, and is contained in the single role SAP_SM_SPC. The role itself is contained in the corresponding composite roles for Service Providers for the relevant scenarios, see section on user roles.
More Information
see IMG activity Assign Service Provider Authorization (technical name: SOLMAN_SPC_AUTH).
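As an added illustration (not SAP's code and not part of this guide), the following ABAP report shows how the two activities of SM_SP are distinguished by an authority check, and what the fallback looks like when neither is granted. The object name SM_SP and the activity values 38 and 70 are taken from the text above; the report and class names are hypothetical, and because this guide does not state whether SM_SP carries fields other than ACTVT, only ACTVT is checked here.

```abap
*&--------------------------------------------------------------------*
*& Added example, not SAP code: evaluating SM_SP activities 38 and 70.
*& Report and class names are hypothetical; the object SM_SP and the
*& activity values come from the guide. Only field ACTVT is checked.
*&--------------------------------------------------------------------*
REPORT zsp_auth_demo.

CLASS lcl_sp_guard DEFINITION.
  PUBLIC SECTION.
    CONSTANTS:
      c_perform    TYPE activ_auth VALUE '38',  " perform (delivered in SAP_SM_SPC)
      c_administer TYPE activ_auth VALUE '70'.  " administer (activate in customizing)
    CLASS-METHODS has_sm_sp
      IMPORTING iv_actvt     TYPE activ_auth
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_sp_guard IMPLEMENTATION.
  METHOD has_sm_sp.
    " AUTHORITY-CHECK sets sy-subrc = 0 only if the current user holds SM_SP
    " with the requested ACTVT value in a profile of one of the assigned roles.
    AUTHORITY-CHECK OBJECT 'SM_SP'
      ID 'ACTVT' FIELD iv_actvt.
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ELSE.
      rv_ok = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Check the more privileged activity first; a user holding only 38 must
  " never reach the customizing branch.
  IF lcl_sp_guard=>has_sm_sp( lcl_sp_guard=>c_administer ) = abap_true.
    WRITE: / 'SM_SP/70: user may activate service-provider functions in customizing'.
  ELSEIF lcl_sp_guard=>has_sm_sp( lcl_sp_guard=>c_perform ) = abap_true.
    WRITE: / 'SM_SP/38: user gets the service-provider view of all customer data'.
  ELSE.
    " Deny path: no SM_SP at all, so the user is treated as a customer and
    " sees only their own data (the BAdI-based data separation applies).
    WRITE: / 'No SM_SP: customer view only'.
  ENDIF.
```

Because the delivered role SAP_SM_SPC only carries activity 38, a user reaches the administer branch only if activity 70 was added deliberately; you can verify which values a role actually grants in the generated profile on the Authorizations tab in PFCG, or at runtime with the authorization trace in transaction ST01.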
33.5 Incident Management User Descriptions and User Roles for Customers
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for Incident Management for Service Provider customers. All users are assigned a composite role, which contains a number of single roles. For a detailed overview of each of the single roles and their main authorization objects, see the Appendix section Roles Overview. There, the main authorization objects contained in each role are explained.
Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users. These authorizations are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.
Administrator (technical role name: SAP_SUPPDESK_SP_ADMIN_COMP)
Table 400
Single Roles | Remarks
SAP_SUPPDESK_SP_ADMIN | Contains full authorization for service desk. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users. These authorizations are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.
SAP_SM_BI_SPR_REPORTING | Contains scenario-specific BW authorizations
SAP_BI_E2E | Contains BW authorizations for InfoCubes, and so on, with general relevance for BW reporting
SAP_BW_SPR_REPORTING | Contains authorizations to set up BW reports and generate views; only used for setting up reporting
SAP_SM_BI_EXTRACTOR | Extractor framework authorization
SAP_SMWORK_BASIC_INCIDENT | Contains authorization for work center
SAP_SMWORK_INCIDENT_MAN_SPC | Access to work center Incident Management
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for CRM Web Client framework
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client
SAP_SM_CRM_UIU_SOLMANPRO_ADMIN | Contains specific (administrator-related) additional authorizations for the CRM Web Client
Processor (technical role name: SAP_SUPPDESK_SP_PROCESS_COMP)
Table 401
Single Roles | Remarks
SAP_SUPPDESK_SP_PROCESS | Contains authorization for creating and processing messages. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users. These authorizations are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.
SAP_BW_SPR_REPORTING | Contains authorizations to set up BW reports and generate views; only used for setting up reporting
SAP_BI_E2E | Contains BW authorizations for InfoCubes, and so on, with general relevance for BW reporting
SAP_SM_BI_DISP | Contains authorizations to display BW reports
SAP_SMWORK_BASIC_INCIDENT | Contains authorization for work center
SAP_SMWORK_INCIDENT_MAN_SPC | Access to work center Incident Management
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for CRM Web Client framework
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.
SAP_SM_CRM_UIU_SOLMANPRO_PROC | Contains specific (processor-related) additional authorizations for the CRM Web Client
Key User (technical role name: SAP_SUPPDESK_SP_CREATE_COMP)
Table 402
Single Roles | Remarks
SAP_SUPPDESK_SP_CREATE | Contains authorization to create messages. Note: If you use transaction NOTIF_CREATE to create service desk messages, you also need to add authorizations for solutions to your users. These authorizations are included in the roles for solutions (infrastructure) SAP_SM_SOLUTION_*.
SAP_SMWORK_BASIC_INCIDENT | Contains authorization for work center
SAP_SMWORK_INCIDENT_MAN_SPC | Access to work center Incident Management
Display User (technical role name: SAP_SUPPDESK_SP_DISPLAY_COMP)
Table 403
Single Roles | Remarks
SAP_SUPPDESK_SP_DISPLAY | Contains display authorization
SAP_SMWORK_BASIC_INCIDENT | Contains authorization for work center
SAP_SMWORK_INCIDENT_MAN_SPC | Access to work center Incident Management
SAP_SM_CRM_UIU_FRAMEWORK | General authorization for CRM Web Client framework
SAP_SM_CRM_UIU_SOLMANPRO | Business role for the CRM Web Client. Note: This role defines the navigation for the CRM Web Client. It contains no authorization objects.
33.6 Solution Documentation User Descriptions and User Roles
This section gives an overview of the users recommended by SAP and their corresponding user role assignments for Solution Documentation. The Service Provider user is assigned a composite role, which contains the relevant user role for the application and the corresponding role to see all customer systems. The user role for the customers is a single role, which contains all necessary authorizations for customers to run the scenario.
Service Provider User (technical role name: SAP_SOLDOC_SP_ADMIN_COMP)
Authorization for access and use of the work center for implementation and upgrade can be assigned if required:
● SAP_SMWORK_IMP (access to work center)
● SAP_SMWORK_BASIC_IMP (authorizations for work center)
Table 404
Single Roles | Remarks
SAP_SM_SPC_SOLAR_ADMIN | Contains full authorization for transactions SOLAR01, SOLAR02, SOLAR_EVAL, and SOLMAN_DIRECTORY.
SAP_SM_SPC | Contains service provider-specific authorization
Customer User (technical role name: SAP_SM_SPC_SOLAR_ADMIN)
Contains full authorization for transactions SOLAR01, SOLAR02, SOLAR_EVAL, and SOLMAN_DIRECTORY. Authorization for access and use of the work center for implementation and upgrade can be assigned if required:
● SAP_SMWORK_IMP (access to work center)
● SAP_SMWORK_BASIC_IMP (authorizations for work center)
33.7 Work Centers for Service Provider Customers
The following work centers are available especially for customers of Service Providers. Functions that customers of Service Providers can execute with these work centers are:
● Service Desk (Incident Management) (technical role name: SAP_SMWORK_INCIDENT_MAN_SPC): create and change own messages; open service connections
● Maintenance Optimizer (technical role name: SAP_SMWORK_CHANGE_MAN_SPC): process Maintenance Optimizer transactions
● System Monitoring (technical role name: SAP_SMWORK_SYS_MON_SPC): display SAP EarlyWatch Alert reports and Service Level reports
Change Management work center for customers
Mapping of Work Center Maintenance Optimizer to Authorization Roles
Note: Authorization roles for customers need not be maintained with individual values, such as for certain systems or certain solutions. You can maintain the corresponding fields with value '*'. The BAdI implementation ensures that data separation takes place and that customers can only see their own systems and solutions.
Table 405
View | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | SAP_MAINT_ADMIN_COMP
Hot News | SAP_SM_SOLUTION_*
Maintenance Optimizer | SAP_MAINT_ADMIN_COMP
License Management | Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC
Common Task | SAP_MAINT_ADMIN_COMP
Incident Management work center for customers
Mapping of Work Center Incident Management to Authorization Roles
For more information on the user roles for customers in this scenario, see section Incident Management User Roles for Service Provider Customers.
Table 406
View in Work Center | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | SAP_SUPPDESK_SP_*_COMP
Messages | SAP_SUPPDESK_SP_*_COMP
Common Tasks | URL: no authorization check; SAP_SUPPDESK_SP_*_COMP
System Monitoring work center for customers
Mapping of Work Center System Monitoring to Authorization Roles
Table 407
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Reporting | Report View: SAP EarlyWatch Alert | SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_*. Note: For customers to see all EWA reports for systems, you need to maintain authorization object S_SMSYEDIT in role SAP_OP_DSWP_EWA with the corresponding authorization for systems. For instance, enter all SIDs of the systems which the customer should be able to display in field SMSYENAME.
 | Report View: SAP EarlyWatch Alert for Solutions | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*, SAP_SM_BI_EXTRACTOR. Note: If your BW client is not the Solution Manager client, you need roles SAP_BI_E2E and SAP_SM_BI_EXTRACTOR.
 | Report View: Service Level Reporting | SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*
33.8 Granting Work Center Access to Service Provider Customers
To grant access to Solution Manager work centers via HTTP, an HTTP request from a customer server must be accepted by the Solution Manager server. Your customer should install a proxy server that is enabled for cascading. This proxy should cascade requests from the customer to a proxy server on your side. You route the request directly from your proxy server to the Solution Manager server.
Integration
If you want to restrict customer access to certain services, see SAP Note 1281504 and SAP Partner-Specific Configuration in the IMG (transaction SPRO).
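The reverse proxy recommended in section 33.1 (HTTPS only, access restriction, load balancing) and the URL-level restriction of customer access mentioned here can both be expressed in one SAP Web Dispatcher profile. The fragment below is an added example and is neither part of this guide nor configuration shipped by SAP; the host name, ports, the SID SMP, the file paths and the URL prefixes in the permission table are assumptions to be replaced with your own values, while the parameter names are standard Web Dispatcher profile parameters.

```ini
# SAP Web Dispatcher profile fragment (added example; all values are assumptions)

# Customer-facing listener: HTTPS only. No PROT=HTTP port is defined, so
# unencrypted requests from the customer's cascading proxy are not accepted.
icm/server_port_0 = PROT=HTTPS,PORT=44300

# Server PSE holding the Web Dispatcher's TLS certificate (maintained with sapgenpse)
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse

# Back-end SAP Solution Manager system (SID SMP assumed), located via its message
# server; SRCSRV ties the HTTPS listener above to this back end for load balancing
wdisp/system_0 = SID=SMP, MSHOST=solman.internal.example, MSPORT=8100, SRCSRV=*:44300

# Re-encrypt the internal hop, so dispatcher -> application server is TLS as well
wdisp/ssl_encrypt = 1

# URL filter: only prefixes permitted in the table are forwarded to Solution Manager
wdisp/permission_table = $(DIR_INSTANCE)/sec/ptab

# Contents of the ptab file referenced above (a separate file, shown as comments):
#   P /sap/bc/webdynpro/sap/*   permit the Web Dynpro ABAP work-center applications (assumed prefix)
#   P /sap/public/*             permit static resources such as icons and style sheets
#   D /*                        deny every other URL
```

After changing the profile, restart the Web Dispatcher and confirm from the customer side that a plain-HTTP request is refused, that a work-center URL over HTTPS succeeds, and that a URL outside the permitted prefixes is rejected by the dispatcher before it reaches Solution Manager; the authorization checks of the work-center roles described in this chapter still apply to every request that passes the filter.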
34 Appendix
34.1 HowTo Guides
34.1.1 SDN Wiki for Authorizations
All authorization objects relevant for SAP Solution Manager will be documented within the SDN Wiki for Authorizations. For each object you can find an FAQ sheet, which contains the following information:
● object description aligned with the documentation in the system (transaction SUIM)
● related documentation (for instance SAP Help, SDN, external documentations, and so on)
● related SAP Notes
● links to Use Cases (for instance how to use the object in a specific scenario or function)
Each use case consists of:
○ Motivation / Problem: describes the initial situation, problem or motivation for this use case
○ Approach / Solution: describes the procedure to solve the issue described above
○ Result: describes the final result
○ Additional Information (optional)
A scenario-based list provides you with a large number of use cases. These use cases help you to understand where certain authorization objects are checked, or whether there is a relationship between several authorization objects. All use cases relate only to SAP Solution Manager functions and can therefore differ from other SAP NetWeaver systems.
34.1.2 How to Create Users and Business Partners
Procedure
Issue
For all scenarios, you need to create users in your systems. For some scenarios, you may also need to create Business Partners related to your users. The following lists give an overview of the scenarios that require users in the Solution Manager system and the managed systems, and of the functions that require business partners based on users in the Solution Manager system:
Scenarios Requiring Users for SAP Solution Manager and Managed Systems
● Implementation: if you use Implementation and subsequently Customizing Distribution to centrally configure your managed systems. Implementation and Customizing Distribution use Trusted RFC connections, which always require users in both systems.
● Test Management: if testers have to test in managed systems. Test Management uses Trusted RFC connections, which always require users in both systems.
● Service Desk: for Key User (end user), see example below
● Technical Administration, System Monitoring, and Business Process Operations: if the system administrator needs to check transactions in managed systems via SAP Solution Manager trusted RFC connection.
● Change Request Management: if the users in the Change Request Management process log on to the managed systems via Solution Manager.
● Quality Gate Management: if the users in the Quality Gate Management process log on to the managed systems via Solution Manager.
● Root Cause Analyses: user SAPSUPPORT is automatically created in the Solution Manager system as well as the managed systems during Root Cause Analysis configuration.
Scenarios Requiring Business Partners Based on Users in SAP Solution Manager
● SAP Engagement and Service Delivery: if you use Issue Management.
● Service Desk: for Key User (end users) and processors of service desk messages
● Change Request Management
● Quality Gate Management
● Test Management for CRM - based workflow
● Job Scheduling Management
● Change Control: functionality Maintenance Optimizer
How to?
Create Users Using Transaction SU01
All human users who work in an SAP system need to be made known to this system by having their own user ID in this system. This section tells you which area in User Management (transaction SU01) needs attention, and why.
1. Create your user in transaction SU01.
2. Enter the required data and save.
Note: Add the following information.
Address Data
● First Name and Last Name, relevant for:
○ Digital Signature
○ Business Process Operations and Monitoring
○ Issue Management
○ Service Desk
○ E-Learning Management
● E-Mail Address: the user can receive and send e-mails. This e-mail address can be any address, as long as it is known to the mail server.
Note: Business Process Operations: for use of auto-reaction methods.
Create Users from Reference Users Using Report AI_SDK_SP_GENERATE_BP
You can create users quickly by using a reference user. The system copies the user and attaches roles to the new users. The report is documented as an IMG activity for the scenario Service Desk for Service Providers.
Figure 140: Report Documentation - Transaction SPRO - Create Business Partner as Person Automatically
Caution:
● The system copies all single roles from the Reference User, except for the CRM navigation role SAP_SM_CRM_UIU_SOLMANPRO. You need to assign this role manually.
● SAP Easy Access menu entries are not visible for the dialog user who is based on the reference user.
Create Business Partners Using Transaction BP_GEN
You can easily create Business Partners for your users in the SAP Solution Manager system, and also for users from managed systems, for instance for the scenario Incident Management. The system copies the user IDs to Solution Manager and creates the corresponding Business Partners.
1. Choose User list -> Add system.
2. Select a system from which you want to create business partners.
3. Select users.
4. Choose Edit -> Create Business Partner.
5. Confirm your entries.
What Next?
Assign your roles.
34.1.3 How to Administer Passwords
Procedure
Changing Passwords within UME
Prerequisites
The J2EE engine is running. You have a user ID with administrator rights, for example: Administrator.
Procedure
1. Start the UME user administration management console: http://localhost:50000/useradmin.
2. Log on as your administrator user.
The User Management screen appears.
3. In Users, choose Create User.
4. Enter the data for the user.
Changing Passwords within ABAP transaction SU01
Prerequisites
The ABAP system is running. You have a user ID with administrator rights.
Procedure
1. Start the transaction SU01 to have access to the ABAP user account maintenance.
2. Log on as your administrator user.
The Maintain User screen appears.
3. On the first screen, fill in the user name and choose Maintain.
4. Go to tab Logon, and change the password.
5. Save the user settings.
34.1.4 How to Create a User Role
Issue
You need to grant authorizations for which SAP does not ship template roles, in the Solution Manager and managed systems. To be able to assign the correct authorizations you can create a dedicated role yourself. This section describes how to create your own roles, using the example of critical authorizations of transactions SU01 (User Management) and PFCG (Role Management).
How To?
Adding ABAP transactions
1. Create a Role in Transaction PFCG
1. Choose transaction PFCG.
2. Enter a role name in your namespace, for instance: ZSU01_PFCG, and choose Single Role.
3. Enter a description for your role, for instance: Full authorization for SU01 and PFCG.
4. Go to tab Menu and enter transactions SU01 and PFCG.
Note: The authorization objects required in role creation are maintained using transactions. When you enter a transaction on the Menu tab of your role, the system traces all authorization objects required for this transaction.
5. Save your role.
Note: You are asked for a transport request.
Adding ABAP WebDynpro
1. Create a Role in Transaction PFCG
1. Choose transaction PFCG.
2. Enter a role name in your namespace, for instance: ZWD_SOLUTION, and choose Single Role.
3. Enter a description for your role, for instance: Full authorization for WD Solution.
4. Go to tab Menu and choose Default Authorizations.
Figure 141: Add ABAP WD as TADIR Service
5. Save your role.
Note: You are asked for a transport request.
The system adds authorization object S_SERVICE with the service ID.
What Next?
You can now maintain the authorizations for the transactions entered, see section HowTo Maintain Authorizations.
34.1.5 How to Maintain Authorizations in Authorization Objects
Procedure
Issue
You have created a role, copied a role, uploaded a role, or want to change the authorizations for an existing role. In all cases, you need to maintain the values for authorizations in the authorization objects. A yellow traffic light on the Authorizations tab of the role in transaction PFCG indicates that authorization objects still have to be maintained or a profile has to be generated.
Figure 142: Yellow traffic light on tab Authorizations
Note: Default authorization objects delivered by SAP contain only minimal authorizations. To grant full authorization to authorization objects, you must edit them. For additional information, see SAP Note 1000004.
How To?
Maintain Full Authorization for All Yellow/Empty Authorization Objects
1. Go to transaction PFCG and choose your role.
2. Choose the Authorizations tab in the Role Maintenance.
3. Choose Change.
The role appears with a yellow traffic light, and some authorization objects appear with a yellow traffic light. The yellow traffic light indicates that the corresponding authorization object contains an authorization field with no values entered.
Figure 143: Yellow traffic lights for authorizations
You need to enter values in all fields, otherwise the authorization restriction will not work.
4. To maintain all authorization fields with full authorization, double-click the traffic light for the role.
Alternatively, you can double-click the traffic light for each authorization object, or choose the asterisk icon for the authorization object.
Note: Entering full authorization for all fields that are not maintained should only be done with SAP standard roles, if you decide to use them as described in the scenario-specific guides. Otherwise, follow the procedure described below.
Maintain Single Specific Authorizations for Authorization Objects
1. Choose the Authorizations tab in the Role Maintenance.
2. Choose Change.
3. Maintain all values per authorization object according to your needs; for instance, if you want to grant full authorization, choose all activities.
Figure 144: Maintain specific values for authorizations
Choose the editing icon for the authorization. The system displays a list of values you can choose from, or you need to use the value help to find the correct value. For some authorizations the value help is missing. This is the case, for instance, for many authorization objects of class CRM. In this case, you need to know the value, or read the CRM security guide for information. For example, the authorization object UIU_COMP does not have a value help, therefore we recommend not changing the values of the standard role for this authorization object; see also the section on User Interface Authorizations in the Core Guide.
If you have copied a standard role and want to maintain the authorizations according to your requirements, you need to evaluate the authorization values with green traffic lights.
Caution: All authorization objects need to have a green traffic light when you are finished. If you are not sure about the function of the authorization object, double-click the green line. The system opens the documentation for this object in a separate window.
Figure 145: Performance Assistant Help for Authorization Objects
Maintain Multiple Specific Authorization Values for one Authorization Object
In some cases it can be necessary to maintain one authorization object for several combinations of authorization values. This can be the case for authorization objects with more than one authorization. For instance, for solutions you want a user to be able to display all solutions, but only be able to maintain one specific solution.
1. Choose the Authorizations tab in the Role Maintenance.
2. Choose Change.
3. In our example, authorization object D_SOL_VSBL needs to be maintained for two use cases (one user):
○ display all solutions
○ maintain one specific solution
4. To be able to maintain two use cases, copy the authorization object to maintain it twice and maintain the authorizations according to the use cases.
Figure 146: Multiple Authorizations
Note: In our case, the user cannot create solutions; the user can:
○ display (ACTVT 03) all (*) solutions
○ maintain one specific solution
If we wanted the user to be able to create solutions, we would add ACTVT 01 (create) to the first use case, as the solution ID is not known to us: the solution ID is created by the system when the solution is created.
Activating and/or Deactivating Authorization Objects
In some standard roles you find authorization objects which are set inactive. These authorization objects have the status Standard. This means that these authorization objects are entered automatically by the system when you have entered a transaction or ABAP WebDynpro application on the Menu tab. The system traces all relevant authorizations for this transaction and automatically enters all those authorization objects which are maintained in transaction SU24 in your system. For information on transaction SU24, see the corresponding HowTo.
The standard roles concept (see Core Guide for concept information) restricts which authorization objects are available in one role, for instance due to the modular approach or the segregation of duties approach. Therefore, in the standard roles, all authorization objects which are not required in this role are set inactive. This lets you know which authorizations are maintained for a transaction, and it prevents the system from overwriting the authorization object if you maintain it.
Recommendation: We recommend leaving all authorization objects that are set inactive in this status for all standard roles.
Sometimes you may also have to set authorization objects inactive. For instance, there is no standard display role for role SAP_BI_E2E. If you want to create your own display role, we recommend copying role SAP_BI_E2E, setting the batch authorization object inactive, and adapting field ACTVT for all authorization objects to 03 (display).
1. Choose the according authorization object, for instance S_BTCH_NAM.
2. Choose the icon “delete” to set the authorization object inactive.
Figure 147: Role SAP_BI_E2E with object S_BTCH_NAM set inactive
What Next?
You generate the profile for your authorization settings, see section HowTo Generate an Authorization Profile.
34.1.6 How to Generate a Profile
Procedure
Issue
When you have maintained the authorization objects for a new role or changed those for an existing role, you need to generate the profile for this role. Otherwise, the authorization restrictions do not work.
How To?
In the authorization maintenance screen, choose the Generate icon.
The system automatically saves your settings and generates the profile for your authorization objects.
Figure 148: Profile Generation
On the tab Authorizations, the system enters the generated profile name and text.
Caution: Even if the system has entered the name of a profile, always check the Status line for the profile to see whether it has been generated.
What Next?
You can now execute the user comparison, see section HowTo Assign Roles to Users.
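The three points made in the last two sections can be checked mechanically: copying D_SOL_VSBL so that one user displays all solutions but maintains only one, keeping a standard object such as S_BTCH_NAM in the role but inactive, and the fact that only a generated profile takes effect. The model below is an added example in Python, not code from the guide or from SAP; the field name SOL_ID, the solution IDs and the role name are constructed placeholders, and the return codes follow the AUTHORITY-CHECK convention (0 passed, 4 values insufficient, 12 no authorization for the object).

```python
"""Model of how an ABAP authorization check evaluates a role that carries
several authorizations for one object. Added example, not SAP code.
SOL_ID as the D_SOL_VSBL field name and the solution IDs are constructed
placeholders; the real field names are defined in the system (SU21)."""
from __future__ import annotations
from dataclasses import dataclass, field

# ACTVT values as used in the guide: 01 create, 02 change, 03 display.
CREATE, CHANGE, DISPLAY = "01", "02", "03"


def value_matches(allowed: str, requested: str) -> bool:
    """One field value: '*' covers everything, 'Z*' is a generic (prefix)
    value, anything else must match exactly."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


@dataclass
class Authorization:
    """One authorization instance of an object: each field maps to its
    allowed values. Copying an object in PFCG yields a second instance."""
    obj: str
    fields: dict[str, list[str]]
    active: bool = True  # a Standard object set inactive stays in the role only

    def permits(self, check: dict[str, str]) -> bool:
        # Every checked field must be satisfied by THIS instance alone;
        # values are never combined across two instances of the object.
        return all(
            any(value_matches(a, wanted) for a in self.fields.get(name, []))
            for name, wanted in check.items()
        )


@dataclass
class Role:
    name: str
    authorizations: list[Authorization] = field(default_factory=list)

    def generate_profile(self) -> list[Authorization]:
        """PFCG 'Generate': only active authorizations reach the profile.
        Until this has run, nothing maintained in the role takes effect."""
        return [a for a in self.authorizations if a.active]


def authority_check(profile: list[Authorization], obj: str, **check: str) -> int:
    """Return code in the AUTHORITY-CHECK / ST01 convention: 0 passed,
    4 object present but no instance covers all field values,
    12 no authorization for the object at all."""
    instances = [a for a in profile if a.obj == obj]
    if not instances:
        return 12
    return 0 if any(a.permits(check) for a in instances) else 4


def build_solution_role(merged: bool = False) -> Role:
    """The guide's case: display all solutions, maintain only one.
    merged=True shows the mistake of putting both use cases into a single
    authorization instead of copying the object."""
    role = Role("ZSOL_DISPLAY_ALL_MAINTAIN_ONE")  # constructed role name
    if merged:
        role.authorizations.append(Authorization(
            "D_SOL_VSBL", {"ACTVT": [DISPLAY, CHANGE], "SOL_ID": ["*", "1234"]}))
    else:
        # first copy: display (ACTVT 03) all (*) solutions
        role.authorizations.append(Authorization(
            "D_SOL_VSBL", {"ACTVT": [DISPLAY], "SOL_ID": ["*"]}))
        # second copy: maintain (ACTVT 02) one specific solution only
        role.authorizations.append(Authorization(
            "D_SOL_VSBL", {"ACTVT": [CHANGE], "SOL_ID": ["1234"]}))
    # As in the SAP_BI_E2E display-role example: the batch object stays in
    # the role but is set inactive, so it never reaches the generated profile.
    role.authorizations.append(Authorization(
        "S_BTCH_NAM", {"BTCUNAME": ["*"]}, active=False))
    return role


def evaluate(merged: bool = False) -> dict[str, int]:
    """Run the checks the guide discusses against the generated profile."""
    profile = build_solution_role(merged).generate_profile()
    return {
        "display any solution": authority_check(profile, "D_SOL_VSBL", ACTVT=DISPLAY, SOL_ID="9999"),
        "change solution 1234": authority_check(profile, "D_SOL_VSBL", ACTVT=CHANGE, SOL_ID="1234"),
        "change solution 9999": authority_check(profile, "D_SOL_VSBL", ACTVT=CHANGE, SOL_ID="9999"),
        "create a solution": authority_check(profile, "D_SOL_VSBL", ACTVT=CREATE, SOL_ID="5000"),
        "batch user name": authority_check(profile, "S_BTCH_NAM", BTCUNAME="ANY"),
    }


if __name__ == "__main__":
    for label, rc in evaluate().items():
        print(f"{label:22s} RC={rc}")
    # With one merged authorization, changing any solution passes (RC=0):
    print("merged variant, change 9999:", evaluate(merged=True)["change solution 9999"])
```

The merged variant is the reason the guide has you copy the object: a single authorization with ACTVT 02 and SOL_ID * grants change access to every solution.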
34.1.7 How to Assign Roles to Users
Procedure
Issue
After you have generated profiles from roles, assign the role to your users in one of the two ways explained below.
How To?
Using Transaction SU01
If you want to assign more than one role to a user:
1. Choose transaction SU01.
2. Enter the user and choose Edit.
3. Go to Roles tab.
4. Enter your role.
5. Save.
The system automatically executes a user comparison for the user.
Using Transaction PFCG
If you want to assign many users to one role:
1. Choose transaction PFCG.
2. Enter your role and choose edit.
3. Go to Users tab.
4. Enter the user name.
5. Choose the button User Comparison.
Note: For more information on User Comparison, see SAP Note 1272331.
Note: As of SAP_BASIS 7.02, when you call a role in transaction PFCG, the traffic light on tab User has the following meaning:
○ green: user comparison is not necessary (no valid user assignment, no authorization data)
○ yellow: profile generation and user comparison required (no generated profile)
○ red: user comparison required due to changed authorization and profile
6. Save.
34.1.8 How to Create Scenario Configuration Roles
Procedure
Issue
As of the current release of SAP Solution Manager, we do not deliver specific standard roles for the configuration of specific scenarios. The configuration should be done using profiles SAP_ALL and SAP_NEW. If your security policy does not allow for these overall authorization profiles, you can create your own configuration roles for SAP Solution Manager scenarios documented in transaction SPRO.
How To?
Create a project IMG for the Specific Scenario
Call transaction SPRO_ADMIN, and create a project (with title). On the tab Scope, choose the button Specify Scope, and select the scenario you would like to create the role for. In our case, we want to create a configuration role for scenario Implementation and Upgrade.
Figure 149: Creating a Project IMG
You may also create a project view for the Project IMG. This can be useful if you need to upgrade the configuration at some point and need to update the necessary authorizations as well.
Figure 150: Creating a Project IMG View
Create a Role Using the IMG project
The IMG project forms the basis on which you can create your configuration role.
Figure 151: Creating a Configuration Role
1. In transaction PFCG, create a new role.
2. In the menu, go to Utilities -> Customizing auth.
3. Choose your IMG project or IMG project view, if you have created one.
Figure 152: Role Menu
The system automatically adds all transactions from the IMG activities into the role menu.
4. Maintain the role with full authorizations. Nevertheless, note all critical authorizations.
What Next?
Check your critical authorizations and maintain the authorizations.
34.1.9 How to Upgrade Authorizations after Release Upgrade or Support Package Upgrade
Procedure
Issue
After a new installation or an update of your SAP Solution Manager system, you need to update the tables of default field values for authorization objects in transaction SU25. This is especially relevant for all new authorization objects delivered with an update.
Caution: When you update your system, you must import the new roles and profiles from client 000 into your productive client.
How to?
1. Call transaction SU25.
2. Choose Information.
The dialog explains in detail what you need to do.
Recommendation: Perform at least the first step.
Figure 153: Transaction SU25
34.1.10 How to Use an ST01 Trace
Procedure
Issue
In case of authorization errors, you may need to find out which authorizations are checked by the system for a specific action, for instance pressing a button or choosing a link. Especially when you are working in a Web Dynpro application, you need a trace to do so. This is done using transaction ST01.
How to?
Before you trace a particular authorization issue, make sure that you trace only the part of the process in which the error occurs, so that you get specific results for it.
1. Choose transaction ST01.
2. In the screen, mark that you want to trace Authorizations.
3. For a better result, enter the user ID with which you run through the application.
4. Save your settings.
Figure 154: Transaction ST01 - Prepare Trace
5. Choose the button Trace On.
6. Execute the part of the application again, in which the issue occurred.
7. Go back to transaction ST01.
8. Stop the trace by choosing the button Trace Off.
9. Choose Analysis.
Figure 155: Transaction ST01 - Call Trace Analysis
10. Execute the analysis for the user you ran the application with.
Note: Check that the time interval fits the time when you traced the application.
The system displays a list of all authorization objects that were checked during the trace, together with the authorization values that were checked.
Figure 156: Transaction ST01 - Analysis
Errors are displayed as RC=12 for the corresponding authorization object.
Caution: An ST01 trace displays all authorization objects that are traced by the system. It may therefore display authorization objects which are actually not checked by the application. Such authorization objects may be S_DEVELOP with value DEBUG or S_CTS_SADM.
In addition, for authorization object UIU_COMP, for instance, the system returns all authorization values for this object, although only a certain number are used by Solution Manager. For more information on UI authorizations, see the Core Guide.
It may also be the case that the trace displays authorization object SM_WD_COMP with RC=4. Here, you need to be aware that this is an authorization object for the UI. RC=4 for this object does not necessarily mean that this authorization is missing; it might actually not be needed. For instance, if you use Technical Monitoring but do not use the Dashboard functionality for BW Reporting, the authorization object SM_WD_COMP with value *DASHBOARD* is displayed with RC=4. You can then ignore it. If you do use dashboards and get RC=4 for this authorization object, you simply need to add the dashboard authorization role to your user. For more information on the authorization object SM_WD_COMP, see the UI authorization section in the Core Guide.
What next?
Adapt your authorizations.
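The triage rules from this section (RC=12 means a missing authorization, RC=4 for SM_WD_COMP with *DASHBOARD* may be ignorable, S_DEVELOP with DEBUG and S_CTS_SADM may be traced without being checked, UIU_COMP lists more values than are used, and the time interval must match the traced run) applied to trace results, as an added example in Python, not SAP code. The line format is a constructed simplification of ST01 output, and the field names on the sample lines are constructed too; adapt parse_line() to the layout of your own export.

```python
"""Triage of authorization trace results along the lines of the ST01
analysis described above. Added example, not SAP code. Line format
(constructed, not ST01's real layout): 'HH:MM:SS|user|object|RC|values'."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase

# Constructed sample trace: one test user reproduces an error at 10:42,
# another user and a later entry are noise that the time/user filter drops.
SAMPLE_TRACE = """\
10:42:01|TESTUSER|S_TCODE|0|TCD=SOLMAN_WORKCENTER
10:42:02|TESTUSER|S_DEVELOP|4|ACTVT=03;OBJTYPE=DEBUG
10:42:02|TESTUSER|S_CTS_SADM|4|CTS_ADMFCT=TABL
10:42:03|TESTUSER|D_SOL_VSBL|12|ACTVT=02;SOL_ID=1234
10:42:04|TESTUSER|SM_WD_COMP|4|SM_WD_COMP=DASHBOARD_MAIN
10:42:05|TESTUSER|UIU_COMP|4|COMP_NAME=BSP_WD_CMPWB;ACTVT=02
10:42:06|OTHERUSER|S_RFC|12|RFC_NAME=ZRFC_TEST
10:55:00|TESTUSER|S_RFC|12|RFC_NAME=ZRFC_LATE
"""


@dataclass
class TraceEntry:
    at: time
    user: str
    obj: str
    rc: int
    values: str


def parse_line(line: str) -> TraceEntry:
    ts, user, obj, rc, values = line.split("|", 4)
    return TraceEntry(time.fromisoformat(ts), user, obj, int(rc), values)


# Objects the guide says ST01 may show although the application never
# checks them: do not add them to a role on the strength of the trace alone.
TRACED_NOT_CHECKED = {
    "S_DEVELOP": "*DEBUG*",   # only the DEBUG variant is suspect
    "S_CTS_SADM": "*",
}


def classify(e: TraceEntry) -> str:
    """Map one traced check to the action the guide suggests for it."""
    if e.rc == 0:
        return "ok"
    pattern = TRACED_NOT_CHECKED.get(e.obj)
    if pattern and fnmatchcase(e.values, pattern):
        return "traced-but-possibly-not-checked: verify before granting"
    if e.obj == "SM_WD_COMP" and e.rc == 4 and fnmatchcase(e.values, "*DASHBOARD*"):
        return "ui-object: ignore unless dashboards are used, else assign the dashboard role"
    if e.obj == "UIU_COMP":
        return "ui-object: trace lists all values, grant only those Solution Manager uses"
    if e.rc == 12:
        return "missing: user has no authorization for this object"
    return "insufficient: object present but values do not cover the check"


def triage(trace: str, user: str, start: time, end: time) -> list[tuple[str, int, str]]:
    """Keep only the traced user's entries inside the reproduction window
    (the guide's note: the time interval must fit the traced run), then
    attach the classification. Returns (object, rc, classification)."""
    findings = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.user != user or not (start <= e.at <= end):
            continue
        findings.append((e.obj, e.rc, classify(e)))
    return findings


def actionable(findings: list[tuple[str, int, str]]) -> list[str]:
    """Objects for which the trace alone justifies adapting a role."""
    return [obj for obj, _rc, cls in findings
            if cls.startswith(("missing", "insufficient"))]


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE, "TESTUSER", time(10, 42), time(10, 43))
    for obj, rc, cls in result:
        print(f"{obj:12s} RC={rc:<3d} {cls}")
    print("adapt authorizations for:", actionable(result))
```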
34.1.11 How to Use Transaction SU24
Procedure
You can deactivate the checking of specific authorizations in your system.
Issue
You would like to deactivate the checking of specific authorization objects in your system.
How To?
1. Choose transaction SU24.
2. Enter the transaction code for the transaction in which you want to deactivate the authorization.
3. For the according authorization object, set the Check Indicator to Do Not Check.
Note: You can only deactivate authorization objects that do not start with S_*. Checks on these authorizations are mandatory.
34.1.12 How to Translate Your Own Customizing Entries
For some configuration tasks, you create your own modified entries and you need to translate them. Use the following procedure to translate your own customizing entries in customizing tables.
Prerequisites
You have installed all required languages.
Procedure
1. Log on to your SAP Solution Manager system in your original language.
2. Choose the transaction and enter the customizing table:
○ SM30 for table/view
○ SM34 for view cluster
3. Choose Maintain.
4. Choose the line of the object you want to translate.
5. In the menu, choose Goto -> Translate.
6. In the dialog box, choose the language into which you want to translate the object.
7. Translate the object.
8. Save your settings.
Example
In function Job Scheduling Management, you maintain the following tables: AGS_REGION_CUST and AGS_ORGUNIT_CUST.
More Information
For information about how to translate object types in the system, see the Help Portal at help.sap.com and search for SE63.
34.2 Additional Information
Here you find:
● links to documentation about SAP Solution Manager-relevant additional components.
● a list of all SAP Notes that are included in the IMG.
Additional Notes
Creating or Editing Roadmap documents
When you create or change documents in the SAP Solution Manager Roadmap and you use MS Office 2010, see SAP Note 1699667.
34.2.1 Links for Additional Components on Service Marketplace
Your Solution Manager system is the platform for administrative tasks in implementing, operating and upgrading systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. The following table gives you an overview of these additional components.
Recommendation: To ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation.
Additional Components
Table 408
Component | Where in the Service Marketplace?
System Landscape Directory (SLD) | service.sap.com/sld, or sdn.sap.com -> SAP NetWeaver Capabilities -> Lifecycle Management -> Application Management -> System Landscape Directory
Software Life-Cycle Manager (SLM) | service.sap.com/slm and help.sap.com/nw70 -> Functional View -> Solution Life Cycle Management -> Software Life Cycle Management
Adobe Document Services (ADS) | service.sap.com/adobe
Business Warehouse (BW) | service.sap.com/bi
SAP Quality Center by HP | service.sap.com/solutionmanager -> SAP Quality Center by HP
SAP Redwood Job Scheduling | service.sap.com/job-scheduling
TREX | help.sap.com/nw2004s
SAP TAO | service.sap.com/saptao
Master Data Management (MDM) – MDM Administration Cockpit | service.sap.com/mdm and service.sap.com/installmdm
SAP NetWeaver Administrator | service.sap.com/nwa
Adaptive Controlling (ACC) | for general information: sdn.sap.com/irj/sdn/adaptive; for application help, such as starting and stopping an application service: help.sap.com; for installation information: service.sap.com/instguides
Information on Technical Usages | service.sap.com/~sapidb/011000358700001166742007E
Business Process Blueprinting Tool
The Business Process Blueprinting Tool (BPB) is used for modeling SAP and non-SAP processes based on existing functionality and proven content from SAP Solution Manager, according to the requirements of the company.
If you want to learn more about the Business Process Blueprinting Tool, see the corresponding guides at service.sap.com/instguides -> SAP Components -> SAP Solution Manager <current release> -> 6 Additional Guides.
More Information
For a comprehensive overview, and to find out which additional components are relevant for the configuration of your scenarios, see the Master Guide for SAP Solution Manager at service.sap.com/instguides -> SAP Components -> SAP Solution Manager <current release>.
34.2.2 SAP Notes as Mentioned in the IMG
Summary of all relevant SAP Notes mentioned in the IMG for SAP Solution Manager (transaction SPRO) per basic settings, cross-scenario settings, scenario-specific settings and Service Provider-specific settings.
Recommendation: During configuration via IMG, these notes appear in the relevant IMG activity. We recommend reading the corresponding SAP Note when you configure an IMG activity. The list below collects all SAP Notes mentioned in the IMG.
List of SAP Notes in SAP Solution Manager IMG
Table 409
Columns: SAP Note Number | SAP Note Title | ST Support Package | Relevant for: (rows are grouped under their IMG section)

READ ME (preparing configuration)
199123 | Word Settings | X | (all)
948871 | Solution Manager: Cross-Scenario SAP Notes | X
539977 | Release strategy for Add-On ST-PI | X
69455 | Service tools for Applications ST-A/PI | X
560630 | ST-PI: Solution Tools plug-in – prerequisite not met | X
900000 | NetWeaver Business Client – FAQ | X
1029940 | Release restrictions for the NetWeaver Business Client | X

Central Correction Note
797147 | Wily Introscope Installation for SAP Customers | X

TECHNICAL SETTINGS

Solution Manager Enhancements
588364 | Prerequisites for activating extensions | X

Client Copy
806819 | sap* logon not available (problems with client copies) | X

LMDB
935245 | Importance of “Object Server” SLD parameter | X

Document Management
368861 | Knowledge Warehouse and security levels under MS Office | X
368963 | Use signed macros in Knowledge Warehouse | X
710711 | Solution Manager: Using a Content Server | X
777089 | Creating a business blueprint document/configuration Guide | X
510007 | Setting-up SSL on the Web Application Server ABAP | X
612670 | SSO for local BSP calls using SAP GUI HTML Control | X
436430 | Prerequisites for the Document Modeling Workbench | X
350535 | Knowledge Warehouse – modeling Work Center | X
314568 | SAP GUI for HTML functionality / Limitations / SP / Behaviour | X
918236 | WD ABAP ALV create print version | X

Internet Graphics Server (IGS)
458731 | Internet Graphics Server | X
454042 | IGS: Installing and Configuring the IGS | X

Adobe Documentation Services (ADS) Setup
944221 | Troubleshooting of problems in forms | X

Adaptive Computing
1008828 | ACC 7.1 PI / Adaptive Computing Controller tool Collective Note | X

Work Center
918236 | WD ABAP ALV – creating print version | X
1098009 | Limitations for WebDynpro ABAP | X

System Availability with CCMSPING
1175058 | Problems with CCMSPING with SAP Solution Manager | X

SAP Connect
455140 | Configuration of e-mail, fax, paging or SMS using SMTP | X
455142 | SAPconnect: Configuration paging / SMS via HTTP | X

CAPABILITIES (OPTIONAL)

Implementation
949220 | Solution Manager: Implementation Scenario-Related SAP Notes Tabs | X
1244713 | Installation of Custom Development Management Cockpit | X

Test Management
1027579 | Extend SAP Solution Manager to Manage New Object Types | X | Testing

CATTs and eCATTs
519858 | Setting Up SAP Systems to Use eCATT | X

Service Desk
949292 | Solution Manager: Service Desk Related SAP Notes | X | Service Desk
830882 | DSWPNOTIFCREATE URL initialization parameters | X
1050148 | Troubleshooting for Service Desk configuration | X

Technical Administration and Technical Monitoring
949293 | Solution Manager: Solution Monitoring-Related SAP Note | X
199123 | Word settings | X
420213 | Composite SAP note: Central monitoring of mySAP.components | X
1223266 | CCMS BI Reporting | X

Downtime Management
1096782 | CCMS: Configuration of monitoring pauses | X
823941 | SAP Start Service on Unix | X

Job Scheduling Management
1111310 | Job Scheduling Management: Extended Configuration | X
1225906 | Customizing of the Job Request application | X
1230837 | Creating a custom schedule documentation application | X
1225976 | Creating custom print forms for Job Documentation | X

Change Request Management Standard Configuration
903527 | Solution Manager Change Management: BC sets | X
1384598 | Harmonizing RFC communication infrastructure in ChaRM /QGM | X

Change Control
1137683 | Maintenance Optimizer and SLM | X

THIRD PARTY INTEGRATION

SAP Central Process Scheduling by Redwood
1111310 | Job Scheduling Management: Extended Configuration | X
1118440 | Copy default change transaction to a customer name space | X
1161405 | Accumulative Note for SAP CPS for SAP NetWeaver | X

BMC AppSight for SAP Client Diagnostics
1034901 | Installation of BMC AppSight for SAP Client Diagnostics | X
1034902 | FAQ: BMC AppSight for SAP Client Diagnostics | X

IBM Rational Tools
1254821 | SAML authentication for Web services in AS ABAP | -
1319507 | Overview: Analysis of ABAP Web Service Configuration | -
1480768 | Test and Incident Management with IBM Rational Tools | X

SERVICE PROVIDER-SPECIFIC SETTINGS

Service Desk for Service Provider
616946 | Support Desk: support team determination using SAP Components | X | Service Provider
903530 | Solution Manager: Customizing for corporate function | X

Software Partner
951145 | Duplicate KB entries – Clear inconsistent data | X
34.3 Glossary
34.3.1 Terminology: System Landscape and Related Terms
The Solution Manager is based on a system in a system landscape. Different terms are used to refer to this, depending on how the system landscape is viewed. There are two semantic levels:
● the overall view of systems and their role in the system landscape, and
● the technical level, referring to the technical attributes of a system, not its purpose in the system landscape.
It depends on whether the focus is on a system's purpose or on its technical properties. There are several possible perspectives:
● general perspective
Term: System
● Solution Manager perspective (Solution Manager as the central management platform)
Terms: Managing System, Managed System
Figure 157
● business process-oriented perspective (business process as main focus)
Term: Business System
Figure 158
● technical perspective (technical attributes as main focus)
Term: System Type, Technical System
Figure 159
Features
The following table contains definitions of how these terms are used in documentation.
Definitions Infrastructure: System
Table 410
Columns: Term | Definition | Additional Remarks

System | Neutral definition from a general perspective. The name of the system is based on the SAP product definition. It can be defined more closely (see above), for example, managed system, business system and/or technical system. | Used in general documentation, in overviews and so on. Example: In your system landscape you maintain several systems.

Managing System | The central managing system, usually the Solution Manager system, from the Solution Manager perspective. A managing system usually manages other systems, which are called managed systems. | Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Central System (CCMS-related). Example: Your managing system is SAP Solution Manager.

Managed System | Any system that is managed by another system, usually the central Solution Manager system platform, from the Solution Manager perspective. In this sense, the Solution Manager system can also be a managed system. | Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Remote System (CCMS-related). Example: You monitor your managed systems regularly, using SAP Solution Manager.

Business System | Any system used in a business scenario, from a business perspective. | Used in general Business Suite and Solution Manager documentation, for Business Suite-related topics. Example: You regularly monitor all business systems on which the business process steps run.

System Type | The type which the system can be, from a technical perspective: ABAP; Java; ABAP and Java; TREX; MDM; LiveCache; ... | Used in general Solution Manager system landscape documentation, with reference to the general system architecture. Example: The SAP Solution Manager system is based on system types AS ABAP and AS Java.

Technical System | A technical unit based on one or more instances, from a technical perspective. Product instances can be installed in one system, but also as independent (technical) systems with independent system IDs. It is defined by technical attributes, such as: System ID; Installation Number; ... | Example: SAP Solution Manager is running on (technical) system SMP, client 200; Solution Manager Diagnostics is running on (technical) system SMD.
34.3.2 Terminology: Solution and Related Terms
The life-cycle of a product comprises different phases, such as implementation, operation, and optimization, which are all supported by SAP Solution Manager. In the operational phase, SAP Solution Manager uses the technical unit Solution to bundle systems according to various criteria:
● related business process steps
● related systems by administration purpose
The term is related to another primary concept, the Logical Component. Technical systems are stored in logical components, which are then referenced in the solution. The solution is uniquely defined by its Leading System Role.
Features
The following table contains definitions of how these terms are used in documentation.
Definitions Infrastructure: Solution
Table 411
Columns: Term | Definition | Additional Remarks

Solution | A group of systems administered in SAP Solution Manager, which are managed together. Solutions are independent of one another, e.g. all systems of one subsidiary. | Used in general documentation, in overviews and so on. The solution is defined in the Solution Directory (transaction SOLMAN_DIRECTORY). Here, all information about included systems and business processes running on these systems is stored. It forms the basis for subsequent applications, such as Monitoring, Job Scheduling Management or Issue Management. Example: See document SAP Solution Manager – Solution Concept and Design on SAP Service Marketplace at service.sap.com/solutionmanager -> Media Library -> Technical Information.

Logical Component | A set of technical systems with the same SAP product release and main instance, to be able to use these systems in a system landscape uniformly in various SAP Solution Manager use scenarios, i.e. in implementation, operational processing, and permanent optimization. It separates the abstract component level from the physical system level, allowing system-independent business process definition. | Used in general documentation.

Leading system role | The system role of the business processes documented in a solution, for instance production system or development system. The default system role is production, so all business processes defined for this solution run in systems with the system role: productive system. | Used primarily in documentation for Solution Directory.

Navigation role | Used only for business process operations: specifies the system role used for navigation (checks, display) to objects in managed systems. | Used in relation to business process operations documentation. Note: Change of navigation role is user-specific and valid for all solutions in the Solution Directory. Example: User <XY> wants to check objects in the development systems. The leading role of the solution is production system. The user specifies development system as navigation role.
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.
● Target group:
○ Relevant for all target groups
● Current version:
○ On SAP Help Portal at help.sap.com > Glossary
○ In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
● Target group:
○ Consultants
○ System administrators
○ Project teams for implementations or upgrades
● Current version:
○ On SAP Help Portal at help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
● Target group:
○ System administrators
○ Technology consultants
○ Solution consultants
● Current version:
○ On SAP Service Marketplace at service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
● Target group:
○ Technology consultants
○ Project teams for implementations
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
● Target group:
○ Technology consultants
○ Project teams for implementations
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.
● Target group:
○ Technology consultants
○ Solution consultants
○ Project teams for implementations
● Current version:
○ In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
● Target group:
○ Solution consultants
○ Project teams for implementations or upgrades
● Current version:
○ In the SAP menu of the SAP system under Tools > Customizing > IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/ restore, master data maintenance, transports, and tests.
● Target group:
○ System administrators
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
● Target group:
○ System administrators
○ Technology consultants
○ Solution consultants
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
● Target group:
○ Technology consultants
○ Project teams for upgrades
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
● Target group:
○ Technology consultants
○ Project teams for upgrades
● Current version:
○ On SAP Service Marketplace at service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
● Target group:
○ Consultants
○ Project teams for upgrades
● Current version:
○ On SAP Service Marketplace at service.sap.com/releasenotes
○ In the SAP menu of the SAP system under Help > Release Notes (only ABAP developments)
Typographic Conventions
Table 412

<Example>: Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example > Example: Arrows separating the parts of a navigation path, for example, menu options
Example: Emphasized words or expressions
Example: Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com: Textual cross-references to an internet address
/example: Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456: Hyperlink to an SAP Note, for example, SAP Note 123456
Example:
● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
● Cross-references to other documentation or published works
Example:
● Output on the screen following a user action, for example, messages
● Source code or syntax quoted directly from a program
● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE: Keys on the keyboard
www.sap.com
© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.