Curity Guide SAP Solution Manager 7.1 SP10

7/14/2019 Curity Guide SAP Solution Manager 7.1 SP10

1/533

Security Guide for SAP Solution Manager 7.1

Target Audience

System administrators

Technology consultants

Application consultants

SAP Security Professionals

CUSTOMERDocument version: 2013-10-31


2/533

Document History

CAUTION

Before you start the implementation and configuration of SAP Solution Manager, make sure you

have the latest version of this document. You can find the latest version at the following location:

http://service.sap.com/instguides SAP Components SAP Solution Manager .

The following table provides an overview of the most important document changes.SupportPackageStacks(Version) Date Description

SP10 General

Role enhancements for Infrastructure Roles: SAP_SYSTEM_REPOSITORY_*, and

SAP_SM_RFC_*, see section Authorization and Roles for Infrastructure.

Guide structure enhancement to the following individual sections:

Secure System Configuration (specifically relating to system configuration issues

in regard to security)

SAP Solution Manager Authorization Concept

User Interface (SAP NWBC 4.0not supported)

Landscape Setup Guide

Scenario-specific Guides

Overviews

User Authentication and Administration Tools:

new section about Solution Manager User Administration (SMUA) mass tool

enhanced section on Automatic User Creationin SOLMAN_SETUP(new fields User

Group, Namespace, Role Upload)

new section on password policy for SAP Solution Manager default users

Roles and Authorizations for Infrastructure and LMDBusage, see section on Roles

for Infrastructure and LMDB

New single roles SAP_SM_BP_*for Business Partner and Product assignment inLMDBand related queries.

New single role for LMDBDashboard SAP_SM_DASHBOARDS_DISP_LMDB

New authorization object check for LMDBRemote Access AI_LMDB_RE(included

in roles SAP_SYSTEM_REPOSITORY_*)

Adapted role SAP_SM_SOLUTION_ALL

Adapted role SAP_SOLMAN_DIRECTORY_*

Adapted role SAP_SM_RFC_ADMIN(added authorization object S_RFC_TT)

Adapted roles SAP_SYSTEM_REPOSITORY_* (primarily for authorization object

S_RFC)

Scenario-Specific Guides

Check out changes in the Document History for the following scenarios:

2/534 CUSTOMER 2013-10-31
http://service.sap.com/instguides


3/533

SupportPackageStacks(Version) Date Description

Custom-Code Life Cycle Management (CCA, CCML)

Business Process Operations

Business Process Change Analyser

Change Request Management

Incident Management

NOTE

Authorizations for ST-ICCare described in the according ST-ICC

Configuration Guide.

Solution Documentation Assistant

Test Management

Implementation (cProject ITPPMintegration)

Solution Manager Administration

Technical Monitoring

Technical Administration (IT Task Inbox and Guided Procedure)

Quality Gate Management

SAP Engagement and Service Delivery

Job Management

Important SAP Notes

1812046(Role Updates in case of CUA)

1830640(Roles for READ, TMW, and Back RFC Users)

1908051 (Roles for ST-PI (managed systems))

SAP TAO

Section on SAP TAO has been transferred to the SAP TAO Administrators Guide, see

on the Service Marketplace at: http://service.sap.com/saptao .

2013-10-31 CUSTOMER 3/534
http://service.sap.com/saptaohttp://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1908051%20&_NLANG=en&_NVERS=0http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1830640&_NLANG=en&_NVERS=0http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1812046&_NLANG=en&_NVERS=0


4/533

Table of Contents

Chapter 1 Security Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.1 Target Group of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.3 How to Use this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.4 Links for Additional Components on the Service Marketplace . . . . . . . . . . . . 25

2.5 Using SAP Solution Manager as a Service Provider . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 3 Terminology as Used in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . 31

Chapter 4 Quick Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 5 Overviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.1 Overview: Capabilities/Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.2 Overview: Solution Manager Functions Integration . . . . . . . . . . . . . . . . . . . . 40

5.3 Overview: Solution Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.4 Overview: Solution Manager Technical RFC - Users per Scenario . . . . . . . . . . 42

5.5 Overview: Third Party Products to Be Used with Solution

Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 6 System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

6.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 7 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

7.1 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

7.2 Communication Channels and Communication Destinations . . . . . . . . . . . . 47

7.3 Internet Communication Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

7.4 Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

7.5 HTTP Connect Service for SAP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

7.6 File Transfer Protocol (FTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

7.7 Use of Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4/534 CUSTOMER 2013-10-31


5/533

Chapter 8 User Administration and Authentication Tools . . . . . . . . . . . . . . . . . . . . 53

8.1 Basic SAP User Management Tools and User Types . . . . . . . . . . . . . . . . . . . . . 53

8.2 Automatic User Creation using Transaction SOLMAN_SETUP . . . . . . . . . . . . 578.3 Automatic Mass User Creation/Update using Solution Manager User

Administration (SMUA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

8.4 Passwords for Solution Manager Default Users . . . . . . . . . . . . . . . . . . . . . . . . 61

8.5 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

8.6 Integration into Single Sign-On Environments (SSO) . . . . . . . . . . . . . . . . . . . 62

Chapter 9 Authorization Concept for SAP Solution Manager . . . . . . . . . . . . . . . . . 63

9.1 User Definitions in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

9.2 End - User Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

9.3 Configuration User Roles for SAP Solution Manager . . . . . . . . . . . . . . . . . . . . 72

9.4 Integration of Functions/Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

9.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions,

Directory) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

9.6 Work Center Navigation Role Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

9.7 Using SAP Solution Manager with Customer Relationship Management

(CRM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

9.8 Using SAP Solution Manager with Business Warehouse (BW) . . . . . . . . . . . . . 879.8.1 General Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

9.8.2 BI - Reporting Data Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

9.8.3 Configuration of BW and Activation of BW - Content (Step by

Step) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

9.8.4 Diagnostics Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

9.8.5 BI - Reporting Authorizations and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

9.8.6 Using BI - Dashboards for BI - Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

9.9 Authorizations for User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

9.10 Critical RFC Connections and Authorization Objects . . . . . . . . . . . . . . . . . . 101

9.10.1 Generated RFC - Connection

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

9.10.2 Authorization Objects S_RFCACL and S_RFC_TT for Trusted

RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

9.10.3 Generated RFC - Connections READ, TMW and BACK . . . . . . . . . . . . . . . . 104

9.10.4 Authorization Object S_RFC and S_DEV_REMO . . . . . . . . . . . . . . . . . . . . . 104

9.10.5 Authorization Object S_TABU_DIS and S_TABU_CLI . . . . . . . . . . . . . . . . . 106

2013-10-31 CUSTOMER 5/534


6/533

9.10.6 Authorization Object S_TABU_NAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

9.10.7 Authorization Object S_DEVELOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

9.11 How to Build Your Own Authorization Concept . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 10 Using Central User Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

10.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

10.3 Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

10.4 Configuration Integration in Transaction SOLMAN_SETUP . . . . . . . . . . . . . 117

Chapter 11 Additional Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Chapter 12 Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Chapter 13 Landscape Setup, Configuration, and Root Cause Analysis

Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

13.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

13.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128


13.4 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . 133

13.5 Required TCP/IP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13613.6 SAP Solution Manager Configuration Work Center / Transaction

SOLMAN_SETUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

13.7 Root Cause Analysis Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

13.8 Users Created During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

13.8.1 Database User SAPDB [MANAGED.DB.USER] . . . . . . . . . . . . . . . . . . 141

13.8.2 OS Engine User [MANAGED.OS.SIDADM] . . . . . . . . . . . . . . . . . . . . . . . . . . 142

13.8.3 OS User Dedicated to the Diagnostics Agent ADMIN

[MANAGED.OS.AGTSIDADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

13.9 Users and Authorizations for SAP Solution Manager Configuration/

Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

13.9.1 Password Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

13.9.2 Configuration and Administration User SOLMAN_ADMIN

[SOLMAN.DUAL.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

13.9.3 Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM] . . . . . . . . . . . . . . . . 147

13.9.4 Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC] . . . . . . . . . . . . . . . . . 147

13.9.5 Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . . . . . . . 147

13.9.6 Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . . . . . . . 148

6/534 CUSTOMER 2013-10-31


7/533

13.9.7 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT]

[SOLMAN.BI.SUPPORT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

13.9.8 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

13.9.9 Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC] . . . . . . . . . . . . . 150

13.9.10 Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV] . . . . . . . . . . . . . . . 150

13.9.11 Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV] . . . . . . . . . . 150

13.9.12 Technical User for RFC - connection BACK

[MANAGING.ABAP.RFC] . . . . . . . . . . . . 150

13.9.13 User Wily Guest [SOLMAN.WILY.GUEST] . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

13.10 Users and Authorizations for Managed Systems . . . . . . . . . . . . . . . . . . . . . . . 151

13.10.1 NGAP - Based Managed Systems Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

13.10.2 Administrator User in ABAP: SM_ADMIN

[MANAGED.JAVA.ABAP.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

13.10.3 Administrator User in Java: SM_ADMIN_

[MANAGED.JAVA.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

13.10.4 Technical User SMDAGENT_ for Wily Host Agent

[MANAGED.ABAP.WILYAGT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

13.10.5 Technical Users for RFC - Connections READ and TMW

[MANAGED.ABAP.RFC] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

13.10.6 SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT] . . . . . . . . . . . . . . . . . 155

13.10.7 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14913.10.8 Technical User SM_COLL_ . . . . . . . . . . . . . . . . . . . . . . . . . 157

13.10.9 J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN] . . . . . . . . . . . . 158

13.10.10 Administrator OS User [MANAGED.OS.ADMIN] . . . . . . . . . . . . . . . . . . . . . 158

13.10.11 Technical Users for CTC Configuration and Runtime Activation . . . . . . . . . 158

13.11 Users and Authorizations for BW Configuration . . . . . . . . . . . . . . . . . . . . . . 158

13.11.1 BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN] . . . . . . . . . 159

13.11.2 Technical User SM_BW_ACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

13.11.3 Technical User SM_ EFWK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

13.11.4 Technical User SMD_BI_RFC [SOLMAN.BI.RFC] . . . . . . . . . . . . . . . . . . . . . 160

13.11.5 Technical User SM_ BW_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

13.11.6 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT]

[SOLMAN.BI.SUPPORT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

13.11.7 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

13.11.8 Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK] . . . . . . . . . . . . . . . 163

13.11.9 Diagnostics Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

13.12 Users and Authorizations for SLD and LMDB . . . . . . . . . . . . . . . . . . . . . . . . . 163

13.12.1 Technical User SLD_CS_USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

2013-10-31 CUSTOMER 7/534


8/533

13.12.2 Technical User SLDDSUSER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

13.12.3 Technical User for CTC Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

13.13 S-Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

13.13.1 S-User for SAP Backend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

13.13.2 S-User for Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

13.14 Landscape Modelling and Infrastructure Roles . . . . . . . . . . . . . . . . . . . . . . . . 167

13.14.1 User Roles for System Landscape Infrastructure . . . . . . . . . . . . . . . . . . . . . . . 167

13.14.2 User Roles for Solutions, Projects, Solution Directory . . . . . . . . . . . . . . . . . . 169

13.14.3 User Roles f or System Landscape Verification . . . . . . . . . . . . . . . . . . . . . . . . . 172

13.15 User Role for TREX Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

13.16 Configuration User Roles for SAP Solution Manager . . . . . . . . . . . . . . . . . . . . 72

13.17 Business Partners Created During Configuration . . . . . . . . . . . . . . . . . . . . . . 174

13.18 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Chapter 14 Scenario-Specific Guide: Solution Manager Administration . . . . . . . . . 177


14.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

14.3 User Descriptions and User Roles in SAP Solution Manager . . . . . . . . . . . . . . 178

Chapter 15 Scenario-Specific Guide: Technical Monitoring . . . . . . . . . . . . . . . . . . . 183

15.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18315.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

15.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

15.3.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

15.3.2 Scenario Configuration Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

15.3.3 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . 190

15.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

15.4 Work Center Technical Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

15.5 User Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

15.6 User Roles for System, Database, Host Monitoring, and Self -

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

15.6.1 First Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

15.6.2 Second Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . 197

15.7 User Roles for Process Integration - Monitoring and Message Flow -

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

15.7.1 First Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

15.7.2 Second Level Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . 199

15.8 User Roles for End-User Experience Monitoring . . . . . . . . . . . . . . . . . . . . . . 200

8/534 CUSTOMER 2013-10-31


9/533



15.9 User Roles for Business Intelligence Monitoring . . . . . . . . . . . . . . . . . . . . . . 202



15.10 User Roles for Interface (Channel) Monitoring . . . . . . . . . . . . . . . . . . . . . . . 204


15.10.2 Second Level Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . 205

15.11 End-User Roles for Job Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206


15.11.2 Second Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

15.12 User Roles for Infrastructure Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208



15.13 Integration Visibility in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

15.14 Role for Technical Monitoring Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

15.15 Role for Technical Monitoring Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

15.16 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

15.17 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

15.18 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Chapter 16 Scenario-Specific Guide: Maintenance Optimizer . . . . . . . . . . . . . . . . . . 217


16.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

16.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218


16.3.2 Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219


16.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

16.3.5 SAP Support Portal Contact in SAP Solution Manager (Table:

AISUSER) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

16.3.6 S-User Authorization for Maintenance Optimizer . . . . . . . . . . . . . . . . . . . . . 222

16.4 CRM Standard Customizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

16.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

16.5.1 User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

16.5.2 User Roles in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

16.5.3 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

16.6 System Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

2013-10-31 CUSTOMER 9/534


10/533

Chapter 17 Scenario-Specific Guide: Implementation and Upgrade . . . . . . . . . . . . . 227


17.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22817.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229


17.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229


17.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233


17.4.1 User Descriptions and User Roles in the SAP Solution Manager . . . . . . . . . . . 235

17.4.2 User Descriptions and User Roles in Managed Systems . . . . . . . . . . . . . . . . . 247


17.5 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

17.5.1 User Roles for Roadmap Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

17.5.2 User Roles for Activation of Business Functions . . . . . . . . . . . . . . . . . . . . . . . 250

17.5.3 User Roles for Custom Development Management Cockpit

(CDMC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

17.5.4 User Roles for Upgrade Dependency Analyzer . . . . . . . . . . . . . . . . . . . . . . . . 252

17.5.5 User Roles for Customizing Comparison and Distribution . . . . . . . . . . . . . . 253

17.5.6 User Roles for BC-Set Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25317.5.7 User Roles for Help Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

17.5.8 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254


17.7 External Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

17.7.1 Business Process Management Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

17.7.2 Enterprise Service Repository within Process Integration (PI) . . . . . . . . . . . . 259

17.7.3 SAP Productivity Pak by RWD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

17.7.4 Business Process Blueprinting Tool (BPB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

17.8 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Chapter 18 Scenario-Specific Guide: Solution Documentation Assistant . . . . . . . . 263


18.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

18.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264


18.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265


10/534 CUSTOMER 2013-10-31


11/533

18.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268




18.6 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Chapter 19 Scenario-Specific Guide: Test Management . . . . . . . . . . . . . . . . . . . . . . . 277


19.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

19.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279


19.3.2 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279


19.3.4 Technical Users for RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282





19.5.1 User Roles for Test Workbench Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

19.5.2 User Roles for Extended Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

19.5.3 User Roles for CBTA (Component-Based Test Automation) . . . . . . . . . . . . . 30219.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305


19.7.1 Tool with BC ECATT- Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

19.7.2 Q uality Center by HP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

19.7.3 IBM Rational Test Management Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Chapter 20 Scenario-Specific Guide: Business Process Change Analyzer . . . . . . . . . 311


20.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

20.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313




20.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

20.4 CRM Standard Customizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318



2013-10-31 CUSTOMER 11/534


12/533


Chapter 21 Scenario-Specific Guide: IT Service Management . . . . . . . . . . . . . . . . . . 325


21.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328




21.3.4 Technical Users for RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333


AISUSER) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

21.3.6 S-User Authorization for Service Desk and Expert on Demand . . . . . . . . . . . 335

21.4 CRM Standard Customizing for Solution Manager . . . . . . . . . . . . . . . . . . . . 335



21.5.2 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341



21.7.1 External Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

21.8 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Chapter 22 Scenario-Specific Guide: Job Management . . . . . . . . . . . . . . . . . . . . . . . . 345


22.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

22.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346




22.3.4 Technical User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349


22.4.1 User Roles (Old) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

22.4.2 User Roles (New) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

22.5 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254



22.7.1 SAP CPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

12/534 CUSTOMER 2013-10-31


13/533

Chapter 23 Scenario-Specific Guide: SAP Engagement and Service

Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365


23.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367


23.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367


23.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373


AISUSER) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

23.3.6 S-User Authorization for Service Desk and Expert on Demand . . . . . . . . . . . 335

23.3.7 S-User Authorization for Data Download from SAP . . . . . . . . . . . . . . . . . . . 375

23.3.8 Business Partners Created During Configuration . . . . . . . . . . . . . . . . . . . . . . 174


23.5 Recommended Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

23.5.1 User Descriptions and User Roles to Use the Work Center . . . . . . . . . . . . . . . 377

23.5.2 User Description and User Roles for Service Delivery (Premium

Engagement) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

23.5.3 Enterprise Service Reporting User - ES_REP_ . . . . . . . . . . . . . . . . . . . 38223.5.4 Supportability Performance Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

23.5.5 User Descriptions and User Integration Roles for Issue

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383


23.6 Security Optimization Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385


Chapter 24 Scenario-Specific Guide: Technical Administration . . . . . . . . . . . . . . . . 387


24.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

24.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389


24.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389


24.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391


24.4.1 User Descriptions and Roles for Technical Administration . . . . . . . . . . . . . . 392

2013-10-31 CUSTOMER 13/534


14/533

24.4.2 User Descriptions and Roles for IT Task Inbox and Guided

Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

24.4.3 Service Availability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398


24.5 Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

24.6 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Chapter 25 Scenario-Specific Guide: Business Process Operations . . . . . . . . . . . . . . 403


25.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

25.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405




25.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410




25.5.1 Dashboard User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

25.5.2 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

25.5.3 End-User Roles for CDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41725.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

Chapter 26 Scenario-Specific Guide: Change Request Management . . . . . . . . . . . . . 419


26.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

26.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422




26.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426



26.5.1 Users and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

26.5.2 Best Practice: Manage Import Authorizations in Managed Systems . . . . . . . . 436

26.5.3 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

26.5.3.1 User Roles for Retrofit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

26.5.3.2 User Roles for Communication Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

14/534 CUSTOMER 2013-10-31


15/533

26.5.3.3 User Roles for CTS- PlugIn Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439




Chapter 27 Scenario-Specific Guide: Quality Gate Management . . . . . . . . . . . . . . . . 445


27.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

27.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447


27.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448


27.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449




27.5.2 User Descriptions and User Roles in the Managed Systems . . . . . . . . . . . . . . 454

27.5.3 CTS-Integration User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . 454

27.5.4 Critical Authorization Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455


Chapter 28 Scenario-Specific Guide: Configuration Validation . . . . . . . . . . . . . . . . 457


28.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

28.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458




Chapter 29 Scenario-Specific Guide: Data Volume Management . . . . . . . . . . . . . . . 463


29.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

29.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465


29.3.2 Scenario Configuration User and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . 466


29.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468


2013-10-31 CUSTOMER 15/534


16/533

29.4.1 User and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

29.4.2 Critical Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472


Chapter 30 Scenario-Specific Guide: Custom - Code Life Cycle

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475


30.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

30.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476




30.3.4 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479



30.4.2 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

30.5 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Chapter 31 Measurement Platform and Enterprise Support Reporting . . . . . . . . . . 483

31.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

31.2 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48431.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

31.3.1 Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484


31.3.3 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486


31.4.1 SAP_SUGEN User [SOLMAN.ABAP.SUGEN] . . . . . . . . . . . . . . . . . . . . . . . . . 487

Chapter 32 Service Provider Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489


32.2 Service Provider Customer RFC-Connections . . . . . . . . . . . . . . . . . . . . . . . . 489

32.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

32.4 Service ProviderSpecific Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

32.5 Incident Management User Descriptions and User Roles for

Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

32.6 Solution Documentation User Descriptions and User Roles . . . . . . . . . . . . . 493

32.7 Work Centers for Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . 494

32.8 Granting Work Center Access to Service Provider Customers . . . . . . . . . . . . 495

16/534 CUSTOMER 2013-10-31


17/533

Chapter 33 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497

33.1 HowTo Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497

33.1.1 SDN Wiki for Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49733.1.2 How to Create Users and Business Partners . . . . . . . . . . . . . . . . . . . . . . . . . . 497

33.1.3 How to Administer Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

33.1.4 How to Create a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

33.1.5 How to Maintain Authorizations in Authorization Objects . . . . . . . . . . . . . . 502

33.1.6 How to Generate a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

33.1.7 How to Assign Roles to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508

33.1.8 How to Create Scenario Configuration Roles . . . . . . . . . . . . . . . . . . . . . . . . . 509

33.1.9 How to Upgrade Authorizations after Release Upgrade or Support Package

Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

33.1.10 How to Use an ST01 Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

33.1.11 How to User Transaction SU24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

33.1.12 How to Translate Your Own Customizing Entries . . . . . . . . . . . . . . . . . . . . . 516

33.2 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

33.2.1 Links for Additional Components on Service Marketplace . . . . . . . . . . . . . . . 517

33.2.2 SAP Notes as Mentioned in the IMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

33.3 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

33.3.1 Terminology: System Landscape and Related Terms . . . . . . . . . . . . . . . . . . . 52133.3.2 Terminology: Solution and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Chapter A Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

A.1 The Main SAP Documentation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

2013-10-31 CUSTOMER 17/534


18/533

This page is left blank for documentsthat are printed on both sides.


19/533

1 Security Guide

CAUTION

Usage Rights for SAP Solution Manager Enterprise Edition

The extent of the usage of the software package SAP Solution Manager 7.1 depends upon the

type of maintenance contract you have signed. If you have a signed contract for:

SAP Enterprise Support

Product Support for Large Enterprises

SAP Premium Support

SAP MaxAttention

you are authorized to use all functions in the software package, without any restrictions.

If you have signed exclusively standard support contracts, you are allowed to install this software

package, but you are only allowed to use a restricted functionality. You are not allowed to use

the following Enterprise Edition functions:

Business Process Change Analyzer

Quality Gate Management

Custom Development Management Cockpit

This Security Guide is updated in the SAP Service Marketplace at: http://service.sap.com/

instguides SAP Components SAP Solution Manager ) with every Support Package.

For any issues with security, authorizations, roles, and user management for SAP Solution Manager

use SV-SMG-AUT.

Integration

Security topics are relevant for the following phases:

Installation and Upgrade

Configuration

Operation

RECOMMENDATION

Use this guide during all phases. For a detailed overview of which documentation is relevant for

each phase, see guides reference on the Service Marketplace at: http://service.sap.com/

instguides SAP Components SAP Solution Manager 7.1 .

1 Security Guide

2013-10-31 CUSTOMER 19/534
http://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguides


20/533

More Information

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace: http://

service.sap.com/securityguides

1 Security Guide

20/534 CUSTOMER 2013-10-31
http://service.sap.com/securityguideshttp://service.sap.com/securityguides


21/533

2 Introduction

2.1 Target Group of This Guide

The purpose of SAP Solution Manager is to provide an administration, and implementation

environment, to allow for better managing your systems and business processes in a transparent way.

The target groups of this guide are readers who are familiar with SAP Solution Manager and

configuration procedures in an implementation and/or upgrade project, that is technical consultants,

system administrators and/or application consultants.

technology consultants: working with technical processes supported by SAP software during

implementation, when deciding which settings to make

system administrators: optimizing the SAP Solution Manager system during and after

implementation

application consultants: mapping a companys actual business processes to the processes and

functions supported by SAP software during implementation, and when deciding which settings

to make

SAP Security Professionals: securing the system landscape settings

2.2 Getting Started

This security guide provides you with an overview of the security-relevant information that applies to

SAP Solution Manager 7.1 as of SP01and higher. Since SAP Solution Manager covers several scenarios,

this document first provides general security recommendations for SAP Solution Manager in a so called

Core Guide followed by specific security guidelines for the individual capabilities.

In other words, this guide consists of a main guide, the core guide, containing general information on

how to execute on authorizations and roles within SAP Solution Manager, such as authorizations

concept and integration as well as user management functions. The Specific Scenario Guidesare

descriptions of the delivered scenarios in analogy to the work centers and configuration view structure

in transaction SOLMAN_SETUP.

The SAP Solution Manager IMGcomprises several nodes for configuration, see configuration guide for

SAP Solution Manager for more information. Scenario configuration is done during Capabilities

configuration. This graphic references the IMGas delivered with SAP Solution Manager 7.1 as of SP02.

The structure can change when delivered with further SPs, due to changes or additions in capabilities.

Therefore, this graphic only represents an example for IMGstructure.

2 Introduction

2.1 Target Group of This Guide

2013-10-31 CUSTOMER 21/534


22/533

Authorization assignments or specific user creation for scenarios are described in the according IMG

activities, which are referenced as well in the scenario - specific security guides.

The initial configuration, or Basic Configuration, references to the automated basic configuration using

transaction SOLMAN_SETUPor Solution Manager Configuration work center.

RECOMMENDATION

We recommend to always use this security guide in combination with transaction

SOLMAN_SETUPand the Implementation Reference Guide (IMG) for configuration.

Which topics are covered in the core guide

The following topics are covered in this core security guide:

Target Group: Who should use this guide

How to use this guide: How should different user groups use this guide effectively?

Links to additional components: Where can you find further information for functions, tools,

and third party product which are not covered in this guide?

Using Solution Manager as Service Provider: How to use this guide as a Service Provider?

Terminology: How are specific terms to be understood in this guide?

System Landscape

Security Dependencies: Which additional dependencies have to be taken into account?

Network and Communication Security: How should your network be built up?

User Management Tools: Which tools are used within SAP Solution Manager to create users?

Central User Administration: How to set up CUAin Solution Manager?

Secure Storage

Integration into Single Sign-On Environments

Authorization Integration Concept: How is the authorization concept for SAP Solution

Manager defined?

User Definitions: How do we define users?

User Roles: How do we define user roles?

Data Storage

What should you know in advance

If you have little or no knowledge concerning security and authorization concepts, start with

reading the general documentation for authorizations at SAP. This topic is not covered in this guide

and is regarded as a prerequisite. In addition, before using this guide you should familiarize yourself

with the respective Master Guide for SAP Solution Manager, and general user and authorization

information for SAP NetWeaver systems: Transaction SPRO SAP Customer Reference Guide SAP

NetWeaver Application Server System Administration User and Authorization.

2 Introduction

2.2 Getting Started

22/534 CUSTOMER 2013-10-31


23/533

2.3 How to Use this Guide

Setting up an authorization concept for your own company for SAP Solution Manager is not simple.

It requires approaching the topic from a technical as well as content - oriented perspective.

Authorizations are strongly tied to configuration topics for certain scenarios, as well as security relevant

technical information. The knowledge for these sectors is seldom found within one department at the

customer's side, as technical and application components must be aligned for a successful concept.

Especially with SAP Solution Manager this is important, as the product is aimed at the support for the

life - cycle of systems (maintained by technical staff), but also the life - cycle of solutions (maintained

by application - oriented staff).

Therefore, as described in the former section, this guide is directed to differing groups with different

focus on SAP Solution Manager. These groups can be organizationally divided.

This guide addresses the resulting differing ways of approaching authorizations and their maintenancefrom a content oriented view (for instance application consultant), and a technically oriented view

(for instance system administrator).

RECOMMENDATION

To set up a stable authorization concept, both views are to be considered, and involved.

The following sections give you a short guidance to how to use this guide, depending on your main

tasks when setting up an authorization concept or authorization roles for SAP Solution Manager.

How to use the guide from a technically - oriented perspective

What do we mean by technical perspective? The technical perspective means, that you should know how

to apply an authorization concept in an SAP system effectively. You know how to handle transactions

PFCG,SU01, and roles and profile generation. This implies that you are familiar with the SAP role concept

and its specifics, such as for instance profiles SAP_ALLand SAP_NEW.

It also includes a basic technical background knowledge of the SAP Solution Manager system and its

landscape structure, such as Business Warehouse (BW) integration or the handling of the System

Landscape Directory (SLD) specifics. The maintenance of roles and authorizations depends on this

knowledge.

In addition, you should have a basic idea about the basic configuration of the SAP Solution Manager

system, and its managed systems.

From a Technical Perspective (Recommendation)

Step Section Remark

1 Core Guide This guide includes all relevant information to know about the SAP

Solution Manager authorization concept, overall topics such as

clients to be used, setup information, and so on.

2 Setup Landscape Guide If the system is initially installed or upgraded, most users and

authorizations need to be adapted. This guide contains all

2 Introduction


2013-10-31 CUSTOMER 23/534


24/533

Step Section Remark

information on basic system landscape setup, users, and

authorizations needed to run SAP Solution Manager

3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be

assigned to users. These roles are recommendations of SAP. For each

scenario, or function a so called ALLor ADMIN(administration) role is

delivered. This role contains full authorization for a specific scenario.

In addition, SAP delivers a so calledDISP(display) role, which contains

only display authorizations for the respective scenario. If your

company's business processes are different to the recommended SAP

process, these roles need to be adapted. Your application consultant

should define the applicable roles to be used. If the definition differs,

according authorization objects must be maintained.

4 Glossary in this guide,

Transaction SUIMin the

system, WIKIforAuthorizations

If you need to maintain authorization objects, you may check the

mentioned information sources on individual authorization objects,

and how they relate to functions.The glossarygives you an overview of all roles mentioned in this

guide with the main authorization objects included in these roles.

In transaction SUIM, you can search for individual authorization

objects and read their documentation.

The new WIKI page for authorizations in SAP Solution

Managercovers many of the relevant authorization objects for

Solution Manager with according use cases, such as how should the

authorization object be maintained to restrict certain functions. The

use cases are more or less taken from customer situations.

5 HowTosection This section covers how-to guides for technical as well as content -

oriented tasks.

How to use the guide from a content - oriented perspective

What do we mean by content - oriented perspective? The SAP Solution Manager is an SAP product that supports

your business. Roles and authorization objects are delivered to allow your end - users to work within

the limits of their tasks. In other words, they should only be allowed to execute and see what they need

in their daily work. These tasks depend on your specific business processes. As a logical consequence,

the authorizations and roles assigned to your users depend heavily on the business processes you deploy,

and are depending on the configuration of your system accordingly. The concept of your configuration

needs to be considered for the concept of your authorizations. Although we deliver template roles for

your use, they can hardly ever be applied without modification to your business. Therefore, before

tailoring authorizations or using SAP template roles, you need to consider your business processes, the

content of your business.

From a Content - Oriented Perspective (Recommendation)

Step Section Remark

1 Core Guide This guide includes all relevant information to know about the SAP

Solution Manager authorization concept, overall topics such as

clients to be used, setup information, and so on.

2 Introduction


24/534 CUSTOMER 2013-10-31


25/533

Step Section Remark

2 Setup Landscape Guide If the system is initially installed or upgraded, most users and

authorizations need to be adapted. This guide contains all

information on basic system landscape setup, users, and

authorizations needed to run SAP Solution Manager. It gives you anoverview on which scenarios should be running out-of-the-box

after the setup is done.

3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be

assigned to users. These roles are recommendations of SAP. If the

definition differs, according authorization objects must be

maintained. You need to discuss which authorizations must be

maintained in these cases with the person responsible for the technical

implementation of the authorization concept.

All roles are delivered according to a specific user definition. This user

definition gives you an overview of which tasks the user is authorized

if the SAP delivered template roles are used.4 HowTosection This section covers how-to guides for technical as well content -

oriented tasks.

How to use this guidewhen upgrading from Release 7.0 to 7.1

1. Read the SAP Solution Manager Upgrade Guide first, for information see section Additional Links.

2. Check out the Document Historyfor the specific scenarios you are using.

3. Check for updates in transaction SOLMAN_SETUP.

4. Activate the Release Noteinfo button in the IMGto display all information icons for new release

features for the configuration of the specific scenarios.

5. If required, read additional guides for additional functions and tools.

NOTE

If you are already acquainted with the authorization concept in SAP Solution Manager, we

strongly recommend to read the Document Historyfor changes in roles and authorization objects,

and in addition the Operations Guide for SAP Solution Manageron the Service Marketplace at: http://

service.sap.com/instguides SAP Components SAP Solution Manager. .

2.4 Links for Additional Components on the ServiceMarketplace

Your Solution Manager system is the platform for administrative tasks in implementing, operating

and upgrading systems in your system landscape. It relies heavily on mandatory and optional

components implemented in addition to SAP Solution Manager. This guide cannot describe all relevant

details for integrated components, like third party product or other SAP components. We refer

therefore to the applicable guides, Service Marketplace links, or IMG- activities as relevant information

sources.

2 Introduction

2.4 Links for Additional Components on the Service Marketplace

2013-10-31 CUSTOMER 25/534
http://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguides


26/533

The following table gives you an overview of these additional components, where to find more details,

and what they are used for in connection with SAP Solution Manager.

RECOMMENDATIONTo ensure a smooth integration of these components, familiarize yourself with their installation,

configuration, and operation if needed.

Additional Information on SAP Solution Manager

Component Where in the Service Marketplace? And Additional Sources

Master Guide for SAP

Solution Manager

http://service.sap.com/instguides SAP Components SAP Solution Manager

7.1

Upgrade Guide for SAP

Solution Manager


7.1

Operations Guide for SAPSolution Manager

http://service.sap.com/instguides SAP Components SAP Solution Manager7.1

Installation Guide for SAP

Solution Manager


7.1

Implementation

Reference Guide for SAP

Solution Manager

no link, see transactionsSOLMAN_SETUPandSPROin the SAP Solution Manager system

Solution Manager

Diagnostics

http://service.sap.com/diagnostics

IMGprojects and project

IMG

s

How to Create Customizing Projects and Project IMGson the Service Marketplace: http://

service.sap.com/solutionmanager

Media Library Technical Papers.

Additional Information on Infrastructure

Component Where in the Service Marketplace?

Guide Landscape

Management Database


Release 7.1 Additional Guides

System Landscape

Directory (SLD)

http://service.sap.com/sld

or http://sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management

Application Management System Landscape Directory

NOTE

Transaction SOLMAN_SETUPin the SAP Solution Manager system

Software Life-Cycle

Manager (SLM)

http://service.sap.com/slmand http://help.sap.com/nw70 Functional View

Solution Life Cycle Management Software Life Cycle Management

NOTE

Information and Configuration Prerequisites Change Control scenario

(technical name: SOLMAN_MOPZ_SLM_INFO)

Adobe Document Services

(ADS)

http://service.sap.com/adobe

NOTE

Information and Configuration Prerequisites ADS setup (technical name:

SOLMAN_ADS_INFO)

2 Introduction


26/534 CUSTOMER 2013-10-31
http://service.sap.com/adobehttp://help.sap.com/nw70http://service.sap.com/slmhttp://sdn.sap.com/http://service.sap.com/sldhttp://service.sap.com/instguideshttp://service.sap.com/solutionmanagerhttp://service.sap.com/solutionmanagerhttp://service.sap.com/diagnosticshttp://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguideshttp://service.sap.com/instguides


27/533


One Transport Order service.sap.com/solutionmanager Media Library Technical Papers

TREX http://help.sap.com/nw2004s

NOTE

Information and Configuration Prerequisites TREX(technical name:

SOLMAN_TREX_INFO)

Master Data Management

(MDM) MDM

Administration Cockpit

http://service.sap.com/mdm and http://service.sap.com/installmdm

SAP NetWeaver

Administrator

http://service.sap.com/nwa

Adaptive Controlling

(ACC) for general information http://sdn.sap.com/irj/sdn/adaptive

for application help, such as starting and stopping an application service:

http://help.sap.com for installation information http://service.sap.com/instguides

Application help for

security topics connected

to ICF services

http://help.sap.com/nw07

System security for SAP

NetWeaver ABAPand Java

(Help setting up system

security for ABAPand Java)

http://service.sap.com/security Media Library Literature

Current list of ports used

by SAP

http://service.sap.com/security Infrastructure Security TCP/IP Ports Used by

SAP Applications .

Diagnostics http://service.sap.com diagnostics .

Authorization object

S_RFCACL

http://help.sap.com/nw70

Auditing and Logging http://help.sap.com Search Documentation , search for Auditing and Logging.

Web Dispatcher See according Help documentation for Web Dispatcher step in transaction

SOLMAN_SETUP

Additional Information on Business Warehouse Integration


Business Warehouse (BW) http://service.sap.com/bi

NOTE

Information and Configuration Prerequisites BW(technical name:

SOLMAN_BI_CLIENT_INF)

Additional Information on Third Party


SAP Quality Center by HP http://service.sap.com/solutionmanager SAP Quality Center by HP

2 Introduction


2013-10-31 CUSTOMER 27/534
http://service.sap.com/solutionmanagerhttp://service.sap.com/bihttp://help.sap.com/http://help.sap.com/nw70http://service.sap.com/http://service.sap.com/securityhttp://service.sap.com/securityhttp://help.sap.com/nw07http://service.sap.com/instguideshttp://help.sap.com/http://sdn.sap.com/irj/sdn/adaptivehttp://service.sap.com/nwahttp://service.sap.com/installmdmhttp://service.sap.com/mdmhttp://help.sap.com/nw2004shttp://service.sap.com/solutionmanager


28/533


NOTE

Information and Configuration Prerequisites Third Party (technical name:

SOLMAN_THIRDPARTY_IN)

SAP Redwood Job

Scheduling

service.sap.com/job-scheduling

NOTE

Information and Configuration Prerequisites Third Party (technical name:

SOLMAN_THIRDPARTY_IN)

SAP TAO http://service.sap.com/saptao

Wily Introscope User

Administration

Introscope Installation for SAP Introscope Version 8.0 Installation Guide for SAP.

NOTE

See SAP Note 797147

Used in Root Cause Analysis and Technical Monitoring Work Center

Additional Information on User Management


User Management Engine

(UME)

http://help.sap.com/saphelp_nw04

/helpdata/6a/d39b3e09cdf313e10000000a114084/frameset.htm

Central User

Administration (CUA)

http://help.sap.com/saphelp_nw73

/helpdata/en /23/cbce3b1bc7fa20e10000000a114084/frameset.htm

NOTE

You can find the complete CUAconfiguration guide on the Service Marketplace

at: http://help.sap.comSingle Sign-On http://service.sap.com/sso-smp.

Additional Information on other SAP Product


PI Security Guide http://help.sap.com/saphelp_nw04 /helpdata/en/

58 /d22940cbf2195de10000000a1550b0/frameset.htm

Additional Information on Roles Management


SAP NW Guide for PFCG general PFCG link

Details about OBN navigation inSAP NWBC https://wiki.wdf.sap.corp/wiki/display /NWBC/

Documentation .

on roles for SAP Change and Transport Analysis

Sessions

SAP Note 1074808

2.5 Using SAP Solution Manager as a Service Provider

As a Service Provider, you provide services to your customers using SAP Solution Manager. The Service

Provider scenario extends the SAP Solution Manager standard scenario setup for specific customer

contexts.

2 Introduction


28/534 CUSTOMER 2013-10-31
http://help.sap.com/http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=SAP%20Note%201074808&_NLANG=en&_NVERS=0http://localhost/var/www/apps/conversion/tmp/scratch_10/NWBC/Documentationhttp://localhost/var/www/apps/conversion/tmp/scratch_10/NWBC/Documentationhttps://wiki.wdf.sap.corp/wiki/displayhttp://localhost/var/www/apps/conversion/tmp/scratch_10/d22940cbf2195de10000000a1550b0/frameset.htmhttp://localhost/var/www/apps/conversion/tmp/scratch_10/helpdata/en/58http://localhost/var/www/apps/conversion/tmp/scratch_10/helpdata/en/58http://help.sap.com/saphelp_nw04http://service.sap.com/sso-smphttp://help.sap.com/http://localhost/var/www/apps/conversion/tmp/scratch_10/23/cbce3b1bc7fa20e10000000a114084/frameset.htmhttp://localhost/var/www/apps/conversion/tmp/scratch_10/helpdata/enhttp://help.sap.com/saphelp_nw73http://localhost/var/www/apps/conversion/tmp/scratch_10/helpdata/6a/d39b3e09cdf313e10000000a114084/frameset.htmhttp://help.sap.com/saphelp_nw04http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=SAP%20Note%20797147&_NLANG=en&_NVERS=0http://service.sap.com/saptaohttp://service.sap.com/job-scheduling


29/533

Figure 1: Customer Contexts

If your SAP Solution Manager is used for one of the above contexts, you can use it as a Service Provider.

For this purpose you would also need to add some additional configuration and specific authorizations

for you, as the Service Provider, and your customers/subsidiaries.

See the section Service Provider and Service Provider Customer Specification.

For more information on Service Provider scenarios and definition, see the master guide for SAP

Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP

Components SAP Solution Manager .

2 Introduction


2013-10-31 CUSTOMER 29/534
http://service.sap.com/instguides


30/533

This page is left blank for documentsthat are printed on both sides.


31/533

3 Terminology as Used in SAP SolutionManager

This section gives you an overview of the main terms used in this security guide. It refers only to

terminology specifically used in regard to SAP Solution Manager. It does not cover overall SAP

terminology. For more detail on SAP terminology, refer to the SAPterm.

General SAP Solution Manager Guide Terminology

Term Definition as Used in This GuideSynonyms as Could beUsed by Other Sources

Core Security Guide In the Core Security Guide you find all sections

referring to conceptual issues concerning the

security for SAP Solution Manager. In contrast to

the more specific scenario guides, it outlines

prerequisites for dealing with the landscape setup

or operation of SAP Solution Manager in this

regard.

Main Guide, Main

Security Guide

Scenario - Specific Guide In analogy to the configuration structure in

transaction SPRO, each capability is regarded as a

separate scenario. For each scenario, you find theaccording information forRFC connections,

users, configuration, and so on in the scenario -

specific guides. Due to the nature of SAP Solution

Manager as an end-to-end platform, you find as

well sections for scenario integrations, and the

integration with external products.

Scenario Guides

User Management

Term Definition as Used in This GuideSynonyms as Could beUsed by Other Sources

User A user is a person working in the system with auser ID.

human user, end - user

Technical User The technical user is the overall term for users

which are not dialog users in the system. They can

be service users, system users, or communication

users. The user types are explained in more d

Curity Guide SAP Solution Manager 7.1 SP10

Documents

Transcript of Curity Guide SAP Solution Manager 7.1 SP10