SAP Solution Manager EhP1 Security Guide

EhP1 Security Guide. Target audience: system administrators, technology consultants, application consultants. PUBLIC. Document version: 04/30/2010

  • EhP1 Security Guide

    Target Audience

    - System administrators
    - Technology consultants
    - Application consultants

    PUBLIC
    Document version: 04/30/2010

  • Document History

    Caution

    Before you start the implementation and configuration of SAP Solution Manager, make sure you have the latest version of this document. You can find the latest version at the following location: http://service.sap.com/instguides SAP Components SAP Solution Manager.

    The following table provides an overview of the most important document changes.

    Support Package (Version) | Date | Description

    New roles for solution authorization. Authorization object D_SOL_VSBL is now included in the roles for solutions SAP_SM_SOLUTION_*. The authorization object is inactive in all other roles. See section: Roles in Solution Manager. It needs to be granted in addition to the role for the functionality, for instance Maintenance Optimizer.

    New roles for:

    - Job Scheduling
    - Issue Management
    - Maintenance Optimizer (additional)

    See section: Roles and Authorizations

    New roles for work center navigation. See section Work Center Navigation Roles and the example it contains.

    SP15 02/06/2008

    Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See section: Communication Destinations.

    SP16: New roles for Solution Documentation Assistant. See sections: Roles and Authorization and section Work Center Navigation Roles. New roles for Third Party Product: BMC AppSight for SAP Client Diagnostics. See section: Roles and Authorizations.

    SP17: Values for authorization object S_RFC in role SAP_SOLMANDIAG_E2E extended.

    EhP1 (1.0) 12/15/2008

    Changes in sections:

    - navigation in all work centers, see according sections on work center navigation roles.
    - menu entries for composite role SAP_SMWORK_ADMINISTRATOR_COMP deleted due to restrictions in SAP NetWeaver Business Client (NWBC), see section How to Create Composite Roles
    - role extensions for Job Scheduling Management, see section Roles for Job Scheduling Management
    - role extension for SAP_SERVICE_CONNECT for SAProuter Update, see section Roles for Infrastructure
    - role extensions for Business Process Operation, authorization objects: SM_BPM_AUT and SM_CNT_UPD, see section Roles for Business Process Operation and Roles for SAP Engagement and Service Delivery
    - new profile S_SD_CREATE for RFC connection BACK for message creation, see section RFC Connections
    - new profile S_SM_EXECUTE for RFC connection TMW for Solution Documentation Assistant, see section RFC Connections

      Note: The authorization profile S_SM_EXECUTE allows batch processing in the managing system for managed systems. You can use this profile also solely for this purpose. In this case, you have to assign the profile to the according technical user, manually.

    - new RFC user naming convention, see sections on technical users
    - new roles in Quality Gate Management SAP_SM_QGM_*, see section Roles for Change Request Management
    - new roles for Business Process Change Analysis (BPCA) in Work Center: Test Management, see sections Roles for Test Management and Work Center Test Management
    - new role for BI Reporting in Test Management SAP_BI_TWB
    - new role SAP_QC_WSDL_ACCESS for technical user QCALIAS, see sections Roles for Third Party Integration, and in technical users
    - new role SAP_SUPPCF_DISP for Service Provider display authorization, see section Roles for Service Desk for Service Provider

    New general How to sections on:

    - how to find documentation on individual authorization objects
    - how to create work center composite roles

    New sections due to new developments:

    - new roles for configuration, see section Roles for Configuration
    - new roles for Master Data Management (MDM) Administration Cockpit in the System Administration work center, see section Roles for Master Data Management

    - new roles in Downtime Management SAP_SM_DTM_*, see section Roles in Downtime Management
    - new roles for Root Cause Analysis, see sections SAPSUPPORT User, Roles for Root Cause Analysis, Roles for Configuration
    - SAP Support user SAPSUPPORT, see section SAPSUPPORT User
    - for automatically created business partners for SAP Engagement and Service Delivery, see section Business Partners Created During Configuration
    - new work center navigation roles for Service Provider SAP_SMWORK_SYS_MON_SPC, SAP_SMWORK_CHANGE_MAN_SPC, SAP_SMWORK_INCIDENT_MAN_SPC, see Work Center for Service Provider Customers
    - new authorization role for Service Provider SAP_SM_SPC, see section Service Provider-Specific Authorization
    - new work center navigation role MYHOME, see section MYHOME
    - special users and authorizations for CTC configuration tasks, see sections on technical users and Roles for Business Connectivity Configuration
    - new work center composite role SAP_SMWORK_JOB_MAN_COMP, see section How to Create Work Center Composite Roles
    - new roles for Custom Development Management Cockpit (CDMC) roles, see section Roles for Custom Development Management Cockpit (CDMC)
    - new role for technical framework BI extractor SAP_SM_BI_EXTRACTOR, see section Roles for BI-related Reporting
    - SAP NetWeaver Business Client (NWBC) where appropriate

    Extensions in sections:

    - Roles for Implementation and Upgrade: Due to Help Center functionality: SAP_SOL_KW_ALL extended for administration
    - RFC Connections: New profile S_KWHELP for BACK destination
    - Authorization object S_RFC: Function groups for profile S_KWHELP
    - Technical Users in SAP Solution Manager System: New profile S_KWHELP for back destination
    - Roles for Business Process Operations

    SP19

    Authorization object SM_BPM_AUT: per default Data Volume Management (DVM) is deselected

    - S-User Authorization for Data Download from SAP: Additional authorization LICKEY for request of license key required
    - How to Create Work Center Composite Roles: The concept of composite roles does not work if existing single roles of the composite roles are extended by customers.
    - User Management Tools, How to Assign Roles to Users, and Work Center Roles Concept: see SAP Note 1272331 for more information on User Comparison.
    - Additional SAP Notes regarding authorization objects and roles for Root Cause Analysis:
      - SAP Note 1307419 (depending on ST-PI)
      - SAP Note 1308640 (only applicable to EhP1)
      - SAP Note 1306820 (only applicable to EhP1 / SPS19)
      - SAP Note 1355945 (for EhP1 / SPS19 and SPS20)

    Changes regarding authorization objects in roles

    For changes of authorization values in authorization objects in roles that are already delivered, see SAP Note 834534 and SAP Note 831535.

    - SAP_SOLMANDIAG_E2E and according profile S_SMDIAG_E2E, see section Technical Users in Solution Manager
    - SAP_SM_BASIC_SETTINGS, see section Roles for Configuration
    - SAP_SUPPDESK_ADMIN, see section Roles for Service Desk
    - SAP_SM_BATCH, see section Roles for Configuration
    - profiles S_CSMREG and S_AI_SMD_E2E, see section Authorization Object S_RFC and SAP Note 1296428.
    - SAP_SOL_KW_ALL, see section Roles for Implementation and Upgrade

    New chapters

    - Secure Storage
    - Roles for EarlyWatch Alert: According paragraph in section Roles for System Monitoring and System Administration transferred

    General

    Chapter on How-to Guides moved to Solution Operations Guide for SAP Solution Manager on the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager

    Changes regarding authorization objects in roles

    - Profile S_DBA_DISP extended by authorization object S_TCODE with values: DBACOCKPIT, DBACOCKPIT_ITS, SU53, see section Roles for Database Administration Cockpit
    - Profile S_SMDIAG_E2E (according role SAP_SOLMANDIAG_E2E) extended by authorization objects S_DBCON with display authorization and S_RFC with function groups FG_DIAGSTP_WILY, E2E_EFWK_TOOLS, E2E_CHECK_BANNED_EXTRACTORS, see section Roles for Root Cause Analysis
    - Technical user for RFC destination for Help Center functionality requires role SAP_SM_HELP_CENTER, see sections on Roles for Implementation and Upgrade, on technical users for Solution Manager, and Communication Destinations
    - Role SAP_SM_BASIC_SETTINGS authorization objects added, see section Roles for Basic Configuration.

      Note: Any changes of authorizations due to functional enhancements and so on are described in the role description for SAP_SM_BASIC_SETTINGS in transaction PFCG.

    - Added new authorization objects to role SAP_SM_BATCH for user SOLMAN_BTC, see section Roles for Solution Manager Configuration and SAP Note 1314587
    - Role SAP_QC_INTERFACE for Third Party Product Quality Center 10.0 by HP extended by authorization object S_IWB with authorization for 01 (create, generate), 02 (change), 03 (display), and 33 (read), see section Roles for Third Party Integration
    - Change of product naming for Business Intelligence (BI): as of now it is called Business Warehouse (BW)
    - Role SAP_BC_REDWOOD_COMM_EXT_SLD for communication user extended in authorization object S_RFC_ADM for field RFCDEST with value REDWOOD, see SAP Note

    SPS 20

    Extensions in sections

    Technical user DEFECTMAN for Quality Center by HP (integration with Defect Management) must be additionally assigned role SAP_SUPPDESK_ADMIN, see section on technical users in SAP Solution Manager

    Service Provider specific changes

    - Roles for SAPSUPPORT user must be extended, if IMG activities for Work Center for Customers are executed by Service Provider, see section SAPSUPPORT User
    - Due to the design of the system list in Work Center System Monitoring for Customers, to view EarlyWatch Alert reports for systems, you must maintain authorization object S_SMSYEDIT for Service Provider customers, see section Work Center for Service Provider Customers

    SPS 21 10/26/2009

    New Roles/Authorization Extensions

    - Renaming of chapter Roles for Third Party Integration to End-User Roles for External Integration
    - Role SAP_SM_BPCA_TBOM for recording TBOMs in managed system, see section End User Roles for Test Management
    - Role SAP_SM_TAO_RFC for RFC communication between the TAO repository in the SAP Solution Manager and the TAO client, role SAP_TAO_AGENT_RFC for communication between managed system and TAO client, see section End User Roles for External Integration and about Technical Users in Solution Manager
    - Authorization object D_DM_DATA with ACTVT values 00, 10 for changing solutions in a maintenance project SAP_SOLAR01_* and SAP_SOLAR02_*, see section End-User Roles for Implementation
    - Role extension for authorization objects of SAP_SM_BASIC_SETTINGS, see description tab of role in the system, transaction PFCG
    - Role extension SAP_SUPPDESK_ADMIN menu entry Effort Reporting, see section End-User Roles for Service Desk
    - Role extension (authorization object SM_TIMEREP) for time recording in Work Center Incident Management for roles SAP_SUPPDESK_ADMIN, SAP_SUPPDESK_PROCESS, and SAP_SUPPDESK_DISPLAY, see section End-User Roles for Service Desk
    - Role SAP_SMWORK_BASIC extended for field Application ID value SOLMAN* in authorization object CA_POWL, see section Work Center Roles.
    - Role extension for SAP_SOLMANDIAG_E2E (according profile S_SMDIAG_E2E), see section End-User Roles for Root Cause Analysis.

    SPS 22 01/25/2010

    Extensions in Sections: Authorization Objects in Roles/Profiles

    - New authorization object SM_SETUP for transaction SOLMAN_SETUP to differentiate between change and display mode for all available views, see section on End-User Roles for Basic Configuration of SAP Solution Manager
    - New role SAP_RWD_INTERFACE for integration SAP Solution Manager and RWD InfoPak, see sections on technical users in Solution Manager and End-User Roles for External Integration
    - New end-user roles for function End-User Experience Monitoring (EEM): SAP_EEM_ADMIN and SAP_EEM_DIS, and role for technical user SAP_EEM_WS
    - Single roles SAP_SOCM_* (contained in composite roles SAP_CM_*_COMP) for Change Request Management extended by authorization object CRM_TXT_ID.
    - SAP_RCA_DISP (profile S_RCA_DISP) added authorization object S_SMSYEDIT with display authorization, see section Roles for Root Cause Analysis

    New and Changed Sections

    - New section on Data Storage
    - Changed s-user authorization for data download from value GLOBAL to value PWCHGE, see section on s-users

    New Roles According to Scenario

    Service Request in Work Center SAP Engagement and Service Delivery

    - New roles for Service Request SAP_SERVICE_REQUEST_ALL and SAP_SERVICE_REQUEST_DIS containing new authorization object SM_RS_AUTH, see section End-User Roles for Service Request
    - Roles also included in composite roles for Service Delivery SAP_SOLMAN_ONSITE_ALL_COMP and SAP_SOLMAN_ONSITE_COMP

    Business Process Monitoring in Work Center Business Process Operations

    - New role for BW-Reporting for Business Process Monitoring SAP_SM_BPMON_REPORTING, see section End-User Roles for Business Process Operations

    Incident Management for Service Provider

    - New role for Service Provider (Incident Management) BW-Reporting SAP_SPR_REPORTING, see section on End-User Roles for BW-Reporting

    Enterprise Service Reporting (ESR)

    - New role for ESR - Reporting SAP_BW_ESR_REPORTING

    Authorization Object Extensions in Roles

    Automated Basic Configuration Using Transaction SOLMAN_SETUP

    - Extensions in role SAP_SM_BASIC_SETTINGS, see description in role.

    SPS23 04/30/2010

    - Extensions in role SAP_SM_BATCH, see description in role.

    Copy Solutions

    - Added authorization objects D_SVAS_PRD, D_SOLMAN, D_MD_DATA to role SAP_SM_SOLUTION_ALL and SAP_SM_SOLUTION_ONSITE

    End-User Experience Monitoring

    - Added authorization objects in role SAP_EEM_ADMIN: S_ICF_ADM, S_APPL_LOG, S_SERVICE, S_DEVELOP with field ACTVT 03 for field OBJTYPE value WEBI

    Change Request Management

    - Information regarding authorization objects for administrative message, see SAP Note 1445005 and SAP Note 1445790

    Substitution Management in Work Center Incident Management

    - Added authorization object B_BUPR_BZT with ACTVT 01, 02, 03, 06 in roles SAP_SUPPDESK_ADMIN for functionality Manage Substitution. The authorization object is added in status inactive in roles SAP_SUPPDESK_CREATE and SAP_SUPPDESK_PROCESS. If substitution management is needed, the authorization object can be activated. See sections on End-User Roles for Service Desk and Work Center Incident Management

    SAP Engagement and Service Delivery

    - Added transaction AGS_UPDATE (depending authorization object SM_CNT_UPD) in roles SAP_SOLUTION_MANAGER_ONSITE, SAP_SOLUTION_MANAGER_ONSITE_AL, SAP_SV_SOLUTION_MANAGER, SAP_SV_SOLUTION_MANAGER_DISP

    Authorization Values Extensions in Authorization Objects

    Business Functions in Transactions SOLAR* and Work Center Implementation and Upgrade

    - Extension for tab Business Functions in roles SAP_SOLAR* for transactions SOLAR01 and SOLAR02 in authorization object AI_SA_TAB value BFUNC, see section End-User Roles for Implementation and Upgrade
    - For authorizations for managed systems, see SAP Note 1434210.

    Root Cause Analysis in Transaction SOLMAN_SETUP and Work Center Root Cause Analysis

    - Extensions of authorization objects in role/profile SAP_RCA_SAT_DISP / S_RCASAT_DIS:
      - S_ADMI_FCD extended by value USDP1.
      - S_TCODE extended by values ST05_E2E, BD87

    Quality Gate Management in Work Center Change Management

    - Extension of authorization object S_PROJ_GEN by values CHCH, TRCH, TRDC, TRAS, TACR, TRTP in role SAP_SM_QGM_ALL, and values TRCH, TRDC, TRAS, TACR, TRTP for role SAP_SM_QGM_TRANSPORT; see section End-User Roles for Quality Gate Management

    BW - Authorizations in SOLMAN_SETUP

    - Additional values for BW - authorizations (class: RS) in role SAP_BI_E2E

    End-User Experience Monitoring

    - Extension of authorization object AI_EEM by value 70 in field ACTVT (administration) in role SAP_EEM_ADMIN. It allows administration restriction for globally relevant activities.

    Business Process Monitoring in Work Center Business Process Operations

    - Extension of authorization object SM_BPM_AUT by value 40 (BPA - Business Process Analysis) in roles SAP_SV_SOLUTION_MANAGER, SAP_SOLUTION_MANAGER_DISP, SAP_OP_DSWP_BPM, see section End-User Roles for Business Process Monitoring

    Work Center (WC) User Interface (UI) Changed and According Authorization Adjustments

    See according sections on work centers.

    - WC Job Management: Additional views: Recommended Jobs, Administration; application Basic Job Request received parameter VIEWTYPE with value 00.
    - WC Incident Management: Additional Common Tasks: Manage Substitutes, Fast Display Message
    - WC Business Process Operations: Additional common task: Business Process Analytics
    - WC SAP Engagement and Service Delivery: New view: Service Requests

  • Table of Contents

    - Chapter 1 Security Guide
    - Chapter 2 Getting Started
      - 2.1 Target Group of This Guide
      - 2.2 How to Use this Guide
      - 2.3 SAP Solution Manager Scenarios and Functions/Capabilities
      - 2.4 Integration of Functions/Capabilities
      - 2.5 Links for Additional Components on Service Marketplace
      - 2.6 Using SAP Solution Manager as Service Provider
      - 2.7 How to Setup Your Authorization Concept: An Example
    - Chapter 3 System Landscape
      - 3.1 Technical System Landscape
    - Chapter 4 Network and Communication Security
      - 4.1 Network Topology
      - 4.2 Communication Channels
      - 4.3 Communication Destinations
      - 4.4 Internet Communication Framework
      - 4.5 Secure Socket Layer (SSL) for HTTP Connections
      - 4.6 HTTP Connect Service for SAP Support
      - 4.7 File Transfer Protocol (FTP)
      - 4.8 Required TCP/IP Ports
    - Chapter 5 User Administration and Authentication
      - 5.1 User Management Tools
      - 5.2 Secure Storage
      - 5.3 Technical/Dialog Users Created/Used in Solution Manager System Configuration
      - 5.4 Technical/Dialog Users Created/Used During Configuration in the Managed Systems
      - 5.5 User SAPSUPPORT
      - 5.6 Business Partners Created During Configuration
      - 5.7 Integration into Single Sign-On Environments (SSO)
    - Chapter 6 Authorizations
      - 6.1 How to Build Up Your Own Authorization Concept
      - 6.2 RFC Connections to/from Managed Systems and Critical Authorization Objects
        - 6.2.1 Trusted RFC Connections
        - 6.2.2 Authorization Object S_RFCACL
        - 6.2.3 RFC Connections TRUSTED, READ, TMW, BACK
        - 6.2.4 Authorization Object S_RFC
      - 6.3 End-User Roles for Solution Manager Configuration
        - 6.3.1 End-User Roles for Basic Configuration of Solution Manager
        - 6.3.2 End-User Roles for Basic Configuration in Managed Systems
        - 6.3.3 End-User Roles for Scenario-Specific Configuration in Solution Manager
      - 6.4 Authorization Roles and Profiles for End Users
        - 6.4.1 End-User Roles for Infrastructure
        - 6.4.2 End-User Roles for Implementation and Upgrade
        - 6.4.3 End-User Roles for Custom Development Management Cockpit (CDMC)
        - 6.4.4 End-User Roles for Test Management
        - 6.4.5 End-User Roles for EarlyWatch Alert
        - 6.4.6 End-User Roles for System Monitoring and System Administration
        - 6.4.7 End-User Roles for Downtime Management
        - 6.4.8 End-User Roles for Master Data Management
        - 6.4.9 End-User Roles for Database Administration Cockpit
        - 6.4.10 End-User Roles for Job Scheduling Management
        - 6.4.11 End-User Roles for Business Process Operations
        - 6.4.12 End-User Roles for SAP Engagement and Service Delivery
        - 6.4.13 End-User Roles for Service Request
        - 6.4.14 End-User Roles for Issue Management
        - 6.4.15 End-User Roles for Service Desk
        - 6.4.16 End-User Roles for Maintenance Management
        - 6.4.17 End-User Roles for Change Request Management
        - 6.4.18 End-User Roles for Root Cause Analysis
        - 6.4.19 End-User Roles for BW - Reporting
        - 6.4.20 End-User Role for TREX Administration
        - 6.4.21 End-User Roles for External Integration
      - 6.5 End-User Roles for Configuration of Business System Connections
    - Chapter 7 Work Center Navigation Roles
      - 7.1 Work Center Roles Concept
      - 7.2 Basic Authorizations for Work Centers
      - 7.3 My Home
      - 7.4 Implementation and Upgrade Work Center
      - 7.5 Test Management Work Center
      - 7.6 Job Management Work Center
      - 7.7 Incident Management Work Center
      - 7.8 Change Management Work Center
      - 7.9 Business Process Operations Work Center
      - 7.10 SAP Engagement and Service Delivery Work Center
      - 7.11 System Administration Work Center
      - 7.12 System Monitoring Work Center
      - 7.13 System Landscape Management Work Center
      - 7.14 Root Cause Analysis Work Center
      - 7.15 Solution Documentation Assistant Work Center
      - 7.16 Solution Manager Administration Work Center
      - 7.17 Creating Work Center Composite Roles
    - Chapter 8 S-User Authorizations
      - 8.1 S-User Concept
      - 8.2 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)
      - 8.3 S-User Authorization for Service Desk and Expert on Demand
      - 8.4 S-User Authorization for Service Connection
      - 8.5 S-User Authorization for Maintenance Optimizer
      - 8.6 S-User Authorization for Data Download from SAP
    - Chapter 9 Service Provider and Service Provider Customer Specification
      - 9.1 Service Provider Customer RFC Connections
      - 9.2 Service Provider-Specific Authorization
      - 9.3 Work Center for Service Provider Customers
      - 9.4 S-User Authorization for Service Provider Customers
      - 9.5 Work Center Access for Customers
    - Chapter 10 Background Processes
      - 10.1 Background Jobs for Infrastructure
      - 10.2 Background Jobs for Implementation
      - 10.3 Background Jobs for Test Management
      - 10.4 Background Jobs for Monitoring
      - 10.5 Background Jobs for BW Reporting
      - 10.6 Background Jobs for Service Desk
      - 10.7 Background Jobs for Change Request Management
      - 10.8 Background Jobs for SAP Engagement and Service Delivery and Issue Management
      - 10.9 Background Jobs for Root Cause Analysis
      - 10.10 Background Jobs for Third Party Products
      - 10.11 Background Jobs for Service Provider
    - Chapter 11 Traces and Logs
      - 11.1 Traces and Logs
    - Chapter 12 Data Storage
    - Chapter A Reference
      - A.1 The Main SAP Documentation Types

  • 1 Security Guide

    Caution

    Usage Rights for SAP Solution Manager Enterprise Edition

    The extent of the usage of the software package SAP Enhancement Package 1 for SAP Solution Manager 7.0 depends upon the type of maintenance contract you have signed. If you have a signed contract for:

    - SAP Enterprise Support
    - Product Support for Large Enterprises
    - SAP Premium Support
    - SAP MaxAttention

    you are authorized to use all functions in the software package, without any restrictions. If you have signed exclusively standard support contracts, you are allowed to install this software package, but you are only allowed to use a restricted functionality. You are not allowed to use the following Enterprise Edition functions:

    - Business Process Change Analyzer
    - Quality Gate Management
    - Custom Development Management Cockpit

    This Security Guide is updated in the SAP Service Marketplace at: http://service.sap.com/instguides SAP Components SAP Solution Manager, for each new support package and SAP Enhancement Package (EhP).

    Integration

    Security topics are relevant for the following phases:

    - Installation and Upgrade
    - Configuration
    - Operation

    Recommendation

    Use this guide during all phases. For a detailed overview of which documentation is relevant for each phase, see also SAP Note 1088980. Refer to the documents described in this note.

    More Information

    For a complete list of the available SAP Security Guides, see the SAP Service Marketplace: http://service.sap.com/securityguides

  • 2 Getting Started

    What is this guide about? This guide does not replace the daily operations handbook that we recommend customers to create for their productive operations. With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security requirements also apply to SAP Solution Manager. This guide helps you to secure your system landscape. It covers the following SAP Solution Manager functions:

    - Getting Started and getting the big picture with information on the integrated functions/modularity concept, and a step by step procedure to use this guide.
    - Network and Communication Security with overviews of communication channels and destinations in your system landscape, and information on ICF Framework.
    - User Administration and Authentication with overviews of users and business partners, and information on Single Sign-On.
    - Authorizations with a detailed description of critical authorizations for the most relevant RFC connections in your system landscape, and overviews of roles for functions and scenarios. Access to the data in must be granted only for authorized users. Unfortunately, a unique and uniform security implementation that suits all possible usage scenarios does not exist. Therefore, we provide you with flexible and configurable security mechanisms, which allow you to implement the necessary security restrictions according to your requirements.
    - Work Center Navigation with mappings of the work center views onto authorization roles.
    - S-User Authorizations with information on S-users, and their authorization.
    - Service Provider and Service Provider Customer Specification with information on Service Provider-specific authorizations and security topics.
    - Background Processes with overviews of background jobs per function.
    - Traces and Logs with information on traces and log possibilities.

    2.1 Target Group of This Guide

    The target groups of this guide are readers who are already familiar with SAP Solution Manager and configuration procedures in an implementation and/or upgrade project, that is technical consultants, system administrators and/or application consultants.

    - technology consultants: working with technical processes supported by SAP software during implementation, when deciding which settings to make
    - system administrators: optimizing the system during and after implementation
    - application consultants: mapping a company's actual business processes to the processes and functions supported by SAP software during implementation, and when deciding which settings to make

    2.2 How to Use this Guide

    Depending on your general SAP and authorization-specific knowledge, start with the according sections.

    Procedure

    - If you have little or no knowledge concerning security and authorization concepts, start by reading the general documentation for authorizations at SAP. This topic is not covered in this guide and is regarded as a prerequisite.
    - Everyone, even experts, should read the topic about the modularity approach in SAP Solution Manager.
    - If you are already acquainted with the authorization concept in SAP Solution Manager, we strongly recommend reading the Document History for changes in roles and authorization objects, and in addition the Operations Guide for SAP Solution Manager on the Service Marketplace at: http://service.sap.com/instguides SAP Components SAP Solution Manager.
    - Once you have decided on the scenarios you use, read the according sections to find out about the roles you can use.
    - If you are a Service Provider, also read the chapter on Service Provider specific information.

    2.3 SAP Solution Manager Scenarios and Functions/Capabilities

    SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes and systems, within a system/platform. The product life-cycle can be regarded as a set of scenarios. A scenario is a group of business process-related functions/capabilities which support the sequential and logical relationships of processes within the life-cycle of the product. We differentiate between scenarios (for instance: Implementation/Upgrade of SAP Solutions or Service Desk), processes relating to these scenarios (for instance: Roadmap) and functions/capabilities that can be used in one or more scenarios (for example, the function/capability Document Management can be used in the scenario Implementation and/or the scenario Test Management).


    Note

    Usage data about the functions and scenarios used by the customer is sent to SAP. See: SAP Note 939897 (How to prevent this transfer).

    More Information

    If you have insufficient understanding of SAP Solution Manager and its applications, see the master guide for SAP Solution Manager in the Service Marketplace http://service.sap.com/instguides → SAP Components → SAP Solution Manager and the corresponding application help on the Help Portal http://help.sap.com/solutionmanager.

    2.4 Integration of Functions/Capabilities

    The life cycle of a product comprises various phases, such as implementation, operation, upgrade, and so on. Tools can be used to realize a process within these phases. The tools integrate strongly with each other to support seamless document and information flow over the whole life cycle. The work center approach demonstrates this integration. To realize this integrated approach and at the same time allow you the freedom to build and configure according to your company's needs, configuration and SAP template roles are function/capability-related. Configuration and authorizations for integrated functions are based on a modular approach.

    Example

    All delivered template roles for end users contain only authorizations that are relevant for the function/capabilities they describe. Therefore, roles of different functions/capabilities can be assigned to one user. You must know which one you want to use.

    Before you can work with a scenario/function in the Solution Manager systems, you need to make all relevant systems, databases, and servers known, and maintain primary units such as solutions and logical components, and your business processes. This guide refers to all these as infrastructure. The appendix of this guide contains a detailed definition of these terms. Infrastructure comprises all entities that are the basis for scenarios.

    Example

    Roles are structured according to functions/capabilities in scenarios and infrastructure. Roles for infrastructure include roles for systems, roles for solutions, roles for Service Data Control Center, and so on.


    Prerequisites

    For a detailed description of scenarios and functions/capabilities, see the master guide for SAP Solution Manager http://service.sap.com/instguides → SAP Components → SAP Solution Manager.

    2.5 Links for Additional Components on Service Marketplace

    Your Solution Manager system is the platform for administrative tasks in implementing, operating and upgrading systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. The following table gives you an overview of these additional components.

    Recommendation

    To ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation.

    Features

    Additional Components

    Component | Where in the Service Marketplace? | IMG Activities and Other Information Sources
    System Landscape Directory (SLD) | http://service.sap.com/sld or http://sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory | Information and Configuration Prerequisites SLD (technical name: SOLMAN_SLD_INFORMATI)
    Software Life-Cycle Manager (SLM) | http://service.sap.com/slm and http://help.sap.com/nw70 Functional View Solution Life Cycle Management Software Life Cycle Management | Information and Configuration Prerequisites Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)
    Adobe Document Services (ADS) | http://service.sap.com/adobe | Information and Configuration Prerequisites ADS setup (technical name: SOLMAN_ADS_INFO)
    Business Warehouse (BW) | http://service.sap.com/bi | Information and Configuration Prerequisites BW (technical name: SOLMAN_BI_CLIENT_INF)
    SAP Quality Center by HP | http://service.sap.com/solutionmanager SAP Quality Center by HP | Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)
    SAP Redwood Job Scheduling | service.sap.com/job-scheduling | Information and Configuration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN)
    One Transport Order | service.sap.com/solutionmanager Media Library Technical Papers |
    TREX | http://help.sap.com/nw2004s | Information and Configuration Prerequisites TREX (technical name: SOLMAN_TREX_INFO)
    SAP TAO | http://service.sap.com/saptao |
    Master Data Management (MDM) MDM Administration Cockpit | http://service.sap.com/mdm and http://service.sap.com/installmdm | Used in System Administration Work Center
    SAP NetWeaver Administrator | http://service.sap.com/nwa | Used in System Administration Work Center
    Adaptive Controlling (ACC) | for general information: http://sdn.sap.com/irj/sdn/adaptive; for application help, such as starting and stopping an application service: http://help.sap.com; for installation information: http://service.sap.com/instguides | Used in System Administration and System Landscape Management Work Centers
    Wily Introscope | http://bis.wdf.sap.corp:1080/twiki/bin/view/Main/IntroScope | Used in Root Cause Analysis and System Monitoring Work Center
    Information on Technical Usages | http://service.sap.com/~sapidb/011000358700001166742007E | Used in functionalities Maintenance Optimizer and Business Functions


    More Information

    For a comprehensive overview and to find out which additional components are relevant for the configuration of your scenarios, see master guide for SAP Solution Manager http://service.sap.com/instguides → SAP Components → SAP Solution Manager.

    2.6 Using SAP Solution Manager as Service Provider

    As a Service Provider, you provide services to your customers using Solution Manager. See the section Service Provider and Service Provider Customer Specification. For more information on Service Provider scenarios and definition, see the master guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides → SAP Components → SAP Solution Manager.

    2.7 How to Setup Your Authorization Concept: An Example

    For completeness, the guide includes overviews of topics, such as technical users, or RFC connections. These overviews are bundled according to functions and modularity, as described in section Integration of Functions. For example, the RFC connections overview allows you to either see all RFC connections relevant for Solution Manager and its managed systems, or check certain types of connections, such as all connections from SAP Solution Manager to SAP, or local connections. Or if you are, for instance, interested in all users for Root Cause Analysis, you can see just the Root Cause Analysis subsection in the technical users overview.

    As security topics are closely connected to configuration tasks, we refer to related sections of the SAP Implementation Reference Guide (IMG) in transaction SPRO, if appropriate.

    How you use this guide depends largely on your individual needs. If you are interested in one function and all related security topics, you would look into each section and especially for your topic. For instance, if you are interested in System Monitoring using a work center in SAP NetWeaver Business Client, see the sections on technical users for System Monitoring, roles for System Monitoring and System Monitoring work center, where you find the overviews of what you need for System Monitoring. To integrate this information into your configuration procedure, use the SAP Reference IMG.

    The following step by step procedure gives you an outline of how to secure your network, according to your system landscape settings, and create roles according to your company's security requirements.


    Procedure

    Step | Description | Remarks
    1 | Define your system landscape | See master guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager
    2 | Define the scenarios and functions you use | See master guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager
    3 | Define which additional components are needed | See master guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager
    4 | Get to know the concept of integration of functions | See this guide, section Integration of Functions
    5 | Create configuration user in managed systems | A configuration user must be created in the managed system.
    6 | Assign authorizations to the configuration user in the managed system | See the section Roles for Basic Configuration in Managed Systems
    7 | Configure basic settings using roles for basic settings configuration | See configuration guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager (section Basic Settings) and section Roles for Basic Configuration in Solution Manager. Note: Involves creation of technical users and so on.
    8 | Check your network and communication security | See section Network and Communication Security
    9 (Recommendation) | Create an IMG project for the functions and scenarios you want to configure | See configuration guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager, section Scenario-Specific and/or Service Provider-Specific Settings
    10 (Recommendation) | Create roles for scenario-specific functions | See configuration guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager, section Scenario-Specific and/or Service Provider-Specific Settings, and section Creating Roles for Scenario-Specific Configuration in Solution Manager
    11 | Configure scenario-specific functions for your scenarios | Use IMG project. Note: Without an IMG project, use transaction SPRO.
    12 | Assign work center navigation roles (including work center authorization role SAP_SMWORK_BASIC) to your end users | See section Work Center Navigation
    13 | Develop your own authorization concept | See section Authorization Concept
    14 | Develop your own authorization roles per function on basis of SAP-delivered template roles | See section Authorization Roles and Profiles for End Users
    15 | Assign authorization roles to your users using the mapping tables for work center navigation roles, and authorization roles to your end users | See section Work Center Navigation

    Example

    System Monitoring (including KPI Reporting and IT Performance Reporting) using the work center approach on SAP NetWeaver Business Client.

    Caution

    This example is a suggestion of how to configure this scenario from a security-relevant perspective. The same example, from a configuration-relevant perspective, is used in the configuration guide.

    Step | Description | Remarks
    1 | Define your system landscape | Two productive managed systems, SLD, BW client is Solution Manager client
    2 | Define which scenarios and functions you use | System Monitoring and Reporting; Service Desk for message creation
    3 | Define which additional components are needed | System Landscape Directory, see section Links to Additional Components in the Service Marketplace
    4 | Get to know the concept of integration of functions | System Monitoring (sessions); KPI Reporting and IT Performance Reporting (BW); work center for System Monitoring; Service Desk message creation; SAP NetWeaver Business Client
    5 | Create configuration user in Solution Manager system and managed systems | Create configuration user (for instance: SOLMAN_ADMIN) in managed systems
    6 | Assign authorizations to the configuration user in the managed system | Assign roles to configuration user: for authorization object S_RFCACL; SAP_SDCCN_ALL
    7 | Configure basic settings using roles for basic settings configuration | Use of automatic basic settings configuration via SOLMAN_SETUP (role for configuration user SOLMAN_ADMIN is generated automatically). Includes the setup of Solution Manager and of both managed systems
    8 | Check your network and communication security | Check RFC connections from Solution Manager to managed systems, RFC connection from managed system to Solution Manager, RFC connections from Solution Manager to SAP, and so on; check SSL settings
    9 | Create an IMG project for the functions and scenarios you want to configure | Create an IMG project for IMG node System Monitoring and Service Desk in transaction SPRO_ADMIN
    10 | Create roles for scenario-specific functions | Create role for IMG project (or use profile SAP_ALL), and assign it to your configuration user. Note: For cross-scenario configuration, see the IMG activity for additional roles such as: SAP_SM_BI_EXTRACTOR, SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP
    11 | Configure scenario-specific functions for your scenarios | See created IMG project
    12 | Assign work center navigation roles, including work center authorization role (SAP_SMWORK_BASIC), to your end users | Assign roles as described: SAP_SMWORK_SYS_MON; SAP_SMWORK_BASIC
    13 | Develop your own authorization concept | Customer-specific
    14 | Develop your own authorization roles per function on basis of SAP-delivered template roles | Assign copies of roles (for System Monitoring and Service Desk) to your end users, according to your customer concept: SAP_SMSY_*; SAP_SM_SOLUTION_*; SAP_OP_DSWP_SM; SAP_SETUP_DSWP_SM; SAP_SM_BI_EXTRACTOR; SAP_BW_CCMS_REPORTING; SAP_SUPPDESK_CREATE
    15 | Assign authorization roles to your users using the mapping tables for work center navigation roles and authorization roles, to your end users |
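    Steps 12 and 14 of the example can be checked against a user-to-role export. The following is an added example, not part of the SAP guide: the export layout, the user names other than SOLMAN_ADMIN, and the convention that a customer copy is named Z plus the template name are assumptions, and the sample export is constructed.

```python
from fnmatch import fnmatchcase

NAVIGATION_ROLES = ("SAP_SMWORK_BASIC", "SAP_SMWORK_SYS_MON")   # step 12
TEMPLATE_PATTERNS = (                                            # step 14
    "SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_OP_DSWP_SM", "SAP_SETUP_DSWP_SM",
    "SAP_SM_BI_EXTRACTOR", "SAP_BW_CCMS_REPORTING", "SAP_SUPPDESK_CREATE",
)
CONFIG_USERS = {"SOLMAN_ADMIN"}   # configuration user from step 5
COPY_PREFIX = "Z"                 # assumption: a copy is named Z + template name

# Constructed sample export, one "user;kind;name" record per line (hypothetical layout).
SAMPLE_EXPORT = """\
SOLMAN_ADMIN;PROFILE;SAP_ALL
MONITOR01;ROLE;SAP_SMWORK_BASIC
MONITOR01;ROLE;SAP_SMWORK_SYS_MON
MONITOR01;ROLE;ZSAP_SMSY_DISP
MONITOR01;ROLE;ZSAP_OP_DSWP_SM
MONITOR02;ROLE;SAP_SMWORK_SYS_MON
MONITOR02;ROLE;SAP_SM_SOLUTION_ALL
MONITOR02;PROFILE;SAP_ALL
MONITOR03;ROLE;SAP_SMWORK_BASIC
MONITOR03;ROLE;SAP_SMWORK_SYS_MON
MONITOR03;ROLE;ZSAP_SUPPDESK_CREATE
MONITOR03;ROLE;Z_EXAMPLE_FINANCE
"""


def parse_export(text):
    """Return {user: {"ROLE": set, "PROFILE": set}} from the export text."""
    assignments = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, kind, name = (field.strip() for field in line.split(";"))
        held = assignments.setdefault(user, {"ROLE": set(), "PROFILE": set()})
        held.setdefault(kind, set()).add(name)
    return assignments


def is_template(role):
    """True if the role is one of the SAP-delivered templates named in step 14."""
    return any(fnmatchcase(role, pattern) for pattern in TEMPLATE_PATTERNS)


def is_template_copy(role):
    """True if the role follows the assumed naming for a customer copy."""
    return role.startswith(COPY_PREFIX) and is_template(role[len(COPY_PREFIX):])


def audit(assignments):
    """Return sorted (user, finding, object) tuples for end users."""
    findings = []
    for user, held in assignments.items():
        if user in CONFIG_USERS:
            continue  # step 10 allows SAP_ALL for the configuration user
        for role in NAVIGATION_ROLES:
            if role not in held["ROLE"]:
                findings.append((user, "MISSING_NAVIGATION_ROLE", role))
        for role in held["ROLE"]:
            if role in NAVIGATION_ROLES or is_template_copy(role):
                continue
            # Step 14 asks for copies, so an unmodified template is reported.
            code = "TEMPLATE_NOT_COPIED" if is_template(role) else "OUTSIDE_SCENARIO"
            findings.append((user, code, role))
        if "SAP_ALL" in held["PROFILE"]:
            findings.append((user, "SAP_ALL_PROFILE", "SAP_ALL"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(*finding)
```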


    3 System Landscape

    3.1 Technical System Landscape

    SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager you need SAP GUI, Web Browser or SAP NetWeaver Business Client (NWBC) (for work center functionality). Communication with other systems is via RFC technology and web services.

    More Information

    For a detailed view of the overall system architecture of SAP Solution Manager, see master guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides → SAP Components → SAP Solution Manager.


    4 Network and Communication Security

    This section gives an overview of the communications concept for SAP Solution Manager, including sections on topics related to HTTP connections and RFC connections.

    When transmitting sensitive data between components or servers, you have to prevent eavesdropping. The way to achieve this in open environments is to rely on message level security (see the Quick Guide to Message Level Security). For intra-company scenarios, which may nevertheless use the internet as a communication platform, it is sufficient to use cryptography to secure the communication channel. [...] authentication, and encryption.

    Depending on the platform your application is running on, you might consider using SSL, SNC, or VPNs. The Secure Sockets Layer (SSL) protocol is a protocol layer placed between a reliable connection-oriented network-layer protocol (for example TCP/IP) and the application protocol layer (for example HTTP). SSL provides secure communication between a client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy.

    Secure Network Communication (SNC) is SAP's implementation of the Generic Security Services Interface (GSS-API). SNC provides message authenticity, integrity, and confidentiality between application servers, the Windows SAPGui, and RFC programs.

    Virtual Private Networks (VPNs) extend a closed network to machines outside of the network by implementing a network of secure links over a public IP infrastructure. VPN implementations typically fall into three categories: intranet, extranet, and secure remote access. Within each of these three categories there needs to be some element of access control, authentication, and encryption. VPNs can be static or dynamic. Static VPNs run permanently. Dynamic VPNs operate on demand and are more commonly used for mobile workers and telecommuters.

    4.1 Network Topology

    Your network infrastructure must protect your system. It needs to support the communication necessary for your business and your needs, without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system's database or files. Additionally, if users are able to connect to the server LAN (local area network), they can exploit well-known bugs and security holes in network services on the server machines. The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.


    Recommendation

    The security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.

    4.2 Communication Channels

    The table below shows the communication channels used by SAP Solution Manager, the protocol used for the connection, and the type of data transferred.

    Features

    Communication Channels

    Communication Channel | Protocol | Type of Data Transferred / Function
    Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services
    Solution Manager to managed systems and back | RFC | For more information, see section RFC Connections
    Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)
    Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
    Solution Manager Service Desk to/from Third Party Service Desks | SOAP over HTTP(S) | Problem messages
    Solution Manager to/from Quality Center by HP | SOAP over HTTP(S) | Test requirements (send and receive data); Defect Management
    SAP CPS | SOAP over HTTP(S) | Job Scheduling Management
    SAP Productivity Pak by RWD | SOAP over HTTP(S) | Document Management
    BMC AppSight for SAP Client Diagnostics | SOAP over HTTP(S) |
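    The protocol listed for a channel decides which of the protections named in section 4 (SSL, SNC, or a protected network segment) has to be in place. The following check is an added example, not part of the SAP guide; it runs that mapping over an endpoint inventory. The inventory layout, the host and destination names and the finding codes are assumptions, and the sample inventory is constructed.

```python
from urllib.parse import urlsplit

# Protocol per channel, as listed in the guide's Communication Channels table.
GUIDE_CHANNELS = {
    "Solution Manager to OSS": "RFC",
    "Solution Manager to managed systems and back": "RFC",
    "Solution Manager to managed systems within customer network": "FTP",
    "Solution Manager to SAP Service Marketplace": "HTTP(S)",
    "Solution Manager Service Desk to/from Third Party Service Desks": "SOAP over HTTP(S)",
    "Solution Manager to/from Quality Center by HP": "SOAP over HTTP(S)",
    "SAP CPS": "SOAP over HTTP(S)",
    "SAP Productivity Pak by RWD": "SOAP over HTTP(S)",
    "BMC AppSight for SAP Client Diagnostics": "SOAP over HTTP(S)",
}

# Constructed inventory: for RFC channels the endpoint is a destination name
# and "snc" records whether SNC is switched on for it (hypothetical layout).
SAMPLE_INVENTORY = [
    {"channel": "Solution Manager to OSS", "endpoint": "SAPOSS", "snc": False},
    {"channel": "Solution Manager to managed systems and back",
     "endpoint": "SM_EXAMPLE_BACK", "snc": True},
    {"channel": "Solution Manager to managed systems within customer network",
     "endpoint": "ftp://192.0.2.10/"},
    {"channel": "Solution Manager to SAP Service Marketplace",
     "endpoint": "https://service.sap.com/"},
    {"channel": "SAP CPS", "endpoint": "http://cps.example.com:8080/scheduler"},
    {"channel": "Solution Manager to/from Quality Center by HP",
     "endpoint": "HTTPS://qc.example.com/qcbin"},
    {"channel": "Nightly report export", "endpoint": "http://reports.example.com/"},
]


def check_entry(entry):
    """Return a (channel, finding, endpoint) tuple, or None if nothing to report."""
    channel, endpoint = entry["channel"], entry["endpoint"]
    protocol = GUIDE_CHANNELS.get(channel)
    if protocol is None:
        return (channel, "NOT_IN_GUIDE", endpoint)
    if protocol == "RFC":
        # RFC carries no encryption of its own; SNC is the protection named for it.
        return None if entry.get("snc", False) else (channel, "RFC_WITHOUT_SNC", endpoint)
    scheme = urlsplit(endpoint).scheme.lower()
    if protocol == "FTP":
        if scheme != "ftp":
            return (channel, "PROTOCOL_MISMATCH", endpoint)
        # FTP is cleartext, so the channel depends on the network it crosses.
        return (channel, "FTP_NEEDS_NETWORK_PROTECTION", endpoint)
    # Remaining protocols are HTTP(S) and SOAP over HTTP(S).
    if scheme == "https":
        return None
    if scheme == "http":
        return (channel, "CLEARTEXT_HTTP", endpoint)
    return (channel, "PROTOCOL_MISMATCH", endpoint)


def audit_channels(inventory):
    """Check every inventory entry and keep the findings in inventory order."""
    return [finding for finding in map(check_entry, inventory) if finding]


if __name__ == "__main__":
    for finding in audit_channels(SAMPLE_INVENTORY):
        print(*finding, sep=" | ")
```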

    4.3 Communication Destinations

    The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal).


    Features

    RFC Connections from SAP Solution Manager to Managed Systems

    RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
    SM_CLNT_LOGIN (ABAP connection) | Managed System | Customer-specific | Customer-specific |  | System Monitoring, and Implementation and Distribution | Transactions SMSY or SOLMAN_SETUP
    SM_CLNT_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_ (automatically generated, can be defined by customer via transaction SMSY) | For read access for functions such as: System Monitoring, Business Process Operations, Implementation and Distribution, Service Desk (Business Partners: see IMG activity: Create Key Users SOLMAN_SUP_BUSPART) | Transaction SMSY or SOLMAN_SETUP
    SM_CLNT_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific |  | System Monitoring and Implementation and Distribution | Log on through a trusted connection; transaction SMSY or SOLMAN_SETUP
    SM_CLNT_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW (automatically generated, can be defined by customer via transaction SMSY) | Creating, releasing transport requests | Transaction SMSY or SOLMAN_SETUP
    BW, if BW is Managed system CLNT | Managed System | System-specific | System-specific | For instance ALEREMOTE (customer-specific) | BW-relevant scenarios: Root Cause Analysis; System Monitoring (IT Performance Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY)
    BW, if BW is Managed system CLNTDIALOG | Managed System | System-specific | System-specific | Administrator of managed system (customer-specific) | BW-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY)

    _RZ20_


    RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created
    SM_CLNT_BACK (ABAP connection) | Solution Manager System | Customer-specific | Customer-specific | Default user: SMB_ (automatically generated, can be defined by customer via transaction SMSY) | Send Service Desk messages, send session data, check locked customizing objects; Service Desk, System Monitoring (EarlyWatch Alert), and Implementation and Distribution | Transaction SMSY or SOLMAN_SETUP
    HELP_CENTER_TO_SOLMAN | Solution Manager System | Customer-specific | Customer-specific | Customer-specific | Technical User for writing access to Knowledge Warehouse in Solution Manager | Transaction SU01

    Note

    The System Monitoring scenario provides support for functions such as Service Level Reporting, EarlyWatch Alert, and System Monitoring. For instance, EarlyWatch Alert contains data on system health. The data is collected automatically in the managed system, sent via RFC to the Solution Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a managed system into a Solution Manager system, but your managed system has no RFC connection to the Solution Manager system, see SAP Note 657306.

    RFC Connections from SAP Solution Manager to SAP

    RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
    SAPOSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction OSS1
    SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP (function: Service Desk), synchronize system data with Support Portal and send data about managed systems; transfer of solution, issue data; transfer feedback to SAP (function: Delivery of SAP Services), Service Connection, product data download | Transaction SOLUTION_MANAGER; menu path: Edit Global Settings
    SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Retrieve information about which messages have been changed at SAP (function: Service Desk) | Created in transaction SM59
    SDCC_OSS (ABAP connection) | See SAP Note 763561 |  |  |  | Used by the Service Data Control Center to communicate with the SAP Support Portal frontend system; update Service Definitions (functions: System Monitoring for EWA and Service Plan) | User is a copy of the SAPOSS connection to SDCC_OSS; user SDCC_NEW with default password: download. Note: If SDCCN is used locally, that is Solution Manager is not Master System, SDCC_OSS is created automatically in the managed system;
    SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 |  | Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan) | A copy of the SAPOSS connection to SAPNET_RFC
    SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL), (function in SAP Engagement and Service Delivery) | Created automatically by RTCCTOOL, copy of SAPOSS
    SM_SP_ | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Service Provider functionality | Automatically created, see IMG activity Set Up SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO)

    Local Connections

    Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks
    BW, if BW client is the productive Solution Manager client CLNT |  |  |  | For instance ALEREMOTE (customer-specific) | BW-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting, KPI Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY)
    WEBADMIN Jco |  |  |  | SMD_RFC | Root Cause Analysis | Role SAP_SOLMANDIAG_E2E (profile: S_SMDIAG_E2E) automatically assigned to user during configuration
    BPM_LOCAL_ |  |  |  | SM_BPMO (customer-specific) | Business Process Operations | RFC is created during Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name: SOLMAN_BPM_RFC_LOCAL)

    CCMSPing RFC Connection

    RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks
    CCMSPING. | Registered Server Program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING; system availability overview in System Monitoring work center; IT Performance Reporting | User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Configuration Prerequisites for setting up a central monitoring system CEN (technical name: SOLMAN_INPERF_CCMS)

    System Landscape Directory (SLD) RFC Connections


    RFC Destination Name | Activation Type | Use (Scenario) | How Created
    SLD_UC (Unicode); analogous: SLD_NUC (Non-Unicode) | Registered Server program (program: SLD_UC), analogous to SLD_NUC | General infrastructure using SLD | Automatically created
    SAPSLDAPI | Registered Server program (program: SAPSLDAPI_) | General infrastructure using SLD | Copy of SLD_UC or SLD_NUC

    TREX RFC Connections

    RFC Destination Name | Activation Type | Use (Scenario) | How Created
    TREX_ (ABAP connection) | Registered Server Program (program TREXRfcServer_) | Service Desk (Solution Database), SAP Engagement and Service Delivery (Issue Management) |
    IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) |  |
    IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) | Document Management (projects) | Transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO)

    Internet Graphics Server (IGS) RFC Connection

    RFC Destination Name | Activation Type | Use (Scenario) | How Created
    GFW_ITS_RFC_DEST | Registered Server program (program: IGS.) | All functions that use a graphical display, for instance: Root Cause Analysis, EarlyWatch Alert Reports, Service Level Reports, BW Reporting | Transaction SM59

    More Information

    - About configuring RFC connections from Solution Manager to managed systems, see IMG activity Generate RFC Connections to/from Managed Systems (technical name: SOLMAN_GENERATE_RFCS)

    - About configuring RFC connections from Solution Manager to SAP, see IMG activities under node Connection to SAP

    - About connections from Solution Manager to SAP, see IMG activity Information and Configuration Prerequisites for Connections to SAP (technical name: SOLMAN_VAR_INFORM)


    4.4 Internet Communication Framework

    Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. They are based on HTTP protocol. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) for communication between systems through the Internet. You do not need any additional SAP program libraries. The only condition is that your system platform is Internet-compliant. This gives you a maximum amount of flexibility in responding to varying communication requirements. Communication through the ICF has the following benefits:

    - Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces. You can change default settings for services if you do not maintain an HTTPS connection and you are required to enter your user and password (message in the logon screen: No Switch to HTTPS occurred, so it is not secure to send a password):
        1. Choose transaction SICF and the corresponding service (/default_host/sap/bc/webdynpro).
        2. Select tab Error Pages and choose the button Configuration.
        3. Change the protocol selection.
        4. Save.

    - Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location.

    Caution

    SAP delivers all ICF services inactive, for security reasons.

    - Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.

    4.5 Secure Socket Layer (SSL) for HTTP Connections

    Secure Socket Layer (SSL) allows you to create secure connections for HTTP.

    Caution

    You must set up SSL for SAP NetWeaver ABAP and Java (for instance: Maintenance Optimizer and SLM). See SAP Note 1138061.


    Features

    To set up SSL in your system, follow the procedure described in SAP Note 510007. See also the installation guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager .

    Note

    To check if SAP Cryptolib has been successfully implemented, run program SSF02. Set the flag getversion and choose execute. The system displays the current version of SAP Cryptolib.

    Constraints

    SSL only provides a secure channel between partners communicating directly in a network. SSL protects the messages only while in transit, but offers no security for (XML) data in storage.

    More Information

    on: Maintenance Optimizer (SLM), see IMG activity Information and Configuration Prerequisites for Maintenance Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO).

    Further Information on SSL

    | Information Source | Remarks |
    |---|---|
    | SAP Note 510007 | Setting Up SSL on the Web Application Server (Procedure to set up SSL) |
    | SAP Note 1000000 | Web Dynpro ABAP FAQ (General authorization checks for services and application are available over the ICF) |
    | SAP Note 1153116 | |
    | SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (If you create an error message for Web Dynpro ABAP under component BC-WD-ABA, see the checklist in SAP Note) |
    | SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT |
    | Application help for security topics connected to ICF services | help.sap.com/nw07 |
    | Installation guides | service.sap.com//instguides SAP Components SAP Solution Manager |
    | System security for SAP NetWeaver ABAP and Java (Help setting up system security for ABAP and Java) | service.sap.com/security Media Library Literature |


    4.6 HTTP Connect Service for SAP Support

    Due to the firewall between customer and SAP systems, it is not possible to display pages of BSPs or Web Dynpro applications in SAP Solution Manager using standard service or support connections. To receive support from SAP for these technology types, you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note 1072324. You need to maintain this connection for on-site and remote support. Secure this HTTP connection for remote support with HTTPS.

    4.7 File Transfer Protocol (FTP)

    FTP is a network protocol used to send data from one computer to another through a network such as the Internet. You use FTP for the SAProuter permission table.

    Recommendation

    We recommend protecting FTP communication with SAPFTP, using Secure Socket Shell (SSH). For more information, see SAP Note 795131.

    More Information

    on the configuration task involved, see IMG activity Maintain Router Permission Table (technical name: SOLMAN_SAPROUTER).

    4.8 Required TCP/IP Ports

    The following ports have to be opened up in your firewall, prior to installation.

    Recommendation

    Put the SAP Solution Manager system in the same subnet or DMZ as your managed landscape. If you manage systems in different subnets, adapt your security settings and firewall accordingly.

    Features

    Ports for Communication to SAP Solution Manager

    Established Connection

    | From Hosts/Source Host | To Host/Destination Host | Service on Destination Host (Protocol) | Format (example) |
    |---|---|---|---|
    | Outside (or DMZ) | Diagnostics Server | J2EE engine (HTTP) | 500 (50100) |
    | Outside (or DMZ) | Diagnostics Server | ITS (HTTP) | 80 (8000) |
    | Outside (or DMZ) | Diagnostics Server | Introscope Manager (HTTP) | Default: 8081 |
    | Diagnostics Server | Diagnostics Server | IGS (HTTP) | 480 (40180) |
    | All managed systems (Diagnostics Agent) | Diagnostics Server | J2EE engine (P4) | 504 (50104) |
    | All managed systems (Diagnostics Agent) | Diagnostics Server | Message Server (HTTP) (Note: not 36XX) | 81 (8101) |
    | All managed systems (Introscope Agent) | Diagnostics Server | Introscope Enterprise Manager (TCP/IP) | Default: 6001 |

    Ports for Communication with Managed Systems

    Established Connection

    | From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Format (example) |
    |---|---|---|---|
    | Outside (or DMZ) | All managed systems | J2EE engine (HTTP) | 500 (50200) |
    | Outside (or DMZ) | All managed systems | ITS (HTTP) | 80 (8000) |
    | All managed systems (Diagnostics Agent) | Associated managed systems | J2EE engine (P4) | 504 (50204) |

    More Information

    on the current list of ports used by SAP, in the SAP Service Marketplace: service.sap.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications .
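
    The port tables above can be expanded into concrete ports and compared with the firewall allowlist on the Solution Manager host. This is an added example, not part of the SAP guide: the NN instance-number patterns are an assumption inferred from the example values in the tables (50100, 8000, 40180, 50104, 8101), and the zone labels, instance numbers and firewall rules are constructed.

```python
from __future__ import annotations

from typing import NamedTuple, Optional

# Port formats, NN = two-digit instance number. Assumption: inferred from the
# example values in the guide's tables (50100, 8000, 40180, 50104, 8101).
FORMATS = {
    "J2EE engine (HTTP)": "5{nn}00",
    "ITS (HTTP)": "80{nn}",
    "IGS (HTTP)": "4{nn}80",
    "J2EE engine (P4)": "5{nn}04",
    "Message Server (HTTP)": "81{nn}",
}
# Fixed defaults listed in the table.
DEFAULTS = {
    "Introscope Manager (HTTP)": 8081,
    "Introscope Enterprise Manager (TCP/IP)": 6001,
}
# Rows of "Ports for Communication to SAP Solution Manager" as (source zone,
# service); the zone labels are hypothetical names for the table's source hosts.
TO_SOLMAN = [
    ("outside", "J2EE engine (HTTP)"),
    ("outside", "ITS (HTTP)"),
    ("outside", "Introscope Manager (HTTP)"),
    ("diagnostics-server", "IGS (HTTP)"),
    ("managed", "J2EE engine (P4)"),
    ("managed", "Message Server (HTTP)"),
    ("managed", "Introscope Enterprise Manager (TCP/IP)"),
]


class Rule(NamedTuple):
    """One inbound allow rule on the Solution Manager host (constructed model)."""
    source: str
    first_port: int
    last_port: int


def port_for(service: str, instance: Optional[int] = None) -> int:
    """Return the destination port for a service and its instance number."""
    if service in DEFAULTS:
        return DEFAULTS[service]
    if instance is None or not 0 <= instance <= 99:
        raise ValueError(f"{service}: instance number 00-99 required")
    return int(FORMATS[service].format(nn=f"{instance:02d}"))


def required_flows(instances: dict[str, int]) -> set[tuple[str, int]]:
    """Expand the table rows into concrete (source zone, port) pairs."""
    return {(src, port_for(svc, instances.get(svc))) for src, svc in TO_SOLMAN}


def audit(rules: list[Rule], required: set[tuple[str, int]]):
    """Return (required flows no rule allows, rules opening more than needed)."""
    def covers(rule: Rule, flow: tuple[str, int]) -> bool:
        return rule.source == flow[0] and rule.first_port <= flow[1] <= rule.last_port

    missing = sorted(f for f in required if not any(covers(r, f) for r in rules))
    too_broad = [
        r for r in rules
        if r.last_port - r.first_port + 1 > sum(covers(r, f) for f in required)
    ]
    return missing, too_broad


# Constructed sample: instance numbers and allow rules for one landscape.
SAMPLE_INSTANCES = {
    "J2EE engine (HTTP)": 1, "ITS (HTTP)": 0, "IGS (HTTP)": 1,
    "J2EE engine (P4)": 1, "Message Server (HTTP)": 1,
}
SAMPLE_RULES = [
    Rule("outside", 50100, 50100),
    Rule("outside", 8000, 8100),  # a range where only two ports are needed
    Rule("diagnostics-server", 40180, 40180),
    Rule("managed", 50104, 50104),
    Rule("managed", 6001, 6001),  # the message server port has no rule
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES, required_flows(SAMPLE_INSTANCES))
    for src, port in missing:
        print(f"missing: {src} -> tcp/{port}")
    for rule in too_broad:
        print(f"too broad: {rule.source} {rule.first_port}-{rule.last_port}")
```

    A rule is reported as too broad when it opens more ports than the table requires from that source, which keeps the allowlist aligned with the guide's list instead of with convenient ranges.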


    5 User Administration and Authentication

    The SAP Solution Manager uses the user management and authentication mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver ABAP. If you use Root Cause Analysis, the user management and authentication mechanisms provided by SAP NetWeaver Java are also used, so the security recommendations and guidelines for user administration and authentication, as described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide, also apply to SAP Solution Manager. We also provide a list of the standard users required to operate the Solution Manager. As the mechanisms provided by the SAP NetWeaver AS Java only apply for Diagnostics, see its guide in the Service Marketplace: http://service.sap.com/diagnostics .

    Technical users are usually created automatically. Third-party users are always created manually. User overviews are classified according to whether they are created in the Solution Manager system or in the managed system.

    5.1 User Management Tools

    User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver ABAP and Java tools (ABAP: SU01 and Java: UME), user types, and password policies. As SAP Solution Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of the Java stack is to be configured against the ABAP stack.

    Features

    Tools Overview

    | Object | Recommended Tool | Remarks |
    |---|---|---|
    | Users (Note: If user administration is performed centrally, the administration tool is the central user administration (CUA)) | transaction SU01 | User Management in the ABAP system(s). Caution: For password security information, see SAP Note 862989 (NW ABAP 7.0) |
    | PFCG roles | transaction PFCG | Note: User Comparison feature was corrected, see SAP Note 1272331 |
    | J2EE security roles and UME roles (only applies to Java application, for instance Root Cause Analysis) | UME and the Visual Administrator | Administration console to manage UME roles, and administration tool of the Java Application Server, to manage J2EE security roles. Both of these tools are part of SAP NetWeaver Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in SAP NetWeaver Java. |

    Integration

    Recommendation

    You should use transaction SU01 to create users, and transaction PFCG to assign users to roles.

    More Information

    on UME conversion, see IMG activity: Convert UME (technical name: SOLMAN_CHANGE_UME)

    5.2 Secure Storage

    The secure storage stores encoded data, for instance access data of systems, SLD, SAP Portal connection, and so on. The system uses the installation number of the system and the system ID when creating the key for the secure storage.

    Caution

    If one or more of these values change, the system can no longer read the data in the secure storage.

    More Information

    SAP Note 816861 and SAP Note 1027439.

    5.3 Technical/Dialog Users Created/Used in Solution Manager System Configuration

    The users in the following tables are created automatically or manually during configuration. The overviews are structured by main functions/scenarios. Some users are relevant for more than one scenario and are therefore mentioned more than once. Some users have already been created during the installation process, such as:

    - SAPJSF
    - J2EE_ADMIN
    - J2EE_GUEST
    - DDIC
    - ADSUSER
    - ADS_AGENT
    - SLDDSUSER
    - SLDAPIUSER

    Note

    If your security policy does not permit the automatic creation of generic users, you need to create them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use the Central User Administration (CUA), you need to create them manually.

    Features

    User for RFC Connection BACK (Infrastructure)

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SMB_ | System User | Technical user Back User; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display; see section: RFC Connections READ, TMW, BACK. Note: The role ZSOLMAN_BACK is created from a template during automatic basic settings configuration. |

    Users for General Infrastructure Set-up

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SOLMAN_ADMIN (customer-specific) | Dialog User | User created for basic settings configuration by automatic basic configuration, via transaction SOLMAN_SETUP; see section Roles for Basic Configuration in Solution Manager |
    | SOLMAN_BTC (customer-specific) | System User | User created for background processing by automatic basic configuration, via transaction SOLMAN_SETUP; see section Roles for Basic Configuration in Solution Manager |
    | S-User (customer-specific) | User in SAP Support Portal | User to exchange problem messages with SAP; retrieve information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section S-User Authorizations |
    | OSS_RFC (CPIC) | | Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL) |
    | CTC2SM_ (automatically created) | System User | Technical user for CTC runtime, automatically created when CTC runtime is activated; responsible for communication from CTC to Solution Manager; automatically assigned profile for role SAP_SMSY_CTC_RT |
    | SM2CTC (automatically created) | System User | Technical user for CTC templates, automatically created when CTC runtime is activated. User is responsible for communication from Solution Manager to CTC, if the CTC runtime of the Solution Manager J2EE stack is called for the initial automatic basic configuration of Solution Manager; automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN |
    | DDIC | | User for execution of CTC templates |
    | SLDDSUSER (customer-specific) | Dialog User | Data Supplier user |
    | SLDAPIUSER (customer-specific) | Dialog User | User for SLD connectivity, assigned role SAP_SLD_CONFIGURATOR corresponds to J2EE security role LcrInstanceWriterLD; allows you to create, modify and delete CIM instances of the Landscape Description and Name Reservation subset (includes the LcrUser role). |

    Users for J2EE Integration (ABAP UME)

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SAPJSF (customer-specific) | Communication User | Technical user for SAP Java Security Framework (display); assigned role: SAP_BC_JSF_COMMUNICATION_RO |
    | J2EE_ADMIN (customer-specific) | Dialog User | User for J2EE administration, assigned roles: SAP_J2EE_ADMIN; SAP_BC_AI_LANDSCAPE_DB_RFC |
    | J2EE_GUEST (customer-specific) | Dialog User | User for J2EE display rights, assigned role: SAP_J2EE_GUEST |

    User for Graphical Display

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SOLARSERVICE (customer-specific) | Service User | Technical user for accessing HTTP services in the Solution Manager without login, assigned role: SAP_SOL_LEARNING_MAP_DIS; for instance for displaying HTML Learning Maps |

    Users for Business Process Operations and Job Scheduling Management Scenarios/Functions

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SM_BPMO (customer-specific) | Service User | Technical user, authorized to call managed system, assigned role: SAP_SM_BPMO_COMP |
    | CSMREG (customer-specific) | Communication User | Technical user for data collection (to get CCMS alerts) for Business Process Operations; created in transaction RZ10; assigned role SAP_BC_CSMREG; automatically assigned during creation |
    | ADSUSER (customer-specific) | Service User | Technical user for basic authentication ADS |
    | ADS_AGENT (customer-specific) | Service User | Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles: SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS)); SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems) |

    Users for Root Cause Analysis Scenario/Function

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SMD_RFC | Communication User | Technical user, set in WEBADMIN JCo RFC destination, for communication between ABAP stack and Java stack; roles: SAP_SOLMANDIAG_E2E (profile S_SMDIAG_E2E) automatically assigned during configuration of Root Cause Analysis; SAP_BI_E2E (profile S_SMDIAG_BI) |
    | SMD_BI_RFC | Communication User | Technical user for BW communication, in case BW is implemented in another SAP Solution Manager client or BW system |
    | SMD_ADMIN | Communication User | Technical user, needed by agent to connect to Root Cause Analysis; automatically assigned role: SAP_J2EE_ADMIN |
    | SAPSUPPORT | Dialog User | User created for SAP Engagement and Service Delivery by automatic basic settings configuration, via transaction SOLMAN_SETUP; see section User SAPSUPPORT |

    Users for Service Desk Scenario/Function

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SMB_ Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well. Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK | System User | Technical user Back User; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display; see section: RFC Connections READ, TMW, BACK |
    | S-User (customer-specific) | User in SAP Support Portal | Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section: S-User Authorizations |

    Users for Change Control (Maintenance Optimizer) Scenario/Function

    | User (Password) | Type | Remarks |
    |---|---|---|
    | S-User (customer-specific) | User in SAP Support Portal | Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section S-User Authorizations |

    Users for SAP Engagement and Service Delivery Scenario

    | User (Password) | Type | Remarks |
    |---|---|---|
    | S-User (customer-specific) | User in SAP Support Portal | Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section: S-User Authorizations |
    | ADSUSER | Service User | Technical user for basic authentication in ADS |
    | ADS_AGENT | Service User | Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles: SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS)); SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems) |
    | SAPSUPPORT | Dialog User | User created for Service Delivery by automatic basic configuration, via transaction SOLMAN_SETUP; see section User SAPSUPPORT |

    Users for System Administration and System Monitoring Scenario/Function

    | User (Password) | Type | Remarks |
    |---|---|---|
    | ALEREMOTE | Service User | SAP_SM_ALEREMOTE with profile S_BI-WX_RFC, for configuration of general settings for BW reporting (see SAP Note 150315), in case BW is implemented in another logical system |
    | SMB_ Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well. Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK | System User | Technical user Back User; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display; see section: RFC Connections READ, TMW, BACK |
    | CSMREG (customer-specific) | Communication User | Technical user for System Monitoring and BI IT Performance Reporting (Central CCMS) data collection (to get CCMS alerts); created in transaction RZ21 Technical Infrastructure Configure Central System Create User CSMREG . Role SAP_BC_CSMREG automatically assigned during creation |
    | OSLevel Administrator | OS-Level User | User to set up CCMS agents |

    Users for External Integration

    | User (Password) | Type | Remarks |
    |---|---|---|
    | Quality Center integration user (Test Management) | Service User | Technical user for web service; assigned role SAP_QC_INTERFACE |
    | Quality Center integration user (Test Management): for instance QCALIAS | System User | Technical user for WSDL access; assigned role SAP_QC_WSDL_ACCESS |
    | Quality Center integration user (Defect Management): for instance DEFECTMAN | System User | Technical user for data exchange; assigned roles SAP_SUPPDESK_INTERFACE and SAP_SUPPDESK_ADMIN |
    | CPS integration user: for instance CPSCOMM | Communication User | Technical user for communication between SAP CPS and SAP Solution Manager for Job Scheduling Management; assigned roles SAP_SM_REDWOOD_COMMUNICATION and SAP_BC_REDWOOD_COMM_EXT_SDL |
    | BMC integration user | Communication User | User for Web Service; assigned role SAP_APPSIGHT_INTERFACE |
    | External Service Desk integration user | Communication User | User for data exchange; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE |
    | SAP TAO RFC user | System User | Technical User for RFC communication between the TAO repository in the SAP Solution Manager and the TAO client, assigned role SAP_SM_BPCA_TBOM |
    | RWD InfoPak integration user | Service User | Technical user for web service; assigned role SAP_RWD_INTERFACE |

    Users for Implementation and Upgrade (Help Center Function)

    | User (Password) | Type | Remarks |
    |---|---|---|
    | SMB_ Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well. Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK | System User | Technical user Back User; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display; see section: RFC Connections READ, TMW, BACK |
    | customer-specific technical user, for instance HCUSER | Communication User | Technical User for RFC destination for Help Center functionality to be able to write in Knowledge Warehouse of Solution Manager; assigned role SAP_SM_HELP_CENTER, see section Roles for Document Management and Communication Destinations |


    More Information

    - on automated basic settings configuration of SAP Solution Manager, see configuration guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager

    - users created during installation, see installation guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager

    5.4 Technical/Dialog Users Created/Used During Configuration in the Managed Systems

    The users in the following tables are created, automatically or manually, during configuration. The overviews are structured according to main functions/scenarios. Some users are relevant for more than one scenario and are therefore mentioned more than once.

    Note

    If your security policy does not permit the automatic creation of generic users, you need to create them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use the Central User Administration (CUA), you need to create them manually.

    Features

    Users for RFC connections READ and TMW (Infrastructure)

    role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in managed systems

    User User Type Remarks

    SM_

    Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system

    System User

    Technical user, READ User, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
    assigned roles/profiles:
    - S_CUS_CMP for data read access
    - S_CSMREG for cen