Description
Security GuideDocument version: 1.1 – 2014-08-18 SAP Supplier Lifecycle Management 2.0 PUBLIC © Copyright 2014 SAP AG. Alle Rechte vorbehalten. All rights reserved. Tous droits réservés. Все права защищены. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, Speries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/ 400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way. 2 PUBLIC © Copyright 2014 SAP AG. All rights reserved. SAP Supplier Lifecycle Management 2.0 Typographic Conventions Table 1 Example Description <Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”. Example Example Arrows separating the parts of a navigation path, for example, menu options Example Emphasized words or expressions Example Words or characters that you enter in the system exactly as they appear in the documentation www.sap.com Textual cross-references to an internet address /example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web 123456 Example Hyperlink to an SAP Note, for example, SAP Note 123456 ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Example ● Cross-references to other documentation or published works ● Output on the screen following a user action, for example, messages ● Source code or syntax quoted directly from a program ● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE EXAMPLE SAP Supplier Lifecycle Management 2.0 Typographic Conventions Keys on the keyboard PUBLIC © Copyright 2014 SAP AG. All rights reserved. 3 sap.Document History Caution Before you start the implementation.0 Document History . All rights reserved.0 2014-07-28 Initial version of the Security Guide for SAP Supplier Lifecycle Management 2. Table 2 Version Date Description 1. You can find the latest version at the following location: service. The following table provides an overview of the most important document changes. make sure you have the latest version of this document.1 2014-08-18 Chapter Data Protection: Paragraphs added about blocking of personal data (business partner) and about sample configuration for read access logging (RAL). SAP Supplier Lifecycle Management 2.0.com/securityguide. 4 PUBLIC © Copyright 2014 SAP AG. 1. . . . . . . . . . . . 54 Deletion of Personal Data . . . . . . . . . . . . . . . . 29 29 31 31 6 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Before You Start . . . . . . . . . . . . . . . . . All rights reserved. . . . . . . 41 9 Internet Communication Framework (ICF) Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 13 Dispensable Functions with Impacts on Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Content 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 10 Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . .2 5. . . . . . . . . . . . . . . . . . . . . . . . . . . 7 38 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 User Administration and Authentication . . . . . . . . . . . . . . . . . 39 Communication Channel Security . . . . . . . . . . . . . . . . . . .1 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Read Access Logging . . . . . . . . . . . . . . . . . . . . .1 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Data Synchronization . . . . . . . . . . . . . . . . 8 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 14 Enterprise Services Security . . . . . . . . . . . 61 SAP Supplier Lifecycle Management 2. . . . . . . . . .1 8. . . . . . . . . . . . . . . . . 56 12 Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Communication Destinations . . . . . . . . . . . 33 7 Session Security Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Flow. and Processes . . . . . . . . . . . . .0 Content PUBLIC © Copyright 2014 SAP AG. . . . . . . . . . . 8 3 Technical System Landscape . . . . . . . . . . 10 4 Security Aspects of Data. . . . . . . . . . . User Management . . . . . . . . . 53 11 11. . . . . . . . . . . . . . . . . . . . . . . . Integration Into Single Sign-On Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 15 Security-Relevant Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 PUBLIC © Copyright 2014 SAP AG.0 . SAP Supplier Lifecycle Management 2. All rights reserved. you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. Likewise.0 Introduction PUBLIC © Copyright 2014 SAP AG. Why is Security Necessary With the increasing use of distributed systems and the Internet for managing business data. Recommendation We strongly recommend that you additionally consult the SAP NetWeaver Security Guide. Configuration Guides. or Upgrade Guides.1 Introduction Caution This guide does not replace the administration or operation guides that are available for productive operations. Technical Operation Manuals. When using a distributed system. SAP Supplier Lifecycle Management 2. the demands on security are also on the rise. This guide is not included as part of the Installation Guides. All rights reserved. whereas the Security Guides provide information that is relevant for all life cycle phases. these demands on security apply to SAP Supplier Lifecycle Management. or attempted manipulation on your system should not result in a loss of information or processing time. 7 . negligence. User errors. Such guides are only relevant for a certain phase of the software life cycle. com/securityguide on the SAP Service Marketplace.sap.2 Before You Start Fundamental Security Guides Table 3: Fundamental Security Guides Scenario. See using SRM Server 7.com/securityguide Guides SAP NetWeaver SAP Security <select the Security Guide that corresponds to your SAP SLC release> SAP Supplier Relationship Management Security Guide. see service.sap. for example for SAP ERP 6. Selected services must be activated manually.sap. 8 PUBLIC © Copyright 2014 SAP AG.com/securityguide Guides SAP Security SAP Business Suite Applications Governance SAP Master Data <select the Security Guide that corresponds to your SAP SLC release> SAP Jam Administrator Guide See help.01 or higher Guides service.0 EHP 5 See or higher Guides service.com/securityguide SAP Security SAP Business Suite Applications SAP ERP <select the Security Guide that corresponds to your SAP SLC release> Master Data Governance Security Guide See service.com/securityguide SAP Security SAP Business Suite Applications SAP SRM <select the Security Guide that corresponds to your SAP SLC release> SAP ERP Security Guide. Important SAP Notes The most important SAP Notes that apply to the security of SAP Supplier Lifecycle Management are listed in the table below: Table 4: Important SAP Notes SAP Note Number Title Comment 2027120 SAP Supplier Lifecycle Management: Add-on installation note Installing SRMSMC 200 on NW 2026551 SAP Supplier Lifecycle Management 2.com Cloud SAP Jam Administrator Guide For a complete list of the available SAP Security Guides. SAP Supplier Lifecycle Management 2. or Component Security Guide SAP NetWeaver Security Guide Most Relevant Sections or Specific Restrictions See service.0 Before You Start .sap.0 Release Information Note Installation: RIN 517484 Inactive Services in the Internet The ICF Services are inactive when SAP Web Communication Framework Application Server is installed. All rights reserved. Application.sap.sap. SAP Note Number Title Comment 1251255 Authorizations for the system user (WF- Recommendations for the user defined in BATCH) RFC destination WORKFLOW_LOCAL<client> In addition.com/notes service.com/irj/sdn/netweaver Overview of the Business Scenarios and Business Processes For an overview of the Business Scenarios and Business Processes supported by SAP Supplier Lifecycle Management.sap.sap. For more information.sap. you can find a list of security-relevant SAP Hot News and SAP Notes on SAP Service Marketplace at service.com/securityguide Related SAP Notes service.com/securityguide SAP Solution Manager service.sap.com/solutionmanager SAP NetWeaver sdn.sap. All rights reserved.sap. see SAP Help Portal at help.sap.com/pam Network Security service.com/securitynotes Released Platforms service.sap.com/securitynotes.sap.com/irj/sdn/security Security Guides service.sap. see the Quick Links as shown in the table below. Configuration The steps you must perform to configure SAP Supplier Lifecycle Management in a secure manner are mentioned in this document. see the Master Guide for SAP Supplier Lifecycle Management on SAP Service Marketplace at service.com/slc-inst. 9 .0 Before You Start PUBLIC © Copyright 2014 SAP AG.sap.com/slc <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Additional Information For more information about specific topics. Table 5: Quick Links to Additional Information Content Quick Link on the SAP Service Marketplace or SDN Security sdn. SAP Supplier Lifecycle Management 2. the system landscape for the standalone deployment is used. whereas purchasers only operate behind the firewall (buy side).0 Technical System Landscape . see the Master Guide for SAP Supplier Lifecycle Management on SAP Service Marketplace at service.sap. The following graphic gives an overview of the user interface components in SAP Supplier Lifecycle Management (SAP SLC): 10 PUBLIC © Copyright 2014 SAP AG.com/slc-inst. SAP Supplier Lifecycle Management 2. To enable communication between the buy side and the sell side.3 Technical System Landscape The following graphic gives an overview of a possible technical system landscape of SAP Supplier Lifecycle Management (SAP SLC). ● Communication via asynchronous enterprise services. using Web Services Reliable Messaging (WSRM). you have the following options: ● Point-to-Point communication via asynchronous enterprise services. As an example. mostly background RFCs (bgRFCs) For an overview of all supported deployment modes. Suppliers operate only outside the firewall (sell side). using SAP NetWeaver Process Integration (SAP NetWeaver PI) ● Remote function calls (RFCs). Figure 1: System Landscape for Standalone Deployment of SAP Supplier Lifecycle Management SAP Supplier Lifecycle Management is split into the sell side and the buy side. All rights reserved. 11 .Figure 2: User Interface Components in SAP Supplier Lifecycle Management The table below gives an overview of the user interface components used in SAP Supplier Lifecycle Management and where you can find more information in the SAP NetWeaver Security Guide that is available on the SAP Help Portal at help. SAP Supplier Lifecycle Management 2. All rights reserved.sap. SAP NetWeaver Portal Optional on the buy side.0 Technical System Landscape PUBLIC © Copyright 2014 SAP AG.com/netweaver SAP NetWeaver Platform <release> Security Information . Table 6 SAP SLC UI Component Comment Web Dynpro for ABAP Mandatory for all buy-side processes More Information SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Type Security Aspects for Usage Type DI and Other Development Technologies Web Dynpro ABAP Security Guide Business Server Pages Integral part of SAP NetWeaver (BSP) Mandatory for all sell-side SAP NetWeaver According to Usage Types processes and for evaluation and Aspects for Usage Type DI and Other Development qualification responses on the buy Technologies SAP NetWeaver Security Guide Security Guides for Security Security Aspects for BSP side. WebClient UI Framework The technical libraries from this (Web CUIF) framework are used for the SAP No further information available SLC BSP applications. You can SAP NetWeaver Security Guide Security Guides for use either the SAP NetWeaver SAP NetWeaver According to Usage Types Portal or the SAP NetWeaver Guides for Usage Types EPC and EP Business Client as a framework for Guide Security Portal Security displaying Web Dynpro/ABAP and BSP screens on the buy side. com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. we recommend that you use the SAP Web Dispatcher as an application gateway and as a reverse proxy between the Internet and your SAP Supplier Lifecycle Management system that consists of one or more SAP NetWeaver Application Servers. Here. 12 PUBLIC © Copyright 2014 SAP AG. In this way. you can either use the SAP NetWeaver Portal or call the BSP pages directly. see SAP Help Portal at help.0 Technical System Landscape . the SAP Supplier Lifecycle Management security concept follows the general SAP security standards used worldwide. you have only a single point of access for HTTP(S) requests in your system. The graphic below shows the network zones used in SAP Supplier Lifecycle Management. For more information about SAP Web Dispatcher.0 including Application Help SAP SAP NetWeaver by Key Capability UI Technology 7 Security Aspects ABAP SAP NetWeaver Business or the corresponding documentation for higher releases of SAP NetWeaver Exchange of Data with External Users The SAP Supplier Lifecycle Management security concept incorporates a demilitarized zone (DMZ) that is delimited by an inner and an outer firewall. Thus. Technology SAP Help Portal at help.sap. using the corresponding ICF services. while you can configure them to fit your requirements behind the internal firewall. An application gateway allows you to ensure that your URLs and ports for the systems are not known to users outside the external firewall.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability System Management SAP Web Dispatcher or the corresponding documentation for higher releases of SAP NetWeaver. SAP Supplier Lifecycle Management 2. using HTTPS-based calling of Business Server Pages (BSP). SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) using the internal firewall of the DMZ. Data exchange with external users (suppliers) in the demilitarized zone occurs in SAP Supplier Lifecycle Management. SAP Web Dispatcher also balances the load so that the request is always sent to the server with the greatest capacity. SAP NetWeaver Business Optional on the buy side. You can Client (NWBC) use either the SAP NetWeaver NetWeaver Platform Portal or the SAP NetWeaver Enhancement Package 2 Business Client as a framework for NetWeaver displaying Web Dynpro/ABAP and Application Platform by Key Capability BSP screens. our target applications are the Internet-facing applications (the applications that can be accessed by individuals or organizations over the public Internet).sap.com/netweaver Client SAP SAP NetWeaver 7.SAP SLC UI Component Comment More Information On the sell side. Data Exchange Between SAP SLC Buy Side and SAP SLC Sell Side Customers often want to run individual components of the software in different network zones for security reasons. The following business processes on the sell side use Business Server Pages: ● Registering Suppliers ● Maintaining Supplier Data ● Qualifying Suppliers ● Task processing in the Managing Activities process Within the DMZ. All rights reserved. com/irj/sdn/ha SRM and the underlying components such as SAP NetWeaver High availability (general) Solutions SAP Supplier Lifecycle Management 2. see the resources listed in the table below. Table 7 Topic Guide/Tool Quick Link to SAP Service Marketplace or SDN Technical description for SAP Master Guide service. 13 . More Information For more information about the technical system landscape. ● Documentation about the data transferred using SOA messages is available on the SAP Help Portal at help.com/srm-inst High Availability for SAP www.com/slc <release> Application Help SAP Supplier Lifecycle Management Technical Concepts Enterprise Services . All other data is only stored on the buy side. All rights reserved. For a list of the RFC function modules used in SAP Supplier Lifecycle Management. If you transfer data using SOA or WSRM and you want to influence the data that is transferred to the sell side.sdn. WSRM.0 Technical System Landscape PUBLIC © Copyright 2014 SAP AG.sap. see section Network Communications. The replication of data is performed using SOA.sap.Figure 3: Network Zones of SAP Supplier Lifecycle Management Only data relevant for suppliers is replicated to the sell side of SAP Supplier Lifecycle Management.sap. or RFC. you can use the BAdIs from the corresponding inbound SOA implementations on the sell side. More Information: ● Information about the data transferred using RFC connections can be seen in the signature of the function modules used. sap.com/irj/sdn/security 14 PUBLIC © Copyright 2014 SAP AG.sap.0 Technical System Landscape .sdn. Quick Link to SAP Service Marketplace or SDN SAP Supplier Lifecycle Management 2.sdn.com/irj/sdn/landscapedesign Security See applicable documents www. All rights reserved.Topic Guide/Tool Technical landscape design See applicable documents www. if required. Data Flow.0 Security Aspects of Data. and Processes PUBLIC © Copyright 2014 SAP AG. The business processes of SAP Supplier Lifecycle Management are: ● Registering Suppliers ● Maintaining Supplier Data ● Qualifying Suppliers ● Evaluating Suppliers Based on Events ● Evaluating Supplier Peer Groups ● Managing the Supplier Portfolio ● Classifying Suppliers ● Managing Activities Registering Suppliers The figure below shows the data flow of the Registering Suppliers process: Figure 4: Registering Suppliers I SAP Supplier Lifecycle Management 2. and Processes This chapter gives an overview of the security mechanisms that are available in the business processes of SAP Supplier Lifecycle Management.4 Security Aspects of Data. Data Flow. 15 . All rights reserved. It also describes how you can modify the existing mechanisms and take additional measures. see section Communication Destinations. n/a The data is not saved. communication with a technical user who is assigned a specific role. and Processes . All rights reserved. 3 The sell-side system sends the registration request to The system is accessed using SOA or RFC the buy side. For more information. a service user with the /SRMSMC/SUP_SELFREG_SELLSIDE role exists to enable access to the self-registration application. 5 An approval workflow is implemented: a work item is n/a created on the buy side. SAP Supplier Lifecycle Management 2. If you want potential suppliers to use a CAPTCHA feature to identify them as human users.Figure 5: Registering Suppliers II The table below lists the process steps and the security mechanisms available: Table 8 Step Description Security Mechanism 1 A potential supplier enters registration data on the sell No role is required at this stage. For more information. Data Flow. User Integration of CAPTCHA . any interested user can side. see section Management 2 The user submits the registration data on the sell side. you can implement a BAdI.0 Security Aspects of Data. register using a public service. In the system. 16 PUBLIC © Copyright 2014 SAP AG. 4 The buy-side system receives the registration request n/a and executes a duplicate check whether the supplier already exists. An object Registration is selected in the personalization object “central person” is automatically created and assigned to /SRMSMC/EXT_ROLE_ATTRIBUTES.0 Security Aspects of Data. password. 9 If the registration request is rejected. 12 The sell-side system sends an e-mail with the data of this You can implement the BAdI Change of Default Recipient user to the e-mail address that the potential supplier has (/SRMSMC/BD_SUPPL_NOTIF). 17 . 8 If the registration request is approved. You can do this in Customizing for SAP Supplier Lifecycle Management under SAP Supplier Lifecycle Management 2. you can change the validity period. your security policy. this e-mail is sent to the same email address. 13 The sell-side system creates a separate e-mail with a See step 12.com/slc <release> Management Application Help SAP Supplier Lifecycle Technical Concepts Approval Processes . Security Mechanism check potential supplier data. the buy-side The system is accessed using SOA or RFC system sends the data of the potential supplier to the sell communication with a technical user who is assigned a side. supplier data and n/a contact data for the potential supplier is created and saved in the database on the buy side. the user ID and password are valid for 31 SU01). saves the data on the database. depending on Details. the sell side system sends an e-mail to the user about the rejection. This central person is also assigned to the contact person of the supplier. This BAdI allows you submitted with the registration request under Contact to change the default logic in many ways. You can replace the configured workflow by your own workflow template. days. For information about workflow in SAP Supplier Lifecycle Management. see SAP Help Portal at help. Data Flow.Step Description 6 An approval step on the buy side determines whether the An approval workflow is available that allows you to registration data is accepted or rejected. By default. the sell side n/a receives the supplier and contact data. generated by the system (can be displayed in transaction By default.sap. and Processes Sell Side Supplier Registration PUBLIC © Copyright 2014 SAP AG. For example. 10 If the registration request is approved. 14 The potential supplier logs on with the user ID that was See step 11. All rights reserved. you can decide not to send the e-mail to the specified address but to an administrator or to an employee of a shared services center. specific role. ensure that displayed in transaction SU01) with the Initial Supplier (/ the checkbox Assign Role to Initial Supplier User in SRMSMC/SUPPLIER_INITIAL) role. see section Communication Destinations. For more information. who discloses the password to the potential supplier by telephone. If required. 7 If the registration request is approved. 11 The sell-side system automatically creates a user (can be When you create your own role for this task. this user. and sends a confirmation to the buy side. see SAP Help Portal at slc <release> Configuration and Deployment Information Interface by Adding Customer Fields. that is. and Processes . see SAP Note 1876166. This alias must be used for all further log-on activities of the administrator. help. generated user ID. which is carried out by employees on the sell side. Registration checkbox is selected in the /SRMSMC/ EXT_ROLE_ATTRIBUTES personalization object.0 Security Aspects of Data. 16 At the same time. 15 The potential supplier creates the permanent An alias with a maximum of 40 digits is created for the administrator account.sap. Maintaining Supplier Data includes: ● Company data ● Contact details ● Employee data ● Attachments ● Certificates 18 PUBLIC © Copyright 2014 SAP AG. For more information about the extensibility concept.Step Description Security Mechanism Maintain Customer Settings for Supplier Registration . Data Flow. section Extending the User Maintaining Supplier Data (Self-Maintenance Performed by Suppliers) The figure below shows the data flow of the Maintaining Supplier Data process. Users doing this must have the role Buy-Side/ Sell-Side: Administrator for Extensibility (SRMSMC/ ADMINISTRATOR).com/ Configuration Guide . SAP Supplier Lifecycle Management 2. the Initial Supplier role (/SRMSMC/ The potential supplier can no longer log on to the sell- SUPPLIER_INITIAL) is replaced by the roles for side system or work in the sell-side system with the Initial which the Assign Role to Administrator User in Supplier (/SRMSMC/SUPPLIER_INITIAL) role. For more information. You can add your own fields or hide SAP-delivered fields used for Registering Suppliers by extending the SAP screens. with the following roles: ● Employee Administrator (/SRMSMC/ EMPLOYEE_ADMINISTRATOR) ● Supplier Master Data Manager (/SRMSMC/ SUPPLIER_MASTER_DATA) ● Qualification Expert (/SRMSMC/ QUALIFICATION_EXPERT) 17 The sell-side system displays a confirmation screen with n/a a link to the Supplier Data Maintenance screen. All rights reserved. 19 .com/slc <release> Application Help SAP Supplier PUBLIC © Copyright 2014 SAP AG. RFC communication with a technical user who is assigned a specific role. the data is stored in the database on the n/a sell side. This data can be company data. 4 An approval workflow allows you to ensure that changed supplier data is For more information about checked manually before it is saved on the database and potentially attachments.0 Security Aspects of Data. and Processes help. 2 When the user saves the entries. see section Communication Destinations. contact details. The status of the data is Update Pending until the change is confirmed on the buy side. SAP The system is accessed using SOA or NetWeaver PI. see section Security for distributed to further systems. attachments. For information about workflow in SAP Supplier Lifecycle Management. For more information.Figure 6: Maintaining Supplier Data The table below lists the process steps and the security mechanisms available: Table 9 Step Description Security Mechanism 1 A user with the role Supplier Master Data Manager (/SRMSMC/ n/a SUPPLIER_MASTER_DATA) changes the data of the supplier.sap. Additional Applications. 3 The updated supplier data is transferred to the buy side using RFC. Data Flow. or WSRM. All rights reserved. or certificates. see SAP Help Portal at SAP Supplier Lifecycle Management 2. An e-mail is sent from the sell side to the supplier about the rejection of the changes. For more information about the extensibility concept. Users doing this must have the role Buy-Side/ Sell-Side: Administrator for Extensibility (SRMSMC/ ADMINISTRATOR).com/ Configuration Guide . the changes on the sell side are n/a discarded. help. section Extending the User Qualifying Suppliers The figures below shows the data flow of the Qualifying Suppliers process. see SAP Help Portal at slc <release> Configuration and Deployment Information Interface by Adding Customer Fields. If the change of the supplier data is approved.Step Description Security Mechanism Lifecycle Management Concepts 5a 5b Technical Approval Processes ..0 Security Aspects of Data. Figure 7: Qualifying Suppliers I 20 PUBLIC © Copyright 2014 SAP AG. e-mail to the supplier. The sell-side system sends an user who is assigned a specific role. see section changes. You can add your own fields or hide SAP-delivered fields used for Maintaining Supplier Data by extending the SAP screens. and Processes . Data Flow. If the change of the supplier data is rejected. All rights reserved. Communication Destinations. The RFC communication with a technical supplier data is also updated on the sell side. SAP Supplier Lifecycle Management 2. the data is updated on the The system is accessed using SOA or database and transferred to the sell side and the back-end system(s).sap. informing him about the approval of the data For more information. 2 The Category Manager publishes the qualification n/a request. All rights reserved. 4 A copy of the qualification request is saved on the n/a database on the sell side. 3 The qualification request is saved on the buy-side n/a database. Data Flow. SAP Supplier Lifecycle Management 2.Figure 8: Qualifying Suppliers II The table below lists the process steps and the security mechanisms available: Table 10 Step Description Security Mechanism 1 A Category Manager (/SRMSMC/ n/a CATEGORY_MANAGER) creates a qualification request and enters data.0 Security Aspects of Data. 5 The sell-side system creates qualification responses and n/a saves them on the sell-side database. 21 . A copy of the qualification request is transferred to the sell side. steps 1 and 2 are performed automatically by the buy side of SAP Supplier Lifecycle Management. Note: If the qualification is triggered automatically after the approval of a registration request. and Processes PUBLIC © Copyright 2014 SAP AG. 7 The supplier fills out the questionnaire(s) and uploads Implement a virus scanner that scans the attachments attachments. see section Communication Destinations Communication Destinations for Supplier Evaluation . All rights reserved.Step Description Security Mechanism 6 The sell-side system sends an e-mail with a link to the n/a qualification response to the supplier. 10. see section Communication Destinations. most activities are also performed on the buy side of SAP Supplier Lifecycle Management. SAP Supplier Lifecycle Management 2. and Processes . For more information. 22 PUBLIC © Copyright 2014 SAP AG. For more information. If further clarification is required. 13 The Category Manager can approve or reject the n/a response. You can implement a workflow to enhance the standard approval process. For more information. ● Evaluating Suppliers Based on Events In this variant. n/a 9 The sell-side system saves the qualification response The system is accessed using SOA or RFC and sends the qualification response to the buy side. No data is transferred between systems. For more information about how to implement RFC connections. for example in SAP ERP. see SAP Help Portal at help. 14 The buy-side system saves the qualification response. about RFC users and the required roles. The system user that enables this RFC connection must be assigned the role Buy-Side RFC Inbound Processing in Supplier Evaluation (/SRMSMC/ BG_SUP_EVAL_BUYSIDE). attachments to a qualification response are scanned again before the qualification response is saved on the database.sap. if applicable. n/a Evaluating Suppliers You can use the following variants of the Evaluating Suppliers process: ● Evaluating Supplier Peer Groups In this variant. Data relevant for the evaluation is transferred using an RFC.0 Security Aspects of Data. see the qualification response on the database. or he can send it back to the supplier and request further clarification. The response includes one or several questionnaires. The sell-side system saves before they are uploaded. all activities are performed on the buy side of SAP Supplier Lifecycle Management. section Security for Additional Applications. However. Data Flow. trigger the evaluation process. steps 7 to 13 are reiterated. 8 The supplier submits the qualification response. communication with a technical user who is assigned a specific role. For more information. 11 The qualification response is updated on the buy side You can customize the virus scanner in such a way that and saved on the database. 12 A notification is sent to the Category Manager. events occurring in external systems.com/slc <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Define RFC Connections Defining Process-Specific RFC Connections . see section Security for Additional Applications. By default. The appraiser is then automatically logged on with a service user that is common to all appraisers without system user ID. This user requires the role Appraiser without User ID (/SRMSMC/EVL_APPRAISER_NON_USER).sap. see SAP Help Portal at help.Security Measures for System Access In both variants of the Evaluating Suppliers process. the standard security mechanisms provided by SAP NetWeaver are sufficient. ● The appraiser has no user ID but a valid e-mail address. section Configuring Supplier Evaluation for Appraisers Without a User ID.sap. see section Security for Additional Applications. 23 . or RFC. Data Flow. For all other security aspects of the Evaluating Suppliers process. For a description of the process flow of both variants. system access can be granted to appraisers in either of the following ways: ● The appraiser has a valid user ID with the Appraiser role (/SRMSMC/EVALUATION_APPRAISER). For more information. the leading system can be: ● The buy side of SAP SLC ● Leading SAP ERP ● Master Data Governance (MDG) The figures below show two variants of the data flow of the Managing the Supplier Portfolio process: SAP Supplier Lifecycle Management 2. a hash function has been implemented. WSRM. and to the sellside system using SOA. To ensure that each appraiser can only fill out questionnaires that are intended for him or her. see SAP Help Portal at help. access for appraisers without system users is deactivated. all manual activities are carried out on the buy side of SAP Supplier Lifecycle Management. For the Managing the Supplier Portfolio process.com/slc <release> Configuration and Deployment Information Configuration Guide SAP Supplier Lifecycle Management . Further Security Measures Implement a virus scanner that scans the attachments before they are uploaded by appraisers (or by category managers acting on behalf of appraisers). The data is then distributed to the connected back-end systems SAP SRM and/or SAP ERP using RFC. All rights reserved. and Processes PUBLIC © Copyright 2014 SAP AG. Managing the Supplier Portfolio In this process. You can activate this function in Customizing for SAP Supplier Lifecycle Management under Buy Side Supplier Evaluation Basic Settings for Supplier Evaluation Activate Appraisers Without User ID . For more information about the configuration of supplier evaluation by appraisers without user ID.0 Security Aspects of Data.com/slc <release> Application Help SAP Supplier Lifecycle Management Buy Side: Activities for Purchasers Evaluating Suppliers Evaluating Suppliers Using the Group-Based Process and Evaluating Suppliers Using the EventDriven Process . Figure 9: Managing the Supplier Portfolio — Leading System: SAP SLC Buy Side The system connection between SAP SLC buy side and the back-end systems is based on RFC. SAP Supplier Lifecycle Management 2. and Processes . All rights reserved. Figure 10: Managing the Supplier Portfolio — Leading System: SAP ERP or MDG 24 PUBLIC © Copyright 2014 SAP AG. Data Flow.0 Security Aspects of Data. For security aspects of SAP Jam. The assignment between SAP Jam activities and suppliers resides in the SAP Supplier Lifecycle Management system and is accessed using the SAP Jam ABAP Library. Data Flow. several prerequisites must be met. see section Communication Destinations. SAP Supplier Lifecycle Management 2. see SAP Help Portal at help. you can use the BAdIs that are available in the following places: ● Customizing for SAP Supplier Lifecycle Management under Business Add-Ins (BAdIs) Supplier Integration ● Customizing for the SAP ERP integration component under SAP Customizing Implementation Guide Integration with Other SAP Components SAP Supplier Lifecycle Management Business Add-Ins (BAdIs) Supplier Integration ● Customizing for the SAP SRM integration component under SAP Implementation Guide Integration with Other SAP Components SAP Supplier Lifecycle Management Business Add-Ins (BAdIs) Supplier Integration Buy Side Supplier Portfolio Management Integration of SAP Jam (Optional) When maintaining supplier data.com/slc <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Define RFC Connections Defining Process-Specific RFC Connections . about RFC users.If you use SAP ERP or Master Data Governance (MDG) as the leading system.sap. 25 . you can create and assign activities in SAP Jam. For more information about how to implement RFC connections. see SAP Help Portal at help. and Processes PUBLIC © Copyright 2014 SAP AG. see SAP Help Portal at help.com Cloud SAP Jam Administrator Guide .sap.com/slc <release> Configuration and Deployment Information Configuration Guide Business Processes Managing the Supplier Portfolio Configuring the SAP Jam Configuration Functionality for SAP Supplier Lifecycle Management . The system connections between SAP SLC buy side and the leading systems is based on the following technologies: ● RFC between SAP SLC buy side and SAP ERP ● SOA (WSRM or SAP NetWeaver PI) between SAP SLC buy side and MDG The system users that enable the RFC connections must be assigned one of the following roles.0 Security Aspects of Data. All rights reserved. To modify the data transfer to the receiving systems. for more information.sap. To be able to collaborate using SAP Jam. and about the roles required. as applicable: ● Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_BUYSIDE) ● Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_SELLSIDE) ● RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP) ● RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT) ● RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT) For more information. you can create suppliers in these systems. 26 PUBLIC © Copyright 2014 SAP AG. see section Security for Additional Applications. see SAP Help Portal at help.Figure 11: Using SAP Jam to Collaborate in Managing the Supplier Portfolio Classifying Suppliers In this process. Two roles are available for the Classifying Suppliers process: ● Users with the Classification Manager (/SRMSMC/CLASSIFICATION_MANAGER) role can create classification profiles and edit classification data. all activities are carried out on the buy side of SAP Supplier Lifecycle Management. Data Flow. SAP Supplier Lifecycle Management 2. All rights reserved. the standard security mechanisms provided by SAP NetWeaver are sufficient. Managing Activities: Processing of Tasks The figures below shows the data flow of task processing in the Managing Activities process. For all other security aspects. and Processes . For more information about the business process. There is no data transfer to the sell side or the back-end systems.com/slc <release> Configuration and Deployment Information Configuration Guide Business Processes Classifying Suppliers .sap. For more information.0 Security Aspects of Data. Security Measures Implement a virus scanner that scans the attachments before they are uploaded by classification managers. ● Users with the Display Role for Classification (/SRMSMC/CLASSIFICATION_DISPLAY) can display but not create or edit classification data. As a n/a result. attachments to a task are scanned again before the task SAP Supplier Lifecycle Management 2. 2 The Activity Manager sends the task to the supplier.0 Security Aspects of Data. the task is saved on the buy-side database.Figure 12 The table below lists the process steps and the security mechanisms available: Table 11 Step Description Security Mechanism 1 From within an activity. 5 The supplier contact with the role Supplier Task Implement a virus scanner that scans the attachments Processor (/SRMSMC/SUPPLIER_TSK_PROCESSOR) before they are uploaded. The sell- The system is accessed using SOA or RFC side system sends the task to the buy side. 4 The sell-side system sends an e-mail to the supplier n/a contact. if section Security for Additional Applications. 7 The task is updated on the buy side and saved on the You can customize the virus scanner in such a way that database. a user with the role Activity n/a Manager (/SRMSMC/ACTIVITY_MANAGER) creates a task and enters data. communication with a technical user who is assigned a defined role. and Processes PUBLIC © Copyright 2014 SAP AG. see section Communication Destinations. see processes the task and uploads attachments. informing him about the task. 27 . All rights reserved. applicable. Data Flow. For more information. 6 The Supplier Task Processor submits the task. 3 A copy of the task is created on the sell side and saved n/a on the sell-side database. For more information. Data Flow. you must create the Portal roles as described in SAP Note 1685257 Upload of SAP delivered NWBC Roles to SAP NetWeaver Portal. If you run SAP Supplier Lifecycle Management in an SAP NetWeaver Portal environment. SAP Supplier Lifecycle Management 2. 28 PUBLIC © Copyright 2014 SAP AG.Step Description Security Mechanism is saved on the database. and steps 3 to 8 are reiterated.0 Security Aspects of Data. For more information. 8 The Activity Manager can set the task to "Completed" or n/a request clarification. and Processes . the following roles are available on the buy side: ● Activity Manager (/SRMSMC/ACTIVITY_MANAGER) ● Participant in Activity (/SRMSMC/ACTIVITY_PARTICIPANT) The following role is available on the sell side: ● Supplier Task Processor (/SRMSMC/SUPPLIER_TSK_PROCESSOR) Note that the corresponding Portal roles are not delivered by SAP. the task is sent back to the supplier. All rights reserved. If he requests clarification. Security Measures For the Managing Activities process. see section Security for Additional Applications. SAP Supplier Lifecycle Management 2. you assign it to the external alias pointing to the ICF request is approved. the sell-side system automatically service for the self-registration BSP application / creates a user with the Initial Supplier User role (/SRMSMC/ default_host/sap/bc/bsp/srmsmc/ros_ext. in particular the SAP NetWeaver Application Server ABAP. This SUPPLIER_INITIAL). The contact person is technically related to the supplier. in transaction SICF on the Logon Data using a public service. the types of users required. Table 12: Mandatory User Management Tools Used in SAP Supplier Lifecycle Management Tool Description Transactions SU01 and SU10 Standard user administration functions of SAP NetWeaver AS ABAP Transaction PFCG Standard role and authorization administration of SAP NetWeaver AS ABAP Supplier self-registration on the sell side: A potential supplier enters registration data on the sell side.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security User Authentication and Single Sign-On or the corresponding documentation for higher releases of SAP NetWeaver. If the registration tab. and the standard users that are delivered with SAP Supplier Lifecycle Management. 29 . An object “central person” is user must be assigned the Sell-Side Role for Technical User automatically assigned to this user.sap. All rights reserved. ● Integration Into Single Sign-On Environments This sections describes how SAP Supplier Lifecycle Management supports Single Sign-On (SSO) mechanisms. you can find information that applies specifically to SAP Supplier Lifecycle Management in the following sections of this guide: ● User Management This sections lists the tools for user management. In addition to these guidelines. 5. no role is required. You can find these guidelines on the SAP Help Portal at help.5 User Administration and Authentication SAP Supplier Lifecycle Management applies the user management and authentication mechanisms provided with the SAP NetWeaver platform. Therefore.1 User Management For an overview of how the security mechanisms available in SAP NetWeaver apply to SAP Supplier Lifecycle Management. see the sections below. You create a user and.0 User Administration and Authentication PUBLIC © Copyright 2014 SAP AG. User Administration Tools The following table lists the tools to use for user management and user administration with SAP Supplier Lifecycle Management. the security recommendations and guidelines for user administration and authentication as described in the Security Guide for SAP NetWeaver Application Server ABAP are also valid for SAP Supplier Lifecycle Management. users with the role Supplier Master Data Suppliers with the role Employee Administrator (/SRMSMC/ Manager (/SRMSMC/SUPPLIER_MASTER_DATA) can EMPLOYEE_ADMINISTRATOR) can display.sap. Users in linked systems are created from the central system. and create other supplier users.0 User Administration and Authentication . For users enabling background processing this may not be required. maintain supplier data in the BSP application / delete. your policy may foresee that individual users who perform tasks interactively have to change their passwords on a regular basis.sap. create. Registration) screen in the BSP application supplier administration screens/ default_host/sap/bc/bsp/srmsmc/SRMSMC/ ROS_EXT_2. Library Application Help SAP NetWeaver by Key Capability Management Security SAP SAP NetWeaver Identity or the corresponding documentation for higher releases of SAP NetWeaver User Types It is often necessary to specify different security policies for different types of users.com/netweaver SAP NetWeaver Platform SAP Note that for users distributed to SAP NetWeaver 7. The initial user creates an administrator account for his The supplier administrator can then create further accounts company on the Initial User Administration (User for the employees of his company. and unlock users for their company. SAP Help Portal at help. Management SAP NetWeaver SAP SAP NetWeaver Security Identity User and Role Administration or the corresponding of AS ABAP documentation for higher releases of SAP NetWeaver SAP Identity Management Central administration system that includes CUA-like functions.Tool Description for Supplier Self-Registration (/SRMSMC/ SUP_SELFREG_SELLSIDE). All rights reserved. For example. SRMSMC/EMPLOYEE_ADMINISTRATOR) can also maintain users. Users with the role Employee Administrator (/ requests. The user types that are required for SAP Supplier Lifecycle Management include the following technical users: ● 30 Service users for: PUBLIC © Copyright 2014 SAP AG.0 including Enhancement Supplier Lifecycle Management currently no Package 2 relationship to contact persons are created. change.com/netweaver (CUA) of SAP NetWeaver and authorizations. SAP NetWeaver Platform SAP NetWeaver 7. On the sell side. edit and display qualification S3Q_EXT). These users default_host/sap/bc/bsp/srmsmc/SRMSMC/ can maintain supplier data. Table 13: Optional User Management Tools That Can Be Used in SAP Supplier Lifecycle Management Tool Description More Information Central User Administration Serves as a central system for creating users SAP Help Portal at help.0 including Enhancement Note that for users distributed to SAP Package 2 Supplier Lifecycle Management the system Library Application Help currently does not create relationships to by Key Capability contact persons. SAP Supplier Lifecycle Management 2. lock. 2 User Data Synchronization If you use the Central User Administration (CUA) or SAP Identity Management for distributing users to the sell side. RFC.● ○ Establishing system connections for WSRM. The BAdI enables you to include any third-party CAPTCHA product to your Supplier Registration web page. All rights reserved. You can implement the BAdI in Customizing for SAP Supplier Lifecycle Management under Sell Side Supplier Registration Business Add-Ins Implementation of the CAPTCHA Function . You must create such a system user. the security recommendations and guidelines for user administration and authentication as SAP Supplier Lifecycle Management 2. 5. For more information. 31 . ○ Category Manager (/SRMSMC/CATEGORY_MANAGER) This role contains the necessary authorizations to perform the tasks of a category manager. for example. For more information about the above user types. 5. (CAPTCHA is the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart). see User Types in the SAP NetWeaver Application Server ABAP Security Guide. ● Assign the central person to the business partner. Integration of CAPTCHA You can use a BAdI to implement a confirmation prompt to prevent denial-of-service attacks.3 Integration Into Single Sign-On Environments SAP Supplier Lifecycle Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver AS ABAP. Therefore. ● Assign the new business partner to the “Supplier” business partner. for example WFBATCH. creating suppliers and contacts.0 User Administration and Authentication PUBLIC © Copyright 2014 SAP AG. CAPTCHA asks users to read a string of distorted characters and type them correctly. ● Create a business partner of type “Contact Person” for the user in the sell-side system. and SOA communication ○ Anonymous logon to Supplier Registration ○ Anonymous logon for appraisers without user ID to Supplier Evaluation A system user for the execution of the workflow. this user should be assigned the following roles: ○ SAP Business Workflow: Service User (SAP_BC_BMT_WFM_SERV_USER) This role contains all the necessary authorizations to execute and manage workflows. see SAP Note 1251255. Caution This user should not be assigned the authorization profile SAP_ALL. Instead. you must do the following either manually or using a BAdI to use the distributed user accounts: ● Create a central person for the user in the sell-side system. see SAP Help Portal at help. All rights reserved.0 User Administration and Authentication . 32 PUBLIC © Copyright 2014 SAP AG.described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Supplier Lifecycle Management.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security User Authentication and Single Sign-On or the corresponding documentation for higher releases of SAP NetWeaver. SAP Supplier Lifecycle Management 2.com/ netweaver SAP NetWeaver Platform SAP NetWeaver 7. For more information about the available authentication mechanisms.sap. Table 15: Standard Roles — Sell Side Role Description /SRMSMC/SUPPLIER_INITIAL Initial Supplier /SRMSMC/EMPLOYEE_ADMINISTRATOR Employee Administrator /SRMSMC/SUPPLIER_MASTER_DATA Supplier Master Data Manager /SRMSMC/QUALIFICATION_EXPERT Qualification Expert SAP Supplier Lifecycle Management 2. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. All rights reserved. Therefore.sap. the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide also apply to SAP Supplier Lifecycle Management.6 Authorizations SAP Supplier Lifecycle Management uses the authorization concept provided by SAP NetWeaver AS ABAP. 33 . Standard Roles The table below shows the business roles that are available for the buy side of SAP Supplier Lifecycle Management.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security Identity Management User and Role Administration of AS ABAP or the corresponding documentation for higher releases of SAP NetWeaver. use the profile generator (transaction PFCG) on the AS ABAP. For more information. For role maintenance. Table 14: Standard Roles — Buy Side Role Description /SRMSMC/CATEGORY_MANAGER Category Manager /SRMSMC/CLASSIFICATION_MANAGER Classification Manager /SRMSMC/CLASSIFICATION_DISPLAY Display Role for Classification /SRMSMC/QUESTIONNAIRE_MANAGER Questionnaire Manager /SRMSMC/CERTIFICATE_MANAGER Certificate Manager /SRMSMC/ACTIVITY_MANAGER Activity Manager /SRMSMC/ACTIVITY_PARTICIPANT Participant in Activity /SRMSMC/EVALUATION_APPRAISER Appraiser /SRMSMC/APPROVER Approver /SRMSMC/TRANSLATOR Translator /SRMSMC/ADMINISTRATOR Administrator The table below shows the business roles that are available for the sell side of SAP Supplier Lifecycle Management. see SAP Help Portal at help.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 Authorizations PUBLIC © Copyright 2014 SAP AG. and display mode. see section Communication Destinations or SAP Help Portal at help. All rights reserved. For more information. Authorization Object /SRMSMC/AC The authorization object /SRMSMC/AC represents the authorization to display screens (“actions”) in the Supplier Maintenance BSP application on the sell side (/SRMSMC/S3Q_EXT) of SAP Supplier Lifecycle Management.sap. Authorizations Specific to SAP Supplier Lifecycle Management Authorizations in the Supplier Portfolio Management Process Authorization checks allow you to enable users to work with supplier data in create.com/slc <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management under: ● Point-to-Point Enablement ● SAP NetWeaver Process Integration ● Technical Basic Settings Define RFC Connections Authorizations for Executing Reports To execute reports.Role Description /SRMSMC/SUPPLIER_TSK_PROCESSOR Supplier Task Processor /SRMSMC/ADMINISTRATOR Administrator The table below shows the technical roles that are available for the buy side and the sell side of SAP Supplier Lifecycle Management.com/slc Application Help SAP Supplier Lifecycle Management Technical Concepts Roles . The following standard authorization objects for business partners are used: ● Business Partner: Authorization Groups (B_BUPA_GRP) ● Business Partner: BP Roles (B_BUPA_RLT) ● Business Partner Relationships: Relationship Categories (B_BUPR_BZT) For more information. SAP Supplier Lifecycle Management 2. Table 16: Technical Roles — Buy Side or Sell Side Role Description /SRMSMC/EVL_APPRAISER_NON_USER Buy Side: Technical User for Appraisers Without System User /SRMSMC/REPORT_EXEC_ADMIN Buy Side: Technical Role with Authorization to Start Reports in SAP SLC /SRMSMC/SUP_SELFREG_SELLSIDE Sell-Side Role for Technical User for Supplier Self-Registration For more information about the roles listed above. Also.0 Authorizations . These 34 PUBLIC © Copyright 2014 SAP AG. several technical roles exist for implementing the required system connections in a secure manner. <release> Roles for System Communication In addition. see SAP Note 1824646.sap. and in all combinations of these modes. see SAP Help Portal at help. Some of the reports additionally check the start authorizations for the relevant user interface ICF services that process the same data as the report. This is to ensure that the user is experienced in handling the data affected by the report and is aware of its effects. edit. users must have been assigned the technical role Buy Side: Technical Role with Authorization to Start Reports in SAP SLC (/SRMSMC/REPORT_EXEC_ADMIN). see the report documentation that is available in the system. users must be authorized to process the objects and data handled by the reports. For more information about the requirements for each report. you can specify the following: ○ Questionnaire (/SRMSMC/BO_QNR) ○ Certificate (/SRMSMC/MO_CRT) ○ Qualification response (/SRMSMC/BO_SQR) ○ Classification profile (/SRMSMC/BO_SCS) ○ Purchasing category (/SRMSMC/MO_PUC) ○ Activity (/SRMSMC/BO_ACT) ○ Task (/SRMSMC/BO_TSK) As actions that the user can perform.detail. ● Certificate managers can display.actions are defined in the sell-side system in Customizing for SAP Supplier Lifecycle Management under Sell Side Determine Actions . for example. create. Authorization Object /SRMSMC/BO The authorization object /SRMSMC/BO represents the authorization to interact with an instance of a business object of SAP Supplier Lifecycle Management in a specific way. 35 . and edit questionnaires. and edit classification profiles. you can specify. and edit objects in the question library. create. You define which screens and activities users can access by assigning them a role containing this authorization object and selecting the corresponding actions. Questionnaire Manager. or to the S_START authorization in Web Dynpro for ABAP. ● Supplier task processors can display and edit tasks. it is called in “Display” mode. All rights reserved. questions. Display. and edit certificate types. ● Participants in activities can display activities.0 Authorizations PUBLIC © Copyright 2014 SAP AG. Certificate Manager. This has the following effect: ● Category managers can display all objects in the question library (sections. for example. ● Translators cannot create any objects but can edit questions. sections. Other business objects appearing in the same POWL are called in “Display” mode. and certificate types. but they cannot create or edit question library objects. ● When users access a business object as a result of navigating from another business object. It offers the following checkboxes: ● Checkbox Appraiser Role ● Checkbox Category Manager Role SAP Supplier Lifecycle Management 2. create. the main business object is always called in “Edit” mode. ● Classification managers can display. The following use of the authorization object is supported: ● ● As the type of business object that the user can access.edit. Translator. The standard behavior for accessing business objects is the following: ● When users access business objects from a POWL. ● Questionnaire managers can display. ● Category managers can display but not create and edit questionnaires. or certificates. and Questionnaire Expert roles. ● Questionnaire managers can display. for example action employee. The authorization object is used in the Category Manager. and they can display and edit tasks. Edit. or others. and groups). Classification Manager. and edit activities and tasks. Personalization Object “SLC: PFCG Role Attributes” The personalization object SLC: PFCG Role Attributes (/SRMSMC/PFCG_ROLE_ATTRIBUTES) is relevant only on the buy side. This approach is comparable to the transaction authorization in SAPGUI. ● Activity managers can display. create. create. and Create. for example for an Appraiser. In the SAP standard. the checkbox is selected in the Initial Supplier role (/SRMSMC/SUPPLIER_INITIAL). Personalization Object “SLC Sell Side: PFCG Role Attributes” The personalization object SLC Sell Side: PFCG Role Attributes (/SRMSMC/EXT_ROLE_ATTRIBUTES) offers three checkboxes that allow you to specify the following in the sell-side roles: ● Checkbox Assign Role to Initial Supplier User in Registration Select this checkbox in a role that you want to be automatically assigned to users for initial access to the sellside system. the checkbox is selected in the following roles: ● ○ Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR) ○ Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA) Checkbox Display Role in Employee Administration Select this checkbox in roles that you want the Employee Administrator to be able to assign to users. performing these activities also depends on the authorization objects assigned to the role. a Purchaser Responsible. Example For a user to be found in a search for Purchaser Responsible. in addition to the checkbox in the personalization object. ● Checkbox Assign Role to Administrator User in Registration Select this checkbox in a role that you want to be automatically assigned to users who act as administrators for supplier data and employee data on the sell side. In the SAP standard.0 Authorizations . the Questionnare Manager Role or the Activity Manager Role checkboxes are required. depending on the process where the search is performed. ● Only users for whom the personalization object checkbox is selected are considered during a search.● Checkbox Questionnaire Manager Role ● Checkbox Approver Role ● Checkbox Classification Manager Role ● Checkbox Activity Manager Role ● Checkbox Activity Participant Role Setting one of the above checkboxes in a role has the following effects on users to whom the role has been assigned: ● The users can perform the activities intended for this role. the Category Manager Role . Note that. the Classification Manager Role. In the SAP standard. the checkbox is selected in the following roles: 36 ○ Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR) ○ Qualification Expert (/SRMSMC/QUALIFICATION_EXPERT) ○ Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA) ○ Supplier Task Processor (/SRMSMC/SUPPLIER_TASK_PROCESSOR) PUBLIC © Copyright 2014 SAP AG. SAP Supplier Lifecycle Management 2. All rights reserved. All rights reserved.Critical Combinations We recommend that you do not assign the Appraiser and the Category Manager role to the same person. Under exceptional circumstances. you can grant both roles to the same person. 37 . such as Category Managers filling out questionnaires for other colleagues.0 Authorizations PUBLIC © Copyright 2014 SAP AG. SAP Supplier Lifecycle Management 2. activate Secure Session Management. users can then start applications that require a user logon without logging on again. Use transaction SICF_SESSIONS to specify the parameter values shown in the table below in your AS ABAP system: Table 17 Profile Parameter Recommended Value Comment icf/set_HTTPonly_flag_on_cookies 0: HTTPonly attribute active for all ICF cookies Client-dependent login/ticket_only_by_https 1: Ticket is only sent by the browser during Not client-dependent HTTPS connections For more information. a list of the relevant profile parameters. 38 PUBLIC © Copyright 2014 SAP AG.0 Session Security Protection . With an existing security session. SAP Supplier Lifecycle Management only supports Secure Sockets Layer (SSL) technology to protect the network communications where security-relevant cookies are involved. Session Security Protection on the AS ABAP To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookies (SAP_SESSIONID_<sid>_<client>).sap.0 Activating HTTP Security Session Management on AS ABAP or the corresponding documentation for higher releases of SAP NetWeaver. All rights reserved. you must activate secure session management via https. see SAP Help Portal at help.7 Session Security Protection To increase security and prevent access to the SAP logon ticket and security session cookie(s). When a security session is ended.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. and detailed instructions. SAP Supplier Lifecycle Management 2.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security User Authentication and Single Sign-On Authentication on the AS ABAP Using SAML 2. the system also ends all applications that are linked to this security session. If users cannot log on to your application or database servers at the operating system or database layer.0 Network and Communication Security PUBLIC © Copyright 2014 SAP AG.sap. using Web Services Reliable Messaging (WSRM) ● Communication via asynchronous enterprise services. Your network needs to support the communication that is required for your business without allowing unauthorized access. 8. if users are not able to connect to the server LAN (local area network). 39 . Additionally. the options using asynchronous enterprises services are preferable. For more information. All rights reserved. you have the following options: ● Point-to-Point communication via asynchronous enterprise services. there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. mostly background RFCs (bgRFCs) Note ● From a security point of view. ● Communication between SAP Supplier Lifecycle Management and Master Data Governance (MDG) can be based on WSRM or SAP NetWeaver PI. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. see the following information on the SAP Help Portal at help. ● Communication between SAP Supplier Lifecycle Management and its back-end systems. More Information ● For more information about SAP NetWeaver Process Integration. the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP Supplier Lifecycle Management. The network topology for SAP Supplier Lifecycle Management is based on the topology used by the SAP NetWeaver platform. see the section Enterprise Services Security.8 Network and Communication Security Your network infrastructure is extremely important in protecting your system. SAP Supplier Lifecycle Management 2. SAP ERP and SAP SRM.1 Communication Channel Security To establish the communication between SAP Supplier Lifecycle Management buy side and sell side.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide or in the corresponding documentation for higher releases of SAP NetWeaver: ● Network and Communication Security ● Security Guides for Connectivity and Interoperability Technologies Details about network and communication security that are specific to SAP Supplier Lifecycle Management are described in the following sections of this document.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. using SAP NetWeaver Process Integration (SAP NetWeaver PI) ● Remote function calls (RFCs). or with a leading SAP ERP system is always based on remote function calls (RFCs). they cannot exploit well-known bugs and security holes in network services on the server machines. Therefore. More Information For more information about SNC and SSL. bank data.sap.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability Platform-Wide Services Connectivity Components of SAP Communication Technology Classical SAP Technologies (ABAP) RFC Background Communication bgRFC (Background Remote Function Call) or the corresponding documentation for higher releases of SAP NetWeaver. SAP Supplier Lifecycle Management 2. 40 PUBLIC © Copyright 2014 SAP AG.com SAP NetWeaver Platform SAP NetWeaver 7.● For information about the configuration of the above communication channels. Table 18: Communication Paths Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection Front-end client using a Web HTTPS All application data browser to AS ABAP Communication between sell side and buy side Passwords. bank data. personal data. tax data You have the following options: ● All application data Passwords. bank data.sap. tax data between buy side and leading SAP ERP Communication between buy WSRM or SAP NetWeaver PI side and MDG All application data Personal data.com/slc SAP NetWeaver 7. bank data. see SAP Help Portal at help.0 Network and Communication Security . All rights reserved. tax data The Dynamic Information and Action Gateway (DIAG) and RFC connections can be protected using Secure Network Communications (SNC). tax data RFC (in some cases synchronous) ● Enterprise services using SAP NetWeaver PI ● WSRM Communication between buy RFC (in some cases synchronous) All application data side and back ends or Personal data. see SAP Help Portal at help. see SAP Help Portal at help. For more information about bgRFCs. personal data.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security Network and Transport Layer Security Transport Layer Security on the AS ABAP or the corresponding documentation for higher releases of SAP NetWeaver.0 including Enhancement Package 2 Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management or the corresponding documentation for higher releases of SAP NetWeaver under: ○ Point-to-Point Enablement ○ SAP NetWeaver Process Integration ○ Technical Basic SettingsDefine RFC Connections The table below shows the communication paths used by SAP Supplier Lifecycle Management.com SAP NetWeaver Platform SAP NetWeaver 7. HTTPs connections are protected using the Secure Sockets Layer (SSL) protocol. and the type of data transferred.sap. the protocol used for the connection. Data (/SRMSMC/SOA_SUP_MNGT_SELLSIDE) including task This user is required to execute inbound SOA calls on the sell side. <SOA User 2> Sell side Supplier Sell-Side SOA Inbound Processing in Registering Suppliers registration (/SRMSMC/SOA_SUP_REG_SELLSIDE) This user is required to execute inbound SOA calls that trigger the rejection e-mail to be sent to potential suppliers after they have been rejected on the buy side. for example. management <SOA User 4> Sell side Supplier data Sell-Side SOA Inbound Processing when Transferring Supplier maintenance. processing. using Web Services Reliable Messaging (WSRM) ● Communication via asynchronous enterprise services. you must create technical users with the following roles: Table 19 User System Process PFCG Role <SOA User 1> Buy side Supplier Buy-Side SOA Inbound Processing in Registering Suppliers (/ registration SRMSMC/SOA_SUP_REG_BUYSIDE) This user is required to execute inbound SOA calls that transfer the supplier registration request from the sell side to the buy side.2 Communication Destinations To establish the communication between SAP Supplier Lifecycle Management buy side and sell side. see chapter 4. Enterprise Services (SOA) Communication To enable cross-system communication based on the Service-Oriented Architecture (SOA). Data (/SRMSMC/SOA_SUP_MNGT_BUYSIDE) including task This user is required to execute inbound SOA calls on the buy processing. as the negative result of an approval workflow on the buy side. and Processes.8. 41 . All rights reserved. in activity side. Security Aspects of Data. <SOA User 3> Buy side Supplier data Buy-Side SOA Inbound Processing when Transferring Supplier maintenance. you have the following options: ● Point-to-Point communication via asynchronous enterprise services. using SAP NetWeaver Process Integration (SAP NetWeaver PI) ● Remote function calls (RFCs) Cross-system communication is required to enable the following processes running between the buy side and the sell side: ● Supplier registration ● Supplier data maintenance ● Supplier portfolio management ● Supplier qualification ● Task processing in activity management For more information.0 Network and Communication Security PUBLIC © Copyright 2014 SAP AG. Data Flow. in SAP Supplier Lifecycle Management 2. RFC Communication In SAP Supplier Lifecycle Management. or on the sell side of SAP Supplier Lifecycle Management. To enable cross-system communication between the buy side and the sell side of SAP SLC and between the buy side of SAP SLC and its back-end systems. for security reasons. <SOA User 6> Sell side Supplier Sell-Side SOA Inbound Processing in Qualifying Suppliers ( / qualification SRMSMC/SOA_SUP_QUAL_SELLSIDE) This user is required to execute inbound SOA calls that transfer the supplier qualification request from the buy side to the sell side. ● The entries in the “S/A” column indicate whether an RFC call is synchronous (“S”) or asynchronous (“A”). in SAP ERP. SAP Supplier Lifecycle Management 2. ● For communication through an SAP NetWeaver Process Integration Server. that is. also assign the Web Service Consumer role (SAP_BC_WEBSERVICE_CONSUMER) to the technical users. All rights reserved. These RFC roles contain authorizations to execute RFCs (authorization object S_RFC) as well as application-specific authorizations for inbound processing in the receiving system. they must have been assigned to their respective communication process types in the target systems. For the RFC connections to work. the following additional roles are required: ● For point-to-point (P2P) communication using WSRM. you must create several technical users of the user type Service in all systems that are involved in the communication. Note The above roles only contain the required business authorizations. Depending on the technology you use for system communication. SAP SRM. assign the Exchange Infrastructure: Service User for Application Systems role (SAP_XI_APPL_SERV_USER). Note 42 ● The RFC connections listed below mostly use background RFCs (bgRFCs). and also between SAP Supplier Lifecycle Management and its back-end systems.0 Network and Communication Security . you can use RFC connections as an alternative to SOA communication to enable communication between the sell side and the buy side. Note that. you must create a separate technical user for each communication process type.activity management <SOA User 5> Buy side Supplier Buy-Side SOA Inbound Processing in Qualifying Suppliers (/ qualification SRMSMC/SOA_SUP_QUAL_BUYSIDE) This user is required to execute inbound SOA calls that transfer the supplier qualification response from the sell side to the buy side. The roles that you assign to these technical users are specific to the combination of a communication process type and the target system of the RFC. PUBLIC © Copyright 2014 SAP AG. 0 Network and Communication Security RFC_SUP_QUAL_BUYSIDE) PUBLIC © Copyright 2014 SAP AG. All rights reserved. 43 .Table 20: Communication Destinations Specific to the Registering Suppliers Process (Communication Process Type “Supplier Registration”) Process Step Direction of RFC S/A RFC Function Modules Call Role of RFC User (Target System) Transfer registration SAP SLC sell side A request from sell side to buy side /SRMSMC/ROS_REQUEST_INBOUND Buy-Side RFC Inbound Processing in Registering to buy side Suppliers (/SRMSMC/ RFC_SUP_REG_BUYSIDE) Send rejection e-mail if SAP SLC buy potential supplier was side to sell side S /SRMSMC/ Sell-Side RFC Inbound ROS_REGISTRATION_RESP Processing in Registering rejected on buy side Suppliers (/SRMSMC/ RFC_SUP_REG_SELLSIDE) Table 21: Communication Destinations Specific to the Qualifying Suppliers Process (Communication Process Type “Supplier Qualification”) Process Step Direction of RFC S/A RFC Function Modules Call Transfer qualification SAP SLC buy request from buy side side to sell side Role of RFC User (Target System) A /SRMSMC/SQQ_CREATE Sell-Side RFC Inbound Processing in Qualifying to sell side Suppliers (/SRMSMC/ RFC_SUP_QUAL_SELLSIDE ) Transfer qualification SAP SLC sell side A response from sell side to buy side /SRMSMC/SQR_UPDATE Buy-Side RFC Inbound Processing in Qualifying to buy side Suppliers (/SRMSMC/ RFC_SUP_QUAL_BUYSIDE) Reopen qualification SAP SLC buy response on sell side. side to sell side A /SRMSMC/SQR_REOPEN Sell-Side RFC Inbound Processing in Qualifying using data (request for Suppliers clarification) from buy (/SRMSMC/ side RFC_SUP_QUAL_SELLSIDE ) Update qualification SAP SLC sell side A response on buy side to buy side /SRMSMC/SQR_RESUBMIT Buy-Side RFC Inbound Processing in Qualifying using data (clarification Suppliers from supplier) from sell (/SRMSMC/ side SAP Supplier Lifecycle Management 2. 0 Network and Communication Security . transfer SUP_CREA_SSIDE_RFCWRAP supplier data and Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ create supplier on sell RFC_SUP_MNGT_SELLSIDE side ) Transfer standard SAP SLC buy product classification side to sell side S /SRMSCM/SPC_PUBLISH Sell-Side RFC Inbound Processing when Transferring codes from buy side to the Supplier Data sell side (/SRMSMC/ RFC_SUP_MNGT_SELLSIDE ) Transfer changes to SAP SLC sell supplier data from sell side to buy side A /SRMSMC/SUPPLIER_MAIN_REQ Buy-Side RFC Inbound Processing when Transferring side to buy side the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_BUYSIDE) Transfer supplier SAP SLC sell attachments from sell side to buy side A /SRMSMC/ATTACHMENT_SEND Buy-Side RFC Inbound Processing when Transferring side to buy side the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_BUYSIDE) Transfer changes to SAP SLC buy supplier data to sell side to sell side side A /SRMSMC/SUPPLIER_CHANGE /SRMSMC/ SUP_CHG_SSIDE_RFCWRAP Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ 44 PUBLIC © Copyright 2014 SAP AG.Table 22: Communication Destinations for Transfer of Supplier Data between SAP SLC Buy Side and Sell Side (Communication Process Type “Supplier Data Management”) Process Step Direction of RFC S/A RFC Function Modules Call Initial upload of SAP SLC buy supplier(s) from sell side to sell side side to buy side if sell deployed on SUS Role of RFC User (Target System) S /SRMSMC/SUPPLIER_GETLIST /SRMSMC/SUPPLIER_GETDATA side is deployed on Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ SUS RFC_SUP_MNGT_SELLSIDE ) Send rejection e-mail if SAP SLC buy changes to supplier side to sell side S /SRMSMC/SUPPLIER_MAIN_CONF Sell-Side RFC Inbound Processing when Transferring data were rejected on the Supplier Data buy side (/SRMSMC/ RFC_SUP_MNGT_SELLSIDE ) Upon approval of SAP SLC buy registration request on side to sell side S /SRMSMC/SUPPLIER_CREATE /SRMSMC/ buy side. All rights reserved. SAP Supplier Lifecycle Management 2. as response to transfer of changes to supplier data to SAP ERP SAP Supplier Lifecycle Management 2.Process Step Direction of RFC S/A RFC Function Modules Call Role of RFC User (Target System) RFC_SUP_MNGT_SELLSIDE ) Transfer key mapping SAP SLC sell data (supplier ID) from side to buy side S /SRMSMC/ Buy-Side RFC Inbound SUPPL_CHANGE_CALLBACK Processing when Transferring the Supplier Data sell side to buy side .as response to transfer of (/SRMSMC/ changes to supplier RFC_SUP_MNGT_BUYSIDE) data Table 23: Communication Destinations for Upload and Transfer of Supplier Data Between SAP Supplier Lifecycle Management and SAP ERP (Communication Process Type “Supplier Data Management”) Process Step Direction of RFC S/A RFC Function Modules Call If Customer Vendor SAP SLC buy Integration (CVI) is side to SAP ERP Role of RFC User (Target System) S SMC_SUPPLIER_GETLIST_BP SMC_SUPPLIER_GETDATA_BP used: Perform initial RFC Inbound Processing in ERP with CVI when Transferring Supplier Data upload of suppliers from SLC (SAP_ERP_SLC from SAP ERP to SAP _RFC_SUP_MNGT_BP) SLC If CVI is used: SAP SLC buy S SMC_SUPPLIER_CREATE_BP RFC Inbound Processing in Distribute supplier data side to SAP ERP ERP with CVI when to SAP ERP Transferring Supplier Data from SLC (SAP_ERP_SLC _RFC_SUP_MNGT_BP) If CVI is used: SAP SLC buy Distribute changes to side to SAP ERP A SMC_SUPPLIER_CHANGE_BP SMC_SUPPLIER_CHANGE_BP_RFCW supplier data to SAP RAP ERP RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC _RFC_SUP_MNGT_BP) If CVI is used: SAP SLC buy Distribute updates to side to SAP ERP A SMC_SUPPLIER_UPDATE_BP SMC_SUPPLIER_UPDATE_BP_RFCW supplier data to SAP RAP ERP RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC _RFC_SUP_MNGT_BP) Transfer key mapping SAP ERP to SAP data from SAP ERP to SLC buy side SAP SLC .0 Network and Communication Security S /SRMSMC/ Buy-Side RFC Inbound SUPPL_CHANGE_CALLBACK Processing when Transferring the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_BUYSIDE) PUBLIC © Copyright 2014 SAP AG. 45 . All rights reserved. SAP Supplier Lifecycle Management 2.0 Network and Communication Security . All rights reserved.Process Step Direction of RFC S/A RFC Function Modules Call If CVI is not used: SAP SLC buy Perform initial upload side to SAP ERP Role of RFC User (Target System) S SMC_SUPPLIER_GETLIST SMC_SUPPLIER_GETDATA of suppliers from SAP ERP to SAP SLC RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_ RFC_SUP_MNGT) If CVI is not used: SAP SLC buy S SMC_SUPPLIER_CREATE RFC Inbound Processing in Distribute supplier data side to SAP ERP ERP when Transferring to SAP ERP Supplier Data from SLC (SAP_ERP_SLC_ RFC_SUP_MNGT) If CVI is not used: SAP SLC buy Transfer of changes to side to SAP ERP A SMC_SUPPLIER_CHANGE SMC_SUPPLIER_CHANGE_RFCWRAP supplier data from SAP SLC to SAP ERP RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_ RFC_SUP_MNGT) Request creation of SAP SLC buy supplier data in side to SAP ERP S SMC_SUPPLIER_CREATE_MD RFC Inbound Processing in ERP when Transferring Leading SAP ERP Supplier Data from SLC (SAP_ERP_SLC_ RFC_SUP_MNGT) Request changes to SAP SLC buy supplier data in side to SAP ERP A SMC_SUPPLIER_UPDATE_MD_RFCW RFC Inbound Processing in RAP ERP when Transferring Leading SAP ERP Supplier Data from SLC (SAP_ERP_SLC_) RFC_SUP_MNGT) Transfer of changes of SAP ERP to SAP supplier data from SLC buy side S /SRMSMC/ Buy-Side RFC Inbound SUPPL_MODIFY_BY_MD_SYS Processing when Transferring Leading SAP ERP to the Supplier Data SAP SLC buy side (/SRMSMC/RFC_ SUP_MNGT_BUYSIDE) Transfer of changes of SAP SLC buy supplier data from SAP side to SAP ERP SMC_SUPPLIER_MODIFY_SLC (depends on customer’s roles in SAP ERP) SLC buy side to Leading SAP ERP 46 PUBLIC © Copyright 2014 SAP AG. All rights reserved. 47 .Process Step Direction of RFC S/A RFC Function Modules Call Replicate certificate SAP SLC buy types from SAP SLC side to sell side Role of RFC User (Target System) A /SRMSMC/CRT_REPLICATE Sell-Side RFC Inbound Processing when Transferring buy side to sell side the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_SELLSIDE ) Replicate purchasing SAP SLC buy categories from SAP side to sell side A /SRMSMC/PUC_REPLICATE Sell-Side RFC Inbound Processing when Transferring SLC buy side to sell the Supplier Data (/SRMSMC/ side RFC_SUP_MNGT_SELLSIDE ) Retrieve SAP ERP SAP SLC buy purchasing side to SAP ERP S BBP_RFC_READ_TABLE RFC Inbound Processing in ERP when Transferring organization and Supplier Data from SLC account group in SAP (SAP_ERP_SLC_ ERP and make it RFC_SUP_MNGT) available as input help in Customizing activity Define System Landscape and BackEnd Specific Distribution Data on the buy side Retrieve SAP SRM SAP SLC buy purchasing side to SAP SRM S BBP_OM_FIND_PURCH_ORG_EXT RFC Inbound Processing in SRM IC when Transferring organization and Supplier Data from SLC accounting group in (SAP_SRM_ SAP SRM and make it SLC_RFC_SUP_MNGT) available as input help in Customizing activity Define System Landscape and BackEnd Specific Distribution Data on the buy side Table 24: Communication Destinations for Upload and Transfer of Supplier Data Between Buy Side of SAP Supplier Lifecycle Management and SAP SRM (Communication Process Type “Supplier Data Management”) Process Step Direction of RFC S/A RFC Function Modules Call Perform initial upload SAP SLC buy of suppliers from SAP side to SAP SRM SRM to SAP SLC buy side SAP Supplier Lifecycle Management 2.0 Network and Communication Security Role of RFC User (Target System) S BBP_SUPPLIER_GETLIST BBP_SUPPLIER_GETDATA RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_ PUBLIC © Copyright 2014 SAP AG. Process Step Direction of RFC S/A RFC Function Modules Call Role of RFC User (Target System) RFC_SUP_MNGT) Distribute supplier data SAP SLC buy from SAP SLC buy side S BBP_SUPPLIER_CREATE side to SAP SRM RFC Inbound Processing in SRM IC when Transferring to SAP SRM Supplier Data from SLC (SAP_SRM_SLC_ RFC_SUP_MNGT) Transfer changes to SAP SLC buy supplier data to SAP side to SAP SRM A BBP_SUPPLIER_CHANGE BBP_SUPPLIER_CHANGE_RFCWRAP SRM (update business partner & contact RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_ person) RFC_SUP_MNGT) Transfer key mapping SAP SRM to SAP data from SAP SRM to SLC buy side S /SRMSMC/ Buy-Side RFC Inbound SUPPL_CHANGE_CALLBACK Processing when Transferring SAP SLC buy side - as the Supplier Data response to transfer of (/SRMSMC/ changes to supplier RFC_SUP_MNGT_BUYSIDE) data to SAP SRM Retrieve SAP SRM SAP SLC buy purchasing side to SAP SRM S BBP_OM_FIND_PURCH_ORG_EXT RFC Inbound Processing in SRM IC when Transferring organization and make Supplier Data from SLC it available as input (SAP_SRM_SLC_ help in Customizing RFC_SUP_MNGT) activity Define System Landscape and BackEnd Specific Distribution Data on the buy side Table 25: Communication Destinations for Supplier Evaluation Process Step Direction of RFC S/A RFC Function Module Role of RFC User A /SRMSMC/SRS_CREATE_ASYNC Buy-Side RFC Inbound Call Creation of follow-on Local call within documents to supplier SAP SLC buy-side Processing in Supplier evaluation requests system Evaluation (/SRMSMC/BG_SUP_ EVAL_BUYSIDE) Trigger of creation of Back-end system S/A /SRMSMC/EV_EVENT_INBOUND Buy-Side RFC Inbound evaluation response for (for example, SAP Processing in Supplier event-driven evaluation ERP, SAP SRM, Evaluation non-SAP system, depending on customer's BAdI 48 PUBLIC © Copyright 2014 SAP AG. All rights reserved. (/SRMSMC/BG_SUP_ EVAL_BUYSIDE) SAP Supplier Lifecycle Management 2.0 Network and Communication Security Process Step Direction of RFC S/A RFC Function Module Role of RFC User Call implementation) to SAP SLC buy-side system Table 26: Communication Destinations Specific to the Managing Activities Process (Communication Process Type "Supplier Data Management" Process Step Direction of RFC S/A RFC Function Modules Call Transfer task from buy SAP SLC buy side to sell side side to sell side Role of RFC User (Target System) A /SRMSMC/TSK_REPLICATE Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/ RFC_SUP_MNGT_SELLSIDE ) Submit task from sell SAP SLC sell side A side to buy side after to buy side /SRMSMC/TSK_INT_REPLICATE Buy-Side RFC Inbound Processing when Transferring the task was processed the Supplier Data by supplier on the sell (/SRMSMC/ side RFC_SUP_MNGT_BUYSIDE) Resend task from buy SAP SLC buy side to sell side after side to sell side A /SRMSMC/TSK_RESEND Sell-Side RFC Inbound Processing when Transferring the text in the task was the Supplier Data modified on the buy (/SRMSMC/ side (request for RFC_SUP_MNGT_SELLSIDE clarification) ) Resubmit task from sell SAP SLC sell side A side to buy side after /SRMSMC/TSK_INT_RESEND to buy side Buy-Side RFC Inbound Processing when Transferring the task was processed the Supplier Data again on sell side (/SRMSMC/ (clarification from RFC_SUP_MNGT_BUYSIDE) supplier) Overview of the RFC Roles Used in the Tables Above: Table 27 Description of Role Name of Role Buy-Side RFC Inbound Processing when Transferring the /SRMSMC/RFC_SUP_MNGT_BUYSIDE Supplier Data Sell-Side RFC Inbound Processing when Transferring the /SRMSMC/RFC_SUP_MNGT_SELLSIDE Supplier Data Buy-Side RFC Inbound Processing in Qualifying Suppliers /SRMSMC/RFC_SUP_QUAL_BUYSIDE Sell-Side RFC Inbound Processing in Qualifying Suppliers /SRMSMC/RFC_SUP_QUAL_SELLSIDE SAP Supplier Lifecycle Management 2.0 Network and Communication Security PUBLIC © Copyright 2014 SAP AG. All rights reserved. 49 Description of Role Name of Role Buy-Side RFC Inbound Processing in Registering Suppliers /SRMSMC/RFC_SUP_REG_BUYSIDE Sell-Side RFC Inbound Processing in Registering Suppliers /SRMSMC/RFC_SUP_REG_SELLSIDE Buy-Side RFC Inbound Processing in Supplier Evaluation /SRMSMC/BG_SUP_EVAL_BUYSIDE RFC Inbound Processing in ERP with CVI when Transferring SAP_ERP_SLC_RFC_SUP_MNGT_BP Supplier Data from SLC RFC Inbound Processing in ERP when Transferring Supplier SAP_ERP_SLC_RFC_SUP_MNGT Data from SLC Note This role can also be used when SAP ERP is the leading system. RFC Inbound Processing in SRM IC when Transferring SAP_SRM_SLC_RFC_SUP_MNGT Supplier Data from SLC For more information about how to implement RFC connections, about RFC users, and about the roles required, see SAP Help Portal at help.sap.com/slc <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Define RFC Connections Defining Process-Specific RFC Connections . 50 PUBLIC © Copyright 2014 SAP AG. All rights reserved. SAP Supplier Lifecycle Management 2.0 Network and Communication Security If your firewalls use URL filtering. you have to specify logon data for the following services: Table 28 /default_host/sap/bc/bsp/srmsmc/ Frontend Server for Supplier Registration ros_ext /default_host/sap/bc/bsp/srmsmc/ SLC Applic. For example. for example. see SAP Help Portal at help. ● Creation of External Aliases We recommend that you create external aliases for all ICF services. the authorization object SICF must be assigned to the role and the string must be specified in the authorization object. if you define logon data directly on the ICF service. ● Activation of Relevant ICF Services You activate only those ICF services in transaction SICF that are required for the applications running in your system. a string has been defined on the Service Data tab as the SAP Authoriziation. To enable a user with a specific role to access an ICF service.com <release> Configuration and Deployment Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Activate Services . For a list of the services required in SAP Supplier Lifecycle Management.sap. XSRF protection must be deactivated. For more information. ○ You can hide the path of the service in the URL.9 Internet Communication Framework (ICF) Security The security concept for users accessing Internet Communication Framework (ICF) services involves the following: ● Start Authorizations for ICF Services For each of the Web Dynpro ICF services.sap.com/slc <release> Configuration and Deployment Information Configuration Guide Important Settings for ICF Services . This can be useful. All rights reserved. see SAP Help Portal at help. see SAP Help Portal at help. In SAP Supplier Lifecycle Management. ○ You can create several external aliases for one service. in a system where the same ICF service is used in several clients.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability Platform-Wide Services Connectivity SAP Supplier Lifecycle Management 2. This has the following advantages: ○ You can avoid modifying SAP content.0 Internet Communication Framework (ICF) Security PUBLIC © Copyright 2014 SAP AG.sap. for Supplier Evaluation by Appraisers eva_cmn Without User ID Note For these ICF services. The system then checks whether users have the appropriate roles and the parameter settings in the authorization object S_ICF. note the URLs used for the services and adjust your firewall settings accordingly. For information about how to do this and for configuration of these services. this data could be overwritten. 51 . modifications can be overwritten by future software updates. All rights reserved. see SAP Help Portal at help. 52 PUBLIC © Copyright 2014 SAP AG. or SAP Supplier Lifecycle Management 2.0 Internet Communication Framework (ICF) Security .com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide the corresponding documentation for higher releases of SAP NetWeaver. For more information about ICF security.sap.Components of SAP Communication Technology Communication Between ABAP and Non-ABAP Technologies Internet Communication Framework Development Server-Side Development Creating and Configuring ICF Services Activating and Deactivating ICF Services or the corresponding documentation for higher releases of SAP NetWeaver. see Customizing Implementation Guide under CrossApplication Components Processes and Tools for Enterprise Applications Reusable Objects and Functions for BOPF Environment Dependent Object Attachment Folder Maintain Attachment Type Schema . Cookies The application uses a Web browser. The SAP Web AS must issue cookies and accept them. some processes when maintaining supplier master data enable storage of supplier master data and contact person data in the databases of SAP SRM and SAP ERP.10 Data Storage Security All data is stored in the buy-side and sell-side databases of the SAP Supplier Lifecycle Management system. In addition. SAP Supplier Lifecycle Management 2. All rights reserved.0 Data Storage Security PUBLIC © Copyright 2014 SAP AG. Attachments Attachments are stored in the SAP Content Server. 53 . This server allows attachment folders to be assigned either of the following storage categories: ● Storage of data in database: BS_ATF_DB ● Storage of data on HTTP content server: BS_ATF To display the storage category set for your system. it is necessary to consider compliance with industry-specific legislation in different countries. regional or country-specific requirements. Where-used check (WUC) A simple check to ensure data integrity in case of potential blocking. compliance with data privacy laws is not a product feature. All rights reserved. exists. The definitions and other terms used in this guide are not taken from any given legal source. if the data is still 54 PUBLIC © Copyright 2014 SAP AG.0 Data Protection . SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. After the EoP has been reached. etc. The WUC checks whether any dependent data for a certain customer. decisions related to data protection must be made on a case-bycase basis and under consideration of the given system landscape and the applicable legal requirements. that is. In addition to compliance with general data privacy acts. industry. supplier. Deletion Deletion of personal data so that the data is no longer usable. This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company. central business partner. Note In the majority of cases. SAP does not provide legal advice in any form. If dependent data exists. SAP Supplier Lifecycle Management 2. Glossary Table 29 Term Definition Personal data Information about an identified or identifiable natural person Business purpose A legal. this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment. contractual. Blocking A method of restricting access to data for which the primary business purpose has ended. the data is blocked and can only be accessed by users with special authorization. Retention period The time period during which data must be available. End of purpose (EoP) A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts. Furthermore.11 Data Protection Data protection is associated with numerous legal requirements and privacy concerns. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy. supplier. 11. Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). Data Flow. For more information. All rights reserved. the dependent data must be deleted by using the existing archiving and deletion tools or by using any other customer-specific solution.0 Data Protection PUBLIC © Copyright 2014 SAP AG. adequate logging of system changes. or central business partner. security note implementation. the system does not block the customer.1 Deletion of Personal Data SAP Supplier Lifecycle Management (SAP SLC) might process data (personal data) that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544.com/ slc20 Application Help Buy Side: Activities for Purchasers Managing the Supplier Portfolio Deleting and SAP Supplier Lifecycle Management 2. and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation. Network security. SAP SLC uses the standard archiving and deletion functions that is available for the business partner functionality. and Processes and in Network and Communication Security ● Input Control: The business objects in SAP SLC have fields on the user interface that show which user has created or changed the business object and when this change was performed. ● Read access logging: as described in section Read Access Logging below.Term Definition required for business activities. ● Transmission control as described in Security Aspects of Data. Caution The extent to which data protection is ensured depends on secure system operation. The following topics are related to data protection and require appropriate TOMs: ● Access control: Authentication features as described in section User Administration and Authentication. Configuration of Data Protection Functions Certain central functions that support data protection compliance in SAP Supplier Lifecycle Management are available in Customizing for Cross-Application Components under Data Protection Authorization Management General Settings and under Data Protection Deletion of Data Deletion of Business Partner Data . There is no additional logging. If you still want to block the data. ● Availability control as described in ● ○ Section Data Storage Security ○ SAP NetWeaver Database Administration documentation ○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Oriented View Solution Life Cycle Management SAP Business Continuity Function- Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept. ● Authorizations: Authorization concept as described in section Authorizations. 55 . see the application help for SAP SLC on SAP Help Portal at help.sap. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data. Relevant Application Objects and Available Deletion Functionality Table 30 Application Detailed Description Provided Deletion Functionality SAP Supplier Lifecycle Management Application help for SAP SLC on SAP Transaction used for deletion: SARA Help Portal at Archiving object relevant for deletion: (SAP SLC) Application Help for Purchasers Portfolio Suppliers help. For more information about RAL. 56 PUBLIC © Copyright 2014 SAP AG.com/slc20 Buy Side: Activities Managing the Supplier CA_BUPA Deleting and Archiving Archiving Archiving and Deleting Business Partner Data 11. of a business partner. In RAL. and in which time frame. SAP SLC does not deliver an end of purpose check (EoP) nor a where-used check (WUC). see Read Access Logging (RAL) in the documentation for SAP NetWeaver. sample configuration for RAL can be implemented with SAP Note 2052337. All rights reserved. With SAP Note 2053237. you can configure which read-access information to log and under which conditions.2 Read Access Logging If no trace or log is stored that records which business users have accessed data. Therefore.Archiving Suppliers Deleting Business Partners . it is difficult to track the person(s) responsible for any data leaks to the outside world. SAP Supplier Lifecycle Management 2. For SAP Supplier Lifecycle Management.0 Data Protection . for example. personal data is stored with the business object central business partner.sap. Blocking of Personal Data In SAP Supplier Lifecycle Management. you can implement code that allows your SAP SLC system to make use of the central lock that has been set for a central business partner. The virus scan is performed in the following cases: ● When attachments are uploaded from the user interface.sap. to enable these checks. You must make the Customizing settings for the virus scan profile both on the buy side and the sell side: ● Buy Side In Customizing for SAP Supplier Lifecycle Management under Lifecycle Management Virus Scan Interface ● Buy Side Basic Settings for SAP Supplier Sell Side Basic Settings for SAP Supplier Sell Side In Customizing for SAP Supplier Lifecycle Management under Lifecycle Management Virus Scan Interface Note The virus scan profile /SIHTTP/HTTP_UPLOAD is always used for Business Server Pages. you must have an external virus scanner installed. on the sell side or on the buy side.12 Security for Additional Applications Attachments The attachment types that you can use in SAP Supplier Lifecycle Management are: ● General attachments ● Certificates ● Supplier logos You can adjust settings for attachments. such as restricting the allowed MIME types. ● When attachments are transferred from the sell side to the buy side. users can choose whether to open the attachments or download them to their computers. 57 . All rights reserved. see SAP Help Portal at help. To do this. in Customizing for SAP Supplier Lifecycle Management under the following paths: ● Buy Side ● Supplier Portfolio Management Supplier Attachments Define Supported MIME Types . Virus Scan for Attachments You can activate virus scans that check attachments before they are uploaded and stored in the database. Note ● Attachments are never opened immediately.0 Security for Additional Applications SAP NetWeaver Platform SAP NetWeaver PUBLIC © Copyright 2014 SAP AG.com/netweaver SAP Supplier Lifecycle Management 2. Instead. ● Attachments uploaded by suppliers are only transferred from the sell side to the buy side. activate the virus scan profile /SIHTTP/HTTP_UPLOAD. ● Buy Side Activity Management ● Sell Side Supplier Data Maintenance ● Sell Side Activity Management Define MIME Types for Define MIME Types for Attachments . to enable these checks. Define Supported MIME Types . activate the virus scan profile /SRMSMC/FND_CFG/FILE_UPLOAD. Buy Side Supplier Qualification Basic Settings for Supplier Qualification Attachments Used for Qualification . You can perform a virus scan on the sell side and on the buy side. For more information. attachments uploaded by category managers and by activity managers on the buy side are not transferred to the sell side. Define MIME Types for Attachments . 0 Security for Additional Applications .sap.com/netweaver under SAP NetWeaver Platform SAP NetWeaver 7. SAP Supplier Lifecycle Management 2. More Information See SAP Help Portal at help. All rights reserved.0 including Enhancement Package 2 Application Help SAP Library <Language> SAP NetWeaver SAP NetWeaver By Key Capability Security System Security Virus Scan Interface or the corresponding documentation for higher releases of SAP NetWeaver. 58 PUBLIC © Copyright 2014 SAP AG.7.0 including Enhancement Package 2 Security Information Security Guide SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types Security Aspects for Usage Type DI and Other Development Technologies Security Aspects for BSP or the corresponding documentation for higher releases of SAP NetWeaver. Appraiser Without System User in Supplier Evaluation You can decide to not enable the function that allows appraisers who do not have a user ID to fill out evaluation responses. 59 .13 Dispensable Functions with Impacts on Security To minimize security risks. Supplier Data Maintenance on Sell Side You can decide to maintain supplier data on the buy side only and not allow suppliers to maintain their own data on the sell side. You can activate it in Customizing for SAP Supplier Lifecycle Management under Buy Side Supplier Evaluation Basic Settings for Supplier Evaluation Activate Appraisers Without User ID . the appraisers without user ID receive a link to the evaluation via e-mail. SAP Supplier Lifecycle Management 2. If you do enable this function.0 Dispensable Functions with Impacts on Security PUBLIC © Copyright 2014 SAP AG. By default. All rights reserved. this function is deactivated. They are logged on with a technical user that is common to all appraisers without user ID. you can decide not to use the following functions: Supplier Registration on Sell Side You can decide to create supplier data on the buy side only or transfer supplier data from back-end systems. and not allow suppliers to register on the sell side. 0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver by Key Capability Security Recommended WS Security Scenarios or the corresponding documentation for higher releases of SAP NetWeaver. ● Recommended WS Security Scenarios For more information.sap.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide Security Guides for Connectivity and Interoperability Technologies Web Services Security or the corresponding documentation for higher releases of SAP NetWeaver.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.sap. ● SAP NetWeaver Process Integration Security Guide For more information. see SAP Help Portal at help.0 Enterprise Services Security .com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. 60 PUBLIC © Copyright 2014 SAP AG. We recommend that you use SAP NetWeaver Process Integration (PI) or Web Services Reliable Messaging (WSRM) for enabling secure communication between the buy side and the sell side. see help.sap. For details about system communication using enterprise services in cross-system communication. All rights reserved.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types Security Guide for Usage Type PI or the corresponding documentation for higher releases of SAP NetWeaver. see section Communication Destinations. see help.14 Enterprise Services Security The following sections in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise services delivered with SAP Supplier Lifecycle Management: ● Web Services Security For more information. SAP Supplier Lifecycle Management 2. see SAP Help Portal at help.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. The data transferred using background remote function calls (bgRFCs) are monitored. SAP Supplier Lifecycle Management 2. For more information.15 Security-Relevant Logging and Tracing SAP Supplier Lifecycle Management uses application logging to log all changes to supplier and user master data. 61 .0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability Platform-Wide Services Connectivity Components of SAP Communication Technology Classical SAP Technologies (ABAP) RFC Background Communication bgRFC (Background Remote Function Call) or the corresponding documentation for higher releases of SAP NetWeaver.0 Security-Relevant Logging and Tracing PUBLIC © Copyright 2014 SAP AG. To analyze the application log. see SAP Help Portal at help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7. use transaction SLG1.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide Security Aspects for System Management Auditing and Logging or the corresponding documentation for higher releases of SAP NetWeaver. All rights reserved. For more information.sap. which is part of the logging and tracing mechanisms provided by SAP NetWeaver. 62 PUBLIC © Copyright 2014 SAP AG. SAP Supplier Lifecycle Management 2.0 . All rights reserved. com .www.sap.
Copyright © 2024 DOKUMEN.SITE Inc.