
Application Security Guide

mySAP™ SRM 4.0

Using SAP Enterprise Buyer 5.0, SAP Supplier Self-Services 2.0, SAP Catalog Content Management 1.0, SAP Enterprise Portal 6.0

Document Version 2.1 - February 11, 2005

SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2003 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic Server™ are trademarks of IBM Corporation in USA and/or other countries. ORACLE is a registered trademark of ORACLE Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One. SAP, SAP Logo, R/2, R/3, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Typographic Conventions

Type Style | Represents
Example Text | Words or characters that appear on the screen. These include field names, screen titles, and pushbuttons, as well as menu names, paths, and options. Cross-references to other documentation
Example text | Emphasized words or phrases in body text, titles of graphics, and tables
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code, as well as names of installation, upgrade, and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the Ctrl key.

Icons

Icon meanings: Caution, Example, Note, Recommendation, Syntax

Contents

Introduction
    Important SAP Notes
    Other Security Guides
    Overview of the Scenarios
Technical System Landscape
    Architecture
        Exchange of Data via External User Interfaces
        Exchange of Data/Documents via External System Interfaces
Network Security and Communication Security
    Communication Channel Security
        Enabling SSL (HTTPS) for Web Application Server 6.40
        Enabling SSL for J2EE 6.40
        Secure Connection of Application Systems to SAP XI
    Network Security
    Communication Destinations
User Administration and Authentication
    User Management
    Integration into Single Sign-On Landscapes
Authorizations
    1) ABAP Roles for SRM 4.0/ Enterprise Buyer 5.0
    2) ABAP Roles for SRM 4.0 (SUS Deployment)
    3) Catalog Content Management Roles
    4) Portal Roles (for Enterprise Portal 6.0)
    Changes to the Authorization Check
Appendix
    Virus Checking of Document Attachments
    Related Guides
    Additional Information
        Special Information for the Live Auction Cockpit 2.0
        Specific Information on Catalog Content Management 1.0

February 2005

Introduction


This guide does not replace the daily operations handbooks that we recommend customers create for their specific productive operations.

About this Guide

The solution mySAP Supplier Relationship Management (mySAP SRM) consists of different components, such as SAP Enterprise Buyer (EBP), SAP Bidding Engine (both reside on SRM Server) and Live Auction. This cross-component security guide provides security-relevant information for the individual SRM components. In many cases, the required information has already been provided in other security guides and in configuration and installation guides. In these cases, we have provided a reference to the relevant sections within these guides.

Security in the context of an SRM Solution comprises the following aspects:
- User authentication
- Support of Single Sign-On
- Administration and checking of user authorizations in order to prevent unauthorized access to saved data
- Secure data transfer between users and the SRM application components, especially in the case of browser-based access via the Internet
- General access control, including protection of the system against unauthorized external access
- Safeguarding of data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet

The individual components of the mySAP SRM solution are based on SAP standard technology, like SAP Web Application Server (including Internet Transaction Server) and SAProuter. This means that only the official precepts of the SAP Security strategy are used. The standard tools and mechanisms of the SAP NetWeaver Platform are used. In eighty percent of cases, an SRM system landscape comprises Enterprise Buyer and Live Auction. The User Management Engine (UME) is only required in conjunction with Enterprise Portal, and this is why UME is not covered by this guide. This Security Guide focuses on specific mySAP SRM implementations; the standard case is covered by the security guides of the respective basis technologies.

Target Groups
- Technical consultants
- System administrators


This document is not part of the installation, configuration, operation, or update guides, as these are often written for a certain phase of the software lifecycle. The information contained in this guide pertains to all phases of the software lifecycle.

Important SAP Notes


SAP Notes for SRM:

SAP Note Number | Title | Comment
39267 | Availability of the SAP Security Guide |
638963 | Error with Netscape 6.20 |
595519 | Include EBP in a portal |

For more SAP Notes on security, see the SAP Service Marketplace at http://service.sap.com/security -> SAP Security Notes -> SAP Notes on mySAP Security or the notes for the application area BC-JAS-SEC and BC-SEC.

Other Security Guides


SAP NetWeaver Security Guide

The SAP NetWeaver Security Guide provides an introduction to security with the SAP NetWeaver platform as well as individual security guides for each of the SAP NetWeaver components. See the tables below:

Introduction to Security with the SAP NetWeaver Platform

Topic | See
Technical System Landscape | Technical System Landscape
User Administration and Authentication | User Administration and Authentication
Network and Transport Layer Security | Network and Communication Security
Connectivity and Interoperability | Security Aspects for Connectivity and Interoperability

Related Security Guides for SAP NetWeaver Components

Components | See
Operating System and Database Platforms |
    Operating System and Database Platforms | Operating System and Database Platform Security Guides
Application Platform |
    SAP Web Application Server | SAP Web Application Server Security Guide: SAP Web AS Security Guide for ABAP Technology; SAP Web AS Security Guide for Java Technology; Internet Transaction Server Security; Security Aspects in Development; Security Aspects with SAP Web AS System Management
    SAP Content Server | SAP Content Server Security Guide
    SAP Knowledge Warehouse | SAP Knowledge Warehouse Security Guide
People Integration |
    Portal | Portal Platform Security Guide
    SAP Mobile Infrastructure | Security Guide for SAP Mobile Infrastructure
Information Integration |
    SAP Business Information Warehouse | SAP Business Information Warehouse Security Guide
    SAP Knowledge Management | Knowledge Management Security Guide: Search and Classification (TREX) Security Guide; Content Management Security Guide
Process Integration |
    SAP Exchange Infrastructure | SAP Exchange Infrastructure Security Guide

Under Appendix -> Related Guides, you can find a compilation of all useful SRM and SAP documents mentioned in this guide.


Overview of the Scenarios


(See also SRM Master Guide: Section 3 Business Scenarios of mySAP SRM.) Before you start the security setup, you need to decide which SRM components need to be installed. Also, you should have carried out a rough sizing exercise in order to answer questions on the technical setup. You can use this Security Guide to define the network structure, for example firewalls, routers, load balancing, protocols used, and the necessary configuration of the components, as well as a concept for User Administration. In this section, you can find the Software Component Matrix from the Master Guide, as well as a list of relevant sections of the Security Guide per scenario.

Software Component Matrix


This section provides an overview of which business scenario of this mySAP Business Suite solution (mySAP SRM) uses which components.

Business Scenario/Software Component Matrix (M = mandatory / O = optional)

Business scenarios:
- Catalog Content Management
- Spend Analysis
- Self-Service Procurement
- Plan-Driven Procurement
- Service Procurement
- Strategic Sourcing

Software components:
- SAP Supplier Relationship Management Server 5.0 (SAP SRM Server) (Based on SAP Web Application Server 6.40, comprises SAP Enterprise Buyer, SAP Bidding Engine and Supplier Self-Service)
- SAP Internet Transaction Server (SAP ITS) 6.20/ 6.40
- SAP Internet Pricing and Configurator 4.0 (SAP IPC)
- SAP Business Warehouse 3.5 (SAP BW) plus SAP BI Content 3.5.2 Add-On
- SAP Catalog Content Management 1.0 Add-On
- Search & Classification (TREX) 6.1
- SAP Enterprise Portal 6.0 (Portal Server)
- Live Auction Cockpit Web Presentation Server 2.0 (LACWPS)
- SAP Exchange Infrastructure 3.0 (SAP XI)

M O O M M O -O

M O O -O O -M

M -O M M O O O

M --M M O -M

M O O O O O -O

-O O -O

M M -M

Self-Service Procurement

[Figure: Self-Service Procurement. Application Gateway and firewall in front of SAP SRM Server 5.0 (EBP, ITS), SAP CCM 1.0 (BSP), SAP BW 3.5 (BSP, BI CONT 3.5.2), IPC 4.0, TREX 6.1, the backend system (R/3 3.1i / SAP ECC 5.0, MM, FI/CO, R/3 Plug-In) and XI 3.0 (XI Integration Engine, XI Content for CCM 1.0, RosettaNet 1.0 and SRM Server 5.0); connections labelled HTTP(S), HTTPS/OCI, RFC, (IDOC) and XML.]

Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP CCM. SAP BI 3.5 is used to carry out evaluations. The SRM Server (EBP) Web front end uses Internet Transaction Server (ITS) technology. With NetWeaver 04, the ITS 6.40 is part of the SAP Kernel 6.40. ITS 6.20, which is installed as a separate application, can also be used. The Web front end of SAP CCM 1.0 and SAP Business Intelligence is realized using Business Server Pages (BSP) technology.

Depending on the requirements of the SRM 4.0 installation (should SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
- SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5

Plan-Driven Procurement

[Figure: Plan-Driven Procurement. Application Gateway and firewall in front of SAP SRM Server 5.0 (EBP, ITS), SAP SRM Server 5.0 (SUS, BSP), SAP BW 3.5 (BI CONT 3.5.2), IPC 4.0, TREX 6.1 (Contracts), the backend system (R/3 3.1i / SAP ECC 5.0, MM, FI/CO, R/3 Plug-In) and XI 3.0 (XI Integration Engine, IDoc adapter, XI Content for SRM Server 5.0); connections labelled HTTP(S), RFC, IDOC and XML. Note in the figure: Separate IPC for SUS not needed if SUS and EBP are implemented in the same SAP system.]

Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly needed core materials. Suppliers can process purchase orders directly in the SAP SRM Server (SUS). The purchase orders are transferred to the SAP SRM Server (SUS) from the backend system via SAP Exchange Infrastructure (XI). The Web front end of the SAP SRM Server (SUS) is realized using BSP technology. Since suppliers log onto the SAP SRM Server (SUS) via the Internet, the HTTPS protocol should definitely be configured for the SAP SRM Server (SUS).

Necessary steps:
- SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (SUS)

If SAP SRM Server (EBP) is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following:
- SAP SRM Server 5.0 (EBP): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (EBP)
- Configure Application Gateway for SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
- If necessary, connect SAP SRM Server 5.0 (EBP) and SAP SRM Server 5.0 (SUS) via HTTPS and SNC to the SAP Exchange Infrastructure (See XI Security Guide: Section HTTP and SSL and RFC and SNC)

Service Procurement

[Figure: Service Procurement. Application Gateway and firewall in front of SAP SRM Server 5.0 (EBP, ITS), SAP SRM Server 5.0 (SUS, BSP), SAP CCM 1.0 (BSP), SAP BW 3.5 (BI CONT 3.5.2), IPC 4.0, TREX 6.1, the backend system (R/3 3.1i / SAP ECC 5.0, FI/CO, R/3 Plug-In) and XI 3.0 (XI Integration Engine, XI Content for SRM Server 5.0 and CCM 1.0); connections labelled HTTPS, HTTPS/OCI, HTTP(S), RFC and XML. Note in the figure: Separate IPC for SUS not needed if SUS and EBP are implemented in the same SAP system.]

This business scenario is used to cover the entire service procurement process.

Necessary steps:
- SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (SUS)

Depending on whether the SAP SRM Server (EBP) is also to be made available via the internet, or depending on the internal Security Policy, the following might also be necessary:
- SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
- If necessary, connect SAP SRM Server 5.0 (EBP), SAP SRM Server 5.0 (SUS), and SAP CCM 1.0 via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (See XI Security Guide: Section HTTP and SSL and RFC and SNC)

Catalog Content Management

[Figure: Catalog Content Management. Application Gateway and firewall in front of SAP CCM 1.0 (BSP) and SAP SRM Server 5.0 (EBP, ITS), each with XI proxy framework, XI integration engine and TREX 6.1, and XI 3.0 (XI Integration Engine, XI Content for CCM 1.0 and SRM Server 5.0); flows labelled HTTP(S), RFC, XML Catalog Upload, and XML master data and contract data.]

In SAP CCM 1.0, suppliers can upload their catalogs. The necessary function is provided in the Web front end. The Web front end is realized using Business Server Pages (BSP) technology. The upload occurs via the HTTPS protocol. The catalog is in XML or CSV format. The catalog is mapped in the SAP Exchange Infrastructure (XI) to convert it into SAP CCM XML format. Contract data can be loaded via the SAP Exchange Infrastructure (XI) from the SRM Server System. TREX (Search and Classification) helps you search for products in the catalog. In the scope of a procurement process, transfer of product data from SAP CCM to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user browser.

Necessary steps:
- Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM 1.0 (See CCM Configuration Guide: Section Setting Parameters for Internet Communication Manager)
- Configure SSO between SAP CCM and SAP SRM Server (See CCM Configuration Guide: Section Using SAP Catalog Content Management with SAP Enterprise Buyer)
- Configure TREX http(s) protocol (See TREX Installation Guide: Section Configuration of the HTTP Connection)
- If necessary, connect SAP CCM via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (See CCM Configuration Guide: Section SAP Exchange Infrastructure and XI Security Guide: Section HTTP and SSL and RFC and SNC)

Strategic Sourcing

[Figure: Strategic Sourcing. Application Gateway in front of SAP SRM Server 5.0 (EBP, Bidding Engine, ITS), SAP LAC WPS 2.0, SAP CCM 1.0 (BSP), SAP BW 3.5 (BI CONT 3.5.2), IPC 4.0, TREX 6.1, the backend system (R/3 3.1i / SAP ECC 5.0, MM, R/3 Plug-In) and XI 3.0 (XI Integration Engine, XI Content for CCM 1.0 and SRM Server 5.0); connections labelled HTTPS, HTTPS/OCI, HTTP(S), RFC, (IDOC) and XML.]

Within Strategic Sourcing, bid invitations are created in SAP SRM Server and suppliers are invited to participate in these bid invitations by submitting bids. Bid invitations can also be converted into Live Auctions. Live Auctions occur in the SAP LACWPS (Live Auction Cockpit). SAP LACWPS consists of a server part running on a SAP J2EE 6.40 and a Java Applet that communicates with the server. The Java applet is loaded into the browser of the user and is executed locally.

Necessary steps:
- SAP SRM Server 5.0 (EBP/ Bidding Engine): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Enable SAP J2EE 6.40 (SAP LACWPS) SSL (See Transport Layer Security on the SAP J2EE Engine: Section Configuring the Use of SSL on the SAP J2EE Engine)
- Configure Application Gateway for SAP SRM Server 5.0 (EBP/Bidding Engine)
- Configure Application Gateway for SAP LACWPS 2.0

Optional (if components are accessed via the Internet):
- Enable SAP CCM 1.0: WebAS 6.40 SSL (configure HTTPS protocol)
- Enable SAP BI 3.5: WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SRM Server/backend system and SAP BI 3.5

Spend Analysis

[Figure: Spend Analysis. Application Gateway and firewall in front of SAP BW 3.5 (BI CONT 3.5.2), SAP SRM Server 5.0 (EBP, ITS), TREX 6.1 (Contracts) and the backend system (R/3 3.1i / SAP ECC 5.0, MM, FI/CO, R/3 Plug-In); connections labelled HTTP(S) and RFC.]

SRM 4.0 enables you to consolidate data in mySAP Business Intelligence (SAP BI) and to carry out evaluations. The data for this comes from the SAP SRM Server or its backend system via RFC/SNC. Users access the reports via a Web front end that is realized using BSP technology.

If BW reports are also made available to suppliers, SAP BI has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario:
- Should the SRM system landscape be available to the purchasers via the Internet or only via the Intranet?
- Does the internal security policy require that HTTPS be used for all Web-based applications?

Necessary steps:
- Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM
- If necessary, configure SNC between SAP SRM Server/backend system and SAP Business Intelligence


Technical System Landscape



SRM supports various presentation technologies on which the individual SRM components run and via which user access/data transfer occurs. The architecture, determined by the respective presentation technology, is crucial for the security of an SRM system. The architecture determines the security concept.

Architecture
The architecture of an SRM system landscape is heavily dependent on the security measures that are in turn determined by the data to be transferred and the data channels. In an SRM system landscape, there are two types of channel via which data is exchanged and which require careful attention in terms of provision of security during data exchange via external interfaces:
- Exchange of data via external user interfaces
- Exchange of data/documents via external system interfaces

In both cases, the SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway. (SAP recommends that you use the SAP Web Dispatcher.) URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall. In this way, the SRM security concept follows the usual SAP security standards (that are used on a world-wide basis).

Exchange of Data via External User Interfaces


Data exchange via external user interfaces occurs in SRM in two different ways:
1. Data exchange via the Application Gateway using an internal Internet Transaction Server or for components with Web front end on BSP technology
2. Data exchange via JAVA Applet Live Auction Cockpit WPS (also via Application Gateway)

1. Data Exchange via the Application Gateway for Applications with Web Front ends on ITS and BSP Technology

The following SRM scenarios, where the Web front end is based on ITS or BSP technology, work on this principle:
- Self-Service Procurement
- Plan-Driven Procurement
- Service Procurement
- Catalog Content Management
- Spend Analysis
- (Strategic Sourcing with Bidding Engine but without LAC WPS)

[Figure: External Users Access via Application Gateway (ITS and BSP). Basic representation of the communication paths of the SRM components to the outside via the application gateway: Internet browser in the Internet zone, HTTP(S) through the external firewall to the Application Gateway (SAP Web Dispatcher) in the DMZ, HTTP(S) and HTTP(S)/OCI through the internal firewall to SRM Server 5.0 (EBP, Bidding Engine, ITS), SRM Server 5.0 (SUS, BSP), SAP CCM 1.0 (BSP) and SAP BW 3.5 (BSP, BI CONT 3.5.2) on SAP Basis 6.40 / SAP Kernel 6.40 (incl. ITS 6.40), with RFC to the backend system (R/3 3.1i / SAP ECC 5.0, R/3 Plug-In).]

The SAP Web Dispatcher functions as an Application Gateway and is used as a "software Web switch" between the Internet and your SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, the SAP Web dispatcher balances the load, so that the request is always sent to the server with the greatest capacity. More information: SAP Web Dispatcher


The SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) via the internal firewall of the DMZ. All security aspects are dealt with via the ITS and the SAP WAS. In this way, the SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.

2. Data Exchange via JAVA Applet Live Auction Cockpit WPS

In the SRM scenario Strategic Sourcing a JAVA Applet is loaded in the browser of an external supplier for Live Auctions (not for auctions via the Sourcing Cockpit of the SRM Bidding Engine). This applet communicates with the server part of the LAC on the J2EE 6.40 via the application gateway.

[Figure: External Users Access to Java Applet (LAC WPS). Basic representation of the communication paths of the SRM components incl. LAC WPS 2.0 to the outside: Internet browser in the Internet zone, HTTP(S) through the external firewall to the Application Gateway (SAP Web Dispatcher) in the DMZ, HTTP(S) and HTTP(S)/OCI through the internal firewall to SRM Server 5.0 (EBP, Bidding Engine, ITS), SAP CCM 1.0 (BSP) and SAP BW 3.5 (BI CONT 3.5.2) on SAP Basis 6.40 / SAP Kernel 6.40 (incl. ITS 6.40), and to LAC WPS 2.0 on SAP J2EE 6.40, which is connected via JCo; RFC to the backend system (R/3 3.1i / SAP ECC 5.0, R/3 Plug-In).]

The ABAP application Sourcing Cockpit allows external suppliers to participate in bid invitations that are created and evaluated using the SAP Bidding Engine. Auctions can be converted into Live Auctions and are then processed in the LAC. LAC is a JAVA component (LAC WPS) on presentation level whose runtime environment is the J2EE of SAP WAS 6.40.


LAC WPS consists of a server part that runs on J2EE 6.40 and a Java Applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with the SRM Server via RFC. Communication between the JAVA applet and the LAC WPS server occurs just like any HTTP(S) based communication with the Internet via Application Gateway that exists in the DMZ. (Each type of communication with the Internet that occurs via HTTP(S) makes use of the Application Gateway.) All security aspects are dealt with by SAP WAS.


Exchange of Data/Documents via External System Interfaces


[Figure: External Documents Exchange via XI. In the internal zone, SRM Server 5.0 (EBP, Bidding Engine, SUS, with XI proxy framework and XI integration engine), SAP BW 3.5 (BI CONT 3.5.2) and the R/3 backend system (MM, FI/CO, R/3 Plug-In) on SAP WAS 6.40 (incl. SAP J2EE 6.40) exchange data via RFC, HTTP(S) and XML with XI 3.0 (XI Integration Engine); XML over HTTP(S) and TCP/IP passes through the internal firewall to the Application Gateway (SAP Web Dispatcher) in the DMZ and on via HTTP(S) through the external firewall and the Internet to the firewall of the business partner IT landscape.]

In an SRM system landscape, the Exchange Infrastructure (XI) is used to transfer data in the form of documents via external system interfaces. Here, too, the Exchange Infrastructure of SAP Web Dispatcher is on an HTTP(S) Web server in the DMZ. All security aspects are dealt with by the SAP Web Dispatcher and the Exchange Infrastructure. (For more information, see SAP Web Dispatcher and SAP Exchange Infrastructure Security Guide)

See the following table for more information about the technical system landscape:

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace (service.sap.com)
Technical System Landscape | SRM Master Guide | http://service.sap.com/instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM


Network Security and Communication Security



Communication Channel Security
This section deals with measures to protect data that is being transferred from unauthorized access. Data transfer is by means of HTTPS (SSL encryption) that is also used in SAP system landscapes. The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the Secure Sockets Layer (SSL) protocol to provide the protection. For SAP protocols such as dialog and RFC, you can use Secure Network Communications. See Network Security for SAP Web AS ABAP and Network Security for the SAP J2EE Engine for an overview of the corresponding SAP Web AS connections and the security mechanism to use.

We recommend that you consult the following documentation on Network and Communication Security in the SAP NetWeaver Security Guide:
- Basic Network Topology for SAP Systems
- Network Services
- Using Firewall Systems for Access Control
    o Application-Level Gateways Provided by SAP
- Example Network Topology Using a SAProuter
- Example Network Topology When Using SAP Remote Services
- Using Multiple Network Zones
- Transport Layer Security
    o Secure Network Communications (SNC)
    o SNC-Protected Communication Paths in SAP Systems
- Additional Information on Network Security

Enabling SSL (HTTPS) for Web Application Server 6.40


This section is relevant for all Web applications that are based both on the ITS 6.40 and on BSP, so basically all scenarios with the exception of Strategic Sourcing with LAC WPS 2.0. This safeguards data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet.

The electronic exchange of business data between SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SRM customer will want to protect from unauthorized access. Here also, SRM makes use of the standard Internet features. With the HTTP adapter, the SAP Exchange Infrastructure supports the Secure HTTP protocol. By means of this protocol, all data is secured during the entire transfer from the sending system to the receiving system. As far as the automatic authentication of the participating systems is concerned, SRM relies on the exchange of certificates, which guarantees state-of-the-art security.

The communication channels within the mySAP SRM system landscape can be made secure using HTTPS (SSL). However, it only makes sense to use this encryption technology to achieve overall security for the channels.


Consult the Network and Transport Layer Security guide before carrying out the SSL settings for the SAP WAS 6.40:

- Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP
  o Configuring the SAP Web AS for Supporting SSL

To carry out the SSL settings for the ITS 6.40 (internal ITS on WAS 6.40), proceed in accordance with the following sections of the Web AS Security Guide:

- Internet Transaction Server Security
  o A Secure Network Infrastructure for the ITS
  o Protecting the Server and Network Components
  o TCP Ports Used by the ITS

For security issues regarding the SRM applications with a Web front end on a BSP basis, note the following documentation: Security Aspects for BSP

Enabling SSL for J2EE 6.40


This section is relevant if you want to implement the SRM scenario Strategic Sourcing with LAC WPS 2.0 (LAC WPS runs on the J2EE of SAP WAS 6.40). To configure SSL for LAC on J2EE 6.40, proceed in accordance with the following documentation: Configuring the Use of SSL on the SAP J2EE Engine

See also:

- Security Guide for Connectivity with the SAP J2EE Engine
- Transport Layer Security on the SAP J2EE Engine

Secure Connection of Application Systems to SAP XI


All XI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to the Exchange Infrastructure.

Depending on the protocol used, all data (including passwords) is usually transmitted through the network (intranet or internet) in plain text. To maintain the confidentiality of this data, you can apply transport layer encryption to the connection between the business systems, the Integration Server, the adapters, and the Web browser. SAP especially recommends using encryption when you transmit passwords, orders, company-specific information or any other data that you consider sensitive.

You can use Secure Sockets Layer (SSL) or Secure Network Communication (SNC) to increase the security of the following connections:

- Between adapters and Integration Server
- Between business systems and Integration Server
- Between PCK and Integration Server
- Between business systems and adapters

Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively.

Find detailed information here: SAP Exchange Infrastructure Security Guide -> Chapter Network and Communication Security -> HTTP and SSL and Security Configuration

For information on sending and receiving messages with the Adapter Engine using HTTPS/SSL, see: Configuration Guide - SAP XI 3.0: Chapter 10 Communication and Security and 10.1 HTTPS Configuration for the Adapter Engine

Integration of EBP Services into Enterprise Portal

Ensure that you have downloaded all relevant portal roles for SRM 4.0 from the iView studio at http://www.iviewstudio.com/. Here you can also find the current Business Package of SRM 5.0.

Security Information: Portal Platform Security Guide -> Secure Communications -> Communication Between Internal Components -> Communication with Backend Systems

Note:

- The portal and the ITS of the EBP system must run under the same protocol (both under HTTP or both under HTTPS; no other combination is possible).
- The portal and the ITS of the EBP system must be in the same domain.
- If you wish to implement your own EBP services, you must ensure that the iViews of the EBP services have EPCF level "2".


Network Security
General Access Control, Including Protection of the System and Stored Data Against Unauthorized External Access

General Standards: Firewalls, DMZ, SNC
SAP Standards: ITS, SAProuter

mySAP SRM is a solution with many external interfaces, including interfaces to the Internet. This makes mySAP SRM vulnerable to attempts from outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, mySAP SRM can offer protection in this regard based on the Authorization Concept within SAP WAS (SAP Authorization Concept).

It is important to understand that SRM is embedded in a comprehensive protection concept that offers protection both on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure. As the SRM architecture graphic shows, SAP recommends protecting the different SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet. Furthermore, SAP recommends installing protection against access to the entire data store of the various SRM application components.

For more information on firewalls and the relevant settings, see the section Network and Communication Security -> Using Firewall Systems for Access Control (for firewall settings) in the SAP NetWeaver Security Guide and SAProuter in the SRM documentation (for SAProuter settings). For more information on the settings for Secure Network Communications (SNC), see the section SNC-protected Communication in the SAP WebAS Security Guide.

See also: Additional Information on Network Security

Communication Destinations
All relevant communication destinations (such as RFC, IDoc, and so on) for mySAP SRM are described in the Business Scenario Configuration Guides. The following table provides an overview of the relevant sections:

Business Scenario Configuration Guide: SRM 4.0 Self-Service Procurement
Section: System Connections
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Self-Service Procurement

Business Scenario Configuration Guide: SRM 4.0 Plan-Driven Procurement
Section: System Connections
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Plan-Driven Procurement

Business Scenario Configuration Guide: SRM 4.0 Strategic Sourcing
Section: System Connections
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Strategic Sourcing

Business Scenario Configuration Guide: SRM 4.0 Catalog Content Management
Section: System Connections
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Catalog Content Management

Business Scenario Configuration Guide: SRM 4.0 Service Procurement SAP Service Procurement with Loose Supplier Integration/with Close Supplier Integration
Section: System Connections
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Service Procurement

Business Scenario Configuration Guide: SRM 4.0 Spend Analysis
Where to find: SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Spend Analysis


User Administration and Authentication


This section describes how user data is protected from unauthorized access and the aspects of authorization. X.509 certificates are used in conjunction with accounts and passwords as a general security standard. The SAP role concept and user attributes are used for authorization purposes. For more information, see the section Authenticating Users in the SAP WAS Security Guide.

There are three different scenarios for authenticating users in SAP System Internet applications. See:

- Authenticating Internet Users
- Authenticating Named Users With User ID and Password
- Authenticating Named Users Using X.509 Client Certificates

See Using X.509 Client Certificates for the procedure for configuring the system to use X.509 client certificates.

User Management
In general, SRM supports user authentication using user accounts and passwords. It also supports user authentication using X.509 certificates and, in this way, integrates seamlessly with a public key infrastructure. The following types of roles are supported: SRM Server roles and portal roles. New users can only be created by the user administrator or by a manager. In the case of self-registration by new users, the actual release of the new account has to be approved by the user administrator or manager.

To use the user approval workflow, the workflow WS10000192 has to be activated and the indicator Approval Indicator has to be set in the IMG under SRM Server -> Master Data -> Create Users -> Set Approval Indicator. As standard, creation of users is always approval-relevant.


Integration into Single Sign-On Landscapes


Support of Single Sign-On on SRM

Because mySAP SRM consists of a range of different application components, and certain SRM users must access several of these applications, the support of Single Sign-On is a significant benefit. In SRM the standard SSO mechanism is used (the initial application generates the SSO cookie, which is stored in the user's web browser, and other applications accept it). (For security reasons, the cookie is placed in the main memory and is automatically deleted as soon as the user actively logs off or closes the browser.) Using this cookie, users can access all SRM applications for which they are authorized without having to go through the authentication process again. When the user accesses applications based on SAP R/3, such as SAP EBP, the cookie is converted to a SAP Logon ticket on-the-fly. Single Sign-On in SRM is supported both with and without the Enterprise Portal.

For more information on SSO and Authentication Methods on SAP Web AS, see: SAP Web Application Server Security Guide -> Authentication and Single Sign-On User Authentication and Single Sign-On -> Using Logon Tickets
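The following pre-deployment check is an added example, not SAP code and not part of the original guide. It tests the rules stated in the note on integrating EBP services into the Enterprise Portal (same protocol, same domain, EPCF level "2") and the statement above that the SSO cookie is kept in memory only. Assumptions: the function names are hypothetical, "same domain" is read as the same DNS suffix, MYSAPSSO2 is used as the logon ticket cookie name, and all sample URLs and header values are constructed.

```python
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: MYSAPSSO2 is the usual name of the SAP logon ticket cookie.
# The guide does not name the cookie, so callers can override it.
SSO_COOKIE = "MYSAPSSO2"
REQUIRED_EPCF_LEVEL = 2  # guide: iViews of own EBP services need EPCF level "2"


def dns_domain(host):
    """Return the DNS domain of a fully qualified host name, else None.

    Assumption: "same domain" means the same DNS suffix after the host label,
    so portal.corp.example and ebp.corp.example share corp.example.
    """
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # an IP literal carries no DNS domain
    except ValueError:
        pass
    _, _, domain = host.rstrip(".").lower().partition(".")
    return domain or None  # short host names have no domain either


def check_integration(portal_url, its_url, set_cookie, iview_levels,
                      cookie_name=SSO_COOKIE):
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []
    portal, its = urlsplit(portal_url), urlsplit(its_url)

    # Rule 1: portal and ITS run both under HTTP or both under HTTPS.
    for label, url in (("portal", portal), ("ITS", its)):
        if url.scheme not in ("http", "https"):
            findings.append(("BAD_SCHEME", f"{label} URL has scheme {url.scheme!r}"))
    if portal.scheme != its.scheme:
        findings.append(("PROTOCOL_MISMATCH",
                         f"portal uses {portal.scheme}, ITS uses {its.scheme}"))

    # Rule 2: portal and ITS are in the same domain.
    portal_dom, its_dom = dns_domain(portal.hostname), dns_domain(its.hostname)
    if portal_dom is None or its_dom is None:
        findings.append(("NO_DOMAIN",
                         "use fully qualified host names, not short names or IPs"))
    elif portal_dom != its_dom:
        findings.append(("DOMAIN_MISMATCH", f"{portal_dom} != {its_dom}"))

    # Rule 3: the SSO cookie is memory-only, so it must not carry a lifetime.
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(cookie_name)
    if morsel is None:
        findings.append(("NO_SSO_COOKIE", f"{cookie_name} not set in the response"))
    elif morsel["expires"] or morsel["max-age"]:
        findings.append(("PERSISTENT_SSO_COOKIE",
                         f"{cookie_name} has Expires/Max-Age and survives a browser restart"))

    # Rule 4: iViews of self-implemented EBP services have EPCF level 2.
    for name, level in sorted(iview_levels.items()):
        if int(level) != REQUIRED_EPCF_LEVEL:
            findings.append(("EPCF_LEVEL", f"iView {name} has EPCF level {level}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real landscape.
    for code, msg in check_integration(
        "https://portal.corp.example:50001/irj/portal",
        "http://ebp.dmz.example:8000/its",
        "MYSAPSSO2=CONSTRUCTED_TICKET; Path=/; Max-Age=86400",
        {"com.example.custom_shop": 1},
    ):
        print(code, "-", msg)
```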


Authorizations
In SRM one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict his access, for example, employees may only assign purchase orders to their own cost centers.

In the standard SRM delivery, customers receive predefined role templates that they can extend or adapt to their specific requirements. The standard roles include roles for managers, employees, and so on.

Individual users access SRM transactions and data via their browsers and then transfer sensitive confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data during the transfer from the Web Server to the browser. SRM follows the standard in this case and supports secure HTTP.

Roles for System Configuration


Users wanting to set up or configure an SRM Server system are assigned to the SRM Administrator role, which provides them with the required authorizations. The necessary Customizing authorizations ensure that these setup users are able to carry out IMG projects.

See the SAP Library (http://help.sap.com/): SAP NetWeaver -> SAP NetWeaver Technical Operations Manual -> Administration of the SAP Web Application Server -> Management of the ABAP Subsystem -> Users and Roles (BC-SECUSR) -> Role Maintenance -> Role Maintenance Functions: Customizing Auth.

SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance (transaction PFCG).


1) ABAP Roles for SRM 4.0/ Enterprise Buyer 5.0


The following roles are delivered: Roles/ Technical Names Employee
SAP_EC_BBP_EMPLOYEE

Services (Menu Entry) Transaction


Request Shop BBPSC18 BBPSC02

Authorization Group
AAAB

Authorization Objects
B_BUPA_RLT (02,03) B_BUPR_BZT (ACTVT 02; RELTYP BUR010) S_ME_SYNC (38) S_PRO_AUTH (03) S_RFC S_TCODE

S_RFC

S_TCODE

ARFC

BBP_BGRD_APPROVAL

BBP_ATTR_MAINT BBP_CTR_DISP

SAP_BBP_STAL_EMPLOYEE SAP_BBP_MULTI_EMPLOYEE

Shop (one screen) Check Status Confirm Goods/Services Enter Invoice/Credit Memo Inbox OLD Approval

BBPSC03 BBPSC04 BBPCF02 BBPIV02

BBP_BD_META_BAPIS BBP_BS_POD BBP_BS_RQD BBP_BS_RSD BBP_CHANGE_DOC

BBP_CTR_DISPNR BBP_CTR_EXT_PO BBP_CTR_WF_APP BBP_GETCD_ITS

BBPBWSP BBPBWSP_SIMPLE

BBP

BBP_FUNCT BBP_PD_CNF BBP_PD_INV BBP_PD_PO (ACTVT: 03) BBP_PD_QUO (ACTVT: 03, 75) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_PC

BBP_OCI_AGENT

BBP_CROOM_CTR BBP_CROOM_INV BBP_CROOM_SC BBP_FRAMEWORK

BBP_POC_WF_APP BBP_POC_WF_REV BBP_QUOT_EXTST BBP_SC_DARKAPP_IAC

BBP_IU_GEN BBP_REQREQ BBP_WAP

BBPAT03 BBPAT04 BBPAT05

BC_A

C_DML (ACTVT: 03) S_DATASET (ACTV: 33, 34; PROGRAM: SAPLSWT01) S_TABU_DIS (03) S_USER_GRP (02, 03)

BBP_WAP_INBOX

BBPATTRMAINT

BBPFAKEWP ERFC RFC1

BBPCF04 BBPCF05 BBPGLOBAL

BC_C

S_DEVELOP (ACTVT: 16; Package: dummy; object name: BUS*; object type: SOBJ; authorization group = dummy)


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group
BC_Z

Authorization Objects
S_OC_DOC S_OC_FOLCR S_OC_ROLE S_OC_SEND S_OC_TCD ( SO01, SO02, SO03, SO04)

S_RFC

S_TCODE

RSAN SDIF SDIFRUNTIME SI17_V SKBW

BBPHELP BBPIV04 BBPIV05 BBPIV06 BBPPU01

S_BDS_DS (01, 02, 03, 04, 06) S_WF_LVIEW S_WF_WI HR PLOG P_TCODE (PF*, PP*)

SSCV SU_USER SURL SUSO SUSW SWEL SWLWFIN SWOR SWWA SYST SYSU

BBPPU02 BBPPU03 BBPPU05 BBPPU08 BBPPU11 BBPPU12 BBPPU16 BBPPU17 BBPSC08 BBPSC10 BBPST01

WP_USER_MENU

BBPVE01 BBPWI BWSP SWK1 T*

Manager
SAP_EC_BBP_MANAGER SAP_BBP_STAL_MANAGER SAP_BBP_MULTI_MANAGER

Edit Attributes Process Company Data (hosted)

BBPATTRMAINT BBPMAINMANAGER

AAAB BBP

S_RFC S_TCODE

BBPMAINAPP

BBP_POC_DISPLY BBP_QUOT_EXTWF

BBP_PD_PO (ACTVT: 03)

BBPBWSC1 BBPMAINAPP BBPPU05 BBPPU07 BBPRP01


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects

S_RFC

S_TCODE

BBPSC07 BWSP T*

Purchasing Assistant
SAP_EC_BBP_SECRETARY

Shop

BBPSC01

AAAB

S_TCODE

BBP_BW_SC3

Create Public Templates

BBPSC05 BBPPCO02 BBPCF03

BBP

M_BBP_CONF M_BBP_I_IN M_BBP_SHLP (inactive)

BBP_BW_SC4 BBPCF03 BBPIV03

SAP_BBP_STAL_SECRETARY SAP_BBP_MULTI_SECRETARY

Enter Purchase Order Response Confirm Goods / Services Centrally Enter Invoice / Credit Memo Centrally Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening

BBPIV03

BBPPU02

BBP_BW_SC4 BBP_BW_SC3 /sap/ros_prescreen/main.do

BBPPU04 BBPPU05

BBPPU06

BBPPU10 BBPSC03 BBPSC04 BBPSC05 BBPSC06

Professional Purchaser
SAP_EC_BBP_PURCHASER

Shop

BBPSC01

AAAB

/SAPCND/CM (Application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT

BBP_AUC_SRM_EX

Create Public Templates

BBPSC05 BBPCF03

BBP_BID_EVAL BBP_BID_EXTSO

SAP_BBP_STAL_PURCHASER SAP_BBP_MULTI_PURCHASER

Confirm Goods / Services Centrally Enter Invoice / Credit Memo Centrally Process Purchase Order Issue Purchase Order

BBPIV03

B_USERST_T

BBP_CFOLDER

BBP_POC BBP_PPF BBP

S_TCODE BBP_BUDGET

BBP_CTR_EXT_CR BBP_CTR_EXT_PO


Roles/ Technical Names

Services (Menu Entry) Transaction


Process Purchase Order Response Process Global Outline Agreement BBPPCO01

Authorization Group

Authorization Objects
BBP_FUNCT

S_RFC

S_TCODE

BBP_CTR_EXT_WF

BBP_CTR_MAINCC

BBP_PD_AUC

BBP_POC_DISPLY

Process Contract BBP_CTR_MAIN Issue Contract Process Bid Invitation Process Auction Carry Out Sourcing Analysis SC per Cost Center Analysis SC per Product BBP_PPF_CONT BBP_BID_INV BBP_AUCTION BBPSOCO01 BBP_BW_SC4 BBP_BW_SC3

BBP_PD_BID BBP_PD_CNF BBP_PD_CTR BBP_PD_INV BBP_PD_PCO BBP_PD_PO BBP_PD_QUO BBP_PD_SC

BBP_POC_WF_REQ BBP_QUOT_EXTWF BBP_TRIGG_MEN BBPDIFF BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02

Manage Business Partner Data BBPMAININT Manage Business Partner (Hosted) BBPMAINPURCH Edit Addresses BBPADDRINTV BBPAVLMAINT BBPWLRA01 BC_A

BBP_PD_VL

BBPPU04

M_BBP_PC (PCMAS_ACT: 03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: PLAN, RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT: 03, 16; SXMBACTION: RUNTIME) BC_C S_DEVELOP

BBPPU05

Process Vendor List Reassign Workload

BBPPU06 BBPPU07

Display Changes BBP_SUPP_MONI

BBPPU10 BBPRP01 BBPSC03

BBPSC04

BBPSC06

BBPSC14

BBPSC15


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group
BC_Z

Authorization Objects
S_APPL_LOG (03) S_IDOCCTRL

S_RFC

S_TCODE

BBPSC16 BBPSC17 BBPSC18 BBPSC19 BBPSHOWVD BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER

Purchase Manager
SAP_BBP_STAL_PURCHASE_MANAGER SAP_BBP_MULTI_PURCHASE_MANAGER

Only composite role

Operational Purchaser

Shop

BBPSC01

AAAB

/SAPCND/CM / (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT

BBP_AUC_SRM_EX

SAP_EC_BBP_OP_PURCHASER SAP_BBP_STAL_OPERAT_PURCHASER

Create Public Templates Confirm Goods/Services Centrally Enter Invoice/Credit Memo Centrally

BBPSC05 BBPCF03

BBP_BID_EVAL BBP_BID_EXTSO

BBPIV03

B_USERST_T

BBP_CTR_EXT_CR

Process Purchase Orders BBP_POC Issue Purchase Orders Enter Purchase Order Response Process Purchase Order Response Assign Global Outline Agreement Process Contracts BBP_PPF BBPPCO02 BBPPCO01 BBP

S_TCODE BBP_BUDGET BBP_FUNCT BBP_PD_AUC

BBP_CTR_EXT_PO BBP_CTR_EXT_WF BBP_POC_DISPLY BBP_POC_WF_REQ

BBP_CTR_SEARCC BBP_CTR_MAIN

BBP_PD_BID

BBP_PPF_CONT

BBP_PD_CNF

BBP_TRIGG_MEN


Roles/ Technical Names

Services (Menu Entry) Transaction


Process Bid Invitations Process Auctions Carry Out Sourcing Analysis SC per Cost Center Analysis SC per Product Edit Addresses BBP_BID_INV BBP_AUCTION BBPSOCO01 BBP_BW_SC4 BBP_BW_SC3 BBPADDRINTV

Authorization Group

Authorization Objects
BBP_PD_CTR BBP_PD_INV BBP_PD_PO BBP_PD_QUO BBP_PD_SC M_BBP_PC (03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)

S_RFC

S_TCODE

BBPDIFF BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02 BBPPU04 BBPPU05 BBPPU06

Display Changes BBP_SUPP_MONI BC_A Vendor Prescreening /sap/ros_prescreen/main.do

BBPPU07 BBPPU10 BBPRP01

BBPSC03

BBPSC04

BBPSC06

BC_Z

S_APPL_LOG (03) S_IDOCCTRL

BBPSC14 BBPSC15 BBPSC16 BBPSC17 BBPSC18 BBPSC19 BBPSHOWVD BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects

S_RFC

S_TCODE

Strategic Purchaser

Process Bid Invitation

BBP_BID_INV BBP_AUCTION BBP_CTR_MAINCC BBPPCO01

AAAB

/SAPCND/CM / (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT

BBP_AUC_SRM_EX

SAP_EC_BBP_ST_PURCHASER SAP_BBP_STAL_STRAT_PURCHASER

Process Auction Process Global Outline Agreement Process Purchase Order Response

BBP_BID_EVAL BBP_BID_EXTSO

B_USERST_T

BBP_CFOLDER

Process Contract BBP_CTR_MAIN Issue Contract Process Vendor List BBP_PPF_CONT BBPAVLMAINT BBP

S_TCODE BBP_BUDGET BBP_FUNCT BBP_PD_AUC

BBP_CTR_EXT_CR BBP_CTR_EXT_PO BBP_CTR_EXT_WF BBP_POC_DISPLY

Manage Business Partner Data BBPMAININT Edit Addresses Reassign Workload Vendor Prescreening BBPADDRINTV BBPWLRA01 /sap/ros_prescreen/main.do

BBP_PD_BID BBP_PD_CNF (ACTVT: 03) BBP_PD_CTR

BBP_POC_WF_REQ BBP_PPF BBP_QUOT_EXTWF

BBP_PD_INV (ACTVT: 03) BBP_PD_PCO (ACTVT: 03) BBP_PD_PO BBP_PD_QUO BBP_PD_SC (ACTVT: 02, 03) BBP_PD_VL M_BBP_PC BC_A S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV

BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02 BBPPU04 BBPPU05 BBPPU06 BBPPU07 BBPPU10

BBPRP01 BBPSC14


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects
S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_DEVELOP

S_RFC

S_TCODE

BBPSC15

BBPSC16

BBPSC17

BBPSHOWVD

BBPSOCO01 BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER

BC_Z

S_APPL_LOG (03) S_IDOCCTRL

Content Manager
SAP_EC_BBP_CONTENT_MANAGER

Import Product Master Hierarchies Import Products

BBP_CT_SCM_STAGING BBP_CT_STAGING COMMPR01 COMMPR02 BBP_CCM_TRANSFER

AAAB

/SAPCND/CM COMM_ATT COMM_ATTRSET (application: BBP; RSET use: PR) COM_ASET (01, 02, 03, 06) COM_CAT (01, 02, 03) COM_HIER (01, 02, 03) COM_IL (ACTVT: 01, 02, 03, 06; RELTYPE: PRDCTI, PRDCTN, PRDMPI, PRDMPN, PRDVND, PRDVNI) COM_PRD (01, 02, 03, 06) COM_PRD_CT (01, 02, 03, 06) S_IFC S_RFC S_TCODE COMM_PC AT_LOC CRM_PRD BBP_CT COMM_HIERARCHY COMM_PCAT_LOC COMM_PCAT_PROFILE

SAP_BBP_STAL_CONTENT_MANAGER

Process Products Activate Products Data Transfer from Product Master to Catalog

Maintain Products in SUS

CONTENT

BC_A

S_BTCH_JOB (job action: RELE)


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects
S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)

S_RFC

S_TCODE

BC_Z

S_APPL_LOG (ACVT 03; ALG_OBJECT: COM_PRODUCT_CATALOG; ALG_SUBOBJ: EXPORT_XML)

Component Planner

Component Planning for Orders

BBPOR01

AAAB

S_TCODE

Only standard

SAP_EC_BBP_PLANNER SAP_BBP_STAL_PLANNER

Component Planning for Projects Change Settings

BBPPS01

BBPAT05

Internal Dispatcher
SAP_EC_BBP_RECIPIENT SAP_BBP_STAL_RECIPIENT SAP_BBP_MULTI_RECIPIENT

Confirm Goods / Services Centrally Find Goods Recipient

BBPCF03

AAAB

S_TCODE

Only standard

BBP_PM01

BBP

BBP_FUNCT BBP_PD_CNF BBP_PD_PO (ACTVT: 03)

Accounts Payable Clerk


SAP_EC_BBP_ACCOUNTANT

Invoice and Credit Memo Centrally Issue Document

BBPIV03

AAAB

S_TCODE

Only standard

BBP_TRIGG_MEN

BBP

BBP_FUNCT BBP_PD_INV (ACTVT: 01, 02, 03, 06) BBP_PD_PO (ACTVT: 03)

SAP_BBP_STAL_ACCOUNTANT SAP_BBP_MULTI_ACCOUNTANT

Backend Posting (Hosted) BBPBC1

Bidder
SAP_EC_BBP_BIDDER SAP_BBP_STAL_BIDDER SAP_BBP_MULTI_BIDDER

Process Bid

BBP_QUOT AAAB

/SAPCND/CM (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03)

BBP_CFOLDER BBP_FRAMEWORK

BBP_CFOLDER

Process User Data

BBPMAINEXT

BBPGLOBAL

BBPFAKEWP RFC1

BBPMAINNEW BBPST01


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects
S_RFC S_TCODE

S_RFC

S_TCODE

RSAN SDIF SDIFRUNTIME SI17_V SKBW

BBPVENDOR BBPWI

BBP

BBP_PD_AUC (03) BBP_PD_BID (03) BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2200, BUS2202, BUS2208)

BC_A

S_DATASET (33) SSCV S_TABU_DIS (03) SU_USER SURL

BC_Z

S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG

HR

SUSO SUSW SWLWFIN SWOR SYST SYSU WP_USER_MENU

Vendor
SAP_EC_BBP_VENDOR

Enter Delivery / Service Enter Invoice / Credit Memo

BBPCF01

AAAB

/SAPCND/CM (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03) S_RFC S_TCODE

BBP_CFOLDER BBP_FRAMEWORK

BBP_BGRD_APPROVAL

BBPIV01 BBPMAINEXT BBPADDREXT BBPBWSP BBPBWSP_SIMPLE BBP

BBP_CFOLDER

SAP_BBP_STAL_VENDOR SAP_BBP_MULTI_VENDOR

Process User Data Edit Addresses Inbox OLD Approval

BBPADDREXT BBPFAKEWP RFC1 RSAN SDIF SDIFRUNTIME

BBP_QUOT BBPGLOBAL BBPMAINNEW BBPST01 BBPVENDOR BBPWI

BBP_PD_AUC (03) BBP_PD_BID (03)


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2203, BUS2205)

S_RFC

S_TCODE

SI17_V

SWK1

BC_A BC_Z

S_TABU_DIS (03) S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG

SKBW SSCV

HR

SU_USER SURL SUSO SUSW SWLWFIN SWOR SYST SYSU WP_USER_MENU

Company Administrator (MarketSet)


SAP_EC_BBP_COMPANY_ADMIN SAP_BBP_MULTI_COMPANY_ADMIN

Process Local Accounting Data

BBP_MS_STD_ACC_C AAAB

S_TCODE

BBPPU09

Customizable Messages Messages in XML Define Impersonal Account Process FIBackend Process Vendor Number in Backend Process Tax Code Monitor Shopping Cart

BBP_MS_MSG1_C BBP_MS_MSG2_C BBP_MS_ACC_DET_C BBP_MS_BE_C BBP_BE_LIST BBP_MS_MAP_TAX_C BBP_MON_SC

BBP BC_A BC_C

BBP_FUNCT (MON_ALERTS) BP_PD_SC (ACTVT: 01, 02, 03, 06) S_TABU_CLI

BBPSHOWVD SYST

S_TABU_DIS (ACTVT: 02, 03) S_TRANSLAT (ACTVT: 02)

Administrator

Application Monitors

BBPADM_COCKPIT

AAAB

B_BUPA_ATT


Roles/ Technical Names

Services (Menu Entry) Transaction


BBP_MON_SC BBP_CTR_MON

Authorization Group

Authorization Objects
B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT B_BUPR_FDG B_CCARD S_RFC

S_RFC

S_TCODE

SAP_EC_BBP_ADMINISTRATOR SAP_BBP_STAL_ADMINISTRATOR SAP_BBP_MULTI_ADMINISTRATOR

Monitor Shopping Carts Monitor Contract Distribution

Monitor Business Partner BBP_SUPP_MONI Synchronization with Backend Manage User Data Edit Internal Addresses Manage Business Partners Edit External Addresses Edit Attributes BBP_CLEANER BBPUSERMAINT BBPADDRINTC BBPMAININT BBPADDRINTV BBPATTRMAINT BBP

S_TCODE BBP_BUYER BBP_FUNCT BBP_PD_AUC (03) BBP_PD_BID (03) BBP_PD_CNF (03) BBP_PD_CTR (03) BBP_PD_INV (03) BBP_PD_PCO (03) BBP_PD_PO (03) BBP_PD_QUO (03) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_IM_1 M_BBP_PC BC_A S_ADMI_FCD S_ARCHIVE S_BTCH_ADM S_BTCH_JOB S_BTCH_NAM


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group

Authorization Objects
S_CTS_ADMI S_DATASET S_ENQUE S_GUI S_RZL_ADM S_TABU_CLI S_TABU_DIS S_USER_AGR S_USER_AUT S_USER_GRP S_USER_PRO S_USER_SYS S_USER_TCD S_USER_VAL S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_XMI_PROD

S_RFC

S_TCODE

BC_C

S_DEVELOP S_DOKU_AUT S_PROGRAM S_TRANSPRT

BC_Z

S_APPL_LOG S_IDOCCTRL S_IDOCDEFT S_IDOCMONI S_IDOCPART S_IDOCPORT S_IDOCREPA S_NUMBER S_SCD0 S_WF_WI S_WFAR_OBJ S_WFAR_PRI


Roles/ Technical Names

Services (Menu Entry) Transaction

Authorization Group
HR

Authorization Objects
PLOG P_TCODE

S_RFC

S_TCODE

Create Vendor (Dummy)


SAP_EC_BBP_CREATEVENDOR

Request Vendor or Bidder

BBPMAINNEW AAAB

B_BUPR_BZT

BBPMAINNEW

S_TCODE

Create User (Dummy)


SAP_EC_BBP_CREATEUSER

Create User

BBPAT03

AAAB

B_BUPA_RLT

BBPAT03

Forgotten Username / Password

BBPAT04

S_TCODE

BBPAT04

BC_A

S_USER_AGR S_USER_GRP S_USER_PRO S_USER_TCD

SU01

HR

PLOG

Subscribe Marketplace
SAP_EC_BBP_SUBSCRIBE_MARKETPLC

Subscribe to EBP on Marketplace

BBPSUBSCRIBE AAAB

B_BUPA_RLT

ARFC

BBPSUBSCRIBE

S_RFC

BBP_ATTR_ORG BBP_ATTR_PD BBP_FRAMEWORK BBPFAKEWP RFC1 RSAN SDIFRUNTIME SSCV SU_USER SWOR SYST SYSU

S_TCODE BC_A S_USER_AGR S_USER_GRP S_USER_PRO S_USER_TCD HR PLOG


2) ABAP Roles for SRM 4.0 (SUS Deployment)


Roles/ Technical Names Order Processor
SAP_EC_SUS_ORDER_PROCESSOR

Folder
Purchase Orders

Menu Entry
All New Changed In Process Confirmed Partially Confirmed

Authorization Group Authorization Objects


AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF) BBP BBP_FUNCT BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235) BC_A S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG

Administration Messages

Own Data Read Messages

HR

SAR Processor
SAP_EC_SUS_SAR_PROCESSOR

Scheduling Agreement Releases

All New Changed In Process Confirmed Partially Confirmed

AAAB

B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF)

Administration Messages

Own Data Read Messages

BBP

BBP_FUNCT BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235)

BC_A

S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)

BC_Z

S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG

HR


Roles/ Technical Names Invoicer


SAP_EC_SUS_INVOICER

Folder
Purchase Orders Confirmations ASN Invoices

Menu Entry
All Approved Sent All In Process Invoiced Approved

Authorization Group Authorization Objects


AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF) BBP BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2234, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG

Rejected Create Administration Own Data

BC_A

Messages

Read Messages

HR

Dispatcher
SAP_EC_SUS_DISPATCHER

Purchase Orders ASN

Confirmed All In Process Sent

AAAB

B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF)

Administration Messages

Own Data Read Messages BBP

BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)

BC_A

BC_Z

S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG

HR

Service Agent
SAP_EC_SUS_SERVICE_AGENT

Purchase Orders Confirmations

Confirmed All In Process Returned Approved

AAAB

B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT


Roles/ Technical Names

Folder

Menu Entry
Rejected

Authorization Group Authorization Objects


S_TCODE (SICF) BBP BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2233, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) HR PLOG

Administration

Own Data

Messages

Read Messages

BC_A

Service Manager
SAP_EC_SUS_MANAGER

Purchase Orders Confirmations

Confirmed All In Process Returned Approved Rejected

AAAB

B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF)

Administration Messages

Own Data Read Messages

BBP BC_A

BBP_FUNCT (GLOB_ACCSS) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)

HR

PLOG

The Service Manager is allowed to search for and display his own confirmations and those of ALL Service Agents.

Vendor Administrator
SAP_EC_SUS_ADMIN_VENDOR

Administration

Create User Search User Own Data Company Data Customer Overview

AAAB

B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF, SU01)

Messages

Read Messages BBP BC_A

BBP_SUS_PD (ACTVT: 03; BBP_OBJTYP: BUS2235) S_ADMI_FCD (NADM) S_USER_AGR S_USER_GRP S_USER_PRO

HR

PLOG


Roles/ Technical Names Purchaser Administrator


SAP_EC_SUS_ADMIN_PURCHASER

Folder
Administration

Menu Entry
Create User Search User Own Data

Authorization Group Authorization Objects


AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT (ACTVT: 01, 02, 03) B_BUPR_BZT S_TCODE (SICF, SU01) BBP BC_A BBP_SUS_PD (ACTVT: 02, 03; BBP_OBJTYP: BUS2235) S_ADMI_FCD (NADM) S_USER_AGR S_USER_GRP S_USER_PRO HR PLOG

Messages

Process Messages Read Messages

Bidder
SAP_EC_SUS_BIDDER

Bid Invitations

AAAB BC_A

S_TCODE (SICF) S_ADMI_FCD (NADM)


3) Catalog Content Management Roles


If you want to use the CCM roles /CCM/CATALOG_MANAGER and /CCM/CATALOG_APPROVER, make the appropriate settings in the Implementation Guide (IMG) under Supplier Relationship Management -> SRM Server -> Cross-Application Basic Settings -> Roles -> Define Roles.


4) Portal Roles (for Enterprise Portal 6.0)


Portal Role/ Top Level Entry SRM_Employee Go Shopping iView
Request

iView (technical name)


ebp.bbpsc18

Component
EBP

Shop Order Status Confirm Goods Receipt Enter Invoice / Credit Memo Inbox OLD Approval Change my Settings Change Attributes User Management

BBPSC02 BBPSC04 ebp.bbpcf02 ebp.bbpiv02 BBPBWSP ebp.bbpbwsp_simple ebp.bbpat05 ebp.bbpattrmaint um.usermanagement

EBP EBP EBP EBP EBP EBP EBP EBP UM

User Settings

Change my Settings

ebp.bbpat05

EBP

Change Attributes User Management

ebp.bbpattrmaint um.usermanagement

EBP UM

SRM_Manager Approval and Analysis

Approval

ebp.bbpapproval ebp.bbpbwsp_simple BBPMAINMANAGER bw.costcenterinfo 0TPL_0BBP_C02_Q1003_V002001 bw.shopcostinfo 0TPL_0BBP_SC_Q014_V01 0TPL_SR_VE_SERVICEPROVIDER ebp.bbpat05 ebp.bbpattrmaint um.usermanagement

EBP

Process Company Data Cost Center Information Shopping Cart Information Service Provider Information Change my Settings Change Attributes User Management

EBP BW BW BW EBP EBP UM

SRM_Purchasing_Assistant/ Professional Shopping

Shop

ebp.BBPSC01

EBP

Enter Purchase Order Response Order Status

ebp.bbpPCO02 ebp.bbpsc04

EBP EBP


Portal Role/ Top Level Entry

iView
Process Public Templates Confirm Goods/Services Centrally Enter Invoice/Credit Memo Centrally Shopping Cart Information Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening

iView (technical name)


ebp.bbpSC05 ebp.bbpcf03 ebp.bbpiv03 bw.shopcostinfoassistant 0TPL_BBP_SC_Q003_V0302 BBP_BW_SC4 BBP_BW_SC3 /sap/ros_prescreen/main.do

Component
EBP EBP EBP BW EBP EBP SUS

SRM_Operational_Purchaser/ Operational Purchasing

Process Purchase Orders Issue Purchase Orders Enter Purchase Order Response Process Purchase Order Response Schedule Monitoring Held Purchase Orders Pending Shopping Carts Analysis SC per Cost Center Analysis SC per Product Sourcing Process Global Outline Agreement Process Contracts Contract Usage Process Auctions Process Bid Invitation Shop Order Status Process Public Templates Confirm Goods/Services Centrally

EBP.BBP_POC

EBP

ebp.bbp_ppf BBPPCO02 BBPPCO01 bw.schedulemonitor 0TPL_0BBP_DS1_Q013_V002 bw.heldoders 0TPL_0BBP_PO_Q007_V02 bw.pendingcarts 0TPL_0BBP_SC_Q004_V02 BBP_BW_SC4 BBP_BW_SC3 ebp.bbpsoco01 BBP_CTR_SEARCC ebp.bbp_ctr_main bw.contractusage 0TPL_0BBP_CT_Q004 BBP_AUCTION com.sapmarkets.pct.srm.ebp.bbp_bid_inv BBPSC01 BBPSC04 BBPSC05 BBPCF03

EBP EBP EBP BW BW BW EBP EBP EBP EBP EBP BW EBP EBP EBP EBP EBP EBP


Portal Role/ Top Level Entry

iView
Enter Invoice/Credit Memo Centrally Edit Addresses Display Changes

iView (technical name)


BBPIV03 BBPADDRINTV BBP_SUPP_MONI

Component
EBP EBP EBP

SRM_Strategic_Purchaser/ Strategic Purchasing

Spend Analysis

bw.spendanalysis 0TPL_0BBP_C01_Q036034 bw.supplierallocation 0TPL_SR_GLS_SUPPL_ALLOC bw.vendorportfolioanalysis 0TPL_SR_VE_PORTFOLIO bw.topvendors 0TPL_SR_VE_TOPVENDORS com.sapmarkets.pct.srm.ebp.bbp_bid_inv BBP_AUCTION bw.contractanalysis 0TPL_0BBP_CT_Q003 BBP_CTR_MAINCC BBP_CTR_MAIN ebp.bbp_ppf_cont BBPPCO01 ebp.bbpavlmaint bw.relationshipanalysis 0TPL_0BBP_C01_Q03032 bw.vendorprofile 0TPL_SR_VE_PROFILE ebp.bbpmainint ebp.bbpaddrintv 0TPL_BBP_C01_Q039 0TPL_BBP_C01_Q027 0TPL_BBP_PO_Q005_V02 BBPWLRA01

BW

Supplier Allocation Vendor Portfolio Analysis Top and Bottom Vendors Process Bid Invitation Process Auction Contract Analysis Process Global Outline Agreement Process Contracts Issue Contracts Process Purchase Order Response Process Vendor List Relationship Analysis Vendor Profile Manage Business Partners Edit External Addresses Measure EBP-Project Success Workload per Purchasing Group Workload Workload Reassignment

BW BW BW EBP EBP BW EBP EBP EBP EBP EBP BW BW EBP EBP BW BW BW EBP

SRM_Content_Manager/ Content Management

Import Product Master Hierarchies Import Products Process Products

BBP_CT_SCM_STAGING

EBP

BBP_CT_STAGING ebp.commpr01

EBP EBP


Portal Role/ Top Level Entry

iView
Activate Products

iView (technical name)


ebp.commpr02

Component
EBP

SRM_Component_Planner/ Component Planning

Orders

ebp.bbpor01

EBP

Projects Change Settings

ebp.bbpps01 BBPAT05

EBP EBP

SRM_Recipient/ Goods Receipt

Confirm Goods / Services Centrally Find Goods Recipient Open Item Analysis

ebp.bbpcf03

EBP

ebp.bpp_pm01 (ebp.bbp_pm01) bw.openitemanalysis 0TPL_BBP_DS1_Q002009

EBP BW

SRM_Accountant/ Accounting

Enter Invoice / Credit Memo Centrally Issue Document Backend Posting (Hosted) Invoice Analysis

ebp.bbpiv03

EBP

BBP_TRIGG_MEN BBPBC1 bw.invoiceanalysis 0TPL_BBP_DS1_Q002

EBP EBP BW

SRM_Administrator/ SRM Administration

User Management

um.usermanagement

UM

Application Monitors Monitor Shopping Carts Monitor Contract Distribution Monitor Business Partner Manage Business Partners Manage User Data Edit External Addresses Edit Internal Addresses

ebp.bbpadm_cockpit ebp.bbp_mon_sc BBP_CTR_MON BBP_SUPP_MONI ebp.bbpmainint ebp.bbpusermaint ebp.bbpaddrintv ebp.bbpaddrintc

EBP EBP EBP EBP EBP EBP EBP EBP

Content Approver/ CCM_Catalog_Approver

Approve Catalog Entries

/CCM/CAT_CDC/CDC_MAIN.do

CCM

Application Monitors

ebp.bbpadm_cockpit

EBP

Catalog Manager/

Edit Catalogs

BSP_APPLICATION: /CCM/CAT_CDC/CDC_MAIN.do

CCM


Portal Role/ Top Level Entry CCM_Catalog_Manager

| iView | iView (technical name) | Component |
|---|---|---|
| Create Supplier Catalog | BSP_APPLICATION: /CCM/CAT_sup_catalog/create_sup_cat.htm | CCM |
| Create Procurement Catalog | BSP_APPLICATION: /CCM/CAT_pub_catalog/create_pub_cat.htm | CCM |
| Edit Supplier Data | BSP_APPLICATION: /CCM/cat_supplier/start.htm | CCM |
| Display Log | BSP_APPLICATION: /CCM/CAT_PROTOCOL/display_protocols.htm | CCM |


Changes to the Authorization Check


As of Supplier Relationship Management (SRM) 4.0, the authorization check has been refined. Authorization objects used in previous releases have been replaced by new ones that include authorization parameters and authorization fields. The fields responsible purchasing organization (PORG), responsible purchasing group (PGR) and business transaction type have been added to the authorization field activity. These fields can be checked in combination, which allows control of the permitted function per document type and also a differentiation at organizational level.

Example: A purchaser in purchasing group PGR123 is assigned to the role SAP_EC_BBP_PURCHASER and has the authorization object BBP_PD_PO - SRM: Process Purchase Orders, allowing the purchaser to create, change, display, print, and delete purchase orders (in the standard system). If the purchasing group object is restricted to PGR123, the purchaser can only process purchase orders that belong to this group and not all purchase orders without restriction. The purchaser might have less extensive authorization (for example display authorization) for other purchasing groups.
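The purchaser example above can be modeled to show why the full-rights and display-only grants must stay separate authorizations. This is an added Python example, not SAP code and not part of the original guide. It assumes the standard SAP rule that a check passes only when a single authorization covers all check fields together. Activities are symbolic names rather than SAP activity codes, and PORG01, PGR999 and PO_STD are constructed values.

```python
from dataclasses import dataclass

ALL_ACTIVITIES = ("CREATE", "CHANGE", "DISPLAY", "PRINT", "DELETE")  # symbolic, not SAP codes


@dataclass(frozen=True)
class Authorization:
    """One authorization instance of a document-check object in a user's profile."""
    obj: str
    activity: frozenset
    porg: frozenset
    pgr: frozenset
    trans_type: frozenset


def auth(obj, activity, porg, pgr, trans_type):
    """Build an authorization from lists of permitted values ("*" = any value)."""
    return Authorization(obj, frozenset(activity), frozenset(porg),
                         frozenset(pgr), frozenset(trans_type))


def field_ok(allowed, value):
    """A field matches if the value is listed or the wildcard is granted."""
    return "*" in allowed or value in allowed


def document_check(auths, obj, activity, porg, pgr, trans_type):
    """Pass only if ONE authorization covers all four check fields together."""
    return any(
        a.obj == obj
        and field_ok(a.activity, activity)
        and field_ok(a.porg, porg)
        and field_ok(a.pgr, pgr)
        and field_ok(a.trans_type, trans_type)
        for a in auths
    )


def merge(auths):
    """Collapse authorizations of one object into a single one by uniting each field.
    Shown as the mistake to avoid: the union permits every cross-combination."""
    return Authorization(
        auths[0].obj,
        frozenset().union(*(a.activity for a in auths)),
        frozenset().union(*(a.porg for a in auths)),
        frozenset().union(*(a.pgr for a in auths)),
        frozenset().union(*(a.trans_type for a in auths)),
    )


def excess_grants(intended, actual, obj, documents):
    """Return (activity, pgr) pairs that `actual` permits but `intended` does not."""
    extra = []
    for porg, pgr, trans_type in documents:
        for act in ALL_ACTIVITIES:
            args = (obj, act, porg, pgr, trans_type)
            if document_check(actual, *args) and not document_check(intended, *args):
                extra.append((act, pgr))
    return extra


# Constructed sample data: PORG01, PGR999 and PO_STD are made-up values.
PURCHASER = [
    auth("BBP_PD_PO", ALL_ACTIVITIES, ["*"], ["PGR123"], ["*"]),  # full rights, own group
    auth("BBP_PD_PO", ["DISPLAY"], ["*"], ["*"], ["*"]),          # display only elsewhere
]
DOCUMENTS = [("PORG01", "PGR123", "PO_STD"), ("PORG01", "PGR999", "PO_STD")]

if __name__ == "__main__":
    for porg, pgr, ttype in DOCUMENTS:
        for act in ("CHANGE", "DISPLAY"):
            print(pgr, act, document_check(PURCHASER, "BBP_PD_PO", act, porg, pgr, ttype))
    print("over-granted by merging:",
          excess_grants(PURCHASER, [merge(PURCHASER)], "BBP_PD_PO", DOCUMENTS))
```

Running `excess_grants` against a role before and after a change is a quick way to see whether combining field values has widened access beyond the intended purchasing group.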

1. Document check
Checks whether a user can access a document (shopping cart, purchase order, and so on) with a particular function (change, delete, and so on). Check fields:

o PORG
o PGR
o Transaction type
o Activity (prior to SRM 4.0 the only check field)

| New object | Old object | SRM document |
|---|---|---|
| BBP_PD_AUC | M_BBP_AUC | Live auction |
| BBP_PD_BID | M_BBP_BID | Bid invitation |
| BBP_PD_CNF | M_BBP_CONF | Confirmation |
| BBP_PD_CTR | M_BBP_CTR | Contract |
| BBP_PD_INV | M_BBP_I_IN | Invoice |
| BBP_PD_PCO | | Purchase order response |
| BBP_PD_PO | M_BBP_PO | Purchase order |
| BBP_PD_QUO | M_BBP_Q_IN | Bid |
| BBP_PD_VL | | Vendor list |
| BBP_PD_SC | | Shopping cart |

Live Auction
Authorization object: BBP_PD_AUC
You can define that purchasers are only able to enter or display auctions for certain purchasing organizations and purchasing groups.

Bid invitation
Authorization object: BBP_PD_BID
You can define that purchasers are only able to enter, display, or publish bid invitations for certain purchasing organizations and purchasing groups.

Enter confirmation
Authorization object: BBP_PD_CNF
The purchasing organization and purchasing group fields are not checked.

Contracts
Authorization object: BBP_PD_CTR
You can define that purchasers are only able to enter and display contracts for certain purchasing organizations and purchasing groups.

Enter invoice
Authorization object: BBP_PD_INV
The purchasing organization and purchasing group fields are not checked.

Purchase orders
Authorization object: BBP_PD_PO
You can define that purchasers are only able to enter and display purchase orders for certain purchasing organizations and purchasing groups.

Bids
Authorization object: BBP_PD_QUO
You can define that purchasers are only able to display, accept, or reject bids for certain purchasing organizations and purchasing groups.

Vendor list
Authorization object: BBP_PD_VL
You can define that purchasers are only able to enter, display, or change vendor lists for certain purchasing organizations and purchasing groups.

Shopping cart
Authorization object: BBP_PD_SC
When you create and change shopping carts, no checks occur. In the Shopping Cart Status service, the system checks whether the current user is authorized to change, print, or delete shopping carts. If not, the relevant icons are not displayed. Since, in the status, the system only displays shopping carts belonging to the user, a check of organizational units is unnecessary.

Sourcing Cockpit
Authorization object: BBP_PD_SC

When an item is transferred to the work area, the system checks against activity SO.

2. Check of special functions
When a transaction is called, the system checks the check object S_TCODE. If a transaction is included in a role, the appropriate authorization is automatically assigned during profile generation. SRM contains several services/functions that are not checked using S_TCODE but should not be available to all users. The authorization object BBP_FUNCT provides a simple access authorization:

| Checked value in field BBP_FUNCT | New object | Old object | Service/function |
|---|---|---|---|
| CR_COMPANY | BBP_FUNCT | BBP_BUYER | Create purchasing company |
| MON_ALERTS | BBP_FUNCT | M_BBP_ADM | Access to monitors and alerts |
| CR_ASSETS | BBP_FUNCT | M_BBP_ASS | Create assets |
| BE_F4_HELP | BBP_FUNCT | M_BBP_SHLP | Call input help in R/3 |
| EVAL_VEND | BBP_FUNCT | M_BBP_VE | Vendor evaluation |

3. Check during vendor access


When vendors access an EBP system directly (not via SUS) to create purchase order confirmations (transaction BBPCF01) and invoices (BBPIV01) or to submit bids (BBP_QUOT), these are not assigned to a purchasing organization or a purchasing group. These authorization parameters are not used. Business object type and activity are used for checking.

| New object | Old object | SRM document |
|---|---|---|
| BBP_VEND | M_BBP_I_EX | Invoice |
| BBP_VEND | M_BBP_Q_EX | Bid |
| BBP_VEND | M_BBP_SES | Purchase order confirmation |

4. Checks in SUS
In SUS, checks are mainly performed in conjunction with the authorization object BBP_SUS_PD. The object contains the following two parameters:

BBP_OBJTYP: Object type, with possible values:
o BUS2230 SUS Purchase Order
o BUS2231 Shipping Notification
o BUS2232 SUS Purchase Order Response
o BUS2233 SUS Confirmation
o BUS2234 SUS Invoice
o BUS2235 SUS Notification

ACTVT: Activity:
o 02 Create, change
o 03 Display
o 09 Display price (for purchase order)

SUS users are employees working for a supplier and are therefore not assigned to a purchasing organization and a purchasing group. Generally, you can only control whether a user can display certain object types (with or without price) or change them. In the case of confirmations, the system also uses the authorization object BBP_FUNCT with the value GLOB_ACCSS to check whether a user wants to confirm all confirmations sent to the supplier.

5. Other Checks
Some authorization objects were already checked prior to SRM 4.0 and have not been changed in the scope of the new authorization concept:

BBP_BUDGET: Authorization for budget check
The object controls whether a user can use the budget display (activity 03) or whether the user can also branch to the evaluation in BW (activity 28).

M_BBP_PC: Procurement card master data
This object checks in transaction BBM1 whether the user is allowed to display and change procurement card master data. The checked parameters are:
o PCINS Procurement card company
o PCNUM Procurement card number
o PCBEGRU Authorization group
o PCMAS_ACT Authorization activity for procurement card master

Note: The following value assignment is valid for the authorization field PCMAS_ACT and differs from the standard activity ACTVT:
01 = Create
02 = Change
03 = Display
04 = Display list
05 = Delete

/SAPCND/CM: Maintenance of conditions (product master, contract)
You can use this to control to what extent a user can create and change master data for conditions.

6. Programmed Restrictions in the Transactions


User restrictions are defined for some applications using the attributes in the organizational plan (cost center, account assignment category, requester, and so on). In the shopping cart, purchase order, confirmation, and invoice applications, these attributes are used for default values and are not used to control user activity.

In the shopping cart, a user can only order goods for himself or herself, or for other users on whose behalf he or she is allowed to buy (transaction PPOMA_BBP, attribute Requester).

In workflow, the Approval Limits and Personal Budget attributes control the workflow relevance and processor determination. See the relevant SRM documentation in the Knowledge Warehouse.

Application-based Customizing has an authorization-like effect in workflow and in the HR organizational model:
o In workflow, processor assignment controls how approvers/reviewers are added.
o In the HR organizational model, fine control for attribute maintenance authorization is achieved using table BBP_ATTR_ACCESS.


7. Checks in the Product Master and Partner Maintenance


Product master maintenance

The following authorization objects are checked in product master maintenance:


| Object | Field | Values | Description |
|---|---|---|---|
| COM_PRD | ACTVT | 01, 02, 03, 06 | General checks for product masters. When you start transaction COMMPR01, several authorization checks are carried out simultaneously with one of the activities listed above. |
| COM_ASET | ACTVT | 03 | Reading attributes |
| /SAPCND/CM | ACTVT | 01, 02 | Creating and changing conditions data |
| | /SAPCND/AP | BBP | |
| | /SAPCND/US | PR | |
| | /SAPCND/CT | SAP001, SAP118 | |
| | /SAPCND/TY | 01PV | |

Partner Maintenance

The following authorization objects are checked in partner maintenance (supplier view):

| Object | Field | Values | Description |
|---|---|---|---|
| BBP_FUNCT | BBP_FUNCT | CR_COMPANY | General check to establish whether the user can create business partners |
| PLOG | PPFCODE | DISP | Authorization checks during maintenance of personnel planning data and organizational structures |
| | PLVAR | 01 | |
| | OTYPE | US, O | |
| | INFOTYP | 1000, 1222, 1001, 5500, 5501, 5502, 5503 | |
| | SUBTYP | 0020, A490, 0200, A002 | |
| B_BUPA_RLT | ACTVT | 03 | Checks which business partner roles can be processed |

8. Other Checks
In User Maintenance (transaction SU01) on the Personalization tab, there are several Personalization Objects available for workflows (BBP_WFL_SECURITY, BBP_APPROVAL_LIMIT, BBP_SPENDING_LIMIT) and shopping carts (BBP_USER_BUDGET). You can use these to restrict the authorizations of users or to define value limits for control of approval workflows.

BAdIs have been integrated into the selection screens. These allow customers to further restrict the selected quantities.

In the Business Information Warehouse (BW), authorization tables are read before the results list is tailored to the calling user. (Authorization checks are not carried out, but access to the database is controlled appropriately.)

It is only possible to define several Companies in the hosted scenario. Consideration of Companies is hard-coded.

Note:
o The authorization profiles have to be regenerated after a system update because of the new authorization objects (transaction PFCG - Role Maintenance).
o The new authorization check is used as standard. If you do not want to use it, you can revert to the previous authorization check: IMG: Supplier Relationship Management -> SRM Server -> Master Data -> Create User -> Switch Back to Old Authorization Checks (SRM 3.0). (If the indicator is set, the old authorization objects are used. If not, only the new ones are used for checking.)

If required, you can enhance the standard checks. You can use the BAdI BBP_PD_AUTH_CHECK (Further Authorization Check for SRM Documents) to do this.


Appendix
Virus Checking of Document Attachments
SRM allows you to check office documents that you attach to SRM documents with a virus scanner before they are stored in the database. You must have a virus scanner installed and must have configured it correctly. For more information, see SAP Implementation Guide -> SAP Web Application Server -> System Administration -> Virus Scanner Interface.

The virus scanning functions in SRM are activated when you implement BAdI BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains a structure that is used in SRM for storage of attachments. The field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part of the attachment (where the actual file is stored). Viruses are dealt with in the implementation. For example, the data part is deleted. An implementation of the function BBP_PD_MSG_ADD is also important. The messages from this function are transferred to the user interface.


Related Guides
For more information about the security of SAP applications, see: http://service.sap.com/security and http://service.sap.com/securityguide.

Documentation mentioned and pointed to in this Guide: Area/ Topic SRM Guide/ Documentation SRM Master Guide Link: http://service.sap.com /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM /ibc-srm -> Catalog Content Management -> Business Scenario Configuration Guide /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide Search and Classification (TREX) /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Installation Guide: Live Auction Cockpit 2.0 /security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide Administration of SAP WAS and SAP NetWeaver Components: SAP NetWeaver Technical Operations Manual Network and Communication Security

CCM TREX

CCM Configuration Guide TREX 6.1 Installation Guide LAC 2.0 Installation Guide SAP NetWeaver '04 Security Guide NetWeaver Technical Operations Manuals Network and Communication Security

LAC

NetWeaver

SAP Technical Infrastructure SAP Web AS

Network Integration

/network Network Integration of SAP Servers

SAP Web AS Security Guide

/security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide -> Security Guides for the SAP NetWeaver Components -> SAP Web Application Server Security Guide SAP Web AS Security Guide for ABAP Technology SAP Web AS Security Guide for Java Technology User Authentication Internet Transaction Server Security Authentication and Single Sign-On

SSL

Network and Transport Layer Security

Network and Transport Layer Security


J2EE

Security Guide for Connectivity with the SAP J2EE Engine Transport Layer Security on the SAP J2EE Engine Configuring the Use of SSL on the SAP J2EE Engine

Security Guide for Connectivity with the SAP J2EE Engine

J2EE (SSL)

Transport Layer Security on the SAP J2EE Engine

Configuring the Use of SSL on the SAP J2EE Engine SAProuter ITS Administration Guide RFC/ICF Security Guide SAP Web Dispatcher, Configuring the SAP Web Dispatcher to Support SSL TCP/IP Ports used by SAP Applications Security Aspects for BSP /security -> Security in Detail -> SAP Security Guides ->SAP Exchange Infrastructure (XI) Security Guides -> SAP Exchange Infrastructure Security Guide /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide - SAP Exchange Infrastructure 3.0 /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Configuration Guide - SAP XI 3.0 SAP Business Information Warehouse Security Guide

SAProuter ITS RFC SAP Web Dispatcher (Application Gateway)

SAProuter Documentation ITS Administration Guide RFC Security Guide SAP Web Dispatcher Documentation Ports Settings Security Aspects for BSP XI Security Guide

TCP/ IP Ports BSP XI

XI Installation Guide XI Configuration Guide SAP BW (BI) SAP Business Information Warehouse Security Guide EP Security Guide

Enterprise Portal

Portal Platform Security Guide

You can find more guides related to the NetWeaver platform on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> SAP NetWeaver -> Installation You can find SRM-related guides on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> mySAP Business Suite Solutions -> mySAP SRM


Additional Information
Special Information for the Live Auction Cockpit 2.0
(Only relates to the SRM scenario Strategic Sourcing with LAC WPS 2.0.)

Which part of Live Auction should be set up in which network segment?
The client portion of Live Auction (Java applet) is deployed on the Internet. The applet communicates with the LAC on J2EE (6.40) server. Therefore the external user has to allow the applet to be downloaded. The server portion (Web AS) should be located on the LAN. The SAP system (R/3) should be located on the LAN.

Where exactly is data stored?
System configuration data is stored in properties files on the WAS. (System configuration data is shipped with the system.) Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored during run-time of the application.) No temporary data is stored anywhere else.

Which type of data access is required at what point in time?
Read access of system configuration data is required during server start-ups. Read and write accesses to transactional data are required during run-time.

What level of protection is recommended for which data?
Administration system permissions should be used to restrict access to Live Auction properties configuration in the WAS Visual Administrator. Customers must ensure that only system administrators have access to WAS Visual Administrator. Configuration data in WAS Visual Administrator is protected by a password.

Password Encryption
Access to WAS Visual Administrator needs a password: This password is set during the installation of WAS. For the LAC scenario, the username is J2EE_ADMIN and the password is what was set by the first accessing user (normally a consultant). Only a dummy password is stored as a file in the deployment EAR file before deployment of the application. Once the application is deployed, the value is internally encrypted in the database in J2EE and can only be accessed through J2EE Visual Administrator. After the deployment, it is necessary to change the password via the Visual Administrator. (The Visual Administrator tool can be configured for the use of SSL, so the communication between Visual Administrator and J2EE server can be secured.) (In UME [part of the J2EE 6.40], the properties values are stored in the same way. It is not necessary to encrypt the content of the password to be stored as real values in DB since communication between Visual Admin and J2EE server can be secure as well.) RFC users should be created for RFC/JCo connections to the SAP Systems.

JCO-RFC-Password for Live Auction to SRM server:
The dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction application and the SRM Server. Once WAS has been installed and the LAC application has been deployed, it is necessary to use the WAS Visual Administrator to configure this JCO-RFC-Password/Username so that the live auction application can run. (At present, this JCO RFC password is visually encrypted as ***** when it is entered just like in R/3 transaction SU01. A consultant with administrator authorization on the J2EE engine can only reset the password, just like in the R/3 transaction SU01.)

Does the application require an Internet browser as the user interface?
The SRM Live Auctions client (Java Applet) requires an Internet browser. Cookies are only used by User Management Engine (UME) for Single Sign-On (SSO) tickets.

Which RFC/JCo destinations are delivered/required?
The Live Auction application will establish RFC connections via JCo. (There is no need to maintain RFC destinations in SM59 for Live Auction since the JCo server is not used.)

What is the minimum authorization required by the communication user for RFC/JCo connections?
The communication user can be defined as a system user in a production system where there is no need for the JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction. (In a productive system, a dialog (RFC) user always represents a limited security risk.)

SSO and SAP Logon Tickets
The SRM Live Auctions application uses the UME API to verify Single Sign-On tickets. No user data is replicated since all user data is in the EBP Bidding Engine in SRM Server. (User data synchronization is not required.) By default, the SRM Live Auctions application accepts SAP Logon Tickets.

Details for Login Scenario for SRM Live Auction:
Purchaser and Bidder log into SRM through the standard login page. Inside the Bidding Engine auction user interface (Sourcing Cockpit) the Live Auction applet is launched. For Single Sign-On and user validation the Java user management client is used. If the applet's URL is typed directly into the browser window, the user is validated through UME 4.0 and redirected to a UME 4.0 login page. After successful login the user is redirected back to the applet.

[Figure: login scenario for SRM Live Auction. Labels: SAP J2EE Server 6.40, UME 4.0, SRM Server, User, ITS, Launch Applet thru SSO, SRM Live Auction, UME Logon App]

Authorization and Roles
No roles are delivered with Live Auction. All roles are delivered with SRM Server. Customers do not need to create any additional roles.

Are authorization technologies other than roles used?
Yes, bidders must be added to an auction's invitation list in order to view and bid on that auction using Live Auction. Bidders are added to this invitation list (in the SRM Server system) when the auction is created. Since this is a private auction (Bidding Engine) there is no self-registration or subscription.


Specific Information on Catalog Content Management 1.0


(Affects the SRM scenarios Self-Service Procurement, Catalog Content Management, and Strategic Sourcing.)

Logon/Users/Password
There are two ways to create users for SAP Catalog Search Engine:

1. Create named users in SAP Catalog Search Engine:
The users then log on to SAP Catalog Search Engine directly or using Single Sign-On. SAP recommends that you use this method. (This is the standard method. If EBP and CCM run in different systems/clients, an identical user is applied in the CCM and in the EBP system and a Trust Relation between CCM and EBP is established.) In this way, the view determination in the catalog can be done for each user and catalog individually. If this is your scenario, you can skip the next point.

2. Usage of the call structure of the Open Catalog Interface (OCI) in the SAP Enterprise Buyer system to provide user names and passwords:
Some customers are used to providing a user name and password through the OCI (Open Catalog Interface) call, for which the views are then determined. In other words, the views in the catalog are determined by the user provided in the OCI call instead of the real user (SSO). In such cases, you have to enter a service user in the ICF of the catalog search engine (transaction SICF). The catalog session is then always executed with this service user as logon user, but you then have to provide a CCM user and CCM password in the OCI call. The system checks the user name and password provided, and then view determination is run for this user, or an error message is displayed if they were not correct. (The service user needs authorization to execute the search. The CCM user is required to detect the views.)

The disadvantage of this option is that both user name and password of the service user are stored in Customizing. As a result, these details are displayed in the URL field when the catalog is called.

Optional Parameter:

| Name | Value | Type |
|---|---|---|
| ccm-user | <user-ID> | Fixed value |
| ccm-password | <password for user above> | Fixed value |

For security reasons, we recommend that you create named users in SAP Catalog Search Engine and that users use Single Sign-On to log on.

For more information on both options, see SAP Service Marketplace at http://service.sap.com/ibc-srm -> Catalog Content Management -> CCM Business Scenario Configuration Guide, chapter: Configuring SAP Catalog Search Engine
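To find catalog calls that still use the second option, the following added example (Python, not part of the original guide or of any SAP tool) scans log lines for the ccm-user and ccm-password parameters and redacts the password before the line is reported. It assumes the parameters appear in the query string of the logged request; the log format, the /catalog/search path and all values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

URL_TOKEN = re.compile(r"\S+\?\S+")  # any whitespace-delimited token with a query string


def redact(url):
    """Return the URL with the value of ccm-password replaced, other parameters kept."""
    parts = urlsplit(url)
    pairs = [
        (key, "REDACTED" if key.lower() == "ccm-password" else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit_access_log(lines):
    """Return (line number, CCM user, redacted line) for each call carrying a CCM password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for url in URL_TOKEN.findall(line):
            # Parameter names are compared case-insensitively.
            params = {
                key.lower(): value
                for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            }
            if params.get("ccm-password"):
                findings.append(
                    (number, params.get("ccm-user", ""), line.replace(url, redact(url)))
                )
    return findings


# Constructed sample log lines (format, path and values are made up for this example).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2005:10:00:01 +0100] "GET /catalog/search?ccm-user=CAT_VIEW1'
    '&ccm-password=Secret%211&locale=EN HTTP/1.1" 200',
    '10.0.0.6 - - [11/Feb/2005:10:00:05 +0100] "GET /catalog/search?locale=EN HTTP/1.1" 200',
    '10.0.0.7 - - [11/Feb/2005:10:00:09 +0100] "GET /catalog/search?CCM-User=CAT_VIEW2'
    '&CCM-Password=pw2 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, user, safe_line in audit_access_log(SAMPLE_LOG):
        print(f"line {number}: CCM user {user!r} sent with password -> {safe_line}")
```

Each CCM user reported this way is a candidate for migration to a named user with Single Sign-On, as the guide recommends.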
