sap landscape transformation replication ... - sap help portal

INTERNAL | SAP AND CUSTOMER USE ONLY

Security Guide

SAP Landscape Transformation Replication Server

Document Version: 1.4 – 2020-09-30

INTERNAL


2

INTERNAL

© 2020 SAP AG. All rights reserved.


Typographic Conventions


Typographic Conventions

Type Style Description

Example Words or characters quoted from the screen. These include field names, screen titles,

pushbuttons labels, menu names, menu paths, and menu options.

Textual cross-references to other documents.

Example Emphasized words or expressions.

EXAMPLE Technical names of system objects. These include report names, program names,

transaction codes, table names, and key concepts of a programming language when they

are surrounded by body text, for example, SELECT and INCLUDE.

Example Output on the screen. This includes file and directory names and their paths, messages,

names of variables and parameters, source text, and names of installation, upgrade and

database tools.

Example Exact user entry. These are words or characters that you enter in the system exactly as they

appear in the documentation.

<Example> Variable user entry. Angle brackets indicate that you replace these words and characters

with appropriate entries to make entries in the system.

EXAMPLE Keys on the keyboard, for example, F2 or ENTER .


Document History

INTERNAL

© 2020 SAP AG. All rights reserved. 3


Document History

Version Date Change

1.0 2019-01-28 Initial published version for DMIS 2018 SP01.


1.2 2019-11-22 Updated version November 2019.



4

INTERNAL



Table of Contents


Table of Contents

1 Introduction .................................................................................................................................................... 6 1.1 Target Audience ...................................................................................................................................................... 6 1.2 Why Is Security Necessary? ................................................................................................................................... 6 1.3 About this Document .............................................................................................................................................. 6 1.4 Overview of the Main Sections ............................................................................................................................... 6

2 Before You Start ............................................................................................................................................. 8 2.1 SAP Landscape Transformation Replication Server Guides ............................................................................... 8 2.2 SAP HANA Guides ................................................................................................................................................... 8 2.3 Important SAP Notes .............................................................................................................................................. 9

3 Technical System Landscape ..................................................................................................................... 10

4 User Administration and Authentication .................................................................................................. 13

5 Authorizations .............................................................................................................................................. 15 5.1 Authorization Objects ........................................................................................................................................... 15

5.1.1 S_DMIS................................................................................................................................................... 15 5.1.2 S_DMC_S_R ........................................................................................................................................... 16 5.1.3 S_DMIS_SLT .......................................................................................................................................... 16 5.1.4 S_DMIS_MOM ....................................................................................................................................... 16 5.1.5 S_DHCDCACT ....................................................................................................................................... 17 5.1.6 S_DHBASACT........................................................................................................................................ 17 5.1.7 S_DHCDCCDS ....................................................................................................................................... 18 5.1.8 S_DHCDCTAB ....................................................................................................................................... 18 5.1.9 S_DHCDCSTP ....................................................................................................................................... 19

5.2 User Roles .............................................................................................................................................................. 19 5.2.1 User Roles for SAP Landscape Transformation Replication Server ................................................ 19 5.2.2 User Roles for ABAP Source System ..................................................................................................20 5.2.3 User Roles for Non- ABAP Source System .........................................................................................20

5.3 Authorizations in the SAP HANA System............................................................................................................ 22 5.3.1 Option 1: Replicating to SAP HANA System (database connection managed by SAP) ................. 22 5.3.2 Option 2: Replicating to SAP HANA System (database connection not managed by

SAP) ....................................................................................................................................................... 26 5.3.3 Restricting Access to the Source System .......................................................................................... 27

6 Network and Communication Security ..................................................................................................... 31 6.1 Network Security ................................................................................................................................................... 31 6.2 Communication Destinations ............................................................................................................................... 31 6.3 ABAP Source System ............................................................................................................................................ 31 6.4 Non- ABAP Source System .................................................................................................................................. 32 6.5 SAP HANA System ................................................................................................................................................ 32


Table of Contents

INTERNAL



7 Security-Relevant Logging and Tracing ................................................................................................... 33 7.1 Change Log ............................................................................................................................................................ 33

7.1.1 Settings for Data Retention Period ..................................................................................................... 33 7.1.2 Deleting Entries from the Change Log ............................................................................................... 33

8 Data Privacy and Protection ...................................................................................................................... 34 8.1 Overview ................................................................................................................................................................ 34 8.2 Deletion of Personal Data ..................................................................................................................................... 35 8.3 Read Access Logging ........................................................................................................................................... 36 8.4 Keeping Data in the Target System Secure ........................................................................................................ 37 8.5 Additional Information for INDX-like Tables ........................................................................................................ 37

9 Additional Replication Scenarios .............................................................................................................. 39 9.1 Replicating Data to ABAP-Based SAP Systems ................................................................................................ 39

9.1.1 ABAP-Based SAP Source Systems .................................................................................................... 39 9.1.2 Non ABAP-Based Source Systems .................................................................................................... 39 9.1.3 SAP Landscape Transformation Replication Server System .......................................................... 40 9.1.4 ABAP-Based SAP Target System ....................................................................................................... 40

9.2 Replicating Data to Other Databases .................................................................................................................. 40 9.2.1 ABAP-Based SAP Source Systems ..................................................................................................... 41 9.2.2 SAP Landscape Transformation Replication Server System ........................................................... 41 9.2.3 Target Database .................................................................................................................................... 41

9.3 Replicating Data to SAP BW Using ODP .............................................................................................................. 41 9.3.1 ABAP-Based SAP Source Systems .................................................................................................... 42 9.3.2 SAP Landscape Transformation Replication Server System .......................................................... 42 9.3.3 SAP BW System ................................................................................................................................... 43

6

INTERNAL



Introduction


1 Introduction

1.1 Target Audience

• Technology consultants

• Security consultants

• System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation

Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas

the Security Guides provide information that is relevant for all life cycle phases.

1.2 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on

security are also on the rise. When using a distributed system, you need to be sure that your data and processes

support your business needs without allowing unauthorized access to critical information. User errors,

negligence, or attempted manipulation of your system should not result in loss of information or processing time.

These demands on security apply likewise to SAP Landscape Transformation Replication Server. To assist you in

securing SAP Landscape Transformation Replication Server, we provide this Security Guide.

1.3 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Landscape

Transformation Replication Server. The information in this guide covers the replication of data to an SAP HANA

target system. Information regarding additional target systems, for example ABAP-based SAP systems is

provided in chapter 9.

1.4 Overview of the Main Sections

The Security Guide comprises the following main sections:

• Before You Start

This section contains information about why security is necessary, how to use this document, and references

to other Security Guides that build the foundation for this Security Guide.

• Technical System Landscape


Introduction

INTERNAL



This section provides an overview of the technical components and communication paths that are used by

SAP Landscape Transformation Replication Server.

• User Administration and Authentication

This section provides an overview of the user administration and authentication.

• Authorizations

This section provides an overview of the authorization concept that applies to SAP Landscape Transformation

Replication Server.

• Network and Communication Security

This section provides an overview of the communication paths used by SAP Landscape Transformation

Replication Server and the security mechanisms that apply.

8

INTERNAL



Before You Start


2 Before You Start

2.1 SAP Landscape Transformation Replication Server Guides

For more information about SAP LT Replication Server for SAP HANA, see the resources listed in the table below.

Guide Location

Installation Guide

http://help.sap.com/sapslt

Sizing Guide https://service.sap.com/sizing → Sizing Guidelines →

Database and Technology → SAP In-Memory

Computing → SAP Landscape Transformation

Replication Server, SAP HANA

2.2 SAP HANA Guides

For more information about SAP HANA landscape, security, installation and administration, see the resources

listed in the table below.

Topic Quick Link

SAP HANA Landscape, Deployment & Installation http://help.sap.com/hana → Installation and Upgrade

SAP HANA Administration http://help.sap.com/hana → Administration

SAP HANA Security http://help.sap.com/hana → Security


https://service.sap.com/hana

http://help.sap.com/hana




Before You Start

INTERNAL



2.3 Important SAP Notes

SAP Note

Number

Title Comment

1514967 SAP HANA: Central Note Central SAP Note about SAP HANA

1598623 SAP HANA appliance software: Central

Security Note

Current information about SAP HANA security

topics

http://service.sap.com/sap/support/notes/1514967


10

INTERNAL



Technical System Landscape


3 Technical System Landscape

SAP LT Replication Server is a replication technology to provide data from ABAP systems in a SAP HANA

environment. It acts as a key enabler for SAP HANA customers to supply their HANA environment with relevant

data.

The following components are used in the technical system landscape:

• Source system

The source system tracks database changes by using database triggers. It records information about

changes in the logging tables. The read modules transfer the data from the source system to the SAP LT

Replication Server system. The relevant data is read from the application tables.

• Non-ABAP source system

The non-ABAP source system tracks database changes by using database triggers. It records information

about changes in the logging tables. The read modules transfer the data from the non-ABAP source system to

the SAP LT Replication Server system. The relevant data is read from the application tables.

• SAP LT Replication Server system

If the source is an ABAP system, the SAP LT Replication Server system polls the logging tables in the source

system with a remote function call (RFC) connection. If the source system is a non-ABAP system, the SAP LT

Replication Server system polls the logging tables in the non-ABAP source system with a database

connection.

• SAP HANA system

The SAP HANA system contains the SAP HANA database. It is used to store the replicated data. The SAP LT

Replication Server system and the SAP HANA system communicate by means of a database connection.

SAP LT Replication Server can be used for replication from ABAP source systems and non- ABAP source systems

to the HANA system. For ABAP source systems, SAP LT Replication Server can either be installed within the

source system or in a separate ABAP system.

The relevant information required to create the connection between the source system, the SAP LT Replication

Server system, and the SAP HANA system is specified within the SAP LT Replication Server system as a

Configuration. In the SAP LT Replication Server Cockpit (transaction LTRC), you can define a new configuration.

The following figures show the possible technical system landscapes for SAP LT Replication Server.

Option 1 – ABAP Source System with Separate SAP LT Replication Server System



INTERNAL



SAP LT Replication Server is installed in a separate ABAP system. Therefore, two network communication

channels are required - the RFC connection to the source system and the connection to the SAP HANA system.

Option 2 – SAP LT Replication Server Installed on ABAP Source System

The SAP LT Replication Server system component is installed in the source system. Therefore, the read modules

are located in the source system. Only one external network communication channel is required to connect to the

SAP HANA system.

12

INTERNAL





Option 3 - Non-ABAP Source System with Separate SAP LT Replication Server System

• For a non-ABAP source system, SAP LT Replication Server needs to be installed in a separate system. In

contrast to a setup with an ABAP source system, the read modules are created in the SAP LT Replication

Server system. To communicate between the SAP LT Replication Server and the non-ABAP source system, a

database connection is used.

Ensure that the database of your non-ABAP source system fulfils all the prerequisites for using SAP LT

Replication Server.


User Administration and Authentication

INTERNAL



4 User Administration and Authentication

SAP LT Replication Server and the ABAP source system use the user management and authentication

mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server.

Therefore, the security recommendations and guidelines for user administration and authentication as described

in the SAP NetWeaver Security Guide [SAP Library] → Application Server ABAP Security Guide also apply to SAP

LT Replication Server and ABAP source systems.

In addition, the following information about user management, administration, and authentication applies to the

source systems and the SAP LT Replication Server system:

• SAP LT Replication Server

To access the SAP LT Replication Server Cockpit in the SAP LT Replication Server system, a user with specific

authorizations is required. This user can create a new configuration, which is used to establish the connection

between the source system, the SAP LT Replication Server, and the SAP HANA system.

There are two possibilities for replicating data to SAP HANA using SAP Landscape Transformation

Replication Server. The database connection to the target system is either managed by SAP LT Replication

Server or not (for more information, see the SAP LT Replication Server application help at

http://help.sap.com/sapslt).

If the database connection to the target system is managed by SAP LT Replication Server, a user in the SAP

HANA system is required that is authorized to create the SAP HANA database schema. You can access the

SAP LT Replication Server Cockpit by using transaction LTRC.

If the database connection to the target system is not managed by SAP LT Replication Server, you need to

ensure that the database schema (replication schema) that will contain the target tables already exists. You

then create a secondary database connection to the SAP HANA system. We recommend creating one

replication user for each replication schema. We also recommend that the replication user has the same

name as the corresponding schema. The replication user is used to connect from the SAP LT Replication

Server to the SAP HANA system for replication. This means that only the SAP LT Replication Server can

connect as replication user to the SAP HANA system. The replication user needs full access to the target

database schema (EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges), and has read access to

schema SYS.

• ABAP Source System

In order to access the ABAP source system by RFC, a communication user is required. To create an RFC

connection, a user with specific authorizations has to be created in the source system. The communication

user can access the source system exclusively by RFC and cannot execute steps in dialog mode directly in a

system. For more information about this user type, see the section User Types in the SAP Web AS ABAP

Security Guide.

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm


14

INTERNAL



User Administration and Authentication


Note

The user role SAP_IUUC_REPL_ADMIN is required to use SAP Landscape Transformation Replication

Server. By default, this role does not allow users to view the data that is replicated from the source

system to the target system. However, the authorization object S_DMIS (with activity 29) allows users to

view the data that is being replicated (by means of the replication logging function).

For the replication target, the authorization and authentication mechanisms provided by the SAP HANA

database are used.

• Non-ABAP source system

To access the non-ABAP source systems by a database connection, the relevant user must be created with all

necessary authorizations in the non-ABAP source system. Contact your system administrator to get a user

with the relevant authorizations as described under Authorizations in chapter 5.


Authorizations

INTERNAL



5 Authorizations

The SAP LT Replication Server and the ABAP source system use the authorization concept provided by the SAP

NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP

NetWeaver AS Security Guide ABAP also apply to the SAP LT Replication Server.

In SAP NetWeaver, authorizations are assigned to users based on roles.

Note

For more information about how to create roles, see Role Administration (SAP Library)

Specific authorizations apply for each system. To control the actions that a user is authorized to perform,

authorizations for the source system(s) and the SAP LT Replication Server system are available in the user

profiles.

5.1 Authorization Objects

The following SAP NetWeaver based authorization objects are especially important for using the SAP LT

Replication Server:

5.1.1 S_DMIS

Description: Authority object for SAP SLO Data migration

Authorization fields:

Field name Heading

MBT_PR_ARE MBT PCL: Scenario

MBT_PR_LEV MBT PCL: Processing Role Level

ACTVT Activity

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/6714a9439b11d1896f0000e8322d00/frameset.htm

16

INTERNAL



Authorizations


5.1.2 S_DMC_S_R

Description: MWB: Reading / writing authorization in sender / receiver

Authorization fields

Field name Heading

ACTVT Activity

5.1.3 S_DMIS_SLT

Description: Control Authority on Configuration Level in SAP LT Replication Server system.

You can use this authorization object to restrict access to specific configurations. To do this, you specify an

authorization group (either when creating a configuration, or after you have created a configuration on the

Administration tab in transaction LTRC). Note if you want to use authorization object S_DMIS_SLT, you have to

add it to the roles for the relevant users manually.

5.1.4 S_DMIS_MOM

Description: Authorizations for MWB/ Migration Object Modeler


Field name Heading

ACTVT Activity

If you need to check, create, edit, or delete migration objects by using MWB or transaction LTMOM, these

authorizations will be checked.


Authorizations

INTERNAL



5.1.5 S_DHCDCACT

Description: Activities of CDC Engine

Only relevant for S/4HANA On-Premise 2020 source systems (or higher).

This authorization object is checked when transferring data from the source system.


Field name Heading

DHCDCACTVT Type of Activity in CDC Engine

5.1.6 S_DHBASACT

This authorization object is checked when activities are called in the source system such as determining fields for

ABAP dictionary objects.


Field name Heading

DHCDCACTVT Type of Activity in ABAP Agent

18

INTERNAL



Authorizations


5.1.7 S_DHCDCCDS

Description: CDS Views released for CDC Engine

This authorization object is checked for every CDS views that is accessed in the source system. If access must be

limited to a certain set of CDS views, field DHCDCCDSNM can be used to specify which CDS views can be

accessed.


Field name Heading

DHCDCSBTYP Subscriber Type

DHCDCCDSRS CDS Release State of Stability Contract

DHCDCCDSNM DD: Name of Structured Object (For Example, Entity,

Context)

ACTVT Activity

5.1.8 S_DHCDCTAB

Description: Database Tables released for CDC Engine

This authorization object is checked for every database table that is accessed in the source system. If access

must be limited to a certain set of tables, field DHBASTABNM can be used to specify which tables can be

accessed.


Field name Heading


DHBASTABNM Table name, 16 characters

ACTVT Activity


Authorizations

INTERNAL



5.1.9 S_DHCDCSTP

Description: Subscriber Types released for CDC Engine

This authorization object checks which data transfer scenario is enabled for the source system.

Field name Heading


ACTVT Activity

5.2 User Roles

Depending on the system and the support patch level, different roles and authorizations are required for the user.

You can generate roles using the profile generator (transaction PFCG).

5.2.1 User Roles for SAP Landscape Transformation Replication Server

You can generate and use the following role to display, change, create, or delete configurations:

SAP_IUUC_REPL_ADMIN

You can generate and use the following role to display configurations only; this role does not permit the creation of

a new configuration, or changes to any settings:

SAP_IUUC_REPL_DISPLAY

Note

With SAP Landscape Transformation Replication Server SP13, new versions of the roles

SAP_IUUC_REPL_ADMIN and SAP_IUUC_REPL_DISPLAY were delivered. If you are upgrading to SP15

from a lower release (not SP13), you must ensure that you have the new versions of these roles in the

relevant clients.

20

INTERNAL



Authorizations


5.2.2 User Roles for ABAP Source System

For an ABAP source system, generate and use the following role:

SAP_IUUC_REPL_REMOTE

Note

Do not use the DDIC user. Roles are not generated by default. Grant and generate all roles.

For SAP S/4HANA on-premise source systems (release 2020 or higher), you need to also generate and use the

role SAP_DH_CDC_REMOTE.

SAP_DH_CDC_REMOTE is a template role, which means that some of the fields are empty and values must be

specified for these fields before you generate the role.

For authorization object S_DHCDCCDS, specify values for the following fields:

• DHCDCSBTYP

Specify the value SLT.

• DHCDCCDSRS

Specify the value C1. The value “NO” must only be used if CDS views that are not delivered by SAP or are not

yet released with status C1.

• DHCDCCDSNM

Specify a list of all CDS views that can be accessed in the source system.

For the authorization object S_DHCDCTAB, specify values for the following fields:

• DHCDCSBTYP

Specify the value SLT.

• DHBASTABNM

Specify a list of all database tables that can be accessed in the source system.

For the authorization object S_DHCDCSTP specify the value SLT for the field DHCDCSBTYP.

5.2.3 User Roles for Non- ABAP Source System

To establish a secondary database connection from an ABAP system to an external database, the connection

data and the user data of a user are required. This user must be authorized to establish a connection to the

external database The ABAP system connects to a specific schema from the database. To perform the replication

and initially load a specific table from a given schema, the database user must have privileges for the following

actions:

• Selecting from the table


Authorizations

INTERNAL



• Creating a table in the given schema (for creating the logging table)

• Selecting from the logging table

• Deleting the logging table

• Creating database triggers for the table

• Deleting the triggers

• Creating synonyms for the specific table

• Deleting the synonyms

Depending on the specific external database system, the process of granting privileges to a user can vary.

Note

If you want to transfer data from non-ABAP source systems, the relevant user in the SAP Landscape

Transformation Replication Server system needs the role SAP_IUUC_REPL_REMOTE in addition to the

role SAP_IUUC_REPL_ADMIN. Alternatively, you can adjust the role SAP_IUUC_REPL_ADMIN. Ensure

that the following activities for the authorization object S_DMC_S_R are selected:

01 - Create or Generate

33 - Read

34 - Write

40 - Create in DB

41 - Delete in DB

22

INTERNAL



Authorizations


5.3 Authorizations in the SAP HANA System

The replicated data is stored in the SAP HANA system. The authorization concept of the SAP HANA database is

used.

Depending on the scenario you have chosen for your replication to SAP HANA, different requirements for

authorizations apply:

5.3.1 Option 1: Replicating to SAP HANA System (database connection managed by SAP)

5.3.1.1 Initial User

The SAP LT Replication Server requires an initial user, which is used to create a database connection from the

SAP LT Replication Server to the SAP HANA system. The database connection is automatically created when you

set up a new configuration.

Create a new user with the following authorizations in the SAP HANA system as described below:

On the tab System Privileges, add the following system privileges:

• CREATE SCHEMA

• ROLE ADMIN

This privilege is required for creating roles for data provisioning and for accessing the schema. This privilege

can be revoked once the configuration has been created.

• USER ADMIN

If you want SAP Landscape Transformation Server to create a new target schema, the system creates the

schema on the HANA database together with the corresponding user. In order to do this, both privileges

CREATE SCHEMA and USER ADMIN are required. The privilege USER ADMIN can be revoked once the

schema has been created.

• CATALOG READ

This privilege is required to read the existing schemas in the SAP HANA database. This prevents a schema

being created that has the same name as an existing schema.


Authorizations

INTERNAL



5.3.1.2 SQL Privileges

In the SAP HANA system, the table RS_REPLICATION_COMPONENTS contains information about the source

systems connected the SAP HANA system via SAP Landscape Transformation Replication Server. In order to

register a new configuration when one is created, and to deregister a configuration when one is deleted, certain

SQL privileges are required.

When you create the first SAP LT Replication Server configuration for an SAP HANA database, the SQL schema

SYS_REPL is created in the SAP HANA database. If another database user requires access to this configuration

(or configurations created after this one), then you need to assign the system privileges mentioned above to this

user, as well as the following SQL privileges:

On the tab SQL Privileges, add the SQL object SYS_REPL, and select the following privileges:

• EXECUTE

• SELECT

• INSERT

• UPDATE

• DELETE

Note:

You can use the following SQL script to create this user in the SAP HANA system:

create user SLT_USR password <pwd>;

grant user admin to SLT_USR;

grant CREATE SCHEMA to SLT_USR;

grant ROLE ADMIN to SLT_USR;

grant CATALOG READ to SLT_USR;

grant insert on schema _SYS_REPO to SLT_USR;

grant delete on schema _SYS_REPO to SLT_USR;

grant update on schema _SYS_REPO to SLT_USR;

grant select on schema _SYS_REPO to SLT_USR;

grant insert on schema SYS_REPL to SLT_USR with grant option;

grant delete on schema SYS_REPL to SLT_USR with grant option;

grant update on schema SYS_REPL to SLT_USR with grant option;

grant select on schema SYS_REPL to SLT_USR with grant option;

grant execute on schema SYS_REPL to SLT_USR with grant option;

24

INTERNAL



Authorizations


5.3.1.3 Replication User

The SAP LT Replication Server creates the replication user by using the initial user for this operation. One

replication user is created for each replication schema. The replication user has the same name as the

corresponding schema.

The replication user is used to connect from the SAP LT Replication Server to the SAP HANA system for

replication. The authentication information for the replication user is generated by the SAP LT Replication Server

and stored as a secondary database connection in the SAP LT Replication Server. This means that only the SAP

LT Replication Server can connect as replication user to the SAP HANA system.

5.3.1.4 Replication Roles

The following roles are defined and have authorization on the target schema on the SAP HANA system:

• <REPLICATION SCHEMA>_DATA_PROV

Assign this role to users who configure and monitor the data provisioning process. This role has the right to

select data in the replication schema and to insert values into the RS_ORDER table within the replication

schema.

• <REPLICATION_SCHEMA>_POWER_USER

This role provides full control over the contents of the replication schema.

Note

Assign this role only for urgent operations, such as maintenance operations. The rights granted by this

role allow the user to perform operations that can destroy the consistency of the replicated data.

• <REPLICATION_SCHEMA>_USER_ADMIN

This role provides access to the database stored procedures RS_GRANT_ACCESS and

RS_REVOKE_ACCESS. They are used for fine-grained access control on the replication schema content.

• <REPLICATION_SCHEMA>_SELECT_USER

This role contains select privileges of the entire replication target schema.

Note that the access rights assigned to each of these roles do not include a grant option. This means that users

who have been granted these roles cannot grant the individual privileges to other users and roles. This is due to

the fact that granted privileges depend on the privilege of the granting user: If the granting user is revoked the

privilege, or is entirely dropped, the granted privileges are also revoked.

The following select user role that can be granted to others is automatically created in the schema in the SAP

HANA system:

• <schema>_SELECT_USER_GRANTABLE


Authorizations

INTERNAL



Note that for configurations created using SP11 or lower, this role must be created manually in the SAP HANA

system. For more information, see SAP Note 2307329.

5.3.1.5 Managing Access to Replicated Tables

Access to replicated tables is managed by a user of the role <REPLICATION_SCHEMA>_USER_ADMIN by calling

either the procedure RS_GRANT_ACCESS or RS_REVOKE_ACCESS.

Note

Access to the configuration and monitoring tables that start with prefix ‘RS_’ cannot be granted or

revoked by this procedure.

5.3.1.6 Granting Access

Access to a table is granted by calling the procedure RS_GRANT_ACCESS, which has the following parameters:

Parameter Description

TABLENAME Table name to grant privileges

GRANTEE User/Role that is granted privileges

SELECT_PRIVILEGE ‘X’ to grant SELECT privilege, ‘ ‘ for no operation

INSERT_PRIVILEGE ‘X’ to grant INSERT privilege, ‘ ‘ for no operation

UPDATE_PRIVILEGE ‘X’ to grant UPDATE privilege, ‘ ‘ for no operation

DELETE_PRIVILEGE ‘X’ to grant DELETE privilege, ‘ ‘ for no operation

5.3.1.6.1 Revoking Access

Access to a table is revoked by calling the procedure RS_REVOKE_ACCESS, which has the following parameters:


26

INTERNAL



Authorizations


Parameter Description

TABLENAME Table name to revoke privilege

GRANTEE User/Role that is revoked a privilege

SELECT_PRIVILEGE ‘X’ to revoke SELECT privilege, ‘ ‘ for no operation

INSERT_PRIVILEGE ‘X’ to revoke INSERT privilege, ‘ ‘ for no operation

UPDATE_PRIVILEGE ‘X’ to revoke UPDATE privilege, ‘ ‘ for no operation

DELETE_PRIVILEGE ‘X’ to revoke DELETE privilege, ‘ ‘ for no operation

5.3.1.7 Monitoring Access Management

Calling RS_GRANT_ACCESS and RS_REVOKE ACCESS writes log entries into the table RS_MESSAGES. The

Component field of the RS_MESSAGES table is populated with RS_GRANT_ACCESS or RS_REVOKE_ACCESS

respectively. The following information is logged:

• Affected table (column TABLENAME)

• Time stamp of operation (column MESSAGETIME)

• Errors in granting / revoking privileges (column LINE)

o Try to grant to / revoke from reserved table

o Try to grant on non-existent table

o Try to grant to / revoke from non-existent user or role

• Privileges granted / revoked by user in the form of a line (column LINE)

<PRIVILEGE> TO <USER> BY <CURRENT_USER> or

<PRIVILEGE> FROM <USER> BY <CURRENT_USER> or

Where <CURRENT_USER> is the calling user of the procedure.

5.3.2 Option 2: Replicating to SAP HANA System (database connection not managed by SAP)


Authorizations

INTERNAL



5.3.2.1 Schemas in Target Database

Whereas the schema in the target database is created by SAP LT Replication Server for option 1, for this option

you need to ensure that the database schema (replication schema) that will contain the target tables already

exists.

5.3.2.2 Replication User

We recommend creating one replication user for each replication schema. We also recommend that the

replication user has the same name as the corresponding schema.

The replication user is used to connect from the SAP LT Replication Server to the SAP HANA system for

replication. This means that only the SAP LT Replication Server can connect as replication user to the SAP HANA

system.

The replication user needs full access to the target database schema (EXECUTE, SELECT, INSERT, UPDATE, and

DELETE privileges), and has read access to schema SYS.

Note

Your system administrator needs to provide the required authorizations for any users that require access

to replicated tables. SAP LT Replication Server does not create any roles for accessing the replicated

tables.

5.3.3 Restricting Access to the Source System

Important Information

By default, the SAP LT Replication Server system has unrestricted access to all tables in the ABAP-based SAP

source system.

However, there may be situations where you want to restrict the access to data. To do this, you can use table

DMC_C_WL_TABL_OP in the ABAP-based SAP source system. This table is delivered empty, which means that

the SAP LT Replication Server system has unrestricted access to all tables.

In this table, you can specify which remote RFC user can access which tables in the source system. In addition,

you can specify the type of the action that can be performed on the table. The following actions are possible:

• Read table metadata

• Load data from the table

• Replicate data from the table

• Create a freeze trigger for the table

A standard database trigger records changes to a table (INSERT, UPDATE, and DELETE statements) in a

logging table. If a freeze trigger exists for a table, then the system returns an error message if a standard

database trigger records a change for the table. Instead of creating an entry in the logging table for the

28

INTERNAL



Authorizations


trigger, the system creates an error message. In this way, you can use freeze triggers to prevent changes to

the source system table, and to be informed if any attempt is made to change data in the table.

If table DMC_C_WL_TABL_OP contains at least one entry, then the system restricts access to data to only those

entries. If you want additional access to data, you need to create additional entries in the table.

If the action READ_METADATA is permitted for a table, and the table has include structures, you must also permit

the action READ_METADATA for the include structures. Note that it is not necessary to permit other actions such

as LOAD_DATA or REPLICATE_DATA for the include structures.

The fields in table DMC_C_WL_TABL_OP are described below:

Field Description

RFC_USER The user specified in the RFC connection used to

connect to the ABAP-based source system.

TABLENAME The name of the table in the source system.

READ_METADATA If set to ‘X’, then the SAP LT Replication Server system

is permitted to read metadata for the table.

LOAD_DATA If set to ‘X’, then the SAP LT Replication Server system

is permitted to load data from the specified table.

REPLICATE_DATA If set to ‘X’, then the SAP LT Replication Server system

is permitted to replicate data from the specified table.

FREEZE_TRIGGER If set to ‘X’, then the SAP LT Replication Server system

is permitted to create a freeze trigger for the specified

table.

Note: If you permit the actions LOAD_DATA or REPLICATE_DATA for a table, then you must also permit the action

READ_METADATA for the table. This is because SAP LT Replication Server needs to read the metadata of a table

before performing the initial load or starting the replication process.

For SAP S/4HANA on-premise source systems (release 2020 or higher), you can restrict access by using the role

SAP_DH_CDC_REMOTE (see section 5.2.2). Field DHCDCCDSNM of authorization object S_DHCDCCDS lists all

CDS views that can be accessed in the source system. Field DHBASTABNM of authorization object S_DHCDCTAB

lists all tables that can be accessed in the source system.


Authorizations

INTERNAL



5.3.3.1 Examples

Example 1

In the example outlined in the table below, the SAP LT Replication Server system (specifically user SJOHN) is not

permitted to perform any actions for the source system table SBOOK.

Note that as long as table DMC_C_WL_TABL_OP contains at least one entry, the SAP LT Replication Server

system is not permitted to perform any action for any source system tables. If you want additional access to data,

you need to create additional entries in the table.

Note the SAP LT Replication Server system is connected to the ABAP-based SAP source system by means of an

RFC connection created with the user SJOHN.

RFC_USER TABLENAME READ_METADATA LOAD_DATA REPLICATE_DATA FREEZE_TRIGGER

SJOHN SBOOK

Example 2

In the example outlined in the table below, the SAP LT Replication Server system (specifically user SJOHN) is

permitted to load data from the source system table SBOOK.




SJOHN SBOOK X X

Example 3

In the example outlined in the table below, the SAP LT Replication Server system (specifically user SJOHN) is

permitted to read metadata from the source system table SBOOK, and also to replicate data from the table.




SJOHN SBOOK X X

30

INTERNAL



Authorizations


Note:

For SAP Landscape Transformation Replication Server versions SP13 and lower, table

IUUC_TAB_ALLOWED was used to restrict access to the ABAP-based SAP source system. For SP14 and

higher, table DMC_C_WL_TABL_OP is used to restrict access. If you are installing SAP LT Replication

Server for the first time (using SP15), both tables will be delivered empty, and you can use table

DMC_C_WL_TABL_OP as described in this section.

If you are upgrading to SP15 from a lower SP, the system checks whether there are any entries in table

DMC_C_WL_TABL_OP. If the table is empty, the system checks whether there are any entries in table

IUUC_TAB_ALLOWED. If there are entries in table IUUC_TAB_ALLOWED, then these entries will be

considered by the system. If you subsequently make an entry in table DMC_C_WL_TABL_OP, then only

table DMC_C_WL_TABL_OP will be considered by the system; table IUUC_TAB_ALLOWED will be

disregarded completely. So, while it is possible to continue using table IUUC_TAB_ALLOWED, we strongly

recommend using table DMC_C_WL_TABL_OP instead.

Note that if you permit actions for a table using table IUUC_TAB_ALLOWED, and the table has include

structures, you must also permit actions for the include structures.


Network and Communication Security

INTERNAL



6 Network and Communication Security

6.1 Network Security

Access to ABAP source systems using SAP LT Replication Server takes place exclusively through RFC

connections. For more information about security-relevant information concerning RFC, see the SAP Library on

SAP Help Portal.

For non-ABAP source systems, a database connection has to be established to transfer the data from the source

to the SAP LT Replication Server. For more information, refer to the relevant database vendor documentation.

If any of the participating systems are located in a public network or are connected to a public network, then you

need to establish suitable protection mechanisms such as introducing a firewall.

6.2 Communication Destinations

The SAP LT Replication Server does not come with fixed destinations or user names. The following

communication destinations need to be created:

6.3 ABAP Source System

1. Create a user (type Dialog) in your source system with the role SAP_IUUC_REPL_REMOTE. For SAP

S/4HANA on-premise source systems (release 2020 or higher), also add the role SAP_DH_CDC_REMOTE.

2. Create an RFC connection (type 3 – ABAP) from the SAP LT Replication Server system to the source system

with the created user. If both systems are Unicode, specify this RFC as Unicode.

Note:

Do not use the DDIC user for RFC connection. If the source system and the SAP LT Replication Server are

the same system, also create an RFC connection. Do not use the option NONE.

3. Use the created RFC to define the connection between the ABAP source system and the SAP LT Replication

Server within your new configuration.

http://help.sap.com/

32

INTERNAL



Network and Communication Security


6.4 Non- ABAP Source System

To establish a secondary database connection, the user must have the required privileges as described under

User Roles for Non-ABAP Source System.

Use the created database connection to define the connection between the ABAP source system and the SAP LT

Replication Server within your new configuration.

6.5 SAP HANA System

If the database connection from the SAP LT Replication Server system to the SAP HANA system is managed by

SAP LT Replication Server, then the database connection is created automatically.

If the database connection from the SAP LT Replication Server system to the SAP HANA system is not managed

by SAP LT Replication Server, then you need to establish a secondary database connection as described in the

SAP LT Replication Server operations guide and in the application help (https://help.sap.com/sapslt). Note that

the user must have the required privileges as described in section “Authorizations in the SAP HANA System” of

chapter “Authorizations”.

The created database connection is then used to define the connection between the SAP LT Replication Server

and the target database within your new configuration.

For more information about the two options for replicating data to SAP HANA, see the application help at

http://help.sap.com

http://help.sap.com/


Security-Relevant Logging and Tracing

INTERNAL



7 Security-Relevant Logging and Tracing

SAP Landscape Transformation Replication Server uses the logging and tracing capabilities provided by the SAP

NetWeaver AS ABAP platform. For example, the logging of security-related events is handled by the security audit

log (transaction SM19, transaction SM20).

For more information see: SAP NetWeaver Security Guide -> Logging and Tracing.

7.1 Change Log

In the initial screen SAP LT Replication Server Cockpit (transaction LTRC), you can access the SAP LT Replication

Server Change Log by choosing the Change Log button. The change log records all changes triggered by users of

the SAP LT Replication Server application. You can use the change log to view the changes that you are interested

in.

7.1.1 Settings for Data Retention Period

The retention period is the length of time (in days) that the logs are kept in the system. The default retention

period is 60 days. To change the retention period, choose the Settings for Data Retention Period button.

The system displays a dialog box where you can choose one of the following options:

o Data Retention Period Off

If you choose this option, logs are kept in the system indefinitely.

o Data Retention Period On

If you choose this option, you can specify a number of days after which the logs will be deleted from

the system.

7.1.2 Deleting Entries from the Change Log

If required, you can delete all entries from the change log before a specific date. To do this, choose the Delete

Entries button.

The system displays a dialog box where you can specify a date. The system will delete all changes that were

recorded before this date (changes recorded on the specified date will still be visible).

http://help.sap.com/saphelp_nw75/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm

34

INTERNAL



Data Privacy and Protection


8 Data Privacy and Protection

8.1 Overview

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance

with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different

countries. This section describes the specific features and functions that SAP provides to support compliance

with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and

functions are the best method to support company, industry, regional or country-specific requirements.

Furthermore, this guide does not give any advice or recommendations with regard to additional features that

would be required in a particular environment; decisions related to data protection must be made on a case-by-

case basis and under consideration of the given system landscape and the applicable legal requirements.

Note

In the majority of cases, compliance with data privacy laws is not a product feature.

SAP software supports data privacy by providing security features and specific data-protection-relevant

functions such as functions for the simplified blocking and deletion of personal data.

SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not

taken from any given legal source.

Glossary

Term Definition

Personal data Information about an identified or identifiable natural

person.

Business purpose A legal, contractual, or in other form justified reason

for the processing of personal data. The assumption is

that any purpose has an end that is usually already

defined when the purpose starts.

Blocking A method of restricting access to data for which the

primary business purpose has ended.

Deletion Deletion of personal data so that the data is no longer

usable.

Retention period The time period during which data must be available.



INTERNAL



Term Definition

End of purpose (EoP) A method of identifying the point in time for a data set

when the processing of personal data is no longer

required for the primary business purpose. After the

EoP has been reached, the data is blocked and can

only be accessed by users with special authorization.

Some basic requirements that support data protection are often referred to as technical and organizational

measures (TOM). The following topics are related to data protection and require appropriate TOMs:

• Access control: Authentication features as described in section User Administration and Authentication.

• Authorizations: Authorization concept as described in section Authorizations.

• Read access logging: As described in section Read Access Logging.

• Transmission control / Communication security: as described in section Network and Communication

Security

• Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the

authorization concept.

Caution

The extent to which data protection is ensured depends on secure system operation. Network security,

security note implementation, adequate logging of system changes, and appropriate usage of the system

are the basic technical requirements for compliance with data privacy legislation and other legislation.

8.2 Deletion of Personal Data

SAP LT Replication Server might transfer data (personal data) that is subject to the data protection laws

applicable in specific countries. Usually, this data is not persisted nor accessible within the SAP LT Replication

Server system. The data is only present in-memory during the replication process.

The only exception to this is the replication logging feature (refer to chapter 8 of the SAP LT Replication Server

Operations Guide). With this feature, the content of replicated tables may be stored in the SAP LT Replication

Server system for a certain amount of time, customizable by the SAP LT Replication Server user. The data is

persisted in a cluster table which means that it cannot be accessed by using database tools such as transaction

SE16.

36

INTERNAL





Nevertheless, it is possible to access this data by using an SLT expert function in transaction LTRC (if the user is

authorized to use the expert function). As part of the data privacy and protection mechanisms, access to the data

may be logged via Read Access Logging (described in the next chapter).

The data stored by the replication logging feature is permanently deleted once the defined threshold for

temporary storage is reached and the SAP LT Replication Server cleanup report (IUUC_HOUSEKEEPING) is

executed. The cleanup report is executed at three different points in time:

1. When the SAP LT Replication Server system is restarted.

2. At midnight.

3. Whenever the configuration that uses the replication logging feature is deactivated and activated again.

The customization of the retention period (threshold for deletion) can be configured by using transaction LTRS.

8.3 Read Access Logging

Read access to personal data is partially based on legislation, and it is subject to logging functionality. The Read

Access Logging (RAL) component can be used to monitor and log read access to data and provide information

such as which business users accessed personal data (for example, fields related to bank account data), and

when they did so.

In RAL, you can configure which read-access information to log and under which conditions.

Within SAP LT Replication Server, Read Access Logging has been configured for the Replication Logging feature,

where data replicated from a source system to a target system is temporarily stored in the SAP LT Replication

Server system (refer to chapter 8 of the SAP LT Replication Server Operations Guide). As SAP LT Replication

Server does not know about the content of the tables which are replicated and whether these tables contain

personal data, any access to the temporary storage will be logged if Read Access Logging is activated. The log will

provide information that a certain user accessed data for a certain table.

Prerequisites

Before you can use the delivered RAL configurations, the following prerequisites are met:

• Ensure that your SAP Basis release supports RAL. For more information, see SAP Note 1969086.

• You have enabled RAL in each system client.




INTERNAL



Activating the RAL Configuration

1. In transaction SRALMANAGER, on the Administration tab page, choose Configuration.

2. Choose the desired channel, which is “Dynpro”.

3. Choose Search.

The system displays the available configurations for the selected channel.

An example configuration for SAP LT Replication Server replication logging feature is

SAP_CA_LT_LTRC_DYNPRO.

4. Choose Display Configuration for detailed information on the configuration. For specific channels, related

recordings can also be displayed.

5. Select the configuration and choose Activate.

More Information

For general information on Read Access Logging, see the product assistance for SAP NetWeaver on SAP Help

Portal at http://help.sap.com/netweaver → SAP NetWeaver Library: Function-Oriented View → System Security

for SAP NetWeaver AS for ABAP Only.

For up-to-date information on the delivered RAL configurations, see SAP Note 1514967.

8.4 Keeping Data in the Target System Secure

Once data is extracted from a source table and is moved to a table in the target system, the SAP LT Replication

Server authorization concept no longer applies. That is, data in target tables can be read using functions that are

not part of SAP LT Replication Server, and that lack the authorizations that are in place when SAP LT Replication

Sever reads data from the source system. You must therefore ensure that access to data in the target system is

managed in a secure way.

8.5 Additional Information for INDX-like Tables

Data in INDX-like tables is stored in a compressed and raw data format. Data from an INDX-like table cannot be

read in a usual way. Only applications that have specific authorizations can read data from these tables, and write

its data to standard tables in a readable format.

SAP Landscape Transformation Replication Server is such an application. It can transfer data from INDX-like

tables to a standard table in the target system in a readable format.

http://help.sap.com/netweaver


38

INTERNAL





Data from INDX-like tables may need to be made transparent for audit or analysis purposes. However, once data

is extracted from an INDX-like table, and is moved to a standard table in a readable format, the original

authorization concept no longer applies. That is, data in standard tables can be read using functions that are not

application-dependent, and which typically lack the authorizations that applied to the source INDX-like table. For

example, standard tables can be accessed by using transaction SE16.

INDX-like tables can contain data of a personal or sensitive personal nature. This type of table is used extensively

by SAP ERP HCM. Examples of HCM data that is stored in INDX-like tables include payroll and absence data,

though any conceivable type of sensitive data could be stored in these tables. The customer must ensure that the

transparent data extracted from INDX-like tables is protected in a manner that conforms to local data protection

regulations.

An additional consideration for INDX-like tables concerns transaction CNV_INDX_OVERVIEW. If a user has the

authorizations required to use this transaction, they can view the data from INDX-like tables directly. This data

can be highly sensitive, and the environment could be productive. With sufficient authorizations, a user can simply

select an INDX-like table, then an application area such as Payroll Results, and then view individual records

containing, for example, wage type and money amounts for specific personnel numbers.

Since transaction CNV_INDX_OVERVIEW is so critical, there is no standard role that enables a user to use it. In

addition, the authorizations required are very strict and should only be granted to a user that has a specific

requirement to test or analyze an SAP Landscape Transformation Replication Server function. It must be

understood that a user with the required authorizations can then see all the data in the specifically selected INDX-

like table. The following table outlines the required authorizations:

Authority Object Field 1 Field 2 Field 3

S_TCODE TCD

Field Values CNV_INDX_OVERVIEW

S_DMIS MBT_PR_ARE MBT_PR_LEV ACTVT

Field Values SLOP PACKAGE 02

S_TABU_DIS DICBERLCS ACTVT

Field Values DM06 03

S_TABU_NAM ACTVT TABLE

Field Values 03 INDX-like table to which

access is required (for

example PCL2)


Additional Replication Scenarios

INTERNAL



9 Additional Replication Scenarios

Depending on how you use SAP Landscape Transformation Replication Server, different authorizations are

required. Different users (with the relevant authorizations) are required to operate SAP Landscape

Transformation Replication Server.

The specifics depend on your scenario. The following sections outline the different users and authorizations

required for the various scenarios.

9.1 Replicating Data to ABAP-Based SAP Systems

The user roles required in the different systems are outlined in the following sections.

9.1.1 ABAP-Based SAP Source Systems

In order to connect to and retrieve data from the SAP Landscape Transformation Replication Server system by

means of an RFC connection, generate and use the following role:

• SAP_IUUC_REPL_REMOTE

For SAP S/4HANA on-premise source systems (release 2020 or higher), you also need to generate and use the

role SAP_DH_CDC_REMOTE. For more information, see chapter 5.2.2.

9.1.2 Non ABAP-Based Source Systems

To establish a secondary database connection from an ABAP-based system to an external database, the

connection data and user data are required. This user must be authorized to establish a connection to the

external database. The ABAP-based system connects to a specific schema from the database. To perform the

replication and initially load a specific table from a given schema, the database user must have privileges for the

following actions:

• Selecting from the table

• Creating a table in the given schema (for creating the logging table)

40

INTERNAL





• Selecting from the logging table

• Deleting the logging table

• Creating database triggers for the table

• Deleting the database triggers

• Creating synonyms

• Deleting synonyms

Depending on the specific external database system, the process of granting privileges to a user can vary.

9.1.3 SAP Landscape Transformation Replication Server System

In order to create, change, or display configurations, you can generate and use the following role:

• SAP_IUUC_REPL_ADMIN

You can generate and use the following role in order to display configurations only. Note that this role does not

permit the creation of a new configuration, or changes to any settings:

• SAP_IUUC_REPL_DISPLAY

9.1.4 ABAP-Based SAP Target System

In order to connect to and write data to the ABAP-based SAP target system by means of an RFC connection,

generate and use the following role:


9.2 Replicating Data to Other Databases




INTERNAL




In order to connect to the SAP Landscape Transformation Replication Server system by means of an RFC

connection, generate and use the following role:


For SAP S/4HANA on-premise source systems (release 2020 or higher), you also need to generate and use the

role SAP_DH_CDC_REMOTE. For more information, see chapter 5.2.2.


In order to create, change, or display configurations, you can generate and use the following role:





9.2.3 Target Database

The user must have authorizations to write data to the database and to create objects such as views and

synonyms (depending on the database used).

9.3 Replicating Data to SAP BW Using ODP

The source system connects to the ODP framework in the SAP Landscape Transformation Replication Server

system. You have to create an RFC connection from the source system to the SAP Landscape Transformation

Replication Server system (by using transaction SM59). For this connection, use an RFC user with the

role SAP_IUUC_REPL_REMOTE. As the RFC connection to the target system points to the same system that the

SAP Landscape Transformation Replication Server is running on, you can use the connection NONE.

42

INTERNAL





The SAP BW system connects to the ODP framework as a subscriber. For this connection, it uses an RFC user

with the role SAP_IUUC_REPL_ADMIN_BW_ODQ. When you setup the logical system type ODP SLT in SAP BW,

you need to enter a user for the callback connection that allows the data transfer from ODP to SAP BW. The user

which is used for this connection needs to have the profiles S_BI-WHM_RFC and S_BI-WX_RFCA.

Note

The callback connection is the RFC connection <BW System><Client Number> which is created in the

SAP Landscape Transformation Replication Server system. Ensure that you use the correct user and

password combination as defined in this RFC connection.



In order to connect to the SAP Landscape Transformation Replication Server system by means of an RFC

connection, generate and use the following role:


Note

Do not use the DDIC user. Roles are not generated by default; you need to grant and generate all roles.


In order to create, change, or display configurations, you can generate and use the following role for the SAP

Landscape Transformation Replication Server system:







INTERNAL



9.3.3 SAP BW System

In order to configure and monitor the data provisioning process in the BW system, generate and use the following

role:

• S_RS_RDEMO


www.sap.com/contactsap

Material Number


No part of this publication may be reproduced or transmitted in any

form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior

notice.

Some software products marketed by SAP AG and its distributors

contain proprietary software components of other software

vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered

trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System ads, System i5, System

p, System p5, System x, System z, System z10, System z9, z10, z9,

iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise

Server, PowerVM, Power Architecture, POWER6+, POWER6,

POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2

Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,

Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and

other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either

trademarks or registered trademarks of Adobe Systems

Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the

Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

VideoFrame, and MultiWin are trademarks or registered trademarks

of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered

trademarks of W3C®, World Wide Web Consortium, Massachusetts

Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc.,

used under license for technology invented and implemented by

Netscape.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,

ByDesign, SAP Business ByDesign, and other SAP products and

services mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in Germany and in

several other countries all over the world. All other product and

service names mentioned are the trademarks of their respective

companies. Data contained in this document serves informational

purposes only. National product specifications may vary.

These materials are subject to change without notice. These

materials are provided by SAP AG and its affiliated companies ("SAP

Group") for informational purposes only, without representation or

warranty of any kind, and SAP Group shall not be liable for errors or

omissions with respect to the materials. The only warranties for SAP

Group products and services are those that are set forth in the

express warranty statements accompanying such products and

services, if any. Nothing herein should be construed as constituting

an additional warranty.

sap landscape transformation replication ... - sap help portal

Documents