
Page 1: Security Guide for mySAP CRM

Security Guide for mySAP CRM (SAP CRM 4.0)

Release 623

HELP.SGCRM

Page 2: Security Guide for mySAP CRM

SAP Online Help 15.09.2005

Security Guide for mySAP CRM 623 2

Copyright

© Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

The following icons are used in the body text (icon / meaning):

• Caution

• Example

• Note

• Recommendation

• Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style: Description

• Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

• Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

• EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

• Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

• Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

• <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

• EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.


Security Guide for mySAP CRM.......................................................................................... 6

Introduction ...................................................................................................................... 7

System Landscape .......................................................................................................... 9

User Administration and Authentication......................................................................... 12

User Administration .......................................................................................................... 13

User Data Synchronization............................................................................................... 14

Integration with the Single Sign-On Environment ............................................................ 15

Authorizations ................................................................................................................ 16

Network and Communication Security........................................................................... 17

Channel.......................................................................................................................... 18

CRM Enterprise................................................................................................................ 19

Enterprise Sales ........................................................................................................... 20

Sales Planning and Forecasting ............................................................................... 22

Enterprise Marketing..................................................................................................... 23

Product Proposals..................................................................................................... 24

External List Management ........................................................................................ 26

Field Applications ............................................................................................................. 28

Mobile Sales ................................................................................................................. 29

Hard Drive Encryption ............................................................................................... 32

Mobile Service .............................................................................................................. 38

Mobile Client Synchronization ...................................................................................... 39

Mobile Sales and Service for Handheld Using CRM 4.0.............................................. 48

E-Commerce .................................................................................................................... 51

E-Service ...................................................................................................................... 52

SAP Internet Sales ....................................................................................................... 56

Selling Via eBay............................................................................................................ 73

Interaction Center............................................................................................................. 80

Interaction Center WinClient......................................................................................... 81

Interaction Center WebClient........................................................................................ 90

E-Mail Response Management System ..................................................................... 100

Interaction Center Manager ........................................................................................ 105

Interaction Center: Workforce Management Services................................................ 110

Channel Management .................................................................................................... 113

Channel Sales Management for High Tech................................................................ 114

Contracts and Chargeback for Pharmaceutical.......................................................... 116

SAP CRM Powered by SAP NetWeaver........................................................................ 118

CRM Server ................................................................................................................ 119

Software Agent Framework ........................................................................................ 123

Solution Database ...................................................................................................... 129


CRM Billing ................................................................................................................. 132

Intelligence Connector ................................................................................................ 134

SAP Internet Pricing and Configurator ....................................................................... 138

People-Centric CRM................................................................................................... 146

People-Centric User Interface (PC UI).................................................................... 148

SAP Business Information Warehouse ...................................................................... 154

Object Links, Input Help, Core Services and Java Lists............................................. 155

SAP Internet Sales ..................................................................................................... 158

BSP Application .......................................................................................................... 160

CRM Access Control Engine ...................................................................................... 161

Knowledge Management ............................................................................................ 164

Alerts........................................................................................................................... 166

Integration of SAP R/3-Transactions with Portal Roles.............................................. 168

Roles in the CRM System for Portal Users ................................................................ 170

Appendix ............................................................................................................................ 172


Security Guide for mySAP CRM


Introduction

This guide does not replace the Daily Operations Handbook, which we recommend that you use to create your specific productive operations.

About this Guide

The following guideline provides an overview of possible security settings and measures that can help you to operate a secure CRM system. It first provides all the relevant information on standard settings and general recommendations that apply across CRM. The Channels section then provides information on the individual technical components that differ from the standard.

The CRM system is based on a series of components such as databases and operating systems. They all have their own security settings. For information on non-SAP components, ask the manufacturer.

You should also look at the following guidelines within SAP when securing your CRM system:

• SAP NetWeaver ’04: help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide

• SAP Web Application Server: help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Components → SAP Web Application Server Security Guide

• SAP Internet Transaction Server: help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Components → SAP Web Application Server Security Guide → Internet Transaction Server Security

• SAP J2EE Engine: service.sap.com/security → Security in Detail → Hot Topic: J2EE

• SAP Enterprise Portal: help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Components → Portal Platform Security Guide

You can find additional security guides in SAP Service Marketplace under service.sap.com/security and service.sap.com/securityguide.

Why do we need Security?

Nowadays, it is increasingly useful to collect as much information as possible on customers and to use this knowledge when selling goods or services in order to provide the customer with a perfectly tailored product. The more detailed the information, the better you will be able to advise your customers. This, in turn, means that you have information that other industries or companies could use to gain new customers or to force you out of the market.

Access to your data must also be restricted in such a way that it is not possible to use filters to locate individual data records such as orders or postings. Data security is also extremely important when providing data protection for personal data.


Target Groups

• Technical consultants

• System administrators

This document is not part of the following guides:

• Installation guide

• Configuration guide

• Technical operation manuals

• Upgrade guide

These guides are each only relevant for individual phases of the software lifecycle, whereas the Security Guide provides information that is relevant for all sections.

Important SAP Notes

Check regularly for SAP Notes available for application security.

Important SAP Notes (SAP Note Number / Title / Comment)

• 715371: SAP J2EE – collective note security Basis 6.30/6.40. Very important SAP Note on the secure operation of J2EE Engine Basis 6.30 and 6.40.

You can find important SAP Notes on other SAP components in the documentation for the individual technical components.

You can find other SAP Notes on security in SAP Service Marketplace under service.sap.com/security → SAP Security Notes.


System Landscape

The following table describes where you can find additional information on the technical system landscape.

Further information on the system landscape (Title / Guide or Tool / Quick Link to the SAP Service Marketplace, service.sap.com)

• Application and industry-specific components, such as SAP Financials and SAP Retail, and technical components such as SAP Web Application Server: Different master guides; /instguides

• Technical components: Different infrastructure guides; /ti

• Security: --; /security

• mySAP CRM: Master Guide; /crm-inst

• SAP NetWeaver: --; SAP Help Portal under help.sap.com → SAP NetWeaver → Release ’04 → SAP NetWeaver → Application Platform (SAP Web Application Server) → Architecture of SAP Web AS

Depending on the operative area, the system must meet different technical requirements. If you want to restrict the use of the CRM system to internal users, make sure that it is not possible to access the system via the Internet, and that there are no CRM servers in the demilitarized zone (DMZ).

If you want to allow internal users to access your system externally (e.g. via a laptop or when working from home), we recommend that you install a Virtual Private Network (VPN). This ensures encrypted data transfer, even when you are not working with CRM.

If you want to allow external users to access your system, we recommend that you use SAP Web Dispatcher. The dispatcher is only used for CRM and BW backend systems.

SAP Web Dispatcher filters URLs and thereby secures access to your backend systems. For this reason, it should be placed in your public DMZ, to ensure that all requests from the Portal to the CRM or BW systems pass through this dispatcher.

To ensure that SAP Web Dispatcher can operate correctly, you must configure every URL that accesses your backend in SAP Web Dispatcher. You must also configure the assignment to every internal server called via BSPs. Set the filter according to the syntax of every BSP URL.

Configuring the SAP Web Dispatcher ...

1. Write down all required BSP and BW URLs that need to be filtered.

a. BSP Syntax


There are two different types of BSPs: the blueprint-based BSPs, which all end with crm_bsp_frame/entrypoint.do, and the server-dependent BSPs.

For server-dependent BSPs, the developer defines the application and the start page, which differentiate the URL.

The following section contains a couple of exceptions to the standard BSPs for CRM:

URLs for server-dependent BSPs (Name of BSP iView / URL)

• Indexes: crm_ei_cmp_admn/cmpadmin.do

• Workflow Modeler: SWFMOD_PORTAL/WF_MOD_WorkflowModeler.htm

• Presales Activities: Facts and Reminders: CRM_BSP_PSD_CHM/main.do

• Sales Target: supx_exec2/start.htm

• Overview: CRM_ERMS_RPT/overview.htm

• E-Mail Transfer: CRM_GW_INTEG/gw_integration.do

• Sales Planning: upx_exec2/start.htm

The following templates inherit the values from the derived BSP:

URLs for server-dependent BSPs that inherit the values from the derived BSP (Name of BSP iView / URL)

• CRM ValueHelp iView: crm_bsp_frame/f4h_main.do

• CRM PCUI BSP iView: crm_bsp_frame/entrypoint.do

b. BW Syntax

The basic syntax is structured as follows: <BW System>/sap/bw/BEx?TEMPLATE_ID=<Technical Name of Template>

2. Configure the SAP Web Dispatcher.

When you have identified all BSP URLs, create the filters in the authorization table.

You must use the Uniform Resource Identifier authorization table to define the rules according to which SAP Web Dispatcher will handle incoming URLs.

This is a file that lists the rules in lines. The syntax is based on the syntax of the Route Permission Table.

Every line is structured as follows: P/D/S <URI template>, where the letter at the beginning of the line indicates the following:

P: allows the query through. It is forwarded by the SAP Web Dispatcher to the corresponding application server.

D: rejects the query and sends a message to the client.

S: only allows secure connections (HTTPS) as URL prefix.

You can only use the wildcard character (*) at the beginning or the end of the URI template string.

A URI authorization table might appear as follows:


# SAP Web Dispatcher test authorization table
P crm_bsp_frame/entrypoint.do
D *.do
P CRM_BSP_PSD_CHM/*
P sap/bw/*

This table reflects the following configuration:

The BSP page entrypoint.do in crm_bsp_frame can be executed (line 1); the request is forwarded, in accordance with load balancing, to the appropriate SAP WebAS server. No other *.do pages can be executed (line 2).

The order of the lines matters: if the first two lines were exchanged, crm_bsp_frame/entrypoint.do could not be executed either, because the lines are checked in order and the first matching line decides. The deny line would already match the URL, and the second line would no longer be evaluated.

The HTTP request handler behind CRM_BSP_PSD_CHM can be executed (line 3), as can BW requests under sap/bw/ (line 4).

BSP pages that are not explicitly listed here cannot be executed, because the SAP Web Dispatcher rejects the request.

Remember that you must set this up for both CRM and BW BSPs.

For further information on configuring SAP Web Dispatcher, see SAP Help Portal under help.sap.com → SAP NetWeaver → Release 04 → Select Language English → SAP NetWeaver → SAP NetWeaver Configuration → SAP Web Application Server → Management of the SAP Web Dispatcher.
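As an added illustration, not code from the guide or from SAP, the following Python script models the first-match evaluation of a URI authorization table described above: it parses the guide's sample table, enforces the rule that a wildcard may only appear at the beginning or the end of a template, and shows why exchanging the first two lines blocks crm_bsp_frame/entrypoint.do. Two points are simplifying assumptions taken from the guide's wording rather than from the Web Dispatcher's implementation: a URI that matches no line is rejected, and an S line permits the request only over HTTPS; the request URIs are constructed in the same short form the table uses.

```python
"""Simplified model of SAP Web Dispatcher URI authorization table evaluation.

Added example, not code from the guide or from SAP. It models the rules the
guide states: each line is "P|D|S <URI template>", a wildcard (*) may only
appear at the beginning or the end of the template, and lines are checked in
order with the first matching line deciding. Assumptions: a URI that matches
no line is rejected, and an S line permits the request only over HTTPS.
"""
from typing import List, Optional, Tuple

# Constructed sample input: the test authorization table from the guide.
SAMPLE_TABLE = """\
# SAP Web Dispatcher test authorization table
P crm_bsp_frame/entrypoint.do
D *.do
P CRM_BSP_PSD_CHM/*
P sap/bw/*
"""

Rule = Tuple[str, str]                 # (action, URI template)
Decision = Tuple[str, Optional[int]]   # ("permit"|"deny", index of deciding rule)


def parse_table(text: str) -> List[Rule]:
    """Parse the line-based table. Blank lines and '#' comments are skipped.
    Raises ValueError for an unknown action letter or for a wildcard that is
    not at the beginning or end of the template."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: expected 'P|D|S <URI template>', got {raw!r}")
        action, template = parts
        inner = template[1:] if template.startswith("*") else template
        inner = inner[:-1] if inner.endswith("*") else inner
        if "*" in inner:
            raise ValueError(f"line {lineno}: wildcard only allowed at beginning or end: {template!r}")
        rules.append((action, template))
    return rules


def template_matches(template: str, uri: str) -> bool:
    """A leading '*' matches any prefix, a trailing '*' any suffix; a template
    without wildcards must match the URI exactly."""
    starts_wild = template.startswith("*")
    ends_wild = template.endswith("*")
    core = template.strip("*")
    if starts_wild and ends_wild:
        return core in uri
    if starts_wild:
        return uri.endswith(core)
    if ends_wild:
        return uri.startswith(core)
    return uri == template


def evaluate(rules: List[Rule], uri: str, https: bool = False) -> Decision:
    """Walk the rules top to bottom; the first matching line decides."""
    for idx, (action, template) in enumerate(rules):
        if not template_matches(template, uri):
            continue
        if action == "P":
            return "permit", idx
        if action == "D":
            return "deny", idx
        # "S": secure connections only (assumption: permit only over HTTPS)
        return ("permit" if https else "deny"), idx
    return "deny", None  # assumption: nothing matched, request is rejected


def swapped_first_two(rules: List[Rule]) -> List[Rule]:
    """Copy of the table with lines 1 and 2 exchanged, reproducing the
    ordering mistake the guide warns about."""
    if len(rules) < 2:
        return list(rules)
    return [rules[1], rules[0]] + rules[2:]


def main() -> None:
    rules = parse_table(SAMPLE_TABLE)
    # Constructed request URIs, written in the same form as the table entries.
    for uri in ("crm_bsp_frame/entrypoint.do", "crm_bsp_frame/f4h_main.do",
                "CRM_BSP_PSD_CHM/main.do", "CRM_BSP_PSD_CHM/start.htm",
                "sap/bw/BEx?TEMPLATE_ID=ZTEMPLATE", "supx_exec2/start.htm"):
        decision, idx = evaluate(rules, uri)
        where = f"line {idx + 1}" if idx is not None else "no matching line"
        print(f"{uri:40} -> {decision:6} ({where})")
    print("lines 1 and 2 exchanged, entrypoint.do ->",
          evaluate(swapped_first_two(rules), "crm_bsp_frame/entrypoint.do"))


if __name__ == "__main__":
    main()
```

Under this first-match model the sample table's own line 2 (D *.do) also catches CRM_BSP_PSD_CHM/main.do before line 3 is reached, so a P line for a .do page under that path has to precede the deny line.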


User Administration and Authentication

The main system for users of a CRM application is generally a backend system such as SAP WebAS, where users and roles are maintained (transaction SU01 for user maintenance and transaction PFCG for role maintenance). If you are also using a portal, you must also create the users in the portal via Portal administration and then reconcile them between the Portal and the backend system using the SAP User Management Engine. You can reconcile users between several backend systems using Central User Administration (CUA). For further information, see the SAP NetWeaver Security Guide under help.sap.com → SAP NetWeaver → Release 04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → User Administration and Authentication → User Management.

We recommend that you use the Single Sign-On mechanism for authentication. In this way, when you use a Portal, it will provide the ticket. For further information, see the installation and configuration guides for the business package for mySAP CRM in the SAP Service Marketplace under service.sap.com/crm-inst → People-Centric CRM Inst. a. Config. Guides.

If you are using mobile clients, pay attention to the special characteristics of CRM server [Seite 119] and mobile sales [Seite 29].


User Administration

Most of the technical components of mySAP CRM use standard tools for managing users. This facilitates combination of CRM with other SAP products. For further information, see the SAP NetWeaver Security Guide under help.sap.com → SAP NetWeaver → Release 04 → Select Language English → SAP NetWeaver → Security → SAP NetWeaver Security Guide → User Administration and Authentication → User Management.

To provide an indication of which user administration tools are used, the following table lists the most commonly used tools.

Separate user management has only been developed for mobile clients in mySAP CRM.

All other technical components are generally based on tools from the SAP NetWeaver environment. The following table lists the most important tools for user administration in mySAP CRM:

User Administration Tools (Tool / Comments)

• SAP User Management Engine for ABAP Engine (transaction SU01): Central user administration for SAP WebAS. Nearly always needed.

• Profile Generator (transaction PFCG): Tool for WebAS for role administration. Important for authorization administration, among other things.

• SAP User Management Engine Administration Platform: Tool for administration of portal users and roles.

• SAP J2EE Engine user management using the Visual Administrator: Tool for administration of J2EE users and roles.

Users

The users in the system / the default users are described in the individual technical components under Channels.


User Data Synchronization

With the SAP NetWeaver platform, SAP provides two main tools for reconciling user data:

• The User Management Engine (UME) is delivered with the Portal and enables you to reconcile user data with the backend system. For further information, see the SAP help Portal under help.sap.com → SAP NetWeaver → Release ‘04 → Select Language English → SAP NetWeaver → People Integration → Portal → Enterprise Portal Architecture → Security and User Management → User Management Engine (UME)

• Central User Administration (CUA) enables central administration of the user data for all backend systems. For further information, see the SAP help Portal under help.sap.com → SAP NetWeaver → Release ‘04 → Select Language English → SAP NetWeaver → Security → Identity Management → Central User Administration.

For further information, see the SAP NetWeaver Security Guide under help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.


Integration with the Single Sign-On Environment

In more complex scenarios that go beyond simply using SAP WebAS and Win-GUI, especially in scenarios that contain SAP WebAS and Portal, we recommend that you use Single Sign-On (SSO).

An alternative to SSO that suppresses the need for repeated logins is user assignment. It is a good option for test systems, but should be avoided for productive operation.

For further information, see the SAP NetWeaver Security Guide under help.sap.com → SAP NetWeaver → Release 04 → Select Language English → SAP NetWeaver → Security → SAP NetWeaver Security Guide → User Administration and Authentication → User Authentication and Single Sign-On.


Authorizations

When you are assigning authorizations, make sure that you assign only those authorizations that a user needs to complete his or her tasks. To facilitate the everyday operation of your business, you can assign users slightly more authorizations than absolutely necessary, but you should definitely avoid giving individual users full access rights to everything in your system: an attacker who obtained such a user would be able to cause significant damage.

Authorization checks can be performed in every part of your CRM system. In most cases, SAP WebAS is the main focus of attention here.

Maintain the authorizations for SAP WebAS (transaction PFCG) first, because they determine whether a user can access business data.

Do not, however, neglect authorizations for other systems, as these also access central data that must be protected, such as SAP Knowledge Management (KM) in the Portal. Access to documents saved in KM cannot be controlled via SAP WebAS.

In many cases, SAP provides authorizations and authorization default values for application components such as transactions or BSP applications. Because, however, the system must be adjusted during the implementation of mySAP CRM in the project, upon completion of implementation and Customizing you should trace the authorizations actually used (transaction ST01) and provide the corresponding roles with the authorizations determined (transaction PFCG).

For mobile clients, there are additional options for managing user authorizations from an SAP WebAS perspective. For further information, see SAP Help Portal under help.sap.com → SAP NetWeaver → Release ’04 → Select Language English → SAP NetWeaver → Security → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Components → Security Guide for SAP Mobile Infrastructure.

An additional authorization tool has been developed in CRM specifically for Channel Management. For further information, see CRM Access-Control-Engine [Seite 161].


Network and Communication Security

To achieve a minimum level of security in your systems, we recommend that you pay particular attention to this topic. Many people are not aware of the fact that many systems transfer user names and passwords from the client to the server in clear text format, encrypting them only once they are on the server. It is therefore often very easy for an attacker to eavesdrop on communication and find out a password.

We recommend that you also encrypt communication, even for completely in-house solutions. Because mySAP CRM is based on NetWeaver platform functionality, you can secure your system appropriately with SAP NetWeaver. For further information, see the Security Guide for SAP NetWeaver under help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Security → SAP NetWeaver Security Guide → Network and Communication Security.

Exception: using mobile clients with middleware functionality. For further information, see CRM server [Seite 119] and mobile sales [Seite 29].


Channel

The following section contains all security-relevant information on technical components that differ from the standard settings described elsewhere in this document.


CRM Enterprise

CRM Enterprise focuses on the requirements of corporate in-house employees. It supports your entire customer interaction cycle, starting with your first customer contact, through to business transactions, order fulfillment, customer service, and finally to analytical reporting.

This area provides you with specific security information for the following:

• Enterprise Sales

Sales Planning and Forecasting scenario

• Enterprise Marketing

External List Management scenario

Product Proposals

There is no specific security information available for Enterprise Service and Analytics.


Enterprise Sales

Introduction

This topic details the security information relevant for CRM Enterprise Sales.

User Administration and Authentication

User Management

User Management Tools (Tools / Detailed Description / Prerequisites)

• SU01: For a detailed description, refer to the Users and Roles section of the Technical Operations Manual for mySAP Technology on Help Portal. Prerequisites: Nil

• Portal Role – Sales Representative / Sales Manager: Technical name (Sales Manager): com.sap.pct.crm.v02.salesmanager. Technical name (Sales Representative): com.sap.pct.crm.v02.salesrepresentative. For a detailed description, refer to the Business Package for SAP CRM 4.0 under mySAP Customer Relationship Management on Help Portal. Prerequisites: Nil

User Types

The user type used is Individual Users, such as:

• Dialog users

• Background users

Customers must create:

• Individual users to be able to use the delivered standard processes

• Initial identification parameters such as password, certificate for these users. This is not handled by SAP.

Network and Communication Security

Communication Channel Security

The communication channels used are:

• RFC

• SM59

• BDoc type: BUS_TRANS_MSG

• ABAP SQL for the connection to the database

Data Storage Security

Data is stored in the CRM database. Listed below are the various types of data access:

• Read

• Write

• Delete

• Change

• Query

CRM Enterprise Sales uses the PC UI as the web browser user interface. For more security information about the PC UI, see People-Centric CRM [page 146].


Sales Planning and Forecasting

Introduction

This section provides information about:

• Authorizations for Users and Queries

• BPS Responsibility Engine, which is built on the following components:

SAP Web Application Server 6.20

Enterprise Portal 6.0

CRM CE 2004

Related Security Guides

Application Guide: BW/BPS

User Administration and Authentication

User Management

User management is achieved through standard SAP portal roles. Responsibility management for planning is achieved through the BPS Responsibility Engine.

Authorizations

Sales Manager Role.


Enterprise Marketing

Enterprise Marketing provides an array of tools and functions to perform marketing-related activities, such as:

• Planning campaigns and trade promotions

• Creation of target groups

• Personalized product recommendations

• Complex market analysis

This area explains the security aspects associated with:

• External List Management

• Product Proposals


Product Proposals

Introduction

The product proposals consist of Cross-/Up-/Down-Selling, Accessories, and Top N Lists. They use SAP Web Application Server 6.20 and Business Information Warehouse. The people-centric UI of the product proposals uses the Enterprise Portal.

Related Security Guides

Application Guide: Internet Sales

Application Guide: Telesales

User Administration and Authentication

User Management

User Management Tools

Tool: SAP Web Application Server
Detailed Description: The product proposals use the normal user management of the SAP Web Application Server. In addition, they require dialog users. If product proposals are used in Internet Sales, internet users are also required.

Product association rules for cross-, up-, and down-selling and products for top N lists can be determined in a business information system and uploaded to the CRM system. This action requires an RFC connection with a user and password.

User

System: Customer Relationship Management; User: Normal user; Delivered?: No; Type: Dialog user

System: Business Information Warehouse; User: Normal user; Delivered?: No; Type: Dialog user

Authorizations

The CRM_PAR authorization object manages the authorization requirements for maintaining product association rules (cross-/up-/down-selling).

There is no authorization object for top N lists.


Network and Communication Security

Communication Channel Security

The following communication channels are used:

• Front-end to application server

• Application server to application server

The following technology is used for communication:

• DIAG

Transfers front-end application data

• RFC

The following data is transferred:

Certain top N data

Product association rule data

Certain product related data

Communication Destinations

Connection Destinations

Destination: Business Information Warehouse; Delivered?: No; Type: RFC; User, Authorizations: User, password

Data Storage Security

The data is stored in database tables. Depending on the user, access rights such as read, write, change, and delete are required.

Minimal Installation

The people-centric UI requires a web browser (see the corresponding security guidelines).


External List Management

Introduction

External List Management works with Address List data provided by Address Providers; this data is used to create Business Partners. This section provides information about the security aspects associated with External List Management.

External List Management for CRM 4.0 is built on the following components:

• Web Application Server 6.20

• EP 5.0

• BW 3.30

For more information on the security aspects of the above mentioned components, refer to the corresponding security guides.

User Administration and Authentication

User Management

User management is performed by both the application and the Web Application Server. The users are created in CRM using the SU01 transaction, and user authentication is performed by the Web Application Server. For more information, refer to the security guide of WAS 6.20.

The application uses the following types of users:

• Dialog user

Creates and maintains Address Lists, which includes activities such as:

Creating an Address List

Marking Process Steps that must be executed in the workflow

Deleting an Address List

• Workflow user

Executes the marked Process Steps in External List Management in the background through a workflow

User Management Tools

The application does not provide any tools for user management. Refer to the User Management tools for WAS 6.20.

User

The Workflow user (WF-BATCH) is delivered as part of the standard by the SAP business workflow and not by the application directly. However, if not delivered, the user is created when you customize the SAP Business Workflow.

Integration Into Single Sign-On Environments

The integration into Single Sign-On (SSO) is managed by the framework and not by the application. For more information on Single Sign-On, refer to the Web AS Security Guide and the SAP Portal user guide.

Authorizations

The authorizations provided in the different systems are explained below:

• CRM


The applications Maintain Address List and Maintain Format for Mapping perform an authority check on the objects CRM_LIST_H and CRM_MAP_FM respectively. These objects contain the ACTVT field. Based on the value of this field, authorizations are granted to create, change, delete, or display an Address List or a Mapping Format respectively.

• BW

External List Management depends on an authority check on the S_TCODE object for the ELM transaction.

• Portal

The Campaign Manager role (SAP_PCC_CAMPAIGN_MANAGER) contains authorizations for BSP applications, List Management and List Management Mapping.

Network and Communication Security

Communication Channel Security

External List Management uses the following communication channels:

• Browser to Application Server (HTTP/HTTPS)

Transfer of data between the browser and the application server if the application is used in Enterprise Portal. For more information on the security aspects, refer to the security guide of EP 5.0.

• Application Server to Application Server (RFC)

Data is transferred from BW to CRM by using RFC calls.

• Front end to Application Server (File System and DIAG)

The Address List File is transferred from the front end and stored in the application server.

Network Security

For information about network security, see the Web Application Server configuration guide.

Communication Destinations

The application does not deliver any RFC destination or Server Group. Customers must create the RFC destinations and server groups (used in parallel processing while executing Process Steps).

Data Storage Security

The application uploads the Address List file from the front end to the application server or uses files already stored on the application server. These files contain Business Partner master data. The files are stored in the MARKETING_FILES logical path on the application server.

We recommend that the physical path assigned to this logical path has sufficient access control mechanisms in place.


Field Applications

Field Applications enable you to use marketing, sales, and service functionality in an offline environment for sales force representatives and service technicians who work in the field. Using Field Applications, field sales representatives and service technicians can access and update customer relationship data on their notebooks or PDAs (Personal Digital Assistants) while they carry out work in the field.

This area details the specific security-relevant information for the following field applications:

• Mobile Sales

• Mobile Service

• Mobile Sales for Handheld

• Mobile Service for Handheld


Mobile Sales

Introduction

The security information in this topic is relevant for all mobile client applications, such as Mobile Sales and Mobile Service.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

SAP Note Number: 686244; Title: AMT basic concepts; Comment: Nil

SAP Note Number: 686684; Title: Tile authorizations are the same across the application; Comment: Nil

SAP Note Number: 628401; Title: Unable to login Mobile client with windows normal; Comment: Nil

SAP Note Number: 559410; Title: Login and Password Maintenance Functionality in 4.0; Comment: Nil

SAP Note Number: 694071; Title: Logon to application Fails using Winlogon; Comment: Nil

SAP Note Number: 622748; Title: Workgroup Login Failure: Creation of Crypting Object; Comment: Nil

User Administration and Authentication

User Management

You can assign multiple business partners with the role “Employee” to a site (mobile client). For every employee, a user can be created on the CRM Server. This is done using the Administration Console. In the standard delivery:

• Employees get a Bulk replication using the publication Employee.

• Users get the Intelligent replication using the Users (By Employee) publication.

This means that for a connected site all employees are available, but users are available for those employees that need to logon to a mobile client application.

A mobile client user must change the default given password (‘init’) to a unique password during the first logon to a mobile client application. The replication is triggered by a mobile client user using ConnTrans. Once the synchronization is complete, the data is imported into the user database, and all business components of the mobile client application are updated simultaneously.

User Types

Apart from a demo database, there are no other user types delivered with the mobile client application. The customer must create users using the Administration Console on the CRM Server. According to the defined subscription, only those users that are created for the site of type “mobile clients” are replicated to mobile clients.

Usually the system administrator at the customer’s site creates individual interactive users. However, there is only one technical user (IDES) that is delivered with the mobile client application. Details are given in the table below:

System: User database (SQL Server)
User: IDES
User Delivered?: Yes
Type: Technical User
Default Password: IDES
Detailed Description: This user is used to access the user database (SQL Server). The data for the technical user is stored in the local registry. The password can be encrypted (>40SP06).

User Data Synchronization

The mobile client synchronization is performed using ConnTrans. Data is synchronized with the Consolidated Database (CDB) of the CRM Server. This means that the data is exchanged between the mobile client and the CRM Server. Synchronization can be triggered by a mobile client user any number of times and at any point in time.

For more information, see Mobile Client Synchronization [page 39].

Integration Into Single Sign-On Environments

There is no integration into Single Sign-On environments. Mobile client applications do not accept any SAP logon tickets or X.509 digital certificates.

Authorizations

There are no specific roles defined for mobile client applications. A customer can define authorizations using the SAP CRM Mobile Authorization Management Tool (AMT). However, there are a few predefined roles that are shipped for an AMT user.

Authorization is disabled with the default installation of mobile client applications.

For more information refer to:

• The SAP Note 6864244

• mySAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → CRM Mobile Technology → SAP CRM Mobile Authorization Management Tool on Help Portal.

Network and Communication Security

For more information, see Mobile Client Synchronization [page 39].


Data Storage Security

Data for mobile client applications is stored in the user database (SQL Server) on the mobile client. A mobile client user can create, modify, and delete all types of business objects and business data in a mobile client application. All changes are immediately updated in the user database. In addition to this, there are some temporary files that are stored on the local file system, WindowsUser\%Temp%, of the mobile client.

Data Protection

Data protection on the mobile client is achieved using the Subscriptions provided by CRM Middleware. This mechanism allows a system administrator to set subscriptions that allow only the data required for a specific user to be downloaded to a mobile client. This prevents a mobile client user from viewing or modifying data that is not relevant to that user.

A site of type mobile clients, A001 is created using the administration console. A mobile client user is associated with this site. This user must only receive business partner information based on the postal area code.

To do this, you must first create a publication “Postal code area customer”, and then define a subscription for this publication. Various sites can now subscribe to this. Thus, a user can only work on the data that is relevant for him.

For more information refer to:

• mySAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Process Integration → CRM Integration Services → CRM Middleware on Help Portal.

• Hard Disc Encryption [page 32]

Minimal Installation

• The recommended landscape is described in the landscape section.

For more information refer to mySAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → CRM Mobile Technology → Implementation of CRM Mobile Client Applications → Standard Implementation → Preliminary Implementation Tasks → Set Up of a System Landscape on Help Portal

• All mobile client components that must be installed are described in the installation guide. During the installation of mobile client components, Visual Studio 6.0 Sp05 and VBA 6.3 are also installed. These system resources are mandatory for the functioning of mobile client components.

The main difference between a demo and a non-demo system is the database that is installed: depending on the selection, either the demo or the non-demo database is installed. Since only the necessary components are installed, a customer does not have to remove anything from the productive system.

For more information refer to mySAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → CRM Mobile Technology → Implementation of CRM Mobile Client Applications → Standard Implementation → Preliminary Implementation Tasks → Installation of Mobile Client Components on Help Portal

• A customer can decide if AMT is required. SAP recommends that you use this tool to restrict certain functions to certain groups of users.

For more information refer to mySAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → CRM Mobile Technology → SAP CRM Mobile Authorization Management Tool on Help Portal.


Hard Drive Encryption

By stealing hard drives, criminals often attempt to access internal company data that can then be used to damage that company or to provide an advantage to a competing company. To combat the threat of unauthorized access to information, data on local hard drives is encrypted. If, as a user, you want to view your plain text data on the hard drive, you must first enter a password to decrypt it. Any person attempting unauthorized access without this password will only see indecipherable binary data.

Bear in mind the following aspects of encryption:

• Manageability

When using encryption, you must always ensure good administration of the encryption keys used. Depending on the product, this implies additional planning, management and administration.

• Encryption technology

• Usability

• Loss in performance

When accessed, the encrypted data is first decrypted and then re-encrypted when it is changed. The loss in performance depends on the solution used and the implementation scenario. If the encryption is implemented with hardware support, then the performance loss is generally less than for a fully software-based solution.

• Emergency guidelines for application errors caused by the user or by hardware problems

Remember that encryption is usually only performed for individual users. In other words, procedures for encryption recovery or data recovery must be in place to ensure that encryption does not make it impossible for authorized personnel to access company data. These procedures can also be applied if users delete the encryption key or if hardware problems prevent the encryption from operating normally. The corresponding emergency mechanisms, procedures, and guidelines must therefore be available, planned, and implemented.

• Saving encrypted data

You must decide whether to save data in encrypted or unencrypted form. If you save in encrypted form, you must also ensure that the corresponding encryption keys are saved as well, so that you can decrypt the data again.

There are several options for data encryption in the CRM Mobile Client context. They have the following properties:

• Encryption is performed either at operating system level, or at a lower level.

• Encryption is performed either for individual files or for all data.

The following solutions are currently available:

• File encryption using Encrypting File System (EFS)

• Encryption of virtual hard drives

• Hard drive encryption

In hard drive encryption, the entire hard drive is encrypted. This is the major advantage of hard drive encryption: no data areas are left unencrypted. You must even specify a password for the boot process, in order to decrypt and re-encrypt data. Hard drive encryption is available either as a fully software-based solution or with hardware support.

Some manufacturers provide an HDD password to protect the hard drive. However, HDD passwords are merely used to restrict access to the hard drive controller. The hard drive data itself is not encrypted.

File Encryption Using Encrypting File System (EFS)

From Windows 2000, Microsoft provides the option to encrypt individual files using software encryption. This makes it possible to encrypt the local CRM database. The advantage of Encrypting File System (EFS) is that it is available as standard from Windows 2000 onwards.

Products from other manufacturers also provide data encryption. This document only lists EFS because it is integrated with Windows.

In order to use EFS data encryption in the CRM Mobile Client scenario, you must first configure MS SQL Server, so that it runs on a dedicated user account. The CRM database files can then be encrypted for this user account.

Remember that encryption must be activated in the selected user account. To do this, an administrator can log on interactively via the SQL Server account and activate encryption for the database files.

We recommend that you combine all CRM-specific database files in a sub-directory and then flag this directory for encryption. Encryption key creation and management is performed automatically by Windows. This solution means that you do not need to run a Windows Public Key Infrastructure (PKI), although this is still possible if desired. The encryption keys are kept in the user profile and can be backed up with the normal backup procedure.

To ensure that only the SQL server account has access to these files, the access rights must be changed accordingly. This can be done automatically via scripts, using the commands "runas", "cacls" and "cipher".

Because MS SQL server is run as a service, the user right Log on as a service must also be assigned to the SQL server account. This is generally done automatically if the corresponding account is entered in service administration.

If encryption-related problems occur, then the machine can generally be operated normally. Only applications that access encrypted data will be unable to operate correctly. In the CRM scenario, for example, the CRM application would no longer function correctly, but the other computer functions could still be used (e.g. login, mail, other applications).

Remember the following points:

• In Windows 2000, a domain account must be used as the SQL server account. Otherwise, it would be possible for an attacker to reset the password via the administrator account. The attacker could then log on to the account and decrypt the database files.

• Additional rights need to be assigned to the SQL server account (precisely which rights is still unclear), or it must be included in the local administrators group. We do not recommend the latter, however, as this would compromise the SQL server and could provide an attacker with administrator rights.

• To prevent somebody from logging on to the SQL server interactively after the initial encryption of the database files, the right to interactive logon should be removed from the account (user right Deny local logon).

• The SQL server password saved in the registry database must not be stored in plain text, as it could be used to access the encrypted data via the local SQL server.


• When using EFS, it is not possible to encrypt the swap file (disk space set aside for virtual memory) or the hibernation file (suspend to disk).

• The operating system cannot be encrypted.
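The EFS set-up from the steps above, scripted as an added example that is not part of the SAP guide: it assumes a domain service account DOMAIN\sqlsvc and a database directory C:\CRM\db (both placeholders), uses icacls in place of the cacls command the guide names, and leaves the policy and service settings as manual steps in the order the points above require (encrypt first, then remove interactive logon).

```powershell
# Added example (not from the SAP guide): prepare the CRM Mobile Client database
# directory for EFS encryption under a dedicated SQL Server service account.
# Placeholders: DOMAIN\sqlsvc (service account) and C:\CRM\db (database files).
# Run from an elevated PowerShell session on the mobile client.
param(
    [string]$ServiceAccount = 'DOMAIN\sqlsvc',
    [string]$DbDir          = 'C:\CRM\db'
)

# $true only for a DOMAIN\user name whose domain part is not this machine.
# A local account would let a local administrator reset its password, log on as
# the account and decrypt the database files (see the points above).
function Test-DomainAccount {
    param([string]$Account)
    $parts = $Account -split '\\'
    if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') { return $false }
    return ($parts[0] -ne '.' -and $parts[0] -ne $env:COMPUTERNAME)
}

# $true when every file below $Path carries the NTFS Encrypted attribute.
function Test-DirectoryEncrypted {
    param([string]$Path)
    $plain = Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    return (@($plain).Count -eq 0)
}

if (-not (Test-DomainAccount $ServiceAccount)) {
    throw "The SQL Server service must run under a domain account, not '$ServiceAccount'."
}

# 1. One sub-directory for all CRM-specific database files, so a single directory
#    can be flagged for encryption and files created in it inherit the flag.
if (-not (Test-Path -Path $DbDir)) {
    New-Item -ItemType Directory -Path $DbDir | Out-Null
}

# 2. Give the service account full control (icacls is the successor of cacls).
#    Inherited entries stay for now so the administrator can still verify step 3.
& icacls.exe $DbDir /grant "${ServiceAccount}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# 3. Encrypt as the service account, so the EFS key pair belongs to that account.
#    runas performs an interactive logon and prompts for the password; this is why
#    "Deny log on locally" is applied only after this step. cipher /E sets the
#    encryption flag, /S: recurses. runas returns before cipher has finished.
& runas.exe "/user:$ServiceAccount" "cipher.exe /E /S:$DbDir"
Read-Host 'Press Enter when the cipher window has closed'

# 4. Verify: the Encrypted attribute is visible to the administrator even though
#    the file contents are not.
if (-not (Test-DirectoryEncrypted -Path $DbDir)) {
    throw "Unencrypted files remain under $DbDir; re-run cipher as $ServiceAccount."
}

# 5. Now drop every inherited entry, leaving only the explicit grant from step 2.
#    Files below pick up the inheritable ACE through normal propagation.
& icacls.exe $DbDir /inheritance:r | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed with exit code $LASTEXITCODE" }
Write-Host "$DbDir is EFS-encrypted and accessible only to $ServiceAccount."

# Manual follow-up (local security policy and service control manager):
#  - back up the account's EFS certificate and key (cipher /X, run as the account)
#  - assign "Deny log on locally" to $ServiceAccount
#  - enter $ServiceAccount on the Log On tab of the SQL Server service; this also
#    grants "Log on as a service"
```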

Advantages of this Solution

• Software solution, no additional hardware required.

• No additional costs.

• No installation necessary.

• Only the required files are encrypted.

• Integrated with the operating system (no compatibility problems).

• No PKI required.

• Encryption key creation and administration is automated via Windows.

• Encryption problems only affect applications that access encrypted data.

Disadvantages of this Solution

• Configuration required.

• Encryption must be activated explicitly for all files requiring protection.

• The computer must run in a domain, in order to use a domain account.

• Data security depends on the operating system configuration (e.g. protection of selected account on which the SQL service is run, password quality, user rights).

• Memory images are not protected.

• The operating system is not encrypted.

• You may be forced to accept lower performance than for a hardware-supported procedure.

Encryption of Virtual Hard Drives

Unlike encryption of individual files, this solution allows encryption of all data that has been copied onto a virtual hard drive. The virtual hard drive is represented by a file saved in your file system, which can be connected as a separate drive using a special driver. The advantage of this solution is that all the data on the virtual hard drive is always encrypted. This type of encryption is called software encryption.

Unlike encryption of individual files, encryption of virtual hard drives allows you to encrypt the entire file hierarchy on the virtual hard drive. In order to do this, the correct software must be installed. The encrypted, virtual drive is usually represented by a file in the computer’s normal file system. The content of this file is always encrypted. When the file is connected as a drive, you usually have to enter a password, which is then used to encrypt and decrypt the data when the virtual drive is accessed.

In the CRM Mobile Client scenario, CRM database files could be stored on a virtual drive. Depending on the product, the encrypted hard drive is either connected automatically when the user logs on, or it must be activated manually. The virtual drive can also be used to save other sensitive data.

One advantage of this solution versus EFS file encryption is that security of the encrypted data relies exclusively on the encryption software and the quality of the selected encryption password. An attacker will then be unable to view the plain text data even if he/she succeeds in getting past the operating system’s access protection.

When selecting a product, make sure that the encryption product can also encrypt a virtual drive for several users. This is important because the CRM database may be accessed by several users (depending on the scenario). Access rights to the file that implements the virtual drive must be configured so that it can be accessed by all authorized users.

Encryption key generation and administration is usually performed within the encryption product. Depending on the range of functions, the product is also provided with its own Public Key Infrastructure (PKI), which must be installed and managed accordingly. Before or during initial operation, the keys must therefore be created either by the users themselves or by an administrator. Administration and backup of the keys must therefore be planned for.

When using encrypted virtual hard drives, it is not possible to encrypt the swap file (disk space set aside for virtual memory) or the hibernation file (suspend to disk). The operating system can also not be installed on an encrypted virtual hard drive. As for file encryption, any encryption-related problems only affect the applications that access data saved on the encrypted virtual drive. The remaining computer functions are not affected.

Advantages of this Solution

• Software solution, no additional hardware required.

• Data security independent of the operating system configuration.

• All data on the virtual hard drive is always encrypted.

• No access to plain text data even after the operating system has been compromised.

• Encryption problems only affect applications that access encrypted data.

Disadvantages of this Solution

• Installation of additional software required.

• Licence costs for encryption software.

• Files must be saved explicitly to the encrypted virtual drive.

• Depending on the CRM scenario, the product must support encryption for several users.

• Key generation and administration (e.g. including backup) must be planned separately.

• A separate PKI must be used, depending on the product.

• Memory images are not protected.

• The operating system is not encrypted.

• You may be forced to accept lower performance than for a hardware-supported procedure.

Hard Drive Encryption (Software)

Encryption of the entire hard drive of a computer protects all the data on the hard drive equally. After installation, the encryption software is started during the boot process, before the operating system. A password (used for decrypting and re-encrypting data) must be entered before any data on the hard drive can be decrypted. This means that if the hard drive is stolen and accessed with a disk editor, the attacker will still only be able to access the encrypted data rather than the plain text data.

This process can also be used in the CRM scenario, as all the relevant data would also be covered by the encryption. In scenarios where several people are sharing a single CRM Mobile Client computer, make sure that the product used can also be operated for several users. Hard drive encryption products often also provide a pre-boot PKI that enables access to the encrypted disk (i.e. access to the computers protected with the product) via users and groups. This PKI must then be installed and managed.

Compared with file encryption and virtual drive encryption, hard drive encryption provides general, all-round protection for all saved data. This process does, however, make slightly greater organizational and technical demands. Also, any encryption problems always affect the entire computer, as the operating system is also encrypted.

Full encryption of the hard drive also protects the swap files. Standby mode (suspend to RAM) is generally supported by these products without any problems. Some products, however, might not support hibernation mode (suspend to disk), preventing you from using it. Where one or both of the suspend modes are supported, the password must be entered again when the computer starts up again.

Advantages of this Solution

• Software solution, no additional hardware required.

• All data on the hard drive are protected equally.

• Security independent of operating system and its configuration.

• The entire operating system (including the swap files) is encrypted.

Disadvantages of this Solution

• Installation of additional software required.

• Licence costs for encryption software.

• Depending on the product, hibernation mode may not be supported (cannot be used).

• Increased technical and organizational demands.

• A separate PKI must be installed, depending on the product.

• When encryption-related problems occur, the computer can no longer be used.

• You may be forced to accept lower performance than for a hardware-supported procedure.

Hard Drive Encryption (Software and Hardware)

As well as fully software-based hard drive encryption, hardware can also be used to support encryption mechanisms. There are two main types of hardware support:

• Encryption of data using special hardware.

• Hardware used to store the encryption keys.

Only the first type is likely to provide improved performance, as the second type still uses software to encrypt the data. Whether hardware encryption actually provides better performance than software encryption depends to a large extent on the technology used. If you are using a high-performance encryption chip that is well integrated with the computer hardware (high level of data throughput), then you should experience very little loss in performance.

Procedures that simply store the encryption key or user identities on separate hardware (e.g. smart card, USB token) provide increased system access security, as you need both the password and the hardware to access the system. This also means that if the hardware is lost, then the computer can no longer be accessed. Of course, this is also true in the event of encryption-related problems. You should therefore plan and apply appropriate emergency mechanisms and procedures (insofar as they are supported by the encryption product).

As a rule, a product-specific PKI must also be operated and managed.

Advantages of this Solution

• Depending on the implementation, better performance than for software solutions (hardware encryption).

• Depending on the implementation, greater security, as physical possession of the hardware is required (keys/identities saved on the hardware).

• All data on the hard drive are protected equally.

• Security independent of operating system and its configuration.

• The entire operating system (including the swap files) is encrypted.

Disadvantages of this Solution

• Installation of additional software required.

• Installation of additional hardware required.

• Licence costs for encryption product.

• Depending on the product, hibernation mode may not be supported (cannot be used).

• Increased technical and organizational demands.

• A separate PKI must be installed, depending on the product.

• When encryption-related problems occur, the computer can no longer be used.

• Performance depends on the product to a great extent.

Mobile Service

Introduction

Mobile Service is a key functional area of mySAP CRM that supports the field service force using mostly autonomous mobile devices. For more information about security details for the Mobile Service application, see Mobile Sales [page 29].

Mobile Client Synchronization

Introduction

This section explains the security aspects associated with the synchronization of data between the mobile client and the CRM server that is performed using the Communication Station.

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions

Communication Station | Communication Station Guide (Service Marketplace, alias instguides) | –

Mobile Client | Communication Station Guide (Service Marketplace, alias instguides) | –

Why Is Security Necessary?

The data that is synchronized between the mobile client and the CRM server is normally validated by the backend R/3 system. Therefore, it is mandatory to prevent unauthorized access to the backend R/3 system, as it can result in loss or corruption of data.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

SAP Note Number | Title | Comment

519995 | Communication Station: Minimum Authorizations | This note explains the authorizations that the user entered in the DCOM Connector destination needs to log on to and work with the CRM server.

618527 | BDoc messages rejected due to missing authorizations | This note explains how to proceed in the following scenarios:

• The RFC user on the Communication Station does not have complete authorizations (SAP_ALL).

• The incoming queue is automatically processed by another user who does not have the required authorizations.

User Administration and Authentication

User Management

The synchronization of data between the mobile client and the CRM server involves two types of users:

• Windows domain user to connect the mobile client to the Communication Station

• R/3 user to connect the Communication station to the CRM server

User

System | User | Delivered? | Type | Default Password | Detailed Description

CRM Server | RFC users for the internal logical connection SAPCRM_MW_RR_* | No | Communication | – | IMG

Communication Station | RFC user to the CRM Server | No | Communication | – | Communication Station Installation Guide

Mobile Client | RFC user to the CRM Server | No | Communication | – | –

User Management Tools

Tool | Detailed Description | Prerequisites

SAP DCOM connector | – | –

Windows user management | At the customer site, the Windows NT administrator must create users for the mobile clients. One Windows user must be created for each mobile client. The individual users are required to connect the mobile client to the SAP CRM Transfer Service on the Communication Station by using DCOM. | –

There is one technical user for each destination on the Communication Station. The R/3 user information is stored in the registry in an encrypted form on the Communication Station. Subsequently, this information is used to log on to the R/3 Server.

Authorizations

The SAP CRM Transfer Service, which is a COM+ application, is installed along with the Communication Station installation. The default roles that are delivered along with this application are:

• Administrator

Allows you to change the technical settings of the application. In addition, you can create new users under the role User.


The customer is not required to create any new role. However, the customer can create new users by using the administrator role.

• User

Allows mobile client users to access the application.

In addition, you can execute certain tasks or define access to different objects related to the mobile client by using the Administration Console (Transaction SMOEAC) on the CRM server. The following table lists the roles that SAP delivers:

All these roles authorize the user to display sites.

Role | Description

SAP_CRM_MWAC_ADMIN_ALL | Administration Console – full authorizations

SAP_CRM_MWAC_EMPL_CHANGE | Administration Console – maintenance of employees

SAP_CRM_MWAC_EMPL_DISPLAY | Administration Console – display of employees

SAP_CRM_MWAC_GROUP_CHANGE | Administration Console – maintenance of organizations

SAP_CRM_MWAC_GROUP_DISPLAY | Administration Console – display of organizations

SAP_CRM_MWAC_ILTP_CHANGE | Administration Console – maintenance of interlinkages

SAP_CRM_MWAC_ILTP_DISPLAY | Administration Console – display of interlinkages

SAP_CRM_MWAC_PUBL_CHANGE | Administration Console – maintenance of publications

SAP_CRM_MWAC_PUBL_DISPLAY | Administration Console – display of publications

SAP_CRM_MWAC_REPOBJ_CHANGE | Administration Console – maintenance of replication objects

SAP_CRM_MWAC_REPOBJ_DISPLAY | Administration Console – display of replication objects

SAP_CRM_MWAC_SITE_CHANGE | Administration Console – maintenance of sites

SAP_CRM_MWAC_SITE_DISPLAY | Administration Console – display of sites

SAP_CRM_MWAC_SITE_INDIRECT | Authorization to start the indirect assignment of subscriptions (Transaction SMOEIND)

SAP_CRM_MWAC_SITE_EXTRACT | Authorization to start extracts through the Administration Console (Transaction SMOEIND)

Roles related to the Subscription Generator

Role | Description

SAP_CRM_MWAC_SUBAGENT_CHANGE | Administration Console – maintenance of subscription agent

SAP_CRM_MWAC_SUBAGENT_DISPLAY | Administration Console – display of subscription agent

SAP_CRM_MWAC_SUBSCR_CHANGE | Administration Console – maintenance of subscriptions

SAP_CRM_MWAC_SUBSCR_DISPLAY | Administration Console – display of subscriptions

R&R Queue Administration (Transaction SMOHQUEUE)

The authorization object is CRM_MW_RR. It is recommended to have at least two profiles:

• Standard User

Display only (Activity = 03)

• Power Users

Display, delete entries, and operate queues (Activity = 03+06+16)

Network and Communication Security

The system landscape of mySAP CRM with the mobile scenario consists of:

• One or more SAP R/3 systems that operate as backend servers. These R/3 systems are based on a SAP Web Application Server.

• A CRM Server that is based on a database in addition to the SAP Web Application Server. The CRM Server also includes the Middleware Broker.

• One or more Communication Stations that connect to the CRM Server. The Communication Station is a Windows 2000 based system with a Microsoft MTS (or COM+) infrastructure.

• The mobile clients that connect to one of the Communication Stations.

• Between the mobile clients and the Communication Station there may be an RAS server or a Microsoft Internet Information Server (IIS) based web server. These instances, the Communication Station and the CRM Server may, however, also physically reside on the same machine.

• In a typical installation, security walls between some of these components may be required. This can be achieved using firewalls and security settings.

• Setting up connections between the CRM Mobile Clients, Communication Stations, CRM Server, SAP R/3 systems, and SAP Business Warehouse (if required) can be a complicated process in a larger organization because of firewalls and network security policies, which require more detailed knowledge of the necessary network connections.

Communication Channel Security

The mobile client and the Communication Station communicate by using the DCOM protocol, which allows authentication, data integrity checks, and data encryption. In contrast, the SAP R/3 systems, CRM Middleware, and Communication Stations communicate by using SAP RFC connections.

Security Settings for RFC and DCOM Connections

Both the connection types with their security settings are explained below:

RFC Connections

These connections are configured as RFC destinations on each system. To configure these destinations, you use the RFC destination tool (Transaction SM59) within an SAP Web Application Server. On the Communication Station, you use the corresponding tool in the DCOM Connector.

RFC connections use TCP/IP. An SAP Web Application Server is addressed by its host name or IP address and a fixed port, which is implicitly determined by the system number of the application server. The system number is a two-digit number that you configure during the setup of the server. If xx is the system number, the IP port that must be opened is always 33xx.

You might want to install a SAProuter between any of these nodes. Then, you need to configure the RFC destinations by using the following SAProuter addressing string:

/H/<hostname of saprouter>/S/<saprouter port>/H/<hostname of appl.server>/S/< appl.server port>

In the transaction SM59 or the SAP DCOM Connector, you need to specify the host name only and leave the system number field blank.
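The port and SAProuter rules just described, as an added Python example (not code from the SAP guide): it derives the 33xx RFC port and the 32xx SAP GUI port from a system number, builds and validates the /H/.../S/... route string, and lists the ports a firewall in front of the application server has to pass. All host names and the SAProuter port 3299 are constructed sample values, not taken from the guide.

```python
"""Port and SAProuter route helpers for the RFC connections described above.

Added example, not code from the SAP guide. The 33xx (RFC) and 32xx (SAP GUI)
rules come from the guide; every host name and the SAProuter port 3299 below
are constructed sample values.
"""
import re

# Base ports that the guide derives from the two-digit system number xx.
RFC_BASE_PORT = 3300      # 33xx: RFC between Communication Station, CRM Server, R/3
SAPGUI_BASE_PORT = 3200   # 32xx: SAP GUI connections (mentioned for the firewall)

ROUTE_HOP = re.compile(r"/H/([^/]+)/S/(\d+)")


def _check_system_number(system_number: str) -> int:
    """The system number is exactly two digits (00-99) set during server setup."""
    if not re.fullmatch(r"\d{2}", system_number):
        raise ValueError(f"system number must be two digits, got {system_number!r}")
    return int(system_number)


def _check_port(port: int) -> int:
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return port


def rfc_port(system_number: str) -> int:
    """Port that must be opened for RFC to an application server with this system number."""
    return RFC_BASE_PORT + _check_system_number(system_number)


def sapgui_port(system_number: str) -> int:
    """Port used by SAP GUI for the same application server."""
    return SAPGUI_BASE_PORT + _check_system_number(system_number)


def saprouter_route(hops):
    """Build the /H/<host>/S/<port>... string from (host, port) pairs.

    Every hop but the last is a SAProuter; the last hop is the application server.
    The string goes into the host name field of SM59 or the SAP DCOM Connector,
    with the system number field left blank.
    """
    if len(hops) < 2:
        raise ValueError("a route needs at least one SAProuter and the application server")
    return "".join(f"/H/{host}/S/{_check_port(port)}" for host, port in hops)


def parse_route(route: str):
    """Split a route string back into (host, port) pairs, rejecting malformed input."""
    hops = ROUTE_HOP.findall(route)
    rebuilt = "".join(f"/H/{host}/S/{port}" for host, port in hops)
    if not hops or rebuilt != route:
        raise ValueError(f"malformed SAProuter route string: {route!r}")
    return [(host, _check_port(int(port))) for host, port in hops]


def firewall_ports(system_number: str, include_sapgui: bool = False):
    """Inbound ports a firewall in front of the application server has to pass."""
    ports = {rfc_port(system_number)}
    if include_sapgui:
        ports.add(sapgui_port(system_number))
    return sorted(ports)


if __name__ == "__main__":
    # Constructed sample: one SAProuter in front of the CRM application server (system number 07).
    route = saprouter_route([("saprouter.example.internal", 3299),
                             ("crmapp.example.internal", rfc_port("07"))])
    print(route)
    print(parse_route(route))
    print(firewall_ports("07", include_sapgui=True))
```

`parse_route` rebuilds the string from what it matched and compares it with the input, so a trailing slash, a missing `/S/` segment or a stray space (as in the template's `< appl.server port>`) is rejected rather than silently producing a route with fewer hops.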

Between all these nodes it might be useful to set up firewalls. In many cases you will have at least one firewall separating the Communication Station and the other more critical instances, the SAP R/3 systems and the CRM Server.

DCOM Connections

Specifying TCP/IP ports for DCOM

DCOM uses the following ports during communication:

• Fixed port 135 (TCP or UDP)

Must be opened in the firewall all the time and cannot be reconfigured.

• Dynamically assigned port

In the standard configuration, this port is allocated in the range 1024 – 65535.

Dynamic allocation of this port prevents conflicts with other applications, but it makes configuring a firewall complicated. Therefore, you must restrict the port range that DCOM uses on the Communication Station to ensure that only ports opened in the firewall are used.

You must perform this activity only on the Communication Station and not on the clients.

To do this, use the regedt32.exe on the Communication Station (not regedit.exe), navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet registry key, and enter or change the following named values:

Ports: This is a multi-line entry. On every line you can enter a single port or a port range, for example, 3000-4000.

PortsInternetAvailable: Value must be Y.

UseInternetPorts: Value must be Y.

For more information, refer to the Microsoft Paper Using Distributed COM with Firewalls by using the following link: http://www.microsoft.com/com/wpaper/dcomfw.asp.

Subsequently, you must permit all incoming traffic using the configured port range and single port 135.

• Some firewalls perform IP address translation. However, this does not work with DCOM connections. The client must be able to connect to the server through its actual IP address.

• You can see the active DCOM settings directly by using the QmtCnfg.exe diagnostic tool on the Client and Communication Station. You can find the QmtCnfg.exe in the <installation folder>\mobile\bin directory on the client and the <installation folder>\rfcsdk\crm directory on the Communication Station.
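An added Python example (not from the SAP guide or the Microsoft paper) that checks the three named values described above before the firewall is configured: it parses the multi-line Ports entry, confirms the two Y flags, and derives the inbound rules (fixed port 135 plus the configured ranges). The registry key is modelled as a plain dictionary so the check runs on any machine; the 3000-4000 range is the guide's own example, and the key contents are constructed.

```python
"""Checks the DCOM port-range settings described above and derives the firewall rules.

Added example, not from the SAP guide or the Microsoft paper. The three named
values under HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Internet are modelled
as a plain dictionary so the check runs on any machine; the contents below
are constructed.
"""
ENDPOINT_MAPPER_PORT = 135               # fixed, always open, cannot be reconfigured
DYNAMIC_MIN, DYNAMIC_MAX = 1024, 65535   # default range DCOM allocates from
REQUIRED_FLAGS = ("PortsInternetAvailable", "UseInternetPorts")


def parse_port_entries(entries):
    """Turn the multi-line 'Ports' value into (low, high) pairs.

    Each line is either a single port ('3500') or a range ('3000-4000').
    Anything outside 1024-65535, reversed, or non-numeric is rejected.
    """
    ranges = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        low, sep, high = entry.partition("-")
        try:
            lo = int(low)
            hi = int(high) if sep else lo
        except ValueError:
            raise ValueError(f"port entry {entry!r} is not a port or a low-high range") from None
        if not DYNAMIC_MIN <= lo <= hi <= DYNAMIC_MAX:
            raise ValueError(f"port entry {entry!r} is outside {DYNAMIC_MIN}-{DYNAMIC_MAX} or reversed")
        ranges.append((lo, hi))
    return ranges


def check_dcom_internet_key(values):
    """Return a list of findings; an empty list means DCOM is restricted as the guide requires."""
    findings = [f"{flag} must be Y (found {values.get(flag)!r})"
                for flag in REQUIRED_FLAGS if values.get(flag) != "Y"]
    try:
        ranges = parse_port_entries(values.get("Ports", []))
    except ValueError as exc:
        return findings + [str(exc)]
    if not ranges:
        findings.append("Ports is empty: DCOM still allocates from the whole 1024-65535 range")
    return findings


def firewall_rules(values):
    """Inbound rules for the Communication Station: port 135 plus the configured ranges."""
    rules = [("tcp+udp", ENDPOINT_MAPPER_PORT, ENDPOINT_MAPPER_PORT)]
    for lo, hi in sorted(parse_port_entries(values.get("Ports", []))):
        rules.append(("tcp", lo, hi))   # TCP/IP is the DCOM transport the guide prefers
    return rules


# Constructed: an untouched key (DCOM uses the full dynamic range) beside the
# configuration the guide describes, using its own 3000-4000 example range.
WEAK_KEY = {}
HARDENED_KEY = {"Ports": ["3000-4000"], "PortsInternetAvailable": "Y", "UseInternetPorts": "Y"}

if __name__ == "__main__":
    for name, key in (("weak", WEAK_KEY), ("hardened", HARDENED_KEY)):
        print(name, check_dcom_internet_key(key) or "OK")
    print(firewall_rules(HARDENED_KEY))
```

The check is deliberately strict about the two flags: a restricted Ports list without UseInternetPorts set to Y is not applied by DCOM, so the firewall would pass a range the Communication Station never uses while the real endpoints stay unreachable.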

Network Security

If the Communication Station and all the client hosts are NOT in the same NT domain, or if local Windows users are used on the clients, the following setting must also be made on the mobile clients:

• Log on to the Mobile Client.

• Start the Windows service program Dcomcnfg.exe (from the directory \winnt\system32).

• Choose Default Properties → Default Distributed COM communication properties → Default Authentication Level and select the entry (None).

• Close the program with Apply and OK.

• Reboot the mobile client to activate the new setting.

To allow the mobile client users to use the CRM Message Transfer service, some other settings must be made on the Communication Station as explained below:

1. Log on to the Communication Station.

2. Select Start → Settings → Control Panel.

3. Choose Administrative Tools and then choose Component Services.

4. Select Console Root → Component Services → Computers → My Computer → Com+ Applications.

5. Choose SAP CRM Transfer Service → Roles → User → Users.

6. Right-click on Users and choose New → User.

7. Add all the Windows users or Windows user groups specified in the domain that have access to the component.

For local users that cannot be added in this way, you must create local users with the same name and password on the Communication Station by using the NT User Manager and include these users in the User role of the QMT.QmtServer.1 component.

We recommend deactivating the DCOM/MTS security for such a heterogeneous NT network.

8. Reboot the Communication Station.


The communication occurs through DCOM that allows you to choose from a range of ports. For more information, refer to the firewall survival guide for the Communication Station.

You can set up the network infrastructure by using any of the following methods:

Intranet Access

In an intranet scenario, the recommended way to set up the network infrastructure is as follows:

• Ensure that the mobile clients and the communication station share access to the same Windows domain controller.

• Activate security on the communication station package SAP CRM Transfer Service and the QMT.QmtServer.1 component by using the Component Services in the Administrative Tools part of the Control Panel. After installation, this is the default setting.

• Configure the appropriate roles and user groups. You can restrict access to the Transfer Service to the group of users using mobile clients only. However, this is not mandatory, as the Transfer Service itself checks for registered clients and allows only pass-through calls from clients that are known to the site administration of the Administration Console.

• You may want to place the CRM Server and the SAP R/3 systems in a separate and isolated domain. In addition, you may want to place a firewall between the Communication Station(s) and the CRM Server and R/3 system(s) that allows at least incoming traffic on ports 33xx and possibly 32xx for SAPGUI connections.

• Do not place firewalls between the mobile clients and their Communication Station. However, if you must provide firewalls, ensure that you switch to TCP/IP as the preferred DCOM transport protocol on all sides.

• You can choose any authentication level for authentication, wire encryption, or packet integrity checks by configuring the appropriate parameter for the Transfer Service component QMT.QmtServer.1.

Dial-up Access

The preferred method to set up the infrastructure for dial-up users is to allow the mobile clients to log on to the network during dial-up and to ensure that the dial-up clients and their Communication Station use (or have access to) the same Windows domain. Subsequently, perform the same steps as described for intranet clients.

However, if you cannot allow the clients to log on to the network or if the clients and their Communication Station must not exist in the same Windows domain (maybe because there is a firewall between them), you can use one of the following methods:

• Create local users on the Communication Station with the same names and passwords as on the mobile clients and place these users in the roles configured for access to the Transfer Service. However, this is not a simple task to perform. Therefore, we recommend turning off the DCOM security or using the Internet scenario explained below.

• Turn off the DCOM authentication for the Transfer Service on the Communication Station and mobile clients. On the Communication Station you must turn off security for the Transfer Service package and configure the Authentication Level only for the Transfer Service component QMT.QmtServer.1 to None. You must perform the same on all clients by using DComCnfg.exe and then choosing the Default Properties → Default Distributed COM communication properties.


This switches the authentication off only for the Transfer Service. The security for all other services remains the same. The mobile clients possess a SiteID/DBID GUID key pair that is unique for a laptop and created during the activation of the laptop. This key pair is always used to authenticate the mobile clients towards the Middleware Broker. This authentication is not affected by switching off the authentication for the Transfer Service on the Communication Station.

Communication Destinations

The Communication Station and the CRM Server communicate through RFC calls. Therefore, you must create an RFC destination by using the SAP DCOM connector available on the Communication Station.

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description

AC-COM4ABAP: Mobile Client User Administration | – | TCP/IP destination | Not required | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Define RFC Destinations, and to the Communication Station Installation Guide in the SAP Service Marketplace (alias instguides).

Replication and Realignment Queue Processing | – | Logical destination in client 000 and in the CRM client | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Create RFC Users. We recommend the SAP_ALL authorization profile. | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Define RFC Destinations.

Data Storage Security

The data recorded by the sales representative is stored in the user database of the mobile client. This data is stored when the sales representative performs an activity on the mobile client, such as creating a sales order. Subsequently, this data is synchronized with the CRM server through the Communication Station and stored in the consolidated database (CDB) on the CRM server.

During synchronization, the data is persisted in the queues that are available both on the CRM server and mobile client. The queues are further classified into inbound and outbound queues that sequentially send and receive data from the mobile client and the CRM server respectively.

Trace and Log Files

The runtime information associated with the data synchronization between the mobile client and the CRM server is logged in the TransferService.Log file, which is created both on the mobile client and on the Communication Station.

We recommend setting the trace level to the minimum value so that only the minimum information is written to the log file.

Mobile Sales and Service for Handheld Using CRM 4.0

Introduction

The mobile sales and service application for handheld is based on the following components:

• Mobile Infrastructure 2.1 SP02

• SAP Web Application Server 6.20

• CRM 4.0 SP05

• MSA/MSE 4.0 SP05

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions

SAP Web Application Server 6.20 | SAP Security Guide | –

MI 2.1 SP02 | SAP Security Guide, http://service.sap.com/securityguide (-> SAP Mobile Engine) | –

Why Is Security Necessary?

Security for the application is required to protect against:

• Attacks from the Internet

• Password theft

• Data mismatch for each user

User Administration and Authentication

User Management

User management is performed by the Mobile Infrastructure Web Console. There is no user management on the PDA device; the PDA does not have an administrative user management principle. However, a one-time setting of userID->applicationID->MobileID is performed by default during the setting up of the application.

In the Mobile Infrastructure Web Console, customers must maintain the following types of users:

• Administrator User

Creates the Sync user and associates it with the application

• Sync User (device user)

Uses the Mobile Sales and Service application on the PDA

No standard users are delivered. Therefore, the customer must create the required users. The administrator for the customer will create the handheld (Sync user) users for the application. Subsequently, these sync users can use the handheld application to synchronize data with the CRM server.

• The sync users are authenticated by SAP authentication on the CRM system.

• The method by which sync users obtain their initial identification parameters depends on the company’s policy.

User Management Tools

Tool | Detailed Description | Prerequisites

MI Web Console | http://service.sap.com/securityguide (-> SAP Mobile Engine) | –

User Data Synchronization

The synchronization of user data is explained below:

• Application synchronization

The application is synchronized with the Mobile Infrastructure Web Console.

• Data synchronization

The application data is synchronized with CRM.

The synchronization is managed by the Mobile Infrastructure as follows:

• Application synchronization

The application associated with the user is downloaded to the handheld device.

• Data synchronization

The CRM data applicable to the user is downloaded to the handheld device.

When the handheld user starts synchronization, the CRM data applicable to the user is exchanged.

Integration Into Single Sign-On Environments

The authentication that enables this integration is part of the Mobile Infrastructure.

Authorizations

No authorization object exists for the application.

Network and Communication Security

Communication Channel Security

The following communication channels are used:

• PDA to the Mobile Infrastructure

• PDA to CRM online

This communication is managed by the Mobile Infrastructure through TCP/IP.

The following technology is used for this communication:

• HTTP

• HTTPS


• File System

The following data is transferred:

• The user-relevant CRM data maintained in CRM is downloaded, and

• The business data created on the handheld is uploaded.

Network Security

You can operate the different components, such as MI, SAP WAS, and CRM, in different network segments.

• This is possible only if the components are maintained in different network segments.

• The communication between the different components is achieved through an HTTP port.

• The firewall settings depend on the company’s policy.

• During the synchronization of data, the PDA must be connected to the network to transfer data to the CRM system.

Communication Destinations

The communication destinations are maintained by the Mobile Infrastructure.

Data Storage Security

The data is stored locally on the PDA in the SAPMobileEngine as OBJ files during the downsync from the CRM system or when different business operations are performed using the application.

The access rights, such as read, write, and change depend on the operation performed by the application.

• The access to data is protected by Mobile Infrastructure.

• The application requires the web browser as the user interface. However, the cookies are not used to store data.

Other Security-Relevant Information

The front end (user interface) of the application uses JavaScript and an applet. To save any information from the applet to the application, the security policy file must be updated.

This is applicable only if the CRM application is used as a desktop application. In a PDA, this is managed by the mobile engine.

E-Commerce

E-Service

Introduction

The Internet Customer Self-Service (ICSS) runs on the SAP J2EE Engine and is accessed through the SAP Enterprise Portal. In addition, the application must be configured with the proper user name and password to connect to the corresponding SAP CRM system.

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions

SAP J2EE Engine | J2EE guide | –

SAP NetWeaver | J2EE guide | –

SAP Enterprise Portal | EP 6.0 SP2: Security Guide | Authentication, Authorizations

SAP CRM 4.0 | CRM Security Guide | Authentication, Authorizations, and Authority Checks

Why Is Security Necessary?

The ICSS application must be secured to prevent attacks from the Internet, such as:

• Unauthorized access to the application or a part of the application

• Access to restricted information when the communication is not protected

User Administration and Authentication

User Management

The ICSS application runs using the SU01 user type.

User Management Tools

Tool | Detailed Description | Prerequisites

SU01 transaction | Refer to the SU01 documentation | –

SAP J2EE Engine Admin | Access to the Administration Console | Active after the deployment of the ICSS application

Web-based user management in the portal environment | The authentication value must be the SU01 user ID | –

User Types

System | User | Delivered? | Type | Default Password | Detailed Description

J2EE Engine | Administrator | Yes | User administered on the J2EE Engine | As defined during the J2EE Engine installation | This user can be used to enter the ICSS application administration page. For more information, see the Installation Guide.

User Data Synchronization

Currently, the data is stored in the CRM system. As a result, no data synchronization occurs.

Integration Into Single Sign-On Environments

The application supports Single Sign-On through the SAP Enterprise Portal. It only accepts SAP logon tickets.

Authorizations

The following table lists the authorization objects that are used in ICSS:

Auth. Object | Auth. Object Description | Usage | User

S_RFC | RFC CALL | All | Anonymous user, Named user

S_USER_SYS | User Master Maintenance | User Admin | Anonymous user, Named user

S_BUPA_RLT | BUPA Roles | User Admin, Create Request | Anonymous user, Named user

B_USER_STAT | User Status Management | Request List | Named user

CRM_ORD_LP | Authorization Object CRM Order | Create Request | Named user

COM_ASET | Set Types/Attributes | Product Registration (get attributes) | Named user

COM_PRD | Product Master | Product Registration | Named user

COM_IL | Authorization Check for Relationships | Product Registration | Named user

Network and Communication Security

Communication Channel Security

The Internet Customer Self-Service application uses:

• RFC/JCo to connect to the CRM server for transferring application data

• These connections are password protected.

• The FAQ and Solution Search components provide general access to non-sensitive data. In this case, the user is not required to log in to the application.

• HTTP/HTTPS to interact with the user

The following communication channels and protocols are used between different components:

Component A | Component B | Channel | Technology

Web Browser | HTTP Server | Front-end to server: communication with the web browser | HTTP/HTTPS

HTTP Server | J2EE Engine/ICSS | Server to server: requests from the web browser are forwarded to the ICSS application running on the J2EE Engine; responses from the ICSS application are forwarded to the web browser | HTTP/HTTPS

J2EE Engine/ICSS | CRM | Application to server: ICSS executes application logic running on the SAP system | JCo/RFC

J2EE Engine/ICSS | TREX | Application to server: communication to get catalog data and entities (from the Solution Database) | JCo/RFC

Network Security

The application uses HTTP/HTTPS to connect end users and the P4 ports for the SAP J2EE Engine. For more information, refer to the SAP J2EE Engine/NetWeaver security guide.

Communication Destinations

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description

Connection to the CRM system | No | JCo | A user is created at the customer side for the JCo connection. This user must have authorization for RFC calls. | This information is available in the Installation Guide.

TREX | No | RFC | – | No manual configuration is required.

Data Storage Security

The application data is stored in the SAP CRM system and can be accessed through the web browser.

• No persistent cookies are used.

• No data is stored on the client side.

Minimal Installation

The application uses JavaScript in the web browser because of its complex UI requirements. Therefore, JavaScript must be enabled in the browser for the application to function correctly.

Trace and Log Files

The application uses the standard SAP J2EE Engine logging and tracing mechanism. In addition, the SAP J2EE Engine manages the access to and protection of the log and trace files. For more information, see the Solution Manager.

SAP Internet Sales

Introduction

This section provides information about the security aspects associated with the following components running on a J2EE Engine 6.30 (Internet Sales 4.0 SP06 or higher):

• SAP Internet Sales for CRM

• SAP Internet Sales for R/3

• Internet Sales related parts of Channel Management (mostly web applications)

The security relevant topics of the dependent components, such as the J2EE Engine, are described in detail in the corresponding security guides.

It is assumed that SAP J2EE Engine 6.40 is used. However, if you use SAP J2EE Engine 6.20, refer to the note 646140.

The abbreviation ISA is used as a synonym for all Internet Sales web applications.

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions

CRM | CRM Security Guide | –

NetWeaver | J2EE Guide | How to configure SSL

Channel Management | ACE | –

Enterprise Portal | EP | –

Why Is Security Necessary?

SAP Internet Sales applications normally run on the Internet, for example, in the B2C scenario. Therefore, such applications must be secured to prevent attacks from the Internet, such as:

• Access to restricted parts of the application

• User Interface related attacks

• Access to information when communication is not encrypted

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

SAP Note 646140: Security Check of Internet Sales
Comment: This note contains a mandatory security check when running an Internet Sales application on a SAP J2EE Engine 6.20.

SAP Note 629442: EP 5.0 portal support in Internet Sales application
Comment: Installation and configuration notes for EP 5.0 portal support in the Internet Sales application B2B and web-based User Management.

SAP Note 696537: No authorization check for shop management CRM
Comment: Authorization check in CRM when using ISA Shop Management.

SAP Note 635082: Credit card information in ISA B2B scenario
Comment: In the ISA B2B standard solution of SAP, no credit card information is supported. This consulting note outlines a project-specific solution.

SAP Note 827869: Logging of JCO Password in R3CatalogServerEngine

User Administration and Authentication

The type of user administration differs depending on whether Internet Sales is used with CRM, R/3, or the Enterprise Portal, as explained in the following sections.

Internet Sales works with the SU01 and SU05 user types.

User Management

User Management Tools for all ISA Scenarios

Tool: SAP J2EE Engine user management using the Visual Administrator
Detailed Description: Access to the administration pages, which are part of every Internet Sales application, is controlled using J2EE Engine security.
Prerequisites: Automatically activated after deploying the ISA web applications.

User Management Tools: ISA for R3

Tool: User Management for the ABAP Engine (transaction SU01); maintenance of roles and profiles via transaction PFCG
Detailed Description: Refer to the SU01 documentation.
Prerequisites: Only possible for the B2B and Shop Management applications. For information on the login configurations for ISA R/3, refer to the Configuration Guide.

Tool: SU05 (Internet Users)
Detailed Description: Refer to the SU05 documentation. We recommend that you use SU01 users where possible.
Prerequisites: Only possible for the B2B and B2C applications. For information on the login configurations for ISA R/3, refer to the Configuration Guide.

User Management Tools: ISA for CRM

Tool: Web-Based User Management
Detailed Description: For configuration documentation, see SAP Solution Manager.
Prerequisites: Only applicable for B2B users with the SU01 user type. For more information, refer to the Configuration Guide.

Tool: User Management for the ABAP Engine (transaction SU01); maintenance of roles and profiles via transaction PFCG
Detailed Description: Refer to the SU01 and PFCG documentation.
Prerequisites: Possible in the ISA applications B2B, B2C, Web-Based User Management, and Shop Management. For more information, refer to the Configuration Guide.

Tool: Business Partner Maintenance (transaction BP)
Detailed Description: Refer to the BP documentation.
Prerequisites: Creation of business partners with the role Internetuser.

Tool: SU05 (Internet Users)
Detailed Description: Refer to the SU05 documentation. We recommend that you use SU01 users.
Prerequisites: Only possible for B2B and B2C. For more information, refer to the Configuration Guide.

Tool: User Management Engine (UME)
Detailed Description: Refer to the UME documentation and SAP Note 713472.
Prerequisites: Only possible for B2B and Web-Based User Management with the SU01 user type.

Tool: EP 5.0 LDAP
Detailed Description: See SAP Note 629442.
Prerequisites: Data must be replicated to the EP 5.0 LDAP. Requires the SU01 login type.

User Management Tools when using ISA within the Portal (Channel Management)

Tool: Web-Based User Management
Detailed Description: For configuration documentation, see SAP Solution Manager.
Prerequisites: Only applicable for B2B users with the SU01 user type. The SU01 "user ID" must be used as the authentication value. Only for ISA for CRM.

Tool: LDAP update
Detailed Description: Refer to the Portal documentation and SAP Note 629442.
Prerequisites: Only for EP 5.0 together with ISA for CRM.

Tool: User Management Engine (UME)
Detailed Description: Refer to the UME documentation and SAP Note 713472.
Prerequisites: Only for EP 6.0. The ISA application and EP 6.0 must be deployed on the same J2EE Engine (status as of NW4). Only possible for B2B and Web-Based User Management with the SU01 user type.

User types for all ISA Applications

System: J2EE Engine
User: Administrator
Delivered?: Yes
Type: User administered on the J2EE Engine
Default Password: As defined during the J2EE Engine installation
Detailed Description: This user can be used to enter the ISA administration pages. For more information, see the Installation Guide.

System: J2EE Engine
User: isaadmin
Delivered?: No
Type: User administered on the J2EE Engine
Default Password: No
Detailed Description: This user must be created after the installation of the ISA applications. It must be used when entering the ISA administration pages. For more information, refer to the section Restricting Access to ISA Administration pages from the Intranet.

User types for ISA R3

System: R/3
User: Anonymous user for stateless connection
Delivered?: No
Type: SU01 service user
Default Password: No
Detailed Description: SU01 user for establishing the stateless connection between R/3 and ISA. Used, for example, for determining the R/3 release before the ISA user logs in, or for reading the R/3 catalog or customizing.

System: R/3
User: ISA user
Delivered?: No
Type: SU01 dialog user
Default Password: No
Detailed Description: The user that logs into ISA. The full-state ISA connection is established with it. Sales documents are created using this connection. Only relevant if the login type is 4, 7, or 8. For more information, see the Configuration Guide.

System: R/3
User: ISA user
Delivered?: No
Type: SU05
Default Password: No
Detailed Description: The user that logs into ISA. The full-state ISA connection is established with the anonymous SU01 user. Only relevant if the login type is 0, 1, or 2. For more information, see the Configuration Guide.

User types for ISA for CRM and Channel Management

System: CRM
User: Anonymous user for stateless connection
Delivered?: No
Type: SU01 service user
Default Password: No
Detailed Description: SU01 user for establishing the stateless connection between CRM and ISA.

System: CRM
User: ISA user
Delivered?: No
Type: SU01 dialog user
Default Password: No
Detailed Description: The user that logs into ISA. The full-state ISA connection is established with it.

System: CRM
User: ISA user
Delivered?: No
Type: SU05
Default Password: No
Detailed Description: The user that logs into ISA. The full-state ISA connection is established with it.

User Data Synchronization

Support of EP 5.0 in ISA for CRM

ISA for CRM supports EP 5.0 with the replication of user-specific data and user roles between the CRM system and the portal LDAP. This replication is supported by the ISA applications B2B shop and Web-Based User Management as explained below:

• The communication between the ISA applications and the portal LDAP can be established over SSL connections.

The SSL connection is mandatory only for the Microsoft LDAP solution.

• The synchronized data can be customized by a field mapping in which you define the CRM fields that correspond to the LDAP fields. You can assign as many CRM fields as required to each LDAP field, or assign none. The same procedure is performed for the mapping of roles.

• The synchronization is started automatically by the application if an appropriate XCM application configuration was loaded. In Web-Based User Management, the data of new and changed users is replicated to the LDAP. In the B2B shop, only changes of user data are replicated.

Support of UME (User Management Engine) and EP 6.0

The ISA applications B2B shop (all scenarios) and Web-Based User Management support UME and EP 6.0 concurrently, as UME is included in EP 6.0.

The replication of user data between ISA and UME occurs directly through the Java API. As a result, no external connection needs to be protected. In addition (status as of NW4), ISA and UME must be deployed on the same J2EE Engine and on the same instance.

The synchronized data (user data and user roles) is customized in the same manner as for EP 5.0 support (see above).

The synchronization flow is implemented in the same manner as for EP 5.0 support (see above).

In addition, for direct user data synchronization, ISA uses the UME logon services. In this case, UME provides its authentication services, which are called before the logon to the ISA applications. After a successful authentication, UME creates a Single Sign-On ticket, which is transmitted to the ISA application. For more information, refer to the UME documentation.

Integration Into Single Sign-On Environments

The ISA applications B2B Shop, Web-Based User Management, and Web-Based Shop Management support SAP logon tickets (SSO2).

If UME support is enabled, further logon methods are available, for example, X.509 digital certificates. For more information, refer to the UME documentation.

In Channel Management, the SSO ticket is issued by the portal environment when the user logs into the portal. Subsequently, this ticket is used consistently throughout the portal, including for login to the ISA environment.

Authorizations

The following tables list the roles that are created on the J2EE Engine for each application when the application is deployed (installed).

All ISA applications

Role: isaadmin
Description: Automatically assigned to the Administrators group. All users assigned to this role can enter the ISA Administrator area. This role is used by system administrators when configuring the web application, for example, when using Extended Configuration Management (XCM).

Role: ccms
Description: Automatically assigned to the Administrators group. This role is only used internally by the application for reporting version/configuration information to the central monitoring system.

ISA for CRM

Role: SAP_CRM_INTERNET_CUSTOMER
Description: SU01 ISA user in the B2B shop and B2C shop (when the user is logged on).

Role: SAP_CRM_ISA_UA_SUPERUSER
Description: Refer to the Super User management documentation.

Role: SAP_CRM_ISA_WEBSHOP_MANAGER
Description: Refer to the Shop Management and User Management documentation.

Role: SAP_CRM_ISA_ITSLOGIN
Description: Stateless user. For more information, refer to the Configuration Guide.

Role: SAP_PCC_COL_PARTNEREMPLOYEE
Description: Channel Management – Partner Employee

Role: SAP_PCC_COL_PARTNERMANAGER
Description: Channel Management – Partner Manager

Role: SAP_PCC_COL_PARTNERMANAGER_CC
Description: Channel Management – Partner Manager Channel Commerce

ISA for R3

Authorization object: Standard authorization objects for accessing R/3, reading and changing data
Description: See the Installation Guide. Some of these authorizations must be granted to the anonymous user and some to the SU01 ISA user. The creation of roles that include the specified authorization objects must be performed by the customer.

Authorization object: S_TCODE
Description: When the SU01 user logs into the shop management application, an authority check is performed with the value CRM_ISA_SM for the field TCD. The authorization object and its field values to be checked might be changed. Refer to SAP Note 710013 and the Configuration Guide.

Channel Management

In Channel Management, the roles are delivered along with dummy transactions in the user menu. The dummy transaction is a simple method to assign authorization objects and their values to different roles. The list of dummy transactions assigned to a role can be viewed in the Menu tab of the role.


With dummy transactions, the values delivered as default values for authorizations are not automatically taken over by the Profile Generator. There is an intermediate step in which the customer must copy the SAP-delivered values to the customer namespace and then change or maintain these values. This is performed in transaction SU22. For details, refer to SAP Note 449832 (Maintenance of SU22 data). For further details, navigate to the following document in SAPnet. If the link does not open the first time, try again.

https://sapneth4.wdf.sap.corp/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700001437252004E

The Access Control Engine (ACE) is another important element of authorization in Channel Management. It is a new tool developed to control access for external users. ACE is used in conjunction with the ABAP authorization concept to provide full security for the applications and data. For more information, refer to the ACE documentation.

Network and Communication Security

Communication Channel Security

The following communication channels and protocols are used between the different components in an Internet Sales scenario:

Component A: Web Browser
Component B: HTTP Server
Channel: Front-end to server; communication with the web browser
Technology: HTTP/HTTPS

Component A: HTTP Server
Component B: J2EE Engine/ISA web application
Channel: Server to server; requests from the web browser are forwarded to the ISA application running on the J2EE Engine, and responses from ISA are forwarded to the web browser
Technology: HTTP/HTTPS

Component A: J2EE Engine/ISA web application
Component B: CRM or R/3 system
Channel: Application to server; the Java-based ISA application executes application logic running on the SAP system
Technology: JCo/RFC

Component A: J2EE Engine/ISA web application
Component B: IPC
Channel: Application to server; communication for product configuration/pricing
Technology: Socket

Component A: J2EE Engine/ISA web application (CRM)
Component B: TREX
Channel: Application to server; communication for getting catalog data
Technology: JCo/RFC

Component A: J2EE Engine/ISA web application (R/3)
Component B: TREX
Channel: Application to server; communication for getting catalog data
Technology: HTTP

Component A: J2EE Engine/ISA web application
Component B: Database (SQL Server)
Channel: Application to server; storing basket content/order templates
Technology: JDBC

We recommend that you use SSL in the B2B and B2C scenarios as explained below:

• If you want to use the standard B2B SSL during the login process, it is a precondition that the application runs permanently with SSL. You must start the application by using the HTTPS protocol.

• In the standard B2C application, the application is automatically switched to SSL during login, registration, and checkout. You must set the shop component parameter in XCM to SSLEnabled.

For information on how to configure the J2EE engine with SSL, refer to the topic Configuring the Use of SSL on the SAP J2EE Engine in the help portal (help.sap.com) under:

SAP NetWeaver → SAP NetWeaver ’04 → SAP NetWeaver → Security → Network and Transport Layer Security → Transport Layer Security on the SAP J2EE Engine.

Securing RFC based connectivity between the ISA web applications and the SAP system and TREX by using SNC is currently not supported.

Network Security

For information on network security, refer to the Technical Infrastructure Guide of CRM E-Selling.

If there is no E-Selling Technical Infrastructure guide for 4.0, refer to the 3.1 version of the same.

Communication Destinations

Connection Destinations from ISA Web Applications

Destination: Connection to CRM/SAP system
Delivered?: No
Type: RFC
User, Authorizations: Refer to the Authorizations section.
Description: Technical user used for stateless (anonymous) communication with the backend system. Configured using the XCM tool after installation.

Destination: Connection to IPC server
Delivered?: No
Type: Socket based
User, Authorizations: No
Description: Configured using the XCM tool after installation.

Destination: Connection to TREX
Delivered?: No
Type: RFC
User, Authorizations: No
Description: In most cases no manual configuration is needed (although possible). Connection data is retrieved from the CRM system.

Destination: Connection to TREX
Delivered?: No
Type: HTTP
User, Authorizations: No
Description: Refer to the ISA R/3 Configuration Guide.

Data Storage Security

The data storage security is explained as follows:

Internet Sales

• Cookies

The cookie and its data are stored in the Web browser’s file system. In B2C and B2B, cookies are used as explained below:

B2C

The cookie stores the Business Partner GUID if a user logs on or registers and maintains his profile. As a result, in ISA CRM, the personalized product recommendations offered to the user are also stored in the cookie if the user maintains the personal data.

B2B

The order number and order date are stored in the cookie. A new cookie is generated, or the existing cookie is updated, when the user creates or changes an order, respectively.

• Configuration data for ISA R/3

For ISA R/3, the backend-relevant customizing is stored on the file system. Each shop is stored in XML format. In addition, a list of all available shops is maintained in the _ObjectList.xml file. The shops are maintained through the Shop Management web application. When an end user enters the ISA R/3 B2B or B2C application, the user can select a shop from the list of available shops and so choose the customizing to be used.

The shop storage must be secured through the file system authorization process. For the customizing of the shop storage path, see the Installation Guide. This customizing is performed within the XCM administration tool.

• Order templates

When using the Java Basket in the B2B or B2C application, the data is stored in the SAP Web AS database. All data regarding order templates and shopping baskets is stored in the database without payment information (credit card number). The user and password used to connect to the database are stored in the Secure Storage of the J2EE Engine.

XCM Customer Configuration Data

The ISA web application is configured using XCM. To protect the customer settings, the customer configuration data is stored in a set of files located outside the working directory of the web application. The path to the customer configuration data is derived as follows:

usr/sap/<System Number>/SYS/global/xcm/<web application name>

For example: C:\usr\sap\CR9\SYS\global\xcm\crm.b2b


The files in this folder contain all the settings configured in XCM apart from the password of the technical user used to connect to the CRM or R/3 system. This password is stored in Secure Storage of the J2EE Engine.

It is possible to secure the XCM customer configuration data at the OS level. In that case, ensure that the user used to run the J2EE Engine services (on NT) or daemons (on UNIX) is a member of the group that has access to these files.

Channel Management

In Channel Management, data security is provided by ACE. The access of users to the data is defined through a set of predefined rules in ACE. This set of rules is applied to the data when it is created and stored, and from this an ACL is generated. This ACL is then used at runtime to determine the extent of access the user has to the data.

Currently the ACE checks run only in CRM Online. To get ACE up and running, customers must go through certain steps, as defined in the ACE guide. In addition, customers can define their own rules and access rights to provide additional access control based on their business requirements.

Security for Additional Applications

For information on the security aspects of the other components used in an Internet Sales scenario, refer to the corresponding Security Guides.

Minimal Installation

The following table provides an overview of functions that are not mandatory in the production environment.

Checks are provided in the going-live checklist. Refer to the Checklists section.

Feature: appinfo
Description: When the application is started with the additional request parameter appinfo=true, an additional page opens that provides system information, and the single-session trace is turned on.
Activated/Deactivated after Installation: Deactivated

Feature: Browser-based download of trace files
Description: It is possible to download trace files from the ISA administration pages or when using the appinfo feature.
Activated/Deactivated after Installation: Deactivated

Feature: Voice over IP in web collaboration uses the NetMeeting ActiveX control
Description: This ActiveX control enables Voice over IP communication between the agent and the customer.
Activated/Deactivated after Installation: Deactivated

Other Security-Relevant Information

The application uses JavaScript extensively. If JavaScript is disabled in the browser, the application does not work. In addition, the application uses session cookies (which are deleted when the web browser is closed) to keep a client session. If cookies are disabled, it is not guaranteed that the application will work correctly.

Persistent cookies (stored on the client) are used to store history information about the created orders. If persistent cookies are disabled, this function is not available.


Internet Sales Administrator Area

The Internet Sales administration is part of each Internet Sales and Channel Management application. It is accessed using the following URL:

http://host:port/<app name>/admin

For example: http://localhost:50000/b2b/admin

Among other features, the administration area provides the following:

• Application configuration, for example, connection parameters to CRM or R/3, by using the Extended Configuration Management (XCM) Administrator tool

• Overview of the various caches

• Access to the logging configuration – browser-based download of log files

For more information about the different features of the administration area, refer to the Internet Sales Configuration Guide. For information about XCM, refer to the Internet Sales Installation Guides.

It is important to restrict access to the administration area, particularly in a production environment. Before you expose the application to the Internet, you must secure the application using the stringent security measures explained in the following sections.

A going-live checklist is available. For more information, refer to the Checklists section.

Restricting Access to ISA Administration pages from the Intranet

The administration pages are secured using Basic Authentication, which ensures that you must provide a user name and password before you can access the application. Each user administering the application must be part of the isaadmin role. After deployment of the application, the Administrators group is automatically assigned to this role. The user Administrator is always part of this group. It is not recommended to use the Administrator user for administering the web application. Instead, a new user, such as isaadmin, must be created on the J2EE Engine, or an existing user must be assigned to the isaadmin role. The following steps describe how to create a new user on the SAP J2EE Engine 6.40 (for details, refer to the J2EE Configuration Guide):

1. Log on to the J2EE Engine by using Visual Administrator.

2. Select the Security Provider Service of the J2EE Server.

3. Select the UserManagement tab pane.

4. Choose Create User.

5. Enter the name of the user, for example, isaadmin.

6. Enter the password for the user.

7. Choose OK.

8. Select the Policy Configurations tab pane.

9. Select the ISA application for which the user will be the administrator, for example, sap.com/crm.b2b*b2b.

10. Select the Security Roles pane.

11. Select the isaadmin role.

12. Assign the previously created user to the role.


Restricting Access to ISA Administration pages from the Internet

As a general rule, define as few mappings as possible. The HTTP server must allow only those requests that are required by your application.

The Internet Sales Administration pages must not be accessible from the Internet. There are two options to restrict access from the Internet:

• Using IIS HTTP Server in front of J2EE Engine

An HTTP server between the J2EE Engine and the Internet is recommended by the ISA Technical Infrastructure Guide. It is important to restrict access through the web server for the following pages:

/<applicationname>/admin.

You can restrict access by using the IisProxy, for example:

<ISAPI-config version="1.6">
  <filter name="IisProxy filter" />
  <extension name="IisProxy extension" />
  <mapping name="B2B Secure Admin Area">
    <source>
      <protocol>http</protocol>
      <prefix>/b2b/admin/</prefix>
      <new-prefix>/error/</new-prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>localhost.your.corp</host>
      <port>51000</port>
    </target>
  </mapping>
  <mapping name="B2B Application">
    <source>
      <protocol>http</protocol>
      <prefix>/b2b/</prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>localhost.your.corp</host>
      <port>51000</port>
    </target>
    <compress-types>text/html, text/plain</compress-types>
  </mapping>
</ISAPI-config>


The mapping to the ISA Administration leads to a non-existing area /error.
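The following Python script is an added example, not part of this guide and not SAP's IisProxy code. It reads an ISAPI-config of the form shown above and reports, for every application prefix (such as /b2b/), whether its /admin/ sub-path is redirected through a new-prefix entry the way the mapping above sends /b2b/admin/ to the non-existing /error/ area. Both XML samples embedded in the script are constructed: the first mirrors the configuration above, the second deliberately omits the admin mapping so that the exposed case is visible.

```python
"""Audit an IisProxy ISAPI-config for ISA admin areas that are not redirected.

Added example; not part of the SAP guide or of IisProxy. The XML samples are
constructed. A <mapping> whose <source><prefix> ends in /admin/ counts as a
redirect only if it also carries a <new-prefix>, which is the pattern the
guide uses to send /b2b/admin/ to the non-existing /error/ area.
"""
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the structure of the configuration in the guide.
PROTECTED_CONFIG = """<ISAPI-config version="1.6">
  <filter name="IisProxy filter" />
  <extension name="IisProxy extension" />
  <mapping name="B2B Secure Admin Area">
    <source>
      <protocol>http</protocol>
      <prefix>/b2b/admin/</prefix>
      <new-prefix>/error/</new-prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>localhost.your.corp</host>
      <port>51000</port>
    </target>
  </mapping>
  <mapping name="B2B Application">
    <source>
      <protocol>http</protocol>
      <prefix>/b2b/</prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>localhost.your.corp</host>
      <port>51000</port>
    </target>
  </mapping>
</ISAPI-config>
"""

# Constructed sample: an application mapping with no admin redirect at all.
UNPROTECTED_CONFIG = """<ISAPI-config version="1.6">
  <mapping name="B2C Application">
    <source>
      <protocol>http</protocol>
      <prefix>/b2c/</prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>localhost.your.corp</host>
      <port>51000</port>
    </target>
  </mapping>
</ISAPI-config>
"""


def load_mappings(xml_text):
    """Return (name, prefix, new_prefix) per <mapping>; new_prefix is None if absent."""
    root = ET.fromstring(xml_text)
    result = []
    for mapping in root.findall("mapping"):
        source = mapping.find("source")
        if source is None or source.find("prefix") is None:
            continue  # a mapping without a source prefix matches nothing
        prefix = source.findtext("prefix").strip()
        new_prefix = source.findtext("new-prefix")
        result.append((mapping.get("name", ""), prefix,
                       new_prefix.strip() if new_prefix else None))
    return result


def audit_admin_mappings(xml_text):
    """Return {application prefix: verdict} for every non-admin mapping.

    "redirected": <prefix>admin/ is mapped and carries a <new-prefix>.
    "forwarded":  <prefix>admin/ is mapped but without a <new-prefix>, so it
                  still reaches the J2EE Engine.
    "exposed":    no admin mapping exists; the general application mapping
                  would forward /admin requests to the J2EE Engine.
    """
    mappings = load_mappings(xml_text)
    by_prefix = {prefix: new_prefix for _, prefix, new_prefix in mappings}
    verdicts = {}
    for _, prefix, _ in mappings:
        if prefix.endswith("/admin/"):
            continue  # judged through the application prefix it belongs to
        admin_prefix = prefix.rstrip("/") + "/admin/"
        if admin_prefix not in by_prefix:
            verdicts[prefix] = "exposed"
        elif by_prefix[admin_prefix]:
            verdicts[prefix] = "redirected"
        else:
            verdicts[prefix] = "forwarded"
    return verdicts


if __name__ == "__main__":
    for label, cfg in (("protected", PROTECTED_CONFIG), ("unprotected", UNPROTECTED_CONFIG)):
        print(label, audit_admin_mappings(cfg))
```

The guide does not state how IisProxy resolves overlapping prefixes, so the script only checks that the redirect mapping is present; the authoritative test remains the checklist item that calls the admin URL from the Internet and expects neither content nor a logon prompt.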

• Using Apache HTTP Server in front of J2EE Engine

The security relevant settings of the Apache HTTP server are not explained here. Refer to:

Apache HTTP Server Version 1.3

http://httpd.apache.org/docs/misc/security_tips.html

Apache HTTP Server Version 2.0

http://httpd.apache.org/docs-2.0/misc/security_tips.html

• No HTTP Server in front of the J2EE Engine

You must turn off all the features of administration. Refer to the Turning Features of Administration Area Off section.

Turning Features of Administration Area Off

You can turn on/off access to each feature of the administration area by using the following context parameter in the web.xml:

adminconfig.core.isa.sapmarkets.com

The value of this parameter contains a comma-separated list of keywords. Each key word is associated with a feature in the administration area. Therefore, when you remove a keyword, the corresponding feature is disabled.

The settings can be changed using the SAP J2EE Engine Visual Administrator in the WebContainer service:

1. Log on to the J2EE Engine by using the Visual Administrator.

2. Select the WebContainer Service of the J2EE Server.

3. Select the required web application.

4. Choose View. A new panel opens.

5. Select the Context Parameters tab pane.

6. Select the adminconfig.core.isa.sapmarkets.com context parameter.

7. Change the setting.

8. Choose Modify.

After changing the settings, you must restart the web application. This is performed in the Deploy service.

The following table provides an overview of the available features:

Feature: isacorecache
Description: Application core caches
Access after Installation: Yes

Feature: catalogcache
Description: Web catalog cache
Access after Installation: Yes

Feature: corecache
Description: System level cache
Access after Installation: Yes

Feature: jcoinfo
Description: Information about the SAP Java Connector
Access after Installation: Yes

Feature: logging
Description: Access to the logging configuration; displaying the content of log/trace files in the web browser
Access after Installation: Yes

Feature: version
Description: Displays the application version
Access after Installation: Yes

Feature: loggingfiledownload
Description: Enables downloading log files from the logging configuration area or when using the appinfo feature. This feature must be turned off in production.
Access after Installation: No

Feature: appinfo
Description: Turns the application info feature on/off. This feature is started by passing the additional request parameter appinfo=true when starting the application, for example, b2b/b2b/init.do?appinfo=true. An additional page opens that provides system information. The session trace is turned on, and it is possible to download the session trace file using a web browser. This feature must be turned off in production.
Access after Installation: No

Feature: sat
Description: Turns the Single Activity Trace on/off
Access after Installation: No

Feature: xcmadmin
Description: Turns access to the XCM Administration tool on/off
Access after Installation: Yes
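The following Python script is an added example, not part of this guide and not ISA code. It reads the adminconfig.core.isa.sapmarkets.com context parameter from a web.xml deployment descriptor as described in this section (a comma-separated keyword list, one keyword per feature), flags the keywords the feature table says must be off in production, and produces the hardened value. The web.xml fragment inside the script is constructed; only the parameter name and the feature keywords come from this guide. The same context-parameter lookup also serves the ISA < SP06 items of the going-live checklist in the appendix (showstacktrace.isacore.isa.sapmarkets.com and enable.priceAnalysis.isa.sapmarkets.com).

```python
"""Audit the ISA admin-feature keywords in a web.xml deployment descriptor.

Added example; not part of the SAP guide or of the ISA code base. The
descriptor fragment is constructed; parameter and keyword names are from
the guide's feature table.
"""
import xml.etree.ElementTree as ET

ADMINCONFIG_PARAM = "adminconfig.core.isa.sapmarkets.com"

# Keywords the guide explicitly says must be turned off in production.
MUST_BE_OFF_IN_PRODUCTION = {"loggingfiledownload", "appinfo"}

# Keywords whose "Access after Installation" is No in the guide's table; if
# one is present, somebody enabled it after installation.
OFF_AFTER_INSTALLATION = {"loggingfiledownload", "appinfo", "sat"}

# Constructed sample: a development descriptor with every feature switched on.
DEV_WEB_XML = """<web-app>
  <context-param>
    <param-name>adminconfig.core.isa.sapmarkets.com</param-name>
    <param-value>isacorecache, catalogcache, corecache, jcoinfo, logging,
      version, loggingfiledownload, appinfo, sat, xcmadmin</param-value>
  </context-param>
  <context-param>
    <param-name>showstacktrace.isacore.isa.sapmarkets.com</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the lookup also works on
    descriptors that declare the Servlet XML namespace."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml_text):
    """Map every <context-param> name to its whitespace-stripped value."""
    params = {}
    for element in ET.fromstring(web_xml_text).iter():
        if _local(element.tag) != "context-param":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def enabled_admin_features(web_xml_text):
    """Set of feature keywords listed in the adminconfig parameter."""
    raw = context_params(web_xml_text).get(ADMINCONFIG_PARAM, "")
    return {kw.strip() for kw in raw.split(",") if kw.strip()}


def production_findings(web_xml_text):
    """Sorted list of (keyword, reason) for enabled features that should be off."""
    findings = []
    for kw in sorted(enabled_admin_features(web_xml_text)):
        if kw in MUST_BE_OFF_IN_PRODUCTION:
            findings.append((kw, "must be off in production"))
        elif kw in OFF_AFTER_INSTALLATION:
            findings.append((kw, "off after installation, enabled later"))
    return findings


def hardened_value(web_xml_text):
    """The adminconfig value with every off-after-installation keyword removed,
    keeping the remaining keywords in their original order."""
    raw = context_params(web_xml_text).get(ADMINCONFIG_PARAM, "")
    kept = [kw.strip() for kw in raw.split(",")
            if kw.strip() and kw.strip() not in OFF_AFTER_INSTALLATION]
    return ", ".join(kept)


if __name__ == "__main__":
    for kw, reason in production_findings(DEV_WEB_XML):
        print(f"{kw}: {reason}")
    print("hardened value:", hardened_value(DEV_WEB_XML))
    # For ISA < SP06 the checklist's showstacktrace item uses the same lookup.
    print("showstacktrace:",
          context_params(DEV_WEB_XML).get("showstacktrace.isacore.isa.sapmarkets.com"))
```

Because this section says the value is changed through the Visual Administrator, audit the value as it is effective on the engine (the one the WebContainer service shows), not only the copy of web.xml in the deployment archive; for ISA >= SP06 the showstacktrace and priceAnalysis switches live in XCM (component ui) rather than in web.xml.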

Trace and Log Files

After installation, tracing is switched off. If you have switched on tracing during development, ensure that the traces are switched off in production. If the severity ERROR is associated with the location com.sapmarkets.isa, tracing is switched off. For more information, refer to the Internet Sales Configuration Guide.

There is a feature in Internet Sales that enables you to trace the import/export parameter of any function module called by the application. The function that must be traced is registered in the file <root>/WEB-INF/xcm/customer/modification/modification-config.xml. After deployment, <root> is the directory of the application in the file system. If the function module transfers some sensitive information in import/export parameters, this data must not be traced. Therefore, it is possible to disable some import/export parameters from being traced. For more information, refer to the comments in the modification-config.xml file.

The following table explains the different trace and log files:

Trace/Log file: web application log
Location: Can be viewed using the J2EE Engine Log Viewer
Description: Information about errors in the application

Trace/Log file: web application trace
Location: Can be viewed using the J2EE Engine Log Viewer; can be accessed from the Internet Sales administration area
Description: Developer trace that is primarily required by developers and the support team. This trace must be switched off in production.


Appendix

Checklists

The following checklist is a mandatory going-live checklist. Ensure that your application adheres to all the requirements specified in this checklist:

Protecting Internet Sales Administration pages/functions

Security Item: Ensure that the ISA administration area is not accessible from the Internet.
Method: Call the admin area from the Internet, for example: http://www.acme.com/b2b/admin
Reference: Web Server configuration
Result/Comments: It must not be accessible, and no pop-up prompting for the user name and password must appear.

Security Item: Check whether access to the ISA administration area is restricted from the intranet.
Method: Call the admin area from the intranet, for example: http://host:port/b2b/admin
Reference: Creating a user for administration
Result/Comments: A logon pop-up must appear. Log on using the user created during the ISA installation.

Security Item: Check whether the Administrator password is blank.
Method: Call the admin area from the intranet, for example: http://host:port/b2b/admin. User: Administrator; Password: leave empty.
Result/Comments: You must not be able to log on.

Security Item: Check whether the appinfo feature is turned off. This feature must be turned on only during development.
Method: Call the application with the additional appinfo request parameter, for example: http://host:port/b2b/b2b/init.do?appinfo=true
Reference: Refer to the Configuration Guide.
Result/Comments: You must not be prompted to log on. A second browser window that provides system information must not open.

Security Item: Check whether log-file download is turned off.
Method: Enter the ISA administration area, for example: http://host:port/b2b/admin => ‘Logging’ => view log files => click one of the links in the download column.
Reference: Refer to the Configuration Guide.
Result/Comments: You must not be able to download the file.

Security Item: Ensure that tracing is turned off.
Method: Check the settings in the file log-config.properties located in WEB-INF/cfg.
Reference: Refer to the Configuration Guide.
Result/Comments: Ensure that you have the following settings:

com.sapmarkets.isa.severity = ERROR

log[isa].severity = ERROR

If you have extended this file, additionally check your own settings.

Security Item: Ensure that the showstacktrace switch is turned off.
Method: ISA < SP06: Check the context parameter showstacktrace.isacore.isa.sapmarkets.com in web.xml. ISA >= SP06: Check in XCM, component ui, the value showstacktrace.isacore.
Result/Comments: ISA < SP06: The value must be false. ISA >= SP06: The value must be false.
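The following Python script is an added example, not part of this guide and not ISA code. It implements the "Ensure that tracing is turned off" checklist item above: it parses a log-config.properties file (Java properties syntax, as found in WEB-INF/cfg) and verifies that com.sapmarkets.isa.severity and log[isa].severity are both ERROR, while listing any additional .severity keys a customer extension added so they can be reviewed separately, as the checklist requires. The property file contents embedded in the script are constructed; only the two key names come from this guide.

```python
"""Going-live check for the tracing settings in log-config.properties.

Added example; not part of the SAP guide or of the ISA code base. The
property file contents below are constructed; the two required keys are
the ones the checklist names.
"""

# Settings the checklist requires in WEB-INF/cfg/log-config.properties.
REQUIRED_SEVERITIES = {
    "com.sapmarkets.isa.severity": "ERROR",
    "log[isa].severity": "ERROR",
}

# Constructed sample: a file left in a development state with a customer extension.
DEV_PROPERTIES = """# trace configuration left over from development
com.sapmarkets.isa.severity = DEBUG
log[isa].severity=ERROR
! customer extension
com.acme.isa.severity = ALL
"""

# Constructed sample: the production setting the checklist asks for.
PROD_PROPERTIES = """com.sapmarkets.isa.severity = ERROR
log[isa].severity = ERROR
"""


def parse_properties(text):
    """Minimal Java .properties parser: the key ends at the first '=', ':' or
    whitespace; blank lines and lines starting with '#' or '!' are comments.
    Escape sequences and line continuations are not handled (the ISA file
    does not need them)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        idx = min((line.find(c) for c in "=: \t" if c in line), default=-1)
        if idx < 0:
            key, value = line, ""
        else:
            key, value = line[:idx], line[idx + 1:].lstrip(" \t=:")
        props[key.strip()] = value.strip()
    return props


def tracing_findings(text):
    """Return (key, actual value) for every required setting that is not ERROR.

    A missing key is reported with actual=None: the file not mentioning the
    location does not prove that tracing is off. An empty list means the
    checklist item passes."""
    props = parse_properties(text)
    findings = []
    for key, required in REQUIRED_SEVERITIES.items():
        actual = props.get(key)
        if actual is None or actual.upper() != required:
            findings.append((key, actual))
    return findings


def custom_severity_keys(text):
    """Sorted .severity keys outside the required set; the checklist says these
    customer extensions must be checked separately."""
    props = parse_properties(text)
    return sorted(k for k in props
                  if k.endswith(".severity") and k not in REQUIRED_SEVERITIES)


if __name__ == "__main__":
    for label, text in (("dev", DEV_PROPERTIES), ("prod", PROD_PROPERTIES)):
        print(label, "findings:", tracing_findings(text),
              "custom keys:", custom_severity_keys(text))
```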

SAP J2EE Engine 6.20 Related Checks

Security Item Method Reference Result/Comments

Security item – Check the cumulative security note.

Method – SAP Note 606733

Reference – Web Server configuration

Result – Apply all patches described in this note.

Security item – Turn off HTTP-based directory browsing.

Method – Config tool => cluster/server => services => DirList = false

Restart the J2EE server.

Result – It must not be possible to browse the directory structure. For example: http://host:port/b2b
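The checks in this table and in the ISA administration-area table above are written for a browser. As an added example that is not part of the SAP guide, the following Python script turns them into repeatable pass/fail checks: the admin area must answer with a logon challenge from the intranet and must be unreachable (with no challenge) from the internet, the Administrator account with an empty password must be rejected, and a request for /b2b must not return a directory listing. The HTTP layer is a pluggable function, so the logic runs offline against constructed responses; the host and port, the mapping of a "logon pop-up" to HTTP 401 with a WWW-Authenticate header, the 403/404 expectation for "not accessible", and the directory-listing heuristic are all assumptions.

```python
"""Repeatable versions of the ISA administration-area and directory-browsing checks.

Added example, not code from the SAP guide.  Assumptions: a browser logon pop-up
corresponds to HTTP 401 with a WWW-Authenticate header; "not accessible" from the
internet corresponds to HTTP 403 or 404 without such a header; a directory listing
is recognised by the usual "Index of" / "Parent Directory" markup.
"""
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher returns (status, headers, body) for a URL, optionally with Basic auth.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str, Optional[Tuple[str, str]]], Response]


@dataclass
class Finding:
    item: str      # the security item from the checklist
    passed: bool   # True if the observed behaviour matches the guide's required result
    detail: str    # what was observed, for the Result/Comments column


def urllib_fetch(url: str, auth: Optional[Tuple[str, str]]) -> Response:
    """Fetcher for a live system (not used by the offline demonstration below)."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 401/403/404 arrive as exceptions
        return err.code, dict(err.headers), ""


def asks_for_logon(resp: Response) -> bool:
    """The guide's 'logon pop-up': a 401 carrying a WWW-Authenticate challenge."""
    status, headers, _ = resp
    return status == 401 and "www-authenticate" in {k.lower() for k in headers}


def looks_like_directory_listing(body: str) -> bool:
    lowered = body.lower()
    return "index of" in lowered or "parent directory" in lowered


def check_admin_area(fetch: Fetcher, base_url: str, from_intranet: bool) -> List[Finding]:
    """Checks 'access restricted from the intranet/internet' and 'Administrator password blank'."""
    admin_url = base_url.rstrip("/") + "/b2b/admin"
    anonymous = fetch(admin_url, None)
    findings = []
    if from_intranet:
        findings.append(Finding("logon prompt for admin area from intranet",
                                asks_for_logon(anonymous), f"status {anonymous[0]}"))
        # Guide: with user Administrator and an empty password you must not be able to log on.
        blank = fetch(admin_url, ("Administrator", ""))
        findings.append(Finding("blank Administrator password rejected",
                                blank[0] != 200, f"status {blank[0]}"))
    else:
        # Guide: from the internet the area must not be accessible and no logon pop-up may appear.
        blocked = anonymous[0] in (403, 404) and not asks_for_logon(anonymous)
        findings.append(Finding("admin area not reachable from internet",
                                blocked, f"status {anonymous[0]}"))
    return findings


def check_directory_browsing(fetch: Fetcher, base_url: str) -> Finding:
    """Check 'Turn off HTTP-based directory browsing' (DirList = false): /b2b must not list files."""
    resp = fetch(base_url.rstrip("/") + "/b2b", None)
    listing = resp[0] == 200 and looks_like_directory_listing(resp[2])
    return Finding("HTTP directory browsing disabled", not listing, f"status {resp[0]}")


def run_checks(fetch: Fetcher, base_url: str, from_intranet: bool) -> List[Finding]:
    return check_admin_area(fetch, base_url, from_intranet) + [check_directory_browsing(fetch, base_url)]


# Constructed responses modelling a hardened system, seen from the intranet.
def hardened_fetch(url: str, auth: Optional[Tuple[str, str]]) -> Response:
    if url.endswith("/b2b/admin"):
        if auth is None or auth == ("Administrator", ""):
            return 401, {"WWW-Authenticate": 'Basic realm="ISA admin"'}, ""
        return 200, {"Content-Type": "text/html"}, "<html>admin area</html>"
    return 403, {}, "Forbidden"


# Constructed responses modelling an unhardened system: blank password accepted, /b2b lists files.
def weak_fetch(url: str, auth: Optional[Tuple[str, str]]) -> Response:
    if url.endswith("/b2b/admin"):
        if auth is None:
            return 401, {"WWW-Authenticate": 'Basic realm="ISA admin"'}, ""
        return 200, {"Content-Type": "text/html"}, "<html>admin area</html>"
    return 200, {"Content-Type": "text/html"}, "<h1>Index of /b2b</h1><a href='../'>Parent Directory</a>"


if __name__ == "__main__":
    for f in run_checks(weak_fetch, "http://host:port", from_intranet=True):
        print("PASS" if f.passed else "FAIL", f.item, "-", f.detail)
```

Run it once from an intranet address with `from_intranet=True` and once from outside with `from_intranet=False`; the internet run is only meaningful from a host that is actually outside the firewall, and a 401 seen from there is itself a failed check.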

Protecting IPC Price Analysis Tool

Security Item Method Reference Result/Comments

Security item – Ensure that IPC price analysis and the "enable pricing conditions display" setting are turned off.

Method – ISA < SP06: Check the context parameter enable.priceAnalysis.isa.sapmarkets.com in web.xml.

ISA >= SP06: Check the value enable.priceAnalysis of component ui in XCM.

Result – ISA < SP06: The value must be false.

ISA >= SP06: The value must be false.
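The tracing, showstacktrace and price-analysis items above all come down to reading two configuration files of an ISA installation before SP06. As an added example that is not code from the SAP guide, the following Python audit parses WEB-INF/cfg/log-config.properties and the context parameters of web.xml and reports every deviation from the required values: both severity keys must be ERROR (and, following the guide's advice to check your own settings if you extended the file, any other *.severity key is held to the same value), and the two context parameters must be false. The sample file contents are constructed for the demonstration; the properties reader and the XML handling are the example's own.

```python
"""Offline audit of the ISA (< SP06) configuration settings named in the checklists above.

Added example, not code from the SAP guide.  Parses WEB-INF/cfg/log-config.properties
and the <context-param> entries of web.xml; the sample contents below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

REQUIRED_SEVERITY = "ERROR"
SEVERITY_KEYS = ("com.sapmarkets.isa.severity", "log[isa].severity")
CONTEXT_PARAMS_MUST_BE_FALSE = (
    "showstacktrace.isacore.isa.sapmarkets.com",   # stack traces in error pages
    "enable.priceAnalysis.isa.sapmarkets.com",     # IPC price analysis tool
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    whitespace around key and value, and backslash line continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_log_config(text: str) -> List[str]:
    """Findings for log-config.properties: every *.severity must be ERROR."""
    props = parse_properties(text)
    findings = []
    for key in SEVERITY_KEYS:
        if key not in props:
            findings.append(f"{key} missing; guide requires {REQUIRED_SEVERITY}")
        elif props[key].upper() != REQUIRED_SEVERITY:
            findings.append(f"{key} = {props[key]}; guide requires {REQUIRED_SEVERITY}")
    # "If you have extended this file, additionally check your own settings."
    for key, value in props.items():
        if key.endswith(".severity") and key not in SEVERITY_KEYS and value.upper() != REQUIRED_SEVERITY:
            findings.append(f"{key} = {value}; custom logger still traces")
    return findings


def context_params(web_xml: str) -> Dict[str, str]:
    """<context-param> name/value pairs; tag names are compared without namespace."""
    params: Dict[str, str] = {}
    for element in ET.fromstring(web_xml).iter():
        if element.tag.split("}")[-1] != "context-param":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in element}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def audit_web_xml(web_xml: str) -> List[str]:
    """Findings for web.xml: the listed context parameters must be present and false."""
    params = context_params(web_xml)
    findings = []
    for name in CONTEXT_PARAMS_MUST_BE_FALSE:
        if name not in params:
            findings.append(f"{name} not set; cannot confirm it is false")
        elif params[name].lower() != "false":
            findings.append(f"{name} = {params[name]}; guide requires false")
    return findings


# Constructed sample files, each with a deviation the audit should report.
SAMPLE_LOG_CONFIG = """\
# constructed example of WEB-INF/cfg/log-config.properties
com.sapmarkets.isa.severity = ERROR
log[isa].severity = DEBUG
com.example.myextension.severity = \\
    INFO
"""

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <context-param>
    <param-name>showstacktrace.isacore.isa.sapmarkets.com</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>enable.priceAnalysis.isa.sapmarkets.com</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
"""

if __name__ == "__main__":
    for finding in audit_log_config(SAMPLE_LOG_CONFIG) + audit_web_xml(SAMPLE_WEB_XML):
        print("FAIL", finding)
```

A missing context parameter is reported as "cannot confirm" rather than as a pass, because the audit has no way of knowing the application's built-in default; for ISA >= SP06 the same two values live in XCM and must be checked there instead.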


Selling Via eBay

Introduction

This section provides information about the security aspects of the Selling Via eBay (SVE) component running on J2EE 6.40. The security aspects of this component primarily depend on the security aspects associated with Internet Sales (CRM).

Related Security Guides

Application Guide Most-Relevant Sections or Specific Restrictions

Application – Internet Sales

Guide – Refer to the previous chapter on SAP Internet Sales.

Most-relevant sections – Refer to the following subsections:

• Data Storage Security: for XCM customer configuration data

• Other Security-Relevant Information: all subsections except the first three paragraphs

• Trace and Log Files

• Appendix: all sections except SAP J2EE 6.20 related checks and Protecting IPC

Why Is Security Necessary?

The SVE application runs within the intranet. However, it communicates with the eBay API server on the internet using HTTPS/SSL. This communication can contain the buyer's personal details and the seller's authentication information. An eBay API request, such as publishing an item for auction on eBay, is an XML document that contains information about the item together with the seller's authentication data. The seller authentication information includes the eBay seller user ID and password along with the eBay authentication certificates.

The SVE application must be secured to prevent unauthorized access to:

• The data packets exchanged between the SVE and the eBay API server, which would expose the personal information of the buyer.

• Information in transit when the communication is not encrypted.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

Important SAP Notes


SAP Note Number Title Comment

SAP Note 597059 – License conditions SAP-Cryptographic Library

SAP Note 397175 – SAP Cryptographic Software - Export check

Comment – The SVE requires the SAP cryptographic software to communicate with the live eBay system. Use these two notes to obtain a license for the SAP cryptographic software.

User Administration and Authentication

The administration of users is required in the following areas:

• J2EE deployed SVE administration (XCM and other J2EE admin)

Refer to the User Management subsection in the User Administration and Authentication section under SAP Internet Sales.

• Auction Seller and Auction Administrator account management on R/3 and CRM

The Auction Seller and Auction Administrator must be SU01 users with a profile attached. This profile can be created in R/3 or CRM through transaction PFCG and can be configured through the XCM tool. You can access the XCM tool through the URL http://servername:port/sve/admin.

• eBay seller administration

eBay seller accounts must be created on the eBay site. These eBay user accounts are bound to R/3 or CRM accounts in SVE through the SVE admin user interface. You can access SVE admin through the URL http://servername:port/sve/aucadm/init.do.

User Management

User Management Tools

Tool Detailed Description Prerequisites

Tool – SAP J2EE Engine user management using the Visual Administrator

Detailed description – Access to administration pages, which are part of all the Internet Sales applications, is controlled using the J2EE Engine security.

Prerequisites – Is automatically activated after deploying the web ISA applications.

Tool – User Management for the ABAP Engine (transaction SU01); maintenance of roles and profiles (transaction PFCG)

Detailed description – Refer to the SU01 documentation.

Prerequisites – Refer to the SVE Configuration Guide, which provides information about the different user types.

Tool – Business Partner maintenance in the CRM scenario only (transaction BP)

Detailed description – Refer to the BP documentation.

User

Refer to User types for all ISA applications in the corresponding section under SAP Internet Sales.

System User Delivered? Type Default Password

Detailed Description


System – R/3 & CRM; User – Anonymous user for stateless connection; Delivered? – No; Type – SU01 service user; Default password – No

Detailed description – User for establishing the stateless connection between R/3 or CRM and SVE.

System – R/3 & CRM; User – SVE seller or Administrator; Delivered? – No; Type – SU01 dialog user; Default password – No

Detailed description – The user that logs into SVE. The full-state SVE connection is established with it. Sales documents are created using this connection. Only relevant if the login type is 4, 7, or 8 (see the SVE Configuration Guide).

System – eBay; User – Seller user in eBay; Delivered? – No; Type – None; Default password – No

Detailed description – The seller must be created in the external (non-SAP) eBay system. Auctions published onto eBay are associated with this seller user ID. The eBay seller ID is mapped to the seller in the R/3 or CRM system through the eBay admin user interface. Refer to the SVE Configuration Guide.

User Data Synchronization

No user data synchronization is required for SVE.

Integration Into Single Sign-On Environments

Not supported in this release. No portal support in this release.


Authorizations

Refer to All ISA Applications in the corresponding section under SAP Internet Sales.

User Role Activity

User role – Auction Seller

Activity – Creates and posts auctions onto eBay. Create a profile for this role in R/3 or CRM and bind it in XCM. Refer to the SVE Configuration Guide.

User role – Auction Administrator

Activity – Administers auction seller accounts, such as:

• Setting validity dates

• Binding eBay users with R/3 or CRM

• Scheduling tasks that communicate with eBay

• Maintaining themes and other standard settings

Create a profile for this role in R/3 or CRM and bind it in XCM. Refer to the SVE Configuration Guide.

Network and Communication Security

Communication Channel Security

The following communication channels and protocols are used between the different components:

Component A Component B Channel Technology

Component A – Web Browser; Component B – HTTP Server

Channel – Front-end to server: communication with the Web browser

Technology – HTTP/HTTPS

Component A – HTTP Server; Component B – J2EE Engine/ISA web application

Channel – Server to server: requests from the Web browser are forwarded to the ISA application running on the J2EE Engine, and responses from ISA are forwarded to the Web browser.

Technology – HTTP/HTTPS

Component A – J2EE Engine/SVE; Component B – eBay API Server

Channel – SVE to eBay external API server: SVE communicates with the eBay server on the Internet using HTTPS. The SVE application contains an inbuilt HTTPS client that communicates with the eBay API server.

Technology – HTTPS

Component A – J2EE Engine/SVE web application; Component B – CRM or R/3 system

Channel – Application to server

Technology – JCo/RFC


Channel (continued) – The Java-based ISA application executes application logic running on the SAP system.

Component A – J2EE Engine/ISA web application; Component B – Database (SQL Server)

Channel – Application to server: storing eBay information, such as user mappings and auction information

Technology – JDBC

For information on how to configure the J2EE engine with SSL, refer to the topic Configuring the Use of SSL on the SAP J2EE Engine in the help portal (help.sap.com) under:

SAP NetWeaver → SAP NetWeaver ’04 → SAP NetWeaver → Security → Network and Transport Layer Security → Transport Layer Security on the SAP J2EE Engine.

Communication Destinations

Connection Destinations from SVE

Destination Delivered? Type User, Authorizations Description

Destination – Connection to CRM/SAP system; Delivered? – No; Type – RFC; User, authorizations – Refer to the Authorizations section.

Description – Technical user used for stateless (anonymous) communication with the backend system. Configured using the XCM tool after installation.

Destination – Connection to eBay API server; Delivered? – No; Type – HTTPS; User, authorizations – No

Description – Configured using the XCM tool after installation. Refer to the SVE Configuration Guide.

Data Storage Security

The data storage security is explained as follows:

• Usage of the J2EE secure store for storing security-related information

The important password data is stored in the Secure Storage of the J2EE Engine instead of the database. In addition, the JCo passwords used to communicate with R/3 or CRM are also stored in the Secure Storage. You can configure the encryption levels in the Secure Storage. For more information, refer to the NetWeaver Security Guide.

• Cookies

There are no cookies used in the SVE application.

• XCM customer configuration data

Refer to XCM Customer Configuration Data in the Data Storage Security section under SAP Internet Sales.


Minimal Installation

The following table provides an overview of the functions that are not mandatory in the production environment.

Feature Description Activated/Deactivated after Installation

Feature – appinfo

Description – When the application is started, an additional page opens that provides system information and turns on the single-session trace if the additional request parameter appinfo = true is provided.

After installation – Deactivated

Feature – Browser-based download of trace files

Description – It is possible to download trace files from the ISA Administration pages or when using the appinfo feature.

After installation – Deactivated

• For information on how to configure the features mentioned in the table, refer to SAP Internet Sales.

• For information on the checks that are provided, refer to Protecting Internet Sales Administration (except 6.20 and IPC) in the Appendix section under SAP Internet Sales.

Other Security-Relevant Information

The front end (user interface) of the application uses JavaScript, which is accessed from the intranet.

XCM Administration Area

Refer to Internet Sales Administration Area in the corresponding section under SAP Internet Sales.

SVE Administrator Area

The SVE administrator possesses the privileges explained in the Authorizations section of this document. To restrict access to the SVE administrator area, create a profile in R/3 or CRM and assign it to the SVE administrator role in XCM, as explained in the SVE Configuration Guide. Only the backend (CRM or R/3) users with that profile are allowed to log on to the application's administrator area.

Restricting Access to SVE Administration Pages from the Intranet

Refer to Restricting Access to ISA Administration Pages from the Intranet in the corresponding section under SAP Internet Sales.

Restricting Access to SVE Administration Pages from the Internet

Refer to Restricting Access to ISA Administration Pages from the Internet in the corresponding section under SAP Internet Sales.

Turning Features of Administration Area Off

Refer to Turning Features of Administration Area Off in the corresponding section under SAP Internet Sales.


Trace and Log Files

Refer to the corresponding section under SAP Internet Sales.


Interaction Center

The interaction center is a channel that offers contact center capabilities for sales or customer service organizations. It allows agents to process inbound and outbound contacts as well as business transactions related to a customer. Security has to be considered for business-related data such as business partner data and service orders.

See also the following glossary definitions for the user interfaces of the interaction center:

• Interaction Center WinClient [external]

• Interaction Center WebClient [external]


Interaction Center WinClient

Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

About this Guide

This guide is for the Interaction Center WinClient (application component CRM-CIC), which is based on the SAP Web Application Server (SAP Web AS) 6.20 and CRM 4.0.

Related Security Guides

Application Guide

Application – Workflow Management; Guide – SAP Basis

Application – SAP Web Application Server; Guide – SAP Web Application Server Security Guide

Why Is Security Necessary?

Security is necessary in order to protect data and because of legal regulations.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

Technical System Landscape

The following figure shows the typical landscape of the Interaction Center (IC) WinClient.


The CRM Server includes the IC WinClient framework and the following SAP applications:

• SAPphone

SAPphone provides a telephony function to the interaction center. It allows data to be exchanged between the CRM Server and the telephony component.

• SAPconnect

SAPconnect provides an integrated e-mail function to the interaction center. It enables communication management software [external] to connect to the SAP system (for example, an e-mail server or SMTP server).

Alternatively, you could integrate multichannel support using the multichannel interface. The typical landscape is shown below:


User Administration and Authentication

User Management

The IC WinClient uses standard user management tools to maintain users. See the following table:

User Management Tools

Tool Detailed Description

Tool – User maintenance (transaction SU01)

Tool – Profile Generator (transaction PFCG); Detailed description – You use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.

User

The following users must be created for the IC WinClient:

System User Delivered? Type Default Password Detailed Description

System – CRM system; User – End user; Delivered? – No; Type – Dialog user; Default password – INIT

Detailed description – User who can access IC WinClient functions. Created by the CRM system administrator.

System – CRM system; User – WF-BATCH; Delivered? – Yes; Type – System user; Default password – No

Detailed description – User who can process background workflow tasks.

System – R/3 back end; User – End user; Delivered? – No; Type – System user; Default password – No

Detailed description – User who can access R/3 background functions. Depending on the RFC destination, the user can be an individual user or a system RFC user. Created by the R/3 system administrator.

System – BW; User – End user; Delivered? – No; Type – System user; Default password – No

Detailed description – Created by the BW system administrator if you want to evaluate interactive scripting through BW reporting.

System – Multichannel interface; User – Administrator; Delivered? – No; Type – Communication user; Default password – No

Detailed description – User with multichannel support using the multichannel interface. Created by the system administrator.

System – Multichannel interface; User – User; Delivered? – No; Type – System user; Default password – No

Detailed description – Created by the multichannel interface administrator to replicate CRM users in the multichannel interface and allow these users to access multichannel support (such as e-mail, chat, paging).

User Data Synchronization

Data Synchronization Between CRM System and Other Systems

Data Exchanged When Synchronized How Synchronized

Data exchanged – Business partner data

When synchronized – When a business partner is created in CRM, the data is replicated to R/3. When a business partner is created in R/3, the data is replicated to CRM.

How synchronized – Automatically by CRM middleware settings

Data exchanged – Call-related information between SAPphone and communication management software

How synchronized – Automatically by SAPphone settings

Data exchanged – Data between SAPconnect and communication management software

How synchronized – Automatically by SAPconnect settings

Data exchanged – Data between the multichannel interface and CRM, if the multichannel interface is used as multichannel support

How synchronized – Automatically by CRM settings

Data exchanged – Data between CRM and third-party communication management software

When synchronized – If you want to use the predict-call functionality, call list data is replicated from CRM to the third-party communication management software.

How synchronized – Synchronized when managing the call list to predict calls

Data exchanged – Data between the CRM system and the BW system

When synchronized – Evaluation of interactive scripting using BW

How synchronized – Manual synchronization of evaluation data from CRM to BW

Authorizations

No roles are delivered with the IC WinClient.

For an agent to access the IC WinClient, transaction CIC0 must be assigned to the user's profile.

For a user to work as an interaction center agent, the agent must be defined in the following transactions (in the SAP Menu: Interaction Center → Interaction Center WinClient → Multichannel Interface Administration):

• Assign Agents to E-Mail Queue Groups

• Assign Agents to Chat Queue Groups

• Assign Agents to Paging Queue

For an agent to receive e-mails, the user has to be maintained in transaction SO28.

For a user to start the interactive scripting editor, transaction CRMM_TM_SCRIPT must be assigned to the user’s profile.

Network and Communication Security

Communication Channel Security

In the IC WinClient, the following communication channels are used:

• HTTP communication between CRM and R/3 using action box (SAP Internet Transaction Server option). Data requests are exchanged through this communication channel.

• RFC communication between remote CRM or R/3, for example, communication to R/3 to retrieve detail employee information through employee search, and communication to R/3 to create R/3 orders through action box.

• RFC communication between the multichannel interface and the CRM Server. Multichannel-related information such as e-mail, chat, paging data is exchanged.


• Distributed Component Object Model (DCOM) is used to communicate between the multichannel interface agent and the multichannel interface server. Data such as incoming calls is exchanged.

• RFC communication between SAPphone and communication management software. (This RFC communication is out of the scope of the IC application. For details, see SAPphone (BC-SRV-COM) [external].)

• RFC communication between SAPconnect and communication management software. (This RFC communication is out of the scope of the IC application. For details, see SAPconnect (BC-SRV-COM) [external].)

• Socket communication between the broadcast messaging client and server. The port is configurable.

For information on how to secure the communication channel, see the SAP NetWeaver Security Guide (available at service.sap.com/securityguide).

Network Security

IC WinClient

The IC WinClient is an application in the CRM Server. For information on network security, see CRM Server [page 119].

Multichannel Interface

The multichannel interface server must be a member of the same Windows NT/2000 domain as all the agents’ computers.

We recommend having no firewall between the server and the agents’ computers. If there is a firewall between the multichannel interface and the agents’ computers, port 135 must be opened for bidirectional traffic between the server and the agents’ computers. Additionally, a range of 10 ports above 5000 is required to be opened for DCOM traffic between the multichannel interface server and the client.

In an internet scenario, opening a port in the firewall generally creates a vulnerability. We therefore recommend using the multichannel interface server in an intranet scenario. If it has to be used in an internet scenario, configure the firewall to allow traffic only through a trusted system.

There must be no Network Address Translation (NAT) on the client or server side. For details, see the Multichannel Interface for the Interaction Center (IC) WinClient installation guide on the SAP Service Marketplace at service.sap.com/crm-inst.

Broadcast Messaging

Broadcast messaging is based on Java socket communication technology. If your network has a proxy setting, broadcast messaging cannot pass a proxy unless the proxy is transparent to socket communication.

We recommend running the broadcast messaging service in an intranet scenario. If the server and client machines are in different networks of a company, and there is a firewall between the two networks, it is necessary to open the port for socket communication in the two network firewalls. However, opening a port in the firewall may create a vulnerability. It is therefore better to filter out unauthorized access to the open ports by filtering traffic to allow incoming requests only from a trusted source.

Because each company has its own security policy, we recommend you consult your network security specialist to set up broadcast messaging securely.

For more information, see the Broadcast Messaging Server and Client for the Interaction Center installation guide (available at service.sap.com/crm-inst).
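The two subsections above state a small, checkable firewall policy: TCP 135 open in both directions between the multichannel interface server and the agents' computers, a contiguous range of 10 ports above 5000 for DCOM, the broadcast messaging socket port where that service is used, and no traffic from untrusted sources. As an added example that is not code from the SAP guide, the following Python audit evaluates a rule set against that policy and reports missing ports, ports the guide does not call for, and rules that accept any source. The rule format, the addresses, the DCOM range start and the broadcast port are constructed assumptions; tolerating the DCOM range in the server-to-agent direction as well is the example's own assumption about DCOM callbacks.

```python
"""Audit of firewall rules between the multichannel interface server and agent PCs.

Added example, not code from the SAP guide.  Checks: TCP 135 open in both
directions; a contiguous range of 10 ports above 5000 open from the agents to the
server for DCOM; the broadcast messaging port (if given) open from the agents to
the server; nothing else open between the two; no rule with source 'any'.
The rule format, addresses and port numbers below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One TCP allow rule from src to dst on the inclusive port range."""
    src: str        # CIDR, host address, or "any"
    dst: str        # CIDR, host address, or "any"
    first_port: int
    last_port: int


def _matches(scope: str, addr: str) -> bool:
    return scope == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(scope, strict=False)


def open_ports(rules: List[Rule], src: str, dst: str) -> Set[int]:
    """All destination ports that some rule allows from host src to host dst."""
    ports: Set[int] = set()
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            ports.update(range(rule.first_port, rule.last_port + 1))
    return ports


def audit_mci_rules(rules: List[Rule], server: str, agent: str,
                    dcom_first_port: int, broadcast_port: Optional[int] = None) -> List[str]:
    findings: List[str] = []
    if dcom_first_port <= 5000:
        findings.append(f"DCOM range starts at {dcom_first_port}; guide requires a range above 5000")
    dcom = set(range(dcom_first_port, dcom_first_port + 10))
    need_to_server = {135} | dcom | ({broadcast_port} if broadcast_port else set())
    need_to_agent = {135}
    allowed_to_agent = need_to_agent | dcom   # DCOM callbacks to the agent tolerated (assumption)
    to_server = open_ports(rules, agent, server)
    to_agent = open_ports(rules, server, agent)
    for label, have, need, allowed in (("agent->server", to_server, need_to_server, need_to_server),
                                       ("server->agent", to_agent, need_to_agent, allowed_to_agent)):
        missing = sorted(need - have)
        extra = sorted(have - allowed)
        if missing:
            findings.append(f"{label}: required ports not open: {missing}")
        if extra:
            findings.append(f"{label}: ports open that the guide does not call for: {extra}")
    # "filter traffic to allow incoming requests only from a trusted source"
    for rule in rules:
        if rule.src == "any" and _matches(rule.dst, server):
            findings.append(f"rule {rule.first_port}-{rule.last_port} to {rule.dst} accepts any source; "
                            "restrict to the agents' subnet")
    return findings


# Constructed landscape: server and agents in one intranet /24, DCOM range 5001-5010.
SERVER = "10.10.1.5"
AGENT = "10.10.1.42"
AGENT_NET = "10.10.1.0/24"

GOOD_RULES = [
    Rule(AGENT_NET, SERVER, 135, 135),
    Rule(SERVER, AGENT_NET, 135, 135),
    Rule(AGENT_NET, SERVER, 5001, 5010),
    Rule(SERVER, AGENT_NET, 5001, 5010),
    Rule(AGENT_NET, SERVER, 6000, 6000),     # constructed broadcast messaging port
]

BAD_RULES = [
    Rule("any", SERVER, 135, 135),           # reachable from anywhere
    Rule(AGENT_NET, SERVER, 5001, 5005),     # only five DCOM ports, no return path for 135
    Rule(AGENT_NET, SERVER, 3389, 3389),     # unrelated service exposed alongside
]

if __name__ == "__main__":
    for finding in audit_mci_rules(BAD_RULES, SERVER, AGENT, 5001, broadcast_port=6000):
        print("FAIL", finding)
```

The audit deliberately reports ports beyond the guide's list as findings rather than ignoring them, since each extra open port between the two networks is exactly the vulnerability the guide warns about.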


Communication Destinations

Connection Destinations for Interaction Center WinClient

Destination Delivered? Type User, Authorizations Description

Destination – Connection to ITS; Delivered? – No; Type – HTTP

Description – Access to a remote R/3 system using ITS. This communication can be secured by HTTPS. For details, see the SAP NetWeaver Security Guide (available at service.sap.com/securityguide).

Destination – Connection to remote R/3 or CRM; Delivered? – No; Type – RFC; User, authorizations – A communication user or an individual user is employed

Description – Access to a remote R/3 system or CRM system using RFC. You can secure RFC with Secure Network Communication (SNC). For details, see the SAP NetWeaver Security Guide.

Destination – Connection between CRM Server and multichannel interface server; Delivered? – No; Type – RFC; User, authorizations – No communication user

Destination – Connection between multichannel interface server and agent; Delivered? – No; Type – DCOM; User, authorizations – The same CRM user is employed

Data Storage Security

Data Processed in IC WinClient

Data Where Stored When Stored Type of Access

Data – Customization data; Where stored – CRM system; When stored – Post installation; Type of access – Read/change/delete/create

Data – Application data; Where stored – CRM system; When stored – User request; Type of access – Read/change/create

Data – Application data; Where stored – BW system; When stored – Interactive scripting evaluation; Type of access – Change

The customization data can only be changed by persons with CRM customization authorization. This is normally done by the system administrator during system installation. CRM application data is protected at the individual level. Depending on the role assigned to the interaction center agent, the agent can access, create, or change the application data, for example, create a service order or update business partner data.


Security for Additional Applications

The IC WinClient uses the following dependent applications:

• SAPconnect

Internal application from SAP Basis.

SAPconnect connects to an external server to provide e-mail functionality. It may be subject to e-mail spam and virus attack. We recommend setting up an external e-mail server with e-mail spam and e-mail virus cleaning.

• External Exchange Server

Third-party application for e-mail. We recommend setting up e-mail spam and e-mail virus cleaning.

• HR (internal)

SAP internal application for building a human resources structure. The IC WinClient HR is based on the HR structure from SAP HR. In the IC WinClient, the HR module is used to assign different system privileges to different users. An IC profile, which defines the UI layout and accessible functions, is assigned to an organizational unit. Any user belonging to this organizational unit can access only the functions assigned in this profile.

• Multichannel interface

Communication management software. For details, see the Multichannel Interface for the Interaction Center (IC) WinClient installation guide (available at service.sap.com/crm-inst).

• Multichannel interface server

Synchronizes users from the CRM system, so only users existing in CRM and allowed to access multichannel functions can communicate with the multichannel interface server.

Other Security-Relevant Information

JavaScript is used extensively in the IC WinClient, for example, in the business partner search, action search, and universal inbox.

ActiveX is used in:

• Multichannel interface agent

If you disable the multichannel interface, interaction center agents cannot get call-related data such as incoming calls.

• Broadcast messaging

Broadcast messaging uses a Java plug-in. If you disable ActiveX, interaction center agents cannot receive broadcast messages from their supervisor, the supervisor cannot receive broadcast messages, and the supervisor cannot broadcast messages. The applet's security model allows the applet to connect only to the machine from which it was downloaded. The applet on the client's machine cannot access local machine information such as local files and system parameters.

Caution

It is not secure to allow ActiveX in the Web browser. An attacker could write an ActiveX control and distribute it through a Web page. Such a malicious ActiveX control could access a local machine's information, including private information.

We recommend that users set up their browsers securely to safeguard against malicious ActiveX controls. The recommended browser settings are as follows:


• Download signed ActiveX controls: Disable

• Download unsigned ActiveX controls: Disable

• Initialize and script ActiveX controls not marked as safe: Prompt

• Run ActiveX controls and plug-ins: Prompt

• Script ActiveX controls marked safe for scripting: Prompt

Trace and Log Files

The following trace and log files are provided by the IC WinClient:

• CRM related activities such as user logon and user logoff are logged in a report in the CRM system.

• E-mail using SAPconnect is traced on the CRM server.

• The multichannel interface server keeps the log information in the multichannel interface server log.

Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, quick link security. Security guides are available using the quick link securityguide.

Related Information

For more information about topics related to security, see the links shown in the table below.

Quick Links to Related Information

Content Quick Link on SAP Service Marketplace (service.sap.com)

Master guides, installation guides, upgrade guides, solution management guides – instguides, ibc

Related SAP Notes – notes

Released platforms – platforms

Network security – network, securityguide

Technical infrastructure – ti

SAP Solution Manager – solutionmanager

Broadcast Messaging Server and Client for the Interaction Center installation guide – crm-inst

Multichannel Interface for the Interaction Center (IC) WinClient installation guide – crm-inst


Interaction Center WebClient

Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

About this Guide

This guide is for the Interaction Center WebClient (application component CRM-IC).

Prior to SAP CRM 4.0 Platform Productivity Pack (SP06), the Interaction Center (IC) WebClient supports SAP Web Application Server 6.20 (ABAP and Java).

As of SAP CRM 4.0 Platform Productivity Pack (SP06), the IC WebClient supports SAP Web Application Server 6.20 (ABAP and Java) and, in addition, SAP Web Application Server 6.40 (Java).

In SAP CRM 4.0 Add-On for Service Industries, you can choose between the following configurations of the IC WebClient:

• Non-Java configuration

• Java configuration

You choose the configuration by selecting the corresponding middleware type in transaction CRMS_IC_SYSTEM_PROPS.

Related Security Guides

Application Guide Most Relevant Sections

Application – SAP Web Application Server; Guide – SAP Web Application Server Security Guide

Application – Business Communication Broker (BCB); Guide – SAP NetWeaver Security Guide; Most relevant sections – Connectivity Security Guide

Application – Software Agent Framework; Guide – SAP CRM Security Guide; Most relevant sections – Software Agent Framework [page 123]

Application – Interaction Center Manager; Guide – SAP CRM Security Guide; Most relevant sections – Interaction Center Manager [page 105]

Application – Interaction Center WinClient; Guide – SAP CRM Security Guide; Most relevant sections – Interaction Center WinClient [page 81]

Why Is Security Necessary?

Security is necessary to prevent attacks from the Internet and to protect data.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

Important SAP Notes

SAP Note Number Title Comment


SAP Note 645876 (Java configuration only) – Configuring SNC (J2EE Engine < > ABAP Using JCo)

Comment – Describes how to run the JCo connection via Secure Network Communication (SNC)

Technical System Landscape

The following figures show the architecture of the IC WebClient, depending on the configuration:

Java Configuration

[Figure: Java configuration. Components shown: Browser and Agent Workplace (Phone*); SAP Web AS Java with IC WebClient, Software Agent Framework, Broadcast Messaging Server and IC Scheduling; Communication Management Software* with Channel Management, Universal Queue, Interaction Routing, ICI Connector*, Telephony*, E-Mail*, SAPconnect Connector* and Chat*; TREX with Search Engine and Index Management Service (IMS); CRM Server Host with CRM Server; OLTP R/3 Plug-In; BW; APO; an RDBMS for each server. * = 3rd party components]

Key

Abbreviation Description

ICI – Integrated Communication Interface

RDBMS – Relational Database Management System

SAP Web AS Java – SAP Web Application Server Java

APO – Advanced Planning and Optimization

BW – SAP Business Information Warehouse

OLTP – Online Transaction Processing System

Non-Java Configuration


[Figure: Non-Java configuration. Components shown: Browser and Agent Workplace (Phone*); Communication Management Software* with Channel Management, Universal Queue, Interaction Routing, ICI Connector*, Telephony*, E-Mail*, SAPconnect Connector* and Chat*; TREX with Search Engine and Index Management Service (IMS); CRM Server Host with CRM Server; OLTP R/3 Plug-In; BW; APO; an RDBMS for each server. * = 3rd party components]

For key to abbreviations, see table above.

User Administration and Authentication

User Management

User Management Tools

Tool Detailed Description

Tool – User maintenance (transaction SU01)

Tool – Profile Generator (transaction PFCG); Detailed description – You use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.

Tool – User Management Engine (UME); Detailed description – This is mainly for defining users when running the IC WebClient in the SAP Enterprise Portal.

No user is delivered. You need to create the following users:

• System user

RFC user to connect to the back-end R/3 system

This user is optional. You can create it to execute functions in the R/3 system from the transaction launcher if you do not want to use the current logon user to connect to the back-end R/3 system. The advantage is that, because this user is for RFC use only, it has no system dialog access. Therefore, individuals cannot access the system and cause damage.


(Java configuration only) JCo user to communicate between the J2EE Engine and ABAP

• Individual users

Users on the CRM Server who can access all functions in IC WebClient scenarios

Standard tools are employed for user administration.

User

System | User | Delivered? | Type | Default Password | Detailed Description
(Java configuration only) SAP J2EE Engine | System administrator | No | System | No | For deploying J2EE application and configuring IC server
CRM system | End user | No | Dialog | INIT | Created by CRM system administrator
(Java configuration only) CRM system | JAVA_IC | No | Communication | No | Created by administrator for RFC communication between SAP J2EE Engine and CRM server
R/3 back end | End user | No | Dialog | No | Created by administrator of R/3 back end. This user is employed if you want to use the transaction launcher to access functions from R/3. (The user for launch transaction generation depends on the RFC destination: either a specific user or the RFC user.)

Java Configuration Only: J2EE 6.40

If you run the IC WebClient on J2EE 6.40, all created users are still required.

In J2EE 6.40, in order to run the IC server, the IC server servlet must run with the J2EE Engine administrator role. (The IC server is a servlet application deployed in the J2EE Engine to provide services such as alerts and multichannel management.) For details, see Java Technology in SAP Web Application Server (available on the SAP Help Portal at http://help.sap.com/).

User Data Synchronization

All data is stored in the CRM system. There is no user data synchronization.

Java Configuration Only

The JCo user created for JCo communication has to be entered into the IC WebClient server configuration. In J2EE 6.20, you do this using the Software Deployment Manager. In J2EE 6.40, you do this via Extended Configuration Management (XCM).

Integration Into Single Sign-On Environments

The application does not accept SAP logon tickets.

The application does not accept X.509 digital certificates.

When the IC agent user is integrated into the SAP Enterprise Portal, it is SSO enabled.

Authorizations

The IC WebClient uses the CRM standard for authorizations.

No roles are delivered with this application. However, one CRM back-end role (SAP_PCC_IC_AGENT) is delivered with the SAP Enterprise Portal. If you run this application in the SAP Enterprise Portal, you assign your users to this CRM back-end role.

This application restricts the users that can change system settings. Only users with authorization S_TABU_DIS can change CRM customizing.

The user JAVA_IC has authorization in mySAP CRM to allow remote function modules to be called via remote function call (RFC) (authorization object S_RFC, ACTVT 16, RFC_TYPE: FUGR).

Function Groups for SAP CRM 4.0

Release | Function Groups
SAP CRM 4.0 (Basis 6.20) | RFC1, SG00, SRFC, SUNI, SYST
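The two statements above (an RFC-only user has no dialog access; JAVA_IC needs S_RFC with ACTVT 16 and RFC_TYPE FUGR for exactly the function groups listed) can be checked offline against a user export. The following is an added example, not code from the SAP guide or from SAP: the user records are constructed in the shape of an SU01/SUIM export, and the field names follow the S_RFC authorization object (RFC_TYPE, RFC_NAME, ACTVT).

```python
"""Added example, not code from the SAP guide or from SAP: an offline audit
of an RFC-only user such as JAVA_IC. The guide says the user has S_RFC with
ACTVT 16 and RFC_TYPE FUGR and, for SAP CRM 4.0 (Basis 6.20), needs the
function groups RFC1, SG00, SRFC, SUNI and SYST; it also says an RFC user
must not have dialog access. The user records below are constructed."""

from dataclasses import dataclass, field

# Function groups the guide lists for SAP CRM 4.0 (Basis 6.20).
REQUIRED_FUNCTION_GROUPS = frozenset({"RFC1", "SG00", "SRFC", "SUNI", "SYST"})


@dataclass
class SRfcAuth:
    """One S_RFC authorization value set."""
    rfc_type: str   # "FUGR" (function group) or "FUNC" (single function)
    rfc_name: str   # name, or a prefix ending in "*" ("*" alone = everything)
    actvt: str      # "16" = execute


@dataclass
class SapUser:
    name: str
    user_type: str                      # "Dialog", "Communication", "System", ...
    s_rfc: list = field(default_factory=list)


def name_matches(pattern, name):
    """SAP authorization values match exactly or by a trailing '*' wildcard."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def rfc_call_allowed(user, function_group):
    """Simulate the S_RFC check for executing a function group over RFC."""
    return any(
        a.rfc_type == "FUGR" and a.actvt == "16" and name_matches(a.rfc_name, function_group)
        for a in user.s_rfc
    )


def audit_rfc_user(user, required=REQUIRED_FUNCTION_GROUPS):
    """Return findings for a user that should only be used for RFC.

    Checks: no dialog logon, no wildcard function-group grants, no grants
    outside the required list, and every required group executable."""
    findings = []
    if user.user_type == "Dialog":
        findings.append(f"{user.name}: user type Dialog allows interactive logon")
    for a in user.s_rfc:
        if a.rfc_type != "FUGR" or a.actvt != "16":
            continue
        if "*" in a.rfc_name:
            findings.append(f"{user.name}: wildcard S_RFC grant RFC_NAME={a.rfc_name}")
        elif a.rfc_name not in required:
            findings.append(f"{user.name}: function group {a.rfc_name} not required")
    for group in sorted(required):
        if not rfc_call_allowed(user, group):
            findings.append(f"{user.name}: required function group {group} not executable")
    return findings


# Constructed sample users: one as the guide describes, one over-privileged.
JAVA_IC_OK = SapUser(
    "JAVA_IC", "Communication",
    [SRfcAuth("FUGR", g, "16") for g in sorted(REQUIRED_FUNCTION_GROUPS)],
)
JAVA_IC_BAD = SapUser(
    "JAVA_IC", "Dialog",
    [SRfcAuth("FUGR", "*", "16")],   # over-broad grant: every function group executable
)

if __name__ == "__main__":
    for u in (JAVA_IC_OK, JAVA_IC_BAD):
        print(u.name, u.user_type, audit_rfc_user(u) or "OK")
```

The wildcard check matters because a `RFC_NAME` of `*` satisfies every required group and so passes a naive "can it call what it needs" test while granting far more than the five groups the guide names.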

Network and Communication Security

Communication Channel Security

In the IC WebClient, the following communication channels are used. Generally, Secure Sockets Layer (SSL) is used to secure HTTP and SOAP connections: HTTP and SOAP requests can be accepted only through HTTPS. This provides data protection and safeguards against intrusion.

• (Java configuration only) Communication between ABAP virtual machine (VM) to Java VM

Either JCo or SOAP is used. The user request is transferred from ABAP to Java. If you are using the multichannel interface for e-mail, chat, etc., the message is transferred from ABAP to Java.

To secure JCo, configure JCo over Secure Network Communication (SNC). For the process, see the SAP NetWeaver Security Guide (available at service.sap.com/securityguide).

To secure SOAP, configure SOAP running over HTTPS.


• Communication between CRM system and R/3 system using SAP Internet Transaction Server (ITS)

HTTP is used. If you want to configure the ITS to use HTTPS, see the SAP Web Application Server Security Guide → Internet Transaction Server Security (available at service.sap.com/securityguide). User request data is transferred to the ITS.

• Communication within the local CRM system using the People-Centric UI

HTTP is used.

• Communication between the CRM system and communication management software such as Genesys telephony or an e-mail router

The Business Communication Broker (BCB) API is used. The BCB API communicates with communication management software via SOAP. The data (such as incoming call, call attached data, e-mail) is transferred from the communication management software to the CRM system.

• Communication between browser and SAP Web AS

HTTP is used. User requests are transferred between the browser and the SAP Web AS. Login information and subsequent requests from the browser are transferred from the browser to the SAP Web AS.

• Communication to remote CRM system or remote R/3 system

RFC is used to transfer requests.

• Communication between browser and CRM server

HTTP is used to transfer user requests.

• (Java configuration only) Communication between browser and Interaction Center Java server

Socket communication based on TCP/IP is used to transfer messages from the Java server side to the browser.

• (Java configuration only) Communication between browser and broadcast messaging server

This communication is necessary only if agents use the broadcast messaging service; otherwise, it is optional.

Non-Java Configuration Only

The non-Java configuration includes the following new communication channels:

• Communication channel between components residing in different ABAP sessions of the IC WebClient

Each IC WebClient application session consists of multiple ABAP sessions running concurrently. Communication between each session is through HTTP.

To secure HTTP communication, we recommend using HTTP over Secure Sockets Layer (HTTPS).

• Communication channel between components residing in the same ABAP session of the IC WebClient through ABAP event infrastructure

• Communication between the IC WebClient and communication management software

SOAP communication is used through the business communication channel ABAP API. To secure this communication, we recommend using HTTPS. To enable communication through HTTPS, your communication management software must support HTTPS.

To start the interaction center in a secure environment, use default_https.htm to start the application. Subsequent HTTP calls then automatically use HTTPS.


Network Security

If there is a firewall between agents’ machines and the IC server / CRM Server, and if agents access the IC WebClient from another network or from the Internet by launching the interaction center BSP URL, the Business Server Page (BSP) port has to be open in the firewall.

Java Configuration Only

The IC Java part is deployed as part of the J2EE Engine. It has to be in the same domain as the CRM Server.

The IC WebClient is mainly used in an intranet scenario. In this case, the IC WebClient is set behind the firewall.

We recommend putting the CRM Server and the IC server in the high security area of your local area network (LAN) with no firewall between them. Agents’ machines can be in your company network or on the Internet. To increase security when accessing from the Internet, you can set up a demilitarized zone (DMZ). A DMZ allows access from the Internet, while the IC server/CRM Server receives requests only from the DMZ.

If there is a firewall between agents’ machines and the IC server / CRM Server, the following ports need to be opened. The TCP/IP socket port and the HTTP port are configurable.

• Port for TCP/IP communication between the browser and the IC server

Since the TCP/IP connection cannot go across a proxy, we recommend not using a proxy unless the proxy is transparent to TCP/IP communication.

• HTTP port for J2EE Engine

The IC server is deployed in the J2EE Engine. The browser sends requests and gets responses from the IC server through HTTP or SOAP. If there is a firewall between the IC server and the browser, the HTTP port has to be open.

For details, see the SAP Web Application Server Security Guide (ABAP + Java) → Network Security.
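The layout recommended above (CRM Server and IC server together in a high-security area, Internet agents entering through a DMZ, only the configurable TCP/IP socket port and the J2EE HTTP port open toward the servers) can be expressed as invariants and checked against a firewall rule set. The following is an added example, not code from the SAP guide or from SAP; the zone names, rule format and port numbers are constructed for the example.

```python
"""Added example, not code from the SAP guide or from SAP: a check of a
constructed firewall rule set against the segmentation the guide recommends
for the IC WebClient. Invariants: CRM Server and IC server sit in a
high-security area; Internet agents reach them only through a DMZ; and from
the DMZ only the required ports (the browser-to-IC-server TCP/IP socket port
and the J2EE Engine HTTP port, both configurable) are open."""

from collections import namedtuple

# src/dst are zone names; proto is "tcp"; port is an int.
Rule = namedtuple("Rule", "src dst proto port")

ZONE_INTERNET = "internet"
ZONE_DMZ = "dmz"
ZONE_HIGH = "high_security"   # CRM Server and IC server, no firewall between them

# Constructed port values; both are configurable in a real landscape.
IC_SOCKET_PORT = 4711
J2EE_HTTP_PORT = 50000
REQUIRED_PORTS = (IC_SOCKET_PORT, J2EE_HTTP_PORT)


def check_rules(rules, required_ports=REQUIRED_PORTS):
    """Return a list of findings; an empty list means the rule set is
    consistent with the recommended layout."""
    findings = []
    # 1. Nothing from the Internet may reach the high-security area directly.
    for r in rules:
        if r.src == ZONE_INTERNET and r.dst == ZONE_HIGH:
            findings.append(
                f"{r.proto}/{r.port}: Internet reaches {ZONE_HIGH} directly, bypassing the DMZ")
    # 2. From the DMZ, only the required ports may be open toward the servers.
    opened = set()
    for r in rules:
        if r.src == ZONE_DMZ and r.dst == ZONE_HIGH:
            opened.add(r.port)
            if r.port not in required_ports:
                findings.append(f"{r.proto}/{r.port}: not needed from {ZONE_DMZ} to {ZONE_HIGH}")
    # 3. Every required port must be open, or the IC WebClient cannot work.
    for p in required_ports:
        if p not in opened:
            findings.append(f"tcp/{p}: required port not open from {ZONE_DMZ} to {ZONE_HIGH}")
    return findings


# Constructed rule sets.
RULES_OK = [
    Rule(ZONE_INTERNET, ZONE_DMZ, "tcp", 443),          # agent traffic terminates in the DMZ
    Rule(ZONE_DMZ, ZONE_HIGH, "tcp", J2EE_HTTP_PORT),   # J2EE Engine HTTP port
    Rule(ZONE_DMZ, ZONE_HIGH, "tcp", IC_SOCKET_PORT),   # browser <-> IC server socket
]
RULES_BAD = [
    Rule(ZONE_INTERNET, ZONE_HIGH, "tcp", J2EE_HTTP_PORT),  # bypasses the DMZ
    Rule(ZONE_DMZ, ZONE_HIGH, "tcp", 22),                   # not required
    Rule(ZONE_DMZ, ZONE_HIGH, "tcp", IC_SOCKET_PORT),       # HTTP port is missing
]

if __name__ == "__main__":
    print("ok :", check_rules(RULES_OK) or "no findings")
    print("bad:", check_rules(RULES_BAD))
```

The third check is as important as the first two: a rule set that is "secure" but leaves the socket port closed simply breaks the agent workplace, and the guide's caveat about non-transparent proxies is the same class of problem (the socket connection fails rather than being protected).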

Communication Destinations

You have to create the following destinations:

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description
(Java configuration only) JCo connection | No | JCo | You create the user JAVA_IC for the JCo connection. This user must have authorization for RFC calls. Authorization object: S_RFC, ACTVT: 16, RFC_TYPE: FUGR | You can find this information in the installation guide for the IC WebClient. This destination is used when you choose to use JCo as the middleware.
Search connection | No | HTTP | Secure HTTP can be configured | If search is enabled, the connection has to be set (see the installation guide for the Software Agent Framework).
Remote CRM connection | No | RFC | Secure RFC can be configured | Communication to remote R/3 or remote CRM
R/3 connection | No | RFC | Secure RFC can be configured | Communication to R/3 system to retrieve employee data

Non-Java Configuration Only

An additional communication destination is added for HTTPS.

Destination | Delivered? | Type | User, Authorizations | Description
(Non-Java configuration only) SSL_CONNECTION | No | RFC | SSL is activated | Created by system administrator for setting up communication between different IC WebClient sessions (agent session, worker session, or SAPphone session)

Data Storage Security

Stored Data

Data | Where Stored | When Stored | Type of Access
Customization | SAP Web AS database | Post installation | Read/write/change/delete, only by user with CRM customization authorization
(Java configuration only; valid only for J2EE 6.20) J2EE system registry | Web.xml | During installation | Read/change, only by user with J2EE administrator rights
(Java configuration only; valid only for J2EE 6.40) J2EE system registry | J2EE Engine server directory <j2eeInstance>\SYS\global\xcm\com.sap.ic | During installation | Read/change, only by user with J2EE administrator rights
Application data | SAP Web AS database | IC user logon/request | Read/write/change/delete
Generated class | SAP system | During customizing of transaction launcher | Read/write/change/delete
Configuration | SAP system | Post installation | Read/write/change

The IC WebClient supports/requires a Web browser as the user interface. Cookies are used to store data at the front end. The data is stored on the CRM Server.


With regard to data, no special protection is required for the IC server because no private user data or sensitive data is stored on the IC server.

No particular measures are necessary to protect cookies because no sensitive data is stored.

No data is stored on the client side.

All data stored in the CRM system is protected by the CRM back end.

Non-Java Configuration Only

The Simple ABAP Messaging (SAM) component stores the HTTP(S) URLs of the different ABAP sessions of the IC WebClient as server-side cookies. (Each IC WebClient application session consists of multiple ABAP sessions running concurrently.) Each URL contains the session ID of the ABAP session. This data is not very sensitive and is not accessible from outside the current Web AS, so there is no severe security risk. The information is removed from the server-side cookie if and when the application session has shut down correctly.

Security for Additional Applications

The following additional applications are associated with the IC WebClient or delivered with it:

• Communication management software (for example, Genesys, AMC)

Has its own authentication and authorization mechanism to ensure security.

• (Java configuration only) JCo

For detailed information on JCo security, see the SAP NetWeaver Security Guide.

• SAPBASLIB

• Business Communication Broker (BCB)

There are no settings in other applications within the system landscape that are important for the security of this application.

There are no particular front-end clients that deviate from the standard SAP system.

Additional Applications

Additional Application | Vendor | Security Guide | Special Security Settings
JCo | SAP internal | SAP NetWeaver Security Guide | No
SAPBASLIB | SAP internal | None necessary (collection of .jar files) | No
ITS | SAP internal | SAP NetWeaver Security Guide | No
People-Centric UI | SAP internal | SAP CRM Security Guide: People-Centric User Interface (PC UI) [page 148] | To use a People-Centric UI based application within the IC WebClient, users must have authorization to start the People-Centric UI based application.
BCB | SAP internal | SAP NetWeaver Security Guide | No

Other Security-Relevant Information

Active Code

Active Code | Location | Functions Disabled Without This Active Code
(Java configuration only) Java applet | Interaction Center messaging service | Alerts, e-mail, chat
(Java configuration only) Java applet | SAPphone |
(Java configuration only) Java applet (SUN JVM) | Broadcast messaging service | Broadcast supervisor
Java applet | Interactive scripting editor | Interactive scripting editor
JavaScript | Widely used in front end | Messaging framework

All users must ensure that the scripting Java applet is enabled in their Internet browser.

Trace and Log Files

Trace and log information (icserver*.log) is available in the CRM Server and (Java configuration only) in the J2EE Engine.

Java Configuration Only: J2EE 6.40

The log files are protected and cannot be accessed from the URL. Only the J2EE administrator can access the trace and log files.

Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, Quick Link security. Security guides are available using the Quick Link securityguide.

Related Information

For more information about topics related to security, see the links shown in the table below.

Quick Links to Related Information

Content | Quick Link on the SAP Service Marketplace (service.sap.com)
Master guides, installation guides, upgrade guides, solution management guides | instguides, ibc
Related SAP Notes | notes
Released platforms | platforms
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager

E-Mail Response Management System

Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

The E-Mail Response Management System (ERMS) is a powerful tool for managing massive amounts of e-mail. The ERMS consists of, for example:

• Services for automatically organizing incoming e-mail (by language, topic, country, department, and so on) by routing it to the correct processor

• Services for sending personalized and contextual acknowledgements and automatic responses

• Facilities for helping interaction center agents to efficiently assemble a reply to the e-mail sender

• Monitoring and reporting capabilities

In addition, the ERMS offers a rich set of application programming interfaces (APIs) to allow you to meet your particular needs. For example, the APIs make it possible to write custom actions for handling an incoming e-mail in a certain way, and for collecting information about the person sending the e-mail from any system.

About this Guide

This guide is for the E-Mail Response Management System (application component CRM-IC-EMS). The E-Mail Response Management System (ERMS) is based on SAP Web Application Server (SAP Web AS) 6.20 and CRM 4.0. The ERMS runtime runs on top of the workflow system. The design time uses the People-Centric UI framework.

The ERMS was introduced with SAP CRM 4.0 Add-On for Service Industries.

Related Security Guides

Application | Guide | Most Relevant Sections
SAP Web Application Server | SAP Web Application Server Security Guide |
People-Centric UI | SAP CRM Security Guide | People-Centric User Interface (PC UI) [page 148]
Workflow | SAP Web Application Server Security Guide |

Why Is Security Necessary?

The ERMS deals primarily with e-mail. Because of the openness of this communication channel (anybody can send an e-mail to this system), it is important to take the necessary measures to:

• Ensure high availability of the system (that is, make sure the system is not brought down by massive numbers of requests)

• Protect the system from malicious e-mails containing viruses

• Make sure the incoming e-mail is read or processed only by the intended recipients


Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

Technical System Landscape

The following figure shows the architecture of the ERMS.

The entry point to the ERMS runtime is SAPconnect. Once an e-mail is received by SAPconnect, it hands over the e-mail item to the ERMS BOR object ERMSSUPRT2. This starts the execution of workflow ERMS1. You associate an e-mail address in the system with this ERMS BOR object in transaction SO28.

Once the workflow is started, it invokes the ERMS service manager which is the core of the ERMS runtime.

User Administration and Authentication

User Management

User Management Tools

Tool | Detailed Description
User maintenance (transaction SU01) |
Profile Generator (transaction PFCG) | You use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.

No user is delivered. You need to create the following users:

• WF-BATCH

User under which the workflow system executes

• Individual users

In addition to the above workflow user, it is necessary to:

Give the system administrator access to the modeling tools available for the ERMS

Create users for interaction center agents so that they can access the system and process incoming e-mails

User

System | User | Delivered? | Type | Default Password | Detailed Description
CRM system | ERMS administrator | No | Dialog | No | For using tools such as the rule modeler, category modeler, and ERMS reports
CRM system | Interaction center agent | No | Dialog | INIT | Created by CRM system administrator, to allow agents to respond to e-mails
SAP Business Information Warehouse | ERMS administrator or interaction center manager | No | Dialog | No | For access to ERMS reports in SAP BW

The user with a default password is required to log into the system to change the default password.

User Data Synchronization

Reporting data is stored initially in CRM. For historic reporting, it must be transferred to the BW system.

Integration Into Single Sign-On Environments

Single sign-on is supported if the ERMS tools are run in the enterprise portal.

Authorizations

The ERMS uses the CRM standard for authorizations.


To enable ERMS administrators to use the ERMS design time tools, you must assign them (using transaction PFCG) to CRM role SAP_PCC_ERMS_ADMIN. This role includes the necessary authorization to access:

• Rule modeler

• Category modeler

• ERMS reporting

Network and Communication Security

Communication Channel Security

The preferred way to configure your system is to have a general-purpose e-mail server such as Microsoft Exchange receive the mail, then apply filtering tools for spam and viruses, and only at the end hand the e-mail over to CRM ERMS for processing.

Because SAPconnect uses SMTP for receiving e-mails, another (but not recommended) way to configure your system is to send e-mail directly to the CRM system and have it processed by the ERMS. For information on SAPconnect, see SAP Note 738326.
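The filtering stage that the preferred configuration places in front of SAPconnect is where the three goals named under "Why Is Security Necessary?" (availability, no malicious content, intended recipients only) are enforced. The following is an added example, not code from the SAP guide and not ERMS code: a small acceptance gate of that kind, with constructed addresses, limits, attachment deny list and sample traffic. It assumes that the set of addresses mapped to ERMS in transaction SO28 has been exported into the gate's configuration.

```python
"""Added example, not code from the SAP guide and not ERMS code: a minimal
acceptance gate of the kind the filtering stage in front of SAPconnect/ERMS
applies. It covers the three goals the guide gives for ERMS security:
availability (cap messages per sender in a time window), no malicious
content (reject executable attachment types) and intended recipients only
(accept mail only for addresses registered for ERMS). Addresses, limits,
the deny list and the sample messages are all constructed."""

import os
import time
from collections import defaultdict, deque

# Constructed: addresses that are mapped to the ERMS BOR object in the CRM system.
ERMS_ADDRESSES = frozenset({"support@example.com", "sales@example.com"})
# Constructed deny list of attachment extensions treated as executable content.
BLOCKED_EXTENSIONS = frozenset({".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js"})
RATE_LIMIT = 5        # messages per sender ...
RATE_WINDOW = 60.0    # ... within this many seconds


class InboundGate:
    """Decides whether a message may be handed to SAPconnect for ERMS."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable for deterministic tests
        self._recent = defaultdict(deque)   # sender -> timestamps of accepted mail

    def check(self, sender, recipient, attachments=()):
        """Return (accepted, reason)."""
        if recipient.strip().lower() not in ERMS_ADDRESSES:
            return False, "recipient is not an ERMS address"
        for filename in attachments:
            ext = os.path.splitext(filename.lower())[1]   # catches name.pdf.exe as well
            if ext in BLOCKED_EXTENSIONS:
                return False, f"blocked attachment type {ext}"
        window = self._recent[sender.strip().lower()]
        now = self._clock()
        while window and now - window[0] > RATE_WINDOW:   # drop timestamps outside the window
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False, "sender exceeded rate limit"
        window.append(now)
        return True, "accepted"


# Constructed sample traffic: (sender, recipient, attachments, seconds offset).
SAMPLE_MESSAGES = [
    ("alice@customer.example", "support@example.com", ["photo.jpg"], 0.0),
    ("alice@customer.example", "admin@example.com", [], 1.0),
    ("mallory@customer.example", "support@example.com", ["invoice.pdf.exe"], 2.0),
] + [("bot@flood.example", "sales@example.com", [], 3.0 + i) for i in range(6)]


def run_sample(messages=SAMPLE_MESSAGES):
    """Run the gate over the sample with a fake clock; return the decisions."""
    current = [0.0]
    gate = InboundGate(clock=lambda: current[0])
    decisions = []
    for sender, recipient, attachments, offset in messages:
        current[0] = offset
        decisions.append(gate.check(sender, recipient, attachments))
    return decisions


if __name__ == "__main__":
    for msg, (ok, why) in zip(SAMPLE_MESSAGES, run_sample()):
        print("ACCEPT" if ok else "REJECT", msg[0], "->", msg[1], why)
```

The recipient check is listed first deliberately: it is the cheapest test and it is what distinguishes the recommended setup from the direct-SMTP alternative, where anything delivered to the CRM system's SMTP port is handed to ERMS. In production the rate-limit state would live in the mail server or filter, not in a process-local dictionary.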

Data Storage Security

Stored Data

Data | Where Stored | When Stored | Type of Access | Who Can Access It
E-mail document | CRM system → Business Workplace persistence | When e-mail arrives | Read/delete | ERMS routes the e-mail to an organizational unit. Users in that organization can access the e-mail document.
ERMS fact base | CRM system → Workflow container | When ERMS processes an e-mail | Read/write/delete/change | ERMS; ERMS administrator in ERMS log, or transaction SWI1 (only in read mode)
ERMS rules | CRM system → ERMS repository (customizing data) | When rules are maintained | Read/write/delete/change | ERMS administrator
ERMS configuration | CRM system → ERMS repository (customizing data) | During configuration | Read/write/delete/change | ERMS administrator; person customizing CRM
ERMS reporting data | CRM system → ERMS reporting data | At different points during e-mail processing (manual and automatic), and when ERMS reporting data is maintained | Read/write/delete/change | ERMS administrator; interaction center manager

Trace and Log Files

Log information is available through transaction CRM_ERMS_LOGGING. The log provides the following information:

• Services invoked by ERMS service manager

• Data gathered by ERMS services

• Rules evaluated

• Categories assigned

• Execution times for different services

Interaction Center Manager

Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

About this Guide

The Interaction Center (IC) Manager runs in the SAP Enterprise Portal. The IC Manager includes the following components:

• (People-Centric UI based) Call List Execution and Maintenance (application component CRM-IC-CAL)

• Manager Dashboard (application component CRM-IC-MDB, CRM-CIC-MDB)

• Interaction Center analytics, including interaction statistics and interactive scripting (application component CRM-ANA-IC)

Related Security Guides

Application | Guide
SAP Web Application Server | SAP Web Application Server Security Guide
SAP Enterprise Portal 6.0 | SAP Enterprise Portal 6.0 Security Guide
SAP Enterprise Portal 5.0 | SAP Enterprise Portal 5.0 Security Guide

Why Is Security Necessary?

Security is necessary to prevent attacks from the Internet and to protect data.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

SAP Note Number | Title
645876 | Configuring SNC (J2EE Engine < > ABAP Using JCo)

User Administration and Authentication

User Management

The IC Manager employs standard user management tools to maintain users. See the following table:

User Management Tools

Tool | Detailed Description
User maintenance (transaction SU01) |
Profile Generator (transaction PFCG) | You use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.
User Management Engine (UME) | This is mainly for defining users when running the IC Manager in the SAP Enterprise Portal.

No standard users are delivered. You need to create the following users:

• CRM user

If users want to access IC Manager functions, we recommend that your system administrator create the users and assign them to role SAP_PCC_IC_MANAGER (see also Authorizations). All functions for the IC Manager are defined in this role.

• Portal user

The portal role is embedded in the IC Manager business package which you can download from iViewStudio.

A portal may have several back-end systems like CRM, BW. The portal user is mapped to the back-end CRM or BW system, but the back-end users are invisible to the portal users.

Users in CRM can access all functionality on the People-Centric UI of Call List Management / Dashboard.

We recommend that newly created users with an initial password log on to the back-end system and change the initial password.

User

System | User | Delivered? | Type | Default Password | Detailed Description
SAP Enterprise Portal | End user | No | Dialog | | Created by portal administrator
CRM system | End user | No | Dialog | INIT | Created by CRM system administrator
BW system | End user | No | Dialog | INIT | Created by BW system administrator

User Data Synchronization

All data is stored in the CRM system. There is no user data synchronization.

Integration Into Single Sign-On Environments

The application accepts SAP logon tickets.

The application does not accept X.509 digital certificates.

When the CRM user or BW user is integrated into the SAP Enterprise Portal, it is SSO enabled.

Authorizations

The Interaction Center Manager uses the CRM standard for authorizations.


No roles are delivered with this application. However, one back-end role (SAP_PCC_IC_MANAGER) is delivered with the CRM back end. This role corresponds to the Interaction Center Manager role which is delivered with several versions of the CRM business package. If you run this application in the SAP Enterprise Portal, you assign your users to these roles.

Network and Communication Security

Communication Channel Security

In the dashboard application, RFC/JCo is the communication channel to retrieve data from the CRM application server. For more information, see SAP Enterprise Portal (EP) Security Guides → Portal Platform Security Guide.

Network Security

It is possible to operate the different components/elements of this application in different network segments.

Broadcast messaging uses a TCP/IP socket. This port is configurable; the default for broadcast messaging is port 10001. The broadcast messaging supervisor and the messaging service use socket communication. Normally, you cannot put a firewall between server and client unless the system administrator opens the particular port for communication. See Interaction Center WinClient [page 81] → Network Security → Broadcast Messaging.

Dashboard uses messaging service. The socket port is configurable.

Communication Destinations

For the minimum authorization required by the communication user for RFC/JCo connections, see the Portal Platform Security Guide.

You need to create the following destinations.

Connection Destinations

Destination | Delivered? | Type | User, Authorizations
JCo/RFC connection | No | JCo | Dashboard uses IContextService to connect to CRM system

Data Storage Security

No temporary data is stored.

The application supports/requires a Web browser as the user interface.

Broadcast messaging uses cookies to store some UI favorites on the client side. This data stays there unless it is manually deleted. No sensitive data is stored in the cookie so no particular measures to protect the cookie are required.

Dashboard stores personalization data (for example, application layout) on the client side. This data does not require further security protection.

Security for Additional Applications

There are no settings in other applications within the system landscape that are important for the security of this application.

Additional Applications

Additional Application | Vendor | Security Guide | Special Security Settings
JCo | SAP internal | SAP NetWeaver Security Guide | No
SAP Enterprise Portal | SAP internal | SAP NetWeaver Security Guide | No
People-Centric UI | SAP internal | SAP CRM Security Guide: People-Centric User Interface (PC UI) [page 148] | To use a People-Centric UI based application within the IC Manager, users must have authorization to start the People-Centric UI based application.

Other Security-Relevant Information

If your security policy does not allow the use of active code, you cannot use the dashboard.

Generally speaking, using active code such as applets and ActiveX controls poses a security risk.

Active Code

Application | Active Code | Functions Affected
Dashboard | MSXML.dll | Supervisor dashboard
Broadcast messaging | Java plug-in | Broadcast messaging supervisor cannot be started
Broadcast messaging | ActiveXObject | Broadcast messaging supervisor cannot retrieve organization unit and distribution list
Interactive scripting editor | Java plug-in | Interactive scripting editor cannot be started

Trace and Log Files

The SAP Enterprise Portal standard is used for tracing and logging at system level and application level.

Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, quick link security. Security guides are available using the quick link securityguide.

Related Information

For more information about topics related to security, see the links shown in the table below.

Quick Links to Related Information

Content | Quick Link on SAP Service Marketplace (service.sap.com)
Master guides, installation guides, upgrade guides, solution management guides | instguides, ibc
Related SAP Notes | notes
Released platforms | platforms
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager

Interaction Center: Workforce Management Services

Introduction

Security information for the following two functions of Interaction Center Workforce Management is covered in this topic:

• Interaction Center Agent Scheduling

• Multisite Workforce Deployment

The components of Multisite Workforce Deployment and Interaction Center Agent Scheduling run on the J2EE Engine and can be accessed through the SAP Enterprise Portal.

To be able to access the Java Naming and Directory Interface (JNDI) and the JMS service of the J2EE Engine, Multisite Workforce Deployment and Agent Scheduling must be configured with the proper user name and password, and the connection information to the corresponding SAP R/3 system.

User Administration and Authentication

User Management

Listed in the table below are the tools and functions used to manage users:

Tool | Detailed Description | Prerequisites
Portal AdminCenter for the following two roles: User, Portal Administrator | Portal user administration | SAP Enterprise Portal must be running
SU01 – SAP R/3 transaction | SAP R/3 user administration | SAP R/3 must be running
PFCG – SAP R/3 transaction | SAP R/3 role administration | SAP R/3 must be running
Multi-Site Workforce Deployment - Web Administration Tool | Calculation Server – JMS and SAP R/3 users. For more information, refer to the topic Configure Calculation Servers of Workforce Management Services on Help Portal. | The Calculation Server for Multi-Site Workforce Deployment must be deployed.
Interaction Center Agent Scheduling - Web Administration Tool | Calculation Server – JMS and SAP R/3 users. For more information, refer to the topic Configure Calculation Servers of Workforce Management Services on Help Portal. | The Interaction Center Agent Scheduling Calculation Server must be deployed.

There are four situations where user configuration must be performed. Unlike portal administration, this configuration refers to technical users (users needed by the application to function). The application acts as:

• A JNDI user, when reading the configuration from the JNDI tree

• A JMS user, when using the JMS queues

• An SAP R/3 user, when accessing its own data stored in the SAP R/3 system

• JNDI or JMS user for Multisite Workforce Deployment

Other Users

Other necessary users for both Multisite Workforce Deployment and Interaction Center Agent Scheduling are created for the:

• SAP Web Application Server

• Calculation Servers

Users for SAP Web Application Server

These users are created after the SAP Web Application Server is deployed.

• JNDI and JMS user

This user is maintained using the Extended Configuration Manager (XCM). The profile is created during the Calculation Server deployment through Software Delivery Manager (SDM) and is stored in the web.xml file.

Users for Calculation Servers

• JMS user

This user is maintained in the Workforce Management Calculation Services. On the JMS tab, you can enter the name of the J2EE Engine and JMS user name and password. This is needed because the J2EE Engine’s JMS service is used by the Multisite Workforce Deployment and Interaction Center Agent Scheduling.

• SAP R/3 user

This user is also maintained in the Workforce Management Calculation Services. On the Security tab, you can enter an SAP R/3 system with a user name and password. This is in order for the application to access the SAP R/3 system for its data related tasks.

For more information about calculation services, refer to Workforce Management Services on Help Portal.

Integration Into Single Sign-On Environments

Multisite Workforce Deployment and Interaction Center Agent Scheduling support single sign-on through the SAP Enterprise Portal. They accept SAP logon tickets and X.509 digital certificates.

Authorizations

These two functions can be accessed through the SAP Enterprise Portal. They use two roles:

• User

This is a role of a regular portal user, who accesses the business functionality of the application. This role is mapped to a regular SAP R/3 user (dialog type).

• Portal Administrator

A role that is meant to access the administrative part of the application. This role is also mapped to a regular SAP R/3 user of dialog type.

The portal administrator must be given access to the portal iView containing the Multisite Workforce Deployment - Web Administration Tool.

Network and Communication Security

Communication Channel Security

Multisite Workforce Deployment and Interaction Center Agent Scheduling use the following communication channels:

• RFC/JCo to connect to SAP R/3

This is mainly used for transferring application data.

• JNDI/JMS to connect to J2EE Engine JNDI & JMS Services

This is mainly used to issue commands and transfer application data.

• HTTP/HTTPS for User Interaction and Inter-Calculation Server node Communication

Again, this is mainly used to issue commands and transfer application data.

All of the communication channels listed above are protected by user name and password.

Network Security

These functions also use HTTP/HTTPS and P4 ports since they are:

• Configured for the SAP J2EE Engine

• Used to access the SAP R/3 system for data access

Data Storage Security

The application data is:

• Stored in SAP R/3 and the application configuration data is stored in J2EE Engine JNDI Service

• Accessible through the web browser and SAP GUI. No persistent cookies are used at any time.

Other Security-Relevant Information

Multisite Workforce Deployment and Interaction Center Agent Scheduling use JavaScript in the web browser due to their complex user interface requirements. Hence, JavaScript must be enabled in the web browser in order to provide proper functionality.

Trace and Log Files

These functions also use the standard J2EE Engine logging and tracing mechanism. Therefore, the access to and protection of the log and trace files is managed by the J2EE Engine.

Channel Management

Channel Sales Management for High Tech

Introduction

This section provides security-relevant information on the following functions in CRM Channel Sales Management:

• Design Registration (Based on Enterprise CRM Opportunities)

• Channel Inventory Management

• Resale Tracking & Claim Management

• Price Protection

• Sell-In (Sales to Channel Partner)

• Transmission Management

User Administration and Authentication

User Management

User Management Tools

Tools | Detailed Description | Prerequisites
SU01 | Refer to the Users and Roles section in the Technical Operations Manual for mySAP Technology in the Help Portal (help.sap.com) under SAP R/3 and R/3 Enterprise. | 
Portal Role – Channel Manager / Channel Partner | Technical name (Channel Manager): com.sap.pct.crm.v02.channelmanager. Technical name (Channel Partner): com.sap.pct.crm.v02.channelpartner. For a detailed description, refer to the Business Package for Channel Management in CRMHighTech 50.2 under mySAP Customer Relationship Management in the Help Portal (help.sap.com). | 

User Types

Channel Sales Management uses the Individual Users user type, such as:

• Dialog users


• Background users

The customers must create:

• Individual users to use the delivered standard processes

• Initial identification parameters, such as the password and certificate for the users

This is not performed by SAP.

Network and Communication Security

Communication Channel Security

Channel Sales Management uses the following communication channels:

• RFC

• SM59

• BDoc type: PROJECT

• ABAP SQL for the connection to database

Data Storage Security

The data is stored in the CRM database with the following access rights:

• Read

• Write

• Delete

• Change

• Query

CRM Channel Sales uses the PC UI as the web browser user interface. For more information related to the security of PC UI, see People-Centric CRM [page 146].

Contracts and Chargeback for Pharmaceutical

Introduction

This section provides security-relevant information on the following functions in CRM Contracts and Chargeback:

• Chargeback

• Sell-In (Sales to Channel Partner)

• Transmission Management

User Administration and Authentication

User Management

User Management Tools

Tools | Detailed Description | Prerequisites
SU01 | Refer to the Users and Roles section in the Technical Operations Manual for mySAP Technology in the Help Portal (help.sap.com) under SAP R/3 and R/3 Enterprise. | 
Portal Role – Contract Administrator / Chargeback Analyst | Technical name (Contract Administrator): com.sap.pct.ispha.cpc.contractadmin. Technical name (Chargeback Analyst): com.sap.pct.ispha.cpc.chargebackanalyst. For a detailed description, refer to the Business Package for Commercialization in CRMHighTech 50.2 under mySAP Customer Relationship Management in the Help Portal (help.sap.com). | 

User Types

Contracts and Chargeback uses the Individual Users user type, such as:

• Dialog users

• Background users

The customers must create:

• Individual users to use the delivered standard processes


• Initial identification parameters, such as the password and certificate for the users

This is not performed by SAP.

Network and Communication Security

Communication Channel Security

Contracts and Chargeback uses the following communication channels:

• RFC

• SM59

• BDoc type: BUS_CMSCON_MSG

• ABAP SQL for the connection to database

Data Storage Security

The data is stored in the CRM database with the following access rights:

• Read

• Write

• Delete

• Change

• Query

CRM Enterprise Sales uses the PC UI as the web browser user interface. For more information related to the security of PC UI, see People-Centric CRM [page 146].

SAP CRM Powered by SAP NetWeaver

CRM Server

Introduction

This section explains the security aspects associated with the data present in the CRM server. The CRM Middleware, which is an integral part of the CRM server, is based on the following components:

• CRM Server

• R/3 Backend System

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions
CRM Server | SAP Web Application Server 6.20 Security Guide | 
R/3 Backend System | SAP Web Application Server Security Guide | 

Why Is Security Necessary?

To ensure:

• Data consistency

The data in the CRM server can become inconsistent if, for example:

– The queues are deleted on the CRM server

– BDoc messages are reprocessed or set to deleted

If the processing of the R & R (Replication and Realignment) queues takes a long time, do not delete the entries present in the queues. Correcting the resulting inconsistencies in the lookup tables is time-consuming because the data volume increases significantly, and in some cases a complete new processing of all object instances is required. If inconsistencies in the data distribution are caused by a customer's unauthorized interference with queue processing, SAP is not responsible for them. SAP recommends that stringent measures be followed before assigning authorizations for transaction SMOHQUEUE.

• Data protection

You must prevent unauthorized access to the data in BDoc messages, whether through transaction SMW01 or directly in the qRFC queues.

Important SAP Notes

Check the SAP Notes that are applicable to the security of the application on a regular basis.

SAP Note Number | Title | Comment
338537 | RFC user authorization for data exchange between R/3 back end <-> CRM | 
622722 | Authorization error during BDoc processing | 
593551 | Composite roles for CRM Middleware | 

User Administration and Authentication

User Management

System | User | Delivered? | Type | Default Password | Detailed Description
R/3 Backend System | RFC User to the CRM Server | No | Communication | | IMG
CRM Server | RFC User to the R/3 Backend | No | Communication | | IMG

Authorizations

The CRM Middleware delivers different roles for the Middleware administrator, the Middleware developer, and CRM Middleware consultants. For more information, refer to SAP Note 593551.

General CRM Middleware Roles

The following table lists the composite roles that are available for CRM Middleware:

Role | Description
SAP_CRM_MW_ADM | SAP CRM Middleware Administrator
SAP_CRM_MW_CUSTOMIZING | Customizing steps for CRM Middleware (single role)
SAP_CRM_MW_DEV | SAP CRM Middleware Developer

Each role contains single roles. For details, refer to Role Maintenance (transaction PFCG).

The transactions along with their assigned roles are explained as follows:

BDoc Summary, Transactions R3AC1, R3AC3, R3AC5

Role | Description
SAP_CRM_MW_ADP_ADMINISTRATOR | Authorizations for starting an initial load
SAP_CRM_MW_ADP_CUSTOMIZER | Authorizations for transaction codes R3AC1, R3AC3, and R3AC5

BDoc Summary, Transaction SMW01

It is possible to deactivate the buttons Reprocess BDoc message and Mark to be deleted. The authorization object CRM_MW_FC is checked; the values queried are 16 (for Reprocess BDoc Message) and 06 (for Mark to be deleted).

The following table lists the roles that are available for BDoc processing:

Role | Description
SAP_CRM_MWSMW_DELETE | Check authorization to delete BDoc messages
SAP_CRM_MWSMW_RETRY | Check authorization to retry the processing of BDoc messages

Inbound and Outbound Queues, Transactions SMQ1 / SMQ2

It is possible to disable the deletion of entries from the inbound or outbound queues. Refer to SAP Note 93254 for the activation of the authorization check for deletion from the RFC queues.

BDoc Modeler, Transaction SBDM

The following table lists the roles that SAP delivers:

Role | Description
SAP_CRM_BDM_ACTIVATE_ALL | BDoc Modeler – Activate all BDoc types
SAP_CRM_BDM_CHANGE_ALL | BDoc Modeler – Change all BDoc types
SAP_CRM_BDM_CHECK_ALL | BDoc Modeler – Check all BDoc types
SAP_CRM_BDM_DELETE_ALL | BDoc Modeler – Delete all BDoc types
SAP_CRM_BDM_DISPLAY_ALL | BDoc Modeler – Display all BDoc types
SAP_CRM_BDM_GENERATE_ALL | BDoc Modeler – Generate all BDoc types
SAP_CRM_BDM_RELEASE_ALL | BDoc Modeler – Release all BDoc types
SAP_CRM_BDM_SYNC_BDOCS | BDoc Modeler – Synchronization BDoc types
SAP_CRM_BDM_MESSAGING_BDOCS | BDoc Modeler – Messaging BDoc types
SAP_CRM_BDM_MOBILE_APPL_BDOCS | BDoc Modeler – Mobile Application BDoc types

Queue Processing

Follow the instructions provided in SAP Note 622722. This ensures that the inbound queues are processed by a user with the required authorizations. For all other dialog users, distinguish power users, who are aware of the consequences of deleting a queue entry or setting stop entries, from the rest.

Network and Communication Security

Communication Destinations

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description
RFC destinations for the R/3 target systems (R/3 Backend, BW, APO) | No | RFC connection | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Create RFC Users. We recommend the SAP_ALL authorization profile. | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Define RFC Destinations. For more information, see SAP Note 338537.
RFC destinations for non-R/3 target systems | No | RFC destination | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Create RFC Users. We recommend the SAP_ALL authorization profile. | Refer to the IMG documentation under Customer Relationship Management → CRM Middleware and Related Components → Communication Setup → Define RFC Destinations.

Software Agent Framework

Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

About this Guide

This guide is for the compilation service and search service of the Software Agent Framework (CRM-BF-SAF).

As of SAP CRM 4.0 SP06, the Software Agent Framework (SAF) is integrated in J2EE Engine 6.40. The SAF's Java code is unchanged, and all security measures described below remain the same as for 6.20.

In SAP CRM 4.0 Add-On for Service Industries, you can choose between the following configurations of the SAF:

• Non-Java configuration

This is the default configuration. All security follows the standard CRM security.

• Java configuration

In this alternative configuration, the SAF’s Java code line is the same as in SAP CRM 4.0 SP06. Any special security considerations are indicated accordingly in the information below.

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions
Interaction Center (IC) WebClient | mySAP CRM Security Guide | Interaction Center WebClient [page 90]
Search and Classification (TREX) | SAP Knowledge Management Security Guide | Search and Classification (TREX) Security Guide

Why Is Security Necessary?

Data protection is important for this application because the SAF can integrate various knowledge bases, some of which could contain sensitive information such as business partner information.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

Technical System Landscape

The major differences in the technical system landscape are as follows:

• In SAP CRM 4.0 support packages, the Software Agent Framework (SAF) requires Java components for search and indexing in J2EE. The main communications include:

– CRM Server to SAF Java server via JCo or HTTP

– SAF Java server to TREX server via HTTP

• In SAP CRM 4.0 Add-On for Service Industries, the Java configuration of the SAF has the same landscape as the SAP CRM 4.0 support packages.

• In SAP CRM 4.0 Add-On for Service Industries, the non-Java configuration of the SAF does not require the SAF’s Java components. The main communications include CRM Server to TREX server via TCP/IP.

For detailed information, see Interaction Center WebClient [page 90] → Technical System Landscape.

User Administration and Authentication

User Management

The SAF does not have user management tools of its own. You can use the standard ABAP user maintenance transaction SU01 to maintain users.

Java Configuration Only

The administrator must create a user in the CRM system. By default, the Web application deployed on the J2EE assumes that the user JAVA_IC (password CI_AVAJ) has been created in CRM. However, the administrator may choose to create another user and/or another password, and change the user configuration for the Web application. For details, see the installation guide for the Software Agent Framework (available on the SAP Service Marketplace at http://service.sap.com/crm-inst).

System | User | Delivered? | Type | Default Password | Detailed Description
CRM | JAVA_IC | No | Communication user | CI_AVAJ | Software Agent Framework installation guide

User Data Synchronization

It is not necessary to synchronize the user data with other data sources.

Integration Into Single Sign-On Environments

This application does not accept SAP logon tickets or X.509 digital certificates.

Authorizations

Communication User (Java Configuration Only)

The communication user JAVA_IC is necessary for the Java configuration to communicate with the SAF Java server. It is not necessary for the non-Java configuration.

The communication user JAVA_IC (or another communication user chosen by the SAF installer) must have authorizations in mySAP CRM that allow function modules to be called via remote function call (RFC) (authorization object S_RFC, ACTVT: 16, RFC_TYPE: FUGR).

Function Groups for SAP CRM 4.0

Release | Function Groups
SAP CRM 4.0 (Basis 6.20) | RFC1, SG00, SRFC, SUNI, SYST

Additionally, the communication user must have authorizations for the following function groups:

• CRM_GENIL_RFCL

• CRM_EI_RFCL

• CRM_EI_ICS_RFC
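The two lists above (the Basis function groups for SAP CRM 4.0 and the three CRM-specific groups) together define the whole RFC surface the SAF communication user needs. The following Python script is an added example, not SAP code and not part of this guide: it checks an authorization export for that user against the list, reports required function groups that no S_RFC authorization covers, and flags generic RFC_NAME values (wildcards or ranges) that grant more than the listed groups. The export rows and role names are constructed for the example; RFC_NAME is the S_RFC field that holds the function group name and is not mentioned on this page. The script does not connect to an SAP system.

```python
"""Least-privilege check for the SAF communication user's S_RFC authorizations.

Added example, not part of the SAP guide. Input is a constructed, in-memory
export of PFCG authorization values (role, object, field -> value ranges);
a real check would read such rows from the ABAP system instead.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Function groups the guide lists for the communication user on
# SAP CRM 4.0 (Basis 6.20), plus the three CRM-specific groups.
REQUIRED_FUGR = frozenset({
    "RFC1", "SG00", "SRFC", "SUNI", "SYST",
    "CRM_GENIL_RFCL", "CRM_EI_RFCL", "CRM_EI_ICS_RFC",
})

Range = Tuple[str, str]  # (low, high); high == "" means a single value or pattern


@dataclass
class Authorization:
    role: str
    obj: str                        # authorization object, e.g. "S_RFC"
    fields: Dict[str, List[Range]]  # field name -> value ranges


def covers(low: str, high: str, name: str) -> bool:
    """True if one S_RFC value (exact name, '*'/'+' pattern or LOW..HIGH
    range) grants the function group `name`."""
    if high:
        return low <= name <= high
    return fnmatchcase(name, low.replace("+", "?"))


def is_generic(low: str, high: str) -> bool:
    """A range or a pattern grants more than one specific function group."""
    return bool(high) or "*" in low or "+" in low


def audit_s_rfc(auths: List[Authorization], user_roles, required=REQUIRED_FUGR):
    """Return {'missing': [...], 'overbroad': [...]} for the roles a user holds.

    Only S_RFC authorizations that allow execution (ACTVT 16) of function
    groups (RFC_TYPE FUGR) are considered, matching the guide's requirement.
    """
    missing = set(required)
    overbroad = []
    for a in auths:
        if a.role not in user_roles or a.obj != "S_RFC":
            continue
        actvt = {lo for lo, _ in a.fields.get("ACTVT", [])}
        rfc_type = {lo for lo, _ in a.fields.get("RFC_TYPE", [])}
        if not (actvt & {"16", "*"}) or not (rfc_type & {"FUGR", "*"}):
            continue
        for lo, hi in a.fields.get("RFC_NAME", []):
            if is_generic(lo, hi):
                overbroad.append((a.role, lo, hi))
            for fugr in list(missing):
                if covers(lo, hi, fugr):
                    missing.discard(fugr)
    return {"missing": sorted(missing), "overbroad": overbroad}


# Constructed sample export: role names and values are invented for the example.
SAMPLE_AUTHS = [
    Authorization("Z_SAF_COMM", "S_RFC", {
        "ACTVT": [("16", "")],
        "RFC_TYPE": [("FUGR", "")],
        # CRM_EI_ICS_RFC is deliberately left out to show a "missing" finding.
        "RFC_NAME": [(g, "") for g in ("RFC1", "SG00", "SRFC", "SUNI", "SYST",
                                      "CRM_GENIL_RFCL", "CRM_EI_RFCL")],
    }),
    # A role with a wildcard RFC_NAME: it satisfies the list but grants every
    # function group, which is the over-authorization the check should flag.
    Authorization("Z_RFC_ALL", "S_RFC", {
        "ACTVT": [("16", "")],
        "RFC_TYPE": [("FUGR", "")],
        "RFC_NAME": [("*", "")],
    }),
]

if __name__ == "__main__":
    for roles in ({"Z_SAF_COMM"}, {"Z_SAF_COMM", "Z_RFC_ALL"}):
        print(sorted(roles), audit_s_rfc(SAMPLE_AUTHS, roles))
```

Run against the sample, the first role set reports CRM_EI_ICS_RFC as missing; adding the wildcard role clears the missing list but produces an overbroad finding, which is the case to treat as a defect rather than a fix: the communication user should hold exactly the listed function groups.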

Knowledge Administration User

There are different ways to access the SAF’s Indexes BSP application. To access via URL or from the CRM system directly, a standard CRM user is sufficient. To access from the SAP Enterprise Portal, the user must have access to the CRM Portal Administrator role SAP_PCC_CRM_PORTAL_ADMIN.

Network and Communication Security

Communication Channel Security

Java Configuration

The communication channels used between components/parts of the applications are:

• Front-end to application server

HTTP communication from the Indexes UI to the CRM ABAP Web Application Server

• Application server to application server

HTTP communication from the CRM Server to the SAF compilation service installed on J2EE

HTTP communication from the SAF compilation service installed on J2EE to the TREX server

HTTP communication from the CRM Server to the SAF search service installed on J2EE

HTTP communication from the SAF search service installed on J2EE to the TREX server

• RFC/JCo to application server

JCo call from the SAF compilation service installed on J2EE to the CRM Server

JCo call from the SAF search service installed on J2EE to the CRM Server (used by e-service)

RFC call from the CRM Server to the TREX server

The technology used for this communication is:

• HTTP

• JCo

The technology used to access connected third-party systems is HTTP.

The data transferred through communication channels is as follows:

• Compilation service

Compilation requests are sent from the CRM Server to J2EE through HTTP

Get index information requests are sent from the CRM Server to J2EE through HTTP

Knowledge base content is transferred from J2EE to the TREX server through HTTP

Knowledge base content is transferred from the CRM Server to J2EE through JCo


Knowledge base content is transferred from the CRM Server to TREX through RFC

• Search service

Search requests are sent from the CRM Server to J2EE through HTTP

Search query is transferred from J2EE to TREX server through HTTP

SDB attachment content is transferred from the CRM Server to J2EE through JCo

SDB feedback content is transferred from J2EE to the CRM Server through JCo

Data requiring particular protection is business partner information transferred from the CRM Server to the TREX server as knowledge base content, and from TREX to J2EE as a result of a search query.

This application does not use transfer protocols that cannot be encrypted using SSL or SNC (GSS_API).

Non-Java Configuration

TREX’s ABAP application programming interface (API) communicates with the TREX server via TCP/IP communication supported by SAP’s standard RFC definition.

Network Security

The SAF compilation service has no firewall settings of its own.

Java Configuration Only

Communication with J2EE and the TREX server takes place through HTTP ports. These ports are configurable.

Communication Destinations

Java Configuration

The following RFC/JCo destinations are required:

• The RFC or HTTP destination to the TREX server is required and should be configured in the CRM system after the TREX server is installed.

• The HTTP destination to the SAF compilation service installed on J2EE is required and should be configured after the SAF compilation service is installed.

• The HTTP destination to the SAF search service installed on J2EE is required and should be configured after the SAF search service is installed.

• The JCo connection parameters to the CRM system need to be configured in the SAF compilation service installed on J2EE.

The J2EE HTTP port is specified within an HTTP destination defined in transaction SM59. The port information is read at runtime by the SAF.

See also Authorizations → Communication User.

To secure HTTP communication, we recommend running HTTP over Secure Sockets Layer (SSL): ...

1. Start J2EE Engine HTTP service over SSL.

2. Set up HTTP destination to search service by activating SSL in transaction SM59.

3. Set up HTTP destination to compilation service by activating SSL in transaction SM59.

For details, see the SAP Web AS Security Guide for Java Technology.

To secure JCo or RFC communication, we recommend using Secure Network Communication (SNC). For details, see the SAP NetWeaver Security Guide → Network and Communication Security.


Non-Java Configuration

The RFC or HTTP destination to the TREX server is required and should be configured in the CRM system after the TREX server is installed.

Data Storage Security

Stored Data

Data | Stored Where | Stored When | Type of Access | Protected by Access Control
Knowledge bases | SAP system | Knowledge base maintenance | Read/write/delete/change | Yes – Access required to CRM system
Knowledge base indexes (compilation service) | TREX | Indexing | Write/delete/change | Yes – Access required to Indexes BSP application and TREX server
Knowledge base indexes (search service) | TREX | User interaction | Read | Yes – Access required to CRM system and TREX server
Compilation status/time stamp | SAP system | Indexing/clustering | Read/write/delete/change | Yes – Access required to Indexes BSP application
Clustering result | SAP system | Clustering | Read/write/delete/change | Yes – Access required to Indexes BSP application
Compilation Java trace | SAF compilation service on J2EE | Indexing/clustering | Write | Yes – Access required to J2EE host
SAF customization | CRM system | SAF post installation | Read/write/delete/change | Yes – Access required to Customizing
JCo configuration | web.xml file of SAF compilation service on J2EE (6.20 only); xcm configuration file for SAF compilation service on J2EE (6.40 only) | SAF installation | Read/change | Yes – Access required to J2EE host
Feedback (search service) | CRM system | User interaction | Read/write/change | Yes – Access required to Customizing

There are no other places in which the data is temporarily stored.

The compilation service supports/requires a Web browser as the user interface. The search service does not require a Web browser.

Cookies are not used to store data at the front end.

No further data is stored on the client.

Other Security-Relevant Information

This application does not use active code on the front end.

Trace and Log Files

When the logging severity level is set to DEBUG, part of the knowledge base content can be traced.

Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, quick link security. Security guides are available using the quick link securityguide.

Related Information

For more information about topics related to security, see the links shown in the table below.

Quick Links to Related Information

Content | Quick Link on SAP Service Marketplace (service.sap.com)
Master guides, installation guides, upgrade guides, solution management guides | instguides, ibc
Related SAP Notes | notes
Released platforms | platforms
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager

Solution Database

Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

About this Guide

This guide is for the Solution Database (CRM-MD-SDB).

Related Security Guides

Application | Guide | Most-Relevant Sections
Software Agent Framework | mySAP CRM Security Guide | Software Agent Framework [page 123]
Content Management | SAP Knowledge Management Security Guide | Content Management Security Guide

Why Is Security Necessary?

Certain kinds of information that can be stored in the Solution Database (SDB), such as company data and employee data, should not be accessible to all. Therefore, it is necessary to restrict access to different categories of information.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.

User Administration and Authentication

User Management

User Management Tools

Tool | Detailed Description
Maintain Information Security Profile (transaction CRMD_SDB_PRMN) | See below
Assign Profile to User (transaction CRMD_SDB_PROF) | See below

Solution Database (SDB) information security is an online maintenance tool for knowledge administrators to restrict the access of certain users to only certain categories of information when users search the SDB via:

• Knowledge search in Interaction Center (IC) WebClient

• Knowledge search in IC WinClient

• Standalone knowledge search (transaction CRMM_SEARCH)

• Frequently asked questions (FAQs) and solution search in Internet Customer Self-Service (ICSS)


For example, you may want to allow customers searching the Solution Database via ICSS to access only information for external users, not to retrieve documents flagged for internal use only.

Information security is achieved by the use of problem profiles, solution profiles, and group profiles. Problem profiles and solution profiles are individual profiles containing a set of values for one or more attributes. Group profiles are collections of individual problem and solution profiles. A group profile allows the user to access all problems and solutions that match at least one of its individual profiles.

The set of problems and solutions displayed is determined by the values of attributes such as the problem type and validation category. For example, you could specify that the profile Guest is allowed to retrieve only documents belonging to problem type A and validation category Guest.

There is no additional user management for information security. The standard SAP users are employed. The individual profiles and group profiles are stored and delivered as customized data of the SDB.
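The matching rule described above (every attribute of an individual profile must match, and a group profile grants whatever any of its members grants) is easy to get wrong when profiles are combined. The following Python model is an added example, not SAP code and not part of this guide: the attribute names (problem_type, validation_category), the profile names and the documents are constructed to show which problems and solutions a search returns for the guide's Guest profile and for a broader internal group.

```python
"""Matching rule of Solution Database information security profiles.

Added example, not SAP code: attribute names, profile names and documents
are constructed to illustrate how individual profiles (AND over attributes)
and group profiles (OR over members) decide what a search may return.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Profile:
    """Individual problem or solution profile: a set of allowed values for one
    or more attributes. A document matches when it is of the profile's kind
    and every listed attribute carries one of the allowed values; attributes
    the profile does not mention are not restricted."""
    name: str
    kind: str                               # "problem" or "solution"
    attributes: Dict[str, FrozenSet[str]]

    def matches(self, doc: dict) -> bool:
        if doc["kind"] != self.kind:
            return False
        # doc.get() returns None for a missing attribute, which is never in
        # the allowed set, so documents lacking an attribute are hidden.
        return all(doc.get(attr) in allowed
                   for attr, allowed in self.attributes.items())


@dataclass
class GroupProfile:
    """Collection of individual profiles; a document is visible if it matches
    at least one of them."""
    name: str
    members: Tuple[Profile, ...]

    def matches(self, doc: dict) -> bool:
        return any(p.matches(doc) for p in self.members)


def visible_ids(docs: List[dict], group: GroupProfile) -> List[str]:
    """IDs of the problems and solutions a user assigned `group` may retrieve."""
    return [d["id"] for d in docs if group.matches(d)]


# Constructed SDB content using the two attributes the guide names as examples.
DOCS = [
    {"id": "P1", "kind": "problem",  "problem_type": "A", "validation_category": "Guest"},
    {"id": "P2", "kind": "problem",  "problem_type": "A", "validation_category": "Internal"},
    {"id": "P3", "kind": "problem",  "problem_type": "B", "validation_category": "Guest"},
    {"id": "S1", "kind": "solution", "problem_type": "A", "validation_category": "Guest"},
    {"id": "S2", "kind": "solution", "problem_type": "B", "validation_category": "Internal"},
]

# The guide's example: Guest may retrieve only problem type A with validation
# category Guest. Modelled as one problem profile and one solution profile
# combined in a group profile.
GUEST_PROBLEM = Profile("GUEST_PROBLEM", "problem",
                        {"problem_type": frozenset({"A"}),
                         "validation_category": frozenset({"Guest"})})
GUEST_SOLUTION = Profile("GUEST_SOLUTION", "solution",
                         {"problem_type": frozenset({"A"}),
                          "validation_category": frozenset({"Guest"})})
GUEST = GroupProfile("GUEST", (GUEST_PROBLEM, GUEST_SOLUTION))

# A constructed internal group: problems of either validation category and
# all solutions (an empty attribute set restricts nothing but the kind).
INTERNAL_PROBLEM = Profile("INTERNAL_PROBLEM", "problem",
                           {"validation_category": frozenset({"Guest", "Internal"})})
INTERNAL_SOLUTION = Profile("INTERNAL_SOLUTION", "solution", {})
INTERNAL = GroupProfile("INTERNAL", (INTERNAL_PROBLEM, INTERNAL_SOLUTION))

if __name__ == "__main__":
    for group in (GUEST, INTERNAL):
        print(group.name, visible_ids(DOCS, group))
```

The Guest group sees only P1 and S1; the internal group sees all five documents. Because a missing attribute never matches, the model fails closed, which is the behaviour to expect from a restriction meant to keep internal-only documents away from ICSS users.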

User Data Synchronization

It is not necessary to synchronize the user data with other data sources.

Authorizations

A standard CRM user is sufficient.

Data Storage Security

There are no special data storage security requirements; the default settings provide sufficient security.

Solution Database records are stored in the database of the SAP system as master data. Individual information security profiles and group information security profiles are stored and delivered as customized data of the SDB (see User Management).

Other Security-Relevant Information

This application does not use active code on the front end.

Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, quick link security. Security guides are available using the quick link securityguide.

Related Information

For more information about topics related to security, see the links shown in the table below.

Quick Links to Related Information

Content | Quick Link on SAP Service Marketplace (service.sap.com)
Master guides, installation guides, upgrade guides, solution management guides | instguides, ibc
Related SAP Notes | notes
Released platforms | platforms
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager

CRM Billing

Introduction

This topic details the security information for CRM Billing. CRM Billing is based on the following applications:

• SAP Web Application Server 6.20

• Enterprise Portal 5.0

• CRM 4.0

User Administration and Authentication

User Management

User Management Tools

Tool | Detailed Description | Prerequisites
SU01 – Dialog / Batch | For more information, refer to the section SAP Enterprise Portal (EP) Security Guides under the alias securityguide on SAP Service Marketplace. | nil
Portal Role – Billing Clerk | Technical name: com.sap.pct.crm.billingClerk. For a detailed description, refer to the Business Package for SAP CRM 4.0 under mySAP Customer Relationship Management on Help Portal. | nil
Portal Role – Sales Assistant / Sales Manager | Technical name (Sales Manager): com.sap.pct.crm.v02.salesmanager. Technical name (Sales Assistant): com.sap.pct.crm.v02.salesassistant. For a detailed description, refer to the Business Package for SAP CRM 4.0 under mySAP Customer Relationship Management on Help Portal. | nil

User Types

The user type used is Individual Users, such as:

• Dialog users

• Background users

Customers must create:

• Individual users to be able to use the delivered standard processes


• Initial identification parameters such as password, certificate for these users. This is not handled by SAP.

Authorizations

The role Billing Clerk is delivered with the CRM Billing application. The customer can also create the role Billing Clerk. For more information, refer to the section SAP Enterprise Portal (EP) Security Guides under the alias securityguide on SAP Service Marketplace.

Listed below are the normal operations along with their authorization object:

• Maintenance of the Billing Due List: BEA_DLI

• Creation and Maintenance of Billing: BEA_BDH

• Display of documents in SAP R/3: BEA_SUBS

• Maintenance of the Price List: BEA_PL

The Profile Generator is used for the generation of these authorization objects. All the objects mentioned in the list above have all the required authorizations.

Network and Communication Security

Communication Channel Security

Given below are the various communication channels that are used between the components of CRM Billing and other applications:

• HTTP: Between the Front-end and the application server

• BDoc types: Between FI and BW

• BDoc types: Between SAP R/3 (Deliveries), CRM Sales and FI

• RFC: Between IPC and TTE or Vertex (Third-party supplier)

In most cases, only application data is sent across (Billing Due List DLI and Billing Document BDH/BDI). The data that is received is:

• Deliveries from SAP R/3

• Orders from CRM Sales

• Status feedback from FI


Intelligence Connector

Introduction

Intelligence Connector for CRM 4.0 is built on the following components:

• Web Application Server 6.20

• SAP J2EE Engine 6.40

• BW 3.2

• CRM 4.0

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions
BW/BPS | |

Why Is Security Necessary? The security of the intelligence connector is necessary to protect the following:

• Data mining models

The Intelligence Connector works with data mining models that contain business-critical information used to perform real-time predictions. In addition, it works with business rules and predicts based on these rules. This information must be protected from unauthorized access. The models that contain business-critical information can be accessed from the BW. The local prediction server depends on the database authorizations for the security of imported models.

• Key Performance Indicators (KPIs)

The Intelligence Connector uses KPI sets to fetch KPIs from the CRM and BW systems. These KPIs can have critical Business Partner information that must be protected from unauthorized access.

• User Information for Connections

The Intelligence Connector establishes connections to various remote servers. Therefore, the user information for these connections must be secured. Intelligence Connector uses encryption and the secure storage of the J2EE Engine to store such critical information.

• Global Configurations

To perform various administrative tasks in the Intelligence Connector, the user must modify the configuration settings. The user must have administrative rights on the J2EE Engine, as these modifications use the XCM technology.

User Administration and Authentication

To work with Intelligence Connector, log on to the CRM server 4.0 and use the Intelligence Connector transaction. User administration and authentication are governed by the CRM server 4.0.

User Management

The Intelligence Connector does not have a user management system. However, the CRM server 4.0 users can work with the Intelligence Connector by using the Intelligence Connector transaction. There are no specific roles used for the Intelligence Connector.


User Management Tools

Tool | Detailed Description | Prerequisites
Transaction SU01 | ABAP user for CRM 4.0 system |

Authorizations

The Intelligence Connector provides the following authorization mechanisms:

• Start of Intelligence Connector

To start Intelligence Connector, the user must be authorized to execute the Intelligence Connector transaction. The authorization must be assigned to the user by using the regular authorization concept of the CRM server 4.0 that allows assigning authorizations to users to execute transactions.

• Execution of Prediction Tasks

Intelligence Connector provides an API to execute the prediction tasks. No authorization check is provided for local prediction tasks; in such a case, the application calling the Intelligence Connector API must provide the authorization check itself. To execute the remote prediction tasks, the RFC user used for the connection to BW must have the SAP_BW_CUSTOMER_BEHAVIOR role.

• Execution of KPI Tasks

Intelligence Connector provides an API to read Key Performance Indicators (KPIs) from an Analytical Data Store (ADS) or BW by executing a KPI task. To be authorized to execute a KPI, the RFC user used for the connection to the CRM server 4.0 must have the CRM_RT_KPI role.

• Access to metadata

Intelligence Connector uses its own database to store metadata and data mining models. The user of the database management system (DBMS) is specified in the dbpool service of the J2EE Engine. To secure the data in the DBMS, the authorization mechanisms of the underlying DBMS apply.

• Settings of global parameters

The Intelligence Connector uses XCM to configure the global parameters. Therefore, the user must have the administrator authorizations to configure these parameters.

Network and Communication Security

Communication Channel Security

Intelligence Connector uses the following communication channels:

• Communication with BW and CRM servers

Intelligence Connector can be configured to communicate with BW and CRM servers. If critical information, such as critical prediction results and KPIs, needs to be exchanged, you need to set up secure network communication by using encrypted RFC. The setup of encrypted RFC between a WebAS and Intelligence Connector’s J2EE Engine is described in more detail in the Knowledge Warehouse document of Intelligence Connector (link provided in section Technical System Landscape).

The network communication between the WebAS and the J2EE Engine is not required if the Intelligence Connector is installed on the built-in J2EE Engine of the WebAS on the same server.

• Communication with Database Management System


The communication between Intelligence Connector and the underlying database management system depends on the installed JDBC driver. For information on the security aspects associated with this communication channel, refer to the respective documentation of the DBMS and JDBC driver.

• Communication with File System

During the deployment of data mining models from BW to Intelligence Connector, some models may be stored temporarily in the directory specified for temporary files. This directory can be specified during installation of Intelligence Connector. Although each file in this directory is deleted after the transfer into the database (that is, after deployment), the authorization mechanisms of the operating system must be used to prevent unauthorized access to the content of this directory.

• Communication with applications

Intelligence Connector provides an API to execute the KPI and prediction tasks. A secure communication between the application and Intelligence Connector must be guaranteed by the application, for example, by using encrypted RFC calls.

Network Security

The communication between the Intelligence Connector and the components involved depends exclusively on: ...

1. The JDBC driver used to communicate with the underlying database management system

2. Frequent RFC calls between Intelligence Connector and the other SAP components, such as BW and CRM servers

The distribution of the involved components in a complex network infrastructure depends only on the constraints of the RFC communication and of the communication implemented in the JDBC driver. For example, you can install the Intelligence Connector in a DMZ and execute remote prediction tasks in a BW system located in an Intranet. However, you can execute tasks only if the firewall between the DMZ and the Intranet allows frequent RFC calls into the Intranet.

Communication Destinations

Intelligence Connector works with the following communication destinations:

• BW system as model and prediction provider

Intelligence Connector can be connected to a BW system for the deployment of data mining models and to execute prediction tasks. The communication between Intelligence Connector and BW is exclusively based on RFC calls. To deploy models from BW or execute remote prediction tasks, the RFC user specified in the connection to the BW system must have the SAP_BW_CUSTOMER_BEHAVIOR role.

In some application scenarios, the communication to BW systems is not required. For example, some data mining models can be deployed to Intelligence Connector’s local prediction server. As a result, the local prediction tasks can be executed on these models without any communication with the BW system. The RFC communication between BW and Intelligence Connector is not required if:

• The PMML file export feature in BW is used

• The same PMML file is imported into Intelligence Connector

• CRM 4.0 system to access KPI sets

To execute KPI sets for the management of KPI tasks, the RFC user specified in the connection to the CRM system must have the CRM_RT_KPI role. A connection to a CRM server 4.0 is mandatory to execute the KPI tasks. If the execution of a KPI task leads to the execution of an ODS read or a BW query, the RFC user (specified to connect to the BW server from the CRM server) must be authorized to access the ODS and execute the query respectively. To prevent communication to BW for a KPI read, the KPIs must be loaded from BW to an Analytical Data Store (ADS) in CRM and the KPI set used in the KPI task must refer to the ADS object. In such a case, the execution of the KPI task leads to a KPI lookup in the ADS. As a result, the communication to the BW system is not required.

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description
BW | Yes | RFC | SAP_BW_CUSTOMER_BEHAVIOR |
CRM | Yes | RFC | SAP_BW_CUSTOMER_BEHAVIOR, CRM_RT_KPI |
DBMS | Yes | JDBC | Database authorizations |

Data Storage Security

The data storage security is explained as follows:

• Metadata and data mining models

Refer to the Authorizations and Communication Channel Security sections.

• User information for connections

Refer to the Why Is Security Necessary? section.

Minimal Installation

The minimum installation of Intelligence Connector consists of the pure installation of Intelligence Connector on the J2EE Engine with a JDBC connection to the database management system.

Other Security-Relevant Information

The Intelligence Connector GUI uses basic JavaScript that does not contain security-critical information.

Trace and Log Files

Intelligence Connector does not log any sensitive information into the trace and log files.


SAP Internet Pricing and Configurator

Introduction

This section provides information applicable to the security of the Internet Pricing and Configurator (IPC) applications that are listed below:

• IPC Dispatcher

• IPC Server

• IPC Web Application

• IPC Data Loader

Related Security Guides

Application | Guide | Most-Relevant Sections or Specific Restrictions
IPC Web Application | ISA Security Guide | Other Security-Relevant Information – Internet Sales Administrator Area
IPC Web Application | J2EE Security Guide | Configuring the Use of SSL on the SAP J2EE Engine
CRM | CRM Security Guide |
IPC Server, Dispatcher, Dataloader | CRM Security Guide |

Why Is Security Necessary?

Normally, the execution of IPC applications is protected by a firewall. As a result, these applications are protected from unauthorized access if the firewall is correctly configured. However, to prevent unauthorized client applications from sending commands to the IPC Server, you can switch the IPC applications to secure mode (see note 672421). As a result, the IPC Server accepts calls only from authorized clients.

In addition, to secure the communication between the authorized client and the IPC Server:

• Encrypt the RFC connection from the ABAP system to the IPC using SNC

• Encrypt the socket connection from the Web application to the IPC server using SSL

In such a case, the communication is completely protected from unauthorized access.

• If you switch the IPC applications to secure mode and thereby encrypt the communication, performance is significantly reduced.

• To secure your CRM system, you must grant minimum rights to the communication user of the IPC Server as explained in note 412309.

Important SAP Notes

Check regularly which SAP Notes are available about the security of the application.


Important SAP Notes

SAP Note Number | Title | Comment
658464 | Security check of IPC | Collective note on IPC security issues
658437 | IPC security: Restricting access rights on IPC directory | Only the user under which the IPC Server is running must have access to this directory.
672421 | IPC security: Maintaining the security level | General information about the security levels of IPC
669883 | SCE: User entries for attribute with not ready for input |
412309 | Authorization profile RFC user for IPC | Restricts the authorization rights for RFC connections from IPC Server to CRM
698181 | IPC security: Maintaining parameters for secured connections | How to secure RFC connections from client applications to IPC Server
720523 | IPC security: Maintaining parameters for SSL secured connection | How to secure socket connections from client applications to IPC Server
646140 | Security Check of Internet Sales | Collective note on Internet Sales security issues
606733 | SAP J2EE - composite SAP note on security of Basis 6.20 |

User Administration and Authentication

User Management

The IPC applications do not have a user management system due to their architecture. As a result, only client applications call the IPC Server, not individual users. The IPC applications use the following user types:

• Individual users – Not applicable.

• Technical users

Technical users can be further classified into the following:

• Service user for remote administration (if enabled)

It is possible to allow remote administration. The Remote Administrator was enabled by default up to SP05. However, from SP06 onwards, the customer must explicitly enable the Remote Administrator, and no default password is delivered.

The customer has the option to protect the Remote Administrator with a password. The password is stored in obfuscated form in the Parameters.xml file located in the <INST_DIR>\lib\properties path.

We strongly recommend that you restrict the access rights to <INST_DIR> and its sub-directories (see note 658437). This is critical to the security of the IPC applications.

The Remote Administrator tool is located in the <INST_DIR>\bin directory, which must be protected by operating system (OS) level access rights (see note 658437).


You do not need to create a user in the ABAP system for remote administration.

• Communication user for connection from the IPC Server to the backend system (ABAP system specific database)

The communication user and password for this connection are stored in obfuscated form in the Parameters.xml file located in the <INST_DIR>\lib\properties path.

We strongly recommend that you restrict the access rights to <INST_DIR> and its sub-directories (see note 658437). This is critical to the security of the IPC applications.

The authorizations of the communication user in the CRM system can be restricted by using the S_RFC authorization object (see note 412309).

User

System | User | Delivered? | Type | Default Password | Detailed Description
Backend (CRM or R/3) | User used by the IPC Server to connect to the backend system | No | Communication user | No | SAP IPC Server Installation Guide and note 412309 (restricting authorizations)
IPC Remote Administrator Tool | | Yes (as of SP06: No) | Service user | IPC (as of SP06: no password delivered) | As of SP06, remote administration is disabled by default and no default password is delivered.
J2EE Engine | Administrator | Yes | User administered on the J2EE Engine | As defined during J2EE Engine installation | This user enters the administration pages of the web-application.

User Data Synchronization The synchronization of user data is not applicable as there are no individual users.

Integration Into Single Sign-On Environments The integration into Single Sign–On environments is not applicable as there are no individual users.


Authorizations

The customer can create a role (for example, with transaction PFCG) that uses the S_RFC authorization object for the communication user. As a result, this user is granted minimal rights in the backend system.

We recommend that you strictly follow the instructions in note 412309.

Network and Communication Security

Communication Channel Security

The following communication channels and protocols are used between different components:

Component A | Component B | Channel | Technology
Web Browser | HTTP Server (IPC web-application) | Front-end to server | HTTP/HTTPS
    See J2EE Security Guide: Configuring the Use of SSL on the SAP J2EE Engine. From the security perspective, we recommend that you use SSL.
IPC Client-Application (for example, IPC web-application) | IPC Server | Client to server | Socket
    As of SP06 this connection can be secured with SSL (see note 720523). From the security perspective, we recommend that you use SSL.
ABAP-System | IPC Server | Client to server | RFC/JCo
    As of SP05 this connection can be secured with SNC (see note 698181 and note 672421). From the security perspective, we recommend that you use SNC.
IPC Server | CRM | Server to backend | RFC/JCo
IPC Server | Local database | Server to backend | JDBC
IPC Dataloader | R/3 | Server to backend | RFC/JCo
R/3 | IPC Dataloader | Client to server | RFC/JCo

The following technology is used to access the connected third-party systems:


• The IPC supports the standard US Sales and Use Tax Interface through which certified third-party tax software can be called.

• In scenarios such as CRM and VehicleManager, the IPC uses a JCo-based RFC connection to the third-party tax software.

• In the Mobile Sales scenario, a direct Java-to-Java connection is used.

The data that is transferred through the respective communication channel is explained below:

• Calls from clients to IPC Server (using RFC or socket connection)

IPC commands are sent to the IPC server and the server returns the results of the configuration.

• HTTP connection from browser to IPC web-application

The selected values of the configuration are sent to the web-application for further processing.

• Calls from IPC Server to backend

The master data is transferred.

• TTE

The data transferred to third-party tax systems includes technical IDs of the entities that are involved in a business process, location codes, and net prices and tax amounts.

Network Security

For network security, refer to the Technical Infrastructure Guide of CRM E-Selling 3.1.

The communication is achieved through the following ports. Each component of the IPC, such as the IPC Server and IPC Dispatcher requires an individual port. However, the customer can change the ports.

• The default ports that are delivered for the IPC Server are: 9999, 9998, 9997, 9996, and 9995.

If no port is maintained, the IPC Server dynamically searches for free ports. You cannot deactivate this dynamic search performed by the IPC Server.

• Port 4444 for the IPC Dispatcher

• Port 4445 for IPC Dataloader

• We recommend that you operate the IPC components in the same network segment, although it is possible to operate the different components of the IPC, such as the IPC Dispatcher, IPC Server, and so on, in different network segments.

• The IPC applications must always run in the Intranet protected by a firewall to ensure that these applications are not accessed from outside the company network.

• If the IPC web-application is used in a CRM or VehicleManager scenario, the J2EE also must run in the Intranet protected by a firewall.

• For the setup of the J2EE for the Internet Sales scenario, see the Technical Infrastructure Guide of CRM E-Selling.

Communication Destinations

The following RFC destinations are required:


• RFC destinations for IPC Dispatcher and IPC Server

These can be secured using the SNC.

• RFC destination for the Dataloader

• These destinations are not delivered.

• The minimum authorizations required by the communication user in the target system can be specified using the S_RFC authorization object (See note 412309 for details).

Connection Destinations

Destination | Delivered? | Type | User, Authorizations | Description
IPC Dispatcher | No | RFC | | SAP IPC Server Installation Guide: Configuration Scenarios/Setting up RFC Connections
IPC Server | No | RFC | | SAP IPC Server Installation Guide: Configuration Scenarios/Setting up RFC Connections
IPC Data Loader | No | RFC | | SAP IPC Server Installation Guide: IPC Data Loader/Defining RFC Destination

Data Storage Security

No data is stored in the IPC Server. The results of configuration and pricing are stored in the applications that call the IPC Server. The data storage associated with IPC is explained below:

• IPC Server

Stores only administration data. The data is stored in the <INST_DIR>\lib\properties directory.

We recommend that you restrict the access rights to <INST_DIR> and its sub-directories (see note 658437).

• IPC web-application

Stores only administration data. See the chapter Data Storage Security – XCM Customer Configuration Data in the ISA Security Guide.

During the use of the IPC Server and IPC web-application, only read access to the administration data is required. However, during the administration process, both read and write access is required.


The administration data must be secured on the operating system level (see note 658437).

If you are using the IPC with a local database, the master data is stored in this database. The IPC Server Installation Guide describes how to create an IPC specific user for the database. See the section Creating an IPC Database in the IPC Server Installation Guide.

The database itself must be secured on the operating system level.

A Web browser is required as the user interface. Session cookies (which are deleted when the web browser is closed) are used to keep a client session. The cookie does not store any other data. On the client side, no user data is stored.

Security for Additional Applications

The security for additional applications is explained below:

• Third-party tax systems

Customers can install certified third-party tax systems that are called by the IPC through the US Sales and Use Tax Interface.

For information on the relevant security settings for these additional applications, see the Installation Guides of the certified external tax software packages.

• Other components using the IPC applications

For information on how to secure the other components by using the IPC applications, refer to the corresponding Security Guides.

If you use third-party software, encryption must be activated (if supported).

Minimal Installation

The minimal installation requirements are explained below:

• The Remote Administrator is not mandatory. The customer can disable the Remote Administrator by deselecting the Remote Administration option in the IPC Administrator tool.

From SP06 onwards, the Remote Administrator is disabled by default.

• For restricting the use of XCM Administration, see ISA Security Guide.

• The applications Netmeeting and PCAnywhere are required during support activities. Therefore, we recommend that you enable these applications only during support.

Other Security-Relevant Information

The other security-relevant information is explained below:

• The IPC web-application uses JavaScript extensively. If JavaScript is disabled in the browser, the application does not work. In addition, the application uses session cookies (which are deleted when the web browser is closed) to keep a client session. If cookies are disabled, it is not guaranteed that the application will work correctly. No persistent cookies are used.

• IPC Engine

If the IPC Engine receives a value for an attribute, it does not check whether the attribute is read-only; it always sets the value. The read-only flag of an attribute is checked only at the user-interface level. If a user manipulates the request that the user interface sends to the engine, values can therefore be set for attributes that are normally read-only. To prevent this, set the IPC Server to security-level 1. For more information, see notes 669883 and 672421.

• Application Administration

For information on the web-based administration tool, see the section Other Security-Relevant Information – Internet Sales Administrator Area in the ISA Security Guide.
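The read-only weakness described under IPC Engine above, as an added example that is not IPC code: a constructed configuration model in which applyRequestUnchecked behaves like the engine the guide describes (every received value is applied), beside applyRequestChecked, which enforces the read-only flag on the engine side and fails closed. The model, attribute names and function names are assumptions for illustration only.

```javascript
// Added example, not part of the IPC. Constructed configuration model: each attribute
// carries the value chosen so far and the read-only flag that the UI renders as
// non-editable. A check that lives only in the UI can be bypassed by editing the
// request, so the flag has to be enforced where the value is actually set.
const MODEL = {
  attributes: {
    COLOR:      { readOnly: false, value: "red" },
    BASE_PRICE: { readOnly: true,  value: "1000" },
    WARRANTY:   { readOnly: true,  value: "24" },
  },
};

function cloneModel(model) {
  return JSON.parse(JSON.stringify(model));
}

function hasAttribute(model, name) {
  return Object.prototype.hasOwnProperty.call(model.attributes, name);
}

// Behaviour the guide describes: every attribute value in the request is applied,
// whether or not the attribute is marked read-only. The input model is not mutated.
function applyRequestUnchecked(model, request) {
  const next = cloneModel(model);
  for (const [name, value] of Object.entries(request)) {
    if (hasAttribute(next, name)) next.attributes[name].value = String(value);
  }
  return next;
}

// Hardened behaviour: the read-only flag is checked on the engine side, where the
// client cannot tamper with it. A request that tries to change a read-only or an
// unknown attribute is rejected as a whole, and the offending fields are returned
// so the caller can write them to its audit log.
function applyRequestChecked(model, request) {
  const rejected = [];
  for (const [name, value] of Object.entries(request)) {
    if (!hasAttribute(model, name)) {
      rejected.push({ name, reason: "unknown attribute" });
      continue;
    }
    const attr = model.attributes[name];
    // Echoing the current value of a read-only field back is harmless; changing it is not.
    if (attr.readOnly && attr.value !== String(value)) {
      rejected.push({ name, reason: "read-only attribute" });
    }
  }
  if (rejected.length > 0) {
    return { ok: false, model, rejected };
  }
  return { ok: true, model: applyRequestUnchecked(model, request), rejected };
}

// Constructed request as the UI would send it, with BASE_PRICE altered although the
// form rendered it as read-only.
const TAMPERED_REQUEST = { COLOR: "blue", BASE_PRICE: "1" };
```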

Trace and Log Files

The following table explains the different trace and log files:

Trace/Log file | Location | Description
IPC web-application log | Can be viewed using the J2EE Engine Log Viewer | Information about errors in the application
IPC web-application trace | Can be viewed using the J2EE Engine Log Viewer; accessed from the web-application administration area | Developer trace that is primarily required by developers and the support team
IPC Server log | Can be maintained by the customer by using the IPC Administrator tool | Information about errors in the application

The information about user logons and so on is not stored in the log files. However, logging/tracing must be disabled in the productive systems to prevent disclosure of internal system information. For details, see the section IPC Logging in the IPC Configuration Support Guide available in the SAP Service Marketplace (http://service.sap.com/crm-inst -> SAP CRM 4.0 -> IPC 4.0 Configuration Support).


People-Centric CRM

Introduction

This topic details the security information for the following components/controllers of the People-Centric UI framework:

• SearchResult List

• ValueHelp

• Pager

• SearchResult Tree OIC

• Data Context (Tree)

• Filter

• Search Request OIC

• Data Context (Search Request)

• Print Preview

• Pattern Interaction Layer

• Data Context (Generic)

• Interface Object Link Generation

• Cursor Setting

• Mandatory Field Check

• Simple Search (Tag)

• Advanced Search (Tag)

• F1 Help

• List Personalization

• HTML Controller

• Search Result OIC

• Multi Select OIC

• MultiEdit ODC

• Blueprint Application Builder (BAB)

• Interface to CRM Designer

• Customizing Tables

• File Upload

• HTML Container Tag

• Tree Tag

• ODC Tree Controller

• DDLB

• Data Binding

• EventOnEnter


• Layout Generation

• Popups

• Structure Edit

• Application Log

• Main Controller

• Entry Point

• Multi ODC

• Detail.do

The PC UI Framework contains a set of objects or controllers that are used to build web applications for SAP Enterprise Portals. The dependencies of the PC UI framework to the web applications are organized as follows:

Web Applications | Built On Basis Release | Use PC UI Framework Basis Component
Future / Current | 7.0 & 6.40 | SAP_ABA
CRM 4.0 | 6.20 | UIFRW
CRM 3.1 | 6.20 | CRM component – BBPCRM

See also:

People-Centric User Interface (PC UI) [Page 148]


People-Centric User Interface (PC UI)

User Administration and Authentication

User Management

• All users are created and stored in the CRM Server and the backend system. All customers must first have an account created to be able to use web applications.

User management is not handled by the PC UI framework or by the web applications that use the PC UI.

• User authentication is performed by SAP Web Application Server along with the connected SAP R/3 system (CRM Server).

Integration Into Single Sign-On Environments Single Sign-On (SSO) is not handled by the PC UI framework.

Authorizations

• The main controller of the PC UI framework performs an authority check. The authority check is performed on the object BSP_APPL. This object contains the following fields:

BSP_APPL: handles access to all kinds of BSP applications

BSP_VIEW: handles access to certain views for applications in the PC UI

The authority check is performed on this object only when the PC UI is initialized.

For more information about authority checks and working with authorization objects, refer to the:

• SAP Web Application Server Security Guide (ABAP+Java) under the alias securityguide on SAP Service Marketplace.

• CRM Access Control Engine under mySAP Customer Relationship Management on Help Portal, if you are using this engine.

• Blueprint Application Builder (BAB)

Uses the PC UI framework in the Preview

The BAB and the CRM Designer Interface perform authority-checks by means of recording modules.

Network and Communication Security

Communication Channel Security

Communication Channels

• Blueprint Application Builder (BAB)


The CRM People-Centric User Interface (CRM People-Centric UI) is based on a generic framework. You can create and customize the layout of the user interface using the Blueprint Application Builder and the CRM Designer.

Communication with the CRM Designer is based on XML technology implemented in the CRM Designer Interface. Reading and saving from and into customizing tables is made possible by the CRM Designer Interface. This is a special CRM function that is packaged in the transaction SCIF.

Using the SCIF transaction you can open the XML input of the CRM Designer. The connection is established using the HTTP protocol. You then create a connection to the CRM Designer tool by providing a user and password to access CRM Designer. This enables the PC UI to receive the XML from that tool and incorporate it into the blueprint tables, thus enabling changes to the design.

Only error free XML that was produced by the CRM Designer can be uploaded to the blueprint tables.

SCIF is also used to disable the connection to the CRM Designer. This is done by deactivating the whole interface. For more information about the HTTP Maintenance Tool, refer to the Web Application Server Guide.

Communication Technology

The Web Application Server must be directly accessible to all portal clients to ensure that the PC UI framework functions as required. Listed below are the main technologies used by the components of the PC UI framework:

• HTTP/HTTPS (Browser to web application server)

This depends on the customer's setup.

• RFC, TCP/IP, and Named Pipes depending on the underlying database technology.

• SSL

The interaction between the PC UI framework and SSL is very limited. SSL is used to extend the functionality of HTTP.

The web application server functions and SSL do not interact with the web applications running in the browser, nor do they affect the PC UI framework used by these applications. However, each controller of the PC UI framework must be registered to be able to use HTTPS. To do this:

Open the PC UI framework CRM_BSP_FRAME using the transaction SE80.

Choose the Controllers folder from the navigation bar and double-click on one of the listed controllers.

For the controller address.do, choose the checkbox HTTPS under Transfer Options.

In order to use SSL on the SAP Web AS with the PC UI framework, you must perform this action for each and every controller of the framework.

• Cross Frame Scripting (Domain Relaxation)

Cross frame scripting can happen in the PC UI framework if the portal server is different from the PC UI server. If each application in the portal operates on different servers, then domain relaxation is used to update data across iViews. In order to share data between the different frames, these frames have to assign a suffix of their server domain to their document.domain attribute.


This domain relaxation is carried out within the different frames used in the PC UI. This does not pose a security risk, since a frame generated by a server outside the company's server infrastructure, with a completely different domain, still cannot access the 'relaxed' frames' data.

For more information about cross frame security and scripting, refer to msdn.microsoft.com.
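The suffix rule that the preceding paragraphs rely on, modelled in JavaScript as an added example (this is not code from the SAP guide or from the PC UI framework). It checks whether a frame served from a given host name may set document.domain to a given value: the value must be the host name itself or a suffix of it starting at a label boundary, and it must contain at least one dot, so a frame from an unrelated domain can never join the relaxed group. Real browsers additionally consult a public suffix list; the one-dot test stands in for that here. All host names are constructed.

```javascript
// Added example, not part of the SAP guide or the PC UI framework code.
// Models the browser rule for document.domain relaxation: a frame may only
// relax to its own host name or to a proper suffix of it (at a label boundary),
// and never to a bare top-level domain. The public-suffix check that modern
// browsers perform is approximated here by requiring at least one dot.
// Host names used below are constructed for illustration.

function normalizeHost(h) {
  return String(h).trim().toLowerCase().replace(/\.$/, "");
}

// True if a document served from `hostname` is allowed to set
// document.domain = target.
function canRelaxTo(hostname, target) {
  const host = normalizeHost(hostname);
  const tgt = normalizeHost(target);
  if (host === "" || tgt === "") return false;
  if (host === tgt) return true;              // own host is always permitted
  if (!tgt.includes(".")) return false;       // "com" alone is a TLD, rejected
  return host.endsWith("." + tgt);            // suffix must start at a label boundary
}

// Two frames can script each other across the relaxed boundary only when
// both are permitted to relax to the same value and both actually do so.
// Each entry: { host: "...", domain: "value it assigns to document.domain" }
function framesCanShareData(frameA, frameB) {
  if (frameA.domain !== frameB.domain) return false;
  return canRelaxTo(frameA.host, frameA.domain) && canRelaxTo(frameB.host, frameB.domain);
}

// Constructed scenario matching the guide's description: portal server and
// PC UI server on different hosts of one company domain, plus an unrelated frame
// that tries to claim the same domain value.
const portalFrame  = { host: "portal.example.com",  domain: "example.com" };
const pcuiFrame    = { host: "crm.example.com",     domain: "example.com" };
const foreignFrame = { host: "iview.attacker.test", domain: "example.com" };

console.log(framesCanShareData(portalFrame, pcuiFrame));    // true
console.log(framesCanShareData(portalFrame, foreignFrame)); // false
```

Note that relaxation is symmetric: once one frame has assigned document.domain, the other frame must assign the same value as well, even if that value already equals its own host name; `framesCanShareData` therefore requires both sides to have set it.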

Other communication technologies used are:

• Controller-components of the framework: They handle the communication within the framework.

• Tags reading the blueprint-customizing in CRM

• Tags reading all data to be displayed from CRM database.

• Business Server Pages (BSPs): The SAP technology for creating web-based applications.

• Business HTML (HTMLB): Specialized Markup-Language for presenting data on the internet.

• XML and SOAP: The CRM Designer uses XML and SOAP technologies to update the database.

For more information about these technologies, refer to the SAP Web Application Server Security Guide (ABAP+Java) under the alias securityguide on SAP Service Marketplace.

Level of Protection

The PC UI framework handles only one security-level and that is for the configuration data. The security of the connections is managed by the web applications using the PC UI framework, and not by the framework itself.

The URL connection to the backend system is Base64-encoded. The BSP technology ensures Base64-encoding for all form-parameters in the URL. However, this mechanism is not used within the PC UI. The PC UI framework does not prevent you from using any sort of security technique. You can also safeguard the data in the URL by using either:

• SSL for HTTP

• Direct server communication via HTTP POST

When using the PC UI, it is recommended that you disable the CRM Designer connection. This can be done using the SCIF transaction. In addition, you can also switch the framework and server into SSL mode.

Minimal Installation

A user with SAP_ALL rights can call applications that are not part of the portal. To restrict this:

1. Go to Blueprint Customizing, using the transaction crmc_blueprint.

2. Choose Layout of User Interface → Application/Layout.

In the edit mode you can remove the application from the list.

In case you want to add this application to the list at a later point in time, you must re-enter all the settings of the application layout.

Blueprint Application Builder (BAB)


The CRM Designer Interface bears no relevance during the runtime of the PC UI framework or of web applications using the framework. Hence, you can switch off this tool by deactivating the CRM Designer Interface Service.

Other Security-Related Information

PC UI Framework Components Using JavaScript

• Search ResultList

The ResultList classes generate JavaScript for creating HREF links. Links will be generated only when the ResultList is used for portals.

• ValueHelp: Uses JavaScript in the following cases:

All tags for using ValueHelp are rendered.

When the user triggers ValueHelp, JavaScript creates a browser window and handles the selections that the user makes.

ValueHelp is not available when JavaScript is switched off.

• SearchResult Tree and SearchRequest OIC

Use JavaScript to be able to launch the Popup-to-Confirm. If you deactivate JavaScript, then you cannot use these components because without the Popup-to-Confirm, the chain of execution for saving changed or new data is broken.

• Interface Object Link Generation

The Interface calls the object link generation method and gets the JavaScript, which is then executed in the browser. If active scripting is disabled, Object Link Generation will not work and a user will not be able to navigate from one application to another.

• Cursor Setting

The cursor setting is implemented purely in JavaScript and the generation of the JavaScript takes place in different controllers. The setting of the cursor and the check of mandatory fields will not work without activated JavaScript.

• Mandatory Field Check

The check of mandatory fields is implemented purely in JavaScript and the generation of the JavaScript takes place in the different controllers.

• Simple Search (Tag) and Advanced Search (Tag)

These controllers do not add any JavaScript, but hyperlinks to JavaScript are present in the buttons shown by the view. Hence, Simple and Advanced Search will not function properly if active scripting is disabled in the browser security settings.

• List Personalization

This will not work if active scripting is disabled. This means that the new window will not appear for the user to personalize the list.

• F1 Help

The Help link will not work if active scripting is disabled.

• Tree

The Tree classes generate JavaScript to create HREF links. Links will be generated only when the Tree is used in portals. JavaScript is also used to change the design of the root node and adjust the indexes of the name part of HTML tags used for the tree node.


The tree will not function if JavaScript is deactivated and the wrong node indexes would be passed back to the server after each roundtrip.

• HTML Container

Uses JavaScript to insert either HTML source code or a source URL into the iframe object, which is the container. The HTML Container will not work if JavaScript is deactivated.

• Dropdown Listbox (DDLB)

The DDLB uses JavaScript only when the basis tags use JavaScript. The ResultList tag and StructureEdit tag do not render JavaScript for the DDLB. In the case of a multi edit, the container of the BSP basis is used. This container also uses JavaScript to retrieve the correct values for dropdown list boxes.

If JavaScript is deactivated, the correct values are not put into the dropdown list box.

• EventOnEnter/ EventOnSearchEnter

These are both JavaScript functions that provide the ENTER function on the keyboard. Depending on where the focus is, a server roundtrip is triggered and the data in the view is refreshed.

Both functions will not work when JavaScript is deactivated. A user will then have to use the GO button for the search in the web browser. In addition, the Refresh button will not be available.

• Structure Edit

Uses JavaScript for creating links. If JavaScript is deactivated, the Structure Edit will not render any usable link.

• Application Log

Uses JavaScript for the links to the message long text (“Details”). If JavaScript is deactivated, long texts for messages will not be available.

• Popups

Uses JavaScript for opening and closing of the additional window and to emulate a modal dialog. If JavaScript is deactivated, popups will not be available.

• Main Controller: Loads the JavaScript file Main.js.

• Detail.do

The Detail.do classes generate JavaScript for creating HREF links. Links will be generated only when the Detail.do is used in portals. If the JavaScript is deactivated, then it would not render any functioning HREF links.

• The following controllers are dependent on JavaScript, but do not generate JavaScript on their own:

Search Result OIC

Multi Select OIC

Multi Edit ODC

PC UI Framework Components Not Using JavaScript

• Pager

• Pattern Interaction Layer

• Generic Data Context

• HTML Controller


• Tree controller

• Data Binding

• Layout Generation


SAP Business Information Warehouse

Security for SAP Business Information Warehouse is covered by the security guide for BW:

Related Security Guides

Application: SAP Business Information Warehouse

Guide: For more information on security, see SAP Help Portal under help.sap.com → SAP NetWeaver → Release ’04 → SAP NetWeaver → Information Integration → SAP Business Information Warehouse → BI Suite: Business Explorer → Integration with the SAP Enterprise Portal → Settings in SAP BW and SAP EP → Security


Object Links, Input Help, Core Services and Java Lists

Introduction

The following section contains security-relevant information on the following technical components:

• Object links

• Input help

• Core Services

• Java lists

All the components are based on ABAP, Java, SAP Java Connector (JCo) and Portal components, with the following exceptions:

• Input help does not contain Java coding.

• Core services and Java lists are coded exclusively in Java, although they call remote-enabled ABAP function modules (via JCo).

Basic components:

• SAP Web Application Server 6.20

• Enterprise Portal 6.0

• CRM 4.0

• SAP Java Connector (JCo) 2.0.10, 2.1.2 or higher

Object links and input help are based on URLs that support navigation to Portal content.

Security aspects that need to be considered are as follows:

• The application called: the user can only start certain applications

• Data displayed: the user cannot see / change all data

Because URLs are only made up of text, any user can create them. In this respect, full security cannot be guaranteed at the level of link creation. It is instead the responsibility of the application to protect itself from unauthorized startup or data display/change. In other words, when a user attempts to use an application for which he or she does not have authorization, the application itself is responsible for checking this and, if necessary, denying access. If the current user is authorized to call up the application, the application must also determine what data can be displayed, and whether it can be displayed with change authorization or as read-only. None of this can be effectively covered using URLs.

Java lists call function modules in the backend and display the values determined in list format. Here, the function modules must ensure that the user is allowed to call the corresponding modules and that only “allowed” data is displayed.
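A server-side pattern for the responsibility the guide places on the application, as an added example in JavaScript (this is not code from the SAP guide, the Business Package or the Portal): it parses an object link, rejects a malformed one, refuses to start an application the user is not allowed to call, and derives the display/change mode from the user's own grants rather than from anything in the URL. The URL parameter names (crm_app, crm_object_id, mode), the application names and the permission records are constructed for the example.

```javascript
// Added example, not part of the SAP guide or of the Business Package code.
// Demonstrates the guide's point: a URL is plain text that any user can type,
// so the application behind an object link must itself decide whether the
// user may start it and whether the object is shown read-only or changeable.
// Parameter names, application names and the grants below are constructed.

// Constructed per-user grants: application -> highest mode the user holds.
const GRANTS = {
  jdoe:  { ACCOUNT: "CHANGE", ACTIVITY: "DISPLAY" },
  guest: { ACCOUNT: "DISPLAY" },
};

// Parse an object link; throw on anything that does not name an application
// and an object, so a malformed link never reaches the authorization step.
function parseObjectLink(url) {
  const u = new URL(url);
  const app = u.searchParams.get("crm_app");
  const objectId = u.searchParams.get("crm_object_id");
  const requestedMode = (u.searchParams.get("mode") || "DISPLAY").toUpperCase();
  if (!app || !objectId) {
    throw new Error("malformed object link: application or object missing");
  }
  if (requestedMode !== "DISPLAY" && requestedMode !== "CHANGE") {
    throw new Error("malformed object link: unknown mode " + requestedMode);
  }
  return { app, objectId, requestedMode };
}

// Decide server-side. The "mode" in the URL is only a request; the effective
// mode comes from the user's grant, never from the link itself.
function authorizeObjectLink(user, url) {
  const link = parseObjectLink(url);
  const granted = (GRANTS[user] || {})[link.app];
  if (!granted) {
    return { allowed: false, reason: `user ${user} may not start ${link.app}` };
  }
  const mode = link.requestedMode === "CHANGE" && granted === "CHANGE" ? "CHANGE" : "DISPLAY";
  return { allowed: true, app: link.app, objectId: link.objectId, mode };
}

// Constructed portal URL: a guest asking for CHANGE on an account is
// downgraded to DISPLAY rather than refused, because the application is
// permitted, only the requested mode is not.
const sampleLink =
  "https://portal.example.test/irj/servlet?crm_app=ACCOUNT&crm_object_id=4711&mode=CHANGE";
console.log(authorizeObjectLink("guest", sampleLink)); // mode: 'DISPLAY'
```

Which objects within an authorized application the user may see is a further check the application has to make against its own data; the example stops at the application and mode decision that the guide describes.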

Core services comprise several components

• URL Dispatcher: analogous to object links.

• Telephony: not security-relevant, as only one telephone number is dialed

Watch out for toll charging numbers starting with 0190.

• CRM Context: storage of user-dependent data, management of JCo connections.


• CRM Core Backend Mapper: this can be used to define specific backend connections to system aliases for individual users or user groups. The standard security rules apply to these backend systems. Data for the Core Backend Mapper is stored in the UME.

• PSID Generator: not security-relevant.

Related Security Guides

Application: SAP Enterprise Portal
Guide: service.sap.com/securityguide → EP 6.0 SP2: Security Guide
Most important sections or special restrictions: Secure Communications → Communication with Backend Systems; Authentication (Authorizations); Single Sign-On

Application: JCo
Guide: service.sap.com/securityguide → SAP NetWeaver ’04 Security Guide
Most important sections or special restrictions: Network and Communication Security; Security Aspects for Connectivity and Interoperability; Security Guides for the SAP NetWeaver Components

Why do we need Security?

Security aspects are important for object links, input help, Context Service and Java lists.

For object links, Java lists and input help, it is important to ensure that users can only call the appropriate content and applications. These contents or changes are protected by the program logic used.

User Administration and Authentication

Integration with the Single Sign-On Environment

Single Sign-On is used particularly for JCo calls of RFC function modules.

Network and Communication Security

Communication Channel Security

Remote calls are made to function modules in the application server. JCo is used for this.

Communication Destinations

JCo calls are made to the CRM Backend. The Portal system alias SAP_CRM has been created for this purpose.


For more information, see SAP Help Portal under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM → System Landscape in the Portal → Editing the Alias in the System Landscape.

Data Storage Security

Data for the object links is saved in the CRM backend system.

Context Service saves data in the file system of the Portal server. This data is not security-relevant.

Other Security-Relevant Information

Object links use JavaScript in the frontend.


SAP Internet Sales

Introduction

This section only describes the security settings that need to be made for the iViews in Channel Management roles.

• CRM 4.0

• mySAP CRM BP (specifically, Channel Management roles)

• J2EE Engine 6.20 / 6.30

• Secure Socket Layer settings (SSL) – SAP Cryptographic Libraries (IAIK)

• SAP Web applications: Internet Sales Web applications, Internet Customer Self Service (ICSS), Financial Supply Chain Management (FSCM)

• Enterprise Portal

Related Security Guides

Application: J2EE 6.20
Guide: SSL settings (available on SAP Service Marketplace)

Applications: Internet Sales, ICSS, FSCM, Enterprise Portal

Why do we need Security?

Channel Management roles are connected to SAP Web applications (among others), such as Internet Sales B2B Shop. To ensure a secure connection between the SAP Enterprise Portal and the connected Web applications, connections can be created via Secure Socket Layer (SSL). The underlying protocol is HTTPS.

Important SAP Notes

Check regularly for SAP Notes relevant to application security.

SAP Note 660720: HTTPS workaround for customer portal

SAP Note 679874: Configuration of shop iViews for SSL (HTTPS) support


User Administration and Authentication

User Administration

In CRM, the SU01 users are referenced. In the Portal, the corresponding Portal users are required. The SAP Web applications each require an enhancement to the SU01 user. These should each be determined from the corresponding documentation.

User Administration Tools

Tool: Internet Sales User; Detailed description: ISA documentation

Tool: ICSS User; Detailed description: ICSS documentation

Tool: FSCM User; Detailed description: FSCM documentation

Integration with the Single Sign-On Environment

Logon to external Web applications is carried out via the Single Sign-On Ticket (SSO) for the Portal. This is sent by the Portal and then read and accepted by the external Web applications. The Portal SSO must be imported to the corresponding ABAP / CRM system, so that SAP Web applications also receive the ticket.

Authorizations

The following roles are required for ISA integration:

• SAP_CRM_INTERNET_CUSTOMER

• SAP_CRM_INTERNET_SELF_SERVICE

• SAP_CRM_ISA_UA_SUPERUSER

• SAP_CRM_PRODUCT_CATALOG

Also, in order to use ICSS, a reference user for additional rights (ICSSUSER) must be assigned, requiring the role SAP_CRM_ISA_ITSLOGIN.

Network and Communication Security

Communication Channel Security

The HTTPS protocol can be configured in the Channel Management roles. This ensures that data is transferred between SAP Enterprise Portal and SAP Web applications in encrypted form. The corresponding J2EE servers must support the HTTPS protocol.

The SAP Web applications can run on a separate J2EE server. Communication between the Portal and the SAP Web applications takes place via TCP/IP.

The Portal and the connected SAP Web applications can use the HTTP or HTTPS protocol.

The HTTP/HTTPS connection from the Portal to the SAP Web application transfers logon data, but no user names or passwords; the SSO cookie handles this.

Network Security

The Portal and the connected SAP Web applications can run in different network segments; they just need to belong to the same domain.


BSP Application

Introduction

The People-Centric UI from mySAP CRM is integrated with Enterprise Portal using the Application Integrator component, which, in turn, is part of SAP Enterprise Portal 6.0.

The People-Centric UI of mySAP CRM itself is a framework based on templates. It is created using the technology of the Business Server Page and is based on SAP Web Application Server 6.20.

The security guide for SAP Web Application Server and SAP Enterprise Portal covers all the security-related topics and is used as a guideline for ensuring the integration of the People-Centric UI of mySAP CRM.

Related Security Guides

Application: SAP Web Application Server
Guide: service.sap.com/securityguide → "How To" - Guides SAP Web AS 6.20
Most important sections or special restrictions: SAP Web AS 6.20 Security Series 3: SSL; SAP Web AS 6.20 Security Series 1-7

Application: SAP Enterprise Portal
Guide: service.sap.com/securityguide → EP 6.0 SP2: Security Guide
Most important sections or special restrictions: Secure Communications → Communication with Backend Systems; Authentication (Authorizations); Single Sign-On


CRM Access Control Engine

Introduction

The Access Control Engine (ACE) is set up and managed via Customizing. You can find it under Customer Relationship Management → Basic Functions → Access Control Engine.

ACE is released for Channel Management and is provided with inactive rights that you can activate after the transport.

The following software components are required for ACE:

Components

Component    Release      Description
SAP_BASIS    620          SAP Basis Component
SAP_ABA      620          Cross Application Component
BBPCRM       400          BBPCRM
PI_BASIS     2003_1_620   PI_BASIS 2003_1_620: Add-On Installation

Why do we need Security?

ACE manages authorizations for users, which therefore need to be protected. Manipulation of authorization data can lead to the assignment of incorrect authorizations (i.e. users receiving authorizations that they should not have).

Important SAP Notes

SAP Note 683913: Logging of data changes for specific ACE tables. Comment: Description of activation of database logging for important ACE tables.

User Administration and Authentication

User Administration

The system references SU01 users and their individual roles (i.e. ACE uses user names to manage user authorizations). Therefore, changes to the SU01 users directly influence the authorizations that ACE manages.

User Data Synchronization

Before deleting an SU01 user, remember the following:


Deleting users

Before you delete the user, delete it from all user groups in which it has Child-Type = U.

1. To do this, choose the following path in Customizing: Customer Relationship Management → Basic Functions → Access Control Engine → User Groups → Assign Users to User Groups

2. Select the lines that have Child-Type = U.

3. Make a note of the user groups that you selected.

4. Delete the lines and save the table.

5. Choose the following path in Customizing: Customer Relationship Management → Basic Functions → Access Control Engine → ACE Administration Tool

6. Choose the User Group Administration tab.

7. Create the user groups that you noted down via Activate.

8. Select the Refresh touched user context checkbox.

9. Choose Activate (F8).

Integration with the Single Sign-On Environment

ACE is not integrated with the Single Sign-On environment.

Authorizations

No roles are delivered with ACE, as the ACE framework does not need any roles.

The administrator requires authorization to maintain the ACE tables (transaction SM30); this is controlled by the authorization object S_TABU_DIS.

Network and Communication Security

Communication Destinations

ACE does not provide any RFC/JCo destinations.

Data Storage Security

ACE saves data in the database of the SAP system, as well as temporarily on the application server(s) (user context cache).

Activating rights also triggers background processing.

During the runtime, when authorization queries are made to ACE, the system mainly reads the calculated data. Updating the authorization-relevant object data also triggers background processing.

Trace and Log Files

Because deleting, adding or changing data in the ACE tables also affects the authorization check, we recommend that you log changes to the ACE tables. For each table, the logging mechanism records the user name and the changes that the user makes.

ACE logs changes to the following database tables in the standard delivery:

• Definition of actor type (CRM_ACE_ACTTYP)

• Customizing (CRM_ACE_CUSTOM)

• Object types (CRM_ACE_OTYPES)

• Rights (CRM_ACE_RIGHTS)

• Activated rights (CRM_ACE_RIG_RT)


• Rules (CRM_ACE_RULES)

• Assignment of table names to super types (CRM_ACE_ST_ACC)

• Activated user groups (CRM_ACE_UGR_RT)

If necessary, you can also activate logging for the following tables:

• Defines determination of actors for the object (CRM_ACE_AFO_CL)

• Defines determination of actors for the user (CRM_ACE_AFO_CL)

• Action groups (CRM_ACE_ANGRP)

• Assignment of actions to action groups (CRM_ACE_ANGRPS)

• Defines determination of objects via a filter (CRM_ACE_OBF_CL)

• User groups (CRM_ACE_U_GRP)

• Assignment of users, roles or groups to user groups (CRM_ACE_U_GRPS)

You can activate and deactivate the tables in the ABAP Dictionary. You can view the log results in the table history (transaction SCU3).

If you activate rights using the ACE administration tool in Customizing, you will find the results of the activations in the Statistics tab.


Knowledge Management

Introduction

For KM, you require:

• SAP Web Application Server 6.20

• Enterprise Portal 5.0

• SAP Portals Knowledge Management

• SAP TRex

Other Security Guides

Guide: KM Admin Guide

Why do we need Security?

The security settings need to be made to protect internal documents from misuse via external access or access from other departments.

User Administration and Authentication

Integration with the Single Sign-On Environment

Knowledge Management works in a Single Sign-On environment.

Authorizations

Authorizations for Infocenter Directory Structure

You have the option to restrict access to the Info Center according to the individual user groups. This function guarantees that information does not reach users (e.g. your customers and partners) for whom it is not intended.

For more information, see SAP Help Portal under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM → Knowledge Management in CRM → Setting Authorizations.

Authorizations for WebDAV Hierarchies

To publish CRM system documents, set up an HTTP service in the Internet Communication Manager (ICM) of the CRM system. The HTTP service represents the interface of the WebDAV service to the outside world. If you have decided not to use anonymous logon, make sure that you have performed the steps described in SAP Note 686776.

You can use an authorization object (CRM_DOCS_H) to determine whether a user is allowed to see all, none or some hierarchies. The authorization object is usually assigned to a user via the authorization profile of a role.


For more information on authorizations, see SAP Help Portal under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM → Knowledge Management in CRM → Publishing CRM System Documents in KM → CRM Server → Maintaining Authorizations for WebDAV Hierarchies.


Alerts

Introduction

The following text only covers the area of Alert Management in the Portal. It does not cover other security tasks for components that are used or linked to, but which are not part of the Business Productivity Pack.

The following components provide functionality for displaying alerts in the Portal. For further information on the architecture, see the following applications:

• Alert Framework

• SAP CRM 4.0

• Business Package for mySAP CRM - Business Productivity Pack (60.1)

• JCo

Why do we need Security?

Alerts must be protected from unauthorized access, because alerts are connected to activities, which in turn make it possible to view subsequent activities. Viewing an activity can itself also trigger an activity or confirm an alert.

Important SAP Notes

Check regularly for SAP Notes available for application security.

SAP Note 703058: Security issue in function modules

System Landscape

The following table describes where you can find additional information on the technical system landscape.

Further information on the system landscape

Title: Alert Management
Guide/Tool: Alert Management
Quick Link: SAP Help Portal under help.sap.com → SAP NetWeaver → Release ‘04 → SAP NetWeaver → Application Platform (SAP Web Application Server) → Business Services → Business Communication Services → Alert Management


User Administration and Authentication

Integration with the Single Sign-On Environment

Alert Management is fully integrated with the Single Sign-On environment.


Integration of SAP R/3-Transactions with Portal Roles

Introduction

The Business Package for mySAP CRM - Business Productivity Pack SAP R/3 Integration (60.1) contains both BW iViews and transaction iViews. Both iViews use the standard SAP iView templates, where the standard SAP transaction iView template is contained within a CRM transactions iView template.

The transaction iViews are connected with an SAP R/3 System via the Internet Transaction Server (ITS).

A CRM system is used for the object linking.

Pay attention to the system requirements of the Business Package.

For more information, see SAP Help Portal under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM (SAP R/3) → System Landscape in the Portal → System Requirements

Other Security Guides

Applications: Enterprise Portal, BW system, SAP R/3 system, Internet Transaction Server

User Administration and Authentication

User Administration

User Administration Tools

Tool: General tools in SAP Enterprise Portal

Tool: General tools in the backend system; Detailed description: Transaction SU01

You must create the following users yourself:

• The required individual users in the backend system

• Portal users corresponding to the backend users, in order to receive the backend contents.


Authorizations

The following roles are delivered with the CRM system; they do not contain any authorizations. They are only used for object links.

• Role for sales assistants for SAP R/3 integration (SAP_PCC_V02_SALES_ASSISTANT_CN)

• Role for service manager for SAP R/3 integration (SAP_PCC_V02_SERVICE_MANAGER_CN)

• Role for technical customer consultant for SAP R/3 integration (SAP_PCC_V02_SERVICE_REP_CN)

In the BW system, only the role SAP_BW_PCC_SALES_AST_CN is delivered.

To integrate SAP R/3 roles in the Portal, you must create your own roles in the SAP R/3 system, or you must use your existing roles and add the required authorizations to them.

The configuration guide to the business package contains a description of which portal roles contain which R/3 transactions. You can find this guide in the SAP Help Portal, under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM (SAP R/3)

Add the authorizations in accordance with the SAP guidelines (e.g. add transactions that are used by Portal roles). For further information, see SAP Help Portal under help.sap.com → SAP NetWeaver → SAP Web Application Server → SAP Web Application Server 6.20 → mySAP Technology Components → Technical Operations Manual for mySAP Technology → Administration of the SAP Web Application Server → Management of the ABAP Subsystem → Users and Roles.


Roles in the CRM System for Portal Users

Introduction

The Business Package for mySAP CRM - Business Productivity Pack (60.1) combines the following technical components:

• SAP Web Application Server

• SAP Enterprise Portal

• mySAP CRM

• mySAP SEM

• SAP BW

Every Portal user must have a corresponding backend user. Within the backend system, the backend roles are assigned to the backend users. These roles, in turn, assign authorization objects to the users.

For more information, see the SAP authorization concept in the SAP Security Guide.

The backend roles and their generated profiles determine what the user is allowed to do within the system. By adding a backend role or a profile to a user, the user receives all authorizations contained in the backend role. The backend roles must correspond to the content of the relevant Portal role.

User Administration and Authentication

User administration

Create your users both in the backend and in the Portal, so that they can access the content from the backend.

User Data Synchronization

After you have used the profile generator to generate profiles for the roles in the backend system, you must update the user master records with the newly generated profiles by running the user master comparison (the User tab in transaction PFCG, or transaction PFUD); until you do, the users assigned to the roles do not actually hold the authorizations. For further information, see Authorizations.

Integration with the Single Sign-On Environment

The entire business package is integrated with the SSO environment.

We recommend that you do not apply user mapping for the following applications, because this can restrict integration:

• SAP Business Information Warehouse: for more information, see SAP Help Portal under help.sap.com → SAP NetWeaver → Release '04 → SAP NetWeaver → Information Integration → SAP Business Information Warehouse → BI Suite: Business Explorer → Integration with the SAP Enterprise Portal

• ISA together with Financial Supply Chain Management and Internet Customer Self-Service

For more information, see SAP Help Portal under help.sap.com → SAP NetWeaver → SAP Enterprise Portal → Administration Guide.


Authorizations

For every transported Portal role there is a corresponding backend role that collects all the authorizations that the Portal user needs to work with CRM content.

Before you assign a role to a user, check the authorization objects in the role and maintain them so that the user receives exactly the authorizations that the corresponding Portal role requires, and no more. Use the profile generator to do this (transaction PFCG).
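The requirement stated here and under Introduction, that every Portal user has a backend user and that the backend role assigned to that user corresponds to the content of the Portal role, can be verified mechanically before roles are handed out. The following script is an added example, not part of this guide and not SAP code. It reconciles constructed exports (which backend user each Portal user is logged on as, which backend role carries the authorizations for each Portal role, and which roles each backend user holds, as you would export from Portal user management and from SUIM/PFCG) and flags Portal users without a backend user, Portal roles with no backend counterpart, backend users missing the role that carries their Portal content, backend users holding roles no Portal role accounts for, and backend users that no Portal user refers to. All user IDs, role names, Portal role paths and the export layout are assumptions.

```python
"""Reconcile SAP Enterprise Portal users against their CRM backend users.

Added example for this guide, not SAP code. It works on constructed
exports: which backend user each Portal user is logged on as, which
backend role carries the authorizations for each Portal role, and which
roles each backend user holds (the kind of lists you would pull from
Portal user management and from SUIM/PFCG). All IDs, role names, Portal
role paths and the dictionary layout below are assumptions.
"""
from dataclasses import dataclass, field

# Constructed Portal export: Portal user -> backend user and Portal roles.
PORTAL_USERS = {
    "jdoe":   {"backend_user": "JDOE",   "portal_roles": {"pcd:crm/sales_assistant"}},
    "msmith": {"backend_user": "MSMITH", "portal_roles": {"pcd:crm/service_manager"}},
    "ghost":  {"backend_user": "GHOST",  "portal_roles": {"pcd:crm/sales_assistant"}},
}

# Hypothetical customer roles (Z_*) that carry the authorizations for each
# Portal role; the delivered SAP_PCC_* roles contain no authorizations.
PORTAL_TO_BACKEND_ROLE = {
    "pcd:crm/sales_assistant": "Z_CRM_SALES_ASSISTANT",
    "pcd:crm/service_manager": "Z_CRM_SERVICE_MANAGER",
}

# Constructed backend export: backend user -> roles assigned in SU01/PFCG.
BACKEND_USERS = {
    "JDOE":   {"Z_CRM_SALES_ASSISTANT"},
    "MSMITH": {"Z_CRM_SERVICE_MANAGER", "Z_FI_CLOSING_ADMIN"},  # extra role
    "ORPHAN": {"Z_CRM_SALES_ASSISTANT"},                        # no Portal user
}


@dataclass
class Findings:
    missing_backend_user: list = field(default_factory=list)    # (portal user, backend user)
    unmapped_portal_role: list = field(default_factory=list)    # (portal user, portal role)
    missing_backend_role: list = field(default_factory=list)    # (backend user, role)
    excess_backend_role: list = field(default_factory=list)     # (backend user, role)
    backend_without_portal: list = field(default_factory=list)  # backend user

    def ok(self) -> bool:
        """True when no deviation was found."""
        return not any(vars(self).values())


def reconcile(portal_users, role_map, backend_users) -> Findings:
    """Compare the Portal side with the backend side and collect deviations."""
    f = Findings()
    referenced = set()
    for puser, info in portal_users.items():
        buser = info["backend_user"]
        referenced.add(buser)
        if buser not in backend_users:
            # Portal user would receive no backend content at all.
            f.missing_backend_user.append((puser, buser))
            continue
        expected = set()
        for prole in sorted(info["portal_roles"]):
            if prole in role_map:
                expected.add(role_map[prole])
            else:
                f.unmapped_portal_role.append((puser, prole))
        actual = backend_users[buser]
        # Backend role that should carry the Portal content is not assigned.
        f.missing_backend_role.extend((buser, r) for r in sorted(expected - actual))
        # Backend role that no Portal role accounts for: review for least privilege.
        f.excess_backend_role.extend((buser, r) for r in sorted(actual - expected))
    # Backend users that no Portal user is logged on as.
    f.backend_without_portal.extend(sorted(set(backend_users) - referenced))
    return f


if __name__ == "__main__":
    findings = reconcile(PORTAL_USERS, PORTAL_TO_BACKEND_ROLE, BACKEND_USERS)
    for name, items in vars(findings).items():
        for item in items:
            print(f"{name}: {item}")
```

On the constructed data the script reports the Portal user ghost without a backend user, the extra role Z_FI_CLOSING_ADMIN on MSMITH, and the backend user ORPHAN that no Portal user refers to. Run it against real exports after each transport of Portal roles and after each PFCG change, and treat every excess role as a least-privilege review item rather than something to silence.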

For further information, see SAP Help Portal under help.sap.com → SAP NetWeaver → SAP Web Application Server → SAP Web Application Server 6.20 → mySAP Technology Components → Technical Operations Manual for mySAP Technology → Administration of the SAP Web Application Server → Management of the ABAP Subsystem → Users and Roles.

For further information, see also SAP Help Portal under help.sap.com → mySAP Business Suite → SAP Customer Relationship Management → SAP CRM Powered by SAP NetWeaver → Application Platform → Lifecycle Management → Configuring the Business Package for mySAP CRM.


Appendix

Related Security Guides

For more information on the security of SAP applications, see SAP Service Marketplace under service.sap.com/security.

You can find the security guides in SAP Service Marketplace under service.sap.com/securityguide.

Related Information

For more information on security-relevant topics, see the links in the table.

Quick Links to related information

Content                                                                          Quick Link to the SAP Service Marketplace (service.sap.com)
Master guides, installation guides, upgrade guides, solution management guides   instguides, ibc
Related SAP Notes                                                                notes
Released platforms                                                               platforms
Network security                                                                 network, securityguide
Technical infrastructure                                                         ti
SAP Solution Manager                                                             solutionmanager
Checklists