Security Guide PUBLIC

2016-11-14

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Content

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

4 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2 Integration Into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

5 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

6 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

6.1 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.2 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
6.3 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

7 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

8 Enterprise Services Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

9 Trace and Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

SAP Nota Fiscal Eletrnica 10.0 Security Guide

2 PUBLIC Content
1 Introduction

Caution
This guide does not replace the administration or operation guides that are available for productive operations.

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software lifecycle, whereby
the Security Guides provide information that is relevant for all lifecycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation on your system should not result in loss of information or processing time.
These demands on security apply likewise to SAP Nota Fiscal Eletrnica 10.0. We provide this Security Guide to
assist you in securing SAP Nota Fiscal Eletrnica.

About This Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Nota Fiscal
Eletrnica. As SAP Nota Fiscal Eletrnica 10.0 is based on and runs SAP NetWeaver technology, read the Security
Guide for your SAP NetWeaver release. For example, http://help.sap.com/nw702 Security Information
Security Guide or http://help.sap.com/nw731 Security Information Security Guide . All Security Guides
published by SAP are available on SAP Service Marketplace at http://service.sap.com/securityguide .

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document, and references
to other Security Guides that build the foundation for this Security Guide.
Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by
SAP Nota Fiscal Eletrnica.
User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
Recommended tools to use for user management.
User types that are required by SAP Nota Fiscal Eletrnica.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Introduction PUBLIC 3
 Standard users that are delivered with the SAP Nota Fiscal Eletrnica.
Overview of the user synchronization strategy, if several components or products are involved.
Overview of how integration into Single Sign-On environments is possible.
Authorizations
This section provides an overview of the authorization concept that applies to SAP Nota Fiscal Eletrnica.
Network and Communication Security
This section provides an overview of the communication paths used by SAP Nota Fiscal Eletrnica and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level.
Data Storage Security
This section provides an overview of any critical data that is used by SAP Nota Fiscal Eletrnica and the
security mechanisms that apply.
Trace and Log Files
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

4 PUBLIC Introduction
2 Before You Start

Fundamental Security Guides

SAP Nota Fiscal Eletrnica is built on SAP NetWeaver. Therefore, the corresponding Security Guide of this
application also applies to SAP Nota Fiscal Eletrnica. Since SAP Nota Fiscal Eletrnica 10.0 is based on and runs
SAP NetWeaver technology, read the Security Guide for SAP NetWeaver at http://help.sap.com/nw702
Security Information Security Guide or http://help.sap.com/nw703 Security Information Security
Guide . Pay particular attention to the most relevant sections or specific restrictions as indicated in the table
below.

Table 1: Fundamental Security Guides

Scenario, Application, or Component Security Guide Most-Relevant Topics or Specific Restrictions

SAP NetWeaver Application Server ABAP Security Guide for Network Security for SAP Web AS ABAP
SAP NetWeaver 7.0 EHP2 or EHP3. Security for the RFC Connections under Protecting your
Productive System (Change and Transport System)
For security issues of the core application of SAP Nota Fiscal
Authentication and Single Sign-On under Authentication
Eletrnica refer to the ABAP Add-On under

http://help.sap.com/nw702 Security Information

Security Guide Security Guides for SAP NetWeaver

According to UsageTypes SAP NetWeaver Application

Server ABAP Security Guide or http://help.sap.com/nw703

Security Information Security Guide Security Guides

for SAP NetWeaver According to UsageTypes SAP

NetWeaver Application Server ABAP Security Guide .

SAP NetWeaver Process Integration Security Guide for your Communication under Technical System Landscape
SAP PI version containing the relevant Information for SAP Network and Communication Security
NetWeaver PI under: http://help.sap.com/netweaver. Adapter-specific Security Configuration, for example for
the SOAP adapter.

For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide on the SAP
Service Marketplace.

Important SAP Notes

The most important SAP Notes that apply to the security of SAP Nota Fiscal Eletrnica are shown in the table
below.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Before You Start PUBLIC 5
Table 2: Important SAP Notes

SAP Note Number Title Comment

1492733 GRC NFE 10.0 installation on NW Description about the installation re

7.02/SAP ECC 600 quirements for SAP Nota Fiscal Eletrn
ica

1492736 Delta Upgrade to SLL-NFE with SAP Net Add-on upgrade to SAP NetWeaver Re
Weaver 7.02 lease 702 with SLL-NFE 900.

1492737 Support Packages for SLL-NFE 900 Information on Add-on Support Pack
ages for SLL-NFE 900.

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service Marketplace
at http://support.sap.com/securitynotes .

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Table 3: Quick Links to Additional Information

Content Quick Link on the SAP Service Marketplace or SDN

Security http://sdn.sap.com/irj/sdn/security

http://support.sap.com/security

Security Guides https://service.sap.com/securityguide

Related SAP Notes https://support.sap.com/notes

https://support.sap.com/securitynotes

Released Platforms https://support.sap.com/release-upgrade-maintenance/

pam.html

Network Security https://service.sap.com/securityguide

https://service.sap.com/network

SAP Solution Manager https://ssupport.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

Central entry point to receive information and documentation http://help.sap.com/nfe

for SAP Nota Fiscal Eletrnica

SAP Nota Fiscal Eletrnica 10.0 Security Guide

6 PUBLIC Before You Start
3 Technical System Landscape

The figure below shows an example of the technical system landscape for SAP Nota Fiscal Eletrnica.

For more information about the technical system landscape, see the resources listed in the table below.

Table 4: More Information About the Technical System Landscape

Topic Guide/Tool Quick Link to the SAP Service Market

place or SDN

Technical description for SAP Nota Fis Master Guide http://service.sap.com//swdc

cal Eletrnica and the underlying techno
Installations and Upgrades A-Z
logical components such as SAP Net
Index N SAP NOTA FISCAL
Weaver.
ELETRONICA SAP Electronic Invoicing

for Brazil SAP NFE 10.0

Installation

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Technical System Landscape PUBLIC 7
Topic Guide/Tool Quick Link to the SAP Service Market
place or SDN

High availability High Availability for SAP Solutions http://sdn.sap.com/irj/sdn/ha

Technical landscape design See applicable documents http://sdn.sap.com/irj/sdn/landscape

design

Security See applicable documents https://service.sap.com/security

SAP Nota Fiscal Eletrnica 10.0 Security Guide

8 PUBLIC Technical System Landscape
4 User Administration and Authentication

SAP Nota Fiscal Eletrnica uses the user management and authentication mechanisms provided with the SAP
NetWeaver platform, in particular the application server ABAP. Therefore, the security recommendations and
guidelines for user administration and authentication described in the SAP NetWeaver Application Server ABAP
Security Guide also apply to SAP Nota Fiscal Eletrnica. Read the Security Guide for SAP NetWeaver at http://
help.sap.com/nw702 Security Information Security Guide Security Guide for SAP NetWeaver According to
Usage Type SAP NetWeaver Application Server ABAP Security Guide or http://help.sap.com/nw703
Security Information Security Guide Security Guide for SAP NetWeaver According to Usage Type SAP
NetWeaver Application Server ABAP Security Guide .

In addition to these guidelines, we include information about user administration and authentication that
specifically applies to SAP Nota Fiscal Eletrnica:

User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with SAP Nota Fiscal Eletrnica.
Integration Into Single Sign-On Environments
This topic describes how SAP Nota Fiscal Eletrnica supports Single Sign-On mechanisms.

4.1 User Management

User management for SAP Nota Fiscal Eletrnica uses the mechanisms provided by the SAP NetWeaver AS
ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for
SAP Nota Fiscal Eletrnica, see the sections below.

User Administration Tools

The table below shows the tools to use for user management and user administration with SAP Nota Fiscal
Eletrnica.

Table 5: User Management Tools

Tool Description Requirements

User and role maintenance with SAP For more information, see Users and Roles must be created and assigned to
NetWeaver AS ABAP (Transactions Roles (BC-SEC-USR) [SAP Library]. the user
SU01, PFCG)

SAP Nota Fiscal Eletrnica 10.0 Security Guide

User Administration and Authentication PUBLIC 9
User Types

It is necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.

The user types that are required for SAP Nota Fiscal Eletrnica include:

Individual users:
Dialog Users:
NF-e outbound operations user monitors the outgoing NF-es using the NF-e monitor, NF-e batch
monitor, NF-e service status monitor, and the corresponding event monitors.
CT-e outbound operations user monitors the outgoing CT-es using the CT-e monitor, CT-e batch
monitor, CT-e service status monitor, and the corresponding event monitors.
MDF-e outbound operations user monitors the outgoing MDF-es using the MDF-e monitor, MDF-e
batch monitor, MDF-e service status monitor, and the corresponding event monitors.
NF-e/CT-e/MDF-e administration user for configuring the NFE solution for outgoing NF-es/CT-es/
MDF-es & incoming NF-es/CT-es.
Inbound fiscal user to monitor and control the incoming NF-es/CT-es using the fiscal workplace and
the Receiver Acknowledgment workplaces (NF-e List and Download, Receiver Acknowledgment
events).
Inbound logistics user to control the logistic steps of the incoming NF-es using the logistics
workplace.
Inbound DF-e Gate Monitor user to control the incoming goods and their corresponding electronic
documents (DF-es).
Technical Users:
RFC user for receiving calls from the ERP backend.
RFC user for receiving calls from the PI system.
Background users are used for running the necessary batch jobs.

For more information about these user types, see User Types in the SAP NetWeaver Application Server ABAP
Security Guide.

Standard Users

There are no standard users delivered with SAP Nota Fiscal Eletrnica (In addition to the NetWeaver standard
users). For more information about these standard users, see the SAP NetWeaver Security Guide at http://
help.sap.com/nw702 Security Information Security Guide (Open the Security Guide) Security Guide for SAP
NetWeaver According to Usage Types SAP NetWeaver Application Server ABAP Security Guide User
Authentication Protecting Standard Users or http://help.sap.com/nw703 Security Information Security
Guide (Open the Security Guide) Security Guide for SAP NetWeaver According to Usage Types SAP
NetWeaver Application Server ABAP Security Guide User Authentication Protecting Standard Users .

SAP Nota Fiscal Eletrnica 10.0 Security Guide

10 PUBLIC User Administration and Authentication
4.2 Integration Into Single Sign-On Environments

SAP Nota Fiscal Eletrnica supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver AS
ABAP. Therefore, the security recommendations and guidelines for user administration and authentication
described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Nota Fiscal Eletrnica.

The most commonly used supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
SAP logon tickets
SAP Nota Fiscal Eletrnica supports the use of logon tickets for SSO when using a Web browser as the
frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with
the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an
authentication token. The user does not need to enter a user ID or password for authentication but can access
the system directly after the system has checked the logon ticket.
Client certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a
frontend client can also provide X.509 client certificates to be used for authentication. In this case, user
authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and
no passwords have to be transferred. User authorizations are valid in accordance with the authorization
concept in the SAP system.

You can find more information about the available authentication mechanisms under http://help.sap.com/nw702
Security Information Security Guide (Open the Security Guide) Security Guide for SAP NetWeaver
According to Usage Type SAP NetWeaver Application Server ABAP Security Guide User Authentication or
http://help.sap.com/nw703 Security Information Security Guide (Open the Security Guide) Security Guide
for SAP NetWeaver According to Usage Type SAP NetWeaver Application Server ABAP Security Guide User
Authentication .

SAP Nota Fiscal Eletrnica 10.0 Security Guide

User Administration and Authentication PUBLIC 11
5 Authorizations

SAP Nota Fiscal Eletrnica uses the authorizations provided by SAP NetWeaver AS ABAP. Therefore, the
recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server ABAP
Security Guide also apply to SAP Nota Fiscal Eletrnica.

You can find more information about the authorization concept under http://help.sap.com/nw702 Security
Information Security Guide (Open the Security Guide) Security Guide for SAP NetWeaver According to Usage
Types SAP NetWeaver Application Server ABAP Security Guide SAP Authorization Concept or http://
help.sap.com/nw703 Security Information Security Guide (Open the Security Guide) Security Guide for SAP
NetWeaver According to Usage Types SAP NetWeaver Application Server ABAP Security Guide SAP
Authorization Concept .

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.

Customizing

If you want to access the Customizing of SAP NFE, your user role needs to be assigned to authorization group
XNFE with authorization object S_TABU_DIS.

Standard Roles

The table below shows the standard roles that are used by SAP Nota Fiscal Eletrnica.

Table 6: Inbound Roles

Role Technical Name Scenario Description

NF-e Fiscal /XNFE/ NF-e/CT-e Inbound This is the role for the inbound fiscal user. The authoriza
Clerk NFE_IN_FISCAL tions can be restricted with regard to tax numbers and
process type.

NF-e Fiscal /XNFE/ NF-e/CT-e Inbound This is the role for the inbound fiscal user. This is a re
Workplace Dis NFE_IN_FISCAL_DIS stricted role that only allows to display the NF-e/CT-e.
play only PLAY The authorizations can be further restricted with regard to
tax numbers and process type.

NF-e Fiscal /XNFE/ NF-e/CT-e Inbound This is the role for the inbound fiscal user. This is an ex
Clerk Extended NFE_IN_FISCAL_EX tended role that also allows extended control over the
TENDED process flow.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

12 PUBLIC Authorizations
 Role Technical Name Scenario Description

NF-e List and /XNFE/ NF-e Inbound This is the role for the inbound fiscal user. This user ob
Download NFE_IN_RCVRACK serves the documents issued for one of your CNPJs and
downloads them from the National Environment. The au
thorizations can be restricted with regard to tax numbers.

NF-e List and /XNFE/ NF-e Inbound This is the role for the inbound fiscal user. This is a re
Download Dis NFE_IN_RCVRACK_DI stricted role that only allows to display the NF-es issued
play only SPLAY for one of your CNPJs. The authorizations can be further
restricted with regard to tax numbers.

NF-e Logistics /XNFE/ NF-e Inbound This is the role for the inbound logistics user. The authori
Clerk NFE_IN_LOGISTIC zations can be restricted with regard to tax numbers and
process type.

NF-e Logistics /XNFE/ NF-e Inbound This is the role for the inbound logistics user. This is a re
Clerk Display NFE_IN_LOGIS stricted role that only allows to display the NF-e. The au
only TIC_DISPLAY thorizations can be further restricted with regard to tax
numbers and process type.

Denial of Ac /XNFE/NFE_IN_DENY NF-e Inbound This is the role for the inbound fiscal user. This is an ex
ceptance tended role that allows the user to deny the processing of
an NF-e. The authorizations can be restricted with regard
to own tax numbers.

NFE Reporting /XNFE/ NF-e Inbound This is the role for the inbound reporting user. The author
NFE_IN_REPORTS izations can be restricted with regard to own tax number.

NFE Gate Con /XNFE/NFE_IN_GATE NF-e/CT-e Inbound This is the role for the gate control user. The authoriza
trol KEEPER tions can be restricted with regard to own tax numbers.

Table 7: Outbound Roles

Role Technical Name Scenario Description

Outbound NF-e /XNFE/TAXNUMBER NF-e Outbound This is the role for NF-e outbound operations user. The
Monitor authorizations can be restricted with regard to the own
tax number.

Outbound CT-e /XNFE/CTE_OUT CT-e Outbound This is the role for CT-e outbound operations user. The
Monitor authorizations can be restricted with regard to the own
tax number.

Outbound CT-e /XNFE/ CT-e Outbound This is the role for CT-e outbound operations user. This is
Monitor Display CTE_OUT_DISPLAY a restricted role that only allows to display the CT-e. The
only authorizations can be further restricted with regard to
own tax number.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 13
Role Technical Name Scenario Description

Outbound /XNFE/MFE_OUT MDF-e Outbound This is the role for MDF-e outbound operations user. The
MDF-e Monitor authorizations can be restricted with regard to the own
tax number.

Outbound /XNFE/ MDF-e Outbound This is the role for MDF-e outbound operations user. This
MDF-e Monitor MFE_OUT_DISPLAY is a restricted role that only allows to display the MDF-e.
Display only The authorizations can be further restricted with regard to
own tax number.

Table 8: Technical Roles

Role Technical Name Scenario Description

RFC user from /XNFE/PRXYSERV All scenarios Communication from PI System to NFE System
PI to NFE

RFC user from /XNFE/RFCSERV All scenarios Communication from ERP Back-End to NFE System
ERP to NFE

NF-e Role Details

Table 9:

Authorization Ob Role Fields Activity

jects

SAP Nota Fiscal Eletrnica 10.0 Security Guide

14 PUBLIC Authorizations
 /XNFE/NFE1 NF-e Fiscal Clerk /XNFE/PTYP 01 Add or generate
The process that the NF-e runs Manual creation of a DANFE (if no
Authorization of tax
through (for example, NF-e for stand NF-e exists yet or accept NF-e
expert for inbound
ard purchase order) from List and Download WP)
NF-es. This object
/XNFE/CNPJ 02 Change
contains the au
Your own tax number (in case of an Change the CFOP and tax indica
thorizations
incoming NF-e, the recipient's tax tors in the simulation
needed for the daily
number). 03 Display
work of tax experts
/XNFE/CNBP Display the NF-e
so they can display
The partner's tax number (in case of Display those events that be
and process in
an incoming NF-e, the issuer's tax long to the NF-e in the NF-e
bound NF-es
number) Fiscal Workplace
ACTVT Display events in the Event
Allowed Activity Outbound Monitor (Issuing
events for an Inbound NF-e)
and Event Inbound Monitor
(Receiving events for an In
bound NF-e)
If the related NF-e to a re
ceived event is not in the sys
tem yet (especially for
eventsOperation
Acknowledgment and
Operation Denial issued from
the NF-e List and Download
Monitor), no authority check
will be executed and the
events are displayed
16 Execute
Continue the process or exe
cute an individual process
step of an NF-e
Continue the process or exe
cute an individual process
step of an event in the Event
Outbound Monitor (Issuing
events for an Inbound NF-e)
or in the Event Inbound
Monitor (Receiving events for
an Inbound NF-e)
Reject an incorrect event in
the Event Inbound Monitor by
marking the event as
Enable New Receipt
of Event.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 15
 If an NF-e related to a re
ceived event is not in the sys
tem yet, no authority check
will be executed for the event
and the event/s will be proc
essed
Trigger the NF-e Status Up
date to SEFAZ to receive new
events from the authorities
24 Archive
Archive the NF-e including all re
lated events.
25 Reload
Reload the NF-e including all re
lated events from the archive into
the database.
78 Assign
Assign NF-e items to the PO
items.
96 Deny
Rejection of an NF-e including Op
eration Termination event and re
setting of rejection.

/XNFE/NFE1 NF-e Fiscal Work /XNFE/PTYP 03 Display

place Display only The process that the NF-e runs Display the NF-e
Authorization of tax
through (for example, NF-e for stand Display those events that be
expert for inbound
ard purchase order) long to the NF-e in the NF-e
NF-es. This object
/XNFE/CNPJ Fiscal Workplace
contains the au
Your own tax number (in case of an Display events in the Event
thorizations
incoming NF-e, the recipient's tax Outbound Monitor (Issuing
needed for the daily
number). events for an Inbound NF-e)
work of tax experts
/XNFE/CNBP and Event Inbound Monitor
so they can display
The partner's tax number (in case of (Receiving events for an In
and process in
an incoming NF-e, the issuer's tax bound NF-e)
bound NF-es
number) If the related NF-e to a re
ACTVT ceived event is not in the sys
Allowed Activity tem yet (especially for
eventsOperation
Acknowledgment and
Operation Denial issued from
the NF-e List and Download
Monitor), no authority check
will be executed and the
events are displayed

SAP Nota Fiscal Eletrnica 10.0 Security Guide

16 PUBLIC Authorizations
 /XNFE/NFE4 NF-e List and /XNFE/CNPJ 03 Display
Download Your own tax number (in case of an Display the NF-e
Authorization of tax
incoming NF-e, the recipient's tax 05 Download
expert for inbound
number). Download XML or Events
NF-e List Download
/XNFE/CNBP
Monitor. This ob
The partner's tax number (in case of Note
ject contains the
an incoming NF-e, the issuer's tax
authorizations To accept an NF-e, you will need
number)
needed for the daily authorization activity 01 in object /
ACTVT
work of tax experts XNFE/NFE1
Allowed Activity
so they can display
the list of SEFAZ -
NF-es.

/XNFE/NFE4 NF-e List and /XNFE/CNPJ 03 Display

Download Display Your own tax number (in case of an Display the NF-e
Authorization of tax
only incoming NF-e, the recipient's tax
expert for inbound
number). Note
NF-e List Download
/XNFE/CNBP
Monitor. This ob To accept an NF-e, you will need
The partner's tax number (in case of
ject contains the authorization activity 01 in object /
an incoming NF-e, the issuer's tax
authorizations XNFE/NFE1
number)
needed for the daily
ACTVT
work of tax experts
Allowed Activity
so they can display
the list of SEFAZ -
NF-es.

/XNFE/NFE2 NF-e Logistics /XNFE/PTYP 03 Display

Clerk The process that the NF-e runs Display the NF-e
Authorization of lo
through (for example, NF-e for stand 16 Execute
gistics expert for in
ard purchase order) Continue the process or execute
coming NF-es
/XNFE/CNPJ an individual process step
Your own tax number (in case of an
incoming NF-e, the recipient's tax
number). /XNFE/CNBP
/XNFE/CNBP
The partner's tax number (in case of
an incoming CT-e, the issuer's tax
number).
ACTVT
Allowed Activity

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 17
/XNFE/NFE2 NF-e Logistics /XNFE/PTYP 03 Display
Clerk Display only The process that the NF-e runs Display the NF-e
Authorization of lo
through (for example, NF-e for stand
gistics expert for in
ard purchase order)
coming NF-es
/XNFE/CNPJ
Your own tax number (in case of an
incoming NF-e, the recipient's tax
number).
/XNFE/CNBP
The partner's tax number (in case of
an incoming CT-e, the issuer's tax
number).
ACTVT
Allowed Activity

/XNFE/NFE5 Denial of Accept /XNFE/CNPJ No Activity

ance Your own tax number (in case of an
Denial of Docu
incoming NF-e, the recipient's tax
ments (Operation
number).
Denial event to SE
FAZ)

/XNFE/NFE3 NF-e Fiscal Clerk /XNFE/PTYP No Activity

Extended The process that the NF-e runs
Extended authori
through (for example, NF-e for stand Note
zation of tax expert
ard purchase order)
for incoming NF-es Special functionality: The authori
/XNFE/CNPJ
zation is required in addition to one
Your own tax number (in case of an
of the NF-e inbound authorization
incoming NF-e, the recipient's tax
objects
number)
/XNFE/CNBP
The partner's tax number (in case of
an incoming NF-e, the issuer's tax
number)

/XNFE/NFE9 NFE Reporting /XNFE/CNPJ No Activity

Your own tax number
Authorization of tax
expert for inbound
NF-es to receive re
ports about in
bound NF-es

/XNFE/DFE1 NFE Gate Control /XNFE/CNPJ No Activity

Your own tax number (the recipient's
tax number); For the CT-e, the author
ity check is performed with recipient's
tax number (and not the tomador) to
ensure that the goods arrived at the
correct gate.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

18 PUBLIC Authorizations
 /XNFE/CNPJ Outbound NF-e /XNFE/CNPJ 03 Display
Monitor Your own tax number Display the NF-e:
Caution ACTVT Display and process NF-e
Allowed Activity documents in the NF-e
This authoriza
Monitor
tion object is
only valid for Display the events that be

NF-es with XML long to the NF-e in the NF-e

layout 2.00 Monitor

Display NF-es in the NF-e
Inbound Monitor (Release
1.0)
Display NF-es in the NF-e
Monitor for archived NF-es
Display and process events
in the Event Outbound
Monitor (Issuing events for
an Outbound NF-e) and
Event Inbound Monitor (Re
ceiving events for an Out
bound NF-e)
Mass-Download of NF-e(s)
including their events
Trigger the NF-e status up
date to SEFAZ

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 19
/XNFE/NFE6 Outbound NF-e/ /XNFE/CNPJ 03 Display
Event Monitor Your own tax number Display the NF-e:
Caution ACTVT Display NF-e documents in
Allowed Activity the NF-e Monitor
This authoriza
tion object is Display the events that be

only valid for long to the NF-e in the NF-e

NF-es with XML Monitor

layout 3.10 and Display NF-es in the NF-e

higher Monitor for archived NF-es
Display and process events
in the Event Outbound
Monitor (Issuing events for
an Outbound NF-e) and
Event Inbound Monitor (Re
ceiving events for an Out
bound NF-e)
Mass-Download of NF-e(s)
including their events
16 Execute
Continue the NF-e process or
the NF-e B2B process
Perform other actions in the
NF-e Monitor as defined un
der More Functions
Continue the event process
or the event B2B process in
the Event Outbound Monitor
(Issuing events for an In
bound NF-e) or in the Event
Inbound Monitor (Receiving
events for an Inbound NF-e)
Perform other actions in the
Event Outbound Monitor (Is
suing events for an Inbound
NF-e) or in the Event Inbound
Monitor (Receiving events for
an Inbound NF-e) as defined
under More Functions
24 Archive
Archive the NF-e including all re
lated events.
25 Reload
Reload the NF-e including all re
lated events from the archive into
the database.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

20 PUBLIC Authorizations
Table 10: CT-e Role Details

Authorization Role Fields Activity

Objects

/XNFE/CTE1 CT-e Fiscal Clerk /XNFE/PTYP 02 Change

The process that Change the CFOP and tax indicators in the simulation
Authorization
the CT-e runs 03 Display
of tax expert for
through Display the CT-e
inbound CT-es.
/XNFE/CNPJ Display those events that belong to the CT-e in
This object
Your own tax the CT-e Fiscal Workplace
contains the
number (in case of
authorizations Display events in the Event Outbound Monitor
an incoming CT-e,
needed for the (Issuing events for an Inbound CT-e) and Event
the tomador's tax
daily work of Inbound Monitor (Receiving events for an In
number).
tax experts so bound CT-e)
/XNFE/CNBP
they can dis If the related CT-e for a received event is not in
The partner's tax
play and proc the system yet, no authority check will be exe
number (in case of
ess inbound cuted and the events are displayed.
an incoming CT-e,
CT-es 16 Execute
the issuer's tax
Continue the process or execute an individual
number)
process step of a CT-e
ACTVT
Continue the process or execute an individual
Allowed Activity
process step of an event in the Event Outbound
Monitor (Issuing events for an Inbound CT-e) or
in the Event Inbound Monitor (Receiving events
for an Inbound CT-e)
Reject an incorrect event in the Event Inbound
Monitor by marking the event as Enable New
Receipt of Event.
If a CT-e related to a received event is not in the
system yet, no authority check will be executed
for the event and the event/s will be processed
Trigger the CT-e Status Update to SEFAZ to re
ceive new events from the authorities
24 Archive
Archive the CT-e including all related events.
25 Reload
Reload the CT-e including all related events from the
archive into the database.
96 Deny
Rejection of a CT-e.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 21
Authorization Role Fields Activity
Objects

/XNFE/CTE1 CT-e Fiscal Workplace /XNFE/PTYP 03 Display

Display only The process that Display the CT-e
Authorization
the CT-e runs Display those events that belong to the CT-e in
of tax expert for
through the CT-e Fiscal Workplace
inbound CT-es.
/XNFE/CNPJ Display events in the Event Outbound Monitor
This object
Your own tax (Issuing events for an Inbound CT-e) and Event
contains the
number (in case of Inbound Monitor (Receiving events for an In
authorizations
an incoming CT-e, bound CT-e)
needed for the
the tomadors tax
daily work of If the related CT-e for a received event is not in
number).
tax experts so the system yet, no authority check will be exe
/XNFE/CNBP cuted and the events are displayed.
they can dis
The partner's tax
play and proc
number (in case of
ess inbound
an incoming CT-e,
CT-es
the issuer's tax
number)
ACTVT
Allowed Activity

/XNFE/CTE3 CT-e Fiscal Clerk Ex /XNFE/PTYP No Activity

tended The process that
Extended au
the CT-e runs Note
thorization of
through
tax expert for Special functionality: The authorization is required in
/XNFE/CNPJ
incoming CT-es addition to one of the CT-e inbound authorization ob
Your own tax
jects
number (in case of
an incoming CT-e,
the Tomador's tax
number)
/XNFE/CNBP
The partner's tax
number (in case of
an incoming CT-e,
the issuer's tax
number).

SAP Nota Fiscal Eletrnica 10.0 Security Guide

22 PUBLIC Authorizations
 Authorization Role Fields Activity
Objects

/XNFE/CTE6 Outbound CT-e/Event /XNFE/CNPJ 03 Display

Monitor Your own tax Display the CT-e
Authorization
number (in case of Display those events that belong to the CT-e in
of Tax Expert
an incoming CT-e, the CT-e Monitor
for Outbound
the recipient's tax
CT-es Display events in the Event Outbound Monitor
number)
(Issuing events for an Outbound CT-e) and Event
ACTVT Inbound Monitor (Receiving events for an Out
Allowed Activity bound CT-e)
If the related CT-e for a received event is not in
the system yet, no authority check will be exe
cuted and the events are displayed.
16 Execute
Continue the CT-e process or the CT-e B2B
process
Continue the event process or the event B2B
process in the Event Outbound Monitor (Issuing
events for an Outbound CT-e) or in the Event
Inbound Monitor (Receiving events for an Out
bound CT-e)
Perform other actions in the Event Outbound
Monitor (Issuing events for an Inbound CT-e) or
in the Event Inbound Monitor (Receiving events
for an Inbound CT-e) as defined under More
Functions
24 Archive
Archive the CT-e including all related events.
25 Reload
Reload the CT-e including all related events from the
archive into the database.

Note
If a CT-e related to a received event is not in the sys
tem yet, no authority check will be executed for the
event and the event/s will be processed

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 23
Authorization Role Fields Activity
Objects

/XNFE/CTE6 Outbound CT-e Moni /XNFE/CNPJ 03 Display

tor Display only Your own tax Display the CT-e
Authorization
number (in case of Display those events that belong to the CT-e in
of Tax Expert
an incoming CT-e, the CT-e Monitor
for Outbound
the recipient's tax
CT-es Display events in the Event Outbound Monitor
number)
(Issuing events for an Outbound CT-e) and Event
ACTVT Inbound Monitor (Receiving events for an Out
Allowed Activity bound CT-e)

Note
If the related CT-e for a received event is not in the sys
tem yet, no authority check will be executed and the
events are displayed.

Table 11: MDF-e Role Details

Authorization Role Fields Activity

Objects

/XNFE/MFE6 Outbound MDF-e/ /XNFE/CNPJ 03 Display

Event Monitor Your own tax Display the MDF-e
Authorization
number Display those events that belong to the MDF-e in
of Tax Expert
ACTVT the MDF-e Monitor
for Outbound
Allowed Activity Display MDF-es in the MDF-e Monitor for
MDF-es
archived MDF-es
Display events in the Event Outbound Monitor
(Issuing events for an Outbound MDF-e)
Mass-Download of MDF-e(s) including their
events
16 Execute
Continue the MDF-e process
Continue the event process in the Event
Outbound Monitor (Issuing events for an Out
bound MDF-e)
Perform other actions in the Event Outbound
Monitor (Issuing events for an Inbound MDF-e)
as defined under More Functions
24 Archive
Archive the MDF-e including all related events.
25 Releoad
Reload the MDF-e including all related events from
the archive into the database.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

24 PUBLIC Authorizations
 Authorization Role Fields Activity
Objects

/XNFE/MFE6 Outbound MDF-e Mon /XNFE/CNPJ 03 Display

itor Display only Your own tax Display the MDF-e
Authorization
number Display MDF-es in the MDF-e Monitor for
of Tax Expert
ACTVT archived MDF-es
for Outbound
Allowed Activity Display those events that belong to the MDF-e in
MDF-es
the MDF-e Monitor
Display events in the Event Outbound Monitor
(Issuing events for an Outbound MDF-e)
Mass-Download of MDF-e(s) including their
events

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Authorizations PUBLIC 25
6 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the
communication necessary for your business and your needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the backend systems database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.

The network topology for SAP Nota Fiscal Eletrnica is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to SAP Nota Fiscal Eletrnica. You find more information under http://help.sap.com/nw702
Security Information Security Guide (Open the Security Guide) or http://help.sap.com/nw731 Security
Information Security Guide (Open the Security Guide) . Details that specifically apply to SAP Nota Fiscal
Eletrnica are described in the following topics:

Communication Channel Security

This topic describes the communication paths and protocols used by SAP Nota Fiscal Eletrnica.
Network Security
This topic describes the recommended network topology for SAP Nota Fiscal Eletrnica. It shows the
appropriate network segments for the various client and server components and where to use firewalls for
access protection. It also includes a list of the ports needed to operate SAP Nota Fiscal Eletrnica.
Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

Network and Communication Security

Security Guides for Connectivity and Interoperability Technologies

6.1 Communication Channel Security

The table below shows the communication paths used by SAP Nota Fiscal Eletrnica, the protocol used for the
connection, and the type of data transferred.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

26 PUBLIC Network and Communication Security
Table 12: Communication Paths

Communication Path Protocol Used Type of Data Transferred Data Requiring Special Pro
tection

Front-end client using SAP DIAG Customizing data no

GUI for Windows to applica
tion server

Frontend client using a Web HTTP or HTTPS Application data no

browser to application server
(Web Dynpro)

Application server to/from RFC Application data no

third-party application

Application server to/from RFC Application data no

Application server

PI to SEFAZ SOAP Application data Application data signed ac

cording to SEFAZ standards

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.

Note
For more information, see Using the Secure Sockets Layer Protocol with the AS ABAP the SAP NetWeaver
Security Guide (in Network Security for SAPWeb AS ABAP).

Connecting to SEFAZ

From PI to SEFAZ via WebService calls (SOAP Adapter)

HTTP, secured using the Secure Sockets Layer (SSL) protocol.
SEFAZ requires the messages to be signed.

Note
For details how to import the necessary certificate, see SAP Note 1524196 .

6.2 Network Security

There is no application specific information necessary. For the Web Service communication to SEFAZ, refer to the
PI Security Guide.

SAP Nota Fiscal Eletrnica is based on SAP NetWeaver. Therefore, the relevant Security Guides for SAP
NetWeaver are also relevant for SAP Nota Fiscal Eletrnica. For more information about network security of the
underlying SAP NetWeaver, see the SAP NetWeaver Security Guide at http://help.sap.com/nw702 Security
Information Security Guide (Open the Security Guide) SAP NetWeaver Application Server ABAP Security Guide

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Network and Communication Security PUBLIC 27
 Web Dynpro ABAP Security Guide Network infrastructure or http://help.sap.com/nw70 Security
Information Security Guide (Open the Security Guide) SAP NetWeaver Application Server ABAP Security Guide
Web Dynpro ABAP Security Guide Network infrastructure and in particular in the following topics:

Network infastructure
Network Services
This topic contains information about services and ports used by SAP NetWeaver
Network infastructure
Using Firewall Systems for Access Control
This topic contains information about firewall settings
Network infastructure
Using Multiple Network Zones
This topic contains information about the network segments in which individual parts of your application
are to be set up.

6.3 Communication Destinations

No targets are delivered, for creating see above.

SAP Nota Fiscal Eletrnica 10.0 Security Guide

28 PUBLIC Network and Communication Security
7 Data Storage Security

The data for the system is stored in the database of the SAP system
In Archive

Note
The application data for SAP Nota Fiscal Eletrnica does not require special protection

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Data Storage Security PUBLIC 29
8 Enterprise Services Security

The following sections in the NetWeaver Security Guide are relevant for all enterprise services delivered with SAP
Nota Fiscal Eletrnica:

http://service.sap.com/securityguide :

User Administration and Authentication

Network and Communication Security
Security Guide for Usage Type PI
Web Services Security
Security Guide Communication Interfaces
Security Guides for Operating System and Database Platforms
Security Aspects for System Management
Enabling Application-to-Application Processes: Security Aspects
Enabling Business-to-Business Processes: Security Aspects

For more information about special security requirements for Web services, see the SAP NetWeaver
Documentation on the SAP Help Portal at http://help.sap.com SAP NetWeaver SAP NetWeaver 7.0 including
Enhancement Package 2 or 3 SAP Library SAP NetWeaver SAP NetWeaver Developers Guide
Fundamentals Using Java Core Development Tasks Providing and Consuming Web Services Web Service
Toolset Web Services Security .

SAP Nota Fiscal Eletrnica 10.0 Security Guide

30 PUBLIC Enterprise Services Security
9 Trace and Log Files

No security relevant data is logged

SAP Nota Fiscal Eletrnica 10.0 Security Guide

Trace and Log Files PUBLIC 31
Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.

Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).

SAP Nota Fiscal Eletrnica 10.0 Security Guide

32 PUBLIC Important Disclaimers and Legal Information
SAP Nota Fiscal Eletrnica 10.0 Security Guide
Important Disclaimers and Legal Information PUBLIC 33
go.sap.com/registration/
contact.html

2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.