SAP CAR Security
Uploaded by
mthanki.sapSAP CAR Security
Uploaded by
mthanki.sapAdministration Guide CUSTOMER
SAP Customer Activity Repository retail applications bundle
Document Version: 1.0.0 – 2016-11-02
SAP Customer Activity Repository 2.0 SP4 Security
Guide
Content
1 ............................................................................4
2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
5 Security Aspects of Data, Data Flow and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.2 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.3 User Data Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.4 Integration Into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
7.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
7.2 Authorization Requirements for the UDF AFL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
7.3 Authorization Requirements for Omnichannel Article Availability (OAA). . . . . . . . . . . . . . . . . . . . . . . . 40
7.4 Authorization Requirements for Omnichannel Promotion Pricing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
8 Session Security Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
9 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
9.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
9.2 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
9.3 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
9.4 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
10 Internet Communication Framework Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
11 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
12 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
13 Enterprise Services Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
14 Payment Card Security According to PCI-DSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
14.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
14.2 Credit Card Usage Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
SAP Customer Activity Repository 2.0 SP4 Security Guide
2 CUSTOMER Content
SAP Customer Activity Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Detailed Data Flow of Credit Card Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
14.3 PCI-Related Customizing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
SAP Basis Customizing Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
SAP Customer Activity Repository Customizing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
14.4 Rotation or Changing of Encryption Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Key Distribution Web Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Pull Mechanism in SAP Customer Activity Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Message Choreography SAP Customer Activity Repository and POS Store Solution. . . . . . . . . . . . . 65
Key Distribution User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
14.5 Masked/Unmasked Display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
14.6 Logging of Payment Card Number Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
14.7 Encryption, Decryption, and Storage of Encrypted Credit Card Numbers. . . . . . . . . . . . . . . . . . . . . . . 68
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
SAP Customer Activity Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
SAP ERP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14.8 Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
14.9 Deletion of Credit Card Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
14.10 Archiving. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
14.11 Interfaces for IDoc/Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
14.12 RFC Debugging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
14.13 Forward Error Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
14.14 Card Verification Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
15 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
16 Services for Security Lifecycle Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
SAP Customer Activity Repository 2.0 SP4 Security Guide
Content CUSTOMER 3
1
4 CUSTOMER SAP Customer Activity Repository 2.0 SP4 Security Guide
2 Introduction
Caution
This guide does not replace the daily operations handbook that we recommend customers create for their
specific productive operations.
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby
the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation on your system should not result in loss of information or processing time.
These demands on security apply likewise to the SAP Customer Activity Repository. To assist you in securing the
SAP Customer Activity Repository, we provide this Security Guide.
About This Document
The Security Guide provides an overview of the security-relevant information that applies to the SAP Customer
Activity Repository.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references
to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by
SAP Customer Activity Repository.
● Security Aspects of Data, Data Flow and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes
within SAP Customer Activity Repository.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management.
○ User types that are required by SAP Customer Activity Repository.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Introduction CUSTOMER 5
○ Standard users that are delivered with SAP Customer Activity Repository.
○ Overview of the user synchronization strategy, if several components or products are involved.
○ Overview of how integration into Single Sign-On environments is possible.
● Authorizations
This section provides an overview of the authorization concept that applies to SAP Customer Activity
Repository.
● Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or
plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication Security
This section provides an overview of the communication paths used by SAP Customer Activity Repository and
the security mechanisms that apply. It also includes our recommendations for the network topology to
restrict access at the network level.
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
SAP Customer Activity Repository.
● Data Storage Security
This section provides an overview of any critical data that is used by SAP Customer Activity Repository and
the security mechanisms that apply.
● Data Protection
This section describes the specific features and functions that SAP provides to support compliance with the
relevant legal requirements related to data privacy.
● Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used
with SAP Customer Activity Repository.
● Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered with
SAP Customer Activity Repository.
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.
● Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist
you in maintaining security in your SAP systems on an ongoing basis.
● Reference
This section provides references to further information.
SAP Customer Activity Repository 2.0 SP4 Security Guide
6 CUSTOMER Introduction
3 Before You Start
Fundamental Security Guides
SAP Customer Activity Repository is built on the SAP NetWeaver Application Server ABAP and is implemented on
the SAP HANA database. Therefore, the corresponding Security Guides also apply to SAP Customer Activity
Repository.
Table 1: Fundamental Security Guides
Scenario, Application, or Component Security Guide Most-Relevant Sections or Specific Restrictions
SAP HANA Security Guide http://help.sap.com/hana_platform/ Security SAP
HANA Security Guide
Security section of the Administrator's Guide, SAP HANA Live http://help.sap.com/hba Installation, Security,
for SAP Business Suite
Configuration, and Operations Information Administrator's
Guide
SAP NetWeaver 7.4 Security Guide http://help.sap.com/nw74/ Security Information
Security Guide
Portal Security Guide http://help.sap.com/nw74/ Security Information
Security Guide Security Guides for SAP NetWeaver
Functional Units Security Guides for Enterprise Portal (EP)
and EP Core - Application Portal (EPC) Portal Security
Guide
SAP NetWeaver Application Server ABAP Security Guide http://help.sap.com/nw74/ Security Information
Security Guide Security Guides for SAP NetWeaver
Functional Units Security Guides for the Application Server
Security Guides for AS ABAP SAP NetWeaver Application
Server ABAP Security Guide
Security Guide for SAP NetWeaver BW http://help.sap.com/nwbw/ <Your SAP NetWeaver
Business Warehouse version> Security Information SAP
BW Security Guide
SAP ERP 6.0 EHP 5 Security Guide http://help.sap.com/erp/ Security Information
Security Guide
SAP Customer Activity Repository 2.0 SP4 Security Guide
Before You Start CUSTOMER 7
Scenario, Application, or Component Security Guide Most-Relevant Sections or Specific Restrictions
SAP for Retail (Industry Solution) http://help.sap.com/retail-erp605/ Security Information
SAP Service Marketplace SAP Security Guides
Industry Solutions SAP for Retail SAP for Retail
Security Guide - SAP for Retail
SAP Smart Business Products Administrator's Guide http://help.sap.com/ssb/ Installation, Security,
Configuration, and Operations Information Administrator's
Guide
For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide on the SAP
Service Marketplace.
Important SAP Notes
The most important SAP Notes that apply to the security of the SAP Customer Activity Repository application are
shown in the table below.
Table 2: Important SAP Notes
Title SAP Note Number Comment
SAP HANA 1.0: Security 159623 Contains information and links to other
notes related to the secure operation of
SAP HANA.
Key replacement for encryption of pay 1151936 Contains information about functions for
ment card data a periodic key replacement for the en
cryption of payment card data.
Credit card encryption in the POS Data 1053296 Contains information on using credit
Management card encryption.
Credit card coding in ERP POS inbound 1041514 Contains information on adjustments for
the coding of credit card information in
POS inbound.
Secure handling of credit card data in 1032588 Contains information on enabling secure
ERP handing of credit card data in ERP.
LPA: Settings for enabling Transaction 1533599 Contains information on the settings
Viewer necessary to support LPA services used
by the SAP NetWeaver Portal.
SAP Customer Activity Repository 2.0 SP4 Security Guide
8 CUSTOMER Before You Start
Title SAP Note Number Comment
Authorization Check for Function Mod 1940161 Contains information about authoriza
ules in SAP Customer Activity Reposi tion objects required to support integra
tory and SAP POS DM tion scenarios involving systems con
nected to SAP Customer Activity Repo
sitory using RFC connections.
For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at
http://support.sap.com/securitynotes .
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Table 3: Quick Links to Additional Information
Content Quick Link on the SAP Service Marketplace or SDN
Security http://scn.sap.com/community/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes http://support.sap.com/notes
http://support.sap.com/securitynotes
Released Platforms http://support.sap.com/pam
SAP Solution Manager http://support.sap.com/solutionmanager
SAP NetWeaver http://scn.sap.com/community/netweaver
SAP Customer Activity Repository 2.0 SP4 Security Guide
Before You Start CUSTOMER 9
4 Technical System Landscape
The figure below shows an overview of the technical system landscape for the SAP Customer Activity Repository
application.
Figure 1: Technical System Landscape
SAP Customer Activity Repository 2.0 SP4 Security Guide
10 CUSTOMER Technical System Landscape
5 Security Aspects of Data, Data Flow and
Processes
The figure below shows an overview of the data flow process for the SAP Customer Activity Repository
application.
Figure 2: SAP Customer Activity Repository Data Flow Process
The table below shows the security aspect to be considered for the process step and what mechanism applies.
Table 4:
Step Description Security Measure
Inbound Flow 1 Manual creation of transaction within SAP Dialog User with necessary authori
POS Workbench (ABAP DynPro / Web zations
DynPro)
SAP Customer Activity Repository 2.0 SP4 Security Guide
Security Aspects of Data, Data Flow and Processes CUSTOMER 11
Step Description Security Measure
Inbound Flow 2 Inbound transaction from SAP Retail us SAP Communication User with neces
ing IDoc sary authorizations, ALE tRFC, encryp
tion**
Inbound Flow 3 Inbound transaction using BAPI SAP Communication User with neces
sary authorizations, RFC
Inbound Flow 4 Inbound transaction using Web Service SAP Communication User with neces
sary authorizations, HTTPS
Inbound Flow 5 Master data retrieval (non-sensitive SAP Dialog/Communication User with
data) necessary authorizations, RFC
Inbound Flow 6 Loyalty card data retrieval from a CRM SAP Dialog/Communication User with
solution (non- sensitive data) necessary authorizations, RFC
Inbound Flow 7 (when required) Data replication from SAP ERP. SLT replication (SAP system user with
necessary authorizations to set up repli
Note cation, SAP technical user(s) with nec
essary authorizations for replication of
Replication is not required in cases of
target schema)
Multiple Components in One Data
base (MCOD) co-deployment of SAP
Customer Activity Repository and
SAP ERP.
For more information, see http://
help.sap.com/car Installation and
Upgrade Information Installation
Guide .
Inbound Flow 8 Loyalty data replication from a CRM sol SLT replication (SAP system user with
ution necessary authorizations to set up repli
cation, SAP technical user(s) with nec
essary authorizations for replication of
target schema
Outbound Flow A* Outbound Aggregated Sales to SAP Re SAP Communication User with neces
tail using IDoc sary authorizations, ALE tRFC, encryp
tion**
Outbound Flow B* Outbound Sales Data & Goods Receipt/ SAP Communication User with neces
Issue Information to SAP F&R using sary authorizations, RFC
BAPI
Outbound Flow C* Outbound Credit Card Settlement using SAP Communication User with neces
BAPI sary authorizations, RFC
SAP Customer Activity Repository 2.0 SP4 Security Guide
12 CUSTOMER Security Aspects of Data, Data Flow and Processes
Step Description Security Measure
Outbound Flow D* Outbound Payment Card using BAPI SAP Communication User with neces
sary authorizations, RFC
Outbound Flow E* Outbound Inventory Management / SAP Communication User with neces
Goods Movement to SAP ERP using sary authorizations, RFC
BAPI
Outbound Flow F* Outbound (Aggregated) Sales Data to SAP Communication User with neces
DMF using BAPI sary authorizations, RFC
Outbound Flow G* Outbound Loyalty Information using SAP Communication User with neces
Web Service sary authorizations, HTTPS
Outbound Flow H* Outbound Sales Analysis, Error Statis SAP Dialog/Communication User with
tics, and Loss Prevention Information to necessary authorizations
SAP BI
Outbound Flow I* Outbound Aggregated Historical Trans SAP Communication User with neces
action & Product Sales Counts to SAP sary authorizations, ALE tRFC
WFM using IDoc
Outbound Flow J Analytical query view data (for example, SAP Hana Database User with necessary
Inventory Visibility, and so on) to report object & analytical privileges, ODBC/
ing tools JDBC
Outbound Flow K Customer-based view data (for example, SAP Communication User with neces
customer segmentation, and so on) to sary authorizations, RFC
SAP CRM
* Within Task Processing
** Sensitive data that must be encrypted would consist of credit card information, and this information will be
stored in a secure manner within the SAP Customer Activity Repository database (for example, encrypted,
masked, and so on).
SAP Customer Activity Repository 2.0 SP4 Security Guide
Security Aspects of Data, Data Flow and Processes CUSTOMER 13
6 User Administration and Authentication
6.1 Introduction
SAP Customer Activity Repository uses the user management and authentication mechanisms provided with the
SAP NetWeaver platform, in particular the AS ABAP. Therefore, the security recommendations and guidelines for
user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security
Guide also apply to SAP Customer Activity Repository.
The SAP HANA content for Customer Activity Repository uses the user management and authentication
mechanisms provided with the SAP HANA appliance software. Therefore, the security recommendations and
guidelines for user administration and authentication as described in the Security section of the Administrator's
Guide, SAP HANA Live for SAP Business Suite, Support Package Stack 02 apply.
In addition to these guidelines, we include information about user administration and authentication that
specifically applies to SAP Customer Activity Repository in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with the application.
● User Data Synchronization
The application can share user data. This topic describes how the user data is synchronized with these other
sources.
● Integration Into Single Sign-On Environments
This topic describes how the application supports Single Sign-On mechanisms.
6.2 User Management
User management for SAP Customer Activity Repository uses the mechanisms provided by the SAP NetWeaver
AS ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply
for the SAP Customer Activity Repository, see the sections below. In addition, we provide a list of the standard
users required for operating SAP Customer Activity Repository.
Similarly, other components of the technical system landscape for SAP Customer Activity Repository, such as
SAP ERP Central Component (ECC) and/or SAP NetWeaver Process Integration (PI), also use the mechanisms
provided with the SAP NetWeaver AS ABAP.
User Administration Tools
The table below shows the tools to use for user management and user administration with SAP Customer Activity
Repository.
SAP Customer Activity Repository 2.0 SP4 Security Guide
14 CUSTOMER User Administration and Authentication
Table 5: User Management Tools
Tool Description Requirements
User and role maintenance with SAP For more information, see: SAP NetWeaver Application Server
NetWeaver AS ABAP (Transactions ABAP should be running.
● AS ABAP Authorization Concept in
SU01, PFCG)
the SAP NetWeaver Application
Server ABAP Security Guide
● SAP Library for SAP NetWeaver on
SAP Help Portal at http://
help.sap.com/nw74 Application
Help Function-Oriented View
Solution Life Cycle Management
Security and User Administration
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
The user types that are required for the SAP Customer Activity Repository application include:
● Individual users:
○ Dialog users are used for interactive system access, such as SAP GUI for Windows or RFC connections.
○ Internet users are used for internet connections. The same policies apply as for dialog users, but used for
Internet connections.
○ Named users are required for all Business Intelligence clients like SAP BusinessObjects BI Suite UIs.
● Technical users:
○ Communication users are used for dialog-free communication through external RFC calls.
○ Background users are used for background processing and communication within the system, such as,
running scheduled inbound/outbound dispatcher jobs.
For more information on these user types, see User Types in the SAP NetWeaver Application Server ABAP Security
Guide.
All user types described in the SAP HANA Security Guide are required for the SAP HANA content for SAP
Customer Activity Repository. For more information, see User Types in the SAP HANA Security Guide.
Standard Users
SAP Customer Activity Repository does not require specialized standard users. The POS Data Transfer and Audit
component of SAP Customer Activity Repository indirectly uses SAP NetWeaver standard users.
For more information about SAP NetWeaver standard users, see Protecting Standard Users in the SAP NetWeaver
Application Server ABAP Security Guide.
SAP Customer Activity Repository 2.0 SP4 Security Guide
User Administration and Authentication CUSTOMER 15
Recommendation
We recommend changing the user IDs and passwords for any users that are automatically created during
installation.
Users and Roles for SAP Smart Business Applications
For more information on the users and roles required by specific SAP Smart Business applications delivered with
SAP Customer Activity Repository, see SAP Help Portal at http://help.sap.com/car <your release>
Application Help Additional Content SAP Smart Business for SAP Customer Activity Repository SAP Smart
Business for Multichannel Sales Analytics . The App Implementation documentation for each SAP Smart
Business application contains the information on the required users and roles.
Users and Roles for Standalone SAP Fiori Apps
Analyze Forecast
SAP Customer Activity Repository is delivered with the Analyze Forecast standalone SAP Fiori app. For more
information, see the following:
● Users and roles for the app: http://help.sap.com/car <your release> Application Help Additional
Content Standalone SAP Fiori Apps for SAP Customer Activity Repository Analyze Forecast App
Implementation: Analyze Forecast
● Configuration of the app: See the Configure the Analyze Forecast App section in the Common Installation
Guide, available at http://help.sap.com/car <your release> Installation and Upgrade Information
Installation Guide .
6.3 User Data Synchronization
The application does not deliver additional user data synchronization related features in addition to those
available in the SAP NetWeaver platform. It also does not impose any special needs or restrictions, which would
limit the usage of related NetWeaver tools.
Recommendation
For any scenarios where system inter-connectedness at the user level is a requirement, it is recommended that
the same users exist throughout all the pertinent connected systems in the landscape.
SAP Customer Activity Repository 2.0 SP4 Security Guide
16 CUSTOMER User Administration and Authentication
6.4 Integration Into Single Sign-On Environments
The SAP Customer Activity Repository supports the Single Sign-On (SSO) mechanisms provided by the SAP
NetWeaver AS ABAP. Therefore, the security recommendations and guidelines for user administration and
authentication as described in the SAP NetWeaver Security Guide also apply to the SAP Customer Activity
Repository application.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-On
in the SAP NetWeaver Library.
SAP Customer Activity Repository 2.0 SP4 Security Guide
User Administration and Authentication CUSTOMER 17
7 Authorizations
7.1 Introduction
SAP Customer Activity Repository uses the authorization provided by the SAP NetWeaver AS ABAP. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server
ABAP Security Guide also apply to the SAP Customer Activity Repository application.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see Role Administration in the SAP NetWeaver Library.
SAP HANA Content for SAP Customer Activity Repository
The SAP HANA content for SAP Customer Activity Repository relies on the access control mechanisms of the
underlying SAP HANA database. As a prerequisite, it is assumed that every business user (user accessing SAP
HANA content for SAP Customer Activity Repository in the SAP HANA database) is created as a named SAP
HANA database user. To control the business user's access to the SAP HANA content and displayed data for SAP
Customer Activity Repository, the relevant authorization settings must be configured in the SAP HANA database.
SAP HANA has implemented the regular SQL authorization concept based on privileges. For more information,
see Security Authorizations Privileges in the Administrator's Guide, SAP HANA Live for SAP Business
Suite, Support Package Stack 02.
Analytics Authorization Assistant
The SAP HANA content for SAP Customer Activity Repository relies on a number of views from SAP HANA Live
for SAP ERP. As a result we recommend that you use the Analytics Authorization Assistant to manage
authorizations.
Analytics Authorization Assistant automatically locates authorizations that a user has in SAP NetWeaver AS
ABAP and transforms these authorizations into analytic privileges on the SAP HANA database. The created
analytic privileges are used to access applicable views included in SAP HANA Live for SAP ERP and SAP HANA
content for SAP Customer Activity Repository. The analytical privileges are then assigned to SAP HANA roles
and/or directly to users.
The user-specific authorizations required by SAP Customer Activity Repository, specifically, the data found in
tables USRBF2 and UST12, are maintained in a source SAP ERP system. Depending on the deployment option you
SAP Customer Activity Repository 2.0 SP4 Security Guide
18 CUSTOMER Authorizations
have selected during the installation of SAP Customer Activity Repository, Analytics Authorization Assistant
accesses authorization tables as follows:
Table 6:
Deployment Option Table Access
SAP Customer Activity Repository co-deployed with SAP ERP Directly from the SAP ERP database schema ( SAP_ECC) on
the SAP HANA database
SAP Customer Activity Repository standalone From tables replicated to a dedicated SAP Customer Activity
Repository schema from the source SAP ERP system
The query views available as part of the SAP HANA content for SAP Customer Activity Repository rely on the
following SAP ERP authorization objects, where applicable:
● M_IS_WERKS (Plant)
● M_IS_VTWEG (Distribution Channel)
● M_IS_VKORG (Sales Organization)
● M_IS_MAKTL (Material Group)
For more information about the Analytics Authorization Assistant in general, refer to SAP Note 1796718 and
SAP Help Portal under http://help.sap.com/hba SAP HANA Live Tools SAP HANA Live Authorization
Assistant .
Authorizations to Support Integration Scenarios
SAP Customer Activity Repository supports the following integration scenarios:
● Loss Prevention Analytics (LPA) (task 5001, SAP Standard Profile)
● Demand Management Foundation (DMF) sales reporting, provided through task processing (task 0050, SAP
Standard Profile)
● Inventory Management (IM) goods movement reporting to ERP, provided through task processing (task 0017,
SAP Standard Profile)
● Forecasting & Replenishment (F&R) sales reporting, provided through task processing (task 0020, SAP
Standard Profile)
● Credit Card Settlement, provided through task processing (task 0015, SAP Standard Profile)
● Oil & Gas SSR Payment Card data processing in ERP, provided through task processing (task 0101, SAP
Standard Profile)
To enable these integration scenarios, the SAP Activity Repository system communicates with other SAP
systems using Remote Function Calls (RFCs). The authorization objects that are verified during this integration
are listed in SAP Note 1940161 .
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 19
Role and Authorization Concept for SAP Customer Activity Repository
The tables in the sections below show the standard roles and authorization objects that are used in the
components of SAP Customer Activity Repository.
Standard Roles for SAP Customer Activity Repository
The table below shows the standard roles that are used by SAP Customer Activity Repository.
Table 7: Standard Roles
Role Description
/POSDW/ADMINISTRATOR Performs administrative activities that should not be executed by normal users.
These include deleting data and explicitly reconstructing index records.
● Cross-application Authorization Objects (AAAB):
○ Transaction Code Check at Transaction Start
S_TCODE field TCD has values:
/POSDW/DELE, /POSDW/IDIS, /POSDW/IMG, /POSDW/ODIS, /
POSDW/PDIS, /POSDW/QDIS, /POSDW/QMON, /POSDW/REFI, /
POSDW/REFQ, /POSDW/REFT
● Basis: Administration (BC_A):
○ Cross Client Table Maintenance
S_TABU_CLI field CLII has value: 'X' - Allowed: Maintenance of cross-client
tables
○ Table Maintenance (via standard tools such as SM30)
S_TABU_DIS field ACTVT has values: 02 - Change 03 - Display
● Basis - Central Functions (BC_Z):
○ ALV Standard Layout
S_ALV_LAYO field ACTVT has value: 23 - Maintain
● SAP Point-Of-Sale Data Transfer and Audit:
○ Authorizations for Outbound Processing in PIPE
W_POS_AGGP field /POSDW/OAC has value: 16
○ Authorizations for Aggregation in PIPE
W_POS_AGGR field /POSDW/AAC has values: 01, 02
○ Authorizations for PIPE-related tasks
W_POS_STAT field /POSDW/SAC has value: 01
○ Authorizations for Data on POS Transactions
W_POS_TRAN field /POSDW/PAC has values: 01, 03, 06, 24, 31, 32, 34
SAP Customer Activity Repository 2.0 SP4 Security Guide
20 CUSTOMER Authorizations
Role Description
/POSDW/SALES_AUDIT Performs the daily monitoring of the POS inbound data, including analyses and eval
uations.
● Cross-application Authorization Objects (AAAB):
○ Transaction Code Check at Transaction Start
S_TCODE field TCD has values: /POSDW/IDIS, /POSDW/MON0, /
POSDW/MON1, /POSDW/MON2, /POSDW/PDIS
● SAP Point-Of-Sale Data Transfer and Audit:
○ Authorizations for credit card numbers in the POS Inbound Processing En
gine (PIPE)
W_POS_CCNR fields have value: *
○ Authorizations for PIPE-related tasks
W_POS_STAT fields have value: *
○ Authorizations for Data on POS Transactions
W_POS_TRAN field /POSDW/PAC has values: 01, 02, 03
/POSDW/SAP_QUERY_TRAN_S_RFC Role with RFC authorization for query of POS transactions. This role contains all au
thorizations that are necessary to query POS transactions via the RFC module /
POSDW/SALES_QUERY_RFC. It also contains all authorizations that are necessary
to post the processing confirmation via the RFC module /POSDW/
CONFIRM_AGGR_PACKS_ARFC.
● Basis and Administration (BC_A):
○ Auth. Check for RFC access
S_TCODE field:
○ ACTVT has value: 16 - Execute
○ RFC_NAME has values: /POSDW/CONFIRM_AGGR_PACK, /POSDW/
SALES_QUERY_API, ARFC, ERFC
○ RFC_TYPE has value: FUGR
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 21
Role Description
SAP_ISR_DDF_MASTER First PFCG role required for the Demand Data Foundation (DDF) module in SAP
Customer Activity Repository. The role provides access to the following services:
● Check Mass Maintenance
● Configure Load Balancing
● Define Area of Responsibility
● Locations
● Location Hierarchy
● Monitor Compressed Data
● Maintain Product Locations
● Monitor Exceptions
● Monitor Imports
● Placeholder Products
● Process Inbound Staging Tables
● Product
● Product Groups
● Purging Exceptions from the Database
● Remove Time Series
● Schedule Model and Forecasts
● Search for Scheduled Jobs
● Search Placeholder Products
● Search Transportation Lane
● Where Used Framework for Purging
For more information, execute transaction PFCG, call up the role, and consult the
Menu tab.
For service descriptions, see http://help.sap.com/car <your release>
Application Help Demand Data Foundation General Services as well as
Unified Demand Forecast General Services .
SAP_ISR_DDF_READONLY_MASTER Second PFCG role required for the Demand Data Foundation (DDF) module in SAP
Customer Activity Repository. The role provides ready-only access to the same
services as the SAP_ISR_DDF_MASTER role (see above).
For more information, execute transaction PFCG, call up the role, and consult the
Menu tab.
For service descriptions, see http://help.sap.com/car <your release>
Application Help Demand Data Foundation General Services as well as
Unified Demand Forecast General Services .
SAP Customer Activity Repository 2.0 SP4 Security Guide
22 CUSTOMER Authorizations
Standard Roles for On-Shelf Availability
The table below shows the standard roles that are used by the On-Shelf Availability (OSA) functionality in SAP
Customer Activity Repository. These roles are required in addition to the technical role for SAP NetWeaver
Gateway.
Table 8: Standard Roles
Role Description Authorization Objects/Fields
/OSA/MANAGER Permissions assigned to a store man ● /OSA/STOR:OSA/STORE, ACTVT
ager who logs on. ● /OSA/DEPT:OSA/AREA, OSA/
STORE, ACTVT
● /OSA/PROD:OSA/AREA, OSA/
STORE, ACTVT
/OSA/EMPLOYEE Permissions assigned to a store em ● /OSA/STOR:OSA/STORE, ACTVT
ployee who logs on. ● /OSA/DEPT:OSA/AREA, OSA/
STORE, ACTVT
● /OSA/PROD:OSA/AREA, OSA/
STORE, ACTVT
/OSA/ADMINISTRATOR Permissions for administrative activities: ● /OSA/ADM: /OSA/ADM_A
● Dispatching of the OSA algorithm
● Archiving the status log data
External Roles Specific to Loss Prevention Analytics
The table below shows the external roles, that is, roles defined outside of the SAP Customer Activity Repository
application, that are only used if you are implementing the Loss Prevention Analytics functionality.
For more information on integrating SAP Customer Activity Repository with the existing Loss Prevention Analytics
(LPA) business process of the Store Analytics business scenario, see SAP Note 2010774 .
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 23
Table 9: External Roles
Role Description
SAP_BW_LPA_LP0 Performs daily monitoring of point-of-sale activities for the
purposes of investigating potential fraudulent activities.
For more information, see http://help.sap.com/bicontent
<Your version of SAP NetWeaver BI Content> Application
Help BI Content Industry Solutions Trading Industries
Retail Trade Store Analytics Loss Prevention Analytics
Roles Loss Prevention Officer .
● Cross-application Authorization Objects (AAAB):
○ Authorization Check for RFC Access
S_RFC field ACTVT has value: 16
S_RFC field RFC_NAME has values: RFC1, RRMX,
RRXWS, RRY1, RSAH, RSBOLAP_BICS, RSBO
LAP_BICS_CONSUMER, RSBOLAP_BICS_PRO
VIDER, RSBOLAP_BICS_PROVIDER_VAR, RSFEC,
RSMENU RSOBJS_RFC_INTERFACE, RSOD_BIRM,
RSRCI_LOCAL_VIEW, RSR_XLS_RFC, RSWAD,
RSWRTEMPLATE, RS_BEX_REPORT_RFC, RS_IGS,
RZX0, RZX2, SDIFRUNTIME, SM02, SMHB, SRFC,
SUNI, SUSO, SYST, SYSU
S_RFC field RFC_TYPE has value: FUGR
○ Transaction Code Check at Transaction Start
S_TCODE field TCD has values:RRMX
● Basis: Administration (BC_A):
○ C calls in ABAP programs
S_C_FUNCT field ACTVT has value: 16 - Execute
S_C_FUNCT field CFUNCNAME has value: *
S_C_FUNCT field PROGRAM has value: *
● Basis - Central Functions (BC_Z):
○ Authorizations for Accessing Documents
S_BDS_D field ACTVT has value: *
S_BDS_D field LOIO_CLASS has value: *
○ Authorizations for Document Set
S_BDS_DS field ACTVT has value: *
S_BDS_DS field ACTVT has value: BW_*
S_BDS_DS field ACTVT has value: OT - Other Ob
jects
○ Authorization Object for Sending
S_OC_SEND field COM_MODE has value: *
S_OC_SEND field NUMBER has value: *
● Business Information Warehouse (RS)
○ BI Authorizations in Role
SAP Customer Activity Repository 2.0 SP4 Security Guide
24 CUSTOMER Authorizations
Role Description
S_RS_AUTH field BIAUTH has value: LOCA
TIO_AUTH
○ BEx Broadcasting Authorization to Schedule
S_RS_BCS field ACTVT has value: *
S_RS_BCS field RS_EVID has value: *
S_RS_BCS field RS_EVTYPE has value: *
S_RS_BCS field RS_OBJID has value: *
S_RS_BCS field RS_OBJTYPE has value: *
○ Business Explorer - Components
S_RS_COMP field ACTVT has values: 01, 02, 03, 06,
16, 22
S_RS_COMP field RSINFOAREA has value: *
S_RS_COMP field RSINFOCUBE has value: *
S_RS_COMP field RSZCOMPID has value: *
S_RS_COMP field RZCOMPTP has values: CKF, REP,
RKF, STR
○ Data Warehousing Workbench - InfoObject
S_RS_IOBJ field ACTVT has value: *
S_RS_IOBJ field RSIOBJ has value: *
S_RS_IOBJ field RSIOBJCAT has value: *
S_RS_IOBJ field RSIOBJPART has value: *
○ Data Warehousing Workbench - Aggregation Level
S_RS_ALVL field ACTVT has value: 03
S_RS_ALVL field RSALVLOBJ has value: *
S_RS_ALVL field RSINFOAREA has value: *
S_RS_ALVL field RSPLSALVL has value: *
○ Data Warehousing Workbench - MultiProvder
S_RS_MPRO field ACTVT has value: 03
S_RS_MPRO field RSMPROOBJ has value: *
S_RS_MPRO field RSINFOAREA has value: *
S_RS_MPRO field RSMPRO has value: *
○ Data Warehousing Workbench - InfoSet
S_RS_ISET field ACTVT has value: 03
S_RS_ISET field RSISETOBJ has value: *
S_RS_ISET field RSINFOAREA has value: *
S_RS_ISET field RSINFOSET has value: *
○ Business Explorer - Variants in Variable Screen
S_RS_PARAM field ACTVT has value: *
S_RS_PARAM field PARAMNM has value: *
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 25
OData Service Roles for SAP Customer Activity Repository
The table below shows the roles required to use the OData services provided with SAP Customer Activity
Repository:
Table 10: OData Service Roles
OData Service Role
MaterialQueryResults sap.is.retail.car.int.roles::MaterialQuery
MaterialInternationalArtlNmbrQueryResults sap.is.retail.car.int.roles::MaterialInternationalArtlNmbrQuery
RetailLocationQueryResults sap.is.retail.car.int.roles::RetailLocationQuery
POSSalesQueryResults sap.is.retail.car.int.roles::POSSalesQuery
MultiChannelSalesQueryResults sap.is.retail.car.int.roles::MultiChannelSalesQuery
InventoryVisibilityQueryResults sap.is.retail.car.int.roles::InventoryVisibilityQuery
AnalyzeForecast.xsodata sap.hba.t.rtl.udf.afc.roles::AnalyzeForecast
Standard Authorization Objects for SAP Customer Activity Repository
The table below shows the security-relevant authorization objects that are used by SAP Customer Activity
Repository.
Recommendation
You can use transaction SU21 to maintain authorization objects and to call up detailed information on each
object. For example, to display the values for the /DMF/AOR object, select the object, choose Display from the
context menu, and then Permitted Activities. To display more information about the /POSDW/LPA object,
choose Display Object Documentation.
Table 11: Standard Authorization Objects
Authorization Object Authorization Object Field Value Field Description
Description
/POSDW/LPA Authorization for Loss /POSDW/PTN ● ACTV: Active Pattern Status
Prevention Analytics ● IACT: Inactive
(LPA) ● INIT: Initial
● NEW: New
SAP Customer Activity Repository 2.0 SP4 Security Guide
26 CUSTOMER Authorizations
Authorization Object Authorization Object Field Value Field Description
Description
/POSDW/PTR Authorization for POS ● /POSDW/STO ● Selection from list ● Store
Transaction Data ● /POSDW/PAC of stores currently ● Activities for Au
defined in custom thorization for
izing POS Transactions
● Values for /
POSDW/PAC are:
○ 01 Add or Cre
ate
○ 03 Display
○ 06 Delete
○ 24 Archive
○ 31 Create
TREX Index
○ 32 Index
TREX
○ 34 Delete
TREX Index
W_POS_ADMI Authorization for Ad ● /POSDW/TAB 01 Assign tables to ● Table Name
ministrative Tasks ● /POSDW/ADC Placement Group ● Activities for Au
Types thorization for Ad
ministrative Tasks
02 Create Level 2
Range Partitions for
TLOG tables
03 Delete Level 2
Range Partitions for
TLOG tables
04 View Level 2 Range
Partitions for TLOG ta
bles
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 27
Authorization Object Authorization Object Field Value Field Description
Description
W_POS_AGGP Authorizations for ini ● /POSDW/STO ● Selection from list ● Store
tiating outbound proc ● /POSDW/AGL of stores currently ● Aggregation Level
essing in PIPE ● /POSDW/OTS defined in custom ● Task for Outbound
izing Processing
● /POSDW/OAC
● Selection from list ● Activities for Out
of aggregation lev bound Processing
els currently de in PIPE
fined in customiz
ing
● Selection from list
of outbound tasks
currently defined
in customizing
● Values for /
POSDW/OAC are:
○ 16 Process
Outbound
Task
○ 85 Reverse
Outbound
Task
SAP Customer Activity Repository 2.0 SP4 Security Guide
28 CUSTOMER Authorizations
Authorization Object Authorization Object Field Value Field Description
Description
W_POS_AGGR Authorizations for per ● /POSDW/STO ● Selection from list ● Store
forming aggregations in ● /POSDW/AGL of stores currently ● Aggregation Level
PIPE ● /POSDW/AAC defined in custom ● Task for Outbound
izing Processing
● Selection from list ● Activities for Ag
of aggregation lev gregation in PIPE
els currently de
fined in customiz
ing
● Values for /
POSDW/AAC are:
○ 02 Create Ag
gregate
○ 02 Change
Aggregate
○ 03 Display
Aggregate
○ 05 Close Ag
gregate
○ 06 Delete Ag
gregate
○ 24 Archive
Aggregate
○ 25 Reload Ag
gregate
W_POS_CCNR Authorizations for ● /POSDW/STO ● Selection from list ● Store
credit card numbers in ● /POSDW/CAC of stores currently ● Activities for Au
PIPE defined in custom thorization for
izing Credit Card Num
● Values for / bers
POSDW/CAC are:
○ 02 Display
Credit Card
Number
W_POS_FSPR Field Selection Profile /POSDW/FSP Selection from list of
field selection profiles
currently defined in
customizing
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 29
Authorization Object Authorization Object Field Value Field Description
Description
W_POS_STAT Authorizations for ● /POSDW/STO ● Selection from list ● Store
PIPE-related tasks ● /POSDW/SAC of stores currently ● Activities for Au
● /POSDW/TAS defined in custom thorization for
izing Task Status
● Values for / ● Task Code
POSDW/SAC are:
○ 01 Process
Task
● Selection from list
of tasks currently
defined in custom
izing
W_POS_TIBQ Authorizations for per ● /POSDW/STO ● Selection from list ● Store
forming Inbound Queue ● /POSDW/IAC of stores currently ● Activities for TIBQ
operations in PIPE ○ 01 Create defined in custom Authorization
izing
○ 02 Change
● Values for /
○ 03 Display
POSDW/IAC are:
○ 06 Delete
○ 16 Process
SAP Customer Activity Repository 2.0 SP4 Security Guide
30 CUSTOMER Authorizations
Authorization Object Authorization Object Field Value Field Description
Description
W_POS_TRAN Authorizations for ● /POSDW/STO ● Selection from list ● Store
changing data in POS ● /POSDW/PAC of stores currently ● Activities for Au
transactions defined in custom thorization for
izing POS Transactions
● Values for /
POSDW/PAC are:
○ 01 Add or Cre
ate
○ 02 Change
○ 03 Display
○ 06 Delete
○ 24 Archive
○ 25 Reload
○ 31 Create
TREX Index
○ 32 Index
TREX
○ 34 Delete
TREX Index
○ 41 Delete Un
processed
Sales Trans
actions
○ 42 Delete Log
Entries
W_POS_UNPR Used to validate ● /POSDW/PLT ● 4-character cus ● Site number
whether a store asso ● /POSDW/UAC tomer-defined ● Activities permit
ciate is authorized to value ted by the authori
view unprocessed ● 03 Display data zation
transactions for a store
B_CCSEC Unmasked display of ACTVT ● 03 Display
credit card numbers ● 06 Delete
● 71 Analyze
CA_POWL Authorizations for the ● POWL_APPID ● Application ID
Personal Object ● POWL_CAT ● Activity
Worklist (POWL) iViews ● POWL_LSEL ● Authority state
for the DDF POWL ap ● POWL_QUERY ● Activity
plications.
● POWL_RA_AL ● Authority state
● POWL_TABLE ● Authority state
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 31
Authorization Object Authorization Object Field Value Field Description
Description
S_START Used when checking Object Name /DMF/* and /PRM/*
the start authorization POWL
Object Type
for particular TADIR
WDYA
objects (such as Web Program ID
Dynpro applications). R3TR
Caution
Do not use this au
thorization object
directly in your own
coding. It can only
be used through the
CL_START_AUTH_C
HECK class.
For more information
about the start authori
zation check for pro
gram objects with ob
ject catalog entries, see
SAP Note 1413011 .
S_TCODE Transaction check at TCD Report /DMF/
transaction start. TS_DELETE
RSM37
SM37
/DMF/AOR Authorization for the ACTVT 01 Create or generate Activity
Define (Maintain) Area
02 Change
of Responsibility (AOR)
service. 03 Display
06 Delete
/DMF/CM_AT Authorization to assign ACTVT 01 Create or generate Activity
attributes.
02 Change
03 Display
06 Delete
/DMF/CM_IM Authorization to define ACTVT 02 Change Activity
images.
03 Display
06 Delete
SAP Customer Activity Repository 2.0 SP4 Security Guide
32 CUSTOMER Authorizations
Authorization Object Authorization Object Field Value Field Description
Description
/DMF/DISCH Authorization for the ACTVT 01 Create or generate Activity
Distribution Chain ob
/DMF/SOCHK 02 Change Internal Organizational
ject.
Unit Identifiers
/DMF/CHCHK 03 Display
06 Delete
/DMF/DMDTS Authorization to access ACTVT 01 Create or generate Activity
demand time series
02 Change
data, including any
business intelligence 03 Display
(BI) interfaces that
06 Delete
would be sending point-
of-sale (POS) data or
generic consumption
data.
/DMF/EWB Authorization for the ACTVT 01 Create or generate Activity
exception handling
02 Change
framework.
03 Display
32 Save
33 Read
/DMF/FCANA Authorization to access ACTVT 16 Execute Activity
forecasting analytics.
71 Analyze
/DMF/IMAGE Authorization for the ACTVT 01 Create or generate Activity
Image object.
/DMF/INV Authorization for the ACTVT 01 Create or generate Activity
Inventory object.
02 Change
03 Display
06 Delete
/DMF/LANE Authorization for the ACTVT 01 Create or generate Activity
Transportation Lane
02 Change
object.
03 Display
06 Delete
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 33
Authorization Object Authorization Object Field Value Field Description
Description
/DMF/LBUI Authorization for the ACTVT 01 Create or generate Activity
Configure Load
02 Change
Balancing service and
user interface for the 03 Display
DDF server configura
06 Delete
tion.
32 Save
/DMF/LOC Authorization for the ACTVT 01 Create or generate Activity
Location object.
02 Change
03 Display
06 Delete
/DMF/LOCHR Authorization for the ACTVT 01 Create or generate Activity
Location Hierarchy ob
02 Change
ject.
03 Display
06 Delete
/DMF/ME Authorization for the ACTVT 01 Create or generate Activity
Monitor Exceptions
02 Change
service.
03 Display
06 Delete
/DMF/MI Authorization check for ACTVT 01 Create or generate Activity
the Monitor Imports
02 Change
service.
03 Display
06 Delete
/DMF/OFRSO Internal organizational ● /DMF/CHCHK 01 Create or generate Activity
unit identifiers for the ● /DMF/SOCHK
02 Change
distribution channel
and the sales organiza 03 Display
tion.
06 Delete
37 Accept
61 Export
78 Assign
SAP Customer Activity Repository 2.0 SP4 Security Guide
34 CUSTOMER Authorizations
Authorization Object Authorization Object Field Value Field Description
Description
/DMF/OPUI Authorization to access ACTVT 03 Display Activity
the user interface of
16 Execute
the Schedule Model and
Forecasts service.
/DMF/PHP Authorization for the ACTVT 01 Create or generate Activity
Placeholder Product
02 Change
object.
03 Display
06 Delete
/DMF/PROD Authorization for the ACTVT 01 Create or generate Activity
Product object.
02 Change
03 Display
06 Delete
61 Export
/DMF/PRDHR Authorization for the ACTVT 01 Create or generate Activity
Product Hierarchy ob
02 Change
ject.
03 Display
06 Delete
61 Export
/DMF/PRDLC Authorization for the ACTVT 01 Create or generate Activity
Product Location ob
02 Change
ject.
03 Display
06 Delete
/DMF/SLSH Authorization for the ACTVT 02 Change Activity
Sales History object.
03 Display
06 Delete
Standard Authorization Objects for On-Shelf Availability
The table below shows the security-relevant authorization objects that are used by the On-Shelf Availability (OSA)
module in SAP Customer Activity Repository.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 35
Table 12: Standard Authorization Objects
Authorization Object Field Value Description
/OSA/DEPT /OSA/AREA EMPLOYEE, Display authorization for the
department
/OSA/STORE MANAGER
ACTVT 03
/OSA/PROD /OSA/AREA EMPLOYEE, Change and display authori
zation for the product
/OSA/STORE MANAGER
ACTVT 02, 03
/OSA/STOR /OSA/STORE Display authorization of the
store
ACTVT 03
/OSA/ADM /OSA/ADM_A 02, 05 Execute On-Shelf Availability
Dispatcher
Archive On-Shelf Availability
Status Log
All exposed APIs to retrieve the store, department, and product information have an integrated verification to
ensure that the calling user has the necessary authorizations to perform the action. If the user does not have the
necessary permissions, an error is returned to the caller and no data/information is provided. If you want to
restrict access, you can do so by changing the values of the relevant authorization objects.
7.2 Authorization Requirements for the UDF AFL
In this procedure you set up the roles and privileges for the Unified Demand Forecast (UDF) module in SAP
Customer Activity Repository. This is a mandatory procedure that you must do for any implementation scenario.
Use
Caution
● You must do this procedure regardless of whether you want to use UDF forecasting in your scenario or not.
This procedure not only enables UDF, but it is required so that the SAP HANA content for SAP Customer
Activity Repository can be activated correctly.
● You must therefore do this procedure before you activate the SAP HANA content for SAP Customer
Activity Repository.
To set up the authorizations for UDF, you first create three roles in SAP HANA studio. Then you grant specific
privileges to each role. Finally, you assign the roles to specific users.
SAP Customer Activity Repository 2.0 SP4 Security Guide
36 CUSTOMER Authorizations
You need the following roles for UDF:
Table 13:
Roles for the UDF AFL Description
UDF_EXECUTE Defines all privileges for executing UDF; enables the SAP<SID> user to execute
UDF.
UDF_DEPLOY Defines all privileges for deploying the SAP HANA content for UDF; required to
import and activate the SAP HANA content.
UDF_DEPLOY_SYS_REPO Defines additional privileges for the _SYS_REPO standard user; required to acti
vate the SAP HANA content.
Note
We have provided example SQL statements below that you can use and adapt as needed.
If you are familiar with roles and privileges in SAP HANA studio, you can skip directly to the Prerequisites section
below. If you want more background first, continue with the next section.
Background
Authorization Concept
The UDF application function library (UDF AFL) relies on the access control mechanisms of the SAP HANA
database. SAP HANA has implemented the regular SQL authorization concept based on privileges. The privileges
provide access to views and procedures in the SAP HANA content, which in turn provide access to data and
functionality directly on the database level.
You can grant privileges to a user either directly or indirectly (through roles). We recommend that you grant
privileges through roles. A role is a collection of privileges. You can grant roles to users and to other roles.
For more information, see the following sections under http://help.sap.com/hana_platform <your SAP HANA
Platform SPS> Security SAP HANA Security Guide :
● SAP HANA User Management
● SAP HANA Authentication and Single Sign-On
● SAP HANA Authorization (privilege types and roles)
Managing Users, Roles, Privileges, and Schemas in SAP HANA Studio
Here is some general information to help you with the procedure below:
● You can find the Users and Roles in the Security folder of your back-end system in SAP HANA studio.
● When you select a role, a details screen opens where you can grant and remove privileges and other roles.
● When you create a database user (such as SAP<SID>), a database schema of the same name is created
automatically.
● You can find the schemas in the Catalog folder.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 37
● SQLScript procedures are always assigned to a specific schema. For example:
○ Schema _SYS_BIC includes the modeling and forecasting procedures used by the UDF AFL.
○ Schema _SYS_AFL includes the actual UDF AFL procedures.
● Some technical users are available as standard (for example, _SYS_REPO).
Prerequisites
● You have installed the UDF AFL in your SAP HANA database as described in the following:
○ For initial installations: Section Install SAP Customer Activity Repository Retail Applications Bundle in the
Common Installation Guide
○ For upgrade scenarios: Section Upgrade SAP Customer Activity Repository Retail Applications Bundle in
the Common Upgrade Guide
You can find both guides on SAP Help Portal under http://help.sap.com/car <your release> Installation
and Upgrade Information .
● You have an SAP<SID> user and an SAP<SID> schema in your SAP HANA database (the names must be
identical).
● You have checked that the correct schemas are mapped for your back-end system in SAP HANA studio. The
setting under SAP HANA Modeler Schema Mapping must be as follows:
Table 14:
Authoring Schema Physical Schema
SAP_DDF SAP<SID>
Procedure
In this procedure, you create the three roles for the UDF AFL, grant the required privileges, and assign the roles to
specific users:
1. Select your back-end system in SAP HANA studio and open the SAP HANA Administration Console.
2. Navigate to Security Roles , right-click, and select New Role.
3. Enter UDF_EXECUTE as the role name.
SQL example: create role UDF_EXECUTE;
4. Make the following settings for this role:
○ Granted Roles: AFL__SYS_AFL_UDFCORE_AREA_EXECUTE
SQL example: grant AFL__SYS_AFL_UDFCORE_AREA_EXECUTE to UDF_EXECUTE;
○ Object Privileges:
○ For catalog object (schema) SAP<SID>: SELECT, INSERT, UPDATE, DELETE
SQL example: grant SELECT, INSERT, UPDATE, DELETE on schema SAP<SID> to
UDF_EXECUTE;
○ For catalog object (schema) _SYS_BIC: SELECT, EXECUTE
SQL example: grant SELECT, EXECUTE on schema _SYS_BIC to UDF_EXECUTE;
SAP Customer Activity Repository 2.0 SP4 Security Guide
38 CUSTOMER Authorizations
○ Analytic Privileges: _SYS_BI_CP_ALL
SQL example: call
GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE('_SYS_BI_CP_ALL','UDF_EXECUTE');
Save your settings. You have successfully created the first role.
5. Open the details screen for user SAP<SID> and assign the role:
○ Granted Roles: UDF_EXECUTE
SQL example: grant UDF_EXECUTE to SAP<SID>
Save your settings.
6. Navigate again to Security Roles , right-click, and select New Role.
7. Enter UDF_DEPLOY as the role name.
SQL example: create role UDF_DEPLOY;
8. Make the following settings for this role:
○ Granted Roles: CONTENT_ADMIN
SQL example: grant CONTENT_ADMIN to UDF_DEPLOY;
○ System Privileges: CATALOG READ
SQL example: grant CATALOG READ to UDF DEPLOY;
Save your settings.
9. Open the details screen for user SAP<SID> and assign the role:
○ Granted Roles: UDF_DEPLOY
SQL example: grant UDF_DEPLOY to SAP<SID>
Save your settings. You have successfully created the second role.
10. Navigate again to Security Roles , right-click, and select New Role.
11. Enter UDF_DEPLOY_SYS_REPO as the role name.
SQL example: create role UDF_DEPLOY_SYS_REPO;
12. Make the following settings for this role:
○ Object Privileges:
○ For catalog object (schema) SAP<SID>: SELECT, INSERT, UPDATE, DELETE
SQL example: grant SELECT, INSERT, UPDATE, DELETE on schema SAP<SID> to
UDF_DEPLOY_SYS_REPO;
Save your settings. You have successfully set up the third role.
13. Open the details screen for user _SYS_REPO and assign the role:
○ Granted Roles: UDF_DEPLOY_SYS_REPO
SQL example: grant UDF_DEPLOY_SYS_REPO to _SYS_REPO;
Save your settings.
Result
You have successfully set up the roles and privileges for the UDF AFL.
You can now activate the SAP HANA content for SAP Customer Activity Repository as described in the Activate
SAP HANA Content section in the Common Installation Guide or the Common Upgrade Guide.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 39
7.3 Authorization Requirements for Omnichannel Article
Availability (OAA)
There are no OAA-specific PFCG roles; however, there are a number of OAA-specific authorization objects both in
SAP Customer Activity Repository and in SAP Retail. To be able to run the OAA functionality, you need to create 3
technical users, 2 administrator users, and 1 SAP HANA database user.
Roles
There are no OAA-specific PFCG roles.
Authorization Objects in SAP Customer Activity Repository
Authorization class: OAA Authorization Class for Omnichannel Article Availability
Table 15:
Authorization Object Activities Description
/OAA/ATP 16 Execute Controls execution of the ATP calculation (access to ATP snap
shot and to availability information from Inventory Visibility, rec
onciliation of temporary reservations, aggregation of availability
schedule lines).
/OAA/PREC 01 Create or generate Controls access to ATP snapshot.
02 Change Needed for report /OAA/ATP_SNAPSHOT_DELETION.
03 Display
06 Delete
/OAA/RESV 01 Create or generate Controls access to temporary reservations.
02 Change Needed for report /OAA/ATP_RESV_DELETION.
03 Display
06 Delete
/OAA/SRC 16 Execute Controls execution of sourcing.
Needed for report /OAA/ATP_RSI_GENERATION.
SAP Customer Activity Repository 2.0 SP4 Security Guide
40 CUSTOMER Authorizations
Authorization Object Activities Description
/OAA/RSI 01 Create or generate Controls replication of rough stock indicators.
02 Change
06 Delete
16 Execute
Authorization Objects in SAP Retail
Authorization class: WG Retailing
Table 16:
Authorization Object Activities Description
W_OAA_SITE 16 Execute Controls replication of sites data via IDoc.
Needed for report OAA_IDOC_SITE_REPLICATION.
W_OAA_PREC 16 Execute Controls execution of the parallelized ATP check, generation of
the ATP snapshot and replication of the snapshot to SAP Cus
tomer Activity Repository.
Needed for report /OAA/ATP_CALL_PRECALC. This report is
executed in SAP Customer Activity Repository and calls into SAP
Retail via RFC.
Required Users
Table 17:
System Type of User Description Authorizations
SAP Customer Technical user For communication between SAP Hybris Commerce /OAA/ATP Execute
Activity Reposi and SAP Customer Activity Repository
/OAA/PREC Display
tory
Calls the ATP REST API, reads the ATP snapshot, exe
/OAA/SRC Execute
cutes sourcing, creates temporary reservations.
This user is created in SAP Customer Activity Reposi
tory (transaction SU01) and is entered in the Backof
fice application of SAP Hybris Commerce, under
SAP Integration HTTP Destination HTTP
Destination Authentication Type .
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 41
System Type of User Description Authorizations
SAP Retail Technical user For communication between SAP Retail and SAP Cus W_OAA_PREC Execute
tomer Activity Repository
Executes the ATP run.
This user is created in SAP Retail (transaction SU01)
and is entered in transaction SM59, in SAP Customer
Activity Repository, for the corresponding ABAP con
nection on tab Logon & Security.
SAP Customer Technical user Creates and updates the ATP snapshot in SAP Cus /OAA/PREC Create or
Activity Reposi tomer Activity Repository. Generate / Change
tory
This user is created in SAP Customer Activity Reposi
tory (transaction SU01) and is entered in transaction
SM59, in SAP Retail, for the corresponding ABAP con
nection on tab Logon & Security.
SAP Customer Administrator Manually deletes ATP snapshot. /OAA/PREC Delete
Activity Reposi
Report /OAA/ATP_SNAPSHOT_DELETION
tory
Manually deletes temporary reservations. /OAA/RESV Delete
Report /OAA/ATP_RESV_DELETION
Manually replicates rough stock indicators. /OAA/RSI Create or
generate / Change /
Report /OAA/ATP_RSI_GENERATION
Delete / Execute
If the reports are to be executed in batch mode, au
thorizations for the batch user must include those
mentioned on the right.
SAP Retail Administrator Manually replicates site data from SAP Retail to SAP W_OAA_SITE Execute
Customer Activity Repository. If the report is to be exe
cuted in batch mode, authorizations for the batch user
must include the one mentioned on the right.
Report OAA_IDOC_SITE_REPLICATION
SAP HANA ABAP database This user needs authorization to create database trig -
user gers in SAP Customer Activity Repository.
Report /OAA/CREATE_TRIGGERS
SAP Customer Activity Repository 2.0 SP4 Security Guide
42 CUSTOMER Authorizations
7.4 Authorization Requirements for Omnichannel Promotion
Pricing
Omnichannel Promotion Pricing delivers the role /ROP/OPP_ADMINISTRATOR as a template. You can copy this
template to your own role (or several roles), and add authorization values as required.
Roles
Table 18:
Role Description
/ROP/OPP_ADMINISTRATOR This role performs administrative activities for Omnichannel Promotion
Pricing that are usually not executed by normal users. These include the
following activities:
● Transforming offers into OPP promotions using the report /ROP/
R_OFFER_TRANSFORM.
● Displaying of the application log that is written during the transforma
tion of offers into OPP promotions using, for example, the re
port /ROP/R_OFFER_APPL_LOG.
● Executing the outbound of regular prices and OPP promotions with
the Data Replication Framework (DRF).
● Several deletion activities, for example, the deletion of the replication
status information for OPP promotions using report /ROP/
R_DELETE_PROMO_REPLSTATUS.
The transaction to transform offers into OPP promotions ( /ROP/OFFER_TRANSFORM) does not use new
authorization objects. Instead, it checks mainly the following authorization objects:
Table 19:
Authorization Object Description
S_TCODE The user must have this authorization to start transac
tion /ROP/OFFER_TRANSFORM.
/DMF/OFRSO The user must have this authorization to display offers in the
related sales organization and the related distribution chan
nel.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Authorizations CUSTOMER 43
8 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session
security for the client(s) using the transaction SICF_SESSIONS.
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP
Security Session Management on AS ABAP in the AS ABAP security documentation.
SAP Customer Activity Repository 2.0 SP4 Security Guide
44 CUSTOMER Session Security Protection
9 Network and Communication Security
9.1 Introduction
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business and your needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the backend system's database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.
The network topology for the SAP Customer Activity Repository application is based on the topology used by the
SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP
NetWeaver Security Guide also apply to the SAP Customer Activity Repository. Details that specifically apply to
the SAP Customer Activity Repository application are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and protocols used by the application.
● Network Security
This topic describes the recommended network topology for the application. It shows the appropriate
network segments for the various client and server components and where to use firewalls for access
protection. It also includes a list of the ports needed to operate the application.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
9.2 Communication Channel Security
The table below shows the communication paths used by SAP Customer Activity Repository, the protocol used
for the connection, and the type of data transferred.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Network and Communication Security CUSTOMER 45
Table 20: Communication Paths
Communication Path Protocol Used Type of Data Transferred Data Requiring Special Pro
tection
Front-end client using SAP DIAG All application data Passwords, credit card infor
GUI for Windows to applica mation
tion server
Application server to third- HTTPS System ID, client, and host System information (host
party application name name), personal data, trans
actional data, and credit card
information
Document upload HTTPS XML document Personal data, transactional
data, and credit card informa
tion
Application server to applica RFC Application data System information, personal
tion server data, transactional data, and
credit card information
Application server to applica IDoc Application data records Personal data, transactional
tion server data, and credit card informa
tion
Web service client to Web SOAP XML document Personal data, transactional
service provider data, and credit card informa
tion
Application server to external IDoc Application data records Omnichannel Promotion Pric
receiver ing data, including regular
price data and OPP promo
tion data.
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services
security.
For more information, see Transport Layer Security the SAP NetWeaver Security Guide.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security
Guide.
SAP Customer Activity Repository 2.0 SP4 Security Guide
46 CUSTOMER Network and Communication Security
9.3 Network Security
The network topology for SAP Customer Activity Repository is based on the topology used by the SAP NetWeaver
platform. Therefore, refer to the following documentation for information on network security:
● SAP NetWeaver 7.40 Security Guide
● SAP Supply Chain Management Security Guide
● SAP Supplier Relationship Management Security Guide
● SAP ERP Central Component Security Guide
● SAP Customer Relationship Management Security Guide
If you are implementing the Loss Prevention Analytics functionality, you should also refer to the following
documentation:
● Security Guide for SAP NetWeaver BW
● Portal Security Guide
To locate the security guides listed above, go to SAP Help Portal ( http://help.sap.com), choose your product and
then choose Security Information. For example, http://help.sap.com/nw74 Security Information Security
Guide .
Ports
SAP Customer Activity Repository runs on SAP NetWeaver and uses the ports from the AS ABAP. For more
information, see the topics for AS ABAP Ports in the corresponding SAP NetWeaver Application Server ABAP
Security Guide . For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the
document TCP/IP Ports Used by SAP Applications, which is located on SAP Community Network (SCN) at http://
scn.sap.com/community/security under Infrastructure Security Network and Communication Security .
9.4 Communication Destinations
The incorrect configuration of users and authorizations for connection destinations can result in high security
flaws. To ensure the proper configuration of users and authorizations, do the following:
● Choose the appropriate user type: Communication or System
● Assign only the minimum required authorizations to a user type
● Choose a secure and secret password for a user type
● Store only connection user logon data for System user types
● Choose trusted system functionality
Connection destinations are particularly important in SAP Customer Activity Repository for connecting incoming
datasources and outgoing destinations. SAP Customer Activity Repository does not provide any pre-configured
RFC destinations; these destinations are created by customers. Therefore, connection information (such as
connection type, user name and password) is not defined directly within SAP Customer Activity Repository; it
SAP Customer Activity Repository 2.0 SP4 Security Guide
Network and Communication Security CUSTOMER 47
relies on references to system-defined and/or system-administered connections, for example, RFC destinations
or Web service configurations.
You require RFC destinations to connect SAP and non-SAP systems to SAP Customer Activity Repository. If
communication is to be accomplished with IDocs using Application Link Enabling (ALE), you may require
additional ALE configurations to ensure that the applicable message types are correctly routed.
For inbound communication to SAP Customer Activity Repository, you must do the following:
● Define SAP Customer Activity Repository as a target destination within the source system, for example, as an
RFC destination with a specific user identified.
● Define a user with the necessary authorizations for SAP Customer Activity Repository
For outbound communication from SAP Customer Activity Repository, you must do the following:
● Define all target destinations within SAP Customer Activity Repository, for example, as an RFC destination
with a specific user identified for the target system.
● Configure SAP Customer Activity Repository Customizing as the target destinations.
● Define all users with the necessary authorizations on the target system(s).
The table below shows an overview of the communication destinations used by the SAP Customer Activity
Repository application.
Table 21: Connection Destinations
Destination Delivered Type User, Authorizations Description
Customer-defined in No RFC ● S_ICF (for client Inbound transaction
external system system) data from BAPI call
● S_RFC (for server
system)
● S_RFCACL (for
trusted systems
only)
● W_POS_TIBQ (Ac
tivity '01' Create)
Customer-defined No HTTP(S) Web Service Authoriza Inbound transaction
through communica tion Objects: data from Web Service
tion channel (either at call (from POS)
● S_SERVICE
runtime or configured
for proxy/logical port) Web Service Roles:
in external system ● SAP_BC_WEB
SERVICE_CONSU
MER
SAP Customer Activity Repository 2.0 SP4 Security Guide
48 CUSTOMER Network and Communication Security
Destination Delivered Type User, Authorizations Description
Customer-defined in No tRFC ● S_ICF (for client Inbound transaction
external system system) data from IDOC
● S_RFC (for server through ALE (such as
system) for SAP Retail, etc.)
● S_RFCACL (for
trusted systems
only)
● W_POS_TIBQ (Ac
tivity '01' Create)
Customer-defined in No RFC RFC Authorization Ob Outbound transaction
Customizing jects: data from BAPI / Func
tion Module resulting
● S_ICF (for client
from Task Processing
system)
(such as for SAP ERP,
● S_RFC (for server
SAP F&R, Credit Card
system)
Settlement, Payment
● S_RFCACL (for
Card, , etc.)
trusted systems
only)
ALE Authorization Ob
jects:
● B_ALE_RECV
● B_ALE_REDU
Authorization Objects:
● W_POS_AGGP
Roles:
● /POSDW/ADMIN
ISTRATOR
● /POSDW/
SALES_AUDIT
SAP Customer Activity Repository 2.0 SP4 Security Guide
Network and Communication Security CUSTOMER 49
Destination Delivered Type User, Authorizations Description
Customer-defined No HTTP(S) Web Service Authoriza Outbound transaction
through communica tion Objects: data from Web Service
tion channel (either at call resulting from Task
● S_SERVICE
runtime or configured Processing (such as for
for proxy/logical port) Web Service Roles: SAP CRM)
of SAP Customer Activ ● SAP_BC_WEB
ity Repository system SERVICE_CONSU
MER
Authorization Objects:
● W_POS_AGGP
Roles:
● /POSDW/ADMIN
ISTRATOR
● /POSDW/
SALES_AUDIT
Customer-defined in No tRFC RFC Authorization Ob Outbound transaction
external system jects: data from IDOC result
ing from Task Process
● S_ICF (for client
ing (such as for SAP
system)
Retail, etc.)
● S_RFC (for server
system)
● S_RFCACL (for
trusted systems
only)
Authorization Objects:
● W_POS_TIBQ (Ac
tivity '01' Create)
SAP Customer Activity Repository 2.0 SP4 Security Guide
50 CUSTOMER Network and Communication Security
10 Internet Communication Framework
Security
You should only activate those services that are needed for the applications running in your system. For the SAP
Customer Activity Repository application (and specifically for the POS Data Transfer and Audit module), the
following service is required:
Table 22:
Service Description
POSTRANSACTERPBLKCRTRQ Inbound POS Transactions Service
For Loss Prevention Analytics (LPA) services within the SAP NetWeaver Portal, the following services are
required:
Table 23:
Service Description
LPA_WDA_CASHIERLOOKUP Cashier Lookup
LPA_WDA_TXN_VIEWER Transaction Viewer
LPA_WDA_JOURNAL_VIEWER Journal Viewer
You only need to activate these services if you are using LPA functionality. For more information, see SAP Note 1533599 .
You activate these services using transaction SICF. If your firewall(s) use URL filtering, note the URLs used for the
services and adjust your firewall settings accordingly.
For information about activating and deactivating ICF services, see Activating and Deactivating ICF Services in the
SAP NetWeaver Library documentation.
For information about ICF security, see the RFC/ICF Security Guide within the Security Guides for Connectivity and
Interoperability Technologies in the SAP NetWeaver Security Guide.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Internet Communication Framework Security CUSTOMER 51
11 Data Storage Security
Data Storage
The SAP Customer Activity Repository application saves data in the SAP HANA database of the SAP system
(configuration, master, transactional, and aggregation data). Data access for users is controlled through the
standard SAP NetWeaver and SAP HANA authorization concepts (see the Authorizations [page 18] section).
The application makes use of data originating from other SAP systems (for example, SAP ERP, and optionally SAP
CRM). SAP Customer Activity Repository accesses data using SAP HANA read-only views included in SAP HANA
Live for SAP ERP and SAP HANA Content for SAP Customer Activity Repository. The data is protected through
the implementation of the SAP HANA Live for Business Suite authorization concept, which relies on SAP HANA
DB object and analytical privileges for users.
Data is not temporarily stored in the file system for any reason. For non-temporary data storage, see the
subsequent section for information about file system storage for archived transactional and aggregation data.
Using Logical Path and File Names to Protect Access to the File System
The SAP Customer Activity Repository application can optionally save data in files in the file system (specifically
for archiving purposes). Therefore, it is important to explicitly provide access to the corresponding files in the file
system without allowing access to other directories or files (also known as directory traversal). This is achieved by
specifying logical paths and file names in the system that map to the physical paths and file names. This mapping
is validated at runtime and if access is requested to a directory (including subdirectories) that does not match a
stored mapping, then an error occurs.
The following lists show the logical file names and paths used by the SAP Customer Activity Repository
application and for which programs these file names and paths apply:
Logical File Names Used in This Application
The following logical file names have been created in order to enable the validation of physical file names:
● ARCHIVE_DATA_FILE_POSDW
○ Programs using this logical file name and parameters used in this context:
○ Archiving object /POSDW/TL
○ Program /POSDW/ARCHIVE_READ
○ Program /POSDW/ARCHIVE_WRITE
○ Program /POSDW/ARCHIVE_DELETE
○ Program /POSDW/ARCHIVE_RELOAD
○ Parameters used in this context ('_' between parameters, and suffix of ' _TL.ARCHIVE'):
○ < PARAM_1>
○ < PARAM_3>
○ < DATE>
○ < TIME>
○ < PARAM_2>
● ARCHIVE_DATA_FILE_POSDW2
SAP Customer Activity Repository 2.0 SP4 Security Guide
52 CUSTOMER Data Storage Security
○ Programs using this logical file name:
○ Archiving object /POSDW/AGG
○ Program /POSDW/ARCHIVE_READ_AGGERGATE
○ Program /POSDW/ARCHIVE_WRITE_AGGREGATE
○ Program /POSDW/ARCHIVE_DELE_AGGREGATE
○ Parameters used in this context ('_' between parameters, and suffix of ' _AG.ARCHIVE'):
○ < PARAM_1>
○ < PARAM_3>
○ < DATE>
○ < TIME>
○ < PARAM_2>
● ARCHIVE_DATA_FILE_POSDW_F
○ Programs using this logical file name:
○ Archiving object /POSDW/TLF
○ Program /POSDW/ARCHIVE_READ_HDB_F
○ Program /POSDW/ARCHIVE_WRITE_HDB_F
○ Program /POSDW/ARCHIVE_DELETE_HDB_F
○ Program /POSDW/ARCHIVE_RELOAD_HDB_F
○ Parameters used in this context ('_' between parameters, and suffix of ' .ARCHIVE'):
○ < PARAM_1>
○ < PARAM_3>
○ < DATE>
○ < TIME>
○ < PARAM_2>
Logical Path Names Used in This Application
The logical file names listed above all use the logical file path ARCHIVE_GLOBAL_PATH.
Activating the Validation of Logical Path and File Names
These logical paths and file names, as well as any subdirectories, are specified in the system for the
corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To
activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent)
and SF01 (client-specific). To find out which paths are being used by your system, you can activate the
corresponding settings in the Security Audit Log.
For more information, see:
● Logical File Names in the SAP NetWeaver Library
● Protecting Access to the File System in the SAP NetWeaver Application Server ABAP Security Guide
● Security Audit Log in the SAP NetWeaver Library
SAP Customer Activity Repository 2.0 SP4 Security Guide
Data Storage Security CUSTOMER 53
Data Protection
The SAP Customer Activity Repository application does not support or require a Web Browser as its user
interface, and therefore does not use cookies to store data on the front-end. Additionally, no data is stored on a
client.
The application transactional data may contain sensitive data, in the form of credit card numbers, and so on,
which are provided from outside systems. It is strongly recommended that all such data be encrypted at its
source, remain encrypted when passed between systems, and remain encrypted within the SAP Customer
Activity Repository's application database tables or file system. For specific steps necessary to support or provide
for data encryption, see the relevant SAP Notes in section Before You Start [page 7].
For business use-cases where the decryption of this type of data is required, specific authorizations are necessary
and access is logged for auditing purposes. For more information, see the Authorizations [page 18] section.
SAP Customer Activity Repository 2.0 SP4 Security Guide
54 CUSTOMER Data Storage Security
12 Security for Additional Applications
The SAP Customer Activity Repository application does not have any additional third-party applications
associated with it or delivered with it, nor does it have any mandatory dependencies on third-party applications.
For customer scenarios when third-party applications are optionally used, the relevant security settings for the
applicable application should be considered in combination with those of the SAP Customer Activity Repository
application.
Please refer to the Fundamental Security Guides information in the Before You Start [page 7] section for
additional security topics relating to the use of other SAP systems (SAP ERP, SAP CRM, and so on) within the
overall solution.
The SAP HANA Live for SAP ERP is a pre-requisite for SAP Customer Activity Repository, and additionally the
associated Analytics Authorization Assistant 1.0 tool used within the HANA Developer Studio tool is likewise
required for the execution of the SAP Customer Activity Repository authorization concept. The only relevant
security settings for the use of this tool are that the system administrator has granted the necessary privileges to
the specific database user responsible for administering analytical privileges (please refer to the Analytics
Authorization Assistant documentation for further details).
SAP Customer Activity Repository 2.0 SP4 Security Guide
Security for Additional Applications CUSTOMER 55
13 Enterprise Services Security
The following sections in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise
services delivered with the POS Data Transfer and Audit module of SAP Customer Activity Repository:
● Web Services Security
● Recommended WS Security Scenarios
● SAP NetWeaver Process Integration Security Guide
SAP Customer Activity Repository 2.0 SP4 Security Guide
56 CUSTOMER Enterprise Services Security
14 Payment Card Security According to PCI-
DSS
14.1 Introduction
The Payment Card Industry Data Security Standard (PCI-DSS) was developed jointly by major credit card
companies to create a set of common industry security requirements for the protection of credit card holder data.
Compliance with this standard is relevant for companies processing credit card data. For more information, see
http://www.pcisecuritystandards.org .
This section is provided to assist you in implementing payment card security aspects. It also presents issues that
you must consider in order for your deployment to be PCI-DSS compliant.
Caution
PCI-DSS includes more than the issues and information provided in this section. Ensuring that your system is
PCI-DSS compliant is entirely the customer's responsibility. SAP is not responsible for ensuring that a
customer is PCI-DSS compliant.
The PCI-DSS compliance information provided in this guide is application-specific. For general information on
ensuring payment card security, see: http://help.sap.com/erp Security Information Security Guide
Payment Card Security .
For updated general PCI-DSS information, see also SAP Note 1609917 .
14.2 Credit Card Usage Overview
14.2.1 Introduction
The SAP Customer Activity Repository is an integral part of the Store Connectivity scenario. It is possible that
each connection contains PCI-relevant data. As such, each communication line displayed in the diagram below
could be subject to the PCI-DSS, as could each component. (PCI-DSS implications for each component are
discussed in the individual security guides).
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 57
Figure 3: Communication Lines
14.2.2 SAP Customer Activity Repository
SAP Customer Activity Repository
SAP Customer Activity Repository can be used to support the Sales Audit transaction, during which credit card
settlements are reviewed. As such, it must be configured to allow the Sales Auditor to access credit card data.
SAP Customer Activity Repository can also serve as a transaction repository, where transactional data (including
credit card data) can be aggregated and forwarded to other systems (Credit Card Settlement, SAP CRM, and SAP
NetWeaver BW [for BI Content]) for additional processing.
The POS Inbound Processing Engine (included in the POS Data Transfer and Audit module) includes the following
functionality to support your PCI-DSS compliance:
● Encryption of credit card data within PIPE using the SAPCRYPTOLIB encryption library
● Decryption of credit card data and decrypted display within PIPE
● Tracing and logging of decryption requests within PIPE
● Masking the display of credit card data in the POS Workbench
● Managing and distributing keys to the source POS
SAP Customer Activity Repository 2.0 SP4 Security Guide
58 CUSTOMER Payment Card Security According to PCI-DSS
14.2.3 Detailed Data Flow of Credit Card Data
The PCI-DSS relevant data within a POS transaction consists of credit card data that can be stored within an
application, and sensitive authentication data that must not be stored within an application.
Credit card data is transferred as part of the POS transaction data from a POS to SAP Customer Activity
Repository; the service code is not transmitted with this data. Depending on the configuration of your transaction
transfer application, the credit card data can be unencrypted or encrypted (symmetrically in an asymmetric
envelope) using the PAYCRV application.
You can configure your system to transfer the credit card data using the HTTPS communication protocol,
regardless of how the individual parts of the TLOG are encrypted.
The data is transferred from the POS to SAP Customer Activity Repository as follows:
1. The SOAP adapter residing in the adapter engine, the J2EE Stack, processes the HTTPS request. The SOAP
adapter calls additional EJBs to encrypt the message, but the payload itself does not use SOAP-enveloping.
Optionally, encrypted parts of the payload can be decrypted.
2. The SOAP adapter replaces all credit card data with dummy values and appends a privacy container as an
RSA-encrypted attachment to the XML message using the SAP Store, Secure and Forward (SSF) API.
3. The XML messages are mapped to the format of the SAP Customer Activity Repository inbound interface and
forwarded to SAP Customer Activity Repository through an RFC adapter (which also resides in the adapter
engine).
You can configure the communication to use Secure Network Communication (SNC) for the Remote Function
Call (RFC), which results in an encrypted data transfer between the SAP NetWeaver PI and SAP Customer
Activity Repository.
During the lifetime of a message in SAP NetWeaver PI, all credit card data is stored in the database as part of
the encrypted XML message attachment (both on the ABAP stack and the J2EE stack).
4. SAP Customer Activity Repository receives the TLOG messages and stores the content within the TLOG table
in the transactional database.
5. The credit card data is separated as follows:
○ The credit card holder's name and the card's expiration date are stored in unencrypted format in the
TLOG table. (The TLOG table content can be accessed by an authorized user in the POS Workbench,
where the data is displayed in clear text format.)
○ The Permanent Account Number (PAN) is stored in encrypted and secure format using the PAYCRV
application.
Only users with the required authorization can view the PAN in clear text format. Authorized users can request
that the PAN be displayed in clear text format by choosing the corresponding button in the interface. Each time a
user requests to view a PAN unmasked, it is logged in the application log.
1. The IDoc containing the POS transactional data is sent from SAP Customer Activity Repository to the SAP
ERP POS Inbound over HTTPS. During the process, all PCI-DSS relevant data is unencrypted.
2. SAP ERP POS Inbound stores the data with an unencrypted or encrypted PAN using the PAYCRV application.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 59
14.3 PCI-Related Customizing
14.3.1 SAP Basis Customizing Prerequisites
14.3.1.1 Introduction
SAP Customer Activity Repository PCI-DSS Security Customizing settings enhance the Customizing settings of
SAP Basis. The required SAP Basis Customizing settings consist of:
● Installing and configuring the SAPCRYPTOLIB encryption library
● Establishing the payment card security settings
● Configuring the key versioning
Depending on your system, you may require additional configurations. Check your system to verify if you need to
set up any of the following:
● Your POS to use the public key and version for encryption
● Your POS to transfer secured credit card data with the public key
● SAP NetWeaver PI for secure handling of the credit card data
● SAP ERP, SAP CRM, or other subsequent systems for secure handling of credit card data
● Secure IDoc and BAdI communication
14.3.1.2 Installation of the Encryption Library SAPCRYPTOLIB
The SAPCRYPTOLIB encryption library contains the functions required to encrypt credit card numbers.
You can define general settings for the execution of the encryption software in Customizing under SAP
NetWeaver Application Server System Administration Maintain the Public Key Information for the System .
For more information on installing the SAPCRYPTOLIB encryption library, see the section Installing SapCryptolib in
SAP Note 662340 .
If you set the encryption with the SSFA transaction, you must use the PAYCRV application.
14.3.1.3 Payment Card Security Settings
Payment card security settings are applied to all newly created or changed POS transactions that include credit
card information.
Basic Settings
You must configure the checking rules for payment card types as described in Customizing under Cross-
Application Components Payment Cards Basic Settings Assign Checking Rule . These rules are used for
SAP Customer Activity Repository 2.0 SP4 Security Guide
60 CUSTOMER Payment Card Security According to PCI-DSS
entering the payment card number. To avoid possible errors when making entries, you can use the checking rules
to verify that you have met the conditions of the relevant payment card type.
Settings for Payment Card Security
You must configure settings for the encryption, masking and access logs of payment cards. For information on
configuring the settings, see Customizing under Cross-Application Components Payment Cards Basic
Settings Make Security Settings for Payment Cards .
Note
For SAP NetWeaver 7.0, you can access this activity from Maintain View V_TCCSEC.
Sample settings are as follows:
● Security Level - Masked Display and Encrypted When Saved
● Access Log - Logging of Unmasked Display
● Additional Authorization Check for Unmasked Display - Enabled
● Visible Characters for Masking:
○ At Start - 4
○ At End - 4
○ Key Replacement Active - Enabled
Note
To enable encryption, choose the Masked Display and Encrypted When Saved option in the Security Level field.
Caution
If you select the Masked Display, Not Encrypted When Saved as the security level, credit card numbers may be
lost in the SAP system. Only choose this setting if the payment data is not to be processed any further.
Maintain Payment Card Types
You must execute the steps described in this section only if you have set the Masked Display and Encrypted When
Saved security level to the values described in the previous section.
To specify if payment card numbers for a credit card institution must be encrypted, enter the payment card type
and assign a check rule. If you want to enable data encryption for a credit card type, choose the encryption check
box.
For detailed instructions, see Customizing under Cross Application Component Payment Cards Maintain
Payment Card Type .
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 61
Caution
Note that if the encryption indicator for a credit card institution is not set, but the general security level is set to
Masked Display and Encrypted Save, the security level for the credit card institution will be lowered to Masked
Display, No Encrypted Save.
Masking Credit Card Number in IDocs
The WECRYPTDISPLAY transaction allows you to mask the display of credit card numbers in IDocs. To do so, you
must make the following entries in the Assignment: Encrypted Segment Field Display table:
● Message Type: WPUBON
● Segment Type: E1WPB06
● Field Name: KARTENNR
ERP Customizing - Customizing of Encryption Save Mode
The Customizing of Encryption Save Mode allows you to specify if existing Globally Unique Identifiers (GUIDs) can
be reused for different credit cards. You can create your own BAdI implementation. If you do not create your own,
the application uses the following existing GUID:
Enhancement spot: ES_WPOS_PCA_SECURITY
BAdI definition: WPOS_PCA_SECURITY
14.3.2 SAP Customer Activity Repository Customizing
SAP Customer Activity Repository Customizing
In addition to the configuration settings described in the SAP Basis Customizing Prerequisites section, the SAP
Customer Activity Repository Customizing activity defines how to store, process, and use sensitive data. For more
information, see SAP Customer Activity Repository POS Data Management POS Inbound Processing
General Settings Define Security Profiles .
SAP Customer Activity Repository 2.0 SP4 Security Guide
62 CUSTOMER Payment Card Security According to PCI-DSS
The table below shows the settings for the encrypted storage of payment card numbers and how they are
displayed on the User Interface. The encryption and display settings are:
Table 24:
Setting Description Example
Security Profile Displays the identifier of the security 0001
profile.
Description Describes the security profile. SAP Standard Security Profile
SSF Application Identifies the STRUST application, which PAYCRV (versioned keys)
is part of SAP Basis.
Save Mode Indicates whether the reference of the Reuse Existing Entry
encrypted payment card number, which
is a GUID (Globally Unique Identifier), is
always re-used for the same payment
card number. Otherwise different GUIDs
are assigned for the same payment card
number.
There is a trade-off between perform
ance and increasing encryption table
size during encryption, but there is no
performance impact during decryption.
As an example, this could provide you
with the option to Re-use Existing Entry
for a cross-selling analysis of a credit
card number or GUID in a further proc
ess/system. This setting does not affect
your PCI-DSS compliancy. However, ac
cording to PCI-DSS, cross-selling analy
sis with card numbers should not be
used, and data mining on a credit card
could invalidate your PCI-DSS compli
ancy.
Security Check The security check must be set to Allow Allow Security Level Check
Security Level Check to be compliant
with the PCI-DSS standard. This allows
SAP Customer Activity Repository to
work and check according to the pay
ment card settings in the TCCSEC table
in SAP Basis.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 63
14.4 Rotation or Changing of Encryption Keys
14.4.1 Introduction
To be PCI-DSS compliant, encryption keys must be changed on a regular basis. See SAP Note 1151936 for
more information about key replacement for encryption of payment card data.
14.4.2 Key Distribution Web Service
PCI-DSS requires that credit card data must be encrypted if it is transmitted over open, public networks. To fulfill
this requirement, the Key Distribution Web service was implemented for the distribution of X.509 certificates. The
Web service was under the NetWeaver governance approach. No SAP Business Objects or ARIS content are
delivered with the Web service.
14.4.3 Pull Mechanism in SAP Customer Activity Repository
A pull mechanism is used between SAP Customer Activity Repository and the POS. The POS is the Web service
consumer and SAP Customer Activity Repository is the service provider. The communication between the two
systems is peer-to-peer and does not use SAP NetWeaver PI.
Figure 4: Pull Mechanism
SAP Customer Activity Repository 2.0 SP4 Security Guide
64 CUSTOMER Payment Card Security According to PCI-DSS
14.4.4 Message Choreography SAP Customer Activity
Repository and POS Store Solution
Certificates sent using Web services have an X.509 format, the standard format for public key certificates.
The Web service has a query/response pattern that contains one service interface for the query and one for the
response. These service interfaces are modeled on the SAP NetWeaver PI system (SAP ABA 7.02 and SAP ABA
7.20). SAP NetWeaver PI core and global data types are used as the data types.
Service Interface
The CertificateByApplicationQueryResponse_In service interface, which has a query/response
communication pattern, contains the following three messages:
Table 25:
Name Type Role Description
CertificateByApplicatio Message Type Request Request for the certificate
nQuery_sync and the application
CertificateByApplicatio Message Type Response Response that contains the
nResponse_sync certificate and the version
StandardMessageFault Fault Message Type Fault Fault message
CertificateByApplicationQuery_sync is the message type for the request section of the
CertificateByApplicationQueryResponse_In service interface. It contains the SSF application for which
the certificate is being requested.
Table 26:
Name Type Description
Application String SSF Application
The CertificateByApplicationResponse_sync message contains the current certificate and version of the
requested application.
Table 27:
Name Type
Certificate BinaryObject
Version IntegerValue
Log Log
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 65
The SSF application is required for the following reasons:
● It is the importing parameter of the SSFV_GET_CURRENT_KEYVERS_RFC function module, which is called
from the proxy class.
● Without the SSF application, it is not possible to get the key version.
IMPORTING
VALUE(IF_APPLIC) TYPE SSFAPPL
EXPORTING
VALUE(EF_KEYVERSION) TYPE SSFKEYVERS
VALUE(EF_CERTIFICATE) TYPE XSTRING
EXCEPTIONS
VERSION_NOT_FOUND
CERTIFICATE_NOT_FOUND
The corresponding class of the proxy contains a method with an importing parameter that is the request message
type and an exporting parameter that corresponds to the response message type.
SAP Customer Activity Repository Keys
Key rotation in SAP Customer Activity Repository is performed using the STRUST transaction. SAP Customer
Activity Repository also provides you with a key management tool. The /POSDW/KEY_DISTRIB_DISPLAY report
displays information about used and distributed key versions.
Recommendation
The key management tool performs a selection on a large central log database that can be used by many
applications, therefore you must make the selection as specific to your needs as possible. For example, select
the following:
● Application log object: KEY_DIST
● SSF application: PAYCRV
The results of the selection allow you to identify:
● Any key versions activated for deletion
● The key versions still in use
● The system to which the key was distributed
14.4.5 Key Distribution User Interface
The /POSDW/DISP_KEYV transaction displays a list of the key versions and allows you to do the following:
● Track which users required a key
● Link to the transaction where an administrator can perform key management
● Flag a key version for deletion. This requires a manual verification by the administrator to ensure that there
are no inbound messages using the encrypted key that is flagged for deletion.
SAP Customer Activity Repository 2.0 SP4 Security Guide
66 CUSTOMER Payment Card Security According to PCI-DSS
Customizing
At least one key version must exist. An administrator can create key versions using the SSFVA transaction.
Process
Every time the user uses the Key Distribution Web service, the information is saved in the application log. The key
version is written in a message structure of the log. The user name, date, time, KEY_DISTR application log object,
SSFV application name, transaction and log number are also written to the log.
An administrator can run the /POSDW/KEY_DISTRIB_DISPLAY report to search the application log and display
information. The existing backend capacity of the application log provides search functionality, persistence of
data and retrieval functionality from the database. The displayed information is read-only.
After the administrator manually verifies in the POS, SAP NetWeaver Pl, and SAP Customer Activity Repository to
ensure that they do not contain encrypted information with a particular key version, the administrator can flag this
key version for deletion using the corresponding button (under the description FLG_DEL). The rest of the deletion
process can be carried out by choosing the KEY_MGNT button to execute the SSFVA transaction.
14.5 Masked/Unmasked Display
The payment card security settings, described in the PCI-Related Customizing [page 60] section, specify the
following:
● Security level - with or without encryption/masking
● Update of the access log with unmasked display
● Selection of additional authorization check with unmasked display
● Number of unmasked characters displayed
In SAP Customer Activity Repository, credit card numbers can only be displayed in the POS Workbench (using
the /POSDW/MON0 transaction). When a user displays the details of a sales transaction with a means of payment
that includes a credit card settlement segment, the credit card details are masked (that is, an asterisk (*) is used
to replace each number). If the B_CCSEC authorization object exists in the user's master record, the user has the
authorization level required to display the credit card details in an unmasked form. The user can display the credit
card details using the magnifier icon next to the credit card number. This action triggers a new entry in the access
log and opens a new window that displays the unmasked details.
The logging mechanism allows you to trace which user has displayed which payment card and when. If the user
does not have the authorization level required to display unmasked credit card numbers, the magnifier icon is not
displayed in the POS Workbench.
Caution
In order for a user to be able to view any credit card information in the POS Workbench, you must enable the
W_POS_CCNR authorization object for activity 02, Display Credit Card Number.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 67
The SAP Basis authorization role B_CCARD is enhanced to allow the display of unmasked credit card data.
The /POSDW/SALES_AUDIT authorization role allows auditors to review credit card settlement information.
At a minimum, the following credit card data fields must be encrypted:
● Credit card expiration date
● Credit card holder name
● Authorization number
● Credit card number
The W_POS_FSPR authorization object specifies the protection level required for this sensitive data. The
authorization object has only one field, Field Selection Profile. It is used to specify if data is to be displayed in the
interface or not, depending on which profiles are added to it for a specific user or role.
In Customizing for SAP Customer Activity Repository, you can define field selection profiles. This allows you to
define what information is displayed for a user profile, that is, which list of structures and fields are visible to a
user based on a user's profile.
14.6 Logging of Payment Card Number Access
SAP Customer Activity Repository uses the following SAP Basis reports and programs to display and delete logs
about user access to unmasked credit card data:
● The CCSEC_LOG_SHOW transaction - allows users to display a log of users who have viewed decrypted credit
card information in the POS Workbench. To access the log, a user must have authorization for activity 71 in
the B_CCSEC authorization object.
● The CCSEC_LOG_DEL transaction - allows users to delete log records about users who have accessed
unmasked credit card data in the POS Workbench. A user can only delete log records that are at least one
year old. To activate the deletion program, a user must have authorization for activity 06 in the B_CCSEC
authorization object.
Note
The integrity of the log does affect your PCI-DSS compliance. If the log is not secured, your PCI-DSS
compliance is compromised.
14.7 Encryption, Decryption, and Storage of Encrypted Credit
Card Numbers
14.7.1 Introduction
SAP Customer Activity Repository stores transactional data in the /POSDW/TLOGF table. The table contains the /
POSDW/LRAW transactional data, which is stored in a 32000-length LRAW string. This is the only table in SAP
SAP Customer Activity Repository 2.0 SP4 Security Guide
68 CUSTOMER Payment Card Security According to PCI-DSS
Customer Activity Repository in which credit card data is stored. All credit card data stored in the LRAW strings
must be encrypted.
14.7.2 SAP Customer Activity Repository
IDoc Encryption
BAdIs are used to encrypt and decrypt data. The IDOC_DATA_MAPPER BAdI is used to encrypt and save data to
the IDoc database. The IDOC_DATA_CRYPTION is used to read and decrypt data from the IDoc database.
Three IDoc types contain credit card numbers:
● WPUBON01
● WPUTAB01
● /POSDW/POSTR_CREATEMULTIPLE02
The /POSDW/PCA_IDOC_MAP BAdI is used to encrypt credit card numbers in the WPUBON01 and WPUTAB01 IDocs.
The /POSDW/PCA_IDOC_CRYPT BAdI implementation is used to decrypt credit card numbers in the WPUBON01
and WPUTAB01 IDocs.
To enable the encryption of credit card numbers in the /POSDW/POSTR_CREATEMULTIPLE02 IDoc type, the
CARDGUID and ENCTYPE fields have been added to the /POSDW/E1BPCREDITCARD segment of the /POSDW/
POSTR_CREATEMULTIPLE02 IDoc basic type. The /POSDW/PCA_IDOC_MAP and /POSDW/PCA_IDOC_CRYPT
BAdIs have been enhanced to process the updated segment type.
Processing of Incoming Encrypted Data
The /POSDW/BAPI_POSTR_CREATE BAPI, the /POSDW/CREATE_TRANSACTIONS_EXT remote function module
and the service inbound interfaces have been enhanced to contain a secured data segment or cipher; they have all
been asymmetrically encrypted using PKCS7.
The decrypted secured data must conform to a defined XML structure and is converted to an internal table for
later processing by the /POSDW/XSLT_SECUREXMLTOTABLE simple transformation.
14.7.3 SAP ERP
IDoc Encryption Process
Once the IDoc data records have been sent to the IDOC_PCI_ENCR_IM BAdI implementation, the encryption of
the credit card data begins. The encryption process is as follows:
1. The segment in the IDoc record that contains the credit card information is identified.
2. The encryption process maps the data from the E1WPZ02 and E1WPB06 segments to the internal structure.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 69
3. The data is used to retrieve the card GUID, the name of the credit card institution number, and the credit card
number.
4. The security level check is performed.
In Customizing, each credit card institution is assigned a security level. If the security level is set to 2, the
credit card number is encrypted; if the security level is set to 1, the credit card number is masked.
5. The card GUID and encryption type are mapped to the structure for decryption.
6. A message is created to confirm the success or failure of the encryption.
7. The consistency check is performed.
Decryption Process
Once the IDoc data records have been sent to the IDOC_PCI_DECRYPTION_IM BAdI implementation, the
decryption of credit card data begins. The decryption process is as follows:
1. The segment in the IDoc record that contains the credit card information is identified.
2. The decryption process maps the data from the E1WPZ02 and E1WPB06 segments to the internal structure.
3. The data is used to retrieve the card GUID, the encryption type, and the credit card number.
The encryption type is currently a fixed value set to 2.
1. The credit card number is decrypted.
2. A message is created to confirm the success or failure of the decryption.
Secure Handling of Credit Card Information During POS Processing
In SAP Customer Activity Repository, credit card data is handled during inbound and outbound processing.
Inbound and outbound processing are executed using IDoc types.
During outbound processing, store systems are provided with customer-specific credit card master data.
Outbound processing is executed using the WP_PER01 IDoc type. However as this IDoc type is for internal use
only, it cannot be used for the encryption of credit card data.
During inbound processing, credit card details are a payment attribute of sales transactions. Encryption is
required on the IDoc database to support IDoc types that contain credit card data. No other changes are required
to securely handle credit card data:
● No encryption of the customer POS database is required as no business data or credit card data is stored in it.
● Follow-on applications, such as the Retail Information System (RIS) or Business Warehouse (BW), are only
provided with masked credit card numbers in order to perform cross-selling analysis, therefore they do not
require to support encryption.
● No changes are required to the user interfaces of the POS Monitor or Sales Audit because the behavior
remains the same as it was before the IDoc database was encrypted: the credit card information is provided in
clear text format. Credit card information is temporarily available in clear text during inbound processing to
internal applications and when the data is transferred to follow-on applications (such as Analytics and Sales &
Distribution). However, as the risk of losing credit card data at this point is minimal, no changes for encryption
are required.
● Only authorized users can see the credit card data; regular users cannot see secure data while it is being
processed internally.
SAP Customer Activity Repository 2.0 SP4 Security Guide
70 CUSTOMER Payment Card Security According to PCI-DSS
14.8 Migration
The /POSDW/PCA_MIGRATION report allows you to move decrypted or encrypted credit card numbers from other
systems to masked or encrypted credit card numbers in SAP Customer Activity Repository. You can access the /
POSDW/PCA_MIGRATION report using the /POSDW/PCAM transaction.
To use the /POSDW/PCA_MIGRATION report, you must have authorization for activity 02 in the W_POS_TRAN
authorization object. The required underlying security settings must also be configured.
You can consult the migration log to determine for which transactions the data was not migrated successfully.
The log provides an overview, by store and transaction date, of how many transactions were found and whether or
not the data was successfully changed. If an error occurred for a transaction, no credit card numbers or
information is displayed in the log, only the transaction index, store number, posting date, and task number are
provided.
Transaction data can only be changed if it is not posted in any task. All tasks for the transaction must have one of
the following statuses:
● Ready
● Error
● Canceled
● Canceled with Warning
Only transaction data that is not posted to a task can be changed. All transactions must have one of the following
statuses:
● Ready
● Error
● Canceled
● Canceled with Warning
Note
Only transaction data from a task with a Completed status can be changed.
14.9 Deletion of Credit Card Storage
You may be required to delete credit card data, for example, if credit card information is outsourced or in order to
improve your PCI-DSS compliance. Once TLOG transactional data has been archived, SAP Customer Activity
Repository assumes that the old credit card information is no longer accessible and that it will be deleted
eventually. The process deleting old credit card information takes approximately two years as the old data is
overwritten by the new data.
The RCCSECV_DATA_DEL SAP standard report from the CCSECV_DATA_DEL transaction allows you to delete
unused, encrypted credit card data. By default, credit card data is considered unused when it has not been used in
a report or transaction for a minimum of 500 days.
If you have any existing transactions that contain credit card information without an assigned security level, you
can use the /POSDW/PCAM transaction to migrate it.
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 71
14.10 Archiving
Only masked credit card information can be archived. Clear text credit card information must not be archived.
Archiving encrypted credit card information is problematic because archived data must remain unchanged. PCI-
DSS requires that encrypted credit card information be re-encrypted with a different key, for example, with key
rotation. However, it is not possible to change data in this way in an archive.
Archiving must be disabled on applications and transactions that do not retain the encryption state of the source
data, such as on SAP NetWeaver PI, ABAP Web Services, or Forward Error Handling (FEH). IDocs that contain
credit card information must not be archived. The following IDocs are affected because they may contain credit
card information:
● WPUBON - POS interface: Upload sales docs (receipts) non-aggregated
● WPUTAB- POS interface: Upload day-end closing POS
● WPUFIB - POS interface: Upload Fin.Acc. interface SRS/POS
● /POSDW/POSTR_CREATEMULTIPLE - PIPE: BAPI for Creating Several POS Transactions
You use the CA_PCA_SEC archiving object to archive the encrypted credit card numbers.
You use the following object to archive TLOG transaction data (which may also contain credit card information):
● /POSDW/TLF
SAP Customer Activity Repository 2.0 SP4 Security Guide
72 CUSTOMER Payment Card Security According to PCI-DSS
14.11 Interfaces for IDoc/Services
In a typical SAP Customer Activity Repository landscape, credit card information is communicated as follows:
Figure 5: Credit Card Information Communication Flow
See the Credit Card Usage Overview [page 57] section for more information.
The following interfaces are available for use:
● Web services CertificateByApplicationQuery_Sync and
CertificateByApplicationResponse_Sync are used as a pull mechanism from SAP Customer Activity
Repository.
● Store Connectivity 2.0 or 3.0 can optionally be used to map the encrypted data container to the SAP
Customer Activity Repository inbound proxy.
The interface determinations must contain the
POSLog_To_PointOfSaleTransactionERPBulkCreateRequest_In interface mapping
● The IDOC_DATA_MAPPER IDoc for database encryption is called before saving data to the IDoc database and
IDOC_DATA_CRYPTION IDoc for database decryption is called after reading data from the database.
● The POSDW/BAPI_POSTR_CREATEBAPI, the /POSDW/CREATE_TRANSACTIONS_EXT remote Function Module
and the service inbound interfaces have been enhanced to contain a secured data segment or cipher; they
have all been asymmetrically encrypted with PKCS7. The decrypted secured data must conform to a defined
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 73
XML structure and is converted to an internal table for processing later by the /POSDW/
XSLT_SECUREXMLTOTABLE transformation.
The following IDoc types contain credit card numbers:
● WPUBON01:
Encryption in BAdI function /POSDW/PCA_IDOC_MAP
● WPUTAB01:
Encryption in BAdI function /POSDW/PCA_IDOC_CRYPT
● /POSDW/POSTR_CREATEMULTIPLE02:
To enable the encryption of the credit card number in the IDoc type, the CARDGUID and ENCTYPEfields have
been added to the /POSDW/E1BPCREDITCARD segment of the IDoc basic type.
Caution
IDoc segments cannot store credit card numbers in clear text due to the PCI-DSS compliance. Once an IDoc is
being processed within the IDoc Framework, all values are temporarily stored, including the credit card number
in clear text format.
For more information about how to process IDocs that contain credit card information, see Handling Sensitive
Data in IDocs in the SAP NetWeaver Security Guide ALE (ALE Applications) .
14.12 RFC Debugging
You must disable RFC debugging when you process credit card information in a productive system. Do not
activate the Set RFC Trace option in your productive system. If this option is activated, the system will save all
RFC call input data in clear text to file. If credit card numbers (including the PAN) are included in calls to a function
module, then this data would be stored to the same file. According to PCI-DSS, credit card numbers must be
encrypted when stored, therefore if you activate the Set RFC Trace option you would no longer be PCI-DSS
compliant.
14.13 Forward Error Handling
In SAP Customizing, you must disable Forward Error Handling (FEH) for all services that contain credit card
numbers.
14.14 Card Verification Values
You must not process any asynchronous services that contain a card verification code or card verification value
(CVV) data (such as CAV2, CID, CVC2, CVV2). The payload of asynchronous services is persisted in the database
SAP Customer Activity Repository 2.0 SP4 Security Guide
74 CUSTOMER Payment Card Security According to PCI-DSS
until the service is processed, however, PCI-DSS does not allow the persistence of card verification values.
Synchronous services can be processed because their payload is not persisted.
Note
In SAP services, these values correspond to the PaymentCardVerificationValueText SAP Global Data
Type (GDT).
SAP Customer Activity Repository 2.0 SP4 Security Guide
Payment Card Security According to PCI-DSS CUSTOMER 75
15 Security-Relevant Logging and Tracing
SAP Customer Activity Repository relies on the logging and tracing mechanisms of SAP NetWeaver.
For more information on tracing and logging, see Auditing and Logging in the SAP NetWeaver Security Guide.
The SAP Customer Activity Repository application (and specifically the POS Data Transfer and Audit module)
delivers and uses /POSDW/PIPE, an SAP NetWeaver Application Server ABAP application log object for
application log entries. This object contains the following subobjects:
● CHANGE_TASKSTATUS: Used for task status change related operations
● CREATETREX: Used for TREX index-related operations
● CREDITCARD_MIGRATION: Used for credit card migration operations
● DELETE: Used for operations related to transaction deletion
● DELETE_AGGREGATE: Used for operations related to transaction aggregate deletion
● IDOC_DISPATCHER: Used for the execution of IDoc Dispatcher processing
● INBOUND_DISPATCHER: Used for the executions of Inbound Processing Dispatcher using Queue
● OUTBOUND_DISPATCHER: Used for execution of Outbound Processing of Aggregates
● PIPEDISPATCHER: Used for execution of PIPE/POS Dispatcher processing
● REFRESH_INDEX: Used for operations related to reconstruction of the transaction index
● REORG_TIBQ: Used for operations related to the reorganization of the inbound queue for point-of-sales
transactions (TIBQ)
● STOREDAYCHANGE: Used for operations related to POS Data Key Changes
● XML_IN: Used for execution of the Import POS Transaction as XML File
● XML_OUT: Used for execution of the Export POS Transaction as XML File
Logging and Tracing for Customizing Changes
To evaluate changes the individual SAP Customer Activity Repository Customizing tables, you can activate the
logging of changes to table data:
1. Use transaction SE13 to change the technical settings of the desired table and activate the logging of
changes.
2. Use transaction SCU3 to evaluate the generated logs.
Logging of Payment Card Number Display
SAP Customer Activity Repository users with the appropriate authorization ( B_CCSEC authorization object) can
view complete credit card numbers in clear text in the POS Workbench. When a user displays a payment card
number in clear-text format, SAP Customer Activity Repository logs it in an access log. SAP Customer Activity
SAP Customer Activity Repository 2.0 SP4 Security Guide
76 CUSTOMER Security-Relevant Logging and Tracing
Repository allows you to perform a trace to determine which user has displayed a particular card number and
when. You can make changes to the authorization log using one of the following programs:
Table 28:
Program Description Prerequisite
CCSEC_LOG_SHOW Allows you to evaluate the access to Authorization for activity 71 in the
payment card data B_CCSEC authorization object
RCCSEC_LOG_DEL Allows you to delete log records that are Authorization for activity 06 in the
more than one year old B_CCSEC authorization object
SAP Customer Activity Repository 2.0 SP4 Security Guide
Security-Relevant Logging and Tracing CUSTOMER 77
16 Services for Security Lifecycle
Management
Use
The following services are available from Active Global Support to assist you in maintaining security in your SAP
systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
● Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP
Notes, the report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site
service. We recommend you use it regularly (for example, once a year) and in particular after significant system
changes or in preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliance
with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway
configuration or making sure standard users do not have default passwords.
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how
to operate SAP systems and landscapes in a secure manner. It guides you through the most important security
operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.
SAP Customer Activity Repository 2.0 SP4 Security Guide
78 CUSTOMER Services for Security Lifecycle Management
More Information
For more information about these services, see:
● EarlyWatch Alert: https://support.sap.com/support-programs-services/services/earlywatch-alert.html
● Security Optimization Service / Security Notes Report: https://support.sap.com/support-programs-
services/services/security-optimization-services.html
● Comprehensive list of Security Notes: https://support.sap.com/securitynotes
● Configuration Validation: https://support.sap.com/solution-manager/processes/change-control-
management.html
● Implement SAP: https://support.sap.com/support-programs-services/methodologies/implement-sap.html
SAP Customer Activity Repository 2.0 SP4 Security Guide
Services for Security Lifecycle Management CUSTOMER 79
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).
SAP Customer Activity Repository 2.0 SP4 Security Guide
80 CUSTOMER Important Disclaimers and Legal Information
SAP Customer Activity Repository 2.0 SP4 Security Guide
Important Disclaimers and Legal Information CUSTOMER 81
go.sap.com/registration/
contact.html
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.
You might also like
- Sap Security Upgrade Check List 1725457030No ratings yetSap Security Upgrade Check List 17254570306 pages
- Rise With Sap Sap Hana Cloud Private EdtitionNo ratings yetRise With Sap Sap Hana Cloud Private Edtition33 pages
- Upgrade - SAP Access Control 10 - 0 - 10 - 1 To 12 - 0 PDFNo ratings yetUpgrade - SAP Access Control 10 - 0 - 10 - 1 To 12 - 0 PDF28 pages
- SAP System Landscape Copy: Best Practice For Solution ManagementNo ratings yetSAP System Landscape Copy: Best Practice For Solution Management53 pages
- IIDR Q Replication Migration To 5655-DRQ or To Db2 LUW 11.5 or Above With Replication Architecture Level 1140 Nov 2019100% (1)IIDR Q Replication Migration To 5655-DRQ or To Db2 LUW 11.5 or Above With Replication Architecture Level 1140 Nov 201978 pages
- Guided Procedure For Configuration of SAP Solution Manager - SOLMAN SETUP - Part 2No ratings yetGuided Procedure For Configuration of SAP Solution Manager - SOLMAN SETUP - Part 256 pages
- SAP HANA On AWS Implementation and Operations GuideNo ratings yetSAP HANA On AWS Implementation and Operations Guide39 pages
- Authorization Troubleshooting: Account: Authorization For Company Codes Requires The Specification of Two Field ValuesNo ratings yetAuthorization Troubleshooting: Account: Authorization For Company Codes Requires The Specification of Two Field Values5 pages
- SAP Backbone Configuration With Enable TCINo ratings yetSAP Backbone Configuration With Enable TCI13 pages
- Administrator Guide SAP Access Control 12.0 SP02No ratings yetAdministrator Guide SAP Access Control 12.0 SP0250 pages
- "Brfplus (Business Rule Framework Plus) Is A Business Rules Management System (BRMS) Offered by Sap Ag. Brfplus Is Part of The Sap Netweaver AbapNo ratings yet"Brfplus (Business Rule Framework Plus) Is A Business Rules Management System (BRMS) Offered by Sap Ag. Brfplus Is Part of The Sap Netweaver Abap25 pages
- C - TADM70 - 74 - SAP Certified Technology Associate - OS - DB Migration For SAP NetWeaver 7.4 - SAP TrainingNo ratings yetC - TADM70 - 74 - SAP Certified Technology Associate - OS - DB Migration For SAP NetWeaver 7.4 - SAP Training5 pages
- System Recommendations in SAP Solution Manager 7.2 PDFNo ratings yetSystem Recommendations in SAP Solution Manager 7.2 PDF44 pages
- Sap Basis Notes Keylabs Training 141104032535 Conversion Gate02 PDF100% (1)Sap Basis Notes Keylabs Training 141104032535 Conversion Gate02 PDF97 pages
- Preparation: Snc/identity/as P:CN IDS, OU IT, O CSW, C DENo ratings yetPreparation: Snc/identity/as P:CN IDS, OU IT, O CSW, C DE8 pages
- https___theerplearning.com_free-materials_-10No ratings yethttps___theerplearning.com_free-materials_-10122 pages
- Security Guide for SAP Assurance and Compliance Software for SAP S4HANA_1.5 SP00No ratings yetSecurity Guide for SAP Assurance and Compliance Software for SAP S4HANA_1.5 SP00204 pages
- SAP Cloud Platform Identity Authentication ServiceNo ratings yetSAP Cloud Platform Identity Authentication Service456 pages
- SAP Supply Chain Management 70 Security GuideE100% (1)SAP Supply Chain Management 70 Security GuideE45 pages
- Chapter 1: Introduction: Database System Concepts, 7 EdNo ratings yetChapter 1: Introduction: Database System Concepts, 7 Ed37 pages
- Unit-1 Problem Areas in A Distributed DDBMS100% (3)Unit-1 Problem Areas in A Distributed DDBMS8 pages
- A State of The Art Review of Distributed Database TechnologyNo ratings yetA State of The Art Review of Distributed Database Technology46 pages
- EPAM Systems Senior Data Engineer Interview Questions and AnswersNo ratings yetEPAM Systems Senior Data Engineer Interview Questions and Answers5 pages
- NEB Class 12 Computer Database Management System DBMS Notes100% (1)NEB Class 12 Computer Database Management System DBMS Notes26 pages
- amazon.web.services.certshared.saa-c03.exam.dumps.2024-feb-18.by.mark.288q.vceNo ratings yetamazon.web.services.certshared.saa-c03.exam.dumps.2024-feb-18.by.mark.288q.vce18 pages
- IBM Replication For Business Continuity - Disaster Recovery and High Availabilit 2013No ratings yetIBM Replication For Business Continuity - Disaster Recovery and High Availabilit 201325 pages
- Fullstack Django Syllabus v1-Y4Lp1GgeE3tOKGZoNo ratings yetFullstack Django Syllabus v1-Y4Lp1GgeE3tOKGZo3 pages
- Top 10 Database Security Best PracticesNo ratings yetTop 10 Database Security Best Practices10 pages
- Enterprise Architecture Landscape Using TOGAF Framework For Offshore CompanyNo ratings yetEnterprise Architecture Landscape Using TOGAF Framework For Offshore Company11 pages
- (Ebook) Grails in Action - Second Edition by Peter Ledbrook, Glen Smith ISBN 9781617290961, 1617290963 download100% (1)(Ebook) Grails in Action - Second Edition by Peter Ledbrook, Glen Smith ISBN 9781617290961, 1617290963 download52 pages
