
Security Guide CUSTOMER

Document version: 1.0 – 2016-06-03

SAP Master Data Governance Security Guide


Document History

Caution
Before you start the implementation, make sure you have the latest version of this document. You can find the
latest version at the following location:xxx /xxx

The following table provides an overview of the most important document changes.

Table 1
Version | Date | Description
0.1 | 2016-06-03 | Preliminary Version

CUSTOMER
© Copyright 2016 SAP SE or an SAP affiliate company. SAP Master Data Governance Security Guide
2 All rights reserved. Document History
Content

1 SAP Master Data Governance Security Guide
2 Introduction
3 Before You Start
4 Technical System Landscape
5 User Management and Authentication
  5.1 User Administration
  5.2 User Data Synchronization
  5.3 Integration into Single Sign-On Environments
6 Authorizations
7 Network and Communication Security
  7.1 Communication Channel Security
  7.2 Network Security
  7.3 Communication Destinations
  7.4 Use of Virus Scanners
8 Data Storage Security
9 Enterprise Services Security
10 Security-Relevant Logs and Tracing
11 Segregation of Duties
12 Authorization Objects and Roles Used by SAP Master Data Governance
  12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing
    MDC_PROOT
    MDC_PFILT
    MDC_MASS
    MDC_ADMIN
  12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance
    Master Data Governance for Business Partner (CA-MDG-APP-BP)
    Master Data Governance for Supplier (CA-MDG-APP-SUP)
    Master Data Governance for Customer (CA-MDG-APP-CUS)
    Master Data Governance for Material (CA-MDG-APP-MM)
    Master Data Governance for Financials (CA-MDG-APP-FIN)
    Master Data Governance for Custom Objects (CA-MDG-COB)
13 Change Settings of Generated MDG Database Tables
14 Appendix

1 SAP Master Data Governance Security Guide

The following guide covers the information that you require to operate SAP Master Data Governance securely. To
make the information more accessible, it is divided into a general part, containing information relevant for all
components, and a separate part for information specific for individual components.

2 Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience
● Technology consultants
● Security consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas
the Security Guide provides information that is relevant for all life cycle phases.

Why Is Security Necessary?


With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to Master Data Governance. To assist you in securing Master Data
Governance, we provide this Security Guide.
Since Master Data Governance is based on and uses SAP NetWeaver technology, it is essential that you consult
the Security Guide for SAP NetWeaver. See SAP Service Marketplace at service.sap.com/securityguide >
SAP NetWeaver.

For all Security Guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.

Overview of the Main Sections


The Security Guide comprises the following main sections:
● Before You Start [page 8]
This section contains information about why security is necessary, how to use this document, and references
to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape [page 9]
This section provides an overview of the technical components and communication paths that are used by
Master Data Governance.
● User Management and Authentication [page 10]
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management
○ User types that are required by Master Data Governance
○ Standard users that are delivered with Master Data Governance
○ Overview of the user synchronization strategy
○ Overview of how integration into Single Sign-On environments is possible
● Authorizations [page 14]

This section provides an overview of the authorization concept that applies to Master Data Governance.
● Network and Communication Security [page 15]
This section provides an overview of the communication paths used by Master Data Governance and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level.
● Data Storage Security [page 18]
This section provides an overview of any critical data that is used by Master Data Governance and the
security mechanisms that apply.
● Enterprise Services Security [page 19]
This section provides an overview of the security aspects that apply to the enterprise services delivered with
Master Data Governance.
● Security-Relevant Logs and Tracing [page 20]
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.
● Segregation of Duties [page 21]
● Authorization Objects and Roles Used by SAP Master Data Governance [page 23]
● Change Settings of Generated MDG Database Tables [page 40]
● Appendix [page 41]
This section provides references to further information.

3 Before You Start

This table contains the most important SAP Notes concerning the security of Master Data Governance.
Table 2
Title | SAP Note | Comment
Code injection vulnerability in UAC_ASSIGNMENT_CONTROL_TEST | 1493809 | MDG and XBRL

More Information

For more information about specific topics, see the sources in the table below.
Table 3
Content | Quick Link on SAP Service Marketplace or SDN
Security | sdn.sap.com/irj/sdn/security
Security Guides | service.sap.com/securityguide
Related Notes | service.sap.com/notes, service.sap.com/securitynotes
Allowed platforms | service.sap.com/pam
Network security | service.sap.com/securityguide
SAP Solution Manager | service.sap.com/solutionmanager
SAP NetWeaver | sdn.sap.com/irj/sdn/netweaver

4 Technical System Landscape

For information about the technical system landscape, see the sources listed in the table below.
Table 4
Subject | Guide/Tool | Quick Link to SAP Service Marketplace
Technical description of Master Data Governance and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides > SAP Business Suite Applications > SAP Master Data Governance
High availability | High Availability for SAP Solutions | sdn.sap.com/irj/sdn/ha
Design of technical landscape | See available documents | sdn.sap.com/irj/sdn/landscapedesign
Security | See available documents | sdn.sap.com/irj/sdn/security

Note
If you intend to use a portal in your landscape, ensure that the embedding enterprise portal frame has the same
domain as the embedded Web Dynpro application.
To check the settings, call up the technical help in the Web Dynpro application (right-click, then select
Technical Help). On the Browser tab, check whether the Parent window is accessible indicator is marked.

5 User Management and Authentication

Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver
platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and
guidelines for user management and authentication that are described in the SAP NetWeaver Application Server
for ABAP Security Guide [external document] also apply to Master Data Governance.
In addition to these guidelines, we also supply information on user management and authentication that is
especially applicable to Master Data Governance in the following sections:
● User Administration [page 10]
This section details the user management tools, the required user types, and the standard users that are
supplied with Master Data Governance.
● User Data Synchronization [page 12]
The components of Master Data Governance can use user data together with other components. This
section describes how the user data is synchronized with these other sources.
● Integration into Single Sign-On Environments [page 12]
This section describes how Master Data Governance supports single sign-on mechanisms.

5.1 User Administration

Master Data Governance user management uses the mechanisms provided by SAP NetWeaver Application
Server for ABAP, such as tools, user types, and the password concept. For an overview of how these mechanisms
apply for Master Data Governance, see the sections below. In addition, we provide a list of the standard users
required for operating components of Master Data Governance.
User Administration Tools
The following table shows the user administration tools for Master Data Governance.
Table 5
Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information on the authorization objects provided by the components of Master Data Governance, see the component specific section.
Role maintenance with the profile generator for ABAP-based systems (PFCG) | For more information on the roles provided by Master Data Governance, see the component specific section.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems | For more information, see Central User Administration [external document].
User Management Engine for SAP NetWeaver AS Java (UME) | Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as ABAP Engine. For more information, see User Management Engine [external document].

Note
For more information on the tools that SAP provides for user administration with SAP NetWeaver, see SAP
Service Marketplace at service.sap.com/securityguide > SAP NetWeaver 7.0 Security Guides
(Complete) > Release > User Administration and Authentication.

User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
User types required for Master Data Governance include, for example:
● Individual users
○ Dialog users
Dialog users are used for SAP GUI for Windows.
○ Internet users for Web applications
Same policies apply as for dialog users, but used for Internet connections.
● Technical users:
○ Service users are dialog users who are available for a large set of anonymous users (for example, for
anonymous system access via an ITS service).
○ Communication users are used for dialog-free communication between systems.
○ Background users can be used for processing in the background.
Standard Users
The following table shows the standard users that are necessary for operating Master Data Governance.
Table 6
System | User ID | Type | Password | Additional Information
SAP Web Application Server | (sapsid)adm | SAP system administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Service (sapsid)adm | SAP system service administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | See SAP NetWeaver security guide | | SAP NetWeaver security guide
SAP Web Application Server | SAP Standard SAP Web Application Server Java Users | See SAP NetWeaver security guide | | SAP NetWeaver security guide
SAP ECC | SAP Users | Dialog users | Mandatory | The number of users depends on the area of operation and the business data to be processed.

Note
We recommend that you change the passwords and IDs of users that were created automatically during the
installation.

5.2 User Data Synchronization

By synchronizing user data, you can reduce effort and expense in the user management of your system
landscape. Since Master Data Governance is based on SAP NetWeaver, you can use all of the mechanisms for
user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver Security Guide on
SAP Service Marketplace at service.sap.com/securityguide > SAP NetWeaver.

Note
You can use user data distributed across systems by replicating the data, for example in a central directory
such as LDAP.

5.3 Integration into Single Sign-On Environments

Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application
Server for ABAP technology. Therefore, the security recommendations and guidelines for user management and
authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Governance.
Master Data Governance supports the following mechanisms:
Secure Network Communication (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
SAP Logon Tickets
Master Data Governance supports the use of logon tickets for SSO when using a Web browser as the front-end
client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP
system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token.
The user does not need to enter a user ID or password for authentication, but can access the system directly once
it has checked the logon ticket. For more information, see SAP Logon Tickets in the Security Guide for SAP
NetWeaver Application Server.
Client Certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end
client can also provide X.509 client certificates to use for authentication. In this case, user authentication is
performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be
transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For
more information about available authentication mechanisms, see SAP Library for SAP NetWeaver under User
Authentication and Single Sign-On [external document].

6 Authorizations

Master Data Governance uses the authorization concept of SAP NetWeaver Application Server ABAP. Therefore,
the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP
NetWeaver Application Server ABAP also apply to Master Data Governance. You can use authorizations to restrict
the access of users to the system, and thereby protect transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based
on roles. For role maintenance in SAP NetWeaver Application Server ABAP, use the profile generator (transaction
PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User
Management Engine (UME). You can define user-specific menus using roles.

Note
For more information about creating roles, see Role Administration [external document].

Standard Roles and Standard Authorization Objects


SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.
For a list of the standard roles and authorization objects used by components of Master Data Governance, see the
section of this document relevant to each component.

Note
Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your
requirements.

Authorizations for Customizing Settings


You can use Customizing roles to control access to the configuration of Master Data Governance in the SAP
Customizing Implementation Guide (IMG).

7 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business and your needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the devices
and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit known bugs and security holes in network services on the
server machines.
The network topology for Master Data Governance is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to Master Data Governance. Details that relate directly to SAP ERP Central Component are described in the
following sections:
● Communication Channel Security [page 15]
This section contains a description of the communication channels and protocols that are used by the
components of Master Data Governance.
● Network Security [page 16]
This section contains information on the network topology recommended for the components of Master Data
Governance. It shows the appropriate network segments for the various client and server components and
where to use firewalls for access protection. It also contains a list of the ports required for operating the
subcomponents of Master Data Governance.
● Communication Destinations [page 16]
This section describes the data needed for the various communication channels, for example, which users
are used for which communications.

7.1 Communication Channel Security

Communication channels transfer a wide variety of different business data that needs to be protected from
unauthorized access. SAP makes general recommendations and provides technology for the protection of your
system landscape based on SAP NetWeaver.
The table below shows the communication channels used by Master Data Governance, the protocol used for the
connection, and the type of data transferred.
Table 7
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to application of a third party administrator | HTTP(S) | Application data | For example, passwords, business data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer protocol (SSL protocol).

Recommendation
We strongly recommend that you use secure protocols (SSL, SNC).

7.2 Network Security

Since Master Data Governance is based on SAP NetWeaver technology, for information about network security,
see the corresponding sections of the SAP NetWeaver Security Guide at help.sap.com > Technology
Platform > SAP NetWeaver > Release/Language > SAP NetWeaver Security Guide > Network and Communication
Security > Network Services:
If you provide services in the Internet, you should protect your network infrastructure with a firewall at least. You
can further increase the security of your system or group of systems by placing the groups in different network
segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that
unauthorized access is also possible internally if a malicious user has managed to gain control of one of your
systems.
Ports
Master Data Governance is executed in SAP NetWeaver and uses the ports of AS ABAP or AS Java. For more
information see the corresponding security guides for SAP NetWeaver in the topics for AS ABAP Ports [external
document] and AS Java Ports [external document]. For information about other components, such as SAPinst,
SAProuter, or SAP Web Dispatcher, see the document TCP/IP Ports Used by SAP Applications in SAP Developer
Network at sdn.sap.com/irj/sdn/security under Infrastructure Security > Network and Communications
Security.

7.3 Communication Destinations

The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore
follow the security rules below when communicating between systems:
● Employ the user types system and communication.
● Grant a user only the minimum authorizations.

Note
For information on authorization objects, see Authorization Objects and Roles Used by SAP Master Data
Governance [page 23].

● Choose a secure password and do not divulge it to anyone else.
● Only store user-specific logon data for users of type system and communication.
● Wherever possible, use trusted system functions instead of user-specific logon data.

7.4 Use of Virus Scanners

If you upload files from application servers into Master Data Governance and you want to use a virus scanner, a
virus scanner must then be active on each application server. For more information, see SAP Note 964305
(solution A).

Note
● Work through the Customizing activities in the Implementation Guide under the Virus Scan Interface node.
● When doing this, use the virus scan profile /MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered for
Master Data Governance.

When you upload files from the front-end into Master Data Governance, the system uses the configuration you
defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For more information, see SAP Note 1693981.

8 Data Storage Security

Using Logical Paths and File Names to Protect Access to the File System
Master Data Governance saves data in files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). This is achieved by specifying logical paths and file names in the system that map
to the physical paths and file names. This mapping is validated at runtime and if access is requested to a directory
that does not match a stored mapping, then an error occurs. In the application-specific part of this guide, there is
a list for each component of the logical file names and paths, where it is specified for which programs these file
names and paths apply.
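
The mapping check described above, as an added Python illustration (not SAP code and not part of the original guide): it resolves a requested file against the directory stored for a logical file name and shows the difference between validation switched off with logging only, and validation enforced. The logical file names, directories and class names are constructed for the example.

```python
import posixpath
from dataclasses import dataclass, field


class ValidationFailed(Exception):
    """Raised when a requested file does not match the stored mapping."""


# Constructed mapping of logical file names to physical directories.
# Names and paths are hypothetical, not values delivered by SAP.
LOGICAL_FILES = {
    "Z_MDG_FILE_UPLOAD": "/usr/sap/MDG/upload",
    "Z_MDG_EXPORT": "/usr/sap/MDG/export",
}


@dataclass
class PathValidator:
    mapping: dict
    # False models the default described in the guide: runtime validation
    # is deactivated, so mismatches are only recorded, not rejected.
    enforce: bool = False
    audit_log: list = field(default_factory=list)

    def resolve(self, logical_name: str, requested: str) -> str:
        """Return the normalized physical path for `requested`."""
        if logical_name not in self.mapping:
            raise ValidationFailed(f"no mapping for {logical_name!r}")
        if "\x00" in requested:
            raise ValidationFailed("NUL byte in file name")

        base = posixpath.normpath(self.mapping[logical_name])
        # join() discards `base` when `requested` is absolute, and normpath()
        # collapses "..", so both traversal styles surface in `candidate`.
        # This is a lexical check; a real file system check would also
        # resolve symbolic links (os.path.realpath) before comparing.
        candidate = posixpath.normpath(posixpath.join(base, requested))

        # Compare on a path-component boundary so that a sibling such as
        # /usr/sap/MDG/upload_old does not pass as a prefix match.
        prefix = base.rstrip("/") + "/"
        inside = candidate == base or candidate.startswith(prefix)

        status = "ok" if inside else "outside-mapping"
        self.audit_log.append((logical_name, candidate, status))

        if not inside and self.enforce:
            raise ValidationFailed(
                f"{candidate} is not under the path mapped to {logical_name}"
            )
        return candidate


def outside_mapping(audit_log):
    """Entries an administrator would review before enforcing validation."""
    return [(name, path) for name, path, status in audit_log
            if status == "outside-mapping"]


if __name__ == "__main__":
    # Constructed requests: one legitimate, three that leave the mapping.
    requests = [
        "batch1/materials.csv",
        "../../etc/passwd",
        "/etc/passwd",
        "/usr/sap/MDG/upload_old/x.csv",
    ]

    audit_only = PathValidator(LOGICAL_FILES)  # validation deactivated
    for name in requests:
        audit_only.resolve("Z_MDG_FILE_UPLOAD", name)
    print("recorded but allowed:", outside_mapping(audit_only.audit_log))

    enforcing = PathValidator(LOGICAL_FILES, enforce=True)
    for name in requests:
        try:
            print("allowed:", enforcing.resolve("Z_MDG_FILE_UPLOAD", name))
        except ValidationFailed as exc:
            print("rejected:", exc)
```
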

Activating the Validation of Logical Paths and File Names


The logical paths and file names are entered in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.

More Information

● Logical File Names [external document]
● Protecting Access to the File System [external document]
● Security Audit Logs [external document]
For information about data storage security, see the SAP NetWeaver Security Guide at help.sap.com > SAP
NetWeaver > Release/Language > SAP NetWeaver Library > Administrator’s Guide > NetWeaver Security Guide >
Security Guides for the Operating System and Database Platforms.

9 Enterprise Services Security

The following section in the NetWeaver Security Guide is relevant for Master Data Governance:
● Recommended WS Security Scenarios [external document]

10 Security-Relevant Logs and Tracing

The trace and log files of Master Data Governance use the standard mechanisms of SAP NetWeaver. For more
information, see the following sections in the SAP NetWeaver Security Guide at service.sap.com/securityguide:
● Auditing and Logging [external document]
● Tracing and Logging [external document] (AS Java)

11 Segregation of Duties

Segregation of duties can be achieved by assigning roles to users and in addition by a strict separation of the user
groups for the workflow.

Activities

Assigning Roles to Users


You can assign roles to a user using the following transactions:
● User Maintenance SU01
Use this transaction to assign one or more roles to one user.
● Role Maintenance PFCG
Use this transaction to assign one or more users to one role.
Separating User Groups for the Workflow
Depending on the component of Master Data Governance you intend to configure, use the following Customizing
activities to separate the user groups:
● MDG-M, MDG-F
Run the Customizing activity under Master Data Governance > Central Governance > General Settings >
Process Modeling > Workflow > Rule-Based Workflow > Configure Rule-Based Workflow.
For further information, see:
○ Configuring Master Data Governance for Material [external document]
○ Configuring Master Data Governance for Financials [external document]
● MDG-S
Run the Customizing activity under Master Data Governance > Central Governance > Master Data
Governance for Supplier > Workflow > Assign Processor to Change Request Step Number in BRFplus for
Supplier.
For further information, see Configuring Master Data Governance for Supplier [external document].
● MDG-C
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Other MDG Workflows > Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance > Central Governance > Master Data Governance for Customer > Workflow >
Assign Processor to Change Request Step Number in BRFplus for Customer
For further information, see Configuring Master Data Governance for Customer [external document].
● MDG-BP
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Other MDG Workflows > Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Rule-Based Workflow > Configure Rule-Based Workflow
For further information, see Configuring Master Data Governance for Business Partner [external document].
For information about the corresponding roles, see the documents listed below:
● Authorization Objects Used by Master Data Governance [page 28]
● Supplier Master Data Governance (CA-MDG-APP-SUP) [page 31]
● Customer Master Data Governance (CA-MDG-APP-CUS) [page 33]
● Material Master Data Governance (CA-MDG-APP-MM) [page 35]
● Financial Master Data Governance (CA-MDG-APP-FIN) [page 37]
● Custom Objects (CA-MDG-COB) [page 38]

12 Authorization Objects and Roles Used by SAP Master Data Governance

This chapter provides information about authorization objects and roles used by:
● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28]
● Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing [page 23]

12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing

Authorization Objects

SAP MDG, consolidation and mass processing uses the authorization objects listed below.
Table 8
Authorization Object Description

MDC_PROOT [page 24] Consolidation Root Permissions

MDC_PFILT [page 26] Consolidation Cluster Permissions

MDC_MASS [page 26] Mass Update Permissions

MDC_ADMIN [page 27] Administrative permissions

B_BUPA_RLT Business Partner: BP Roles

B_BUPA_GRP Business Partner: Authorization Groups

S_BGRFC Authorization Object for NW bgRFC

M_MATE_MAR Material Master: Material Types

M_MATE_MAT Material Master: Materials

M_MATE_WGR Material Master: Material Groups

Caution
To use SAP MDG, consolidation and mass processing in combination with the functions of SAP MDG, central
governance, see the required authorization objects in the documents listed below:
● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28]
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 29]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 31]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 33]

Standard Roles
Table 9
Frontend Launchpad Role Name

SAP_MDC_BCR_MASTERDATA_SPEC_T Master Data Specialist (Consolidation) - Apps [external document]

SAP_MDC_BCR_MASTERDATA_ADMIN_T Master Data Administrator (Consolidation) - Apps [external document]

SAP_MDC_TCR_T SAP Role for MDG, Consolidation - Transactional Apps [external document]

Table 10
Backend Authorization Role Name

SAP_MDC_ADMIN_APP_02 Master Data Governance, Consolidation: Administrator [external document]

SAP_MDC_DISP_BP_APP_02 Master Data Governance, Consolidation: Business Partner Display [external document]

SAP_MDC_SPEC_BP_APP_02 Master Data Governance, Consolidation: Business Partner Specialist [external document]

SAP_MDC_DISP_BP_NONE_BS_APP_02 MDG, Consolidation: Business Partner Non-SAP-BS Display [external document]

SAP_MDC_SPEC_BP_NONE_BS_APP_02 MDG, Consolidation: Business Partner Non-SAP-BS Specialist [external document]

SAP_MDC_DISP_MM_APP_02 Master Data Governance, Consolidation: Material Display [external document]

SAP_MDC_SPEC_MM_APP_02 Master Data Governance, Consolidation: Material Specialist [external document]

SAP_MDC_ADMIN_CUSTOBJ_APP_02 Master Data Governance, Custom Objects: Administrator [external document]

SAP_MDC_DISP_CUSTOBJ_APP_02 Master Data Governance, Custom Objects: Custom Objects Display [external document]

SAP_MDC_SPEC_CUSTOBJ_APP_02 Master Data Governance, Custom Objects: Custom Objects Specialist [external document]

12.1.1 MDC_PROOT

This document describes details of the authorization object MDC_PROOT.

Features

The activities listed below are assigned to the authorization object.


Table 11
Activity Text Authorization

01 Create or generate Create consolidation process

02 Change Run consolidation process


The Start, Retry, Rollback, and Save buttons become active.

Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

03 Display Display consolidation process

06 Delete Delete consolidation process


The Delete button becomes active.

31 Confirm Continue consolidation process after a process step has been executed
● The Continue button becomes active.
● If the process pauses at a check point, the Continue button stays active only if
the activity 31 Confirm is permitted.

Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

36 Extended maintenance Adjust configuration within the process UI for the current process
The Adjust link is displayed.

37 Accept Continue consolidation process after a matching step that still contains open
match groups
● The Continue button becomes active.
● If the process pauses at a check point and open match groups still exist, the
Continue button stays active only if the activity 37 Accept is permitted.

Caution
In addition, the activity 31 Confirm has to be permitted.

Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

12.1.2 MDC_PFILT

This document describes details of the authorization object MDC_PFILT.

To create a process you have to select a Source, which is a combination of Source System, Status, and an optional
Source Filter.

Features

The activities listed below are assigned to the authorization object. They all are related to the optional Source
Filter.
Table 12
Activity Text Authorization

02 Change Create and run processes containing source data that is assigned to a Source
Filter.
The input help of the Sources field only displays sources with a Source Filter if this
activity is permitted.

06 Delete Delete processes containing source data that is assigned to a Source Filter.

60 Import Run the report MDC_BP_TRANSFORM_SOURCE_DATA for source data that is
assigned to a Source Filter.
This report transforms customer and vendor data to business partner data during
the data import.

12.1.3 MDC_MASS

This document describes details of the authorization object MDC_MASS.

Features

The activities listed below are assigned to the authorization object.


Table 13
Activity Text Authorization

01 Create or generate Create mass processes

02 Change Run mass processes


The Start, Retry, Rollback and Save buttons become active.

Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

03 Display Display mass processes

06 Delete Delete mass processes


The Delete button becomes active.

31 Confirm Continue mass processes after a process step has been executed.
The Continue button becomes active.

Caution
If the process pauses at a check point, the Continue button stays active only if
the activity 31 Confirm is permitted.

Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

36 Extended maintenance Adjust configuration within the process UI for the current process
The Adjust link is displayed.
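
The check-point rules in Tables 11 and 13 can be applied directly in a role review. The following Python example is added here and is not SAP code: it reads a constructed role export, expands '*' and from/to ranges against the activities each object defines, and reports which roles keep the Continue button active at a check point. The semicolon export format, the Z_ role names, and the use of ACTVT as the name of the activity field are assumptions.

```python
# Activities the guide assigns to each object (Tables 11 and 13).
DEFINED = {
    "MDC_PROOT": {"01", "02", "03", "06", "31", "36", "37"},
    "MDC_MASS": {"01", "02", "03", "06", "31", "36"},
}

# Constructed sample export, one authorization value per line:
#   role;object;field;from;to
# The format, the role names and the field name ACTVT are assumptions.
SAMPLE_EXPORT = """\
Z_MDC_RUNNER;MDC_PROOT;ACTVT;01;03
Z_MDC_ACCEPT_ONLY;MDC_PROOT;ACTVT;03;
Z_MDC_ACCEPT_ONLY;MDC_PROOT;ACTVT;37;
Z_MDC_APPROVER;MDC_PROOT;ACTVT;03;
Z_MDC_APPROVER;MDC_PROOT;ACTVT;31;
Z_MDC_APPROVER;MDC_PROOT;ACTVT;37;
Z_MDC_ALL;MDC_PROOT;ACTVT;*;
Z_MASS_RUNNER;MDC_MASS;ACTVT;02;
Z_MASS_RUNNER;MDC_MASS;ACTVT;31;
"""


def parse_export(text):
    """Return {(role, object): granted activities}, expanding '*' and ranges."""
    grants = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        role, obj, field, low, high = (p.strip() for p in line.split(";"))
        if obj not in DEFINED or field != "ACTVT":
            continue  # only the two objects and the activity field are reviewed
        defined = DEFINED[obj]
        if low == "*":
            values = set(defined)                      # full authorization
        elif high:
            values = {a for a in defined if low <= a <= high}  # from/to range
        else:
            values = {low} & defined                   # single value
        grants.setdefault((role, obj), set()).update(values)
    return grants


def continue_at_checkpoint(obj, granted, open_match_groups=False):
    """Does Continue stay active when the process pauses at a check point?"""
    if "31" not in granted:
        return False          # 31 Confirm is required at every check point
    if obj == "MDC_PROOT" and open_match_groups:
        return "37" in granted  # 37 Accept is required in addition to 31
    return True


def review(text):
    """Summarise each role's check-point capability and flag ineffective grants."""
    report = {}
    for (role, obj), granted in parse_export(text).items():
        findings = []
        if "37" in granted and "31" not in granted:
            # Table 11 caution: 37 Accept only works together with 31 Confirm.
            findings.append("37 Accept granted without 31 Confirm")
        report[(role, obj)] = {
            "activities": sorted(granted),
            "continue_at_checkpoint": continue_at_checkpoint(obj, granted),
            # Open match groups exist only in consolidation (MDC_PROOT).
            "continue_with_open_match_groups": (
                continue_at_checkpoint(obj, granted, True)
                if obj == "MDC_PROOT" else None
            ),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for (role, obj), row in sorted(review(SAMPLE_EXPORT).items()):
        print(role, obj, row)
```
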

12.1.4 MDC_ADMIN

This document describes details of the authorization object MDC_ADMIN.

Features

The activities listed below are assigned to the authorization object.


Table 14
Activity Text Authorization

02 Change Change process parameters in the process UI like:


● Adapter for a process step
● Adapter Configuration
● Check Point

06 Delete Run the transaction MDC_ADMIN_DELETE
This transaction is used to delete processes with an inconsistent status, for
example caused by a system error.

60 Import Run the report MDC_BP_TRANSFORM_SOURCE_DATA.

This report transforms customer and vendor data to business partner data during
the data import.

12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance

Authorization Objects

The following authorization objects are used by all components of Master Data Governance.

Note
To obtain more detailed information about specific authorization objects proceed as follows:
1. Choose SAP Menu → Tools → ABAP Workbench → Development → Other Tools → Authorization Objects →
Objects (Transaction SU21).
2. Select the authorization object using (Find) and then choose (Display).
3. On the Display authorization object dialog box choose Display Object Documentation.

Table 15
Authorization Object Description

MDG_MDF_TR Master Data: Transport

MDG_IDM Key Mapping

USMD_CREQ Change Request

USMD_MDAT Master Data

USMD_MDATH Hierarchies

USMD_UI2 UI Configuration

DRF_RECEIV Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

CA_POWL Authorization for iViews for personal object worklists

BCV_SPANEL Execute Side Panel

BCV_USAGE Usage of Business Context Viewer

MDG_DEF Data Export

MDG_DIF Data Import

S_DMIS Authority object for SAP SLO Data migration server

Caution
For information about component specific authorization objects, see the corresponding sections:
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 29]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 31]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 33]
● Master Data Governance for Material (CA-MDG-APP-MM) [page 35]
● Master Data Governance for Financial (CA-MDG-APP-FIN) [page 37]
● Master Data Governance for Custom Objects (CA-MDG-COB) [page 38]

Standard Role
Table 16
Role Name

SAP_MDG_ADMIN Master Data Governance Administrator

This role contains authorizations needed for administrative tasks and for setting up a base configuration in all
components of Master Data Governance. Some authorizations enable critical activities. If multiple users in your
organization are entrusted with the administration and configuration of Master Data Governance, we recommend
that you split the role into several roles, each with its own set of authorizations. The role does not contain the
authorizations for the respective master data transactions.

Enterprise Search
To use Enterprise Search, users have to be assigned to the role SAP_ESH_SEARCH (Enterprise Search Hub
(Composite): Authorizations for searching).

12.2.1 Master Data Governance for Business Partner (CA-MDG-APP-BP)

Authorization Objects
Master Data Governance for Business Partner mainly uses the authorization objects of the business objects
Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the
authorization objects of the Data Replication Framework.
Table 17
Authorization Object Description

B_BUPA_GRP Business Partner: Authorization Groups

Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: Relationship Categories

BCV_QUILST Overview

DC_OBJECT Data Cleansing

BCV_PERS Personalize BCV UI for Query View

BCV_QRYVW Query View

BCV_QUERY Query

BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHIP ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: Page Configuration

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Roles

Table 18
Role Name

SAP_MDGBP_MENU_04 [external document] Master Data Governance for Business Partner: Menu

SAP_MDGBP_DISP_04 [external document] Master Data Governance for Business Partner: Display

SAP_MDGBP_REQ_04 [external document] Master Data Governance for Business Partner: Requester

SAP_MDGBP_SPEC_04 [external document] Master Data Governance for Business Partner: Specialist

SAP_MDGBP_STEW_04 [external document] Master Data Governance for Business Partner: Data Steward

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance → General Settings → Data Modeling → Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under help.sap.com/fra.

For details on the address screening, see Address Screening [external document].

12.2.2 Master Data Governance for Supplier (CA-MDG-APP-SUP)

Authorization Objects

Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Vendor, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.
Table 19
Authorization Object Description

B_BUPA_GRP Business Partner: Authorization Groups

Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: Relationship Categories

DC_OBJECT Data Cleansing

F_LFA1_APP Vendor: Application Authorization

F_LFA1_BEK Vendor: Account Authorization

Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.

F_LFA1_BUK Vendor: Authorization for Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Account Group Authorization

M_LFM1_EKO Purchasing organization in supplier master data

BCV_PERS Personalize BCV UI for Query View

BCV_QRYVW Query View

BCV_QUERY Query

BCV_QUILST Overview

BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHIP ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: Page Configuration

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Roles

Table 20
Role Name

SAP_MDGS_MENU_04 Master Data Governance for Supplier: Menu [external document]

SAP_MDGS_DISP_06 Master Data Governance for Supplier: Display [external document]

SAP_MDGS_REQ_06 Master Data Governance for Supplier: Requester [external document]

SAP_MDGS_SPEC_06 Master Data Governance for Supplier: Specialist [external document]

SAP_MDGS_STEW_04 Master Data Governance for Supplier: Data Steward [external document]

SAP_MDGS_VL_MENU_04 Master Data Governance for Supplier (ERP Vendor UI): Menu [external document]

SAP_MDGS_LVC_MENU_04 Master Data Governance for Supplier (Lean Request UI): Menu [external document]

SAP_MDGS_LVC_REQ_04 Master Data Governance for Supplier (Lean Request UI): Requester [external document]

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance → General Settings → Data Modeling → Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under help.sap.com/fra.

For details on the address screening, see Address Screening [external document].

12.2.3 Master Data Governance for Customer (CA-MDG-APP-CUS)

Authorization Objects
Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Customer, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.

Note
Depending on whether you use the Master Data Governance for Customer on a hub system [external
document] or on a client system [external document] a different set of authorization objects is required.

Table 21
Authorization Object Description Hub System Client System

B_BUPA_GRP Business Partner: Authorization Groups x x
Note
This authorization object is optional. You need to assign this
authorization object only if master data records are to be
specifically protected.

B_BUPA_RLT Business Partner: BP Roles x x

B_BUPR_BZT Business Partner Relationships: Relationship Categories x x

DC_OBJECT Data Cleansing x

F_KNA1_APP Customer: Application Authorization x x

F_KNA1_BED Customer: Account Authorization x x

Note
This authorization object is optional. You do not need to assign
this authorization object if no master records are to be
specifically protected.

F_KNA1_BUK Customer: Authorization for Company Codes x x

F_KNA1_GEN Customer: Central Data x x

F_KNA1_GRP Customer: Account Group Authorization x x

MDGC_LCOPY Copy Customer Master Data from MDG Hub — x

V_KNA1_BRG Customer: Account Authorization for Sales Areas x x

V_KNA1_VKO Customer: Authorization for Sales Organizations x x

BCV_PERS Personalize BCV UI for Query View x x

BCV_QRYVW Query View x x

BCV_QUERY Query x x

BCV_QUILST Overview x x

BCV_QVWSNA Query View Snapshot x x

S_START Start Authorization Check for TADIR Objects x x

S_PB_CHIP ABAP Page Builder: CHIP x x

S_PB_PAGE ABAP Page Builder: Page Configuration x x

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Roles
Table 22
Role Name

SAP_MDGC_MENU_04 Master Data Governance for Customer: Menu [external document]

SAP_MDGC_DISP_05 Master Data Governance for Customer: Display [external document]

SAP_MDGC_REQ_05 Master Data Governance for Customer: Requester [external document]

SAP_MDGC_SPEC_05 Master Data Governance for Customer: Specialist [external document]

SAP_MDGC_STEW_04 Master Data Governance for Customer: Data Steward [external document]

SAP_MDGC_CL_MENU_04 Master Data Governance for Customer (ERP Customer UI): Menu [external document]

SAP_MDGC_LCC_MENU_04 Master Data Governance for Customer (Lean Request UI): Menu [external document]

SAP_MDGC_LCC_REQ_04 Master Data Governance for Customer (Lean Request UI): Requester [external document]

If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data
Model and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under help.sap.com/fra.
For details on the address screening, see Address Screening [external document].

12.2.4 Master Data Governance for Material (CA-MDG-APP-MM)

Authorization Objects

Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for
example, the authorization objects of the Material Master and the Application Framework for Master Data
Governance.
Table 23
Authorization Object Description

K_TP_VALU Transfer Price Valuations

M_MATE_MAF Material Master: Material Locks

M_MATE_MAT Material Master: Material

M_MATE_MAR Material Master: Material Type

M_MATE_WGR Material Master: Material Group

M_MATE_STA Material Master: Maintenance Status

M_MATE_MTA Material Master: Change Material Type

M_MATE_WRK Material Master: Plant

M_MATE_MAN Material Master: Central Data

M_MATE_NEU Material Master: Create

M_MATE_BUK Material Master: Company Codes

M_MATE_VKO Material Master: Sales Organization/Distribution Channel

M_MATE_LGN Material Master: Warehouse Numbers

C_KLAH_BKL Authorization for Classification

C_KLAH_BSE Authorization for Selection

C_TCLA_BKA Authorization for Class Types

C_DRAD_OBJ Create/Change/Display/Delete Object Link

C_DRAW_DOK Authorization for document access

C_DRAW_TCD Authorization for document activities

C_DRAW_TCS Status-Dependent Authorizations for Documents

C_DRAW_BGR Authorization for authorization groups

C_DRAW_STA Authorization for document status

C_FVER_WRK PP-PI: Production Version - Plant

DRF_RECEIV Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

PLM_SPUSR Superuser by Object Type

Note
You need this authorization object for the object type
PLM_MAT only if the search object connector of SAP
NetWeaver Enterprise Search is created for the following
Enterprise Search software components:
● PLMWUI
● Software components that include PLMWUI
For more information about SAP NetWeaver Enterprise
Search, see SAP NetWeaver Enterprise Search [external
document].

C_AENR_BGR CC Change Master – Authorization Group

C_AENR_ERW CC Eng. Chg. Mgmt. Enhanced Authorization Check

C_AENR_RV1 CC Engineering change mgmt – revision level for material

BCV_QUILST Overview

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Roles
Table 24
Role Name

SAP_MDGM_MENU_06 Master Data Governance for Material: Menu [external document]

SAP_MDGM_DISP_06 Master Data Governance for Material: Display [external document]

SAP_MDGM_REQ_06 Master Data Governance for Material: Requester [external document]

SAP_MDGM_SPEC_06 Master Data Governance for Material: Specialist [external document]

SAP_MDGM_STEW_06 Master Data Governance for Material: Data Steward [external document]

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance → General Settings → Data Modeling → Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

12.2.5 Master Data Governance for Financials (CA-MDG-APP-FIN)

Authorization Objects
Table 25
Authorization Object Description

USMD_DIST Distribution

Note
This authorization object is used if you have not activated
business function MDG_FOUNDATION.

(Switch: FIN_MDM_CORE_SFWS_EHP5)

USMD_EDTN Edition

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Roles
Table 26
Role Description

SAP_MDGF_ACC_DISP_07 Master Data Governance for Financials: Accounting Display [external document]

SAP_MDGF_ACC_REQ_07 Master Data Governance for Financials: Accounting Requester [external document]

SAP_MDGF_ACC_SPEC_07 Master Data Governance for Financials: Accounting Specialist [external document]

SAP_MDGF_ACC_STEW_04 Master Data Governance for Financials: Accounting Data Steward [external document]

SAP_MDGF_CO_DISP_04 Master Data Governance for Financials: Controlling Display [external document]

SAP_MDGF_CO_REQ_06 Master Data Governance for Financials: Consolidation Requester [external document]

SAP_MDGF_CO_SPEC_04 Master Data Governance for Financials: Consolidation Specialist [external document]

SAP_MDGF_CO_STEW_04 Master Data Governance for Financials: Consolidation Data Steward [external document]

SAP_MDGF_CTR_DISP_04 Master Data Governance for Financials: Controlling Display [external document]

SAP_MDGF_CTR_REQ_06 Master Data Governance for Financials: Controlling Requester [external document]

SAP_MDGF_CTR_SPEC_04 Master Data Governance for Financials: Controlling Specialist [external document]

SAP_MDGF_CTR_STEW_04 Master Data Governance for Financials: Controlling Data Steward [external document]

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance → General Settings → Data Modeling → Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

12.2.6 Master Data Governance for Custom Objects (CA-MDG-COB)

Authorization Objects
You can use the following authorization objects for Master Data Governance for Custom Objects.

Table 27
Authorization Object Description

USMD_DIST Replication

USMD_DM Data Model

USMD_EDTN Edition Type

Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 28].

Standard Role
Table 28
Role Name

SAP_MDGX_MENU_04 [external document] Master data governance for self-defined objects

SAP_MDGX_FND_SAMPLE_SF_05 [external document] Master Data Governance for Custom Objects - Flight Data
Model (MDG 8.0)

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance → General Settings → Data Modeling → Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

13 Change Settings of Generated MDG Database Tables

The SAP system generates database tables for the entities of all defined data models. The settings of these
database tables are the following:
● Buffering and logging of data changes are switched on.
● Display and maintenance is allowed with restrictions.

Activities

To change these settings of generated MDG database tables, run the transaction MDG_TABLE_ADJUST.
The results of the transaction are listed in the transaction SLG1 (Analyse Application Log), using Object FMDM and
Subobject ADJUST_TABLE.

Caution
● You have to execute the transaction in each system manually.
● After a model activation it might be necessary to execute the transaction again.

More Information

For more information, see SAP Note 1828363.

14 Appendix

For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.
You can also access additional security guides via SAP Service Marketplace at service.sap.com/securityguide.
For more information about security issues, see SAP Service Marketplace at service.sap.com.
For information about SAP Fiori Implementation including Security Information, see help.sap.com/fiori_implementation.
Table 29
Topic SAP Service Marketplace

Master guides, installation guides, upgrade guides, and Solution Management guides /instguides, /ibc

Related notes /notes

Platforms /platforms

Network security /network, /securityguide

Technical infrastructure /ti

SAP Solution Manager /solutionmanager

Typographic Conventions

Table 30
Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate entries
to make entries in the system, for example, “Enter your <User Name>”.

Example Example Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressions

Example Words or characters that you enter in the system exactly as they appear in the
documentation

www.sap.com Textual cross-references to an internet address

/example Quicklinks added to the internet address of a homepage to enable quick access to specific
content on the Web

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

Example ● Words or characters quoted from the screen. These include field labels, screen titles,
pushbutton labels, menu names, and menu options.
● Cross-references to other documentation or published works

Example ● Output on the screen following a user action, for example, messages
● Source code or syntax quoted directly from a program
● File and directory names and their paths, names of variables and parameters, and
names of installation, upgrade, and database tools

EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, database table names, and key concepts of a programming language
when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard

www.sap.com

© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies. Please see
www.sap.com/corporate-en/legal/copyright/index.epx#trademark
for additional trademark information and notices.
