Master Data Governance Security Guide

Master Data Governance Security Guide PUBLIC Document Version: 01.08 2014 Master Data Governance Security Guide 70 1

Copyright Copyright 2013 SAP AG. All rights reserved. Portions Copyright 2014 Utopia Global, Inc. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the epress permission of SAP AG and/or Utopia Global, Inc.. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ( SAP Group ) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the epress warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Utopia Global, Inc products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Utopia GLobal, Inc. in the United States of America Please see http://www.sap.com/corporate-en/legal/copyright/inde.ep#trademark for additional trademark information and notices. Master Data Governance Security Guide 70 2

Icons in Body Tet Icon Meaning Caution Eample Note Recommendation Synta Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library. Typographic Conventions Type Style Eample tet Eample tet EXAMPLE TEXT Eample tet Eample tet <Eample tet> EXAMPLE TEXT Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation. Emphasized words or phrases in body tet, graphic titles, and table titles. Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body tet, for eample, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source tet, and names of installation, upgrade and database tools. Eact user entry. These are words or characters that you enter in the system eactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for eample, F2 or ENTER. Master Data Governance Security Guide 70 3

Master Data Governance Security Guide The following guide covers the information that you require to operate Master Data Governance securely. To make the information more accessible, it is divided into a general part, containing information relevant for all components, and a separate part for information specific for individual components. 1 Introduction This guide does not replace the administration or operation guides that are available for productive operations. Target Audience Technology consultants Security consultants System administrators This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guide provides information that is relevant for all life cycle phases. Why Is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to Master Data Governance. To assist you in securing Master Data Governance, we provide this Security Guide. Since Master Data Governance is based on and uses SAP NetWeaver technology, it is essential that you consult the Security Guide for SAP NetWeaver. See SAP Service Marketplace at http://service.sap.com/securityguide SAP NetWeaver. For all Security Guides published by SAP, see SAP Service Marketplace at http://service.sap.com/securityguide. Overview of the Main Sections The Security Guide comprises the following main sections: Before You Start [Page 5] This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide. Technical System Landscape [Page 6] Master Data Governance Security Guide 70 4

This section provides an overview of the technical components and communication paths that are used by Master Data Governance. User Management and Authentication [Page 6] This section provides an overview of the following user administration and authentication aspects: o o o o o Recommended tools to use for user management User types that are required by Master Data Governance Standard users that are delivered with Master Data Governance Overview of the user synchronization strategy Overview of how integration into Single Sign-On environments is possible Authorizations [Page 10] This section provides an overview of the authorization concept that applies to Master Data Governance. Network and Communication Security [Page 10] This section provides an overview of the communication paths used by Master Data Governance and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level. Data Storage Security [Page 13] This section provides an overview of any critical data that is used by Master Data Governance and the security mechanisms that apply. Enterprise Services Security [Page 13] This section provides an overview of the security aspects that apply to the enterprise services delivered with Master Data Governance. Security-Relevant Logs and Tracing [Page 14] This section provides an overview of the trace and log files that contain securityrelevant information, for eample, so you can reproduce activities if a security breach does occur. Appendi [Page 25] This section provides references to further information. 2 Before You Start This table contains the most important SAP notes concerning the safety of Master Data Governance. Title SAP Note Comment Code injection vulnerability in UAC_ASSIGNMENT_CONTROL_TEST 1493809 MDG and XBRL Master Data Governance Security Guide 70 5

SAP Library 01.08.2014 Data can be displayed without authorization 1489976 MDG (Financial Master Data Governance, CA-MDG-APP- FIN) More Information For more information about specific topics, see the sources in the table below. Content Security Security Guides Related Notes Quick Link on SAP Service Marketplace or SDN http://sdn.sap.com/irj/sdn/security http://service.sap.com/securityguide http://service.sap.com/notes http://service.sap.com/securitynotes Allowed platforms Network security SAP Solution Manager SAP NetWeaver http://service.sap.com/pam http://service.sap.com/securityguide http://service.sap.com/solutionmanager http://sdn.sap.com/irj/sdn/netweaver 3 Technical System Landscape For information about the technical system landscape, see the sources listed in the table below. Subject Guide/Tool Quick Link to SAP Service Marketplace Technical description of Master Data Governance and the underlying technical components, such as SAP NetWeaver Master Guide http://service.sap.com/instguides SAP Business Suite Applications SAP Master Data Governance High availability Design of technical landscape Security High Availability for SAP Solutions See available documents See available documents http://sdn.sap.com/irj/sdn/ha http://sdn.sap.com/irj/sdn/landscapedesign http://sdn.sap.com/irj/sdn/security 4 User Management and Authentication Master Data Governance Security Guide 70 6

Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP Security Guide [Eternal] also apply to Master Data Governance. In addition to these guidelines, we also supply information on user management and authentication that is especially applicable to Master Data Governance in the following sections: User Administration [Page 7] This section details the user management tools, the required user types, and the standard users that are supplied with Master Data Governance. User Data Synchronization [Page 9] The components of Master Data Governance can use user data together with other components. This section describes how the user data is synchronized with these other sources. Integration into Single Sign-On Environments [Page 9] This section describes how Master Data Governance supports single sign-onmechanisms. 4.1 User Administration Master Data Governance user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and the password concept. For an overview of how these mechanisms apply for Master Data Governance, see the sections below. In addition, we provide a list of the standard users required for operating components of Master Data Governance. User Administration Tools The following table shows the user administration tools for Master Data Governance. Tool User maintenance for ABAP-based systems (transaction SU01) Role maintenance with the profile generator for ABAPbased systems (PFCG) Central User Administration (CUA) for the maintenance of multiple ABAP-based systems User Management Engine for SAP NetWeaver AS Java (UME) Description For more information on the authorization objects provided by the components of Master Data Governance, see the component specific section. For more information on the roles provided by Master Data Governance, see the component specific section. For more information, see User and Role Administration of Application Server ABAP [Eternal] For more information, see Central User Administration [Eternal]. Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as ABAP Engine. For more information, see User Management Master Data Governance Security Guide 70 7

Engine [Eternal]. For more information on the tools that SAP provides for user administration with SAP NetWeaver, see SAP Service Marketplace at http://service.sap.com/securityguide SAP NetWeaver 7.0 Security Guides (Complete) Release User Administration and Authentication. User Types It is often necessary to specify different security policies for different types of users. For eample, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. User types required for Master Data Governance include, for eample: Individual users o Dialog users Dialog users are used for SAP GUI for Windows. o Internet users for Web applications Same policies apply as for dialog users, but used for Internet connections. Technical users: o o o Service users are dialog users who are available for a large set of anonymous users (for eample, for anonymous system access via an ITS service). Communication users are used for dialog-free communication between systems. Background users can be used for processing in the background. For more information about user types, see User Types [Eternal] in the Security Guide for SAP NetWeaver AS ABAP. Standard Users The following table shows the standard users that are necessary for operating Master Data Governance. System User ID Type Password Additional Information SAP Web Application Server (sapsid)adm SAP system administrator Mandatory SAP NetWeaver installation guide SAP Web Application Server SAP Service (sapsid)adm SAP system service administrator Mandatory SAP NetWeaver installation guide SAP Web Application SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, See SAP NetWeaver SAP NetWeaver security guide Master Data Governance Security Guide 70 8

Server SAPCPIC) security guide SAP Web Application Server SAP Standard SAP Web Application Server Java Users See SAP NetWeaver security guide SAP NetWeaver security guide SAP ECC SAP Users Dialog users Mandatory The number of users depends on the area of operation and the business data to be processed. We recommend that you change the passwords and IDs of users that were created automatically during the installation. 4.2 User Data Synchronization By synchronizing user data, you can reduce effort and epense in the user management of your system landscape. Since Master Data Governance is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver Security Guide on SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver. You can use user data distributed across systems by replicating the data, for eample in a central directory such as LDAP. 4.3 Integration into Single Sign-On Environments Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide [Eternal] also apply to Master Data Governance. Master Data Governance supports the following mechanisms: Secure Network Communication (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls. SAP Logon Tickets Master Data Governance supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or eternal systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly Master Data Governance Security Guide 70 9

once it has checked the logon ticket. For more information, see SAP Logon Tickets in the Security Guide for SAP NetWeaver Application Server. Client Certificates As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system. For more information see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For more information about available authentication mechanisms, see SAP Library for SAP NetWeaver under User Authentication and Single Sign-On [Eternal]. 5 Authorizations Master Data Governance uses the authorization concept of SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server ABAP also apply to Master Data Governance. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access. The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User Management Engine (UME). You can define user-specific menus using roles. For more information about creating roles, see Role Administration [Eternal]. Standard Roles and Standard Authorization Objects SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles. For a list of the standard roles and authorization objects used by components of Master Data Governance, see the section of this document relevant to each component. Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements. Authorizations for Customizing Settings You can use Customizing roles to control access to the configuration of Master Data Governance in the SAP Customizing Implementation Guide (IMG). 6 Network and Communication Security Master Data Governance Security Guide 70 10

Your network infrastructure is etremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the devices and gain access to the backend system s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot eploit known bugs and security holes in network services on the server machines. The network topology for Master Data Governance is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Master Data Governance. Details that relate directly to SAP ERP Central Component are described in the following sections: Communication Channel Security [Page 11] This section contains a description of the communication channels and protocols that are used by the components of Master Data Governance. Network Security [Page 12] This section contains information on the network topology recommended for the components of Master Data Governance. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of Master Data Governance. Communication Destinations [Page 12] This section describes the data needed for the various communication channels, for eample, which users are used for which communications. For more information, see the following section in the SAP NetWeaver Security Guide: Security Guides for Connectivity and Interoperability Technologies [Eternal] 6.1 Communication Channel Security Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver. The table below shows the communication channels used by Master Data Governance, the protocol used for the connection, and the type of data transferred. Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection Application server to application server RFC, HTTP(S) Integration data Business data Application server to application of a third party administrator HTTP(S) Application data For eample, passwords, business data DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer protocol (SSL protocol). Master Data Governance Security Guide 70 11

We strongly recommend that you use secure protocols (SSL, SNC). For more information, see Transport Layer Security [Eternal] und Web Services Security [Eternal] in the SAP NetWeaver Security Guide. 6.2 Network Security Since Master Data Governance is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver Security Guide at http://help.sap.com SAP ERP Release/Language SAP NetWeaver Library Administrator's Guide NetWeaver Security Guide Network and Communication Security Network Services : Using Firewall Systems for Access Control [Eternal] Using Multiple Network Zones [Eternal] If you provide services in the Internet, you should protect your network infrastructure with a firewall at least. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems. Ports Master Data Governance is eecuted in SAP NetWeaver and uses the ports of AS ABAP or AS Java. For more information see the corresponding security guides for SAP NetWeaver in the topics for AS ABAP Ports [Eternal] and AS Java Ports [Eternal]. For information about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see the document TCP/IP Ports Used by SAP Applications in SAP Developer Network at http://sdn.sap.com/irj/sdn/security under Infrastructure Security Network and Communications Security. 6.3 Communication Destinations The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore follow the security rules below when communicating between systems: Employ the user types system and communication. Grant a user only the minimum authorizations. Choose a secure password and do not divulge it to anyone else. Only store user-specific logon data for users of type system and communication. Wherever possible, use trusted system functions instead of user-specific logon data. U 6.4 se of Virus Scanners Master Data Governance Security Guide 70 12

If you upload files from application servers into Master Data Governance and you want to use an virus scanner, a virus scanner must then be active on each application server. For more information, see SAP Note 964305 (solution A). Work through the Customizing activities in the Implementation Guide under the Virus Scan Interface node. When doing this, use the virus scan profile /MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered for Master Data Governance. When you upload files from the front-end into Master Data Governance, the system uses the configuration you defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For more information, see SAP Note 1693981. 7 Data Storage Security Using Logical Paths and File Names to Protect Access to the File System Master Data Governance saves data in files in the file system. Therefore, it is important to eplicitly provide access to the corresponding files in the file system without allowing access to other directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime and if access is requested to a directory that does not match a stored mapping, then an error occurs. In the application-specific part of this guide, there is a list for each component of the logical file names and paths, where it is specified for which programs these file names and paths apply. Activating the Validation of Logical Paths and File Names The logical paths and file names are entered in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (clientindependent) and SF01 (client-dependent). To determine which paths are used by your system, you can activate the appropriate settings in the Security Audit Log. More Information Logical File Names [Eternal] Logical File Names [Eternal] Protecting Access to the File System [Eternal] Security Audit Logs [Eternal] For information about data storage security, see the SAP NetWeaver Security Guide at http://help.sap.com SAP NetWeaver Release/Language SAP NetWeaver Library Administrator s Guide NetWeaver Security Guide Security Guides for the Operating System and Database Platforms 8 Enterprise Services Security Master Data Governance Security Guide 70 13

The following sections in the NetWeaver Security Guide are relevant for Master Data Governance: Web Services Security Guide [Eternal] Recommended WS Security Scenarios [Eternal] 9 Security-Relevant Logs and Tracing The trace and log files of Master Data Governance use the standard mechanisms of SAP NetWeaver. For more information, see the following sections in the SAP NetWeaver Security Guide at http://service.sap.com/securityguide: Auditing and Logging [Eternal] Tracing and Logging [Eternal] (AS Java) 10 Segregation of Duties Segregation of duties can be achieved by assigning roles to users and in addition by a strict separation of the user groups for the workflow. Activities Assigning Roles to Users You can assign roles to a user using the following transactions: User Maintenance SU01 Use this transaction to assign one or more roles to one user. Role Maintenance PFCG Use this transaction to assign one or more users to one role. Separating User Groups for the Workflow Depending on the component of Master Data Governance you intend to configure, use the following Customizing activities to separate the user groups: MDG-M, MDG-F Run the Customizing activity under Master Data Governance General Settings Process Modeling Workflow Rule-Based Workflow Configure Rule-Based Workflow. MDG-S Run the Customizing activity under Master Data Governance Master Data Governance for Supplier Workflow Assign Processor to Change Request Step Number in BRFplus for Supplier. MDG-C Master Data Governance Security Guide 70 14

Depending on the change request step, run the following Customizing activities under: o Master Data Governance General Settings Process Modeling Workflow Other MDG Workflows Assign Processor to Change Request Step Number (Simple Workflow) o Master Data Governance Master Data Governance for Supplier Workflow Assign Processor to Change Request Step Number in BRFplus for Supplier For further information, see Configuring Master Data Governance for Customer [Eternal]. For information about the corresponding roles, see the documents listed below: Authorization Objects Used by Master Data Governance [Page 15] Supplier Master Data Governance (CA-MDG-APP-SUP) [Page 17] Customer Master Data Governance (CA-MDG-APP-CUS) [Page 19] Material Master Data Governance (CA-MDG-APP-MM) [Page 21] Financial Master Data Governance (CA-MDG-APP-FIN) [Page 22] Custom Objects (CA-MDG-COB) [Page 24] 11 Authorization Objects Used by Master Data Governance Authorization Objects The following authorization objects are used by all components of Master Data Governance. To obtain more detailed information about specific authorization objects proceed as follows: 1. Choose SAP Menu Tools ABAP Workbench Development Other Tools Authorization Objects Objects (Transaction SU21). 2. Select the authorization object using (Find) and then choose (Display). 3. On the Display authorization object dialog bo choose Display Object Documentation. Authorization Object MDG_MDF_TR MDG_IDM USMD_CREQ Description Master Data: Transport Key Mapping Change Request Master Data Governance Security Guide 70 15

USMD_MDAT USMD_MDATH USMD_UI2 DRF_RECEIVE DRF_ADM CA_POWL BCV_SPANEL BCV_USAGE MDG_DEF MDG_DIF Master Data Hierarchies UI Configuration Authorization for outbound messages for receiver systems Create Outbound Messages Authorization for iviews for personal object worklists Eecute Side Panel Usage of Business Contet Viewer Data Eport Data Import For information about component specific authorization objects, see the corresponding sections: Master Data Governance for Business Partner (CA-MDG-APP-BP) [Page 16] Master Data Governance for Supplier (CA-MDG-APP-SUP) [Page 17] Master Data Governance for Customer (CA-MDG-APP-CUS) [Page 19] Master Data Governance for Material (CA-MDG-APP-MM) [Page 21] Master Data Governance for Financial (CA-MDG-APP-FIN) [Page 22] Master Data Governance for Custom Objects (CA-MDG-COB) [Page 24] Standard Role Role SAP_MDG_ADMIN Name Master Data Governance Administrator This role contains authorizations needed for administrative tasks and for setting up a base configuration in all components of Master Data Governance. Some authorizations enable critical activities. If multiple users in your organization are entrusted with the administration and configuration of Master Data Governance, we recommend that you split the role into several roles, each with its own set of authorizations. The role does not contain the authorizations for the respective master data transactions. 11.1 Master Data Governance for Business Partner (CA-MDG-APP-BP) Master Data Governance Security Guide 70 16

Authorization Objects Master Data Governance for Business Partner mainly uses the authorization objects of the business objects Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework. Authorization Object B_BUPA_GRP Description Business Partner: Authorization Groups This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected. B_BUPA_RLT B_BUPR_BZT DC_OBJECT Business Partner: BP Roles Business Partner Relationships: Relationship Categories Data Cleansing Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Roles Role SAP_MDGBP_MENU_04 [Eternal] SAP_MDGBP_DISP_04 [Eternal] SAP_MDGBP_REQ_04 [Eternal] SAP_MDGBP_SPEC_04 [Eternal] SAP_MDGBP_STEW_04 [Eternal] Name Master Data Governance for Business Partner: Menu Master Data Governance for Business Partner: Display Master Data Governance for Business Partner: Requestor Master Data Governance for Business Partner: Specialist Master Data Governance for Business Partner: Data Steward If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 11.2 Master Data Governance for Supplier (CA- MDG-APP-SUP) Master Data Governance Security Guide 70 17

Authorization Objects Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the authorization objects of the business objects Business Partner and Vendor, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework. Authorization Object B_BUPA_GRP Description Business Partner: Authorization Groups This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected. B_BUPA_RLT B_BUPR_BZT DC_OBJECT F_LFA1_APP F_LFA1_BEK Business Partner: BP Roles Business Partner Relationships: Relationship Categories Data Cleansing Vendor: Application Authorization Vendor: Account Authorization This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected. F_LFA1_BUK F_LFA1_GEN F_LFA1_GRP M_LFM1_EKO Vendor: Authorization for Company Codes Vendor: Central Data Vendor: Account Group Authorization Purchasing organization in supplier master data Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Roles Role Name Master Data Governance Security Guide 70 18

SAP_MDGS_MENU_04 SAP_MDGS_DISP_04 SAP_MDGS_REQ_04 SAP_MDGS_SPEC_04 SAP_MDGS_STEW_04 SAP_MDGS_LVC_MENU_03 SAP_MDGS_LVC_REQ_03 Master Data Governance for Supplier: Menu [Eternal] Master Data Governance for Supplier: Display [Eternal] Master Data Governance for Supplier: Requester [Eternal] Master Data Governance for Supplier: Specialist [Eternal] Master Data Governance for Supplier: Data Steward [Eternal] Master Data Governance for Supplier (Lean Request UI): Menu [Eternal] Master Data Governance for Supplier (Lean Request UI): Requester [Eternal] If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 11.3 Master Data Governance for Customer (CA- MDG-APP-CUS) Authorization Objects Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the authorization objects of the business objects Business Partner and Customer, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework. Depending on whether you use the Master Data Governance for Customer on a hub system [Eternal] or on a client system [Eternal] a different set of authorization objects is required. Authorization Object Description Hub System Client System B_BUPA_GRP Business Partner: Authorization Groups This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected. B_BUPA_RLT Business Partner: BP Roles B_BUPR_BZT Business Partner Relationships: Master Data Governance Security Guide 70 19

Relationship Categories DC_OBJECT Data Cleansing F_KNA1_APP Customer: Application Authorization F_KNA1_BED Customer: Account Authorization This authorization object is optional. You do not need to assign this authorization object if no master records are to be specifically protected. F_KNA1_BUK Customer: Authorization for Company Codes F_KNA1_GEN Customer: Central Data F_KNA1_GRP Customer: Account Group Authorization MDGC_LCOPY Copy Customer Master Data from MDG Hub V_KNA1_BRG Customer: Account Authorization for Sales Areas V_KNA1_VKO Customer: Authorization for Sales Organizations Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Roles Role SAP_MDGC_MENU_04 SAP_MDGC_DISP_04 SAP_MDGC_REQ_04 SAP_MDGC_SPEC_04 SAP_MDGC_STEW_04 Name Master Data Governance for Customer: Menu [Eternal] Master Data Governance for Customer: Display [Eternal] Master Data Governance for Customer: Requester [Eternal] Master Data Governance for Customer: Specialist [Eternal] Master Data Governance for Customer: Data Steward [Eternal] Master Data Governance Security Guide 70 20

If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 11.4 Master Data Governance for Material (CA- MDG-APP-MM) Authorization Objects Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for eample, the authorization objects of the Material Master and the Application Framework for Master Data Governance. Authorization Object M_MATE_MAT M_MATE_MAR M_MATE_WGR M_MATE_STA M_MATE_MTA M_MATE_WRK M_MATE_MAN M_MATE_NEU M_MATE_BUK M_MATE_VKO M_MATE_LGN C_KLAH_BKL C_KLAH_BSE C_TCLA_BKA C_DRAD_OBJ C_DRAW_DOK C_DRAW_TCD C_DRAW_TCS Description Material Master: Material Material Master: Material Type Material Master: Material Group Material Master: Maintenance Status Material Master: Change Material Type Material Master: Plant Material Master: Central Data Material Master: Create Material Master: Company Codes Material Master: Sales Organization/Distribution Channel Material Master: Warehouse Numbers Authorization for Classification Authorization for Selection Authorization for Class Types Create/Change/Display/Delete Object Link Authorization for document access Authorization for document activities Status-Dependent Authorizations for Documents Master Data Governance Security Guide 70 21

C_DRAW_BGR C_DRAW_STA DRF_RECEIV DRF_ADM PLM_SPUSR Authorization for authorization groups Authorization for document status Authorization for outbound messages for receiver systems Create Outbound Messages Superuser by Object Type You need this authorization object for the object type PLM_MAT only if the search object connector of SAP NetWeaver Enterprise Search is created for the following Enterprise Search software components: PLMWUI Software components that include PLMWUI For more information about SAP NetWeaver Enterprise Search, see SAP NetWeaver Enterprise Search [Eternal]. Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Roles Role SAP_MDGM_MENU_04 [Eternal] SAP_MDGM_DISP_04 [Eternal] SAP_MDGM_REQ_04 [Eternal] SAP_MDGM_SPEC_04 [Eternal] SAP_MDGM_STEW_04 [Eternal] Name Master Data Governance for Material: Menu Master Data Governance for Material: Display Master Data Governance for Material: Requester Master Data Governance for Material: Specialist Master Data Governance for Material: Data Steward If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 11.5 Master Data Governance for Financials (CA- MDG-APP-FIN) Master Data Governance Security Guide 70 22

Authorization Objects Authorization Object USMD_DIST Description Distribution This authorization object is used if you have not activated business function MDG_FOUNDATION. (Switch: FIN_MDM_CORE_SFWS_EHP5) USMD_EDTN Edition Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Roles Role SAP_MDGF_ACC_DISP_04 [Eternal] SAP_MDGF_ACC_REQ_04 [Eternal] SAP_MDGF_ACC_SPEC_04 [Eternal] SAP_MDGF_ACC_STEW_04 [Eternal] SAP_MDGF_CO_DISP_04 [Eternal] SAP_MDGF_CO_REQ_04 [Eternal] SAP_MDGF_CO_SPEC_04 [Eternal] SAP_MDGF_CO_STEW_04 [Eternal] SAP_MDGF_CTR_DISP_04 [Eternal] SAP_MDGF_CTR_REQ_04 [Eternal] SAP_MDGF_CTR_SPEC_04 [Eternal] SAP_MDGF_CTR_STEW_04 Description Master Data Governance for Financials: Accounting Display Master Data Governance for Financials: Accounting Requester Master Data Governance for Financials: Accounting Specialist Master Data Governance for Financials: Accounting Data Steward Master Data Governance for Financials: Consolidation Display Master Data Governance for Financials: Consolidation Requester Master Data Governance for Financials: Consolidation Specialist Master Data Governance for Financials: Consolidation Data Steward Master Data Governance for Financials: Controlling Display Master Data Governance for Financials: Controlling Requester Master Data Governance for Financials: Controlling Specialist Master Data Governance for Financials: Controlling Master Data Governance Security Guide 70 23

[Eternal] Data Steward If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 11.6 Master Data Governance for Custom Objects (CA-MDG-COB) Authorization Objects You can use the following authorization objects for Master Data Governance for Custom Objects. Authorization Object USMD_DIST USMD_DM USMD_EDTN Description Replication Data Model Edition Type Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects Used by Master Data Governance [Page 15]. Standard Role Role SAP_MDGX_MENU_04 [Eternal] SAP_MDGX_FND_SAMPLE_SF_04 [Eternal] Name Master data governance for self-defined objects Master data governance for self-defined objects - Flight Data Model eample If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant. 12 Change Settings of Generated MDG Database Tables The SAP system generates database tables for the entities of all defined data models. The settings of these database tables are the following: Buffering and log of data changes is switched on. Display and maintenance is allowed with restrictions. Master Data Governance Security Guide 70 24

Activities To change these settings of generated MDG database tables run the transaction MDG_TABLE_ADJUST. The results of the transaction are listed in the transaction SLG1 (Analyse Application Log), using Object FMDM and Subobject ADJUST_TABLE. You have to eecute the transaction in each system manually. After a model activation it might be necessary to eecute the transaction again. More Information For more information see SAP note 1828363. 13 Appendi For more information about the security of SAP applications see SAP Service Marketplace at http://service.sap.com/security. You can also access additional security guides via SAP Service Marketplace at http://service.sap.com/securityguide. For more information about security issues, see SAP Service Marketplace at http://service.sap.com followed by: Topic Master guides, installation guides, upgrade guides, and Solution Management guides Related notes Platforms Network security SAP Service Marketplace /instguides /ibc /notes /platforms /network /securityguide Technical infrastructure SAP Solution Manager /ti /solutionmanager Master Data Governance Security Guide 70 25