Security Guide

SAP Dealer Business Management

Release 8.1

CUSTOMER

Document Version: 1

Security Guide

SAP Dealer Business Management 2

Copyright

© 2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose

without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Icons in Body Text

The following icons are used in the body text: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style | Description
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
Example text | Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.


Contents

Security Guide Template   5
Introduction   5
Before You Start   7
Technical System Landscape   8
User Administration and Authentication   10
    User Management   11
    Integration into Single Sign-On Environments   12
Authorizations   13
Network and Communication Security   15
Data Storage Security   16
Data Protection   17


Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants

● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the SAP Dealer Business Management. To assist you in securing the SAP Dealer Business Management, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the SAP Dealer Business Management.

Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the SAP Dealer Business Management.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ Overview of how integration into Single Sign-On environments is possible.

● Authorizations

This section provides an overview of the authorization concept that applies to the SAP Dealer Business Management.

● Network and Communication Security


This section provides an overview of the communication paths used by the SAP Dealer Business Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Data Storage Security

This section provides an overview of any critical data that is used by the SAP Dealer Business Management and the security mechanisms that apply.

● Data Protection and Privacy (DP&P)

This section provides an overview of DP&P aspects of this release.

● Appendix

This section provides references to further information.


Before You Start

Fundamental Security Guides

The SAP Dealer Business Management is an add-on for SAP ECC DIMP and is built on SAP NetWeaver technology. Therefore, the corresponding Security Guides also apply to the SAP Dealer Business Management. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

Fundamental Security Guides

Scenario, Application or Component | Security Guide | Most-Relevant Sections or Specific Restrictions
SAP EHP7 for SAP ERP 6.0 | SAP Service Marketplace under service.sap.com/securityguide |
SAP ERP Central Component Security Guide | SAP Service Marketplace under service.sap.com/securityguide |
SAP ECC DIMP 617 | SAP Service Marketplace under service.sap.com/securityguide |

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP Dealer Business Management are shown in the table below.

SAP Note | Title | Comment
727839 | Authorization role for the SAP SCM - SAP R/3 integration |

Additional Information

For more information about specific topics, see the addresses on the SAP Service Marketplace as shown in the table below.

Content | SAP Service Marketplace Address
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/securityguide
SAP Solution Manager | service.sap.com/solutionmanager


Technical System Landscape

Use

The figures below show overviews of the technical system landscapes for the SAP Dealer Business Management.

System Landscape for Databases Other Than SAP HANA:

* Automotive Solutions use PP, LE, MM, SD and ECC DIMP, which includes Dealer Portal, Vehicle Management System (VMS), etc.

At a minimum, you need to install SAP ECC with the SAP ECC DIMP 617 and SAP DBM add-ons and TREX.

Note: TREX is required for databases other than SAP HANA. For SAP HANA databases, TREX can be omitted and the search can be performed with the SAP HANA-based variant of embedded search.


System Landscape for SAP HANA:

For more information about the technical system landscape, see the resources listed in the table below.

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace
Technical description for SAP Dealer Business Management | Industry Solution Master Guide – SAP for Automotive | service.sap.com/instguides
Technical description of the underlying technological component SAP NetWeaver | Master Guide for SAP NetWeaver | service.sap.com/instguides
Security | | service.sap.com/security
Security for Industry Scenario | Security Guide for Industry Scenarios | service.sap.com/securityguide


User Administration and Authentication

The SAP Dealer Business Management uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the SAP Dealer Business Management.


User Management

Use

User management for the SAP Dealer Business Management uses the mechanisms provided with the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the SAP Dealer Business Management.

We recommend changing the user IDs and passwords for users that are automatically created during installation.


Integration into Single Sign-On Environments

Use

The SAP Dealer Business Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library] also apply to the SAP Dealer Business Management.

The supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.

SAP logon tickets

The SAP Dealer Business Management supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

You can find more information under SAP Logon Tickets [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.

Client certificates

As an alternative to user authentication with a user ID and password, users who use a Web browser as a frontend client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL), and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

You can find more information under Client Certificates [SAP Library] in the SAP NetWeaver AS ABAP Security Guide.


Authorizations

Use

The SAP Dealer Business Management uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP Security Guide also apply to the SAP Dealer Business Management.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine’s user administration console when using Java.

For more information about how to create roles, see Role Maintenance [SAP Library].

Standard Roles

The table below shows the standard roles that are used by the SAP Dealer Business Management.

Standard Roles

Role | Description
/DBM/MASTER | DBM Master Role
/DBM/CDESK | General Role for Cash Desk
/DBM/ORDER | General Role for Order
/DBM/PACKAGE | General Role for Packages
/DBM/STG | General Role for Storage Good Manager
/DBM/TIME_MANAGEMENT | General Role for Time Management
/DBM/VEHICLE | General Role for Vehicle
/DBM/SERVICE_ADVISOR | DBM Service Advisor
/DBM/BACKORDER_PROCESSOR | DBM Backorder Processor
/DBM/MODEL_CATALOG | DBM role for the authorization to use the model catalog
/DBM/MASS_ACTIONS | DBM role for the authorization to carry out mass vehicle actions
/DBM/MASS_ACTION_MENU | DBM role for mass vehicle processing in the SAP Menu
/DBM/SALES_ASSISTANT | DBM Vehicle Sales Assistant
/DBM/WORKSHOP_CONTROLLER | DBM Workshop Controller

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by the SAP Dealer Business Management.


Standard Authorization Objects

Authorization Object | Field | Value | Description
/DBM/CDESK | | | Cash Desk
/DBM/CUST | | | Authorization Object for Customer
/DBM/ORDER | | | Authorization Object for Order
/DBM/PACK | | | Authorization Object for Packages
/DBM/STGP | | | Authorization Object for Storage Goods Manager
/DBM/VEH | | | Authorization Object for Vehicle
/DBM/TM_ST | | | Creation of Time Stamps
/DBM/TM_ER | | | DBM Time Recording: error management
/DBM/VMCAT | | | DBM Authorization for vehicle model catalog
/DBM/NSALE | | | Organizational authorization for DBM VSA new vehicle sales
/DBM/USALE | | | Organizational authorization for DBM VSA used vehicle sales
/DBM/VTEST | | | Organizational authorization for DBM VSA test drive
/DBM/TRDIN | | | Organizational authorization for DBM VSA trade-in business


Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP Dealer Business Management is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP Dealer Business Management.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security [SAP Library]

● Security Aspects for Connectivity and Interoperability [SAP Library]


Data Storage Security

Use

In the cash desk functions, SAP DBM only stores the payment type (cash, EC, Visa, MC, check). Credit card numbers are not stored. When checking a customer's credit limit, the system accesses the open items and the customer's credit limit. This access is secured by the SAP authorization concept.

SAP DBM uses some HR data. This data is protected by the SAP authorization concept.


Data Protection

Deletion of Personal Data

Integration with Other Solutions

The DBM application component is closely integrated with other components such as:

● Material Master

● Financial Accounting

● Controlling

● Sales and Distribution

● Warranty

● Vehicle Management System

● SAP Multiresource Scheduling

● CRM

● HR

Relevant Application Objects and Available Deletion Functionality

The relevant application objects are DBM Order, DBM Deal and DBM Cashdesk. The deletion functionality is enabled for these application objects.

Relevant Application Objects and Available EoP Functionality

DBM EoP functionality is integrated with the standard blocking report for Central Business Partners as well as with the blocking report for Customer/Vendor/Contact Persons.

Configuration: Simplified Blocking and Deletion

DBM-relevant EoP function modules and classes are registered and delivered in the appropriate Customizing.