Release 6.0 HELP.SECGUIDE_ISHERCM


Copyright

Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iseries, pseries, xseries, zseries, z/os, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mysap, mysap.com, xapps, xapp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP ECC Industry Extension HE&R 6.0

Icons in Body Text

Icon meanings: Caution, Example, Note, Recommendation, Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style        Description

Example text      Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text      Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

SAP ECC Industry Extension HE&R: Security Guide
  Before You Start
  Authorizations
  Network and Communication Security
    Communication Channel Security
    Communication Destinations
  Other Security-Relevant Information
    Trace and Log Files

SAP ECC Industry Extension HE&R: Security Guide

The Security Guide provides you with the information necessary for operating SAP for Higher Education & Research securely. This guide applies to the Campus Management component of the SAP for Higher Education & Research solution.

Before You Start

Fundamental Security Guides

The SAP ECC Industry Extension Higher Education & Research component is built from the SAP ECC components. Therefore, the corresponding Security Guides also apply to SAP for Higher Education & Research.

Fundamental Security Guides

  mysap ERP Security Guide
  SAP NetWeaver Security Guide
  SAP NetWeaver Portal (EP 6.0) Security Guides
  SAP NetWeaver Business Intelligence Security Guides
  SAP NetWeaver Exchange Infrastructure Security Guides
  SAP Customer Relationship Management (CRM 4.0) Security Guides

For a complete list of the available SAP Security Guides, see the Quick Link service.sap.com/securityguide on the SAP Service Marketplace.

Additional information

For more information about specific topics, see the Quick Links shown in the table below.

Quick Links to Additional Information

Contents                    Quick Link on the SAP Service Marketplace

Security                    service.sap.com/security
Security Guides             service.sap.com/securityguide
Related SAP Notes           service.sap.com/notes
Released platforms          service.sap.com/platforms
Network security            service.sap.com/network
                            service.sap.com/securityguide
Technical infrastructure    service.sap.com/ti
SAP Solution Manager        service.sap.com/solutionmanager

Authorizations

Use

The SAP ECC Industry Extension Higher Education & Research component uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to the SAP ECC Industry Extension Higher Education & Research component.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine's user administration console when using Java.

Standard Roles in Campus Management

The table below shows the standard roles that are used by Campus Management.

Standard Roles

Role                           Description

Composite Roles
SAP_CM_ADM_COORDINATOR         Admission coordinator
SAP_CM_ADM_OFFICER             Admission officer
SAP_CM_ASM_COORDINATOR         Assessment coordinator
SAP_CM_ASM_OFFICER             Assessment officer
SAP_CM_STREC_COORDINATOR       Student records coordinator
SAP_CM_STREC_OFFICER           Student records officer

Single Roles
SAP_CM_ACCOUNT_DATA_UPDATE     Technical user for automatic update of student account data after changes to account-relevant student master data.
SAP_CM_ADMIN_ACAD_STRUCTURE    Administrator for the academic structure (internal single role)
SAP_CM_ADMOFF_STUDYDATA        Activities for the admission coordinator
SAP_CM_ADMREGDATA_DISP         Display study data
SAP_CM_ALL
SAP_CM_ASMCO_ADDACT            Additional activities for the assessment coordinator
SAP_CM_ASMDATA_DISP            Display progression and grades
SAP_CM_ASMOFF_ACT              Activities for the assessment officer
SAP_CM_STMASTERDATA_DISP       Display student master data
SAP_CM_STMASTERDATA_MAINT      Edit student master data
SAP_CM_STRCO_ADDACT            Additional activities for the student records coordinator
SAP_CM_STROFF_ACT              Activities for the student records coordinator
SAP_IQ_CAMPUS                  Campus Management (only up to release CM 4.72)
SAP_CM_MODULEBOOK              Module booking (only up to release CM 4.72)
SAP_CM_REGIST                  Activities for registration (only up to release CM 4.72)
SAP_CM_STUDENTMASTER           Student master data processing (only up to release CM 4.72)

All of the above roles are automatically generated by the system.

SAP_IQ_CAMPUS and SAP_CM_ALL are critical roles because they contain a comprehensive authorization for all Campus Management functions.

The following roles are obsolete as of the SAP ECC Industry Extension Higher Education & Research 6.0 release:

  SAP_IQ_CAMPUS
  SAP_CM_MODULEBOOK
  SAP_CM_REGIST
  SAP_CM_STUDENTMASTER

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by Campus Management.

Standard Authorization Objects

Authorization object    Description

P_CM_AUDCT              Campus Management: requirement catalogs
P_CM_AUDIT              Audits
P_CM_AUDPR              Requirement profile
P_CM_CORR               Correspondence
P_CM_FCDOC              Student Accounting document
P_CM_PROC               Activity
P_CM_UCAS               Authorization Object Campus Management UCAS (only for Great Britain)
P_CM_UCASR              Authorization Object Campus Management UCAS for Reports (only for Great Britain)

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP ECC Industry Extension Higher Education & Research component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP ECC Industry Extension Higher Education & Research component. Details that specifically apply to the SAP ECC Industry Extension Higher Education & Research component are described in the following topics:

  Communication Channel Security
  This topic describes the communication paths and protocols used by the SAP ECC Industry Extension Higher Education & Research component.

  Communication Destinations
  This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

  Network and Communication Security
  Security Aspects for Connectivity and Interoperability

Communication Channel Security

In SAP ECC Industry Extension Higher Education & Research, you can set up communication between Campus Management and CRM, BW or XI. Campus Management always uses the standard communication channels.

Communication Channels Used

Communication                                               Communication Channel

ERP with Customer Relationship Management (CRM)             CRM Middleware
ERP with the SAP Business Information Warehouse (SAP BW)    Standard communication via SAP BW extractors
ERP with the SAP Exchange Infrastructure (SAP XI)           Standard communication offered by SAP XI

Communication Destinations

If you use the Campus Management fee calculation functions provided in the SAP ECC Industry Extension Higher Education & Research component, the automatic creation and update functions for student accounts are very important for you.
You can only obtain correct fee calculation results if the student master data for fee calculation and the student contract account (student account) data match.

The automatic creation function triggers automatic creation of a student account with account-relevant master data when you create student master data. The automatic update function triggers automatic updating of account data when you change account-relevant student master data.

For these automatic creation and update functions, you must set up an RFC destination with a technical user for authorization reasons. You can assign the role SAP_CM_ACCOUNT_DATA_UPDATE to this technical user.

You make the required settings for automatic creation and update in Customizing for Campus Management under Technical Settings for Automatic Creation and Update. For detailed information on the automatic creation and update functions, see the IMG activity documentation for (De)Activate Automatic Student Account Creation and Update.

Other Security-Relevant Information

The SAP ECC Industry Extension Higher Education & Research component contains several sample BSP applications for Campus Management, for example, the BSP applications for student timetables and for module booking. These BSP applications are deactivated in the standard system as of the SAP ECC Industry Extension Higher Education & Research 6.0 release. You can activate these BSP applications according to the description on the page default.htm of the corresponding BSP application.

Trace and Log Files

SAP ECC Industry Extension Higher Education & Research uses an audit trail and change documents for Campus Management activities. The audit trail enables users to keep track of which data was changed when and by whom.
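
The Authorizations and Communication Destinations sections name two critical roles, four obsolete roles and one role for the RFC technical user. The following added example (not part of the SAP guide) checks an exported user-role assignment list against them. The CSV layout (UNAME, AGR_NAME, TO_DAT as YYYYMMDD), the sample users, and the rule that the technical user should hold only SAP_CM_ACCOUNT_DATA_UPDATE are assumptions.

```python
import csv
import io
from datetime import date

# Role names come from the guide; export layout and user names are assumptions.
CRITICAL_ROLES = {"SAP_CM_ALL", "SAP_IQ_CAMPUS"}
OBSOLETE_ROLES = {"SAP_IQ_CAMPUS", "SAP_CM_MODULEBOOK",
                  "SAP_CM_REGIST", "SAP_CM_STUDENTMASTER"}
RFC_ROLE = "SAP_CM_ACCOUNT_DATA_UPDATE"

# Constructed sample export (hypothetical users, assumed column names).
SAMPLE_EXPORT = """UNAME,AGR_NAME,TO_DAT
JSMITH,SAP_CM_ADM_OFFICER,99991231
JSMITH,SAP_CM_ALL,99991231
MBROWN,SAP_CM_REGIST,99991231
MBROWN,SAP_IQ_CAMPUS,20050101
RFC_CM_UPD,SAP_CM_ACCOUNT_DATA_UPDATE,99991231
RFC_CM_UPD,SAP_CM_STMASTERDATA_MAINT,99991231
"""

def audit_assignments(export_text, technical_users, today):
    """Return sorted (user, role, finding) tuples for assignments still valid today."""
    cutoff = today.strftime("%Y%m%d")  # YYYYMMDD strings compare chronologically
    findings, roles_by_user = set(), {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role = row["UNAME"].strip(), row["AGR_NAME"].strip()
        if row["TO_DAT"].strip() < cutoff:
            continue  # assignment has expired
        roles_by_user.setdefault(user, set()).add(role)
        if role in CRITICAL_ROLES:
            findings.add((user, role, "critical"))
        if role in OBSOLETE_ROLES:
            findings.add((user, role, "obsolete"))
    # Assumed least-privilege rule: the RFC technical user holds only RFC_ROLE.
    for user in technical_users:
        for role in roles_by_user.get(user, set()) - {RFC_ROLE}:
            findings.add((user, role, "technical-user-extra-role"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_EXPORT, {"RFC_CM_UPD"}, date(2024, 1, 1)):
        print(*finding)
```
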