Sap MDG Guide

PUBLIC
2017-05-03
SAP Master Data Governance Security Guide

Content
1 SAP Master Data Governance Security Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5 User Management and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

5.1 User Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.2 User Data Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.3 Integration into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

7.1 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.2 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.3 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.4 Use of Virus Scanners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9 Enterprise Services Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
10 Security-Relevant Logs and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
11 Segregation of Duties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
12 Authorization Objects and Roles Used by SAP Master Data Governance. . . . . . . . . . . . . . . . . . . . 22

12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing. . . . . . . . . . . .22
MDC_PROOT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
MDC_PFILT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
MDC_MASS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
MDC_ADMIN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance. . . . . . . . . . . . . . . . . . . . . . . 27
Master Data Governance for Business Partner (CA-MDG-APP-BP). . . . . . . . . . . . . . . . . . . . . . . . . 29
Master Data Governance for Supplier (CA-MDG-APP-SUP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Master Data Governance for Customer (CA-MDG-APP-CUS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Master Data Governance for Material (CA-MDG-APP-MM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Master Data Governance for Financials (CA-MDG-APP-FIN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

2 PUBLIC Content
Master Data Governance for Custom Objects (CA-MDG-COB). . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
13 Change Settings of Generated MDG Database Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
14 Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Content PUBLIC 3
1 SAP Master Data Governance Security
Guide
The following guide covers the information that you require to operate SAP Master Data Governance securely. To
make the information more accessible, it is divided into a general part, containing information relevant for all
components, and a separate part for information specific for individual components.

4 PUBLIC SAP Master Data Governance Security Guide
2 Introduction
This guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
Technology consultants
Security consultants
System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas
the Security Guide provides information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to Master Data Governance. To assist you in securing Master Data
Governance, we provide this Security Guide.
Since Master Data Governance is based on and uses SAP NetWeaver technology, it is essential that you consult
the Security Guide for SAP NetWeaver. See SAP Service Marketplace at http://service.sap.com/securityguide
SAP NetWeaver .
For all Security Guides published by SAP, see SAP Service Marketplace at http://service.sap.com/securityguide
.
Overview of the Main Sections
The Security Guide comprises the following main sections:
Before You Start [page 7]

This section contains information about why security is necessary, how to use this document, and references
to other Security Guides that build the foundation for this Security Guide.
Technical System Landscape [page 8]
This section provides an overview of the technical components and communication paths that are used by
Master Data Governance.

Introduction PUBLIC 5
User Management and Authentication [page 9]
This section provides an overview of the following user administration and authentication aspects:
Recommended tools to use for user management
User types that are required by Master Data Governance
Standard users that are delivered with Master Data Governance
Overview of the user synchronization strategy
Overview of how integration into Single Sign-On environments is possible
Authorizations [page 13]
This section provides an overview of the authorization concept that applies to Master Data Governance.
Network and Communication Security [page 14]
This section provides an overview of the communication paths used by Master Data Governance and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level.
Data Storage Security [page 17]
This section provides an overview of any critical data that is used by Master Data Governance and the security
mechanisms that apply.
Enterprise Services Security [page 18]
This section provides an overview of the security aspects that apply to the enterprise services delivered with
Security-Relevant Logs and Tracing [page 19]
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.
Segregation of Duties [page 20]
Authorization Objects and Roles Used by SAP Master Data Governance [page 22]
Change Settings of Generated MDG Database Tables [page 40]
Appendix [page 41]
This section provides references to further information.

6 PUBLIC Introduction
3 Before You Start
Use
This table contains the most important SAP notes concerning the safety of Master Data Governance.
Table 1:
Title SAP Note Comment
Code injection vulnerability in UAC_AS 1493809 MDG and XBRL

SIGNMENT_CONTROL_TEST
More Information
For more information about specific topics, see the sources in the table below.
Table 2:
Content Quick Link on SAP Service Marketplace or SDN
Security http://sdn.sap.com/irj/sdn/security
Security Guides http://service.sap.com/securityguide
Related Notes http://service.sap.com/notes
http://service.sap.com/securitynotes
Allowed platforms http://service.sap.com/pam
Network security http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

Before You Start PUBLIC 7
4 Technical System Landscape
For information about the technical system landscape, see the sources listed in the table below.
Table 3:
Subject Guide/Tool Quick Link to SAP Service Marketplace
Technical description of Master Data Master Guide http://service.sap.com/instguides

Governance and the underlying technical
SAP Business Suite Applications
components, such as SAP NetWeaver
SAP Master Data Governance
High availability High Availability for SAP Solutions http://sdn.sap.com/irj/sdn/ha
Design of technical landscape See available documents http://sdn.sap.com/irj/sdn/landscape

design
Security See available documents http://sdn.sap.com/irj/sdn/security
Note
If you intend to use a portal in your landscape, ensure that the embedding enterprise portal frame has the same
domain as the embedded web dynpro application.
To check the settings, call up the technical help in the web dynpro application (right mouse click, then select
Technical Help). On the Browser tab, check if the Parent window is accessible indicator is marked.

8 PUBLIC Technical System Landscape
5 User Management and Authentication
Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver
platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and
guidelines for user management and authentication that are described in the security guide for also apply to
In addition to these guidelines, we also supply information on user management and authentication that is
especially applicable to Master Data Governance in the following sections:
User Administration [page 9]

This section details the user management tools, the required user types, and the standard users that are
supplied with Master Data Governance.
User Data Synchronization [page 11]
The components of Master Data Governance can use user data together with other components. This section
describes how the user data is synchronized with these other sources.
Integration into Single Sign-On Environments [page 11]
This section describes how Master Data Governance supports single sign-on-mechanisms.
5.1 User Administration
Master Data Governance user management uses the mechanisms provided by SAP NetWeaver Application
Server for ABAP, such as tools, user types, and the password concept. For an overview of how these mechanisms
apply for Master Data Governance, see the sections below. In addition, we provide a list of the standard users
required for operating components of Master Data Governance.
User Administration Tools
The following table shows the user administration tools for Master Data Governance.
Table 4:
Tool Description
User maintenance for ABAP-based systems (transaction For more information on the authorization objects provided by
SU01) the components of Master Data Governance, see the compo
nent specific section.
Role maintenance with the profile generator for ABAP-based For more information on the roles provided by Master Data
systems (PFCG) Governance, see the component specific section.
Central User Administration (CUA) for the maintenance of For more information, see .
multiple ABAP-based systems

User Management and Authentication PUBLIC 9
User Management Engine for SAP NetWeaver AS Java (UME) Administration console for maintenance of users, roles, and
authorizations in Java-based systems and in the Enterprise
Portal. The UME also provides persistence options, such as
ABAP Engine. For more information, see .
Note
For more information on the tools that SAP provides for user administration with SAP NetWeaver, see SAP
Service Marketplace at http://service.sap.com/securityguide SAP NetWeaver 7.0 Security Guides
(Complete) Release User Administration and Authentication .
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
User types required for Master Data Governance include, for example:
Individual users
Dialog users
Dialog users are used for SAP GUI for Windows.
Internet users for Web applications
Same policies apply as for dialog users, but used for Internet connections.
Technical users:
Service users are dialog users who are available for a large set of anonymous users (for example, for
anonymous system access via an ITS service).
Communication users are used for dialog-free communication between systems.
Background users can be used for processing in the background.
Standard Users
The following table shows the standard users that are necessary for operating Master Data Governance.
Table 5:
System User ID Type Password Additional Information
SAP Web Application (sapsid)adm SAP system adminis Mandatory SAP NetWeaver instal
Server trator lation guide
SAP Web Application SAP Service (sap SAP system service ad Mandatory SAP NetWeaver instal
Server sid)adm ministrator lation guide
SAP Web Application SAP Standard ABAP See SAP NetWeaver SAP NetWeaver secur
Server Users (SAP*, DDIC, security guide ity guide
EARLYWATCH,
SAPCPIC)

10 PUBLIC User Management and Authentication
System User ID Type Password Additional Information
SAP Web Application SAP Standard SAP See SAP NetWeaver SAP NetWeaver secur
Server Web Application Server security guide ity guide
Java Users
SAP ECC SAP Users Dialog users Mandatory The number of users
depends on the area of
operation and the busi
ness data to be proc
essed.
Note
We recommend that you change the passwords and IDs of users that were created automatically during the
installation.
5.2 User Data Synchronization
By synchronizing user data, you can reduce effort and expense in the user management of your system
landscape. Since Master Data Governance is based on SAP NetWeaver, you can use all of the mechanisms for
user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver Security Guide on
SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver.
Note
You can use user data distributed across systems by replicating the data, for example in a central directory
such as LDAP.
5.3 Integration into Single Sign-On Environments
Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application
Server for ABAP technology. Therefore, the security recommendations and guidelines for user management and
authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Governance.
Master Data Governance supports the following mechanisms:
Secure Network Communication (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
SAP Logon Tickets

User Management and Authentication PUBLIC 11
Master Data Governance supports the use of logon tickets for SSO when using a Web browser as the front-end
client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP
system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token.
The user does not need to enter a user ID or password for authentication, but can access the system directly once
it has checked the logon ticket. For more information, see SAP Logon Tickets in the Security Guide for SAP
NetWeaver Application Server.
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-end
client can also provide X.509 client certificates to use for authentication. In this case, user authentication is
performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be
transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For
more information about available authentication mechanisms, see SAP Library for SAP NetWeaver under .

12 PUBLIC User Management and Authentication
6 Authorizations
Master Data Governance uses the authorization concept of SAP NetWeaver Application Server ABAP. Therefore,
the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP
NetWeaver Application Server ABAP also apply to Master Data Governance. You can use authorizations to restrict
the access of users to the system, and thereby protect transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based
on roles. For role maintenance in SAP NetWeaver Application Server ABAP, use the profile generator (transaction
PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User
Management Engine (UME). You can define user-specific menus using roles.
Note
For more information about creating roles, see .
Standard Roles and Standard Authorization Objects
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.
For a list of the standard roles and authorization objects used by components of Master Data Governance, see the
section of this document relevant to each component.
Note
Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your
requirements.
Authorizations for Customizing Settings
You can use Customizing roles to control access to the configuration of Master Data Governance in the SAP
Customizing Implementation Guide (IMG).

Authorizations PUBLIC 13
7 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business and your needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the devices
and gain access to the backend systems database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit known bugs and security holes in network services on the
server machines.
The network topology for Master Data Governance is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to Master Data Governance. Details that relate directly to SAP ERP Central Component are described in the
following sections:
Communication Channel Security [page 14]

This section contains a description of the communication channels and protocols that are used by the
components of Master Data Governance.
Network Security [page 15]
This section contains information on the network topology recommended for the components of Master Data
Governance. It shows the appropriate network segments for the various client and server components and
where to use firewalls for access protection. It also contains a list of the ports required for operating the
subcomponents of Master Data Governance.
Communication Destinations [page 15]
This section describes the data needed for the various communication channels, for example, which users are
used for which communications.
7.1 Communication Channel Security
Communication channels transfer a wide variety of different business data that needs to be protected from
unauthorized access. SAP makes general recommendations and provides technology for the protection of your
system landscape based on SAP NetWeaver.
The table below shows the communication channels used by Master Data Governance, the protocol used for the
connection, and the type of data transferred.
Table 6:
Communication Path Protocol Used Type of Data Transferred Data Requiring Special Pro
tection
Application server to applica RFC, HTTP(S) Integration data Business data

tion server

14 PUBLIC Network and Communication Security
Communication Path Protocol Used Type of Data Transferred Data Requiring Special Pro
tection
Application server to applica HTTP(S) Application data For example, passwords,

tion of a third party adminis business data
trator
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer protocol (SSL protocol).
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC).
7.2 Network Security
Since Master Data Governance is based on SAP NetWeaver technology, for information about network security,
see the corresponding sections of the SAP NetWeaver Security Guide at http://help.sap.com Technology
Platform SAP NetWeaver Release/Language SAP NetWeaver Security Guide Network and
Communication Security Network Services :
If you provide services in the Internet, you should protect your network infrastructure with a firewall at least. You
can further increase the security of your system or group of systems by placing the groups in different network
segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that
unauthorized access is also possible internally if a malicious user has managed to gain control of one of your
systems.
Ports
Master Data Governance is executed in SAP NetWeaver and uses the ports of AS ABAP or AS Java. For more
information see the corresponding security guides for SAP NetWeaver in the topics for and . For information
about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see the document TCP/IP Ports
Used by SAP Applications in SAP Developer Network at http://sdn.sap.com/irj/sdn/security under
Infrastructure Security Network and Communications Security .
7.3 Communication Destinations
The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore
follow the security rules below when communicating between systems:
Employ the user types system and communication.

Grant a user only the minimum authorizations.

Network and Communication Security PUBLIC 15
Note
For information on authorization objects, see Authorization Objects and Roles Used by SAP Master Data
Governance [page 22].
Choose a secure password and do not divulge it to anyone else.

Only store user-specific logon data for users of type system and communication.
Wherever possible, use trusted system functions instead of user-specific logon data.
7.4 Use of Virus Scanners
If you upload files from application servers into Master Data Governance and you want to use an virus scanner, a
virus scanner must then be active on each application server. For more information, see SAP Note 964305
(solution A).
Note
Work through the Customizing activities in the Implementation Guide under the Virus Scan Interface node.
When doing this, use the virus scan profile /MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered for
When you upload files from the front-end into Master Data Governance, the system uses the configuration you
defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For more information, see SAP Note 1693981 .

16 PUBLIC Network and Communication Security
8 Data Storage Security
Use
Using Logical Paths and File Names to Protect Access to the File System
Master Data Governance saves data in files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). This is achieved by specifying logical paths and file names in the system that map
to the physical paths and file names. This mapping is validated at runtime and if access is requested to a directory
that does not match a stored mapping, then an error occurs. In the application-specific part of this guide, there is
a list for each component of the logical file names and paths, where it is specified for which programs these file
names and paths apply.
Activating the Validation of Logical Paths and File Names
The logical paths and file names are entered in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.
More Information
For information about data storage security, see the SAP NetWeaver Security Guide at http://help.sap.com
SAP NetWeaver Release/Language SAP NetWeaver Library Administrators Guide NetWeaver Security
Guide Security Guides for the Operating System and Database Platforms

Data Storage Security PUBLIC 17
9 Enterprise Services Security
The following section in the NetWeaver Security Guide is relevant for Master Data Governance:

18 PUBLIC Enterprise Services Security
10 Security-Relevant Logs and Tracing
The trace and log files of Master Data Governance use the standard mechanisms of SAP NetWeaver. For more
information, see the following sections in the SAP NetWeaver Security Guide at http://service.sap.com/
securityguide :
(AS Java)

Security-Relevant Logs and Tracing PUBLIC 19
11 Segregation of Duties
Use
Segregation of duties can be achieved by assigning roles to users and in addition by a strict separation of the user
groups for the workflow.
Activities
Assigning Roles to Users
You can assign roles to a user using the following transactions:
User Maintenance SU01

Use this transaction to assign one or more roles to one user.
Role Maintenance PFCG
Use this transaction to assign one or more users to one role.
Separating User Groups for the Workflow
Depending on the component of Master Data Governance you intend to configure, use the following Customizing
activities to separate the user groups:
MDG-M, MDG-F
Run the Customizing activity under Master Data Governance Central Governance General Settings
Process Modeling Workflow Rule-Based Workflow Configure Rule-Based Workflow .
For further information, see:

MDG-S
Run the Customizing activity under Master Data Governance Central Governance Master Data
Governance for Supplier Workflow Assign Processor to Change Request Step Number in BRFplus for
Supplier .
For further information, see
MDG-C
Depending on the change request step, run the following Customizing activities under:
Master Data Governance Central Governance General Settings Process Modeling Workflow
Other MDG Workflows Assign Processor to Change Request Step Number (Simple Workflow)
Master Data Governance Central Governance Master Data Governance for Customer Workflow
Assign Processor to Change Request Step Number in BRFplus for Customer
For further information, see .
MDG-BP

20 PUBLIC Segregation of Duties
Depending on the change request step, run the following Customizing activities under:
Other MDG Workflows Assign Processor to Change Request Step Number (Simple Workflow)
Rule-Based Workflow Configure Rule-Based Workflow
For further information, see
For information about the corresponding roles, see the documents listed below:
Authorization Objects Used by Master Data Governance [page 27]

Supplier Master Data Governance (CA-MDG-APP-SUP) [page 30]
Customer Master Data Governance (CA-MDG-APP-CUS) [page 33]
Material Master Data Governance (CA-MDG-APP-MM) [page 35]
Financial Master Data Governance (CA-MDG-APP-FIN) [page 38]
Custom Objects (CA-MDG-COB) [page 39]

Segregation of Duties PUBLIC 21
12 Authorization Objects and Roles Used by
SAP Master Data Governance
This chapter provides information about authorization objects and roles used by:
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 27]
Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing [page 22]
12.1 Authorization Objects and Roles Used by SAP MDG,

Consolidation and Mass Processing
Authorization Objects
SAP MDG, consolidation and mass processing uses the authorization objects listed below.
Table 7:
Authorization Object Description
MDC_PROOT [page 23] Consolidation Root Permissions
MDC_PFILT [page 25] Consolidation Cluster Permissions
MDC_MASS [page 25] Mass Update Permissions
MDC_ADMIN [page 26] Administrative permissions
B_BUPA_RLT Business Partner: BP Roles
B_BUPA_GRP Business Partner: Authorization Groups
S_BGRFC Authorization Object for NW bgRFC
M_MATE_MAR Material Master: Material Types
M_MATE_MAT Material Master: Materials
M_MATE_WGR Material Master: Material Groups
Caution
To use SAP MDG, consolidation and mass processing in combination with the functions of SAP MDG, central
governance, see the required authorization objects in the documents listed below:
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 27]

22 PUBLIC Authorization Objects and Roles Used by SAP Master Data Governance
Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 29]
Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 30]
Master Data Governance for Customer (CA-MDG-APP-CUS) [page 33]
Standard Roles
Table 8:
Frontend Launchpad Role Name
SAP_MDC_BCR_MASTERDATA_SPEC_T
SAP_MDC_BCR_MASTERDATA_ADMIN_T
SAP_MDC_TCR_T
Table 9:
Backend Authorization Role Name
SAP_MDC_ADMIN_APP_02
SAP_MDC_DISP_BP_APP_02
SAP_MDC_SPEC_BP_APP_02
SAP_MDC_DISP_BP_NONE_BS_APP_02
SAP_MDC_SPEC_BP_NONE_BS_APP_02
SAP_MDC_DISP_MM_APP_02
SAP_MDC_SPEC_MM_APP_02
SAP_MDC_ADMIN_CUSTOBJ_APP_02
SAP_MDC_DISP_CUSTOBJ_APP_02
SAP_MDC_SPEC_CUSTOBJ_APP_02
12.1.1 MDC_PROOT
Use
This document describes details of the authorization object MDC_PROOT.

Authorization Objects and Roles Used by SAP Master Data Governance PUBLIC 23
Features
The activities listed below are assigned to the authorization object.
Table 10:
Activity Text Authorization
01 Create or generate Create consolidation process
02 Change Run consolidation process
The Start, Retry, Rollback, and Save buttons become active.
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
03 Display Display consolidation process
06 Delete Delete consolidation process
The Delete button becomes active.
31 Confirm Continue consolidation process after a process step has been executed
The Continue button becomes active.

If the process pauses at a check point, the Continue button stays active only if
the activity 31 Confirm is permitted.
Note
36 Extended mainte Adjust configuration within the process UI for the current process
nance
The Adjust link is displayed.

37 Accept Continue consolidation process after a matching step that still contains open
match groups
The Continue button becomes active.

If the process pauses at a check point and still open match groups exist, the
Continue button stays active only if the activity 37 Accept is permitted.
Caution
In addition, the activity 31 Confirm has to be permitted.
Note
12.1.2 MDC_PFILT
Use
This document describes details of the authorization object MDC_PFILT
To create a process you have to select a Source, which is a combination of Source System, Status, and an optional
Source Filter.
Features
The attribute Source Filter MDC_FILTER is assigned to the authorization object: Depending on the permitted value
the processes are displayed in the process list and the sources are displayed in the Sources dialog box during the
process creation.
12.1.3 MDC_MASS
Use
This document describes details of the authorization object MDC_MASS.

Features
Table 11:
01 Create or generate Create mass processes
02 Change Run mass processes
The Start, Retry, Rollback and Save buttons become active.
Note
03 Display Display mass processes
06 Delete Delete mass processes
The Delete button becomes active.
31 Confirm Continue or rollback mass processes after a process step has been executed.
The Continue button and the Rollback button become active.
Caution
If the process pauses at a check point, the Continue button and the Rollback but
ton stay active only if the activity 31 Confirm is permitted.
Note
36 Extended mainte Adjust configuration within the process UI for the current process
nance
The Adjust link is displayed.
12.1.4 MDC_ADMIN
Use
This document describes details of the authorization object MDC_ADMIN

Features
Table 12:
02 Change Change process parameters in the process UI like:
Adapter for a process step

Adapter Configuration
Check Point
06 Delete Run the transaction MDC_ADMIN_DELETE
This transaction is used to delete processes with an inconsistent status, for exam
ple caused by a system error.
60 Import Run the report MDC_BP_TRANSFORM_SOURCE_DATA.
This report transforms customer and vendor data to business partner data during
the data import.
12.2 Authorization Objects and Roles Used by SAP MDG,

Central Governance
The following authorization objects are used by all components of Master Data Governance.
Note
To obtain more detailed information about specific authorization objects proceed as follows:
1. Choose SAP Menu Tools ABAP Workbench Development Other Tools Authorization Objects
Objects (Transaction SU21).
2. Select the authorization object using and then choose .

3. On the Display authorization object dialog box choose Display Object Documentation.
Table 13:
MDG_MDF_TR Master Data: Transport
MDG_IDM Key Mapping

USMD_CREQ Change Request
USMD_MDAT Master Data
USMD_MDATH Hierarchies
USMD_UI2 UI Configuration
DRF_RECEIVE Authorization for outbound messages for receiver systems
DRF_ADM Create Outbound Messages
CA_POWL Authorization for iViews for personal object worklists
BCV_SPANEL Execute Side Panel
BCV_USAGE Usage of Business Context Viewer
MDG_DEF Data Export
MDG_DIF Data Import
S_DMIS Authority object for SAP SLO Data migration server
Caution
For information about component specific authorization objects, see the corresponding sections:
Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 29]

Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 30]
Master Data Governance for Customer (CA-MDG-APP-CUS) [page 33]
Master Data Governance for Material (CA-MDG-APP-MM) [page 35]
Master Data Governance for Financial (CA-MDG-APP-FIN) [page 38]
Master Data Governance for Custom Objects (CA-MDG-COB) [page 39]
Standard Role
Table 14:
Role Name
SAP_MDG_ADMIN Master Data Governance Administrator
This role contains authorizations needed for administrative tasks and for setting up a base configuration in all
components of Master Data Governance. Some authorizations enable critical activities. If multiple users in your
organization are entrusted with the administration and configuration of Master Data Governance, we recommend

that you split the role into several roles, each with its own set of authorizations. The role does not contain the
authorizations for the respective master data transactions.
Enterprise Search
To use the Enterprise Search users have to be assigned to the role SAP_ESH_SEARCH Enterprise Search Hub
(Composite): Authorizations for searching.
12.2.1 Master Data Governance for Business Partner (CA-MDG-

APP-BP)
Use
Master Data Governance for Business Partner mainly uses the authorization objects of the business objects
Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the
authorization objects of the Data Replication Framework.
Table 15:
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.
B_BUPR_BZT Business Partner Relationships: Relationship Categories
BCV_QUILST Overview
DC_OBJECT Data Cleansing
BCV_PERS Personalize BCV UI for Query View
BCV_QRYVW Query View
BCV_QUERY Query
BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects
S_PB_CHIP ABAP Page Builder: CHIP
S_PB_PAGE ABAP Page Builder: Page Configuration
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 27].
Standard Roles
Table 16:
Role Name
Master Data Governance for Business Partner: Menu
Master Data Governance for Business Partner: Display
Master Data Governance for Business Partner: Requester
Master Data Governance for Business Partner: Specialist
Master Data Governance for Business Partner: Data Steward
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.
More Information
If you use the optional feature address screening, see the corresponding security guide under http://
help.sap.com/fra .
For details on the address screening, see .
12.2.2 Master Data Governance for Supplier (CA-MDG-APP-

SUP)
Use

Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Vendor, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.
Table 17:
Note
B_BUPR_BZT Business Partner Relationships: Relationship Categories
DC_OBJECT Data Cleansing
F_LFA1_APP Vendor: Application Authorization
F_LFA1_BEK Vendor: Account Authorization
Note
F_LFA1_BUK Vendor: Authorization for Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Account Group Authorization
M_LFM1_EKO Purchasing organization in supplier master data
BCV_PERS Personalize BCV UI for Query View
BCV_QRYVW Query View
BCV_QUERY Query
BCV_QUILST Overview
BCV_QVWSNA Query View Snapshot
S_START Start Authorization Check for TADIR Objects

S_PB_CHIP ABAP Page Builder: CHIP
S_PB_PAGE ABAP Page Builder: Page Configuration
Caution
Standard Roles
Table 18:
Role Name
SAP_MDGS_MENU_04
SAP_MDGS_DISP_06
SAP_MDGS_REQ_06
SAP_MDGS_SPEC_06
SAP_MDGS_STEW_04
SAP_MDGS_VL_MENU_04
SAP_MDGS_LVC_MENU_04
SAP_MDGS_LVC_REQ_04
More Information
help.sap.com/fra .

12.2.3 Master Data Governance for Customer (CA-MDG-APP-
CUS)
Use
Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Customer, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.
Note
Depending on whether you use the Master Data Governance for Customer or a different set of authorization
objects is required.
Table 19:
Authorization Object Description Hub Client

Sys Sys
tem tem
B_BUPA_GRP Business Partner: Authorization x x

Groups
Note
This authorization object is optional. You need to assign this au
thorization object only if master data records are to be specifi
cally protected.
B_BUPA_RLT Business Partner: BP Roles x x
B_BUPR_BZT Business Partner Relationships: Rela x x

tionship Categories
DC_OBJECT Data Cleansing x
F_KNA1_APP Customer: Application Authorization x x
F_KNA1_BED Customer: Account Authorization x x
Note
This authorization object is optional. You do not need to assign
this authorization object if no master records are to be specifi
cally protected.

Authorization Object Description Hub Client
Sys Sys
tem tem
F_KNA1_BUK Customer: Authorization for Com x x

pany Codes
F_KNA1_GEN Customer: Central Data x x
F_KNA1_GRP Customer: Account Group Authoriza x x

tion
MDGC_LCOPY Copy Customer Master Data from x

MDG Hub
V_KNA1_BRG Customer: Account Authorization for x x

Sales Areas
V_KNA1_VKO Customer: Authorization for Sales x x

Organizations
BCV_PERS Personalize BCV UI for Query View x x
BCV_QRYVW Query View x x
BCV_QUERY Query x x
BCV_QUILST Overview x x
BCV_QVWSNA Query View Snapshot x x
S_START Start Authorization Check for TADIR x x

Objects
S_PB_CHIP ABAP Page Builder: CHIP x x
S_PB_PAGE ABAP Page Builder: Page Configura x x

tion
Caution
Standard Roles
Table 20:
Role Name
SAP_MDGC_MENU_04

Role Name
SAP_MDGC_DISP_05
SAP_MDGC_REQ_05
SAP_MDGC_SPEC_05
SAP_MDGC_STEW_04
SAP_MDGC_CL_MENU_04
SAP_MDGC_LCC_MENU_04
SAP_MDGC_LCC_REQ_04
If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data
Model and define which entity types and attributes are authorization relevant.
More Information
help.sap.com/fra .
12.2.4 Master Data Governance for Material (CA-MDG-APP-

MM)
Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for
example, the authorization objects of the Material Master and the Application Framework for Master Data
Governance.
Table 21:
K_TP_VALU Transfer Price Valuations
M_MATE_MAF Material Master: Material Locks
M_MATE_MAT Material Master: Material

M_MATE_MAR Material Master: Material Type
M_MATE_WGR Material Master: Material Group
M_MATE_STA Material Master: Maintenance Status
M_MATE_MTA Material Master: Change Material Type
M_MATE_WRK Material Master: Plant
M_MATE_MAN Material Master: Central Data
M_MATE_NEU Material Master: Create
M_MATE_BUK Material Master: Company Codes
M_MATE_VKO Material Master: Sales Organization/Distribution Channel
M_MATE_LGN Material Master: Warehouse Numbers
C_KLAH_BKL Authorization for Classification
C_KLAH_BSE Authorization for Selection
C_TCLA_BKA Authorization for Class Types
C_DRAD_OBJ Create/Change/Display/Delete Object Link
C_DRAW_DOK Authorization for document access
C_DRAW_TCD Authorization for document activities
C_DRAW_TCS Status-Dependent Authorizations for Documents
C_DRAW_BGR Authorization for authorization groups
C_DRAW_STA Authorization for document status
C_FVER_WRK PP-PI: Production Version - Plant
DRF_RECEIV Authorization for outbound messages for receiver systems
DRF_ADM Create Outbound Messages

PLM_SPUSR Superuser by Object Type
Note
You need this authorization object for the object type
PLM_MAT only if the search object connector of SAP Net
Weaver Enterprise Search is created for the following En
terprise Search software components:
PLMWUI
Software components that include PLMWUI
For more information about SAP NetWeaver Enterprise

Search, see .
C_AENR_BGR CC Change Master Authorization Group
C_AENR_ERW CC Eng. Chg. Mgmt. Enhanced Authorization Check
C_AENR_RV1 CC Engineering change mgmt revision level for material
BCV_QUILST Overview
Caution
Standard Roles
Table 22:
Role Name
SAP_MDGM_MENU_06
SAP_MDGM_DISP_06
SAP_MDGM_REQ_06
SAP_MDGM_SPEC_06
SAP_MDGM_STEW_06

12.2.5 Master Data Governance for Financials (CA-MDG-APP-
FIN)
Table 23:
USMD_DIST Distribution
Note
This authorization object is used if you have not activated
business function MDG_FOUNDATION.
(Switch: FIN_MDM_CORE_SFWS_EHP5)
USMD_EDTN Edition
Caution
Standard Roles
Table 24:
Role Description
SAP_MDGF_ACC_DISP_07
SAP_MDGF_ACC_REQ_07
SAP_MDGF_ACC_SPEC_07
SAP_MDGF_ACC_STEW_04
SAP_MDGF_CO_DISP_04
SAP_MDGF_CO_REQ_06
SAP_MDGF_CO_SPEC_04
SAP_MDGF_CO_STEW_04
SAP_MDGF_CTR_DISP_04
SAP_MDGF_CTR_REQ_06

Role Description
SAP_MDGF_CTR_SPEC_04
SAP_MDGF_CTR_STEW_04
12.2.6 Master Data Governance for Custom Objects (CA-MDG-

COB)
You can use the following authorization objects for Master Data Governance for Custom Objects.
Table 25:
USMD_DIST Replication
USMD_DM Data Model
USMD_EDTN Edition Type
Caution
Standard Role
Table 26:
Role Name
Master data governance for self-defined objects
Master Data Governance for Custom Objects - Flight Data

Model (MDG 8.0)

13 Change Settings of Generated MDG
Database Tables
Use
The SAP system generates database tables for the entities of all defined data models. The settings of these
database tables are the following:
Buffering and log of data changes is switched on.

Display and maintenance is allowed with restrictions.
Activities
To change these settings of generated MDG database tables run the transaction MDG_TABLE_ADJUST.
The results of the transaction are listed in the transaction SLG1 (Analyse Application Log), using Object FMDM and
Subobject ADJUST_TABLE.
Caution
You have to execute the transaction in each system manually.
After a model activation it might be necessary to execute the transaction again.
More Information
For more information see SAP note 1828363 .

40 PUBLIC Change Settings of Generated MDG Database Tables
14 Appendix
For more information about the security of SAP applications see SAP Service Marketplace at http://
service.sap.com/security .
You can also access additional security guides via SAP Service Marketplace at http://service.sap.com/
securityguide .
For more information about security issues, see SAP Service Marketplace at http://service.sap.com .
For information about SAP Fiori Implementation including Security Information, see http://help.sap.com/
fiori_implementation .
Table 27:
Topic SAP Service Marketplace
Master guides, installation guides, upgrade guides, and Solu /instguides

tion Management guides
/ibc
Related notes /notes
Platforms /platforms
Network security /network
/securityguide
Technical infrastructure /ti
SAP Solution Manager /solutionmanager

Appendix PUBLIC 41
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).

42 PUBLIC Important Disclaimers and Legal Information
Important Disclaimers and Legal Information PUBLIC 43
go.sap.com/registration/
contact.html
2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.

Sap MDG Guide

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Sap MDG Guide

Hochgeladen von

Copyright:

Verfügbare Formate

PUBLIC

SAP Master Data Governance Security Guide

1 SAP Master Data Governance Security Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5 User Management and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

7 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

8 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

9 Enterprise Services Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

10 Security-Relevant Logs and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

12 Authorization Objects and Roles Used by SAP Master Data Governance. . . . . . . . . . . . . . . . . . . . 22

SAP Master Data Governance Security Guide

13 Change Settings of Generated MDG Database Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

SAP Master Data Governance Security Guide

SAP Master Data Governance Security Guide

Why Is Security Necessary?

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start [page 7]

SAP Master Data Governance Security Guide

SAP Master Data Governance Security Guide

Title SAP Note Comment

Code injection vulnerability in UAC_AS 1493809 MDG and XBRL

Content Quick Link on SAP Service Marketplace or SDN

Security Guides http://service.sap.com/securityguide

Related Notes http://service.sap.com/notes

Allowed platforms http://service.sap.com/pam

Network security http://service.sap.com/securityguide

SAP Solution Manager http://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

SAP Master Data Governance Security Guide

Subject Guide/Tool Quick Link to SAP Service Marketplace

Technical description of Master Data Master Guide http://service.sap.com/instguides

High availability High Availability for SAP Solutions http://sdn.sap.com/irj/sdn/ha

Design of technical landscape See available documents http://sdn.sap.com/irj/sdn/landscape

Security See available documents http://sdn.sap.com/irj/sdn/security

SAP Master Data Governance Security Guide

User Administration [page 9]

5.1 User Administration

User Administration Tools

SAP Master Data Governance Security Guide

System User ID Type Password Additional Information

SAP Master Data Governance Security Guide

5.2 User Data Synchronization

5.3 Integration into Single Sign-On Environments

Master Data Governance supports the following mechanisms:

Secure Network Communication (SNC)

SAP Logon Tickets

SAP Master Data Governance Security Guide

SAP Master Data Governance Security Guide

Standard Roles and Standard Authorization Objects

Authorizations for Customizing Settings

SAP Master Data Governance Security Guide

Communication Channel Security [page 14]

7.1 Communication Channel Security

Application server to applica RFC, HTTP(S) Integration data Business data

SAP Master Data Governance Security Guide

Application server to applica HTTP(S) Application data For example, passwords,

7.2 Network Security

7.3 Communication Destinations

Employ the user types system and communication.

SAP Master Data Governance Security Guide

Choose a secure password and do not divulge it to anyone else.