Security Guide

Document version:1.1 2014-08-18

SAP Supplier Lifecycle Management 2.0

PUBLIC

Copyright 2014 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
written permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10,
System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/
400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2
Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli
and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and
implemented by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP
products and services mentioned herein as well as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and in several other countries all over the world. All other product and service names
mentioned are the trademarks of their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated
companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and
SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Some components of this product are based on Java. Any code change in these components may cause
unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these
components.
Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be
modified or altered in any way.

PUBLIC
Copyright 2014 SAP AG.
All rights reserved.


Typographic Conventions

Table 1

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, Enter your <User Name>.
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | Cross-references to other documentation or published works
Example | Output on the screen following a user action, for example, messages
Example | Source code or syntax quoted directly from a program
Example | File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard

Document History

Caution
Before you start the implementation, make sure you have the latest version of this document. You can find the
latest version at the following location: service.sap.com/securityguide.

The following table provides an overview of the most important document changes.

Table 2

Version | Date | Description
1.0 | 2014-07-28 | Initial version of the Security Guide for SAP Supplier Lifecycle Management 2.0.
1.1 | 2014-08-18 | Chapter Data Protection: Paragraphs added about blocking of personal data (business partner) and about sample configuration for read access logging (RAL).

Content

1 Introduction
2 Before You Start . . . 8
3 Technical System Landscape . . . 10
4 Security Aspects of Data, Data Flow, and Processes . . . 15
5 User Administration and Authentication . . . 29
5.1 User Management . . . 29
5.2 User Data Synchronization . . . 31
5.3 Integration Into Single Sign-On Environments . . . 31
6 Authorizations . . . 33
7 Session Security Protection . . . 38
8 Network and Communication Security . . . 39
8.1 Communication Channel Security . . . 39
8.2 Communication Destinations . . . 41
9 Internet Communication Framework (ICF) Security . . . 51
10 Data Storage Security . . . 53
11 Data Protection . . . 54
11.1 Deletion of Personal Data . . . 55
11.2 Read Access Logging . . . 56
12 Security for Additional Applications . . . 57
13 Dispensable Functions with Impacts on Security . . . 59
14 Enterprise Services Security . . . 60
15 Security-Relevant Logging and Tracing . . . 61


Introduction

Caution
This guide does not replace the administration or operation guides that are available for productive operations.
This guide is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals,
or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the
Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary


With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation on your system should not result in a loss of information or processing
time. Likewise, these demands on security apply to SAP Supplier Lifecycle Management.

Recommendation
We strongly recommend that you additionally consult the SAP NetWeaver Security Guide.


Before You Start

Fundamental Security Guides

Table 3: Fundamental Security Guides

Scenario, Application, or Component Security Guide | Most Relevant Sections or Specific Restrictions
SAP NetWeaver Security Guide | See service.sap.com/securityguide → SAP Security Guides → SAP NetWeaver → <select the Security Guide that corresponds to your SAP SLC release>
SAP Supplier Relationship Management Security Guide, using SRM Server 7.01 or higher | See service.sap.com/securityguide → SAP Security Guides → SAP Business Suite Applications → SAP SRM → <select the Security Guide that corresponds to your SAP SLC release>
SAP ERP Security Guide, for example for SAP ERP 6.0 EHP 5 or higher | See service.sap.com/securityguide → SAP Security Guides → SAP Business Suite Applications → SAP ERP → <select the Security Guide that corresponds to your SAP SLC release>
Master Data Governance Security Guide | See service.sap.com/securityguide → SAP Security Guides → SAP Business Suite Applications → SAP Master Data Governance → <select the Security Guide that corresponds to your SAP SLC release>
SAP Jam Administrator Guide | See help.sap.com → Cloud → SAP Jam → Administrator Guide

For a complete list of the available SAP Security Guides, see service.sap.com/securityguide on the SAP Service
Marketplace.
Important SAP Notes

The most important SAP Notes that apply to the security of SAP Supplier Lifecycle Management are listed in the
table below:

Table 4: Important SAP Notes

SAP Note Number | Title | Comment
2027120 | SAP Supplier Lifecycle Management: Add-on installation note | Installing SRMSMC 200 on NW
2026551 | SAP Supplier Lifecycle Management 2.0 Release Information Note | Installation: RIN
517484 | Inactive Services in the Internet Communication Framework | The ICF services are inactive when SAP Web Application Server is installed. Selected services must be activated manually.
1251255 | Authorizations for the system user (WF-BATCH) | Recommendations for the user defined in RFC destination WORKFLOW_LOCAL<client>

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on SAP Service Marketplace at
service.sap.com/securitynotes.

Configuration
The steps you must perform to configure SAP Supplier Lifecycle Management in a secure manner are mentioned
in this document. For more information, see SAP Help Portal at help.sap.com/slc → <release> → Configuration
and Deployment Information → Configuration Guide → Basic Settings for SAP Supplier Lifecycle Management →
Technical Basic Settings.

Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.

Table 5: Quick Links to Additional Information

Content | Quick Link on the SAP Service Marketplace or SDN
Security | sdn.sap.com/irj/sdn/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes, service.sap.com/securitynotes
Released Platforms | service.sap.com/pam
Network Security | service.sap.com/securityguide
SAP Solution Manager | service.sap.com/solutionmanager
SAP NetWeaver | sdn.sap.com/irj/sdn/netweaver

Overview of the Business Scenarios and Business Processes


For an overview of the Business Scenarios and Business Processes supported by SAP Supplier Lifecycle
Management, see the Master Guide for SAP Supplier Lifecycle Management on SAP Service Marketplace at
service.sap.com/slc-inst.


Technical System Landscape

The following graphic gives an overview of a possible technical system landscape of SAP Supplier Lifecycle
Management (SAP SLC). As an example, the system landscape for the standalone deployment is used.

Figure1: System Landscape for Standalone Deployment of SAP Supplier Lifecycle Management

SAP Supplier Lifecycle Management is split into the sell side and the buy side. Suppliers operate only outside the
firewall (sell side), whereas purchasers only operate behind the firewall (buy side). To enable communication
between the buy side and the sell side, you have the following options:

- Point-to-point communication via asynchronous enterprise services, using Web Services Reliable Messaging (WSRM)
- Communication via asynchronous enterprise services, using SAP NetWeaver Process Integration (SAP NetWeaver PI)
- Remote function calls (RFCs), mostly background RFCs (bgRFCs)

For an overview of all supported deployment modes, see the Master Guide for SAP Supplier Lifecycle
Management on SAP Service Marketplace at service.sap.com/slc-inst.
The following graphic gives an overview of the user interface components in SAP Supplier Lifecycle Management
(SAP SLC):


Figure2: User Interface Components in SAP Supplier Lifecycle Management

The table below gives an overview of the user interface components used in SAP Supplier Lifecycle Management
and where you can find more information in the SAP NetWeaver Security Guide that is available on the SAP Help
Portal at help.sap.com/netweaver → SAP NetWeaver Platform → <release> → Security Information.

Table 6

SAP SLC UI Component | Comment | More Information
Web Dynpro for ABAP | Mandatory for all buy-side processes | SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Type → Security Aspects for Usage Type DI and Other Development Technologies → Web Dynpro ABAP Security Guide
Business Server Pages (BSP) | Integral part of SAP NetWeaver. Mandatory for all sell-side processes and for evaluation and qualification responses on the buy side. | SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Aspects for Usage Type DI and Other Development Technologies → Security Aspects for BSP
WebClient UI Framework (Web CUIF) | The technical libraries from this framework are used for the SAP SLC BSP applications. | No further information available
SAP NetWeaver Portal | Optional on the buy side. You can use either the SAP NetWeaver Portal or the SAP NetWeaver Business Client as a framework for displaying Web Dynpro/ABAP and BSP screens on the buy side. On the sell side, you can either use the SAP NetWeaver Portal or call the BSP pages directly, using the corresponding ICF services. | SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Types EPC and EP → Portal Security Guide
SAP NetWeaver Business Client (NWBC) | Optional on the buy side. You can use either the SAP NetWeaver Portal or the SAP NetWeaver Business Client as a framework for displaying Web Dynpro/ABAP and BSP screens. | SAP Help Portal at help.sap.com/netweaver → SAP NetWeaver Platform → SAP NetWeaver 7.0 including Enhancement Package 2 → Application Help → SAP NetWeaver → SAP NetWeaver by Key Capability → Application Platform by Key Capability → ABAP Technology → UI Technology → SAP NetWeaver Business Client → 7 Security Aspects, or the corresponding documentation for higher releases of SAP NetWeaver

Exchange of Data with External Users

The SAP Supplier Lifecycle Management security concept incorporates a demilitarized zone (DMZ) that is
delimited by an inner and an outer firewall. Data exchange with external users (suppliers) in the demilitarized zone
occurs in SAP Supplier Lifecycle Management, using HTTPS-based calling of Business Server Pages (BSP).
The following business processes on the sell side use Business Server Pages:

- Registering Suppliers
- Maintaining Supplier Data
- Qualifying Suppliers
- Task processing in the Managing Activities process

Within the DMZ, we recommend that you use the SAP Web Dispatcher as an application gateway and as a reverse
proxy between the Internet and your SAP Supplier Lifecycle Management system that consists of one or more
SAP NetWeaver Application Servers. Thus, you have only a single point of access for HTTP(S) requests in your
system.
An application gateway allows you to ensure that your URLs and ports for the systems are not known to users
outside the external firewall, while you can configure them to fit your requirements behind the internal firewall. In
this way, the SAP Supplier Lifecycle Management security concept follows the general SAP security standards
used worldwide.
SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) through the internal firewall of the
DMZ. SAP Web Dispatcher also balances the load so that the request is always sent to the server with the greatest
capacity.
For more information about SAP Web Dispatcher, see SAP Help Portal at help.sap.com/netweaver → SAP
NetWeaver Platform → SAP NetWeaver 7.0 including Enhancement Package 2 → Application Help → SAP Library
→ SAP NetWeaver → SAP NetWeaver by Key Capability → Solution Life Cycle Management by Key Capability →
System Management → SAP Web Dispatcher, or the corresponding documentation for higher releases of SAP
NetWeaver.
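Example
The following SAP Web Dispatcher profile fragment illustrates the DMZ setup recommended above: a single HTTPS entry point facing the outer firewall, only the sell-side BSP paths forwarded, and the connection to the ICM behind the inner firewall re-encrypted. It is an added example and is not taken from this guide or delivered with SAP SLC; the parameter names are the standard Web Dispatcher profile parameters, whereas the system ID SLC, the message server host and port, and the URL prefix /sap/bc/bsp/srmsmc/ are placeholder assumptions that you replace with the values of your own landscape.

```ini
# Added example profile for the SAP Web Dispatcher in the DMZ (not part of the guide).
# Placeholders (assumed): SID SLC, message server slc-msg.internal:8101,
# sell-side BSP URL prefix /sap/bc/bsp/srmsmc/.

# Listen only on HTTPS towards the outer firewall; no plain HTTP port is opened,
# so suppliers always call the sell-side BSP pages over TLS.
icm/server_port_0 = PROT=HTTPS, PORT=443

# TLS library and the server PSE that holds the externally visible certificate.
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
ssl/server_pse = $(DIR_INSTANCE)$(DIR_SEP)sec$(DIR_SEP)SAPSSLS.pse

# The sell-side system is reached via its message server on the inner side of the DMZ.
# SRCURL lists the only URL prefixes that are forwarded: the sell-side BSP applications
# (placeholder prefix) and the public resources they need. Buy-side Web Dynpro paths
# match no entry and are therefore never reachable through this gateway, which keeps
# internal URLs and ports unknown outside the external firewall.
wdisp/system_0 = SID=SLC, MSHOST=slc-msg.internal, MSPORT=8101, SRCSRV=*:443, SRCURL=/sap/bc/bsp/srmsmc/;/sap/public/

# Re-encrypt the hop from the Web Dispatcher to the ICM (value 1) instead of
# terminating TLS in the DMZ and passing plain HTTP through the inner firewall.
wdisp/ssl_encrypt = 1
```

Note that the Web Dispatcher only forwards requests; the ICF services behind the listed prefixes must still be activated explicitly on the application server (see SAP Note 517484 in the table of important SAP Notes), and every service left inactive stays unreachable even if its URL were guessed.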

Data Exchange Between SAP SLC Buy Side and SAP SLC Sell Side
Customers often want to run individual components of the software in different network zones for security
reasons. Here, our target applications are the Internet-facing applications (the applications that can be accessed
by individuals or organizations over the public Internet). The graphic below shows the network zones used in SAP
Supplier Lifecycle Management.

Figure 3: Network Zones of SAP Supplier Lifecycle Management

Only data relevant for suppliers is replicated to the sell side of SAP Supplier Lifecycle Management. All other data
is only stored on the buy side. The replication of data is performed using SOA, WSRM, or RFC. If you transfer data
using SOA or WSRM and you want to influence the data that is transferred to the sell side, you can use the BAdIs
from the corresponding inbound SOA implementations on the sell side.

More Information:

- Information about the data transferred using RFC connections can be seen in the signature of the function modules used. For a list of the RFC function modules used in SAP Supplier Lifecycle Management, see section Network Communications.
- Documentation about the data transferred using SOA messages is available on the SAP Help Portal at help.sap.com/slc → <release> → Application Help → SAP Supplier Lifecycle Management → Technical Concepts → Enterprise Services.

More Information
For more information about the technical system landscape, see the resources listed in the table below.

Table 7

Topic | Guide/Tool | Quick Link to SAP Service Marketplace or SDN
Technical description for SAP SRM and the underlying components such as SAP NetWeaver | Master Guide | service.sap.com/srm-inst
High availability (general) | High Availability for SAP Solutions | www.sdn.sap.com/irj/sdn/ha
Technical landscape design | See applicable documents | www.sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | www.sdn.sap.com/irj/sdn/security

Security Aspects of Data, Data Flow, and Processes

This chapter gives an overview of the security mechanisms that are available in the business processes of SAP
Supplier Lifecycle Management. It also describes how you can modify the existing mechanisms and take
additional measures, if required. The business processes of SAP Supplier Lifecycle Management are:

- Registering Suppliers
- Maintaining Supplier Data
- Qualifying Suppliers
- Evaluating Suppliers Based on Events
- Evaluating Supplier Peer Groups
- Managing the Supplier Portfolio
- Classifying Suppliers
- Managing Activities

Registering Suppliers
The figures below show the data flow of the Registering Suppliers process:

Figure 4: Registering Suppliers I

Figure 5: Registering Suppliers II

The table below lists the process steps and the security mechanisms available:

Table 8

Step 1: A potential supplier enters registration data on the sell side.
Security mechanism: No role is required at this stage; any interested user can register using a public service. In the system, a service user with the /SRMSMC/SUP_SELFREG_SELLSIDE role exists to enable access to the self-registration application. If you want potential suppliers to use a CAPTCHA feature to identify them as human users, you can implement a BAdI. For more information, see section User Management → Integration of CAPTCHA.

Step 2: The user submits the registration data on the sell side. The data is not saved.
Security mechanism: n/a

Step 3: The sell-side system sends the registration request to the buy side.
Security mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a specific role. For more information, see section Communication Destinations.

Step 4: The buy-side system receives the registration request and executes a duplicate check to determine whether the supplier already exists.
Security mechanism: n/a

Step 5: An approval workflow is implemented: a work item is created on the buy side.
Security mechanism: n/a

Step 6: An approval step on the buy side determines whether the registration data is accepted or rejected.
Security mechanism: An approval workflow is available that allows you to check potential supplier data. You can replace the configured workflow by your own workflow template. For information about workflow in SAP Supplier Lifecycle Management, see SAP Help Portal at help.sap.com/slc → <release> → Application Help → SAP Supplier Lifecycle Management → Technical Concepts → Approval Processes.

Step 7: If the registration request is approved, supplier data and contact data for the potential supplier is created and saved in the database on the buy side.
Security mechanism: n/a

Step 8: If the registration request is approved, the buy-side system sends the data of the potential supplier to the sell side.
Security mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a specific role. For more information, see section Communication Destinations.

Step 9: If the registration request is rejected, the sell-side system sends an e-mail to the user about the rejection.

Step 10: If the registration request is approved, the sell side receives the supplier and contact data, saves the data on the database, and sends a confirmation to the buy side.
Security mechanism: n/a

Step 11: The sell-side system automatically creates a user (can be displayed in transaction SU01) with the Initial Supplier (/SRMSMC/SUPPLIER_INITIAL) role. An object central person is automatically created and assigned to this user. This central person is also assigned to the contact person of the supplier.
Security mechanism: When you create your own role for this task, ensure that the checkbox Assign Role to Initial Supplier User in Registration is selected in the personalization object /SRMSMC/EXT_ROLE_ATTRIBUTES.

Step 12: The sell-side system sends an e-mail with the data of this user to the e-mail address that the potential supplier has submitted with the registration request under Contact Details.
Security mechanism: You can implement the BAdI Change of Default Recipient (/SRMSMC/BD_SUPPL_NOTIF). This BAdI allows you to change the default logic in many ways, depending on your security policy. For example, you can decide not to send the e-mail to the specified address but to an administrator or to an employee of a shared services center, who discloses the password to the potential supplier by telephone.

Step 13: The sell-side system creates a separate e-mail with a password. By default, this e-mail is sent to the same e-mail address.
Security mechanism: See step 12.

Step 14: The potential supplier logs on with the user ID that was generated by the system (can be displayed in transaction SU01).
Security mechanism: See step 11. By default, the user ID and password are valid for 31 days. If required, you can change the validity period. You can do this in Customizing for SAP Supplier Lifecycle Management under Sell Side → Supplier Registration → Maintain Customer Settings for Supplier Registration. For more information, see SAP Note 1876166.

Step 15: The potential supplier creates the permanent administrator account.
Security mechanism: An alias with a maximum of 40 digits is created for the generated user ID. This alias must be used for all further log-on activities of the administrator.

Step 16: At the same time, the Initial Supplier role (/SRMSMC/SUPPLIER_INITIAL) is replaced by the roles for which the Assign Role to Administrator User in Registration checkbox is selected in the /SRMSMC/EXT_ROLE_ATTRIBUTES personalization object, that is, with the following roles: Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR), Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA), and Qualification Expert (/SRMSMC/QUALIFICATION_EXPERT).
Security mechanism: The potential supplier can no longer log on to the sell-side system or work in the sell-side system with the Initial Supplier (/SRMSMC/SUPPLIER_INITIAL) role.

Step 17: The sell-side system displays a confirmation screen with a link to the Supplier Data Maintenance screen.
Security mechanism: n/a

You can add your own fields or hide SAP-delivered fields used for Registering Suppliers by extending the SAP
screens. Users doing this must have the role Buy-Side/Sell-Side: Administrator for Extensibility (SRMSMC/
ADMINISTRATOR). For more information about the extensibility concept, see SAP Help Portal at help.sap.com/
slc → <release> → Configuration and Deployment Information → Configuration Guide, section Extending the User
Interface by Adding Customer Fields.

Maintaining Supplier Data (Self-Maintenance Performed by Suppliers)


The figure below shows the data flow of the Maintaining Supplier Data process, which is carried out by employees
on the sell side. Maintaining Supplier Data includes:

Company data

Contact details

Employee data

Attachments

Certificates

18

PUBLIC
Copyright 2014 SAP AG.
All rights reserved.

SAP Supplier Lifecycle Management 2.0


Security Aspects of Data, Data Flow, and Processes

Figure6: Maintaining Supplier Data

The table below lists the process steps and the security mechanisms available:
Table 9

Step 1
Description: A user with the role Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA) changes the data of the supplier. This data can be company data, contact details, attachments, or certificates.
Security Mechanism: n/a

Step 2
Description: When the user saves the entries, the data is stored in the database on the sell side. The status of the data is Update Pending until the change is confirmed on the buy side.
Security Mechanism: n/a

Step 3
Description: The updated supplier data is transferred to the buy side using RFC, SAP NetWeaver PI, or WSRM.
Security Mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a specific role. For more information, see section Communication Destinations.

Step 4
Description: An approval workflow allows you to ensure that changed supplier data is checked manually before it is saved on the database and potentially distributed to further systems.
Security Mechanism: For more information about attachments, see section Security for Additional Applications. For information about workflow in SAP Supplier Lifecycle Management, see SAP Help Portal at help.sap.com/slc > <release> > Application Help > SAP Supplier Lifecycle Management > Technical Concepts > Approval Processes.

Step 5a
Description: If the change of the supplier data is approved, the data is updated on the database and transferred to the sell side and the back-end system(s). The supplier data is also updated on the sell side. The sell-side system sends an e-mail to the supplier, informing him about the approval of the data changes.
Security Mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a specific role. For more information, see section Communication Destinations.

Step 5b
Description: If the change of the supplier data is rejected, the changes on the sell side are discarded. An e-mail is sent from the sell side to the supplier about the rejection of the changes.
Security Mechanism: n/a

You can add your own fields or hide SAP-delivered fields used for Maintaining Supplier Data by extending the SAP screens. Users doing this must have the role Buy-Side/Sell-Side: Administrator for Extensibility (/SRMSMC/ADMINISTRATOR). For more information about the extensibility concept, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide, section Extending the User Interface by Adding Customer Fields.

Qualifying Suppliers
The figures below show the data flow of the Qualifying Suppliers process.

Figure 7: Qualifying Suppliers I

Figure 8: Qualifying Suppliers II

The table below lists the process steps and the security mechanisms available:
Table 10

Step 1
Description: A Category Manager (/SRMSMC/CATEGORY_MANAGER) creates a qualification request and enters data.
Security Mechanism: n/a

Step 2
Description: The Category Manager publishes the qualification request.
Note: If the qualification is triggered automatically after the approval of a registration request, steps 1 and 2 are performed automatically by the buy side of SAP Supplier Lifecycle Management.
Security Mechanism: n/a

Step 3
Description: The qualification request is saved on the buy-side database. A copy of the qualification request is transferred to the sell side.
Security Mechanism: n/a

Step 4
Description: A copy of the qualification request is saved on the database on the sell side.
Security Mechanism: n/a

Step 5
Description: The sell-side system creates qualification responses and saves them on the sell-side database.
Security Mechanism: n/a

Step 6
Description: The sell-side system sends an e-mail with a link to the qualification response to the supplier. The response includes one or several questionnaires.
Security Mechanism: n/a

Step 7
Description: The supplier fills out the questionnaire(s) and uploads attachments, if applicable. The sell-side system saves the qualification response on the database.
Security Mechanism: Implement a virus scanner that scans the attachments before they are uploaded. For more information, see section Security for Additional Applications.

Step 8
Description: The supplier submits the qualification response.
Security Mechanism: n/a

Step 9
Description: The sell-side system saves the qualification response and sends the qualification response to the buy side.
Security Mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a specific role. For more information, see section Communication Destinations.

Steps 10, 11
Description: The qualification response is updated on the buy side and saved on the database.
Security Mechanism: You can customize the virus scanner in such a way that attachments to a qualification response are scanned again before the qualification response is saved on the database. For more information, see section Security for Additional Applications.

Step 12
Description: A notification is sent to the Category Manager.
Security Mechanism: You can implement a workflow to enhance the standard approval process.

Step 13
Description: The Category Manager can approve or reject the response, or he can send it back to the supplier and request further clarification. If further clarification is required, steps 7 to 13 are reiterated.
Security Mechanism: n/a

Step 14
Description: The buy-side system saves the qualification response.
Security Mechanism: n/a

Evaluating Suppliers
You can use the following variants of the Evaluating Suppliers process:

- Evaluating Supplier Peer Groups
  In this variant, all activities are performed on the buy side of SAP Supplier Lifecycle Management. No data is transferred between systems.

- Evaluating Suppliers Based on Events
  In this variant, most activities are also performed on the buy side of SAP Supplier Lifecycle Management. However, events occurring in external systems, for example in SAP ERP, trigger the evaluation process. Data relevant for the evaluation is transferred using an RFC. The system user that enables this RFC connection must be assigned the role Buy-Side RFC Inbound Processing in Supplier Evaluation (/SRMSMC/BG_SUP_EVAL_BUYSIDE).
  For more information, see section Communication Destinations, Communication Destinations for Supplier Evaluation. For more information about how to implement RFC connections, about RFC users and the required roles, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > Basic Settings for SAP Supplier Lifecycle Management > Technical Basic Settings > Define RFC Connections > Defining Process-Specific RFC Connections.


Security Measures for System Access

In both variants of the Evaluating Suppliers process, system access can be granted to appraisers in either of the following ways:

- The appraiser has a valid user ID with the Appraiser role (/SRMSMC/EVALUATION_APPRAISER).

- The appraiser has no user ID but a valid e-mail address. The appraiser is then automatically logged on with a service user that is common to all appraisers without system user ID. This user requires the role Appraiser without User ID (/SRMSMC/EVL_APPRAISER_NON_USER). To ensure that each appraiser can only fill out questionnaires that are intended for him or her, a hash function has been implemented.
  For more information about the configuration of supplier evaluation by appraisers without user ID, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > SAP Supplier Lifecycle Management, section Configuring Supplier Evaluation for Appraisers Without a User ID.

By default, access for appraisers without system users is deactivated. You can activate this function in Customizing for SAP Supplier Lifecycle Management under Buy Side > Supplier Evaluation > Basic Settings for Supplier Evaluation > Activate Appraisers Without User ID.

Further Security Measures

Implement a virus scanner that scans the attachments before they are uploaded by appraisers (or by category managers acting on behalf of appraisers). For more information, see section Security for Additional Applications.
For all other security aspects of the Evaluating Suppliers process, the standard security mechanisms provided by SAP NetWeaver are sufficient.
For a description of the process flow of both variants, see SAP Help Portal at help.sap.com/slc > <release> > Application Help > SAP Supplier Lifecycle Management > Buy Side: Activities for Purchasers > Evaluating Suppliers > Evaluating Suppliers Using the Group-Based Process and Evaluating Suppliers Using the Event-Driven Process.

Managing the Supplier Portfolio

In this process, all manual activities are carried out on the buy side of SAP Supplier Lifecycle Management. The data is then distributed to the connected back-end systems SAP SRM and/or SAP ERP using RFC, and to the sell-side system using SOA, WSRM, or RFC.
For the Managing the Supplier Portfolio process, the leading system can be:

- The buy side of SAP SLC
- Leading SAP ERP
- Master Data Governance (MDG)

The figures below show two variants of the data flow of the Managing the Supplier Portfolio process:


Figure 9: Managing the Supplier Portfolio, Leading System: SAP SLC Buy Side

The system connection between SAP SLC buy side and the back-end systems is based on RFC.

Figure 10: Managing the Supplier Portfolio, Leading System: SAP ERP or MDG


If you use SAP ERP or Master Data Governance (MDG) as the leading system, you can create suppliers in these systems. The system connections between SAP SLC buy side and the leading systems are based on the following technologies:

- RFC between SAP SLC buy side and SAP ERP
- SOA (WSRM or SAP NetWeaver PI) between SAP SLC buy side and MDG

The system users that enable the RFC connections must be assigned one of the following roles, as applicable:

- Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
- Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
- RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP)
- RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
- RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)

For more information, see section Communication Destinations. For more information about how to implement RFC connections, about RFC users, and about the roles required, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > Basic Settings for SAP Supplier Lifecycle Management > Technical Basic Settings > Define RFC Connections > Defining Process-Specific RFC Connections.
To modify the data transfer to the receiving systems, you can use the BAdIs that are available in the following places:

- Customizing for SAP Supplier Lifecycle Management under Buy Side > Supplier Portfolio Management > Business Add-Ins (BAdIs) > Supplier Integration
- Customizing for the SAP ERP integration component under SAP Customizing Implementation Guide > Integration with Other SAP Components > SAP Supplier Lifecycle Management > Business Add-Ins (BAdIs) > Supplier Integration
- Customizing for the SAP SRM integration component under SAP Implementation Guide > Integration with Other SAP Components > SAP Supplier Lifecycle Management > Business Add-Ins (BAdIs) > Supplier Integration

Integration of SAP Jam (Optional)

When maintaining supplier data, you can create and assign activities in SAP Jam. The assignment between SAP Jam activities and suppliers resides in the SAP Supplier Lifecycle Management system and is accessed using the SAP Jam ABAP Library. To be able to collaborate using SAP Jam, several prerequisites must be met. For more information, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > Business Processes > Managing the Supplier Portfolio > Configuring the SAP Jam Configuration Functionality for SAP Supplier Lifecycle Management. For security aspects of SAP Jam, see SAP Help Portal at help.sap.com > Cloud > SAP Jam > Administrator Guide.


Figure 11: Using SAP Jam to Collaborate in Managing the Supplier Portfolio

Classifying Suppliers
In this process, all activities are carried out on the buy side of SAP Supplier Lifecycle Management. There is no data transfer to the sell side or the back-end systems.

Security Measures
Implement a virus scanner that scans the attachments before they are uploaded by classification managers. For more information, see section Security for Additional Applications. For all other security aspects, the standard security mechanisms provided by SAP NetWeaver are sufficient.
Two roles are available for the Classifying Suppliers process:

- Users with the Classification Manager (/SRMSMC/CLASSIFICATION_MANAGER) role can create classification profiles and edit classification data.
- Users with the Display Role for Classification (/SRMSMC/CLASSIFICATION_DISPLAY) can display but not create or edit classification data.

For more information about the business process, see SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > Business Processes > Classifying Suppliers.

Managing Activities: Processing of Tasks

The figure below shows the data flow of task processing in the Managing Activities process.


Figure 12

The table below lists the process steps and the security mechanisms available:
Table 11

Step 1
Description: From within an activity, a user with the role Activity Manager (/SRMSMC/ACTIVITY_MANAGER) creates a task and enters data.
Security Mechanism: n/a

Step 2
Description: The Activity Manager sends the task to the supplier. As a result, the task is saved on the buy-side database.
Security Mechanism: n/a

Step 3
Description: A copy of the task is created on the sell side and saved on the sell-side database.
Security Mechanism: n/a

Step 4
Description: The sell-side system sends an e-mail to the supplier contact, informing him about the task.
Security Mechanism: n/a

Step 5
Description: The supplier contact with the role Supplier Task Processor (/SRMSMC/SUPPLIER_TSK_PROCESSOR) processes the task and uploads attachments, if applicable.
Security Mechanism: Implement a virus scanner that scans the attachments before they are uploaded. For more information, see section Security for Additional Applications.

Step 6
Description: The Supplier Task Processor submits the task. The sell-side system sends the task to the buy side.
Security Mechanism: The system is accessed using SOA or RFC communication with a technical user who is assigned a defined role. For more information, see section Communication Destinations.

Step 7
Description: The task is updated on the buy side and saved on the database.
Security Mechanism: You can customize the virus scanner in such a way that attachments to a task are scanned again before the task is saved on the database. For more information, see section Security for Additional Applications.

Step 8
Description: The Activity Manager can set the task to "Completed" or request clarification. If he requests clarification, the task is sent back to the supplier, and steps 3 to 8 are reiterated.
Security Mechanism: n/a

Security Measures
For the Managing Activities process, the following roles are available on the buy side:

- Activity Manager (/SRMSMC/ACTIVITY_MANAGER)
- Participant in Activity (/SRMSMC/ACTIVITY_PARTICIPANT)

The following role is available on the sell side:

- Supplier Task Processor (/SRMSMC/SUPPLIER_TSK_PROCESSOR)

Note that the corresponding Portal roles are not delivered by SAP. If you run SAP Supplier Lifecycle Management in an SAP NetWeaver Portal environment, you must create the Portal roles as described in SAP Note 1685257 (Upload of SAP delivered NWBC Roles to SAP NetWeaver Portal).


User Administration and Authentication

SAP Supplier Lifecycle Management applies the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the Security Guide for SAP NetWeaver Application Server ABAP are also valid for SAP Supplier Lifecycle Management. You can find these guidelines on the SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 including Enhancement Package 2 > Application Help > SAP Library > SAP NetWeaver > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On, or the corresponding documentation for higher releases of SAP NetWeaver.
In addition to these guidelines, you can find information that applies specifically to SAP Supplier Lifecycle Management in the following sections of this guide:

- User Management
  This section lists the tools for user management, the types of users required, and the standard users that are delivered with SAP Supplier Lifecycle Management.

- Integration Into Single Sign-On Environments
  This section describes how SAP Supplier Lifecycle Management supports Single Sign-On (SSO) mechanisms.

5.1 User Management

For an overview of how the security mechanisms available in SAP NetWeaver apply to SAP Supplier Lifecycle
Management, see the sections below.

User Administration Tools

The following table lists the tools to use for user management and user administration with SAP Supplier Lifecycle Management.
Table 12: Mandatory User Management Tools Used in SAP Supplier Lifecycle Management

Tool: Transactions SU01 and SU10
Description: Standard user administration functions of SAP NetWeaver AS ABAP

Tool: Transaction PFCG
Description: Standard role and authorization administration of SAP NetWeaver AS ABAP

Tool: Supplier self-registration on the sell side: A potential supplier enters registration data on the sell side, using a public service; no role is required. If the registration request is approved, the sell-side system automatically creates a user with the Initial Supplier User role (/SRMSMC/SUPPLIER_INITIAL). A central person object is automatically assigned to this user. The contact person is technically related to the supplier.
Description: You create a user and, in transaction SICF on the Logon Data tab, you assign it to the external alias pointing to the ICF service for the self-registration BSP application /default_host/sap/bc/bsp/srmsmc/ros_ext. This user must be assigned the Sell-Side Role for Technical User for Supplier Self-Registration (/SRMSMC/SUP_SELFREG_SELLSIDE).

Tool: The initial user creates an administrator account for his company on the Initial User Administration (User Registration) screen in the BSP application for the supplier administration screens, /default_host/sap/bc/bsp/srmsmc/SRMSMC/ROS_EXT_2.
Description: The supplier administrator can then create further accounts for the employees of his company.

Tool: On the sell side, users with the role Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA) can maintain supplier data in the BSP application /default_host/sap/bc/bsp/srmsmc/SRMSMC/S3Q_EXT. Users with the role Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR) can also maintain users.
Description: Suppliers with the role Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR) can display, create, change, delete, lock, and unlock users for their company. These users can maintain supplier data, edit and display qualification requests, and create other supplier users.
Table 13: Optional User Management Tools That Can Be Used in SAP Supplier Lifecycle Management

Tool: Central User Administration (CUA) of SAP NetWeaver
Description: Serves as a central system for creating users and authorizations. Users in linked systems are created from the central system. Note that for users distributed to SAP Supplier Lifecycle Management the system currently does not create relationships to contact persons.
More Information: SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 including Enhancement Package 2 > Application Help > SAP Library > SAP NetWeaver > SAP NetWeaver by Key Capability > Security > Identity Management > User and Role Administration of AS ABAP, or the corresponding documentation for higher releases of SAP NetWeaver

Tool: SAP Identity Management
Description: Central administration system that includes CUA-like functions. Note that for users distributed to SAP Supplier Lifecycle Management currently no relationships to contact persons are created.
More Information: SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 including Enhancement Package 2 > Application Help > SAP Library > SAP NetWeaver > SAP NetWeaver by Key Capability > Security > Identity Management > User and Role Administration of AS ABAP, or the corresponding documentation for higher releases of SAP NetWeaver

User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may foresee that individual users who perform tasks interactively have to change their passwords on a regular basis. For users enabling background processing this may not be required.
The user types that are required for SAP Supplier Lifecycle Management include the following technical users:

- Service users for:
  - Establishing system connections for WSRM, RFC, and SOA communication
  - Anonymous logon to Supplier Registration
  - Anonymous logon for appraisers without user ID to Supplier Evaluation

- A system user for the execution of the workflow. You must create such a system user, for example WFBATCH.

  Caution
  This user should not be assigned the authorization profile SAP_ALL. Instead, this user should be assigned the following roles:

  - SAP Business Workflow: Service User (SAP_BC_BMT_WFM_SERV_USER)
    This role contains all the necessary authorizations to execute and manage workflows. For more information, see SAP Note 1251255.
  - Category Manager (/SRMSMC/CATEGORY_MANAGER)
    This role contains the necessary authorizations to perform the tasks of a category manager, for example, creating suppliers and contacts.

For more information about the above user types, see User Types in the SAP NetWeaver Application Server ABAP Security Guide.

Integration of CAPTCHA
You can use a BAdI to implement a confirmation prompt to prevent denial-of-service attacks. The BAdI enables you to include any third-party CAPTCHA product in your Supplier Registration web page. CAPTCHA asks users to read a string of distorted characters and type them correctly. (CAPTCHA is the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.) You can implement the BAdI in Customizing for SAP Supplier Lifecycle Management under Sell Side > Supplier Registration > Business Add-Ins > Implementation of the CAPTCHA Function.

5.2 User Data Synchronization

If you use the Central User Administration (CUA) or SAP Identity Management for distributing users to the sell side, you must do the following either manually or using a BAdI to use the distributed user accounts:

- Create a central person for the user in the sell-side system.
- Create a business partner of type Contact Person for the user in the sell-side system.
- Assign the central person to the business partner.
- Assign the new business partner to the Supplier business partner.

5.3 Integration Into Single Sign-On Environments

SAP Supplier Lifecycle Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver AS ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Supplier Lifecycle Management.
For more information about the available authentication mechanisms, see SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 including Enhancement Package 2 > Application Help > SAP Library > SAP NetWeaver > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On, or the corresponding documentation for higher releases of SAP NetWeaver.


Authorizations

SAP Supplier Lifecycle Management uses the authorization concept provided by SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide also apply to SAP Supplier Lifecycle Management. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP. For more information, see SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 including Enhancement Package 2 > Application Help > SAP Library > SAP NetWeaver > SAP NetWeaver by Key Capability > Security > Identity Management > User and Role Administration of AS ABAP, or the corresponding documentation for higher releases of SAP NetWeaver.

Standard Roles
The table below shows the business roles that are available for the buy side of SAP Supplier Lifecycle
Management.
Table 14: Standard Roles Buy Side

Role | Description
/SRMSMC/CATEGORY_MANAGER | Category Manager
/SRMSMC/CLASSIFICATION_MANAGER | Classification Manager
/SRMSMC/CLASSIFICATION_DISPLAY | Display Role for Classification
/SRMSMC/QUESTIONNAIRE_MANAGER | Questionnaire Manager
/SRMSMC/CERTIFICATE_MANAGER | Certificate Manager
/SRMSMC/ACTIVITY_MANAGER | Activity Manager
/SRMSMC/ACTIVITY_PARTICIPANT | Participant in Activity
/SRMSMC/EVALUATION_APPRAISER | Appraiser
/SRMSMC/APPROVER | Approver
/SRMSMC/TRANSLATOR | Translator
/SRMSMC/ADMINISTRATOR | Administrator

The table below shows the business roles that are available for the sell side of SAP Supplier Lifecycle
Management.
Table 15: Standard Roles Sell Side

Role | Description
/SRMSMC/SUPPLIER_INITIAL | Initial Supplier
/SRMSMC/EMPLOYEE_ADMINISTRATOR | Employee Administrator
/SRMSMC/SUPPLIER_MASTER_DATA | Supplier Master Data Manager
/SRMSMC/QUALIFICATION_EXPERT | Qualification Expert
/SRMSMC/SUPPLIER_TSK_PROCESSOR | Supplier Task Processor
/SRMSMC/ADMINISTRATOR | Administrator

The table below shows the technical roles that are available for the buy side and the sell side of SAP Supplier
Lifecycle Management.
Table 16: Technical Roles Buy Side or Sell Side

Role | Description
/SRMSMC/EVL_APPRAISER_NON_USER | Buy Side: Technical User for Appraisers Without System User
/SRMSMC/REPORT_EXEC_ADMIN | Buy Side: Technical Role with Authorization to Start Reports in SAP SLC
/SRMSMC/SUP_SELFREG_SELLSIDE | Sell-Side Role for Technical User for Supplier Self-Registration

For more information about the roles listed above, see SAP Help Portal at help.sap.com/slc > <release> > Application Help > SAP Supplier Lifecycle Management > Technical Concepts > Roles.

Roles for System Communication

In addition, several technical roles exist for implementing the required system connections in a secure manner. For more information, see section Communication Destinations or SAP Help Portal at help.sap.com/slc > <release> > Configuration and Deployment Information > Configuration Guide > Basic Settings for SAP Supplier Lifecycle Management under:

- Point-to-Point Enablement
- SAP NetWeaver Process Integration
- Technical Basic Settings > Define RFC Connections

Authorizations for Executing Reports


To execute reports, users must have been assigned the technical role Buy Side: Technical Role with Authorization
to Start Reports in SAP SLC (/SRMSMC/REPORT_EXEC_ADMIN). Also, users must be authorized to process the
objects and data handled by the reports. Some of the reports additionally check the start authorizations for the
relevant user interface ICF services that process the same data as the report. This is to ensure that the user is
experienced in handling the data affected by the report and is aware of its effects. For more information about the
requirements for each report, see the report documentation that is available in the system.

Authorizations Specific to SAP Supplier Lifecycle Management

Authorizations in the Supplier Portfolio Management Process
Authorization checks allow you to enable users to work with supplier data in create, edit, and display mode, and in all combinations of these modes. The following standard authorization objects for business partners are used:

- Business Partner: Authorization Groups (B_BUPA_GRP)
- Business Partner: BP Roles (B_BUPA_RLT)
- Business Partner Relationships: Relationship Categories (B_BUPR_BZT)

For more information, see SAP Note 1824646.

Authorization Object /SRMSMC/AC

The authorization object /SRMSMC/AC represents the authorization to display screens (actions) in the Supplier Maintenance BSP application on the sell side (/SRMSMC/S3Q_EXT) of SAP Supplier Lifecycle Management. These actions are defined in the sell-side system in Customizing for SAP Supplier Lifecycle Management under Sell Side > Determine Actions. You define which screens and activities users can access by assigning them a role containing this authorization object and selecting the corresponding actions, for example action employee.detail.edit, or certificates, or others. This approach is comparable to the transaction authorization in SAPGUI, or to the S_START authorization in Web Dynpro for ABAP.

Authorization Object /SRMSMC/BO

The authorization object /SRMSMC/BO represents the authorization to interact with an instance of a business object of SAP Supplier Lifecycle Management in a specific way. The following use of the authorization object is supported:

- As the type of business object that the user can access, you can specify the following:
  - Questionnaire (/SRMSMC/BO_QNR)
  - Certificate (/SRMSMC/MO_CRT)
  - Qualification response (/SRMSMC/BO_SQR)
  - Classification profile (/SRMSMC/BO_SCS)
  - Purchasing category (/SRMSMC/MO_PUC)
  - Activity (/SRMSMC/BO_ACT)
  - Task (/SRMSMC/BO_TSK)
- As actions that the user can perform, you can specify, for example, Display, Edit, and Create.

The authorization object is used in the Category Manager, Questionnaire Manager, Translator, Classification Manager, Certificate Manager, and Questionnaire Expert roles, for example. This has the following effect:

- Category managers can display all objects in the question library (sections, questions, and groups), but they cannot create or edit question library objects.
- Category managers can display but not create and edit questionnaires.
- Questionnaire managers can display, create, and edit objects in the question library.
- Questionnaire managers can display, create, and edit questionnaires.
- Translators cannot create any objects but can edit questions, sections, and certificate types.
- Classification managers can display, create, and edit classification profiles.
- Certificate managers can display, create, and edit certificate types.
- Activity managers can display, create, and edit activities and tasks.
- Participants in activities can display activities, and they can display and edit tasks.
- Supplier task processors can display and edit tasks.

The standard behavior for accessing business objects is the following:

- When users access business objects from a POWL, the main business object is always called in Edit mode. Other business objects appearing in the same POWL are called in Display mode.
- When users access a business object as a result of navigating from another business object, it is called in Display mode.

Personalization Object SLC: PFCG Role Attributes


The personalization object SLC: PFCG Role Attributes (/SRMSMC/PFCG_ROLE_ATTRIBUTES) is relevant only on
the buy side. It offers the following checkboxes:

Checkbox Appraiser Role

Checkbox Category Manager Role

SAP Supplier Lifecycle Management 2.0


Authorizations

PUBLIC
Copyright 2014 SAP AG.
All rights reserved.

35

Checkbox Questionnaire Manager Role

Checkbox Approver Role

Checkbox Classification Manager Role

Checkbox Activity Manager Role

Checkbox Activity Participant Role

Setting one of the above checkboxes in a role has the following effects on users to whom the role has been
assigned:

The users can perform the activities intended for this role. Note that, in addition to the checkbox in the
personalization object, performing these activities also depends on the authorization objects assigned to the
role.

Only users for whom the personalization object checkbox is selected are considered during a search, for
example, a search for an Appraiser or a Purchaser Responsible.

Example
For a user to be found in a search for Purchaser Responsible, the Category Manager Role, the
Classification Manager Role, the Questionnaire Manager Role, or the Activity Manager
Role checkbox is required, depending on the process in which the search is performed.

Personalization Object SLC Sell Side: PFCG Role Attributes


The personalization object SLC Sell Side: PFCG Role Attributes (/SRMSMC/EXT_ROLE_ATTRIBUTES) offers three
checkboxes that allow you to specify the following in the sell-side roles:

Checkbox Assign Role to Initial Supplier User in Registration


Select this checkbox in a role that you want to be automatically assigned to users for initial access to the sell-side system.
In the SAP standard, the checkbox is selected in the Initial Supplier role (/SRMSMC/SUPPLIER_INITIAL).

Checkbox Assign Role to Administrator User in Registration


Select this checkbox in a role that you want to be automatically assigned to users who act as administrators
for supplier data and employee data on the sell side.
In the SAP standard, the checkbox is selected in the following roles:

Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR)

Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA)

Checkbox Display Role in Employee Administration


Select this checkbox in roles that you want the Employee Administrator to be able to assign to users.
In the SAP standard, the checkbox is selected in the following roles:

Employee Administrator (/SRMSMC/EMPLOYEE_ADMINISTRATOR)

Qualification Expert (/SRMSMC/QUALIFICATION_EXPERT)

Supplier Master Data Manager (/SRMSMC/SUPPLIER_MASTER_DATA)

Supplier Task Processor (/SRMSMC/SUPPLIER_TASK_PROCESSOR)

Critical Combinations
We recommend that you do not assign the Appraiser and the Category Manager role to the same person. Under
exceptional circumstances, such as Category Managers filling out questionnaires for other colleagues, you can
grant both roles to the same person.

Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookie(s), you must activate
secure session management via HTTPS. SAP Supplier Lifecycle Management only supports Secure Sockets Layer
(SSL) technology to protect the network communications where security-relevant cookies are involved.

Session Security Protection on the AS ABAP


To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookies
(SAP_SESSIONID_<sid>_<client>), activate Secure Session Management. With an existing security session,
users can then start applications that require a user logon without logging on again. When a security session is
ended, the system also ends all applications that are linked to this security session.
Use transaction SICF_SESSIONS to specify the parameter values shown in the table below in your AS ABAP
system:
Table 17

Profile Parameter | Recommended Value | Comment
icf/set_HTTPonly_flag_on_cookies | 0: HTTPonly attribute active for all ICF cookies | Client-dependent
login/ticket_only_by_https | 1: Ticket is only sent by the browser during HTTPS connections | Not client-dependent

For more information, a list of the relevant profile parameters, and detailed instructions, see SAP Help Portal at
help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2
Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability Security User
Authentication and Single Sign-On Authentication on the AS ABAP Using SAML 2.0 Activating HTTP Security
Session Management on AS ABAP or the corresponding documentation for higher releases of SAP NetWeaver.
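The two settings in Table 17, and the cookie attributes they are meant to produce, can be verified offline from captured values. The following Python is an added example, not part of the SAP guide; it assumes that the logon ticket cookie is named MYSAPSSO2 and that login/ticket_only_by_https = 1 shows up as the Secure attribute on that cookie, and the parameter values and Set-Cookie headers it reads are constructed.

```python
import re
from dataclasses import dataclass

# Recommended values from Table 17 of the guide
RECOMMENDED = {
    "icf/set_HTTPonly_flag_on_cookies": "0",  # 0 = HttpOnly on all ICF cookies
    "login/ticket_only_by_https": "1",        # ticket sent only over HTTPS
}
# icf/set_HTTPonly_flag_on_cookies is client-dependent (maintained per client
# in SICF_SESSIONS); login/ticket_only_by_https is instance-wide.
CLIENT_DEPENDENT = {"icf/set_HTTPonly_flag_on_cookies"}

# Security session cookie SAP_SESSIONID_<sid>_<client>, e.g. SAP_SESSIONID_ABC_100
SESSION_COOKIE_RE = re.compile(r"^SAP_SESSIONID_[A-Z0-9]{3}_\d{3}$")
LOGON_TICKET_COOKIE = "MYSAPSSO2"  # assumption: standard logon ticket cookie name


def check_profile_parameters(system_params, client_params):
    """Compare captured values with Table 17.

    system_params: {name: value} for instance-wide parameters.
    client_params: {client: {name: value}} for client-dependent ones.
    Returns (client, name, actual, recommended) tuples; client is None for
    instance-wide parameters and actual is None when the parameter is unset.
    """
    deviations = []
    for name, rec in RECOMMENDED.items():
        if name in CLIENT_DEPENDENT:
            for client, params in sorted(client_params.items()):
                actual = params.get(name)
                if actual is None or str(actual).strip() != rec:
                    deviations.append((client, name, actual, rec))
        else:
            actual = system_params.get(name)
            if actual is None or str(actual).strip() != rec:
                deviations.append((None, name, actual, rec))
    return deviations


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, {attr: value}).
    Attribute names are lower-cased; flag attributes get an empty value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_security_relevant(name):
    """True for the logon ticket and security session cookies the guide protects."""
    return name == LOGON_TICKET_COOKIE or bool(SESSION_COOKIE_RE.match(name))


@dataclass(frozen=True)
class CookieFinding:
    name: str
    missing: tuple  # attributes expected but absent, e.g. ("Secure",)


def audit_cookies(set_cookie_headers):
    """Report every security-relevant cookie lacking HttpOnly or Secure.
    Cookies that are not security-relevant are ignored."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not is_security_relevant(name):
            continue
        missing = tuple(
            flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs
        )
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample input (not captured from a real system)
SAMPLE_SYSTEM_PARAMS = {"login/ticket_only_by_https": "0"}
SAMPLE_CLIENT_PARAMS = {
    "100": {"icf/set_HTTPonly_flag_on_cookies": "0"},
    "200": {},  # parameter never maintained for client 200
}
SAMPLE_SET_COOKIE = [
    "SAP_SESSIONID_ABC_100=Rk9PQkFS; path=/; HttpOnly",
    "MYSAPSSO2=AjExMDAgdGlja2V0; path=/; domain=.example.com; secure; HttpOnly",
    "sap-usercontext=sap-client=100; path=/",
    "SAP_SESSIONID_ABC_200=QkFaQlVa; path=/",
]

if __name__ == "__main__":
    for dev in check_profile_parameters(SAMPLE_SYSTEM_PARAMS, SAMPLE_CLIENT_PARAMS):
        print("parameter deviation:", dev)
    for finding in audit_cookies(SAMPLE_SET_COOKIE):
        print("cookie finding:", finding)
```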


Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication that is required for your business without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, there is no way for intruders to compromise the machines and
gain access to the back-end system's database or files. Additionally, if users are not able to connect to the server
LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the
server machines.
The network topology for SAP Supplier Lifecycle Management is based on the topology used by the SAP
NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver
Security Guide also apply to SAP Supplier Lifecycle Management.
For more information, see the following information on the SAP Help Portal at help.sap.com/netweaver SAP
NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2 Security Information SAP
NetWeaver Security Guide or in the corresponding documentation for higher releases of SAP NetWeaver:

Network and Communication Security

Security Guides for Connectivity and Interoperability Technologies

Details about network and communication security that are specific to SAP Supplier Lifecycle Management are
described in the following sections of this document.

8.1 Communication Channel Security

To establish the communication between SAP Supplier Lifecycle Management buy side and sell side, you have the
following options:

Point-to-Point communication via asynchronous enterprise services, using Web Services Reliable Messaging
(WSRM)

Communication via asynchronous enterprise services, using SAP NetWeaver Process Integration (SAP
NetWeaver PI)

Remote function calls (RFCs), mostly background RFCs (bgRFCs)

Note

From a security point of view, the options using asynchronous enterprise services are preferable.

Communication between SAP Supplier Lifecycle Management and its back-end systems, SAP ERP and
SAP SRM, or with a leading SAP ERP system is always based on remote function calls (RFCs).

Communication between SAP Supplier Lifecycle Management and Master Data Governance (MDG) can be
based on WSRM or SAP NetWeaver PI.

More Information

For more information about SAP NetWeaver Process Integration, see the section Enterprise Services
Security.

For information about the configuration of the above communication channels, see SAP Help Portal at
help.sap.com/slc SAP NetWeaver 7.0 including Enhancement Package 2 Configuration and Deployment
Information Configuration Guide Basic Settings for SAP Supplier Lifecycle Management or the
corresponding documentation for higher releases of SAP NetWeaver under:

Point-to-Point Enablement

SAP NetWeaver Process Integration

Technical Basic Settings Define RFC Connections

The table below shows the communication paths used by SAP Supplier Lifecycle Management, the protocol used
for the connection, and the type of data transferred.
Table 18: Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client using a Web browser to AS ABAP | HTTPS | All application data | Passwords, personal data, bank data, tax data
Communication between sell side and buy side | You have the following options: RFC (in some cases synchronous); Enterprise services using SAP NetWeaver PI; WSRM | All application data | Passwords, personal data, bank data, tax data
Communication between buy side and back ends or between buy side and leading SAP ERP | RFC (in some cases synchronous) | All application data | Personal data, bank data, tax data
Communication between buy side and MDG | WSRM or SAP NetWeaver PI | All application data | Personal data, bank data, tax data

The Dynamic Information and Action Gateway (DIAG) and RFC connections can be protected using Secure
Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL)
protocol.

More Information
For more information about SNC and SSL, see SAP Help Portal at help.sap.com SAP NetWeaver Platform SAP
NetWeaver 7.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP
NetWeaver by Key Capability Security Network and Transport Layer Security Transport Layer Security on the
AS ABAP or the corresponding documentation for higher releases of SAP NetWeaver.
For more information about bgRFCs, see SAP Help Portal at help.sap.com SAP NetWeaver Platform SAP
NetWeaver 7.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP
NetWeaver by Key Capability Application Platform by Key Capability Platform-Wide Services Connectivity
Components of SAP Communication Technology Classical SAP Technologies (ABAP) RFC Background
Communication bgRFC (Background Remote Function Call) or the corresponding documentation for higher
releases of SAP NetWeaver.

8.2 Communication Destinations

To establish the communication between SAP Supplier Lifecycle Management buy side and sell side, you have the
following options:

Point-to-Point communication via asynchronous enterprise services, using Web Services Reliable Messaging
(WSRM)

Communication via asynchronous enterprise services, using SAP NetWeaver Process Integration (SAP
NetWeaver PI)

Remote function calls (RFCs)

Cross-system communication is required to enable the following processes running between the buy side and the
sell side:

Supplier registration

Supplier data maintenance

Supplier portfolio management

Supplier qualification

Task processing in activity management

For more information, see chapter 4, Security Aspects of Data, Data Flow, and Processes.

Enterprise Services (SOA) Communication


To enable cross-system communication based on the Service-Oriented Architecture (SOA), you must create
technical users with the following roles:
Table 19

User | System | Process | PFCG Role
<SOA User 1> | Buy side | Supplier registration | Buy-Side SOA Inbound Processing in Registering Suppliers (/SRMSMC/SOA_SUP_REG_BUYSIDE). This user is required to execute inbound SOA calls that transfer the supplier registration request from the sell side to the buy side.
<SOA User 2> | Sell side | Supplier registration | Sell-Side SOA Inbound Processing in Registering Suppliers (/SRMSMC/SOA_SUP_REG_SELLSIDE). This user is required to execute inbound SOA calls that trigger the rejection e-mail to be sent to potential suppliers after they have been rejected on the buy side, for example, as the negative result of an approval workflow on the buy side.
<SOA User 3> | Buy side | Supplier data maintenance, including task processing, in activity management | Buy-Side SOA Inbound Processing when Transferring Supplier Data (/SRMSMC/SOA_SUP_MNGT_BUYSIDE). This user is required to execute inbound SOA calls on the buy side.
<SOA User 4> | Sell side | Supplier data maintenance, including task processing, in activity management | Sell-Side SOA Inbound Processing when Transferring Supplier Data (/SRMSMC/SOA_SUP_MNGT_SELLSIDE). This user is required to execute inbound SOA calls on the sell side.
<SOA User 5> | Buy side | Supplier qualification | Buy-Side SOA Inbound Processing in Qualifying Suppliers (/SRMSMC/SOA_SUP_QUAL_BUYSIDE). This user is required to execute inbound SOA calls that transfer the supplier qualification response from the sell side to the buy side.
<SOA User 6> | Sell side | Supplier qualification | Sell-Side SOA Inbound Processing in Qualifying Suppliers (/SRMSMC/SOA_SUP_QUAL_SELLSIDE). This user is required to execute inbound SOA calls that transfer the supplier qualification request from the buy side to the sell side.

Note
The above roles only contain the required business authorizations. Depending on the technology you use for
system communication, the following additional roles are required:

For point-to-point (P2P) communication using WSRM, also assign the Web Service Consumer role
(SAP_BC_WEBSERVICE_CONSUMER) to the technical users.

For communication through an SAP NetWeaver Process Integration Server, assign the Exchange
Infrastructure: Service User for Application Systems role (SAP_XI_APPL_SERV_USER).

RFC Communication
In SAP Supplier Lifecycle Management, you can use RFC connections as an alternative to SOA communication to
enable communication between the sell side and the buy side, and also between SAP Supplier Lifecycle
Management and its back-end systems. For the RFC connections to work, they must have been assigned to their
respective communication process types in the target systems, that is, in SAP ERP, SAP SRM, or on the sell side
of SAP Supplier Lifecycle Management.
To enable cross-system communication between the buy side and the sell side of SAP SLC and between the buy
side of SAP SLC and its back-end systems, you must create several technical users of the user type Service in all
systems that are involved in the communication. Note that, for security reasons, you must create a separate
technical user for each communication process type. The roles that you assign to these technical users are
specific to the combination of a communication process type and the target system of the RFC. These RFC roles
contain authorizations to execute RFCs (authorization object S_RFC) as well as application-specific authorizations
for inbound processing in the receiving system.

Note

The RFC connections listed below mostly use background RFCs (bgRFCs).

The entries in the S/A column indicate whether an RFC call is synchronous (S) or asynchronous (A).


Table 20: Communication Destinations Specific to the Registering Suppliers Process (Communication Process Type Supplier Registration)

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
Transfer registration request from sell side to buy side | SAP SLC sell side to buy side | A | /SRMSMC/ROS_REQUEST_INBOUND | Buy-Side RFC Inbound Processing in Registering Suppliers (/SRMSMC/RFC_SUP_REG_BUYSIDE)
Send rejection e-mail if potential supplier was rejected on buy side | SAP SLC buy side to sell side | | /SRMSMC/ROS_REGISTRATION_RESP | Sell-Side RFC Inbound Processing in Registering Suppliers (/SRMSMC/RFC_SUP_REG_SELLSIDE)
Table 21: Communication Destinations Specific to the Qualifying Suppliers Process (Communication Process Type Supplier Qualification)

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
Transfer qualification request from buy side to sell side | SAP SLC buy side to sell side | | /SRMSMC/SQQ_CREATE | Sell-Side RFC Inbound Processing in Qualifying Suppliers (/SRMSMC/RFC_SUP_QUAL_SELLSIDE)
Transfer qualification response from sell side to buy side | SAP SLC sell side to buy side | A | /SRMSMC/SQR_UPDATE | Buy-Side RFC Inbound Processing in Qualifying Suppliers (/SRMSMC/RFC_SUP_QUAL_BUYSIDE)
Reopen qualification response on sell side, using data (request for clarification) from buy side | SAP SLC buy side to sell side | | /SRMSMC/SQR_REOPEN | Sell-Side RFC Inbound Processing in Qualifying Suppliers (/SRMSMC/RFC_SUP_QUAL_SELLSIDE)
Update qualification response on buy side using data (clarification from supplier) from sell side | SAP SLC sell side to buy side | A | /SRMSMC/SQR_RESUBMIT | Buy-Side RFC Inbound Processing in Qualifying Suppliers (/SRMSMC/RFC_SUP_QUAL_BUYSIDE)

Table 22: Communication Destinations for Transfer of Supplier Data between SAP SLC Buy Side and Sell Side (Communication Process Type Supplier Data Management)

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
Initial upload of supplier(s) from sell side to buy side if sell side is deployed on SUS | SAP SLC buy side to sell side | | /SRMSMC/SUPPLIER_GETLIST, /SRMSMC/SUPPLIER_GETDATA | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Send rejection e-mail if changes to supplier data were rejected on buy side | SAP SLC buy side to sell side | | /SRMSMC/SUPPLIER_MAIN_CONF | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Upon approval of registration request on buy side, transfer supplier data and create supplier on sell side | SAP SLC buy side to sell side | | /SRMSMC/SUPPLIER_CREATE, /SRMSMC/SUP_CREA_SSIDE_RFCWRAP | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Transfer standard product classification codes from buy side to sell side | SAP SLC buy side to sell side | | /SRMSMC/SPC_PUBLISH | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Transfer changes to supplier data from sell side to buy side | SAP SLC sell side to buy side | | /SRMSMC/SUPPLIER_MAIN_REQ | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
Transfer supplier attachments from sell side to buy side | SAP SLC sell side to buy side | | /SRMSMC/ATTACHMENT_SEND | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
Transfer changes to supplier data to sell side | SAP SLC buy side to sell side | | /SRMSMC/SUPPLIER_CHANGE, /SRMSMC/SUP_CHG_SSIDE_RFCWRAP | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Transfer key mapping data (supplier ID) from sell side to buy side, as response to transfer of changes to supplier data | SAP SLC sell side to buy side | | /SRMSMC/SUPPL_CHANGE_CALLBACK | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)

Table 23: Communication Destinations for Upload and Transfer of Supplier Data Between SAP Supplier Lifecycle Management and SAP ERP (Communication Process Type Supplier Data Management)

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
If Customer Vendor Integration (CVI) is used: Perform initial upload of suppliers from SAP ERP to SAP SLC | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_GETLIST_BP, SMC_SUPPLIER_GETDATA_BP | RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP)
If CVI is used: Distribute supplier data to SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_CREATE_BP | RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP)
If CVI is used: Distribute changes to supplier data to SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_CHANGE_BP, SMC_SUPPLIER_CHANGE_BP_RFCWRAP | RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP)
If CVI is used: Distribute updates to supplier data to SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_UPDATE_BP, SMC_SUPPLIER_UPDATE_BP_RFCWRAP | RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT_BP)
Transfer key mapping data from SAP ERP to SAP SLC, as response to transfer of changes to supplier data to SAP ERP | SAP ERP to SAP SLC buy side | | /SRMSMC/SUPPL_CHANGE_CALLBACK | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
If CVI is not used: Perform initial upload of suppliers from SAP ERP to SAP SLC | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_GETLIST, SMC_SUPPLIER_GETDATA | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
If CVI is not used: Distribute supplier data to SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_CREATE | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
If CVI is not used: Transfer of changes to supplier data from SAP SLC to SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_CHANGE, SMC_SUPPLIER_CHANGE_RFCWRAP | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
Request creation of supplier data in Leading SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_CREATE_MD | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
Request changes to supplier data in Leading SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_UPDATE_MD_RFCWRAP | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
Transfer of changes of supplier data from Leading SAP ERP to SAP SLC buy side | SAP ERP to SAP SLC buy side | | /SRMSMC/SUPPL_MODIFY_BY_MD_SYS | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
Transfer of changes of supplier data from SAP SLC buy side to Leading SAP ERP | SAP SLC buy side to SAP ERP | | SMC_SUPPLIER_MODIFY_SLC | (depends on the customer's roles in SAP ERP)
Replicate certificate types from SAP SLC buy side to sell side | SAP SLC buy side to sell side | | /SRMSMC/CRT_REPLICATE | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Replicate purchasing categories from SAP SLC buy side to sell side | SAP SLC buy side to sell side | | /SRMSMC/PUC_REPLICATE | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Retrieve SAP ERP purchasing organization and account group in SAP ERP and make it available as input help in Customizing activity Define System Landscape and Back-End Specific Distribution Data on the buy side | SAP SLC buy side to SAP ERP | | BBP_RFC_READ_TABLE | RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (SAP_ERP_SLC_RFC_SUP_MNGT)
Retrieve SAP SRM purchasing organization and accounting group in SAP SRM and make it available as input help in Customizing activity Define System Landscape and Back-End Specific Distribution Data on the buy side | SAP SLC buy side to SAP SRM | | BBP_OM_FIND_PURCH_ORG_EXT | RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)
Table 24: Communication Destinations for Upload and Transfer of Supplier Data Between Buy Side of SAP Supplier Lifecycle Management and SAP SRM (Communication Process Type Supplier Data Management)

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
Perform initial upload of suppliers from SAP SRM to SAP SLC buy side | SAP SLC buy side to SAP SRM | | BBP_SUPPLIER_GETLIST, BBP_SUPPLIER_GETDATA | RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)
Distribute supplier data from SAP SLC buy side to SAP SRM | SAP SLC buy side to SAP SRM | | BBP_SUPPLIER_CREATE | RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)
Transfer changes to supplier data to SAP SRM (update business partner and contact person) | SAP SLC buy side to SAP SRM | | BBP_SUPPLIER_CHANGE, BBP_SUPPLIER_CHANGE_RFCWRAP | RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)
Transfer key mapping data from SAP SRM to SAP SLC buy side, as response to transfer of changes to supplier data to SAP SRM | SAP SRM to SAP SLC buy side | | /SRMSMC/SUPPL_CHANGE_CALLBACK | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
Retrieve SAP SRM purchasing organization and make it available as input help in Customizing activity Define System Landscape and Back-End Specific Distribution Data on the buy side | SAP SLC buy side to SAP SRM | | BBP_OM_FIND_PURCH_ORG_EXT | RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC (SAP_SRM_SLC_RFC_SUP_MNGT)
Table 25: Communication Destinations for Supplier Evaluation

Process Step | Direction of RFC Call | S/A | RFC Function Module | Role of RFC User
Creation of follow-on documents to supplier evaluation requests | Local call within SAP SLC buy-side system | | /SRMSMC/SRS_CREATE_ASYNC | Buy-Side RFC Inbound Processing in Supplier Evaluation (/SRMSMC/BG_SUP_EVAL_BUYSIDE)
Trigger of creation of evaluation response for event-driven evaluation | Back-end system (for example, SAP ERP, SAP SRM, or a non-SAP system, depending on the customer's BAdI implementation) to SAP SLC buy-side system | S/A | /SRMSMC/EV_EVENT_INBOUND | Buy-Side RFC Inbound Processing in Supplier Evaluation (/SRMSMC/BG_SUP_EVAL_BUYSIDE)
Table 26: Communication Destinations Specific to the Managing Activities Process (Communication Process Type "Supplier Data Management")

Process Step | Direction of RFC Call | S/A | RFC Function Modules | Role of RFC User (Target System)
Transfer task from buy side to sell side | SAP SLC buy side to sell side | | /SRMSMC/TSK_REPLICATE | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Submit task from sell side to buy side after the task was processed by supplier on the sell side | SAP SLC sell side to buy side | A | /SRMSMC/TSK_INT_REPLICATE | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)
Resend task from buy side to sell side after the text in the task was modified on the buy side (request for clarification) | SAP SLC buy side to sell side | | /SRMSMC/TSK_RESEND | Sell-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_SELLSIDE)
Resubmit task from sell side to buy side after the task was processed again on sell side (clarification from supplier) | SAP SLC sell side to buy side | A | /SRMSMC/TSK_INT_RESEND | Buy-Side RFC Inbound Processing when Transferring the Supplier Data (/SRMSMC/RFC_SUP_MNGT_BUYSIDE)

Overview of the RFC Roles Used in the Tables Above:

Table 27

Description of Role | Name of Role
Buy-Side RFC Inbound Processing when Transferring the Supplier Data | /SRMSMC/RFC_SUP_MNGT_BUYSIDE
Sell-Side RFC Inbound Processing when Transferring the Supplier Data | /SRMSMC/RFC_SUP_MNGT_SELLSIDE
Buy-Side RFC Inbound Processing in Qualifying Suppliers | /SRMSMC/RFC_SUP_QUAL_BUYSIDE
Sell-Side RFC Inbound Processing in Qualifying Suppliers | /SRMSMC/RFC_SUP_QUAL_SELLSIDE
Buy-Side RFC Inbound Processing in Registering Suppliers | /SRMSMC/RFC_SUP_REG_BUYSIDE
Sell-Side RFC Inbound Processing in Registering Suppliers | /SRMSMC/RFC_SUP_REG_SELLSIDE
Buy-Side RFC Inbound Processing in Supplier Evaluation | /SRMSMC/BG_SUP_EVAL_BUYSIDE
RFC Inbound Processing in ERP with CVI when Transferring Supplier Data from SLC | SAP_ERP_SLC_RFC_SUP_MNGT_BP
RFC Inbound Processing in ERP when Transferring Supplier Data from SLC (Note: This role can also be used when SAP ERP is the leading system.) | SAP_ERP_SLC_RFC_SUP_MNGT
RFC Inbound Processing in SRM IC when Transferring Supplier Data from SLC | SAP_SRM_SLC_RFC_SUP_MNGT

For more information about how to implement RFC connections, about RFC users, and about the roles required,
see SAP Help Portal at help.sap.com/slc <release> Configuration and Deployment Information
Configuration Guide Basic Settings for SAP Supplier Lifecycle Management Technical Basic Settings Define
RFC Connections Defining Process-Specific RFC Connections .
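The rules in this section, a separate technical user of type Service for each communication process type and an inbound role that matches the target system as listed in Tables 20 to 27, can be audited over an export of the RFC destinations. The following Python is an added example, not part of the SAP guide or of the product; the RfcDestination structure, the destination and user names, and the target-system labels are assumptions, and the sample landscape is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Expected inbound RFC role per (communication process type, target system),
# as listed in Tables 20 to 27 of the guide. For SAP ERP the role with or
# without Customer Vendor Integration (CVI) is accepted.
EXPECTED_ROLES = {
    ("Supplier Registration", "SLC buy side"): {"/SRMSMC/RFC_SUP_REG_BUYSIDE"},
    ("Supplier Registration", "SLC sell side"): {"/SRMSMC/RFC_SUP_REG_SELLSIDE"},
    ("Supplier Qualification", "SLC buy side"): {"/SRMSMC/RFC_SUP_QUAL_BUYSIDE"},
    ("Supplier Qualification", "SLC sell side"): {"/SRMSMC/RFC_SUP_QUAL_SELLSIDE"},
    ("Supplier Data Management", "SLC buy side"): {"/SRMSMC/RFC_SUP_MNGT_BUYSIDE"},
    ("Supplier Data Management", "SLC sell side"): {"/SRMSMC/RFC_SUP_MNGT_SELLSIDE"},
    ("Supplier Data Management", "SAP ERP"): {
        "SAP_ERP_SLC_RFC_SUP_MNGT", "SAP_ERP_SLC_RFC_SUP_MNGT_BP"},
    ("Supplier Data Management", "SAP SRM"): {"SAP_SRM_SLC_RFC_SUP_MNGT"},
    ("Supplier Evaluation", "SLC buy side"): {"/SRMSMC/BG_SUP_EVAL_BUYSIDE"},
}


@dataclass(frozen=True)
class RfcDestination:
    """One RFC destination as an administrator might export it (hypothetical
    structure; the destination and user names used below are constructed)."""
    name: str          # RFC destination name
    process_type: str  # communication process type assigned to the destination
    target: str        # target system of the RFC
    user: str          # technical user configured in the destination
    user_type: str     # user type of that user in the target system
    roles: frozenset   # PFCG roles assigned to the user in the target system


def audit_rfc_destinations(destinations):
    """Return findings as tuples:
    ("UNKNOWN_PAIR", destination)        no role known for (process, target)
    ("ROLE_MISSING", destination, user)  user lacks the expected inbound role
    ("USER_TYPE", destination, user)     user is not of type Service
    ("USER_SHARED", target, user)        one user serves several process types
    """
    findings = []
    process_types_by_user = defaultdict(set)  # (target, user) -> process types
    for d in destinations:
        expected = EXPECTED_ROLES.get((d.process_type, d.target))
        if expected is None:
            findings.append(("UNKNOWN_PAIR", d.name))
        elif not (expected & d.roles):
            findings.append(("ROLE_MISSING", d.name, d.user))
        if d.user_type != "Service":
            findings.append(("USER_TYPE", d.name, d.user))
        process_types_by_user[(d.target, d.user)].add(d.process_type)
    # The guide requires a separate technical user per communication process
    # type in every system involved, so users are keyed per target system.
    for (target, user), procs in sorted(process_types_by_user.items()):
        if len(procs) > 1:
            findings.append(("USER_SHARED", target, user))
    return findings


# Constructed sample landscape: one correct destination and three violations
SAMPLE_DESTINATIONS = [
    RfcDestination("SLC_SELL_SUPREG", "Supplier Registration", "SLC sell side",
                   "RFC_SUPREG", "Service",
                   frozenset({"/SRMSMC/RFC_SUP_REG_SELLSIDE"})),
    # Same sell-side user reused for a second process type
    RfcDestination("SLC_SELL_SUPQUAL", "Supplier Qualification", "SLC sell side",
                   "RFC_SUPREG", "Service",
                   frozenset({"/SRMSMC/RFC_SUP_QUAL_SELLSIDE"})),
    # Dialog user instead of the required Service user type
    RfcDestination("SLC_ERP_SUPMNGT", "Supplier Data Management", "SAP ERP",
                   "RFC_SLC_ERP", "Dialog",
                   frozenset({"SAP_ERP_SLC_RFC_SUP_MNGT_BP"})),
    # Only the generic Web service consumer role, no SRM inbound role
    RfcDestination("SLC_SRM_SUPMNGT", "Supplier Data Management", "SAP SRM",
                   "RFC_SLC_SRM", "Service",
                   frozenset({"SAP_BC_WEBSERVICE_CONSUMER"})),
]

if __name__ == "__main__":
    for finding in audit_rfc_destinations(SAMPLE_DESTINATIONS):
        print(*finding)
```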


Internet Communication Framework (ICF) Security

The security concept for users accessing Internet Communication Framework (ICF) services involves the
following:

Start Authorizations for ICF Services


For each of the Web Dynpro ICF services, a string has been defined on the Service Data tab as the SAP
Authorization. To enable a user with a specific role to access an ICF service, the authorization object S_ICF
must be assigned to the role and the string must be specified in the authorization object. The system then
checks whether users have the appropriate roles and the parameter settings in the authorization object
S_ICF.

Activation of Relevant ICF Services


You activate only those ICF services in transaction SICF that are required for the applications running in your
system.
For a list of the services required in SAP Supplier Lifecycle Management, see SAP Help Portal at
help.sap.com <release> Configuration and Deployment Information Configuration Guide Basic
Settings for SAP Supplier Lifecycle Management Technical Basic Settings Activate Services .

Creation of External Aliases


We recommend that you create external aliases for all ICF services. This has the following advantages:

You can avoid modifying SAP content; modifications can be overwritten by future software updates. For
example, if you define logon data directly on the ICF service, this data could be overwritten. In SAP
Supplier Lifecycle Management, you have to specify logon data for the following services:
Table 28

/default_host/sap/bc/bsp/srmsmc/ros_ext | Frontend Server for Supplier Registration
/default_host/sap/bc/bsp/srmsmc/eva_cmn | SLC Applic. for Supplier Evaluation by Appraisers Without User ID

Note
For these ICF services, XSRF protection must be deactivated.

You can hide the path of the service in the URL.

You can create several external aliases for one service. This can be useful, for example, in a system
where the same ICF service is used in several clients.

For information about how to do this and for configuration of these services, see SAP Help Portal at
help.sap.com/slc <release> Configuration and Deployment Information Configuration Guide
Important Settings for ICF Services .
If your firewalls use URL filtering, note the URLs used for the services and adjust your firewall settings accordingly.
For more information, see SAP Help Portal at help.sap.com/netweaver SAP NetWeaver Platform SAP
NetWeaver 7.0 including Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP
NetWeaver by Key Capability Application Platform by Key Capability Platform-Wide Services Connectivity
Components of SAP Communication Technology Communication Between ABAP and Non-ABAP Technologies
Internet Communication Framework Development Server-Side Development Creating and Configuring ICF
Services Activating and Deactivating ICF Services or the corresponding documentation for higher releases of
SAP NetWeaver.
For more information about ICF security, see SAP Help Portal at help.sap.com/netweaver SAP NetWeaver
Platform SAP NetWeaver 7.0 including Enhancement Package 2 Security Information SAP NetWeaver
Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide or
the corresponding documentation for higher releases of SAP NetWeaver.


10 Data Storage Security

All data is stored in the buy-side and sell-side databases of the SAP Supplier Lifecycle Management system. In
addition, some processes when maintaining supplier master data enable storage of supplier master data and
contact person data in the databases of SAP SRM and SAP ERP.

Attachments
Attachments are stored in the SAP Content Server. This server allows attachment folders to be assigned either of
the following storage categories:

Storage of data in database: BS_ATF_DB

Storage of data on HTTP content server: BS_ATF

To display the storage category set for your system, see Customizing Implementation Guide under Cross-Application
Components Processes and Tools for Enterprise Applications Reusable Objects and Functions for
BOPF Environment Dependent Object Attachment Folder Maintain Attachment Type Schema .

Cookies
The application uses a Web browser. The SAP Web AS must issue cookies and accept them.


11 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and
functions are the best method to support company, industry, regional or country-specific requirements.
Furthermore, this guide does not give any advice or recommendations with regard to additional features that
would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken
from any given legal source.
Glossary
Table 29

Term: Personal data
Definition: Information about an identified or identifiable natural person

Term: Business purpose
Definition: A legal, contractual, or in other form justified reason for the processing of personal data. The
assumption is that any purpose has an end that is usually already defined when the purpose starts.

Term: Blocking
Definition: A method of restricting access to data for which the primary business purpose has ended.

Term: Deletion
Definition: Deletion of personal data so that the data is no longer usable.

Term: Retention period
Definition: The time period during which data must be available.

Term: End of purpose (EoP)
Definition: A method of identifying the point in time for a data set when the processing of personal data is no
longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can
only be accessed by users with special authorization.

Term: Where-used check (WUC)
Definition: A simple check to ensure data integrity in case of potential blocking. The WUC checks whether any
dependent data for a certain customer, supplier, central business partner, etc. exists. If dependent data exists,
that is, if the data is still required for business activities, the system does not block the customer, supplier, or
central business partner. If you still want to block the data, the dependent data must be deleted by using the
existing archiving and deletion tools or by using any other customer-specific solution.

Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:

- Access control: Authentication features as described in section User Administration and Authentication.

- Authorizations: Authorization concept as described in section Authorizations.

- Read access logging: as described in section Read Access Logging below.

- Transmission control as described in Security Aspects of Data, Data Flow, and Processes and in Network and
Communication Security

- Input control: The business objects in SAP SLC have fields on the user interface that show which user has
created or changed the business object and when this change was performed. There is no additional logging.

- Availability control as described in:
  Section Data Storage Security
  SAP NetWeaver Database Administration documentation
  SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented
  View Solution Life Cycle Management SAP Business Continuity

- Separation by purpose: Is subject to the organizational model implemented and must be applied as part of
the authorization concept.

Caution
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.

Configuration of Data Protection Functions


Certain central functions that support data protection compliance in SAP Supplier Lifecycle Management are
available in Customizing for Cross-Application Components under Data Protection Authorization
Management General Settings and under Data Protection Deletion of Data Deletion of Business Partner
Data .

11.1 Deletion of Personal Data

SAP Supplier Lifecycle Management (SAP SLC) might process data (personal data) that is subject to the data
protection laws applicable in specific countries as described in SAP Note 1825544.
SAP SLC uses the standard archiving and deletion functions that are available for the business partner
functionality. For more information, see the application help for SAP SLC on SAP Help Portal at help.sap.com/
slc20 Application Help Buy Side: Activities for Purchasers Managing the Supplier Portfolio Deleting and
Archiving Suppliers Deleting Business Partners . Therefore, SAP SLC does not deliver an end of purpose check
(EoP) nor a where-used check (WUC).

Blocking of Personal Data


In SAP Supplier Lifecycle Management, personal data is stored with the business object central business partner.
With SAP Note 2053237, you can implement code that allows your SAP SLC system to make use of the central
lock that has been set for a central business partner.

Relevant Application Objects and Available Deletion Functionality

Table 30

Application: SAP Supplier Lifecycle Management (SAP SLC)
Detailed Description: Application help for SAP SLC on SAP Help Portal at help.sap.com/slc20 Application Help
Buy Side: Activities for Purchasers Managing the Supplier Portfolio Deleting and Archiving Suppliers
Archiving and Deleting Business Partner Data
Provided Deletion Functionality: Transaction used for deletion: SARA. Archiving object relevant for deletion:
CA_BUPA

11.2 Read Access Logging

If no trace or log is stored that records which business users have accessed data, it is difficult to track the
person(s) responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be
used to monitor and log read access to data and provide information such as which business users accessed
personal data, for example, of a business partner, and in which time frame.
In RAL, you can configure which read-access information to log and under which conditions. For SAP Supplier
Lifecycle Management, sample configuration for RAL can be implemented with SAP Note 2052337.
For more information about RAL, see Read Access Logging (RAL) in the documentation for SAP NetWeaver.
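The question RAL is configured to answer, namely which business users read a given business partner's personal data in a given time frame, is shown below over a handful of constructed log records. This is an added illustration for this guide, not SAP's RAL implementation, and the flat one-line record format, user IDs and partner numbers are constructed; real RAL data is read through the RAL monitor, not from text files.

```python
"""Query over constructed read-access log records.

Added illustration written for this guide, not SAP's Read Access Logging
implementation or its storage format. The record layout, user IDs and
business partner numbers below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: one read event per line, key=value fields after the timestamp.
SAMPLE_LOG = """\
2014-08-18T08:01:12Z user=PURCH01 channel=WebDynpro object=BusinessPartner id=0000100001 field=EMAIL
2014-08-18T08:05:40Z user=PURCH02 channel=WebDynpro object=BusinessPartner id=0000100001 field=PHONE
2014-08-18T09:30:00Z user=PURCH01 channel=RFC object=BusinessPartner id=0000100002 field=EMAIL
2014-08-19T10:00:00Z user=AUDIT01 channel=WebDynpro object=BusinessPartner id=0000100001 field=EMAIL
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT)


def parse_entries(text: str) -> List[dict]:
    """Turn the flat records into dicts with a parsed 'ts' datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        record = dict(item.split("=", 1) for item in pairs)
        record["ts"] = parse_ts(ts_str)
        entries.append(record)
    return entries


def who_read_partner(entries: List[dict], partner_id: str,
                     start_iso: str, end_iso: str) -> Dict[str, List[str]]:
    """Map each user who read the partner's data in [start, end) to the fields read."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    accessed: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if (e.get("object") == "BusinessPartner" and e.get("id") == partner_id
                and start <= e["ts"] < end):
            accessed[e["user"]].append(e["field"])
    return dict(accessed)


if __name__ == "__main__":
    log = parse_entries(SAMPLE_LOG)
    print(who_read_partner(log, "0000100001", "2014-08-18T00:00:00Z", "2014-08-19T00:00:00Z"))
```

The window is half-open so that consecutive daily queries do not double-count an event on the boundary; the per-user field list is what an investigation of a suspected leak needs first, since it separates a user who read one phone number from one who read every contact field.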


12 Security for Additional Applications

Attachments
The attachment types that you can use in SAP Supplier Lifecycle Management are:

General attachments

Certificates

Supplier logos

You can adjust settings for attachments, such as restricting the allowed MIME types, in Customizing for SAP
Supplier Lifecycle Management under the following paths:

- Buy Side Supplier Portfolio Management Supplier Attachments Define Supported MIME Types .

- Buy Side Supplier Qualification Basic Settings for Supplier Qualification Define MIME Types for
Attachments Used for Qualification .

- Buy Side Activity Management Define MIME Types for Attachments .

- Sell Side Supplier Data Maintenance Define Supported MIME Types .

- Sell Side Activity Management Define MIME Types for Attachments .
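What a MIME type allowlist enforces, and the check that makes it worth more than a declared header, is shown in the following added example. It is written for this guide and is not SAP code or the logic behind the Customizing activities above; the allowlist, the magic-number table and the sample payloads are constructed. The point it adds to the paragraph is that the client-declared type is only accepted when the file's leading bytes are consistent with it, so a renamed binary declared as a PDF is rejected.

```python
"""Allowlist check for attachment uploads with content sniffing.

Added illustration written for this guide, not SAP code. The allowlist,
magic-number table and sample payloads are constructed.
"""
from typing import Dict, Optional, Tuple

# Constructed allowlist, in the spirit of a "Define Supported MIME Types" entry.
ALLOWED_MIME_TYPES = {"application/pdf", "image/png", "image/jpeg", "text/plain"}

# Leading bytes that identify the binary types on the allowlist.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type whose signature the data starts with, if any."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def check_attachment(declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a declared type and the file's bytes."""
    # Normalise "Image/PNG; charset=..." to the bare lower-case media type.
    declared = declared_mime.split(";")[0].strip().lower()
    if declared not in ALLOWED_MIME_TYPES:
        return False, f"{declared} is not an allowed MIME type"
    sniffed = sniff_mime(data)
    if declared in MAGIC:
        # Binary type: the content must actually carry that signature.
        if sniffed != declared:
            return False, f"content looks like {sniffed or 'unknown'}, declared {declared}"
    else:
        # text/plain has no signature; reject known binary signatures and NUL bytes.
        if sniffed is not None or b"\x00" in data:
            return False, "binary content declared as text"
    return True, "accepted"


if __name__ == "__main__":
    print(check_attachment("application/pdf", b"%PDF-1.7\n%constructed"))
    print(check_attachment("application/pdf", b"MZ\x90\x00constructed"))
```

Pair the check with the virus scan described later in this section: the allowlist limits what reaches the scanner and the storage layer, while the scanner covers content that is a valid PDF or image but still malicious.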

Note

Attachments are never opened immediately. Instead, users can choose whether to open the attachments
or download them to their computers.

Attachments uploaded by suppliers are only transferred from the sell side to the buy side; attachments
uploaded by category managers and by activity managers on the buy side are not transferred to the sell
side.

Virus Scan for Attachments


You can activate virus scans that check attachments before they are uploaded and stored in the database. To do
this, you must have an external virus scanner installed. You can perform a virus scan on the sell side and on the
buy side. The virus scan is performed in the following cases:

When attachments are uploaded from the user interface, on the sell side or on the buy side; to enable these
checks, activate the virus scan profile /SIHTTP/HTTP_UPLOAD.

When attachments are transferred from the sell side to the buy side; to enable these checks, activate the
virus scan profile /SRMSMC/FND_CFG/FILE_UPLOAD.

You must make the Customizing settings for the virus scan profile both on the buy side and the sell side:

- Buy Side: In Customizing for SAP Supplier Lifecycle Management under Buy Side Basic Settings for SAP
Supplier Lifecycle Management Virus Scan Interface

- Sell Side: In Customizing for SAP Supplier Lifecycle Management under Sell Side Basic Settings for SAP
Supplier Lifecycle Management Virus Scan Interface

Note
The virus scan profile /SIHTTP/HTTP_UPLOAD is always used for Business Server Pages. For more
information, see SAP Help Portal at help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver
7.0 including Enhancement Package 2 Security Information Security Guide SAP NetWeaver Security
Guide Security Guides for SAP NetWeaver According to Usage Types Security Aspects for Usage Type
DI and Other Development Technologies Security Aspects for BSP or the corresponding documentation
for higher releases of SAP NetWeaver.

More Information
See SAP Help Portal at help.sap.com/netweaver under SAP NetWeaver Platform SAP NetWeaver 7.0 including
Enhancement Package 2 Application Help SAP Library <Language> SAP NetWeaver SAP NetWeaver By
Key Capability Security System Security Virus Scan Interface or the corresponding documentation for
higher releases of SAP NetWeaver.


13 Dispensable Functions with Impacts on Security

To minimize security risks, you can decide not to use the following functions:

Supplier Registration on Sell Side


You can decide to create supplier data on the buy side only or transfer supplier data from back-end systems, and
not allow suppliers to register on the sell side.

Supplier Data Maintenance on Sell Side


You can decide to maintain supplier data on the buy side only and not allow suppliers to maintain their own data
on the sell side.

Appraiser Without System User in Supplier Evaluation


You can decide not to enable the function that allows appraisers who do not have a user ID to fill out evaluation
responses. If you do enable this function, the appraisers without user ID receive a link to the evaluation via e-mail.
They are logged on with a technical user that is common to all appraisers without user ID, so the system cannot
attribute an individual evaluation response to a named person.
By default, this function is deactivated. You can activate it in Customizing for SAP Supplier Lifecycle Management
under Buy Side Supplier Evaluation Basic Settings for Supplier Evaluation Activate Appraisers Without User
ID .


14 Enterprise Services Security

The following sections in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise
services delivered with SAP Supplier Lifecycle Management:

Web Services Security


For more information, see SAP Help Portal at help.sap.com/netweaver SAP NetWeaver Platform SAP
NetWeaver 7.0 including Enhancement Package 2 Security Information SAP NetWeaver Security Guide
Security Guides for Connectivity and Interoperability Technologies Web Services Security or the
corresponding documentation for higher releases of SAP NetWeaver.

Recommended WS Security Scenarios


For more information, see help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0
including Enhancement Package 2 Application Help SAP Library SAP NetWeaver by Key Capability
Security Recommended WS Security Scenarios or the corresponding documentation for higher releases
of SAP NetWeaver.

SAP NetWeaver Process Integration Security Guide


For more information, see help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0
including Enhancement Package 2 Security Information SAP NetWeaver Security Guide Security Guides
for SAP NetWeaver According to Usage Types Security Guide for Usage Type PI or the corresponding
documentation for higher releases of SAP NetWeaver.

We recommend that you use SAP NetWeaver Process Integration (PI) or Web Services Reliable Messaging
(WSRM) for enabling secure communication between the buy side and the sell side. For details about system
communication using enterprise services in cross-system communication, see section Communication
Destinations.


15 Security-Relevant Logging and Tracing

SAP Supplier Lifecycle Management uses application logging to log all changes to supplier and user master data.
To analyze the application log, use transaction SLG1, which is part of the logging and tracing mechanisms
provided by SAP NetWeaver. For more information, see SAP Help Portal at help.sap.com/netweaver SAP
NetWeaver Platform SAP NetWeaver 7.0 including Enhancement Package 2 Security Information SAP
NetWeaver Security Guide Security Aspects for System Management Auditing and Logging or the
corresponding documentation for higher releases of SAP NetWeaver.
The data transferred using background remote function calls (bgRFCs) are monitored. For more information, see
SAP Help Portal at help.sap.com/netweaver SAP NetWeaver Platform SAP NetWeaver 7.0 including
Enhancement Package 2 Application Help SAP Library SAP NetWeaver SAP NetWeaver by Key Capability
Application Platform by Key Capability Platform-Wide Services Connectivity Components of SAP
Communication Technology Classical SAP Technologies (ABAP) RFC Background Communication bgRFC
(Background Remote Function Call) or the corresponding documentation for higher releases of SAP NetWeaver.
