
Manage TDMS Execution Release 1.0 Administrator's Guide


Administrator's Guide
Version: 1.0 – 2014-07-02
Manage TDMS Execution Release 1.0
CUSTOMER

Typographic Conventions

Type Style | Description
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.

© 2013 SAP AG. All rights reserved.

Document History

Before you start working with this document, make sure you have the latest version. You can find the latest version at the following location: http://service.sap.com/tdms

The following table provides an overview of the most important document changes:

Version | Date | Change
1.0 | 2014-07-02 | First version of the document

Table of Contents

1 Introduction
2 Business Scenarios
3 Setup of SAP Fiori System Landscape with ABAP Environment
  3.1 Components of the System Landscape
  3.2 Client
  3.3 ABAP Front-End Server
  3.4 ABAP Back-End Server
  3.5 Database
4 Implementation
  4.1 User Management Concept
    4.1.1 Users in ABAP Front-End System
    4.1.2 Users in ABAP Back-End System
    4.1.3 Setup of Catalogs, Groups, and Roles in the SAP Fiori Launchpad
  4.2 Implementation Tasks on Front-End Server
    4.2.1 Activate ICF Services of UI5 Application
    4.2.2 Front-End Server: Activate OData Services
    4.2.3 Copy Template Business Role to Create Role with Launchpad Catalog and Group
    4.2.4 Add Start Authorizations for OData Service to Business Role
    4.2.5 Front-End Server: Assign Role with OData Service Authorization to Users
  4.3 Implementation Tasks on Back-End Server
    4.3.1 Assign RFC Authorization to User
    4.3.2 Back-End Server: Assign Role with OData Service Authorization to User
  4.4 Implementation Tasks for Manage TDMS Execution
    4.4.1 Front-End Server: Activate OData Services
5 Configuration
  5.1 Setup of SAP Fiori Launchpad
  5.2 Activate OData Services for SAP Fiori Launchpad
  5.3 Activate SICF Services for SAP Fiori Launchpad
  5.4 Assign Administrator Role for SAP Fiori Launchpad to Administrator User
  5.5 Assign Role with Launchpad Start Authorization to End Users
  5.6 Configure a Logout Screen for the SAP Fiori Launchpad (Optional)
6 Security
  6.1 Overview
  6.2 Access
    6.2.1 Secure System Access
  6.3 Communication
    6.3.1 Network and Communication Security Overview
    6.3.2 Communication Encryption
    6.3.3 OData and HTTP Methods
    6.3.4 URL Rewriting
    6.3.5 Internet Communication Framework Security
    6.3.6 Session Security Protection
  6.4 Users
    6.4.1 User Administration and Authentication
    6.4.2 User Authentication and Single Sign-On
    6.4.3 Authorizations
  6.5 Logging
    6.5.1 Security Relevant Logging and Tracing
    6.5.2 Services for Security Lifecycle Management
7 Operations
  7.1 Monitoring SAP Fiori Apps
  7.2 Troubleshooting
    7.2.1 General Tips
    7.2.2 Launchpad and Launchpad Designer
    7.2.3 SAP NetWeaver Gateway
    7.2.4 Search
    7.2.5 SAP Fiori Apps
    7.2.6 SAP Fiori Apps in General
8 Support

1 Introduction

Welcome to Manage TDMS Execution, an easy-to-use and adaptable enterprise app for managing your TDMS runs. You can now start setting up your solution.

About this Document

Use the Administrator's Guide as the central starting point for your implementation and monitoring activities. This document provides information about the following topics:
- The Manage TDMS Execution business scenarios
- An overview of the system landscape and the relevant software components
- How you set up your solution
- System security
- Monitoring system tasks after you go live
- Troubleshooting and support

Target Audience

This guide is intended for persons who perform administrative functions for companies that are in the process of setting up Manage TDMS Execution. It is also meant for consultants who assist companies during the initial setup.

More Information

For more information about the technical aspects of SAP Fiori and SAP Fiori apps, see the SAP Help Portal at http://help.sap.com → SAP Business Suite → SAP Fiori for SAP Business Suite.

2 Business Scenarios

Manage TDMS Execution is a transactional Fiori app that helps you execute and monitor your active TDMS packages and troubleshoot frequent errors. With this application, you can view the following information:
- Your active migration packages with the relevant status for each package
- Summary information about the progress of critical activities
- System landscape details for each package
- Transfer information about the records and tables transferred

You can also troubleshoot the most common errors that occur during a TDMS package execution.
Application Tile

Figure 1: The Launchpad Tile

In the Fiori Launchpad tile for the TDMS Fiori app, you can view the number of active packages to which you are registered. The number can be displayed in the following colors:
- Red: if any package has an error
- Gray: if a package requires user action
- Green: if all packages are executed correctly

Master Panel

Figure 2: The Master Panel on a Tablet Device
Figure 3: The Master Panel on a Phone Device

All your active packages are listed on the master panel. For each package, you can view the following information:
- Migration solution
- Project name
- Active phase
- Package ID and status (error, requires user action, or running state)
- Package created date

The package status has the following values (each shown as an icon in the app):
- (status icon) Indicates that user action is required for the package. The required user action could involve starting the Process Execution Manager (PEM) or completing the Dialog PEM block from the TDMS Web UI.
- (status icon) Indicates errors in the package.
- (status icon) Indicates a package in which PEM is currently running.

Summary

You can view the package summary information about the TDMS execution on this screen. You can also view the progress and status of all critical activities in a package.

Figure 4: The Summary Tab

The top half of the Summary screen displays details of any pending user actions to complete the package execution. The lower half of the screen displays the status of activities in progress.

Figure 5: Pending User Actions on the Summary Screen

Activities in Process indicates whether any activities are currently being executed.

Errors indicates that the package contains errors and that you can view detailed information in the activity error log. You can also open the Troubleshoot Issues screen to check whether the errors can be fixed from the Fiori app. For more information, see the section Troubleshoot Issues in this document.

Dialog PEM Block indicates whether you need to execute any dialog activities from the TDMS Web UI. Currently, you can only execute the dialog activities from the TDMS Web UI.

PEM indicates whether the Process Execution Manager (PEM) is currently running. The PEM executes the PEM blocks available for execution in the background.

You can view the progress of the following critical activities:
- Package Settings
- Data Deletion in the receiver system
- Data Selection for Fill Header tables
- Data Selection for All tables
- Data Scrambling
- Data Transfer
- Post Processing

Activities

Figure 6: The Activities Tab

The Activities tab displays the list of activities for the current active phase of the package. The color of the tab indicates whether any activities are in error: the tab is red if even one activity has the status Error, and green if no activity has an error.

The activities table displays the following information:
- Activity Name
- Status of Activity
- Progress of Activity
- Runtime

The activity statuses are indicated by the following icons (shown as icons in the app):
- Completed
- Error
- Warning
- Scheduled
- Running
- Hold Up

You can filter the list of activities based on the status. After you select an activity row, you can navigate to the Activity Log.

Figure 7: The Activity Log

The color of the log messages indicates the severity of the message. The log messages are displayed in the following colors:
- Green for success or information messages
- Red for errors
- Orange for warnings

You can filter the messages based on their severity level.

Systems

The Systems tab displays the systems involved in the TDMS package and the percentage of job utilization. While monitoring the TDMS execution, you can view the details about the following systems in your landscape:
- Sender system (client): Provides the data supply for the non-production system. The production system is typically used as the sender system.
- Central system (client): Stores the settings and Customizing for the setup of the non-production system. (The central system must be on SAP NetWeaver 7.0 or higher.)
- Control system (client): Triggers and monitors almost all the activities for SAP TDMS. (The control system must be on SAP NetWeaver 7.0 or higher.)
- Receiver system (client): Receives the data from the production system. The non-production system can be a system shell or a full copy of the production system.

Figure 8: The Systems Tab

The Systems tab displays the following information:
- The systems that are part of the system landscape used for the package run
- The dialog and background job utilization for the TDMS execution for each system

Database Parameters

You can display the database parameters for each system on the Systems tab by choosing the particular row.

Figure 9: The Database Parameters

You can view the current values of the database parameters on this screen. The database parameters are visible only for systems running on Oracle, MSSQL, or MaxDB.

Transfer Info

You can view the data transfer statistics for your package on this screen.

Figure 10: The Transfer Info Tab

The Transfer Info tab displays the following information:
- Portions for transfer
- Records for transfer
- Records transferred
- Data transfer size
- Tables for transfer
- Tables in process

You can additionally view high-level progress information about the tables being transferred in this package.

Troubleshoot Issues

If there are errors in a package, choose the Troubleshoot pushbutton in the footer toolbar to navigate to the Troubleshoot Issues screen in the Fiori app.

Figure 11: The Troubleshoot Pushbutton

On the Troubleshoot Issues screen, you can carry out the following activities:
- Restart failed background activities
- Fix the Duplicate Key error by executing the Change Write Behavior troubleshooter
- Troubleshoot the Time Limit Exceeded error by executing the Change Table Size Category troubleshooter
- Check the overall RFC status and verify the user and authorization statuses for each system
- Refresh the RFC connections

Figure 12: Troubleshoot Issues

Failed Background Activities

On the top half of the Troubleshoot Issues screen, you can view a table with a list of failed background activities that you can restart.

Figure 13: Failed Background Activities

Errors to Be Resolved Using Troubleshooters

The frequent errors that can be resolved are displayed in this section, along with the time the error last occurred and the frequency of the error.

Figure 14: Errors to Be Resolved Using Troubleshooters
Time Limit Exceeded Error

Figure 15: Change Table Size Category Troubleshooter

This error is displayed when the migration objects exceed the time limit during the execution of the Data Selection activity. When you enter the troubleshooter screen, you can view a list of objects that failed with this error and their table size categories (Large, Medium, or Small). To rectify this error, change the size category of the object from small to large and choose Save.

To change the table size category of multiple objects, select the checkboxes next to each object and choose the Change pushbutton. Choose the table size category for all the selected objects from the popover. Save your entries.

Duplicate Key Error

The Data Transfer activity can fail during a TDMS run due to duplicate key errors while inserting data into the receiver system. You can correct such errors by changing the method of inserting data into the database. By default, SAP TDMS uses the INSERT statement to write the data into the receiver system; when you face duplicate key errors, change the Write behavior to a MODIFY statement.

You can use this screen to change the Write behavior. The screen displays a list of objects or tables that failed due to duplicate key issues. Select the required behavior and save your entries. You can change the Write behavior of multiple objects by choosing the CHANGE pushbutton.

Change Settings

Figure 16: The Change Settings Pushbutton

The Manage TDMS Execution application allows you to change the settings of a package at any point during a run. You can make the following changes:
- Change table size category
- Change the maximum number of parallel jobs for tables
- Change the number of jobs for activities
- Start or stop data selection, data transfer, or data deletion
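The Duplicate Key Error section above describes the two receiver-side write behaviors without showing what they do at the Open SQL level. The following report is an added illustration written for this guide; it is not SAP TDMS code and not part of the original document. It assumes a custom transparent table ZTDMS_DEMO with the key fields MANDT and DOCNR and a non-key field DESCR, and that DOCNR '0000000001' is already present in it (simulating a portion being transferred a second time). The table name, the field names and the sample rows are constructed for the example.

```abap
*&---------------------------------------------------------------------*
*& Added illustration (not SAP TDMS code): INSERT versus MODIFY as the
*& write behavior for a re-transferred portion.
*& Assumed table ZTDMS_DEMO: key MANDT, DOCNR; non-key DESCR.
*& Assumed state: DOCNR '0000000001' already exists in ZTDMS_DEMO.
*&---------------------------------------------------------------------*
REPORT ztdms_write_behavior_demo.

DATA: ls_row  TYPE ztdms_demo,
      lt_rows TYPE STANDARD TABLE OF ztdms_demo.

" Constructed sample portion: one key that already exists in the
" receiver and one key that is new. MANDT is filled automatically by
" Open SQL because the table is client-dependent.
CLEAR ls_row.
ls_row-docnr = '0000000001'.
ls_row-descr = 'already present in receiver'.
APPEND ls_row TO lt_rows.
ls_row-docnr = '0000000002'.
ls_row-descr = 'new record'.
APPEND ls_row TO lt_rows.

" Default write behavior: INSERT.
" An array INSERT that hits an existing primary key terminates the
" program with the runtime error SAPSQL_ARRAY_INSERT_DUPREC; that is
" the class of failure the guide calls the Duplicate Key error.
" ACCEPTING DUPLICATE KEYS is used here only so that the demo can
" continue: the duplicate row is skipped, sy-subrc becomes 4 and
" sy-dbcnt holds the number of rows actually inserted (1 here).
INSERT ztdms_demo FROM TABLE lt_rows ACCEPTING DUPLICATE KEYS.
IF sy-subrc <> 0.
  WRITE: / 'INSERT: duplicate key(s) skipped, rows inserted:', sy-dbcnt.
  " Discard the partial insert so that MODIFY below starts from the
  " assumed initial state.
  ROLLBACK WORK.
ENDIF.

" Write behavior after the Change Write Behavior troubleshooter: MODIFY.
" Rows whose key already exists are updated, the others are inserted,
" so the same portion is written without a duplicate key error and
" sy-dbcnt reports 2 processed rows.
MODIFY ztdms_demo FROM TABLE lt_rows.
IF sy-subrc = 0.
  WRITE: / 'MODIFY: rows inserted or updated:', sy-dbcnt.
  COMMIT WORK.
ENDIF.
```

MODIFY overwrites the existing receiver row with the sender row, so a receiver value that differed from the sender is lost for that key. That is the intended outcome when the duplicate comes from a repeated transfer of the same data, which is the situation the troubleshooter addresses; when changing the write behavior for many objects at once via the CHANGE pushbutton, confirm first that the duplicates all stem from such a re-transfer.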
Change Table Size Category

Figure 17: Change Table Size Category

On this screen, you can change the table size category of the top migration objects so that they do not end in the Time Limit Exceeded error during data selection. The list of objects to monitor is available in the maintenance table CNVOTDMS_TOPOBJS in your TDMS control system. You can maintain the list of objects using transaction SM30.

To carry out a mass change for all objects, select the checkboxes next to the required objects and choose Change in the footer toolbar. A popover appears where you can select the appropriate write behavior. The option you select is automatically set for all selected objects on the Change Table Size Category screen. Choose Save to save the changes to the back-end system. Choose Cancel if you do not want to save any unsaved changes.

Change the Maximum Number of Parallel Jobs for Tables

Figure 18: Change the Maximum Number of Parallel Jobs for Tables

You can change the maximum number of parallel jobs for tables on this screen. You can make the change for tables that are currently in process or for objects that are maintained in the maintenance table CNVOTDMS_TOPOBJS. Save your entries.

Change the Number of Jobs for Activities

You can change the number of jobs assigned to the activity and to the systems on this screen. Save your entries.

Figure 19: Change the Number of Jobs for Activities

Start/Stop Activities

On this screen, you can start or stop the following critical activities:
- Data Selection
- Data Deletion
- Data Transfer

This screen displays the current status, progress, and runtime of the activities listed above. You can start or stop an activity based on its current status.

Figure 20: Start/Stop Activities

Send Email

Using this option, you can compose an email from the Fiori application. Important information about the selected package is included in the body of the email.

Figure 21: Send Email

To Webdynpro

This pushbutton takes you to the current package in the TDMS work center for seamless execution. The Webdynpro option is only available if you access the TDMS Fiori app from a desktop.

Prerequisites

To install the Webdynpro navigation feature:
- You have created an HTTP connection (connection type H) to the TDMS back-end system with the name SAP_TDMS in the front-end server.
- You have installed the software components UI2_7XX 100 SP04 or higher and UI2_FND 100 SP04 or higher in the TDMS back-end system.

3 Setup of SAP Fiori System Landscape with ABAP Environment

This section provides an overview of the high-level system landscape and key components required for the Manage TDMS Execution app.

In the SAP Fiori system landscape with ABAP environment, you can use transactional apps. Set up the system landscape to enable SAP Fiori before you start to implement an app. An app requires front-end components (providing the user interface and the connection to the back end) and back-end components (providing the data). The front-end components and the back-end components are delivered in separate products and have to be installed in a system landscape that is enabled for SAP Fiori.

The following figure shows the detailed system landscape for SAP Fiori transactional apps.

Figure 22: System Landscape for the SAP Fiori App for SAP TDMS
3.1 Components of the System Landscape

Depending on the system landscape, the following components are used:

3.2 Client

To be able to run SAP Fiori apps, the runtime environment (such as the browser) of the client must support HTML5.

3.3 ABAP Front-End Server

The ABAP front-end server contains all the infrastructure components to generate an SAP Fiori app-specific UI for the client and to communicate with the SAP Business Suite back-end systems. The UI components and the gateway are based on SAP NetWeaver. Typically, both are deployed on the same server.

The central UI component is a framework that provides the common infrastructure for all SAP Fiori apps: SAP Fiori launchpad is the basis of all SAP Fiori UIs and provides fundamental functions for SAP Fiori apps such as logon, surface sizing, navigation between apps, and role-based app catalogs. End users access the SAP Fiori apps from the SAP Fiori launchpad. The specific UIs for the apps are delivered as SAP Business Suite product-specific UI add-on products, which must be additionally installed on the front-end server.

SAP Gateway handles the communication between the client and the SAP Business Suite back end. SAP Gateway uses OData services to provide back-end data and functions, and processes HTTPS requests for OData services. The transactional apps, which update data in the SAP Business Suite systems, use this communication channel.

3.4 ABAP Back-End Server

In the ABAP back-end server, the SAP Business Suite products are installed, which provide the business logic and the back-end data, including users, roles, and authorizations. The add-ons for the SAP Fiori apps are continuously released in Support Packages. The back-end server is based on SAP NetWeaver.

3.5 Database

SAP HANA is an in-memory database platform that you can use to analyze large volumes of data in real time.

anyDB stands for any database that stores the data for the back-end server. For transactional apps, any database can be deployed instead of SAP HANA.

3.5.1.1 TDMS System Landscape Requirements

Before you start to implement the app, ensure that your system landscape has been set up to enable SAP Fiori. This also implies that the front-end and back-end components for your app are already available in this system landscape:

Landscape Requirements | Details
SAP Fiori System Landscape Option for Transactional App | See the current chapter for details.
Configuration of Front-End Server | Configuration of SAP Fiori Infrastructure
Back-End Components Delivered with (Product Version Stack) | SAP TDMS 4.0 SP07 or higher
Front-End Components Delivered with (Product Version Stack) | SAP Fiori for SAP TDMS 1.0 SP00

Ensure that the front-end component of the app is in place on your front-end server. It is automatically installed with the following UI add-on:

Front-End Server | Software Component
Front-End Component of App | UICSLO0

For more information about the installation of front-end components, see Installation of Product-Specific UI Components (SAP NW 7.31) and Installation of Product-Specific UI Components (SAP NW 7.4) on the SAP Help Portal at http://help.sap.com → SAP Business Suite → SAP Fiori for SAP Business Suite → Setup of SAP Fiori System Landscape → Setup of SAP Fiori System Landscape with ABAP Environment → Installation → Setup of Frontend Server → Installation of Product-Specific UI Components (SAP NW 7.31) and Installation of Product-Specific UI Components (SAP NW 7.4).

3.5.1.2 Required SAP Notes

To run the Manage TDMS Execution app, ensure that the following SAP Notes are available:

Back-End/Front-End Server | SAP Note Number | Description
General | Note 2019006 | Release Information Note for SAP Fiori App for TDMS 4.0

4 Implementation

App Implementation for Transactional Apps

For the following procedures, you need information from the product documentation, such as technical names of services, roles, and so on.

Prerequisites before Implementation

You have set up the SAP Fiori infrastructure. For more information, see Chapter 5: Configuration.

4.1 User Management Concept

SAP Fiori apps adopt the user management and authentication mechanisms provided by SAP NetWeaver ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the applications. The following sections comprise information about user administration and authentication that specifically applies to SAP Fiori apps.

4.1.1 Users in ABAP Front-End System

To use SAP Fiori apps, users need authorizations on the front-end server (in the SAP Fiori launchpad) and on the back-end server.

Features

Authorizations and Roles in SAP NetWeaver Gateway

Fiori applications communicate with the ABAP back-end system through OData services, which must be activated during system installation. In addition to authorization in the back-end system, users must be granted authorization to access the HTML5-based Fiori applications and the OData services in SAP NetWeaver Gateway. Fiori applications therefore require users and roles in SAP NetWeaver Gateway. A Gateway PFCG role contains start authorizations for OData services. SAP will not deliver these roles to customers.
Manage TDMS Execution Implementation Administrator's Guide © 2013 SAP AG. All rights reserved. 29 Note They must have the same user name as the users in the ABAP back-end system. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems. For more information, see Add Start Authorizations for OData Service to Business Role. 4.1.2 Users in ABAP Back-End System Existing users are relevant for the ABAP back-end system. The authorizations required for a particular application are provided using a PFCG role delivered for each application. SAP delivers back-end PFCG roles for every transactional application. Theses roles provide authorizations for the OData service of the apps. For every role, authorizations need to be granted according to the customer’s roles and authorization concept. For transactional apps, the back-end role does not comprise authorizations for business data to be displayed in the app. It is assumed that these authorizations will be provided by the customer. 4.1.3 Setup of Catalogs, Groups, and Roles in the SAP Fiori Launchpad The Fiori launchpad is the access point to apps on mobile or desktop devices. The apps are organized through the entities displayed in the following graphic and explained in the following text: : Figure 23: SAP Fiori Launchpad: Content Concept 30 Administrator's Guide © 2013 SAP AG. All rights reserved. Manage TDMS Execution Implementation Catalog: Set of apps you want to make available for one role. Depending on the role and the catalog assigned to the role, the user can browse through the catalog, choose apps from this catalog, and add them to the entry page of the SAP Fiori launchpad. Technically, apps are represented by the following:  KPI tiles to launch the app  App launcher tiles to launch the app. Target mappings referencing the actual navigation targets. 
The navigation targets are UI5 applications defined in transaction LPD_CUST in the SAP GUI of the front-end server.

Group: Subset of a catalog that contains the apps visible on the Fiori launchpad entry page. Which tiles are displayed on a user's entry page depends on the group assigned to the user's role. In addition, the user can personalize the entry page by adding or removing apps in pre-delivered groups or self-defined groups.

Roles (PFCG): Contain references to catalogs and groups and provide users with access to the apps in these groups and catalogs.

The entities delivered by SAP are divided into technical entities and business entities:
- Technical catalogs and technical PFCG roles contain apps per component.
- Business catalogs, business catalog groups, and business PFCG roles contain apps for a specific role.

For more information, see Front-End Server: Enable App for Access in SAP Fiori Launchpad.

Technical Catalog (TC)
Technical catalogs contain all target mappings and app launcher tiles relevant for an application, for example, SAP TDMS. As an administrator, you can use them as a repository to create your own role-specific business catalogs.

Technical PFCG Role (TCR)
Technical PFCG roles contain references to technical catalogs, and they allow users to access the apps contained in these catalogs.

Business Catalog (BC)
Business catalogs contain a sample collection of target mappings and app launcher tiles relevant for a business role. The content of the business catalog is a subset of the content of the technical catalog. This subset reflects the authorization requirements of a certain business user.

Business Catalog Group (BCG)
Business catalog groups contain a set of applications from a business catalog that are displayed to a user by default on the entry page of the SAP Fiori launchpad. Users can adjust groups by adding or removing apps.
Business PFCG Role (BCR)
A business PFCG role contains references to business catalogs and business catalog groups. Once you, as an administrator, assign the business PFCG role to a user, the user sees the apps included in the business catalog group on the entry page of the SAP Fiori launchpad. Through the referenced business catalog, users have access to further relevant role-specific apps. The user can select apps from the catalog to make them available directly on the entry page.

Back-End Entities
For more information about back-end PFCG roles, see Users in ABAP Back-End System.

Activities
As an administrator, use the technical catalogs delivered by SAP as repositories to create your own catalogs. To display specific apps to a user by default on the entry page of the SAP Fiori launchpad, create a group. Then add apps from your catalog to the group. Both the catalog and the group must be assigned to users. Do this by assigning groups and catalogs to the users' PFCG roles. The business PFCG roles with the assigned catalogs and groups serve as examples based on which you can create your own business catalogs, groups, and roles.

4.2 Implementation Tasks on Front-End Server

4.2.1 Activate ICF Services of UI5 Application

Procedure
1. Run transaction Maintain Services (SICF) on the front-end server.
2. Press F8.
3. Navigate to the following path: default_host → sap → bc → ui5_ui5 → sap.
4. Under this node, navigate to the UI5 application for your app. For more information on the UI5 application per app, see the app-specific documentation in the section SAP Fiori Apps.
5. To activate the service (UI5 application), choose Service/host → Activate.

4.2.2 Front-End Server: Activate OData Services

Procedure
1. Run transaction Activate and maintain services (/IWFND/MAINT_SERVICE) on the front-end server.
2. Choose Add Service.
3. Enter the system alias of your back-end system.
4. In the External Service Name field, enter the technical name of the OData service for your app without the version number. For more information on the OData service per app, see the app-specific documentation in the section SAP Fiori Apps.
5. In the Version field, enter the version number.
6. Choose Get Services.
7. Choose Add Selected Services.
8. Enter a technical name for the service in your customer namespace.
9. Assign a package or choose Local Object.
10. Choose Execute to save the service.
11. On the Activate and maintain services screen, check whether the system alias is maintained correctly. If not, delete the alias and add the correct one.

4.2.3 Copy Template Business Role to Create Role with Launchpad Catalog and Group

You must perform this step and the following authorization- and role-related tasks on the front-end server to equip the user with all rights needed for the app.

SAP delivers business roles for users of SAP Fiori apps. Business roles provide access to a sample of apps relevant for specific business users. The authorization for your app is included in the business role delivered by SAP.

For more information on roles, catalogs, and groups for SAP Fiori Launchpad, see Setup of Catalogs, Groups, and Roles in the SAP Fiori Launchpad.

Procedure
1. Open transaction Role Maintenance (PFCG).
2. Copy the business role for your app to your customer namespace.

4.2.4 Add Start Authorizations for OData Service to Business Role

A user trying to consume an OData service needs two types of authorizations:
- Authorizations on the back-end system: For the back-end side, an example role is provided. For more information, see Assign PFCG Role with OData Service Authorization to User.
- Authorizations on SAP NetWeaver Gateway: For the Gateway, no example role is provided, as the technical names are entered during the activation of the service.
Caution
Adding single OData service authorizations provides additional security, especially if SAP NetWeaver Gateway is set up as a separate hub. By specifying the services explicitly in the role menu, you control which requests on behalf of a user can pass the SAP NetWeaver Gateway. If you use a wildcard, users can call all activated services. SAP therefore recommends not using wildcard authorizations in productive environments.

Prerequisites
- You have activated the OData service and have called it at least once before assigning start authorizations. For more information, see Front-End Server: Activate OData Services.
- You have copied the business role of your app to your namespace. For more information, see Copy Template Business Role to Create Role with Launchpad Catalog.

Procedure
To create a role with OData start authorizations on the front-end server, proceed as follows:
1. In the Role Maintenance transaction (PFCG), edit the business role you copied to your namespace. For more information, see Copy Template Business Role to Create Role with Launchpad Catalog.
2. On the Menu tab, open the menu of the pushbutton for adding objects (+ pushbutton). Choose the object type Authorization Default.
3. In the Service window, choose TADIR Service from the menu for the Authorization Default. Specify the following values:
   o Program ID: R3TR
   o Object Type: IWSG
4. In the table, enter the name of the OData service you have activated for your app. For more information on the OData services per app, see the app-specific documentation in the section SAP Fiori Apps.
5. Enter the name as follows: <technical service name>_<version number>, for example, ZLEAVEREQUEST_0002.
6. On the Authorization tab, choose the pushbutton next to Profile Name to generate the authorization profile for the role.
7. Choose Change Authorization Data, and then Generate.
4.2.5 Front-End Server: Assign Role with OData Service Authorization to Users

Prerequisites
You have assigned the start authorization to the business role for your app. For more information, see Add Start Authorizations for OData Service to Business Role.

Procedure
1. Open transaction Role Maintenance (PFCG).
2. On the User tab, assign the business role of your app to the user by specifying the user ID.

4.3 Implementation Tasks on Back-End Server

Note
User names in the ABAP back-end server must be identical to the corresponding user names in the ABAP front-end server. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.

4.3.1 Assign RFC Authorization to User

If the OData back-end service is located on a remote back end, users need permission to perform the RFC call on the back-end system.

Prerequisites
You have created a user on the front-end system.

Procedure
1. In the User Maintenance transaction (SU01) under Information → Information System, check whether the user has the required authorizations S_RFC and S_RFCACL for trusted RFC.
2. If the user does not have the authorizations, assign a role including the RFC authorization objects S_RFC and S_RFCACL to the back-end user that corresponds to the front-end user.

4.3.2 Back-End Server: Assign Role with OData Service Authorization to User

You assign the OData service authorization for your app to a user. You can also create a PFCG role that contains multiple OData start authorizations. For example, you can include the start authorizations for all HR apps, based on the technical catalog for HR.

Procedure
1. Run transaction Role Maintenance (PFCG) to copy the back-end authorization role required for your app to your customer namespace.
   For more information about the technical role name relevant for your app, see the app-specific documentation in the section SAP Fiori Apps.
2. Edit the copied business role.
3. On the Menu tab, open the menu of the pushbutton for adding objects (+ pushbutton) and choose the object type Authorization Default.
4. From the Authorization Default menu, choose TADIR Service and enter the following data:
   o Program ID: R3TR
   o Object Type: IWSV
5. In the table, enter the name of the activated OData service. For more information about the OData service for your app, see the app-specific documentation in the section SAP Fiori Apps.
6. On the Authorization tab, choose the pushbutton next to Profile Name to generate the authorization profile for the role.
7. Choose Change Authorization Data.
8. Choose Save and then Generate.
9. Run transaction User Maintenance (SU01) and assign the role to the user.

If the user does not yet have the business authorizations required to use the app, perform the following steps:
1. Open transaction User Maintenance (SU01).
2. On the Authorization tab, choose Generate Profile next to the profile name.
3. Choose Maintain Authorization Data.
4. On the Authorization Details screen, choose the Generate symbol.

4.4 Implementation Tasks for Manage TDMS Execution

The following sections list tasks that have to be performed to implement the Manage TDMS Execution app. The tables contain the app-specific data required for these tasks.

4.4.1 Front-End Server: Activate OData Services

Component | Technical Name
UICSLO01 | TDMS_MANAGE_EXEC_SRV 1.0

For more information about activating OData services, see Front-End Server: Activate OData Services.

4.4.1.1 Front-End Server: Activate UI5 Application

Component | Technical Name
UI5 Application | TDMS_EXEC_MAN

For more information about how to activate the UI5 application (ICF service), see Activate ICF Services.
4.4.1.2 Front-End Server: Enable App for Access in SAP Fiori Launchpad

There are several steps to be performed to enable the app for access in the SAP Fiori launchpad. You require the listed data to perform these steps. For more information about the steps to be performed, see Setup of Catalogs, Groups, and Roles in the Fiori Launchpad.

Component | Technical Name
Semantic Object | DataTransferPackage
Business Role | SAP_TDMS_BCR_SYSADMIN_T
Business Catalog | SAP_TDMS_BC_SYSADMIN_T
Business Catalog Group | SAP_TDMS_BCG_SYSADMIN_T
Technical Role | SAP_TDMS_TCR_T
Technical Catalog | SAP_TDMS_TC_T
LPD_CUST Role | UICSLO01
LPD_CUST Instance | TRANSACTIONAL

4.4.1.3 Front-End and Back-End Server: Assign Role with OData Service Authorization to Users

To restrict access to OData services to specific users, you have to assign roles (including OData service authorization for the app) to your users. You have to make the assignment on the back-end and on the front-end server:
- On the back-end server, a dedicated authorization role (PFCG role) for the OData service is delivered as an example. You can adjust this role according to your needs.
- On the front-end server, you can assign the OData service authorization to a new or existing role, such as a business role that has been adjusted according to your needs.

OData Service (Version Number) | Back-End Server: Delivered Authorization Role (PFCG Role) | Front-End Server: Authorization Role
TDMS_MANAGE_EXEC_SRV (0001) | SAP_TDMS_EXEC_MAN_APP | Use an existing role or create a new one.

For more information about authorization roles and assigned OData services, see Roles, Users, and Authorizations on Back-End Server.
5 Configuration

Once the complete infrastructure for SAP Approve All has been installed, you must perform the required configuration activities for these components. These are described in further detail in this chapter.

Configuration of SAP Fiori Infrastructure
To be able to install single apps in your SAP Fiori system landscape, you have to configure the SAP Fiori infrastructure.

5.1 Setup of SAP Fiori Launchpad

The SAP Fiori launchpad is the entry point to the apps, from desktop and mobile devices. You need to configure the SAP Fiori launchpad so that users can access those apps that have been assigned to their respective role.

For detailed information about the configuration tasks for the Fiori launchpad, see the following documentation:
- For SAP NetWeaver 7.31, see SAP Library for User Interface Add-On 1.0 on SAP Help Portal at http://help.sap.com/nw-uiaddon → Application Help → SAP Library → SAP Fiori Launchpad → Initial Launchpad Configuration.
- For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 → Application Help → UI Technologies in SAP NetWeaver → UI Frameworks based on HTML5, JavaScript and CSS → SAP Fiori Launchpad → Initial Launchpad Configuration.

5.2 Activate OData Services for SAP Fiori Launchpad

The activation of the OData services and of the ICF services is required to initially set up the SAP Fiori launchpad and the SAP Fiori launchpad designer. SAP NetWeaver Gateway provides the infrastructure for the OData services used by the SAP Fiori launchpad and the Fiori apps. An OData service has to be enabled in SAP NetWeaver Gateway, which establishes a mapping between the technical OData service name and the corresponding back-end service.

Procedure
1. Run transaction Activate and maintain services (/IWFND/MAINT_SERVICE) on the front-end server.
2. Use the system alias of your local system when activating the following services:

Note
Do not activate the /UI2/LAUNCHPAD service.
This service is not relevant for SAP Fiori. The service names listed below are concatenations of the namespace /UI2/ and the technical names of the individual services. Enter these concatenations when adding new services in transaction /IWFND/MAINT_SERVICE. When searching for services, you need to search either by namespace or by technical name.

/UI2/PAGE_BUILDER_CONF
/UI2/PAGE_BUILDER_PERS
/UI2/PAGE_BUILDER_CUST
/UI2/INTEROP
/UI2/TRANSPORT

The services are activated in your customer namespace, with technical names such as the following:
ZINTEROP
ZPAGE_BUILDER_CONF
ZPAGE_BUILDER_CUST
ZPAGE_BUILDER_PERS
ZTRANSPORT

3. Call each service once by selecting it in transaction Activate and maintain services (/IWFND/MAINT_SERVICE), then choosing Call Browser in the screen area ICF Nodes. Select the OData node, not the SDATA node. You have called a service successfully when an XML document is displayed without any error messages.

Note
When you call a service, a hash key is generated in the background. The hash key is required for the generation of authorization profiles under Assign Administrator Role for SAP Fiori Launchpad to Administrator User.

4. You can verify the hash key generation in table USOBHASH in transaction Data Browser (SE16). In the selection screen, specify the following:
   o R3TR in the PGMID field
   o IWSG in the Object field
   o The technical service name in the OBJ_NAME field
   The hash key should be displayed in the NAME column of the results table.

5.3 Activate SICF Services for SAP Fiori Launchpad

In addition to the ICF services that correspond to the OData services, you have to activate the following ICF services manually.

Procedure
1. Run transaction Maintain Services (SICF) on the front-end server.
2. In the menu under Service/host → Activate, activate the services under the following subtrees:
   /default_host/sap/bc/ui2/nwbc/
   /default_host/sap/bc/ui2/start_up
   /default_host/sap/bc/ui5_ui5/sap/ar_srvc_launch
   /default_host/sap/bc/ui5_ui5/sap/ar_srvc_news
   /default_host/sap/bc/ui5_ui5/sap/arsrvc_upb_admn
   /default_host/sap/bc/ui5_ui5/ui2/ushell
   /default_host/sap/public/bc/ui2
   /default_host/sap/public/bc/ui5_ui5

Note
In the Activation of ICF Services dialog box, choose Yes with the hierarchy icon to activate all child nodes under a service.

5.4 Assign Administrator Role for SAP Fiori Launchpad to Administrator User

You copy the administrator role for the SAP Fiori launchpad delivered by SAP and assign it to your administrator user. The administrator is then authorized to use the SAP Fiori launchpad designer.

Prerequisites
You have created an administrator user who needs extensive authorizations, such as S_SERVICE, S_DEVELOP, /UI2/CHIP, and S_CTS_SADM. If applicable, create the user with the ID the user already has in the back end.

Procedure
1. Run transaction Role Maintenance (PFCG) to copy the role SAP_UI2_ADMIN_700 to your customer namespace.
2. On the Menu tab, open the menu of the pushbutton for adding objects (+ button). Select the object type Authorization Default.
3. Choose TADIR Service from the menu for the Authorization Default. Specify the following values:
   o Program ID: R3TR
   o Object Type: IWSG
4. In the table, enter the names of your activated services in the form <technical service name>_<version number>, for example ZINTEROP_0001 and ZPAGE_BUILDER_CONF_0001. For the list of the activated services, see Activate OData Services for SAP Fiori Launchpad.
5. On the Authorizations tab, choose Propose Profile Name next to the Profile Name field.
6. Choose Change Authorization Data and then Generate. You have generated a role with five IWSG authorizations and five IWSV authorizations.
   The IWSV authorizations are included in the role delivered by SAP, so they are not in your customer namespace.
7. Assign the new role to your administrator user.

5.5 Assign Role with Launchpad Start Authorization to End Users

SAP delivers a predefined role with start authorizations for the SAP Fiori launchpad.

Prerequisites
You have created a user in transaction SU01, using the same user ID as on the back-end server.

Procedure
1. Run transaction Role Maintenance (PFCG) to copy the role SAP_UI2_USER_700 to your customer namespace.
2. On the Menu tab, open the menu of the button for adding objects (+ button). Choose the object type Authorization Default.
3. Choose TADIR Service from the menu for the Authorization Default. Specify the following values:
   o Program ID: R3TR
   o Object Type: IWSG
4. In the table, enter the following services:
   o ZINTEROP_0001
   o ZPAGE_BUILDER_PERS_0001
5. On the Authorizations tab, choose Propose Profile Name next to the Profile Name field.
6. Choose Change Authorization Data and then Generate.
7. Assign the new role to your test user.

5.6 Configure a Logout Screen for the SAP Fiori Launchpad (Optional)

After users log out from the SAP Fiori launchpad, the browser displays a generic logout screen. You can configure a custom HTML page that is displayed as the logout screen.

Procedure
1. On the SAP Fiori front-end server that runs the SAP Fiori launchpad, start transaction Maintain Services (transaction SICF).
2. On the start screen, choose External Aliases.
3. Select the host in the hierarchy that you want to be the root node of the alias, and choose Create New External Alias.
4. Enter the following data:
   External Alias: /sap/public/bc/icf/logoff
   Trg Element: /sap/public/bc/icf/logoff
5. On the Error Pages → Logoff Page tab page, in Redirect, enter the URL of the logout page in HTML format.
6. Save your entries.
More Information
- For SAP NetWeaver 7.31, see SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/nw731 → Application Help → Function-Oriented View → Application Server → Application Server Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Development → Server-Side Development → Creating and Configuring ICF Services → External Aliases.
- For SAP NetWeaver 7.4, see SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/nw74 → Application Help → Function-Oriented View → Application Server → Application Server Infrastructure → Functions and Tools of SAP NetWeaver Application Server → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Development → Server-Side Development → Creating and Configuring ICF Services → External Aliases Configuration Overview.

6 Security

6.1 Overview

When running SAP TDMS, you may want to ensure that your data and processes support your business needs without allowing unauthorized access to critical information. You may also want to prevent loss of information or processing time through user errors, negligence, or an attempted manipulation of your system. The SAP Fiori app for SAP TDMS, Manage TDMS Execution, provides for your security requirements.

Because the Manage TDMS Execution app deals with business data from your core business processes, it adheres to the highest security and quality requirements.
This section describes all the security-relevant information that you need to run Manage TDMS Execution. The system landscape for the Manage TDMS Execution app is built from multiple components, such as SAP Test Data Migration Server and SAP NetWeaver Gateway, so the corresponding component security guides also apply.

Related Links
- SAP Test Data Migration Server Security Guide
- SAP NetWeaver Gateway Security 2.0
- SAP Security Guides

6.2 Access

6.2.1 Secure System Access

Secure system access for Manage TDMS Execution involves user and password policies, as well as special considerations for mobile devices.

With Manage TDMS Execution, you can access many of the main functions of your SAP Test Data Migration Server (TDMS). Changes made in this application are automatically updated in the system over the Internet, online, and in real time. The application connects to the SAP TDMS backend system using HTTPS, and the same user, password, and password policies apply when connecting from a personal computer or a mobile device.

Special Considerations

Recommendation
Because mobile devices are at a greater risk of being lost or stolen, we strongly recommend that you configure your mobile devices to use the security features provided by the relevant mobile device platform. Enable an additional PIN (personal identification number) code so that users can lock their devices and prevent unauthorized users from accessing data. Enable remote management software that allows you to remotely lock mobile devices or wipe the data from them.

Recommendation
We strongly recommend that each mobile device have only a single dedicated user.
6.3 Communication

6.3.1 Network and Communication Security Overview

The following table shows the communication channels used by the SAP Fiori app Manage TDMS Execution, the protocol used for the connection, and the type of data transferred.

Communication Path | Protocol | Type of Data Transferred | Data Requiring Special Protection
Web browser acting as frontend client to SAP NetWeaver Gateway | HTTP/HTTPS | Application data and security credentials | Security credentials
SAP NetWeaver Gateway to SAP TDMS backend system | RFC | Application data (authentication via trusted RFC) | Application data (depending on individual security requirements and the criticality of the data)

6.3.2 Communication Encryption

All communication channels should be encrypted in order to ensure confidentiality and integrity of data. HTTP connections can be protected through Transport Layer Security (TLS). RFC connections can be protected through Secure Network Communications (SNC).

Demilitarized Zone
Internet access to your SAP TDMS backend system from the SAP Fiori app Manage TDMS Execution can be secured by means of an application-level gateway in the corporate network Demilitarized Zone (DMZ). This is described in the SAP NetWeaver Security Guide. In the following sections of this chapter, the application-level gateway is referred to as the reverse proxy.

Related Links
- SAP NetWeaver Gateway, see Encrypted Communication Channels
- Transport Layer Security (SAP NetWeaver Security Guide version 7.3 EHP 1)
- Application-Level Gateways Provided by SAP (SAP NetWeaver Security Guide version 7.3 EHP 1)
- Using Multiple Network Zones (SAP NetWeaver Security Guide version 7.3 EHP 1)

6.3.3 OData and HTTP Methods

Because the SAP Fiori app Manage TDMS Execution uses the Open Data Protocol (OData) to access data, the reverse proxy must be configured to allow certain HTTP methods.

The SAP Fiori app Manage TDMS Execution accesses backend data via OData. OData is a standardized protocol for creating and consuming data APIs. OData builds on core protocols like HTTP and commonly accepted methodologies like REST. The result is a uniform way to expose full-featured data APIs. RESTful web services rely on HTTP semantics. Thus they use the PUT and DELETE HTTP methods for update and delete operations. If a reverse proxy is used, it must be configured to allow those HTTP methods for the SAP NetWeaver Gateway OData services.

6.3.4 URL Rewriting

Recommendation
We recommend that you configure URL rewrite rules.

SAP NetWeaver Gateway OData services may return some Gateway absolute URLs. When these services are accessed through a reverse proxy, these URLs may be invalid and/or disclose system information (protocols, hostname, port numbers). Therefore, it is recommended to configure URL rewrite rules at the reverse proxy level. The data to process can be identified through its Content-Type HTTP header. The following content should be processed:
- text/HTML
- application/XML
- application/JSON

6.3.5 Internet Communication Framework Security

The SAP Fiori app Manage TDMS Execution consists of SAP NetWeaver Gateway OData services and HTML5/SAP UI5-based web-enabled content managed by the Internet Communication Framework (transaction SICF). You must activate the ICF services required for the applications that you want to use.

Note
You can also activate these services during the technical configuration.
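As an added example that is not part of this guide or of SAP's delivered code, the following Python sketch implements the reverse-proxy response handling recommended under URL Rewriting above (rewriting absolute Gateway URLs only in the three listed content types) and checks for the HttpOnly and Secure cookie flags that the profile parameters listed under Session Security Protection below are meant to add. The host names, cookie values and the profile excerpt are constructed placeholders.

```python
# Reverse-proxy response checks for SAP NetWeaver Gateway OData traffic. Added example,
# not code from the SAP guide; host names, cookie values and the profile excerpt are constructed.
from __future__ import annotations

import re

# Content types the guide says the URL rewrite should process (matched case-insensitively,
# ignoring parameters such as "; charset=utf-8").
REWRITE_CONTENT_TYPES = {"text/html", "application/xml", "application/json"}

# Profile parameters and recommended values from the Session Security Protection table.
RECOMMENDED_PARAMS = {
    "icf/set_HTTPonly_flag_on_cookies": "0",  # add HttpOnly flag (client-dependent)
    "login/ticket_only_by_https": "1",        # add Secure flag (not client-dependent)
}


def media_type(content_type: str) -> str:
    """Bare media type of a Content-Type header value, lower-cased."""
    return content_type.split(";", 1)[0].strip().lower()


def rewrite_body(content_type: str, body: str, internal_base: str, external_base: str) -> str:
    """Replace the internal scheme://host[:port] prefix of absolute Gateway URLs.

    Bodies of other content types (binary, unknown) are returned untouched so the rewrite
    cannot corrupt them. Only the prefix is replaced; the /sap/opu/odata/... path is kept
    so the URL resolves against the reverse proxy.
    """
    if media_type(content_type) not in REWRITE_CONTENT_TYPES:
        return body
    pattern = re.compile(re.escape(internal_base.rstrip("/")), re.IGNORECASE)
    return pattern.sub(external_base.rstrip("/"), body)


def cookie_flags(set_cookie: str) -> dict[str, bool]:
    """Whether a Set-Cookie header value carries the HttpOnly and Secure attributes."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


def check_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Findings for cookies that lack HttpOnly or Secure on an HTTPS response."""
    findings = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        flags = cookie_flags(header)
        if not flags["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not flags["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines of an AS ABAP profile; '#' lines are comments."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_profile(params: dict[str, str]) -> list[str]:
    """Findings for recommended parameters that are missing or set to another value."""
    findings = []
    for name, wanted in RECOMMENDED_PARAMS.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set explicitly (recommended {wanted}), verify effective value")
        elif actual != wanted:
            findings.append(f"{name}: is {actual}, recommended {wanted}")
    return findings


# Constructed sample data (not from a real system).
INTERNAL_BASE = "http://gw-internal.example.corp:8000"
EXTERNAL_BASE = "https://fiori.example.com"
SAMPLE_BODY = ('{"d":{"__metadata":{"uri":"' + INTERNAL_BASE +
               '/sap/opu/odata/sap/TDMS_MANAGE_EXEC_SRV/Packages(\'P1\')"},"PackageId":"P1"}}')
SAMPLE_SET_COOKIES = [
    "MYSAPSSO2=AjExMDAgABBQ...; path=/; domain=.example.com; HttpOnly",  # Secure flag missing
    "SAP_SESSIONID_FES_100=abc123; path=/; HttpOnly; Secure",
]
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 0
"""

if __name__ == "__main__":
    print(rewrite_body("application/json; charset=utf-8", SAMPLE_BODY, INTERNAL_BASE, EXTERNAL_BASE))
    print(check_cookies(SAMPLE_SET_COOKIES))       # ['MYSAPSSO2: missing Secure']
    print(check_profile(parse_profile(SAMPLE_PROFILE)))
```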
Note
Besides the activation of ICF nodes for the OData services gateway, you need to activate the OData services themselves within the gateway configuration. For more information about ICF and OData service activation, see the chapters on Setup and Configuration in this guide.

Related Links
RFC/ICF Security Guide (for SAP NetWeaver Gateway 7.3 EHP 1)

6.3.6 Session Security Protection

Recommendation
For NetWeaver version 7.0 and higher, it is recommended to activate HTTP security session management using transaction SICF_SESSIONS. In particular, it is recommended to activate extra protection of security-related cookies.

The HttpOnly flag instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.

The Secure flag tells the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

These additional flags are configured through the following profile parameters:

Profile Parameter | Recommended Value | Description | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https | 1 | Add Secure flag | Not client-dependent

Note
Logout is not available to users on NetWeaver versions below 7.02. Upgrading to NetWeaver 7.02 or higher is recommended.

Related Links
Activating HTTP Security Session Management on AS ABAP

6.4 Users

6.4.1 User Administration and Authentication

The SAP Fiori app Manage TDMS Execution adopts the user management and authentication mechanisms provided by the SAP NetWeaver platform, specifically SAP NetWeaver Application Server ABAP.
Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the applications, except in certain aspects such as authentication.

The SAP NetWeaver Application Server ABAP Security Guide contains the following information:
- User management: The user management concept, the tools used for user management, and the types of users required
- User Authentication and Single Sign-On: The authentication options supported and how they are integrated with SAP Single Sign-On mechanisms
- Authorization and roles: An overview of the authorization concept for mobile applications, authorization settings, network and communication security, and standard authorization roles
- Standard Authorization Objects: A summary of password-related security issues

The SAP NetWeaver Application Server ABAP Security Guide is available on the SAP Help Portal, or via the link in Related Links.

The applications use the following user management concepts:

Users in the Backend System (SU01, PFCG)
Existing users are relevant for the backend system. The authorizations required for a particular application are provided using a PFCG role delivered for each application. For more information, see Authorizations and Roles in this guide.

Note
If you enable users who never directly access the backend system, you should create these users in the backend system without a password. This protects them against attacks that exploit incorrect or insecure password handling (these users are unlikely to change the initial password if they do not actually need to).

Users in SAP NetWeaver Gateway (SU01, PFCG)
Users also require a user ID for the SAP NetWeaver Gateway layer. They must have the same username as the users in the backend system.
The user requires certain authorizations that allow the services of the application to be triggered in the backend. If you copy the users from the backend users, note the following recommendations:

If you use SSO2 logon tickets to authenticate the requests from the mobile device on SAP NetWeaver Gateway, copy the user without any password. This protects against attacks based on incorrect or insecure password handling. The same recommendation applies if you prefer to create users from scratch.

If users already exist in SAP NetWeaver Gateway, these steps are not relevant. Authentication can be carried out with the same credentials as for the existing application.

To authenticate users, you can set up integration with your existing SSO solution based on SAP Logon Tickets or SAML. The user name in the system that issues the logon tickets has to be the same as the user name in the Gateway system and in the backend system.

Related Links
SAP NetWeaver Application Server ABAP Security Guide
User Authentication and Single Sign-On [page 10]

6.4.1.1 User Creation and Authorization Assignment
Follow this procedure to create users and assign authorizations to them:
1. Create users on the SAP NetWeaver Gateway system and on the application backend system.
2. Decide on your preferred mechanism for user authentication and SSO.
3. Create dedicated authorizations for application users in the Gateway system.

6.4.1.2 User Management Tools
For information about the tools used for user management and user administration with these applications, refer to the documentation User and Role Administration of AS ABAP.

Note
For user notification about initial logon and activation, a user management tool is often used to send out an e-mail containing the necessary logon information.
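The rules of this section (the same user name on the Gateway and the backend system, no password for Gateway users whose requests are authenticated by SSO, and no password for users who never log on to the backend directly) can be checked mechanically against user exports from both systems. The following is an added example, not SAP code and not part of this guide: the export format, the user records and the set of users who really use SAP GUI on the backend are constructed; on a real system take the user list and password state from SU01/SUIM (or table USR02) of each system. Technical users (SU01 types System and Communication) are deliberately left out of the password rules, because their RFC connections need credentials.

```python
"""Reconcile the Gateway and backend user base against the rules of this section.

Added example, not SAP code. The export format and all user data are
constructed.
"""
from typing import Dict, List, NamedTuple, Set


class UserRecord(NamedTuple):
    name: str       # SAP user ID; compared case-insensitively, SAP stores it upper-case
    user_type: str  # SU01 user type: Dialog, System, Communication, Service, Reference
    password: str   # password state as SU01 shows it: NONE, INITIAL or PRODUCTIVE


def load_export(text: str) -> Dict[str, UserRecord]:
    """Parse 'name;type;password' lines (constructed format); '#' lines are comments."""
    users: Dict[str, UserRecord] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, user_type, password = (field.strip() for field in line.split(";"))
        key = name.upper()
        users[key] = UserRecord(key, user_type, password.upper())
    return users


def reconcile(gateway: Dict[str, UserRecord], backend: Dict[str, UserRecord],
              sso_on_gateway: bool, direct_backend_logon: Set[str]) -> Dict[str, List[str]]:
    """direct_backend_logon: users who really log on to the backend themselves
    (for example with SAP GUI). Everybody else reaches it only through the
    Gateway and should have no backend password. Only dialog users are
    compared; technical users are not expected to mirror each other."""
    gw_dialog = {n for n, u in gateway.items() if u.user_type == "Dialog"}
    be_dialog = {n for n, u in backend.items() if u.user_type == "Dialog"}
    direct = {n.upper() for n in direct_backend_logon}
    return {
        "missing_in_backend": sorted(gw_dialog - be_dialog),
        "missing_in_gateway": sorted(be_dialog - gw_dialog),
        "gateway_password_despite_sso": sorted(
            n for n in gw_dialog if sso_on_gateway and gateway[n].password != "NONE"),
        "backend_password_without_direct_logon": sorted(
            n for n in be_dialog if n not in direct and backend[n].password != "NONE"),
    }


# --- constructed sample exports --------------------------------------------
GATEWAY_EXPORT = """# user;type;password  (Gateway system, constructed)
JSMITH;Dialog;NONE
mmueller;Dialog;INITIAL
AKHAN;Dialog;NONE
RFC_BACKEND;System;PRODUCTIVE
"""
BACKEND_EXPORT = """# user;type;password  (backend system, constructed)
JSMITH;Dialog;PRODUCTIVE
MMUELLER;Dialog;INITIAL
PRIYA;Dialog;PRODUCTIVE
"""
# Only JSMITH also uses SAP GUI on the backend (constructed assumption).
DIRECT_BACKEND_LOGON = {"jsmith"}

if __name__ == "__main__":
    report = reconcile(load_export(GATEWAY_EXPORT), load_export(BACKEND_EXPORT),
                       sso_on_gateway=True, direct_backend_logon=DIRECT_BACKEND_LOGON)
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The INITIAL password state is the one the note above warns about: a user who never logs on directly has no reason to ever change it, so it stays guessable for as long as the account exists. Run the reconciliation again whenever users are copied or created, and feed the "missing" lists into CUA or your identity management system rather than fixing them by hand.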
Related Links
User and Role Administration of AS ABAP

6.4.1.3 User Types
You may have to employ different security policies for different types of users. For SAP Fiori, the following minimum user types are required:

Individual user
Individual users provide access to an application and to administrative tasks.

Technical user
Technical users enable data communication between systems.

Related Links
User Types

6.4.1.4 User Data Synchronization
Users must have the same user name in SAP NetWeaver Gateway as they do in the backend system. You can use Central User Administration (CUA) or your existing identity management system to ensure that the user names on both systems match.

6.4.2 User Authentication and Single Sign-On
The SAP Fiori app Manage TDMS Execution supports the following authentication and single sign-on mechanisms.

6.4.2.1 SAML 2.0 Single Sign-On
The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource. SAML version 2.0 is an SAP-recommended single sign-on (SSO) solution, which provides cross-domain SSO, single log-out (SLO), and identity federation capabilities. It requires an Identity Provider (IdP) in the landscape.

Related Links
SAML 2.0

6.4.2.2 SAP Logon Tickets (MYSAPSSO2)
SAP Fiori supports the use of logon tickets for SSO. In this case, users are issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) within the same domain as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the ticket.
Note
The SAP ticket is passed in the MYSAPSSO2 cookie. The initial SAP system and SAP NetWeaver Gateway must be in the same DNS domain so that the browser transmits the cookie to both.

Note
User names must match between the systems using the ticket and the SAP NetWeaver Gateway.

Related Links
Authentication on the AS ABAP

6.4.2.3 X.509 Client Certificates
An X.509 client certificate is a digital "identification card" for use on the Internet, also known as a public-key certificate. A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the TLS protocol. The information contained in the certificate is passed to the server, and the user is logged on based on this information; the distinguished name in the certificate has to be mapped to the SAP user on the server (for example with transaction EXTID_DN). User authentication takes place in the underlying protocol, and no user ID and password entries are necessary.

Related Links
Using X.509 Certificates

6.4.2.4 SAP NetWeaver Gateway Username and Password
This authentication method can include authenticating with a standard login form and HTTP basic authentication.

Authenticating with a standard login form
The ICF login class /UI2/CL_SRA_LOGIN is available in package /UI2/SRVC_INFRA. It provides a login form with an SAP Fiori theme. Optional language and client selection can be configured.

In order to use the ICF system login in the SAP Fiori app Manage TDMS Execution, the login must be configured at least on the following nodes:
/sap/bc/ui2/start_up
/sap/bc/ui5_ui5/ui2/launchpage
/sap/bc/ui5_ui5/ui2/tilechips
SAP Fiori UI add-on nodes:
/sap/bc/ui5_ui5
/sap/xxx

It is possible to achieve a simpler configuration by setting the login on a higher-level ICF node, from which the subordinate nodes inherit it. However, this also changes the logon behaviour of every other service below that node and may affect other applications.
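The trade-off in the previous paragraph can be worked out before touching transaction SICF. The following is an added example, not SAP code and not part of this guide. It models the ICF inheritance rule (a logon setting on a node applies to every node below it unless a subordinate node overrides it; overrides are not modelled here) and, for a candidate set of nodes to configure, reports which required nodes remain uncovered and which other active services would pick up the logon change as a side effect. The required nodes are the ones listed above (the "/sap/xxx" placeholder for the app's own node is omitted); the other active nodes are constructed and stand in for the real SICF tree of a system.

```python
"""Coverage of an ICF system-logon configuration.

Added example, not SAP code. Required nodes are from the guide; the other
active nodes are constructed. Overrides on subordinate nodes are not modelled.
"""
from typing import Iterable, List, Tuple

REQUIRED_NODES = [
    "/sap/bc/ui2/start_up",
    "/sap/bc/ui5_ui5/ui2/launchpage",
    "/sap/bc/ui5_ui5/ui2/tilechips",
    "/sap/bc/ui5_ui5",
]

# Constructed: other active services that share the tree on this system.
OTHER_ACTIVE_NODES = [
    "/sap/bc/ui5_ui5/sap/zcustom_app",  # hypothetical customer UI5 app
    "/sap/bc/gui/sap/its/webgui",
    "/sap/bc/ping",
    "/sap/opu/odata/sap",
]


def _normalize(node: str) -> str:
    # ICF service names are not case-sensitive; trailing slashes carry no meaning.
    stripped = node.strip().strip("/").lower()
    return "/" + stripped if stripped else "/"


def inherits_from(parent: str, node: str) -> bool:
    """True when a setting on `parent` reaches `node` through ICF inheritance.
    Matching is done on whole path segments, so /sap/bc/ui5 does not cover
    /sap/bc/ui5_ui5."""
    parent, node = _normalize(parent), _normalize(node)
    if parent == "/":
        return True
    return node == parent or node.startswith(parent + "/")


def logon_coverage(configured: Iterable[str],
                   required: List[str] = REQUIRED_NODES,
                   others: List[str] = OTHER_ACTIVE_NODES) -> Tuple[List[str], List[str]]:
    """Return (required nodes not covered, other nodes affected as a side effect)."""
    configured = list(configured)
    uncovered = [n for n in required
                 if not any(inherits_from(c, n) for c in configured)]
    collateral = sorted(n for n in others
                        if any(inherits_from(c, n) for c in configured))
    return uncovered, collateral


if __name__ == "__main__":
    for candidate in (REQUIRED_NODES, ["/sap/bc/ui5_ui5"], ["/sap/bc"]):
        uncovered, collateral = logon_coverage(candidate)
        print(f"configure on {candidate}:")
        print(f"  not covered : {uncovered or 'none'}")
        print(f"  also affects: {collateral or 'none'}")
```

Even the precise configuration has a side effect, because /sap/bc/ui5_ui5 is itself one of the required nodes and every UI5 application below it inherits the login. Configuring /sap/bc alone covers all required nodes in one step but also changes the logon procedure of unrelated services such as the Web GUI, which is exactly the effect the guide warns about.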
HTTP Basic Authentication
Basic authentication is an HTTP standard authentication method that allows a web browser or other web client to provide credentials in the form of a user ID and password when making a request to a server. Basic authentication is supported by the majority of web clients and is the authentication mechanism that can be implemented with the least additional effort. Because the credentials are only Base64-encoded, not encrypted, basic authentication must only be used over HTTPS.

Related Links
System Logon
Basic Authentication (User ID and Password)

6.4.3 Authorizations
The SAP Fiori app Manage TDMS Execution uses the authorization concept provided by the SAP NetWeaver Application Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the SAP Fiori app Manage TDMS Execution.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the Application Server ABAP (AS ABAP).

Gateway Roles and Authorizations
All HTML5-based applications communicate with the ABAP backend through OData services, which must be activated during system installation. In addition to authorization in the backend ERP system, users must be granted authorization to access the HTML5-based applications and the OData services in the SAP NetWeaver Gateway.

For more information about how to configure the gateway for OData channel users or gateway users, see the SAP Help Portal at http://help.sap.com/nw > SAP Gateway > Security Information > English > SAP NetWeaver Gateway Security Guide > Authorizations in the SAP System > Roles in the SAP NetWeaver Gateway Landscape.

Related Links
SAP NetWeaver Gateway Security Guide
Role Administration (SAP NetWeaver 7.3 EHP1)
6.5 Logging

6.5.1 Security-Relevant Logging and Tracing
For more information about security logs for the SAP NetWeaver Gateway, see the "Logging in SAP NetWeaver Gateway" section of the SAP NetWeaver Gateway Developer Guide for SAP NetWeaver Gateway SP06.

Related Links
SAP NetWeaver Gateway Developer Guide

6.5.2 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis:

Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:
- Whether SAP Security Notes have been identified as missing on your system. In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should help you decide how to handle the individual cases.
- Whether an accumulation of critical basis authorizations has been identified. In this case, verify whether the accumulation of critical basis authorizations is acceptable for your system. If not, correct the situation. If you consider the situation acceptable, you should still check for any significant changes compared to former EWA reports.
- Whether standard users with default passwords have been identified on your system. In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including the following:
- Critical authorizations in detail
- Security-relevant configuration parameters
- Critical users
- Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service.
We recommend that you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.

Security Configuration Validation
Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties such as the existence of a non-trivial RFC gateway configuration (the secinfo and reginfo access control lists) or making sure that standard users do not have default passwords.

Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best-practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.

Related Links
EarlyWatch Alert
SAP Security Optimization Service Portfolio
SAP Security Notes
End To End Change Control Management, see the Configuration Validation section
Run SAP Methodology, see sections 2.6.3, 3.6.3, and 5.6.3

7 Operations
This guide covers the general steps to take when operating SAP Fiori apps. Where necessary, these instructions refer to app-specific documentation.

7.1 Monitoring SAP Fiori Apps
SAP NetWeaver Gateway plays an important role within the system landscape for SAP Fiori apps. Therefore, monitoring SAP NetWeaver Gateway is essential for monitoring SAP Fiori apps.

SAP NetWeaver Gateway
SAP Solution Manager 7.1 SP04 or higher supports root-cause analysis for SAP NetWeaver Gateway. For more information, see https://service.sap.com/support > SAP Solution Manager > Run SAP like a Factory > Application Operations > End-to-End Root Cause Analysis. Also, see SAP Note 1478974.
For more information about monitoring SAP NetWeaver Gateway, see the following documentation:
For SAP NetWeaver 7.31, see the SAP Library for SAP NetWeaver Gateway 2.0 SPS 08 on SAP Help Portal at http://help.sap.com/nwgateway20 > System Administration and Maintenance Information > Technical Operations for SAP NetWeaver > SAP NetWeaver Gateway Technical Operations Guide.
For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Technical Operations Guide.

For more information about the error log for the SAP NetWeaver Gateway hub, see the following documentation:
For SAP NetWeaver 7.31, see the SAP Library for SAP NetWeaver Gateway 2.0 SPS 08 on SAP Help Portal at http://help.sap.com/nwgateway20 > System Administration and Maintenance Information > Technical Operations for SAP NetWeaver > SAP NetWeaver Gateway Technical Operations Guide > Supportability > Error Log.
For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Technical Operations Guide > Supportability > Error Log.

User Interface Add-On for SAP NetWeaver
For more information about administrative tasks, see the following documentation:
For SAP NetWeaver 7.3, see SAP Library for User Interface Add-On 1.0 on SAP Help Portal at http://help.sap.com/nw-uiaddon > System Administration and Maintenance Information > Administration Guide.
For SAP NetWeaver 7.4, see the documentation on SAP Help Portal at http://help.sap.com/nw74 > Application Help > UI Technologies in SAP NetWeaver > UI Frameworks based on HTML5, JavaScript and CSS > SAP NetWeaver User Interface Services > Administration Guide.
For more information about problem solving related to the SAP Fiori launchpad, see the following documentation:
For SAP NetWeaver 7.31, see SAP Library for User Interface Add-On 1.0 on SAP Help Portal at http://help.sap.com/nw-uiaddon > Application Help > SAP Library > SAP Fiori Launchpad > Troubleshooting.
For SAP NetWeaver 7.4, see the documentation on SAP Help Portal at http://help.sap.com/nw74 > Application Help > UI Technologies in SAP NetWeaver > UI Frameworks based on HTML5, JavaScript and CSS > SAP Fiori Launchpad > Troubleshooting.

7.2 Troubleshooting

7.2.1 General Tips
Make sure the following is done:
- Components, Support Packages, and SAP Notes are installed.
- Communication channels are configured.
- All relevant OData services and ICF nodes are active.
- Roles and authorizations are assigned.

7.2.2 Launchpad and Launchpad Designer
Symptom: Launchpad does not display catalogs.
Symptom: Launchpad does not start.
For general information about troubleshooting the launchpad and launchpad designer, see the following:
For SAP NetWeaver 7.31, see SAP Library for User Interface Add-On 1.0 on SAP Help Portal at http://help.sap.com/nw-uiaddon > Application Help > SAP Library > SAP Fiori Launchpad > Troubleshooting.
For SAP NetWeaver 7.4, see the documentation on SAP Help Portal at http://help.sap.com/nw74 > Application Help > UI Technologies in SAP NetWeaver > UI Frameworks based on HTML5, JavaScript and CSS > SAP Fiori Launchpad > Troubleshooting.

Symptom: Launchpad designer does not start.

Possible Cause                                                                                Solution
SAP NetWeaver Gateway is not active.                                                          Activate SAP NetWeaver Gateway.
ICF node for launchpad is not active.                                                         Configure SAP Fiori launchpad.
Services for launchpad are not active.                                                        Configure SAP Fiori launchpad.
User is not authorized to start launchpad (for example, the error log shows HTTP 401).        Assign roles and authorizations.
SAP NetWeaver Gateway not available.                                                          See SAP Note 1797736.
ABAP back end not available (for example, the error log shows HTTP error 5nn).

Symptom: Launchpad designer does not display catalogs.

Possible Cause                                      Solution
User is not authorized to display catalogs.         Assign roles and authorizations.

7.2.3 SAP NetWeaver Gateway
For more information, see SAP Note 1797736.

7.2.4 Search
Symptom: Search does not display results.
Symptom: Search field is not displayed.
For more information, see Setup of SAP Fiori Search.

7.2.5 SAP Fiori Apps

7.2.6 SAP Fiori Apps in General
Symptom: A specific app is not displayed in the launchpad.
Symptom: App does not start.
Symptom: App does not display any data.
Symptom: App launcher does not display dynamic data for the app (counter or similar).

Possible Cause                                      Solution
User is not authorized to display the app.          Assign roles and authorizations.
                                                    Check the browser log.
                                                    Check the SAP NetWeaver Gateway error log (transaction /IWFND/ERROR_LOG).
                                                    Check whether the back end is connected.

Symptom: The app displays data of other users or data that was created by another user ID.
Symptom: Error message "Your user is not configured properly. Please contact system administrator".

Possible Cause                                      Solution
Trusted RFC not configured correctly.               See Communication Between ABAP Front-End and ABAP Back-End Server.

Treat the first of these two symptoms as a security finding, not only as a defect: the RFC destination from the front-end server to the back end is not propagating the logged-on user (for example, a fixed logon user is configured instead of the current user), so backend authorization checks run under the wrong identity.

8 Support
System administrators are the single point of contact for SAP Support to supply your company with solutions to issues that arise in your system. Manage TDMS Execution provides all the tools that you as a system administrator require to manage support of your users.
Support Desk Management
Support Desk Management enables you to set up an efficient internal support desk for your support organization that seamlessly integrates your end users, internal support employees, partners, and SAP Active Global Support specialists with an efficient problem resolution procedure. For support desk management, you need the methodology, management procedures, and tools infrastructure to run your internal support organization efficiently.

Remote Support Setup
SAP support needs to be able to work remotely to achieve the highest efficiency and availability. Therefore, all required support tools must be remotely accessible for SAP support. For more information on how to set up remote connections, see the SAP Support Portal on SAP Service Marketplace at http://service.sap.com/access-support > Available Connection Types.

Recommendation
For SAP NetWeaver Gateway and SAP back-end systems, the following connection types are a good starting point:
- HTTP Connect (URL Access)
- R/3 Support
- Connection types enabling access to the operating system
Connection types that give access to the operating system grant the highest privileges of the three; open them only for the duration of a support case. For Sybase Control Center, you should activate HTTP URL access as a minimum.

Problem Message Handover
When creating a message, you need to distinguish between back-end application-related issues and issues with the mobile components. For back-end related issues, use the standard application component hierarchy for SAP TDMS 4.0. Mobile apps and related technology components have been assigned to the component CA-TDMMOB:

www.sap.com/contactsap

Manage TDMS Execution Administrator's Guide
© 2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.