AdminGuideMSSAddOnEHP5 V2
AdminGuideMSSAddOnEHP5 V2
AdminGuideMSSAddOnEHP5 V2
0
Using SAP Enhancement Package 5 for SAP ERP 6.0
Target Audience Consultants Administrators Others
SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com
Copyright 2009 SAP AG. All rights reserved. Java is a registered trademark of Sun Microsystems, Inc No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Disclaimer Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. Any Java Source Code delivered with this product is only to be used UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Documentation in the SAP Service Marketplace You can find this documentation at the following Internet address:
service.sap.com/instguides
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
by SAPs Support Services and may not be modified or altered in any way.
Typographic Conventions
Type Style Example Text Represents Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation Example text Emphasized words or phrases in body text, titles of graphics and tables Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE. Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries. Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Icons
Icon Meaning Caution Example Note Recommendation Syntax
EXAMPLE TEXT
Example text
Example text
<Example text>
EXAMPLE TEXT
History of Changes
The Master Guide is regularly updated in SAP Service Marketplace at http://service.sap.com/instguides. Make sure you have the latest version of the Master Guide by checking SAP Service Marketplace immediately before starting the installation. The following table provides an overview of the most important changes that were made in the latest versions. Master Guide Version 1.00 (June 2011) 2.00 (August 2012) Name changed to Administrators Guide and other minor ammendments and updates. Important Changes
June 2011
Contents
History of Changes ................................................................................ 4
5.4 Authorizations ................................................................................ 24 5.5 Session Security Protection ......................................................... 27 5.6 Network and Communication Security ........................................ 28
5.6.1 Network Security ............................................................................... 29 5.6.2 Communication Destinations ........................................................... 29
5.7 Internet Communication Framework Security ............................ 32 5.8 Security-Relevant Logging and Tracing ...................................... 36
1 Getting Started
1 Getting Started
1.1 About this Document
Purpose
This Master Guide is the central source of information for the technical implementation of Manager Self-Service (WDA), available with Manager Self-Service Add-On 1.0 based on SAP enhancement package 5 for SAP ERP 6.0. It provides cross-scenario implementation information as well as scenario-specific information. You can use the Master Guide to get an overview of Manager Self-Service (WDA) and its software units from a technical perspective. The Master Guide is a planning tool that helps you to design your system landscape and it refers you to the detailed documentation that is required, mainly: Installation guides for single software units SAP Notes Configuration documentation SAP Library documentation
This Master Guide is a single source of information for the documentation that is available to support the installation and operation of Manager Self-Service (WDA). Therefore, this Master Guide contains all of the following: Planning Information [page 7] The first two chapters of the Master Guide provide you with the most important information regarding the implementation of Manager Self-Service (WDA) including an overview of the related planning information, its software units, the system landscape and the overall implementation sequence. Installation Information [page 13] This chapter gives you an overview of the installation components and the sequence in which they are installed, as described in detail in the Installation Note 1576982 of Manager Self-Service Add-On 1.0. Operation Information [page 14] This chapter provides you with the most relevant information needed for the operation of Manager Self-Service (WDA). Security Information [page 16] This chapter provides you with the information that you require to operate Manager SelfService (WDA) securely. Upgrade Information [page 37] This chapter provides you with the latest upgrade information.
Constraints
This Master Guide primarily discusses the overall technical implementation of Manager SelfService (WDA), rather than its subordinate components. This means that additional software dependencies might exist without being mentioned explicitly in this document. You can find more information on component-specific software dependencies in the corresponding installation guides.
June 2011
1 Getting Started
http://service.sap.com/platforms To access the Platform Availability Matrix directly, enter http://service.sap.com/pam. http://service.sap.com/securityguide http://www.sdn.sap.com/irj/sdn/ha http://service.sap.com/performance http://service.sap.com/sp-stacks
http://www.sdn.sap.com/irj/sdn/i18n
June 2011
1 Getting Started
It should be considered that there are several documents available to support the installation of your product and its enhancement packages including: Master Guide Installation Guide Installation Guide: SAP Enhancement Package Installation Using SAP Enhancement Package Installer (SAPehpi) 7.02 Troubleshooting and Administration for Installations Using SAPehpi (ABAP) Practical Guide for How to Install SAP Enhancement Packages You can find all these guides on SAP Service Marketplace under service.sap.com/instguides where the installation guides of your products are located.
June 2011
1 Getting Started
1555377
For Flex Team View, Correction to MSSDIREC Report to Accept User Corrections in Skills & Profile Matchup Components Technical Enhancement for Sideby-Side Comparison Nakisa Enhancements for MSS LPD: Function Module for Displaying Launchpad Two-Level Menu and Corrections to the Layout PFCG/WDA: Dump Using AutoDetect Short Profile for Object Type P BP ERP05 COMMON PARTS enhancements for MSS Add-On 1.0 This Note is required only when using MSS Add-On in SAP Enterprise Portal. This Note should be applied before installing the BP Manager Self Service Add-On 1.0. This Note is required only when using the embedded Organizational Chart Visualization provided by Nakisa.
1433225
June 2011
Manager Self-Service (WDA) is available in two deployment options: SAP NetWeaver Portal role Business Package MSS Add-On 1.0 Manager Self-Service in SAP NetWeaver Business Client (NWBC) Some parts of the information in this Master Guide only apply to one of the two MSS (WDA) deployment options. Where this occurs, a comment is provided at the beginning of each such section, explaining which deployment option is valid. If not stated otherwise, the information given in the different sections of the Master Guide applies to both Manager Self-Service (WDA) deployment options.
Service (WDA)
The Software Units required for Manager Self-Service (WDA) are as follows: Software components Application components (Portal Content, etc.) Third-party components (external products)
Table: Software units for Manager Self-Service (WDA): Type of Component Software Component Software Component Software Component Software Component Software Component Component SAP_ABA 702 SAP_BS_FND 702 WEBCUIF 701 EA_HR 6.05 SAP_HR 6.04 Required for the Following Features Only
10
June 2011
EA-HR_MSS 1.0 ERECRUIT 605 Business Package SAP MSS Add-On 1.0 Organizational Chart Visualization by Nakisa (EMBORGCH605) Adobe Flash Player E-Recruiting applications in the Manager roles Deployment option SAP NetWeaver Portal Hierarchical team representation for the Team View application (optional) Team View and Talent Management applications and Xcelsius dashboards in the Reports launchpad
External Product
BF
BF BF BF BF BF
EA-HR 605
BF
BF
SAP_HR 604
SAP NW EP Core
Portal Content
You need to activate the Business Function HCM_PD_UI_1 when you want to use the embedded Organizational Chart Visualization provided by Nakisa. For more information see Organizational Chart Visualization in Manager Self-Services Note 1433225.
11
June 2011
We strongly recommend that you use a minimal system landscape for test and demo purposes only. For performance, scalability, high availability, and security reasons, do not use a minimal system landscape as your production landscape.
Process
Implementation Sequence Step Action [Required Documentation] 1 Installation of SAP enhancement package 5 for SAP ERP 6.0 on the SAP ECC server [Installation Guides] [external link] 2 3 SAP NetWeaver Portal with SAP NetWeaver 702 Installation of the MSS Add-On 1.0 on the SAP ECC server [MSS Add-On 1.0 Installation Note 1576982] 4 Activation of all required business functions. As a minimum, you have to activate the MSS Add-On business function HCM_MSS_WDA_1. Installation of BP ERP common parts 1.51 SP04 package Installation of the BP MSS Add-On 1.0 Only for deployment option SAP portal Only for deployment option SAP Portal Only for deployment option SAP Portal Note the prerequisites that have to be fulfilled before the installation (the required software components and notes) Remarks/Subsequent Steps
5 6
12
June 2011
3 Installation Information
3 Installation Information
This chapter gives you an overview of the installation process and the required component versions that have to be installed for Manager Self-Service (WDA). You need to install the stated versions of the following components: Software Component SAP_BASIS 702 SP07 Software Component SAP_ABA 702 SP07 Software Component SAP_BS_FND 702 SP05 Software Component WEBCUIF 701 SP04 Software Component SAP_HR 6.04 SP035 Software Component EA_HR 6.05 SP012 Software Component EA-HR_MSS 1.0 Software Component EMBORGCH605 (Where you use the embedded Organizational Chart Visualization provided by Nakisa.) For the latest component version and patch level requirements, see the MSS Add-On 1.0 Installation Note 1576982.
For the implementation of the MSS Add-On 1.0, you need the SAINT [external link] tool. There is no specific installation sequence required for the above mentioned software components.
For more detailed information on the installation process, see the MSS AddOn 1.0 Installation Note 1576982. After the installation of the technical software units for Manager Self-Service (WDA), you may also have to install the following components (as required): Portal Content Business Package MSS Add-On 1.0 (for deployment option SAP NetWeaver Portal) Organizational Chart Vizalisation by Nakisa (for the hierarchical team representation for the Team View application) Adobe Flash Player (for Team View, Time Recording Status for My Team and applications from Talent Management; if you want to use the Xcelsius dashboards in the Reports launchpad, you require Adobe Flash Player version 9 or higher) SAP NetWeaver 7.0 BI Content Add-On 5 SP01 (for BI reports in the Reports launchpad) Extension for SAP NetWeaver 7.02 BI Content Add-On (for Xcelsius dashboards in the Reports launchpad)
You also need to activate business function HCM, Manager Self-Service on Web Dynpro ABAP (HCM_MSS_WDA_1).
13
June 2011
4 Operation Information
4 Operation Information
This chapter provides you with the most important information regarding the operation of Manager Self-Service (WDA). Within the management of SAP Technology, monitoring is an essential task. A section has therefore been devoted solely to this subject. You can find more information about the underlying technology in the SAP NetWeaver Technical Operations Manual on SAP Help Portal at help.sap.com/nw for SAP NetWeaver 7.0 (including Enhancement Package 2) SAP NetWeaver 7.0 Library English SAP NetWeaver LibraryAdministrators Guide Technical Operations Manual for SAP NetWeaver.
14
June 2011
4 Operation Information
(type, created by/on, etc.). Each log in the database also has the attributes Object and Subobject. These attributes describe the application which wrote the log, and classify this application. For Manager Self-Service (WDA), no specific Log Objects / Sub-objects exist. Data tracking is available for some applications in Manager Self-Service (WDA), see also chapter Security-Relevant Logging and Tracing [page 36].
The release strategy and information regarding support packages for Manager Self-Service (WDA) is explained in SAP Note 1582553.
15
June 2011
5 Security Information
5 Security Information
This chapter of the Master Guide provides an overview of the security-relevant information that applies to Manager Self-Service (WDA). The following deployment options are available for Manager Self-Service (WDA): Business Package for MSS Add-On 1.0 This Business Package is a classic SAP Business Package that runs in the SAP NetWeaver Portal. The Portal role consists of worksets and iViews based on Web Dynpro ABAP technology. Manager Self-Service in SAP NetWeaver Business Client The role structure for this deployment option is maintained in the back-end system with the SAP role maintenance transaction PFCG. All applications available with this role are based on Web Dynpro ABAP technology.
Some parts of the security information in this chapter only apply to one of the MSS (WDA) deployment options. Where this occurs, a comment is provided at the beginning of each such section, explaining which deployment option is valid. If not stated otherwise, the security information in this chapter applies to both MSS deployment options. See also: For more information about the roles in SAP NetWeaver Portal, see SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp Cross-Application Functions in SAP ERP Roles Business Packages (Portal Content). For more information about the roles in SAP NetWeaver Business Client, see SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp CrossApplication Functions in SAP ERP Roles Roles in SAP NetWeaver Business Client. For more information about SAP NetWeaver Business Client, see SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver SAP NetWeaver by Key Capability Application Platform by Key Capability ABAP Technology UI Technology SAP NetWeaver Business Client.
Reference to General Information in the SAP ERP Central Component Security Guide
The following security-related topics from the SAP ERP Central Component Security Guide are valid for SAP ERP Central Component in general and are also valid for Manager Self-Service (WDA): Before You Start This topic provides an overview of other Security Guides that are a basis for the SAP ERP Central Component Security and of important SAP Notes regarding security.
16
June 2011
5 Security Information
User Data Synchronization This topic provides an overview of the user synchronization strategy if several components or products are integrated.
Integration in Single Sign-On Environments This topic provides an overview of the single sign-on (SSO) mechanisms that are used by SAP ERP Central Component.
Communication Channel Security The topic provides an overview of the communication channels used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.
Data Storage Security This topic provides an overview of any critical data that is used by SAP ERP Central Component and the security mechanisms that apply.
Enterprise Services Security This topic provides an overview of the security aspects of the enterprise services that are delivered with SAP ERP Central Component.
Services in Lifecycle Management for Security This topic provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis. For more information, see the SAP ERP Central Component Security Guide in SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp for ERP Central Component Enhancement Package 5 under SAP ERP Cross-Application Functions SAP ERP Security Guides SAP ERP Central Component Security Guide.
17
June 2011
5 Security Information
User Management [page 22] This section contains information about the user types that are required by Manager Self-Service (WDA) and standard users for Manager Self-Service (WDA).
Integration into Single Sign-On Environments [page 24] This topic describes how the Manager Self-Service (WDA) supports Single Sign-On mechanisms.
Authorizations [page 24] This section provides an overview of the authorization concept that applies to Manager Self-Service (WDA).
Session Security Protection [page 27] This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
Network and Communication Security [page 28] This section provides an overview of the communication paths used by Manager Self-Service (WDA) and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level: o o Network Security [page 29] Communication Destinations [page 29]
Internet Communication Framework Security [page 32] This section provides an overview of the Internet Communication Framework (ICF) services that are used by Manager Self-Service (WDA).
Security-Relevant Logging and Tracing [page 36] This section provides an overview of the logging and tracing mechanisms that apply to Manager Self-Service (WDA).
18
June 2011
5 Security Information
For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at http://service.sap.com/securitynotes.
19
June 2011
5 Security Information
Additional Information
For more information about specific topics, see the Quick Links shown in the table below. Content Quick Link on SAP Service Marketplace or SDN http://sdn.sap.com/irj/sdn/security http://service.sap.com/securityguide http://service.sap.com/notes Related SAP Notes http://service.sap.com/securitynotes http://service.sap.com/pam http://service.sap.com/securityguide http://service.sap.com/solutionmanager http://sdn.sap.com/irj/sdn/netweaver http://www.sdn.sap.com/irj/sdn/adobe
Released Platforms Network Security SAP Solution Manager SAP NetWeaver SAP Interactive Forms by Adobe
20
June 2011
5 Security Information
BI Server (optional)
SAP NetWeaver 7.02 Usage Type BI
SAP ECC Server (with SAP Enhancement Package 5 for SAP ERP 6.0 and MSS Add-On 1.0)
As the graphic shows, Manager Self-Service (WDA) can be used with SAP NetWeaver Portal or with either of the two SAP NetWeaver Business Client flavors: NWBC for HTML NWBC for Desktop
For more information, see SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver SAP NetWeaver by Key Capability Application Platform by Key Capability ABAP Technology UI Technology SAP NetWeaver Business Client Overview . For more information about the technical system landscape, see the resources listed in the table below. Topic Technical description for SAP ERP and the underlying components such as SAP NetWeaver High availability Guide/Tool Master Guide Quick Link on SAP Service Marketplace or SDN http://service.sap.com/instguides
http://sdn.sap.com/irj/sdn/ha
21
June 2011
5 Security Information
http://sdn.sap.com/irj/sdn/landscapedesign http://sdn.sap.com/irj/sdn/security
Also note the sections on user administration and authentication in the SAP ERP Central Component Security Guide in SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp for SAP ERP Central Component Enhancement Package 5 under SAP ERP Cross-Application Functions SAP ERP Security Guides SAP ERP Central Component Security Guide User Administration User Data Synchronization Integration in Single Sign-On Environments
22
June 2011
5 Security Information
User Management Tools Tool User maintenance for ABAPbased systems (transaction SU01) Role maintenance (transaction PFCG) Detailed Description You use the user maintenance transaction to generate users in the ABAPbased systems. You use the role maintenance transaction to generate profiles for your self-service users. For more information, see User and Role Administration of AS ABAP. User Management Engine with SAP NetWeaver AS Java You use this User Management Engine for creating Portal users. For more information, see User Management Engine. Used for the Business Package for MSS Add-On 1.0 Comment Used for both MSS deployment options
For the Business Package deployment option, it is necessary to perform user mapping for the users in the ABAP system and the Portal. For more information, in the SAP Library documentation for Manager Self-Service (WDA), see under Technical Description and Configuration of MSS (WDA) Configuration: Business Package for Manager Self-Service (WDA) Assigning Portal Roles to Users.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively must change their passwords on a regular basis, but not those users for which background processing jobs run. The user types required for the Manager Self-Service (WDA) are individual users, such as: Dialog users (Used for SAP GUI for Windows or RFC connections) Internet users (Same policies apply as for dialog users, but used for Internet connections).
For more information about these user types, see section User Types in the SAP NetWeaver AS ABAP Security Guide.
For the Business Package for MSS Add-On 1.0, it is recommended that you set up the connection between the SAP NetWeaver Portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access. This does not apply to Manager Self-Service in SAP NWBC. For more information, see section Communication Destinations [page 29].
23
June 2011
5 Security Information
Standard Users
For Manager Self-Service (WDA), no standard users are delivered.
5.4 Authorizations
Manager Self-Service (WDA) uses the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to Manager SelfService (WDA). The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engines user administr ation console on the AS Java.
For more information about how to create roles, see in the SAP NetWeaver Library on SAP Help Portal at http://help.sap.com/nw under Role Administration.
24
June 2011
5 Security Information
For Manager Self-Service (WDA), we highly recommend that you use the HCMspecific structural authorization check in addition to the general SAP authorization check. For more information see SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp SAP ERP Central Component Human Resources HR Tools Authorizations for Human Resources Structural Authorization Check.
Standard Roles
The table below shows the standard roles that are used for authorizations by Manager SelfService (WDA). Standard Roles for Manager Self-Service (WDA) Role SAP_ASR_MANAGER Description Authorizations for the functions of the PA-AS component (HR Administrative Services) for line managers. Authorizations for line managers in Manager Self-Service (WDA) for applications used to approve leave requests and working times from Employee Self-Service (WDA). Authorizations for managers relating to Talent Management activities. For more information, see Manager in Talent Management [external link]. The structural authorization profile TMS_MAN_PROF is also available as a template for the manager. For more information, see Customizing for Talent Management and Talent Development under Basic Settings Authorizations in Talent Management Define Structural Authorizations. SAP_RCF_MANAGER SAP_MANAGER_MSS_OTH_NWBC Authorizations for the Manager role, which enables access to SAP E-Recruiting Authorizations for remote system applications including applications from SAP E-Recruiting Authorizations for the applications of the HR Manager Training role of the SAP Learning Solution component Authorizations for the applications of the Manager role of the SAP Learning Solution component
SAP_TIME_MGR_XX_ESS_WDA_1
SAP_TMC_MANAGER
SAP_HR_LSO_HR-MANAGER
SAP_HR_LSO_MANAGER
25
June 2011
5 Security Information
SAP_FI_TV_WEB_APPROVER
Authorizations for applications of the Travel Approver role of the SAP Travel Management component Authorizations for applications of the manager role of the Personnel Cost Planning component Authorizations for MSS (WDA) applications
SAP_HR_CPS_DET_PLAN_L_SR_NWBC
SAP_MANAGER_MSS_SR_NWBC_2
The composite role SAP_MANAGER_MSS_NWBC_2, which contains the single roles listed above, is required for the SAP NetWeaver Business Client deployment option of Manager Self-Service (WDA).
26
June 2011
5 Security Information
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211. Apart from these authorization objects, both Manager Self-Service (WDA) deployment options use the authorization objects from the following application areas or application components: Human Capital Management [external link] See the SAP ERP ECC Security Guide at Human Capital Management Authorizations. SAP E-Recruiting [external link] See the SAP ERP ECC Security Guide at Human Capital Management Talent Management SAP E-Recruiting Authorizations. HCM Processes and Forms [external link] See the SAP ERP ECC Security Guide at Human Capital Management Personnel Administration (PA) HCM Processes and Forms Authorizations. Travel Management [external link] See the SAP ERP ECC Security Guide at Accounting Financial Accounting Travel Management (FI-TV).
More Information
For more information, see the SAP Help Portal BI Content documentation for Human Resources at http://help.sap.com SAP NetWeaver SAP NetWeaver by Key Capability Information Integration by Key Capability BI Content BI Content 705 Human Resources Organizational Management ODS Objects.
27
June 2011
5 Security Information
For more information, including a list of the relevant profile parameters and detailed instructions, see Activating HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.
For more information and detailed instructions, see Session Security Protection [external link] in the AS Java Security Guide.
28
June 2011
5 Security Information
The network topology for Manager Self-Service (WDA) is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Manager Self-Service (WDA). Details that specifically apply to Manager Self-Service (WDA) are described in the following topics: Network Security [page 29] This topic describes the recommended network topology for Manager Self-Service. It shows the appropriate network segments for the various client and server components and where to use fire walls for access protection. It also includes a list of the ports needed to operate Manager Self-Service. Communication Destinations [page 29] This topic describes the information needed for the various communication paths, for example, which users are used for which communications. For more information, see the following sections in the SAP NetWeaver Security Guide: Network and Communication Security Security Guides for Connectivity and Interoperability Technologies
29
June 2011
5 Security Information
Table 1: Connection Destinations for Manager Self-Service in NWBC Destination Delivered No SAP_ECC_HumanResources Type ABAP connection Recommended User Authorizations n/a Description System alias for the ECC HCM system System alias for the ECC HCM system System alias for the ECC FI system for Financials applications System alias for the ECC FI system for Financials applications System alias for the SAP ERecruiting system System alias for the SAP ERecruiting system System alias for connecting to BW system
No SAP_ECC_HumanResources_HTTP
HTTP connection
n/a
No SAP_ECC_FINANCIALS
ABAP connection
n/a
No SAP_ECC_FINANCIALS_HTTP
HTTP connection
n/a
No SAP_EREC_TalentManagement
ABAP connection
n/a
No SAP_EREC_TalentManagement_HTTP
HTTP connection
n/a
No SAP_BW
HTTP connection
n/a
Business Package for MSS Add-On 1.0 For this deployment option, you need to set up the system landscape for which you assign the required system aliases. This is required for the iViews to connect to the appropriate back-end systems. Table 2 shows an overview of the system aliases used by the applications in the Business Package for MSS Add-On 1.0.
30
June 2011
5 Security Information
Table 2: System Aliases Used in the BP for MSS Add-On 1.0 Destination Delivered Type Entry in Portal System Landscape Administration Entry in Portal System Landscape Administration Entry in Portal System Landscape Administration Entry in Portal System Landscape Administration Recommended User Authorization n/a Description
Yes
System alias for the ECC HCM system System alias for the ECC Financials system System alias for the SAP E-Recruiting system System alias for connecting to the BW system
Yes
n/a
Yes
n/a
SAP_BW
Yes
n/a
For this deployment option, you also have to set up the required SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. This is required in case you have work items coming from other systems into the Universal Worklist (UWL).
You only have to set up the JCo Connections for those areas from which you want to have work items in the UWL for the manager. The table below gives you an example of JCo Connections required for the Leave and ClockIn/Out work item retrieval. Table 3: Example JCo Connections Required for the BP for MSS Add-On 1.0 Destination SAP_R3_HumanRe sources SAP_R3_HumanRe sources_MetaDa ta Delivered Type Recommended User Authorization SSO ticket Description JCo connection for the HCM system JCo connection for the HCM system
Yes
JCo connection
Yes
JCo connection
Service user
More Information
For the Business Package for MSS Add-On 1.0, see the documentation in SAP Library for SAP ERP Add-Ons for Manager Self-Service Add-On 1.0 under SAP ERP Central Component Cross-Application Functions in SAP ERP Roles Business Packages (Portal Content) Business Package for MSS Add-On 1.0 Configuration: MSS (WDA) in SAP NetWeaver Portal Setting Up the System Landscape Setting Up JCo Connections for MSS
31
June 2011
5 Security Information
For MSS (WDA) applications (CA-MSS-HCM): HRMSS_HOMEPAGE HRMSS_COMPETENCY_LONG_VIEW HRMSS_TEAM_DETAIL HRMSS_TALENT_HOME_PAGE HRMSS_EMPOVERVIEW_TEAMVIEWER HRMSS_EMP_OVERVIEW_PROFILE hrmss_Organizational_profile HRMSS_ORGPROFILE_TEAMVIEWER HRMSS_POSITION_PROFILE HRMSS_POSPROFILE_TEAMVIEWER hrmss_side_by_side HRMSS_OADP_REPORTING HRMSS_REPORTING_LAUNCHPAD HRMSS_A_CATS_APPROVAL_1 hrmss_a_cico_appr HRMSS_TEAM_PAGE hrmss_timevacation_timeaccount
For applications from HCM Processes and Forms (PA-AS): asr_form_display asr_mass_start_process asr_pa_pd_processes_display
32
June 2011
5 Security Information
For applications from Cross-Application Time Sheet (CA-TS) and Personal Time Management (PT): HRMSS_A_CATS_APPROVAL HRESS_A_PTARQ_LEAVREQ_APPL HRESS_A_LEA_TEAM_CALENDAR
For applications from Talent Management and Talent Development (PA-TM): HRTMC_EMPLOYEE_PROFILE HRTMC_LONG_PROFILE hrtmc_side_by_side HRTMC_TA_ASSESSMENT HRTMC_TA_DASHBOARD HRTMC_TA_DEV_PLAN hrtmc_teamviewer
For applications from Performance Management (PA-PD-PM): HAP_MAIN_DOCUMENT HAP_START_PAGE_POWL_UI_MSS HAP_A_PMP_GOALS HAP_A_PMP_OVERVIEW HAP_A_PMP_MAIN
For applications from Enterprise Compensation Management (PA-ECM): HCM_ECM_PLANNING_OVERVIEW_OIF HCM_ECM_PLANNING_UI_GAF HCM_ECM_PROFILE_OIF HCM_ECM_SIDEBYSIDE_OIF HCM_ECM_TEAMVIEWER_OIF
33
June 2011
5 Security Information
For applications from SAP E-Recruiting (PA-ER): default_host/sap/bc/erecruiting/dataoverview hrrcf_a_dataoverview hrrcf_a_requi_monitor hrrcf_a_req_assess hrrcf_a_tp_assess hrrcf_a_qa_mss hrrcf_a_substitution_manager hrrcf_a_substitution_admin
You activate the services in Customizing for SAP E-Recruiting at Technical Settings User Interfaces Manager Involvement Specify E-Recruiting Services for MSS. For applications from Travel Management (FI-TV): FITV_POWL_APPROVER FITV_TRIP_FORM FITV_POWL_PERSONALIZATION
34
June 2011
5 Security Information
For applications from the Financials (FI) application area: QISR_UI_STATUSOVERVIEW FPB_EXP_OVERVIEW FCOM_PBC_MONITOR FPB_VARIANCE_MONITOR_OVERVIEW FCOM_EQM_MONITOR FPB_LINEITEM_MONITOR_OVERVIEW
Activities
Use the transaction SICF to activate these services. If your firewalls use URL filtering, then take note of the URLs used for the services and adjust your firewall settings accordingly.
More Information
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library documentation. For more information about ICF security, see the RFC/ICF Security Guide.
35
June 2011
5 Security Information
For the AS Java (relevant for the Business Package for MSS Add-On 1.0): o Tracing and Logging
For Manager Self-Service (WDA) data tracking is activated for the profile applications that are in the standard delivery: Employee Profile Organization Profile Position Profile
For more information, see in the SAP Customizing Implementation Guide (transaction SPRO) under Personnel Management Manager Self-Service (WDA) Data Tracking.
You will only be able to see the Customizing settings for Manager SelfService (WDA) if the required business function HCM_MSS_WDA_1 is activated in the relevant system.
36
June 2011
6 Upgrade Information
6 Upgrade Information
For regularly updated release and upgrade information, see the following SAP Notes: Note Number 1582553 1588625 Title / Description Release Strategy for the ABAP Add-On EA-HR_MSS 1.0 Release information for Manager Self-Service Add-On 1.0
37
June 2011
7 Solution-Wide Topics
7 Solution-Wide Topics
In this section, you find a table with the references to information about the main technologies used for Manager Self-Service (WDA).
List of References
The following table lists references to technologies used for Manager Self-Service (WDA): Title Web Dynpro ABAP Where to Find SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability ABAP Technology UI Technology Web UI Technology Web Dynpro ABAP SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability ABAP Technology UI Technology Web UI Technology Floorplan Manager for Web Dynpro ABAP
Floorplan Manager
38
June 2011
8 References
8 References
List of Documents
The following table lists all documents mentioned in this Master Guide: Title SAP NetWeaver Security Guide Where to Find SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver Administrators Guide SAP NetWeaver Security Guide SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver Administrators Guide SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types SAP NetWeaver Application Server ABAP Security Guide SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver Administrators Guide SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types SAP NetWeaver Application Server Java Security Guide SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver Administrators Guide SAP NetWeaver Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide SAP Library for SAP ERP on SAP Help Portal at http://help.sap.com/erp for ERP Central Component Enhancement Package 5 under SAP ERP CrossApplication Functions SAP ERP Security Guides SAP ERP Central Component Security Guide
39
June 2011
8 References
SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver for SAP NetWeaver 7.0 including Enhancement Package 2 SAP NetWeaver 7.0 Library (including Enhancement Package 2) English SAP NetWeaver SAP NetWeaver by Key Capability Application Platform by Key Capability ABAP Technology UI Technology SAP NetWeaver Business Client Overview
40
June 2011
9 Media List
9 Media List
The following table provides you with the information, on which data carrier you can find the software for the MSS Add-On 1.0: Installable Software Unit EA-HR_MSS 1.0 Media Name CD51040897
41
June 2011