Security Guide: SAP Access Control 12.0 THE BEST RUN. SECURITY GUIDE PUBLIC Document Version:

Size: px

Start display at page:

Download "Security Guide: SAP Access Control 12.0 THE BEST RUN. SECURITY GUIDE PUBLIC Document Version:"

Cecilia Gregory
5 years ago
Views:

SECURITY GUIDE PUBLIC Document Version: 1.0.

2 Content 1 Document History Introduction Before You Start Technical System Landscape Network and Communication Security Communication Channel Security Trusted/Trusting RFC Relationships Communication Destinations Integration with Single Sign-On Environments Data Storage Security Trace and Log Files Configuring NW VSI in the Landscape User Administration and Authentication User Management Non-SAP Fiori Technology SAP Fiori Launchpad Application Security Business Catalog Roles for FLP Delivered Business Roles Authorization Object Names Authorization Objects and Relevant Fields Authorization Fields Values for ACTVT Field Values for GRAC_ACTRD Field Business Roles and Authorization Objects Roles Relevant Across All Capabilities Role Management Access Request Emergency Access Management Access Risk Analysis Workflow Data Protection P U B L I C Content

3 8.1 Information Retrieval Framework (IRF) Read Access Log (RAL) Business Entities Roles and Authorization Objects Data Archiving Archiving GRACTUSAGE Table Records Archiving GRC Requests Archiving EAM Logs Content P U B L I C 3

4 1 Document History Note Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at: Version Date Description 1.00 March 2018 Initial Release 1.01 October 2018 Updated component diagram for Technical System Landscape. 4 P U B L I C Document History

5 2 Introduction SAP Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, emergency access maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data. The security guide provides an overview of the application relevant security information. You can use the information in this document to understand and implement system security, and to understand and implement the application security features. Target Audience The security guide is written for the following audience, and requires existing knowledge of SAP security model and of PFCG, SU01, and Customizing tools: Technology consultants System administrators About this Document This Security Guide covers the following main security areas: Network and system security This area covers the system security issues and addresses them in the following sections: Network and Communication Security Communication Channel Security Communication Destinations Integration with Single Sign-on (SSO) Environments Data Storage Security User Administration Trace and Log Files Application Security Delivered roles Authorization objects Data Protection Data retention Data deletion Data archiving Introduction P U BL IC 5

6 3 Before You Start Access Control uses SAP NetWeaver, SAP NetWeaver Portal, and SAP NetWeaver Business Warehouse. Therefore, the corresponding security guides and other documentation also apply. Refer to the following security guides on SAP NetWeaver Application Server for ABAP Security Guide SAP BW Security Guide (Business Warehouse) Important SAP Notes Make sure that you have the up-to-date version of each SAP Note, available at 6 P U B L I C Before You Start

7 4 Technical System Landscape The following is the component diagram for SAP Access Control Technical System Landscape P U BL IC 7

8 5 Network and Communication Security You can use the information in this section to understand and implement the network and communication security for SAP Access Control. Network SAP Access Control is based on SAP NetWeaver technology. Therefore, for information about network security, see the respective sections in the SAP NetWeaver Security Guide at > Security Guide. For more information, see the following sections in the SAP NetWeaver Security Guide: Network and Communication Security Security Aspects for Connectivity and Interoperability 5.1 Communication Channel Security Use The following table contains the communication paths, the connection protocol, and the transferred data type used by the access control solution: Communication Path Protocol Type of Data Transferred Data Requiring Special Protection SAP NetWeaver ABAP server using SAP GUI DIAG All application data Logon data SAP NetWeaver Portal HTTP/HTTPS All application data Logon data DS Extraction (application server to BI system) Application server to BI system RFC All application data Logon data HTTP/HTTPS All application data Logon data 8 P U B L I C Network and Communication Security

9 Communication Path Protocol Type of Data Transferred Data Requiring Special Protection BI system to application server HTTP/HTTPS All application data Logon data BusinessObjects Enterprise Server TCP/IP All application data Logon data SAP NetWeaver Business Client HTTP/HTTPS All application data Logon data DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol. More Information Transport Layer Security in the SAP NetWeaver Security Guide Using the Secure Sockets Layer Protocol with SAP NetWeaver Application Server ABAP 5.2 Trusted/Trusting RFC Relationships Use You can set up trusted and trusting Remote Function Call (RFC) relationships between two SAP systems. This allows secure RFC connections between the systems without sending passwords for logging on. The logon user must have the corresponding authorization object S_RFCACL in the trusting system. This trusted relationship is not specific to GRC applications, and is a function of SAP NetWeaver. More Information Trusted/Trusting Relationships Between SAP Systems on the SAP Help Portal under RFC Programming in ABAP. Network and Communication Security P U BL IC 9

10 5.3 Communication Destinations The table lists the RFC authorization objects and values you must add to the RFC user to allow Access Control to communicate with other SAP and non-sap solutions. Object Description Authorization Field Value S_RFC Authorization check for RFC Access ACTVT 16 N/A RFC_NAME /GRCPI/* BAPT RFC1 SDIF SDIFRUNTIME SDTX SUNI SUSR SUUS SU_USER SYST SYSU RFC_TYPE FUGR S_TCODE Authorization check at transaction start TCD SU01 S_TABU_DIS Table maintenance ACTVT 3 DICBERCLS &NC& SC SS ZV&G ZV&H ZV&N S_TOOLS_EX Tools Performance Monitor AUTH S_TOOLS_EX_A S_GUI Authorization for GUI activities ACTVT * 10 P U B L I C Network and Communication Security

11 Object Description Authorization Field Value S_USER_AGR Authorizations: role check ACTVT * ACT_GROUP * S_USER_AUT User Master Maintenance: Authorizations ACTVT * AUTH * OBJECT * S_USER_GRP User Master Maintenance: User Group ACTVT * CLASS * S_USER_PRO User Master Maintenance Authorization Profile ACTVT * PROFILE * S_USER_SAS User Master Maintenance: System-Specific Assignments ACTVT ACT_GROUP * CLASS * PROFILE * SUBSYSTEM * S_USER_SYS User Master Maintenance: System for Central User Maintenance ACTVT 78 SUBSYSTEM * S_USER_TCD Authorizations: transactions in roles TCD * S_USER_VAL Authorizations: filed values in roles AUTH_FIELD * AUTH_VALUE * OBJECT * S_DEVELOP ABAP Workbench ACTVT * DEVCLASS OBJNAME OBJTYPE SUSO /GRCPI/* FUGR Network and Communication Security P U BL IC 11

12 Object Description Authorization Field Value P_GROUP * S_ADDRESS1 Central address management ACTVT ADGRP BC01 PLOG Personnel planning INFOTYP ISTAT * OTYPE * PLVAR * PPFCODE * SUBTYP * P_TCODE HR: Transaction code TCD SU Integration with Single Sign-On Environments SAP Access Control: supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver Application Server ABAP. supports the security guidelines for user management and authentication described in the SAP NetWeaver Application Server Security Guide. leverages the SAP NetWeaver ABAP Server and SAP NetWeaver Portal infrastructure. Secure Network Communications (SNC) For more information about SNC, see Secure Network Communications (SNC) in the SAP NetWeaver Application Server Security Guide. 12 P U B L I C Network and Communication Security

13 SAP Logon Tickets For more information about SAP Logon Tickets, see SAP Logon Tickets in the SAP NetWeaver Application Server Security Guide. Client Certificates For more information about X.509 Client Certificates, see Using X.509 Client Certificates on the SAP Help Portal ( ). 5.5 Data Storage Security Master data and transaction data is stored in the database of the SAP system on which the application is installed. Data storage occurs in Organizational Management, Case Management and in separate tables for this purpose. In some applications, you can upload documents into the system. The default document management system (DMS) for storing data is the SAP Content Server and Knowledge Provider (KPro) infrastructure. Once uploaded, the documents can be accessed using a URL. The application security functions govern authorization for accessing the URL directly in the portal. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (the default is two hours). If you choose to implement a different document management system, the data storage security issues are deferred to that particular DMS. 5.6 Trace and Log Files For information about trace and log files, see the SAP Access Control 12.0 Admin Guide at help.sap.com/grc-ac. 5.7 Configuring NW VSI in the Landscape Access Control provides the ability to upload documents. We recommend you scan all documents for potential malicious code before you upload them. You can use the NetWeaver Virus Scan Interface (NW VSI) to scan the documents. For more information, see SAP Virus Scan Interface in the SAP NetWeaver Library. Network and Communication Security P U BL IC 13

14 6 User Administration and Authentication SAP Access Control relies on the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver AS for ABAP Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server for ABAP Security Guide also apply to SAP Access Control. 6.1 User Management Non-SAP Fiori Technology User management for SAP Access Control uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For more information, see the Security Guide for SAP NetWeaver Application Server for ABAP. User Administration Tools This table shows the tools available for user management and administration. Tool Description User maintenance for ABAP-based systems (transaction SU01) Role maintenance with the profile generator for ABAP-based systems (PFCG) Central User Administration (CUA) for the maintenance of multiple ABAP-based systems For more information about the authorization objects provided by SAP Access Control, see the Authorization Objects sections. For more information about, see the Delivered Roles sections. For central administration tasks User Types It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular 14 P U B L I C User Administration and Authentication

15 basis, but not those users under which background processing jobs run. These are the user types required for SAP Access Control: Individual users Dialog users - used for SAP GUI for Windows Internet users - used for Web Applications Technical users Service users are dialog users who are available for a large set of anonymous users Communication users are used for dialog-free communication between systems Background users are used for processing in the background SAP Fiori Launchpad SAP Fiori launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as navigation, personalization, embedded support, and application configuration. SAP Access Conrol 12.0 uses the on-premise implementation, therefore users and authentication are maintained using the the mechanisms provided with the SAP NetWeaver Application Server for ABAP. Fore more information, see the SAP NetWeaver Application Server for ABAP Security Guide. User Administration and Authentication P U BL IC 15

16 7 Application Security The information in this section explains the application authorizations model and concepts. Access Control leverages the standard SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal user management and authorization. The security information for SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal also apply. For information about SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal see the SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal security guides. Prerequisites You have knowledge of the following tools, terms, and concepts: ABAP Application Server Customizing activities (transaction SPRO) PFCG SU01 Portal User Administration Content Administration Portal Roles Business Client Menu of PFCG roles SAP Fiori Launchpad (FLP) For more information about Access Control concepts and features, see the SAP Access Control 12.0 Application Help at Customizing Front-end Screens and Menus You can configure user-specific front-end screens and menus in the Customizing activities accessed from the SPRO transaction. Caution SAP does not recommend you customize the information architecture because if SAP provides updates to the content, then such changes update only the standard SAP-delivered repository and Launchpads. The changes do not directly update any customized versions. You carry out the configuration activities from the transaction SPRO, SAP Reference IMG Governance, Risk, and Compliance General Settings Maintain Customer Specific Menus. 16 P U B L I C Application Security

17 Privacy Concerns Notify your users as required by your company's privacy policy that user information such as first Name, last Name, address, roles, and other personal information is stored by the program GRAC_REPOSITORY_OBJECT_SYNC. Maintaining Authorizations Access Control uses object level authorizations. Authorizations are granted to users based on the authorizations of specific roles and the authorization objects assigned to those roles. To maintain the authorizations, you use PFCG and the information in this guide about the delivered roles and authorization objects. SAP provides a set of sample roles for Access Control, which include recommended authorizations. You can create your own PFCG roles or copy the sample roles to your customer namespace. Then modify them as needed. 7.1 Business Catalog Roles for FLP This information relevant for customers who have implemented SAP Fiori Launchpad (FLP). SAP Fiori launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as navigation, personalization, embedded support, and application configuration. Role administrators make tile catalogs and groups available on the end user's page by assigning tile catalogs and tile groups to a PFCG role to which users can be assigned. Users logging on to the launchpad see all assigned groups on their home page, and when users open the catalog section, they can access all tiles in the assigned catalogs. SAP Access Control delivers the following business catalog roles for the FLP. Roles for SAP Fiori Launchpad Name Description SAP_GRC_BCR_CMPLNCMGR_T Compliance Manager SAP_GRC_BCR_EMPLOYEE_T Access Control Employee SAP_GRC_BCR_MANAGER_T Request Approver SAP_GRC_BCR_REQADMINTR_T Access Control Administrator SAP_GRC_BCR_SCRTYMGR_T Security Manager For more information, see: SAP Fiori Launchpad Application Security P U BL IC 17

18 SAP Fiori Launchpad - Security Aspects 7.2 Delivered Business Roles Access Control leverages the SAP NetWeaver authorization model and assigns authorizations to users based on roles. The following sample roles are delivered with the application. You must copy them into your own namespace to use them. Feature Role Name Description All AC SAP_GRAC_ALL Super administrator for Access Control. Note You must assign this role to the WF-BATCH user. All AC SAP_GRAC_BASE Gives basic authorizations required for all AC users. You must assign this role to all AC users. All AC SAP_GRAC_REPORTS Ability to run all AC reports and have the display access for all drill-downs. All AC SAP_GRAC_NWBC Gives the authorizations to launch NWBC. You must assign this role to all AC users. All AC SAP_GRAC_SETUP Gives authorizations to set up and customize AC. All AC SAP_GRAC_DISPLAY_ALL Gives display-only access to all master data and application data. Role Management SAP_GRAC_ROLE_MGMT_USER Role management business user Role Management SAP_GRAC_ROLE_MGMT_DESIGNER Role management designer Role Management SAP_GRAC_ROLE_MGMT_ROLE_OWNER The Role Management role owner Access Request SAP_GRAC_ACCESS_REQUESTER The role for the access request end user Access Request SAP_GRAC_ACCESS_APPROVER The role for the access request approver Access Request SAP_GRAC_ACCESS_REQUEST_ADMIN The role for the access request administrator Emergency Access Management Emergency Access Management SAP_GRAC_SUPER_USER_MGMT_ADMIN SAP_GRAC_SUPER_USER_MGMT_OWNER This administrator role is for centralized firefighting This owner role is for centralized firefighting 18 P U B L I C Application Security

19 Feature Role Name Description Emergency Access Management Emergency Access management Emergency Access Management Emergency Access Management Emergency Access Management SAP_GRAC_SUPER_USER_MGMT_CNTLR SAP_GRAC_SUPER_USER_MGMT_USER SAP_GRIA_SUPER_USER_MGMT_ADMIN SAP_GRIA_SUPER_USER_MGMT_USER SAP_GRC_SPM_FFID This controller role is for centralized firefighting This firefighter user role is for centralized firefighting This firefighter admin role is for plug-in firefighting This firefighter user role is for plug-in firefighting This service role is for ID-based firefighting. Assign this role to users to create firefigher IDs. Access Risk Analysis SAP_GRAC_RULE_SETUP This role has the authorization to define access rules Access Risk Analysis SAP_GRAC_RISK_ANALYSIS This role has the authorization to perform access risk analysis Access risk analysis SAP_GRAC_ALERTS This role has the authorization to generate, clear and delete access risk alerts Access Risk Analysis SAP_GRAC_CONTROL_OWNER This role has the authorization to create mitigating controls. Access Risk Analysis SAP_GRAC_RISK_OWNER This role has the authorization to run access risk maintenance and access risk analysis. Access Risk Analysis SAP_GRAC_CONTROL_MONITOR This role has the authorization to run risk analysis, mitigating control assignment, and assign mitigating controls to an access risk. Access Risk Analysis SAP_GRAC_CONTROL_APPROVER This role is used for control and control assignments. It has the authorization to run risk analysis, mitigating control assignment, and workflow approval for access risk alerts. Access Risk Analysis SAP_GRAC_FUNCTION_APPROVER This role is the delivered agent for workflow in access control. It has authorization to approve, create, read, update, and delete workflow requests. Workflow SAP_GRC_MSMP_WF_ADMIN_ALL Administrator role for MSMP workflows Workflow SAP_GRC_MSMP_WF_CONFIG_ALL Configurator role for MSMP workflows Application Security P U BL IC 19

20 7.3 Authorization Object Names Access Control authorizations for roles are maintained by the assignment of authorization objects. Note For use with Fiori fact sheets, verify that the following authorization objects are in place: Mitigation Control GRAC-MITC, Role GRAC-ROLED, Risk GRAC-RISK, User GRAC-USER The table lists the authorization objects delivered with the application: Object Description 1 GRAC_ACTN This object grants the authorization to perform different actions. 2 GRAC_ALERT This object allows you to generate, clean up, and create alerts. 3 GRAC_ASIGN The object allows you to assign owner types to firefighter IDs. 4 GRAC_BPROC The object allows you to create, read, update, and delete business processes, and to assign business processes to risks and functions. 5 GRAC_BGJOB The object allows you to execute background jobs. 6 GRAC_CGRP This object allows to maintain an Access Control Custom Group. 7 GRAC_CPROF The object allows you to create, read, update, and delete SoD critical profiles. 8 GRAC_CROLE The object allows you to create, read, update, and delete SoD critical roles. 9 GRAC_EMPLY The object allows you to restrict activities based on the following attributes: cost center, department, company, location. You use this object to maintain authorization for attributes not in the in the GRAC_USER object. 10 GRAC_FFOBJ The object allows you to restrict creation of FFID or FFROLE based on system user ID, system, or activity. 11 GRAC_FFOWN The object allows you to create, read, update, and delete FFID owners based on the owner type, user ID, or system ID. 12 GRAC_FUNC The object allows you to maintain authorizations for the SoD function based on the following attributes: activity, function ID, action (SOD transaction), and permission. 13 GRAC_HROBJ The object allows you to restrict activities for the HR object based on specific attributes: activity, connector ID, HR object type, HR object ID. 14 GRAC_MITC The object allows you to maintain mitigation controls. 20 P U B L I C Application Security

21 Object Description 15 GRAC_ORGRL The object allows you to maintain SoD organization rules. 16 GRAC_OUNIT The object allows you to maintain org units for access control. 17 GRAC_OWNER The object allows you to maintain owners in access control. 18 GRAC_PROF The object allows you to maintain the SoD profile. 19 GRAC_RA The object allows you to perform risk analysis. You can specify if the user has authorizations to only execute risk analysis, or has administrator rights. 20 GRAC_RCODE The object allows you to maintain the reason code. 21 GRAC_REP The object allows you to excute all reports. 22 GRAC_REQ The object allows you to maintain access requests. 23 GRAC_RISK The object allows you to maintain SoD access risk. 24 GRAC_RLMM The object allows you to perform role mass maintenance. 25 GRAC_ROLED This object allows you to enforce authorizations for accessing roles during role definition. 26 GRAC_ROLEP This object allows you to control which roles a user can request. 27 GRAC_ROLER This object allows you to perform role risk analysis. 28 GRAC_RSET The object allows you to create, read, update, and delete SoD rule sets. 29 GRAC_SUPP The object allows you to create, read, update, and delete SoD supplementary rules. 30 GRAC_SYS The object allows you authorize access to specific connectors or systems based on application type and system ID. 31 GRAC_SYSTM This object allows system level access to Access Control. 32 GRAC_USER The object allows you to restrict activities based on the following attributes: user group, user ID, connector, user group, orgunit. 33 GRFN_CONN This object allows you to access connectors in CCITS (the GRC integration engine). Application Security P U BL IC 21

22 7.4 Authorization Objects and Relevant Fields The authorization objects for Access Control use specific authorization fields. The following table lists the authorization fields that are available for each authorization object: Object Fields GRAC_ACTN GRAC_ALERT GRAC_ASIGN GRAC_BGJOB GRAC_BPROC GRAC_CGRP GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FFOBJ GRAC_FFOWN GRAC_ACTN GRFNW_PRC GRAC_ALRTT GRAC_OWN_T GRAC_BGJOB GRAC_BPROC GRAC_CGRP GRAC_CPROF GRAC_CROLE GRAC_COMP GRAC_COSTC GRAC_DEPT GRAC_LOCTN GRAC_FFOBJ GRAC_SYSID GRAC_OWN_T GRAC_SYSID GRAC_USER 22 P U B L I C Application Security

23 Object Fields GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_RCODE GRAC_REP GRAC_ACT GRAC_FUNC GRAC_PRM GRAC_HROBJ GRAC_HRTYP GRAC_SYSID GRAC_MITC GRAC_OUNIT GRAC_ORGRL GRAC_OUNIT GRAC_OUTYP GRAC_CLASS GRAC_OUNIT GRAC_OWN_T GRAC_SYSID GRAC_USER GRAC_PROF GRAC_SYSID GRAC_OTYPE GRAC_RAMOD GRAC_REPT GRAC_RSCOD GRAC_SYSID GRAC_REPID Application Security P U BL IC 23

24 Object Fields GRAC_REQ GRAC_RISK GRAC_RLMM GRAC_ROLED GRAC_ROLEP GRAC_ROLER GRAC_RSET GRAC_RT GRAC_BPROC GRAC_FNCAR GRAC_RQFOR GRAC_RQINF GRAC_RQTYP GRAC_BPROC GRAC_RISK GRAC_RLVL GRAC_RSET GRAC_RTYPE GRAC_RLMMT GRAC_ACTRD GRAC_BPROC GRAC_LDSCP GRAC_RLSEN GRAC_RLTYP GRAC_ROLE GRAC_BPROC GRAC_OUNIT GRAC_RLTYP GRAC_ROLE GRAC_SYSID GRAC_OUNIT GRAC_ROLE GRAC_ROTYP GRAC_SYSID GRAC_RSET GRAC_RQTP GRAC_TN 30 GRAC_SUPP 24 P U B L I C Application Security

25 Object Fields GRAC_SYS GRAC_SYSTM GRAC_USER GRAC_APPTY GRAC_ENVRM GRAC_SYSID GRACSYSACT GRAC_SYSID GRAC_CLASS GRAC_OUNIT GRAC_SYSID GRAC_USER GRAC_UTYPE 34 GRFN_MSMP Note To allow users to view access request data in reports, you must assign this authorization object and the activity A5 (display report) to their role Authorization Fields This section covers the technical names for the authorization fields and their descriptions. For information about the fields that are relevant for specific authorization objects, see Authorization Objects and Relevant Fields. Field Name Description 1 GRAC_ACT Action 2 GRAC_ACTRD Activities 3 GRAC_ALRTT Alert type 4 GRAC_APPTY Application type 5 GRAC_BPROC Business process 6 GRAC_BSUBP Subprocess Application Security P U BL IC 25

26 Field Name Description 7 GRAC_CLASS User group 8 GRAC_COMP Company 9 GRAC_COSTC Cost center 10 GRAC_CPROF Profile name 11 GRAC_CROLE Role name 12 GRAC_CTRID SOD control ID 13 GRAC_DEPT Department 14 GRAC_ENVRM System environment 15 GRAC_FFOBJ Description for user ID or role 16 GRAC_FNCAR Functional area 17 GRAC_FUNC Function ID 18 GRAC_HROBJ HR object ID 19 GRAC_HRTYP HR object type 20 GRAC_LDSCP Connector group 21 GRAC_LOCTN Location 22 GRAC_MITC SOD control ID 23 GRAC_MON Owner description 24 GRAC_OLVL Resource extension 25 GRAC_ORGRL Organization rule ID 26 GRAC_OTYPE Object types for authorization 27 GRAC_OUNIT HR object ID 28 GRAC_OUTYP Object type for assigned organization 29 GRAC_OWN_T Owner type 30 GRAC_PRM SOD resource 31 GRAC_PROF Profile name 32 GRAC_RAMOD Risk analysis mode 26 P U B L I C Application Security

27 Field Name Description 33 GRAC_REPID Report name 34 GRAC_REPT Report type 35 GRAC_RISK Access risk ID 36 GRAC_RLMMT Type for role mass maintenance 37 GRAC_RLSEN Role sensitivity 38 GRAC_RLTYP Role type 39 GRAC_RLVL SOD risk level 40 GRAC_ROLE Role name 41 GRAC_ROTYP Role type for risk analysis 42 GRAC_ROWN Owner description 43 GRAC_RQFOR Request for single or multiple user 44 GRAC_RQINF Request Information 45 GRAC_RQSOD SOD option for request 46 GRAC_RQTYP Request type 47 GRAC_RSCOD Title/Short name 48 GRAC_RSET Rule set ID 49 GRAC_RTYPE Access risk type 50 GRAC_SYSID Connector ID 51 GRAC_TN Template Name 52 GRAC_USER User ID 53 GRAC_USRTY Role type for request approver 54 GRAC_UTYPE User type Values for ACTVT Field The ACTVT (or Activity) field is used by almost every Access Control authorization object. The values you select for the ACTVT field controls the actions the role can perform with the authorization object, such as delete or execute. Application Security P U BL IC 27

28 Note The GRAC_ROLED authorization object does not use the ACTVT field; it uses the custom attribute: GRAC_ACTRD. For more information, see Values for GRAC_ACTRD Field [page 29]. The following table lists the values you can select for the ACTVT field based on the authorization object: Authorization Object Valid Activity Values 1 GRAC_ALERT Delete, Execute, Archive, Deactivate 2 GRAC_ASIGN Create or generate, Change, Display, Delete, Administer 3 GRAC_BPROC Create or generate, Change, Display, Delete, Execute, Assign 4 GRAC_BGJOB Create or generate, Display, Delete, Administer 5 GRAC_CGRP Create or generate, Change, Display, Delete, Execute 6 GRAC_CPROF Create or generate, Change, Display, Delete, Execute, Assign 7 GRAC_CROLE Create or generate, Change, Display, Delete, Execute, Assign 8 GRAC_EMPLY Create or generate, Change, Display, Delete, Execute, Administer, Assign, Copy 9 GRAC_FFOBJ Create or generate, Change, Display, Delete 10 GRAC_FFOWN Create or generate, Change, Display, Delete, Archive, Administer 11 GRAC_FUNC Create or generate, Change, Display, Delete, Execute, Generate, Assign 12 GRAC_HROBJ Create or generate, Change, Display, Delete, Execute, Assign 13 GRAC_MITC Create or generate, Change, Display, Delete, Assign 14 GRAC_ORGRL Create or generate, Change, Display, Delete, Activate or Generate, Execute, Assign 15 GRAC_OUNIT Create or generate, Change, Display, Delete, Execute, Assign 16 GRAC_OWNER Create or generate, Change, Display, Delete, Archive, Administer, Assign 17 GRAC_PROF Create or generate, Change, Display, Delete, Execute, Assign 18 GRAC_RA Execute, Administer 19 GRAC_RCODE Create or generate, Change, Display, Delete 20 GRAC_REP Execute 28 P U B L I C Application Security

29 Authorization Object Valid Activity Values 21 GRAC_REQ Create or generate, Change, Display, Administer, Copy 22 GRAC_RISK Create or generate, Change, Display, Delete, Execute, Generate, Assign 23 GRAC_RLMM Perform 24 GRAC_ROLEP Assign 25 GRAC_ROLER Execute, Assign 26 GRAC_RSET Create or generate, Change, Display, Delete, Execute, Assign 27 GRAC_RT Create or generate, Change, Display, Delete 28 GRAC_SUPP Create or generate, Change, Display, Delete 29 GRAC_SYS Create or generate, Change, Display, Delete, Execute, Assign 30 GRAC_SYSTM Execute Access Control reports 31 GRAC_USER Create or generate, Change, Display, Delete, Execute, Assign 32 /GRCPI/001 * (asterisk) or blank (empty) Values for GRAC_ACTRD Field The GRAC_ACTRD field is used by the GRAC_ROLED authorization object for role definition. Use Scenario: Ticket Number in BRM The Ticket Number functionality in BRM allows you to attach ticket numbers to the workflow for role changes. The V8 value in the GRAC_ACTRD field enables the user to edit and overwrite the ticket number in all role methodology steps. Without this value, the user can only enter or change the ticket number when the role is in Create mode or in Completed status. Authorization Object Field Value Description GRAC_ROLED GRAC_ACTRD V8 - Overwrite Ticket Number The V8 value enables the user to edit the ticket number in all role methodologies. Application Security P U BL IC 29

30 7.5 Business Roles and Authorization Objects This section lists and explains the delivered roles and relavant authorization objects for SAP Access Control Some roles are relevant for all access control capabilities, whereas some roles are only relevant for specific capabilities. The information in the following sections is divided by capabilities. 30 P U B L I C Application Security

31 7.5.1 Roles Relevant Across All Capabilities The following table lists the delivered roles that are relevant across all Access Control capabilities, and the relevant authorization objects: Role Objects SAP_GRAC_ALL GRAC_ALERT GRAC_ASIGN GRAC_BGJOB GRAC_BPROC GRAC_CGRP GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FFOWN GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_RCODE GRAC_REP GRAC_RISK GRAC_RLMM GRAC_ROLED GRAC_ROLEP GRAC_ROLER GRAC_RSET GRAC_RT GRAC_SUPP GRAC_SYS GRAC_SYSTM GRAC_USER GRFN_CONN SAP_GRAC_BASE GRAC_BGJOB GRAC_REQ GRAC_USER S_START Application Security P U BL IC 31

32 Role Objects SAP_GRAC_DISPLAY_ALL GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FFOBJ GRAC_FFOWN GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RCODE GRAC_REQ GRAC_RISK GRAC_ROLED GRAC_RSET GRAC_RT GRAC_SUPP GRAC_SYS GRAC_SYSTM GRAC_USER GRFN_CONN 32 P U B L I C Application Security

33 Role Objects SAP_GRAC_REPORTS GRAC_ALERT GRAC_ASIGN GRAC_BPROC GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FFOBJ GRAC_FFOWN GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_RCODE GRAC_REP GRAC_REQ GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_SYS GRAC_SYSTM GRAC_USER GRFN_CONN Role Management The following table lists the delivered roles and the relevant authorization objects for role management. Application Security P U BL IC 33

34 Role Name Objects SAP_GRAC_ROLE_MGMT_ADMIN GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_ORGRL GRAC_OWNER GRAC_RA GRAC_REP GRAC_RISK GRAC_RLMM GRAC_ROLED GRAC_RSET GRAC_SYS GRAC_SYSTM GRAC_SUPP GRFN_CONN SAP_GRAC_ROLE_MGMT_DESIGNER GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_ORGRL GRAC_OWNER GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_RSET GRAC_SYS GRAC_SYSTM GRAC_SUPP GRFN_CONN SAP_GRAC_ROLE_MGMT_ROLE_OWNER GRAC_REP GRAC_ROLED GRAC_SYSTM GRFN_CONN SAP_GRAC_ROLE_MGMT_USER GRAC_ROLED GRFN_CONN 34 P U B L I C Application Security

35 7.5.3 Access Request The following table lists the delivered roles and the relevant authorization objects for access request: Role Name Objects SAP_GRAC_ACCESS_APPROVER GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FUNC GRAC_ORGRL GRAC_RA GRAC_REQ GRAC_RISK GRAC_ROLED GRAC_ROLEP GRAC_RSET GRAC_SUPP R GRAC_SYS GRAC_SYSTM GRAC_USE SAP_GRAC_ACCESS_REQUEST_ADMIN GRAC_CPROF GRAC_CROLE GRAC_EMPLY GRAC_FUNC GRAC_ORGRL GRAC_OWNER GRAC_RA GRAC_REP GRAC_REQ GRAC_RISK GRAC_ROLED GRAC_ROLEP GRAC_RSET GRAC_RT GRAC_SUPP GRAC_SYS GRAC_SYSTM GRAC_USER Application Security P U BL IC 35

36 Role Name Objects SAP_GRAC_ACCESS_REQUESTER GRAC_EMPLY GRAC_REQ GRAC_ROLED GRAC_ROLEP GRAC_SYS GRAC_SYSTM GRAC_USER Emergency Access Management Emergency Access Management is available in centralized and decentralized (plug-in) implementations. The role information is separated by the implementation scenario in the following sections. Roles for Centralized Firefighting The following table lists the delivered roles and the relevant authorization objects for centralized emergency access management: Role Name Objects SAP_GRAC_SUPER_USER_MGMT_ADMIN GRAC_ASIGN GRAC_OWNER GRAC_RCODE GRAC_REP GRAC_ROLED GRAC_USER SAP_GRAC_SUPER_USER_MGMT_CNTLR GRAC_ASIGN GRAC_OWNER GRAC_REP SAP_GRAC_SUPER_USER_MGMT_OWNER GRAC_ASIGN GRAC_OWNER GRAC_RCODE GRAC_ROLED GRAC_USER 36 P U B L I C Application Security

37 Role Name Objects SAP_GRAC_SUPER_USER_MGMT_USER GRAC_RCODE GRAC_USER GRFN_CONN Roles for Decentralized Firefighting For decentralized (plug-in) firefighting scenarios, the following roles are delivered. Role Name Authorizations SAP_GRIA_SUPER_USER_MGMT_ADMIN /GRCPI/001 - GRAC Authorization Object to extend FF Validity Period ACTVT field value: 70 or * (asterisk) SAP_GRIA_SUPER_USER_MGMT_USER Transactions: /GRCPI/GRIA_EAM and SU53 Application Security P U BL IC 37

38 7.5.5 Access Risk Analysis The following table lists the delivered roles and the relevant authorization objects for access risk analysis: Role Name Objects SAP_GRAC_ALERTS GRAC_ALERT GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_HROBJ GRAC_ORGRL GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_USER GRFN_CONN SAP_GRAC_CONTROL_APPROVER GRAC_ALERT GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_USER 38 P U B L I C Application Security

39 Role Name Objects SAP_GRAC_CONTROL_MONITOR GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_USER SAP_GRAC_CONTROL_OWNER GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_HROBJ GRAC_MITC GRAC_ORGRL GRAC_OUNIT GRAC_OWNER GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_USER SAP_GRAC_FUNCTION_APPROVER GRAC_FUNC GRAC_SYSTM GRFN_CONN Application Security P U BL IC 39

40 Role Name Objects SAP_GRAC_RISK_ANALYSIS GRAC_CPROF GRAC_CGRP GRAC_CROLE GRAC_FUNC GRAC_HROBJ GRAC_ORGRL GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SYSTM GRAC_SUPP GRAC_USER GRFN_CONN SAP_GRAC_RISK_OWNER GRAC_FUNC GRAC_HROBJ GRAC_ORGRL GRAC_OWNER GRAC_PROF GRAC_RA GRAC_REP GRAC_RISK GRAC_ROLED GRAC_ROLER GRAC_RSET GRAC_SUPP GRAC_USER 40 P U B L I C Application Security

41 Role Name Objects SAP_GRAC_RULE_SETUP GRAC_CPROF GRAC_CROLE GRAC_FUNC GRAC_ORGRL GRAC_REP GRAC_RISK GRAC_RSET GRAC_SUPP GRAC_SYS GRAC_SYSTM GRFN_CONN Workflow The following table lists the delivered roles and the relevant authorization objects for workflow: Role Name Object SAP_GRC_MSMP_WF_ADMIN_ALL SAP_GRC_MSMP_WF_CONFIG_ALL GRFN_MSMP GRFN_MSMP Application Security P U BL IC 41

42 8 Data Protection The following user data from ERP and non-erp systems is synchronized to, and stored in, the Access Control system: Authorization data (role, user, profiles, HR objects), which contains the user IDs, IDs, telephone numbers, address, organizational assignments, etc. User logs and activity information The Access Control solution supports the SAP Information Lifecycle Management (ILM) framework to maintain data protection. This chapter describes how to use ILM to carryout blocking and destruction of data as required by data protection policies. Setting Up ILM 1. Use transaction SFW5 to activate Information Lifecycle Management (ILM). Note SAP NetWeaver Information Lifecycle Management is a product that requires its own license. After licensing, you have to activate this product. 2. Select the components that will use the ILM functionality: GRC, GRC-AC. Use transaction SPRO, and complete the activity: Global ILM Enablement, under SAP Reference IMG -> Governance, Risk, and Compliance -> General Settings-> Blocking and Deletion 3. Maintain the fiscal year variant for Access Control. Use transaction SPRO, and open activity: Maintain Configuration Settings, under SAP Reference IMG -> Governance, Risk, and Compliance -> Access Control. Configure parameter 6001: Fiscal Year Variant. 4. Configure the ILM rules for data retention. Access Control provides ILM objects that enhance archiving objects with information for data retention. An ILM object contains the settings for the ILM rules. These rules are read by Access Control while data processing and, based on the rule condition, personal data is blocked and deleted. Use transaction SPRO, complete the activity: ILM Entity Settings, under SAP Reference IMG -> Governance, Risk, and Compliance -> General Settings-> Blocking and Deletion ILM Policy Creation To establish the Residence Rules and the Retention rules, use transaction IRMPOL. For any Residence Rule (if blocking is required), use Audit area GRC. To designate objects to be blocked or destroyed (based on business need and legal requirements), use transaction SPRO, and maintain the activity: Maintain Legal Entity, under SAP Reference IMG -> Governance, Risk, and Compliance -> General Settings-> Blocking and Deletion. 42 P U B L I C Data Protection

43 Blocking and Unblocking To verify you have configured your data blocking, use transaction GRAC_DATA_BLOCK. To unblock data, use transaction GRAC_DATA_UNBLOCK. Select the ILM object, and then click execute. Select a record and click Unblock. Objects remain unblocked until the next scheduled execution of the blocking job blocks them again. Destruction Use transaction code ILM_DESTRUCTION to verify your destruction policies. Select Data from the Database and identify the ILM object. Use test mode. Logs Use transaction code SLG1 to verify the logs. Verification Open Access Control and check the dates to see if your policies and rules are operating as intended. For example, if you set up the data to be blocked after 2 years, check if any data is shown if you search for dates older than 2 years. Use ABAP Program GRFN_PI_DBTABLOG_COPY_DES to look at a Simple deletion report to delete contents of GRC plugin system DB table /GRCPI/GRIA_AM_DBLOG 8.1 Information Retrieval Framework (IRF) The Information Retrieval Framework (IRF) allows you to search for and retrieve all personal data of a specified data subject. The search results are displayed in a comprehensive and structured list containing all personal data of the data subject specified, subdivided according to the purpose for which the data was collected and processed. For information about IRF, setting up the data model used by IRF, and retrieving personal data using IRF, see the Information Retrieval Guide attached to SAP Note: Data Protection P U BL IC 43

44 8.2 Read Access Log (RAL) Access Control does not deliver Read Access Logging (RAL) configurations and log conditions. 8.3 Business Entities The table below lists the business entities for Access Control. Note Blocking Required (RST). End of residence time varies. Destruction Required (RTP) after end of retention time. All business entities listed below require destruction after the end of the retention time. Business Entities Legal Entity or Business Entity ILM Object Component Blocking Required (RST) Archiving Required Country Flag Available Access Request GRAC_ARQ GRC-AC Yes Yes No Action Usage GRAC_ACT GRC-AC Yes Yes No Ad-Hoc Issue GRFN_AI_DE STRUCTION GRC Yes No Yes Automated Monitoring Job GRFN_AM_JOB_D ESTRUCTION GRC Yes No Yes Background Report Data GRFN_REP_DATA_ DESTRUCTION GRC No No No Business Rule STRUCTION GRC Yes No No Datamart TION GRC Yes No No Emergency Access Management GRAC_EAM GRC-AC Yes Yes No Evaluation: Survey GRFN_BR_DE GRFN_DATA MART_DESTRUC GRFN_SUR VEY_DESTRUC TION GRC Yes No Yes 44 P U B L I C Data Protection

45 Legal Entity or Business Entity ILM Object Component Blocking Required (RST) Archiving Required Country Flag Available Master Data Change Request (MDCR) STRUCTION GRC No No No Notes History GRFN_MDCR_DE GRFN_NOTES_DE STRUCTION GRC Yes No Yes Planner - Plan GRFN_PLAN_DE STRUCTION GRC Yes Yes No Policy TION GRC Yes No Yes Role Assignment TION GRC Yes No Yes User Delegation GRFN_POL ICY_DESTRUC GRFN_ROLE_AS SIGN_DESTRUC GRFN_DELE GATE_DESTRUC TION GRC No No No 8.4 Roles and Authorization Objects Verify the end-user can no longer access the personal data stored in blocked process tables. Authorization can be given to specific users (like auditors) to read the personal data from blocked process tables. Roles created for ILM administrators and Auditors Role Description Authorization Object Authorization Field Field Value Purpose SAP_GRC_ILM_AD MINISTRATOR Assign SAP_GRC_FN _ALL (power user) using SU01 Assign role SAP_GRC_SP GRC ILM Administrator GRFN_USER ACTVT 5 Blocking 69 Destruct Data Protection P U BL IC 45

46 Role Description Authorization Object Authorization Field Field Value Purpose C_CRS_IS SUE_ADMIN (cross regulation issue admin) at entity level on any corporate node in organization hierarchy. 95 Unblocking SAP_GRC_ILM_AU DITOR GRC ILM Auditor GRFN_USER ACTVT 94 Only the ILM auditor can have this activity to protect the blocked data. If you have created custom roles with authorization object GRFN_USER and activity set to * then it must be removed and specific activities must be named. To view blocked data These authorizations must be provided to users for different activities. Authorization objects and Activities used Authorization Object Authorization Field Field Value Description GRFN_USER ACTVT 5 Lock 69 Discard 94 Only the ILM Auditor can have this activity to protect the blocked data. Override 46 P U B L I C Data Protection

47 Authorization Object Authorization Field Field Value Description 95 Unlock 8.5 Data Archiving ILM-enabled Archiving Objects GRC supports the SAP Information Lifecycle Management (ILM) framework for retention management. The following table shows the available GRC archiving objects: GRC ILM-enabled Archiving Objects Archiving Objects Description ILM Object Condition field Reference field GRACEAM Archiving for GRC AC Emergency Access Management (EAM) Logs GRCAC_EAM FFLOG_ID LOGON_TIME GRACACTUS GRFNMSMP Archiving for GRC AC Action usage - GRA CACTUSAGE table records Archiving for GRC AC Requests GRAC_ACT ACTION_USAGE_ID EXECUTION_DATE GRCAC_ARQ PROCESS_ID FINISHED_AT Archiving GRACTUSAGE Table Records Use archiving object GRACACTUS for archiving GRACTUSAGE table records. Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use the archiving object GRACTUS, data is archived from the following tables: Table and Programs affected by GRACACTUS Tables GRACACTUSAGE Programs GRAC_ACTUSAGE_ARCHIVE_WRITE GRAC_ACTUSAGE_ARCHIVE_DELETE GRAC_ACTUSAGE_ARCHIVE_READ Data Protection P U BL IC 47

48 8.5.2 Archiving GRC Requests Use archiving object GRFNMSMP for archiving GRC AC Requests. Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use the archiving object GRFNMSMP, data is archived from the following tables: Tables affected by GRFNMSMP Tables GRFNMWRTINST GRFNMWRTINSTAPPL GRFNMWRTMSGLG GRFNMWRTARCHCONF GRACREQ GRACREQPROVLOG GRACREQOWNER GRACREQUSER GRACREQUSERADR GRACREQUSERGROUP GRACREQUSERPARAM GRACREQPROVITEM GRACREVITEM GRACREQOMOBJITEM GRACSODREVIEW GRACFUNUSAGE GRACSODUSERROLE GRACUARBUSRLSNAP Programs Affected by GRFNMSMP Programs GRFNMW_ARCHIVE_WRITE 48 P U B L I C Data Protection

49 Programs GRFNMW_ARCHIVE_DELETE GRFNMW_ARCHIVE_RELOAD GRFNMW_ARCHIVE_READ Archiving EAM Logs Use archiving object GRACEAM for archiving Emergency Access Management (EAM) logs. Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use the archiving object GRACEAM, data is archived from the following tables: GRACAUDITLOG GRACACTUSAGE GRACSYSTEMLOG GRACCHANGELOG GRACOSCMDLOG GRACROLEFFLOG GRACFFLOG GRACFFREPMAPP The following are the programs affected by GRACEAM. GRAC_EAM_ARCHIVE_WRITE GRAC_EAM_ARCHIVE_DELETE GRAC_EAM_ARCHIVE_READ Data Protection P U BL IC 49

50 Important Disclaimers and Legal Information Hyperlinks Some links are classified by an icon and/or a mouseover text. These links provide additional information. About the icons: Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this: The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information. SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct. Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information. Beta and Other Experimental Features Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up. The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP. Example Code Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct. Gender-Related Language We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders. 50 P U B L I C Important Disclaimers and Legal Information

51 Important Disclaimers and Legal Information P U BL IC 51

52 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see for additional trademark information and notices. THE BEST RUN