
SECURITY GUIDE | CUSTOMER

Document Version: 6.0.6 – 2017-12-13

Security Guide for SAP EHS Management


© 2018 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Introduction
1.1 About this Document
1.2 Target Audience
1.3 Why is Security Necessary?
1.4 Overview of the Main Sections

2 Before You Start
2.1 Fundamental Security Guides
2.2 Important SAP Notes

3 Technical System Landscape

4 User Administration and Authentication
4.1 Introduction
4.2 User Management
    User Administration and User Management Tools
    User Types
    Standard Users
4.3 User Data Synchronization
4.4 Integration into Single Sign-On Environments

5 Authorizations
5.1 Role and Authorization Concept for SAP EHS Management
5.2 Authorizations for RFC Calls
5.3 Standard Roles
    Scenario Health and Safety
    Scenario Environment Management
    Scenario Product Compliance
5.4 Standard Authorization Objects
    Scenario Health and Safety
    Scenario Environment Management
    Scenario Product Compliance
5.5 Critical Combinations
5.6 Creating Custom Roles

6 Session Security Protection
6.1 Introduction
6.2 Session Security Protection on the AS ABAP
6.3 Session Security Protection on the AS Java

7 Network and Communication Security
7.1 Introduction
7.2 Communication Channel Security
    Secure Offline Communication with SAP Interactive Forms by Adobe
7.3 Network Security
7.4 Ports
7.5 Communication Destinations

8 Internet Communication Framework Security for Health and Safety

9 Data Storage Security

10 Data Protection
10.1 Introduction
10.2 Glossary
10.3 Technical and Organizational Measures to Ensure Data Protection
10.4 Deletion of Personal Data
10.5 Information Retrieval
10.6 Read Access Logging of Personal Data
    Read Access Logging for Incident Management
10.7 Change Logging

11 Security for Additional Applications

12 Dispensable Functions with Impacts on Security

13 Other Security-Relevant Information
13.1 SAP NetWeaver Business Client as User Front End
13.2 Documents (Including Virus Scanner)
13.3 Forms and E-Mails Containing Java Script
13.4 Security Settings for the Report Incident App

14 Security-Relevant Logging and Tracing

15 Services for Security Lifecycle Management
15.1 Introduction
15.2 Security Chapter in the EarlyWatch Alert (EWA) Report
15.3 Security Optimization Service (SOS)
15.4 Security Configuration Validation
15.5 Security in the RunSAP Methodology / Secure Operations Standard
15.6 More Information

1 Introduction

1.1 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP EHS
Management.

Caution

This guide does not replace the administration or operation guides that are available for productive
operations.

1.2 Target Audience

This guide is intended for the following target groups:

● Technology consultants
● Security consultants
● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle,
whereas the Security Guides provide information that is relevant for all life cycle phases.

You can find the guides as specified in the table below:

Overview of Guides for SAP EHS Management

Master Guide
  Definition: The central starting point for the technical implementation of the SAP EHS Management add-on.
  Get an overview of SAP EHS Management, its software units, system landscapes, and find important SAP Notes.
  Link: SAP Help Portal at http://help.sap.com/ehs-com

Operations Guide
  Definition: Information for technical and solution consultants as well as support specialists and system
  administrators about managing and maintaining your SAP applications to run optimally.

Sizing Guide
  Definition: Information for system administrators, technical project managers, and consultants about sizing
  and the calculation of hardware requirements, such as CPU, disk, and memory resources.

1.3 Why is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. These demands on security apply likewise to component extension 6.0 for SAP Environment,
Health, and Safety Management (SAP EHS Management). To assist you in securing SAP EHS Management, we
provide this Security Guide.

Data protection is very important in the following examples:

● In incident management, you have critical person-related information regarding absences or injuries.
● In risk assessment, personal data about the risk assessment lead and the other persons involved in a risk
assessment are displayed.

Component extension 6.0 for SAP EHS Management assumes that agreements for storage of personal data are
covered in individual work contracts. This also applies to notifications on initial data storage.

Note

Several business processes within SAP EHS Management use SAP Business Workflow and e-mail inbound
and outbound processing. Do not grant the corresponding system users (such as WF-BATCH for the
workflow system or SAPCONNECT for e-mail inbound processing) all authorizations of the system
(SAP_ALL). This document describes the authorizations and configuration required to support business
processes that use SAP Business Workflow and the e-mail inbound and outbound scenario within the SAP
EHS Management solution.

1.4 Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start
  This section contains information about why security is necessary, how to use this document, and
  references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
  This section provides an overview of the technical components and communication paths that are used by
  SAP EHS Management.
● Security Aspects of Data, Data Flow and Processes
  This section provides an overview of security aspects involved throughout the most widely-used processes
  within SAP EHS Management.
● User Administration and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  ○ Recommended tools to use for user management
  ○ User types that are required by SAP EHS Management
  ○ Standard users that are delivered with SAP EHS Management
  ○ Overview of the user synchronization strategy, if several components or products are involved
  ○ Overview of how integration into Single Sign-On environments is possible
● Authorizations
  This section provides an overview of the authorization concept that applies to SAP EHS Management.
● Session Security Protection
  This section provides information about activating secure session management, which prevents
  JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication Security
  This section provides an overview of the communication paths used by SAP EHS Management and the
  security mechanisms that apply. It also includes our recommendations for the network topology to
  restrict access at the network level.
● Internet Communication Framework Security
  This section provides an overview of the Internet Communication Framework (ICF) services that are
  used by SAP EHS Management.
● Application-Specific Virus Scan Profile (ABAP)
  This section provides an overview of the behavior of the AS ABAP when application-specific virus scan
  profiles are activated.
● Data Storage Security
  This section provides an overview of any critical data that is used by SAP EHS Management and the
  security mechanisms that apply.
● Data Protection
  This section provides information about how SAP EHS Management protects personal or sensitive data.
● Security for Third-Party or Additional Applications
  This section provides security information that applies to third-party or additional applications that are
  used with SAP EHS Management.
● Dispensable Functions with Impacts on Security
  This section provides an overview of functions that have impacts on security and can be disabled or
  removed from the system.
● Enterprise Services Security
  This section provides an overview of the security aspects that apply to the enterprise services
  delivered with SAP EHS Management.
● Other Security-Relevant Information
  This section contains information about:
  ○ SAP NetWeaver Business Client as a user front end
  ○ Interactive forms
  ○ E-mails with PDF attachments
  ○ Documents (including virus scanner)
● Security-Relevant Logging and Tracing
  This section provides an overview of the trace and log files that contain security-relevant information,
  for example, so you can reproduce activities if a security breach does occur.
● Services for Security Lifecycle Management
  This section provides an overview of services provided by Active Global Support that are available to
  assist you in maintaining security in your SAP systems on an ongoing basis.
● Appendix
  This section provides references to further information.

2 Before You Start

2.1 Fundamental Security Guides

SAP EHS Management is built from the following components:

● SAP NetWeaver
● SAP BI
● SAP Embedded Search (SAP NetWeaver Enterprise Search)
● SAP BusinessObjects
● SAP Interactive Forms

Therefore, the corresponding Security Guides also apply to SAP EHS Management. Pay particular attention
to the most relevant sections or specific restrictions as indicated in the list below.

Application of Components (Scenario, Application or Component and Security Guide)

● SAP NetWeaver 7.0: Security Guides (Complete)
● SAP NetWeaver Business Client
● SAP Basis / Web AS Security Guides
● SAP Business Connector Security Guide
● SAP NetWeaver Business Warehouse Security Guides
● SAP BusinessObjects (formerly, SAP Business User)
● SAP Interactive Forms solution Security Guides
● SAP NetWeaver Enterprise Search 7.2 Security Guide

2.2 Important SAP Notes

The most important SAP Notes that apply to the security of SAP EHS Management are shown in the table
below.

Important SAP Notes

SAP Note   Title
128447     Trusted/Trusting Systems
510007     Setting up SSL on the Web Application Server ABAP
517484     Inactive Services in the Internet Communication Framework
1367252    SAP NetWeaver Enterprise Search 7.2: Security Guide
1590784    EHSM: Necessary changes in the Attachment Folder Customizing

For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Support Portal at
https://support.sap.com/securitynotes.

For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links

Security: http://scn.sap.com/community/security
Related SAP Notes: https://support.sap.com/notes and https://support.sap.com/securitynotes
Product Availability Matrix: http://support.sap.com/release-upgrade-maintenance/pam.html
SAP Solution Manager: https://support.sap.com/solutionmanager
SAP NetWeaver: http://scn.sap.com/community/netweaver

3 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP EHS Management.

For more information about the technical system landscape of SAP EHS Management, as well as integrated
systems, see the SAP EHS Management Master Guide on the SAP Help Portal at http://help.sap.com/ehs-com.

Figure 1: Process Integration System Overview depicts which functional modules are integrated into SAP EHS
Management processes and can reside on separate systems. The systems can be connected via RFC.

We assume that the central system for master data will provide the initial setup of Customizing and master
data for SAP EHS Management via Customizing transports and ALE replication (such as material master and
plants).

[Figure 1: Process Integration System Overview]

For these RFC calls, we recommend that you distribute the SAP EHS Management users to the other systems as
needed (to read HR data, for example) and that you enable Single Sign-On (SSO) for those users.

For more information about the technical system landscape, see the resources listed in the table below.

Technical System Landscape Resources (Topic, Guide/Tool, Link on the SAP Support Portal or SCN)

● Technical description for SAP EHS Management and the underlying components such as SAP NetWeaver:
  Master Guide, http://help.sap.com/ehs-com
● High availability: see applicable documents, http://scn.sap.com/docs/DOC-7848
● Technical landscape design: see applicable documents, http://scn.sap.com/docs/DOC-8140
● Security: see applicable documents, http://scn.sap.com/community/security

4 User Administration and Authentication

4.1 Introduction

SAP EHS Management uses the user management and authentication mechanisms provided with the SAP
NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the
security recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Application Server ABAP Security Guide [SAP Library] and SAP NetWeaver Application Server Java
Security Guide [SAP Library] also apply to SAP EHS Management.

In addition to these guidelines, we include information about user administration and authentication that
specifically applies to SAP EHS Management in the following topics:

● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users
that are delivered with SAP EHS Management.
● User Data Synchronization
SAP EHS Management shares user data with:
○ SAP EHS Management system
○ BI system
○ Other ERP systems (HR, PM, QM, and CS)
This topic describes how the user data is synchronized with these other sources.
● Integration into Single Sign-On Environments
This topic describes how SAP EHS Management supports Single Sign-On mechanisms.

4.2 User Management

User management for SAP EHS Management uses the mechanisms provided with the SAP NetWeaver
Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of
how these mechanisms apply for SAP EHS Management, see the sections below. In addition, we provide a list of
the standard users required for operating SAP EHS Management.

4.2.1 User Administration and User Management Tools

The table below shows the tools to use for user management and user administration with SAP EHS
Management.

User Management and Administration Tools

● User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG)
  For more information, see Users and Roles (BC-SEC-USR) on SAP Help Portal at http://help.sap.com.
● User Management Engine with SAP NetWeaver AS Java
  For more information, see User Management Engine on SAP Help Portal at http://help.sap.com.
● Central User Administration (CUA)
  Use the CUA to centrally maintain users for the various systems used by SAP EHS Management.
● Set user for Enterprise Search data extraction (report ESH_EX_SET_EXTRACTION_USER)
  The Embedded Search extraction user and extraction roles have to be set up with this report.
● Manage analysis authorizations (transaction RSECADMIN)
  Provides all necessary tools to maintain analysis authorizations.

4.2.2 User Types

It is often necessary to specify different security policies for different types of users. For example, your policy
may specify that individual users who perform tasks interactively have to change their passwords on a regular
basis, but not those users under which background processing jobs run.

The user types that are required for SAP EHS Management include:

● Individual users:
○ Dialog users are used for the dialog processing and for the RFC connection to the Adobe Document
Service (ADS), for example. (Used for SAP GUI for Windows or RFC connections.)
○ Communication users are used for e-mail inbound processing (such as SAPCONNECT).
○ Background users are used for Embedded Search extraction, BI extraction and the SAP Business
Workflow Engine (such as WF-BATCH).

For more information about these user types, see User Types on SAP Help Portal at http://help.sap.com in the
SAP NetWeaver AS ABAP Security Guide.

4.2.3 Standard Users

The table below shows the standard users that are necessary for operating SAP EHS Management.

Standard Users

SAP EHS Management ERP System
● Business Processing User (Dialog user, password to be entered): Business user of SAP EHS Management.
● E-mail Inbound Processing User (Communication user, no password needed): User to process the incoming
  e-mails of SAP EHS Management.
● BI Extractor User (Background user, no password needed): User for the BI extraction of SAP EHS
  Management data.
● Embedded Search Extractor User (Background user, no password needed): User for the Embedded Search
  extraction; created via report ESH_EX_SET_EXTRACTION_USER.
● Workflow Engine batch user (Background user, no password needed): User for the background processing of
  workflows in SAP EHS Management.
● PRC Worklist Generation User (Background user, no password needed): User for the background processing
  of product compliance worklists.
● PRC Automated Change Processing User (Background user, no password needed): User for the background
  automated processing of compliance data changes in the product compliance area.
● PRC Supplier Change Monitor (Background user, no password needed): User for the background monitoring
  of changes in supplier to material assignment.
● Automatic Data Collection User (Background user, no password needed): EM-BATCH user with the role
  SAP_BC_BMT_WFM_SERV_USER for the automatic collection of environmental data.

SAP EHS Management BI System
● Business Processing User for Reporting functionality (Dialog user, password to be entered): Business
  user of SAP EHS Management, mapped to the Business Processing User in the SAP EHS Management ERP
  System.

You need to create the users after the installation.

Recommendation

None of these users is created automatically during installation, so there are no delivered default user
IDs or passwords that would have to be changed after the installation.

4.3 User Data Synchronization

To avoid administrative effort, you can employ user data synchronization in your system landscape.

Since SAP EHS Management is based on SAP NetWeaver, all the mechanisms for user data synchronization of
SAP NetWeaver are available for SAP EHS Management.

4.4 Integration into Single Sign-On Environments

SAP EHS Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver.
Therefore, the security recommendations and guidelines for user administration and authentication as
described in the SAP NetWeaver Security Guide on SAP Help Portal at http://help.sap.com also apply to SAP
EHS Management.

The most widely-used supported mechanisms are listed below:

● Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
● SAP logon tickets
SAP EHS Management supports the use of logon tickets for SSO when using a Web browser as the front-
end client. In this case, users can be issued a logon ticket after they have authenticated themselves with
the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an
authentication token. The user does not need to enter a user ID or password for authentication, but can
access the system directly after the system has checked the logon ticket.
● Client certificates
As an alternative to user authentication with a user ID and passwords, users using a Web browser as a
front-end client can also provide X.509 client certificates to use for authentication. In this case, user
authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol)
and no passwords have to be transferred. User authorizations are valid in accordance with the
authorization concept in the SAP system.

For more information about the available authentication mechanisms, see User Authentication and Single Sign-
On on SAP Help Portal at http://help.sap.com in the SAP NetWeaver Library.

5 Authorizations

5.1 Role and Authorization Concept for SAP EHS Management

SAP EHS Management uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP EHS Management.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For
role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management
Engine's user administration console on the AS Java.

Note

For more information about how to create roles, see Role Administration [SAP Library].

5.2 Authorizations for RFC Calls

In SAP EHS Management, multiple BAPIs and RFC-enabled function modules are used to create, update, and
read the data of other SAP applications from (optional) other ERP systems. Thus, the authorization for using
these BAPIs and function modules (via Web Dynpro, for example), should be restricted to users who are
intended to have these authorizations and corresponding access to the data. For more information about
creating roles and the authorization concept, see AS ABAP Authorization Concept on SAP Help Portal at
http://help.sap.com → SAP NetWeaver 7.4.
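Two recommendations in this guide lend themselves to an offline check against an export of user and role data: the note in section 1.3 and the standard users in section 4.2.3 (no SAP_ALL for system users such as WF-BATCH or SAPCONNECT; workflow background users carry SAP_BC_BMT_WFM_SERV_USER next to SAP_EHSM_FND_WF_PERMISSION), and this section (RFC authorizations restricted to the users who need them). The following Python script is an added example and is not part of this SAP guide. Its input rows are constructed, the role Z_RFC_ALL and the function group Z_EHSM_EXTRACT are hypothetical, and the simplified fields stand in for what you would export from USR02 (user type), AGR_USERS (role assignments), and AGR_1251 (authorization values per role).

```python
"""Offline audit of SAP user and role assignments against three points from the
SAP EHS Management security guide: no SAP_ALL on system users, workflow
background users hold SAP_BC_BMT_WFM_SERV_USER next to SAP_EHSM_FND_WF_PERMISSION,
and no role grants the RFC authorization object S_RFC with a wildcard name.

Added example, not part of the SAP guide. All rows below are constructed; in a
real system they would come from USR02, AGR_USERS and AGR_1251. The role
Z_RFC_ALL and the function group Z_EHSM_EXTRACT are hypothetical.
"""

# User type as this guide names them: dialog, communication, background.
USERS = {
    "JSMITH": "dialog",
    "WF-BATCH": "background",
    "EM-BATCH": "background",
    "SAPCONNECT": "communication",
    "BI_EXTRACT": "background",
}

# Roles (and profiles such as SAP_ALL) assigned to each user (constructed).
ASSIGNMENTS = {
    "JSMITH": {"SAP_EHSM_HSS_INCIDENT_MANAGER"},
    "WF-BATCH": {"SAP_ALL", "SAP_EHSM_FND_WF_PERMISSION"},
    "EM-BATCH": {"SAP_BC_BMT_WFM_SERV_USER"},
    "SAPCONNECT": {"SAP_EHSM_HSS_EML_REC"},
    "BI_EXTRACT": {"SAP_EHSM_FND_WF_BI_EXTR", "Z_RFC_ALL"},
}

# Authorization field values per role as (object, field, value) (constructed).
# S_RFC activity 16 is "Execute"; RFC_NAME "*" allows every RFC object.
ROLE_AUTHS = {
    "Z_RFC_ALL": [
        ("S_RFC", "RFC_TYPE", "*"),
        ("S_RFC", "RFC_NAME", "*"),
        ("S_RFC", "ACTVT", "16"),
    ],
    "SAP_EHSM_FND_WF_BI_EXTR": [
        ("S_RFC", "RFC_TYPE", "FUGR"),
        ("S_RFC", "RFC_NAME", "Z_EHSM_EXTRACT"),
        ("S_RFC", "ACTVT", "16"),
    ],
}

WF_PERMISSION = "SAP_EHSM_FND_WF_PERMISSION"
WF_SERVICE_ROLE = "SAP_BC_BMT_WFM_SERV_USER"


def sap_all_on_system_users(users, assignments):
    """Non-dialog users (background, communication) that hold SAP_ALL."""
    return sorted(
        u for u, utype in users.items()
        if utype != "dialog" and "SAP_ALL" in assignments.get(u, set())
    )


def workflow_users_missing_service_role(assignments):
    """Users that process EHS workflows but lack the workflow service role."""
    return sorted(
        u for u, roles in assignments.items()
        if WF_PERMISSION in roles and WF_SERVICE_ROLE not in roles
    )


def wildcard_rfc_roles(role_auths):
    """Roles whose S_RFC authorization names every RFC object with '*'."""
    return sorted(
        role for role, auths in role_auths.items()
        if ("S_RFC", "RFC_NAME", "*") in auths
    )


def audit(users, assignments, role_auths):
    """All findings as (user, message) tuples, sorted for stable output."""
    findings = []
    for u in sap_all_on_system_users(users, assignments):
        findings.append((u, "system user holds SAP_ALL; replace with the task-specific roles"))
    for u in workflow_users_missing_service_role(assignments):
        findings.append((u, f"holds {WF_PERMISSION} but not {WF_SERVICE_ROLE}"))
    wild = set(wildcard_rfc_roles(role_auths))
    for u, roles in assignments.items():
        for role in sorted(roles & wild):
            findings.append((u, f"role {role} grants S_RFC with RFC_NAME '*'"))
    return sorted(findings)


if __name__ == "__main__":
    for who, msg in audit(USERS, ASSIGNMENTS, ROLE_AUTHS):
        print(f"{who}: {msg}")
```

The wildcard check only looks at authorizations maintained directly in a single role; in a real export you would first flatten composite roles and manually assigned profiles into the same (object, field, value) rows, otherwise an S_RFC wildcard inherited through a composite role goes unnoticed.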

5.3 Standard Roles

The table below shows the standard roles that are used by SAP EHS Management.

SAP EHS Management delivers end user roles for the ERP system that keep the menu structures for end users
consistent, regardless of whether the user accesses the system through a Web browser or through SAP
NetWeaver Business Client (NWBC) as a front end.

The following standard roles support the processes of SAP EHS Management. Technically, the services of these
roles are of the following types: Web Dynpro ABAP, Personal Object Worklist (POWL), Report Launchpad, BI
queries, BI dashboards based on Adobe Flash Player, and transactions. Unless shown in the table below, the
roles are delivered without authorization profiles. The authorization profiles are then generated from these
roles.

Standard Roles

SAP_EHSM_MASTER
    Master PFCG role for all incident management, risk assessment, and product safety and stewardship functionality. This role is intended for use as a copy template for the menu structures of the end user roles that are currently assigned.

SAP_EHSM_PROCESS_ADMIN
    End user role for the person who is technically responsible for the workflow-based processes of EHS Management. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    This role can receive workflow items.

SAP_EHSM_HSS_BW_ANALYTICS
    End user role for the person who analyzes incidents and risk assessments, as well as the executed processes. This role contains the navigation point Analytical Reports that includes the report launchpad for the health and safety work area with access to all dashboards and queries.
    For this role, an SAP Business Warehouse (BW) system with BI Content for SAP EHS Management must be installed.

SAP_EHSM_FND_WF_BI_EXTR
    System user role for the extraction of BI data. This role contains the authorization profiles needed to extract the workflow data for workflow reporting in BI.

SAP_EHSM_FND_WF_PERMISSION
    System user role for the Workflow Engine. This role contains the additional authorization profiles needed to process the workflows in the background.
    The users who process the workflows in the background should, in addition to the SAP_EHSM_FND_WF_PERMISSION role, be assigned the SAP_BC_BMT_WFM_SERV_USER role.
    For processing incident management workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_INCIDENT_MANAGER role.
    For processing risk assessment workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_ENVMGR, SAP_EHSM_HSS_HYGIENIST, and SAP_EHSM_HSS_SAFEMGR roles.
    For processing environmental management workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_ENVMGR role.
    For processing product compliance workflows, the users should also receive the same authorizations as the SAP_EHSM_PRC_COMPL_ENG, SAP_EHSM_PRC_COMPONENT_ENG, and SAP_EHSM_PRC_BASMAT_SPEC roles.

SAP_EHSM_HSS_EML_REC
    System user role for the e-mail recipient. This role contains the authorization profiles needed to receive and process e-mails.

SAP_EHSM_FND_MIGRATION
    End user role for the migration. You use this role to access the Legacy System Migration Workbench. Depending on the content you want to migrate, you still need to configure and assign the corresponding business role (including the profiles).
    For example, to access the incident business object and migrate the incident content, you also need the SAP_EHSM_HSS_INCIDENT_MANAGER role assigned (along with the corresponding profiles).

Note

To restrict access to data for users who execute analytical reports (BI Content), proceed as follows:

1. Flag the necessary InfoObjects as being authorization-relevant.
2. Adjust the queries.
3. Define the necessary analysis authorizations.
4. Assign the authorizations to users.

For more information, see the Security Guide for SAP NetWeaver BI.

5.3.1 Scenario Health and Safety

The roles in the tables below are relevant for managing incidents, managing EHS risks, and managing chemicals in health and safety processes.

Standard Roles for Managing Incidents

SAP_EHSM_HSS_INCIDENT_MANAGER
    End user role for the incident manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    This role can receive workflow items.

SAP_EHSM_HSS_INCIDENT_REPORTER
    End user role for the incident reporter. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_INCIDENT_NOTIFIED
    End user role for a person who is notified during the processing of an incident. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    This role can receive workflow items.

SAP_EHSM_HSS_INCIDENT_ESH_EXTR
    System user role for the Embedded Search extraction. This role contains the authorization profiles needed to extract the BO incident for the Embedded Search.

SAP_EHSM_HSS_INCIDENT_BI_EXTR
    System user role for the BI extraction. This role contains the authorization profiles needed to extract the BO incident for incident reporting in BI.

SAP_EHS_INC_REPORINCIDENT_APP
    System user role for the users of the app Report Incident. This role contains the authorization proposals needed to use the app Report Incident.

Standard Roles for Managing EHS Risks

SAP_EHSM_HSS_ENVMGR
    End user role for the environmental manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_HYGIENIST
    End user role for the industrial hygienist. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_SAFEMGR
    End user role for the safety manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_LINEMGR
    End user role for the line manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_RAS_BI_EXTR
    System user role for the BI extraction. This role contains the authorization profiles needed to extract the risk assessment data for risk assessment reporting in BI.

SAP_EHSM_HSS_HSMGRCORP
    End user role for the corporate health and safety manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_SMPLTECH
    End user role for the sampling technician. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

Standard Roles for Managing Chemicals

SAP_EHSM_HSS_HAZSUBMGR
    End user role for the hazardous substance manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    For further details, see the role documentation.

SAP_EHSM_HSS_CHEMAPPR
    End user role for the chemical approver. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    For further details, see the role documentation.

SAP_EHSM_HSS_SDSCLERK
    End user role for the safety datasheet clerk. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    For further details, see the role documentation.

SAP_EHSM_HSS_CHEMREQ
    End user role for the chemical requestor. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.
    For further details, see the role documentation.

5.3.2 Scenario Environment Management

In the environment management component, to set up the automatic data collection, an RFC connection has to be configured in the source system that uses the EM-BATCH user for system access. In the target system, the user EM-BATCH should be used for running the automatic data collection process. The EM-BATCH user should have the SAP_BC_BMT_WFM_SERV_USER role with Execution activity authorizations for the S_RFC authorization object.

Additionally, the EM-BATCH user should have Maintain activity authorizations for the EHENV_SCEN
authorization object for the relevant locations to be able to store the collected data in the target system. These
authorizations can be configured in a Z-role derived from the SAP_EHSM_HSS_ENVMGR master role.

The standard system is delivered with a restriction on the number of imported data records with their
corresponding number of external source tags per single run of the automatic data import. If you try to import
more than 1.000.000 data records with up to 1.000 external source tags in a single run of the automatic
import, the system will stop the import with a warning message.

The roles in the table below are relevant for managing emissions.

Standard Roles for Managing Emissions

SAP_EHSM_HSS_ENVMGR
    End user role for the environmental manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_ENV_TECHNICIAN
    End user role for the environmental technician. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

5.3.3 Scenario Product Compliance

The roles in the table below are relevant for managing product compliance.

Standard Roles for Managing Product Compliance

SAP_EHSM_ADMINISTRATOR
    Administrator role for the person who monitors changes in master data for product compliance, compliance objects, and the application log. This person also corrects data issues, enters data for customers and suppliers, and manually imports incoming documents either from the front-end system or from an application server.

SAP_EHSM_PRC_COMPL_CONSUMER
    End user role for the compliance consumer. This role can be adapted for use as four different sub-roles: purchasing agent, sales and services representative, mechanical engineer, and electrical engineer. This user role is responsible for maintaining awareness of regulations and compliance requirements and, depending on the purpose, can be responsible for maintaining product knowledge and data, configuring customer orders, scheduling service requests, research, and evaluating product data, or designing, testing, and analysis of components.

SAP_EHSM_PRC_COMPL_MGR
    End user role for the compliance manager. This user role monitors compliance-related programs for product lines, and defines policies and procedures for other departments to ensure compliance. The compliance manager approves the manufacturing processes and equipment that will be used in production, and supervises design compliance.

SAP_EHSM_PRC_COMPL_ENG
    End user role for the compliance engineer. This user role monitors daily operations that contribute to ensuring compliance. The compliance engineer is responsible for the company compliance data set. He or she maintains compliance data in cooperation with the engineering teams, and cooperates with the compliance manager for up-to-date information about regulations. This role is involved in material-based and component-based engineering changes and new product reviews.

SAP_EHSM_PRC_COMPONENT_ENG
    End user role for the component engineer. This user role selects and works with electrical or other components to be incorporated into future products, and handles management and documentation of purchased components. The component engineer approves parts obtained externally, works closely with vendors, and ensures compliance by following the established procedures and policies.

SAP_EHSM_PRC_BASMAT_SPEC
    End user role for the basic material specialist. This user role is responsible for the selection of appropriate materials and surfaces for design parts, and approves their release for use. The basic material specialist decides the specific application of materials and surfaces, and maintains the material database.

SAP_EHSM_PRC_BW_ANALYTICS
    End user role for the person who analyzes product safety and stewardship assessments, as well as the executed processes. This role contains the navigation point Analytical Reports that includes the report launchpad for the product safety and stewardship work area with access to all dashboards and queries.
    For this role, an SAP Business Warehouse (BW) system with BI Content for SAP EHS Management must be installed.

SAP_EHSM_PRC_AUTO_CHANGE_PROC
    System user role for the automated change processing. This role contains the authorization profiles needed to determine compliance information that is affected by a relevant change and to execute the worklist of pending compliance information.

SAP_EHSM_PRC_REG_CHG_WLIST_PRO
    System user role necessary for background processing of PRC Regulatory Change Worklist Generation (program R_EHPRC_WL_REGCHG_GENERATE) and PRC Regulatory Change Worklist Post Processing (program R_EHPRC_WL_REGCHG_POST_PROC).

SAP_EHSM_PRC_SUPPL_CHNG_PROC
    This role contains, as a suggestion, all relevant authorization data necessary for background processing of PRC Supplier Change Processing.
    Supplier Change Monitor: the program R_EHPRC_PBB_SUPPL_CHNG_MON is executed in background processing in order to monitor changes in the supplier to material assignment and to start the workflow 'Decide and Prepare for Assessment' if necessary.

SAP_BCV_USER
    System user role for the display of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to display a BCV side panel and the BCV configuration.

SAP_BCV_ADMIN
    System user role for the administration of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to administrate the BCV configuration.

SAP_EHSM_PRC_BI_EXTR
    System user role for the BI extraction. This role contains the authorization profiles needed to extract the compliance data for Product and Stewardship reporting in BI.

SAP_EHSM_PRC_EML_REC
    System user role for the e-mail recipient. This role contains the authorization profiles needed to receive and process e-mails.

5.4 Standard Authorization Objects

The tables below show the security-relevant authorization objects that are used by SAP EHS Management.

Standard Authorization Objects

EHFND_CHDC (Change Document)
    Field ACTVT (Activity): 03 (Display)
    Field BO_NAME (Business Object Name): EHFND_LOCATION (Location), EHHSS_INCIDENT (Incident), EHHSS_INCIDENT_ACTION (Incident Action), EHHSS_RISK_ASSESSMENT (Risk Assessment), EHHSS_RAS_ACTION (Risk Assessment Action), EHHSS_RISK (Risk), EHHSS_AGENT (Agent), EHHSS_JOB (Job), EHFND_DATA_AMOUNT (Amount), EHFND_DATA_SERIES (Data Series), EHFND_CHEMICAL (Chemical)

EHFND_LOC (Location)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), A3 (Change status)
    Field LOCAUTHGRP (Location Authorization Group)
    Field LOCBUSAREA (Business Area)
    Field LOCCOMP (Company Code)
    Field LOCCOST (Cost Center)
    Field LOCPLANT (Plant ID)
    Field LOCSTATUS (Location Status): 01 (New), 02 (Active), 03 (Inactive), 04 (Historic)
    Field LOCTYPE (Location Type)

EHFND_DCTR (Default Controls)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

S_PB_CHIP (Chips for side panel)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute). 03 and 16 are needed for displaying the information in the side panel.
    Field CHIP_NAME (Web Dynpro ABAP: CHIP ID):
        X-SAP-WDY-CHIP:EHFNDWDCHIP_LOC_STRUCT
        X-SAP-WDY-CHIP:EHHSSWDCHIP_ASSWRKF_LOC_LIST
        X-SAP-WDY-CHIP:EHHSSWDCHIP_INC_LOC_LIST
        X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC_LIST
        X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC
        X-SAP-WDY-CHIP:EHHSSUCWCHP_ASSWRKF
        X-SAP-WDY-CHIP:EHHSSUCWCHP_INC_LOC
        X-SAP-WDY-CHIP:EHHSSUCWCHP_APPRCHEM
        X-SAP-WDY-CHIP:EHFNDUCWCHP_EASYWORKLIST
        X-SAP-WDY-CHIP:EHFNDUCWCHP_LAUNCHPAD
        X-SAP-WDY-CHIP:FND_UI_CHM_SAFETY_INSTR_CHIP
        X-SAP-WDY-CHIP:BSSP_SW_FEEDS
        X-SAP-WDY-CHIP:BSSP_SW_ACTIVITIES
        X-SAP-WDY-CHIP:BSSP_NOTES
        X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_ALOC_VB_CHIP
        X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_APPR_LOC_CHIP
        X-SAP-WDY-CHIP:EHFND_UI_CHM_SAFETY_INSTR_CHIP
        X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP
        X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP_HEATMAP
        X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLPH

S_PB_PAGE (Configuration for side panel and home pages)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field CONFIG_ID (Configuration Identification): EHFND_LOC_OIF_SIDE_PANEL, EHFND_CHM_SIDE_PANEL, EHHSS_HAZSUBMGR_HOMEPAGE, EHHSS_HYGIENIST_HOMEPAGE, EHHSS_INC_MANAGER_HOMEPAGE, EHHSS_HSMGRCORP_HOMEPAGE, EHHSS_SMPLTECH_HOMEPAGE
    Field PERS_SCOPE (Web Dynpro: Personalization): 0 (No Personalization), 1 (User), 2 (View Handle), 4 (All), 5 (Configuration)

EHFND_DTS (Data Series)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field LOCAUTHGRP (Location Authorization Group)
    Field LOCBUSAREA (Business Area)
    Field LOCCOMP (Company Code)
    Field LOCPLANT (Plant ID)
    Field LOCSTATUS (Location Status): 01 (New), 02 (Active), 03 (Inactive), 04 (Historic)
    Field LOCTYPE (Location Type)

EHFND_WFT (Workflow Tools)
    Field ACTVT (Activity): 16 (Execute)
    Field TCD (Transaction Code): all transactions of the workflow tools

EHFND_WFF (Workflow and Processes)
    Field EHSM_COMP (Component of EHS Management): HSS (Health and Safety)
    Field PURPOSE (Process Purpose): process purpose (see Customizing activity Specify Process Definitions)
    Field EHSM_PVAR (Name of Process Variant): process variant (see Customizing activity Specify Process Definitions)
    Field EHSM_PCACT (Activity of Task or Process): CANCELPROC (Cancel Process)

EHFND_EXPP (Export Profile)
    Field ACTVT (Activity): 01 (Create, Generate)
    Field EHFND_EXPP (Configured Export Profile)

EHFND_CHM (Chemical)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_REGL (Regulatory List Content)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

The following table contains authorization objects that are relevant for SAP EHS Management if you integrate
the system with other SAP components.

Authorization Objects for Integration

P_ORGIN (HR: Master data)
    General settings: Display authorizations are required for specific infotypes.
    Further information: See Customizing for SAP EHS Management under Foundation for EHS Management → Integration → Human Resources Integration → Check Authorizations for Person Information.

P_ORGXX (HR: Master data - extended check)
    General settings: Activation of the check by this authorization object is required. P_ORGXX can be used in addition to or instead of the check by the authorization object HR: Master Data.

P_APPL (HR: Applicants)
    General settings: Display authorizations are required for specific infotypes.

B_BUPA_RLT (Business partner: BP roles)
    General settings: Authorizations are required for the following BP roles: CBIH10 - External person, HEA010 - Physician, HEA030 - Health center (hospital).

B_BUPA_FDG (Business partner: field groups)
    General settings: Special authorization check for individual field groups in the business partner dialog box.

5.4.1 Scenario Health and Safety

The authorization objects in the tables below are relevant for managing incidents, managing EHS risks, and managing chemicals in health and safety processes.

Authorization Objects for Incident Management

EHHSS_INC1 (Incident)
    Field ACCESS_LEV (Incident Access Level): 000 (Basic Information / Standard Data), 001 (Person Involved Access), 002 (Injury / Illness Access), 003 (Confidential Access), 004 (Date of Birth Access)
        For more information about creating and assigning access levels to tabs, see the Customizing activities under SAP EHS Management → Incident Management → General Information: Create Incident Access Levels and Assign Access Levels to Tabs.
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 60 (Import), C5 (Reopen)
        Note that the activity Reopen has been added with version 2.0. If you have already used this authorization object in version 1.0, you may want to update your roles with this additional activity.
    Field INC_CATEG (Incident Category): 001 (Incident), 002 (Near Miss), 003 (Safety Observation)
    Field INC_STATUS (Incident Record Status): '', 00 (Void), 01 (New), 02 (In Progress), 03 (Closed), 04 (Re-opened)
    Field ORGUNIT_ID (Organizational Unit ID)
    Field PLANT_ID (Plant ID)

EHHSS_INC2 (Incident Report)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field FORM_NAME (Form Name): all forms for reporting
    Field ORGUNIT_ID (Organizational Unit ID)
    Field PLANT_ID (Plant ID)

EHHSS_INC3 (Incident Group)
    Field ACTVT (Activity): 02 (Change), 03 (Display), 06 (Delete)
    Field NM_GROUP (Near Miss Group): EHHSS_NMG_UNS_ACTION (Unsafe action), EHHSS_NMG_UNS_COND (Unsafe condition), EHHSS_NMG_UNS_EQU (Unsafe equipment), EHHSS_NMG_UNS_USE_EQU (Unsafe use of equipment)
    Field SO_GROUP (Safety Observation Group): EHHSS_SOG_DOC_PROC_NF (Documented procedure not followed), EHHSS_SOG_FAIL_USE_PE (Failure to use personal protective equipment), EHHSS_SOG_HORSEPLAY (Horseplay), EHHSS_SOG_UNS_LIF_CAR (Unsafe lifting or carrying), EHHSS_SOG_UNS_USE_ETV (Unsafe use of equipment, tool or vehicle), EHHSS_SOG_UNS_USE_MAT (Unsafe use of material), EHHSS_SOG_USE_DEF_ETV (Use of defective equipment, tool or vehicle), EHHSS_SOG_USE_DEF_MAT (Use of defective material)
    Field INC_GROUP (Incident Group): EHHSS_IGR_DEVIATION (Deviation), EHHSS_IGR_NOT_OF_VIOL (Notice of Violation), EHHSS_IGR_OCC_INC (Injury/Illness), EHHSS_IGR_RELEASE (Release)
    Field INC_NO_GRP (Incident Category): 001 (Incident), 002 (Near miss), 003 (Safety observation)

EHHSS_INC5 (Incident by Location)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field LOCTYPE (Location Type): Business Unit, Equipment, Production Unit, Site, Work Center
    Field LOCSTATUS (Location Status): 01 (New), 02 (Active), 03 (Inactive), 04 (Historic)
    Field LOCAUTHGRP (Location Authorization Group): Unrestricted Access
    Field LOCPLANT (Plant ID)
    Field LOCCOST (Cost Center)
    Field LOCCOMP (Company Code)
    Field LOCBUSAREA (Business Area)
    Field LOCCOUNTRY (Country)
    Field LOCREGION (Region)

EHHSS_CLR (Allowance to Change Limits for Analytic Reports)
    Field ACTVT (Activity): 16 (Execute). The execute authorization is required to be able to maintain limits for analytical reporting. Only those users who have this authorization have an entry in the report launchpad that allows them to maintain the limits.

S_TABU_DIS
    Field DICBERCL (Authorization Group): EHMI (Incident), EHMF (Foundation)
    Field ACTVT (Activity)

S_PROGRAM
    Field P_GROUP (Authorization group ABAP/4 program): EHINCXML (XML reports), EHFNDPRG (Foundation program authorization), EHFNDWFT (Workflow tools), EHHSSINC (Incident management)
    Field P_ACTION (User action ABAP/4 program): SUBMIT

Authorization Objects for Risk Assessment

EHHSS_AGT (Agent)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_CTRL (Control Master Data)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_DSC (Dynamic Statement Creation in Control Master Data)
    Field EHFND_DSCC (Dynamic Statement Creation enabled fields): DSC_MAPPING_021

EHHSS_JOB (Job)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHHSS_PEP (Personal Exposure Profile)
    Field ACTVT (Activity): 03 (Display)
    Field PERSA (Personnel Area)
    Field BTRTL (Personnel Subarea)

EHHSS_RAS (Risk Assessment, Risks, Controls on Risks and Control Inspections)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), A8 (Process mass data)
    Field RAS_TYPE (Risk Assessment Type): EHHSS_RAT_ENV (Environment), EHHSS_RAT_HEA (Health), EHHSS_RAT_JHA (Job Hazard Analysis), EHHSS_RAT_SAF (Safety)
    Field LOCAUTHGRP (Location Authorization Group)
    Field LOCPLANT (Plant ID)
    Field LOCCOST (Cost Center)
    Field LOCCOMP (Company Code)
    Field LOCBUSAREA (Business Area)

EHHSS_RASP (Proposal of Health Surveillance Protocol in Risk Assessment)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field HSP_TYPE (Health Surveillance Protocol Type)

EHHSS_HSP (Health Surveillance Protocol Master Data)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field HSP_TYPE (Health Surveillance Protocol Type)
    Field COUNTRY (Country Key)
    Field REGIO (Region: State, Province, County)

S_TABU_DIS
    Field DICBERCL (Authorization Group): EHMR (Risk Assessment)

S_PROGRAM
    Field P_GROUP (Authorization group ABAP/4 program): EHFNDPRG (Foundation program authorization), EHFNDWFT (Workflow tools), EHHSSRAS (Risk Assessment)
    Field P_ACTION (User action ABAP/4 program): SUBMIT

Authorization Objects for Chemicals for Health and Safety Processes

EHFND_CHM (Chemical)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_CHA (Chemical Approval)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_DCTR (Default Controls)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_DSC (Dynamic Statement Creation)
    Field EHFND_DSCC (Dynamic Statement Creation): DSC_MAPPING_000, DSC_MAPPING_001, DSC_MAPPING_002, DSC_MAPPING_003, DSC_MAPPING_004, DSC_MAPPING_005, DSC_MAPPING_006, DSC_MAPPING_007, DSC_MAPPING_008, DSC_MAPPING_009, DSC_MAPPING_010, DSC_MAPPING_011, DSC_MAPPING_012, DSC_MAPPING_013, DSC_MAPPING_014, DSC_MAPPING_015, DSC_MAPPING_016, DSC_MAPPING_017, DSC_MAPPING_018, DSC_MAPPING_019, DSC_MAPPING_020, DSC_MAPPING_021

EHFND_RCH (Request Chemical)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete). 01 and 02 are needed for using the service "request chemical approval".

EHFND_VEN (Vendor)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHHSS_SI (Safety Instruction)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

EHFND_SPL (Sample Management)
    Field ACTVT (Activity): 03 (Display), 16 (Execute), 23 (Maintain)
    Field EHSM_COMP (Component of EHS Management)
    Field LOCAUTHGRP (Location Authorization Group)
    Field LOCPLANT (Plant ID)
    Field LOCCOST (Cost Center)
    Field LOCCOMP (Company Code)
    Field LOCBUSAREA (Business Area)

EHFND_SPLM (Sampling Method)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)

S_TABU_DIS
    Field DICBERCL (Authorization Group): EHMR (Risk Assessment)

S_PROGRAM
    Field P_GROUP (Authorization group ABAP/4 program): EHFNDPRG (Foundation program authorization), EHFNDWFT (Workflow tools), EHHSSRAS (Risk Assessment)
    Field P_ACTION (User action ABAP/4 program): SUBMIT

In addition to the authorization objects in the table above, the standard authorization objects in section 5.4 are also relevant for managing chemicals in health and safety processes.

5.4.2 Scenario Environment Management

The authorization objects in the table below are relevant for managing emissions.

Authorization Objects for Environment Management

EHFND_REQ
    Field ACTVT (Activity): 03 (Display), 23 (Maintain)
    Field REQDOMAIN (Compliance Requirement Domain)
    Field LOCCOUNTRY (Country)
    Field LOCREGION (Region)

EHENV_SCEN
    Field ACTVT (Activity): 03 (Display), 23 (Maintain), 76 (Enter)
    Field LOCTYPE (Location Type)
    Field LOCSTATUS (Location Status)
    Field LOCAUTHGRP (Location Authorization Group)
    Field LOCPLANT (Plant ID)
    Field LOCCOST (Cost Center)
    Field LOCCOMP (Company Code)
    Field LOCBUSAREA (Business Area)
    Field LOCCOUNTRY (Country)
    Field LOCREGION (Region)

S_PB_CHIP
    Field CHIP_NAME (Web Dynpro ABAP: CHIP ID): X-SAP-WDY-CHIP:EHENV_CHIP_ENTER_VALUES, X-SAP-WDY-CHIP:EHENVUCWCHP_ISSUESWORKLIST

5.4.3 Scenario Product Compliance

The authorization objects in the table below are relevant for managing product compliance.

Authorization Objects for Product Compliance

EHPRC_CMWL (Compliance Management Worklist (CMWL))
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field WL_CAT (Worklist Category): REG_CHG (Follow-Up Regulatory Change)

EHPRC_CPM (RCS: Campaign Usage)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display)

EHPRC_OLM1 (RCS: Object List Usage)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display)
    Field EHPRC_OLGR (Object List Group): see IMG activity Specify Object List Groups under SAP EHS Management → Product Compliance → General Configuration

EHPRC_CDO (RCS: Authorization Object for Compliance Object)
    Field ACTVT (Activity): 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete)
    Field REQ (Compliance Requirement (Check))
    Field REV_STATUS (Compliance Data Revision Status)
    Field CDCATEGORY (Compliance Data Category)

S_PB_CHIP (ABAP Page Builder: CHIP)
    Field ACTVT (Activity): 03 (Display), 16 (Execute). Needed for displaying information on the side panel.
    Field CHIP_NAME (Web Dynpro ABAP: CHIP ID): X-SAP-WDY-CHIP:/BCV/CHIP*, X-SAP-WDY-CHIP:EHPRC_CW_BCV_CHIP1, EHPRCWDCHIP_SPBN

S_PB_PAGE (ABAP Page Builder: Page Configuration)
    Field ACTVT (Activity): 03 (Display). Needed for displaying information on the side panel.
    Field CONFIG_ID (Configuration Identification): /BCV/SIDEPANEL
    Field PERS_SCOPE (Web Dynpro: Personalization): 1 (User)

BCV_SPANEL (Execute Side Panel)
    Field ACTVT (Activity): 16 (Execute). Needed for displaying information on the side panel.
    Field BCV_CTXKEY (Context Key): EHPRC_COMPL_DATA

BCV_USAGE (Business Context Viewer usage)
    Field ACTVT (Activity): US (Use). Needed for displaying information on the side panel.

BCV_QRYVW (Query View)
    Field ACTVT (Activity): 03 (Display). Needed for displaying information on the side panel.
    Field BCV_CTXKEY (Context Key): EHPRC_COMPL_DATA
    Field BCV_QRYVID (ID of Query View)

BCV_QUERY (Query)
    Field ACTVT (Activity): 03 (Display). Needed for displaying information on the side panel.
    Field BCV_CTXKEY (Context Key): EHPRC_COMPL_DATA
    Field BCV_QRY_ID (Query ID)

BCV_QUILST (Overview)
    Field ACTVT (Activity): 03 (Display). Needed for displaying information on the side panel.
    Field BCV_CTXKEY (Context Key): EHPRC_COMPL_DATA
    Field BCV_QUIKID (ID of Overview)

5.5 Critical Combinations

The EHFND_WFT authorization object activates buttons in the BI dashboard Process Dashboard that start an object-based navigation to the workflow tools. The navigation targets are only delivered with the standard role SAP_EHSM_PROCESS_ADMIN. In consequence, this authorization must not be assigned to any users apart from those who are assigned the SAP_EHSM_PROCESS_ADMIN role.
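Three of the requirements in this chapter reduce to the content of PFCG roles and can be audited from exported role data: the EHHSS_INC1 access levels and the Reopen (C5) activity that version 1.0 roles may still lack (section 5.4.1), the S_RFC and EHENV_SCEN authorizations of the EM-BATCH user (section 5.3.2), and the critical combination above (EHFND_WFT outside SAP_EHSM_PROCESS_ADMIN). The following Python is an added example and not SAP code. The roles, users and field values in it are constructed, the restriction of locations through the LOCAUTHGRP field is an assumption, and the matching is a simplification of the real AUTHORITY-CHECK (exact values and the '*' wildcard only, no ranges or patterns).

```python
"""Added example, not SAP code: a simplified model of PFCG role authorizations
used to audit three points of the security guide against exported role data:
  * EHHSS_INC1 tab access (section 5.4.1), including the C5 (Reopen) activity
    that roles created for version 1.0 may still lack;
  * the EM-BATCH service user (section 5.3.2), which needs S_RFC with activity
    16 and EHENV_SCEN with activity 23 for the locations it writes to;
  * the critical combination of section 5.5: EHFND_WFT granted outside
    SAP_EHSM_PROCESS_ADMIN.
All role and user data below is constructed. Matching is simplified to exact
values and the '*' wildcard; the real check also supports ranges and patterns.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "EHENV_SCEN"
    fields: dict  # field name -> set of permitted values ("*" permits all)


@dataclass
class Role:
    name: str
    auths: list = field(default_factory=list)


def value_permitted(allowed: set, value: str) -> bool:
    """'*' permits every value; otherwise the value must be listed explicitly."""
    return "*" in allowed or value in allowed


def has_authorization(roles, obj: str, required: dict) -> bool:
    """True if one authorization instance in one of the roles grants every
    required field value at once: fields are ANDed within an instance and
    instances are ORed, which is how an ABAP AUTHORITY-CHECK evaluates them."""
    return any(
        auth.obj == obj
        and all(value_permitted(auth.fields.get(f, set()), v) for f, v in required.items())
        for role in roles
        for auth in role.auths
    )


def incident_tab_allowed(roles, activity: str, access_level: str, status: str) -> bool:
    """EHHSS_INC1 check for one incident tab: the activity, the tab's access
    level and the record status must all be granted by a single instance."""
    return has_authorization(roles, "EHHSS_INC1",
                             {"ACTVT": activity, "ACCESS_LEV": access_level, "INC_STATUS": status})


def audit_em_batch_user(roles, location_groups) -> list:
    """Return the authorizations the EM-BATCH user is missing (empty if complete).
    Assumption of this example: locations are restricted through LOCAUTHGRP."""
    missing = []
    if not has_authorization(roles, "S_RFC", {"ACTVT": "16"}):
        missing.append("S_RFC ACTVT 16")
    for grp in location_groups:
        if not has_authorization(roles, "EHENV_SCEN", {"ACTVT": "23", "LOCAUTHGRP": grp}):
            missing.append(f"EHENV_SCEN ACTVT 23 for LOCAUTHGRP {grp}")
    return missing


def roles_granting_wft(all_roles) -> list:
    """Roles other than SAP_EHSM_PROCESS_ADMIN that grant EHFND_WFT execute."""
    return sorted(r.name for r in all_roles
                  if r.name != "SAP_EHSM_PROCESS_ADMIN"
                  and has_authorization([r], "EHFND_WFT", {"ACTVT": "16"}))


# Constructed role data (field values are illustrative, not delivered SAP content).
Z_INCIDENT_MANAGER_V1 = Role("Z_EHSM_INCIDENT_MANAGER", [  # built on version 1.0, no C5 yet
    Authorization("EHHSS_INC1", {"ACTVT": {"01", "02", "03", "06"},
                                 "ACCESS_LEV": {"000", "001", "002"},
                                 "INC_STATUS": {"*"}}),
])
Z_EM_BATCH_ENV = Role("Z_EHSM_ENVMGR_EMBATCH", [  # derived from SAP_EHSM_HSS_ENVMGR
    Authorization("EHENV_SCEN", {"ACTVT": {"03", "23"}, "LOCAUTHGRP": {"PLANT_A"}}),
])
WFM_SERV_USER = Role("SAP_BC_BMT_WFM_SERV_USER", [
    Authorization("S_RFC", {"ACTVT": {"16"}, "RFC_TYPE": {"*"}, "RFC_NAME": {"*"}}),
])
PROCESS_ADMIN = Role("SAP_EHSM_PROCESS_ADMIN", [
    Authorization("EHFND_WFT", {"ACTVT": {"16"}, "TCD": {"*"}}),
])
Z_ANALYTICS_COPY = Role("Z_EHSM_BW_ANALYTICS", [  # a custom role that wrongly kept EHFND_WFT
    Authorization("EHFND_WFT", {"ACTVT": {"16"}, "TCD": {"*"}}),
])

if __name__ == "__main__":
    print(incident_tab_allowed([Z_INCIDENT_MANAGER_V1], "03", "003", "02"))  # confidential tab
    print(incident_tab_allowed([Z_INCIDENT_MANAGER_V1], "C5", "000", "03"))  # Reopen not granted
    print(audit_em_batch_user([Z_EM_BATCH_ENV], ["PLANT_A", "PLANT_B"]))
    print(roles_granting_wft([PROCESS_ADMIN, Z_ANALYTICS_COPY, WFM_SERV_USER]))
```

In a real landscape the role content would come from the PFCG role export or the SUIM reports rather than from literals; the point of the model is that every check is expressed as a set of field values that one authorization instance must grant together, which is also why a role copied from SAP_EHSM_MASTER without removing EHFND_WFT shows up in the last check.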

5.6 Creating Custom Roles

The SAP EHS Management roles that are delivered contain specific configuration such as object-based
navigation (OBN). In consequence, customizing these roles has a certain level of complexity. Custom roles can
easily be created as follows without losing their specific configuration:

1. Create your custom PFCG role.
2. Copy the menu structure from the SAP_EHSM_MASTER role or the others that are delivered.
3. Generate the authorization profile.
4. Assign the custom role to end users.

6 Session Security Protection

6.1 Introduction

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.

6.2 Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the client(s) using the transaction SICF_SESSIONS.

For more information, a list of the relevant profile parameters, and detailed instructions, see http://help.sap.com under SAP Business Suite → Special Topics → HTTP Session Security Protection → Activating HTTP Security Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.

6.3 Session Security Protection on the AS Java

On the AS Java, set the HTTP Provider properties as described on http://help.sap.com under Technology →
Administration → Application management → Web Container → HTTP Provider Service.

7 Network and Communication Security

7.1 Introduction

Your network infrastructure is extremely important in protecting your system. Your network needs to support
the communication necessary for your business needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system
level and application level) or network attacks such as eavesdropping. If users cannot log on to your application
or database servers at the operating system or database layer, intruders have no direct route to
compromise the machines and gain access to the backend system's database or files. Additionally, if users are
not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security
holes in network services on the server machines.

The network topology for SAP EHS Management is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to SAP EHS Management. Details that specifically apply to SAP EHS Management are
described in the following topics:

● Communication Channel Security
This topic describes the communication paths and protocols used by SAP EHS Management.
● Network Security
This topic describes the recommended network topology for SAP EHS Management. It shows the
appropriate network segments for the various client and server components and where to use firewalls for
access protection. It also includes a list of the ports needed to operate SAP EHS Management.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which
users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security [SAP Library]
● Security Guides for Connectivity and Interoperability Technologies [SAP Library]

7.2 Communication Channel Security

The table below shows the communication channels used by SAP EHS Management, the protocol used for each
connection, and the type of data transferred.

Communication Data Paths and Protocols

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
NetWeaver Business Client to SAP EHS Management application server | RFC | PFCG roles including their menu structure |
NetWeaver Business Client to SAP EHS Management application server | HTTPS | User interfaces in Web Dynpro ABAP, POWL, Report Launchpad |
Web browser to SAP EHS Management application server | HTTPS | User interfaces in Web Dynpro ABAP, POWL, Report Launchpad |
Web browser to SAP EHS Management application server | HTTPS | Transactions of SAP EHS Management Workflow Tools if SAP GUI for HTML is used |
Frontend client using SAP GUI for Windows in NetWeaver Business Client to SAP EHS Management application server | DIAG | Transactions of SAP EHS Management Workflow Tools |
NetWeaver Business Client to BI system | HTTPS | BI queries |
Web browser to BI system | HTTPS | BI queries |
Adobe Flash Player to BI system | HTTPS | BI dashboards |
Forms Processing using Adobe Document Service | HTTPS to Adobe Document Service | XML content of the forms | Standard ADS setup required
E-mail inbound handling | SMTP | Inbound e-mail with interactive form as attachment | Standard setup for inbound e-mail
E-mail outbound processing (standard Business Communication Service [BCS] used) | | Outbound e-mail with interactive form as attachment | Standard setup for BCS
RFC connection to IMDS system | RFC | IMDS data, MDS files, request files, result files |
SAP Product Stewardship Network (integration of an on-demand solution for product compliance) | Web service consumption based on SOAP | Compliance data from SAP Product Stewardship Network |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP
connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected
with Web services security.

Recommendation

We strongly recommend using secure protocols (SSL/TLS, SNC) whenever possible.

Caution

1. We recommend using the same protocol – either HTTP or HTTPS – consistently in all communication
channels. This means all the deployed objects have to be configured in exactly the same way regarding
HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based
communication between the single layers.
2. We strongly recommend using the protocol HTTPS instead of HTTP on the communication channels to
protect the transferred data against unauthorized access.
3. We strongly recommend activating Secure Network Communication (SNC) for the non-HTTP
communication channels to protect the transferred data against unauthorized access.

For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security
Guide on SAP Help Portal at http://help.sap.com/nw.
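The profile parameters behind section 6.2 (secure session management) and the three cautions above (HTTPS-only ICM ports, SNC for DIAG and RFC) can be audited before a system goes live. The following script is an added example written for this guide, not SAP code and not taken from the guide itself: it parses the `name = value` text of a DEFAULT.PFL or instance profile and reports settings that leave the logon ticket and session cookies exposed or leave HTTP, RFC and DIAG traffic unprotected. The parameter names are standard SAP profile parameters; the session-timeout threshold and the sample profile are this example's assumptions. Per-client activation of session security in SICF_SESSIONS is a table setting and does not appear in a profile, so it is not covered here.

```python
"""Audit an SAP AS ABAP profile for the session and transport settings
recommended in sections 6.2 and 7.2 of the guide.

Added example, not part of the SAP security guide or of SAP tooling. The
parameter names are standard SAP profile parameters; MAX_SESSION_TIMEOUT and
the sample profile are assumptions made for this example.
"""
import re

# Upper bound for http/security_session_timeout accepted by this audit (assumption).
MAX_SESSION_TIMEOUT = 3600

# Constructed sample profile mixing hardened and weak settings (not a real system).
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = EHS
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
http/security_session_timeout = 7200
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
snc/enable = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/data_protection/min = 2
"""


def parse_profile(text):
    """Return {parameter: value}; '#' comments are ignored and later lines win."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        # Split on the first '=' only: ICM port values themselves contain '='.
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def icm_protocol(value):
    """Extract PROT=... from an icm/server_port_<n> value such as 'PROT=HTTP,PORT=8000'."""
    for item in value.split(","):
        key, _, val = item.partition("=")
        if key.strip().upper() == "PROT":
            return val.strip().upper()
    return ""


def audit_profile(params):
    """Return a list of (parameter, finding) pairs; an empty list means no findings."""
    findings = []

    def expect(name, is_ok, want):
        value = params.get(name)
        if value is None:
            findings.append((name, "not set (recommended: %s)" % want))
        elif not is_ok(value):
            findings.append((name, "is %s (recommended: %s)" % (value, want)))

    # Section 6: protect the logon ticket and the security session cookie.
    expect("login/ticket_only_by_https", lambda v: v == "1",
           "1, send the logon ticket cookie only over HTTPS")
    expect("icf/set_HTTPonly_flag_on_cookies", lambda v: v == "0",
           "0, set HttpOnly on all cookies so browser scripts cannot read them")
    expect("http/security_session_timeout",
           lambda v: v.isdigit() and int(v) <= MAX_SESSION_TIMEOUT,
           "at most %d seconds" % MAX_SESSION_TIMEOUT)

    # Section 7.2, cautions 1 and 2: every ICM port should be HTTPS, not plain HTTP.
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name) and icm_protocol(value) == "HTTP":
            findings.append((name, "is %s (plain HTTP port; use PROT=HTTPS)" % value))

    # Section 7.2, caution 3: SNC for DIAG and RFC, with no unprotected fallback.
    expect("snc/enable", lambda v: v == "1", "1, enable SNC")
    expect("snc/accept_insecure_gui", lambda v: v == "0", "0, reject SAP GUI logons without SNC")
    expect("snc/accept_insecure_rfc", lambda v: v == "0", "0, reject RFC calls without SNC")
    expect("snc/data_protection/min", lambda v: v == "3", "3, require privacy protection (encryption)")
    return findings


if __name__ == "__main__":
    for parameter, finding in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print("%-36s %s" % (parameter, finding))
```

Run against the constructed profile, the audit reports six findings (the HTTP-only ticket setting, the missing HttpOnly flag, the long session timeout, the plain-HTTP ICM port, the SAP GUI logons accepted without SNC, and the integrity-only SNC protection level) and nothing for the hardened parameters. Treat the output as a review list: the correct values for your landscape come from the NetWeaver documentation referenced above, not from this script.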

7.2.1 Secure Offline Communication with SAP Interactive Forms by Adobe

The inquiry forms used in incident management can contain sensitive and confidential data. These forms are
sent via e-mail, for example, to an external party (such as a doctor or expert) that is unknown within the system
and has no system account. To protect this data from unauthorized users, encryption becomes necessary. The
data to be encrypted is the e-mail text, the PDF data, or both.

If you do not already use an encryption function, you can configure SAPconnect to send e-mails via a secure e-
mail gateway application that is capable of encrypting outbound and inbound e-mails. For more information,
see SAP Help Portal for SAP NetWeaver under SAP NetWeaver 7.0 (2004s) → SAP NetWeaver Library →
Administrator's Guide → Technical Operations Manual for SAP NetWeaver → Administration of SAP NetWeaver
Systems → AS ABAP (Application Server for ABAP) → Administration → SAPconnect Communication Interface.
Note that in SAPconnect Communication Interface under More Information, you can find general information
about SAPconnect.

SAP EHS Management is not delivered with third-party components.

7.3 Network Security

SAP EHS Management is designed to run in the LAN network segment by default. Running SAP EHS
Management in multiple network segments is supported with the options provided by SAP NetWeaver AS
ABAP and SAP NetWeaver AS Java.

SAP EHS Management strictly uses the default services and ports of SAP NetWeaver AS ABAP and SAP
NetWeaver AS Java for the communication channels. For more information about the services and ports used
by SAP NetWeaver, see the topics in the SAP Help Portal under Technology → SAP NetWeaver Platform → 7.0
EHP3 in the SAP NetWeaver Security Guide.

SAP EHS Management requires the Adobe Document Service (ADS) and e-mail processing. There are no
further requirements for the default setup.

7.4 Ports

SAP EHS Management runs on SAP NetWeaver and uses the ports of the AS ABAP or AS Java. For more
information, see SAP Help Portal, the topics under SAP NetWeaver Platform → 7.0 EHP3 for AS ABAP Ports [SAP
Library] and AS Java Ports [SAP Library] in the corresponding SAP NetWeaver Security Guides. For other
components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP
Ports Used by SAP Applications, which is located on SAP Developer Network at http://scn.sap.com/
community/security under Infrastructure Security → Network and Communications Security.

7.5 Communication Destinations

The table below shows an overview of the communication destinations used by SAP EHS Management.

Connection Destinations

Destination | Delivered | Type | User, Authorizations | Description
<HR system> | No | RFC | HR authorizations of all standard SAP EHS Management user roles | Connection to HR client
<PM system> | No | RFC | PM authorizations of all standard SAP EHS Management user roles | Connection to PM client
<CS system> | No | RFC | CS authorizations of all standard SAP EHS Management user roles | Connection to CS client
<QM system> | No | RFC | QM authorizations of all standard SAP EHS Management user roles | Connection to QM client
<BuPa system> | No | RFC | BuPa authorizations of all standard SAP EHS Management user roles | Connection to business partner client
<AC system> | No | RFC | AC authorizations of all standard SAP EHS Management user roles | Connection to AC client
<GRC system> | No | RFC | SAP EHS Management does not provide GRC authorizations | Connection to GRC client
<MOC system> | No | RFC (3, H) (ABAP/3- and HTTP/H-connection) | SAP EHS Management does not provide MOC authorizations | Connection to MOC client
<EHS system> | No | RFC | SAP EHS Management provides authorization proposals for Occupational Health in SAP EHS Management as part of SAP ERP | Connection to client for SAP EHS Management as part of SAP ERP

For more information about GRC authorizations, see the SAP BusinessObjects Governance, Risk, and
Compliance (GRC) Security Guide.

For detailed information about communication destinations, see Customizing for SAP EHS Management under
Foundation for EHS Management Integration Specify Destinations for Integration .

For communication details, see also the SAP Interactive Forms Solution Security Guides and the standard
setup of SAP Business Workflow.

8 Internet Communication Framework Security for Health and Safety

You should only activate those services that are needed for the applications running in your system.

Use the transaction SICF to activate these services.

● For the services that are relevant for the back-end system of Component extension 6.0 for SAP
Environment, Health, and Safety Management, see SAP Note 2133413.
● For the services that are relevant for the front-end system of Component extension 6.0 for SAP
Environment, Health, and Safety Management, activate the following UI5 services under
/default_host/sap/bc/ui5_ui5/sap/:
○ ehs_ctl_inspect (Inspect Safety Controls)
○ ehs_safety_info (Retrieve Safety Information)
○ repincidentsoh (Report Incident)
These apps are delivered with SAP Fiori 2.0 for SAP EHS Management.

If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
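The rule above (activate only what is needed, and keep the URL filter in step with it) is easy to drift from over the life of a system. The following script is an added example for this guide, not SAP code: it compares a dump of ICF nodes against the three front-end services listed above and produces the list of required nodes still inactive, the active nodes outside that allowlist that should be reviewed, and the URL paths to allow in a URL-filtering firewall. The dump format (`<path> <ACTIVE|INACTIVE>`, one node per line, as you might export from SICF) and all paths other than the three required services are constructed for illustration.

```python
"""Review the active ICF services of an SAP EHS Management front-end system
against the UI5 services the guide lists as needed.

Added example, not part of the SAP security guide or of SAP tooling. The dump
format and every path except the three required services are assumptions
made for this example.
"""

ICF_BASE = "/default_host/sap/bc/ui5_ui5/sap/"
REQUIRED_SERVICES = ("ehs_ctl_inspect", "ehs_safety_info", "repincidentsoh")

# Constructed sample: SICF node paths with their activation state.
SAMPLE_ICF_DUMP = """\
/default_host/sap/bc/ui5_ui5/sap/ehs_ctl_inspect ACTIVE
/default_host/sap/bc/ui5_ui5/sap/EHS_SAFETY_INFO/ ACTIVE
/default_host/sap/bc/ui5_ui5/sap/repincidentsoh INACTIVE
/default_host/sap/bc/ui5_ui5/sap/zlegacy_demo ACTIVE
/default_host/sap/bc/gui/sap/its/webgui ACTIVE
/default_host/sap/public/bc/ur INACTIVE
"""


def normalize(path):
    """Canonical node path: compare case-insensitively and ignore trailing slashes."""
    return "/" + path.strip().strip("/").lower()


def parse_icf_dump(text):
    """Return {normalized path: True if ACTIVE} from the dump format above."""
    nodes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, state = line.rsplit(None, 1)
        nodes[normalize(path)] = state.upper() == "ACTIVE"
    return nodes


def review_icf_services(nodes, base=ICF_BASE, required=REQUIRED_SERVICES):
    """Compare the active nodes with the allowlist of required services.

    Returns a dict with:
      to_activate    required services that are missing or inactive
      review         active services outside the allowlist; deactivate them unless
                     another application running in the system needs them
      firewall_urls  URL paths of the required services for URL-filtering firewalls
                     (the leading virtual-host segment is not part of the URL)
    """
    required_paths = {normalize(base + service) for service in required}
    return {
        "to_activate": sorted(p for p in required_paths if not nodes.get(p, False)),
        "review": sorted(p for p, active in nodes.items() if active and p not in required_paths),
        "firewall_urls": sorted("/" + p.split("/", 2)[2] for p in required_paths),
    }


if __name__ == "__main__":
    result = review_icf_services(parse_icf_dump(SAMPLE_ICF_DUMP))
    for key, paths in result.items():
        print(key)
        for path in paths:
            print("   ", path)
```

On the constructed dump, the script reports repincidentsoh as still inactive, flags the webgui node and the made-up zlegacy_demo node for review, and emits the three `/sap/bc/ui5_ui5/sap/...` URL paths for the firewall. Nodes in the review list are not necessarily wrong (the SAP GUI for HTML transaction path, for instance, is needed whenever the workflow tools are used in the browser); the point is that each active node outside the allowlist has a documented reason.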

For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library on SAP Help
Portal at http://help.sap.com/nw75.

For more information about ICF security, see the RFC/ICF Security Guide in the SAP NetWeaver Library on SAP
Help Portal at http://help.sap.com/nw75.

9 Data Storage Security

SAP EHS Management does not store any data itself beyond the data that is stored by the infrastructure used
on SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java.

The data storage security of SAP NetWeaver and components installed on that base is described in the SAP
NetWeaver 7.0 Security Guide.

All business data in SAP EHS Management is stored in the system database. This business data is protected by
the authorization concept of SAP NetWeaver and SAP EHS Management. In some special cases, business-
relevant data is stored in another location such as a file system. The special cases are listed below:

Whitelists

Depending on the technology you are using, you may encounter security issues when trying to display links
that are not explicitly added to the whitelist. For more information about defining whitelist entries, see the SAP
NetWeaver documentation at help.sap.com → SAP NetWeaver Business Client 7 → Security Aspects → 7.8
Whitelist.

XML-Export Interface for Non-BW Analytics

The XML-Export Interface for non-BW Analytics exports XML data to the application server on the following
logical directory/file name:

XML-Export Interface

Component | Logical Directory / File Name
Incident Management | EHHSS_BO_XML_EXPORT_PATH / EHHSS_INCIDENTS_XML

You can set the physical location using transaction FILE. The exported XML file can be downloaded from the
application server. The directories used for the export on the application server and for the file download need
to be protected against unauthorized third-party access, since the export file may contain person-related or
otherwise confidential information.

Knowledge Management

SAP EHS Management uses standard SAP NetWeaver technology for uploading and downloading documents
(such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). These documents
are checked into the defined storage system (content repository) using the Knowledge Provider (KPro).

For more information about security with regard to Knowledge Management, see the SAP Knowledge
Management Security Guides.

10 Data Protection

10.1 Introduction

Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data privacy acts, it is necessary to consider compliance with industry-specific
legislation in different countries. This section describes the specific features and functions that SAP EHS
Management provides to support compliance with the relevant legal requirements and data privacy.

Note

In SAP EHS Management, you can enter any data in free text fields and you can upload attachments
containing personal data. Free text fields are meant for entering comments, recommendations, or other
business-related information. They are not meant to contain any personal data and, therefore, are not
considered in any recording, logging, blocking, or deletion that can be performed for fields containing
personal data.

This section and any other sections in this Security Guide do not give any advice on whether these features and
functions are the best method to support company, industry, regional or country-specific requirements.
Furthermore, this guide does not give any advice or recommendations with regard to additional features that
would be required in a particular environment; decisions related to data protection must be made on a case-by-
case basis and under consideration of the given system landscape and the applicable legal requirements.

Note

In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports
data privacy by providing security features and specific data-protection-relevant functions such as
functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any
form. The definitions and other terms used in this guide are not taken from any given legal source.

10.2 Glossary

Relevant Terms for Data Protection and Privacy

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed
for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific
purpose and shows if a data subject has granted, withdrawn, or denied consent.

Deletion: The irreversible destruction of personal data.

End of purpose (EoP): A method of identifying the point in time for a data set when the processing of personal
data is no longer required for the primary business purpose. After the EoP has been reached, the data is
blocked and can only be accessed by users with special authorization (for example, tax auditors).

Personal data: Any information relating to an identified or identifiable natural person ("data subject"). An
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that
natural person.

Purpose: A legal, contractual, or in other form justified reason for the processing of personal data. The
assumption is that any purpose has an end that is usually already defined when the purpose starts.

Residence period: The period of time between the end of business and the end of purpose (EoP) for a data set
during which the data remains in the database and can be used in case of subsequent processes related to
the original purpose. At the end of the longest configured residence period, the data is blocked or deleted.
The residence period is part of the overall retention period.

Retention period: The period of time between the end of the last business activity involving a specific object
(for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The
retention period is a combination of the residence period and the blocking period.

Sensitive personal data: A category of personal data that usually includes the following types of information:
● Special categories of personal data, such as data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning
health or sex life or sexual orientation, or personal data concerning bank and credit accounts.
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative offenses
● Personal data concerning insurances and bank or credit card accounts

Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of
business partner data. An application's where-used check (WUC) determines if there is any dependent data
for a certain business partner in the database. If dependent data exists, this means the data is still required
for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

10.3 Technical and Organizational Measures to Ensure Data Protection

Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs in the
component extension 6.0 for SAP EHS Management:

● Access control: Authentication features as described in section User Administration and Authentication.
● Authorizations: Authorization concept as described in section Authorizations
● Communication security: as described in section Network and Communication Security
● Availability controls as described in:
○ Section Data Storage Security
○ SAP NetWeaver Database Administration documentation
○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-
Oriented View → Solution Life Cycle Management → SAP Business Continuity
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of
the authorization concept.

Caution

The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.

10.4 Deletion of Personal Data

When handling personal data, it is necessary to comply with general data protection regulations and industry-
specific legislation in different countries. A typical requirement in certain countries and regulations is that
personal data shall no longer be handled after the specified, explicit, and legitimate purpose of the processing
of personal data has ended. Data that has reached its end of purpose (EoP) must be deleted if no other
retention periods are specified in legislation, such as retention periods for occupational health documents. If
there are legal requirements to retain personal data after the end of purpose, this data needs to be blocked.
Blocked data is retained in the database, but only persons with special authorizations can view it.

To enable complex scenarios, SAP simplifies the existing deletion functionality to cover data objects that are
personal data by default. For this purpose, SAP uses SAP Information Lifecycle Management (ILM) to help you
set up a compliant information lifecycle management process in an efficient and flexible manner. The SAP
Information Lifecycle Management component supports the entire software lifecycle, including the storage,
retention, blocking, and deletion of data.

All applications register either an EoP check in the Customizing settings for the blocking and deletion of
application data, such as the customer and vendor master or the business partner, or a where-used check
(WUC). Component extension for SAP EHS Management delivers end of purpose (EoP) checks and uses SAP
ILM to support the deletion of personal data as described in the following sections.

Application Objects and Available Deletion Functionality

The following tables list the relevant application objects and the available deletion functionality for Incident
Management, Risk Assessment, and Environment Management.

For more information about application objects and deletion functionality in component extension for SAP EHS
Management, see the product assistance on the SAP Help Portal at http://help.sap.com/ehs-com. Open the
Application Help and go to:

● Incident Management → Technical Solution Information → Data Archiving in Incident Management
● Risk Assessment → Technical Solution Information → Data Archiving in Risk Assessment
● Environment Management → Technical Solution Information → Data Archiving in Environment Management
● Product Compliance → Technical Information → Data Archiving in Product Compliance

Application Objects and Available Deletion Functionality in Incident Management

Application Object | Provided Deletion Functionality
Incidents | Archiving object EHHSS_INC
Incident Summary Reports | Archiving object EHHSS_ISR

Application Objects and Available Deletion Functionality in Risk Assessment

Application Object | Provided Deletion Functionality
Risk Revisions | Archiving object EHHSS_RSV
Risks | Archiving object EHHSS_RSK
Risk Assessments | Archiving object EHHSS_RAS
Safety Instructions | Archiving object EHHSS_SI
Control Evaluations | Archiving object EHHSS_CEVL
Control Inspections | Archiving object EHHSS_CINS
Control Replacements | Archiving object EHHSS_CRPL
Sampling Campaigns | Archiving object EHHSS_SPLC
Samplings | Archiving object EHFND_SPLG
Chemical Approvals | Archiving object EHFND_CHA
Assignment of Person to Locations | Archiving object EHFND_LOCP
Assignment of Person to Jobs | Archiving object EHFND_JOBP
Sampled Persons | Data destruction object EHFND_SPLP

Application Objects and Available Deletion Functionality in Environment Management

Application Object | Provided Deletion Functionality
Compliance Scenario Actions | Archiving object EHENV_SAC

Application Objects and Available Deletion Functionality in Product Compliance

Application Object | Provided Deletion Functionality
Worklists for compliance assessment | Archiving object EHPRC_WLCA
Worklists for regulatory changes | Archiving object EHPRC_WLRC
International Material Data Sheets (IMDS) | Archiving object EHPRC_MDS
Compliance data records | Archiving object EHPRC_COD
Campaigns | Archiving object EHPRC_CMP
E-mail assignments | Archiving object EHPRC_PSA
Assessments and BOM transfers | Archiving object EHPRC_PBB

Deletion Report and Job Dependencies

Product Compliance provides the deletion report R_EHPRC_DPP_CLEANUP which verifies if any CDOs that are
marked as end of business are used in any composition or supplier listing. If this is the case, it changes the
lifecycle status to active which prevents the CDO from being archived.

End of Purpose (EoP) Check

An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases:

● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.

The following end of purpose checks are available for component extension for SAP EHS Management:

End of Purpose Checks in Incident Management

Application | End of Purpose Check | Further Information
Incident Management (EHS_INC) | EHHSS_INC_EOP_CHECK_BP | The check determines whether the business partner is used in incidents or in tasks in incidents.

End of Purpose Checks in Risk Assessment

Application | End of Purpose Check | Further Information
Health and Safety (EHS_HS) | EHHSS_HS_EOP_CHECK_BP | The check determines whether the business partner is used in risk assessments, tasks in risk assessments, risks, control inspections, control evaluations, or control replacements.
Health and Safety (EHS_HS_EXPOSURE) | EHHSS_EXP_EOP_CHECK_BP | The check determines whether the business partner is assigned to job positions, location positions, or samplings as sampled person.

End of Purpose Checks in Environment Management

Application | End of Purpose Check | Further Information
Environment Management (EHS_ENV) | EHENV_EOP_CHECK_BP | The check determines whether the business partner is used in tasks of category Action.

End of Purpose Checks in Product Compliance

Application Name | End of Purpose Check | Further Information
EHSM_PRC | CL_EHPRC_CUSTOMER_EOP_CHECK | The check determines whether the customer is used in campaigns.
EHSM_PRC | CL_EHPRC_VENDOR_EOP_CHECK | The check determines whether the supplier is used in campaigns, supplier parts (CDOs), or supplier responses.

You register the application for an end of purpose check in Customizing under Cross-Application
Components → Data Protection → Blocking and Unblocking of Data → Business Partner → Define and Store
Application Names for EoP Check.
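The checks in the tables above all follow one pattern: a where-used check over the application tables that reference a business partner, and, once every referencing record has ended, a timeline of residence period, end of purpose, blocking and deletion as defined in the glossary. The following Python sketch is an added example for this guide, not SAP code: the delivered checks are ABAP function modules and classes registered in Customizing, and this script only reproduces their decision logic on constructed in-memory tables so the outcome for a given business partner can be followed step by step. Table and field names, the residence and blocking periods, and the sample records are assumptions made for illustration; in a real system the periods come from your ILM retention rules.

```python
"""End-of-purpose (EoP) check and retention timeline for a business partner,
following the where-used checks listed in the guide.

Added example, not SAP code. Table and field names, the periods and the
sample records are assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed sample data: records that reference a business partner (BP).
# `ended_on` is the date the record's business activity ended; None means still open.
INCIDENTS = [
    {"id": "INC-1", "bp": "BP100", "ended_on": date(2016, 3, 1)},
    {"id": "INC-2", "bp": "BP200", "ended_on": None},
]
INCIDENT_TASKS = [
    {"id": "TSK-7", "bp": "BP300", "ended_on": date(2014, 1, 15)},
]
RISK_ASSESSMENTS = [
    {"id": "RAS-3", "bp": "BP100", "ended_on": date(2016, 6, 30)},
]

# Table name -> rows; the order determines the order of where-used hits.
DEFAULT_TABLES = {
    "incidents": INCIDENTS,
    "incident_tasks": INCIDENT_TASKS,
    "risk_assessments": RISK_ASSESSMENTS,
}


def where_used(bp_id, tables=DEFAULT_TABLES):
    """Where-used check: every (table, record id, ended_on) that references bp_id."""
    return [(name, row["id"], row["ended_on"])
            for name, rows in tables.items()
            for row in rows if row["bp"] == bp_id]


def eop_check(bp_id, today, residence_days=365, blocking_days=730, tables=DEFAULT_TABLES):
    """Decide what may happen to a business partner's data on `today`.

    Status values:
      unreferenced  no application data references the BP
      in_use        at least one referencing record is still open (phase one)
      residence     end of business reached, residence period running (phase two)
      blocked       end of purpose reached, data is blocked (phase three)
      deletable     retention period (residence + blocking) is over
    """
    hits = where_used(bp_id, tables)
    if not hits:
        return {"status": "unreferenced", "hits": hits}
    if any(ended is None for _, _, ended in hits):
        # Dependent data still in business use: blocking must be prevented.
        return {"status": "in_use", "hits": hits}
    end_of_business = max(ended for _, _, ended in hits)
    end_of_purpose = end_of_business + timedelta(days=residence_days)
    deletable_on = end_of_purpose + timedelta(days=blocking_days)
    if today < end_of_purpose:
        status = "residence"
    elif today < deletable_on:
        status = "blocked"
    else:
        status = "deletable"
    return {"status": status, "hits": hits, "end_of_business": end_of_business,
            "end_of_purpose": end_of_purpose, "deletable_on": deletable_on}


if __name__ == "__main__":
    today = date(2017, 12, 13)
    for bp in ("BP100", "BP200", "BP300", "BP999"):
        print(bp, eop_check(bp, today))
```

With the sample data and the document date as `today`, BP100 is blocked (its last referencing record ended on 2016-06-30, so the end of purpose was 2017-06-30 and deletion becomes possible on 2019-06-30), BP200 is still in use because an incident referencing it is open, BP300 has passed the whole retention period and may be deleted, and BP999 has no dependent data at all. The where-used hits are returned alongside the status so that an operator can see which records are holding a business partner in phase one.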

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-
Application Components under Data Protection.

You configure the settings related to the blocking and deletion of business partner master data in Customizing
under Cross-Application Components → Data Protection → Blocking and Unblocking of Data → Business
Partner.

10.5 Information Retrieval

Data subjects have the right to get information regarding their personal data undergoing processing, including
the reason (purpose) for processing.

The SAP NetWeaver component Information Retrieval Framework (IRF) can be used to carry out a cross-
application search for personal data of a specified data subject. The data is retrieved from the system and
displayed in a structured, easy-to-read list, subdivided according to the purposes for which the data was
initially collected and processed.

 Note

To be able to use the IRF, you must set up your own data model which is the basis for the retrieval process.
Once your data model is set up, you can start the actual data collection process.

For more information about the Information Retrieval Framework, see the SAP NetWeaver documentation on
the SAP Help Portal at http://help.sap.com/nw74. In the Application Help section, open the SAP NetWeaver
Library: Function-Oriented View documentation and go to Solution Lifecycle Management → Information
Retrieval Framework.

10.6 Read Access Logging of Personal Data

Legislation requires logging of read and write access of person-related sensitive data.

You can use the Read Access Logging (RAL) component to monitor and log read access to person-related
sensitive data, and to provide information such as which business users accessed person-related sensitive
data (for example, fields related to bank account data), and when they did so.

In RAL, you can configure which person-related sensitive data you want to log and how to log it.

SAP delivers sample configurations for applications. You can display the configurations in the system by
performing the following steps:

1. In the Read Access Logging Manager (transaction SRALMANAGER), on the Administration tab page,
choose Configuration.
2. Choose the desired channel, for example, WebDynpro.
3. Choose Search. The system displays the available configurations for the selected channel.
4. Choose Display Configuration for detailed information on the configuration.

Note

For a list of the delivered log domains, see the product assistance at SAP Help Portal under http://
help.sap.com/erp. Open the Application Help and go to SAP ERP → Cross-Application Functions → Cross-
Application Components → Data Protection → Security Safeguards Regarding Data Protection → Read Access
Logging (RAL).

Prerequisites

Before you can use the delivered RAL configurations, the following prerequisites must be met:

● You have checked the kernel and SAP GUI versions required, as described in SAP Note 1969086.
● The RAL configurations have been activated.
● You have enabled RAL in each system client.

More Information

For more information, see Read Access Logging (RAL) in the documentation for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/netweaver. Choose an SAP NetWeaver platform and open the function-oriented
view of the application help. You can find the documentation about read access logging under Security
System Security System Security for SAP NetWeaver Application Server ABAP Only Read Access Logging .

For up-to-date information on the delivered RAL configurations, see SAP Note 2347271.

For more information on delivered log conditions in component extension 6.0 of SAP EHS Management, see the
following chapter of this Security Guide.

10.6.1 Read Access Logging for Incident Management

Incident Management logs data of illnesses or injuries that are maintained in the Edit Incident screen (Web
Dynpro application EHHSS_INC_REC_OIF_V3). Since this information is potentially sensitive and access to it
is in some cases legally regulated, you can use RAL to log when the data was accessed and by whom.

In the following configurations, the following fields are logged:

Fields for Read Access Logging

Configuration: Involved Person - Basic Information
Fields Logged: <concatenate name> (Injured Person Name, Phone Number, Email); Role(s); Incident Type; Privacy Case; Injured on Site; Injured on Duty; Additional Criteria; Fatality; Location of Death; Cause of Death; Statement of Involved Person
Business Context: Logs basic information of the person who is involved in the incident.

Configuration: Involved Person - Injury-Illness Information
Fields Logged: <concatenate name> (Injured Person Name, Phone Number, Email); Classification; Injury/Illness Type; Injury/Illness Description; Body Part; Body Part Description; Body Side
Business Context: Logs information on the injuries or the illness of the person who is involved in the incident.

Configuration: Involved Person - Treatment Information
Fields Logged: <concatenate name> (Injured Person Name, Phone Number, Email); First Physician; Further Treatment Provider; Treatment Beyond First Aid; Emergency Room; Inpatient Overnight; Unconsciousness; Immediate Resuscitation; Comment; To First Aid; To Further Treatment
Business Context: Logs information on the treatment of the person who is involved in the incident.

Configuration: Involved Person - Reports and Documents
Fields Logged: <concatenate name> (Injured Person Name, Phone Number, Email); File Name (of report forms); File Name (of documents)
Business Context: Logs the files of reports and documents that are assigned to the involved person.

Configuration: Incident - Reports and Documents
Fields Logged: File Name (of report forms); Reference (report forms of person references); File Name (of documents); Reference (documents of person references)
Business Context: Logs the files of reports and documents that are assigned to the incident.

10.7 Change Logging

Personal data may be subject to changes. If these changes are logged, you can check which employee made
which change and when. Component extension for SAP EHS Management generates change documents for
changes in specific fields of the relevant objects that contain personal data.

Under Display Change Document Objects (transaction SCDO), you can find the delivered change document
objects. (EHS change document objects start with EH*.) Under Maintain Logging Setting (transaction
S_AUT01), you can specify the fields to be logged.

For objects for which you have activated change logging, you can access the change documents by choosing the relevant entry from the You Can Also link. You can enter parameters to limit the changes that are displayed. To view change documents, you need the authorization object EHFND_CHDC. In addition, under Evaluate New Audit Trail (transaction S_AUT10) in Enhancement Mode, you can display all changes for the change document objects in SAP EHS Management.

More Information

● For more information about the use of change documents in component extension for SAP EHS Management, see the Product Assistance documentation on the SAP Help Portal at http://help.sap.com/ehs-comp. Select your release, open the Product Assistance, and go to Foundation for EHS Management (EHS-MGM-FND) > Technical Solution Information > Creation of Change Documents.
● For more technical information about logging changes, see the SAP NetWeaver documentation on the SAP Help Portal at http://help.sap.com/nw. Select your release, and in the Application Help section, open the SAP NetWeaver Library: Function-Oriented View. Go to Other Services > Audit Trail (BC-SRV-ASF-AT) > Changing Table and Data Element Logging.
● For more information about change documents, see the SAP NetWeaver documentation on the SAP Help Portal at http://help.sap.com/nw. Select your release, and in the Security section, open the SAP NetWeaver Security Guide. Go to Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Auditing and Logging > Logging of Specific Activities > Logging Using Change Documents.

11 Security for Additional Applications

For security information about Adobe Flash Player used by the BI dashboards, refer to the SAP NetWeaver
Business Warehouse Security Guide.

For security information about the Embedded Search used by SAP EHS Management, refer to the SAP
NetWeaver Enterprise Search 7.2 Security Guide.

12 Dispensable Functions with Impacts on Security

SAP EHS Management can be integrated with HR Time Management in Customizing. If the personnel time
management (PT) integration is activated, time data (including absences) from HR is displayed in the incident.
An additional option is available to directly create HR Absences from the incident. For all actions (such as read
or create), HR authorizations are checked.

13 Other Security-Relevant Information

13.1 SAP NetWeaver Business Client as User Front End

For more information about SAP NetWeaver Business Client (SAP NWBC) with PFCG connection, see the SAP NetWeaver documentation on SAP Help Portal at http://help.sap.com/nw74. Go to section Application Help and open the documentation for UI Technologies in SAP NetWeaver. Go to SAP NetWeaver Business Client > SAP NetWeaver Business Client Administration Guide > Security Aspects.

13.2 Documents (Including Virus Scanner)

SAP EHS Management uses standard SAP NetWeaver technology for uploading and downloading documents
(such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). These documents
are checked into the defined storage system (content repository) using the Knowledge Provider (KPro).

Using the standard NetWeaver technology, you can use the standard NetWeaver virus scan interface (VSI) to check documents (including attachments) for viruses. To do this, you must have installed and configured a virus scanner. It is highly recommended that you integrate a virus scanner. For more information, see http://help.sap.com/saphelp_nw74/helpdata.

13.3 Forms and E-Mails Containing Java Script

The interactive forms of SAP EHS Management can contain JavaScript. Therefore, JavaScript must be enabled in Adobe Acrobat Reader.

In addition, e-mails with PDF attachments that contain JavaScript must not be filtered out in the e-mail inbound and outbound process.

13.4 Security Settings for the Report Incident App

You use the mobile service for SAP Fiori to implement the app Report Incident. For more information on the
security settings of the mobile service for SAP Fiori, see the SAP Help Portal at http://help.sap.com. There,
search for SAP Cloud Platform, mobile service for SAP Fiori User Guide.

14 Security-Relevant Logging and Tracing

SAP EHS Management uses all logging and tracing functionality provided by the SAP NetWeaver AS ABAP and AS Java. Refer to the NetWeaver Security Audit and Logging documentation at http://help.sap.com/saphelp_nw74/helpdata.

The inbound e-mail process logs the data in the application log. For more information about the object and sub-object, see Customizing for SAP EHS Management under Incident Management > Print Forms and Interactive Forms > Define Inbound Processing for E-Mails.

15 Services for Security Lifecycle Management

15.1 Introduction

The following services are available from Active Global Support to assist you in maintaining security in your
SAP systems on an ongoing basis.

15.2 Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:

● Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP
Notes, the report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.

15.3 Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site
service. We recommend you use it regularly (for example, once a year) and in particular after significant system
changes or in preparation for a system audit.

15.4 Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance
with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
configuration parameters, but it also covers critical security properties like the existence of a non-trivial
Gateway configuration or making sure standard users do not have default passwords.

15.5 Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on
how to operate SAP systems and landscapes in a secure manner. It guides you through the most important
security operation areas and links to detailed security information from SAP’s knowledge base wherever
appropriate.

15.6 More Information

For more information about these services, see:

● EarlyWatch Alert: http://support.sap.com/support-programs-services/services/earlywatch-alert.html
● Security Optimization Service / Security Notes Report: https://support.sap.com/support-programs-services/services/security-optimization-services
● Comprehensive list of Security Notes: http://support.sap.com/securitynotes
● Configuration Validation, E2E Standard for Change Control Management: https://support.sap.com/support-programs-services/methodologies/support-standards
● RunSAP Roadmap.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
