SAP GTS guide

Security GuideSAP Global Trade Services 10.1

Target Audience ■ Technical Consultants ■ System Administrators

PUBLICDocument version: 1.0 – 2012-06-15

SAP AGDietmar-Hopp-Allee 16

69190 WalldorfGermany

T +49/18 05/34 34 34F +49/18 05/34 34 20

www.sap.com

© Copyright 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.Oracle is a registered trademark of Oracle Corporation.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.Java is a registered trademark of Sun Microsystems, Inc.JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

DisclaimerSome components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.Any Java™ Source Code delivered with this product is only to be used by SAP Support Services and may not be modified or altered in any way.

2/52 PUBLIC 2012-06-15

Typographic Conventions

Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

ExampleExample

Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressions

Example Words or characters that you enter in the system exactly as they appear in the documentation

http://www.sap.com Textual cross-references to an internet address

/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

Example ■ Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.

■ Cross-references to other documentation or published works

Example ■ Output on the screen following a user action, for example, messages ■ Source code or syntax quoted directly from a program ■ File and directory names and their paths, names of variables and parameters, and

names of installation, upgrade, and database tools

EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard

2012-06-15 PUBLIC 3/52

http://www.sap.com

http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=123456&_NLANG=en&_NVERS=0


Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document.

You can find the latest version on SAP Service Marketplace at: http://service.sap.com/swdc

SAP Software Download SAP Software Download Center Installations and Upgrades Installations and

Upgrade Guides - Entry by Application Group Analytics Governance, Risk, and Compliance Global Trade

Services <Release> Security Guide .

The following table provides an overview of the most important document changes.

Version Date Description

1.0 2012-06-15 Public

4/52 PUBLIC 2012-06-15

http://service.sap.com/swdc

Table of Contents

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2 Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 3 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 4 User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 19

4.1 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4.2 User Data Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3 Integration Into Single Sign-On Environments . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 5 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 6 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.1 Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.2 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

6.3 Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 7 Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 8 Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 9 Dispensable Functions with Impacts on Security . . . . . . . . . . . . . . . . . . . 37

Chapter 10 Enterprise Services Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 11 Trace and Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 12 Other Security-Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Chapter A Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

A.1 Additional Related Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

2012-06-15 PUBLIC 5/52

Chapter B Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

B.1 The Main SAP Documentation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6/52 PUBLIC 2012-06-15

1 Introduction

CAUTION

This guide does not replace the administration or operation guides that are available for productive

operations.

This document is not included as part of the Installation Information, Configuration Guides, or

Technical Operation Manuals. Such guides are only relevant for a certain phase of the software life

cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands

on security are also on the rise. When using a distributed system, you need to be sure that your data

and processes support your business needs without allowing unauthorized access to critical

information.

Data protection is of particular importance in the area of sanctioned party list (SPL) screening, for

example, where sensitive data from Human Capital Management of SAP ERP (SAP ERP HCM) should

not be able to be viewed or modified by unauthorized persons. This access to sensitive data can be

controlled by the enhanced authorization concept that enables administrators to restrict the

authorized users to specifically selected users from one foreign trade organization, for example. The

security measures available ensure that the SPL screening results of business partners from “sensitive”

countries can only be viewed or modified by employees who are either from the same country or from

the same country group

User errors, negligence, or attempted manipulation on your system should not result in loss of

information or processing time. These demands on security apply likewise to the business scenarios of

SAP Global Trade Services. To assist you in securing the SAP Global Trade Services, we provide this

Security Guide.

About This Document

The Security Guide provides an overview of the security-relevant information that applies to the SAP

Global Trade Services.

Since SAP Global Trade Services is based on and runs SAP NetWeaver technology, read the Security

Guide for SAP NetWeaver at http://help.sap.com/nw703 Security Information Security Guide . All

Security Guides published by SAP are available on SAP Service Marketplace at http://

service.sap.com/securityguide

1 Introduction

2012-06-15 PUBLIC 7/52

http://help.sap.com/nw703

http://service.sap.com/securityguide


The Security Guide for SAP Global Trade Services contains security-relevant information about the

following application areas within SAP Global Trade Services

■ Customs Processing

■ Compliance Management

■ Preference Processing

■ Letter of Credit

■ Restitution

■ Electronic Compliance Reporting

This guide is also valid for the export-specific product that is based on SAP Global Trade Services, called

SAP Customs Processing for Automated Export Systems (SAP Customs Processing for AES) that is

currently available for processing exports using the electronic Customs processes with ATLAS Ausfuhr

of the German Customs authorities.

Security in the context of these application areas of SAP Global Trade Services comprises the following

aspects

■ User authentication

■ Support of Single Sign-On

■ Administration and checking of user authorization to prevent unauthorized access to saved data

■ General access control, including protection of the system against unauthorized external access

■ Safeguarding of data against unauthorized access when business data is being exchanged between

SAP Global Trade Services and external systems

In many cases, the required information has already been provided in other Security Guides and in

configuration and installation information. In these cases, we have provided a reference to the relevant

sections within these guides.

Overview of the Main Sections

The Security Guide comprises the following main sections:

■ Before You Start

This section contains information about why security is necessary, how to use this document, and

references to other Security Guides that build the foundation for this Security Guide.

■ Technical System Landscape

This section provides an overview of the technical components and communication paths that

are used by the SAP Global Trade Services.

■ User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

● Recommended tools to use for user management.

● User types that are required by the SAP Global Trade Services.

● Overview of how integration into Single Sign-On environments is possible.

■ Authorizations

1 Introduction

8/52 PUBLIC 2012-06-15

This section provides an overview of the authorization concept that applies to the SAP Global

Trade Services.

■ Network and Communication Security

This section provides an overview of the communication paths used by the SAP Global Trade

Services and the security mechanisms that apply. It also includes our recommendations for the

network topology to restrict access at the network level.

■ Data Storage Security

This section provides an overview of any critical data that is used by the SAP Global Trade Services

and the security mechanisms that apply.

■ Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications

that are used with the SAP Global Trade Services.

■ Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant

information, for example, so you can reproduce activities if a security breach does occur.

■ Appendix

This section provides references to further information.

SAP Global Trade Services is based on SAP standard technology of SAP NetWeaver 7.0. This means that

only the official precepts of the SAP security strategy are used. The standard tools and mechanisms of

the SAP NetWeaver platform are used.

1 Introduction

2012-06-15 PUBLIC 9/52

This page is left blank for documents that are printed on both sides.

2 Before You Start

Fundamental Security Guides

The SAP Global Trade Services is an add-on to SAP NetWeaver and its application platform usage types.

Therefore, the corresponding Security Guides also apply to the SAP Global Trade Services. Refer to the

following specific SAP NetWeaver Security Guides depending on your system landscape as indicated in

the table below. All Security Guides can be accessed at http://help.sap.com/nw703 Security

Information Security Guide

Fundamental SAP NetWeaver Security Guides for SAP Global Trade Services

Security Guide Most-Relevant Sections or Specific Restrictions

SAP NetWeaver 7.0 including Enhancement Package 3

You can use the overall Security Guide for generic topics, for example, User Administration and Authentication or Network and Communication Strategy

Application Server (AS) for ABAP

Necessary for general security issues of basis SAP NetWeaver technology for SAP Global Trade Services

Optional SAP NetWeaver Security Guides for SAP Global Trade Services

Security Guide According to Usage Types and Specific Topics Most-Relevant Sections or Specific Restrictions

Business Intelligence (BI)

Depending upon whether you use BI functions with SAP Global Trade Services for analyzing your processes

Application Server (AS) for Java

When using printing functionality that utilizes the Adobe Document Server (ADS)

SAP Interactive Forms Solution Security Guide

When using print forms in SAP Global Trade Services, for example Customs forms in SAP Customs Management, in addition to the AS for JavaFor more information, see http://help.sap.com/nw703 Security Information Security Guide

Security Guide for SAP NetWeaver According to Usage Types SAP Interactive Forms Based On Adobe Software Security GuideFor more information about security-related information for the Adobe Reader, see SAP Note 853497.

NOTE

Although SAP Global Trade Services does not use interactive forms, the above-mentioned Security Guide does contain security-related information on topics that are related to

2 Before You Start

2012-06-15 PUBLIC 11/52




Security Guide According to Usage Types and Specific Topics Most-Relevant Sections or Specific Restrictions

setting up standard RFC destinations for communicating with the Adobe Document Server and for printing standard Adobe forms in Customs communication processes.

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://

service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP Global Trade Services are shown

in the table below.

Important SAP Notes

SAP Note Number Title Comment

1501945 Secure Configuration SAP NW This note contains information about how the NetWeaver platform can be configured securely.

797108 Virus scan interface (VSI): Changes and releases

SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

851789 Virus-scan-profiles delivered by SAP SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

817623 Integrating a virus scan in SAP applications SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

853497 Adobe Acrobat Reader creates temporary files

SAP Note about using the Acrobat Reader for displaying Adobe attachments or document previews.

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service

Marketplace at https://service.sap.com/securitynotes.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

2 Before You Start

12/52 PUBLIC 2012-06-15








https://service.sap.com/securitynotes

Quick Links to Additional Information

Content Quick Link on the SAP Service Marketplace or SDN

Security http://sdn.sap.com /irj/sdn/security

http://service.sap.com/security

Security Guides https://service.sap.com/securityguide

Related SAP Notes https://service.sap.com/notes

Released Platforms https://service.sap.com/pam

https://service.sap.com/platforms

Network Security https://service.sap.com/securityguide

https://ervice.sap.com/network

SAP Solution Manager https://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com /irj/sdn/netweaver

2 Before You Start

2012-06-15 PUBLIC 13/52

http://sdn.sap.com/irj/sdn/security


https://service.sap.com/securityguide

https://service.sap.com/notes

https://service.sap.com/pam

https://service.sap.com/platforms

https://service.sap.com/securityguide

https://ervice.sap.com/network

https://service.sap.com/solutionmanager

http://sdn.sap.com/irj/sdn/netweaver


3 Technical System Landscape

The diagram below shows an overview of the technical system landscape for the software components

for running the processes in SAP Global Trade Services.

Figure 1: Overview of the technical system landscape for running the processes in SAP Global Trade

Services

With SAP Global Trade Services, you have an add-on application that receives its data from a feeder

system, such as SAP ERP. You can also use non-SAP systems as a feeder system. If you are using an SAP

system as your feeder system, then the software components SAP_ABA und SAP_BASIS of SAP

NetWeaver ABAP Stack in the feeder system are mandatory together with the plug-in specific to SAP

Global Trade Services called SLL_PI 900_* to facilitate communication between the systems. In the

system for SAP Global Trade Services, you also need software component SAP_AP in addition to the

SAP_ABA and SAP_BASIS.

In addition to connecting the feeder systems through the plug-in that communicates with SAP Global

Trade Services by Remote Function Calls, you can use interfaces for other system connections. For

processing customs procedures, you can use process data from SAP Transportation Management in

addition to the logistics data of SAP ERP. The system connection to SAP Transportation Management


2012-06-15 PUBLIC 15/52

is facilitated by SOA services. However, if you are using a non-SAP system, these components are not

required.

■ Compliance Management

The Compliance Management area enables you to comply with national and international trade

regulations, combining embargo checks, legal import and export controls, and sanctioned party

list screening. You can, for example, upload sanctioned party lists in XML file format from third-

party data providers and screen your business partners against these sanctioned party lists. You

can fully integrate the screening process of your feeder system SAP ERP. There you can integrate

these checks into your logistics processes of materials management and sales and distribution. You

can also choose to integrate sanctioned party list checks into the processes of the finance and

human resources modules of SAP ERP as well as the industry solution for financial accounting.

■ Customs Management

The Customs Management area enables you to directly communicate with Customs offices and

adhere to the regulations of these national authorities in cross-border trade when placing goods

in specific Customs procedures. To facilitate this communication, you need to install converter

software. The converter software has its own security guidelines to which you must adhere. This

converter software facilitates the mapping of SAP IDocs to EDIFACT messages for the customs

offices to read and, in turn, receive EDIFACT messages from, which are then converted to SAP

IDocs for SAP Customs Management.

The security measures required for communication with third parties in IDoc format are described

in the SAP NetWeaver Application Server Security Guides. Communication between the EDI

converter and SAP Global Trade Services takes place using standard ALE technology and RFC

destinations. For more information about the security measures for this technology, see the SAP

NetWeaver Security Guide.

You can print out Adobe forms for customs processes, and to do so you require a connection to

the Adobe Document Server. Communication with the Adobe Document Server takes place using

standard RFC destinations, and role and user administration.

■ Preference Processing

The Preference Processing area facilitates traders in indicating their goods for preferential customs

treatment. This involves handling inbound and outbound long-term vendor declarations as well

as determining the preferential status of goods based on long-term vendor declarations and/or the

preference determination process. The preferential status is based on long-term vendor

declarations relevant for goods externally procured. Goods with procurement types for inhouse

production and mixed origin because they were partially produced inhouse and procured

externally, the preference determination is used in addition for determining the preferential status.

The preference determination is based on procedures and rules for Harmonized System codes in

preference agreements. Both, the preference agreements and the codes for classifying the products

can be uploaded from a third-party data provider.


16/52 PUBLIC 2012-06-15

■ Letter of Credit

The Letter of Credit area enables traders to mitigate financial risks by working with letters of credit

in standard inbound and outbound processes. The letters of credit ensure that shipping dates and

costs, for example, are agreed and assured by both the importer and the exporter and their

representing banks.

■ Restitution Handling

The Restitution Handling area enables exporters to apply for export refunds on common

agricultural products. This includes managing and monitoring bank securities and export licenses

in a legally compliant manner.

■ Electronic Compliance Reporting

The Electronic Compliance Reporting area enables companies within the European Union to

create Intrastat declarations for the authorities. In these Intrastat declarations a company can

report goods movements with other states or statistical regions of the European Union of which

information is required by the statistical authorities of a country.

For more information about the technical system landscape, see the resources listed in the table below.

More Information About the Technical System Landscape

Topic Guide/ToolQuick Link to the SAP Service Marketplace or SDN

Technical description for the SAP Global Trade Services and the underlying technological components such as SAP NetWeaver.

Master Guide http://service.sap.com/swdc

Installations and Upgrades Installation and Upgrade Guides SAP Solutions for Governance, Risk and Compliance SAP Global Trade Services <Release>

Installation and Upgrade

High availability High Availability for SAP Solutions http://sdn.sap.com /irj/sdn/ha

Technical landscape design See applicable documents http://sdn.sap.com /irj/sdn/

landscapedesign

Security See applicable documents http://service.sap.com/ security


2012-06-15 PUBLIC 17/52


http://sdn.sap.com/irj/sdn/ha

http://sdn.sap.com/irj/sdn/landscapedesign

http://sdn.sap.com/irj/sdn/landscapedesign



4 User Administration and Authentication

The SAP Global Trade Services uses the user management and authentication mechanisms provided

with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP.

Therefore, the security recommendations and guidelines for user administration and authentication

as described in the SAP NetWeaver Security Guide also apply to the SAP Global Trade Services. For more

information, see http://help.sap.com/nw703 Security Information Security Guide Security Guide for

SAP NetWeaver According to Usage Type SAP NetWeaver Application Server ABAP Security Guide .

In addition to these guidelines, we include information about user administration and authentication

that specifically applies to the SAP Global Trade Services in the following topics:

■ User Management

This topic lists the tools to use for user management, the types of users required, and the standard

users that are delivered with the SAP Global Trade Services.

■ User Data Synchronization

The SAP Global Trade Services shares user data with [list sources]. This topic describes how the

user data is synchronized with these other sources.

■ Integration Into Single Sign-On Environments

This topic describes how the SAP Global Trade Services supports Single Sign-On mechanisms.

4.1 User Management

User management for the SAP Global Trade Services uses the mechanisms provided by the SAP

NetWeaver AS ABAP, for example, tools, user types, and password policies. For an overview of how

these mechanisms apply for the SAP Global Trade Services, see the sections below.

User Administration Tools

The table below shows the tools to use for user management and user administration with the SAP

Global Trade Services.

User Management Tools

Tool Description Requirements

User and role maintenance with the AS ABAP (Transactions SU01, PFCGUser Management Engine with the AS Java

For more information about Identity Management, see the following topics of the SAP ERP Central Component Security Guide

See SAP NetWeaver Security Guide.


4.1 User Management

2012-06-15 PUBLIC 19/52


Tool Description Requirementsat http://help.sap.com SAP Business Suite SAP ERP SAP ERP Central Component Security Information

Security Guide SAP Security Guides - SAP ERP <Release> SAP ERP <Release> Security Guides SAP ERP Central Component Security Guide User Management and Authentication User Administration : ■ User and Role Administration of

Application Server ABAP

■ User Management Engine

User Types

It is often necessary to specify different security policies for different types of users. For example, your

policy may specify that individual users who perform tasks interactively have to change their passwords

on a regular basis, but not those users under which background processing jobs run.

The user types that are required for the SAP Global Trade Services include:

■ Individual users:

● Dialog users are used for SAP GUI for Windows and are required for individual interactive

system access with SAP Global Trade Services

■ Technical users:

● Service users are used for as dialog user but for larger, anonymous groups of users such as

service and support employees.

● Communication users are used for dialog-free communication for RFC calls. It is required for

communication between the feeder system and SAP Global Trade Services as well as between

SAP Global Trade Services and the converter technology.

● Background users are used for starting and monitoring background processing of business

transactions.

For more information about these user types, see the SAP NetWeaver Security Guide at http://

help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 Security Information Security Guide

(English) SAP NetWeaver Security Guide Security Guide for SAP NetWeaver According to Usage Type Security

Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide User Management User

Types .

Standard Users

There are no standard users delivered with SAP Global Trade Services. The system administrator creates

the standard dialog users and assigns roles to these users.

Template roles are available for user administrators in SAP Global Trade Services. These template roles

include, for example, a role for legal control specialist that can be used for export control in the US.

The user administrator can use this template role delivered with the system as the basis for creating


4.1 User Management

20/52 PUBLIC 2012-06-15

http://help.sap.com



individually-tailored roles for a specific company. This may involve assigning authorizations to the

user profile that only allow the user to work with specific document types or legal regulation(s). This

is useful in a sensitive environment such as legal controls, where, for example, data protection is of the

utmost importance and only specific employees are allowed to access, display or, indeed, change

particular data.

For more information about these standard users, see the SAP NetWeaver Security Guide at http://

help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 Security Information Security Guide

(English) SAP NetWeaver Security Guide SAP NetWeaver Application Server ABAP Security Guide User

Administration and Authentication User Management Protecting Standard Users .

Password Rules

For more information about SAP NetWeaver password rules, see the SAP NetWeaver Security Guide at

http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 Security Information

Security Guide (English) SAP NetWeaver Security Guide Security Guide for SAP NetWeaver According to Usage

Type Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide User

Administration and Authentication User Authentication:

■ Logon and Password Security in the ABAP System

■ Preventing Unauthorized Logons

■ Recognizing and Preventing Multiple Dialog User Logons

■ Authentication Security for SAP Shortcuts

■ Additional Information on User Authentication

4.2 User Data Synchronization

With SAP Global Trade Services you can use the options for user data synchronization that are provided

by SAP NetWeaver.

For more information about the user data synchronization in SAP NetWeaver, see the SAP NetWeaver

Security Guide at http://help.sap.com/nw703 Security Information Security Guide Security Guide for SAP

NetWeaver According to Usage Type SAP NetWeaver Application Server ABAP Security Guide AS ABAP

Authorization Concept Central User Administration

4.3 Integration Into Single Sign-On Environments

The application supports the Single Sign-On (SSO) mechanisms that are provided by the SAP NetWeaver

AS ABAP and AS Java. Therefore, the security recommendations and guidelines for user administration

and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and SAP

NetWeaver Application Server Java Security Guide also apply to the application.

The most widely-used supported mechanisms are listed below.


4.2 User Data Synchronization

2012-06-15 PUBLIC 21/52





■ Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP

GUI for Windows or Remote Function Calls.

■ SAP logon tickets

The application supports the use of logon tickets for SSO when using a Web browser as the frontend

client. In this case, users can be issued a logon ticket after they have authenticated themselves with

the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems)

as an authentication token. The user does not need to enter a user ID or password for authentication

but can access the system directly after the system has checked the logon ticket.

■ Client certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser

as a frontend client can also provide X.509 client certificates to use for authentication. In this case,

user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL

Protocol) and no passwords have to be transferred. User authorizations are valid in accordance

with the authorization concept in the SAP system.

For more information about the available authentication mechanisms, see the SAP NetWeaver Security

Guide at http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 Security

Information Security Guide (English) SAP NetWeaver Security Guide Security Guide for SAP NetWeaver According

to Usage Type Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide User

Administration and Authentication User Authentication Integration in Single Sign-On Environments .


4.3 Integration Into Single Sign-On Environments

22/52 PUBLIC 2012-06-15


5 Authorizations

The recommendations and guidelines for authorizations as described in the SAP NetWeaver Security

Guide also apply to the SAP Global Trade Services. For more information about the authorization

concept, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 Security Information

Security Guide Security Guide for SAP NetWeaver According to Usage Types SAP NetWeaver Application Server

ABAP Security Guide SAP Authorization Concept .

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.

For role maintenance, use the profile generator (transaction PFCG) on the SAP NetWeaver AS ABAP.

Using authorizations you can limit users’ access to the system and therefore protect transactions and

programs from unauthorized access

NOTE

You must decide which user should have authorization to display, change, or delete critical data.

That is, for example, vital for Human Resources data in the sanctioned party list screening for

data protection reasons. For more information about the authorization control see SAP Library

for SAP Global Trade Services at http://help.sap.com/grc Global Trade Services <Release>

Application Help Compliance Management Sanctioned Party List Screening .

Standard Roles

The table below shows the standard roles that are used by SAP Global Trade Services.

Single Roles for Business Processes

Role Description

/SAPSLL/LEG_ARCH SAP GTS: Archiving

/SAPSLL/LEG_CM SAP GTS: Case Management

/SAPSLL/LEG_LCE_APP SAP GTS: Legal Control - Export: Specialist

/SAPSLL/LEG_LCI_APP SAP GTS: Legal Control - Import: Specialist

/SAPSLL/LEG_LOC_APP SAP GTS: Letter of Credit Processing: Specialist

/SAPSLL/LEG_RES_APP SAP GTS: Restitution Specialist

/SAPSLL/LEG_SPL_APP SAP GTS: Sanctioned Party List Screening: SpecialistThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_AUD SAP GTS: Sanctioned Party List Screening: Screener (Auditor)This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_FI_APP SAP GTS: Sanctioned Party List Screening Financial Accounting: Specialist

5 Authorizations

2012-06-15 PUBLIC 23/52


http://help.sap.com/grc

Role DescriptionThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_FS_APP SAP GTS: Sanctioned Party List Screening Financial Services: SpecialistThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_HRAPP_APP SAP GTS: Sanctioned Party List Screening Human Resources/Applicants: SpecialistThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_HREMP_APP SAP GTS: Sanctioned Party List Screening Human Resources/Employee: SpecialistThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_LO_APP SAP GTS: Sanctioned Party List Screening Logistics: SpecialistThis role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SYS_COMM SAP GTS: Basis Administration

/SAPSLL/LEG_RFC Communication Role for RFC Authorization

/SAPSLL/UIX_LEG_SPL_INFREQUENT Sanctioned Party List Screening for Infrequent UsersThis role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_MANAGER Sanctioned Party List Screening for Compliance ManagerThis role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_SPECIALIST Sanctioned Party List Screening for Compliance SpecialistThis role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_SUPER Sanctioned Party List Screening for Power UserThis role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_AUDITOR Sanctioned Party List Screening for AuditorThis role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/WCR_CU_EXP_SPECIALIST Export Specialist Customs Management

/SAPSLL/WCR_CU_IMP_SPECIALIST Import Specialist Customs Management

/SAPSLL/WCR_CU_SCP_SPECIALIST Specialist for Inventory-Managed Customs Procedures in Customs Management

/SAPSLL/WCR_CU_EMC_SPECIALIST Specialist for Exise Movement Control in Customs Management

/SAPSLL/WCR_CU_CLS_SPECIALIST Specialist for Product Classification in Customs Management

/SAPSLL/WCR_CU_MDT_SPECIALIST Master Data Specialist in Customs Management

/SAPSLL/WCR_ECR_SPECIALIST Intrastat Declarations Specialist in Electronic Compliance Reporting

/SAPSLL/WCR_GTS_HOME Main Entry for SAP Global Trade ServicesThis role is only relevant for Web-UI features.

/SAPSLL/WCR_RI_PRE_SPECIALIST Preference Processing Specialist

Standard Authorization Objects

Standard Authorization Objects for Business Processes

Authorization Object Field Description

GTS_SPLEXT ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/OR (Foreign Trade Organizational

Unit) ■ ACTVT (Activity)

Legal Control: Sanctioned Party List: Author. LegReg + FTORG

5 Authorizations

24/52 PUBLIC 2012-06-15


GTS_SPL ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Leg. Control: Sanctioned Party List: Auth. f. Legal Regulatn

GTS_SPL_UI ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

In addition to the overall values mentioned below the table, you can use the following values with this authorization object: ■ 08 for Display change documents

■ 16 for Execute (e.g. SPL-Screening) ■ 43 for Release (e.g. Blocked BP or CD) ■ 91 for Reactivate (e.g. Reactivate a SPL-

entity) ■ A9 for Send (e.g. Forward or escalate

function) ■ DL for Download

■ H1 for Deactivate (e.g. Deactivate a SPL-entity)

■ UL for Upload

GTS_RES ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Restitution: Authorization for Legal Regulation

GTS_REX ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/OR (Foreign Trade Organizational

Unit) ■ ACTVT (Activity)

Legal Control: Re-Export: Authorization GG + FTORG

GTS_PR_LRG ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Customs Product Master: Authorization for Legal Regulation

GTS_PRE ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Preference Processing: Authorization for Legal Regulation

GTS_LOC ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Letter of Credit Processing: Legal Regulation

GTS_LMGM ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/LT (License Type) ■ ACTVT (Activity)

Authorization for Legal Regulation / License Type

GTS_LM_FTO ■ /SAPSLL/OR (Foreign Trade Organizational Unit)

■ ACTVT (Activity)

License: Authorization for Foreign Trade Organizational Unit

NOTE

Authorization check for licenses:When you display or change business objects that are set up with the technical object of the license, the system checks whether the user has authorization for the assigned foreign trade organizations. The system uses a technical license to cover the following business objects:

5 Authorizations

2012-06-15 PUBLIC 25/52


■ Licenses in the legal control export and the legal control import

■ Authorizations and securities during the processing of customs procedures and transit procedures

■ Securities during the restitution

■ Letters of credit during letter of credit processing

Therefore, you must assign the authorization object GTS_LM_FTO to each foreign trade organizational unit in the authorization maintenance for individual users.

GTS_LLNS ■ /SAPSLL/TS (Numbering Scheme for Customs Tariff System)


Numbering Scheme: Authoriz. for Tariff Syst. Struct. Segment

GTS_LDT ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Leg. Cntrl: License Determination: Auth. f. Legal Regulation

GTS_EMB ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Legal Control: Embargo: Authorization for Legal Regulation

GTS_CUS ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Customs Processing: Authorization at Legal Regulation Level

GTS_CD_LRG ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Customs Document: Authorization for Legal Regulation

GTS_CD_FTO ■ /SAPSLL/OR (Foreign Trade Organizational Unit)


Customs Document: Authorization for Foreign Trade Org. Unit

GTS_CD_CDT ■ /SAPSLL/ED (Document Type) ■ ACTVT (Activity)

Customs Document: Authorization for Document Type

GTS_BP_LRG ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)

Customs Business Partner: Authorization for Legal Regulation

GTS_BO_LRG ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/BY (BOP Category) ■ ACTVT (Activity)

Customs Worklist: Authoriz. for Legal Regul./Worklist Catgy

GTS_AU_INT ■ /SAPSLL/AU (Administrative Unit) ■ ACTVT (Activity)

Preference Processing: Internal Authorization for Admin.Unit

GTS_AU_EXT ■ /SAPSLL/AU (Administrative Unit) ■ ACTVT (Activity)

Preference Processing: External Authorization for Admin.Unit

/ECRS/POI ■ /ECRS/RPC (Country of Declaration (ISO Code))

■ /ECRS/POI (Provider of Information ID) ■ ACTVT (Activity)

Edit Provider of Information

5 Authorizations

26/52 PUBLIC 2012-06-15


/ECRS/RP ■ /ECRS/RPC (Country of Declaration (ISO Code))


Edit Intrastat Declarations

/ECRS/DVI ■ /ECRS/RPC (Country of Declaration (ISO Code))


Edit Default Values for Import

/ECRS/WL ■ /ECRS/RPC (Country of Declaration (ISO Code))


Edit Worklist

NOTE

The values for the determining fields that are specific to SAP Global Trade Services starting

with /SAPSLL/* are variables. You can determine the variables, for example, based on the business

process.

For the ACTVT field, you can use the standard values, for example the following:

■ 01 for create

■ 02 for change

■ 03 for display

■ 06 for delete

Additional authorization objects are necessary for functions from the underlying SAP NetWeaver basis

for SAP Global Trade Services, for example, when working with ALV lists. Also specific authorization

objects are needed for additional basis technology applied in SAP Global Trade Services, for example,

when using functions of SAP Case Management.

5 Authorizations

2012-06-15 PUBLIC 27/52


6 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs

to support the communication necessary for your business and your needs without allowing

unauthorized access. A well-defined network topology can eliminate many security threats based on

software flaws (at both the operating system and application level) or network attacks such as

eavesdropping. If users cannot log on to your application or database servers at the operating system

or database layer, then there is no way for intruders to compromise the machines and gain access to

the database or files of the backend system. Additionally, if users are not able to connect to the server

LAN (local area network), they cannot exploit well-known bugs and security holes in network services

on the server machines.

The network topology for SAP Global Trade Services is based on the topology used by the SAP

NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP

NetWeaver Security Guide also apply to SAP Global Trade Services. Details that specifically apply to the SAP

Global Trade Services are described in the following topics:

■ Communication Channel Security

This topic describes the communication paths and protocols used by SAP Global Trade Services.

■ Network Security

This topic describes the security requirements for communication destinations that you should

consider for SAP Global Trade Services. It shows the appropriate network segments for the various

client and server components and where to use firewalls for access protection. It also includes a

list of the ports needed to operate SAP Global Trade Services.

■ Communication Destinations

This topic describes the information needed for the various communication paths, for example,

which users are used for which communications.

For more information, see the following topics in the SAP NetWeaver Security Guide at http://

help.sap.com/nw703 Security Information Security Guide :


■ Security Guides for Connectivity and Interoperability Technologies

6.1 Communication Channel Security

Since communication channels are used to transfer various business data, you should protect them

from unauthorized access. SAP provides general recommendations and technology to protect your

system landscape based on SAP NetWeaver.


6.1 Communication Channel Security

2012-06-15 PUBLIC 29/52



CAUTION

To achieve a secure system landscape, you should activate Secure Network Communication (SNC)

for RFC and Secure Socket Layer (SLL) protocol.

The following table shows the communication channels used by SAP Global Trade Services, the

protocol used for the connection, and the type of data transferred.

The table below shows the communication paths used by SAP Global Trade Services, the protocol used

for the connection, and the type of data transferred.

Communication Paths for Business Processes of SAP Global Trade Services

Communication Path Protocol Used Type of Data TransferredData Requiring Special Protection

Front-end client using SAP GUI for Windows to AS ABAP

DIAG All application data Passwords

Application to feeder system, for example, plug-in

RFC Master data and business transaction data

N/A

Application server to third-party application

HTTP System ID, client, and host name

System information (that is, host name)

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP

connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 Security

Information Security Guide Network and Communication Security Transport Layer Security .

■ Enabling SSL (HTTPS) for SAP NetWeaver Application Server 7.0

The electronic exchange of business data between SAP Global Trade Services and a connected

external system, for example, the converter system for communication processes with the Customs

authorities, must also be protected from unauthorized access. As far as the automatic

authentication of the participating systems is concerned, SAP Global Trade Services relies on the

exchange of certificates, which guarantees state-of-the-art security. The communication within

the system landscape for SAP Global Trade Services can be made secure using HTTPS (SSL).

For more information, SSL (HTTPS) for SAP NetWeaver Application Server 7.03 see the following

topics of the SAP NetWeaver Security Guide at http://help.sap.com/nw703 SAP NetWeaver 7.0

including Enhancement Package 3 Security Information Security Guide (English) SAP NetWeaver Security Guide

Network and Communication Security Transport Layer Security(See section Additional Information) Using

SLL .

6.2 Network Security

SAP Global Trade Services is based on SAP NetWeaver. Therefore, the relevant Security Guides for SAP

NetWeaver are also relevant for SAP Global Trade Services. For more information about network

security of the underlying SAP NetWeaver, see the SAP NetWeaver Security Guide at http://


6.2 Network Security

30/52 PUBLIC 2012-06-15




help.sap.com/nw703 Security Information Security Guide Network and Communication Security and in

particular the following topics:

■ Network Services

This topic contains information about services and ports used by SAP NetWeaver.

■ Using Firewall Systems for Access Control

This topic contains information about contains information about firewall settings.

■ Using Multiple Network Zones

This topic contains information about the network segments in which individual parts of your

application are to be set up.

For an overview of the network security used in the individual application areas of SAP Global Trade

Services, see the section Technical System Landscape of the SAP Global Trade Services Security Guide.

6.3 Communication Destinations

For connecting your SAP Global Trade Services with the feeder systems of the logistics processes or the

converter system for the communication with the authorities, you must set up the system

communication. For more information, see the Configuration Information for SAP Global Trade

Services on SAP Service Marketplace at http://service.sap.com/swdc SAP Installations and Upgrades

Installations and Upgrades - Entry by Application Group SAP Solutions for Governance, Risk and Compliance SAP

Global Trade Services <Release> Installation and Upgrade .

CAUTION

Users and authorizations for connection destinations can cause high security flaws if used

carelessly. Therefore, note the following security rules for communication between two systems:

■ Use the user types system and communication.

■ Assign only the minimum required authorizations to the user.

■ Choose a secure and secret password for the user system

■ Store only connection user logon data for users of type.

■ Choose trusted system functionality when ever possible instead of storing connection user logon

data.


6.3 Communication Destinations

2012-06-15 PUBLIC 31/52




7 Data Storage Security

SAP Global Trade Services is based on SAP NetWeaver. Therefore, the information for data storage

security for SAP NetWeaver also applies to SAP Global Trade Services. For more information, see the

SAP NetWeaver Security Guide at http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement

Package 3 Security Information Security Guide SAP NetWeaver Security Guide Network and Communication

Security

7 Data Storage Security

2012-06-15 PUBLIC 33/52



8 Security for Additional Applications

The additional applications you might use with SAP Global Trade Services include converter software

for which the software provider has its own security guidelines. These have been tried and tested by

SAP and you should refer to these guidelines when implementing converter software for

communication with customs, for example.

8 Security for Additional Applications

2012-06-15 PUBLIC 35/52


9 Dispensable Functions with Impacts on Security

All activated functions that are delivered with SAP Global Trade Services are necessary to run the

business scenarios and processes. There are no dispensable functions impacting security.

9 Dispensable Functions with Impacts on Security

2012-06-15 PUBLIC 37/52


10 Enterprise Services Security

The following chapters in the SAP NetWeaver Security Guide are relevant for all enterprise services delivered

with application:

http://service.sap.com/securityguide SAP NetWeaver 7.0x Security Guides (Complete) SAP

NetWeaver 7.0 EhP3 Security Guides (Online Version)

■ User Administration and Authentication


■ Security Guide for Usage Type PI

■ Web Services Security

■ Security Guide Communication Interfaces

■ Security Guides for Operating System and Database Platforms

■ Security Aspects for System Management

■ Enabling Application-to-Application Processes: Security Aspects

■ Enabling Business-to-Business Processes: Security Aspects

For more information about special security requirements for Web services, see the Developer’s Guides

at http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 Development

Information Developer’s Guides Fundamentals Using Java Core Development Tasks Providing and Consuming Web

Services Web Service Toolset Web Services Security .

10 Enterprise Services Security

2012-06-15 PUBLIC 39/52




11 Trace and Log Files

Changes to master data and transactions in SAP Global Trade Services can be made using change

documents. Errors in process flows are logged using the standard SAP Application Log tool.

For more information about the use and setup of application logs in general, see SAP Library for SAP

NetWeaver at http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 SAP

Library SAP NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability

See section Integration -> Application LogApplication Log (BC-SRV-BAL)

For auditing user action SAP Global Trade Services uses standard SAP NetWeaver technology for its

system logs and traces. For more information, see the Technical Operations Guide for SAP NetWeaver

at http://help.sap.com/nw703 SAP NetWeaver 7.0 including Enhancement Package 3 SAP Library SAP

NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability Security and

User Administration Additional System Security Security Audit Log Tools

The application logs for SAP Global Trade Services are included in the SAP Global Trade Services

Operation Guide. For more information, see http://service.sap.com/swdc Installations and

Upgrades Installation and Upgrade Guides Analytics Governance, Risk, and Compliance Global Trade Services

<Release>

SAP Global Trade Services also provides change documents for the following objects to file all changes

made to these objects. The change documents can be accessed from the object-specific monitors in the

application due to their relation of the process. SAP Global Trade Services uses the SAP NetWeaver

technology for change documents.

■ /SAPSLL/BOPHD (GTS: Bill of Product) – Bill of Materials for Restitution Handling

■ /SAPSLL/BP (Business Partner)

■ /SAPSLL/CTSGEN (Legal and Logistics Services: Customs Tariff Numbers) – Tariff Numbers

■ /SAPSLL/CUHD (SLL: Customs Document / Shipment) – Customs Documents, Customs Declarations and

Customs Shipments

■ /SAPSLL/CUPED (GTS: Header for Period Entries) – Supplementary Customs Declaration

■ /SAPSLL/LCLIC (SLL: Legal Control: License) – License for Legal Control in the Compliance

Management Area

■ /SAPSLL/LCPRO (Project Master) – Projects for License Assignment in Legal Control in the Compliance

Management Area

■ /SAPSLL/LC_CUSB (GTS: Duty Rates) – Customs Duty Rates

■ /SAPSLL/PR – (Customs Product)

■ /SAPSLL/PREVD (GTS: Vendor Declarations) – Long-Term Vendor Declarations


2012-06-15 PUBLIC 41/52




■ /SAPSLL/TSPL (Legal & Logistics Services: LC: SPL Master (Header Data)) – Master Data for Sanctioned

Party List Screening in the Compliance Management Area

For information about the use of change documents in general, see SAP Library for SAP NetWeaver at

http://help.sap.com/nw703 Function-Oriented View SAP NetWeaver by Key Capability Application

Platform by Key Capability ABAP Technology ABAP Workbench (BC-DWB) BC Extended Applications Function

Library.


42/52 PUBLIC 2012-06-15


12 Other Security-Relevant Information

Virus Checking of Document Attachments

SAP Global Trade Services provides the opportunity to check documents that are attached to messages

or XML files for data upload with a virus scanner before they are stored in the data base.

For checking uploaded files against viruses, the following virus scan profiles that are delivered by SAP

must be activated:

■ ● /SCET/GUI_UPLOAD

■ ● /SIHTTP/HTTP_UPLOAD

To use these profiles, you must have configured a virus scanner correctly. For more information, see

SAP Customizing in your SAP Global Trade Services by entering transaction code SPRO and choosing

SAP Reference IMG SAP NetWeaver Application Server System Administration Virus Scanner Interface .

In addition, refer to the following SAP Notes about configuration information for the virus scanner

interface.

■ 797108 (Virus scan interface (VSI): Changes and releases)

■ 851789 (Virus-scan-profiles delivered by SAP)

■ 817623 (Integrating a virus scan in SAP applications)

Activated virus scan profiles without a correctly configured virus scanner result in error messages

during the file upload in SAP Global Trade Services.

12 Other Security-Relevant Information

2012-06-15 PUBLIC 43/52





A Appendix

A.1 Additional Related Guides

You can use the following guides for SAP Global Trade Services for additional information about the

system landscape and its requirements:

■ Master Guide

■ Operation Guide

■ Configuration Guide

You can access these guide on SAP Service Marketplace at http://service.sap.com/swdc SAP

Installations and Upgrades Installations and Upgrades Installation and Upgrade Guides Analytics Governance, Risk

and Compliance SAP Global Trade Services <Release>

You can find more guides related to the SAP NetWeaver platform on SAP Service Marketplace at

http://service.sap.com/installnw703 .

A Appendix

A.1 Additional Related Guides

2012-06-15 PUBLIC 45/52


http://service.sap.com/installnw703


B Reference

B.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various

phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as

well as many glossary entries in English and German.

■ Target group:

● Relevant for all target groups

■ Current version:

● On SAP Help Portal at http://help.sap.com Additional Information Glossary (direct

access) or Terminology (as terminology CD)

● In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.

■ Target group:

● Consultants

● System administrators

● Project teams for implementations or upgrades


● On SAP Help Portal at http://help.sap.com

The security guide describes the settings for a medium security level and offers suggestions for raising

security levels. A collective security guide is available for SAP NetWeaver. This document contains

general guidelines and suggestions. SAP applications have a security guide of their own.

■ Target group:


● Technology consultants

● Solution consultants


● On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable

units for each business or IT scenario. It provides scenario-specific descriptions of preparation,

B Reference


2012-06-15 PUBLIC 47/52

http://help.sap.com

http://help.sap.com


execution, and follow-up of an implementation. It also provides references to other documents, such

as installation guides, the technical infrastructure guide and SAP Notes.

■ Target group:


● Project teams for implementations


● On SAP Service Marketplace at http://service.sap.com/instguides

The installation information describe the technical implementation of an installable unit, taking

into account the combinations of operating systems and databases. It does not describe any business-

related configuration.

■ Target group:





Configuration Documentation – is available in SAP Solution Manager or as Configuration Guides.

SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business

and IT scenarios. It contains Customizing activities, transactions, and so on, as well as documentation.

■ Target group:





● In SAP Solution Manager

● For Configuration Guides at http://service.sap.com/swdc SAP Installations and Upgrades

Installations and Upgrades - Entry by Application Group SAP Solutions for Governance, Risk and Compliance

SAP Global Trade Services <Release> Installation and Upgrade .

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The

Customizing activities and their documentation are structured from a functional perspective. (In order

to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager,

which refers to the relevant Customizing activities in the individual SAP systems, is used.)

■ Target group:


● Project teams for implementations or upgrades


● In the SAP menu of the SAP system under Tools Customizing IMG

B Reference


48/52 PUBLIC 2012-06-15

http://service.sap.com/instguides



Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP

NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and

documentation that are needed to carry out various tasks, such as monitoring, backup/ restore, master

data maintenance, transports, and tests.

■ Target group:




The solution operations guide is used for operating an SAP application once all tasks in the technical

operations manual have been completed. It refers users to the tools and documentation that are needed

to carry out the various operations-related tasks.

■ Target group:






Upgrade

The upgrade information in the master guide is the starting point for upgrading the business and

IT scenarios of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and

follow-up of an upgrade. It also refers to other documents, such as the upgrade guides and SAP Notes.

■ Target group:


● Project teams for upgrades



The upgrade information describe the technical upgrade of an installable unit, taking into account

the combinations of operating systems and databases. It does not describe any business-related

configuration.

■ Target group:





Release notes are documents that contain short descriptions of new features in a particular release or

changes to existing features since the previous release. Release notes about ABAP developments are the

B Reference


2012-06-15 PUBLIC 49/52





technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide

(IMG).

■ Target group:

● Consultants



● On SAP Service Marketplace at http://service.sap.com/releasenotes

● In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)

Documentation in the SAP Service MarketplaceYou can find this document at the following address: http://service.sap.com/securityguide

B Reference


50/52 PUBLIC 2012-06-15

http://service.sap.com/releasenotes


SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +49/18 05/34 34 34F +49/18 05/34 34 20www.sap.com

© Copyright 2012 SAP AG. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.