
Security Guide
SAP Integrated Business Planning
Document Version: 1.0 – 2015-03-10
SAP Integrated Business Planning 5.0
CUSTOMER
Copyright
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product
and service names mentioned are the trademarks of their respective companies. Please see
http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information
and notices.
Typographic Conventions
| Type Style | Description |
|---|---|
| Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents. |
| Example | Emphasized words or expressions. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. |
| Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. |
| <Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. |
| EXAMPLE | Keys on the keyboard, for example, F2 or ENTER. |
Document History
| Version | Date | Change |
|---|---|---|
| 1.0 | 2015-03-10 | Initial version |
Contents
1 Introduction
2 Technical System Landscape
3 Security Aspects of Data, Data Flow and Processes
3.1 Communication Channel Security
3.2 Communication Destinations
3.3 Data Integration
    HANA Cloud Integration
    Data Upload Using the Data Integration App
    Uploading Files to the IBP Add-In for Microsoft Excel
    Data Export by REST-based API
    Web Browser – Cloud Solution Communication
4 User Management and Authentication
4.1 User Management
4.2 Integration into Single Sign-On Environments
5 Authorizations
5.1 Initial User Provisioning
5.2 Standard Roles
5.3 Standard Authorization Objects
6 Session Security Protection
7 Data Protection and Data Privacy
7.1 Deletion of Personal Data
7.2 Sensitive Personal Data
7.3 Disclosure of the Personal Data of Individuals
7.4 SAP Jam Integration
1 Introduction
Target Audience
This security guide provides an overview of the security-relevant information that applies to SAP Integrated
Business Planning 5.0. The target groups of this security guide are the following:
• Key users of SAP Integrated Business Planning
• Administrators
• User administrators
Why Is Security Necessary?
With the increasing use of distributed systems and the internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to SAP Integrated Business Planning. To assist you in securing the
applications of SAP Integrated Business Planning, we provide this security guide.
Overview of the Main Sections
The Security Guide comprises the following main sections:
• Technical System Landscape
  This section provides an overview of the technical components and communication paths that are used by
  SAP Integrated Business Planning.
• Security Aspects of Data, Data Flow and Processes
  This section provides an overview of security aspects involved in the most widely-used processes within SAP
  Integrated Business Planning and the security aspects of data integration.
• User Management and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  o User types that are required by SAP Integrated Business Planning
  o Overview of how integration into Single Sign-On environments is possible
• Authorizations
  This section provides an overview of the authorization concept that applies to SAP Integrated Business
  Planning, and lists the standard roles and authorization objects delivered by SAP.
• Session Security Protection
  This section provides information about activating secure session management, which secures access to the
  SAP logon ticket and security session cookies.
• Data Protection and Data Privacy
  This section provides information about how SAP Integrated Business Planning protects personal or sensitive
  data.
2 Technical System Landscape
SAP Integrated Business Planning 5.0 is a cloud offering that runs in the SAP Public Cloud.
Since cloud solutions from SAP deal with business data from your core business processes, SAP adheres to the
highest security and quality requirements, as follows:
• The business data is stored securely in SAP data centers.
• Users who require access to the business data must authenticate themselves, and their identity must be
  verified by user and access management. Users can only perform actions for which they have authorizations.
• Customer data always belongs to the customer.
You can access your SAP Integrated Business Planning cloud solution with the following devices:
• Desktop computer: browser-based internet access from your network
• Portable computers
• Mobile devices
Access to cloud solutions from SAP is provided through a unique and customer-specific URL. Communication is
implemented by means of a reverse proxy component in the SAP data center. The reverse proxy is the SAP Web
Dispatcher, which is developed and maintained by SAP Cloud Support. The communication between the devices
and the SAP Cloud is secured and protected by state-of-the-art open cryptographic standards and protocols such
as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The clients and the SAP Integrated Business
Planning system communicate through an add-in for Microsoft Excel and a web browser.
SAP Integrated Business Planning also integrates with SAP HANA Cloud Integration (SAP HCI). SAP HCI directly
connects to on-premise systems to extract and securely move data from source systems to SAP Integrated
Business Planning target tables through HTTPS. SAP HCI can also be used for exporting SAP Integrated Business
Planning calculation scenarios.
Furthermore, SAP Integrated Business Planning integrates with SAP Jam, thus providing a collaborative decision-making solution that brings together people, information, and proven business approaches to drive fast and
valuable results. SAP Jam enables you to collaborate with other members of your team and to keep track of your
processes and process-related tasks. The communication between SAP Integrated Business Planning and SAP
Jam is secured by HTTPS.
ETL tools can receive SAP Integrated Business Planning key figures for consumption through a RESTful web
service API via HTTPS.
SAP Integrated Business Planning is powered by SAP HANA. All customer data is stored in the HANA database
and data is protected by the security infrastructure and operational procedures of SAP Cloud powered by SAP
HANA.
The figure below shows the main components of SAP Integrated Business Planning. Identity and Authentication
Management (IAM), as well as Authorization Management are based on SAP NetWeaver technology.
The figure below shows an overview of the technical system landscape for SAP Integrated Business Planning 5.0.
For more information regarding the components and functions of SAP Integrated Business Planning, see the
application help for SAP Integrated Business Planning at http://help.sap.com/ibp50.
3 Security Aspects of Data, Data Flow and Processes
3.1 Communication Channel Security
The table below shows the communication channels used by SAP Integrated Business Planning, the protocol used
for the connection, and the type of data transferred. All communication channels (HTTP) support channel
encryption (HTTPS) through TLS and SSL protocols.
| Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
|---|---|---|---|
| Front-end client using a web browser to Gateway/SAP Integrated Business Planning | HTTPS | All application data | All confidential data |
| Excel client to SAP Integrated Business Planning | HTTPS | All application data | All confidential data |
| HANA Cloud Integration | HTTPS | All application data | All confidential data |
| SAP Jam | HTTPS | Social media integration | Personal data, confidential data |
3.2 Communication Destinations
The table below shows an overview of the communication destinations used by SAP Integrated Business Planning.
| Destination | Type | Description | User, authorizations |
|---|---|---|---|
| Source system (connection via HCI) | HTTPS | Data import using HANA Cloud Integration | Data import user (technical user) |
| File upload using the Data Integration app | HTTPS | File upload in CSV format | Special authorizations are required (see chapter Authorizations) |
| SAP Jam | HTTPS | Collaboration | Business user |
3.3 Data Integration
To be able to fully exploit the functions provided by SAP Integrated Business Planning, you can integrate business
processes and data between your on-premise applications (for example, SAP ERP or SAP APO) and SAP
Integrated Business Planning. This section provides an overview of the security aspects of data integration.
HANA Cloud Integration
The HANA Cloud Integration tool enables users to import data to and export data from SAP Integrated Business
Planning. For information about the security aspects of these data flows, see the HANA Cloud Integration security
guide on SAP Help Portal at http://help.sap.com/hci_ds/.
Data Upload Using the Data Integration App
You can use the Data Integration app to upload data to SAP Integrated Business Planning in a CSV file or using an
FTP client.
The special authorizations required for data uploads are contained in specific standard front-end and back-end
roles delivered by SAP. For more information, see chapter Authorizations.
For general information about authorizations, see the application help on SAP Help Portal at
http://help.sap.com/ibp50/.
Uploading Files to the IBP Add-In for Microsoft Excel
The IBP Add-In for Microsoft Excel allows users to save planning views to their computers, make changes to the
files offline, and upload the files back to the system. Users can also share Excel sheets (favorites or templates)
with other users.
During uploads, the Excel content is converted into an internal format. No virus scan is performed on the Excel
content during upload to or download from the backend. With the sharing function, it is theoretically possible
to spread virus infections from one device to another. To prevent this, ensure that all devices on
which the Excel clients for SAP Integrated Business Planning run have local virus scanners in place.
To avoid damage caused by virus-infected files, users should perform a virus scan on the files before uploading
them.
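Because the backend does not scan uploaded or shared Excel content, a client-side check before sharing is useful alongside the local virus scanner. The following Python code is an added example, not part of the SAP guide or the IBP add-in; it lists active content in an Office Open XML workbook by part name, and the sample workbooks are constructed in memory. It does not replace a virus scan.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .xls, or an encrypted workbook).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Lower-cased part-name prefixes inside an Office Open XML workbook that
# indicate active or externally linked content.
ACTIVE_PARTS = {
    "xl/vbaproject.bin": "VBA macro project",
    "xl/macrosheets/": "Excel 4.0 macro sheet",
    "xl/embeddings/": "embedded OLE object",
    "xl/activex/": "ActiveX control",
    "xl/externallinks/": "external workbook link",
}

OLE2_FINDING = "OLE2 compound file (legacy or encrypted workbook), contents not inspected"


def inspect_workbook(data):
    """Return a sorted list of findings for one workbook given as bytes.

    An empty list means no active content was found by part name. That is
    not a verdict that the file is clean; the virus scan is still required.
    """
    if data.startswith(OLE2_MAGIC):
        return [OLE2_FINDING]
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["not an Office Open XML workbook"]
    with zipfile.ZipFile(buf) as zf:
        names = [name.lower() for name in zf.namelist()]
    findings = set()
    if not {"xl/workbook.xml", "xl/workbook.bin"} & set(names):
        findings.add("ZIP archive without a workbook part")
    for name in names:
        for prefix, label in ACTIVE_PARTS.items():
            if name.startswith(prefix):
                findings.add(label)
    return sorted(findings)


def make_sample_workbook(extra_parts=()):
    """Build a minimal constructed workbook archive in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for part in extra_parts:
            zf.writestr(part, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain planning view": make_sample_workbook(),
        "template with macro and link": make_sample_workbook(
            ["xl/vbaProject.bin", "xl/externalLinks/externalLink1.xml"]
        ),
        "legacy binary file": OLE2_MAGIC + b"\x00" * 32,
    }
    for label, data in samples.items():
        print(label, "->", inspect_workbook(data) or "no active content found")
```
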
When users share favorites with other users, the system temporarily erases all figures for security reasons. When
a recipient opens a shared favorite, the system checks for the required authorizations before loading the figures.
For more information about favorites, see the application help on SAP Help Portal at http://help.sap.com/ibp50/
> Application Help > Interactive Planning in Microsoft Excel > Creating Planning View Favorites.
Data Export by REST-based API
You can use a REST-based API for exporting data from SAP Integrated Business Planning.
To authenticate and invoke this RESTful service, users must have authorization to view all planning data for the
source planning area. For more information, see the Data Export Guide for SAP Integrated Business Planning on
SAP Help Portal at http://help.sap.com/ibp50/.
Web Browser – Cloud Solution Communication
All communication between the web browser/clients and the cloud solution is encrypted and authenticated based
on standard SSL and TLS protocols.
4 User Management and Authentication
User management and authentication in SAP Integrated Business Planning 5.0 are based on the mechanisms
provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP.
4.1 User Management
In SAP Integrated Business Planning, user management functions are available for users in the form of dedicated
apps which users can access from the SAP Fiori launchpad.
For more information, see the application help on SAP Help Portal at http://help.sap.com/ibp50.
User Types
The following table lists the user types that are required for SAP Integrated Business Planning:
| User Type | Description |
|---|---|
| Business user | A user type for normal interactive users. Business users always have to change their initial password during the first logon. The properties of the passwords are determined by the assigned security policy. Note: Users can only change their initial passwords on the logon screen of the launchpad, but not in Microsoft Excel. |
| Technical user | A user type for non-interactive usage, either predefined by SAP for technical operations, or resulting from the creation of communication arrangements. |
| Support user | A user type for interactive support used by SAP Cloud Services to access the system as part of incident processing. |
4.2 Integration into Single Sign-On Environments
SAP Integrated Business Planning supports authentication mechanisms provided by SAP NetWeaver.
Anonymous access is not supported.
To log on to your SAP Integrated Business Planning system, the following authentication methods are supported:
• Logon using user ID and password
  By default, a strong security policy for passwords is pre-configured in your solution, based on SAP’s product
  security standard. You as a user administrator can set an initial password for new users.
• Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
  SAP Integrated Business Planning supports the use of logon tickets for SSO when using a web browser as the
  front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with
  the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an
  authentication token. The user does not need to enter a user ID or password for authentication but can access
  the system directly after the system has checked the logon ticket.
• Logon using client certificate (X.509) as logon certificate
  As an alternative to user authentication using a user ID and password, users using a web browser as a
  front-end client can also provide X.509 client certificates to use for authentication. In this case, user
  authentication is performed on the web server using the Secure Sockets Layer Protocol (SSL Protocol) and no
  passwords have to be transferred. User authorizations are valid in accordance with the authorization concept
  in the SAP system.
The IBP Add-In for Microsoft Excel supports user authentication by a client certificate. You can specify the
certificate to be used when setting up a connection to the server. In the Edit Connection dialog box, select the
Client Certificate checkbox, choose Select Certificate, and select the relevant certificate (corresponding to your
SNC name). The SNC name needs to be specified for each user created in the User Management app, under SNC
Data on the SNC tab page.
5 Authorizations
SAP Integrated Business Planning uses the authorization concept provided by the SAP NetWeaver AS ABAP. The
SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For more
information about roles and authorizations, see the application help on SAP Help Portal at
http://help.sap.com/ibp50.
5.1 Initial User Provisioning
You are provided with a super user for SAP Integrated Business Planning, which has all the necessary
authorizations for setting up your system. With this user, you can create your users and assign the required roles.
Please note that you should not use this super user in a productive environment. Once you have finished setting
up your users and roles, the super user should be deactivated.
5.2 Standard Roles
SAP delivers standard roles containing the authorizations needed for using the applications of SAP Integrated
Business Planning, including web-based applications (apps) and the IBP Add-In for Microsoft Excel. For general
information about using and changing standard roles, see the application help on SAP Help Portal at
http://help.sap.com/ibp50.
Users of a web-based application need both front-end authorizations (to have access to the launchpad tile) and
back-end authorizations (to be able to use functions and to have access to data).
The following table lists the standard roles containing the authorizations for using the various applications and
accessing data in SAP Integrated Business Planning.
Standard Roles
| Business Role/Use | Front-End Role | Authorizations | Back-End Role | Authorizations |
|---|---|---|---|---|
| Demand planner | Demand Planner – Apps (SAP_IBP_BCR_DEMANDPLANNER_T) | Authorization for accessing the following apps on the launchpad: Manage Demand Sensing Issues, Manage Forecast Models | Back-End Role for Manage Demand Sensing Issues App (SAP_IBP_DMDSENS_MON_APP) | Authorizations required for using the Manage Demand Sensing Issues app |
| | | | Back-End Role for Manage Forecast Models App (SAP_IBP_MFM_MAN_APP) | Authorizations required for using the Manage Forecast Models app |
| Custom alert administrator | Custom Alerts – Apps (SAP_IBP_BCR_ALERT_T) | Authorization for accessing the following apps on the launchpad: Define Custom Alerts, Subscribe to Custom Alerts, Monitor Custom Alerts | Back-End Role for Define Custom Alerts App (SAP_IBP_ALERT_DEF_APP) | Authorizations required for using the Define Custom Alerts app |
| | | | Back-End Role for Subscribe to Custom Alerts App (SAP_IBP_ALERT_SUB_APP) | Authorizations required for using the Subscribe to Custom Alerts app |
| | | | Back-End Role for Monitor Custom Alerts App (SAP_IBP_ALERT_MON_APP) | Authorizations required for using the Monitor Custom Alerts app |
| General planner | General Planner – Apps (SAP_IBP_BCR_PLANNER_T) | Authorization for accessing the following apps on the launchpad: Dashboard, Analytics, Change History, Cases, Tasks, Favorites, Collaboration | Back-End Role for General Planner (SAP_IBP_PLANNER_APP) | Authorizations for the following: using all algorithms in the add-in for Microsoft Excel; creating and managing scenarios in the add-in for Microsoft Excel; using the following apps: Dashboard, Analytics, Change History, Cases, Tasks, Favorites, Collaboration |
| Administrator | Administrator – Apps (SAP_IBP_BCR_ADMIN_T) | Authorization for accessing the following tiles on the launchpad: Data Integration, Process Modeling, Configuration, Transport Planning Models, Download Excel Add-In | Back-End Role for Administrator (SAP_IBP_ADMIN_APP) | Authorizations for managing catalogs, groups, and tiles using the launchpad designer; using all functions of the add-in for Microsoft Excel; using functions of the following apps: Data Integration, Process Modeling, Configuration, Transport Planning Models |
| User administrator | User Administrator – Apps (SAP_IBP_BCR_USERADMIN_T) | Authorization for accessing the following apps on the launchpad: User Management, Roles, Visibility Filters | Back-End Role for User Administrator (SAP_IBP_USRADM_APP) | Authorizations required for user administration functions |
| Basic functions | Basic Functions – Apps (SAP_IBP_BCR_BASIC_T) | Authorization for accessing the following tiles: User Profile, Application Help | Back-End Role for Basic Functions (SAP_IBP_BASIC) | Authorizations required for accessing the launchpad and for editing the user’s own user data in the User Preferences app |
| All applications | SAP Role for IBP All Apps (SAP_IBP_TCR_T) | Technical role; authorization for accessing all apps on the launchpad | Back-End Role for All Applications (SAP_IBP_ALL_APP) | All application authorizations required for using the Add-In for Microsoft Excel and all apps of SAP Integrated Business Planning. This role should not be assigned to any user in a productive environment. |
| Data access | | | Back-End Role for Data Access (SAP_IBP_DATA_ACCESS) | All authorization objects related to data access, with no authorization data specified. By defining values for these authorization objects, you can control access to data. |
| | | | Back-End Role for Accessing All Data (SAP_IBP_DATA_ACCESS_ALL) | All authorizations related to accessing data in SAP Integrated Business Planning |
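The front-end/back-end pairing and the restriction on SAP_IBP_ALL_APP described in this section can be checked against an export of user-role assignments. The following Python code is an added example, not part of the SAP guide or of SAP tooling; the two-column CSV layout (user, role), the sample users and the finding names are assumptions, and flagging SAP_IBP_DATA_ACCESS_ALL for review is this example's choice rather than a rule stated in the guide.

```python
import csv
import io
from collections import defaultdict

# Front-end role -> back-end roles listed beside it in the Standard Roles table.
FRONT_TO_BACK = {
    "SAP_IBP_BCR_DEMANDPLANNER_T": {"SAP_IBP_DMDSENS_MON_APP", "SAP_IBP_MFM_MAN_APP"},
    "SAP_IBP_BCR_ALERT_T": {"SAP_IBP_ALERT_DEF_APP", "SAP_IBP_ALERT_SUB_APP",
                            "SAP_IBP_ALERT_MON_APP"},
    "SAP_IBP_BCR_PLANNER_T": {"SAP_IBP_PLANNER_APP"},
    "SAP_IBP_BCR_ADMIN_T": {"SAP_IBP_ADMIN_APP"},
    "SAP_IBP_BCR_USERADMIN_T": {"SAP_IBP_USRADM_APP"},
    "SAP_IBP_BCR_BASIC_T": {"SAP_IBP_BASIC"},
}
ALL_APPS_FRONT = "SAP_IBP_TCR_T"            # technical role: all launchpad apps
ALL_APPS_BACK = "SAP_IBP_ALL_APP"           # guide: not for productive environments
ALL_DATA_BACK = "SAP_IBP_DATA_ACCESS_ALL"   # flagged for review (example's choice)

# Constructed sample export; the user names are made up for this example.
SAMPLE_CSV = """\
user,role
PLANNER01,SAP_IBP_BCR_PLANNER_T
PLANNER01,SAP_IBP_PLANNER_APP
PLANNER01,SAP_IBP_BCR_BASIC_T
PLANNER01,SAP_IBP_BASIC
DEMAND02,SAP_IBP_BCR_DEMANDPLANNER_T
DEMAND02,SAP_IBP_DMDSENS_MON_APP
SETUP99,SAP_IBP_TCR_T
SETUP99,SAP_IBP_ALL_APP
SETUP99,SAP_IBP_DATA_ACCESS_ALL
ALERT03,SAP_IBP_ALERT_DEF_APP
"""


def load_assignments(csv_text):
    """Parse 'user,role' rows into {user: set of roles}; names are upper-cased."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("user") or "").strip().upper()
        role = (row.get("role") or "").strip().upper()
        if user and role:
            roles[user].add(role)
    return dict(roles)


def audit(assignments, productive=True):
    """Return a sorted list of (user, finding, detail) tuples."""
    findings = []
    for user, roles in assignments.items():
        if productive and ALL_APPS_BACK in roles:
            findings.append((user, "ALL_APPS_ROLE_IN_PRODUCTION", ALL_APPS_BACK))
        if ALL_DATA_BACK in roles:
            findings.append((user, "REVIEW_ALL_DATA_ACCESS", ALL_DATA_BACK))
        for front, backs in FRONT_TO_BACK.items():
            held = backs & roles
            # Tile is visible, but the function behind it is not authorized.
            if front in roles and ALL_APPS_BACK not in roles:
                for back in backs - roles:
                    findings.append(
                        (user, "FRONT_END_WITHOUT_BACK_END", f"{front} -> {back}"))
            # Function is authorized, but no launchpad tile gives access to it.
            if held and front not in roles and ALL_APPS_FRONT not in roles:
                for back in held:
                    findings.append(
                        (user, "BACK_END_WITHOUT_FRONT_END", f"{back} -> {front}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in audit(load_assignments(SAMPLE_CSV)):
        print(f"{user:10} {finding:28} {detail}")
```

A back-end role held without its front-end role can be intentional for users who work only in the add-in for Microsoft Excel, so treat that finding as a prompt for review.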
5.3 Standard Authorization Objects
The table below lists the standard authorization objects provided for SAP Integrated Business Planning.
You can use these objects to define your own roles in the Roles app. For information, see the application help on
SAP Help Portal at http://help.sap.com/ibp50.
Standard Authorization Objects
Authorization Object
Object Description
Field
Field Description
Possible Values
IBP_OPERTR
Controls
authorization for
using algorithms in
the add-in for
Microsoft Excel
ALGORITHM
Values for this field
specify the range of
algorithms the user
can use in the addin for Microsoft
Excel.
STAT_FCST (Statistical
Forecasting)
Controls
authorization for
attribute
combinations
ACTVT
Activity
01 (Create or Generate):
Allows users to add new
combinations of
attribute values to a
planning view in the addin for Microsoft Excel
(Algorithms)
IBP_ATTRIB
(Attribute
Combinations)
INV_OP (Inventory
Optimization)
SPLY_PLN (Supply
Planning)
06 (Delete):
Allows the deletion of
attribute value
combinations from a
planning view in the add-
18
CUSTOMER
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Integrated Business Planning 5.0
Authorizations
Authorization Object
Object Description
Field
Field Description
Possible Values
in for Microsoft Excel
IBP_HIST
(Change History)
IBP_IMPRT
(Data Import)
Controls
authorization for
the change history
function
ACTVT
Controls
authorization for
the data
integration
function
ACTVT
Activity
23 (Maintain):
Allows access to the
change history function
Activity
03 (Display):
Allows users to display
data load reports on the
Data Integration user
interface
16 (Execute):
Allows data import into
the application using a
.zip file containing your
manifest (.xml) and data
files (.csv)
IBP_MODEL
(Model
Configuration)
IBP_FCSMOD
(Forecast Model
Management)
Controls
authorization for
model
configuration
functions
ACTVT
Controls
authorization for
specific forecast
models within a
planning area
ACTVT
Activity
03 (Display):
Allows the display of
planning models in the
Configuration app
Activity
02 (Change):
Allows users to change
an existing forecast
model or to create a new
forecast model
03 (Display):
Allows users to display
existing forecast models
16 (Execute):
Allows forecasting with
the forecast models
specified either in a
simulation or in the
background
IBP_KEYFIG
(Key Figures)
SAP Integrated Business Planning 5.0
Authorizations
Controls
authorization for
specific key figures
within a planning
IBP_PLAREA
Planning Area
IBP_FCSTMO
Forecast Model
Name
ACTVT
Activity
03 (Display):
Allow users to display
key figures within a
planning area
CUSTOMER
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
19
Authorization Object
Object Description
Field
Field Description
area.
Possible Values
23 (Maintain):
Allow users to change
key figures within a
planning area
IBP_MD
(Master Data
Management)
Controls
authorization for
master data.
IBP_PLAREA
Planning Area
IBP_KFID
Key Figure ID
ACTVT
Activity
03 (Display):
Allows the user to view
master data in the addin for Microsoft Excel
23 (Maintain):
Allows the user to add or
copy master data in the
add-in for Microsoft
Excel
IBP_PVIEW
(Planning View
Personalization)
Controls
authorization
regarding planning
view templates and
layouts in the addin for Microsoft
Excel
ACTVT
Activity
23 (Maintain)
IBP_PV_OBJ
Planning View
Object
TEMPLATE (Planning
View Template):
Allows the user access
to the functions of the
Template Admin group
in the IBP ribbon of the
add-in for Microsoft
Excel
LAYOUT (Planning View
Layout):
Allows the user access
to the functions of the
Layout tab in the
Planning View Settings
dialog in the add-in for
Microsoft Excel
IBP_PRCESS
(Process Modeling)
IBP_RESCOD
(Reason Codes)
20
Controls
authorization for
using the process
modeling function
ACTVT
Controls
authorization for
using specific
IBP_RESCOD
Activity
23 (Maintain):
Allows the user to
access the process
modeling function to
create planning process
templates, instances,
work flows, and steps.
CUSTOMER
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
Reason Code ID
The values defined for
this field control the
range of reason codes
that a user is allowed to
SAP Integrated Business Planning 5.0
Authorizations
Authorization Object
Object Description
Field
Field Description
reason codes
IBP_SNPSHT
(Snapshots)
Controls
authorization
regarding
snapshot
generation.
Possible Values
use in the add-in for
Microsoft Excel.
ACTVT
Activity
07 (Activate, generate):
Allows the user to
generate snapshots of
key figures
08 (Execute again):
Allows the user to redo
snapshots, overriding
the most recent data
captured by a previous
snapshot with the
current values
Authorization Object: IBP_SCNRIO (User-Defined Scenarios)
Object Description: Controls authorization for user-defined scenarios
Field: ACTVT
Field Description: Activity
Possible Values:
23 (Maintain): Allows the user to create or manage scenarios using the corresponding buttons in the Scenario group of the IBP ribbon in the add-in for Microsoft Excel.

Authorization Object: IBP_KF_VER (Version-Dependent Key Figure Permissions)
Object Description: Controls version-dependent permissions for viewing and editing key figures.
To use version-dependent permissions, you need to activate them in the Configuration app, under Manage Global Configurations (parameter group SCENARIO, parameter name PERMISSIONS).
Field: IBP_ACTVT
Field Description: Activity
Possible Values:
I1 (View): Allows users to view key figures in the version specified. The users can only view the key figures for which they have a view permission defined in the authorization object IBP_KEYFIG (Key Figures).
I2 (Scenario Edit): Allows users to save changes to user-defined scenarios
I3 (Edit): Allows users to save changes to the version specified and the base version. The users can only edit the key figures for which they have an edit permission defined in the authorization object IBP_KEYFIG (Key Figures).
Field: IBP_PLAREA
Field Description: Planning Area
Field: IBP_VRSIO
Field Description: Version ID

Authorization Object: IBP_MD_VER (Version-Dependent Master Data Permissions)
Object Description: Controls version-dependent master data permissions.
The global master data permissions specified in the authorization object IBP_MD (Master Data Management) override the version-dependent permissions.
Field: IBP_ACTVT
Field Description: Activity
Possible Values:
I1 (View): Allows the user to display master data records in the version specified
I4 (Manage Records): Allows the user to display, create, update and delete all master data records in the version specified
I5 (Edit Records): Allows the user to display and update all master data records in the version specified
I6 (Manage Own Records): Allows the user to display all records, to create records, and to update and delete the user's own records in the version specified
Field: IBP_MDTYP
Field Description: Planning Object Type
Field: IBP_PLAREA
Field Description: Planning Area
Field: IBP_VRSIO
Field Description: Version ID

Authorization Object: (Versions)
Object Description: Controls authorization for version management
Field: ACTVT
Field Description: Activity
Possible Values:
23 (Maintain): Allows the user to promote a planning version to the base version, copy the base version to a version, and to display the status of version processes in the add-in for Microsoft Excel.

IBP_VRSIO

Authorization Object: IBP_VISFLT (Visibility Filters)
Object Description: Controls authorization for viewing master data in the form of visibility filters
Field: IBP_VF_ID
Field Description: Visibility Filter ID
Possible Values:
The visibility filter specified in this field controls the range of master data visible to a user for a particular planning area.
6 Session Security Protection
Users of SAP Integrated Business Planning run the applications in the SAP Fiori launchpad. The launchpad
encapsulates SAP NetWeaver session management that secures access to the SAP logon ticket and security
session cookies. Secure Sockets Layer (SSL) is used to protect the network communications where these
security-relevant cookies are transferred. Idle sessions are terminated automatically.
7 Data Protection and Data Privacy
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and
functions are the best method to support company, industry, regional or country-specific requirements.
Furthermore, this guide does not give any advice or recommendations with regard to additional features that
would be required in a particular environment; decisions related to data protection must be made on a case-by-case
basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not
taken from any given legal source.
Glossary
Term: Personal data
Definition: Information about an identified or identifiable natural person.
Term: Business purpose
Definition: A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Term: Blocking
Definition: A method of restricting access to data for which the primary business purpose has ended.
Term: Deletion
Definition: Deletion of personal data so that the data is no longer usable.
Term: Retention period
Definition: The time period during which data must be available.
Term: End of purpose (EoP)
Definition: A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:
- Access control: Authentication features as described in section User Management and Authentication [Page 13].
- Authorizations: Authorization concept as described in section Authorizations [Page 15].
- Communication security: as described in section Security Aspects of Data, Data Flow and Processes [Page 10].
- Availability control: as described in section Technical System Landscape [Page 8].
- Separation by purpose: is subject to the organizational model implemented and must be applied as part of the authorization concept.
Caution
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.
7.1 Deletion of Personal Data
SAP Integrated Business Planning might process data (personal data) that is subject to the data protection laws
applicable in specific countries. All kinds of data that is extracted into SAP Integrated Business Planning and all
business planning data that relates to personal data can be deleted using the standard functions provided by SAP
Integrated Business Planning. You can first delete the business plans related to personal data, and afterwards the
personal master data as well. For more information about the deletion of planning data and master data, see the
application help for SAP Integrated Business Planning on SAP Help Portal at http://help.sap.com/ibp50.
Note that only planning data/master data of views that are connected to the SAP Integrated Business Planning
back end can be securely deleted from the databases in SAP Integrated Business Planning. For this reason, make
sure that Excel sheets that contain business planning data in general, and personal data specifically, are secured
by the security mechanisms of Microsoft Office (for example, password protection) and the client operating system
(such as hard drive encryption). Common client protection tools such as virus scanners on the clients are also
highly recommended.
7.2 Sensitive Personal Data
Sensitive personal data is a category of personal data that needs special handling. The definition of what qualifies
as sensitive personal data may differ for different legal areas or industries. Sensitive data may for example be
information on racial or ethnic origin, political opinions, or bank and credit accounts. SAP Integrated Business
Planning is not designed to store and process this kind of data.
7.3 Disclosure of the Personal Data of Individuals
Data privacy regulations may also require the provisioning of information on what is stored about an individual
person. The standard functions of SAP Integrated Business Planning can be used for this purpose.
7.4 SAP Jam Integration
SAP Integrated Business Planning enables integration with SAP Jam. This channel allows you to share business
objects and documents that may contain sensitive information with external users. For information about
protecting this data, see SAP Help Portal at http://help.sap.com/nw-uiaddon -> Application Help. In SAP Library
choose Social Media Integration -> Information for Administrators -> Security.