
Whitepaper

Complying with SAP Security Requirements Using Winshuttle Transaction


Summary
This white paper describes how the Winshuttle technology architecture enforces stringent, native SAP security requirements around enterprise data access. The paper is written for technical decision makers (TDMs) and architects to assist in evaluating Winshuttle Transaction compatibility with security policies in the SAP environment.

© 2011 Winshuttle, LLC. All rights reserved.

www.winshuttle.com

Introduction
The SAP Business Suite contains sensitive corporate data that is essential to running your day-to-day business, while addressing dynamic business initiatives and regulatory compliance requirements. This white paper discusses in detail how Winshuttle maintains full compatibility with SAP security requirements and complies with information security best practices. It also explains how Winshuttle supports SAP's extensive authorization functionality, which protects Transactions and data from unwanted access and use.

Winshuttle Transaction records the manual steps that a user takes to complete any SAP Transaction and then maps the relevant SAP fields to an Excel spreadsheet, easily creating a business process template. This template can then be run, on demand, to shuttle data between Excel and SAP, thus automating any process while maintaining native SAP security and authorizations.

Although Winshuttle products reside outside of the core SAP system, Transaction uses the SAP Remote Function Call (RFC) communication protocol to perform uploads and downloads. Transaction uploads data to the SAP system by first creating a SHUTTLE file (.TxR) recording of the SAP Transaction, then by mapping the SAP data fields to Excel fields, and finally by running the SHUTTLE file to load the Excel or Access data into the SAP Transaction. A secure connection is established with the SAP system using the user's SAP logon, both while creating the SHUTTLE file recording and when running the SHUTTLE file to load data.

Transaction protects SAP Transactional data in a manner that meets regulatory compliance requirements such as Sarbanes-Oxley (SOX) by preserving SAP's role-based security. For SAP, this ensures that data management is performed by authorized users only, on a least-privileged access basis.

Winshuttle Security Architecture


The Winshuttle security architecture uses the SAP RFC API (librfc) to connect Microsoft Office Excel or a Web form to the SAP Business Suite. The SAP RFC API interacts with the application layer of the SAP system using the SAP RFC communication protocol.


Figure 1: Winshuttle Security Architecture

Using the RFC API, Transaction issues a single function call to SAP at runtime to enable synchronous communication between Transaction and the SAP server. In this case, the receiving SAP system must be active and able to accept and process RFC calls. For more information about the SAP RFC API, go to: http://help.sap.com/saphelp_nw04/helpdata/en/22/04280f488911d189490000e829fbbd/content.htm

Winshuttle Transaction Security Workflow


To perform user-enabled data loading, it is critical to apply the proper controls, security, and workflows so that SAP Transactional data is fully protected end-to-end. A data governance best practice is to require that any software integrated with SAP to perform data loads be SAP-certified. Tested by SAP, Winshuttle Transaction has received the "Powered by SAP NetWeaver" and "SAP Certified Integration" certifications. Transaction works natively with SAP security technology and uses standard SAP authorization profiles to restrict user access, preserving SAP security standards at all times. With Transaction, there are no back doors.

Figure 2 demonstrates the security workflow that Transaction uses to log on to the SAP system and communicate with SAP via the RFC communication protocol to perform uploads and downloads.


Figure 2: Transaction security workflow

1. When the Transaction user logs on, they are authenticated using their credentials from the SAP server as if they are logging on to the SAP server using SAP GUI.

2. The Transaction user requires RFC authorization in SAP to allow remote access to SAP functions. User RFC authorization is controlled by the SAP authorization object S_RFC. See the Transaction Authorization Requirements section below for more information.

3. The user's SAP system credentials provide the authorization to run Transaction with a specific SAP Transaction. This ensures that the Transaction user can transfer data only to the SAP Transactions to which the user is authorized. For example, in order to create additional master records, the user must be authorized to run the MM01 Transaction. In addition, Winshuttle's Central product enables SAP system administrators to establish fine-grained control of usage for Transaction users. See the Central section below for more information.


4. Transaction reads data from one or several Excel files or Access tables, converts the data from its source format to the SAP target format, and performs an RFC CALL Transaction function in SAP. If the Transaction cannot be finished due to a lack of required data, data inconsistencies, or for any technical reason, SAP rolls back the Transaction in a way similar to a manual Transaction update.

5. When the CALL Transaction is completed, either a success or failure message is passed from SAP to Transaction. Transaction writes the messages returned by SAP for each CALL Transaction back into the Excel file or Access table.

Other Transaction Security Features


In addition to the Transaction security workflow described above, Transaction provides other security features and products, such as:

Winshuttle Runner: Runner allows any authorized SAP user to securely manage SAP business processes using predefined Transaction templates and query files, which are built using Winshuttle's other products, Transaction and QUERY. With Runner, a user can move data, and any errors in the data are immediately flagged in the Excel file and can be easily corrected and reprocessed.

SHUTTLE file Locking: When a SHUTTLE file is created, the user has the option to set up a password to protect the file from unauthorized access. When a SHUTTLE file is password-protected, the user must type in the password each time in order to edit the file.

Automatic Backup Copies: Transaction can automatically store a backup copy of the current SAP data to an Excel worksheet or Access table prior to loading data with the SHUTTLE file. This copy can be used to undo mass data change mistakes and to provide a complete before-and-after audit trail.

Logging and Reporting: SAP maintains an audit trail for all Transaction changes and updates, just as it does for manual input. In addition, Transaction maintains an activity log at a summary level for each run on either the user's computer or on a network share. The activity log can be viewed by using the Transaction Log Viewer. The Log Viewer lists each of the stored SHUTTLE file log files, including SHUTTLE file name, date and time of the run, SAP system, run reason, number of records processed, and number of errors identified.

Winshuttle Central: Central delivers the controls, security and traceability that enable enterprises to deploy Winshuttle's data solutions across the organization. In addition to using the standard SAP controls, security profiles and audit trails, Central provides added controls and auditing for the interaction of Winshuttle's products with the SAP Business Suite. Central provides this functionality using the Microsoft SharePoint framework, providing native integration to Microsoft technologies including Active Directory, Excel, and Access. Central offers the ideal integration and control point between the Winshuttle, SAP, and Microsoft product families.

SAP BAPI Support: Winshuttle Direct for SAP BAPI allows a technical user to access relevant BAPIs from the BOR and map the fields to a Microsoft Excel spreadsheet, easily creating a SHUTTLE file that can act as a template for any SAP business process.


Transaction Authorization Requirements


Transaction Authorization via SAP GUI:
Transaction cannot run a Transaction if you cannot run that Transaction in the SAP GUI. If you do not have access to a particular Transaction, please obtain authorization for it before you record or run that Transaction in Transaction.

Remote Function Calls (RFC) Authorization:


Transaction makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with Transaction.

For the S_RFC Authorization Object:


Field RFC_TYPE: Value FUGR (function group)
Field ACTVT: Value 16 (execute) or *
Field RFC_NAME: the values listed below

The following values are required for running shuttle files:


SYST, SRFC, SUSO, RFC1, RFCH, SBDC, ATSV, STTF, SDTX

The following additional values are required for recording shuttle files:

SBDR, SCAT, STTM, SDTX

Table Level Authorizations:


Transaction can retrieve logs, extended comments, field descriptions, and messages during the debug process. For this, the user must have access to a few tables. Table-level access is controlled by the authorization object S_TABU_DIS. Transaction needs access to these tables: T100, TFDIR, DD03L, DD04L, TSTCT, D020T, and DD03M. To enable this access, please set up the following authorization:

Authorization Object: S_TABU_DIS


Field Authorization Group (DICBERCLS) = SS, &NC&
Field Activity (ACTVT) = 03 (Display only)
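
The following is an added example, not part of the Winshuttle paper or product: a small Python audit that compares a role's authorizations against the S_RFC and S_TABU_DIS values listed above, reporting values that are missing and values that are wider than the paper requires. The role export format, the sample role and the function names are assumptions made for illustration, and the role is assumed to be dedicated to Transaction use.

```python
# Required values copied from the "Transaction Authorization Requirements" section.
RUN_GROUPS = {"SYST", "SRFC", "SUSO", "RFC1", "RFCH", "SBDC", "ATSV", "STTF", "SDTX"}
RECORD_EXTRA = {"SBDR", "SCAT", "STTM", "SDTX"}

# Constructed sample role (hypothetical export format: object -> field -> values).
SAMPLE_ROLE = {
    "S_RFC": {
        "RFC_TYPE": ["FUGR"],
        "ACTVT": ["16"],
        "RFC_NAME": ["SYST", "SRFC", "SUSO", "RFC*", "SBDC", "ATSV", "STTF", "SDTX"],
    },
    "S_TABU_DIS": {"DICBERCLS": ["SS"], "ACTVT": ["03", "02"]},
}


def covers(granted, needed):
    """SAP-style match: exact value, '*', or a trailing-'*' prefix pattern."""
    return any(g == needed or (g.endswith("*") and needed.startswith(g[:-1]))
               for g in granted)


def audit(role, recording=False):
    """Return (missing, excess) as lists of 'OBJECT/FIELD=value' strings.

    missing: values the paper requires that no granted value covers.
    excess:  granted values outside the required set (wildcards, extra
             activities). The paper accepts '*' as an alternative, so excess
             entries are findings for a reviewer, not errors.
    """
    rfc_names = RUN_GROUPS | (RECORD_EXTRA if recording else set())
    required = [
        ("S_RFC", "RFC_TYPE", {"FUGR"}),
        ("S_RFC", "ACTVT", {"16"}),
        ("S_RFC", "RFC_NAME", rfc_names),
        ("S_TABU_DIS", "DICBERCLS", {"SS", "&NC&"}),
        ("S_TABU_DIS", "ACTVT", {"03"}),
    ]
    missing, excess = [], []
    for obj, field, needed in required:
        granted = role.get(obj, {}).get(field, [])
        missing += [f"{obj}/{field}={v}" for v in sorted(needed) if not covers(granted, v)]
        excess += [f"{obj}/{field}={g}" for g in granted if g not in needed]
    return missing, excess


if __name__ == "__main__":
    for mode in (False, True):
        print("recording" if mode else "running", audit(SAMPLE_ROLE, recording=mode))
```

For the sample role, the run-only audit reports the missing &NC& authorization group and flags the RFC* pattern and the extra table activity 02 as wider than the listed values.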

GUI Scripting Authorizations:


In addition to RFC calls, Transaction also provides access to the SAP system using the SAP GUI Scripting mode. Users can check that they have the correct authorizations in SAP from within the Transaction UI.


Summary
Loading data into and extracting data from your SAP system is a critical activity that requires the proper controls, security and workflows. In order to be adequately protected, it is best to use existing security profiles and controls. Additionally, Governance, Risk and Compliance (GRC) best practices require complete traceability of these activities.

Winshuttle is the ERP Usability Company, providing software products that enable business users to work with SAP directly from Excel, Web forms and other interfaces without any programming. Winshuttle focuses on a simple fact: when using SAP applications, time is money. Winshuttle's usability solutions radically accelerate SAP user Transactions, saving and redirecting millions of dollars for SAP's customers every day. These financial benefits are achieved by significantly reducing employee and contractor costs and increasing resources to address more strategic priorities. Hundreds of customers use Winshuttle to make their SAP lives easier. Headquartered in Bothell, Washington, Winshuttle has offices in the United Kingdom, France, Germany, and India. For more information, visit www.winshuttle.com.

Corporate Headquarters
Bothell, WA Tel + 1 (800) 711-9798 Fax + 1 (425) 527-6666 www.winshuttle.com

United Kingdom

London, U.K. Tel +44 (0) 208 704 4170 Fax +44 (0) 208 711 2665 www.winshuttle.co.uk

Germany

Bremerhaven, Germany Tel +49 (0) 471 140840 Fax +49 (0) 471 1701902 www.winshuttle-software.de

France

Maisons-Alfort, France Tel +33 (0) 148 937 171 Fax +33 (0) 143 683 768 www.winshuttle.fr

India

Research & Development Chandigarh, India Tel +91 (0) 172 465 5941 www.winshuttle.in

