
PUBLIC

2019-06-27

SAP Master Data Governance Security Guide


© 2019 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN


Content

1 SAP Master Data Governance Security Guide [page 4]
2 Introduction [page 5]
3 Before You Start [page 7]
4 Technical System Landscape [page 8]
5 User Management and Authentication [page 9]
5.1 User Administration [page 9]
5.2 User Data Synchronization [page 11]
5.3 Integration into Single Sign-On Environments [page 11]
6 Authorizations [page 13]
7 Network and Communication Security [page 14]
7.1 Communication Channel Security [page 14]
7.2 Network Security [page 15]
7.3 Communication Destinations [page 15]
7.4 Use of Virus Scanners [page 16]
8 Data Storage Security [page 17]
9 Enterprise Services Security [page 18]
10 Security-Relevant Logs and Tracing [page 19]
11 Segregation of Duties [page 20]
12 Authorization Objects and Roles Used by SAP Master Data Governance [page 22]
12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing [page 22]
    MDC_PROOT [page 24]
    MDC_PFILT [page 26]
    MDC_MASS [page 26]
    MDC_ADMIN [page 27]
    MDC_LOAD [page 28]
    MDC_MASSBS [page 29]
12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30]
    Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 32]
    Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 34]
    Master Data Governance for Customer (CA-MDG-APP-CUS) [page 36]
    Master Data Governance for FI Contract Account (CA-MDG-APP-CA) [page 39]
    Master Data Governance for Material (CA-MDG-APP-MM) [page 40]
    Master Data Governance for Financials (CA-MDG-APP-FIN) [page 42]
    Master Data Governance for Custom Objects (CA-MDG-COB) [page 43]
13 Change Settings of Generated MDG Database Tables [page 45]
14 Deletion of Personal Data in Master Data Governance [page 46]
15 Read Access Logging (RAL) in MDG [page 49]

1 SAP Master Data Governance Security Guide

The following guide covers the information that you require to operate SAP Master Data Governance securely.
To make the information more accessible, it is divided into a general part, containing information relevant for all
components, and a separate part containing information specific to individual components.

2 Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants
● Security consultants
● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle,
whereas the Security Guide provides information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. These demands on security apply likewise to Master Data Governance. To assist you in
securing Master Data Governance, we provide this Security Guide.

Since Master Data Governance is based on and uses SAP NetWeaver technology, it is essential that you consult
the Security Guide for SAP NetWeaver on the SAP Help Portal.

Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start [page 7]
This section contains information about why security is necessary, how to use this document, and
references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape [page 8]
This section provides an overview of the technical components and communication paths that are used by
Master Data Governance.
● User Management and Authentication [page 9]
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management

○ User types that are required by Master Data Governance
○ Standard users that are delivered with Master Data Governance
○ Overview of the user synchronization strategy
○ Overview of how integration into Single Sign-On environments is possible
● Authorizations [page 13]
This section provides an overview of the authorization concept that applies to Master Data Governance.
● Network and Communication Security [page 14]
This section provides an overview of the communication paths used by Master Data Governance and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level.
● Data Storage Security [page 17]
This section provides an overview of any critical data that is used by Master Data Governance and the
security mechanisms that apply.
● Enterprise Services Security [page 18]
This section provides an overview of the security aspects that apply to the enterprise services delivered
with Master Data Governance.
● Security-Relevant Logs and Tracing [page 19]
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.

3 Before You Start

Use

This table contains the most important SAP Notes concerning the security of Master Data Governance.

Title | SAP Note | Comment
Code injection vulnerability in UAC_ASSIGNMENT_CONTROL_TEST | 1493809 | MDG and XBRL
Data can be displayed without authorization | 1489976 | MDG (Financial Master Data Governance, CA-MDG-APP-FIN)

4 Technical System Landscape

For information about the technical system landscape, see the sources listed in the table below.

Subject | Guide/Tool | Quick Link to SAP Help Portal
Technical description of Master Data Governance and the underlying technical components, such as SAP NetWeaver | Master Guide | SAP Help Portal: SAP Master Data Governance
High availability | High Availability for SAP Solutions | http://sdn.sap.com/irj/sdn/ha
Design of technical landscape | See available documents | http://sdn.sap.com/irj/sdn/landscapedesign
Security | See available documents | http://sdn.sap.com/irj/sdn/security

 Note

If you intend to use a portal in your landscape, ensure that the embedding enterprise portal frame has the
same domain as the embedded Web Dynpro application.

To check the settings, call up the technical help in the Web Dynpro application (right-click, then
select Technical Help). On the Browser tab, check whether the Parent window is accessible indicator is set.

5 User Management and Authentication

Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver
platform, and in particular of SAP NetWeaver Application Server. Therefore, the security recommendations and
guidelines for user management and authentication that are described in the SAP NetWeaver Application Server
for ABAP Security Guide also apply to Master Data Governance.

In addition to these guidelines, we also supply information on user management and authentication that is
especially applicable to Master Data Governance in the following sections:

● User Administration [page 9]
This section details the user management tools, the required user types, and the standard users that are
supplied with Master Data Governance.
● User Data Synchronization [page 11]
The components of Master Data Governance can use user data together with other components. This
section describes how the user data is synchronized with these other sources.
● Integration into Single Sign-On Environments [page 11]
This section describes how Master Data Governance supports single sign-on-mechanisms.

5.1 User Administration

Master Data Governance user management uses the mechanisms provided by SAP NetWeaver Application
Server for ABAP, such as tools, user types, and the password concept. For an overview of how these
mechanisms apply for Master Data Governance, see the sections below. In addition, we provide a list of the
standard users required for operating components of Master Data Governance.

User Administration Tools

The following table shows the user administration tools for Master Data Governance.

Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information on the authorization objects provided by the components of Master Data Governance, see the component-specific section.
Role maintenance with the profile generator for ABAP-based systems (transaction PFCG) | For more information on the roles provided by Master Data Governance, see the component-specific section.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems | For more information, see Central User Administration.
User Management Engine for SAP NetWeaver AS Java (UME) | Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as ABAP Engine. For more information, see User Management Engine.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy
may specify that individual users who perform tasks interactively have to change their passwords on a regular
basis, but not those users under which background processing jobs run.

User types required for Master Data Governance include, for example:

● Individual users
○ Dialog users
Dialog users are used for SAP GUI for Windows.
○ Internet users for Web applications
Same policies apply as for dialog users, but used for Internet connections.
● Technical users:
○ Service users are dialog users who are available for a large set of anonymous users (for example, for
anonymous system access via an ITS service).
○ Communication users are used for dialog-free communication between systems.
○ Background users can be used for processing in the background.

Standard Users

The following table shows the standard users that are necessary for operating Master Data Governance.

System | User ID | Type | Password | Additional Information
SAP Web Application Server | (sapsid)adm | SAP system administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Service (sapsid)adm | SAP system service administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | | See SAP NetWeaver security guide | SAP NetWeaver security guide
SAP Web Application Server | SAP Standard SAP Web Application Server Java Users | | See SAP NetWeaver security guide | SAP NetWeaver security guide
SAP ECC | SAP Users | Dialog users | Mandatory | The number of users depends on the area of operation and the business data to be processed.

 Note

We recommend that you change the passwords and IDs of users that were created automatically during the
installation.

5.2 User Data Synchronization

By synchronizing user data, you can reduce effort and expense in the user management of your system
landscape. Since Master Data Governance is based on SAP NetWeaver, you can use all of the mechanisms for
user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver Security Guide on
SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver.

 Note

You can use user data distributed across systems by replicating the data, for example in a central directory
such as LDAP.

5.3 Integration into Single Sign-On Environments

Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver
Application Server for ABAP technology. Therefore, the security recommendations and guidelines for user
management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master
Data Governance.

Master Data Governance supports the following mechanisms:

Secure Network Communication (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.

SAP Logon Tickets

Master Data Governance supports the use of logon tickets for SSO when using a Web browser as the front-end
client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial
SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an
authentication token. The user does not need to enter a user ID or password for authentication, but can access
the system directly once it has checked the logon ticket. For more information, see SAP Logon Tickets in the
Security Guide for SAP NetWeaver Application Server.

Client Certificates

As an alternative to user authentication using a user ID and password, users who use a Web browser as a front-
end client can also provide X.509 client certificates for authentication. In this case, user authentication
is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol). No passwords have to
be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For
more information about available authentication mechanisms, see SAP Library for SAP NetWeaver under User
Authentication and Single Sign-On.

6 Authorizations

Master Data Governance uses the authorization concept of SAP NetWeaver Application Server ABAP.
Therefore, the security recommendations and guidelines for authorizations that are described in the Security
Guide for SAP NetWeaver Application Server ABAP also apply to Master Data Governance. You can use
authorizations to restrict the access of users to the system, and thereby protect transactions and programs
from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users
based on roles. For role maintenance in SAP NetWeaver Application Server ABAP, use the profile generator
(transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the
User Management Engine (UME). You can define user-specific menus using roles.

 Note

For more information about creating roles, see Role Administration.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.

For a list of the standard roles and authorization objects used by components of Master Data Governance, see
the section of this document relevant to each component.

 Note

Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet
your requirements.

Authorizations for Customizing Settings

You can use Customizing roles to control access to the configuration of Master Data Governance in the SAP
Customizing Implementation Guide (IMG).

7 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized access. A well-
defined network topology can eliminate many security threats based on software flaws (at both the operating
system and application level) or network attacks such as eavesdropping. If users cannot log on to your
application or database servers at the operating system or database layer, then there is no way for intruders to
compromise the devices and gain access to the backend system’s database or files. Additionally, if users are
not able to connect to the server LAN (local area network), they cannot exploit known bugs and security holes
in network services on the server machines.

The network topology for Master Data Governance is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to Master Data Governance. Details that relate directly to SAP ERP Central Component are
described in the following sections:

● Communication Channel Security [page 14]
This section contains a description of the communication channels and protocols that are used by the
components of Master Data Governance.
● Network Security [page 15]
This section contains information on the network topology recommended for the components of Master
Data Governance. It shows the appropriate network segments for the various client and server
components and where to use firewalls for access protection. It also contains a list of the ports required for
operating the subcomponents of Master Data Governance.
● Communication Destinations [page 15]
This section describes the data needed for the various communication channels, for example, which users
are used for which communications.

7.1 Communication Channel Security

Communication channels transfer a wide variety of different business data that needs to be protected from
unauthorized access. SAP makes general recommendations and provides technology for the protection of your
system landscape based on SAP NetWeaver.

The table below shows the communication channels used by Master Data Governance, the protocol used for
the connection, and the type of data transferred.

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to application of a third-party administrator | HTTP(S) | Application data | For example, passwords, business data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP
connections are protected using the Secure Sockets Layer protocol (SSL protocol).

 Recommendation

We strongly recommend that you use secure protocols (SSL, SNC).

7.2 Network Security

Since Master Data Governance is based on SAP NetWeaver technology, for information about network security,
see the corresponding sections of the SAP NetWeaver Security Guide at http://help.sap.com > Technology
Platform > SAP NetWeaver > Release/Language > SAP NetWeaver Security Guide > Network and
Communication Security > Network Services:

If you provide services in the Internet, you should protect your network infrastructure with a firewall at least.
You can further increase the security of your system or group of systems by placing the groups in different
network segments, each of which you then protect from unauthorized access by a firewall. You should bear in
mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one
of your systems.

Ports

Master Data Governance is executed in SAP NetWeaver and uses the ports of AS ABAP or AS Java. For more
information, see the corresponding security guides for SAP NetWeaver in the topics for AS ABAP Ports and AS
Java Ports. For information about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see
the document TCP/IP Ports Used by SAP Applications in SAP Developer Network at
http://sdn.sap.com/irj/sdn/security under Infrastructure Security > Network and Communications Security.

7.3 Communication Destinations

The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore
follow the security rules below when communicating between systems:

● Employ the user types system and communication.
● Grant a user only the minimum authorizations.

 Note

For information on authorization objects, see Authorization Objects and Roles Used by SAP Master
Data Governance [page 22].

● Choose a secure password and do not divulge it to anyone else.
● Only store user-specific logon data for users of type system and communication.
● Wherever possible, use trusted system functions instead of user-specific logon data.
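The rules in sections 7.1 and 7.3 (secure protocols, technical user types only, least privilege, trusted-system access instead of stored logon data) can be checked mechanically across a landscape. The following is an added example, not SAP code and not a reader of SAP's destination tables: it audits a list of destination records against those rules. The record layout, destination names, user IDs and authorization labels are constructed for the demonstration.

```python
"""Audit system-to-system destinations against the rules of sections 7.1 and
7.3 of the guide: protect RFC with SNC and HTTP with SSL, store logon data only
for users of type system or communication, prefer trusted-system access over
stored logon data, and grant the stored user only the minimum authorizations.

Added example, not SAP code. The destination records, user IDs and
authorization labels below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# User types the guide allows for stored logon data (section 7.3)
TECHNICAL_USER_TYPES = {"SYSTEM", "COMMUNICATION"}


@dataclass(frozen=True)
class Destination:
    name: str
    protocol: str                # "RFC" or "HTTP"
    encrypted: bool              # SNC active for RFC, SSL active for HTTP
    stored_user: Optional[str]   # user ID stored in the destination, None if no logon data is stored
    user_type: Optional[str]     # type of the stored user: DIALOG, SYSTEM, COMMUNICATION, ...
    trust_available: bool        # a trusted-system relationship could replace the stored logon data
    granted: FrozenSet[str]      # authorizations the stored user holds (constructed labels)
    required: FrozenSet[str]     # authorizations the integration actually needs


def audit_destination(d: Destination) -> List[str]:
    """Return one finding per violated rule; an empty list means the destination complies."""
    findings: List[str] = []
    if not d.encrypted:
        protection = "SNC" if d.protocol == "RFC" else "SSL"
        findings.append(f"{d.name}: {d.protocol} channel is not protected by {protection}")
    if d.stored_user is not None:
        if d.user_type not in TECHNICAL_USER_TYPES:
            findings.append(
                f"{d.name}: logon data stored for {d.stored_user} of type {d.user_type}; "
                "only SYSTEM or COMMUNICATION users may be stored"
            )
        if d.trust_available:
            findings.append(f"{d.name}: trusted-system access is available but stored logon data is used")
        excess = d.granted - d.required
        if excess:
            findings.append(f"{d.name}: {d.stored_user} holds more than the minimum authorizations: {sorted(excess)}")
    return findings


def audit_all(destinations: List[Destination]) -> Dict[str, List[str]]:
    """Map destination name -> findings for every destination in the list."""
    return {d.name: audit_destination(d) for d in destinations}


# Constructed sample landscape: one compliant destination, one with several
# violations, and one that should move to a trusted-system relationship.
SAMPLE_DESTINATIONS = [
    Destination("MDG_HUB_TO_ERP", "RFC", True, "MDG_RFC_COMM", "COMMUNICATION", False,
                frozenset({"MDG_REPLICATE"}), frozenset({"MDG_REPLICATE"})),
    Destination("LEGACY_LOAD", "RFC", False, "JSMITH", "DIALOG", False,
                frozenset({"MDG_LOAD", "MDG_ADMIN"}), frozenset({"MDG_LOAD"})),
    Destination("PORTAL_SRV", "HTTP", True, "PORTAL_COMM", "COMMUNICATION", True,
                frozenset({"MDG_DISPLAY"}), frozenset({"MDG_DISPLAY"})),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DESTINATIONS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feeding the check from a real landscape means exporting the destination definitions and the user master records of the stored users into the Destination records; the rule logic itself does not change.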

7.4 Use of Virus Scanners

If you upload files from application servers into Master Data Governance and you want to use a virus scanner,
a virus scanner must be active on each application server. For more information, see SAP Note 964305
(solution A).

 Note

● Work through the Customizing activities in the Implementation Guide under the Virus Scan Interface
node.
● When doing this, use the virus scan profile /MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered
for Master Data Governance.

When you upload files from the front end into Master Data Governance, the system uses the configuration you
defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For more information, see SAP Note 1693981.

8 Data Storage Security

Use

Using Logical Paths and File Names to Protect Access to the File System

Master Data Governance saves data in files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). This is achieved by specifying logical paths and file names in the system that
map to the physical paths and file names. This mapping is validated at runtime and if access is requested to a
directory that does not match a stored mapping, then an error occurs. In the application-specific part of this
guide, there is a list for each component of the logical file names and paths, where it is specified for which
programs these file names and paths apply.

Activating the Validation of Logical Paths and File Names

The logical paths and file names are entered in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.
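The mechanism described above, a logical name that maps to a physical directory, with the resolved path validated at runtime so that a request cannot escape the mapped directory, is small enough to show end to end. The following is an added example, not SAP code and not the implementation behind transactions FILE and SF01: the logical names, directories and file name templates are constructed, and the placeholder substitution is a simplified stand-in for the real mapping's parameters. The validate flag mirrors the guide's point that validation is off by default and must be activated.

```python
"""Resolve a logical file name to a physical path and validate that the result
stays inside the directory the logical path maps to, rejecting directory
traversal. This models the mechanism of section 8 (logical paths and file
names maintained with transactions FILE and SF01, validated at runtime).

Added example, not SAP code. The logical names, directories and file name
templates below are constructed; the parameter substitution is a simplified
stand-in for the placeholders of the real mapping.
"""
import posixpath
from typing import Dict, Tuple

# Constructed: logical path -> physical directory
LOGICAL_PATHS: Dict[str, str] = {
    "MDG_UPLOAD": "/usr/sap/MDG/upload",
    "MDG_EXPORT": "/usr/sap/MDG/export",
}

# Constructed: logical file name -> (logical path, physical file name template)
LOGICAL_FILES: Dict[str, Tuple[str, str]] = {
    "MDG_IMPORT_FILE": ("MDG_UPLOAD", "<PARAM_1>.csv"),
    "MDG_EXPORT_FILE": ("MDG_EXPORT", "export_<PARAM_1>.xml"),
}


class LogicalFileError(Exception):
    """Raised when no mapping exists or the resolved path leaves the mapped directory."""


def _inside(directory: str, path: str) -> bool:
    """True if path equals directory or lies below it; the caller has already normalized path."""
    directory = posixpath.normpath(directory)
    return path == directory or path.startswith(directory + "/")


def resolve_physical_path(logical_file: str, param: str, validate: bool = True) -> str:
    """Return the physical path for a logical file name.

    With validate=True (the setting the guide tells you to activate) any result
    outside the mapped directory raises LogicalFileError. With validate=False,
    the default for downward compatibility, the path is returned unchecked,
    which is exactly what a traversal attempt relies on.
    """
    if logical_file not in LOGICAL_FILES:
        raise LogicalFileError(f"no mapping stored for logical file name {logical_file}")
    logical_path, template = LOGICAL_FILES[logical_file]
    directory = LOGICAL_PATHS[logical_path]
    # normpath collapses '..' segments; posixpath.join discards the directory if
    # the substituted name is absolute, so both traversal styles end up outside
    physical = posixpath.normpath(posixpath.join(directory, template.replace("<PARAM_1>", param)))
    if validate and not _inside(directory, physical):
        raise LogicalFileError(f"{physical} is outside {directory} (logical path {logical_path})")
    return physical


if __name__ == "__main__":
    print(resolve_physical_path("MDG_IMPORT_FILE", "suppliers_2019"))
    try:
        resolve_physical_path("MDG_IMPORT_FILE", "../../../../etc/passwd")
    except LogicalFileError as err:
        print("rejected:", err)
```

The check is done on the normalized string, not on the live file system, so it behaves the same whether or not the target exists; a production implementation would additionally resolve symbolic links before comparing.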

More Information

● Logical File Names
● Protecting Access to the File System
● Security Audit Logs

For information about data storage security, see the SAP NetWeaver Security Guide at http://help.sap.com >
SAP NetWeaver > Release/Language > SAP NetWeaver Library > Administrator's Guide > NetWeaver
Security Guide > Security Guides for the Operating System and Database Platforms

9 Enterprise Services Security

The following section in the NetWeaver Security Guide is relevant for Master Data Governance:

● Recommended WS Security Scenarios

10 Security-Relevant Logs and Tracing

The trace and log files of Master Data Governance use the standard mechanisms of SAP NetWeaver. For more
information, see the relevant sections in the SAP NetWeaver Security Guide.

Related Information

● Auditing and Logging
● Tracing and Logging

11 Segregation of Duties

Use

Segregation of duties can be achieved by assigning roles to users and in addition by a strict separation of the
user groups for the workflow.

Activities

Assigning Roles to Users

You can assign roles to a user using the following transactions:

● User Maintenance (transaction SU01)
Use this transaction to assign one or more roles to one user.
● Role Maintenance (transaction PFCG)
Use this transaction to assign one or more users to one role.

Separating User Groups for the Workflow

Depending on the component of Master Data Governance you intend to configure, use the following
Customizing activities to separate the user groups:

● MDG-M, MDG-F
Run the Customizing activity under Master Data Governance > Central Governance > General Settings >
Process Modeling > Workflow > Rule-Based Workflow > Configure Rule-Based Workflow.
For further information, see:
○ Configuring Master Data Governance for Material
○ Configuring Master Data Governance for Financials
● MDG-S
Run the Customizing activity under Master Data Governance > Central Governance > Master Data
Governance for Supplier > Workflow > Assign Processor to Change Request Step Number in BRFplus for
Supplier.
For further information, see Configuring Master Data Governance for Supplier.
● MDG-C
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Other MDG Workflows > Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance > Central Governance > Master Data Governance for Customer > Workflow >
Assign Processor to Change Request Step Number in BRFplus for Customer
For further information, see Configuring Master Data Governance for Customer.
● MDG-BP
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Other MDG Workflows > Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Rule-Based Workflow > Configure Rule-Based Workflow
For further information, see Configuring Master Data Governance for Business Partner.
● MDG-FICA
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Other MDG Workflows > Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance > Central Governance > General Settings > Process Modeling > Workflow >
Rule-Based Workflow > Configure Rule-Based Workflow
For further information, see Configuring Master Data Governance for FI Contract Account.
For information about the corresponding roles, see the documents listed below:

● Authorization Objects Used by Master Data Governance [page 30]
● Supplier Master Data Governance (CA-MDG-APP-SUP) [page 34]
● Customer Master Data Governance (CA-MDG-APP-CUS) [page 36]
● Material Master Data Governance (CA-MDG-APP-MM) [page 40]
● Financial Master Data Governance (CA-MDG-APP-FIN) [page 42]
● Custom Objects (CA-MDG-COB) [page 43]
● Master Data Governance for FI Contract Account (CA-MDG-APP-CA) [page 39]

12 Authorization Objects and Roles Used by SAP Master Data Governance

This chapter provides information about authorization objects and roles used by:

● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30]
● Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing [page 22]

12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing

Authorization Objects

SAP MDG, consolidation and mass processing uses the authorization objects listed below.

Authorization Object Description

MDC_PROOT [page 24] Consolidation Root Permissions

MDC_PFILT [page 26] Consolidation Cluster Permissions

MDC_MASS [page 26] Mass Update Permissions

MDC_ADMIN [page 27] Administrative permissions

MDC_LOAD [page 28] Load Permissions

MDC_MASSBS [page 29] Mass Maintenance Permissions

B_BUPA_RLT Business Partner: BP Roles

B_BUPA_GRP Business Partner: Authorization Groups

S_BGRFC Authorization Object for NW bgRFC

M_MATE_MAR Material Master: Material Types

M_MATE_MAT Material Master: Materials

M_MATE_WGR Material Master: Material Groups

B_BUPR_BZT Business Partner Relationships: Relationship Categories


C_KLAH_BKL Authorization for Classification

C_TCLA_BKA Authorization for Class Types

C_TCLS_BER Authorization for Org. Areas in Classification System

C_TCLS_MNT Authorization for Characteristics of Org. Area

F_KNA1_BED Customer: Account Authorization

F_KNA1_GEN Customer: Central Data

F_LFA1_BEK Vendor: Account Authorization

F_LFA1_GEN Vendor: Central Data

 Caution

To use SAP MDG, consolidation and mass processing in combination with the functions of SAP MDG, central
governance, see the required authorization objects in the documents listed below:

● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30]
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 32]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 34]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 36]

Standard Roles

Frontend Launchpad Role Name

SAP_MDC_BCR_BUPA_DATA_SPEC_T Business Partner Master Data Specialist

SAP_MDC_BCR_PROD_DATA_SPEC_T Material Master Data Specialist

SAP_MDC_BCR_MASTERDATA_ADMIN_T Master Data Administrator (Consolidation) - Apps

SAP_MDC_TCR_T SAP Role for MDG, Consolidation - Transactional Apps

Backend Authorization Role Name

SAP_MDC_ADMIN_APP_04 MDG, Consolidation and Mass Processing: Administrator

SAP_MDC_DISP_BP_APP_04 MDG, Consolidation and Mass Processing: Business Partner Display


SAP_MDC_SPEC_BP_APP_04 MDG, Consolidation and Mass Processing: Business Partner Specialist

SAP_MDC_DISP_BP_NONE_BS_APP_04 MDG, Consolidation and Mass Processing: Business Partner Non-SAP-BS Display

SAP_MDC_SPEC_BP_NONE_BS_APP_04 MDG, Consolidation and Mass Processing: Business Partner Non-SAP-BS Specialist

SAP_MDC_DISP_MM_APP_04 MDG, Consolidation and Mass Processing: Material Display

SAP_MDC_SPEC_MM_APP_04 MDG, Consolidation and Mass Processing: Material Specialist

SAP_MDC_ADMIN_CUSTOBJ_APP_04 MDG, Consolidation and Mass Processing: Custom Objects Administrator

SAP_MDC_DISP_CUSTOBJ_APP_04 MDG, Consolidation and Mass Processing: Custom Objects Display

SAP_MDC_SPEC_CUSTOBJ_APP_04 MDG, Consolidation and Mass Processing: Custom Objects Specialist

12.1.1 MDC_PROOT

Use

This document describes details of the authorization object MDC_PROOT.

Features

The activities listed below are assigned to the authorization object.

Activity Text Authorization

01 Create or generate Create consolidation process


02 Change Run consolidation process

The Start, Retry, Rollback, and Save buttons become active.

 Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

03 Display Display consolidation process

06 Delete Delete consolidation process

The Delete button becomes active.

31 Confirm Continue consolidation process after a process step has been executed

● The Continue button becomes active.
● If the process pauses at a check point, the Continue button stays active only if
the activity 31 Confirm is permitted.

 Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

36 Extended maintenance Adjust configuration within the process UI for the current process
The Adjust link is displayed.

37 Accept Continue consolidation process after a matching step that still contains open
match groups

● The Continue button becomes active.
● If the process pauses at a check point and still open match groups exist, the
Continue button stays active only if the activity 37 Accept is permitted.

 Caution
In addition, the activity 31 Confirm has to be permitted.

 Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

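As an added example (not from this guide and not SAP code), the following Python models the MDC_PROOT activity table above as a decision function, so a role review can see which process controls a given set of activity values unlocks and flag a 37 Accept grant that lacks its 31 Confirm prerequisite. The process-state fields, function names and the reading of the Start/Continue toggle are assumptions made for the example.

```python
"""Decision model for the MDC_PROOT activity table (constructed example).

The mapping of activities to controls follows the guide's table; the
ProcessState fields and the exact gating at a check point are an
interpretation of that text, not SAP's implementation.
"""
from dataclasses import dataclass

# Activity values of MDC_PROOT as listed in the guide.
CREATE, CHANGE, DISPLAY, DELETE, CONFIRM, EXT_MAINT, ACCEPT = (
    "01", "02", "03", "06", "31", "36", "37")

# Activities that presuppose another one: the guide states that for
# 37 Accept "the activity 31 Confirm has to be permitted" in addition.
PREREQUISITES = {ACCEPT: {CONFIRM}}


@dataclass(frozen=True)
class ProcessState:
    """Hypothetical state flags of one consolidation process."""
    started: bool            # Start is shown before, Continue after
    at_checkpoint: bool      # process is paused at a check point
    open_match_groups: bool  # matching step still has open match groups


def active_controls(granted: set[str], state: ProcessState) -> frozenset[str]:
    """Return the UI controls a user with these MDC_PROOT activities can use."""
    controls: set[str] = set()
    if CREATE in granted:
        controls.add("Create")
    if CHANGE in granted:
        # 02 Change activates Start, Retry, Rollback and Save; Start is only
        # displayed while the process has not started yet.
        controls.update({"Retry", "Rollback", "Save"})
        if not state.started:
            controls.add("Start")
    if DISPLAY in granted:
        controls.add("Display")
    if DELETE in granted:
        controls.add("Delete")
    if EXT_MAINT in granted:
        controls.add("Adjust")
    if state.started and CONFIRM in granted:
        # Continue needs 31 Confirm; at a check point with open match
        # groups it additionally needs 37 Accept.
        needs_accept = state.at_checkpoint and state.open_match_groups
        if not needs_accept or ACCEPT in granted:
            controls.add("Continue")
    return frozenset(controls)


def inconsistent_grants(granted: set[str]) -> set[str]:
    """Activities granted without their prerequisite (e.g. 37 without 31)."""
    return {act for act, reqs in PREREQUISITES.items()
            if act in granted and not reqs <= granted}


if __name__ == "__main__":
    # Constructed review input: a user holding Change and Accept but not Confirm.
    user_activities = {CHANGE, ACCEPT}
    paused = ProcessState(started=True, at_checkpoint=True, open_match_groups=True)
    print("active:", sorted(active_controls(user_activities, paused)))
    print("inconsistent:", inconsistent_grants(user_activities))
```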
12.1.2 MDC_PFILT

Use

This document describes details of the authorization object MDC_PFILT.

 Note

The authorization object is only relevant for consolidation processes.

To create a process, select a Data Source, which is a combination of Source System, Data Package, and a
Status.

Features

The attribute Source Filter MDC_FILTER is assigned to the authorization object. Depending on the permitted
value, the processes are displayed in the process list and the sources are displayed in the Sources dialog box
during process creation.

 Note

The attribute Source Filter of the authorization object corresponds to the field Data Package on the UI.

12.1.3 MDC_MASS

Use

This document describes details of the authorization object MDC_MASS.

Features

The activities listed below are assigned to the authorization object.

Activity Text Authorization

01 Create or generate Create mass processes


02 Change Run mass processes

The Start, Retry, Rollback and Save buttons become active.

 Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

03 Display Display mass processes

06 Delete Delete mass processes

The Delete button becomes active.

31 Confirm Continue or rollback mass processes after a process step has been executed.

The Continue button and the Rollback button become active.

 Caution
If the process pauses at a check point, the Continue button and the Rollback
button stay active only if the activity 31 Confirm is permitted.

 Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.

36 Extended maintenance Adjust configuration within the process UI for the current process
The Adjust link is displayed.

12.1.4 MDC_ADMIN

Use

This document describes details of the authorization object MDC_ADMIN.

Features

The activities listed below are assigned to the authorization object.


02 Change Change process parameters in the process UI like:

● Adapter for a process step
● Adapter Configuration
● Check Point
● Data Sources: Selection on Create screen
● Delete Source Data or Keep Source Data: Selection on Create screen

06 Delete Delete processes permanently.

 Note
Without this authorization a user cannot delete processes permanently but
can only mark processes for deletion.

 Note
As an alternative you can run the transaction MDC_ADMIN_DELETE in the
backend system to delete processes with an inconsistent status.

60 Import Run the report MDC_BP_TRANSFORM_SOURCE_DATA.

This report transforms customer and vendor data to business partner data during the data import.

12.1.5 MDC_LOAD

Use

This document describes details of the authorization object MDC_LOAD.

Features

The activities listed below are assigned to the authorization object.

Activity Text Authorization

01 Add or Create Create data import


02 Change Change parameters of data import

03 Display Display data import

06 Delete Delete data import

16 Execute Execute data import

61 Export Execute data export

12.1.6 MDC_MASSBS

Use

This document describes details of the authorization object MDC_MASSBS.

Features

The activities listed below are assigned to the authorization object.

Activity Text Authorization

01 Add or Create Create mass maintenance processes

02 Change Run mass maintenance processes

The Start, Retry, Rollback, and Save buttons become active.

 Note
Either the Start or the Continue button is displayed, depending on whether
the process has started or not.

03 Display Display mass maintenance processes

06 Delete Delete mass maintenance processes

The Delete button becomes active.


31 Confirm Continue or rollback mass maintenance processes after a process step has been
executed.

The Continue button and the Rollback button become active.

 Caution
If the process pauses at a check point, the Continue button and the Rollback
button stay active only if the activity 31 Confirm is permitted.

 Note
Either the Start or the Continue button is displayed, depending on whether
the process has started or not.

12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance

Authorization Objects

The following authorization objects are used by all components of Master Data Governance.

 Note

To obtain more detailed information about specific authorization objects, proceed as follows:

1. Choose SAP Menu Tools ABAP Workbench Development Other Tools Authorization
Objects Objects (Transaction SU21).
2. Select the authorization object using and then choose .
3. On the Display authorization object dialog box, choose Display Object Documentation.

Authorization Object Description

MDG_MDF_TR Master Data: Transport

MDG_IDM Key Mapping

USMD_CREQ Change Request

USMD_MDAT Master Data

USMD_MDATH Hierarchies


USMD_UI2 UI Configuration

DRF_RECEIVE Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

CA_POWL Authorization for iViews for personal object worklists

BCV_SPANEL Execute Side Panel

BCV_USAGE Usage of Business Context Viewer

MDG_DEF Data Export

MDG_DIF Data Import

S_DMIS Authority object for SAP SLO Data migration server

S_ARCHIVE Archiving

The following authorization field values are required to display archived change requests:

● ARCH_OBJ: USMD_CR
● APPLIC: CA
● ACTVT: DISPLAY

 Caution

For information about component specific authorization objects, see the corresponding sections:

● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 32]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 34]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 36]
● Master Data Governance for Material (CA-MDG-APP-MM) [page 40]
● Master Data Governance for Financial (CA-MDG-APP-FIN) [page 42]
● Master Data Governance for Custom Objects (CA-MDG-COB) [page 43]

Standard Role

Role Name

SAP_MDG_ADMIN Master Data Governance Administrator

This role contains authorizations needed for administrative tasks and for setting up a base configuration in all
components of Master Data Governance. Some authorizations enable critical activities. If multiple users in your
organization are entrusted with the administration and configuration of Master Data Governance, we
recommend that you split the role into several roles, each with its own set of authorizations. The role does not
contain the authorizations for the respective master data transactions.

Enterprise Search

To use Enterprise Search, users have to be assigned the role SAP_ESH_SEARCH (Enterprise Search Hub
(Composite): Authorizations for searching).

12.2.1 Master Data Governance for Business Partner (CA-MDG-APP-BP)

Use

Authorization Objects

Master Data Governance for Business Partner mainly uses the authorization objects of the business objects
Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the
authorization objects of the Data Replication Framework.

Authorization Object Description

B_BUPA_GRP Business Partner: Authorization Groups

 Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: Relationship Categories

B_CCARD Payment Cards

BCV_QUILST Overview

DC_OBJECT Data Cleansing

BCV_PERS Personalize BCV UI for Query View

BCV_QRYVW Query View

BCV_QUERY Query


BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHIP ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: Page Configuration

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Name

SAP_MDGBP_MENU_04 Master Data Governance for Business Partner: Menu

SAP_MDGBP_DISP_04 Master Data Governance for Business Partner: Display

SAP_MDGBP_REQ_04 Master Data Governance for Business Partner: Requester

SAP_MDGBP_SPEC_04 Master Data Governance for Business Partner: Specialist

SAP_MDGBP_STEW_04 Master Data Governance for Business Partner: Data Steward

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under http://
help.sap.com/fra .

For details on the address screening, see Address Screening.

12.2.2 Master Data Governance for Supplier (CA-MDG-APP-SUP)

Use

Authorization Objects

Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Vendor, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.

Authorization Object Description

B_BUPA_GRP Business Partner: Authorization Groups

 Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT Business Partner Relationships: Relationship Categories

DC_OBJECT Data Cleansing

F_LFA1_APP Vendor: Application Authorization

F_LFA1_BEK Vendor: Account Authorization

 Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.

F_LFA1_BUK Vendor: Authorization for Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Account Group Authorization

M_LFM1_EKO Purchasing organization in supplier master data

BCV_PERS Personalize BCV UI for Query View

BCV_QRYVW Query View


BCV_QUERY Query

BCV_QUILST Overview

BCV_QVWSNA Query View Snapshot

S_START Start Authorization Check for TADIR Objects

S_PB_CHIP ABAP Page Builder: CHIP

S_PB_PAGE ABAP Page Builder: Page Configuration

C_DRAD_OBJ Create/Change/Display/Delete Object Link

C_DRAW_DOK Authorization for document access

C_DRAW_STA Authorization for document status

C_DRAW_TCD Authorization for document activities

C_DRAW_TCS Status-Dependent Authorizations for Documents

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Name

SAP_MDGS_MENU_04 Master Data Governance for Supplier: Menu

SAP_MDGS_DISP_06 Master Data Governance for Supplier: Display

SAP_MDGS_REQ_06 Master Data Governance for Supplier: Requester

SAP_MDGS_SPEC_06 Master Data Governance for Supplier: Specialist

SAP_MDGS_STEW_04 Master Data Governance for Supplier: Data Steward

SAP_MDGS_VL_MENU_04 Master Data Governance for Supplier (ERP Vendor UI): Menu

SAP_MDGS_LVC_MENU_04 Master Data Governance for Supplier (Lean Request UI): Menu

SAP_MDGS_LVC_REQ_04 Master Data Governance for Supplier (Lean Request UI): Requester

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under http://
help.sap.com/fra .

For details on the address screening, see Address Screening.

12.2.3 Master Data Governance for Customer (CA-MDG-APP-CUS)

Use

Authorization Objects

Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Customer, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.

 Note

Depending on whether you use Master Data Governance for Customer on a hub system or on a client
system, a different set of authorization objects is required.

Authorization Object Description Hub System Client System

B_BUPA_GRP Business Partner: Authorization Groups x x
 Note
This authorization object is optional. You need to assign this
authorization object only if master data records are to be specifically protected.

B_BUPA_RLT Business Partner: BP Roles x x

B_BUPR_BZT Business Partner Relationships: Relationship Categories x x


B_CCARD Payment Cards x x

DC_OBJECT Data Cleansing x

F_KNA1_APP Customer: Application Authorization x x

F_KNA1_BED Customer: Account Authorization x x

 Note
This authorization object is optional. You do not need to assign
this authorization object if no master records are to be specifically protected.

F_KNA1_BUK Customer: Authorization for Company Codes x x

F_KNA1_GEN Customer: Central Data x x

F_KNA1_GRP Customer: Account Group Authorization x x

MDGC_LCOPY Copy Customer Master Data from MDG Hub — x

V_KNA1_BRG Customer: Account Authorization for Sales Areas x x

V_KNA1_VKO Customer: Authorization for Sales Organizations x x

BCV_PERS Personalize BCV UI for Query View x x

BCV_QRYVW Query View x x

BCV_QUERY Query x x

BCV_QUILST Overview x x

BCV_QVWSNA Query View Snapshot x x

S_START Start Authorization Check for TADIR Objects x x

S_PB_CHIP ABAP Page Builder: CHIP x x

S_PB_PAGE ABAP Page Builder: Page Configuration x x


C_DRAD_OBJ Create/Change/Display/Delete Object Link x x

C_DRAW_DOK Authorization for document access x x

C_DRAW_STA Authorization for document status x x

C_DRAW_TCD Authorization for document activities x x

C_DRAW_TCS Status-Dependent Authorizations for Documents x x

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Name

SAP_MDGC_MENU_04 Master Data Governance for Customer: Menu

SAP_MDGC_DISP_05 Master Data Governance for Customer: Display

SAP_MDGC_REQ_05 Master Data Governance for Customer: Requester

SAP_MDGC_SPEC_05 Master Data Governance for Customer: Specialist

SAP_MDGC_STEW_04 Master Data Governance for Customer: Data Steward

SAP_MDGC_CL_MENU_04 Master Data Governance for Customer (ERP Customer UI): Menu

SAP_MDGC_LCC_MENU_04 Master Data Governance for Customer (Lean Request UI): Menu

SAP_MDGC_LCC_REQ_04 Master Data Governance for Customer (Lean Request UI): Requester

If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for
Data Model and define which entity types and attributes are authorization relevant.

More Information

If you use the optional feature address screening, see the corresponding security guide under http://
help.sap.com/fra .

For details on the address screening, see Address Screening.

12.2.4 Master Data Governance for FI Contract Account (CA-MDG-APP-CA)

Use

Authorization Objects

Master Data Governance for FI Contract Account mainly uses the authorization objects of the business
object DRF_0036 Contract Account.

Authorization Object Description

F_KKVK_VKT FI-CA Contract Acct: Contract Acct Type Authorization

F_KKVK_BUK FI-CA Contract Account: Company Code Authorization

F_KKVK_BEG FI-CA Contract Account: Authorization Group

F_KKVK_FDG Contract Account: Authorization for Individual Field Groups

F_KK_LOCK FI-CA Processing Locks

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Name

SAP_MDGFICA_DISP Master Data Governance for Contract Account: Display

SAP_MDGFICA_REQ Master Data Governance for Contract Account: Requester

SAP_MDGFICA_SPEC Master Data Governance for Contract Account: Specialist

SAP_MDGFICA_STEW Master Data Governance for Contract Account: Data Steward

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

12.2.5 Master Data Governance for Material (CA-MDG-APP-MM)

Authorization Objects

Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for
example, the authorization objects of the Material Master and the Application Framework for Master Data
Governance.

Authorization Object Description

K_TP_VALU Transfer Price Valuations

M_MATE_MAF Material Master: Material Locks

M_MATE_MAT Material Master: Material

M_MATE_MAR Material Master: Material Type

M_MATE_WGR Material Master: Material Group

M_MATE_STA Material Master: Maintenance Status

M_MATE_MTA Material Master: Change Material Type

M_MATE_WRK Material Master: Plant

M_MATE_MAN Material Master: Central Data

M_MATE_NEU Material Master: Create

M_MATE_BUK Material Master: Company Codes

M_MATE_VKO Material Master: Sales Organization/Distribution Channel

M_MATE_LGN Material Master: Warehouse Numbers

C_KLAH_BKL Authorization for Classification

C_KLAH_BSE Authorization for Selection

C_TCLA_BKA Authorization for Class Types

C_DRAD_OBJ Create/Change/Display/Delete Object Link


C_DRAW_DOK Authorization for document access

C_DRAW_TCD Authorization for document activities

C_DRAW_TCS Status-Dependent Authorizations for Documents

C_DRAW_BGR Authorization for authorization groups

C_DRAW_STA Authorization for document status

C_FVER_WRK PP-PI: Production Version - Plant

DRF_RECEIV Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

PLM_SPUSR Superuser by Object Type

 Note
You need this authorization object for the object type
PLM_MAT only if the search object connector of SAP NetWeaver Enterprise Search is created for the following
Enterprise Search software components:

● PLMWUI
● Software components that include PLMWUI

For more information about SAP NetWeaver Enterprise Search, see SAP NetWeaver Enterprise Search.

C_AENR_BGR CC Change Master – Authorization Group

C_AENR_ERW CC Eng. Chg. Mgmt. Enhanced Authorization Check

C_AENR_RV1 CC Engineering change mgmt – revision level for material

BCV_QUILST Overview

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Name

SAP_MDGM_MENU_06 Master Data Governance for Material: Menu


SAP_MDGM_DISP_06 Master Data Governance for Material: Display

SAP_MDGM_REQ_06 Master Data Governance for Material: Requester

SAP_MDGM_SPEC_06 Master Data Governance for Material: Specialist

SAP_MDGM_STEW_06 Master Data Governance for Material: Data Steward

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

12.2.6 Master Data Governance for Financials (CA-MDG-APP-FIN)

Authorization Objects

Authorization Object Description

USMD_DIST Distribution

 Note
This authorization object is used if you have not activated business function MDG_FOUNDATION
(Switch: FIN_MDM_CORE_SFWS_EHP5).

USMD_EDTN Edition

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Roles

Role Description

SAP_MDGF_ACC_DISP_07 Master Data Governance for Financials: Accounting Display

SAP_MDGF_ACC_REQ_07 Master Data Governance for Financials: Accounting Requester


SAP_MDGF_ACC_SPEC_07 Master Data Governance for Financials: Accounting Specialist

SAP_MDGF_ACC_STEW_04 Master Data Governance for Financials: Accounting Data Steward

SAP_MDGF_CO_DISP_04 Master Data Governance for Financials: Controlling Display

SAP_MDGF_CO_REQ_06 Master Data Governance for Financials: Consolidation Requester

SAP_MDGF_CO_SPEC_04 Master Data Governance for Financials: Consolidation Specialist

SAP_MDGF_CO_STEW_04 Master Data Governance for Financials: Consolidation Data Steward

SAP_MDGF_CTR_DISP_04 Master Data Governance for Financials: Controlling Display

SAP_MDGF_CTR_REQ_06 Master Data Governance for Financials: Controlling Requester

SAP_MDGF_CTR_SPEC_04 Master Data Governance for Financials: Controlling Specialist

SAP_MDGF_CTR_STEW_04 Master Data Governance for Financials: Controlling Data Steward

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

12.2.7 Master Data Governance for Custom Objects (CA-MDG-COB)

Authorization Objects

You can use the following authorization objects for Master Data Governance for Custom Objects.

Authorization Object Description

USMD_DIST Replication

USMD_DM Data Model


USMD_EDTN Edition Type

 Caution

Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].

Standard Role

Role Name

SAP_MDGX_MENU_04 Master data governance for self-defined objects

SAP_MDGX_FND_SAMPLE_SF_05 Master Data Governance for Custom Objects - Flight Data Model (MDG 8.0)

If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.

13 Change Settings of Generated MDG Database Tables

Use

The SAP system generates database tables for the entities of all defined data models. The settings of these
database tables are the following:

● Buffering and log of data changes is switched on.
● Display and maintenance is allowed with restrictions.

Activities

To change these settings of generated MDG database tables run the transaction MDG_TABLE_ADJUST.

The results of the transaction are listed in the transaction SLG1 (Analyse Application Log), using Object FMDM
and Subobject ADJUST_TABLE.

 Caution

● You have to execute the transaction in each system manually.
● After a model activation it might be necessary to execute the transaction again.

More Information

For more information, see SAP Note 1828363.

14 Deletion of Personal Data in Master Data Governance

Use

For personal data processed in the Master Data Governance (MDG) application, you can use SAP
Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more
information, see the application help for SAP ERP at http://help.sap.com/erp2005_ehp_08 on the SAP Help
Portal under Application Help SAP Library SAP ERP Cross-Application Functions Cross-Application
Components Data Protection .

Relevant Application Object

Application Provided Deletion Functionality

MDG Change Requests Archiving object USMD_CR

For more information about the application object, see the application help for SAP Master Data Governance
on the SAP Help Portal at https://help.sap.com/mdg91 under Application Help SAP Master Data
Governance Deletion of Personal Data in Master Data Governance (MDG) Data Archiving in Master Data
Governance .

Configuration: Simplified Blocking and Deletion

● You configure the settings related to the blocking and deletion of business partner, customer, and supplier
master data in Customizing under Cross-Application Components Data Protection Deletion of Data
Deletion of Business Partner Data .
● For information on defining ILM rules, see the application help for SAP ERP at http://help.sap.com/
erp2005_ehp_08 on the SAP Help Portal under Application Help SAP Library SAP ERP Cross-
Application Functions Cross-Application Components SAP Information Lifecycle Management
Using ILM Retention Management in the Application System Editing ILM Policies Editing Retention
Rules .
● For information on defining End of Purpose checks, see the application help for SAP ERP at http://
help.sap.com/erp2005_ehp_08 on the SAP Help Portal under Application Help SAP Library SAP ERP
Cross-Application Functions Cross-Application Components Data Protection End of Purpose (EoP)
Check .

End of Purpose

Master Data Governance for Business Partner (MDG-BP), Master Data Governance for Supplier (MDG-S), and
Master Data Governance for Customer (MDG-C) are applications that provide a workflow-based governance
process for business partners. Within this process, the applications MDG-BP, MDG-S, and MDG-C do not store
business partners permanently. In all cases, MDG-BP, MDG-S, and MDG-C do not process business partners
with the end of purpose indicator assigned.

For Master Data Governance, consolidation and Master Data Governance, mass processing, we recommend
using only business partner records that are not selected for End of Purpose (EoP).

The MDG, consolidation application and the MDG, mass processing application do not process business
partners with the end of purpose indicator assigned.

For MDG, consolidation, we recommend deleting source data after the end of the consolidation process.

Storage of Personal Data

All Master Data Governance applications store data only temporarily.

Changes to Personal Data

The system logs changes to personal data using change documents.

In transaction BP, choose Extras > Change History For This Partner > Select Changed Fields.

In the Master Data Governance for Business Partner (MDG-BP), Master Data Governance for Supplier (MDG-S),
and Master Data Governance for Customer (MDG-C) applications, select a single business partner from the
result list and choose Change Documents to compare Old Value and New Value in the Change Documents table.

To get information on change documents for Master Data Governance, consolidation, you can use Track Mass
Changes.

Note

Change documents are a basic function provided by SAP NetWeaver.
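The two controls described in the End of Purpose and Changes to Personal Data sections above, shown together as an added Python illustration. This is constructed example code, not SAP MDG code and not the SAP NetWeaver change-document implementation; the in-memory record layout, the field names, the `eop_flag` indicator and the user names are assumptions made for the example. It shows an end-of-purpose gate that refuses to process a flagged business partner, a consolidation candidate filter that skips flagged partners, and change documents that record old value, new value, user and time for each field that actually changed.

```python
"""Constructed example: end-of-purpose (EoP) gate plus field-level change
documents for business partner records. Not SAP code; record layout, field
names and the eop_flag indicator are assumptions made for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeDocument:
    """One logged field change, mirroring the Old Value / New Value view."""
    partner_id: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    changed_by: str
    changed_at: str


class EndOfPurposeError(Exception):
    """Raised when a partner whose EoP indicator is set is offered for processing."""


class PartnerStore:
    """In-memory business partner store (assumed layout) that refuses EoP-flagged
    partners and writes a change document for every field whose value changes."""

    def __init__(self) -> None:
        self._partners: Dict[str, Dict[str, Optional[str]]] = {}
        self.change_documents: List[ChangeDocument] = []

    def create(self, partner_id: str, data: Dict[str, Optional[str]], user: str) -> None:
        if partner_id in self._partners:
            raise KeyError(f"partner {partner_id} already exists")
        self._partners[partner_id] = {"eop_flag": "", **data}
        # Creation is logged as a change from "no value" to the initial value.
        for field_name, value in data.items():
            self._log(partner_id, field_name, None, value, user)

    def update(self, partner_id: str, changes: Dict[str, Optional[str]], user: str) -> int:
        """Apply changes to a partner; returns the number of change documents written."""
        partner = self._partners[partner_id]
        self._assert_in_purpose(partner_id, partner)
        written = 0
        for field_name, new_value in changes.items():
            old_value = partner.get(field_name)
            if old_value == new_value:
                continue  # unchanged fields produce no change document
            self._log(partner_id, field_name, old_value, new_value, user)
            partner[field_name] = new_value
            written += 1
        return written

    def mark_end_of_purpose(self, partner_id: str, user: str) -> None:
        """Set the EoP indicator; the flag change itself is recorded as a change document."""
        self.update(partner_id, {"eop_flag": "X"}, user)

    def changed_fields(self, partner_id: str) -> List[ChangeDocument]:
        """All change documents for one partner, oldest first."""
        return [cd for cd in self.change_documents if cd.partner_id == partner_id]

    def consolidation_candidates(self, partner_ids: List[str]) -> List[str]:
        """Partners a consolidation or mass-processing run may use: EoP-flagged ones are skipped."""
        return [pid for pid in partner_ids if not self._partners[pid].get("eop_flag")]

    def _assert_in_purpose(self, partner_id: str, partner: Dict[str, Optional[str]]) -> None:
        if partner.get("eop_flag"):
            raise EndOfPurposeError(f"partner {partner_id} is flagged end of purpose")

    def _log(self, partner_id: str, field_name: str, old_value: Optional[str],
             new_value: Optional[str], user: str) -> None:
        self.change_documents.append(ChangeDocument(
            partner_id, field_name, old_value, new_value, user,
            datetime.now(timezone.utc).isoformat(timespec="seconds")))


def demo() -> Dict[str, object]:
    """Run the constructed scenario and return the observable results."""
    store = PartnerStore()
    store.create("BP0001", {"name": "Example AG", "city": "Berlin"}, user="ADMIN")
    store.create("BP0002", {"name": "Sample GmbH", "city": "Hamburg"}, user="ADMIN")
    # Only the city changes, so exactly one change document is written.
    written = store.update("BP0001", {"city": "Munich", "name": "Example AG"}, user="CLERK")
    store.mark_end_of_purpose("BP0002", user="DPO")
    try:
        store.update("BP0002", {"city": "Bremen"}, user="CLERK")
        blocked = False
    except EndOfPurposeError:
        blocked = True
    return {
        "written": written,
        "bp0001_docs": len(store.changed_fields("BP0001")),
        "candidates": store.consolidation_candidates(["BP0001", "BP0002"]),
        "blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The gate sits in `update`, so any write path that goes through the store is covered, and the EoP flag itself is set through the same path so that the blocking decision is visible in the change documents; the candidate filter is what a consolidation or mass-processing run would apply before touching any record.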

Read Access Logging for MDG

For information on Read Access Logging in MDG, see Read Access Logging (RAL) in MDG [page 49].

For generic information on Read Access Logging in SAP ERP, see also the Security Guide for SAP ERP on the
SAP Help Portal at http://help.sap.com/erp2005_ehp_08 under Security > Security Guide > SAP ERP
Central Component Security Guide > Data Protection > Read Access Logging.

Enhancements

● For Master Data Governance for Custom Objects, we do not recommend that you enhance personal data in
your own objects. If it is necessary, you must ensure that the enhanced data is archived and deleted to meet
the End of Purpose (EoP) goal.
● For Master Data Governance, central governance, we recommend using the backend tables of SAP-BP for
enhancements and enhancing the MDG data model accordingly.

15 Read Access Logging (RAL) in MDG

MDG enables read access logging for the following functions and interface types:

Data Replication Based on SOA

RAL Configuration                                 Description
MDG_MDC_BANK_DETAILS_OUT_WEB_SERVICES             Bank Details
MDG_MDC_PAYMENTCARD_OUT_WEB_SERVICES              Payment Card Details
MDG_MDC_BANK_DETAILS_IN_WEB_SERVICES              Bank Details
MDG_MDC_PAYMENTCARD_IN_WEB_SERVICES               Payment Card Details

WebDynpro for ABAP Application

RAL Configuration                                 Description
MDG_BP_BANK_ACCOUNT_WEB_DYNPRO                    Bank Details for Business Partner
MDG_BUSINESS_PARTNER_CARD_PCA_MASTER_WEB_DYNPRO   Payment Card Details
MDG_BP_PAYMENTCARD_CCARD_WEB_DYNPRO               Payment Card Details
MDG_CUSTOMER_BANK_ACCOUNT_WEB_DYNPRO              Bank Details for Customer
MDG_SUPPLIER_BANKACCOUNT_WEB_DYNPRO               Bank Details for Supplier
MDG_CUSTOMER_PAYMENTCARD_PCA_MASTER_WEB_DYNPRO    Payment Card Details for Customer
MDG_CU_PAYMENTCARD_CCARD_WEB_DYNPRO               Payment Card Details for Customer
MDG BP Display Change Documents                   Change Documents

User Interface Based on Gateway Service

RAL Configuration                                 Description
MDG/CMP_BANK_SAPGATEWAY                           Bank Details

For generic information on Read Access Logging in SAP ERP, see the application help for SAP ERP on the SAP
Help Portal at http://help.sap.com/erp2005_ehp_08 under Application Help > SAP Library > SAP ERP >
Cross-Application Functions > Cross-Application Components > Data Protection > Read Access Logging
(RAL).

For generic information on Read Access Logging in SAP ERP, see also the Security Guide for SAP ERP on the
SAP Help Portal at http://help.sap.com/erp2005_ehp_08 under Security > Security Guide > SAP ERP
Central Component Security Guide > Data Protection > Read Access Logging.

For more MDG-specific information on Read Access Logging, see the Security Guide for Master Data
Governance on the SAP Help Portal at https://help.sap.com/mdg91 under Security > Security Guide >
Deletion of Personal Data in Master Data Governance.

Important Disclaimers and Legal Information

Hyperlinks

Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
  ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
  ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
  damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language

We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
