2019-06-27
2 Introduction
6 Authorizations
12 Authorization Objects and Roles Used by SAP Master Data Governance
12.1 Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing
MDC_PROOT
MDC_PFILT
MDC_MASS
MDC_ADMIN
MDC_LOAD
MDC_MASSBS
12.2 Authorization Objects and Roles Used by SAP MDG, Central Governance
Master Data Governance for Business Partner (CA-MDG-APP-BP)
Master Data Governance for Supplier (CA-MDG-APP-SUP)
Master Data Governance for Customer (CA-MDG-APP-CUS)
The following guide covers the information that you require to operate SAP Master Data Governance securely.
To make the information more accessible, it is divided into a general part, containing information relevant for all
components, and a separate part for information specific for individual components.
This guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
● Technology consultants
● Security consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle,
whereas the Security Guide provides information that is relevant for all life cycle phases.
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. These demands on security apply likewise to Master Data Governance. To assist you in
securing Master Data Governance, we provide this Security Guide.
Since Master Data Governance is based on and uses SAP NetWeaver technology, it is essential that you consult
the Security Guide for SAP NetWeaver on the SAP Help Portal.
Use
This table contains the most important SAP notes concerning the safety of Master Data Governance.
Data can be displayed without authorization | 1489976 | MDG (Financial Master Data Governance, CA-MDG-APP-FIN)
For information about the technical system landscape, see the sources listed in the table below.
Technical description of Master Data Governance and the underlying technical components, such as SAP NetWeaver | Master Guide | SAP Help Portal SAP Master Data Governance
Note
If you intend to use a portal in your landscape, ensure that the embedding enterprise portal frame has the
same domain as the embedded web dynpro application.
To check the settings, call up the technical help in the web dynpro application (right mouse click, then
select Technical Help). On the Browser tab, check if the Parent window is accessible indicator is marked.
Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver
platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and
guidelines for user management and authentication that are described in the SAP NetWeaver
Application Server for ABAP Security Guide also apply to Master Data Governance.
In addition to these guidelines, we also supply information on user management and authentication that is
especially applicable to Master Data Governance in the following sections:
Master Data Governance user management uses the mechanisms provided by SAP NetWeaver Application
Server for ABAP, such as tools, user types, and the password concept. For an overview of how these
mechanisms apply for Master Data Governance, see the sections below. In addition, we provide a list of the
standard users required for operating components of Master Data Governance.
The following table shows the user administration tools for Master Data Governance.
Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information on the authorization objects provided by the components of Master Data Governance, see the component specific section.
Role maintenance with the profile generator for ABAP-based systems (PFCG) | For more information on the roles provided by Master Data Governance, see the component specific section.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems | For more information, see Central User Administration.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy
may specify that individual users who perform tasks interactively have to change their passwords on a regular
basis, but not those users under which background processing jobs run.
User types required for Master Data Governance include, for example:
● Individual users
○ Dialog users
Dialog users are used for SAP GUI for Windows.
○ Internet users for Web applications
The same policies apply as for dialog users, but these users are used for Internet connections.
● Technical users:
○ Service users are dialog users who are available for a large set of anonymous users (for example, for
anonymous system access via an ITS service).
○ Communication users are used for dialog-free communication between systems.
○ Background users can be used for processing in the background.
Standard Users
The following table shows the standard users that are necessary for operating Master Data Governance.
SAP Web Application Server | (sapsid)adm | SAP system administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Service (sapsid)adm | SAP system service administrator | Mandatory | SAP NetWeaver installation guide
SAP Web Application Server | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | See SAP NetWeaver security guide | SAP NetWeaver security guide
SAP Web Application Server | SAP Standard SAP Web Application Server Java Users | See SAP NetWeaver security guide | SAP NetWeaver security guide
SAP ECC | SAP Users | Dialog users | Mandatory | The number of users depends on the area of operation and the business data to be processed.
Note
We recommend that you change the passwords and IDs of users that were created automatically during the
installation.
By synchronizing user data, you can reduce effort and expense in the user management of your system
landscape. Since Master Data Governance is based on SAP NetWeaver, you can use all of the mechanisms for
user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver Security Guide on
SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver.
Note
You can use user data distributed across systems by replicating the data, for example in a central directory
such as LDAP.
Master Data Governance supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver
Application Server for ABAP technology. Therefore, the security recommendations and guidelines for user
management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master
Data Governance.
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
Master Data Governance supports the use of logon tickets for SSO when using a Web browser as the front-end
client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-
end client can also provide X.509 client certificates to use for authentication. In this case, user authentication
is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to
be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information see Client Certificates in the Security Guide for SAP NetWeaver Application Server. For
more information about available authentication mechanisms, see SAP Library for SAP NetWeaver under User
Authentication and Single Sign-On.
Master Data Governance uses the authorization concept of SAP NetWeaver Application Server ABAP.
Therefore, the security recommendations and guidelines for authorizations that are described in the Security
Guide for SAP NetWeaver Application Server ABAP also apply to Master Data Governance. You can use
authorizations to restrict the access of users to the system, and thereby protect transactions and programs
from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users
based on roles. For role maintenance in SAP NetWeaver Application Server ABAP, use the profile generator
(transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the
User Management Engine (UME). You can define user-specific menus using roles.
Note
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.
For a list of the standard roles and authorization objects used by components of Master Data Governance, see
the section of this document relevant to each component.
Note
Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet
your requirements.
You can use Customizing roles to control access to the configuration of Master Data Governance in the SAP
Customizing Implementation Guide (IMG).
Your network infrastructure is extremely important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized access. A well-
defined network topology can eliminate many security threats based on software flaws (at both the operating
system and application level) or network attacks such as eavesdropping. If users cannot log on to your
application or database servers at the operating system or database layer, then there is no way for intruders to
compromise the devices and gain access to the backend system’s database or files. Additionally, if users are
not able to connect to the server LAN (local area network), they cannot exploit known bugs and security holes
in network services on the server machines.
The network topology for Master Data Governance is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to Master Data Governance. Details that relate directly to SAP ERP Central Component are
described in the following sections:
Communication channels transfer a wide variety of different business data that needs to be protected from
unauthorized access. SAP makes general recommendations and provides technology for the protection of your
system landscape based on SAP NetWeaver.
The table below shows the communication channels used by Master Data Governance, the protocol used for
the connection, and the type of data transferred.
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP
connections are protected using the Secure Sockets Layer protocol (SSL protocol).
Recommendation
Since Master Data Governance is based on SAP NetWeaver technology, for information about network security,
see the corresponding sections of the SAP NetWeaver Security Guide at http://help.sap.com Technology
Platform SAP NetWeaver Release/Language SAP NetWeaver Security Guide Network and
Communication Security Network Services :
If you provide services on the Internet, you should protect your network infrastructure with at least a firewall.
You can further increase the security of your system or group of systems by placing the groups in different
network segments, each of which you then protect from unauthorized access by a firewall. You should bear in
mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one
of your systems.
Ports
Master Data Governance is executed in SAP NetWeaver and uses the ports of AS ABAP or AS Java. For more
information see the corresponding security guides for SAP NetWeaver in the topics for AS ABAP Ports and AS
Java Ports. For information about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see
the document TCP/IP Ports Used by SAP Applications in SAP Developer Network at
http://sdn.sap.com/irj/sdn/security under Infrastructure Security Network and Communications Security.
The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore
follow the security rules below when communicating between systems:
For information on authorization objects, see Authorization Objects and Roles Used by SAP Master
Data Governance [page 22].
If you upload files from application servers into Master Data Governance and you want to use a virus scanner,
a virus scanner must be active on each application server. For more information, see SAP Note 964305
(solution A).
Note
● Work through the Customizing activities in the Implementation Guide under the Virus Scan Interface
node.
● When doing this, use the virus scan profile /MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered
for Master Data Governance.
When you upload files from the front-end into Master Data Governance, the system uses the configuration you
defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For more information, see SAP Note 1693981.
Use
Using Logical Paths and File Names to Protect Access to the File System
Master Data Governance saves data in files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). This is achieved by specifying logical paths and file names in the system that
map to the physical paths and file names. This mapping is validated at runtime and if access is requested to a
directory that does not match a stored mapping, then an error occurs. In the application-specific part of this
guide, there is a list for each component of the logical file names and paths, where it is specified for which
programs these file names and paths apply.
The logical paths and file names are entered in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.
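The runtime check described above, modelled in Python as an added example (not SAP code and not part of the original guide): a request is accepted only if it resolves inside the directory mapped to its logical file name, and a logical name with no maintained physical path is passed through unchecked, as in the delivered default. The logical names, directories and function names are constructed for illustration.

```python
"""Conceptual model of runtime validation for logical file names.

Added example, not SAP code. All names and directories are constructed.
"""
import posixpath


class PathValidationError(Exception):
    """Raised when a request does not match a stored mapping."""


# Constructed mapping: logical file name -> physical directory.
# None models a logical name whose physical path has not been maintained,
# i.e. the default in which validation at runtime is inactive.
LOGICAL_PATHS = {
    "ZMDG_UPLOAD": "/srv/mdg/upload",
    "ZMDG_EXPORT": None,
}


def validate_name(logical_name, requested_path, mappings=LOGICAL_PATHS):
    """Return (physical_path, validated) or raise PathValidationError."""
    if logical_name not in mappings:
        raise PathValidationError(f"unknown logical file name: {logical_name}")
    if not requested_path:
        raise PathValidationError("empty file name")

    base = mappings[logical_name]
    if base is None:
        # Physical path not maintained: the request is not checked at all.
        return posixpath.normpath(requested_path), False

    base = posixpath.normpath(base)
    # Relative names are interpreted below the mapped directory; an absolute
    # request replaces the base in join() and is then compared as-is.
    candidate = posixpath.normpath(posixpath.join(base, requested_path))
    # normpath collapses "." and ".." lexically. On a real file system,
    # resolve symbolic links as well (os.path.realpath) before comparing.
    # commonpath compares whole path components, so "/srv/mdg/upload_old"
    # does not count as being inside "/srv/mdg/upload".
    if posixpath.commonpath([base, candidate]) != base:
        raise PathValidationError(
            f"{candidate} is outside {base} (logical name {logical_name})"
        )
    return candidate, True


def is_allowed(logical_name, requested_path, mappings=LOGICAL_PATHS):
    """True if the request passes, whether validated or passed unchecked."""
    try:
        validate_name(logical_name, requested_path, mappings)
        return True
    except PathValidationError:
        return False


def unvalidated_names(mappings=LOGICAL_PATHS):
    """Logical names for which validation is inactive (no physical path)."""
    return sorted(name for name, base in mappings.items() if base is None)


if __name__ == "__main__":
    # Constructed requests: (logical file name, file name supplied at runtime)
    requests = [
        ("ZMDG_UPLOAD", "suppliers.csv"),
        ("ZMDG_UPLOAD", "../../../etc/passwd"),
        ("ZMDG_UPLOAD", "/srv/mdg/upload_old/suppliers.csv"),
        ("ZMDG_EXPORT", "/etc/passwd"),
    ]
    for logical, name in requests:
        try:
            path, validated = validate_name(logical, name)
            state = "validated" if validated else "NOT VALIDATED"
            print(f"{logical:12} {name!r:40} -> {path} ({state})")
        except PathValidationError as err:
            print(f"{logical:12} {name!r:40} -> rejected: {err}")
    print("validation inactive for:", unvalidated_names())
```

The last request shows why the physical path has to be maintained: until it is, a request outside the intended directory is accepted without any check.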
More Information
For information about data storage security, see the SAP NetWeaver Security Guide at http://help.sap.com
SAP NetWeaver Release/Language SAP NetWeaver Library Administrator’s Guide NetWeaver
Security Guide Security Guides for the Operating System and Database Platforms
The following section in the NetWeaver Security Guide is relevant for Master Data Governance:
The trace and log files of Master Data Governance use the standard mechanisms of SAP NetWeaver. For more
information, see the relevant sections in the SAP NetWeaver Security Guide.
Related Information
Use
Segregation of duties can be achieved by assigning roles to users and in addition by a strict separation of the
user groups for the workflow.
Activities
Depending on the component of Master Data Governance you intend to configure, use the following
Customizing activities to separate the user groups:
● MDG-M, MDG-F
Run the Customizing activity under Master Data Governance Central Governance General Settings
Process Modeling Workflow Rule-Based Workflow Configure Rule-Based Workflow .
For further information, see:
○ Configuring Master Data Governance for Material
○ Configuring Master Data Governance for Financials
● MDG-S
Run the Customizing activity under Master Data Governance Central Governance Master Data
Governance for Supplier Workflow Assign Processor to Change Request Step Number in BRFplus for
Supplier .
For further information, see Configuring Master Data Governance for Supplier
● MDG-C
Depending on the change request step, run the following Customizing activities under:
○ Master Data Governance Central Governance General Settings Process Modeling Workflow
Other MDG Workflows Assign Processor to Change Request Step Number (Simple Workflow)
○ Master Data Governance Central Governance Master Data Governance for Customer Workflow
Assign Processor to Change Request Step Number in BRFplus for Customer
For further information, see Configuring Master Data Governance for Customer.
● MDG-BP
For information about the corresponding roles, see the documents listed below:
This chapter provides information about authorization objects and roles used by:
● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30]
● Authorization Objects and Roles Used by SAP MDG, Consolidation and Mass Processing [page 22]
Authorization Objects
SAP MDG, consolidation and mass processing uses the authorization objects listed below.
Caution
To use SAP MDG, consolidation and mass processing in combination with the functions of SAP MDG, central
governance, see the required authorization objects in the documents listed below:
● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30]
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 32]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 34]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 36]
Standard Roles
12.1.1 MDC_PROOT
Use
Features
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
31 | Confirm | Continue consolidation process after a process step has been executed
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
36 | Extended maintenance | Adjust configuration within the process UI for the current process. The Adjust link is displayed.
37 | Accept | Continue consolidation process after a matching step that still contains open match groups
Caution
In addition, the activity 31 Confirm has to be permitted.
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
Use
Note
To create a process, select a Data Source, which is a combination of Source System, Data Package, and a
Status.
Features
The attribute Source Filter MDC_FILTER is assigned to the authorization object: Depending on the permitted
value the processes are displayed in the process list and the sources are displayed in the Sources dialog box
during the process creation.
Note
The attribute Source Filter of the authorization object corresponds to the field Data Package on the UI.
12.1.3 MDC_MASS
Use
Features
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
31 | Confirm | Continue or rollback mass processes after a process step has been executed.
Caution
If the process pauses at a check point, the Continue button and the Rollback
button stay active only if the activity 31 Confirm is permitted.
Note
Either the Start or the Continue button is displayed, depending on whether the
process has started or not.
36 | Extended maintenance | Adjust configuration within the process UI for the current process. The Adjust link is displayed.
12.1.4 MDC_ADMIN
Use
Features
Note
Without this authorization a user cannot delete processes permanently but
can only mark process for deletion.
Note
As an alternative you can run the transaction MDC_ADMIN_DELETE in the
backend system to delete processes with an inconsistent status.
This report transforms customer and vendor data to business partner data during the data import.
12.1.5 MDC_LOAD
Use
Features
12.1.6 MDC_MASSBS
Use
Features
Note
Either the Start or the Continue button is displayed, depending on whether
the process has started or not.
31 | Confirm | Continue or rollback mass maintenance processes after a process step has been executed.
Caution
If the process pauses at a check point, the Continue button and the Rollback
button stay active only if the activity 31 Confirm is permitted.
Note
Either the Start or the Continue button is displayed, depending on whether
the process has started or not.
Authorization Objects
The following authorization objects are used by all components of Master Data Governance.
Note
To obtain more detailed information about specific authorization objects proceed as follows:
1. Choose SAP Menu Tools ABAP Workbench Development Other Tools Authorization
Objects Objects (Transaction SU21).
USMD_MDATH Hierarchies
USMD_UI2 UI Configuration
S_ARCHIVE Archiving
The following values are assigned to the authorization fields:
The following authorization field values are required to display archived change requests:
● ARCH_OBJ: USMD_CR
● APPLIC: CA
● ACTVT: DISPLAY
Caution
For information about component specific authorization objects, see the corresponding sections:
Standard Role
Role Name
This role contains authorizations needed for administrative tasks and for setting up a base configuration in all
components of Master Data Governance. Some authorizations enable critical activities. If multiple users in your
Enterprise Search
To use Enterprise Search, users have to be assigned to the role SAP_ESH_SEARCH (Enterprise Search Hub
(Composite): Authorizations for searching).
Use
Authorization Objects
Master Data Governance for Business Partner mainly uses the authorization objects of the business objects
Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the
authorization objects of the Data Replication Framework.
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.
BCV_QUILST Overview
BCV_QUERY Query
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Name
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.
More Information
If you use the optional feature address screening, see the corresponding security guide under
http://help.sap.com/fra.
Use
Authorization Objects
Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Vendor, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are
to be specifically protected.
BCV_QUERY Query
BCV_QUILST Overview
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Name
SAP_MDGS_VL_MENU_04 | Master Data Governance for Supplier (ERP Vendor UI): Menu
SAP_MDGS_LVC_REQ_04 | Master Data Governance for Supplier (Lean Request UI): Requester
More Information
If you use the optional feature address screening, see the corresponding security guide under
http://help.sap.com/fra.
Use
Authorization Objects
Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the
authorization objects of the business objects Business Partner and Customer, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of the Data Replication
Framework.
Note
Depending on whether you use the Master Data Governance for Customer on a hub system or on a client
system a different set of authorization objects is required.
Note
This authorization object is optional. You do not need to assign
this authorization object if no master records are to be
specifically protected.
BCV_QUERY Query x x
BCV_QUILST Overview x x
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Name
If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for
Data Model and define which entity types and attributes are authorization relevant.
If you use the optional feature address screening, see the corresponding security guide under
http://help.sap.com/fra.
Use
Authorization Objects
Master Data Governance for FI Contract Accounts mainly uses the authorization objects of the business
objects DRF_0036 Contract Account.
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Name
Authorization Objects
Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for
example, the authorization objects of the Material Master and the Application Framework for Master Data
Governance.
Note
You need this authorization object for the object type
PLM_MAT only if the search object connector of SAP NetWeaver
Enterprise Search is created for the following
Enterprise Search software components:
● PLMWUI
● Software components that include PLMWUI
BCV_QUILST Overview
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Name
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.
Authorization Objects
USMD_DIST Distribution
Note
This authorization object is used if you have not activated
business function MDG_FOUNDATION.
(Switch: FIN_MDM_CORE_SFWS_EHP5)
USMD_EDTN Edition
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Roles
Role Description
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.
Authorization Objects
You can use the following authorization objects for Master Data Governance for Custom Objects.
USMD_DIST Replication
Caution
Authorization objects used by all components of Master Data Governance are listed in the document
Authorization Objects and Roles Used by SAP MDG, Central Governance [page 30].
Standard Role
Role Name
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under
Master Data Governance, Central Governance General Settings Data Modeling Define Authorization
Relevance per Entity Type and define which entity types and attributes are authorization relevant.
Use
The SAP system generates database tables for the entities of all defined data models. The settings of these
database tables are the following:
Activities
To change these settings of generated MDG database tables run the transaction MDG_TABLE_ADJUST.
The results of the transaction are listed in the transaction SLG1 (Analyse Application Log), using Object FMDM
and Subobject ADJUST_TABLE.
Caution
More Information
Use
For personal data processed in the Master Data Governance (MDG) application, you can use SAP
Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more
information, see the application help for SAP ERP at http://help.sap.com/erp2005_ehp_08 on the SAP Help
Portal under Application Help SAP Library SAP ERP Cross-Application Functions Cross-Application
Components Data Protection .
For more information about the application object, see the application help for SAP Master Data Governance
on the SAP Help Portal at https://help.sap.com/mdg91 under Application Help SAP Master Data
Governance Deletion of Personal Data in Master Data Governance (MDG) Data Archiving in Master Data
Governance .
● You configure the settings related to the blocking and deletion of business partner, customer, and supplier
master data in Customizing under Cross-Application Components Data Protection Deletion of Data
Deletion of Business Partner Data .
● For information on defining ILM rules, see the application help for SAP ERP at
http://help.sap.com/erp2005_ehp_08 on the SAP Help Portal under Application Help SAP Library SAP ERP
Cross-Application Functions Cross-Application Components SAP Information Lifecycle Management
Using ILM Retention Management in the Application System Editing ILM Policies Editing Retention
Rules.
● For information on defining End of Purpose checks, see the application help for SAP ERP at
http://help.sap.com/erp2005_ehp_08 on the SAP Help Portal under Application Help SAP Library SAP ERP
Cross-Application Functions Cross-Application Components Data Protection End of Purpose (EoP)
Check .
Master Data Governance for Business Partner (MDG-BP), Master Data Governance for Supplier (MDG-S), and
Master Data Governance for Customer (MDG-C) are applications that provide a workflow-based
governance process for business partners. Within this process, the applications MDG-BP, MDG-S, and MDG-C
do not store business partners permanently. In any case, MDG-BP, MDG-S, and MDG-C do not process
business partners with the end of purpose indicator assigned.
For Master Data Governance, consolidation and Master Data Governance, mass processing, we recommend that
you use only business partner records that are not selected for End of Purpose (EoP).
The MDG, consolidation application and the MDG, mass processing application do not process business
partners with the end of purpose indicator assigned.
For MDG, consolidation, we recommend to delete source data after the end of the consolidation process.
In transaction BP, choose Extras Change History For This Partner Select Changed Fields .
In the Master Data Governance for Business Partner (MDG-BP), Master Data Governance for Supplier (MDG-S),
and Master Data Governance for Customer (MDG-C) applications, select a single business partner from the
result list and choose Change Documents to compare Old Value and New Value in the Change Documents table.
To get information on change documents for Master Data Governance, consolidation, you can use Track Mass
Changes.
Note
For information on Read Access Logging in MDG, see Read Access Logging (RAL) in MDG [page 49].
For generic information on Read Access Logging in SAP ERP, see also the Security Guide for SAP ERP on the
SAP Help Portal at http://help.sap.com/erp2005_ehp_08 under Security Security Guide SAP ERP
Central Component Security Guide Data Protection Read Access Logging.
● For Master Data Governance for Custom Objects, we do not recommend that you enhance personal data in
your own objects. If it is necessary, you need to ensure that enhanced data is archived and deleted for the
End of Purpose (EoP) goal.
● For Master Data Governance, central governance, we recommend that you use backend tables of SAP-BP for
enhancements and enhance the MDG data model accordingly.
MDG enables read access logging for the following functions and interface types:
For generic information on Read Access Logging in SAP ERP, see the application help for SAP ERP on the SAP
Help Portal at http://help.sap.com/erp2005_ehp_08 under Application Help SAP Library SAP ERP
Cross-Application Functions Cross-Application Components Data Protection Read Access Logging
(RAL).
For more MDG-specific information on Read Access Logging, see the Security Guide for Master Data
Governance on the SAP Help Portal at https://help.sap.com/mdg91 under Security Security Guide
Deletion of Personal Data in Master Data Governance.