Security Aspects for the Configuration of the Option to Give Feedback
There are several security aspects you need to consider when configuring the option to give feedback.
| Authorization Object | Field | Value | Description |
|---|---|---|---|
|
S_ADMI_FCD |
S_ADMI_FCD |
PADM |
These authorizations are required to allow the ICM to load the ChipCert.pse file. |
|
S_APPL_LOG |
ACTVT |
03 |
These authorizations are required to display the entries that the end-user feedback function writes to the application log. |
|
ALG_OBJECT |
/UI2/BE |
||
|
ALG_SUBOBJ |
/UI2/INTEROP |
||
|
S_DATASET |
ACTVT |
06 |
These authorizations are required to import the ChipCert.pse file and the Baltimore CyberTrust Root.cer certificate. |
|
33 |
|||
|
34 |
|||
|
FILENAME |
* |
||
|
PROGRAM |
SAPLSSFM |
||
|
SAPLSSFP |
|||
|
SAPLSSFR |
|||
|
S_DEVELOP |
ACTVT |
03 |
These authorizations are required to import the ChipCert.pse file and the Baltimore CyberTrust Root.cer certificate. |
|
DEVCLASS |
/UI2/SERVICES_INTEROP_700 |
||
|
OBJNAME |
Leave empty |
||
|
OBJTYPE |
SMIM |
||
|
P_GROUP |
Leave empty |
||
|
S_GUI |
ACTVT |
61 |
These authorizations are required to display the entries that the end-user feedback function writes to the application log. |
|
S_RFC_ADM |
ACTVT |
02 |
These authorizations are required to create an RFC connection to the SAP cloud service that collects the end-user feedback. |
|
ICF_VALUE |
Leave empty |
||
|
RFCDEST |
SAP_USER_FEEDBACK_HTTPS |
||
|
RFCTYPE |
Leave empty |
||
|
S_RZL_ADM |
ACTVT |
01 |
These authorizations are required to import the ChipCert.pse file and the Baltimore CyberTrust Root.cer certificate. |
|
S_TABU_DIS |
ACTVT |
02 |
These authorizations are required to import the ChipCert.pse file. |
|
DICBERCLS |
SCUS |
This is done to remove the specific authorizations needed to set up the end-user feedback. After removing transaction /UI2/FEEDBACK_SETUP, you need to regenerate the authorization profile in transaction PFCG
The program to configure the option to give feedback performs security-relevant steps.
In the Configuration of RFC Connections (transaction SM59), the program creates HTTP destination SAP_USER_FEEDBACK_HTTPS under HTTP Connections to External Server.
- Create secure store and forward (SSF) application USRFDB.
- Import the file ChipCert.pse into the corresponding personal security environment (PSE) SSF USRFDB. The tool takes the file from the MIME repository.
- Import certificate Baltimore CyberTrust Root.cer
into SSL-Client (ANONYM).
All feedback data is transferred to SAP via an HTTPS encrypted connection. To make sure the data is only sent to the legitimate SAP service, the certificate of the target server is verified. To trust SAP’s service, you need to import the certificate of the issuing certification authority (CA) “Baltimore CyberTrust”. Note that this trust is client-independent.
You can import this certificate automatically using the checkbox provided by the program /UI2/USER_FEEDBACK_SETUP. The tool takes the certificate from the MIME repository.
You can also import the certificate manually:
- Start the Object Navigator (SE80) and click the MIME Repository toggle button.
- In the navigation tree, choose
SAP 
PUBLIC USRFDB Baltimore CyberTrust Root.cer 
- Download the file Baltimore CyberTrust Root.cer.
- Start the Trust Manager (transaction STRUST).
- Open SSL client (Anonymous).
- Import the certificate Baltimore CyberTrust Root.cer.
After the import, the program triggers the Internet Connection Manager (ICM) to take the Baltimore CyberTrust Root.cer certificate into account. This means that outgoing HTTPS connections to servers with certificates issued by the "Baltimore CyberTrust Root" certificate authority are allowed.
For more information on SSF and PSE, see SAP Library for SAP
NetWeaver on SAP Help Portal at http://help.sap.com/netweaver
Application Help Function-Oriented View Security Digital Signatures and Encryption .