Security and Authorizations 

Use

Security

SAP provides an interface to third-party SET (Secure Electronic Transaction) software. The SET protocol guarantees the safety of payment card purchases made over open networks such as the Internet. The comprehensive SET specification is based on advanced encryption technology, including digital certificates that electronically confirm the identity of each party involved in an electronic transaction (the customer, the retailer, and the clearing institution). The retailer does not see the customer's credit card information, but instead receives verification from the clearing institution. Customers are assured that their credit card information remains secure, and the retailer is guaranteed to receive payment from the clearing house.

Because the customers can be identified, they must be certified by a certification authority. This is usually done with "electronic wallet" software, a browser plug-in available from a bank or clearing institution, for example. The SET standard requires the customer to have an electronic wallet in order to pay for merchandise, so if you want to use SET, you must expect your customers to have electronic wallets.

If customers do not have electronic wallets, they can still pay with credit cards via the SSL protocol instead of SET.

You can also have the system automatically send sales transaction verifications to customers via email so they have a record of the transactions.

Authorizations

Authorization checks fall into two categories:

You can specify whether this information must be entered when the customer first enters the store or later when he or she is about to make a purchase. First-time customers can register and define a password which they can change at any time. (You can use the transaction SU05 to create, change, and delete passwords for users. In order to explicitly identify the customer, enter the object type KNA1 along with the customer number.)

If the R/3 user has no read authority for a given layout area, then neither this layout area nor any of its subordinate layout areas will be displayed. Thus, authorizations can be used to define different views of the Internet catalog. In addition, they can be used to protect layout areas from Internet access while they are in development.

W_PCAT_MTN, W_PCAT_LAY and W_ONLSTORE are the authorization objects that must be used for authorization maintenance.
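
The layout-area rule described above, modelled as an added Python example (it is not SAP code and not part of the original documentation): an area without read authority is hidden together with all of its subordinate areas, even when one of those areas is readable on its own. The area names, the `readable` set standing in for the outcome of the read-authority check, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LayoutArea:
    """One node of a catalog layout hierarchy (constructed model)."""
    name: str
    children: list["LayoutArea"] = field(default_factory=list)


def visible_view(area, readable):
    """Return the pruned copy of `area` that this user may see, or None.

    `readable` is the set of layout-area names the user has read
    authority for. A denied area hides its whole subtree, even if a
    subordinate area is itself in `readable`.
    """
    if area.name not in readable:
        return None  # deny: children are never evaluated
    kept = [v for c in area.children
            if (v := visible_view(c, readable)) is not None]
    return LayoutArea(area.name, kept)


def names(area):
    """Flatten a view into a list of area names, parents first."""
    if area is None:
        return []
    return [area.name] + [n for c in area.children for n in names(c)]


# Constructed sample catalog; all area names are hypothetical.
CATALOG = LayoutArea("Shop", [
    LayoutArea("Garden", [LayoutArea("Tools"), LayoutArea("Seeds")]),
    LayoutArea("Spring-Preview", [LayoutArea("Bulbs")]),  # in development
])

# Internet user: no read authority on the area still in development,
# but read authority left on one of its subordinate areas.
INTERNET_USER = {"Shop", "Garden", "Tools", "Seeds", "Bulbs"}
# Catalog maintainer: read authority on every area.
MAINTAINER = INTERNET_USER | {"Spring-Preview"}

if __name__ == "__main__":
    print(names(visible_view(CATALOG, INTERNET_USER)))
    print(names(visible_view(CATALOG, MAINTAINER)))
```

Withholding read authority on the top area of a branch under development is therefore enough to keep the whole branch out of the Internet view, while authority granted only below a denied area has no effect.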