Channel: SCN : Discussion List - Security

username and password issue in SAP GUI logon-Please help

Hello,

 

Usually, when I download the tx.sap file on my work system, it downloads and opens the main screen directly (password is disabled for us). Now when I connect from home (home system through VPN), I can download the tx.sap file from my company's SAP web portal, but when I open it through SAP GUI on my system it pops up a password screen. The issue is that my employee ID is already populated in the username tab, but when I provide my domain password (I tried all my passwords), it throws an error: "you do not require a password". When I try without a password, it shows "fill in all required entry fields". Please assist.


unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

Unable to delete a role from a user ID in the SAP SOLMAN production system, but able to in DEV with the same authorization. Please suggest.

Options of login module "DigestLoginModule"

Hello Experts,

 

I am configuring a login policy using "DigestLoginModule" at http://<host:port>/nwa/auth. I would like to use the option for skew time. What is the correct option for skew time?

 

Thanks & Regards,

Ankit Srivastava

Default User Parameters in SAP SOLUTION MANAGER 7.1

Hi,

 

I want some default parameters to be assigned automatically to new users when they are created, instead of adding them manually every time in transaction SU01. Do you know how to configure this?

 

SAP SOLUTION MANAGER 7.1

SAP_BASIS    702    0012    SAPKB70212    SAP Basis Component

 

I tried settings in SSM_CUST for the user exits Z_USERS_TRANSFER and SAP_USERS_TRANSFER, but it doesn't work.

 

 

Thank you.

Post EHP7 upgrade "issues" (or things I just don't understand)

Hello Security Gurus,

 

I've run through SU25 post EHP7 implementation and have found the following inconsistencies within my roles that I cannot find any info on in other posts. Forgive me if the information is already out there.

 

Issue #1: In our ECC system, we have a number of Transactions with S_RFC as a checked object in this form:

     ACTVT: 16

     RFC_NAME:

     RFC_TYPE:

     Leaving the RFC_NAME and RFC_TYPE blank so we can adjust in PFCG in read and merge mode. After the upgrade, when I read and merge, I lose all entries we 'maintained' for S_RFC object. Does anyone know if this object no longer allows maintenance in PFCG and what the reasons for this may be? Is there a workaround to keep it as is in the old system?

 

Issue #2: We have 2 Transactions: RBDAPP01 & RSEOUT00, which in our original ECC system brought in objects: S_DEVELOP, S_DATASET AND S_PROGRAM. However, in the upgraded EHP7, when I do a read and merge, I lose all those values. When I look in USOBT_C in the original system, I DO NOT see the objects S_DEVELOP, S_DATASET AND S_PROGRAM, but they are indeed listed in PFCG.

 

     My question is: If SU24 does NOT contain a check for an authorization object, is there any other way that object can be automatically added in PFCG in the Expert Mode for Profile Generation - Read old status and merge with new data? Images below are to illustrate this issue:

 

In PFCG after doing a Read and Merge:

[Image: S_Dataset=PFCG.jpg]

 

In USOBT_C, as you can see S_DATASET isn't associated to RBDAPP01:

 

[Image: usobt-rbdapp01.jpg]

 


Thanks for your time,
Chris

BPC : User receives error while copying environment


The user receives an error in BPC while copying an environment.

The error is: Failed to activate SAP Netweaver BI Infoobject for dimension.

 

Kindly help me in resolving the issue.

Restrict Users from Changing Spool Request Attributes

Is there a way to restrict users from changing the Retention Period from our Default Setting of 8 Days to "Do Not Delete" when running a background job ?  I thought maybe S_SPO_ACT would be an option but was wrong.

 

Thank You !

Unable to send SMS message from SAP

Dear All,

 

I have done the standard SAP configuration of SMS through HTTP with a third-party SMS gateway with the help of available guides. During HTTP node configuration, I have given all the details of the SMS service provider along with the registered template message.

 

When I pass this registered message in the entire URL, I get the SMS text message on my mobile with spaces wherever applicable. But after I gave the same text message in my HTTP node configuration, I am not receiving any message on my mobile. In SOST, the status shows as successful and the message went only as far as the service provider, not to the given mobile number. Below is the successful delivery message.

 

*********************************************

Message successfully transferred to service agent

Message no. XS723

Diagnosis

The message to recipient SMS:XXXXXXXXXX was transferred to a service agent for sending.

The SAP system cannot receive and process status messages about successful or failed delivery from this service agent. Therefore, you cannot expect further information about this message in the SAP system.

System Response

Processing was completed as normal.

The confirmation from the service agent when the message was transferred was: 20140612171836XXXXX

There may be other ways of obtaining further information about the delivery of the message by the service agent using this specification.

Procedure

No action is necessary.

**********************************************

 

The difference I noticed in SCOT (double click on the HTTP node) is that the entire message is shown as a single word, which was the reason it was not delivered to the mobile, because the registered message is 5 words long.

 

If I give %20 instead of a space between the 5 words, I receive the SMS message on my mobile successfully.

 

Please suggest if any settings need to be made to avoid this space issue, so that the system treats the message as individual words and not as a single word.

 

Rgds,

Durga.


"SUIM>User>Users by Complex Selection Criteria>by Role" question

Hi all,

 

Suppose the situation is:

 

Composite role ZCR contains single role ZSR (profile T-001). Composite role ZCR is assigned to the two users below with different expiry dates (both users are not locked and not expired):
UserA - 01.01.2013
UserB - 01.01.2024

 

(Case 1) SUIM -> User -> Users by Complex Selection Criteria -> by Role (either specify ZCR or ZSR) the result is:
UserA
UserB

 

(Case 2) SUIM -> User -> Users by Complex Selection Criteria -> by Profiles (T-001) the result is:
UserB

 

Does SUIM have an error or some other assumption in Case 1? I expected the result to be UserB only.

 

I know there is the program PRGN_COMPRESS_TIMES to remove assignments which have already expired, and all the related tables. Please let me know if the result in Case 1 is SAP standard or can be fixed by OSS notes. Thanks.

 

Regards,
Donald

SCU3 Activity 02 on S_TABU_DIS Auth Group SA?

Hi,

 

We recently moved from EHP5 to EHP7 and an additional check is done when using transaction SCU3 for S_TABU_DIS / Group SA / Activity 02.

 

We have 2 Z tables maintained by our data team; 2 Z transactions allow for the table maintenance via SM30; both tables have been associated to a Z authorisation group.

 

Since EHP7 has been implemented we can no longer view the log on these tables.

 

SU53 and traces are listing the need for S_TABU_DIS Activity 02 for the SA Auth group; that group is created by SAP and covers quite a few other tables; I have tried to limit the access to the log table DBTABLOG via S_TABU_NAM but it is still not working.

 

I can't understand why activity 02 should be required at all in that scenario and can't find any related OSS Note.

 

Has anyone come across a similar issue? I am not sure why a change activity should be required when I only want to display the change log.

 

thank you

 

Coco

Message server security in ABAP systems

Hi All,

 

I would like to know how to secure the external message server port and what are the relevant parameters for this.

 

I am aware that we can secure the internal message server port (denoted by parameter rdisp/msserv_internal) using the ms/acl_info file wherein only the app servers of the same ABAP system can connect internally to it.

 

Has anyone secured both external and internal message server ports in their landscape? Kindly provide your useful feedback on this so that we can secure the message server in our landscape as well.


Need help on deciding SSO Strategy

Hi All,

Can you please guide me on deciding upon an SSO strategy for BW, BPC, HANA and Business Objects?

 

Thanks,

Shyam

Safe to use SQL-Anywhere Version 9?

I have inherited a server running SQL-Anywhere Version 9. I believe that version is end-of-life. I'm trying to come up with good arguments for replacing that version with a newer one, but the boss isn't interested in replacing it. Can anyone help me with arguments?

F9I7 reverse option not showing

Hello Gurus,

 

I have an issue where users are trying to execute the F9I7 tcode for payment items. After executing, when the user tries to reverse the item, the reverse option under the posting option is shown "greyed out".

 

Can someone help if they have an idea about this issue?

SAP ECC EHP 4 to EHP 7 Upgrade

Hi Experts,

 

Currently my client is using ECC 6.0 EHP 4, and now they are planning to upgrade from EHP 4 to EHP 7.

 

Could you please advise what the impact will be from the Security front and what things we have to take care of?

I am unable to find appropriate documents/discussions that will tell me if it has any impact on SAP Security infrastructure.

 

Kind Regards,

Krishna Mohan.


Auth. object S_Develop problem

Hello Experts,

I have the following problem:

I would like to use the authority object S_DEVELOP to authorize users to execute some reports, but every user has to display all reports (with transaction SE38).

 

So I put 2 different forms of s_develop into one user role.

First form:

ACTVT: 16

DEVCLASS: *

OBJNAME: *

OBJTYPE: PROG

P_GROUP: FI*

 

Second form:

ACTVT: 03

DEVCLASS: *

OBJNAME: PROG

OBJTYPE: P_GROUP: *

 

The problem is that both forms complement each other, so every user can display AND execute all reports.

Is there somehow a possibility to implement my requirements from above with the authority object S_DEVELOP, or is this a bug and there exists an SAP Note?

 

Thank you for your Help!
Best regards

Enrico

Work Order Reporting using I_BEGRP as a selection criteria

Hello all,

 

I am having a small problem regarding the authorization object I_BEGRP, which appears at general data informed tab at equipment level. The situation is as described below:

Our client has several subcontractors working with Maintenance Work Orders in the system, and in order to ensure that each subcontractor only accesses their own data (equipment, work orders, etc.), a different authorization group has been assigned to each of the equipment.

Problem is now when the client needs to be able to know the list of MWO per subcontractor.

 

The need is clear: for a user that is not restricted by this authorization group, it cannot be used as a selection criteria to obtain a list of WO of a certain subcontractor.

 

I have seen that it can be shown in the equipment standard report IH08, but only as exit data, but not as entry selection criteria, but neither for MWO (IW39) nor for notifications (IW29) it can be used as an entry selection criteria.

 

Can someone help me with this issue? Is the only solution to make a custom development, and to copy program RIAUFK20 in order to allow this field as an input?

 

Thank you very much for your help.

 

 

BR,

Francesc.

SAP NWSSO 2.0 SNC/Kerberos does not work

Hello,

I have a problem implementing SAP NWSSO 2.0.

It would be great if someone could help me.

I installed the Secure Login Library and configured it for the service user.

In addition, I created the SNC SAPCryptolib certificate in STRUST and set the parameters for using SNC in RZ10.

Profile parameter            Value
snc\enable                   1
snc\gssapi_lib               $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as              p:CN=KerberosSSO@swflsap.lan
snc/data_protection/max      3
snc/data_protection/min      2
snc/data_protection/use      3
snc/r3int_rfc_secure         1
snc/r3int_rfc_qop            8
snc/accept_insecure_cpic     1
snc/accept_insecure_gui      1
snc/accept_insecure_rfc      1
snc/permit_insecure_start    1
snc/force_login_screen       0

Then I restarted the server and installed the Secure Login Client on the client.

After restarting the client, I made the SNC settings in the SAP Logon Pad and set them to p:CN=KerberosSSO@swflsap.lan.

Then I mapped the user in SU01 to the Microsoft user.

But I always get the following error message when logging on:

[Image: Fehlermeldung_Kerberos_Ticket_faild.png]

I would appreciate a quick reply.

Regards

Yannik J.

Security Admin can deactivate Authorization Object (Standard)

Security Gurus,

 

I am facing a unique situation with regards to Security Admin’s access in Production to deactivate authorization objects.

 

When the Security Admin in Production opens a role in PFCG, goes to the Authorization tab and tries to deactivate authorization objects with different statuses, the results are as follows:

 

- Authorization Object (Manually) : Cannot deactivate/ or activate

- Authorization Object (Maintained) : Cannot deactivate/ or activate

- Authorization Object (Changed): Cannot Deactivate/ or activate

- Authorization Object (Standard): Can Deactivate, but cannot activate

 

So the Security Admin can deactivate “Authorization Object (Standard)”, however it cannot reactivate the same or any other authorization object.

 

The trace is not picking up any check when “Authorization Object (Standard)” is Deactivated, however for every other failed deactivation & re-activation it is showing missing authorization for S_USER_VAL (which is assigned as all ‘’, i.e. No authorization). S_USER_AGR is assigned with 02 access, which is coming in for user assignment.

 

Do you think it is a bug, or is there a way that deactivation of “Authorization Object (Standard)” can be limited without affecting access for user assignment?

Job role design - transaction role and auth object role

Hi all, please kindly comment following job role design:

 

(1) transaction role:

Keep transactions in a single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.

 

(2) authorization role

Keep application component related authorization objects except S_TCODE in a single job role by different application area, e.g. objects of MM_B, MM_E, MM_G in the MM role. Objects of K_CCA, K_CSKS_SET in the CO role. Objects of HR in the HR role.
Then maintain the org levels of the MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role, ...

 

User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
with MM transaction role + company A MM role + company A CO role.

 

Please let me know the pros and cons of above design.  Thanks.

 

Regards,

Donald

 

* I can see that the disadvantage of this design is that during an SAP upgrade (SU25), revisions of authorization objects will not be reflected in the authorization role
