Channel: SCN : Discussion List - Security

LAW 2.0 for SAP_BASIS 702 and/or 740 only?


As every year, we near the time of license auditing. And since the "old" SLAW has more bugs than you could probably put in only one transaction, I went out in search of something new.

 

It seems, there's a completely new version up, LAW 2.0. But there doesn't seem to be one for SAP_BASIS 731.

 

Is there a reason for that?

 

Am I missing something?


Track changes on indirect assignment of roles to users


Hi Experts,

 

We have been facing an issue where users have roles assigned indirectly (position/job/org unit).

I have checked the relationship between position/org unit and job to find if there are any roles assigned to these positions (HRP 1001).

To my surprise there are no roles assigned to any of the position, org unit or job.

Our production system is linked with CUA(Solman) and role assignment is selected as Global.

I have checked both the systems and couldn't find any roles assigned to the position/org unit/job.

 

These roles are assigned to the users in the year 2005?

I would like to know

1.) How did these roles get assigned to the system? Are there any logs to track it down?

2.) Do we either have to change the CUA setting to local and run RHAUTUPD_NEW in the production system,

or run the report RHAUTUPD_NEW in the CUA system? Am I following the right approach?

 

Kindly advise and let us know suggestions on this?

 

Thanks a lot in advance for your help.

Allowing only one LDAP group members to access SAP


Hi Experts,

 

We are integrating AD with the SAP application. We have OU=SAP, under which users are created, and one group, ESS.

Under OU=SAP around 10 users are created, and from different OUs we added around 100 users to the ESS group as members.

So the users are members of CN=ESS,OU=SAP,DC=XXXXXX,DC=com

Users created under the SAP OU are synched to the SAP application, but the members of the ESS group are not synching.

We have a flat-hierarchy read-only datasource XML, so could you please help me with how I can allow members of the group by editing the XML file, and what needs to be added.

Please do help; we are stuck and not able to achieve this scenario.

As an alternative, if somebody has worked on a deep hierarchy, please let us know how to allow users of 5 different selected OUs of the same Active Directory to access the SAP application.

 

Regards,

Mahesh Kumar M

SSO CRM and ECC


Dear Experts,

 

 

We need to access ECC Transactions from CRM UI. But every time it asks for a username and password. So we want to setup SSO.

Can anyone provide me the steps to setup SSO between CRM and ECC Webgui?

 

 

Regards

Arun

Restrict user to access report of a specific layout


Hello experts,

 

We have a std. CJI3 report. In this report I have created a layout (see screen shot) and I want a user to access only that data of the report which comes with this layout.


Kindly suggest if there is a way to control the access in this way.

 

I thought of creating a Z-report using the call transaction function (to call CJI3) and using a screen variant for it, but I don't want to go this way.

 

Kindly suggest.

 

Thank You.

 

Regards

Saurabh

Authorization profile name autogenerated


Hi experts

 

I'd like to know if there's a way to generate Authorization Profile Name automatically, with an auto-increment based approach.

 

The code that I'd like to be auto-generated inside the system is the "Profile Name" shown below in the posted screenshot.

 


 

Hope my question was clear enough to let you answer me properly. Let me know if you need further information.

 

Thanks in advance,

Jacopo.

AUDIT CONFIGURATION CHANGED : SLOT INACTIVE


Hello ,

We've configured the security audit via the parameters below:

 

rsau/max_diskspace/per_day:     1996800K

rsau/max_diskspace/local          2048000K    

rsau/max_diskspace/per_file      665600K

rsau/enable                               1              

rsau/selection_slots                     30    

rsau/local/file D:\usr\sap\FKP\DVEBMGS00\log\++++++++.AUD

FN_AUDIT ++++++++######.AUD

DIR_AUDIT D:\usr\sap\FKP\DVEBMGS00\log           

 

 

In our production system, we repaired the security audit screens with ABAP consultants. Then we could activate the audit log for 30 slots. It works very well. We restarted the system several times and we didn't get any problem with the security configuration.

After a few months, we restarted the system and the slots which we added later changed to inactive. You can see the SM20 logs below:

 

 

 

Application Server Stopped

Application Server Started

Audit Configuration Changed

Audit: Slot 1: Class 191, Severity 2, User USER1, Client 200,

Audit: Slot 2: Class 191, Severity 2, User USER2 , Client 200,

Audit: Slot 3: Class 191, Severity 2, User USER3, Client 200,

Audit: Slot 4: Class 191, Severity 2, User USER4, Client 200,

Audit: Slot 5: Class 191, Severity 2, User USER5, Client 200,

Audit: Slot 6: Class 191, Severity 2, User USER6, Client 200,

Audit: Slot 7: Class 191, Severity 2, User USER7, Client *,

Audit: Slot 8: Class 191, Severity 2, User USER8, Client *,

Audit: Slot 9: Class 191, Severity 2, User USER9, Client *,

Audit: Slot 10: Class 191, Severity 2, User USER10, Client *,

Audit: Slot 11 Inactive

Audit: Slot 12 Inactive

Audit: Slot 13 Inactive

Audit: Slot 14 Inactive

Audit: Slot 15 Inactive

Audit: Slot 16 Inactive

Audit: Slot 17 Inactive

Audit: Slot 18 Inactive

Audit: Slot 19 Inactive

Audit: Slot 20 Inactive

Audit: Slot 21 Inactive

Audit: Slot 22 Inactive

Audit: Slot 23 Inactive

Audit: Slot 24 Inactive

Audit: Slot 25 Inactive

Audit: Slot 26 Inactive

Audit: Slot 27 Inactive

Audit: Slot 28 Inactive

Audit: Slot 29 Inactive

Audit: Slot 30 Inactive

 

 

 

We didn't change any parameters or audit configuration before the restart, but as I said, after the restart the audit configuration has changed.

Does anyone have an idea why the audit configuration has changed?

 

Thanks & Regards

 

Ozlem Otunctemur
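
A check for the situation described in this post, added here as an example and not part of the original thread: it parses the slot status lines that follow "Audit Configuration Changed" and reports every slot that an operator-supplied baseline expects to be active but that the log shows as inactive or missing. The function names, the baseline argument and the shortened sample lines are assumptions made for this example; the line format is the one quoted in the post.

```python
import re

# Line shapes taken from the SM20 excerpt quoted in the post.
ACTIVE = re.compile(
    r"^Audit: Slot (\d+): Class (\d+), Severity (\d+), "
    r"User\s+(\S+?)\s*, Client\s+(\S+?),?\s*$"
)
INACTIVE = re.compile(r"^Audit: Slot (\d+) Inactive\s*$")


def parse_slots(lines):
    """Map slot number -> filter dict, or None when the slot is inactive."""
    slots = {}
    for raw in lines:
        line = raw.strip()
        m = ACTIVE.match(line)
        if m:
            slots[int(m.group(1))] = {
                "class": int(m.group(2)),
                "severity": int(m.group(3)),
                "user": m.group(4),
                "client": m.group(5),
            }
            continue
        m = INACTIVE.match(line)
        if m:
            slots[int(m.group(1))] = None
    return slots


def slot_drift(lines, expected_active):
    """Slots the baseline expects to be active but the log shows as
    inactive or does not report at all."""
    slots = parse_slots(lines)
    return sorted(n for n in expected_active if slots.get(n) is None)


# Constructed sample in the post's format (shortened to five slots).
SAMPLE = """Application Server Started
Audit Configuration Changed
Audit: Slot 1: Class 191, Severity 2, User USER1, Client 200,
Audit: Slot 2: Class 191, Severity 2, User USER2 , Client 200,
Audit: Slot 3: Class 191, Severity 2, User USER3, Client *,
Audit: Slot 4 Inactive
Audit: Slot 5 Inactive""".splitlines()

if __name__ == "__main__":
    # Assumed baseline: the operator expects slots 1-5 to be active.
    print("slots needing review:", slot_drift(SAMPLE, range(1, 6)))
```

Run after each restart against the exported log, this turns a silent loss of audit filters into an explicit list of slot numbers to re-check.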

Authorization to display Net Value in VA03 for select users based on Role


Hi Friends,

 

 

We have a requirement where, for users having a specific role, under VA03 transaction (sales order display), ‘net value’ should not be visible. Our client is on SAP version 4.6C.

 

Though we found enough literature on how few condition types can be masked for select users, any specific inputs on the below are highly appreciated:

 

  1. User exit/Screen exit to be modified for VA03 (MV45AFZZ etc.)
  2. Authorization fields & objects already available for this
  3. Any pointers on the include(s) to be created/used along with program details

 

Ideas on alternative means to achieve this (like creating a transaction variant for VA03, creating copy program with required fields masked etc.) are welcome if shared with details on approach, limitations etc.

 

Regards,

Jagan


SAP NWBC Functional Standard SAP Roles EHP6



Gurus,

 

Does anyone know which functional (PP, MM, PM, QM, SD, LE, WM) roles we should, or normally would, assign to users in the back-end system? A quick answer would be really appreciated. A good link or roles list would be great. I found some roles when I searched *NWBC* and assigned those, but it did not work because the user was not able to see the functionalities on the NWBC client screen. Then I created some menu-based roles and assigned them, and it worked. But I would like to know the proper roles for each functional area, either single or composite roles. Thanks, Gurus

Dynamic Authorization at SAP BI Query execution



Dear Friends,

 

Good Day!

 

I have a strange requirement in SAP BI Reporting authorization.

 

Suppose I have 10 free characteristics in my query, and COMPANY CODE is one of them. The requirement is that when the end user executes the query without COMPANY CODE in the report output, he should be able to see all the data for all the company codes, but when COMPANY CODE is in the drill-down, he can see only the relevant data for his company code assigned in the Analysis Authorization.

 

So based on report output we need to develop authorizations.

 

Please reply if any suggestions.

 

Thanks & Regards,

Rajdeep.

SAP SSO with X.509 automate process with RSUSREXT


Hi,

We are trying to implement SAP SSO with X.509 certificates for HTTPS access (NWBC).

Environment is: Windows 7 clients, Internet Explorer, NetWeaver ABAP 7.31 on Win 2008 R2, Win PKI.

 

I've done the following steps:
1. Configured SAP to accept certificates.

2. Created certificate template "SAPSSO" in our PKI (Build from AD information, Subject name contains "Fully distinguished name", include e-mail, include User principal name in subject alternative name)

3. Started certmgr.msc on my client and requested a new certificate from the "SAPSSO" template.

  The new cert is stored on my client in my certificate list in certmgr.msc (later this should be done with AD autoenrollment)

4. Activated the certmap service in SICF https://mysapserver/sap/bc/webdynpro/sap/certmap

5. Open the certmap service in my browser and link the certificate with my SAP username.

6. Check entry in table USREXTID. The certmap service created a "DN" (distinguished name) entry for me.

EMAIL=firstename.lastname@company.com, CN=Firstname Lastname, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

7. Import Master certificate in STRUST

From this point everything is working fine for my user.

 

Now I want to generate the entries of the USREXTID table with the RSUSREXT report.

The report generates the SAP username as part of the DN.

For example, I am able to build this DN with RSUSREXT:

EMAIL=firstename.lastname@company.com, CN=MYSAPUSERNAME, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

But this DN does not match my DN in my certificate!

 

My problem now is that I do not have my username in the DN of my certificate. Because of this, I cannot generate the table entries with this report.

In this KBA Andre Fischer is talking about implementing policy modules for the certificate template to be able to generate the Windows sAMAccountName into the DN.

"Reading other attributes than common name or fully distinguished name from the AD is a little bit trickier and requires a custom policy module."

Single Sign-On for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory

 

I managed to change the template so that principalname=MYADUSERNAME is added as a subject alternative name in my certificate.

But I don't know how to fill the USREXTID table to match SANs in my certificate.

 

Does anyone have a solution for the AD certificate template to generate the AD account name in the DN?

Or does anyone know how to fill the USREXTID table so that the principalname is matched?

 

(PS: SAP Username and AD name is the same for all of our users)

 

Kind regards

Manuel

Need to give REVOKE CLOSE option in CO02 only for selective users


Hello,

 

Need to restrict the Revoke Close option in tcode CO02 (under Functions - Restrict Processing - Revoke Close) through role/object level. Can anyone suggest how to control this? We need to give access to CO02 to 5 users, but only 2 users should be able to use the Revoke Close option; the other 3 users should not be able to do this activity.

 

 

BR,

 

Murali

MM02 tcode attachment list remove procedure


Dear Experts,

 

MM02 Tcode security issue

 

  1. In MM02, mention the material number and choose the Basic view & click on "Attachment list" as shown below
  2. Once you click on attachment, you can see the attachment list in pop-up where you can select & view the documents.

NOTE: But we need to remove the attachment list view authorization. Could you please give a solution for blocking the attachment list and create attachment?

We traced the tcode through ST01, but we found only three objects: S_BDS_DS, S_ALV_LAYO, S_GUI. I checked and blocked the objects, but it does not work.

 

Please help me to sort out the issue.

 

Best Regards

Suresh M

APO Authorisation - Missing button in /SAPAPO/SDP8B


Hello Dear,

I am trying to add a KF in a Dataview in APO under transaction /n/SAPAPO/SDP8B, but I am not getting a Complete button to save the changes (as shown below from Q environment). I tried opening the client and getting temporary SAP ALL & SAP ALL NEW roles, but it's not working.

 

It worked fine in the Quality environment, but not in the Live system. Is there any setting to be activated or any pertinent authorisation object to be added or activated?

Please help.

 

Regards

Rahul Chitte

 


Bex query structure authorization error when copying to Y name


Hi Gurus,

 

We are having an issue in a BEx query. As per design, our IT team can copy Z queries to Y queries and modify/create Y queries in production, but they cannot update/change Z queries.

 

One of the queries has a structure, and the BW IT team is trying to copy that query to the Y namespace, but they can't edit the structure/key figure within that new Y query. But if we give them Z query access in S_RS_COMP, then they can modify that Y query/structure. They can copy other Z queries to Y which don't have structures without problem.

 

  1. Open BEx Query Z
  2. Save Report as a Y query
  3. Click on tab Rows/Columns
  4. Try to modify the Key figures under section ‘column’

 

Can anyone please help how should we proceed ?

 

Regards,

Salman


Permissions issues when trying to execute an external command


Hi

 

I am very new to SAP and was hoping for some guidance :

 

As an administrator I created an external command in SM69 - a Unix script that deletes files on the app server.

It works fine for me, with an admin profile.

 

I wanted to allow one of the developers to execute this Unix script using tcode SM69.

I created a role to which I granted the SM69 transaction and assigned the role to him.

 

He is able to access the SM69 tcode.

However, he cannot actually execute any of the external commands there, not even the SAP-supplied ones

(getting an error that he is not authorized to execute the external command).

 

Is there any additional authorization that I am missing ?

 

Thank you

Orna

For SSL certificate maintenance (renew) - restart required


Hello Colleagues,

 

After certificate maintenance (renewal) under ABAP in Trust Manager (transaction STRUSTSSO2), is a system restart or ICM service restart (still) required?

 

System is SAP PI 7.31

 

Under discussion Logon Failed using SSL Client Certificate I had read "... in future releases this is automated (by triggering a PSE cache invalidation; no ICM restart required ...".

 

Is this similar to Java systems?

 

Many thanks in advance!

 

Regards,

 

Jochen

Why object M_MATE_NEU?


Hi together

 

In different Retail systems we have (now) the object M_MATE_NEU which is used o.e. in transaction mm41.

Until now we inserted the object in the roles with MM41 because it is needed to create new products, etc.

 

 

But in my opinion this object is not necessary because you can control the creation with M_MATE_MAR or M_MATE_MAT.

There you can use the ACTVT to control the authorization (01, 02, 03).

 

I would like to deactivate the object in the SU24 for the transactions MM41, etc.

 

Has anyone had experience with M_MATE_NEU?

 

Thank you

Best Regards

Tobias

List of Developer Keys in the production environment


Can anybody tell me how to obtain a correct list of users with developer keys? There are currently two ways of getting a list of users with developer keys:

 

(1)Generate a list through the SAP support portal.

 

(2)Obtain a list of names in the DEVACCESS table.

 

Which is the correct method to use? My understanding was that all developer keys are on the "SAP support portal", and once a user uses their developer key the entry is added to the DEVACCESS table. Is this correct?
