Channel: SCN : Discussion List - Security
Viewing all 2353 articles

Problem with PRGN_INTERFACE_USER deleting SAP_ALL and SAP_NEW.


Hi all.

 

I'm having trouble with deleting SAP_ALL and SAP_NEW for users. I am using the FM PRGN_INTERFACE_USER, but it is not solving it. I pass the following parameters: Profile: SAP_ALL, user: ALEBWSEMBPS, action: 'D' and perform_checks: 'X'. Does anyone have any idea what is happening? The return is sy-subrc = 0.

 

Thank you and regards.

Erlon Lourenço


In which version of NetWeaver is Unified Connectivity (UCON) available?


hi all,

 

I just learned about Unified Connectivity (UCON) from this document: How-To Video Guides for More RFC Security with Unified Connectivity (UCON)

However, if I try to run tcode UCONPHTL, it is not available in my NetWeaver 731 SP03 system.

Is this new functionality only available in version 7.4? If it is also available in version 73, what SP level do I need to use the functionality?

 

thanks,

m./

Gateway Security: reginfo, secinfo, gw/acl_mode - how to set?


Hello,

 

our EWA complained about the Gateway Security Settings:

Gateway Access Control List (reg_info/sec_info) contains trivial entries

Parameter gw/acl_mode can be set to 1. SAP recommends setting gw/acl_mode to 1


So we set parameter gw/acl_mode to 1, which had the effect that the defaults for the files reginfo and secinfo got more restrictive.


If gw/acl_mode=0 the default is:

reginfo:

P TP=*

secinfo:

P TP=* USER=* USER-HOST=* HOST=*


If gw/acl_mode=1 the default is:

reginfo:

P TP=* HOST=local

P TP=* HOST=internal

secinfo:

P TP=* USER=* USER-HOST=local HOST=local

P TP=* USER=* USER-HOST=internal HOST=internal


With these settings everything is rejected, so we created our own files, which are less restrictive:

reginfo:

P TP=* HOST=local ACCESS=local,x.xx.*.*,%%RFCSERVER%%

P TP=* HOST=internal ACCESS=local,x.xx.*.*,%%RFCSERVER%%

secinfo:

P TP=* USER=* HOST=local,x.xx.*.*,%%RFCSERVER%% USER-HOST=local,x.xx.*.*,%%RFCSERVER%%

P TP=* USER=* HOST=internal,x.xx.*.*,%%RFCSERVER%% USER-HOST=internal,x.xx.*.*,%%RFCSERVER%%

 

All hosts from our network should have access.

 

But still we get reject messages in gateway log:

V Mon Aug 25 2014 20:01:17:721 created convid=52867721 (conn=11, act=23)

C Mon Aug 25 2014 20:01:17:721 client INIT (convid=52867721, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Mon Aug 25 2014 20:01:17:721 open client connection (lu=%%RFCSERVER%%, tp=IGS.SID, type=R3_CLIENT)

R Mon Aug 25 2014 20:01:17:721 reject client: TP=IGS.SID not registered

 

Or:

V Fri Aug 22 2014 16:34:50:803 created convid=73395803 (conn=2, act=3)

C Fri Aug 22 2014 16:34:50:803 client INIT (convid=73395803, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Fri Aug 22 2014 16:34:50:803 open client connection (lu=%%RFCSERVER%%, tp=WEBADMIN, type=R3_CLIENT)

R Fri Aug 22 2014 16:34:50:803 reject client: TP=WEBADMIN not registered

O Fri Aug 22 2014 16:34:50:803 open client connection (lu=hostname.domain, addr=x.xx.xxx.xxxx, tp=sapgw00, type=R3_CLIENT)

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), bytes sent 0

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), client sent 0 bytes in 0 packages

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), server sent 0 bytes in 0 packages

V Fri Aug 22 2014 16:34:50:803 removed convid=73395803 (conn=2, act=2)

 

 

What does this mean? I maintained both files and added "%%RFCSERVER%%", but this didn't help.

Typically access works like this:

V Mon Aug 25 2014 20:01:17:453 created convid=52865453 (conn=23, act=22)

C Mon Aug 25 2014 20:01:17:453 client INIT (convid=52865453, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Mon Aug 25 2014 20:01:17:453 open client connection (lu=hostname, addr=x.xx.xxx.xxxx, tp=sapdp00, type=R3_CLIENT)

C Mon Aug 25 2014 20:01:17:453 client ALLC (convid=52865453)

C Mon Aug 25 2014 20:01:17:453 client SEND (convid=52865453, length=28000)

C Mon Aug 25 2014 20:01:17:453 client SEND (convid=52865453, length=28000)

C Mon Aug 25 2014 20:01:17:453 send data to server (convid=52865453, length=28000, req_length=32000)

O Mon Aug 25 2014 20:01:17:453 open server connection (lu=hostname, addr=x.xx.xxx.xxxx, tp=sapdp00, type=R3_CLIENT)

 

But in the rejected case there is no "addr=...", just lu.

 

How do I have to maintain reginfo and secinfo to get this to work?

 

Regards,

Julia
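To make the rule syntax in the post concrete, here is an added Python illustration (not the gateway's own matching code, and not part of the original post) that models reginfo and secinfo entries as first-match access lists and runs a triage pass over gateway log lines in the format quoted above. It shows the difference between HOST= (the host a program is allowed to register from) and ACCESS= (the hosts allowed to use the registered program), and it groups the "R ... reject client" lines by TP together with the lu= of the preceding "open client connection" line. The meaning given to the keywords local and internal, and every host name and address in the block, are assumptions constructed for the example; the masked x.xx.*.* and %%RFCSERVER%% from the post are replaced by constructed values.

```python
"""Simplified checker for SAP gateway reginfo/secinfo entries, plus a triage
pass over gateway log lines. Added illustration only, not the gateway's own
code. Modelled rule syntax: P/D = permit/deny, TP=, HOST=, ACCESS=, USER=,
USER-HOST=, comma-separated host lists, '*' wildcards, top-down first-match
evaluation with an implicit final deny. The meaning of 'local'/'internal'
and all host names below are assumptions constructed for this example."""
import re
from fnmatch import fnmatchcase

# Constructed environment (assumption): the gateway's own host and the hosts
# treated as 'internal' (the system's application servers).
GATEWAY_HOST = "appsrv01.example.net"
INTERNAL_HOSTS = {"appsrv01.example.net", "appsrv02.example.net"}


def host_matches(pattern: str, host: str) -> bool:
    """Match one host-list element; 'local'/'internal' are resolved here."""
    if pattern == "local":
        return host == GATEWAY_HOST
    if pattern == "internal":
        return host in INTERNAL_HOSTS
    return fnmatchcase(host, pattern)  # e.g. 10.20.*.* or a host name


def host_list_matches(value: str, host: str) -> bool:
    return any(host_matches(p.strip(), host) for p in value.split(","))


def parse_acl(text: str):
    """Turn 'P TP=x HOST=a,b ACCESS=c' lines into (action, {key: value})."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        rules.append((action, dict(f.split("=", 1) for f in fields)))
    return rules


def check_reginfo(rules, tp, register_host, client_host):
    """May `tp` register from `register_host` (HOST=) and then be used from
    `client_host` (ACCESS=)? The first matching rule decides."""
    for action, f in rules:
        if (fnmatchcase(tp, f.get("TP", "*"))
                and host_list_matches(f.get("HOST", "*"), register_host)
                and host_list_matches(f.get("ACCESS", "*"), client_host)):
            return action == "P"
    return False  # no rule matched: implicit deny


def check_secinfo(rules, tp, user, user_host, start_host):
    """May `user` on `user_host` (USER-HOST=) start `tp` on `start_host` (HOST=)?"""
    for action, f in rules:
        if (fnmatchcase(tp, f.get("TP", "*"))
                and fnmatchcase(user, f.get("USER", "*"))
                and host_list_matches(f.get("USER-HOST", "*"), user_host)
                and host_list_matches(f.get("HOST", "*"), start_host)):
            return action == "P"
    return False


REJECT_RE = re.compile(r"^R .*reject client: TP=(\S+) (.*)$")
OPEN_RE = re.compile(r"^O .*open client connection \(lu=([^,)]+)")


def summarize_rejects(log_text: str):
    """Group 'R ... reject client' lines by TP, keeping the lu= of the
    preceding 'open client connection' line so each reject can be traced."""
    rejects, last_lu = {}, None
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            last_lu = m.group(1)
            continue
        m = REJECT_RE.match(line)
        if m:
            tp, reason = m.groups()
            rejects.setdefault(tp, []).append((last_lu, reason))
    return rejects


# The post's entries, with the masked address and %%RFCSERVER%% replaced by
# constructed values.
REGINFO = """
P TP=* HOST=local ACCESS=local,10.20.*.*,rfcsrv.example.net
P TP=* HOST=internal ACCESS=local,10.20.*.*,rfcsrv.example.net
"""
SECINFO = """
P TP=* USER=* HOST=local,10.20.*.*,rfcsrv.example.net USER-HOST=local,10.20.*.*,rfcsrv.example.net
"""
# Constructed log excerpt in the format quoted in the post.
SAMPLE_LOG = """
O Mon Aug 25 2014 20:01:17:721 open client connection (lu=rfcsrv.example.net, tp=IGS.SID, type=R3_CLIENT)
R Mon Aug 25 2014 20:01:17:721 reject client: TP=IGS.SID not registered
O Fri Aug 22 2014 16:34:50:803 open client connection (lu=rfcsrv.example.net, tp=WEBADMIN, type=R3_CLIENT)
R Fri Aug 22 2014 16:34:50:803 reject client: TP=WEBADMIN not registered
"""

if __name__ == "__main__":
    reg, sec = parse_acl(REGINFO), parse_acl(SECINFO)
    # HOST= names the registering host, so a program registering from the
    # external RFC server host is not covered by these two rules.
    print(check_reginfo(reg, "IGS.SID", "rfcsrv.example.net", "10.20.5.6"))
    print(check_reginfo(reg, "IGS.SID", GATEWAY_HOST, "10.20.5.6"))
    print(check_secinfo(sec, "WEBADMIN", "JULIA", "10.20.5.6", GATEWAY_HOST))
    print(summarize_rejects(SAMPLE_LOG))
```

Running the block prints False, True, True and the grouped rejects. The point the checker makes visible is that an ACCESS= list only widens who may talk to an already-registered program; whether the program may register at all is decided by HOST=, so the two lists are worth reviewing separately when rejects appear.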

Block the authorization in QM results recording


Hi All...

 

I am a QM consultant... I have some problem regarding authorization...

We have 2 levels of authorization in the QM module.

The 1st level is only allowed to record the results; they should not be allowed to reopen closed results and edit the result. We tried to do this by using the result record status (Tcode for results recording: QE01), but we are not able to restrict the users. The thing is, when the user enters the result and after doing the valuation & closing, the status becomes 5. After that the user should not be allowed to reopen, meaning status 2. How to do it???

Please share some inputs....

 

 

srini

OM Authorisations - PLOG


Hi

 

During a recent review of GRC rule sets for HR, I came across certain OM Tcodes for which object PLOG is not being checked; instead only P_ORGIN is being checked in the ruleset, i.e. the SOD analysis will get all the users having the Tcode & P_ORGIN values, irrespective of whether they have PLOG defined in their profile. (For e.g. for Tcodes like PO14 & PO01, included in the HR05 function, P_ORGIN values are being checked.)

 

On further testing it was observed that one can make changes in certain OM infotypes (IT1000), irrespective of P_ORGIN values, i.e. only on the basis of the change access provided for PLOG. These changes were not reflected on the PA side though. For e.g. I could create a Job with values only for PLOG; however, I could not assign the same to a person, since P_ORGIN was missing.

 

However, on assigning only P_ORGIN without PLOG, I was unable to execute the transaction.

 

While I understand that P_ORGIN would be necessary due to the PA-OM integration, I am trying to validate which is the more crucial object.

 

Hence I request inputs from Security team members who have handled HR authorisations to share their insights on which of the objects, PLOG or P_ORGIN, is more relevant for OM tcodes. It would be even better if we could debate which object should be enabled in GRC.

Need help regarding this auth object..


Hi All,

 

We sometimes see that, though there is no authorization error, when functional consultants execute tcode 'SU53' they get the 'S_USER_PRO' auth object as the result. As most of them don't have a clear idea on the technical side, they come to us saying that when they try to populate a value during Material master creation or so, the form doesn't go forward but rather remains.

When they check whether this is related to an auth error by typing SU53, it shows the 'S_USER_PRO' auth object with some value. At times, it becomes difficult to explain to them that it's not an auth error. My question is: why does this auth object remain in the SU53 output though the issue is not related to it?

 

Thanks,

 

MJ

Password-hash calculation


hi!


Passwords of our internet users are stored in BAPIUSW01-PASSWORD as a password hash. The hash is calculated by the system call XXPASSNET.


After we changed the password ruleset (kernel parameters login/min_password_digits and so on), hashes generated previously are not valid passwords anymore. The call returns an empty hexpass. In other words: no user can log in anymore.


Is there a way to calculate a hash from a given string (= password) in the same way as XXPASSNET does? I already tried FM MD5_CALCULATE_HASH_FOR_CHAR or CALCULATE_HASH_FOR_CHAR, but they do not return the same result. It looks like XXNETPASS does not use MD5 or SHA1 but something else?


We authenticate using BAPI_PAR_EMPLOYEE_CHECKPASSWOR, which calls FM WWW_USER_AUTHORITY; inside, XXNETPASS is called.


Thanks for any information


Roland

BW 7.0 to 7.3 upgrade-Post upgrade activity and Transport the changes


Hi Experts,

 

We have upgraded our BW system from Release 7.0 to 7.3. As part of the Security post-upgrade activity I ran the migration steps,

RSECADMIN -> Extras -> Migrations -> Migration: Release 7.0 to Release 7.3, and later the SU25 steps too.

 

I fixed the roles that appeared in SU25 Step 2C and made the below characteristics auth relevant:

0TCAACTVT

0TCAIPROV

0TCAVALID

 

But I have a few doubts before the Quality movement:

 

1) Do I need to run the migration steps again in Quality and Production?

RSECADMIN -> Extras -> Migrations -> Migration: Release 7.0 to Release 7.3

 

2) Do I need to transport only the above characteristics to Quality and Production, or do I need to transport all the characteristics and analysis authorizations?

 

3) How do I transport characteristics?

 

Please provide your views.

 

Regards

Parag


ABAP Runtime Errors MESSAGE_TYPE_X



Dear Gurus,

 

During my testing on DEV (ECC+ISU) regarding creation of an Inquiry Document (T code: VA11), I got a runtime error as I saved the document. I informed the ABAPer about this issue, and he suggested that this can be resolved by the Basis team through an OSS note.

 

The runtime error screenshot illustrates the Error Analysis section, in which it is mentioned that such an error occurs when transferring SAP Sales Orders to CRM. Later, in the procedure for removing this problem, it is recommended to maintain table CRMPAROLTP in the SAP system as described in SAP note 691710 (refer to the attached Word file). According to the Basis team they have implemented the course of action provided in the relevant OSS note, but the same error is coming as I save the document.

 

This issue has been forwarded to the SAP AG team as well, but for the last 5 days no action has been taken yet. Due to this error I am getting far from my project deadline. Still I could not understand why such an error conflicts with the CRM table that exists.

 

Kindly cooperate in resolving this issue urgently.

 

 

Thanks

COPA reports KE30 - restricting the ability to Save definitions


Hi All,

 

Has anyone been able to restrict the ability to Save Definition (Report -> Save Definition) while allowing a user to save data?

 

I have been playing around with auth object K_KEB_REP and Activity L0.

 

If I remove this activity, yes, the user cannot save the definition, but they lose a lot of other functionality from the "Report" menu like saving data, exporting and so forth.

 

I only want to restrict the Save Definition option.

 

Is there a way to do this?

ERROR: -> ID21108 While Importing Keystore from Third Party


Hello,

 

I am attempting to import a third-party keystore into an SAP PI 7.1 Java instance using the URL below as the process for importing. While attempting to import I am receiving the error below. I am currently running with the unlimited local_policy.jar file, so I should be able to import a key of any encryption strength. Assistance would be appreciated. Thank you.

 

Procedure for Importing Keystore:

How to Load keys and certificates in SAP PI 7.3, SAP PO 7.3 EHP1 NWA's Key Storage

 

Keystore Import Error Message:

ERROR:  -> ID21108: ASN.1 creation error: iaik.asn1.CodingException: Length: Too large ASN.1 object: 109

How to assign a single role to all 700 BI users


Hi all,

 

I have created a new role, which needs to be assigned to all the users in BI. I have the list of users, but I need to copy all of them manually and assign this role to those users!!

 

 

Is there any way in which I can use any ABAP programs/function modules wherein I can assign this single role to all the listed users in the BI system?

 

Thanks

Pooja

Object PLOG disabled for certain OM transactions


On analysing the auth objects enabled in GRC for the Organisation Management module of HR, I notice that:

 

1. A key OM authorisation object 'PLOG' is disabled and instead P_ORGIN is active, for e.g. Tcodes like PO14 & PO01, included in HR05.

 

2. In some instances the values of field 'Otype' for PLOG are inadequate, for e.g. A) for Tcodes PPOC, PPOCE only values C & P have been included, which are inadequate. B) Tcode PP01: only C & P are enabled.

 

My Concern :

 

P_ORGIN controls PA modules in HR and may also be getting called due to the integration between PA & OM. However, without the PLOG object, OM tcodes cannot be executed. On testing I find that without P_ORGIN I can still make changes on the OM side, but PLOG is mandatory (these changes may not get reflected on the PA side due to missing P_ORGIN). Hence I am trying to understand why PLOG is disabled in the standard ruleset for certain OM tcodes.

 

I have tried numerous searches on SCN/the net to find any relevant notes/updates on these objects & their treatment in GRC, but barring a few notes wherein new tcodes have been included in some function IDs, I do not get any reference. (For e.g. in Note 1083611, PPOC is updated with auth object P_ORGIN, but not PLOG!)

 

Since I am neither a developer/programmer nor a functional consultant working actively on any project right now, I do not have any means to raise an incident in the SAP marketplace.

 

Hence I am requesting the experts to please provide insight.

SAP Secure Network Communication (SNC) with AS400 server


Hello,

 

I doubt if I can configure SNC connections in the following environment:
  - client in SAP GUI (Windows and Mac)
  - server is AS400, SAP_BASIS 731 and SAP_APPL 606

If possible, where can I find documentation on the configuration of the server?


Best regards!


SAP SEM-BCS authorization


Hi Experts,

 

I am creating roles for SAP SEM-BCS and I am stuck at maintaining authorization data for the object R_UC_TASK.

My requirement is to restrict at profit center level. So I have assigned role VERSION to field Profit center in UCWB and saved it. Now I have 2 versions, 1 cons unit, 1 cons group, which is less than seven fields. As per my understanding, Profit center should now be available in PFCG. But I don't see Profit center values to maintain in PFCG. Please advise if I am missing anything here.

 

I appreciate your help.

 

Thanks,

Chakravarthi


ERROR: -> Cannot export - JAVA is not the current PSE provider!


Hello Colleagues,

 

in our SAP PI 7.31 dual-stack system we are facing the following error "ERROR:  -> Cannot export - JAVA is not the current PSE provider!" under NetWeaver Administrator (NWA) -> Certificates and Keys: Key Storage, if we click the button "Export View to PSE" for view "ICM_SSL_*".

 

001.jpg

 

002.jpg

 

As by default for ABAP and dual-stack systems, profile parameter "ssl/pse_provider" is set to ABAP.

 

How are we able to solve that issue?

 

Many thanks in advance!

 

Regards,

 

Jochen

User id login time control


Dear Expert,

 

I would like to control some user IDs which cannot be used at particular times (e.g. peak hours). Could you advise if there is any configuration setting which can set up a login time limit for a particular user ID? (e.g. CUA; if yes, could you advise?) Thanks very much!

 

Rdgs,
Emily

Authorization error after opening an IP template


Hi experts,


A user is trying to plan data in an IP template, but he cannot do it due to a lack of authorization.

 

I have checked this user in RSECADMIN and he is able to execute the query, but when he opens the IP template, writes the variables and executes, he gets an authorization error. I guess some authorization element is missing; any help would be appreciated!

 

Thanks

SAP NWBC Functional Standard SAP Roles EHP6



Gurus,

 

Does anyone know which functional (PP, MM, PM, QM, SD, LE, WM) roles we should normally assign to users in the back-end system? A quick answer would be really appreciated... A good link or roles list would be great... I found some roles when I searched *NWBC* and assigned those, but it did not work because the user was not able to see the functionalities on the NWBC client screen. Then I created some MENU-based roles and assigned them, and it worked... But I would like to know the proper roles for each functional area, either single or composite role... Thanks Gurus

Segregation of Duties (SOD) - SAP Security Audit


Hi All,

 

Could I know how we could manage users' access and roles in SAP and review them regularly to make sure that there are no system breaches? I usually use SUIM, but I'm looking for a report that I could run for multiple users against any new roles assigned. It would be great if someone could share his experience with us.

 

 

Best Regards,

Abdulla AlQassimi
