Channel: SCN : Discussion List - Security

Structural role assignment in SRM


Hi all,

 

This is my first post, I hope I will find an answer to my question.

 

We are about to implement SRM and our security strategy is to use the structure to assign the roles to the position and to the org unit. We did this in our ECC system and it works as expected; however, in SRM the relationship between the employees and the user ID via Infotype 0105 doesn't exist. In the SRM structure the relation is with the BP. Does anyone know if there is a program like PFCG_TIME_DEPENDENCY in SRM to update the users' roles based on their position assignment?

 

I tried many things like USER_GEN, BBP_BP_OM_INTEGRATE but it doesn't seem to do what I'm looking for. Also, does anyone know what the purpose of the attribute role is? I tried to assign a role to this attribute but it seems useless.

 

Thanks,


How to get all the auth objects which belong to a specific auth class into a role


Hi Team,

 

I have a requirement to create a role with all the authorization objects which belong to the FI module.

So in the FI authorization class we have a total of 247 authorization objects. Now how should I get these authorization objects into a role directly? (Without using the Manually option, because it consumes lots of time.) Please help me out to solve the issue.

Thanks in advance.

Requirement to separate roles with only difference in profit center group


Hi Team,

 

We have a requirement where we need to separate access for users belonging to 2 different user groups in the ECC system. For the 2 user groups, the only difference in org values is in the profit center group; all other org values, i.e. company code, plant etc., are the same.

 

Please suggest any possible option to achieve it.

Mass deletion of SAP roles from users


Hello All,

 

I need to delete all assigned roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the user IDs.

I know SU10 and I can select all my needed users. But in the role tab I cannot work with role names like Z* to delete. I can select all Z* roles and select "remove", but when I click to save, I get the message no changes made on the users???

 

Any idea?

 

Regards

Toni

MM02 tcode attachment list remove procedure


Dear Experts,

 

MM02 Tcode security issue

 

  1. In MM02, mention the material number and choose the Basic view & click on "Attachment list" as shown below
  2. Once you click on attachment, you can see the attachment list in pop-up where you can select & view the documents.

NOTE: But we need to remove the attachment list view authorization. Could you please give a solution for blocking the attachment list & create attachment?

We are tracing the tcode through ST01, but we are finding only three objects: S_BDS_DS, S_ALV_LAYO, S_GUI. I checked and blocked the objects, but it does not work.

 

Please help me to sort out the issue.

 

Best Regards

Suresh M

PFCG: copy menus with option Import from file



Hi Gurus,

 

I need to assign my workbooks to a role. I came across the option of import from file and also checked OSS note 389675. Does anybody know how we can create YOUR_OWN_NODE described in this OSS note? Also, is there any other option to upload workbooks to menus without doing it manually?

Kindly help on this.

 

Thanks

Pushpa

To Restrict the Authorization to create new Version in ME22n for particular Users


Dear Experts,

 

In ME22n there is a Version tab. Whenever users are creating a new purchase order (PO) it is mandatory to create a new version. But whenever there is a modification in a purchase order (PO) it is creating a new version for the same PO. Moreover, users want versions to be created only by a particular user (MMAT3) but not by MMAT2 when they are performing modifications. Can I know the authorization object related to the Version tab in Purchase Order (PO) transactions (ME21n, ME22n, ME23n) to restrict MMAT2 users, so they will be restricted from creating a new version when they are performing modifications for the same PO?

I have monitored many posts and forums to find the Version tab object in the above transactions, but I cannot find it to restrict. Please suggest a solution to restrict it.

 

Thanks, Regards,

Harsha.

RFC - System /Service User Authorizations


Hi Experts,

 

We are in need of providing correct authorizations for RFC-System & Service users in our SAP system.

Currently we have the SAP_ALL & SAP_NEW profiles for these users, which have to be removed as per audit requirements.

We are tracing users' authorizations (one by one) via ST01 & adding all the objects into a single role.

Is it the correct approach? Is there any other way to trace multiple user IDs?

Waiting for your valuable feedback!

 

 

Regards,

Nivin


For SU01 automatically addition of field extension with "0" in child system



Hi

 

IDs and roles are created through CUA and then distributed to the child systems. However, in one of the child systems, the users are automatically assigned a value 0 in the extension field of SU01. This is then not allowing the program RSEOUT01 to be executed in the CUA system.

 

We checked the error message in SCUL and it says "No telephone number entered".

 

Can anybody help?

 

 

Regards

Is it possible to authenticate the SAP GUI user against LDAP ( no SSO )


Hi

 

I was under the impression that you can use LDAP to authenticate your SAP GUI user (so users do not have to maintain and remember multiple passwords).

However, note #603208 claims that this is not possible.


This is quite an old note; is this still true?




Note #793191 (FAQ) says:


9. Can I synchronize user passwords?

 

Response: No.

 

The password cannot be synchronized. For more information, see Note 603208.



and note #603208 says:


A comparison of the production password with a directory is not possible.
The following reasons are responsible for this:

  • The password is not stored in plain text or in "enciphered" form, neither in SAP Web Application Server nor in the directory; rather it is stored as a "hash value" that is calculated from the password that is entered. The function used for this is especially designed so that the password CANNOT be reconstructed from the hash value.
    For technical reasons, the user master synchronization cannot therefore extract the plain text of the password and send this to another system.
  • The user's password has a size that is known only to the user. Even the system administrator and database administrator cannot obtain any information about the password.
    A comparison in plain text form would violate this basic rule. For this reason, the use of a hash value is a generally applied standard.
  • Often the adjustment of passwords in several systems is equated with the term "Single Sign-On".
    However, this term must only be applied if the user logs on once and this logon information is transferred within the system infrastructure.
    The SAP Web Application Server supports real Single Sign-Ons (note 138498).

the 'import proposal' option for the LDAPMAP transaction is disabled


Hi

 

I am trying to set LDAP authentication for my SAPGUI users - so they can login with their Active Directory logon/password

 

At the Mapping stage I am trying to import a proposal, but the Utilities --> Import proposal option is greyed out.

In fact everything is disabled except 'Export XML'.

 

Any idea what is missing?

I have the SAP_ALL profile, so I don't think it's authorization.

 

We have NetWeaver 7.0 SP 16 (7.2 Kernel)

 

thanks

Orna

Need help on deciding SSO Strategy


Hi All,

Can you please guide me on deciding upon an SSO strategy for BW, BPC, HANA and Business Objects?

 

Thanks,

Shyam

Authentication user in LDAP without configuration?


Hi

 

I would like to check (validate) user name and password at the active domain.

I found FM LDAP_SIMPLEBIND.

When I used LDAP_SIMPLEBIND to validate user name and password at the domain, I got the error message (CONFIG_ERROR: Error in the configuration in the SAP system (for example, a non-existent LDAP server ID was specified)).


Is there some FM in SAP only for validating user name and password, without configuring LDAP in SAP or other unnecessary things?

In C# it is simple code without any configuration. Only:

// PrincipalContext is in System.DirectoryServices.AccountManagement
using (var context = new PrincipalContext(ContextType.Domain, "mydomain")) {
    return context.ValidateCredentials(username, password);
}


Thank you

Organization level control on Role


Dear security gurus.

 

I have 2 business roles in company and 2 subsidiaries under HQ.

Each company has

- Account clerk

- Account manager

 

HQ's clerk&manager: be able to check all company's data.

Subsidiary's clerk&manager: be able to check ONLY their own company's data

 

In this case, I have to create these 6 roles, because

company code restriction can be controlled only by role, not user.

Am I correct?

 

1.HQ's manager(Company code: *)

2.HQ's clerk(Company code: *)

3.Subsidiary1's clerk(Company code: 1)

4.Subsidiary1's manager(Company code: 1)

5.Subsidiary2's clerk(Company code: 2)

6.Subsidiary2's manager(Company code: 2)

 

Yoshi

Internet access to ECC environment


Hi, guys

 

Currently our end users log on to our ECC environment from our network, with SNC access and SSO via Kerberos (with the Microsoft Kerberos library gsskrb5.dll).

 

Now we're planning to grant some users SAPGUI access to our ECC environment through the Internet. Our planned landscape would be as follows:

 

     SAPGUI (end-user) --> SNC (WAN) --> Firewall --> SAProuter (in DMZ) --> Firewall --> ECC

 

 

SNC connection MUST be used between SAPGUI and SAProuter, so any other traffic or connection attempts would be rejected by our SAProuter.

 

This network topology is currently used in our SAP Support Channel connection, but there's a SAProuter at the SAP side. Is it possible to allow connections from end users directly to our SAProuter using Internet access? Would it be a security hole in our organization? Is it necessary to install any additional software (SNC-certified software by SAP)? What do you think about IP rules in our firewall (only allowing connections from an IP range)?

 

Any recommendation or best-practice is welcomed.

 

Best regards,

 

Sergio Sánchez


Role Assignment to Workflow Tasks


Hi Experts,

 

Any hints on below requirement please :

Details:

1. For a role in transaction PFCG, I don't see the Workflow tab

2. For the same role in transaction SUIM, I can see the Workflow tab and the tasks assigned.

3. Now, I have a list of workflow tasks and I need to assign Role X, Role Y to all of them

What is the correct and best way to do this?

- Role-Task Assignment ::: Is it enough if I add all the workflow tasks in SUIM transaction(workflow tab) for both roles X,Y

or

- Task-Role Assignment ::: Can I assign both Roles X,Y in pftc transaction for each of the workflow tasks

or

- Both need to be done

 

Thanks in advance ...

~Ali~

Pay Update restriction


Hello,

I have the following requirements:

1- A user should not be able to update their own information
2- The same user should not be able to display the payroll info for each person in their department

I have tried P_PERNR with the following values:

AUTHC = R, M
PSIGN = I
INFTY = *
SUBTY = *

AUTHC = W, S, D, E
PSIGN = E
INFTY = 0008
SUBTY = *

with no luck.

Thanks for your help

Osama Khalifa

mm02 hide tabs and fields



Hi Guys,

 

I've been asked to give some people access to MM02, but they can only access the MRP2 tab and the net requirements calculations.

 

 

Is that possible?

 

I found in authorisations how to only show MRP tabs, but they only want the MRP2 tab and the net requirements calculations.

 

Thanks in advance

 

Btw, this is my first post here; we started with SAP since June, we are live.

Allowed SAP_all profile in PRD ECC server


Dear Team,

 

We are getting the Yellow rating in EWA. I wanted to know how many users with the SAP_ALL profile are allowed.

 


 

How can we remove the Yellow rating from EWA?

 

RK

Maximum no. of Profiles exceeded and not working even after deleting roles from User


Hi Everyone,

 

I have a similar issue: the maximum no. of profiles is exceeded for a user for a child system (the user is created in the CUA system), and when I delete the roles from the user for the child system from the CUA system, I am able to delete the roles. But the issue is, I am not able to see the changes being reflected for that user in the child system. IDocs in the SCUL tcode are again showing "Maximum number of profiles for user exceeded".

 

What can be done to resolve this?

 

Regards,

Shruti
