Channel: SCN : Discussion List - Security

2 Char value for ' ' or DUMMY


Hi everyone, I have the following issue.


I'm filling in the fields of the organization levels, and I ran into a specific field that is defined as 2 characters. For that org. level I need to set a value of ' ' (single quote, space, single quote), but the problem is that I can only input up to 2 characters, which will only give '  (single quote, space).

 

Is there any way to find a one char or two char value that does the same job? Or is there any way to bypass the 2 char input limitation?

 

Thanks in advance.

I'll appreciate any help you could give me.


Variant SAP&_ACTVGRP of program RSUSR002 is not the current version


Hi SAP Experts,

 

I have a problem with my BW system; when I tried to use SUIM:

SUIM - User - Users by Complex Selection Criteria - By Role

 

Error message appears:

"Variant SAP&_ACTVGRP of program RSUSR002 is not the current version"

 

Does anyone have experience with this problem? Please help me to solve it.

 

Best Regards,

Husin

SUIM security-audit checklist....


Hello, I found a checklist for SAP security auditing in SUIM. I searched for some of them on the internet, but I am confused.

I think it can be a very helpful checklist for people working in SAP security auditing.

If you have time, can you please tell me what these reports mean, in 1-2 sentences each?

(I know there are quite a lot of them, but I think it can be a really good source for people who want to work in SAP security auditing like me.)

 

Thank you very much

Regards..

 

 

SUIM--->>>>

 

 

1) S_TCODE = SM36; Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria: Unlocked users only

2) S_TCODE = SM37; Authorization Object 1: S_BTCH_JOB, JOBACTION = *; Additional selection criteria: Unlocked users only

3) S_TCODE = SM35; Authorization Object 2: S_BDC_MON1 = *; Additional selection criteria: Unlocked users only

4) S_TCODE = SE18; Additional selection criteria: Unlocked users only

5) S_TCODE = SE19; Additional selection criteria: Unlocked users only

6) S_TCODE = SM69; Authorization Object 1: S_RZL_ADM = 01; Additional selection criteria: Unlocked users only

7) S_TCODE = SM49; Authorization Object 1: S_LOG_COM, COMMAND value: #*, POSYSTEM value: #*, R/3 value: #*; Additional selection criteria: Unlocked users only

8) Authorization Object 1: S_RFC, RFC_TYPE: FUGR, RFC_NAME: #*, activity: 08; Additional selection criteria: Unlocked users only

9) S_TCODE = SECR; Authorization Object 1: S_IMG_ACTV, Project no: 900, ACTVT = 02, IMG value = #*; Authorization Object 2: S_PRO_AUTH, Project no: 900, ACTVT: 03; Additional selection criteria: Unlocked users only

10) S_TCODE = SU01; Additional selection criteria: Unlocked users only

11) S_TCODE = SU01; Authorization Object 1: S_USER_AUT, ACTVT value = 03 or 08; Additional selection criteria: Unlocked users only

12) S_TCODE = SU02; Additional selection criteria: Unlocked users only

13) S_TCODE = SU03; Additional selection criteria: Unlocked users only

14) S_TCODE = SU10; Additional selection criteria: Unlocked users only

15) S_TCODE = RZ10; Authorization Object 1: S_DATASET, ACTVT value = *; Authorization Object 2: S_RZL_ADM, ACTVT value = 01 or 03; Additional selection criteria: Unlocked users only

16) S_TCODE = SE16; Authorization Object 1: S_TABU_DIS, Authorization group = SC, ACTVT = 02; Additional selection criteria: Unlocked users only

17) S_TCODE = SNRO; Authorization Object 1: S_NUMBER, Value = #*, ACTVT = 01, 02, 11; Additional selection criteria: Unlocked users only

18) S_TCODE = SCC4; Authorization Object 1: S_TABU_DIS (Table Maintenance via standard tools such as SM30), ACTVT = 01, 02, 03, Authorization group = SS; Additional selection criteria: Unlocked users only

19) Authorization Object 1: S_ADMI_FCD, Value: SP01 or SPOR; Authorization Object 2: S_SPO_ACT, Value = ATTR (change attributes of protected spool request) or BASE (see protected spool requests in the output controller [determine whether the spool request exists], display request attributes) and DELE (delete request manually) or REPR (output protected spool request more than once); Authorization Object 3: S_TMS_ACT (Actions on TemSe objects), STMSOWNER value = GRP (external TemSe objects in own) or OWN (own TemSe objects); Additional selection criteria: Unlocked users only

20) S_TCODE = SCCL; Authorization Object 1: S_CLNT_IMP, Activity = 21, 60; Authorization Object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria: Unlocked users only

21) S_TCODE = SCCL; Authorization Object 1: S_CLNT_IMP, Activity = 21, 60; Authorization Object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria: Unlocked users only

22) S_TCODE = SM31; Authorization Object 1: S_TABU_DIS, ACTVT = 01; Authorization Object 2: S_TABU_CLI, CLIIDMAINT = X; Additional selection criteria: Unlocked users only

23) S_TCODE = SM30; Authorization Object 1: S_TABU_DIS, ACTVT = 01 or 02; Authorization Object 2: S_TABU_CLI, CLIIDMAINT = X; Additional selection criteria: Unlocked users only

24) S_TCODE = SA38 or SE38; Authorization Object 2: S_PROGRAM, Value = SUBMIT; Additional selection criteria: Unlocked users only

25) S_TCODE = SA38 or SE38; Authorization Object 2: S_PROGRAM, Value = SUBMIT; Additional selection criteria: Unlocked users only

26) Authorization Object 1: S_TRANSPRT, Value = 43

27) S_TCODE = SE01; Authorization Object 1: S_TRANSPRT, Value: 1, 2; Authorization Object 2: S_DATASET, ACTVT: 06, 33, 34

28) S_TCODE = SE03; Authorization Object 1: S_TRANSPRT, Value: 06, 43; Authorization Object 2: S_CTS_ADMI, Value: TABL

29) S_TCODE = SE10; Authorization Object 1: S_TRANSPRT, Value: 01, 02; Authorization Object 2: S_DATASET, Value: 06, 33, 34

30) S_TCODE = SCC4; Authorization Object 1: S_CLNT_IMP, Value: 21, 60; Additional selection criteria: Unlocked users only

31) S_TCODE = SM12; Authorization Object 1: S_C_FUNCT, Value = *, activity value = 16; Authorization Object 2: S_ENQUE, S_ENQ_ACT value = *

authorisation group for reports ??


Hello friends,

 

Can someone tell me how I can create a new authorization group for programs/reports? I need to use this value in authorization object S_PROGRAM, field P_GROUP.

From SAP help, I understand that table TPGP should be updated. But should I update the table directly, or is there some additional transaction available?

 

(I am not talking about authorization group for tables)

 

thanks

ashish

 

Edited by: ashish vikas on Jan 7, 2011 7:17 PM

 

Edited by: ashish vikas on Jan 7, 2011 7:19 PM

Identifying Characteristic based on Infocube


Hi All ,

 

I need some suggestions on how to identify which characteristic is authorization-relevant for the respective InfoCube.

 

 

For example, when a user executes a query through BEx (e.g. U_ABC_MFA01_0006) and in RSA1 the MultiProvider is assigned to 3 InfoCubes, is there any table or transaction where I can identify which authorization-relevant characteristics (like company code, organizational key etc.) the user requires for the cube in order to execute the report?

At the moment we are running a trace and looking at the table RSECVAL to identify the role.

authorization upgrade


Hi all,

 

I have got a question: an upcoming release update from 4.6 to ECC6.0 will of course also affect authorizations.

Can I analyze the affected roles in the system before I execute SU25, and if so, how? Or do I have to wait for the results from SU25?

It would be great to get an impression of the work that needs to be done before I "press the button".

Thanks for any helpful answer.

SAP SSO with X.509 automate process with RSUSREXT


Hi,

We are trying to implement SAP SSO with X.509 certificates for HTTPS access (NWBC).

Environment is: Windows 7 clients, Internet explorer, Netweaver ABAP 7.31 on Win 2008 r2, Win PKI.

 

I've done the following steps:
1. Configured SAP to accept certificates.

2. Created certificate template "SAPSSO" in our PKI (Build from AD information, Subject name contains "Fully distinguished name", include e-mail, include User principal name in subject alternative name)

3. Started certmgr.msc on my client and requested a new certificate from the "SAPSSO" template.

  The new cert is stored on my client in my certificate list in certmgr.msc (later this should be done with AD autoenrollment).

4. Activated the certmap service in SICF https://mysapserver/sap/bc/webdynpro/sap/certmap

5. Opened the certmap service in my browser and linked the certificate with my SAP username.

6. Checked the entry in table USREXTID. The certmap service created a "DN" (distinguished name) entry for me.

EMAIL=firstename.lastname@company.com, CN=Firstname Lastname, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

7. Import Master certificate in STRUST

From this point everything is working fine for my user.

 

Now I want to generate the entries of the USREXTID table with the RSUSREXT report.

The report generates the SAP username as part of the DN.

For example, I am able to build this DN with RSUSREXT:

EMAIL=firstename.lastname@company.com, CN=MYSAPUSERNAME, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

But this DN does not match my DN in my certificate!

 

My problem now is that I do not have my username in the DN of my certificate. Because of this, I cannot generate the table entries with this report.

In this KBA Andre Fischer talks about implementing policy modules for the certificate template to be able to generate the Windows sAMAccountName into the DN.

"Reading other attributes than common name or fully distinguished name from the AD is a little bit trickier and requires a custom policy module."

Single Sign-On for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory

 

I managed to change the template so that principalname=MYADUSERNAME is added as a subject alternative name in my certificate.

But I don't know how to fill the USREXTID table to match the SANs in my certificate.

 

Does anyone have a solution for the AD certificate template to generate the AD account name in the DN?

Or does anyone know how to fill the USREXTID table so that the principalname is matched?

 

(PS: the SAP username and AD name are the same for all of our users)

 

Kind regards

Manuel

Old Batch Input Sessions – what is the risk ?


We have a system that contains some old Batch Input sessions, that have not been processed.

 

Looking in SM35 I find sessions with status New, Errors, In processing, In Background or Creating. Some of the sessions are locked, but most of them are unlocked.

 

 

I would appreciate your help to answer the below questions:

 

1)  What is the risk of having these old Batch Input Sessions ?

 

2) What is the best approach to mitigate the risk ?

 

3) What is best practice for governance of Batch Input ?


Application not working on EHP7


Hi,

 

I have a query regarding one of the applications functionality. We have the sandbox portal running on EHP5 and Dev Portal running on EHP7.

There is an application which runs fine on Sandbox Portal but the same application doesn't work on Dev Portal even when the application parameters and system aliases are set properly. The application flow/navigation is not happening under EHP7.

 

Could anyone please let me know what the proper resolution to this could be?

 

Regards,

Yuvraj

Blocking issue after replacing a SSL certificate ok with a new SSL EV (Extended Validation) one


Dear Security Experts,

I need your kind help with a problem which is preventing us from using a quite critical (UK HMRC Gov site) web-service-based application, which used to work like a charm until we replaced the SSL certificate downloaded from the web service application host.

 

What we see changed is that:

 

WITH PREVIOUS SSL CERTIFICATE NO PROBLEM:

 

at expiry (as required by the certificate+host owner) we used to download the new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and, after importing it in SAP with STRUST and testing it, we had absolutely no problem, and we noticed that the Target Host shown below was matching the website URL indicated for using the web service we needed

previous-certificate-ok_target-host-same-as-website-url.jpg

 

WITH NEW SSL EV (Extended Validation) WE ARE BLOCKED INSTEAD:

after downloading the new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and importing it in SAP as always, we cannot work anymore and notice the two following problems:

a) the Target Host shown below does not match anymore the website URL ‘https://emcs.ws.hmrc.gov.uk’ we used to know and from where we download the new certificate itself:


new-EV-certificate-ko_target-host-different-from-website-url.jpg


and when our app calls the web service, normally expected to know the URL emcs.ws..., the new Target Host displays instead (it has a page for human manual login...)


b) application fails with different kinds of errors reported in SMICM logs (SSL_ERROR_SSL, SSSLERR_SSL_CONNECT related to icxxconn.c): in the logs we can see details of SSL NI-sock parameters from our  local=IP:PORT(normally high>50000) and web service host that we need to call at peer=23.223.63.18:443


The web service provider states that the endpoints we need to submit to are unchanged and remain as detailed on page 1 of the ‘EMCS Guide to Web Services’ document published at http://www.hmrc.gov.uk/softwaredevelopers/emcs/emcs-guide.pdf. For example, we still send a message to WS https://emcs.ws.hmrc.gov.uk/EMCS/SubmitDraftMovement/3. However, the relevant certificate authentication is at ‘emcs.ws.hmrc.gov.uk’ level.


Thank you in advance for kind indications about what you would check on our SAP side in order to recover web service communication with the new certificate installed and the diagnostics given (for a.m. I apologize, as I am no SAP Security expert but only the local project demand manager).


Kind regards,

Aldo
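An added example, not part of Aldo's post or of any SAP tooling: a small Python check that compares the host name an application calls against the dNSName SAN entries (falling back to the CN) of a certificate, which is the kind of "Target Host differs from the URL" mismatch described above. The two certificates and all host names are constructed placeholders; `fetch_peer_cert` is only needed for a live check and uses the network.

```python
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the host names are placeholders, not real sites.
OLD_CERT: Dict = {
    "subject": ((("commonName", "ws.example.com"),),),
    "subjectAltName": (("DNS", "ws.example.com"),),
}
NEW_EV_CERT: Dict = {
    # The replacement certificate names a different host than the URL we call.
    "subject": ((("commonName", "gateway.example.net"),),),
    "subjectAltName": (("DNS", "gateway.example.net"), ("DNS", "*.example.net")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    left-most label, never matching across a dot or a bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (SAN dNSNames, subject CNs) from a getpeercert()-style dict."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return sans, cns


def cert_covers_host(cert: Dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname. SAN entries win; the CN is
    consulted only when the certificate carries no dNSName SAN at all."""
    sans, cns = certificate_names(cert)
    candidates = sans if sans else cns
    return any(dns_name_matches(name, hostname) for name in candidates)


def explain_mismatch(cert: Dict, hostname: str) -> str:
    """One diagnostic line for the STRUST/SMICM operator."""
    sans, cns = certificate_names(cert)
    if cert_covers_host(cert, hostname):
        return f"OK: certificate covers {hostname}"
    return (f"MISMATCH: {hostname} not in SAN {sans} (CN {cns}); "
            f"the target host shown in STRUST will differ from the URL")


def fetch_peer_cert(hostname: str, port: int = 443) -> Dict:
    """Retrieve the live certificate as a getpeercert() dict (needs network).
    Chain validation stays on; only the host name comparison is done above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we report the mismatch details ourselves
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_EV_CERT):
        print(explain_mismatch(cert, "ws.example.com"))
```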

Need to give REVOKE CLOSE option in CO02 only for selective users


Hello,

 

Need to restrict the Revoke Close option in Tcode CO02 (under Functions - Restrict Processing - Revoke Close) through role/object level. Can anyone suggest how to control this? Need to give access to CO02 for 5 users, but only 2 users should be able to do the Revoke Close option; the other 3 users should not be able to do this activity.

 

 

BR,

 

Murali

End data Roles doesn't work


Hi gurus,

 

We have some users that have functions whose validity date has expired (these functions belong to the production environment). However, even if the functions are outdated, the user is still having access to the authorization objects that belong to these outdated functions.

 

I already deleted the PRD system from CUA and assigned it again.

 

When I create a copy of the original user, the validity date of the function works.

 

Can anyone help me please?

 

thanks!!!

 

Cleiton Folster Eli.

Why was the blog "Using metasploit to Search for vulnerable SAP Systems" removed


Hi all,


 

recently there was a blog post by Lars Fasel on using metasploit to search for vulnerable SAP systems on the internet. However, this blog post has been removed, most likely by a moderator.
For me it's not clear why this has happened. There was no disclosure of a 0-day vulnerability. Instead, the blog highlighted how common it is to mistakenly expose services of an SAP system on the internet. In my opinion this kind of information should be widely available so administrators can take the necessary steps to solve these security issues. Or even better, be aware of them and not make the mistake in the first place. However, instead of publishing this information it is removed from SCN. This feels like trying to establish some security by obscurity, which clearly doesn't work!


Any other opinions on this? Am I totally wrong with my interpretation?


Best,

Christian


 

Pay Update restriction


Hello,

I have the following requirements:

1- A user should not be able to update their own information.

2- The same user should not be able to display the payroll info for each person in their department.

I have tried P_PERNR with the following values:

AUTHC = R, M; PSIGN = I; INFTY = *; SUBTY = *

AUTHC = W, S, D, E; PSIGN = E; INFTY = 0008; SUBTY = *

with no luck.

Thanks for your help,

Osama Khalifa

HTTPS Webservice Consumer Proxy - SSL Error


Hello all !

 

I'm encountering an issue while testing the connection to an HTTPS web service.

Considering that HTTPS and SSL have been installed correctly in our SAP system and HTTPS is activated (green flag in SMICM),

 

I have done the following things :

 

1) I have configured a logical port in SOAMANAGER

Within the Consumer Security TAB (X.509 SSL Client PSE)

I put DFAULT value in the SSL Client PSE (STRUST)

the authentication method is sapsp:HTTPX509

 

In the transport settings Port is 443 (port of HTTPS is configured differently in our SAP system)

 

2) In transaction STRUST I added the certificate of my web service (imported from Firefox).

In the SSL client (Standard) there is an own certificate, self-signed by SAP Trust Community for my SAP instance.

There I imported my certificate from the web service I need to reach and added it to the certificate list.

 

3)When I ping my WebService,

 

I receive the following Log in SMICM ==> (Trace Level 3)

 

[Thr 1286]   SSL NI-sock: local=xxx  peer=xxxx:443

[Thr 1286] <<- SapSSLSetNiHdl(sssl_hdl=116c58850, ni_hdl=129)==SAP_O_K

[Thr 1286] ->> SapSSLSetSessionCredential(sssl_hdl=116c58850, &cred_name=116c58810)

[Thr 1286]   SapISSLComposeFilename(): Filename = "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286]   SecudeSSL_SetSessionCred(): request for default client credentials

[Thr 1286] <<- SapSSLSetSessionCredential(sssl_hdl=116c58850)==SAP_O_K

[Thr 1286]      in: cred_name = "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286] IcmConnInitClientSSL: using pse /usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse, show client certificate if available

[Thr 1286] ->> SapSSLSetTargetHostname(sssl_hdl=116c58850, &hostname=116c587d0)

[Thr 1286] <<- SapSSLSetTargetHostname(sssl_hdl=116c58850)==SAP_O_K

[Thr 1286]      in: hostname = "www.XXX.xx" (hostname of my webservice)

[Thr 1286] ->> SapSSLSessionStart(sssl_hdl=116c58850)

[Thr 1286]   SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 1286] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST

[Thr 1286]    session uses PSE file "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286] No Secude Error present in trace stack!

[Thr 1286]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 1286]   No certificate request received from Server

[Thr 1286] <<- ERROR: SapSSLSessionStart(sssl_hdl=116c58850)==SSSLERR_SSL_CONNECT

[Thr 1286] ->> SapSSLErrorName(rc=-57)

[Thr 1286] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 1286] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010077} [icxxconn_mt.c 1989]

[Thr 1286] ->> SapSSLSessionDone(&sssl_hdl=1107eebd8)

[Thr 1286] <<- SapSSLSessionDone()==SAP_O_K

[Thr 1286]      in: sssl_hdl   = 116c58850

[Thr 1286]          ... ni_hdl = 129

 

 

Could you tell me what's wrong ? or what I'm missing ?

Is the certificate I added wrong? Is it a server certificate when you import it from Firefox yourself? Or do I need to ask for a "Client Certificate"?

Do they need to sign anything?

 

I'm a bit lost...

 

 

Many Thanks !!!

 

Kr,

Jonathan,


Customising in locked client.


Hi people,

 

I'm having some issues when it comes to locked clients. I recently created a Roadmap for a new project in SOLMAN PRD.

 

I first used RMAUTH to create the project (when the client was open, since it's not in production yet) and then assigned a roadmap through SOLAR_PROJECT_ADMIN, and I didn't add any Variant or Roles; at this point you're able to view the project in RMMAIN.

 

I've been trying to edit other projects and it seems that the client is now locked, since it shows a warning about it, but when I try to do some customising on that new project I can actually add nodes or subnodes with the locked client.

 

So my question is: is there any way we can customize a project or roadmap with locked clients? There is some small customising that won't really need a transport at all; what does SAP suggest? Is there something wrong with my project, because I can add and delete nodes from RMAUTH without any transport?

 

 

Thank you for the advice.

S_USER_GRP showing in SU53 in non security related transactions


Hi All,

 

In a number of different Basis Release 7 systems, I have come across many cases where users are getting auth errors, and when they send me the SU53 it shows S_USER_GRP with activity 05 (Lock) missing for the user group of the user that experiences the problem.

 

In nearly all cases, the error cannot be addressed without assigning this object and values even though the transaction(s) in question has nothing what so ever to do with any security related transactions.

 

Has any one come across this before and found out the underlying reason why?

 

I suspect it is something similar to the frequent appearance of object S_CTS_ADMI in SU53s in earlier releases.

 

Thanks,

Mark

SAP user assigned with roles from HR-ORG incorrectly


Hi All

I have an issue where an SAP user appears to be receiving role assignments from some HR-ORG object erroneously.

I have checked the user's HR positions and organisational assignments and they do not have any roles assigned.

I also checked the job and no roles are assigned there as well.

 

Where could these roles be coming from if they are not coming from the position or org unit?

User currently has direct role assignments in SU01 except for 3 roles which appear as indirect assignments (HR assignments) in SU01.

 

Is this a bug, and is there a note to fix it?

 

Please could someone let me know why this is happening.

 

Thanks

Ran

Maximum no. of Profiles exceeded and not working even after deleting roles from User


Hi Everyone,

 

I have a similar issue: the maximum no. of profiles is exceeded for a user for a child system (the user is created in the CUA system), and when I am deleting the roles from the user for the child system from the CUA system, I am able to delete the roles. But the issue is, I am not able to see the changes being reflected for that user in the child system. IDocs in the SCUL Tcode are again showing "Maximum number of profiles for user exceeded".

 

What can be done to resolve this?

 

Regards,

Shruti

Merge menus of two or more composite roles


Hello everybody,

 

I am currently redesigning the authorization concept in our company and have encountered some difficulties with the composite roles. The idea was to create a composite role for each workplace and then assign this composite role to the user.

Now, it turns out that in the accounting department people are assigned to more than one workplace so that they need to have more than one composite role.

 

Example:

Workplace 1: Accounts Payable for company A

Workplace 2: Accounts Payable for company B

 

(I cannot put these two in one composite role, as another accountant may be responsible for company A and C).

 

According to our new concept, the composite roles of workplace 1 and 2 have the same single roles, except with different authorization values on the company code level. Therefore, both composite roles have the same user menus.

If I assign those two composite roles to one user, he will see the same folders twice (or even more times, if more composite roles are assigned).

 

Is there any way to merge these two menus? Could the parameter CONDENSE_MENU in the table SSM_CUST help? Though I am a little concerned regarding the performance since the menus are quite big.

 

Does anybody have any suggestions or experiences?

 

Regards,

 

Silvia Schroeder
