Channel: SCN : Unanswered Discussions - Security

Strust tcode asks for a System PSE password


Hi all,

 

Every time I issue the strust transaction, I get a pop-up window to write the System PSE password.

I know this password and when I write this password, I get the strust screen.

 

My question is: how can I save this password so that every time I issue the strust transaction code, it does not ask me for the password?

 

I know that inside the strust transaction there is a button to set the password, but I'm not sure if this will solve the problem. It asks me for the old password and a new one, but I think that the old pwd is the same as the new one, so if this was the issue, it will not ask me for the password.

 

Thanks in advance!

 

Br,

 

Jim


BOM change from master recipe


Hello,

 

I would like to restrict BOM change from recipe.

I did all the steps below but it is not working; please suggest options as far as security is concerned.

 

  • Configuration change of message 29  358 – change from Error to Warning when BOM change is attempted.
  • Made BOM changes via a Change Number mandatory – remove authorization object C_STUE_NOH from roles
  • Add transactions CC01/2 to Data maintenance roles to enable change master creation (see  roles in  App B)
  • Remove BOM create and change authorization from users with C202 but not CS02 access – remove authorization object C_STUE_BER ACTVT 1 & 2. Comment: When we made this change it does not allow to change even master recipe.

 

 

Requirement: I would like to restrict BOM change from master recipe, but the BOM should be in display mode.

 

Please suggest.

RFC failing with SNC enabled option


Hello Experts,

 

RFC from CRM --> ERP is failing when I enable SNC; the error is indicated below:

 

"Connection closed(no data)" -

 

After exchanging the certificates I get a different error:

"When executing a remote function call , an error occured"

 

I checked the dev_rfc but no information.

 

The steps I carried out are as follows:

 

  1. SNC name of ERP in CRM RFC.
  2. SNC name of CRM in ERP in SNC0 (Tx).

 

Please let me know if I am missing something.

 

Thanks
Dev

How to lock custom authorization obj?


I have a custom auth object which is assigned to a few roles. What are the ways to restrict access to this custom auth object without removing it from roles? I can't delete the auth object as I need to do this restriction for a few days only. Do we have an option to lock an auth obj anywhere?

SNC name for AD sub domain users


Hi Experts,

 

We'd like to use SAPGUI SSO with Kerberos.

ERP is installed under AD root domain (ROOT.COM) in the forest.

Users belong to AD sub domain (SUBDOM.COM) in the same forest.

 

ERP is installed under ROOT.COM, service user is SAPService<SID>@ROOT.COM.

SNC name in user profile (SU01) is p:testuser@SUBDOM.COM

SAP Logon entry for SSO has SNC name, p:SAPService<SID>@ROOT.COM.

 

When the user tries to log on via the entry for SSO, the error message "No user exists with SNC name "p:testuser@SUBDOM.COM"" appears.

I guess user's SNC name should be changed but I couldn't find what should be changed.

 

Kindly advise what setting is missing in our environment.

 

best regards,

Megumi

SSL server certificate Query


Hello Experts

 

I need to know whether the SSL client certificate is based on the SSL server certificate.

 

Below is a scenario for this.

 

  1. We have an SSL server certificate from a well-known CA authority.
  2. We need to create an SSL client certificate for the ADS configuration.
  3. Now, in order to be secure enough, we need to know whether this certificate will be based on the SSL server certificate which we have acquired from the trusted CA.
  4. If not, then what should be done in order to get a trusted SSL client certificate, or is the system's (ABAP) own certificate enough for this task?

 

Regards

Prateek

SSL configuration between SAP PI and third-party Tomcat application not working


Hi Experts,

 

We are configuring SSL between SAP PI 7.1 and a third-party application based on Tomcat. Both are in the same domain.

 

The communication between SAP PI and Tomcat is happening through a communication channel.

 

My query is

  • Can we use self-signed certificate exchange between both applications?
  • We tried with a self-signed certificate: we imported the SSL server certificate from STRUST PI into the Tomcat application and also imported the public key of view from NWA and the Tomcat certificate to STRUST and NWA.
  • Using the self-signed certificate, the Tomcat application is giving the error:

     senderChannel '4bb4bae47bfa34db85ce289daae33f4d': Catching exception calling messaging system; nested exception is:

     com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error transmitting the message over HTTP. Reason:      java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by      ChainVerifier"

  • When we use the SAP-signed public key (valid for 8 weeks only) and SAP server CA, the scenario is working fine.

Can you please suggest which method we should go with, either self-signed or CA certificate?

Also, which certificate should we import in Tomcat: the one from STRUST or the one from NWA?

 

Thanks in advance

 

Regards,

Aditya

eCATT script for updating Org Values for derived roles


Hello Gurus

 

I have built the eCATT scripts for mass role and user creation, but when it comes to updating ORG Values for the derived roles I am getting stuck, as I need to update ORG Values for around 2000 roles. Can someone please throw some light on how to get it done?

 

Thanks

Maltesh J


How to find all authorization checks in custom FM


Hi Guys,

We are on ECC 6.0 EHP4 and we need to review the roles assigned to some users, especially those used for RFC connections (in fact they have SAP_ALL, even though they are defined as communication users and not as dialog users).

Our problem is that these RFC users launch numerous custom function modules (FM) which call other (standard and custom) functions/BAPIs. In order to create a specific authorization role we have to know which authority checks are inserted in all FMs.

Can you please give us some help on this problem?

Thanks

Bob  

User Comparison Showing Red in spite of running PFUD


Hello Experts,

 

I am facing a strange situation where all roles in the BW 7.3 production box are showing with the status "Yellow". When I run "pfcg_time_dependency", the status is still the same, both in foreground and background. I am afraid somebody must have transported the Assignment and Personalization data. I have had a look at http://scn.sap.com/thread/3168913 but am unable to get the right fix.

 

Is there a solution for the bug in my system? It would be good to know. I am afraid that if the role status is yellow, users will not have the most current status of the profile in their user master.

 

Reg,

Anthony

Java Security Warning


Hi,

 

After installing java7u21 I am faced with a Java pop-up every time I log in to the PDM system and access Portfolio and Project Management (PPM) --> open a project and switch to "Graphic". If I choose "I accept the risk and want to run this app" and "Do not show this again for this app", no matter how many I open after that, this pop-up won't appear until the next logon to the system.

What kind of certificates do I need to solve this problem, and what are the steps for creating the certificate for this?

 


 

Thanks,

 

Dacian M

VF03 and K_PCA no authorisation. Trace file return code = 4


Hi

 

We are currently on EHP6 with SP5. We are trying to secure transaction VF03 to only allow users to view billing documents from a particular Profit Centre Group using object K_PCA.

 

The object K_PCA is set to CHECK in SU24 and when we run a trace the return code = 4. The user should therefore not be able to see the billing document.

In this case the function module is ignoring the RC = 4 and the user is able to view all billing documents.

 

The security role contains the following in RESPAREA.

 

Actions for CO-OM Authorizatio *

Cost Element                   *

CO-OM Responsibility Area      PHSCGBR499999

 

The Authority Check is held in function module COTB_AUTHORITY_CHECK_GENERAL

 

 

User Trace Below...

 

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB450013;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB350005;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB250000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB150000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBGB;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB350005;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB250000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB150000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBGB;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB250000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB150000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBGB;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGB150000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBGB;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBGB;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBR403216;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBR350001;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBR203200;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBR150000;KSTAR= ;

K_PCA      RC=4  CO_ACTION=0000;RESPAREA=PHSCGBZGBRESP;KSTAR= ;

Auth on MR21 per plant


Dear Colleagues,

 

 

I need to suppress MR21 per plant. Are there any standard solutions to do this?

 

 

 

 

 

Regards,

 

 

Harry

Problem in Optimising the use of K_PCA for Profit Center Restriction


Hi,

 

We are currently working on ECC EHP6. I have started working on the security part recently and therefore need help.

 

We have a scenario where, for one transaction/set of transactions, a user should be restricted to one profit center, and for another transaction/set of transactions he should be allowed multiple profit centers, including the profit center used in the first case.

 

The sets of transactions in the two scenarios will not contain any common t-codes.

 

For testing purposes, I created a role, say R1, assigned t-code F-02 and under the K_PCA object assigned P1 as the allowed profit center. Then I created a role R2, assigned t-code FB50 and under the K_PCA object assigned P2 & P3 as the allowed profit centers. Then I assigned both these roles to a user TEST1.

 

 

The problem arises when I log in as user TEST1 and execute transaction F-02: it allows me to work on all 3 profit centers P1, P2 & P3. The same is the case when I use transaction FB50.

 

As I am not finding a way to implement the restriction as mentioned above, I am not able to implement the bigger picture mentioned in the 2nd paragraph.

 

Regards,

Hrishav

Issue in SAP Security PFCG Merge option


Hi All,

 

I am facing an issue with the "Read old Data and merge with new Data" option in PFCG. The issue is described below.

 

I have created a role in which I added the t-code SU01, and this t-code has the below authorization default values maintained for the object S_USER_SAS.

 

S_USER_SAS < Standard new>

ACT_GROUP: < EMPTY >

ACTVT : 01,06,022

Class: ABC

Profile: < EMPTY >

Subsystem : < Empty >

 

This particular object has been added into my newly created role and I have maintained this object as below.

 

S_USER_SAS < maintained new >

ACT_GROUP: Z_SD_TEST

ACTVT : 01,06,022

Class: ABC

Profile: *

Subsystem : *

 

After that I added the t-code SU10, and this t-code has the below authorization default values for S_USER_SAS.

S_USER_SAS

ACT_GROUP: < EMPTY > <Standard new >

ACTVT : 01,06,022

Class: Super

Profile: < EMPTY >

Subsystem : < Empty >

 

So the above object has been added into my role and I have maintained the object as below.

S_USER_SAS < maintained new >

ACT_GROUP: Z_MM_TEST

ACTVT : 01,06,022

Class: Super

Profile: *

Subsystem : *

 

Finally, below are the objects which are in my role.

S_USER_SAS<Maintained >--SU10              S_USER_SAS <Maintained>-----SU01

ACT_GROUP: Z_SD_TEST                          ACT_GROUP : Z_MM_TEST

ACTVT : 01,06,022                                      ACTVT : 01,06,22

Class: Super                                              Class: ABC

Profile: *                                                     Profile : *

Subsystem : *                                            Subsytem: *

 

Now when I remove the t-code SU01, the maintained authorization S_USER_SAS which is coming from SU01 is not getting removed; rather, it is showing me the status as below.

 

S_USER_SAS <maintained New>                        S_USER_SYS  < Maintained Old >

Act_Group: Z_MM_TEST                                      Act_Group:Z_SD_TEST         

ACTVT:01,06,22                                                  Actvt: 01,06,22

Class:ABC                                                          Class: Super

Profile : *                                                             Profile: *

Subsystem:*                                                       Sub System: *

 

Could you please let me know why, even after I delete the t-code SU01 from the role menu, the maintained authorization caused by that transaction's authorization default values, which has to be removed, is not removed?

 

Thanks and Regards,

Nagarjuna Srivatsa.


How to skip authority check tcode XK01, XK02


Hi guys,

I'm facing an issue related to the authority check on t-codes as below; please give me a suggestion:

 

Requirement from my customer:

One user does not have authority on t-codes XK01, XK02 but can update data through a Z program (using BDC to call transactions XK01, XK02).

 

I have created the BDC completely, but when executing, the system shows an error message about authority.

Please suggest a user exit or workaround to skip this authority check step.

 

Best regards,

DucTV.

UD not possible, But the UD change field is updated which should not happen


Hi Experts,

 

Could you please help with the query below?

 

As per the business, we have restricted UD creation (through transaction QA11) access in a role. We have restricted field value L in the authorization object Q_UD_CODE. Now, as expected, the user is unable to perform UD, but the UD change field is being updated with the user name, which should not happen.

 

When the user tries to change the UD or create the UD, it gives an authorization error. But the UsgDec.Changed by field is being updated with the user name.

 

Could anyone please help me with how we can stop the UsgDec.Changed by field from being updated with the user name? Do we need to restrict any object field value?

 

Kind Regards,

Krishna Mohan Panchangam

Trust relationship between more SAP Systems


Hi SAP Specialists,

 

I configured a trust relationship between several SAP systems. I have the problem that for some systems the trust is not working because the SAPSYS.PSE is not readable.

 

Trust between SAP NetWeaver AS ABAP 7.31 (let's say system ABC) and SAP SOLUTION MANAGER 7.1 (system DEF) is working fine, but when I try to connect, for example, a SAP ECC 6.0 (system GHI) to ABC, I receive an error message at the SSO2 test.

 

First, when I execute the transaction SSO2 in the GHI system I get a pop-up error saying Internal Error. I confirm the error and receive the usual window with the checks made by the SSO2 transaction. See also the attached print screen.

I checked the RFC connections; they are all working, and the authorisation test is also working fine in both directions.

You can see in the attached print screen that the SAPSYS.PSE file cannot be read.

 

Does anybody know why?

 

Kind Regards,

Andrei Stefanescu

Problem in changing vehicle status through IQ02


Hi All,

Please advise me on the issue below.

Business users can block a vehicle for some internal purpose through IQ02.

The system checks authorization objects B_USERST_T and B_USERSTAT while setting the vehicle status.

Even though a vehicle is blocked by users of one department (marketing), it is possible for users of a different department (quality) to change the status to another.

And there are some other cases like this happening as well.

 

Now the user is complaining that, as it is blocked by their department, it should not be blocked to some other status by a different department.

 

Kindly help in resolving the above issue.

How to search authorization objects by field?


A developer wrote a custom report. It uses some fields that are sensitive. I tell the developer he must write AUTHORITY-CHECK into the code and then he asks me "ok... I will do that, but which authorization objects should I check?". Well, both of us don't know how to find auth objects containing certain fields.

 

The best I can think of is searching the USOBT table. If no match, search the USOBT_C table. Then if no match, conclude that no existing auth objects use that field. But is there a better way? Maybe SE80 or some workbench tools?

 

Basically how do ABAP developers know which authorization objects need to be checked in a custom program/report?
