We don't give auditors access to our systems...
Re: Unpersonalized users
What is the point of training these users if, after the four weeks are up, they will never touch SAP again? I do get the concern about the churn created by constantly creating and then invalidating accounts every four weeks. Seems like something IdM could help with, but I haven't used that tool so wouldn't know for sure.
Re: Unpersonalized users
My current organization does not give external auditors access to the systems, so we have to pull the data for them. At my previous customer organization, external auditors, like everyone else who wanted an SAP account, were required to have HR records, and the auditor role was assigned to the audit org unit.
Shared IDs for *auditors*? <smh> They better hope no auditor like me comes along one of these years.
Gretchen
Re: Unpersonalized users
Wise!
We are audited by the State annually, and in the fourteen years I have been with my current employer, managing our SAP system, only once has a State auditor asked for direct access to the system. Every other year they just ask for reports or extracts from it and are happy to let us provide them. Actually, most years the auditors don't even talk to IT; Finance deals with them and it is Finance that asks us for the extracts and reports. We have had a couple years, though, where the auditors wanted to look at things like the history of all transports to production in the course of a given year, and then they picked two (seemingly at random) and asked for the documented approval chain for them.
A few years ago our internal auditor asked for access, and so we do have an auditor role for that. However, as that person is an employee, they would have an account anyway for ESS purposes, so it was just a matter of adding the additional role.
Re: Check which authentication method a user has used
I assume you can't restrict the ICF node to SAML only? The authentication method used is contained in the server object, attribute IF_HTTP_SERVER~AUTHENTICATION_METHOD. The challenge is that it holds the last one, e.g. if you authenticate using basic authentication and are then redirected, and the next authentication is with the security session, the attribute will have a value of 10 instead of 1.
Re: Unpersonalized users
The idea is that they (trainee, apprentice) are on a training programme for two to three years and work with most departments (not IT, of course) for a while to get a complete overview of the processes in a company. Most employees did that (me too) at the beginning of their career.
They would use a department trainee user and switch to the next department user when they switch to the next department.
Re: Unpersonalized users
Normally I make auditors sit with me and extract the data, to stop them pulling tables and data without the context. It's frustrating, as once they put a risk in a report that is invalid, it takes a lot of effort and grief to explain why their assessment is wrong or that there is a control in place already.
But then I worked on a few government systems, and the internal auditors had legislation or frameworks that gave them the right to access all data. It's amusing when they demand a generic user to use in their team, which contradicts a heap of items they would mark as a violation for anyone else.
Like Gretchen, I would be concerned with an external auditor supporting a shared account with modify access. An XLS spreadsheet to track it probably would not stand up in court to prove who had access and, if fraud occurred, to identify which person of the group had access. Possibly a password change each time might reduce it, but I suspect the team leader would track the password.
Does the system have SSO in place as well?
Re: Unpersonalized users
It seems to me that it would be easier, then, to still assign them their own named user accounts, which follow them for the duration of their stay at the company. Just switch the role assignments as appropriate as they change departments for their apprenticeship.
Re: Possibility to allow only digit based passwords in NetWeaver ABAP
Hi,
Why do you want to restrict it to numbers only? Is it for mobile apps? You can allow passwords with only digits, but why would you disable other characters?
Cheers
Role description change
Hey all,
I have a question for all of you here: I want to make changes to the description of a master role and further to the derived roles. Is there a shortcut where I can update the description in the master role and have it updated in all the derived roles?
Thanks
Gagan
Need to know regarding Authorization object S_PROGNAM
Hi Experts,
During the upgrade we found that the switchable authorization object S_PROGNAM is being checked in BW when trying to activate a data source through SE38. However, we have not found any transaction in SU22 that is tied to this authorization object.
My question is: for which transaction does authorization object S_PROGNAM need to be checked and maintained?
Also, will this authorization object S_PROGNAM also be needed in ECC, and does it need to be checked and maintained for any transaction there?
Thanks
Somnath
LX16 Restriction to Specific Warehouse Numbers
Hi Experts,
Currently I am facing a weird situation in restricting the transaction LX16 for one client. The basic scenario is:
1) The user wants to execute LX16 for only specified warehouse numbers/plants.
2) The same user should have access to see the inventory for all warehouse numbers/plants.
In both scenarios, from ST01, I noticed that auth object L_LGNUM is being checked. I have created two roles here:
Role 1 - Gives access to LX16 and restricts L_LGNUM to the specific WH number
Role 2 - Gives access to other WH display transactions like LS03N with L_LGNUM as '*'
As per the basic security concept, the display role is overriding Role 1 and the user is able to execute LX16 for other WH numbers as well.
Any idea how we can restrict the access? Your help is highly appreciated.
Thanks,
Krish
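Why the two roles do not isolate each other, as an added illustration that is not code from the thread or from SAP: an ABAP AUTHORITY-CHECK succeeds if any single authorization in the user's buffer matches every checked field, and the buffer is the union of the authorizations of all assigned roles. The model below reproduces that rule. The warehouse numbers, the role names and the assumption that LX16 and LS03N both check L_LGNUM with the same ACTVT are constructed; the last function shows what would happen if LX16 checked a different activity (also an assumption, used only to demonstrate the separation).

```python
"""Model of SAP authorization merging across roles (added example, not SAP code).

Rule reproduced: for an object check, every requested field must be matched by
ONE authorization; the user's authorizations for the object are the union of all
roles, so any one matching authorization makes the check pass.
"""
from typing import Dict, List

# One authorization for object L_LGNUM: field name -> single value or '*'.
Authorization = Dict[str, str]


def field_matches(granted: str, requested: str) -> bool:
    """'*' grants every value; otherwise exact match (ranges omitted for brevity)."""
    return granted == "*" or granted == requested


def authority_check(auths: List[Authorization], **requested: str) -> bool:
    """True if at least one authorization matches all requested fields (AND within
    an authorization, OR across authorizations)."""
    return any(
        all(field_matches(auth.get(field, ""), value) for field, value in requested.items())
        for auth in auths
    )


def user_buffer(*roles: List[Authorization]) -> List[Authorization]:
    """The user's authorization buffer is the union of all role authorizations."""
    return [auth for role in roles for auth in role]


def matching_auths(auths: List[Authorization], **requested: str) -> List[Authorization]:
    """Which authorizations satisfy the check (useful when reading an ST01 trace)."""
    return [
        auth for auth in auths
        if all(field_matches(auth.get(field, ""), value) for field, value in requested.items())
    ]


# Constructed sample roles. ACTVT '03' for both is an assumption for the demo.
ROLE_1_LX16 = [{"LGNUM": "W01", "ACTVT": "03"}]          # LX16 only for warehouse W01
ROLE_2_DISPLAY = [{"LGNUM": "*", "ACTVT": "03"}]         # LS03N etc. for all warehouses
WAREHOUSES = ["W01", "W02", "W03"]


def warehouses_allowed(*roles: List[Authorization], actvt: str = "03") -> List[str]:
    """Warehouses for which an L_LGNUM check with the given ACTVT succeeds."""
    buffer = user_buffer(*roles)
    return [wh for wh in WAREHOUSES if authority_check(buffer, LGNUM=wh, ACTVT=actvt)]


def lx16_with_separate_activity(actvt_lx16: str) -> List[str]:
    """Hypothetical: if LX16 checked a different ACTVT than the display transactions,
    the '*' display authorization would no longer satisfy the LX16 check."""
    role_1 = [{"LGNUM": "W01", "ACTVT": actvt_lx16}]
    return warehouses_allowed(role_1, ROLE_2_DISPLAY, actvt=actvt_lx16)


if __name__ == "__main__":
    print("Role 1 alone:  ", warehouses_allowed(ROLE_1_LX16))                  # ['W01']
    print("Role 1 + 2:    ", warehouses_allowed(ROLE_1_LX16, ROLE_2_DISPLAY))  # all three
    print("Satisfied by:  ", matching_auths(user_buffer(ROLE_1_LX16, ROLE_2_DISPLAY),
                                            LGNUM="W02", ACTVT="03"))
    print("Separate ACTVT:", lx16_with_separate_activity("16"))                # ['W01']
```

The model shows the limit of what role design can do here: as long as both transactions check L_LGNUM with the same field values, the '*' authorization from the display role satisfies the LX16 check for every warehouse, and no arrangement of the two roles changes that. Only a check that distinguishes the two uses (a different ACTVT, a different object, or a check added in the transaction) can separate them.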
Re: Need to know regarding Authorization object S_PROGNAM
Hi
That object is part of a reinforced control on submitted programs.
The S_PROGRAM authorization check only took place if the program was assigned to an authorization group.
1946079 - Initial Authorization Check in Function SUBMIT_REPORT
The programmatic submit of reports is secured by the authorization group the report is assigned to. If the authorization group is empty, the report may be executed without an initial authorization check.
With this note we provide the following functional improvements:
- New authorization and API provided by class CL_SABE, method AUTH_CHECK_PROGNAM. In detail the API wraps the following functionality:
- Authorization object S_PROGNAM to be used as a switchable authorization.
- Authorization scenario BC_GENERIC_REPORT_START.
- The change in function SUBMIT_REPORT to invoke CL_SABE and as such provide an initial authorization check in case the check is turned on.
Regards
Re: Need to know regarding Authorization object S_PROGNAM
Hi Expert,
Could you please let me know how to check whether a report is secured by an authorization group or whether it has an empty authorization group?
Re: Need to know regarding Authorization object S_PROGNAM
Dear all,
There were some complaints about this thread, as Somnath has not done enough research of his own and expects others to do it. OK, normally this would be moderated, but this special case is very new and does have discussion value for others about how SAP in future introduces optional authority checks or activates recommended checks without intruding on the existing authorization concept directly.
There is a big difference between S_PROGRAM and S_PROGNAM.
The real big difference is not the distinction between program groups (if maintained, which is a very blunt concept) but rather program names (which is always known).
To activate this concept you need to actively enable it for the application, but that only works for applications which support it.
This is controlled via the SACF ( SAP Authorization Control Framework) (for optional activation of checks).
Basically, if an authorization control is "retrofitted", then it is only checked in the coding if the customer actively enables it and the scenario supports it.
This is primarily used by the SAP Security Notes mechanism when these security notes don't eliminate functionality but rather introduce missing authority checks to control the use of the functionality.
You can control this in transaction SACF as of 7.40 (backporting to earlier releases is difficult to implement, IMO, so rather upgrade if you want to use it).
Upgrade to EhP7 works quite smoothly at the moment with the latest kernels to accompany it.
Cheers,
Julius
Re: Communication vs. System User Types
When I read your answers I feel like I hardly know anything in SAP security.
Re: Communication vs. System User Types
Well... you used the search (winner) and now you know this (another winner), so you will be fine.. :-)
Re: Could not validate SPNEGO token.java.lang.Exception: Checksum error.
The wizard configuration can be handled via a keytab file; if you don't have a keytab file, then you have to supply all the values manually in the SPNEGO wizard.
You can also check with the klist command in CMD to see whether you are getting a ticket for the server where you have configured SPNEGO:
klist
klist purge - to clear out all the issued tickets.
Thanks,
Kamal
SSF signature using SHA1 and digital certificate
Hello
Could you assist me? I have a requirement to sign data in an internal table using a certificate and then append the detached signature to a file which is to be sent to the bank. I have managed to import the certificate and I am signing using SSF_KRN_SIGN; however, the bank says the digital signature being produced is too long: it is supposed to be 128 characters. We are using the SHA1 algorithm, BTW.
Regards
Florence