Thanks Martin. I've got a similar article. It may be useful to others too. https://scn.sap.com/thread/1317802
Re: Restrict user login on multiple terminals
Re: Authorization concept migration from SAP HCM to Success factors Employee Central
Hi Jasraj,
What we did for access to Employee Profile was map certain roles in our HR system individually to SF roles. These SF roles are passed in our core data file in the custom06 field into EP.
There are usually certain roles specific to certain groups which can be mapped.
Does this help?
Determining Proper Authority Checks for Custom Transactions
Hi Folks
I have a requirement to create a role for access to a custom report. How can I determine which authority checks I need to tell the developer to include in the code? S_TCODE, S_PROGRAM, S_TABU_NAM seem like the minimum but I am not sure how I would know if anything is missing. Any suggestions are greatly appreciated!
Re: Determining Proper Authority Checks for Custom Transactions
Hi Akshay,
The authorisation checks that you build into the new reports should be based on the requirements for possible data access restrictions and/or ensuring secure controls to specific data that is being viewed in that report. A high level example might be if the report is showing information that would be found in a financial document then the user should have the appropriate authorisations to view those accounting documents. If they should only be able to see accounting documents for company code 1000 then you can include an authority check for the authorisation object F_BKPF_BUK and restrict the access within the roles to the necessary company codes.
A good place to start might be to look at the authorisation checks that are proposed for similar transactions. You can check these proposals through SU24 and also add them to your custom transactions with predefined values where necessary.
Re: Determining Proper Authority Checks for Custom Transactions
Hi,
I agree with Patrick. However, I would also like to mention that you had better not use the basic authorizations you mention (S_TABU_NAM and S_PROGRAM). These basic authorizations should not be used in functional authorization restrictions. (I assume the newly created report is functional.)
Looking at the report itself can also give you clues on which org level you want it to be restricted.
I hope this helps!
Re: Determining Proper Authority Checks for Custom Transactions
Akshay Shah wrote:
S_TCODE, S_PROGRAM, S_TABU_NAM seem like the minimum
Actually none of these are good candidates for a report type of custom code.
- S_TCODE will be checked by SAP in the kernel when the tcode which starts the report is executed by the user.
- S_PROGRAM is automatically checked IF the report is assigned to a program group. But that is much the same as the tcode start authorization and is more of a pain than anything else...
- S_TABU_NAM should only be checked if the report can browse or change customizing tables. That is unlikely, but even then you should call the API FM VIEW_AUTHORITY_CHECK and not directly check S_TABU_NAM.
I have a "little" tool which we built for our own developments and some customer projects. If you paste your code here or tell me which application data the report is working with, then I can tell you which objects and APIs to call.
Cheers,
Julius
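Added example, not posted by anyone in this thread: a sketch of the pattern the replies above describe, with no S_TCODE, S_PROGRAM or S_TABU_NAM check in the report and a business-object check on F_BKPF_BUK per company code instead. The report name ZFI_DOC_LIST, the selection field and the output columns are hypothetical; the empty-range guard matters because an empty range in a WHERE ... IN clause selects every row.

```abap
REPORT zfi_doc_list.
* Hypothetical custom report listing accounting document headers (BKPF).
* S_TCODE is not checked here: the kernel checks it at transaction start.

TABLES bkpf.
SELECT-OPTIONS s_bukrs FOR bkpf-bukrs.

DATA: lt_t001  TYPE STANDARD TABLE OF t001,
      ls_t001  TYPE t001,
      lr_bukrs TYPE RANGE OF bukrs,
      ls_bukrs LIKE LINE OF lr_bukrs,
      lt_bkpf  TYPE STANDARD TABLE OF bkpf,
      ls_bkpf  TYPE bkpf.

START-OF-SELECTION.
* Resolve the selection into concrete company codes.
  SELECT * FROM t001 INTO TABLE lt_t001 WHERE bukrs IN s_bukrs.

* Keep only company codes the user may display (ACTVT 03).
  LOOP AT lt_t001 INTO ls_t001.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD ls_t001-bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      ls_bukrs-sign   = 'I'.
      ls_bukrs-option = 'EQ'.
      ls_bukrs-low    = ls_t001-bukrs.
      APPEND ls_bukrs TO lr_bukrs.
    ENDIF.
  ENDLOOP.

* An empty range would match all rows, so stop instead of selecting.
  IF lr_bukrs IS INITIAL.
    MESSAGE 'No display authorization for the selected company codes'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Read only the authorized company codes.
  SELECT * FROM bkpf INTO TABLE lt_bkpf
    WHERE bukrs IN lr_bukrs.

  LOOP AT lt_bkpf INTO ls_bkpf.
    WRITE: / ls_bkpf-bukrs, ls_bkpf-belnr, ls_bkpf-gjahr.
  ENDLOOP.
```

With a role that grants F_BKPF_BUK only for company code 1000, a user who selects all company codes gets documents for 1000 alone.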
Re: Program for tracking and reporting self role assignments and changes to roles
Hi Pavan,
I found a standard report RSUSR100 which will report profile assignments.
Is there any such report which can be used to track role assignments (apart from CDHDR and CDPOS), and also for tracking any changes done to roles through PFCG?
Thanks,
Karthik
Re: Program for tracking and reporting self role assignments and changes to roles
Hi Shingley
RSSCD100_PFCG
Please go through the post below; it may be helpful to you.
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/90/c3e45b841f214ca32fcc17f7eb059e/content.htm
Re: Program for tracking and reporting self role assignments and changes to roles
Hi Deepak,
I just want to develop a custom program with all these features just for automatic report generation and send it to Audit via mail as an attachment, so that the manual process is reduced.
Do you have any idea about the tables involved for these activities?
Thanks,
Shingley
Re: Program for tracking and reporting self role assignments and changes to roles
Hi Shingley
Is your issue sorted out?
Or are you still looking for anything specific?
Cheers
Pavan M
Re: Program for tracking and reporting self role assignments and changes to roles
Within SUIM you can find the helpful reports -> change documents by user/role/profile...
SU01 User copy issue after Upgrade to ECC 6
Hi All,
Recently we have upgraded our SAP system from 4.6C to ECC 6(EHP 6). After the upgrade, when we are trying to copy any new user ID from an existing user ID through SU01, the roles that are preassigned to the existing user are not getting copied to the new user.
All the Indirect role assignments are not getting copied. There are no issues with the roles that are manually assigned to the user. For example if a user has 3 direct role assignments and 5 indirect role assignments and if we are trying to copy a new user from this existing user, only the 3 direct assignment roles are getting copied to the new user. The indirect role assignments are not getting copied.
Whereas the same scenario is working fine in the older version 4.6C. Please let me know what could be the probable reason for this kind of issue.
Thanks in advance.
Regards,
Lakshmi Ganipineni.
Re: LDAP with ABAP System SSO
Hello
Sorry for providing inaccurate information.
I did just check at a customer site configuration.
I've re-read the SAP note and it is clear about it.
Best regards
Re: SU01 User copy issue after Upgrade to ECC 6
Hi Lakshmi
All the Indirect role assignments are not getting copied.
Unless the SU01 account happens to be assigned to the HR structure where the indirect access comes from, doesn't this sound like a good thing?
Regards
Colleen
Re: SU01 User copy issue after Upgrade to ECC 6
Hi,
as Colleen mentioned this seems right. So if user has a valid link to employee record (inforecord 105) then he/she will get all roles based on org. assignment when PFUD is executed next time. If older version was copying indirectly assigned roles then it was wrong. I quickly tried to find a note related to this behavior but I could not find any.
Martin
Re: Validating Archive Link secKey from C#
Hi,
I am also facing the same problem.
Everything seems to be in line with SAP documentation, but the secKey is still not validating properly.
First I compute the hash from the message. The text form of message is similar on both sides of communication (SAP and Content Server). Then the message goes to be signed. It results in PKCS#7 message encoded with base64 sent in secKey by SAP.
On CS side I decode secKey and parse PKCS7 message. I find there messageDigest and the message itself. There is a first confusion: should the messageDigest or the message be the subject for verification? I put both of them to verification and it fails all the time.
Has anyone any ideas what can be wrong in this way?
Where do we find the report on system users now that rsusr0009 is not working anymore
Tried usr003 but that only gives me the system parameters,
I want to check SAP*, DDIC etc. system-wide like before,
what
Re: Where do we find the report on system users now that rsusr0009 is not working anymore
Scroll down........ or pull the parameter pane up...
Re: Where do we find the report on system users now that rsusr0009 is not working anymore
Hi Auke
If you are looking at report RSUSR009, then
report RSUSR009 is now obsolete and has been replaced by report RSUSR008_009_NEW.
Thanks
Vulnerabilities of Samba
We have just had an IT audit carried out on our SAP landscape. A critical rating was raised for Samba software installed on our Unix (AIX 6.1) servers, as the current version of Samba installed on our Unix servers (3.0.3) is out of date and has vulnerabilities which aren't considered acceptable.
We have been recommended to upgrade Samba to the latest stable version (4.0.7).
Our Unix boxes have AIX 6.1 installed with the latest version of Samba software certified by IBM (3.0.4). IBM do not support the latest version of Samba and only ships Samba version 3. Unless we install the latest version of Samba (4.0.7) this status will remain as critical. We use Samba to link our Central Instance (Unix) with Additional Application servers (Windows).
Has anyone experienced the same issues during an IT audit? Can anyone advise us on what steps we can take to resolve the above? Is there any other software that we can use instead of Samba that is certified with SAP?
At the moment our only solution is to firewall the whole SAP Landscape, which is a huge task.
Look forward to your suggestions.
Vickie