Did you license SAMBA via SAP? That is then at most a support case for SAP, but more so for IBM.
I don't see the connection between your problem with IBM support and this here SAP developer network.. ;-)
Cheers,
Julius
Hi Tim,
While starting the production system, the work process goes into ended state.
I found the following error in the work process log:
ERROR -> sncFAcquirecred()==sncerr_gssapi
no crentials found
key table not found
could't acquire accepting credentials
Our PRD is configured for SSO.
Please suggest on this to resolve the issue.
Thanks,
Bharath
Hi,
Does the role have a profile generated?
Is the role a derived role? If it is, is it in sync with the parent/master?
Hi Dodia,
You can find a direct answer to your question from SAP here. Navigate to page 7 and it states:
- SAP gives express notice that the accessing of a system by more
than one person using one and the same named user constitutes
a breach.
- A named user’s password may be passed on to another person
only in exceptional cases (if, for example, the named user is
on vacation or is absent due to sickness, or if the employment
relationship with the named user has been terminated).
Hope this answers your question.
Regards,
Pranaam
Hello Alex,
Yes the Role is generated and I can see the signal as Green as well and even the user compare button is showing the status as green in pfcg but still not getting updated to the user.
Well, we use all kinds of roles but the result is the same.
Regards,
Deepak M
Hi Experts,
Currently we are using standard BAPI "BAPI_MATERIAL_SAVEREPLICA" to build material master. We are facing an issue when security roles come into picture. As of now the accounting view and costing view access is only given to Finance user but the material needs to be created by the inventory person. We have built a custom tcode to look into default data from custom tables and populate in all the views of material master.
Since this BAPI is doing a standard authority check the Inventory user is not able to create the material as he does not have authorization to costing view (code=G) or accounting view.
My question: Is there a way to bypass the standard authorization check by BAPI so that my custom material create program will not check the authorizations of the user and create the part in one go? Do I need to copy the standard BAPI and build a ZBAPI with an input parameter of "NO_AUTHORITY" to avoid any authorization check when creating a material master?
Any suggestions/comments will be appreciated. Thanks in advance.
Alen
if, for example, the named user is on vacation or is absent due to sickness
Woah! I had to go and lie down for a moment when I read that.
That is actually a major problem out in the wild. I had no idea it was acceptable from a licensing perspective. Holiday is not an exceptional situation though and with SSO there is no password anyway.
There are better solutions such as substitution management for this. No reason to break audit trails for who did what in the system.
Cheers,
Julius
Hello Bernhard,
Thank you for the above information, it is really helpful.
I am currently performing an SAP Security upgrade from ECC EHP3 to EHP6 in our Sandbox system.
Below are few of the highlights of SU25 results:
1> Step 2A -> Provided a huge list of output, mentioning below details on the screen:
Applications to be compared: abc
Applications changed with default values: pqr
Applications to be compared manually (2B): xyz
Now, I have never seen SU25 2A output in such a way. Even before this output was displayed on the screen, message appeared at the bottom: Transferring default values (abc of xyz applications compared). Does it say 2A made changes?
2> Step 2B: The output only consisted of custom tcodes, though there were some standard tcodes for which sap proposed was changed in previous release.
Can you please advise me on the above?
Thanks,
Sunny Doshi
Hi,
you can use a workflow trick. There is a RFC destination for workflow that has predefined user WF-BATCH. This user has a traditionally broad authorization. Because you have a custom transaction you can just call that BAPI with specified RFC destination. The only disadvantage of this approach is that change log will contain WF-BATCH instead of actual user who created material. This causes some issues with attribution. Your custom transaction could create additional log but it's not ideal.
Cheers
If you have a local transaction context and not calling the BAPI remotely, then you can set the indicators in SU24 to "no check" in the same way as other normal transactions.
Cheers,
Julius
Yeah, much better solution. Always forget about this.
Cheers
I even face the same error when I don't use FM. The example below is for another profile to the same user
Of the two profiles assigned to the user, one is to display all students and the other is to maintain students in their department. Just to add one more piece of info: earlier the BADI HRBAS00_STRUAUTH was active, but now we have deactivated the BADI.
New Profile
Hi Mohammed,
For sanity's sake, could you trace your actions when maintaining students with user TESTGPC (use transaction STAUTHTRACE).
I would just like to verify whether we are seeing a structural authorization error or whether it's simply 'standard' authorization that's messing with us here.
Also, when you're maintaining the student in your example above and the error message turns up. Is this student's object ID visible in the authorization view at all? (report RHAUTH00 or in t-code HRAUTH).
We have just upgraded our DEV client to EHP7 & Unicode. In doing that I see that some of the buttons in the header of the Performance Assistant are not available now. Therefore, one cannot click on and execute the functionality associated with a given button. For example, our functional consultants often use this button to jump through to the IMG and the applicable configuration point:
Under the impression that access to this button (and others) is controlled via security access. Following that lead, I have set a trace via ST01 to see if I could isolate the perceived security failure, but have not made much progress on isolating the issue.
Can anyone shed some light on the control of access to these buttons? Happy to go and dig further, just soliciting the experts for some direction or thoughts.
Thanks,
Jason
Hello,
Currently we are facing the following issue.
Users are coming through the SAP Portal( 7.01 ), for which UME is the R/3 system( ECC 6 ).
Some of them are getting "Password has expired." as per login/password_expiration_time=30 days. Till this point everything is correct.
However, when they try to change the password, they get "You are not allowed to change the password."
The most surprising thing is..... after getting the above message they are able to log in with the old password.
Can you please help me to find out the root cause?
Thanks & Regards,
Vinay
Hi All,
I have created the test users via a Secatt script and after creation I did not validate the test users' roles. By mistake Secatt has assigned the same role to all the users, which caused the issue.
Thanks for your interest and responses. I am closing this thread.
Regards,
Krishna R
Hi,
we've upgraded our SAP ERP backend from ERP 6.05 on NW7.02 to ERP 6.07 on NW7.4. And we have NW Portal 7.02 connected to it for ESS/MSS scenarios. Since we do not wish to migrate to the new Java based ESS/MSS we have not upgraded the portal to NW7.4
Apparently, from 7.30 onwards the SAP ABAP backend issues an SAP Assertion Ticket even when login/create_sso2_ticket = 0. The problem is that this ticket / cookie is not deleted from the browser (it looks like SAP_SESSIONID_SID_CLNT), so when a user logs off from the portal and logs in as a new user the backend connection is created using the already existing ticket!
Two questions as I can't seem to find the answer yet:
1. how can we prevent the SAP Assertion Ticket from even being created
2. if we can't prevent this, how can we make sure it is deleted during the portal log off (similar to the MYSAPSSO2 ticket/cookie)
Much obliged
Marcel Rabe
Hi Sunny
there are still 3 std tcodes which were changed in previous release with no SAP defaults change in new release; and they did not show up in Step 2B.
They will only appear in Step 2B if both you and SAP made changes to the transaction since the last time you ran SU25.
I shall execute SU25 -> Step 3 (after I finish 2a to 2d); this step will carry complete (and not the only changes made in 2A, 2B) table data USOBX_C + USOBT_C and move to further tiers.
Step 3 is to bundle a transport of SU24. It will transport entire tables. You can complete this after Step 2B if you wish to, as 2A and 2B update SU24. However, you may prefer to finish all of Step 2 in case you manually go to SU24 to make additional changes as you are fixing your roles (i.e. you may find an issue with your own build and choose to rectify it).
Step 3 transports: USOBT_C; USOBX_C; PRGN_STAT; USOBT_TSTMP; and USOBX_TSTMP. The *TSTMP tables in latest release replace the TCODE_MOD and USOB_MOD tables and are used to determine what was updated.
This will help to remove the message from QA/PRD 'If you have already used the Profile Generator in a previous Release,you should use transaction SU25 (steps 2A to 2C) to transfer the new.....'
Yes - as that setting is driven by a value in table PRGN_CUST for STAT_GRP=001 and (STEP_NR= 001 or 002) to see if either entry has the value in field RELEASE as the same value as current system release. If the RELEASE value is less, the message will appear. By transporting the table in Step 3 it clears this issue across all your systems.
So is there a need to move this TR as well or Step 3 is good enough?
My solution: first do with Step 3, if correct changes are available in next tier then do not move 2B TR.
Am not quite sure why custom transaction codes appeared in SU25 - someone else might be able to offer an opinion here. However, running Step 3 just helps you create a transport. It will not change the flag settings in the tables that determine output in any of Step 2. You can come in and run Step 3 whenever you want to retransport all of SU24 across your landscape (tiers)
c. Appreciate if you can share the test phase strategy for this upgrade i.e. regression test with functional team / business performing test for all business scenarios / test cases.
This one is something you will need to discuss with your project on what they believe adequate testing is. You need to look at what roles are impacted and what the change to the access was. At the end of the day how does your site test security?
Regards
Colleen
Hi Deepak
In SU01 - does the profiles tab contain the corresponding generated profile for the role that you did user compare for?
For tables - you can look at the AGR_USERS (for role - ensure the assignments are within validity date); USR04 will have an entry for the user with all profiles assigned; AGR_1016 will give your role to profile mapping; USRBF* is the user buffer; UST04/UST12 will give more profile and user information.
What does it look like for one user when you go into SU56 - if you expand out their authorisations for the object do you see the values? What value do you have for auth/new_buffering (assume 4)?
Is this for a small group of users or for all users? If a small number, do the users have a large number of roles assigned? Is there a chance you have user buffer overflow from too many profiles assigned?
Regards
Colleen