Hi,
the reason why you haven't got answer for your 1st question so far is that it's trivial and it can be easily answered by reading SAP documentation.
For the second question it always depends on situation. If you want to avoid manual work then using groups to manage authorizations for multiple users is a good idea.
Cheers
HI Expert
As a part of Audit I hace cleaned up all Tranaction Code & Authorisation Objects . But I am facing one pecuilare situation . If I add any of the T Code in the existing role many authorisation objects are added to the role .
I am able to figure out the reason
It is because it merge new Data which is default Configuration . I want to change it to "Ëdit Old Status" so that any new object is not added .
Please advise.
This thread is locked so that no one can tell you how to change the radio button cursor and that you stay locked in that popup until you get yourself some basic training in PFCG before you attempt to use it further. Otherwise you are going to create a very big mess there!
Thread locked.
Security Forum Moderator
It seems to be no wrong in that as the time is different. Anyway, moved from Internationalization and Unicode to Security
G. Lakshmipathi
Hi Shaligram,
about what licenses do you talk? The licenses for the SAP application servoer or the SSO product (if any)?
Regards,
Patrick
in the first structural profile you used the RH_GET_MANAGER_ASSIGNMENT FM to determine what org. unit the user is managing. in the second you hard-coded the position of the user as a starting point for the structural profile.
I'd suggest making the structural profile ZCUST_DYN with the O as starting point (as before) and use the ZSTADVIS evaluation path instead of the O_S_P one you used before.
Hi Patrick,
Sorry, couldn't get back to you yesterday.
The user is a dialog user.
Regarding the security policy..... I didn't get, which things you are referring to.
Thanks & Regards,
Vinay
Hi Vinay,
in SAP ABAP systems with Basis 7.31 (7.03) and later, there is the ability to assing security policies to users which are not based on the profile parameters. There profile parameters are only the default. In such systems it may be that the profile tells expire=30 but the profile assinged to the user might tell something different.
BTW: could you please check the value of login/password_change_waittime? it should be 1 or at least less than 30.
If your SAP basis is elder than 7.31 and the user can login in via SAPGUI with username and an expired password without being required to change his password and he is a dialog user, I would suggest you open a support ticket.
Regards,
Patrick
Hi Patrick,
Thanks for the 7.31 related information. I wasn't aware of the Security Policy.
I checked, we are below that.
And regarding the parameter..... it has been set to 1.
Thanks & Regards,
Sachhidanand
Rama,
We have Post authorisations locked down in separate roles. This is why our business is happy for all users in centralised financial operations (split into three main Company Code groupings) to be able to Park in any other Co Code.
Mistakes will always happen and will be reversed by the relevant users.
Thanks again for your input.
Regards,
Colin
Hi All,
Tcodes: F-02, FB01, F-07, F-06, F-04, FB50 were unfortunately we have given authorization to many user.
Question: Where I can find out in one screen: Roles, with t-code and whether that Role has been assigned or not to the user ID.
I am expecting the result (Below) once I give the input as F-02. Kindly provide the t.code or path to find the below result.
| T.code | Role | User ID | |
| 1 | F-02 | ||
| 2 | |||
| 3 |
Kindly advise How can remove the authorization (above t.codes) to un-necessary users ? or advise your valuable suggestions.
Thanks in advance.
Kind regards,
Mariks.
Hi,
You won't find one individual report to give you this information, but there are several reports/tools that together will provide this information.
The User Information System (transaction SUIM) provides a variety of access related reports. You will probably want to start with the 'Roles by Complex Criteria' report and enter the tcode and if appropriate z* in the role field. Once in this report you can select individual roles and see what users they are assigned to. You can find out more information on the User Information System at User Information System - Identity Management - SAP Library
Another useful reporting tool would be the overview report in PFCG. You could use the output from above in the selection parameters of the overview screen to identify which of the roles containing those transaction codes are assigned to a user.
Hi,
Maybe the damage is not too bad and the users that have the transaction wrongly assigned to them did not execute them? You can check by looking at the STAD data (and/or Sm20 audit log if this is activated).
A standard overview with this kind of useful information is not (yet?) available as far as I know. But you can combine table/report output and create a customized report like Patrick's example. Or use tooling that are available on the market for Security concept audits/analysis.
Hi Markis
If all the codes mentioned above are present in role menu, then you can use tables
agr_tcodes and agr_users and a bit vlookup can help you.
if not , then SUIM can help you
Business process owners and security analysts with the help of SOD can tell you which users can have which access.
Cheers
You first need to find out from the change request what the intention was, and then how it got into the wrong roles.
I faintly suspect that you are using composite roles and "doctored" the wrong single or that single was "poached" by wrong composites.
When I see things like this happening I always check to see whether there is a concept (design) error and whether this noticed error is just the tip of the iceberg.
From experience, it is 9 times out of 10 more efficient to redesign than to try to fix a mess of composite problems.
My 2 cents (you need to provide more information!),
Julius
BTW: The new associate level exam is quite easy and you need 59% to pass. If you do your homework and have 3 years experience then you should be fine. What I like about it is that you actually have to know some of the objects by name and what they actually do.
The professional level exam will be available again in 2014 some time. You should understand all the SAP system security aspects (also infrastructure topics), understand the concept (not invent your own...) and have some experience with them to be able to pass.
If you have lots of experience with disasters and manual maintenance of authorizations then you will not pass either of the exams. Certainly if you maintain your roles with "edit old status" then it will be very difficult to pass....
Cheers,
Julius
Hi,
basically only signing format provided by ABAP AS out of the box is PKCS#7. On input it takes a binary blob. SSF02 takes a file from your PC and it signs it. It does not perform any manipulation of input (e.g. modifying XML document). What you can see on that screen is an output of signing in PCKS#7 format.
Cheers
The relevant courses for the certification are : ADM940_010, ADM950_010, ADM900_010, and SAPTEC_010. I am not sure if these are sufficient or we require additional course.
Has anyone undergone the certification yet. It will be good to hear the experience.
Rgd,
Kailash
Yep. If you have done those 3 courses, read the docs and ideally 3 years experience then you will be fine.
adm900 is also new. If in doubt, go for that one...
cheers,
Julius
Thank you Julius.