Quantcast
Channel: SCN: Message List - Security
Viewing all 5338 articles
Browse latest View live

Terminal name not displayed in SM20

April 21, 2016, 3:21 am
$
0
0

Hello,

 

There's a user called SOLMANCONFIG that keeps getting locked in my (Solution Manager) system. It's getting called by some rogue RFC (could be external - this SolMan installation is connected to 30+ systems) which does not have the correct credentials for the ID.

 

Turned SM19 audit log for the ID yesterday.

 

Id got locked today once again.

 

Generated the audit log for a short time period around the time of locking, in SM20.

 

Results as attached.

 

solmanconfig.PNG

 

As you can see, there's nothing in the "Terminal" column! It's not there in the detailed display either.

 

This problem has bugged me for quite a while now. Would really appreciate any help that would let me fix this. Mind you, this could be an RFC call from a satellite system, so checking the RFC destinations maintained in my own landscape (i.e. contents of the RFCDES table) might not be enough.

 

EDIT : If I recall correctly, there are also some profile parameters that need to be enabled to generate detailed logs in SM19/20. Is that relevant here?

Search

Re: Terminal name not displayed in SM20

April 21, 2016, 3:57 am
$
0
0

Hi

 

In most cases blank terminal entry means: its from internal system.

You can enter into message details to see "Work Process Number" and "Work Process Type" responsible for this.

Maybe in process dev trace you will find something useful.

 

To see IPs in logs you can play with parameter: rsau/ip_only.

 

Regards

Przemek

Re: su01 - netweaver 7.4 indirect role assignments from composite are not blue

April 21, 2016, 4:18 am
$
0
0

Thank You Bernhard ! 

 

I had searched around notes etc.  and could not find anything related

 

All the best

 

Dan.

Where used list of Roles

April 21, 2016, 4:20 am
$
0
0

Hi Experts,

 

We have a requirement to identify all roles being hardcoded, used in exit, tables etc to achieve specific functionality. I have the list of roles from Production system. Is it possible to get the where used list for Roles ?

 

Any help is appreciated.

 

Thanks in Advance.

Disable SAP GUI login

April 21, 2016, 5:50 am
$
0
0

Hi All,

 

I want to prevent end-users of CRM and BI, from logging in, via SAP logon pad.is there any parameter or Security policy, which can achieve this.

 

i think login/disable_password_logon, will also prevent a user from logging though url. However, there is no SSO, so end-users of CRM and BI use password in CRM and BI specific urls.


Regards

Plaban




Re: Disable SAP GUI login

April 21, 2016, 7:22 am
$
0
0

Hi Plaban, I also hear this requirement once in a while and therefore did some research some months ago.

 

The clear result of my research was: no - at least not in a straight forward way.

 

The answer from SAP would probably be: "Build your authorization roles carefully and do not give any S_TCODE to those users". But of course life is not always that simple.

 

So what we thought about (and dismissed):

  • Don't install SAP GUI (hahaha)
  • Close firewalls for SAP ports (hmhmhm)
  • Do authentication to web applications only with SAML2 and deactivate the users' passwords (but there are some SAP Shortcut generating SAP web applications that will bypass this measure) (ohohoh)

 

By questioning the requirement and educating about SAP's authorization concepts we were always able to satisfy people (sufficiently) without "locking down" SAP GUI.

Regards,

Lutz

How to Transport the changes for SU24_AUTO_REPAIR

April 21, 2016, 1:49 pm
$
0
0

Hi Folks,

 

We recently had an issue with one the Authorization field  (CLASS) where it  being converted to Org field automatically due to the of  GRC Plugin installation in the child system.

 

I had run the program SU24_AUTO_REPAIR to remove the incorrectly defined SAP Org Level field , but system didn't prompt  to save these changes in the Transport request so that the changes can be moved to Quality and Production.

 

Could you please let me know how do i Transport these changes to Q and P.

 

BR

Rakesh

email domain change

April 21, 2016, 10:30 pm
$
0
0

My organization's domain is being changed - I understand that we need to update all scripts that we use to reflect the new domain.

Apart from that , is there any SAP report to mass update all user email ids from old domain to the new domain ?

Search

Re: How to Transport the changes for SU24_AUTO_REPAIR

April 21, 2016, 11:41 pm
$
0
0

Refer to sap note 1539556 part [3] how to deploy changes into Q and P  1539556 - FAQ | Administration of authorization default values

Re: Denied message for ACCESS to registered program SLD

April 15, 2016, 8:04 am
$
0
0

Hello Julius,

thanks for the recommendation for gw/reg_no_conn_info. Since I already read all the notes but could not make up my mind which value to set and finally was completely confused I will set the value to 127.

Cheers

Michael

 

Message was edited by: Michael Schulte Although this single Problem is solved now two further questions related to this topic arouse. First I'll explain the Situation what I'm talking about:     - all Systems are running in Simulation mode (!)     - Registered program=reg_prog is installed on reg_host     - Reg_prog registers at host_a of System A     - The registered program is configured in SM59 on System B with gateway of host_a We defined this rule in the reginfo on host_a: P TP=reg_prog  HOST=reg_host  CANCEL=local,internal ACCESS=host_b local,internal Question 1: With this rule the acess was denied. We had to add "local,internal" to the parameter HOST (-> HOST=local,internal,reg_host)  although the registration is only done from host_reg. This seems to be a little bit strange, however, is this conclusion correct? Question 2: Now we have the case that we initially do not know if there are remote Systems which want to use the registered program. Per Default we define the rule  for the Gateway on host_a like this:     P TP=reg_prog  HOST=reg_host  CANCEL=local,internal ACCESS=local,internal When we did so we received this denied  message:     reginfo denied client: TP=reg_prog, ACCESS=localhost (127.0.0.1) And now we have no idea who tries to execute reg_prog through the Gateway on host_a.

Re: Where used list of Roles

April 21, 2016, 11:47 pm
$
0
0

Not quite sure about your requirement. Roles are assigned to users not to exits? or tables?

 

However you can use S_BCE_68001399 to get a Where Used list of roles assigned to users.

Restricting Create & Release of WBS Element at t-code CJ20N level

April 22, 2016, 11:51 am
$
0
0

Hi Experts,

 

We have a requirement to restrict Create & Release of WBS Elements at t-code CJ20N level. I am unable to figure out which authorization objects should I restrict for these functionalities, can you please advise?

 

 

 

Thank you & Regards,

 

Krishna

Re: Restricting Create & Release of WBS Element at t-code CJ20N level

April 22, 2016, 12:48 pm
$
0
0

Hi Experts,

 

I just want to inform that I was able to restrict Create & Release of WBS element at the t-code CJ20N level using the auth object C_PROJ_KOK.

 

 

Thank you & Regards,

 

Krishna

Issue when implementing notes - report "PRGN_COMPRESS_TIMES"

April 23, 2016, 12:33 am
$
0
0

Dear Friends,


Hi,


I have questions about report PRGN_COMPRESS_TIMES.


I implemented SAP notes 1416149 & 1692243 manually on a system R/3 4.7. All side-effects & prerequisites notes have been implemented too (manual activities also done)


But we have an issue when we try to install the note 1692243. We get the message "Corrections incompletely..." for the function module "PRGN_CHECK_ROLE_ASGM_IN_CUA":


 

We tried to find a solution w/o success. Could you help?


When we confirm the changes and get an error during the activation of report "PRGN_COMPRESS_TIMES":




We tried to find a solution w/o success. Could you help?


Thank you for your help.

 

Best regards,

Zobair

Re: Issue when implementing notes - report "PRGN_COMPRESS_TIMES"

April 23, 2016, 2:17 am
$
0
0

In SE80 for class CL_SUSR_BASIC_TOOLS -> Method CHECK_USER_GRP_REQUIRED -> Definitions -> Attributes -> Visibility is set to public.

Search

Role Modify

April 23, 2016, 4:44 am
$
0
0

We have one request to modify role(adding field value in auth. object) and we have added it. when transporting that role, getting error "role XXXXX type is undetermined" can any body please suggest, how to fix this issue?

Re: Role Modify

April 23, 2016, 5:13 am
$
0
0

this is a known issue. Please check snote 770358

 

thanks,

Re: Issue when implementing notes - report "PRGN_COMPRESS_TIMES"

April 23, 2016, 5:17 am
$
0
0

Hi Michael,

 

Thank you for your reply.

 

Method CHECK_USER_GRP_REQUIRED doesn't exist :-(


Why? Any idea?


Thank you.

 

Re: Where used list of Roles

April 23, 2016, 6:06 am
$
0
0

Please elaborate more clearly about your issue .Could you please let us know is this issue was resolve , If yes , Please let us know.

Re: Issue when implementing notes - report "PRGN_COMPRESS_TIMES"

April 24, 2016, 1:06 am
$
0
0

Check SAP Notes 1416149 and 1692243. They are not released for 4.7.

Viewing all 5338 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>