Channel: SCN: Message List - Security

Re: ERROR: local PSE does not match original in database


Have you checked the PSE Import function in STRUST?

 

Regards,

 

Patrick


Re: How to block the multiple logons with NWBC?


Hi Frederic,

 

For protocol reasons it is not feasible to check for a single login (which is your intended behaviour, I guess). The reason is that for SAP-GUI we have a permanent TCP connection. The protocol itself gives us a clear statement that there is a new login coming (someone launching the SAP-GUI to connect to the backend instead of, for instance, just opening a new mode).

This feature is not part of the HTTP protocol. There, just opening a new window for an already existing session will lead to the same execution flow as a direct access from a new window on the protocol layer. In fact, even the IP can change in HTTP without the app losing the connection (you may try it in bigger WLANs: moving from one section to another, if the IP changes the SAP-GUI will break but the HTTP session will stay). So just checking the IP is not feasible either without breaking one of the main features of the HTTP protocol.

 

If you could provide more info on the use case, there may be some other option to avoid the issue you are facing.

 

regards,

Patrick


Re: ERROR: local PSE does not match original in database


Sure. Tried two ways:

a)

1. Delete existing System-PSE

2. Import SAPSYS.PSE

3. System-PSE remains empty (red x)

Leaving STRUST and calling it again: No System-PSE

b)

1. Create new System-PSE ok - everything is in place

2. Import needed SAPSYS.PSE

3. Certificate field is populated with that data

Leaving STRUST and calling it again: The imported SAPSYS.PSE data is gone and System-PSE is coming up with newly created certificate data

 

Example:

1. Create New

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   20131211053554

Gültig von     11.12.2013 05:35:54 bis    01.01.2038 00:00:01

Prüfsumme      BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE

2. After Import

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   00

Gültig von     01.10.1997 00:00:00 bis    01.01.2038 00:00:00

Prüfsumme      8E:0F:BC:54:98:5D:02:84:CB:F0:BE:7D:4D:67:32:80:62:CD

3. Leaving STRUST and re-entering

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   20131211053554

Gültig von     11.12.2013 05:35:54 bis    01.01.2038 00:00:01

Prüfsumme      BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE

 

Saving the PSE leads to an export to file dialog...

Distributing doesn't help either

Re: Recommended Settings for the Security Audit Log (SM19 / SM20)


Dear Frank,

 

indeed it would be nice to be able to define own (customer-specific) event codes. But we would be able to stick to the existing (and "old") codes. We just need to create entries and I was just wondering whether that is OK ...

 

I prefer the Security Audit Log over other mechanisms because of its distributed setup (7 application servers involved!) and because it is NOT a database mechanism, so it does not require a COMMIT and does not interfere with the existing LOW logic...

 

Best regards,

 

Ralf


Authorization Object for field KNTTP in transaction ME51N


Dear gurus,

 

I want to limit user access to the account assignment category in transaction ME51N; let's say a user should not be authorized to input account assignment category K in a PR line item. I have difficulty finding the authorization object for that particular field. Could someone help me?

Re: Password Related Query


Hi Gaddam,

 

the solution you mentioned is not the solution to the second issue cited. This has been a fix for the issue that a user was unable to change his password even though it was expired (the initial issue mentioned in this thread). The issue that had been pointed out, to which I referred, was the ability to log in with an expired password without even being asked to change the password. Are you sure this was caused by the same issue, or have you been unable to reproduce the issue?

 

regards,

 

Patrick

Re: Password Related Query


Hi Patrick,

 

Let me explain to you what was happening.

 

When the users were trying to change their password, the faulty code was changing the Password Change Date (USR02) to the current date, and that too before changing the password value.

Now, after looking at this new date, it was assuming:

1) the user has already changed the password today & login/password_change_waittime=1,

so it was giving "You are not allowed to change the password." Frankly speaking, this is a somewhat misleading message.

2) the password is valid, not expired (new Password Change Date - today's date).

 

Hope, this helps.

 

Thanks & Regards,

Sachhidanand
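The ordering defect Sachhidanand describes (metadata written before the value it describes) is a general pattern, so here is a small model of it as an added example. This is not SAP code: it simulates the two USR02-style fields from the post (password hash and password-change date) and the two checks that read the date, the login/password_change_waittime rule and password expiry. The record layout, helper names, the expiry value and the sample user are constructed for illustration only.

```python
"""Model of the password-change ordering defect described in the thread.

Added example, not SAP code. USR02-style fields, helper names, parameter
values and the sample user are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Assumed values: waittime=1 as stated in the post, expiry=90 is a placeholder.
PASSWORD_CHANGE_WAITTIME_DAYS = 1
PASSWORD_EXPIRATION_DAYS = 90


@dataclass
class UserRecord:
    bname: str
    pw_hash: str
    pw_change_date: date  # the "Password Change Date" of the post


def _hash(password: str) -> str:
    # Toy hash for the model; a real system uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def is_expired(rec: UserRecord, today: date) -> bool:
    return today - rec.pw_change_date > timedelta(days=PASSWORD_EXPIRATION_DAYS)


def changed_too_recently(rec: UserRecord, today: date) -> bool:
    return today - rec.pw_change_date < timedelta(days=PASSWORD_CHANGE_WAITTIME_DAYS)


def change_password_faulty(rec: UserRecord, old: str, new: str, today: date) -> str:
    """Defective order: the change date is written before the password value."""
    if rec.pw_hash != _hash(old):
        return "wrong old password"
    rec.pw_change_date = today            # 1. date updated first ...
    if changed_too_recently(rec, today):  # 2. ... so the waittime check sees "changed today"
        return "You are not allowed to change the password."
    rec.pw_hash = _hash(new)              # 3. never reached; old password stays valid
    return "changed"


def change_password_fixed(rec: UserRecord, old: str, new: str, today: date) -> str:
    """Correct order: checks first, then the value, and the date only on success."""
    if rec.pw_hash != _hash(old):
        return "wrong old password"
    if changed_too_recently(rec, today):
        return "You are not allowed to change the password."
    rec.pw_hash = _hash(new)
    rec.pw_change_date = today
    return "changed"


def attempt_with_expired_password(change) -> tuple:
    """Run one change attempt for a user whose password expired long ago.

    Returns (message, password_value_changed, still_flagged_expired).
    """
    today = date(2013, 12, 11)  # constructed date
    rec = UserRecord("DEMO", _hash("old-secret"), today - timedelta(days=200))
    before = rec.pw_hash
    msg = change(rec, "old-secret", "new-secret", today)
    return msg, rec.pw_hash != before, is_expired(rec, today)


if __name__ == "__main__":
    for fn in (change_password_faulty, change_password_fixed):
        print(fn.__name__, attempt_with_expired_password(fn))
```

With the faulty order the attempt returns the misleading waittime message, the password value is unchanged, and the record no longer reads as expired, which is exactly the combination the two replies above are discussing: the old password keeps working and the expiry check is silently reset. The fixed order changes the value first and writes the date only once the change has actually happened.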

Re: Authorization Object for field KNTTP in transaction ME51N


Hi,

 

your requirement is too granular. There is no standard object for this. But the good news is that ME51N is relatively easy to enhance, so you need to build in an additional authorization check for a custom object.

 

Cheers


Not able to generate correct absence quota using RPTQTA00


Hello Experts,

 

I need your help in knowing the solution for incorrect generation of absence quota using RPTQTA00.

Right now, absence quota is being generated manually in my company, so I would like to implement RPTQTA00 for generation of absence quotas every year just by executing RPTQTA00.

 

I have done all the configurations:

001     Permit Quota Generation Without Time Evaluation     V_556A_B

002     Specify Rule Groups for Quota Type Selection     Feature QUOMO

003     Set Personnel Subarea Groupings for Time Recording     V_001P_H

004     Base entitlement     V_T559E

005     Validity interval of absence quota type     T559V

006     Deduction interval of absence quota type     V_T559D

007     Define Rules for Reducing Quota Entitlements     T559M

008     Define rounding rule     V_T559R

009     Define Generation Rules for Quota Type Selection     V_T559L

 

Now after configuring the above tables and executing RPTQTA00, the outcome is just double the constant absence quota defined.

I have configured the absence quota to be 18; it is creating a quota of 36.

Also, the start and end date of the quota are coming out to be the start and end date of the respective calendar year, but the end deduction date is coming out to be the end of the next year.

 

Please help me find where I am lacking.

Re: Recommended Settings for the Security Audit Log (SM19 / SM20)

Re: STAUTHTRACE


Hi Ameet,

 

Thank you for giving valuable information.


Tcode [STAUTHTRACE] does not exist in my server [EHP 4].


Kindly tell me in which EHP, it is available.


------

Regards,

Vijay

How to post SAML 2.0 assertion in IDP SSO to SICF service.


Dear Techies

 

Can you please help me resolve an urgent issue when trying to use SAML 2.0 assertion. The ultimate aim is to get this working with UI5 / OData, as our ABAP server is not at a high enough NetWeaver level to make use of OAuth 2.0 and SAML bearer assertion.

 

I am in the process of configuring SAML 2.0 assertion on a NW 7.02 SP 13 ABAP system with an external identity provider, Cloudminder.

The solution needs to be achieved Front End Channel i.e. HTTP POST/HTTP REDIRECT bindings

 

I have the following basic scenario working:

 

1) Configure SICF service to use SAML 2.0

2) Access service e.g. https://<hostname>:<port>/sap/bc/ping

3) Identity provider logon page displayed. Credentials entered

4) ACS endpoint reached successfully

5) User is redirected to service in 2)

 

I am having struggles achieving the next, more challenging scenario.

 

The service needs to be called using Identity Provider SSO via a Service Mediation Layer.

The Service Mediation Layer will authenticate the user directly with the Cloudminder identity provider in advance

and receive a valid SAML 2.0 assertion token.

 

The SML will then call the service on the SAP Service Provider with the SAML 2.0 assertion token, and the

user is successfully authenticated on SAP without having to access identity provider logon page.

 

At this point in time SAP is completely ignoring the SAML 2.0 assertion and always directs the user to the logon page.

 

I am attempting to simulate the SAML 2.0 post in a rest client without success.

 

Operation: HTTP POST     URL:     https://<hostname>:<port>/sap/bc/ping?SAMLResponse=<encoded SAML 2.0>&RelayState=<encoded state>

 

Additional header parameters that have been tried without success are:

 

Content-Type:        application/x-www-form-urlencoded

Content-Length:     11684

Connection:           keep alive

Host:                    <hostname>

 

I attach a structure of SAML 2.0 response with dummy values.

 

Many thanks in advance for advice that leads to a successful resolution.

 

Mike
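For readers working through the same front-channel scenario, here is an added example of how the two bindings Mike mentions carry a SAML 2.0 Response and RelayState. It is not the original post's request and not SAP code; it follows the SAML 2.0 Bindings specification: the HTTP-POST binding sends the base64-encoded Response XML and the RelayState as form fields in an application/x-www-form-urlencoded body POSTed to the assertion consumer service (ACS) endpoint, while the HTTP-Redirect binding sends a DEFLATE-compressed, base64-encoded, URL-encoded message in the query string. The XML skeleton, hostname and relay state are constructed dummy values, and the last function only classifies the shape of a request; it does not model what any particular service provider does with it.

```python
"""SAML 2.0 front-channel bindings: how a Response and RelayState are carried.

Added example following the SAML 2.0 Bindings specification; not SAP code.
The XML skeleton and all values are constructed.
"""
import base64
import zlib
from urllib.parse import urlencode, parse_qs

# Constructed skeleton with dummy values (no real assertion, no signature)
SAML_RESPONSE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_dummy-response-1" Version="2.0" IssueInstant="2013-12-11T05:35:54Z" '
    b'Destination="https://sp.example.invalid/saml2/acs">'
    b'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)


def build_post_binding(saml_xml: bytes, relay_state: str) -> tuple:
    """Return (content_type, body) for the HTTP-POST binding: base64, no compression."""
    body = urlencode({
        "SAMLResponse": base64.b64encode(saml_xml).decode("ascii"),
        "RelayState": relay_state,
    })
    return "application/x-www-form-urlencoded", body


def decode_post_binding(body: str) -> tuple:
    """Recover (xml, relay_state) from a POST-binding body.

    Decoding is not validation: the service provider still has to verify the
    XML signature, Destination, audience and validity window before trusting it.
    """
    fields = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    if "SAMLResponse" not in fields:
        raise ValueError("no SAMLResponse form field in body")
    xml = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    return xml, fields.get("RelayState", [""])[0]


def build_redirect_binding(saml_xml: bytes, relay_state: str) -> str:
    """Return the query string for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(saml_xml) + compressor.flush()
    return urlencode({
        "SAMLResponse": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })


def decode_redirect_binding(query: str) -> tuple:
    """Inverse of build_redirect_binding; same caveat as decode_post_binding."""
    fields = parse_qs(query, strict_parsing=True, keep_blank_values=True)
    deflated = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    xml = zlib.decompress(deflated, -15)
    return xml, fields.get("RelayState", [""])[0]


def message_location(method: str, query: str, body: str) -> str:
    """Classify where a request carries SAMLResponse.

    'post-binding' only for a POST with the field in the body, 'redirect-binding'
    for a GET with the field in the query string, otherwise 'none' (for example a
    POST whose SAMLResponse sits in the URL query rather than in the form body).
    """
    in_body = "SAMLResponse" in parse_qs(body)
    in_query = "SAMLResponse" in parse_qs(query)
    if method == "POST" and in_body:
        return "post-binding"
    if method == "GET" and in_query:
        return "redirect-binding"
    return "none"


if __name__ == "__main__":
    ctype, body = build_post_binding(SAML_RESPONSE_XML, "/sap/bc/ping")
    print(ctype, message_location("POST", "", body))
    print(message_location("GET", build_redirect_binding(SAML_RESPONSE_XML, "s"), ""))
```

When reproducing a browser flow in a REST client, the two things to compare against this model are the endpoint (the form goes to the ACS, and the application URL travels in RelayState) and the location of the fields (form body for POST, query string for Redirect). The decoders deliberately stop at recovering the XML; what makes the exchange safe is the validation the service provider performs on the decoded message, not the transport.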

Where used SAP users


Hi,

 

Is it possible to list where a user is used?

For example, if a user is used in a job or an RFC.

 

Thanks,

Nuno Sousa

Re: STAUTHTRACE


Hello Vijay,

 

 

It's available within the EHP6 release.

Many other features & auth checks have been provided by SAP within this release, e.g. Tcode SECPOL [auth objects S_SECPOL & S_SECPOL_A].

 

Thanks,

Sunny Doshi

Re: How to get No of Users Logged in Server SAP NW 7.3


Hello Krishna,

 

Do you have any idea about SAP Portal activity reports? How many users logged into the SAP Portal last/this month? How can I get the list of users who were logged into the SAP Portal last month?

 

Thanks,

Naveen


Re: Where used SAP users


Hi

 

For jobs you can check table TBTCP => field AUTHCKNAM

For RFC you can check table RFCDES => field OPTIONS, tag U=

 

 

Regards
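The two lookups in this answer are easy to run offline once the tables have been exported, so here is an added example that does so. It is not SAP code: it assumes TBTCP and RFCDES rows are available as lists of dicts keyed by column name (RFCOPTIONS is taken to be the "OPTIONS" field named above), that RFCOPTIONS holds comma-separated TAG=value entries in which U= carries the logon user, and that M= is the client; the sample rows are constructed.

```python
"""Offline where-used check for a SAP user name in exported TBTCP and RFCDES rows.

Added example, not SAP code. Assumes exported rows as dicts and the
TAG=value layout of RFCOPTIONS; all sample rows are constructed.
"""


def parse_rfc_options(options: str) -> dict:
    """Split an options string such as 'H=host,S=00,M=100,U=RFC_SVC' into a dict.

    An entry without '=' is kept with an empty value rather than dropped, so an
    odd row still shows up when the result is inspected.
    """
    result = {}
    for entry in options.split(","):
        entry = entry.strip()
        if not entry:
            continue
        tag, sep, value = entry.partition("=")
        result[tag] = value if sep else ""
    return result


def where_used(user: str, tbtcp_rows: list, rfcdes_rows: list) -> list:
    """Return (kind, name, detail) tuples for every job step that runs under `user`
    and every RFC destination whose U= tag names `user`.

    The comparison is case-insensitive because the U= value is not always stored
    in upper case. The RFC detail carries host and client, since the later reply
    in this thread points out that the client matters for interpreting a hit.
    """
    user = user.upper()
    hits = []
    for row in tbtcp_rows:
        if row.get("AUTHCKNAM", "").upper() == user:
            hits.append(("job", row["JOBNAME"], row["PROGNAME"]))
    for row in rfcdes_rows:
        opts = parse_rfc_options(row.get("RFCOPTIONS", ""))
        if opts.get("U", "").upper() == user:
            detail = f"{opts.get('H', '')} client {opts.get('M', '')}"  # M= assumed to be the client
            hits.append(("rfc", row["RFCDEST"], detail))
    return hits


# Constructed sample rows (not data from any real system)
TBTCP_SAMPLE = [
    {"JOBNAME": "SAP_REORG_JOBS", "JOBCOUNT": "10101010", "PROGNAME": "RSBTCDEL2", "AUTHCKNAM": "BATCH_ADM"},
    {"JOBNAME": "Z_NIGHTLY_EXTRACT", "JOBCOUNT": "20202020", "PROGNAME": "ZEXTRACT", "AUTHCKNAM": "RFC_SVC"},
]
RFCDES_SAMPLE = [
    {"RFCDEST": "PRD_CLNT100", "RFCTYPE": "3", "RFCOPTIONS": "H=prdhost,S=00,M=100,U=RFC_SVC,L=E"},
    {"RFCDEST": "QAS_CLNT200", "RFCTYPE": "3", "RFCOPTIONS": "H=qashost,S=01,M=200,U=rfc_svc"},
    {"RFCDEST": "LOCAL_TEST", "RFCTYPE": "3", "RFCOPTIONS": "H=localhost,S=02,M=100,U=BASIS_ADM"},
]

if __name__ == "__main__":
    for hit in where_used("RFC_SVC", TBTCP_SAMPLE, RFCDES_SAMPLE):
        print(hit)
```

Run against a real export, the output is a starting point for an access review of a service user (which jobs and destinations stop working if its password or authorizations change), not a complete picture: as the next reply notes, it only covers the client the tables were exported from.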

Re: Where used SAP users


That assumes you know the client where the call or job is spawned from.

 

The correct tool if you only know the user or want to find the users is SM19 (security audit log).

 

With a bit of effort you can also extract useful information from the stat collectors (table MONI and associated files) to get up and running fast enough if the SM19 log was not active beforehand.

 

However Nuno should provide a bit more information about why this is wanted to get a more detailed answer and also show that some search was done before popping the question - as many aspects of this question have been answered before here or have infos in help.sap.com and service.sap.com.

 

If Nuno does not provide more details or follow-up and nothing interesting turns up, then I will delete the whole thread, as it just creates noise for others who do search.

 

Cheers,

Julius

Re: Where used SAP users


Dear Nuno ,

 

your question is not very clear, but according to my understanding you need to generate a report about all the users you have.

it could be by

1- system measurement report -- use USMM t-code

     execute System measurement

     check the log and Statistics

sample of generated report

 

2- by using SUIM T-code

select

click Execute

 

Best Regards

AhMeD

Re: Periodic Update to Derived roles


Hi,

 

The only other workable solution is to remove the inheritance relationships for the derived roles & process them all manually.  From what you are saying I expect this will increase the effort.

 

The golden rule of using derived roles is that field values remain consistent.  If they don't then you have to rework your role concept or promote the fields to org levels as Meta has mentioned.  If you do the latter then I expect that there would be some additional rework (e.g. if you have different activity combinations for various permutation of variable field values) but in the long run it would be supporting the concept that you based your role design around. 

Re: Need to set authorizations through coding


Hi,

 

I agree with Sougata and Matthew about the idea of trying to achieve this.  I would not recommend this approach.  If your security team find updating authorisations tedious then I suggest that you get new ones who will perform the job they are being paid to do & will work with you to understand what the BDC sessions are doing and support this through standard mechanisms.  This is really not a big piece of work and much smaller than finding errors in a piecemeal fashion.

 

You could automate the process of picking up an authorisation error message (how you would do it would depend on which SAP version you are on), updating appropriate role/s in production but that would end up with users getting all sorts of spurious (and likely high privileged) access and you would have a control gap so wide that you could drive a bus through it.
