Actually, this is the best solution: you can delete roles as Peeyush described, without needing the PRGN_COMPRESS_TIMES program.
Re: Removing roles using SU10
Hi,
But in the PRGN_COMPRESS_TIMES program, please select the option "Delete Expired Assignments", and I suggest you try it for one user first and then do it for all the other users.
When we did it for mass users we faced some issues with that, so I am requesting you to try it for one user and then do it for all the other users if it worked.
Thanks!
Re: Periodic Update to Derived roles
Hi Julius
Merry Christmas!
Referring to your comment:
"or take it on the nose that you will have to maintain a few fields locally in the role data."
Does this mean the org levels in derived roles should be maintained locally (i.e. within the field in the authorisation object)? If so, I know we can change the text for the yellow authorisation object description and add notes to the long text description but I feel that it still may cause some confusion and possibly be cancelled using the reset org level program should somebody see the dark maintained colour in the field or see actual values in AGR_1251.
If it's not this then I'm not quite following :-(
Best wishes
David
Re: Periodic Update to Derived roles
Hi DB,
No. That is not what I meant.
If you don't use derived roles then you have the freedom to maintain a few non-org fields in the roles if you do want to make the decision in the role and don't want to be forced into making an org-level out of it.
e.g. display all movement types but post only some and use MIGO for both.
Cheers,
Julius
SAP HR - How to give access to expats' and impats' PERNR through a structural profile?
Dear all,
I am having some difficulty making a structural profile to give access to employees (P) through the Central Person (CP).
In our Company, some employees are expatriates to another country.
These employees have two pernr.
One pernr for expatriate.
One pernr for impatriate.
These pernr are linked with the Central person (relationship A209/B209)
The HR users have geographical perimeter. (Derivation by country)
When an employee is impatriated to the host country, the local HR user requests access to the expatriate folder (PA30) of this employee, but this folder is out of the HR perimeter.
I created a new role, a new structural profile and the evaluation path below:
Object Type  Relationship                    Priority  Rel.Object.type
O            B 003 Incorporates              *         S
S            A 008 Holder                    *         P
P            A 209 Is filled by              *         CP
CP           B 209 Has employment contract   1         P
When I launch the programs RHBAUS02 and RHBAUS00
In the result (HRAUTH), I have all the objects for Central Person.
I have the Impatriate pernr.
But I don't have the expatriate pernr.
I have the first PERNR
O B 003 Incorporates * S --> OK
S A 008 Holder * P --> OK
I have the impatriate PERNR
CP B 209 Has employment contract 1 P --> OK
But I don't have the expatriates PERNR
CP B 209 Has employment contract 1 P --> KO
In the transaction PP01 or PPSS, I am able to see the relationships between CP and P (or P to CP)
In the PPOSE, the first PERNR and the expatriate are not in the same view.
I am not sure if this is the problem, and I don't know how to give access to expatriate pernr.
Have you ever had this issue?
Do you have any advice to help me?
Thanks in advance.
Mickael.
Re: In BW 3.5 - Making an Customer Auth Obj and Organizational Item
Hello Julius,
First, thank you for your reply. I have returned from Holiday.
In reply to your last question, there is no upgrade planned. The current plan is to stay with BW 3.5 until a Global Warehouse strategy is adopted. At that point the data will be migrated and the system will be shut down.
The situation is the following:
- The developer has produced a report that is generic in scope; meaning it pulls data from all sales organizations.
- The desire is to have users grouped by sales organization so the data they have returned is for their sales organization only. Basically, I see my data and you see your data, but we cannot see the data of the other.
- What the developer has done is create a new Authorization object: YZZV_SO. The field for this object is SALESORG. The desire is to have this field become an Organizational Level so that each group of users can have their sales organization coded in a derived role. All of the other Authorization Objects are the same across all Sales Organization Groups. So, the Template/Derived role concept is appropriate.
I need to research if this field is used elsewhere in other roles. Any assistance in how to accomplish this would be appreciated.
Happy New Year!
Rich
Re: user validity expiring notification should come while login by user?
Hi,
just another hint:
Please check notes 1793961 & 1656965 for automated actions according to the checks like in RSUSR200.
Best Regards,
Holger
Weak SSL Cipher
Hi Security Experts,
While running vulnerability scans before deploying new application servers (NW 7.31 ABAP, kernel 401 for Windows), we are getting a "weak SSL cipher supported" error on port 5$$14, the SAP MMC listener HTTPS port. We have SSL configured with default parameters.
Can you suggest steps to increase the SSL strength of this port? Worst case, can you suggest steps to disable this port?
The OS is Windows 2008 R2 x64.
regards
Yogesh
Re: Weak SSL Cipher
I'm not sure how you could set the ciphersuite for sapstartsrv. You can disable the HTTPS port by following instructions given in SAP note 1036107.
Re: Weak SSL Cipher
Since the SAP instance specific sapstartsrv is using the instance profile you could try to set ssl/ciphersuites according to SAP note 510007 and see if it helps.
Re: In BW 3.5 - Making an Customer Auth Obj and Organizational Item
Hi Rich,
Based on your latest reply, please try to create a new customized authorization object by using t-code RSSM instead of using SU21.
Here Salesorg field is by default Organizational field.
Steps to create BW Auth objects.
1. Please make sure characteristic value (0salesorg) is authorization relevant or if not make that one as "Authorization Relevant" under Business Explorer tab of RSD1 t code.
Note: if you are using customized sales org by copying standard characteristic value of Salesorg then make sure to maintain that value as Auth Relevant.
2. Go to RSSM and Specify the name of Customized auth object and click on create.
3. Select the sales org char value from the right hand side pane and move it to the left hand side, then save the object.
4. Add the newly created auth object to the required roles; the Sales org field will then by default appear as an organizational field, and from there you can derive as per your requirement.
I hope this helps with your requirement.
Thanks,
Siva
Re: Weak SSL Cipher
Thank you, I will add the parameter and see if that fixes this problem.
Looking at the details of the parameter, my worry is whether this will break something which is working. I believe this parameter change will apply to all http/https communication which is happening over other SAP ports as well. I would do some tests, but is there something you suggest I look at?
Re: Weak SSL Cipher
Yes that parameter will affect ICM services as well. Apart from testing the impact, I have no other recommendations.
Re: Weak SSL Cipher
Yogesh-
Follow this SAP note:
510007 - Setting up SSL on Web Application Server ABAP
and set appropriate values for ssl/ciphersuites and ssl/client_ciphersuites. While setting these params, make sure you check all your certificate based connections and make sure that they support a similar level of encryption. Thanks
Re: Weak SSL Cipher
Thank you for this information. After analyzing the parameters, I am worried it will generate a whole lot of work. Adding cipher control on the SSL communication. We have over 20+ production SAP and non-SAP systems communicating with each other via http/https. I don't want to add additional complication to the already complex setup.
Samuli earlier explained that SAP note 1036107 has steps to disable https communication. I could not find steps to disable the communication; I do see steps on how to enable https for SAP MC. But I checked my system: most of the settings described are not there, yet I still see that 5$$14 is there in most of our systems.
Would you be so kind as to provide steps on how to disable this service?
regards
Yogesh
Re: Weak SSL Cipher
Login to the HTTP port (5xx13) of your SAP MC using a browser. A Java applet is launched and that is why you need to have a working Java runtime. In the Java applet select menu entry Tools -> Settings... and uncheck "Use HTTPS".
Re: Weak SSL Cipher
Correct, you can even delete the indicator from Tools -> Settings.
Also, refer to 1439348 - Extended security settings for sapstartsrv :
"Restrict network access
Another option is to restrict the remote access via the network to ports 5XX13 / 5XX14 of the sapstartsrv agents to a minimum level required for operation. For example, restrict it so that only the sapstartsrv of a system can communicate with each other, and the Webservice clients used (SAP MMC, SAP MC, ...) from the computers from which they are operated (for example, Administrator Desktop PC). In addition to pure network routing measures, current sapstartsrv (as of 720 patch 45) offer the option to specify network ACL lists using the profile parameters service/http/acl_file and service/https/acl_file. After you set the profile parameters or change the ACL lists, you must restart the affected sapstartsrv to activate the changes. Note 1495075 describes the syntax of the ACL files."
Re: Weak SSL Cipher
That checkbox is already disabled when I connect via http. I connect via https and disable it but the access point is still there. I stopped and restarted the SAP service but same result.
I guess what you are suggesting is to switch the SAP MC connection to https/http but it is not disabling the SAP service listening on 5$$14. My problem is that this access point is available, we have a scan going on via a 3rd party which is scanning this port and finding that it allows weak ciphers.
How I can disable this access point altogether is still a question. From what I could find so far, once I enable SSL, it automatically enables the 50014 https service. Not sure how to disable it. I will try and reverse engineer SAP note 1036107 suggested by Samuli to see if that works, but in case you have other ideas.
Yogesh
Re: Weak SSL Cipher
Hi Yogesh,
Your original issue was that SSL was allowing some weak cipher suites to be used for connection. For example, you really do not want to use suites that use 3DES. This is a common issue and you just need to disable these weak suites. The only issue you could get from disabling these weak suites is if you have a really really old client that does not support new crypto primitives such as block cipher AES and hash function SHA-1. What happens during initialization of a connection is that client and server agree on the cipher suite that will be used to protect the connection. You just want to configure the server so that it won't allow some suites to be used. Hence you could have a situation where an old client supports only weak cipher suites and the server does not want to use any of these. Hence the connection fails because they can't agree on a cipher suite.
Honestly, disabling HTTPS access to MC sounds like a really terrible idea. Basically, your auditors are saying that they do not like you accessing this sensitive service over weak cipher suites. Your answer is that let's not use any encryption at all. Hence you are trying to resolve one minor issue by introducing much bigger issue. Do you really think that auditors will be happy with your solution? Regardless what auditors think you should really want to protect it and you should not access it over HTTP.
Cheers
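Added example (not part of the thread): the negotiation described in the post above, modelled to show which peers would lose connectivity once weak suites are removed from the server's list. The client names and suite lists are constructed sample data, and server-preference selection is an assumption of this sketch.

```python
# Substrings that mark a suite as weak for this check (3DES is named in the thread;
# the others are commonly flagged by scanners).
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_DES_", "MD5")


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def negotiate(server_suites, client_suites):
    """Return the first suite in the server's order that the client also offers."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails


def impact_report(server_before, clients):
    """Compare negotiation results before and after dropping weak server suites."""
    server_after = [s for s in server_before if not is_weak(s)]
    report = {}
    for name, suites in clients.items():
        before = negotiate(server_before, suites)
        after = negotiate(server_after, suites)
        if after is None:
            status = "BREAKS"
        elif before != after:
            status = "UPGRADED"
        else:
            status = "UNCHANGED"
        report[name] = (before, after, status)
    return report


# Constructed inventory: a legacy-ordered server list and three hypothetical peers.
SERVER_BEFORE = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
CLIENTS = {
    "admin-desktop": ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "legacy-interface": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"],
    "aes-only-peer": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
}

if __name__ == "__main__":
    for peer, (before, after, status) in impact_report(SERVER_BEFORE, CLIENTS).items():
        print(f"{peer:18} {status:10} {before} -> {after}")
```

Only peers reported as BREAKS need attention before the server list is tightened; the others keep working, some on a stronger suite than before.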
Re: PFCG restriction: how to restrict security team from self assignment of roles?
Vijay, You can do it. Put the Security team in one user group and then restrict them under object S_USER_GRP and S_USER_AGR / S_USER_PRO (if required) but the assignment values 22, 78 like that.. Hope this helps to start.. Regards, Daya