Channel: SCN: Message List - Security

Re: PFCG restriction: how to restrict security team from self assignment of roles?


Hi Vijay

Restrict the security group by assigning it to an auth group with the object S_USER_GRP, with values 22 and 78 and class (auth group).

Cheers

Pavan M


Re: PFCG restriction: how to restrict security team from self assignment of roles?


Yes, that's true, but that will not enable my peer who is in the same group to assign a role to me. Hence this solution will not work.

I should be able to assign a role to my peer who is in the same group, or vice versa, but I must not self-assign.

Re: PFCG restriction: how to restrict security team from self assignment of roles?


Using the standard concept you'll have to get creative with your S_USER_GRP and a supporting set of roles. This will have a maintenance overhead. A couple of alternatives are:

1. Have someone outside the team have access to grant them to users within the group (and be strict about enforcing user groups).

2. Run a detective report on a weekly basis to see who has done self-assignments (the most commonly operated control that I have seen).
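
The weekly detective report from alternative 2, as an added example that is not from the thread: it reads a constructed, simplified export of role-assignment changes and flags records where the changing user and the changed user are the same. A real SAP change-document extract (for instance from SUIM) has different column names, so those would need to be mapped onto the fields assumed here.

```python
"""Weekly detective check for role self-assignment (added example, not from the thread).
Input: a constructed, simplified export of role-assignment change records. Column names
are assumptions; map a real SAP change-document extract onto them."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample export, not real data: changed_on;target_user;changed_by;role;action
SAMPLE_EXPORT = """\
changed_on;target_user;changed_by;role;action
2013-05-06;JSMITH;SECADM1;Z_FI_DISPLAY;ADD
2013-05-06;SECADM1;SECADM1;Z_BASIS_ALL;ADD
2013-05-07;SECADM2;SECADM1;Z_SEC_ADMIN;ADD
2013-05-08;secadm2;SECADM2;Z_FI_DISPLAY;REMOVE
2013-04-20;SECADM1;SECADM1;Z_OLD_ROLE;ADD
"""

def parse_export(text):
    """Parse the ';'-separated export into dicts; user IDs are normalised to upper case
    because SAP user IDs are case-insensitive and exports are not always consistent."""
    rows = []
    for r in csv.DictReader(StringIO(text), delimiter=";"):
        rows.append({
            "changed_on": date.fromisoformat(r["changed_on"].strip()),
            "target_user": r["target_user"].strip().upper(),
            "changed_by": r["changed_by"].strip().upper(),
            "role": r["role"].strip(),
            "action": r["action"].strip().upper(),
        })
    return rows

def self_assignments(rows, week_start, actions=("ADD",)):
    """Changes in [week_start, week_start + 7 days) where a user changed their own roles.
    Peer assignments within the security group are allowed by the requirement, so they
    are deliberately not flagged; pass actions=("ADD", "REMOVE") to include self-removals."""
    week_end = week_start + timedelta(days=7)
    return [r for r in rows
            if week_start <= r["changed_on"] < week_end
            and r["action"] in actions
            and r["target_user"] == r["changed_by"]]

def report_lines(rows, week_start):
    """Human-readable lines for the weekly review, one per self-assignment."""
    return [f"{r['changed_on']} {r['changed_by']} assigned {r['role']} to themselves"
            for r in self_assignments(rows, week_start)]

if __name__ == "__main__":
    for line in report_lines(parse_export(SAMPLE_EXPORT), date(2013, 5, 6)):
        print(line)
```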

Re: Weak SSL Cipher


Hi Martin,

Thank you.

One thing I don't understand is why only this port is giving this weak cipher issue. We have SSL enabled, which means it will be effective for all ports. We have standard 443 HTTPS ports, but this issue does not show up there. Anyway, right now we have both HTTP and HTTPS access to SAP MC. I am trying to disable HTTPS for this port, so nothing worse than what we currently have, which seemingly does not seem possible. I even got confirmation from SAP that if you select SSL, this port gets active by default and there is no way of disabling it.

Of course I am not putting off fixing this, but currently I cannot put in the effort of changing something which may have a widespread impact. We will plan in a big list of changes based on its priority.

I will close the thread. Thank you all for your inputs.

Yogesh


Re: user validity expiring notification should come while login by user?


Hi Dayanand,

Thank you so much for your rapid and appropriate reply. I will try to implement as per your document's solutions and let you know if I can achieve it.

Regards,

Suresh B

Re: Structural Authorisations - Connection to It0105


Hi Niels,

Thank you for the reply. In answer to some of your ideas:

For the 2nd user ID there is NO personnel number of any kind; the ID has just been attached to a position number that is only related to the 'additional org unit', e.g.

Position XXRD0000009  Helen Salter 2nd Id for Sickness

Planning Status Active

Relationships 01 S 50224919 1

1.1.2000 - 3.12.9999  A 003 belongs to O 50224761  XXRD

8.6.2012 - 31.12.9999 A 008 Holder US SLATERH1 Slater

8.6.2012 - 31.12.9999 B007 is describe  AG ZS:HR SICKNESS ABSENCE

So here is the evidence: as there is no IT0105 available, we have used the position to identify the person.

Non-payroll staff can be set up with a personnel number; it looks like it would be easier for us to persuade the HR people that this needs to be done.

Thanks for your help

Regards

Debbie

Re: Weak SSL Cipher


Then sapstartsrv is not behaving the same way as ICM is; sounds like a bug to me. I guess sapstartsrv is not even respecting the ssl/ciphersuites parameter.


Re: Weak SSL Cipher


Hi,

I still believe that leaving it as is is a better option than disabling the HTTPS connection. I know that it will "resolve" one of your issues, but it's not right. It's just dumb following of a recommendation from audit.

As Samuli mentioned, I would raise a ticket with SAP. I would ask how you can control the SSL cipher suites used by sapstartsrv. Before raising a ticket I would double-check what cipher suites are offered by the standard HTTPS port used for serving various web-based services and by port 5xx14. Is it possible that your 443 port is actually open on a web dispatcher or other reverse proxy and hence gets its config from somewhere else?

Cheers

Re: Hide sensitive attribute data and make the infoobject unavailable to some BEx report writers


Hi Linda,

I have the same issue now and am just wondering if the issue was fixed?

Could you please share your solution? Thanks.

Regards

Jia

Re: PFCG restriction: how to restrict security team from self assignment of roles?


Guys, can you please look into it? Has anybody come across this scenario? Looking forward to your reply.

Re: user validity expiring notification should come while login by user?


Hi Dayanand,


I have implemented the component enhancement and it is working fine. Thank you.


Regards,

Suresh B

Re: PFCG restriction: how to restrict security team from self assignment of roles?


Vijay, I don't believe that there is a technical solution for this using the SAP authorisation concept. We have controlled this scenario by embedding the Firefighter tool. In summary, the Security Team have to invoke the Firefighter process to modify accounts in the Basis and Security functions. The activities are logged, which is the control to monitor which accounts are being modified.

All user maintenance transactions are not allocated to the SAP accounts.

The methods that are called by SU01 perform a check on user groups versus individual users. To fulfil your requirement, you would need to build a custom solution, i.e. perhaps a user exit that performs this check in addition to utilizing a custom auth object.

Re: PFCG restriction: how to restrict security team from self assignment of roles?


Hi, as I mentioned, you will have to build a set of roles and authorisation groups that allows this segregation. Unfortunately that will mean creating auth groups and roles for each user and will incur a suitably high maintenance overhead.

Re: What is the use of coupled T-code in SAP?


Hi Jana

Refer to SAP Note 358122 - Function description of transaction SE97

and also please go through the discussions on TCDCOUPLES in SCN.

Cheers

Pavan M


Analysis of Authorisations


Hi,

I understand that SUIM is available to answer most related security questions, but does anyone know how I could determine which ABAP programs, classes, function modules etc. are reading which infotypes without the need to work through the logic? Is there a table that lists the programs, nested programs and the corresponding tables they read?

Re: Analysis of Authorisations


There is no such table in SAP.

Your next closest bet would be USOBT_C for the S_TABU_* objects, but that is only as good as how the proposals for transactions etc. are maintained, and they are notoriously not well maintained, even though they are very powerful for helping to build roles with exact proposals.

So we solved this ourselves and built a tool which scans the code of the programs, nested programs, classes, methods, function modules, subroutines etc. etc... and finds all the existing authority-checks, access to tables and data which require checks, tells you which check is missing, which API to use and whether the corresponding values in USOBT_C are correct for the transactions which can reach that coding location which has or needs a check.

In some cases this might be the S_TABU* objects, but in most it is actually the application object which you need to know the values for (e.g. a select of data from BKPF is scanned for a check on F_BKPF_BUK before outputting the results, and for use of the API instead of hardcoding the check). For infotypes it is actually quite easy as there are nice APIs, but you have to scan the code to see whether they are used...

You get a result which then looks like this...

[Image: alchemist.png]

Re: Analysis of Authorisations


Hi,

As Julius mentioned, you have to go through the code. If you don't want to or can't use 3rd-party products, then there is a simple approach: use SE11 for a DB table and use the where-used function. The problem here is that you will get some function modules that are used by other programs, so you need to use the where-used function for these function modules, and so on. The process is annoying and also does not cover dynamic selects from the tables. It's not bullet-proof, but it could give you some idea of which programs are accessing particular DB tables. You could also try to use the Code Inspector (transaction SCI) for this. There is a class of tests called "Search Functs.". Here you could try to search for ABAP statements that correspond to a select from a DB table.

Cheers
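
A minimal version of the scan that Julius's tool and Martin's SE11/SCI procedure both describe, as an added example that is neither that tool nor code from the thread: it splits a constructed ABAP sample into statements and, per FORM/METHOD/FUNCTION, reports each SELECT that is not preceded in the same unit by an AUTHORITY-CHECK on the application object expected for that table. The BKPF/F_BKPF_BUK pairing is the one named above; the PA0008/P_ORGIN entry and the sample code are assumptions. Checks made inside called routines are not seen, which is exactly the where-used chain Martin describes and this single-unit pass does not follow.

```python
"""Static scan for DB reads lacking an application authority check (added example).
Single-unit pass: a check performed in a called routine or API is not seen."""
import re

# Table -> application object expected before reading it. BKPF/F_BKPF_BUK is from the
# thread; the PA0008 entry is an assumed mapping for this sample.
EXPECTED_CHECK = {"BKPF": "F_BKPF_BUK", "PA0008": "P_ORGIN"}

# Constructed ABAP sample, not code from the thread.
ABAP_SAMPLE = """
FORM read_docs USING iv_bukrs TYPE bukrs.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD iv_bukrs ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE e001(zz).
  ENDIF.
  SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = iv_bukrs.
ENDFORM.

FORM read_pay USING iv_pernr TYPE pernr_d.
  SELECT SINGLE * FROM pa0008 INTO ls_p0008 WHERE pernr = iv_pernr.
ENDFORM.
"""

UNIT_RE = re.compile(r"^\s*(FORM|METHOD|FUNCTION)\s+(\S+)", re.I)
END_RE = re.compile(r"^\s*END(FORM|METHOD|FUNCTION)\b", re.I)
CHECK_RE = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'([^']+)'", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)", re.I | re.S)

def statements(src):
    """Split ABAP into statements: a period followed by whitespace ends one."""
    return [s.strip() for s in re.split(r"\.\s", src) if s.strip()]

def scan_abap(src, expected=EXPECTED_CHECK):
    """Return (unit, table, missing_object) for every SELECT on a table in `expected`
    that has no earlier AUTHORITY-CHECK on that object within the same unit."""
    findings, unit, checked = [], None, set()
    for stmt in statements(src):
        if m := UNIT_RE.match(stmt):
            unit, checked = m.group(2), set()      # new unit: forget earlier checks
        elif END_RE.match(stmt):
            unit = None
        elif m := CHECK_RE.search(stmt):
            checked.add(m.group(1).upper())
        elif m := SELECT_RE.match(stmt):
            table = m.group(1).upper()
            need = expected.get(table)
            if need and need not in checked:
                findings.append((unit, table, need))
    return findings

if __name__ == "__main__":
    print(scan_abap(ABAP_SAMPLE))
```

Dynamic table names (`SELECT ... FROM (lv_tab)`) are not resolved by the regex, the same gap Martin notes for the where-used approach.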

Re: Analysis of Authorisations


Many thanks for your responses; they have been really helpful.

create single role copy of composite role in sap security


We have a composite role Z_RUC_ALL_FICO_PAAKAYTTAJA. It includes dozens of single roles (approx. 30 single roles).

We would need to create a new single role which includes all transactions and authorizations from composite Z_RUC_ALL_FICO_PAAKAYTTAJA and some added transactions. Is it possible to merge those single roles in FICO_PAAKAYTTAJA into one new single role? Any best procedure?

We need to copy all data of the 30 single roles into one new single role in one shot to avoid manual work.

My option is: yes, the possibility is there.

First download all tcodes, auth object values and org values from the AGR tables, create one single role and add all these tcodes, org values etc.

Or create single roles and insert all profiles of all single roles, and maintain the auth data manually by referring to the AGR tables data.

T&R

S.N.R
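
The first option (pull the tcodes and auth values of the single roles from the AGR tables and union them for one new role), as an added example that is not a procedure from the thread. The rows mimic AGR_TCODES (role, tcode) and AGR_1251 (role, object, field, low, high) but are constructed, with made-up role names rather than the Z_RUC_ALL_FICO_* roles above; real exports carry more columns, and org levels (AGR_1252) are not handled here.

```python
"""Merge the tcodes and authorization values of several single roles into one new role
(added example). Rows are constructed in the shape of AGR_TCODES / AGR_1251."""
from collections import defaultdict

# Constructed sample rows with made-up role names (not the thread's roles).
AGR_TCODES = [("Z_FI_DISP", "FB03"), ("Z_FI_POST", "FB01"),
              ("Z_FI_POST", "FB03"), ("Z_OTHER", "SU01")]
AGR_1251 = [
    ("Z_FI_DISP", "F_BKPF_BUK", "ACTVT", "03", ""),
    ("Z_FI_DISP", "F_BKPF_BUK", "BUKRS", "1000", "1999"),
    ("Z_FI_POST", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_FI_POST", "F_BKPF_BUK", "ACTVT", "03", ""),    # same value as Z_FI_DISP: deduplicated
    ("Z_FI_POST", "F_BKPF_BUK", "BUKRS", "2000", ""),  # different range: kept side by side
    ("Z_OTHER", "S_USER_GRP", "ACTVT", "22", ""),      # not a source role: ignored
]

def merge_single_roles(tcode_rows, auth_rows, source_roles, extra_tcodes=()):
    """Union the tcodes and the (object, field) -> value ranges of source_roles.
    Distinct ranges for one field are kept as separate entries, never widened into
    one range, so the merged role grants exactly the union and nothing more."""
    wanted = set(source_roles)
    tcodes = sorted({t for r, t in tcode_rows if r in wanted} | set(extra_tcodes))
    auth = defaultdict(set)
    for role, obj, field, low, high in auth_rows:
        if role in wanted:
            auth[(obj, field)].add((low, high))
    return tcodes, {k: sorted(v) for k, v in auth.items()}

def to_agr_1251_rows(new_role, auth):
    """Flatten the merged values back into AGR_1251-shaped rows for the new role."""
    return [(new_role, obj, field, low, high)
            for (obj, field), ranges in sorted(auth.items())
            for low, high in ranges]

if __name__ == "__main__":
    tcodes, auth = merge_single_roles(AGR_TCODES, AGR_1251,
                                      ["Z_FI_DISP", "Z_FI_POST"], extra_tcodes=("FBL3N",))
    print(tcodes)
    for row in to_agr_1251_rows("Z_FI_MERGED", auth):
        print(row)
```

Because the merged role is the union of everything in the composite, review it for segregation-of-duties conflicts before assigning it; the composite kept those single roles separate, the merged role does not.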
