Channel: SCN: Message List - Security

Re: SAP_XI_APPL_SERV_USER unable to customize


Hi,

 

Please try this.

 

1. Go to the UME and check what UME roles are assigned to SAP_XI_APPL_SERV_USER.

2. Map the UME roles you get in step 1 to the newly created custom role Z_PI_ APPL_SERV_USER.

 

Though the role is on the ABAP side of the system, these SAP standard roles have appropriate object representations in the Java Stack. When creating custom PI/XI SAP standard roles, you also need to copy the objects from its Java Stack.

 

Thanks, hope it helps.

 

Regards,

Santi.


CRM_ORD_OE - org numbers in fields


We're maintaining specific sales org IDs in auth object CRM_ORD_OE. We have different org unit numbers maintained in the Dev system to those in the Prod system.

 

How do others go about maintaining specific values in auth roles for this auth object?  It seems strange that we would have to maintain directly in each system instead of transporting or have different roles based on the system.

 

Values need to be specific, so *'s can't be used.

Re: Kerberos for SAP GUI Authentication -- Single Sign-On with Microsoft Kerberos SSP


Hi Tim,

 

Thanks for the information. Currently we are heavily invested in IBM Identity, federated identity and Access Management suites. Based on our current infrastructure, it supports all kinds of web-based SSO such as "http header, certificate, SAML, openid, OAuth, spnego/Kerberos" and password synchronization to SAP systems from Active Directory. Since we have the password synchronization to managed systems, the user can use the Windows password to log in to any SAP system. Now we would like to have true SSO for SAPGUI.

 

Since SAP NW SSO 2.0 provides more than Kerberos, in my understanding we will be paying too much for the other functions and features which we already have in the IBM tool set.

 

Is there a GSS API V2 SAP certified third party product, "just the Kerberos API", which we can buy? I guess this will reduce the cost?

 

 

Thanks

Anjani Jha

Re: Kerberos for SAP GUI Authentication -- Single Sign-On with Microsoft Kerberos SSP


Patrick,

 

Thanks for the link, it will help a lot. I am going to test this integration soon.

 

regards

Anjani

Re: Kerberos for SAP GUI Authentication -- Single Sign-On with Microsoft Kerberos SSP


Yes, there are companies that offer GSS API v2 SAP certified third party products 'just for Kerberos'. You can find details by searching on SAP Store (http://store.sap.com).

Also, I need to let you know that due to the rules of SCN, discussion about third party products is not allowed on SCN, so posts might get deleted if details are discussed. I will discuss with you outside of SCN instead.

Thanks

Tim

SNC unable to initialize


I believe I have configured SNC correctly.

When I enable SNC and try to log in, I get the following error:

screenshot2.jpg

 

But once I remove the SNC connection options in the network tab, I am able to log in.

My kernel versions are as follows:

screenshot3.jpg

 

And I am wondering if I set my PSN correctly:

screenshot4.jpg

Could someone point me in the right direction to debug the problem? Thanks

Re: SNC unable to initialize


Hi,

 

Can you please check whether you have logged on to the PC using a domain user or not?

Also please see note 352295 for more information.

Re: SNC unable to initialize


Yes, I am logged on as a domain user, but now when I try to connect directly from the server SAP GUI (7.2) I am getting this error.

screenshot2.jpg


Firewall in SAP landscape


Hello Folks,

I am trying to understand the risks if we don't have a firewall between the application and database server.

End users will never access the database server as per the plan. Also, do you recommend a firewall between the QAS and PRD systems?

Since we have a secured LAN, I wonder whether these firewall settings are mandatory. In our environment the system is not connected to the internet. From a DR perspective, we may deploy a parallel system in another data center.

I appreciate your replies.

 

 

Thanks

Bala 

Re: Firewall in SAP landscape


The only sensible segments are DMZ <-> corporate client networks <-> protected infrastructure network. More than that is just being stubborn and not more secure... ;-)

 

Even in these core segmentations you must still harden certain SAP internal components for which the ports must be open.

 

Cheers,

Julius

Re: SNC unable to initialize


Then, have you maintained the SNC name of this user on the SNC tab page via SU01?

Copy Role in SAP


I want a way to copy one role to 60 different roles,

and in each of these newly created roles I want to change one authorization object to a different value.

 

For example, the original role is Z:original

and the new roles will be:

Z:original 1

Z:original 2

Z:original 3

Z:original 4

 

The copied roles have one repeated authorization object called AUTH; this object should have a different value according to its role:

Z:original 1 -----> AUTH 1

Z:original 2 -----> AUTH 2

Z:original 3 -----> AUTH 3

Z:original 4 -----> AUTH 4

 

Could you please help me with the best way to do that?

 

Thank you.

Re: CHARM functionality for SAP role management


Thanks Laxman,

 

Thanks for giving an option which we can study and then implement. However, we cannot completely remove the approval process, as that would be against an ITIL process.

 

The actual problem we face is that first a service request is created for role changes as reported by the user, then an RFC is created from that SR, and then finally a change document is raised for that RFC by the change manager. Then the role changes are done in development and moved across the systems.

 

This looks like a very lengthy process, as it involves multiple teams working on a single RFC.

 

Is there a possible simplified solution for it?

Re: Copy Role in SAP


Hi Mohd,

 

 

The best and fastest way to achieve this is a SECATT script.

 

1. In the tcode recording, copy the role from the Z original role and, on the authorization tab, maintain the value in the authorization object.

 

After creating the script, run it with your values. Let me know in case of any issues.

 

Regards

Kiran.S

Re: XD02 - Restrict Access to Global Data


Hi,

 

Usually the account group auth is deemed sufficient, from your requirements I assume that you are already using F_KNA1_GRP and then need further granularity hence the problem with GEN.

 

It sounds to me like this is a problem with the custom code, what exactly is not working as expected? Is the check being performed? Where is it happening, before or after the standard checks?


Re: CHARM functionality for SAP role management


Hi Sameer,

 

I think the simplified solution is very much a process/organisational one.  Streamline as much as you can from a process perspective and then as Laxman said, create the minimum workflow required to support that.

 

My personal view is that both change management and test management through SolMan are management conspiracies to test the spirit of hard working staff and generate unnecessary work, however if they are the tools mandated then there isn't much other option.

Re: Firewall in SAP landscape


Thanks Julius. Regarding your comments on ports, I would like to clarify a bit.

Do you suggest to close the ports other than critical connections such as TMS/RFC/Printer/DB listener etc.? We don't have any plan to use web service as of now.

Bala

Re: Firewall in SAP landscape


If you are not using something then it is better to deactivate it or leave it inactive in front end component application gateways.

 

The trick is to limit the attack surface at the network port level and then use the application logic of the available ports to restrict what can be done with them if they must be open.

 

Opening DB ports from server LAN to Client LAN is not a good example of this. But you should harden your DBs anyway. Same goes for OS systems as they might trust each other beyond SAP and use other ports for that.

 

DR is always a tricky thing (how to automate securely). There are some clever ways of doing this if you accept that it is pushed from SAP and monitored by the SAP system.

 

You should only mirror to data centers whom you trust and in the SAP world it is not realistic to encrypt the DB.

 

Cheers,

Julius

Re: Copy Role in SAP


Hi Kiran,

 

As far as I remember (I did test quite a long time ago), CATT cannot manage popups, and changing an authorization field is done through a popup, so I'm afraid it cannot be used there.

This might be possible using SAPGui scripting only.

 

 

Regards

Re: Copy Role in SAP


Hello

 

So you've got two actions to complete

1) copy a role

2) mass update authorization object in the created role

 

A first solution would be to download the source role and copy the generated text file.

You can then change in the copied files

- the role name

- the authorization object.

Check post Mass change of authorization objects in several roles

As stated there, this method is not supported; as far as I know, the structure of a downloaded role is not documented.

Try this in a sandbox client and, if the roles are OK, transport them to the dev system.

 

Another way, fully automated but even less supported...

1) copy the source role using function module /SDF/PRGN_COPY_AGR

You can automate this using startrfc in a shell script (here a Windows version, far easier in Un*x).

for /l %x in (1, 1, 60) do (

startrfc -3 -h %SAP_Host% -s %system_number% -t -u %SAP_User% -p %SAP_user_pwd% -c %SAP_client% -F /SDF/PRGN_COPY_AGR -E SOURCE_AGR="Src_Role" -E TARGET_AGR="Des_Role%x"

)

Example for creating 60 roles ZDUMMY** from role ZDUMMY:

for /l %x in (1, 1, 60) do (

startrfc -3 -h SAP_HOST.domain.com -s 00 -t -u DDIC -p ddic_password -c 100 -F /SDF/PRGN_COPY_AGR -E SOURCE_AGR="ZDUMMY" -E TARGET_AGR="ZDUMMY%x"

)

Remark: as of kernel 7.20 the startrfc program is not part of the SAP binaries; you must get it from the SAP RFC SDK (SAP notes 1581595 - rfcexec or startrfc fail after upgrade, 27517 - Installing RFCSDK).


2) update authorization object at DB level in table AGR_1251

Watch out, these commands update SAP data directly, without any enqueue or data validity control.

This should only be performed in a sandbox system and if you have some SQL knowledge.

Here is, for example, a query that updates in role ZDUMMY2 the value of JOBACTION for object S_BTCH_JOB from '*' to 'LIST'.

update sapsr3.AGR_1251 set LOW = 'LIST' where LOW = '*' and object = 'S_BTCH_JOB' and FIELD = 'JOBACTION' and AGR_NAME = 'ZDUMMY2' and MANDT = '100';

commit;

It is even possible to change the value based on the role's last character, as you asked:

update sapsr3.AGR_1251 set LOW = decode(substr(AGR_NAME, length(AGR_NAME), 1), '1', 'Value for ZDUMMY1', '2', 'Value for ZDUMMY2', '3', 'Value for ZDUMMY3', '4', 'Value for ZDUMMY4', 'Value for all others') where object = 'S_BTCH_JOB' and FIELD = 'JOBACTION' and AGR_NAME like 'ZDUMMY%' and MANDT = '200';

commit;

You will need to refresh the SAP buffer after running the SQL commands (type /$TAB AGR_1251 in the OK code field).

 

3) You will need to regenerate the updated roles using transaction PFUD.

 

Regards
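
The suffix-keyed update from the post above, as an added example that is not part of the original thread: it runs against a constructed in-memory SQLite table standing in for AGR_1251 (not an SAP database) and shows that keying on the last character makes ZDUMMY11 receive ZDUMMY1's value once there are more than nine copies, while a dry-run plan keyed on the full numeric suffix does not. The V<n> values, the ZDUMMY_ADMIN role and all function names are constructed placeholders.

```python
import sqlite3

PREFIX = "ZDUMMY"  # role name prefix used in the post's example
WHERE = "MANDT=? AND OBJECT='S_BTCH_JOB' AND FIELD='JOBACTION'"

def build_sample(n_roles=12):
    """Constructed stand-in for AGR_1251 with only the columns the post uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AGR_1251 (MANDT, AGR_NAME, OBJECT, FIELD, LOW)")
    rows = [("100", f"{PREFIX}{i}", "S_BTCH_JOB", "JOBACTION", "*")
            for i in range(1, n_roles + 1)]
    # Shares the prefix but is not one of the numbered copies.
    rows.append(("100", f"{PREFIX}_ADMIN", "S_BTCH_JOB", "JOBACTION", "*"))
    db.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?)", rows)
    return db

def last_char_value(role):
    """Mapping as in the post: keyed on the last character only."""
    return {"1": "V1", "2": "V2", "3": "V3", "4": "V4"}.get(role[-1], "OTHER")

def full_suffix_value(role):
    """Keyed on the whole numeric suffix; None means 'leave this role alone'."""
    suffix = role[len(PREFIX):]
    return f"V{int(suffix)}" if suffix.isdigit() else None

def plan(db, mapper, mandt="100"):
    """Dry run: {role: new LOW} for every row the update would match."""
    cur = db.execute(f"SELECT AGR_NAME FROM AGR_1251 WHERE {WHERE} "
                     "AND AGR_NAME LIKE ? ORDER BY AGR_NAME", (mandt, PREFIX + "%"))
    return {name: mapper(name) for (name,) in cur}

def collisions(planned):
    """(role, earlier_role) pairs that would end up with the same specific value."""
    seen, dup = {}, []
    for role, val in planned.items():
        if val not in (None, "OTHER") and val in seen:
            dup.append((role, seen[val]))
        seen.setdefault(val, role)
    return dup

def apply_plan(db, planned, mandt="100"):
    """Apply only definite values in one transaction; return rows changed."""
    todo = [(v, mandt, r) for r, v in planned.items() if v is not None]
    with db:  # commit on success, roll back on any error
        cur = db.executemany(
            f"UPDATE AGR_1251 SET LOW=? WHERE {WHERE} AND AGR_NAME=?", todo)
    return cur.rowcount
```

Reviewing the output of `plan()` and `collisions()` before calling `apply_plan()` is the point: the last-character mapping also assigns the "all others" value to ZDUMMY_ADMIN, which the full-suffix mapping skips.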
