Channel: SCN: Message List - Security

Re: SAP_XI_APPL_SERV_USER unable to customize

Hi Santi,

Thanks for this useful information.

But how can I move these UME changes to the production system?

Thanks,

Sankar.


Re: monitoring issue in cua

Thanks everyone for the response. Information from ST03 or SCUL was not much helpful. I could see who ran it but could not identify which systems were deleted by the program.

We recovered the system and did not face any issues after that. So we assume it might be a mistake.

Re: Firewall in SAP landscape

Hi Julius,

I would slightly disagree here. Usually you will have firewalls between different protection zones; this could be only the zones you listed, however it is not uncommon and sometimes even required that you also have firewalls to split networks for prod and dev/cons systems to better control the traffic and the access to the prod systems. Especially for systems holding credit card data, this may even be required by standards. Often you will also find similar setups for sensitive systems like HR systems. I completely agree, however, that for SAP ABAP systems having a firewall between the R3 system and the DB system is not very helpful from a security point of view.

BTW: there are some recommendations from SAP in this regard in the security guides. Especially with regards to the placement of firewalls there is also some info here.

Kind regards,

Patrick

Re: Firewall in SAP landscape

Hi Patrick,

I slightly agree with you that some control is gained by network zones for PROD / QAS / DEV systems, but the moment you have an STMS transport system, CTS+, SOLMAN monitoring, CUA / IDM, master data replication, central etc. then the RFC / SAPGui / Gateway / http ports will be open between the zones anyway.

So you have a considerably slightly higher maintenance effort for the firewalls, networks and switches with only marginally slightly better control of segments (e.g. for "zoning" in gateway ACLs it is useful).

;-)

Cheers,

Julius

Re: CRM_ORD_OE - org numbers in fields

Hi Richard,

I ran into the exact same problem a little while ago, where the org structure wasn't transported nor created with identical numbers throughout the landscape.

I chose to create three instances of the CRM_ORD_OE object, marked their descriptions DEV, QAS and PRD and filled them with the respective org IDs. After transporting I simply deactivated the irrelevant object instances on each system so it'll always be clear to anyone maintaining or transporting these roles that the values need to be different throughout the landscape.

On the QAS system it looks like this:

[image: OM-objects-640.png]

Hope this helps,

Jurjen

Re: Firewall in SAP landscape

Hi Julius,

as always with security, there is no one size fits all. It depends for instance on your workforce. If you have a high number of consultants working on Dev and Q, in many cases you want them not to get onto your prod systems.

However this is not the only reason. Usually a system has not only the STMS connectivity for the chain but is interconnected to other systems as well. Just one (real life) example from the past: a customer did copy his prod system to Q and then did some testing in there. However they simply forgot to reconfigure the service connections to let them point to the other Q systems and left them pointing to the other prod systems. As there had not been any firewalls in place, those connections did work. You can now guess what happened.

The reason you may want to split the zones for prod and dev often is not for the single system but really to have no business connectivity between the systems of the different zones to avoid the above, be it intentionally or by accident.

I'm with you that if you have only one DEV/Q/Prod line with no other connectivity requirements, setting up different network zones for this may be a bit of an overkill. However I have not seen a customer so far that had such a setup.

Regards,

Patrick

Re: Firewall in SAP landscape

Normally the basis folks have a "cheat sheet" of things to do before and after system copies. Killing jobs, deactivating SCOT, etc. should be on that list regardless of the network zoning, particularly if the ports for ALE and SMTP are open.

Yes, I agree that whether or not the ports will be open at that point in time (still / again) depends on whether the effort and discipline involved fits the organization and possibly regulatory requirements (which I was not aware of).

Best rather not to have Credit Card data at all..  :-)

Cheers,

Julius

Re: CHARM functionality for SAP role management

Thanks Alex, as you suggested we need to revisit our process.


Re: Firewall in SAP landscape

Interesting discussion. I agree with the "cheat sheet" regarding refreshes to keep the systems out of jeopardy. Obviously I would like to minimize the impact on maintenance and at the same time secure the systems as far as possible. I got your points regarding my original question. Thanks Patrick and Julius for your input.

Re: SNC unable to initialize

Hi Ning Li,

The thing is this: I managed to get the SNC working, without maintaining any user in SU01, as I am using the "without logon" option in the Network tab, but only on the application server. BUT, the problem is this now: I am trying to log in to the server that is not on the domain where SAP is installed; I am able to connect to the server without SNC enabled. Hence the earlier screenshot in which I am getting the error.

Re: Write access to Infotypes in the past

Hi Lars,

What does your structural profile look like exactly? Have you defined the period indicator (PDATE)?

I have a hard time figuring out whether time constraint "2" has anything to do with your issue. It seems more likely that the cause of your issue is related to the user not being authorized for the employee in that specific period of time.

Does the custom infotype have the VALDT (access auth.) switch activated? (You can check this in V_T582A for that infotype.)

FYI, this is the F1 help on the VALDT field, which I think pertains to your issue:

To simplify matters, the term 'period of responsibility' will be used in the following. If, during a particular period, a person has one (or more) organizational assignment(s) for which the administrator is responsible according to his/her authorization profile, then we refer to the entire validity period of this (these) organizational assignment(s) as the 'period of responsibility'.

There are three different cases.

    1. The period of responsibility begins in the future.
    If the administrator has write authorization for the infotype/subtype, this is valid for all infotype records whose validity period is within the period of responsibility. Read authorization is valid for infotype records which do not extend beyond the end of the period of responsibility.
    2. The period of responsibility begins before the current date. Its end date is no more than a fixed number of days before the current date.
    In this case, write or read authorization is valid in all periods. There are no time restrictions on the authorizations of the administrator for the relevant infotype records.
    The tolerance period enables the administrator to access infotype records that he/she was previously responsible for even if his period of responsibility has changed. You set up client-specific tolerance periods in the "HR: Authorization Main Switch" transaction.
    3. The period of responsibility ends in the past. The end of the period of responsibility ends before the current date even if the tolerance period is taken into account.
    In this case, the administrator does not have write authorization. Read authorization applies to infotype records which are not valid beyond the end of the period of responsibility.
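As an added illustration (not part of the thread and not SAP's code), the three cases of the F1 help quoted above written out as a small Python decision function. The dates and the "history profile" in the demo are constructed, and tolerance_days stands in for the client-specific tolerance period set in the HR authorization main switch:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Period:
    """Closed date interval: used for a period of responsibility and for an infotype record."""
    begin: date
    end: date


def responsibility_case(resp: Period, today: date, tolerance_days: int) -> int:
    """Classify the period of responsibility into the three cases of the VALDT help text."""
    if resp.begin > today:
        return 1                       # case 1: begins in the future
    if resp.end >= today - timedelta(days=tolerance_days):
        return 2                       # case 2: still running or ended within the tolerance
    return 3                           # case 3: ended in the past even counting the tolerance


def infotype_access(resp: Period, record: Period, today: date,
                    tolerance_days: int, role_write: bool = True) -> tuple[bool, bool]:
    """Return (read, write) for one infotype record. Assumes the role grants read access;
    role_write says whether it also grants write access for the infotype/subtype."""
    case = responsibility_case(resp, today, tolerance_days)
    if case == 1:
        # write only for records lying entirely inside the period of responsibility
        write = role_write and resp.begin <= record.begin and record.end <= resp.end
        # read only for records that do not extend beyond its end
        read = record.end <= resp.end
    elif case == 2:
        read, write = True, role_write  # no time restriction at all
    else:
        write = False                   # no write once the period is past the tolerance
        read = record.end <= resp.end
    return read, write


if __name__ == "__main__":
    # Constructed example: history profile 01.01.2013 - 01.10.2013, writing a February 2013
    # record on 01.03.2014, once without and once with a one-year tolerance period.
    today = date(2014, 3, 1)
    history = Period(date(2013, 1, 1), date(2013, 10, 1))
    rec = Period(date(2013, 2, 1), date(2013, 2, 28))
    print(infotype_access(history, rec, today, tolerance_days=0))    # (True, False): case 3
    print(infotype_access(history, rec, today, tolerance_days=365))  # (True, True): case 2
```

The second call shows why the tolerance period matters for Lars's scenario: the same expired profile grants write access again once the tolerance covers the gap.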

Re: Write access to Infotypes in the past

Hi D.

1. Thanks for your answer but I'm not sure if my problem is now solved

2. PDATE... Where do I define it? In T77S0 there is no entry and in the profile too

3. The user IS authorized in that time period. The only thing about this profile is that we modified the end date of the time slice +1 day because some policies (IT0000) are applied to the employee 1 day after he switched the organizational assignment. So we got the fact that the user has 1 profile for the time 01.01. - 30.09 and 1 profile with the time 01.01. - 01.10.

That's important for some reports which are accomplished 1 year later or so...

The History Profile is the last one so the write access should be given for example at the 01.02, right?

4. The switch for the custom Infotype is activated in V_T582A

5. Point 3 in the F1 Help is correct I think but I thought if the user has read or write access I can overwrite it with my profile?

BTW: Infotypes with time period 3 are working fine...

Re: Write access to Infotypes in the past

Hi again Lars,

  1. We will get there
  2. The PDATE field is part of your structural profile. It's the field named Period:
    [image: ZDIMITRI.png]

    However, I don't think the period is causing the issue here.
  3. You were saying the user is trying to write a record in the past. When trying to write this custom infotype, what are the record's begin and end dates?
    Can you make a screenshot of both of the structural profiles (01.01 / 01.09 & 01.01 / 01.10)? I think it will clarify things further.
  4. OK. Do you have the possibility to turn off the VALDT switch and see if this results in your desired behavior? Even though this may not be a permanent solution, we can deduce and see whether we're on the right track.
  5. If you mean the Maintenance checkbox in the structural profile (see the first red arrow in my screenshot) then no. When it comes to PA infotypes you cannot overwrite read or write access within a structural profile. This maintenance is only meant for PD objects.

Could you rule out this having to do with the standard role authorization by tracing the write action (ST01 or STAUTHTRACE)? That way we have further reduced other possibilities being the cause.

SNC connection error - no credentials were supplied

Hi Experts

I have an error when I try to configure the SNC.

1. I configured the SNC on the server side

Determined $SECUDIR

Downloaded crypto.dll

RZ10:

snc/gssapi_lib=C:\usr\sap\SER\DVEBMGS00\exe\gssapi32.dll
snc/enable=1
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/identity/as=p:CN=SAPSER, O=SAP731, C=RU
snc/permit_insecure_start = 1

After that I used transaction STRUST, where I've created a System PSE and SNC SAPCryptolib certificates.

[image: strust.jpg]

2. I downloaded SNC_CLIENT_ENCRYPTION from SAP and installed it.

3. I configured the connection to SAP

[image: con_conf.jpg]

And when I try to connect I get an error:

[image: error.jpg]

So what did I do wrong?

log: dev_w0

[image: log.jpg]

[image: console.jpg]

Thanks a lot..
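An added example (not from the post and not SAP's own tooling): a small Python check that parses the profile parameters quoted above, embedded here as constructed text, and lists what a reviewer would flag before such a system goes live. The parameter names are the ones from the post; the review rules are assumptions of this example, not SAP documentation.

```python
import re

# Constructed sample: the RZ10 parameters quoted in the post above, pasted as text.
SAMPLE_PROFILE = r"""
snc/gssapi_lib=C:\usr\sap\SER\DVEBMGS00\exe\gssapi32.dll
snc/enable=1
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/identity/as=p:CN=SAPSER, O=SAP731, C=RU
snc/permit_insecure_start = 1
"""

# Parameters that keep unprotected (non-SNC) connections or starts possible while set to 1.
INSECURE_FLAGS = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
    "snc/permit_insecure_start",
)


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' profile lines into a dict; blank lines and '#' comments are skipped."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:                               # ignore lines without '='
            params[key.strip()] = value.strip()
    return params


def review_snc(params: dict[str, str]) -> list[str]:
    """Return a list of findings for the SNC settings; an empty list means nothing to report."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is switched off")
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is not set: no SNC library configured")
    identity = params.get("snc/identity/as", "")
    # Expected shape for a SAPCryptolib identity: p:CN=..., optionally followed by O=, C= parts
    if not re.fullmatch(r"p:CN=[^,]+(,\s*[A-Z]+=[^,]+)*", identity):
        findings.append(f"snc/identity/as has an unexpected format: {identity!r}")
    for flag in INSECURE_FLAGS:
        if params.get(flag) == "1":
            findings.append(f"{flag}=1 still permits insecure (non-SNC) connections")
    return findings
```

Run against the sample, the check reports the four insecure_* parameters and nothing else, which is expected during rollout but is the list to revisit once every client and RFC partner is SNC-enabled.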


Re: SNC connection error - no credentials were supplied

Thanks Sunil Bujade

I've checked the environment variable, as you can see - all right.

The cred_v2 is in the same directory.

[image: answer.jpg]

Re: Automate Audit Trail Report

Hello

You can schedule report RSAU_SELECT_EVENTS in the background and create a variant with a dynamic date selection. The audit files themselves can also be processed quite easily with a specific ABAP (or perl/shell script). It is also possible to store the result in some specific tables.

Apply the note below for a better layout.

1819317 - Enhancement of security audit log

Regards

Composite Role -> Single Role Menus

Hi Consultants,

We created single roles with role menus.

Eg: Role X -> Master Data -> General -> X [Menu]
    Role Y -> Master Data -> General -> Y [Menu]

Assigned these two roles to a user; now when the user accesses the NWBC portal, he sees a screen with the work centre Master Data and both items X and Y under the same General folder.

Now I have combined both roles in a composite role and did "copy menu". Now the scenario is completely changed, as I get 2 separate work centres:

One work centre with Master Data -> General -> X [Menu] and another work centre with Master Data -> General -> Y [Menu]

But I want it to work the same way as it works when the two single roles are assigned. Kindly help with your thoughts/suggestions.

Thanks in advance.

Regards,

Sai.

Auth Groups called in SU53 not present in BRGRU

Hello All,

Recently I have begun to notice that when resolving issues with some of my users they will provide an SU53 that contains an auth_grp requirement that would seem to be an SAP supplied group (not a Z group that we would have created), but when I go to find that group in SE54 or in SE16 in the TBRG table it is not present. Yet if I do not assign that auth_grp then the role will fail.

I guess my question is.... Is this a program level check that really has nothing to do with what auth_grps I have assigned or have come with SAP out of the box, and even though we have not truly restricted that table to the auth_grp the programmer still forced an auth check as a precaution?

Example: I have a report that is calling F_KNA1_BED (this is not maintained in SU21 so I know the program is calling it, not the tcode relationship). It is looking for Display access to Auth_Grp CR.

I wanted to validate that this was a GL or other FI auth_grp, yet it does not exist there.

If the above of what I have said is true, would it hurt to actually create this auth_grp and secure the appropriate tables (but then I would need to know which tables it is checking, which may or may not be already secured)?

I would be grateful for any clarification on this (please no "read the book" replies.. I've read a lot and this has never been really clear), and if I am not making any sense please let me know so I can try and clarify.

Re: Auth Groups called in SU53 not present in BRGRU

Maintaining the value ranges is optional, there is no warning and unfortunately it is not bonus relevant either, otherwise it would be done sometimes.

The values are on the master data records themselves -> table KNA1-BEGRU in your example.

Cheers,

Julius
