Hi All,
Regarding this we found that this whole thing works when the user's user group is changed to Dialog from CPIC_USER.
Even if we change the user group the authorization will be the same, so I don't understand why there is no restriction when the user group is Dialog.
Can any one comment on this please ?
Thanks in advance.
Hi Arun
Ive been busy lately with sps upgrade on my client but i was keeping an eye on this thread
I believe the user group is rarely used, but for some things it's linked to authorization process
Real question is why you assigned that group to your user and last but not least are you really talking about usergroup or usertype?
let me know
cheers
a
Hi Andrea,
Thanks ! I tried after changing both User group as well as user type which you can find in logon data tab in SU01.
Kindly let me know why this user group change is restricting data getting saved in back end.
It is probably something which is hardcoded?
Hi Patrick,
After selecting the 'Record Field' option in SU01 screen, i did not get any information/confirmatory message.
It did not give me any message for webdynpro UI either, but I was able to see an entry got added to the active recording for webdynpro UI.
After I mark the fields for recordings in GUI, I come back to sralmanager and I stop the the recording and then I proceed to the configuration. I am unable to see any recordings in configuration for 'dynpro' channel.
Do you think GUI version matters? i am using 730 patch level 1.
Regards,
Pawan.
Thanks for the reply Berhard.
If i add manually, it is displaying in su01 correctly.
And yes, the user is visible in User tab of PFCG for a composite role (even before i add it manually also).
One more important thing i observed is, for some users, if i go to display mode in su01, single roles are visible.
if i go in change mode, first time the roles are visible but when i click page down button, the roles are not visible.
Please suggest.
Thanks,
Sankar.
Hi Sankar
Are you seeing the user to composite role assignment in the AGR_USERS table?
Regards
Colleen
Hi All,
It is just the user type which is making the difference, the user group change is not having any effect in this issue.
Can any one tell me the difference between User group and user type ? as this is what is making the difference. Thanks !
Hello Sankar, for the moment i haven't really a suggestion for you. I think something went wrong during your refresh. So you can open a SAP ticket. If you don't mind the condition, you can leave it like it is. It depends how many time you would/can spend to serach for a soloution. kind regads, Bernhard
Hi Greg,
Could you please eloborate your query in terms of technical presentation to answer in brief for the resolution to your issue.
Thanks,
Kumar
Hi Arun
i believe
Hi All,
I am having a training on Epiuse data sync Manager where i have to set up some authorizations(which i do not know yet).
Could you please let me know if there's any document available for Epiuse data sync Manager from SAP Security perspective.
Regards,
Mohit
Hi Colleen,
Actually in our land scape, one single role is there in many composite roles.
So by seeing the single roles, i am unable to find to which composite roles the user assigned with.
but in one case, i saw the user was assigned in PFCG, but not the composite role shown in SU01.
Thanks,
Sankar.
Hi Mohit,
Earlier i was worked for EPI-USE DSM.
Actually i have used templates in PFCG to create authorisioans for administrators, Developers, Super users, OS users like that.
| /USE/PDS3_ADMIN_USER |
| /USE/PDS3_CS_USER |
| /USE/PDS3_DEVELOPER |
| /USE/PDS3_DS_SUPER |
| /USE/PDS3_DS_USER |
| /USE/PDS3_OS_SUPER |
| /USE/PDS3_OS_USER |
| /USE/PDS3_SB_USER |
These templates will come from the Transports of DSM implementation.
Thanks,
Sankar.
I need to hit my DMZ SAP Web Dispatcher with multiple unique URLs. I am starting off using webdisp1.abc.com and webdisp2.vde.com. DNS will resolve both the Web Dispatcher Host. Following Tobias Winterhalter's Blog: Name-based virtual hosts and one SAP Web Dispatcher to access multiple SAP systems.
My question is how do I go about generating the pse so I can store both webdisp1.abc.com and webdisp2.vde.com? Do I just import the first request and initiate another certificate request using the same pse?
Example
sapgenpse gen_pse -s 2048 -p D:\<file path>\SAPSSLS.pse -r D:\<file path>\webdisp1.req CN=webdisp1.abc.com, OU=IT, O=XYZ Inc., C=US
Cheers,
Dan Mead
HI Sankar
I was trying to keep it simple - does the composite role appear in the AGR_USERS table for the user (same as roles tab and shows if single role is via inheritance or directly assigned)
You are right that two composite roles with the same single role will not tell you which role (unless validity dates are different). But you can see mapping in AGR_AGRS of the roles.
Have you executed PFUD as well?
Regards
Colleen
Hi,
I am almost 99% sure that sapgenpse does not support creating cert with alternative names. Hence I would try to generate cert using other tool such as OpenSSL (blog with examples). I am 100% sure that web dispatcher supports alternative names because one of my previous clients uses this. I can see in cert's section Extensions -> Certificate Subject Alt Names lines like
DNS Name: hostname1
DNS Name: hostname2
Cheers
Bingo - the guru should have mentioned that he is on 7.31 or higher...!
Cheers,
Julius
I suspect that you have some funny combination of login* system parameters and /or data inconsistency in USR02 which are confusing the password mechanism.
An imaginable scenario is what you have for login/password_change_for_SSO? This could be destroying the password (the user actually always has a possibility to do that, so faulty configuration could also be doing it programmatically for him).
So take a closer look at what is happening to field USR02-CODVN when this problem happens.
BTW: Calling programs can also do many stupid things with return messages. So the problem might not be USR02 related at all, or not even the APIs to perform remote logins.
Cheers,
Julius
Hi,
We've a program that we need to run ONLY IN DEVELOPMENT system (it will not be moved to QA or Prod). As all developers will have debug access, we some how want to restrict all users from changing the variable values (example - changing sy-subrc from 4 to 0) in debug. Developers should be able to debug and change variables for all other programs.
I know all variable changes during debug will be written to system log and can be retrieved from SM21. But if there is a possibility we want to restrict while changing itself.
Is it possible to achieve this using security setup?
Is it possible to achieve this using code? Can we do something like throwing an error if someone is trying to debug this program?
Thanks
Ram