Hi Felix,
1) Do know why TPFET value differs from RZ11 one?
There is a two tables TPFYPROPTY and TPFET.
1. TPFYPROPTY - In this table all standard values ( profile parameter values) will come by default ( RZ11).
2. TPFET - This table is related to you RZ10 profile parameter values
2) What does "M" means in TPFET-PSTATE?
M means Modified standard values in RZ10 profile parameters
find below link
Difference between maintaining parameter values... | SCN
Thanks
Siva
Hello,
Where can i find role SAP_BW_DEVELOPER. Im using BW 7.31.
I tried to search via pfcg or business content but ir doesnt exist.
Regards,
JM
Hi,
instead of going directly to DB tables I would suggest to try to find FM or class that provides API for you. Check class CL_SPFL_PROFILE_PARAMETER. It has method GET_ALL_PARAMETER that gives you list of all parameters. Then method GET_ALL_VALUES gives you various values for the parameter.
Cheers
Hello
Where did you get the information on TPFET-PSTATE field ?
There are modified parameters that does not have that 'M' attribute.
I've been searching all the sources that uses that table and I was not able to find the meaning of the values in that field.
It could have meant 'pending modification' => updated in profile at FS level but not yet active in instance (RZ11)... but it is not that either
Regards
You change parameter values in RZ10 and see TPFET-PSTATE value that particular parameter.
thanks
Unless you are using the NWSSO product, this isn't the correct space. If you license NWSSO, you can configure SPNEGO for ABAP to achieve your requirement. You could also access your WDAs through portal.
Greetings Samuli,
I apologize for being in the wrong space. I'll see about moving my question to a more appropriate space once I find it. It can be a challenge to find the right space in which to ask questions.
Thank you for the suggestion about accessing them through the portal. I may ask our developers to see how easy that would be to implement as that would leverage our existing environment.
Conrad Thonger
Moved to the security forum..
If I understand your requirement and my memory serves me, the start of a WYDA from a SAPGui transaction (such as SOAMANAGER) is not a logon ticket. It is a re-entry ticket to the same SID (like opening a new session or calling an internal RFC as yourself) so no authentication is required. Only difference is that it goes back via the message server and you might land on a different app server if started that way.
In the case of the user starting the WYDA directly, you can therefore configure the logon procedure independently of the SAPGui based start (meaning it won't break it) and if that scenario is portal based navigation or imbedded app in a frame, then a real SAP logon ticket issued by the portal is probably the easiest and fastest way to go.
Many customers already have SAML infrastructure in place for non-SAP applications now, so you should also first consider that before you go the logon ticket route because it means that you are not only limited to SAP.
Cheers,
Julius
Hi,
just to add to Julius' response. ABAP application server does not support Kerberos as authentication method. THe most common methods used for HTTP based apps are username/password, SAP Logon ticket and SAML. So in your case SAML is not configured and a user does not have a logon ticket. Therefore ABAP AS asks for username/password. One option would be to always go through portal that generates logon ticket that can be used to authenticate user on backend system. Another option is to try to introduce SAML into your landscape. Identity provider (IdP) can still use Kerberos for authentication but you will use SAML for backend authentication. When users hit a WD app they get redirected to IdP. IdP uses Kerberos to authenticate users and then redirects them back to backend system. Here SAML token is used to authenticate users. AD can work as SAML provider (you might need some extra license though) or you should be able to find an open source IdP with support for Kerberos. SAML solution will require some extra effort to implement.
Cheers
You could also use some other reverse proxy in front of SAP system that supports TLS 1.1 and TLS 1.2. E.g. nginx or Apache. You will loose some SAP specific features but you will gain some other nice features.
Cheers
AS ABAP supports Kerberos assuming the requirements listed in SAP note 1798979 are met. In addition to the technical requirements, licenses for NWSSO are required. SAP has implemented additional license checks in SPNEGO for ABAP.
Oh! Thank you for that information - I was not aware of that support!
@ Conrad: It is backported to 7.02 if your SP (and kernel) is high enough. If that is the case and an option for you, then it is best to move your question again to the SAP NW SSO forum or keep it here and invite the NW SSO mods to comment so that other folks who search can also find it.
Cheers,
Julius
Hi,
thanks for this update. Lately, I am generally impressed with SAP. They really invested in Netweaver platform and brought some nice features. This is not the first time that I got corrected that new version actually supports some new feature. Nice work SAP.
Cheers
Dear M. Abdul Jamil / Experts,
For the forum - Authorization by material type , I don't understand the following sentences -
"The authorization object M_MATE_MAR checks the authorization group of the material type (T134-BEGRU). You will need to ensure that your material types are linked to an authorization group.
If you go into transaction OMS2 (maintain material types) you will see a field called 'Authorization group'. This is a free text field,
please, enter here something relevant."
It's NOT worked even if I had set authorisation object for "Material Group (M_MATE_WGR)" or "Material Type (M_MATE_MAR)". For example, limited the "Material Group (M_MATE_WGR)" only for "A" but I could access the "Material Group (M_MATE_WGR)" of "B". It was the same result when setting limitation for the "Material Type (M_MATE_MAR)".
It only worked when setting the limitaion at Plant level (M_MATE_WRK), but we have to limit users to access certain Materials within the same Plant.
Any other settings are also required for the above purpose ? or Must it be added program / user exist by ABAPER ?
Many Thanks,
KH Fong
Hi Conrad,
there is not much I can add to what Samuli already said. If you want to get more info about the SAP NW SSO capabilities you can have a look at the NW SSO summary page that provides some more info on the product and capabilities.
Besides supporting what you want, it can be used with NWBC and other SAP tools as well. EVen if the software does not directly support Kerberos, the product can be used as it can act as sort of a bridge baseed on short lived X.509 certificates which are created based on a Kerberos authentication.
Regards,
Patrick
Lets see what Asrar's feedback has to say about it...
Not being on the same code page is also an attribute of the solution and many unsolved mysteries in SAP.
I think SAP tried to make a few exceptions to transactional CUA intuitive, but that does also create a bit of support type questions when strange things happen.
@ Asrar: Does this explain your problem? Can you provide more details? As an acid test you can run tcode SOUD to check for address data problems between old users and new ones - this is often a symptom.
Cheers,
Julius
Hi Venu
Is CUA the same system as where your Org Structure is?
Could the single role be inherited from elsewhere (a composite role, another position)
When you removed from org structure did you date delimit the relationship or delete it?
Regards
Colleen
Dear M. Abdul Jamil / Experts,
Actually how to set the "Authorisation group" under the "Define Attrivutes of Material Types (OMS2)" and "Define Material Groups (OMSF)" of IMG ? It was not worked and could not be selected in PFCG's tree even if I had set the value in these two transactions.
Any other settings are also required for the above purpose ? or Must it be added program / user exist by ABAPER ?
Many Thanks,
KH Fong
hi Kwok,
I just tested it. You can manage it with the help of New Authorization Object. You need to add the fields BEGRU and WERKS and assign this object to concern user.
Regards,
Dear M. Abdul Jamil,
Do you mean to add the fields BEGRU and WERKS under the authorisation object for "Material Group (M_MATE_WGR)" or "Material Type (M_MATE_MAR)" ? and How to add these fields under any object ?
Many Thanks,
KH Fong