Channel: SCN: Message List - Security

Re: FM to assign role to the user, based on HRPOSITION


Sonu,

 

I believe you will have to use the following BAPIs

 

BAPI_USER_GET_DETAIL

BAPI_USER_ACTGROUPS_ASSIGN

 

The second BAPI may need modification; i.i.r.c. it overwrites instead of appending.

These are used for direct role assignment, so you might have to make a few adjustments.

 

Another one which you might want to explore is

 

BAPI_REL_CREATERELATION

 

The approach is to create relationships among objects (i.e. HRPOSITION & AGR Activity Groups).

 

Regards,

Shivraj


New to SAP security, need help in tcode assignment...


Hi there,

 

I'm new to some SAP security procedures.

 

I want to know what is the best practice to do the following:

 

A user asked me to add the following transactions for them.

va01

va02

zva05

mm3b

zmsk

 

The problem is, there are a lot of roles containing these transactions.

 

What's the best way to proceed?

 

PS: We use GRC, so the assignment has to be SoD compliant.

 

Thank you

Ashod

Re: New to SAP security, need help in tcode assignment...


Ashod,

You have just discovered one of the drawbacks to your organization's security design. It is much easier to decide which roles to assign to users when tcodes are only granted by one role. I know, that does not help you right now, just something to keep in mind for the future.

 

If the role design is job based roles, it helps to know what job(s) the user is doing, so you can see which role(s) sound the closest to the user's job(s).

 

A method that can be a good shortcut is to ask the user (or his/her manager) if there is someone else in the workgroup who has the access your user needs, and do a Model User request. Or, use SUIM to look up the roles assigned to the potential model that grant each of those tcodes.

 

When all else fails and you still have no idea which roles to request for the user, you might be able to appeal to the respective role approvers for assistance ( assuming these roles all *do* have a role approver requirement, and they have been doing this longer than you have, right?).

 

This is why it is helpful to have some job aids for the persons tasked with submitting security requests for end users when the role names are not an exact match to job titles, until such time as the organization can do a security rewrite to align them better, either at the task level or the job level, or create Business Roles in GRC that do exactly match the job titles.

 

Good luck!

 

Gretchen

Re: NW 7.3 SSO to SuccessFactors


Hi Stuart - I'm not seeing any brave replies to your issue yet. We are experiencing the same for an EU instance, so please update the thread if you solve this.

 

-Paul

Re: SU25 after an upgrade - should you complete step 3?


Thanks for the reply,

 

After lots of analysis and research (comparing table dumps of Dev. and Quality), I concluded that there is no impact, as the upgrade role analysis and change in Dev. is done using Dev. data (customer table), and moving the same changes should not impact roles in Quality; if it does, then there is an analysis error, not an impact of moving customer tables.

 

After moving them to Quality, completed 1 system analysis with no impact.

Re: NW 7.3 SSO to SuccessFactors


The answer was as suspected. For EU, the certificate needs to be .eu. And the SAP NW Identity provider needs to be set up for .eu.

 

Download the EU certificate from the web browser from performancemanager.successfactors.eu...

Re: SSL certificate import error


Hi everyone,

 

We have the same problem.

 

We changed the key length from 1024 to 2048 like in this SCN thread:

How to replace the SSL server Standard PSE?

But the owner is not the same as the issuer. Then we sent the cert request to our provider and we got a new cert.

When we tried to import the new cert:

sapgenpse import_own_cert -p SAPSSLS.pse -c XXX.cer

 

The following error occurs:

import_own_cert: Installation of certificate failed

ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public key found

 

 

Thanks for any help.

 

Regards,

Bianca

Re: How can we hide the URL with Webdispatcher after SSO redirect


You do not have the sufficient authorization


Hi Experts,

 

I am trying to set up Structural Authorization from HCM in BW. I am using the 0HR_PA_2 and 0HR_PA_3 extractors to pull the data from HCM into 0TCA_DS01 and 0TCA_DS02. I am able to load the data for both DSOs, and authorizations are also generated via RSECADMIN.

The auth-relevant info objects are

0ORGUNIT

0HRPOSITION

0EMPLOYEE

 

But when I run the query for the test user, it gives the error "You do not have the sufficient authorization". Our security guy set up everything for the test user at the back end. Can anyone help me out to fix this problem?

Re: You do not have the sufficient authorization


Hi Folks,

 

Please, this is urgent. I have been stuck here for a long time and do not know what to do because there are no guidelines available. I have checked so many threads but nothing provides any solid help.

 

Thanks.

Problem with digital signature of documents


I have a requirement to upload documents and their respective signed fingerprint (SHA1WithRSA).

 

To achieve this I am using the function modules:

 

SSF_KRN_DIGEST

SSF_KRN_SIGN_BY_AS

 

but I can't make it work.

 

I also asked for the .pem file used to generate the PSE that I'm using to sign documents.

With this pem file I execute the following command in OpenSSL:

 

# Creates message digest of document.txt, and then signs it with MyKey.pem

dgst -sha1 -sign MyKey.pem -out document.sign document.txt

 

AND THIS WORKS! Now, with this successful case I tried to track down the problem with the FM that I'm using, and I detected that SSF_KRN_DIGEST is giving me a different result than openssl (so I forgot about signing the document for a while...).

 

 

These are the HEX values for OpenSSL (this is the one that works):

 

3021300906052B0E03021A05000414AC
3725ACAD34E2F8B921B315DD200D715B
FDEEEB

 

And this is the HEX value of the result of FM SSF_KRN_DIGEST:

 

304006092A864886F70D010705A03330
31020100300906052B0E03021A050030
0B06092A864886F70D0107010414AC37
25ACAD34E2F8B921B315DD200D715BFD
EEEB

 

As you can see, both files do contain the digest, but the metadata and padding are different. As far as I know, it should respect the ASN.1 structure, but I can figure out what's wrong with the SSF_KRN_DIGEST call.

 

This is my code:

 

* Create the message digest of the file

CALL FUNCTION 'SSF_KRN_DIGEST'

   EXPORTING

     b_detached                         = 'X'

     ostr_input_data_l                  = lv_bin_data_len

     str_hashalg                        = 'SHA1'

  IMPORTING

    ostr_digested_data_l               = lv_digested_len

*   CRC                                =

   TABLES

     ostr_input_data                    = lt_bin_data

     ostr_digested_data                 = lt_digested_data

  EXCEPTIONS

    ssf_krn_error                      = 1

    ssf_krn_noop                       = 2

    ssf_krn_nomemory                   = 3

    ssf_krn_opinv                      = 4

    ssf_krn_nossflib                   = 5

    ssf_krn_input_data_error           = 6

    ssf_krn_invalid_par                = 7

    ssf_krn_invalid_parlen             = 8

    ssf_fb_input_parameter_error       = 9

    OTHERS                             = 10.

 

Where lt_bin_data contains the document, uploaded in binary mode.

 

Thanks in advance.

 

regards.

Hiding password in debug


Hi folks !

 

I have a question here: how could I hide a parameter typed in as a password, so that it is not visible in debug mode?

Is this possible?

 

Thanks for help.

Re: Hiding password in debug


Nope, anybody with access to debugger can read any variables. That's why debugger in read only mode is still dangerous and access to it should be given easily.

 

Cheers

Re: Problem with digital signature of documents


Hi,

 

SSF_KRN_DIGEST uses PKCS#7 format. That does not seem to be the case for dgst.


Cheers
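
What the reply above means at the byte level, as an added example that is not part of the original thread: a minimal DER walker (Python, standard library only; function names are this example's own) run over the two hex values quoted in the question. The OpenSSL value parses as a bare DigestInfo (SHA-1 AlgorithmIdentifier plus digest), while the SSF_KRN_DIGEST value wraps the same 20-byte digest in a PKCS#7 ContentInfo whose type is digestedData (1.2.840.113549.1.7.5).

```python
# Added example: both hex strings are copied from the question in this thread.
OPENSSL_HEX = ("3021300906052B0E03021A05000414AC"
               "3725ACAD34E2F8B921B315DD200D715B" "FDEEEB")
SSF_HEX = ("304006092A864886F70D010705A03330"
           "31020100300906052B0E03021A050030"
           "0B06092A864886F70D0107010414AC37"
           "25ACAD34E2F8B921B315DD200D715BFD" "EEEB")

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets to dotted form (first arc 0 or 1 assumed)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def walk(buf, oids, octets):
    """Recurse through constructed elements, collecting OIDs and OCTET STRINGs."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag & 0x20:                      # constructed: SEQUENCE, [0] EXPLICIT
            walk(body, oids, octets)
        elif tag == 0x06:                   # OBJECT IDENTIFIER
            oids.append(decode_oid(body))
        elif tag == 0x04:                   # OCTET STRING (the digest here)
            octets.append(body.hex().upper())
    return oids, octets

def describe(hex_text):
    """Summarise a DER blob: OIDs in order of appearance and the last OCTET STRING."""
    oids, octets = walk(bytes.fromhex(hex_text), [], [])
    return {"outer_oid": oids[0], "oids": oids, "digest": octets[-1]}

if __name__ == "__main__":
    print(describe(OPENSSL_HEX), describe(SSF_HEX), sep="\n")
```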

Re: Hiding password in debug


Hi Martin,

 

Thanks for your explanation.

 

I imagined it was possible to create a validation when the value was typed (as I have done in Java with the keypress event).

Thanks anyway.


How to access User's Time Zone if no access to USR02


Hi,

 

I have a requirement to change the users' default time zone, but only for those who have a blank entry; the others will remain as they are.

 

I can do a mass update via SU10; however, to get the list of users with a blank time zone I should have access to USR02.

 

As per our security policy, no one in the organization has access to the USR02 table, including the basis/security team.

 

How do I get this list in the Production system?

 

Regards,

Satyajit

Re: You do not have the sufficient authorization


Hi,

 

Did you try to set up a trace in RSECADMIN? If not, please follow the steps below to get the exact authorization trace, which will help you to analyze the authorization error.

 

1) go to tcode - rsecadmin

2) go to tab - Analysis

3) Click on "Authorization Log"

4) Click on "Configure Log Recording"

5) Add user ID to be traced

 

Once done, inform the user to log out once and try again. Now you can read the trace data under "Authorization Log".

 

Regards,

Satyajit

Re: How to access User's Time Zone if no access to USR02


Hi,

 

If you can call BAPI_USER_GETLIST in SE37, then this FM allows you to search by field TZONE (time zone). Read the documentation for this FM for more info on how to pass values to it.

 

Cheers

Re: You do not have the sufficient authorization


Hi Shehzad

 

Kindly check the below details and confirm.

 

1. Check auth objects S_RS_COMP, S_RS_COMP1, S_RS_AUTH and S_RS_DSO, as you mentioned data is coming from a DSO.

2. Now check the value maintained in S_RS_AUTH, copy that value, go to RSECADMIN and in the maintenance screen put that value, click on display and check whether the relevant auth is maintained (you can also check this in the rsecval table).

3. If everything is fine then go to tcode - rsecadmin -> Analysis -> Check "Authorization Log" ID and put the test user ID there and click on run RSRT. This will take you to the RSRT screen, and there you can do a simple run or also run with debug.

 

Now if the "No authorization" error comes up, go back and check the log; from that you will get to know the auth object which is missing in the analysis object.

 

Suggestion: Simultaneously run ST01, so that you will also get the auth object if any is missing, as there may be the possibility of a multi-cube, which would require some other object.

 

Hope this will help. Else please share the trace results and the role objects which are maintained.

 

 

One more important point: if a new query or report is created, it will take some time to sync for other users. Even 0BI_ALL will not work for that user; you need to pass the particular values required in the analysis object.

 

 

Thanks

 

Bhupinder Singh Arora

HR tables in SAP CRM


Hi, I wrote a programme for removing and adding roles en masse in ECC6. Our security team would now like to have this programme available in SAP CRM, where I have come across a bit of a snag. The FM and everything are there OK, but I get an error on the tables I am selecting from.

 

Table in ECC6 - T528T - Position texts

 

Can anyone tell me what the relevant table is in SAP CRM that would hold this information?
