Quantcast
Channel: SCN : All Content - Security
Viewing all 2858 articles
Browse latest View live

RFC Error - FSCM Dispute Management

January 22, 2013, 12:45 pm
$
0
0

Using Transaction:  UDM_DISPUTE.  When the user tries to add an open item, getting

No RFC destination could be determined for the method call.

Message no. B1555

Diagnosis

No RFC destination could be determined for calling method . on the logical system CPECLNT100.

CPECLNT100 is not your logical system. No RFC destination has been stored in the relevant tables to call the method .

Procedure

Check the RFC destination assignments to logical systems for synchronous method calls

 

Is there a guide as to how to setup the rfc for this?

 

We are using this on ECC 6.0 

Search

XD02 authorization for central deletion flag

July 23, 2013, 8:58 am
$
0
0

Hi All,

 

I have come across a very strange issue with tcode XD02. The user is trying to update deletion flags for a customer but always gets the message saying

 

" Not authorized to update central deletion flag "  The strange part is even with SAP_ALL and SAP_NEW this error does not go away. I tried to run a

 

ST01 trace but nothing productive was captured in that also.

 

Appreciate if you could provide some pointers where an S&A consultant should look for this kind of error.

 

Thanks & Regrads,

 

Akshay Daniel

Customer Tables - SU25

July 24, 2013, 8:19 am
$
0
0

Hello Experts,

 

As of my understanding, the data what I am referring in XD01 is the Customer Master table KNB1.

 

But in Tcode SU25, Step 3, We have a text like "  Import Customer tables".

 

I understand very well that the Customer tables in SU25 refers to USOBX_C and USOBT_C.

 

Since the table KNB1 called as Customer Master Table, why tables USOBX_C and USOBT_C are also referred as Customer tables?


Thanks in advance.

 

Regards

Manoj

Value set role verus Derived Role.

August 1, 2013, 3:57 am
$
0
0

Hi All.

 

We are in process of implementing SAP in worldwide have more than 50 branches in different companies. We are in process of standardized authorization concept which is applicable to all companies with control point on organisation level. We approached consult for this and he success us a for value set role will help us to reduce administration task. see in attached file but when I refer knowledge base documents in Internet then they suggest us to use derived role instead of value role and I am also agree with him but this is long term so that I would like to make sure that it is perfect .

 

 

http://www.sapsecuritypages.com/transaction-value-roles/

 

http://sap.ittoolbox.com/groups/technical-functional/sap-security/sap-security-value-roles-2147196

 

 

Which one is better in long term?

 

integrating LDAP with CUA

July 8, 2013, 9:54 am
$
0
0

Hi, I have a similar problem as described in  http://scn.sap.com/thread/1281817 "Integrating SAP HR and active directory services"

 

I'm working on AIX 7.1, we installed idsldap.clt64bit63

 

Now, lslpp -L | grep -i ldap  shows

idsldap.clt64bit63.rte 6.3.0.3    C     F Directory Server - 64 bit
idsldap.cltbase63.adt 6.3.0.3    C     F Directory Server - Base Client
idsldap.cltbase63.rte 6.3.0.3    C     F Directory Server - Base Client

 

and ldap_rfc shows

 

[Fri Jul  5 19:13:48 2013]
SAP LDAP Connector, (c) 1999-2005 SAP AG, Walldorf, Germany
(for help, call with command line parameter "-help")
============================================================
Version : 2.8.8
LDAP library : International Business Machines Corp. LDAP C SDK 510
Character length in bytes  : 2
Executable type            : Optimized (singlethreaded)
Build-Release (date)       : 720 (Jul  7 2012)
Update Level : 0
Patch Number : 300
OS (release, platform)     : AIX (1, rs6000_64)
Startup time : Fri Jul  5 19:13:48 2013
Command line : ldap_rfc
…….

 

I've configured ldap_connector and run rfcexec. Test connection works fine

 

But, when I go to LDAP trans. and try logon I get

 

RFC error: Function LDAPRFC_BIND not found
Message no. LDAP032

 

And, in rfcexec command:

 

>  rfcexec -a LDAP_XXXX -g hostname -x sapgw00
Unknown function module: Function LDAPRFC_BIND not found

 

I haven't found anything about it and I guess I have to install another ldap client component. Is it true? which one?

 

In my AIX installation DVD I have

 

  1. idsldap.clt64bit63   (the one installed)
    idsldap.cltbase63
    idsldap.cltjava63
    idsldap.ent63
    idsldap.msg63.en_US
    idsldap.webadmin63
    idsldap.webadmin_max_crypto63

 

Thanks in advance

RSUSR200 - days since last logon - wrong result

August 1, 2013, 4:57 am
$
0
0

Hello,

 

I'm using report RSUSR200 in a Solution Manager 7.1 system with SPS08 via SUM to show users, which logged in in a system since yesterday.

But if I put value "1" into field "No. days since last logon", I get a list with users who last logged in 2010, 2011, 2012, 2013.

If I leave field empty and try to sort for column Logon, systems sorts column for first number, so 31.07.2013, 31.05.2011, 30.11.2011, 30.07.2013 are shown and not all dates from 2013 and then 2012.

 

What is wrong with this list?

 

Regards,

Julia

Issue in SAP Security PFCG Merge option

June 25, 2013, 11:11 pm
$
0
0

Hi All,

 

I am facing an issue with " Read old Data and merge with new Data  option " in PFCG. The issue is described below.

 

I have created a Role in which i added a t-code SU01 and this t code has got the below authorization default values for the object S_USER_SAS being maintained.

 

S_USER_SAS < Standard new>

ACT_GROUP: < EMPTY >

ACTVT : 01,06,022

Class: ABC

Profile: < EMPTY >

Subsystem : < Empty >

 

and this particular object has been added into my newly created role and i have maintained this object as below.

 

S_USER_SAS < maintained new >

ACT_GROUP: Z_SD_TEST

ACTVT : 01,06,022

Class: ABC

Profile: *

Subsystem : *

 

After which i have added a tcode Su10 and this t code has got the below authorization default values for S_USER_SAS.

S_USER_SAS

ACT_GROUP: < EMPTY > <Standard new >

ACTVT : 01,06,022

Class: Super

Profile: < EMPTY >

Subsystem : < Empty >

 

So the above object has been added into my role and i have maintained the object as below.

S_USER_SAS < maintained new >

ACT_GROUP: Z_MM_TEST

ACTVT : 01,06,022

Class: Super

Profile: *

Subsystem : *

 

and finally below are the objects which are in my role.

S_USER_SAS<Maintained >--SU10              S_USER_SAS <Maintained>-----SU01

ACT_GROUP: Z_SD_TEST                          ACT_GROUP : Z_MM_TEST

ACTVT : 01,06,022                                      ACTVT : 01,06,22

Class: Super                                              Class: ABC

Profile: *                                                     Profile : *

Subsystem : *                                            Subsytem: *

 

Now when i remove the t code SU01, the maintained authorization S_USER_SAS which is coming from SU01 is not getting removed, rather it is showing me the status as below.

 

S_USER_SAS <maintained New>                        S_USER_SYS  < Maintained Old >

Act_Group: Z_MM_TEST                                      Act_Group:Z_SD_TEST         

ACTVT:01,06,22                                                  Actvt: 01,06,22

Class:ABC                                                          Class: Super

Profile : *                                                             Profile: *

Subsystem:*                                                       Sub System: *

 

Could you please let me know why even after i am deleting the t code Su01 from Role Menu , the transaction whose authorization default values caused the maintained authorization has to be removed, but it is not done.......

 

Thanks and Regards,

Nagarjuna Srivatsa.

Role Comparisons

July 22, 2013, 2:42 am
$
0
0

Hello Everyone,

 

We are in a process of cleaning up Roles since we have a separate role for a transaction so far, which literally screwed up the process.

As a part of this activity now I have to combine the content of say for eg : 50 roles (with one Tcode each) to a Single role. After creating this new role, I would like to compare the content of this new role with the old roles to ensure that I have not missed any objects(added manually).

 

But I have no idea how can I compare my new role with 50 other roles in One go.(at least in few steps is OK.. But not in 50 steps).

 

Please advise.

 

Thanks in advance.

Search

How to restrict basis related tcodes from profile SAP_ALL

August 6, 2013, 9:34 pm
$
0
0

Hi Experts,

i am new security moduel. I want to restrict basis related t.codes from SAP_ALL but all other module tcode must be excute by Users.

please help me to sort out.

 

 

WR,

PHB

PFCG - ROLES DEFINITION FOR ABAP TEAM

August 6, 2013, 4:52 pm
$
0
0

Dear SAP Professionals,

 

I would liketo knowyour thoughts, ideas, templates and resources,onauthorizationobjectsandroles weshoulddefine and/or createin the companyforABAPdevelopment team.

 

Also, it will be very valuable being able to receive information about that definition, for BASIS team.

 

Look forward for your answer, and if you need further explanation pls feel free to make it.

 

Thanks in advance,

Rodolfo

Users password synchronization in SAP GUI Client

August 6, 2013, 10:46 pm
$
0
0

Hi All,

     We are implementing Identity and Access management, in that we are facing problem of password synchronization. Please find the detail description about the problem given below.

     We are able to create the Log on User Id and also able to change their passwords.

     But problem comes if User (or any other person) directly changes his/her password from SAP Client (using SU01 or any other relevant command).

     In such case user's password will not match with his/her IAM password.

 

     How to avoid such conflicts.

    

Thanks & Regards,

Shailesh S. Malkar.

Not able to view transaction sometimes

August 7, 2013, 7:34 am
$
0
0

We have a situation where users complain that they are able to run transaction successfully sometimes and sometimes the same transaction throws authorization error.

The PFCG time dependency job runs daily in our system.

Can some please help me figure out the cause for this and the possible solution.

 

Thanks and Regards,

Yasmin

Change Documents for Parameter Tab

August 8, 2013, 2:22 am
$
0
0

Is there any way to check Change Documents for Parameters tab in SU01 Transaction in SAP?

SNC: Using SNC to Encrypt Traffic - Client/Server (No SSO)

July 10, 2013, 2:05 pm
$
0
0

Hello everyone,

 

I am using SNC to Encrypt Client/Server GUI Traffic from Windows GUI clients to SAP AS ABAP running on Solaris 10.  SSO is not a consideration in this configuration.

 

I have read the "Installation, Configuration, and Administration Guide - SAP NetWeaver Single Sign-On SP1".  My AS ABAP System is now configured and running an SNC X.509 Configuration as described in section 3.1 (Starting on Page 19) of this document.  All well so far.  dev_w0 confirms SNC is enabled on AS ABAP.

 

My Windows GUI Installation (SAPGUI 7.30 - Patch 2) is has SNC enabled

 

On the "Network" tab of the given GUI Connection I have check "Activate Secure Network Communication" and have entered the same "SNC Name" as is entered in "snc/identity/as", which corresponds to the PSE that has been entered using STRUST (obviously).

 

The Server SNC Key is signed by a root certificate I created using "snc createroot".

 

My GUI won't allow the connection because seemingly it can't resolve the trust path back to my self-created rootCA (makes sense).

 

My question: is there any way to get the GUI to recognize and trust my self-created root-CA or am I forced into abandoning this solution and using Kerberos as described starting on Page 22 (with Section 3.2) and in this overview?

 

Many thanks for your thoughts...

Authorization Light Indicator Can't Turn into Green

August 2, 2013, 2:06 am
$
0
0

Hi Gurus / Experts,

 

I need your help,

 

I made a few role, when i try to generate it at the first time, it turn into green light, but when i changed the Company Code, it turn into red light and can't turn back into green. This is the picture

 

 

Please help me, it make me confuse.

Search

Releasing the Transport in ECC taking hell lot of time

July 4, 2012, 1:23 pm
$
0
0

Hello Masters/Gurus,

 

We have a single role funda in our organisation ( Parent and child role). Whenever We do any Security configuration ( role modification) or any kind of set up in 10 or more than a single roles and creating a transport for the same.

 

While releasing the same its taking hell lot of time ( Example I have done changes in 52 single roles and created the transport for the same, while releasing the same it took 4 and half hour to get the release that transport from the DEV system. Its horrible, so please help.

 

Could some one please suggest me on this so that we can implement something and get this problem solved for ever.

 

We have ECC 6.0 system.

 

Note: Our transport are going in bundle release ( like we define some project id while creating the transport)

 

 

If you need any more info do let me know.

 

Awaiting for you all's early & positive response on the same.

 

Regards,

Manish

 


Canonical name - mass update

May 8, 2013, 9:39 am
$
0
0

Dear community

 

I am searching for a mass update possibility for canonical names (SU01 - SNC tab).

Transaction SNC1 is not sufficient as it cannot handle small letters, only capitol letters.

 

I thought about LSMW or SHDB sessions.

 

Has anyone maybe other ideas?

 

Thanks and regards

Stefan Molzen

IGS-Call of RFC-FM PIGFARMDATA fails due to unknown missing Authorization

August 8, 2013, 9:22 am
$
0
0

Hello folks,

 

I'm having an authorization-based problem with the ESS/MSS-Teamcalendar WDA-Application which uses the resources of the Internet Graphics Server.

 

CL_IGS_DATA===================CM006    call function 'PIGFARMDATA' destination rfcdestination    exporting      type           = farm_type    tables      ddic           = m_ddictable      data           = m_datatable      content_descr  = m_content_descr      content        = m_content    exceptions      communication_failure = 1 message msg_text      system_failure        = 2 message msg_text.

 

So.... the data is sent to the pigfarm and the pigs transform it into an interactive graphic that comes back in form of an xstream. "Smart piggies! Oink! Oink!"..... This process however fails with a communication error "Fehler beim Öffnen einer RFC-Verbindung (CPIC-CALL: 'ThSAPOCMINIT' : cmRc=2 thRc", unless I assign SAP_ALL/SAP_NEW to the enduser. What makes the whole thing exceptionally nerv-wrecking for me is, that I can neither debug nor trace what's happening inside this RFC-FM (so I can't just go for ST01 and see which permissions are missing). I'm not acquainted enough with Security/Authorization stuff to just 'know' what goes wrong here, I always rely on Debugging/ST01, so I'm kind of stuck here...

 

Bottom line: how or rather with what means do I find out which authorizations are missing here without being able to trace via ST01?

 

Any help/hints/devastating criticism is welcome and appreciated

 

Cheers, Lukas

Problems using Batch Input in SU01/SU10

August 9, 2013, 3:27 pm
$
0
0

In case you're facing errors related to screen SAPLSUID_MAINTENANCE 1100 or SAPLPRGN_TREE 0121 when using Batch Input in SU01 or SU10, especially after upgrading to SAP NetWeaver Release 7.3, please be advised that this might be due to the infrastructure changes promoted in this release.

 

For further details please see note 1864062 - Problems using Batch Input.

Strange values for field USR02-UFLAG

August 9, 2013, 4:23 pm
$
0
0

This is a recurrent problem...

 

This is most likely caused by direct access to the table with db-tools, improper handling of database entries, for example: through custom programs (that might set values to this field directly in database level); it's also possible that the values have been set in debugging mode and were not adjusted afterwards by the author of this modification.

 

For further information, visit note 1887820 - Incorrect User Lock Status (UFLAG) in table USR02.

Viewing all 2858 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>