Channel: SCN : All Content - Security

Structural authorization in CRM.

Hello Experts,

I am trying to implement structural authorization in CRM using the method below:

- Direct role assignment (user based): roles and profiles directly assigned to user master records via SU01/PFCG

I have created an authorization profile for each sales org, because this is how they want to restrict access to PPOMA.

I assigned the role created below (screenshot) to my user and it works: in PPOMA I can only see org unit 17.

The issue comes up when I delete this role and add one for another org unit (screenshot).

Somehow the old profile entries get saved somewhere and don't clear.
Tested with another user and org unit as well, same behaviour.

Does anyone have any idea what else should be done?

Thank you.

Any help is much appreciated.

Best regards,

Elena


SU25 Step 2B not displaying any data

Dear All,

I have encountered the same issue listed in the thread (SU25 - Step2B Result clarification needed | SCN), where the time stamp was not being updated for Step 2A and the system was not allowing me to run Step 2B.

Now I have executed Step 2A in expert mode and the time stamp is updated, but Step 2B is not displaying any T-codes.

Attached is the error screenshot.

Please let me know how I can get the data for Step 2B.

(screenshot: SU25 2B.jpg)

Graphical modeler - CRM Web UI

CRM Web UI.

SAP CRM ABAP 7.0

WEBCUIF    701    0006    SAP Web UI Framework

When choosing a segment in a Marketing Campaign, then Edit Segmentation Model, I receive a message saying "You are not authorized to use the graphical modeler".

I have SAP_ALL.

Anyone seen this issue before?

Featured Content in Security

SAP Enterprise Threat Detection Integrated into Hewlett Packard Enterprise ArcSight

Read Daniel Magin’s blog and learn how you can use SAP Enterprise Threat Detection integrated with Hewlett Packard Enterprise (HPE) ArcSight to provide holistic monitoring capabilities for the complete IT landscape of your organization. June 1, 2016

Join our new Customer Engagement Initiative: Identity and Access Provisioning for Cloud Applications

If your company is extending business processes with SAP cloud offerings and if you are interested in identity and access provisioning for cloud applications, you are invited to join our new customer engagement initiative. Find out more. May 17, 2016

SAP Insider: An Integrated Approach to Identifying Security Risks

In his new SAP Insider article, Martin Plummer explains how the latest enhancements to SAP Enterprise Threat Detection enable integrated analysis across your landscape. May 16, 2016

Join our new Customer Engagement Initiative (CEI) for Security and Identity Management Topics

The new projects of the Customer Engagement Initiative (CEI) are now open for registration until June 10th, 2016. In the area of security and identity management, don’t miss these upcoming CEI projects:

SAP's Customer Engagement Initiative (CEI) enables you, as an SAP customer or partner, to get early insights into SAP product developments. You will have the opportunity to evaluate and discuss your ideas together with us.

CEI "Enterprise Threat Detection (ETD)"

SAP Enterprise Threat Detection offers real-time detection of security incidents as well as powerful forensics analysis. Join our new CEI if you are interested in working with us to further improve SAP Enterprise Threat Detection by adding new attack detection scenarios and enhancing the arsenal of analysis techniques to spot intruders early on. We are seeking your experience and stories in attacks against SAP or ERP systems in order to tune the tool into the solution you are expecting from SAP. Find out more and register now.

CEI "Identity and Access Provisioning for Cloud Applications"

If your company is extending business processes with SAP cloud offerings and if you are interested in identity and access provisioning for cloud applications, you are invited to join our new CEI and discuss with our team the challenges that your company is facing from an identity and access management perspective when integrating new cloud SAP and non-SAP applications with your existing IT infrastructure. Find out more and register now.

CEI "Extending SAP Identity Management Connectivity"

SAP Identity Management helps enterprises to manage user access to heterogeneous applications securely and efficiently, in alignment with their business processes and in accordance with audit and compliance requirements. This CEI is about extending connectivity to cloud solutions such as Cloud 4 Customer and Ariba as well as enabling customers and partners to build their own connectors more easily. Find out more and register now.

Register now for the initial call for the projects interesting to your organization. After that call, you decide to take the next steps in the collaboration.

Was it a real cyberattack on SAP using invoker servlet?


US-CERT alert on SAP Cyberattack

 

On May 11, 2016, the Department of Homeland Security published the first-ever US-CERT Alert for cybersecurity of SAP business applications.

Nonetheless, what we do know from public sources is that there were threads on some Chinese forums related to the attack. However, is there any proof? I mean, I’m absolutely sure that cybercriminals perform attacks against SAP. I also believe that we should pay more attention to them and increase awareness. But as researchers and experts whom the industry tends to trust, when we state that there was an attack, we ought to always provide the IT community with solid proof. I was personally involved in a forensic investigation of an SAP systems compromise and have no doubt that attacks are real, but I can’t disclose the details; that’s why I do not advertise that dozens of systems are under attack.

The original Invoker Servlet vulnerability

What kind of vulnerability was used and how dangerous is it?

As stated in the report, the attackers used an invoker servlet vulnerability.
We were the original authors who first described exactly how this misconfiguration can be used to exploit SAP systems and thus lead to cyberattacks. The information about this misconfiguration was first published by SAP in 2010. SAP stated that it would be better to disable this functionality if customers don’t use it. However, they didn’t provide any specific details about the risks. In other words, customers were not encouraged to disable it.

We [Alexander Polyakov and Dmitry Chastukhin] highlighted this issue at the BlackHat USA conference in 2011 during the talk titled “Crushing Blow at the heart of SAP’s J2EE Engine”.

To help companies understand why this misconfiguration is of crucial importance, what it allows hackers to do, and how to prevent its exploitation, we found an example of a vulnerable servlet which can be exploited because of this invoker servlet misconfiguration. This vulnerability was found in the CTC servlet, and it can be used to perform almost any critical action in SAP, such as creating a new user or reading any table. Later, we published a whitepaper and delivered a series of talks internationally to warn people about this vulnerability and help them configure it securely.

As the issue is not easy to identify when you have a lot of services and a set of custom applications, we introduced a free tool called ERPScan WEBXML Checker that can be used to manually assess SAP configurations and detect this issue as well as some other issues with J2EE web services functionality.

To make matters even worse, the vulnerability was not easy to patch either. First, it was necessary to analyze whether the invoker servlet is enabled by default, then disable it and reboot the system. After that, you have to manually assess every web service (and there are 500+ of them in a default J2EE installation alone) and check whether invoker servlet functionality is enabled or disabled. If enabled, the task was either to disable it or to manually analyze the configuration file to see whether it exposes any critical services which can be bypassed, and then to configure it properly. Our tool also makes this process easier.

I can say that this tool was downloaded more than 300 times from our website in recent years, which may have prevented some attacks (at least I hope so). Now, as far as we know from the news articles, there are only 36 vulnerable companies, and this number could have been even bigger without our tool. For our part, we, as always, tried not just to scare SAP users but to do everything possible to protect them.

 

Real attacks on SAP using Invoker Servlet vulnerability

Sadly, there are no facts in this report that can be proven by anybody except the original author. That is why I decided to check the facts myself.

The only interesting fact about the attack is this: ”The exploitation of the affected organizations’ SAP systems was publicly disclosed during 2013-2016 at a digital forum registered in China. In all cases, the individuals leveraged a publicly-known SAP application vulnerability, for which SAP had released a security patch more than five years ago.” So, the only thing we know from the trusted report is that on some Chinese forums we can find information that cybercriminals shared data about vulnerable systems. I didn’t believe that cybercriminals had published any relevant information in the wild. Within a couple of minutes, it turned out that on one of the forums, where the Chinese white-hat community shares data on systems they can exploit and notifies vendors and victims, there were examples of systems which are vulnerable to the issue that we responsibly disclosed back in 2011. It was a CTC servlet which was susceptible to the invoker servlet bypass vulnerability. I found out that there were 44 posts with SAP hacking examples, all of them using the invoker servlet vulnerability together with a critical web service that was also patched by SAP. The number of attacked systems, 44, correlates with the number of compromised companies (36 companies), taking into account that there can be multiple systems in one company. The countries involved are also the same, which allows us to conclude that we are speaking about the same forum.

But the thing is that those examples were not attacks but rather issues responsibly disclosed by security experts from companies such as Baidu.

Here is one of the examples from this forum where experts share the timeline of responsible disclosure:

2016-03-14: Details have been sent to manufacturers and vendors; processing
2016-03-15: Manufacturers have confirmed that the details are disclosed only to manufacturers
2016-03-25: Details disclosed to the core white hat and experts in relevant fields
2016-04-04: Details to the general public white hat
2016-04-14: Details disclosed to practice white hat
2016-04-29: Details to the public

So it turns out that most, and probably all, of those issues were sent to responsible authorities, as listed in the vulnerability status. Some vulnerability statuses are “It was handed over to third party institutions (CNCERT National Internet Emergency Center) processing” (translation of the last field on the screenshot below).

And for most of the issues we can find that there was coordinated work with CNCERT to notify vendors: “CNVD identify and reproduce the circumstances, it has been notified to the China Mobile Group transferred CNCERT, coordinated by the subsequent disposal site management.”

In most of the posts that we analyzed we see that the information was responsibly disclosed. However, we can’t guarantee that nobody, including the authors, really used them to conduct a cyberattack.

So now we can see that those posts were not actually examples of cyberattacks and system compromise. But do not think that cyberattacks on SAP do not really exist. The other thing worth mentioning here is that one of the network sensors of our global threat intelligence platform recently (on 12/4/2016, 14:19-14:20) identified an attack attempt exploiting a similar kind of issue, but as it was the only example against one sensor, we kept that information internal for further investigation before publishing alerts.

Last but not least: at the end of 2014, we were asked to participate in a forensic investigation project where a company was attacked via an SAP vulnerability, and the results of this project correlate with this data.

How big is the threat?

The matter here is not the fact of the attacks, but how many systems are vulnerable to this issue in addition to the 44 systems identified, according to our investigation. Mathieu Geli, Head of SAP Threat Intelligence at ERPScan, revealed that approximately 533 systems across the globe (data obtained via non-intrusive network recon techniques leveraged by the open-source project IVRE) are potentially vulnerable to one example of the invoker servlet vulnerability.

The other examples are by far more difficult to count. Those services can have unique names, so it’s not possible to get a final figure (approximately 500+ systems). Taking into account that most of them belong to Fortune 2000 companies, it’s quite a critical issue to discuss.

Invoker servlet vulnerability – takeaways

So, at the end of the day, it doesn’t matter who was compromised and whether it was a real attack. The only thing that matters for the industry is how to prevent exploitation of the issue. And I have an answer.

Information on how to fix the vulnerability was published in our whitepaper, but here is a brief overview.

Prevention:

1) Update to the latest patch level that corresponds to your support package
2) Disable the vulnerable feature by changing the value of the “EnableInvokerServletGlobally” property of the JSP service on the server nodes to “false”
3) If you need to have the invoker servlet enabled for some applications, see SAP Security Note 1445998 for SAP NetWeaver Portal and SAP Security Note 1467771
4) If you can’t install patches, you can check all the WEB.XML files using the ERPScan WEB.XML Checker to find insecure configurations and locally enabled invoker servlets, and manually secure all web services by adding protection to the /* folder.
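The descriptor check behind step 4, as an added example written for this page (it is not the ERPScan WEB.XML Checker and not SAP code): it parses a J2EE web.xml, lists every servlet mapping that no role-requiring security-constraint covers, and reports whether a constraint on /* is present at all. The two descriptors, and the servlet, class and role names in them, are constructed for the example.

```python
"""Deployment-descriptor check for J2EE servlets left outside any auth-constraint.

Added example, not the ERPScan WEB.XML Checker and not SAP code. Servlet,
class and role names in the two sample descriptors are constructed.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace from a tag name ('{uri}name' -> 'name')."""
    return tag.rsplit('}', 1)[-1]


def _texts(elem, name):
    """Non-empty text of every descendant of elem whose local tag is `name`."""
    found = (e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text)
    return [t for t in found if t]


def _covers(constraint_pattern, mapping_pattern):
    """True if a security-constraint url-pattern covers a servlet-mapping url-pattern.

    Servlet-spec prefix semantics: '/*' covers everything; '/a/*' covers '/a',
    '/a/anything' and the mapping '/a/*'; any other pattern must match exactly.
    """
    if constraint_pattern == '/*':
        return True
    base = mapping_pattern[:-2] if mapping_pattern.endswith('/*') else mapping_pattern
    if constraint_pattern.endswith('/*'):
        prefix = constraint_pattern[:-2]
        return base == prefix or base.startswith(prefix + '/')
    return constraint_pattern == mapping_pattern


def check_web_xml(xml_text):
    """Audit one web.xml.

    Returns {'global_constraint': bool, 'unprotected': {servlet: [url-patterns]}}.
    global_constraint is True when a constraint carrying an <auth-constraint> is
    declared on /*; unprotected lists the mappings no such constraint covers.
    """
    root = ET.fromstring(xml_text)
    mappings = {}
    protected_patterns = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == 'servlet-mapping':
            names = _texts(elem, 'servlet-name')
            if names:
                mappings.setdefault(names[0], []).extend(_texts(elem, 'url-pattern'))
        elif tag == 'security-constraint':
            # Only a collection with an <auth-constraint> requires authentication
            # (an empty one denies everyone); without it the element at most sets
            # transport rules and the resources stay open.
            if any(_local(e.tag) == 'auth-constraint' for e in elem.iter()):
                protected_patterns.extend(_texts(elem, 'url-pattern'))
    unprotected = {}
    for servlet, patterns in mappings.items():
        for pat in patterns:
            if not any(_covers(c, pat) for c in protected_patterns):
                unprotected.setdefault(servlet, []).append(pat)
    return {'global_constraint': '/*' in protected_patterns, 'unprotected': unprotected}


# Constructed sample: only one of the servlet's two mappings is protected.
WEAK_WEB_XML = """<web-app>
  <servlet><servlet-name>sample</servlet-name>
    <servlet-class>com.example.SampleServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>sample</servlet-name>
    <url-pattern>/sample/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>sample</servlet-name>
    <url-pattern>/SampleConfig</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>config</web-resource-name>
      <url-pattern>/SampleConfig</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the same descriptor with the /* constraint recommended above.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", """  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>""")


if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        print(label, check_web_xml(doc))
```

The /* finding is the one that matters more than the per-mapping list: an invoker servlet answers URLs that never appear as servlet-mapping entries, so constraints written per servlet cannot cover them, whereas a single constraint on /* with an auth-constraint does, which is why the text recommends protecting /* rather than individual services.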

Recommendations

1) I have talked about this many times and continue to do so, especially now. A large number of SAP patches don’t exactly fix an issue, as it may seem to an inexperienced user. This situation relates mostly to configuration issues. SAP closes most issues by just introducing new parameters, which SAP administrators need to enable manually. That's why one has so many difficulties securing SAP systems. Simply put, you can't just implement a patch. In most cases additional configuration is required afterwards. That's the most important takeaway.
2) SAP gives you a lot of customization functionality, so you can build your own apps, where you have to enable security features manually. Going back to our example, even if you disable the invoker servlet globally, it can be enabled by any of your developers or admins. So take a closer look at the customizations, and not only in this case but in general. Check the source code of custom programs and the authorizations of all users.
3) Finally, do not expose unnecessary services online. All of the 36 systems that may have been compromised had an administrative service unnecessarily exposed to the Internet.

Central version of RSAU_SELECT_EVENTS?

Dear SAP security experts,

Is there a central version of report RSAU_SELECT_EVENTS (RZ20) that can show SAL events from multiple systems?

(PS: SolMan "Technical Monitoring" isn't quite the answer, because function CCMS_MTE_GET_CURRENT pulls back only Alert Text and Context from events, not MsgID, Client, User, etc. I've found TechMon useful only for aggregate alerts such as a high number of entries, and for trending.)

(PPS: I'm trying to avoid a homegrown solution like saving and concatenating spools from RSAU_SELECT_EVENTS jobs using OS scripts....)

(PPPS: I suppose I could ask an ABAPer to create a Z program based on RSAU_SREAD_AUDITLOG_EXTERNAL, but I'm hoping dear SAP has already done that and I just can't find it, or maybe they already have a ConfigVal-style BW query to grab the SAL events?)

Thanks

SNC logging capture in sm20 logs

We have activated SNC and need to know how to capture logs in SM20 for successful logins using SNC, and also for those users whose SNC is not yet active.

We have applied SAP Note "2104732 - SAL - event definition for SNC client encryption", but there are no logs that confirm whether a user has logged in through SNC or without SNC.

Please let me know if anyone has any idea.

Kernel --> 721 ext_rel 64 bit SP500

NW --> 7.02 SP15


Issue in displaying roles/Workbooks under SAP Business Analytic office & BEx

Hi All,

Workbooks are added via PFCG in the role menu. When a user tries to display them in Business Analytics Office or BEx, the workbooks do not appear.

Please guide me on how to fix this issue.

email domain change

My organization's domain is being changed. I understand that we need to update all scripts that we use to reflect the new domain.

Apart from that, is there any SAP report to mass update all user email IDs from the old domain to the new domain?

SOLMAN Upgrade

Hi,

We are planning to upgrade our SOLMAN system to the latest SAP version.

CUA is configured in the Solution Manager system.

I would need your expertise on the impact it would have on the SAP Security team and the steps we need to follow pre- and post-upgrade.

Thanks,

Narendra varma

SNC Activation Problem

Hi all,

We are trying to configure SNC in our system; we have completed everything up to setting the profile parameters.

When restarting the server after adding the parameters to the instance profile, the "gateway stopped and then the dispatcher also stopped".

We checked all the added parameters; the snc/enable parameter has the problem: when the parameter is commented out with #, the server starts fine.

We set snc/enable = 1...

Can you please help me find what the problem is...

Thanks and Regards,

Sajmal

Using Exclusion field in OOSB

Hi,

Is it possible to mark an authorization profile for exclusion in OOSB without giving edit access to the table T77UA?

As per the current role design, we don't wish to provide edit access to any table in production directly. However, we would still want to use this HR security solution, where the exclusion can be used to restrict users on structural profiles.

Please let me know if there is any other way to do this.

Br,

Anish

Not able to restrict program when run in background/ using variant through SE38

Hi All,

We have restricted access to run a few important programs which are run through transaction SE38. We have restricted this by using the authorization objects S_DEVELOP and S_PROGRAM in the role which is assigned to these users.

When users having this role run any of the restricted programs in the foreground (using SE38), they get an authorization error (which is what we need).

But when they execute the same program in the "background" or "using a variant", it gets executed. No authorization error.

Let me know how we can restrict this.

Regards,

Susahnt

Authorization group in OB52

Hi Experts!

I am trying to configure extra authorization for a group of users in OB52, in this field:

(screenshot: sdn.png)

But I am really lost about authorizations. Do you have any tutorial I can follow to achieve this, or maybe you can tell me what steps I should follow?

Thank you very much.


How can we restrict CS02 transaction access to "change only the CC and GL account sets that belong to a specific company"?

We have a requirement to restrict the CS02 transaction so that users can change "Cost Center and G/L account sets" only for specific country codes. Any idea how we can do it?

RSECVAL_STRING is incomplete and Characteristic values not reflecting in RSECADMIN

Dear Experts,

We have upgraded our BW system from 7.31 to 7.4. Post upgrade I am finding the issues below and am not able to identify the correct resolution. Please guide me on how to analyze further.

1. Post upgrade, while checking a few AAs in RSECADMIN, none of the characteristics are reflected, meaning the AAs are blank. I tried executing the step RSECADMIN -> Extras -> Migrations -> Migration: Release 7.0 -> Release 7.3, and the values still did not appear in RSECADMIN.

2. Table RSECVAL_STRING is not populated with all the values that are in RSECVAL. I expected the program RSD_XPRA_REPAIR_0TCTIOBJVL_740, which runs automatically during the XPRA phase, to have updated it, but in our case it has not. How can RSECVAL_STRING be updated post upgrade? Can the program RSD_XPRA_REPAIR_0TCTIOBJVL_740 be run manually, and should any pre/post steps be executed/verified?

3. When new AAs are created and activated, the characteristics and values are updated in RSECVAL_STRING, but the version is set to "M" and not "A" as seen in RSECADMIN. Were any prerequisite steps missed during the upgrade, due to which the correct version is not reflected in RSECVAL_STRING?

Best Regards,

Arun.

Missing authorization and CRM-ECC role issue

Hello Experts,

I have two queries related to Security:

1) I have a scenario where, in the SU53 screenshot under the S_DEVELOP authorization object, I can find 5 fields as follows

(Missing Authorization)

ACTVT: 03

DEVCLASS: <Dummy>

OBJNAME: <Dummy>

OBJTYPE: DEBUG

P_GROUP: <Dummy>

When I checked the specific authorization object under the specific role, I found the entries below:

ACTVT: 03

DEVCLASS: CRM*

OBJNAME: CRM*

OBJTYPE: WAPA

P_GROUP: *

Now, what are my options to fix this issue? I need to add the DEBUG object type; if I add it, I need to delete the existing one, and if I just add it without deleting the existing one, the ACTVT field will be the same for object types DEBUG and WAPA. What if I don't want to touch the current OBJTYPE and just add OBJTYPE DEBUG with its own ACTVT? Please suggest.

2) I see that there are roles which exist only in the ECC system, not in CRM. However, when we are not able to use a specific transaction in CRM, we make those changes in the ECC system. My concern here is: if a role is functioning fine in the ECC system, but when trying the same thing from the CRM system (the user exists in both systems) it won't work, what could be the cause?

Regards

Piyush


Transaction is locked, what can I do?

Hi, friend.

When I use transaction SCC4 to change the client setting, the system tells me "Transaction SCC4 is locked (in transaction SM50)". I know a transaction can be locked via SM01, but SCC4 is not locked in SM01. Can you help me?

thanks

best regards.
