Channel: SCN : All Content - Security

Transaction to a role



Hi Guys,

 

I want to find the list of tcodes assigned to a role.

I checked in table AGR_1251, which gave 194 tcodes.

But when checking through SUIM -> Transactions -> Executable for a Role, it shows 202 tcodes.

Could you please suggest which procedure is correct, or which can be used to collect the tcodes assigned to a role?

 

Regards,

Adithya G


remote host supports the use of SSL ciphers that offer weak encryption


Dear All,

 

Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.

 

We have followed SAP Note 510007 - Setting up SSL on Web Application Server ABAP.

As mentioned in point 6, we have added the parameter below to the instance profile of the application server and restarted our server, but the issue is still not resolved.

 

ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL

 

Clients are accessing our PI server through SAP Web dispatcher.

 

Kindly suggest the action to be taken to resolve the issue.

 

Please find below the comment from the audit.

-----------------------------------------------------------------------------------------------------------------------

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------

 

 

Regards,

Lalitha.
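One way to see why the posted ssl/ciphersuites value still leaves export-grade suites enabled, as an added example that is not part of the original post or of SAP's documentation: it applies OpenSSL cipher-list semantics (assumed here for the parameter) to a constructed suite table and reports what an auditor would still flag. The hardened string is illustrative, not SAP's recommended value.

```python
"""Evaluate an OpenSSL-style cipher list, such as the ssl/ciphersuites value
quoted in the post above, against a small constructed table of cipher suites.

Added example; it is not code from the original post or from SAP. Assumptions:
the parameter uses OpenSSL cipher-list semantics (tokens applied left to right,
'!' excludes permanently, '-' excludes until re-added, '+' moves to the end),
and the suite table and strength classes below are a constructed sample, not a
real library's catalogue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    strength: str        # OpenSSL-style class: HIGH, MEDIUM, LOW, EXPORT or NONE
    encryption: str      # symmetric cipher; "NULL" means no encryption at all
    anonymous: bool = False  # True when the key exchange is unauthenticated


# Constructed sample. Classes follow the historic OpenSSL grouping, in which
# EXPORT and LOW are *separate* classes: "!LOW" alone leaves EXPORT suites in.
SAMPLE_SUITES = (
    Suite("AES256-SHA", "HIGH", "AES256"),
    Suite("DES-CBC3-SHA", "HIGH", "3DES"),
    Suite("RC4-SHA", "MEDIUM", "RC4"),
    Suite("DES-CBC-SHA", "LOW", "DES"),
    Suite("EXP-RC4-MD5", "EXPORT", "RC4-40"),
    Suite("EXP-DES-CBC-SHA", "EXPORT", "DES-40"),
    Suite("NULL-SHA", "NONE", "NULL"),
    Suite("ADH-AES128-SHA", "HIGH", "AES128", anonymous=True),
)


def _matches(suite: Suite, keyword: str) -> bool:
    """Does one cipher-list keyword select this suite?"""
    if keyword == "ALL":
        return suite.encryption != "NULL"
    if keyword == "eNULL":
        return suite.encryption == "NULL"
    if keyword == "aNULL":
        return suite.anonymous
    if keyword in ("HIGH", "MEDIUM", "LOW", "EXPORT"):
        return suite.strength == keyword
    return suite.name == keyword  # a literal suite name


def enabled_suites(spec: str, suites=SAMPLE_SUITES) -> list[str]:
    """Apply a colon-separated cipher list left to right and return the
    suite names that end up enabled, in preference order."""
    enabled: list[Suite] = []
    killed: set[str] = set()  # suites hit by '!' can never be re-added
    for token in filter(None, spec.split(":")):
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in suites if _matches(s, keyword)]
        if op == "!":
            killed.update(s.name for s in hits)
            enabled = [s for s in enabled if s.name not in killed]
        elif op == "-":
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":  # move matching suites to the end of the list
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            for s in hits:
                if s.name not in killed and s not in enabled:
                    enabled.append(s)
    return [s.name for s in enabled]


def weak_suites_enabled(spec: str, suites=SAMPLE_SUITES) -> list[str]:
    """Enabled suites an auditor would flag: export or low strength, no
    encryption, or unauthenticated key exchange. The threshold is this
    example's own; a current baseline would also reject RC4 and 3DES."""
    by_name = {s.name: s for s in suites}
    return [
        name for name in enabled_suites(spec, suites)
        if by_name[name].strength in ("LOW", "EXPORT", "NONE")
        or by_name[name].encryption == "NULL"
        or by_name[name].anonymous
    ]


# The value from the post: EXPORT is explicitly *included*, and "!LOW" does
# not cover the separate EXPORT class, so the scanner still sees export ciphers.
POSTED_SPEC = "MEDIUM:HIGH:EXPORT:!LOW:!eNULL"

# Illustrative hardened string (not SAP's recommended value): exclude the weak
# classes explicitly instead of relying on them being absent.
HARDENED_SPEC = "HIGH:MEDIUM:!EXPORT:!LOW:!eNULL:!aNULL"

if __name__ == "__main__":
    for label, spec in (("posted", POSTED_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"{label:9s} {spec}")
        print("  enabled:", enabled_suites(spec))
        print("  flagged:", weak_suites_enabled(spec))
```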

securing SARA transaction advice


The archiving team uses SARA and other technical transactions in production to archive data; however, SARA does not work unless the user is also assigned business-related authorization objects such as M_MATE_WRK and F_BKPF_BUK and countless others (depending on what they are archiving) with ACTVT=06. But if we associate all of these with SARA in SU24 and merge them into the archiving role, then that role will become huge, filled with many "business" authorizations. Plus, it seems impossible to predict every authorization object that the archiving team will need in Production, and we would be adding to this role regularly.

 

How do other companies handle this? What do your archiving team's roles and user profiles look like in Production?

 

thx

Personalisation Issues


Hi Team,

 

We have an issue.

 

A user has a problem with the calendar (as an input field), which is not working. I have compared with another user for whom things are working fine; the only difference is the personalization values in SU01.

 

So:

 

1) When I create a user (without any roles or anything), how do the personalization values get filled in automatically, and where are the values maintained?

 

2) Is the issue we identified (the personalization values) really the cause? We generally do not maintain any personalization values for the users.

 

 

 

 

Thanks,

Sankar.

Alternative Tcode in SAP ECC6 after upgrade from SAP4.6


Hi

 

My company has upgraded from SAP 4.6C to ECC6. Now I cannot find some tcodes in the ECC system, as they are now obsolete.

 

Can anybody help me find the alternative tcodes in SAP ECC6 for the following?

 

OS07
OS06
AL07
DB07
AFBD
S_P00_070000
S_P99_410001
OMGN
OMEU
AL09
AL10
AL18
AL21
AL22
CREF
WSOA5

 

 

Thanks,

Ujjal

P_ABAP not skipping the authorization check


Hi All,

 

I would require your assistance on the following issue at the earliest.

 

HR key users are executing the HR standard reports using the t-code S_PH0_48000509 (Ad Hoc Query) and also with t-code SQ01. When they execute the reports, the system checks their authorizations while the report runs; this makes the report execution take longer and also throws an ABAP dump.

 

Hence, I went through some blogs and also the SAP help about the auth object P_ABAP. As stated in the help, I have provided access to the user with option 2 under

 

P_ABAP (HR: Reporting) - Authorizations for Human Resources - SAP Library

HR InfoSets for InfoSet Query (SAP Library - InfoSet Query)

 

But the system is still checking the authorizations against the user in both foreground and background for the above t-codes. Please assist on the same.

 

 

Thanking you,

Kotesh

SAP Security Access Restriction for Material Movements based on Prd order plant itself



Hi,

 

Is there any way to restrict security access so that material movements can only be posted to production orders belonging to a specific plant in SAP?

 

Scenario:

 

User : A

 

Plants : Plant 1 and Plant 2

 

User A works at Plant 1

 

User A has access to post to material movements in Plant 1 ONLY

 

User A DOES NOT have access to create or change production orders at Plant 2.

 

But somehow User A can post material movements at Plant 1 to a production order belonging to Plant 2.

 

Can we prevent this from happening with a security control in SAP?

Need advice for transportation of Derived and parent roles


Hi,

 

Good day to all. I have a query regarding role transports involving parent and derived roles.


1. I know that when we transport derived (child) roles, the parent role gets included in the transport. This, I understand, is the SAP standard process.

Would it be possible to provide more information on the SAP standard process regarding this? A link to refer to would definitely help.

 

2. Due to the inclusion of the master (parent) roles, we end up getting a lot of transport collisions. We have approximately 100-150 child roles per master role. As a result, even though there might be no actual changes to the master role, and maybe only an org level update on the child roles for different locations, we still have to look at a lot of transport collisions due to changes for different locations.

 

My question is: if we remove the parent/master role from the transport, would it cause any issues? Would it also affect the inheritance in any way, or cause any authorization issues later on?

 

Please advise.


Display User Sessions


Hello everyone!

With the transaction SM04 I can display all the users who are logged on to the system. I need to display the logged-on users together with the name of the workstation at which each user is working during the day, and set up a filter in such a way that it displays only those users who worked from different workstations during the day. Any ideas?

 

Tnx a lot for your help!

max no of profiles per user


HI everybody

 

An interviewer asked: you have to assign 10 roles to a user, but with 9 roles the maximum number of profiles (312) is already reached. How do you then assign the 10th role?

What procedure would you follow? Of course I have had this doubt since my SAP career started, but I was not much interested in finding the answer.

 

I read note 410993 and searched all the stuff on the net, but didn't get a solution.

thanks in advance.

 

regards

siddu

Has anyone transitioned user ids to employee ids?


HI,

 

The company I currently work for wants to transition from <First Initial><Last Name> logons for SAP to an 8-digit employee ID. They want to do this to try to level IDs across systems to better identify users.

 

Have any of you done this?

 

What were the problems associated with the change?

 

How did you convert employee ID to actual names for standard screens and reports?

 

What would you have done differently?

 

How do you currently track users across multiple systems and SAP landscapes when user IDs may be different across those systems?

 

Thanks,

HR Authorization Objects


What are the authorization objects for Personnel Subareas? What field do I fill in to specify this?

THANKS.

How to restrict a user to a specific development class in BW


Gurus,

 

Here is my scenario.

I want my end users to be able to create their own BEx queries in the dev environment of BW. I gave them the necessary CTS authorizations. It works fine.

But I would like to limit their access to one specific development class, so that they cannot use the $TMP package or anything I did not grant them.

I cannot find the authorization object to do that. I tried S_DEVELOP, but with no success.

 

Can anyone help on that ?

 

Thanks

 

PY

Delete User


Hi,

 

We are using ECC6. We have a few users who have left. If I delete those users from SU01, will it remove the transactions done by the user, including transports?

 

Thank you.


Acknowledgments to Security Researchers


The SAP Product Security Response Team thanks all researchers and security IT professionals that helped with discovering and solving security vulnerabilities. Their findings have helped SAP to maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. The acknowledgements are published on a monthly basis and mention all security researchers who helped to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.

 

April 2014

Core Security, Martin Gallo, SAP Security Note 1986895

ERPSecurity, Joris van de Vis, SAP Security Note 1940405

ERPSecurity, Joris van de Vis, SAP Security Note 1971516

ESNC, Ertunga Arsal, SAP Security Note 1940405

Onapsis, Nahuel D. Sánchez, SAP Security Note 1974016

Onapsis, Will Vandevanter, SAP Security Note 1993349

Onapsis, Sergio Abraham, SAP Security Note 1929473

Onapsis, Nahuel D. Sánchez, SAP Security Note 1778940

Subgraph, David McKinney, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 2001778

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1987413

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1985100

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1983739

Virtual Forge, Frederik Weidemann, SAP Security Note 1878371


March 2014

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1946420

ERPSecurity, Joris van de Vis, SAP Security Note 1965610

ERPSecurity, Joris van de Vis, SAP Security Note 1884678

ESNC, Ertunga Arsal, SAP Security Note 1971238

Onapsis, Sergio Abraham, SAP Security Note 1964428

Onapsis, Sergio Abraham, Manuel Muradas, SAP Security Note 1963932

 

February 2014

ERPScan, Alexander Polyakov, SAP Security Note 1860923

ESNC, Ertunga Arsal, SAP Security Note 1945300

Onapsis, Sergio Abraham, SAP Security Note 1791081

Onapsis, Sergio Abraham, SAP Security Note 1768049

Onapsis, Sergio Abraham, SAP Security Note 1920323

Onapsis, Sergio Abraham, SAP Security Note 1915873

Onapsis, Sergio Abraham, SAP Security Note 1914777

Onapsis, Sergio Abraham, SAP Security Note 1911174

Onapsis, Sergio Abraham, SAP Security Note 1795463

Onapsis, Sergio Abraham, SAP Security Note 1789569

Onapsis, Sergio Abraham, SAP Security Note 1738965

Onapsis, Juan Pablo Perez Etchegoyen, Jordan Santarsieri, Pablo Muller, SAP Security Note 1939334

CyberSecurity Maldives, Shabnoon Khalid, SAP Security Note 1905408

 

January 2014

ERPScan, Neyolov Evgeny, SAP Security Note 1828885

ERPScan, Dmitry Chastuhin, SAP Security Note 1788080

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1932505

ERNW, Florian Grunow, SAP Security Note 1924853

ESNC, Ertunga Arsal, SAP Security Note 1886051

ESNC, Ertunga Arsal, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1894049

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1918333

Onapsis, Nahuel D. Sánchez, SAP Security Note 1917381

Onapsis, Jordan Santarsieri, SAP Security Note 1922547

Onapsis, Jordan Santarsieri, SAP Security Note 1910914

Onapsis, Will Vandevanter, SAP Security Note 1931399

SecuRing, Krzysztof Kotowicz, SAP Security Note 1916560

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1949046

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898046

Virtual Forge, Xu Jia, SAP Security Note 1884596

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1956096

 

December 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1927859

Compass Security, Stefan Horlacher, SAP Security Note 1908562

Compass Security, Stefan Horlacher, SAP Security Note 1908647

ERPScan, Alexander Polyakov, SAP Security Note 1852146

ERPScan, Georgy Nosenko, SAP Security Note 1773912

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1917054

ERPSecurity, Joris van de Vis, SAP Security Note 1896642

ERPSecurity, Joris van de Vis, SAP Security Note 1900200

ERPSecurity, Joris van de Vis, SAP Security Note 1929338

ESNC, Ertunga Arsal, SAP Security Note 1782753

ESNC, Ertunga Arsal, SAP Security Note 1862392

ESNC, Ertunga Arsal, SAP Security Note 1909770

ESNC, Ertunga Arsal, SAP Security Note 1909858

Onapsis, Sergio Abraham, SAP Security Note 1911523

Onapsis, Sergio Abraham, SAP Security Note 1913554

Onapsis, Sergio Abraham, SAP Security Note 1926485

Sense of Security, Jason Edelstein, SAP Security Note 1802724

Simple solutions, Daniil Luzin, SAP Security Note 1925908

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1866296

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1896988

Virtual Forge, Frederik Weidemann, SAP Security Note 1819139

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1951875

 

November 2013

ERPScan, Nikolay Mescherin, SAP Security Note 1836718

ERPScan, Georgy Nosenko, SAP Security Note 1853140

ERPScan, Dmitriy Evdokimov, SAP Security Note 1864518

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1909665

ERPSecurity, Joris van de Vis, SAP Security Note 1903756

ERPSecurity, Joris van de Vis, SAP Security Note 1899146

ERPSecurity, Fred van de Langenberg, SAP Security Note 1898735

ESNC, Ertunga Arsal, SAP Security Note 1836314

ESNC, Ertunga Arsal, SAP Security Note 1917888

ESNC, Ertunga Arsal, SAP Security Note 1910737

ESNC, Ertunga Arsal, SAP Security Note 1907712

ESNC, Ertunga Arsal, SAP Security Note 1902986

ESNC, Ertunga Arsal, SAP Security Note 1902402

ESNC, Ertunga Arsal, Mert Suoglu, SAP Security Note 1905591

ESNC, Ertunga Arsal, SAP Security Note 1906568

ESNC, Ertunga Arsal, SAP Security Note 1843169

ESNC, Ertunga Arsal, SAP Security Note 1902611

Hacktics Advanced Security Center, Ernst & Young, Oren Hafif, Egor Pryadko, SAP Security Note 1861907

KPMG, Agus Komang, SAP Security Note 1846945

Positive Technologies, Dmitry Sklyarov, Dmitry Gutsko, SAP Security Note 1902611

Simple solutions, Daniil Luzin, SAP Security Note 1861907

 

October 2013

ERPScan, Alexander Polyakov, SAP Security Note 1854826

ESNC, Ertunga Arsal, SAP Security Note 1868140

ESNC, Ertunga Arsal, SAP Security Note 1876343

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1853616

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1885371

Onapsis, Nahuel D. Sánchez, SAP Security Note 1914778

Sense of Security, Chris Archimandritis, SAP Security Note 1911067

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898055

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1902854

 

September 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1809246

AppSecInc, Martin Rakhmanov, SAP Security Note 1849356

AppSecInc, Martin Rakhmanov, SAP Security Note 1893558

AppSecInc, Martin Rakhmanov, SAP Security Note 1893561

AppSecInc, Martin Rakhmanov, SAP Security Note 1893556

AppSecInc, Martin Rakhmanov, SAP Security Note 1893440

AppSecInc, Vladimir Zakharevich, SAP Security Note 1893560

ERPScan, Alexander Polyakov, SAP Security Note 1783795

ERPScan, Dmitriy Evdokimov, SAP Security Note 1828801

ERPScan, Dmitriy Evdokimov, SAP Security Note 1879601

ERPScan, Nikolay Mescherin, SAP Security Note 1890819

ERPSecurity, Joris van de Vis, SAP Security Note 1888167

ERPSecurity, Joris van de Vis, SAP Security Note 1888502

ERPSecurity, Joris van de Vis, SAP Security Note 1672911

ERPSecurity, Joris van de Vis, SAP Security Note 1889895

ESNC, Ertunga Arsal, SAP Security Note 1842826

ESNC, Ertunga Arsal, SAP Security Note 1847590

ESNC, Ertunga Arsal, SAP Security Note 1860258

ESNC, Ertunga Arsal, SAP Security Note 1863278

ESNC, Ertunga Arsal, SAP Security Note 1881914

ESNC, Ertunga Arsal, SAP Security Note 1884512

Positive Technologies, Igor Bulatenko, SAP Security Note 1887341

Simple solutions, Daniil Luzin, SAP Security Note 1864915

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1777053

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1871683

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1885611

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1896785

 

August 2013

akquinet AG, Ralf Kempf, SAP Security Note 1764298

Raiffeisen Informatik GmbH, Chris John Riley, SAP Security Note 1851123

ERPScan, Nikolay Mescherin, SAP Security Note 1840249

ERPSecurity, Joris van de Vis, SAP Security Note 1861791

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1851123

ESNC, Ertunga Arsal, SAP Security Note 1772529

ESNC, Ertunga Arsal, SAP Security Note 1842817

ESNC, Ertunga Arsal, SAP Security Note 1845802

ESNC, Ertunga Arsal, SAP Security Note 1847217

ESNC, Ertunga Arsal, SAP Security Note 1852955

ESNC, Ertunga Arsal, SAP Security Note 1856296

ESNC, Ertunga Arsal, SAP Security Note 1860308

ESNC, Ertunga Arsal, SAP Security Note 1873131

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1835125

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1838451

IOACTIVE Security Research Adv, Ariel M. Sanchez, SAP Security Note 1880040

Onapsis, Jordan Santarsieri, SAP Security Note 1773651

Virtual Forge, Andreas Wiegenstein & Sandra Möckel, SAP Security Note 1688229

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1847811

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1772529

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sven Neuz & Xu Jia, SAP Security Note 1861791

 

July 2013

Comsec Global Consulting, Moshe Zioni, SAP Security Note 1823687

ERPScan, Dmitry Chastuhin, SAP Security Note 1831022

ERPScan, Dmitry Chastuhin, SAP Security Note 1831053

ESNC, Ertunga Arsal, SAP Security Note 1839699

ESNC, Ertunga Arsal, SAP Security Note 1851835

ESNC, Ertunga Arsal, SAP Security Note 1846653

ESNC, Ertunga Arsal, SAP Security Note 1853040

ESNC, Ertunga Arsal, SAP Security Note 1858474

ESNC, Ertunga Arsal, SAP Security Note 1858566

ESNC, Ertunga Arsal, SAP Security Note 1854252

ESNC, Ertunga Arsal, SAP Security Note 1860367

ESNC, Ertunga Arsal, SAP Security Note 1860278

ESNC, Ertunga Arsal, SAP Security Note 1856093

ESNC, Ertunga Arsal, SAP Security Note 1863091

ESNC, Ertunga Arsal, SAP Security Note 1846515

ESNC, Ertunga Arsal, SAP Security Note 1840304

ESNC, Ertunga Arsal, SAP Security Note 1852738

ESNC, Ertunga Arsal, SAP Security Note 1868012

ESNC, Ertunga Arsal, SAP Security Note 1864397

Simple Solutions, Daniil Luzin, SAP Security Note 1861295

 

June 2013

ERPSecurity, Joris van de Vis, SAP Security Note 1836717

ERPSecurity, Joris van de Vis, SAP Security Note 1805024

ERPSecurity, Joris van de Vis, SAP Security Note 1831463

ERPSecurity, Joris van de Vis, SAP Security Note 1774432

ESNC, Ertunga Arsal, SAP Security Note 1781594

ESNC, Ertunga Arsal, SAP Security Note 1834935

ESNC, Ertunga Arsal, SAP Security Note 1816331

ESNC, Ertunga Arsal, SAP Security Note 1842218

ESNC, Ertunga Arsal, SAP Security Note 1848319

ESNC, Ertunga Arsal, SAP Security Note 1849744

ESNC, Ertunga Arsal, SAP Security Note 1849559

ESNC, Ertunga Arsal, SAP Security Note 1848996

ESNC, Ertunga Arsal, SAP Security Note 1853852

ESNC, Ertunga Arsal, SAP Security Note 1826162

ESNC, Ertunga Arsal, SAP Security Note 1847645

KPMG, Agus Komang, SAP Security Note 1846952

Positive Technologies, Dmitry Gutsko, SAP Security Note 1844202

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1851914

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1852064

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1858107

Trustwerk GmbH, Ralf Nellessen, SAP Security Note 1853161

Virtual Forge, Xu Jia, SAP Security Note 1843082

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1842406

 

May 2013

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791238

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791490

ERPScan, Georgy Nosenko, SAP Security Note 1820666

ERPSecurity, Joris van de Vis, SAP Security Note 1729638

ERPSecurity, Joris van de Vis, SAP Security Note 1810809

ESNC, Ertunga Arsal, SAP Security Note 1787455

ESNC, Ertunga Arsal, SAP Security Note 1837030

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1839758

Matthew Phillips, SAP Security Note 1840970

Onapsis, Jordan Santarsieri, SAP Security Note 1829584

Positive Technologies, Pavel Toporkov, SAP Security Note 1779578

Virtual Forge, Stefan Vogel, Frederik Weidemann, SAP Security Note 1718145

 

April 2013

Virtual Forge, Sandra Möckel and Andreas Wiegenstein, SAP Security Note 1718022

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1827217

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1757472

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1819822

KPMG, Tan Kean Siong, SAP Security Note 1784771

ESNC, Ertunga Arsal, SAP Security Note 1812581

INTEGRITY S.A., Bruno Morisson, SAP Security Note 1816536

ERPScan, Nikolay Mescherin, SAP Security Note 1821862

ERPScan, Nikolay Mescherin and Alexey Tyurin, SAP Security Note 1821019

 

March 2013

ESNC, Ertunga Arsal, SAP Security Note 1771567

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1813734

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1789823

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1786822

Virtual Forge, Andreas Wiegenstein and Xu Jia, SAP Security Note 1806435

ERPScan, Alexander Polyakov, SAP Security Note 1784894

ERPScan, Alexander Polyakov, SAP Security Note 1789611

ERPScan, Nikolay Mescherin, SAP Security Note 1807196

ERPScan, Alexander Polyakov, SAP Security Note 1685106

Onapsis, Nahuel D. Sánchez, SAP Security Note 1789611

Positive Technologies, Arseny Reutov, SAP Security Note 1820894

 

February 2013

Core Security Consulting Services, Martin Gallo and Francisco Falcon, SAP Security Note 1800603

ERPScan, Dmitry Chastuhin, SAP Security Note 1757675

ERPScan, Nikolay Mescherin, SAP Security Note 1446476

ERPSecurity, Joris van de Vis, SAP Security Note 1796264

ESNC, Ertunga Arsal, SAP Security Note 1750997

ESNC, Ertunga Arsal, SAP Security Note 1777228

ESNC, Ertunga Arsal, SAP Security Note 1788426

ESNC, Ertunga Arsal, SAP Security Note 1791089

ESNC, Ertunga Arsal, SAP Security Note 1792354

ESNC, Ertunga Arsal, SAP Security Note 1795948

MWR Labs and Context IS, Dave Hartley, SAP Security Note 1764994

Onapsis, Nahuel D. Sánchez, SAP Security Note 1757675

Virtual Forge, Frederik Weidemann, SAP Security Note 1750997

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1788614

Virtual Forge, Xu Jia, Andreas Wiegenstein, Frederik Weidemann and Markus Schumacher, SAP Security Note 1819543

 

January 2013

Compass Security AG, Axel Neumann, SAP Security Note 1784770

ERPScan, Alexey Tuyrin and Dmitry Chastuhin, SAP Security Note 1412864

ERPScan, Dmitry Chastuhin, SAP Security Note 1628537

ERPScan, Dmitry Chastuhin, SAP Security Note 1729293

ERPScan, Dmitry Chastuhin, SAP Security Note 1725390

ERPSecurity, Joris van de Vis, SAP Security Note 1674132

ERPSecurity, Joris van de Vis, SAP Security Note 1794299

ESNC, Ertunga Arsal, SAP Security Note 1674132

ESNC, Ertunga Arsal, SAP Security Note 1779317

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1673016

ESNC, Ertunga Arsal, SAP Security Note 1776984

Finnish Communications Regulatory Authority (FICORA), Jussi, SAP Security Note 1731362

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1755108

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1772208

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1785747

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1775422

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1784654

 

December 2012

ERPSecurity, Joris van de Vis, SAP Security Note 1771020

ERPSecurity, Joris van de Vis, SAP Security Note 1769099

ERPSecurity, Joris van de Vis, SAP Security Note 1773758

ERPSecurity, Joris van de Vis, SAP Security Note 1714607

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1776695

ESNC, Ertunga Arsal, SAP Security Note 1772498

ESNC, Ertunga Arsal, SAP Security Note 1774903

ESNC, Ertunga Arsal and Anja Meiser, SAP Security Note 1771204

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1774903

 

November 2012

CIBER, Martin Voros, SAP Security Note 1597598

ERPScan, Alexey Tuyrin, SAP Security Note 1715040

ERPScan, Alexey Tuyrin, SAP Security Note 1734986

ERPScan, Dmitry Chastuhin, SAP Security Note 1679897

ERPSecurity, Joris van de Vis, SAP Security Note 1673713

ERPSecurity, Joris van de Vis, SAP Security Note 1652271

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1774568

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1758450

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1682613

Virtual Forge, Frederik Weidemann, SAP Security Note 1652271

Virtual Forge, Xu Jia, SAP Security Note 1686172

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1768068

 

October 2012

ERPScan, Alexandr Polyakov, SAP Security Note 1724516

 

September 2012

Virtual Forge, Gert Kremser, SAP Security Note 1678732

ERPScan, Alexey Tuyrin, SAP Security Note 1621534

ERPSecurity, Joris van de Vis, SAP Security Note 1668224

ESNC, Ertunga Arsal, SAP Security Note 1668224

 

August 2012

Virtual Forge, Sebastian Schinzel, SAP Security Note 1687334

Virtual Forge, Sebastian Schinzel, SAP Security Note 1684632

Virtual Forge, Gert Kremser, SAP Security Note 1692988

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1687334

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1684632

ERPSecurity, Joris van de Vis, SAP Security Note 1727914

ERPSecurity, Joris van de Vis, SAP Security Note 1718613

ERPScan, Alexey Tuyrin, SAP Security Note 1728500

ERPScan, Alexander Polyakov, SAP Security Note 1669031

Positive Technologies, Ilya Smith, Maxim Tsoy, Kirill Mosolov, Evgeny Ryzhov, SAP Security Note 1663732

 

 

July 2012

ERPScan, Dmitry Chastuhin, SAP Security Note 1721309

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1723641

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1686842

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1720994

sec-1, Richard Jones, SAP Security Note 1723641

 

June 2012

ESNC, Ertunga Arsal, SAP Security Note 1691744

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1537089

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1695286

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1683644

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1684539

Virtual Forge, Frederik Weidemann & Markus Seibel (GM IT Business Service), SAP Security Note 1638779

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1707494

ERPScan, Dmitry Chastuhin, SAP Security Note 1705800

CIBER, Martin Voros, SAP Security Note 1599567

akquinet AG, Ralf Kempf, SAP Security Note 1537089

 

May 2012

Compass Security AG, Alexandre Herzog, SAP Security Note 1626152

Positive Technologies, Vladimir Zarichny, SAP Security Note 1687910

Affinion International, Sherif Mansour, SAP Security Note 1615019

ERPScan, Dmitry Chastuhin, SAP Security Note 1590866

ERPScan, Alexey Tuyrin, SAP Security Note 1597066

ERPScan, Alexey Tuyrin, SAP Security Note 1614834

ERPScan, Dmitry Chastuhin, SAP Security Note 1675605

Zero Day Initiative, SAP Security Note 1685003

Zero Day Initiative, SAP Security Note 1662272

ERPSecurity, Joris van de Vis, SAP Security Note 1675533

ERPSecurity, Joris van de Vis, SAP Security Note 1682505

Core Security Consulting Services, Martin Gallo, SAP Security Note 1687910

Context Information Security Ltd, Michael Jordon, SAP Security Note 1341333

 

April 2012

Xiting AG, Julius von dem Bussche, SAP Security Note 1647225

Affinion International, Sherif Mansour, SAP Security Note 1652803

CIBER, Martin Voros, SAP Security Note 1657200

akquinet AG, Ralf Kempf, SAP Security Note 1590651

iDefense Labs, an anonymous researcher working with VeriSign iDefense Labs, Sybase Patches EBF 20065, EBF 20066, EBF 20067, EBF 20068, EBF 20069 and EBF 20070

 

March 2012

Virtual Forge, Andreas Wiegenstein, Frederik Weidemann & Sandra Möckel, SAP Security Note 1607850

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1580244

ERPScan, Dmitry Chastuhin, SAP Security Note 1656549

ERPScan, Alexey Tuyrin, SAP Security Note 1657891

CIBER, Martin Voros, SAP Security Note 1591427

Onapsis, Mariano Nunez Di Croce, SAP Security Note 1658947

Xiting AG, Julius von dem Bussche, SAP Security Note 1600755

 

February 2012

Virtual Forge, Sebastian Schinzel & Frederik Weidemann, SAP Security Note 1586410

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1584930

Virtual Forge, Erich Prosche & Sandra Möckel, SAP Security Note 1607529

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1597597

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1661349

ERPSecurity, Joris van de Vis, SAP Security Note 1641329

ERPSecurity, Joris van de Vis, SAP Security Note 1644746

Zero Day Initiative, SAP Security Note 1649838

Zero Day Initiative, SAP Security Note 1649840

ESNC, Ertunga Arsal, SAP Security Note 1667805

akquinet AG, Ralf Kempf, SAP Security Note 1644043

 

January 2012

ERPScan, Alexey Sintsov, SAP Security Note 1619539

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1613621

 

December 2011

ERPScan, Alexandr Polyakov, SAP Security Note 1568003

ERPScan, Alexey Tyurin, SAP Security Note 1594475

ERPScan, Dmitry Chastuhin, SAP Security Notes 1630293, 1584030, 1647871

Daimler TSS GmbH, Stefan Does, SAP Security Note 1647871

National Australia Bank, nabCERT Security Assurance, SAP Security Note 1583982

Virtual Forge, Markus Schumacher, SAP Security Note 1597391

Virtual Forge, Andreas Wiegenstein & Agnes Six, SAP Security Note 1576763

 

November 2011

ERPScan, Dmitriy Chastuchin, SAP Security Notes 1583300, 1585527

ERPScan, Alexey Tuyrin, SAP Security Note 1595074

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sandra Moeckel, SAP Security Note 1595074

akquinet AG, Ralf Kempf, SAP Security Note 1605054

CIBER, Martin Voros, SAP Security Notes 1632020, 1631458, 1631460

Context Information Security Ltd, Nico Leidecker, SAP Security Note 1638811

Onapsis, Jordan Santarsieri, SAP Security Note 1589716

Xiting AG, Julius von dem Bussche, SAP Security Note 1616366

 

October 2011

ERPSecurity, Joris van de Vis, SAP Security Note 1577513

Virtual Forge, Andreas Wiegenstein, Xu Jia, SAP Security Note 1606808

Virtual Forge, Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, SAP Security Note 1577513

ESNC GmbH, Ertunga Arsal, SAP Security Note 1577513

IBM, Dr. Emin Tatli, SAP Security Note 1567387

KPMG, Huynh Thien Tam, SAP Security Note 1567387

ERPScan, Dmitriy Evdokimov, SAP Security Note 1585652

VeriSign iDefense Labs, Abdul Aziz Hariri, Sybase Note 1095200

 

SAP Disclosure Guidelines

SAP takes the security of its products very seriously, with a comprehensive software development lifecycle process, clear quality and security standards for software development and a dedicated Product Security Response process in place as the most visible evidence of its commitment. The SAP Product Security Response team is responsible for investigating all reported security vulnerabilities, working closely with reporters of vulnerabilities and SAP product development to provide patches, and informing customers about the patches and their importance. Since the integrity and security of business operations is crucial for businesses in all industries, SAP as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products.

 

Reporting Security Vulnerabilities

As an integral part of our continuous improvement process, we are very interested in reports on possible security vulnerabilities. However, to ensure a professional and efficient process, we ask all security researchers to adhere to the following guidelines when reporting potential security vulnerabilities.

 

Report the vulnerability to SAP

When you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue.

  • Our Product Security Response team is standing by to work with you closely to discuss the vulnerability.
  • A member of our team will get in touch with you shortly after receiving your message – either by e-mail or, if you wish, by telephone.
  • SAP customers who want to report a vulnerability should create a customer ticket in the corresponding support system.
  • All other reporters should send an email to secure@sap.com. When reporting a vulnerability to SAP, please use PGP for e-mail encryption. Get our public PGP key here.

 

Please give SAP sufficient time to develop suitable fixes

    • Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
    • As a vendor of business software we provide security fixes not only to the latest version but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.

Please do not publicize vulnerabilities until SAP customers have had time to deploy fixes

    • The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, the deployment of patches often is not only done by an automated update; in some cases it requires manual configuration work in the system.
    • Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
    • In light of these circumstances, we ask all security researchers to give SAP customers sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.

 

Legal information - terms and conditions

By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to SAP:

  • You commit yourself to the principle expressed in this guideline to avoid any harm to SAP users and you therefore agree not to publicize information about threats and vulnerabilities of the SAP software before a fix and/or patch has been made available by SAP; AND
  • You agree that SAP may use such Feedback to update and/or improve its software; and you grant to SAP a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to SAP's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner SAP chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of SAP's and its sublicensee's products or services embodying Feedback in any manner and via any media SAP chooses, without reference to the source. SAP shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
  • You further agree that SAP may decide, in its sole discretion, to list your name and other personal information that you may provide for this purpose on the Acknowledgements page, unless you express to SAP your desire not to be mentioned. You may request at any time that your name and other personal information is deleted from the Acknowledgements page.

SAP standard roles for Mii inside of objects?


Hi,

 

It is our practice to rename SAP standard roles we plan to use "as is" to our company's naming convention. I am being told by an Mii implementer that Mii uses the standard role names in objects and that by changing these names to our convention, I will create "complications" in their implementation process. I find this hard to believe; it would be a departure from what (little) I know about SAP and how they handle authorizations and roles. It also seems to be very limiting when it comes to customization in the future.

 

Is this true?  Does Mii name standard roles inside of objects? (These "objects" were not clearly defined to me and I plan on calling a meeting so they may show me examples.)

 

Anyone else on Mii have this issue?

Ecc6 SU01 - Role Display (Icon)


We've just started testing Ecc6 system (we are upgrading).

 

When displaying our existing roles for a user in SU01 we see that some are missing the icon for a single role.

The display in SUIM (Roles by complex selection criteria) is fine.

 

The role with the missing icon has its profile in the user OK.

Is this a new feature?

P_ABAP not skipping the authorization check


Hi All,

 

I would require your assistance on the following issue at the earliest.

HR key users are executing the HR standard reports using the t-code S_PH0_48000509 (Ad Hoc Query) and also with t-code SQ01. When they execute the reports, the system checks their authorizations during execution; the report takes longer to run and also throws an ABAP dump.

Hence, I went through some blogs and also SAP help about the auth object P_ABAP; as stated in the help, I have provided access to the user with option 2 under

 

P_ABAP (HR: Reporting) - Authorizations for Human Resources - SAP Library

HR InfoSets for InfoSet Query (SAP Library - InfoSet Query)

 

But the system is still checking the authorization for the user in both foreground and background for the above t-codes. Please assist on the same.

Thanking you,

Kotesh

Leveraging the Security Audit Log (SAL)


Today I was reviewing some events generated for the Security Audit Log and noticed an interesting behavior.

 

For those who are not familiar with it, the Security Audit Log (SAL) allows SAP security administrators to keep track (via a log) of the activities performed in their SAP systems. In a future post we will discuss how to enable and configure this logging.

 

By default the SAL facility logs the “Terminal Name”, which is either the terminal name (as defined by the computer which performed the logged action) or the IP address of the computer that is the source of the events. The IP address is only logged if the source computer does not transmit a Terminal Name with its communications.

 

This behavior can be abused by an attacker, since filling in the terminal name value in an RFC call is a task performed by the caller (the user’s machine). Having the ability to manipulate the “Terminal Name” means the attacker could try different attacks, such as brute-force attempts, but have each transaction appear to come from a different terminal. Taken even further, the attacker could set an IP address (or cycle through a set of IP addresses) as the Terminal Name, meaning each request would appear to have originated from these IP addresses (in the logs it is not possible to distinguish between an IP address that was logged because no Terminal Name value was transmitted and an IP address that was logged because it was supplied as the Terminal Name).

Remediation

To fix this problem it is possible to configure the profile parameter “rsau/ip_only” and set it to 1. With this setting, whenever possible the source IP address of the event is logged and the Terminal Name value is ignored. This change must be made in the profile file; it cannot be done using transaction RZ11.

For more information, check SAP Note 1497445.
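As an added example (not part of the original post), the following Python script runs two detection rules over a handful of constructed SAL-style events to show the point above from the defender's side: a rule keyed on the terminal field never fires against a caller that rotates the value, while a rule keyed on the target user still does. The tuple layout, host names and addresses are constructed for the example and are not SAP's real audit file format.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample events in a simplified SAL-like tuple layout (not SAP's on-disk
# audit file format): (timestamp, user, terminal_field, message_id).
# AU1 = logon successful, AU2 = logon failed (standard SAL message IDs).
# "terminal_field" models the value SAL records: either a caller-supplied terminal
# name or, when none was transmitted, the source IP address.
SAMPLE_EVENTS = [
    ("20111115101201", "JDOE",   "WS-JDOE",   "AU1"),
    ("20111115101230", "ADMIN",  "HOST-A",    "AU2"),
    ("20111115101231", "ADMIN",  "HOST-B",    "AU2"),
    ("20111115101232", "ADMIN",  "10.0.0.5",  "AU2"),
    ("20111115101233", "ADMIN",  "10.0.0.6",  "AU2"),
    ("20111115101234", "ADMIN",  "HOST-C",    "AU2"),
    ("20111115101300", "ADMIN",  "10.0.0.7",  "AU2"),
    ("20111115101400", "MILLER", "WS-MILLER", "AU2"),
]

def looks_like_ip(value):
    """True if the terminal field holds an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def failed_logons_by_terminal(events, threshold=3):
    """Naive rule: alert on terminals with >= threshold failed logons.
    A caller that rotates the terminal name stays below the threshold everywhere."""
    counts = Counter(e[2] for e in events if e[3] == "AU2")
    return {term: n for term, n in counts.items() if n >= threshold}

def failed_logons_by_user(events, threshold=3):
    """Robust rule: key on the target user, which the caller cannot choose freely."""
    counts = Counter(e[1] for e in events if e[3] == "AU2")
    return {user: n for user, n in counts.items() if n >= threshold}

def terminal_churn(events):
    """Per user: (distinct terminal values on failed logons, how many are IP literals).
    High churn is itself a signal that the terminal field cannot be trusted."""
    seen = defaultdict(set)
    for _, user, term, msg in events:
        if msg == "AU2":
            seen[user].add(term)
    return {u: (len(t), sum(looks_like_ip(x) for x in t)) for u, t in seen.items()}

if __name__ == "__main__":
    print("by terminal:", failed_logons_by_terminal(SAMPLE_EVENTS))  # -> {}
    print("by user:    ", failed_logons_by_user(SAMPLE_EVENTS))      # -> {'ADMIN': 6}
    print("churn:      ", terminal_churn(SAMPLE_EVENTS))
```

Once rsau/ip_only is set to 1, the same per-terminal grouping becomes meaningful again, because the field then holds the source address the network stack observed rather than a value the caller chose.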

Imposing authority check


Hi Experts

 

I want to impose an authorization check in AUT10 so that the user sees all the changes relevant to one particular plant.

Can I do so?

 

Regards

Soumick
