Channel: SCN : All Content - Security
Viewing all 2858 articles

What tables contain transaction code usage?


The customer does not have GRC installed and does not have security auditing turned on. They want to create a report that allows them to select transaction code usage for a specific tcode or wildcard tcode range, by specific user or wildcard user name search, as the GRC activity report would show. I believe they have used ST03N to get the info one user at a time, but they want to create their own report that would give full function instead of trying to populate spreadsheets, do column joins, etc. What are the names of the tables needed to query against? Is there an existing ABAP report available for SA38 execution? Hopefully the customer will implement GRC in the near future, but they have a need for a relatively quick fix as soon as possible.

 

 

Thanks in advance,


Session time out setting to disconnect SAP user or plugin Http


Hi,

 

Is there any way or setting by which the R/3 system can disconnect a specific user when the SAP session is left idle for a certain time? I know the parameter which affects all users if we change it.

 

Regards

Uday

How to distribute new object from org level


Hi Expert,

 

I'm trying to create a new object, MATKL, as an org level through program PFCG_ORGFIELD_CREATE. But I find it only distributes to all roles. Could you advise whether it can be distributed to selected roles instead of all roles? Any advice on the hierarchy problem?

 


 

Rdgs,

Emily

Recommended Settings for the Security Audit Log (SM19 / SM20)


Hi Security-Folks,

 

I would like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).

 

Here's my proposal:

 

Profile Parameters:

 

rsau/enable = 1

rsau/selection_slots = 10

rsau/user_selection = 1

 

Filter settings in SM19:

 

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

  • You may deactivate the messages of class "User master record change (32)" because you get change documents for users in transaction SUIM anyway.
  • Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ.
  • If you maintain logical file names using transaction FILE (see note 1497003), then add messages CUQ, CUR, CUS, CUT.

 

 

2. Filter: Activate everything for users 'SAP*' in all clients '*'.
This includes the built-in user 'SAP*' as well as all user account names starting with 'SAP', e.g. 'SAPSUPPORTx', because of rsau/user_selection = 1.

To show log entries for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.

 

 

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

 

 

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

 

 

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see  http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).

 

 

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).

 

 

7.-10. Filter: free for other project specific purpose

 

 

What settings are you using and why?

 

Kind regards

Frank Buchholz

Active Global Support - Security Services

Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux


So, you want to enable SNC (without Single Sign On -- SSO) in your environment?  You have Solaris (or other UNIX) and you don't want to pay for third party libraries?

 

SAP has a solution for you!  But implementing the solution may be a nightmare.  SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome.  It's for this reason I developed this document.

 

Applicable Notes with Prerequisites

Some notes with important preliminary reading are listed below. There are three version prerequisites to watch out for: GUI, Kernel, and SAP Basis Component.

SAP OSS Note 1561161 - Enabling SAP GUI password logon despite using SNC.  This note discusses Kernel Version and Basis Support Pack prerequisites.

SAP OSS Note 1053737 -  Versions of supported SAPGUIs

SAP OSS Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry


Tags below

In this document you will see the following tags used.  This section explains what you should substitute into the tag.

<SID> = Your System ID.

<Instance> = The name/number of the instance, ex: DVEBMGS## or D##.

<SPN> = Service Principal Name created in Active Directory

<ActiveDirectoryDomain> = Name of your active directory domain name (Fully Qualified - ex: DomainName.YourOrganization.org).  If you don't know what this should be, ask your Active Directory Staff.

 

Our situation:

OS = Solaris 10

Database = Oracle

Hardware Platform (SPARC)

 

You'll need to search for and download the following:

1. SNC Client Encryption/Libraries 1.0

SAP's Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493 OR

SAP's Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)

 

2. SNC Client Encryption/Libraries 1.0 SP 02

SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only) OR

SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02

 

3. Latest SAPCrypto Lib

SAP's Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates

 

Now that you have downloaded what you need, let's get to business!

1. Server Side Installation

1. Upload all files downloaded above to your server.

2. Unzip the library you downloaded in #1 above.

3. In a separate folder, un-sar the file you downloaded in #2 above.

4. Inside the unzipped archive (from Step 2) you will find a folder called "SECURE_LOGIN_LIBRARY".  Inside it select the correct subfolder for your OS.  Hint "Solaris" is often referred to as sunos 5.  If you have Solaris 10 on Sparc (like us) you will want the folder called "sunos-5.10-sparc-64".

5. Inside the unzipped archive (from step 3) you will find a series of folders that match up to your operating system version.  Note the appropriate folder.

6. Go to /usr/sap/<SID>/<INSTANCE>.  Inside it create two directories (if they don't already exist): "SLL" and "security".

7. Inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" which is in the folder you identified in Step 4.

8. While still inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" identified in Step 5.

9. Go to /sapmnt/<SID>/exe/.  Once inside it, use SAPCAR to un-sar the file downloaded in #3 above.

 

2. Active Directory Preparation/Work

This solution requires that you use MS Active Directory (aka Domains).  For this section you will have to work with your organization's active directory staff.

1. Have the active directory staff create a new service account for you.  The name of the account doesn't really matter, just note what it is.

2. Set a strong account password.  Set the password to never expire and unchangeable.  Note the exact PaSsWoRd made here, you'll need it later in section 3.

3. Inside the new account created in the previous step, have them create/assign a new "Service Principal Name" (SPN).  The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> -- as previously noted this entry is CaSe SeNsItIvE.  Here-in this will be called <SPN>

3. Server Side Config

1. Change directories to /usr/sap/<SID>/<Instance>/SLL

2. Set the environment variable "SECUDIR" to "/usr/sap/<SID>/<Instance>/sec".  If you like/use bash (like me) do this by executing "export SECUDIR=/usr/sap/<SID>/<Instance>/sec".

3. Create the PSE Environment.  Do this by executing: "./snc crtpse" with you PWD (Present Working Directory) being /usr/sap/<SID>/<INSTANCE>/SLL/.  You'll be prompted to create a password.  The value of this password doesn't matter, but note what you make it.

4. Create a keytab entry for your SPN created above.  Do this by executing "./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>".  You will be prompted for a password.  This password must be the same as the password set when you created the Active Directory account in step 2-1.  The <ActiveDirectoryDomain> must be in ALL CAPS.

4. AS ABAP Configuration

1. Log into your SAP System GUI.

2. Start up transaction RZ10.  Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):

snc/permit_insecure_start         1
snc/accept_insecure_cpic          1
snc/r3int_rfc_qop                 8
snc/r3int_rfc_secure              0
snc/data_protection/use           3
snc/data_protection/min           2
snc/data_protection/max           3
snc/identity/as                   p:CN=<SPN>@<ActiveDirectoryDomain>   (the <ActiveDirectoryDomain> must be in ALL CAPS)
snc/gssapi_lib                    /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable                        0
snc/force_login_screen            1
snc/accept_insecure_rfc           1
snc/accept_insecure_gui           1

ssf/name                          SAPSECULIB   (suggested in DEFAULT.PFL)
ssf/ssfapi_lib                    $(ssl/ssl_lib)
ssl/ssl_lib                       $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu                    $(ssl/ssl_lib)
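As an added example (not part of the original document and not an SAP tool), the following Python script parses an instance profile in the "key = value" form used above, expands the $(...) references that the ssl/ssl_lib chain relies on, and checks the snc/* values listed here together with the rsau/* values proposed in the Security Audit Log post earlier on this page. The sample profile, the check_profile function and its rule table are assumptions of this example.

```python
"""Check an SAP instance profile for the SNC and Security Audit Log settings
recommended on this page (added example, not SAP code)."""
import re

# Expected values are from the page (snc/* and rsau/*); None = must be set, any value.
REQUIRED = {
    "rsau/enable": "1",
    "rsau/selection_slots": "10",
    "rsau/user_selection": "1",
    "snc/enable": "1",            # the page uses 0 only during the bootstrap phase
    "snc/data_protection/use": "3",
    "snc/data_protection/min": "2",
    "snc/data_protection/max": "3",
    "snc/force_login_screen": "1",
    "snc/gssapi_lib": None,
    "snc/identity/as": None,
}

_REF = re.compile(r"\$\(([^)]+)\)")   # matches a $(NAME) reference


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, other lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)   # a value may itself contain '='
        params[key.strip()] = value.strip()
    return params


def resolve(params, key, _depth=0):
    """Expand $(name) references recursively, as the ssl/ssl_lib chain needs."""
    if _depth > 10:
        raise ValueError("reference loop while resolving %s" % key)
    return _REF.sub(lambda m: resolve(params, m.group(1), _depth + 1),
                    params.get(key, ""))


def check_profile(text):
    """Return (parameter, expected, actual) findings; an empty list means OK."""
    params = parse_profile(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = params.get(key)
        if actual is None or (expected is not None and actual != expected):
            findings.append((key, expected, actual))
    # The page insists the realm after '@' in snc/identity/as is in ALL CAPS.
    realm = params.get("snc/identity/as", "").rsplit("@", 1)[-1]
    if realm != realm.upper():
        findings.append(("snc/identity/as", "realm in ALL CAPS", realm))
    return findings


# Constructed profile (placeholder SID/paths) with snc/enable still 0, a lower-case realm
# and no rsau/selection_slots, so that the checker has something to report.
SAMPLE_PROFILE = """
# constructed instance profile, not from a real system
DIR_EXECUTABLE = /sapmnt/XXX/exe
DIR_SEP = /
FT_DLL_PREFIX = lib
FT_DLL = .so
rsau/enable = 1
rsau/user_selection = 1
snc/enable = 0
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/force_login_screen = 1
snc/gssapi_lib = /usr/sap/XXX/DVEBMGS00/SLL/libsecgss.so
snc/identity/as = p:CN=SAP/KerberosXXX@example.org
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
ssf/ssfapi_lib = $(ssl/ssl_lib)
sec/libsapsecu = $(ssl/ssl_lib)
"""

if __name__ == "__main__":
    print("sec/libsapsecu ->", resolve(parse_profile(SAMPLE_PROFILE), "sec/libsapsecu"))
    for key, expected, actual in check_profile(SAMPLE_PROFILE):
        print("FINDING %s: expected %s, found %s" % (key, expected, actual))
```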

 

3. Add the following entry to your start profile(s):

SETENV_XX (XX = next available value) SECUDIR=$(DIR_INSTANCE)/sec

 

3. Exit AS ABAP/Log off.

4. Restart the SAP System.

5. Once the system is restarted, go to transaction STRUST.

6. In transaction STRUST you will now find an entry in the left pane that says "SNC SAPCryptolib".  It should have a red "X" next to it.  Right click on it and select "Create".  You'll notice the "SNC ID" is already filled in for you.  Select RSA and an appropriate key size, then click the green check mark.

7. Go back to RZ10.  Change the value of "snc/enable" to 1.

8. Log out and restart the SAP system again.

 

Once you've restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:

N Wed Aug 14 13:45:01 2013
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N    File "/usr/sap/<SID>/<Instance>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N  SncInit():   found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c    266]
M  SNC (Secure Network Communication) enabled

If you don't see this but instead see errors, chances are your ABAP system no longer works (good job ).  You'll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0.  Then restart your system and troubleshoot (good luck).
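To judge the trace without reading it by eye, here is an added Python helper (not part of the original document and not an SAP tool) that extracts the SncInit() facts from dev_w0-style lines, reports whether the closing "SNC ... enabled" line was reached, and checks that the min/use/max protection levels are mutually consistent. The sample traces are constructed from the excerpt above, and treating lines containing ERROR as failures is an assumption of this example.

```python
"""Summarise the SncInit() section of a dev_w0 work-process trace (added
example, not SAP code) so a restart can be judged without reading the file."""
import re

_LEVEL = re.compile(r"found snc/data_protection/(use|min|max)=\d, using (\d) \((\w+) Level\)")
_IDENT = re.compile(r"found snc/identity/as=(\S+)")
_LIB = re.compile(r"found\s+snc/gssapi_lib=(\S+)")
_ENABLED = "SNC (Secure Network Communication) enabled"


def snc_status(trace):
    """Return a dict describing what SncInit() reported.

    'enabled' is True only if the final 'SNC ... enabled' line was written.
    Assumption of this example: failures are flagged with 'ERROR' in the line."""
    status = {"enabled": False, "levels": {}, "identity": None,
              "gssapi_lib": None, "errors": []}
    for line in trace.splitlines():
        if "ERROR" in line:
            status["errors"].append(line.strip())
            continue
        m = _LEVEL.search(line)
        if m:   # e.g. use -> (3, "Privacy"), min -> (2, "Integrity")
            status["levels"][m.group(1)] = (int(m.group(2)), m.group(3))
        m = _IDENT.search(line)
        if m:
            status["identity"] = m.group(1)
        m = _LIB.search(line)
        if m:
            status["gssapi_lib"] = m.group(1)
        if _ENABLED in line:
            status["enabled"] = True
    return status


def levels_consistent(status):
    """True when min <= use <= max, i.e. the three quality-of-protection
    settings the page asks for (2 / 3 / 3) can actually coexist."""
    lv = status["levels"]
    if any(k not in lv for k in ("min", "use", "max")):
        return False
    return lv["min"][0] <= lv["use"][0] <= lv["max"][0]


# Constructed trace modelled on the excerpt above (placeholders kept as-is).
SAMPLE_OK = """\
N Wed Aug 14 13:45:01 2013
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/<SID>/<Instance>/SLL/libsecgss.so
N    File "/usr/sap/<SID>/<Instance>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N  SncInit():   found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c    266]
M  SNC (Secure Network Communication) enabled
"""

# Constructed failure case: the library is found but initialisation stops early.
SAMPLE_FAIL = """\
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/<SID>/<Instance>/SLL/libsecgss.so
N  *** ERROR => SncInit(): constructed example failure, no enabled line follows
"""

if __name__ == "__main__":
    for name, trace in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        s = snc_status(trace)
        print(name, "enabled=%s levels=%s errors=%d consistent=%s"
              % (s["enabled"], s["levels"], len(s["errors"]), levels_consistent(s)))
```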

5. PC SNC Client Installation/Config

1. Inside the main SNC library file you downloaded above in file download step 1, you'll find a "SNC_CLIENT_ENCRYPTION" folder.  On your PC execute the "SapSncClientEncryption.exe" file you'll find in this folder.  If you already have the "SNC Client Encryption" installed, I'd recommend you uninstall it and re-install it, just to make sure you have a compatible version.

2. After you executed the previous step, start up the SAP GUI on your workstation.

3. In the GUI right click on the logon entry representing the SAP you are working on.  Select "Properties" from the context menu that pops up.

4. On the window that pops up, select the "Network" tab.

5. Check the box that says "Activate Secure Network Communications".

6. Enter the "SNC Name" as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

7. Select "Maximum security settings available"

8. Check the box "SNC logon with user/password (no Single Sign-On)"

 

You've done it.  Now all that's left is pray to the deity of your choosing <grin>.  If he/she smiles upon you, you should be able to log in to your SAP System.  You'll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.

 

6. Troubleshooting

For troubleshooting SNC issues on the client side, consider reading this document on the SAP help site or Google: "Enabling Traces for SNC Client Encryption"

SAP, OpenSSL, and Heartbleed


I'm sure by now everyone has heard more than they wanted to about the latest vulnerability sweeping the Internet.  As far as I can tell, SAP NetWeaver systems don't have any built-in OpenSSL components and shouldn't be vulnerable, but I'm not 100% sure about this.  I'm a little surprised that I can't find any mention of Heartbleed in any of the forums today.

 

So, can anyone state with authority that I'm correct about this, and NetWeaver (ABAP and/or Java) systems are not inherently vulnerable to this flaw?

 

Thanks,

Matt

User XYZ has no authorization for tp command IMPORT


Dear friends,

 

We have several users who are facing an issue while importing TRs into the QA system from the DEV system. We have checked with the users by assigning them SAP_ALL, and even then they face the same issue. Could you please help us with this? I have attached a screenshot of the error. We are using Solman for transports.

 

Thanks

Gaurav

Plant Level Restriction in Tx. OX09


Hi,

 

I have a requirement to make a restriction at plant level while executing transaction OX09. I checked the transaction and found it is using SM30. But while executing this transaction I receive the below screen for plant selection.

1212311.jpg

Can we make a restriction for plant selection with that screen, or do we have some other option so that the user can execute this transaction for assigned plants only?

 

Thanks in advance.

Himanshu


What is the need of Custom T-code ZSE16N?



Hi,

What is the purpose of a custom t-code for table view (ZSE16N)? SE16N itself is a display t-code, and the table restrictions are done through S_TABU_DIS and S_TABU_NAM configuration.

Need advice for transportation of Derived and parent roles


Hi,

 

Good day to all. I have a query regarding role transports involving parent and derived roles.


1. I know that when we transport Derived (Child) roles, the Parent role gets included in the Transport. This I understand is the SAP standard process.

Would it be possible to provide more information related to the SAP standard process regarding this? A link to refer to would definitely help.

 

2. Due to the inclusion of the master (parent) roles we end up getting a lot of transport collisions. We have approximately 100-150 child roles per master role. As a result, though there might be no actual changes on the master role, and maybe only an org level update on the child roles for different locations, we still have to look at a lot of transport collisions due to changes for different locations.

 

My question is: if we remove the parent/master role from the transport, would it cause any issues? Would it also affect the inheritance in any way or cause any authorization issues later on?

 

Please advise.

remote host supports the use of SSL ciphers that offer weak encryption


Dear All,

 

Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.

 

We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.

As mentioned in point 6, we have added the below parameter in the instance profile of the application server and restarted our server, but still the issue is not resolved.

 

ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL

 

Clients are accessing our PI server through SAP Web dispatcher.

 

Kindly suggest the action to be taken to resolve the issue.

 

Please find the below comment from Audit.

-----------------------------------------------------------------------------------------------------------------------

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------

 

 

Regards,

Lalitha.

Heartbleed: Don't change your passwords (yet)!


For the two people that have not heard of the OpenSSL Heartbleed-Bug yet, let me start with a short explanation (taken from Heartbleed Bug):

 

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

 

 

So, is that a serious issue? Hell yeah! To quote Bruce Schneier: "'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."

 

You will see lots of people recommending you change your passwords on all https:// sites. While that is generally something that you want to do now and then (in my case that would probably require me to take a week off...) _right now_ is probably not the time (yet).

 

Let me explain:

 

  • If one of the sites you have an account on is affected by the issue, data from the site may have leaked, including session data, cookies or your password (although in the individual case that is highly unlikely). Also, depending on how their landscape has been set up, their SSL keys may have leaked.
  • This means that it _might_ be the case that an attacker has the SSL keys and can use them to decrypt the communication and sniff your new password, too. In order to fix that, the site has to request & install a new SSL server certificate _and_ declare the old one invalid by revoking it.
  • Unfortunately your browser will ignore that revocation by default, which is why you should check the settings as described in this blog: http://www.macobserver.com/tmo/article/dealing-with-heartbleed-what-you-need-to-know/P5
  • The last step is to wait for the site operator to either notify you or state on the web site that they have done the first two things (patched OpenSSL & renewed SSL certificates). Only then can the site be considered secure again!

 

While you're at it, it's probably also a good idea to renew any OAuth authorizations you may have given on those sites (like allowing your blog to automatically post to Twitter).

 

This is going to be a loooong painful process for everyone. But there's no point running in a blind panic now. There's a lesson in there for everyone, I guess.

 

Other recommended blogs to read while you're waiting:

 

Creativity is bad.

 

On Passwords

 


Featured Content in Security


Wanted: Your Insights and Feedback on SAP Product Security

Ensuring software security is a top priority at SAP, and development teams are continuously working on improving the security features of our products. In our current customer engagement initiative, we are looking for customer feedback on security pain points and priorities. Our goal is to identify potential for improvements that could enable more efficient and secure SAP software environments. Find out more. 11 April 2014

 

Secure System Communication with UCON

To help you keep pace with ever-growing security challenges, SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for securing Remote Function Calls (RFCs) in ABAP-based systems. Read Thomas Weiss’ new SAP Insider article to find out more. 10 January 2014

 

New Overview Presentation on SAP NetWeaver Application Server, Add-On for Code Vulnerability Analysis

SAP NetWeaver Application Server, add-on for code vulnerability analysis is an integrated tool for efficiently scanning ABAP source code for security vulnerabilities. The new overview presentation explains in detail how you can easily and efficiently locate security risks in your ABAP source code in order to create secure applications with confidence. 8 January 2014

Preparing test cases for authorization objects


Hi everyone,

 

I am preparing test cases for one of the roles assigned to a user.

 

In the role I have the below authorization objects. Will you please help me with how I can prepare test cases for the below, please?

 

1. S_TRANSLAT: Translation environment auth object, in which ACTIVITY: 02, Target language: *, and Translation: Text type name: *

2. S_PROGRAM: ABAP: Program Flow Checks, in which User action ABAP/4 program: VARIANT, and Authorization group ABAP/4 pro: *

3. S_ADMI_FCD: System Authorizations

4. S_RFC: Authorization Check for RFC Access

5. S_BDS_D: BC-SRV-KPR-BDS: Authorizations for Accessing Documents

6. S_RFCACL: Authorization Check for RFC User (e.g. Trusted System)

7. S_RS_AO: Analysis Office: Authority Object

8. S_RS_RSTT: Authorization Object for RS Trace Tool

 

 

By using which t-codes can I prepare these test cases?

 

Please don't suggest checking in the SU21 t-code; I already did enough research and was unable to find them.

 

Thanks,

Chandra.

User mapping - Trusted RFC - 2 SAP Systems


Hi,

 

We have a problem regarding different user IDs in 2 SAP systems.

 

We have a global SAP system and a local SAP system. On our global SAP we have a BSP application. This BSP writes data into local SAP.

 

The picture shows in scenario 2 that we have local SAP where the user has a different user ID to global SAP. It is not possible to harmonize it. So we need a user mapping.

 

Are there any SAP standard functionalities for this topic?

user mapping.jpg


minimum Authorization SAP user to extract data using sap connector


Hi Experts,

 

We have our own application which uses SAP connectors (Java and .NET) to connect to the SAP system to extract all the metadata.

For this we make the connection with SAP in our application using SAP host, system number, client, username and password.

 

Our extraction is failing with the authorization error.

 

Could you please let me know what the minimum authorizations required are for a connection user to extract all the metadata?

 

Thanks for your help in advance.

 

Regards,

Krishna

Remove multiple roles from multiple user.


I want to remove multiple roles from multiple users, but there is also a condition that not all users have all of the roles.

In some users, one or two roles, or more, do not exist.

So please give me an easy way to remove the roles.

And I don't want to remove them using PFCG or SU01; it's too long a process.

Thanks in advance.

Authorization Object Error


Hi All,

 

I added an object M_MATE_WRK in the master role and generated the profile for derived role as well.

The necessary derived roles have the object now.

When user runs a custom t-code which needs this object the su53 still shows that access for M_MATE_WRK is missing.

I ran a trace to see which object is actually missing, and even the trace shows the same object.

Can anyone please help me understand why this object is not reflected in the user profile?

 

Regards,

Yasmin

Read Access Logging: Overview Presentation


The Read Access Logging tool for SAP NetWeaver Application Server ABAP allows you to monitor and log read access to sensitive data. This overview presentation explains in detail how you can use the Read Access Logging framework in order to protect sensitive business data and prevent security violations.

View this Presentation

User list for role & tcode



Hi,

 

How do I find the list of roles and tcodes assigned to a user? Is there any specific table for this?

 

Thanks,

 

Venkatesh
