Channel: SCN : All Content - Security

Cost center restrictions for KB15N - Manual Cost Allocation


Hello,

 

I want to add a CO-transaction KB15N - "Manual Cost Allocation" to a role and want to ensure that only selected CO-objects (cost centers, internal orders) can be posted with it.

 

However, when I see the checked authorization objects for this transaction in SU24 (see screenshot) I cannot find any objects allowing the restriction to selected CO-objects only.

 

Could you please give me a tip how I can make that certain cost centers or orders cannot be posted with KB15N with this role?

 

With best regards,

Robert


Multiple Logon Disable in SAP


Hi,

 

I have disabled multiple logins in SAP through RZ10. When a user's network session is lost for any reason, he is not able to log in again because the only option showing is "Terminate this login". I want to enable the other option, "Continue with this logon & ends any other logon", so the user can end the free session. Please help.

 

Rgds

sudarshan

Segregating Warehouse Responsibilities


Segregating Warehouse Responsibilities using standard Inventory Management and Warehouse management authorizations


Background/Situation


In certain situations there can be a requirement to separate logistical processes in an SAP system on a detailed level. This is usually the case when different parties are responsible for performing different logistical processes and/or are responsible for different parts of the same warehouse.


Examples of the situations where the requirements could occur are:

  • A third party executes logistical activities and manages a part of the plant and warehouse. In these parts of the plant and warehouse this third party is responsible for the stock.
  • ‘Special’ materials are stored in certain parts of the warehouse and should only be handled by a certain set of users.


This separation in responsibilities can be depicted in SAP by setting up different plants and warehouses that can subsequently be authorized on. But these solutions would mean a redesign of the logistical landscape, and additional administrative activities would be needed during day-to-day operations. Avoiding this redesign and administrative burden requires effective authorization restrictions on organizational elements lower than plant and warehouse. The requirement of controlling who executes IM and WM processes on a detailed level can be met using standard SAP authorizations in combination with IM/WM customizing, without setting up additional plants and warehouses. This blog discusses this solution for segregating warehouse responsibilities.


Content of this blog


This blog explains when this solution can be used, when it should not be used, how it works and what it can and cannot do.  It also gives an overview of the activities that need to be performed to implement the solution. The solution is based on my own investigation and experience, but also information from several notes, knowledge base articles and threads was used and combined to create a complete solution.


The solution and when to use it


You can use the solution when you need to differentiate between different groups of users who can perform IM/WM activities within parts of the same plant and warehouse.


The SAP WM customizing and the authorization elements ‘storage location’ and ‘storage type’ form the basis for the solution. By properly defining the WM customizing and authorizing on these elements you can:

  • Restrict IM movements based on storage location to certain groups of users (next to the normal restriction on movement type and plant)
  • Ensure that ‘allowed processes’ are defined in WM customizing (like storage type search settings), so that users who need to execute WM processes are not hampered by authorization checks
  • Restrict ‘manual’ WM movements based on the ‘source’ and ‘destination’ storage type to certain groups of users (next to the normal restriction on warehouse and WM movement type)


By authorizing on these two elements (storage location and storage type), you can create an authorization setup that only allows users with certain roles to perform specific IM and resulting WM movements for specific storage locations, and that restricts who can make ‘manual’ WM movements for specific storage types. In this case ‘manual’ WM movements refer to transfer orders that are not triggered by an IM movement or other specific logistical actions, for example the transfer orders of movement type 999 that can be created manually via transaction LT01.


With such an authorization setup only the party that is responsible for the storage locations and storage types can keep control over the movements of stock located there while normal ‘Allowed’ warehouse processes are performed in a regulated manner and are not hampered by authorization restrictions.


When not to use it


Only use it when there is a hard requirement that these restrictions are enforced by the system. Implementing and maintaining the solution (for WM) can be complex. If there is no hard requirement to enforce these restrictions in the system on such a detailed level, don’t do it. In case checking whether procedural agreements are adhered to is sufficient, do not use authorizations for it. It also makes no sense to put restrictions into effect in SAP if there are no physical restrictions as well. If SAP blocks a user from moving materials from one part of the warehouse to another but there is no physical restriction (like a locked door or a fence), the person can still just move the materials and not register it.


Prerequisites


Before this solution can be implemented a number of things need to be clear. If these aspects are not clear the solution cannot be implemented correctly and will only work partly or not at all.  The following must be determined:

  • Ownership of all Storage locations
  • Ownership of all Storage types
  • Clearly defined logistical processes
  • Which party executes which steps in these processes

Combined ownership of storage locations and storage types should be avoided as much as possible as this will complicate and can (partially) undermine the solution. Wherever possible, ownership of storage types for interim bins has to be determined as well.


The concept


Inventory Management


When an IM movement is made, an authorization check on plant and movement type is executed. If the user is not authorized, the movement cannot be made. By settings made in customizing, a subsequent check can be activated whenever a movement is made for a certain storage location. This customizing switch is set per storage location. By default this customizing setting is off. When this customizing setting for a storage location is activated, it will trigger an authorization check for the combination of movement type, plant, storage location (and of course activity) whenever an IM movement is made using this storage location. The authorization object checked is M_MSEG_LGO. See also SAP Knowledge Base Article 1668678.


So by only granting the roles for a certain party the storage locations/plants they are responsible for, in combination with the movement types they are allowed to perform, the required segregation in responsibilities can be made.


When a storage location to storage location movement is made, both the ‘source’ and ‘destination’ storage locations are checked in case the customizing check is set for both storage locations. This would mean that a movement between storage locations ‘owned’ by different parties is blocked by authorizations. In those cases a ‘two-step’ storage location to storage location movement can be made, wherein the sending party executes the first step and the receiving party executes the second step. See also SAP note 205448.


Warehouse management


The solution for warehouse management is more complicated and is based on the SAP WM Customizing like the concept of storage type search (strategies).


Authorization check for all transfer orders:


During the creation of a TO, an authorization check on warehouse is performed in all cases (field LGNUM of object L_LGNUM). At that point no check on storage type is performed (LGTYP is checked with DUMMY). See also Knowledge Base Article 1803389. In case the user is not authorized for the warehouse, the TO cannot be created.


Authorization checks in relation to WM customizing:


When a transfer order is created, SAP will try to determine which storage type to pick the material from (source) or which storage type to put this material (destination).


To determine where to pick from SAP checks if it can find a suitable source storage type for removal by searching in the ‘storage type search’ table defined in WM customizing.  This search uses a number of variables like reference movement type, warehouse, pick strategy indicator in the material master and special stock indicator to find a suitable storage type. In case a suitable source storage type is found and used in the transfer order no extra check is performed.


The same method is used to determine the storage type to put away the material. In that case a suitable destination storage type is searched for in the ‘storage type search’ table in WM customizing.   In case found no extra authorization check is performed.


In a lot of cases WM movements are triggered by logistical activities like IM movements. Under normal circumstances the ‘storage type search’ WM customizing is properly defined for the logistical process, the necessary material master data is set up, and the TO can be created without issues and without needing explicit authorization for the source or destination storage types. This is because it is an ‘allowed’ process and as such the extra authorization checks are not needed.


In case no suitable source or destination storage type is found in the ‘storage type search’ table and the user creates the transfer order in the foreground, the user can enter a source or destination storage type manually. In that case an extra authorization check is executed. This check is on the combination of storage type and warehouse. The same object L_LGNUM is used for this check, but now the field LGTYP is not checked with DUMMY but for the storage type (see FORM BERECHTIGUNG_LGTYP of include FL000F00). This check is performed because the entered storage type is not found as a suitable storage type in the search strategy (see include LL03AF6I). This check on object L_LGNUM is executed separately for the destination and source storage type. Also, when the user creates the transfer order in the foreground and changes the source or destination storage type into a storage type that is not part of the applicable ‘storage type search’ table entry, this extra authorization check on the source and/or destination storage type is executed. See also Knowledge Base Article 1803389. A thread that also mentions this is http://scn.sap.com/thread/775605


Using what is explained above this extra authorization check can be used to restrict the deviations that a user can make compared to the ‘allowed’ processes that are defined in the WM customizing.  By only granting authorization for the storage types the user is responsible for the user can only make deviations to these storage types. This can be considered technically correct as the stock located there is under this user’s responsibility.


Authorization checks for ‘manual’ transfer orders


Some WM movements can be created manually and are not triggered by other activities like IM. For instance, transaction code LT01 can be used to create a TO manually. Normally these movements are WM supervision movement types like 999. Not all WM movements can be created manually. Which WM movement types can be used to manually create TOs depends on customizing. For all movements that are created manually, an authorization check on WM movement type in combination with warehouse is executed. The object that is checked is L_BWLVS. The general check on warehouse is executed as well. During the creation of manual transfer orders the concept of ‘storage type search’ and authorizations also applies. By not setting up ‘storage type search’ customizing for those movements, the extra authorization check is always executed. By only providing authorization for the storage types they control, users can only move stock between these storage types using these ‘manual’ movements.


Conclusion:

  1. By restricting the access on IM level (movement type, plant and storage location), or on other actions that trigger a transfer order, the authorization for the subsequent WM movement is restricted as well. If the user has authorization for the action, the user also has authorization for the subsequent TO, but the manipulation of the storage types the material is picked from or put away to can be restricted to those defined as applicable in the storage type search (WM customizing) and those that are controlled by the authorization of the user (using roles).
  2. The manual WM movements can be restricted based on movement types and to those storage types that are controlled by the user’s authorizations (using roles).
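
The check sequence described in the warehouse management concept can be written down as a small decision model. This is an added example, not SAP code and not part of the original blog: it is a simplification in which the storage type search is reduced to a lookup on warehouse, movement type and direction, and the warehouse `WH1`, the storage types `A01`/`B01`/`B02`/`INT`, movement type `101` and the user `PARTY_B` are constructed.

```python
"""Simplified model of the WM authorization checks at transfer order creation.
Not SAP code: warehouse, storage types and the user below are constructed."""
from dataclasses import dataclass

DUMMY = "DUMMY"  # the storage type field is not evaluated in this check


@dataclass(frozen=True)
class TransferOrder:
    warehouse: str        # LGNUM
    movement_type: str    # WM movement type
    source_type: str      # source storage type (LGTYP)
    dest_type: str        # destination storage type (LGTYP)
    manual: bool = False  # created directly (e.g. LT01), not triggered by IM


@dataclass(frozen=True)
class UserAuth:
    l_lgnum: frozenset                # {(warehouse, storage type)}
    l_bwlvs: frozenset = frozenset()  # {(warehouse, WM movement type)}


def required_checks(to, search):
    """List the (object, (warehouse, value)) checks executed for `to`.

    `search` stands in for the storage type search customizing:
    {(warehouse, movement type, "removal" | "placement"): {storage types}}.
    """
    checks = [("L_LGNUM", (to.warehouse, DUMMY))]      # always executed
    if to.manual:                                      # manual TO: movement type check
        checks.append(("L_BWLVS", (to.warehouse, to.movement_type)))
    for op, lgtyp in (("removal", to.source_type), ("placement", to.dest_type)):
        allowed = search.get((to.warehouse, to.movement_type, op), set())
        if lgtyp not in allowed:                       # entered or changed by the user
            checks.append(("L_LGNUM", (to.warehouse, lgtyp)))
    return checks


def _granted(auth, obj, fields):
    warehouse, value = fields
    if obj == "L_BWLVS":
        return (warehouse, value) in auth.l_bwlvs
    if value == DUMMY:                                 # any authorization for the warehouse
        return any(w == warehouse for w, _ in auth.l_lgnum)
    return (warehouse, value) in auth.l_lgnum


def failed_checks(to, search, auth):
    """Return the checks that fail; an empty list means the TO can be created."""
    return [c for c in required_checks(to, search) if not _granted(auth, *c)]


# Constructed customizing: goods receipt putaway (101) is an 'allowed' process
# from interim type INT into B01. Nothing is maintained for 999 on purpose.
SEARCH = {
    ("WH1", "101", "removal"): {"INT"},
    ("WH1", "101", "placement"): {"B01"},
}
# Constructed user of party B: owns storage types B01 and B02, may use 999.
PARTY_B = UserAuth(
    l_lgnum=frozenset({("WH1", "B01"), ("WH1", "B02")}),
    l_bwlvs=frozenset({("WH1", "999")}),
)

ALLOWED_TO = TransferOrder("WH1", "101", "INT", "B01")
DEVIATION_TO = TransferOrder("WH1", "101", "INT", "A01")   # destination changed
MANUAL_OWN = TransferOrder("WH1", "999", "B01", "B02", manual=True)
MANUAL_CROSS = TransferOrder("WH1", "999", "B01", "A01", manual=True)

if __name__ == "__main__":
    for name, to in [("allowed", ALLOWED_TO), ("deviation", DEVIATION_TO),
                     ("manual own", MANUAL_OWN), ("manual cross", MANUAL_CROSS)]:
        failed = failed_checks(to, SEARCH, PARTY_B)
        print(f"{name:13} checks={len(required_checks(to, SEARCH))} "
              f"result={'OK' if not failed else 'BLOCKED ' + str(failed)}")
```

Note that in the allowed process the user needs no authorization for `INT` at all, because the storage types come from the search table; only the deviation to `A01` triggers the storage type check.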


What it cannot do


Warehouse management:


No authorization check on storage type is performed when a TO is confirmed. The Warehouse is checked but the storage type is not checked (Object L_LGNUM with DUMMY). This means that anybody with authorization for the warehouse and confirming any TO can confirm a TO for that warehouse. There is no way to restrict on storage type during TO confirmation using standard SAP.  Because a Transfer order needs to have been created in order for it to be confirmed and the creation of the TO is controlled this gap is not crucial for the solution. Also the storage type cannot be altered during confirmation.


Inventory Management:


In almost all situations a material document will contain a storage location. There are however a few situations where a material document does not contain a storage location. This is when a goods receipt is performed and the materials are consumed upon receipt. This happens for instance if a PO has a cost center as account assignment. You must determine if these situations are relevant and if this gap is relevant for your situation. If for example goods receipts are always performed by one of the parties, then only this party should have the authorization to do goods receipts. Although this party could potentially do a goods receipt while the PO erroneously contains a storage location which is not ‘owned’ by this party, they can still do the goods receipt. This will not be an issue as they are responsible for all goods receipts. In case multiple parties need to be able to perform goods receipts for different storage locations, you can include an authorization check (on e.g. the storage location in the PO) using BADI MB_CHECK_LINE_BADI. This is however not standard SAP.


How to set it up


Inventory Management:

The easier part is the authorization restriction for Inventory Management. This can be done in four steps:


1) Activate the check on storage location:


Activate the check on object M_MSEG_LGO in customizing (menu path “Materials Management --> Inventory Management and Physical Inventory --> Authorization Management --> Authorization Check for Storage Locations”). See also SAP Knowledge Base Article 16686




2) Make storage location an organizational level:


Use program ‘PFCG_ORG_FIELD_CREATE’ to make the field LGORT an organizational level. See SAP note 727536


3) Update SU24 for relevant transaction codes:


All transactions that create, change or display IM movements need to be updated to have object M_MSEG_LGO set as ‘proposed = Y’  so that the object is populated in PFCG during role maintenance.


4) All roles that contain these transactions need to be updated to contain the M_MSEG_LGO object with the right plants, storage locations, movement types and activity. Important to know is that the check on M_MSEG_LGO is also performed when a material document is displayed. This means that roles that provide display access to material documents (like MB51) also need to be updated to include the authorizations with activity ‘03’.


Warehouse management


Setting up the solution for warehouse management is the trickier part and consists of three steps:


1) Set up all necessary storage type search strategies to cover ALL ‘allowed’ processes:


Stock removal and stock placement storage types search entries have to be setup in WM customizing for all ‘allowed’ processes for which no additional authorization check on storage type is needed.


2) Make sure that the necessary master data (material master data etc) is set up correctly so that the correct storage type search can be found and used during 'allowed' processes

 

3) Update the roles:

 

All roles that contain the object L_LGNUM need to be updated so that they contain the authorization for the storage types belonging to the parties they are for. Please note that the object has no activity field and that some display transactions related to WM check on this object as well with DUMMY for the field LGTYP.

 

What to consider during implementation


Please keep in mind the below aspects in order to successfully deploy this solution:

  1. WM storage type search (strategies/sequences):  All ‘allowed’ scenarios must be covered by stock removal and stock placement strategies else authorization checks on storage type will be triggered which can fail because the user is not authorized while he/she should be able to perform the step in the process. Considering there are many variables involved there are many strategies to be maintained.  Having the processes clear and involving a specialist in SAP WM is essential in order to cover everything needed.
  2. Material master data:  In order for SAP to find the correct storage type in the ‘storage type search’ table the material master data fields like stock placement and stock removal strategy indicators need to be set correctly. This is crucial for the solution to work.  As there are a lot of material master records this can be quite some work. Most issues after introducing this solution will most probably be because of the incorrect or missing material master WM data.
  3. Training (of key users): especially the WM part of the solution can be complex. Training of (key) users is important in order for them to understand the concept and to find the right solution when goods ‘get stuck’.
  4. (Temporary) super role: It can be very useful to (temporarily) have a sort of ‘super user’ role available that can make transfer orders between storage types handled by different parties (including those for dynamic bins). This can be done by granting this role authorization for all storage types, or by creating a WM movement type that has search strategies for all storage types and granting access to that movement type. By assigning this role to a limited number of key users during the first phase after go-live, a workaround is available when a material movement gets ‘stuck’ while a real solution (like changes to material master data, WM search strategies or authorization roles) is being investigated and followed up.

Roles in child system


Hi,

 

Is there any way that I can see the roles in all child systems from CUA? I can't use USLA04 table as it is a new role and no users are assigned.

 

Thanks in advance.

 

Regards,

Subha

Active Table Logging T000 performance impact



Hi fellow SAP experts,

 

I need some advice on system performance impact when switching on Table Logging for T000 - configuration in production please?

 

We have decided to turn on Table Logging for auditing purposes, only allowing developer config in production following a volume of evidence being supplied.

 

I need to know how much this activation is going to impact the performance of the company's production environments, how much storage, memory, performance, etc. this function is going to consume and how much of the above consumables I need to cater for now and in the future?

 

We have a Dual Track environment, BAU want to switch on Table Logging for fix on fail, I want to switch it on for Project deliveries.

 

Please advise, with referencing if possible?

 

Thank you kindly

Paul

SAP_ALL profile to role: If SAP_ALL changes?


Hi,

 

We wanted to give SAP_ALL profile to users with validity date and it is advised to generate a role from SAP_ALL profile.

My question is: SAP_ALL is a live profile; when new authorization objects are added to the system (maybe after new functionality), SAP_ALL is also expanded with a report and these new authorizations are also added to SAP_ALL, right?

When I generate a role using this profile as template and then if SAP_ALL changes, how can I update the role created from SAP_ALL automatically?

Thank you for your help.

 

Best regards

Oktay 

All objects are inactive in derived roles (copied from existing derived role)


 

I need to create more than 1000 derived roles, from existing reference roles.

Reference roles are also derived roles. So I executed LSMW for mass copy.

Eg: Reference role XYZ with parent role XXX

New role (ABC) copied from XYZ, so ABC is having same values as XYZ and master role also.

Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles. I am not able to activate the object also.



 

Problems in NW 7.02 in STRUST Importing Verisign Cert Response


I generated a new Client certificate and sent it to Verisign via our enterprise group and I have received a Verisign certificate.  When I attempt to "Import Certificate Response", I get the following error (Long text):

 

Issuer certificate missing in database:CN=Symantec Class 3 Secure Server CA - G4, OU=Syma

Message no. TRUST057

Diagnosis

The following issuer certificate is missing from the database or is marked as inactive: CN=Symantec Class 3 Secure Server CA - G4, OU=Syma

Procedure

Store the issuer certificate in the database (menu function Certificate -> Export -> Database) and make sure that the certificate is not marked as inactive (menu function Certificate -> Database).

 

How can I import the intermediate/primary certificates to resolve this problem?


Documentation Link in AIS does not work - who wants/can help?


Hello,

 

Is someone able to tell me why the documentation link in SAP AIS is not working?

 

 

As an instance:

 

KW - SAP Library >>> Finance General (FI)

 

Thank you

All the best

Erwin

User creation on CUA child system with BAPI


We have a scenario where we want to make an SLC Sell side system part of the CUA landscape because some internal users need to exist on the sell side. However making it part of the CUA landscape means that supplier registration on the SLC system would attempt to create the supplier on the CUA system as well. This is obviously not a desired outcome.

 

I was hoping that there would be some option either on the CUA side or the registration process to allow creation on local system only.

 

The alternative is to not put the system under CUA and have an ALE interface to push selected users onto the SLC system. This introduces the challenge of putting in an interface, designing a selection and push mechanism and setting up procedures for synchronizing changes.

 

Does anyone know a way around this?

SAP table for Deleted Users


Hello guys,

 

I know that this topic was still discussed. But I have the same problem and I can't find any information in table ADR7.

 

I have some deleted users and I know their user ID. For example: one of these users was deleted in June 2014. Now I would like to find out their full name (first and last name).

As I have read I have to search in table ADR7 for the username. But there are no entries for this deleted user in ADR7.

And I can't find entries in ADR7 for my own user. UNAME in ADR7 is Remote-Mail-Name but not the user name which is used to log on, isn't it?

 

I cannot imagine that these entries were deleted completely. I think these entries have to be available for the audit.

 

Thanks for your input and help.

 

Best regards,

Björn

SM35 restriction


Dear Experts,

 

We had a requirement, where we need to restrict the foreground and display error option for user and should allow only background processing of data.

 

We were able to restrict background through S_BTCH_JOB, but please suggest how to restrict foreground and display error option errors.

 

Regards

Chander Dubey

Enterprise Portal 7.3 Cannot login after loading login module stack


Hi,

 

We are trying to implement header authentication to SAP EP 7.3 with Tivoli Access Manager for e Business. We followed the attached PDF from SAP to implement ip header authentication.

We followed the steps below:

 

  1. Deployed the package (https://sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/business_packages/a1-8-4/IPHeaderLoginModuleLibrary.zip) with JSPM tool. The package was deployed successfully.
  2. Configured the system for authentication with header variable. The header authentication was working successfully. We were able to login through a HTTP header passed by Tivoli Access Manager.
  4. Registered a new login module with the class name de.platinion.security.IPHeaderLoginModule and name, IPHeaderLoginModule at the following location NWA>Configuration>Security>Authentication and Single Sign-On>Login modules.
  5. In the NWA>Configuration>Security>Authentication and Single Sign-On, replaced the HeaderVariableLoginModule from the login module stack ticket with the new IPHeaderLoginModule. Added the following properties for this module:

 

-       Header = <TAM header name>

-       Ume.configuration.active = true

-       Ip = <TAM IP address>

 

 

The login module stack looks like:

-       EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}

 

-       IPHeaderLoginModule REQUIRED {ip = TAM_IP_ADDRESS, ume.configuration.active=true, Header=<header_name>}

 

-       BasicPasswordLoginModule REQUISITE {}

 

-       CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

 

 

After making this configuration change we restarted the EP J2EE engine. After restart we were not able to login through the Web GUI. The header authentication as well as the direct URL (username/password) authentication is not working. We are basically locked out of the system and cannot make any change in the configuration.

 

Please advise on next steps.

PPOME - taking away transport request


Hello,

 

I was hoping someone with PPOME / workflow knowledge could help me here... Currently, our company locks down the transaction code PPOME, meaning you have to submit a transport request any time making a change to the structure, when a user...

 

The way we have it set up is we have an organization unit at the highest level, followed by a position, and then a user assigned to the position.

 

What we would like to do is anytime we want to change a user (add/remove from a position), we would like for it to NOT ask for a transport request, but anytime someone tries to change a position or organization unit, it does...

 

I hear this may be possible... can someone tell me how/if it is?

Getting dump after implementing the Note 1640523


Hi,

 

Recently we implemented an SAP Note 1640523 in our production system and after that the transport route got failed, many transactions are not working and we are getting a lot of dumps.

 

Can anyone suggest on this?


Locate the work process from ICM trace for HTTP logon issue


For most SSO issues, the logon trace is needed to find the root cause.

 

In an ABAP system, the logon trace is actually the development trace of the work process. Normally we use the important Note:

#495911 - Trace analysis for logon problems

After getting the trace, we can use the Security Audit Log to locate the work process which handled the logon, to find the real reason why the logon failed.

 

But sometimes, if the Security Audit Log is not active or there is no entry logged in the audit log, it becomes difficult to find the work process.

 

For HTTP logon issues, I found we can use the ICM trace to locate the work process.

First, raise the ICM trace level to 3.

This can be done in SMICM, using the menu “Goto -> Trace Level -> Set”.

(Also remember to go to SM50 and raise the trace level to 3 on the “Security” component for DIA work processes.)

 

Then reproduce the issue, and after that change all the trace levels back to their default values.

 

Now let's check the ICM trace. Use the timestamp of the reproduction to find the related trace.

(Here I recommend the free software Notepad++; it can search large text files very fast, shows the results in a list, and jumps to the position in the file on double-click.)

Then we can search for the keyword “IcmHandleOOBData”; in the results, the following lines are what we need:

[Thr 140080821593856] IcmHandleOOBData: Received data on 1st MPI (seqno: 1, type=6, reason=Request processed in wp(6)): 42/23079/0

[Thr 140080821593856] IcmHandleOOBData: request will be processed in wp 6

Here "wp 6" means that work process number 6 handled this logon.

 

Then we can check dev_w6 to find the related trace; we can use the timestamp or the keyword "note 320991" to search.

In this logon trace, we can find the root cause of why the logon failed.
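
The keyword search can also be scripted instead of done in an editor. The following is an added example, not part of the original post: it scans ICM trace lines for the two IcmHandleOOBData message forms quoted above and reports which dev_w<N> file to open. The function name is hypothetical, and apart from the two lines quoted above the sample input is constructed.

```python
"""Find the work process that handled an HTTP request from ICM trace lines.
Added example; only the two IcmHandleOOBData line formats shown in the
post are recognised."""
import re
import sys

# Matches both forms:
#   ... IcmHandleOOBData: request will be processed in wp 6
#   ... IcmHandleOOBData: Received data ... reason=Request processed in wp(6)): ...
_OOB = re.compile(
    r"\[Thr (?P<thr>\d+)\]\s+IcmHandleOOBData:\s+(?:"
    r"request will be processed in wp (?P<a>\d+)"
    r"|.*?reason=Request processed in wp\((?P<b>\d+)\))"
)


def find_logon_work_processes(lines):
    """Return one record per (ICM thread, work process) pair, in trace order.

    Each record names the work process trace file (dev_w<N>) to inspect,
    the first trace line that mentioned it, and how many lines matched.
    """
    found = {}
    for lineno, line in enumerate(lines, start=1):
        m = _OOB.search(line)
        if not m:
            continue
        wp = int(m.group("a") or m.group("b"))
        key = (m.group("thr"), wp)
        rec = found.setdefault(key, {
            "thread": m.group("thr"),
            "wp": wp,
            "trace_file": f"dev_w{wp}",
            "first_line": lineno,
            "hits": 0,
        })
        rec["hits"] += 1
    return list(found.values())


# Lines 2 and 3 are the ones quoted in the post; lines 1 and 4 are constructed.
SAMPLE_TRACE = """\
[Thr 140080821593856] (constructed filler line, not real ICM output)
[Thr 140080821593856] IcmHandleOOBData: Received data on 1st MPI (seqno: 1, type=6, reason=Request processed in wp(6)): 42/23079/0
[Thr 140080821593856] IcmHandleOOBData: request will be processed in wp 6
[Thr 140080821590000] IcmHandleOOBData: request will be processed in wp 11
""".splitlines()

if __name__ == "__main__":
    # With a file argument, read that ICM trace; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            trace = fh.read().splitlines()
    else:
        trace = SAMPLE_TRACE
    for rec in find_logon_work_processes(trace):
        print(f"line {rec['first_line']}: thread {rec['thread']} -> "
              f"wp {rec['wp']} (open {rec['trace_file']}, {rec['hits']} hits)")
```

On a busy system several requests appear in the same time window, so narrow the input to the lines around the reproduction timestamp before running it.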

Start and End dates for users in Enterprise portal


Hi Expert,

 

I have to maintain start and end dates for around 200 users in 4 different Java systems. When I export the file of users it does not capture the validity fields. Is there a way/script to automate this? Otherwise I will have to do it manually.


Multiple-Domain SSO Kerberos Authentication


Currently we are set up for SAP SSO using MS Kerberos exactly as described in SAP's guide at: http://help.sap.com/saphelp_nw70/helpdata/EN/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please think of the following scenario:

 

1) The SAP application server belongs to CORPORATE domain. The service account for SAP is also in the same domain such as CORPORATE\SAPService<SID>

 

2) In RZ10, the snc/identity/as parameter is set up like p:SAPService<SID>@CORPORATE for the SSO to work.

 

3) The SPNs are also defined in the CORPORATE domain controller such as SETSPN -A SAPService<SID>/dontcare CORPORATE\SAPService<SID>

 

4) Users install the appropriate gsskrb5.dll file into their system32 folder and then create a new SSO-enabled entry for the SAP server in their SAPGUI, by activating the SNC and entering the SNC Name: p:SAPService<SID>

 

The scenario above works very well for us for authenticating the CORPORATE domain users. My extended scenario (and hence the question) is as follows:

 

5) Let's assume we have SAP users from another domain called ADVISORS as well. There is a trust relationship between the CORPORATE and ADVISORS domains at the OS level, so the ADVISORS users can reach files/folders/servers/applications in CORPORATE domain and vice versa.

 

6) If we would like to set the ADVISORS users with Kerberos SSO authentication to our SAP server in CORPORATE domain, what should we do?

 

I have tried changing the user mapping on /SU01 for a user coming in from ADVISORS domain but it didn't work.

 

Is it possible to have multi-domain Kerberos SSO authentication to the same SAP server?

 

Thank you in advance for your reply.

way to get list of all the IDs maintained in various connections


Hello,

 

I'm not sure whether this is the right forum to discuss this issue; if it's not, please redirect me to the right group.

 

I'm stuck in a place in my project where the requirement is to implement some security parameters related to dialog IDs, mainly the following:

1.) Password rules (viz, uppercase, lowercase, etc etc.)

2.) Password change on next Dialog log-on

3.) Expiry of Dialog IDs not logging into the system for more than 90 days.

 

Now, the catch comes here!!.

I work in SolMan security and we have around 65 managed systems connected with it. Hence there could be many RFCs, many background jobs,

many Batch Jobs, some JCo connections (and others which I might have missed here since I'm not a Basis guy).

There are high chances that we could have at least one Dialog ID maintained in any of these connections which is destined to fail after the implementation of these security parameters and we want to eliminate this risk by doing an impact analysis in DEV before doing it in PROD as the risk is high and the consequences are critical.

 

Now what I'm unable to find here is an exhaustive list of user IDs (all types) maintained in these connections so that I can segregate out the dialog ones from them and highlight the risk areas. However, I'm unable to find any table or any other method which could provide me, if not 100%, a fair glimpse of the IDs maintained in RFCs and background jobs. I sought help from my Basis team also, however, they are saying it would be a cumbersome task in looking out for details of each connection manually and they know no other way to do it.

 

Any help on the ways out would be highly appreciated. Do let me know if I have missed out something in explaining the scenario.

 

Thanks,

Deepanshu
