Channel: SCN : All Content - Security
Viewing all 2858 articles

Unauthorized Tcode Access


Dear gurus,

 

I have problem like this:

 

In November 2010, I see from ST03N that a user has access to tcode FBZ1.

From roles assigned, that user has no access to that tcode (I saw in menu and auth object S_TCODE).

I tried to login as that user, and I can't directly access by typing FBZ1 from the tcode shortcut.

 

From SUIM -> change document, I see there's no additional role assigned or role change to that user.

What could possibly allow that user to access that tcode?

 

Thanks for help.

Best Regards,


HR Time Entry and Self Approval


I have a scenario where a Time Administrator in HR entering time in CAT2 is not allowed to approve his own time entry in CAPS but allowed to approve other employee's timesheet.

I have maintained the infotype 0316 in P_PERNR with PSIGN value = E. The time admin can still approve with this authorization. Am I missing anything?

SAP security issue


Dear SAP,

 

I have one doubt in SAP security. I need to give full FICO module tcode authorization to one user ID: only FICO module tcodes, with full authorization.

The remaining modules' tcodes should not work. Is it possible in SAP? Please help me: is it possible or not?

 

regards

suresh

No authorization for a sales document


Hello,

 

We are facing a strange issue. We have some sales orders. When a user tries to access VA02 and modify a contract, we get the error "No authorization to change this sales document". We could change some sales orders. We have observed two things here:

 

A) If a sales order has items in it --> "No authorization to change this sales document"

B) If a sales order has no items in it --> "No problem with the authorization, we can modify the order".

 

Document type used for this sales order is ZC02. We have given ZC02 in the role and activities 01, 02, 03, 43, C1 and C2 in the roles along with proper Org values. Still, we are not able to open the sales order in change mode.

 

 

Could you please help me resolve this issue?

Security Admin can deactivate Authorization Object (Standard)


Security Gurus,

 

I am facing a unique situation with regards to Security Admin’s access in Production to deactivate authorization objects.

 

When the Security Admin in Production opens a role in PFCG, goes to the Authorization tab and tries to deactivate authorization objects with different statuses, the results are as follows:

 

- Authorization Object (Manually) : Cannot deactivate/ or activate

- Authorization Object (Maintained) : Cannot deactivate/ or activate

- Authorization Object (Changed): Cannot Deactivate/ or activate

- Authorization Object (Standard): Can Deactivate, but cannot activate

 

So the Security Admin can deactivate “Authorization Object (Standard)”, however it cannot reactivate the same or any other authorization object.

 

The trace is not picking up any check when “Authorization Object (Standard)” is Deactivated, however for every other failed deactivation & re-activation it is showing missing authorization for S_USER_VAL (which is assigned as all ‘’, i.e. No authorization). S_USER_AGR is assigned with 02 access, which is coming in for user assignment.

 

Do you think it is a bug, or is there a way that deactivation of “Authorization Object (Standard)” can be limited without affecting access for user assignment?

Restriction on Sales Office for Sales Transaction


Dear All

 

We have a requirement to restrict our derived roles for SD modules on division and sales office. By default, division (org element) is coming in the Auth tab; however, sales office is not populated. Hence, as of now, we are able to restrict on division only.

 

To restrict on sales office as well, I have followed the options below:

 

1) Manually added object "V_VBKA_VKO" in profile and maintained field "VKBUR". ---- Didn't work.

2) Added object "V_VBKA_VKO" for VA01 in SU24. Then added VA01 in role and restricted it for sales office through "VKBUR" field. --- Didn't work.

 

Please help: how can we restrict this based on sales office also?

 

Regards

Urvish Patel

NW 7.3 SSO to SuccessFactors


Anyone come across the following issue with single sign on between SAP and SuccessFactors?

 

 

 

Caused by: dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain the service provider https://www.successfactors.eu or the company-wide service provider https://www.successfactors.eu/<companyID> within the Audience list: [https://www.successfactors.com]

at com.successfactors.authentication.service.saml2.extend.SFSAML2AssertionValidator.validate(SFSAML2AssertionValidator.java:90)

at dk.itst.oiosaml.sp.model.OIOAssertion.validateAssertion(OIOAssertion.java:217)

at com.successfactors.authentication.service.saml2.SFSAML2AssertionConsumerHandler.handleSAMLResponse(SFSAML2AssertionConsumerHandler.java:525)

... 58 more

 

 

Our SF instance is in Amsterdam - perhaps there is a certificate for .eu rather than .com. Any pointers most welcome!

SSL certificate import error


Hi, All

 

We want to use Webdispatcher (on Windows) as a reverse proxy with SSL. I generated a request file with the command below:

 

sapgenpse get_pse -s 2048 -p C:\usr\sap\FW0\W00\SAPSSLS.pse -r C:\usr\sap\FW0\W00\SAPSSLS.req "CN=portal.xxx.com, OU=xxx company"

 

We sent it to an authority and we got a response file.

 

sapgenpse import_own_cert -c C:\usr\sap\FW0\W00\SAPSSLS.crt  -p C:\usr\sap\FW0\W00\SAPSSLS.pse -x pin

 

 

When I try to import it to Webdispatcher, I get an error message:

 

import_own_cert: Sorry, but you didn't supply the filename of the CA Response

 

Any idea?

 

ABH


How can we hide the URL with Webdispatcher after SSO redirect



Hi,

 

We have setup SSO with Kerberos and SPNEGO for NWBC and now we want to expose it to the internet via SAP Webdispatcher.

NWBC is on a single-stack ABAP system on server1 and we have configured a standalone J2EE system on server2 for issuing the saplogon ticket.

 

This works fine with the redirect from ICF NWBC -> Error Pages -> Logon Error -> Redirect to URL (Form Fields) http://server2:port/redirect/redirect.jsp

On server2 we have a Java application (redirect/redirect.jsp) which has %response.sendRedirect("http://server1:port/nwbc")%

 

The problem is that when the Webdispatcher calls http://server1:port/nwbc the URL in the browser is hidden with MYDOMAIN.COM/nwbc, but when the logon error (no saplogon ticket yet) is redirecting to http://server2:port/redirect/redirect.jsp the browser is showing the actual URL http://server2:port/redirect/redirect.jsp, and also when returning to NWBC the browser is showing http://server1:port/nwbc.

And we don't want to expose hostnames (server1 and server2) to the internet.

 

Does anyone know how to solve this?

Start and End dates for users in Enterprise portal


Hi Expert,

 

I have to maintain start and end dates for around 200 users in 4 different Java systems. When I export the file of users it does not capture the validity fields. Is there a way/script to automate this? Otherwise I will have to do it manually.

Maximum no. of Profiles exceeded and not working even after deleting roles from User


Hi Everyone,

 

I have a similar issue. The maximum no. of profiles is exceeded for a user for a child system (the user is created in the CUA system), and when I am deleting the roles from the user for the child system from the CUA system, I am able to delete the roles. But the issue is, I am not able to see the changes being reflected for that user in the child system. IDOCs in SCUL tcode are again showing "Maximum number of profiles for user exceeded".

 

What can be done to resolve this?

 

Regards,

Shruti

Automatic user locking and logout then unlock process.


Dear SAP Gurus,

We have a requirement that we need to lock particular users at some particular time and kill the logged-in users from the system; then we need to run our scheduled process, and after completion of the process, we need to unlock the users.

 

We tried to find some tcode or program but we are unable to find that.

 

Please suggest.

 

Regards

RJ

Problem with digital signature of documents


I have a requirement to upload documents and their respective signed fingerprint (SHA1WithRSA).

To achieve this I am using the function modules:

 

SSF_KRN_DIGEST

SSF_KRN_SIGN_BY_AS

 

but I can't make it work.

I also asked for the .pem file used to generate the PSE that I'm using to sign documents.

With this pem file I execute the following command in OpenSSL:

 

# Creates the message digest of document.txt, and then signs it with MyKey.pem

dgst -sha1 -sign MyKey.pem -out document.sign document.txt

 

AND THIS WORKS! Now, with this successful case I tried to track down the problem with the FM that I'm using, and I detected that SSF_KRN_DIGEST is giving me a different result than openssl (so I forgot about signing the document for a while...).

 

 

These are the HEX values for OpenSSL (this is the one that works):

 

3021300906052B0E03021A05000414AC
3725ACAD34E2F8B921B315DD200D715B
FDEEEB

 

And this is the HEX value of the result of FM SSF_KRN_DIGEST:

 

304006092A864886F70D010705A03330
31020100300906052B0E03021A050030
0B06092A864886F70D0107010414AC37
25ACAD34E2F8B921B315DD200D715BFD
EEEB

 

As you can see, both files do contain the digest, but the metadata and padding are different. As far as I know, it should respect the ASN.1 structure, but I can't figure out what's wrong with the SSF_KRN_DIGEST call.

 

This is my code:

 

* Create the message digest of the file
CALL FUNCTION 'SSF_KRN_DIGEST'
   EXPORTING
     b_detached                         = 'X'
     ostr_input_data_l                  = lv_bin_data_len
     str_hashalg                        = 'SHA1'
  IMPORTING
    ostr_digested_data_l               = lv_digested_len
*   CRC                                =
   TABLES
     ostr_input_data                    = lt_bin_data
     ostr_digested_data                 = lt_digested_data
  EXCEPTIONS
    ssf_krn_error                      = 1
    ssf_krn_noop                       = 2
    ssf_krn_nomemory                   = 3
    ssf_krn_opinv                      = 4
    ssf_krn_nossflib                   = 5
    ssf_krn_input_data_error           = 6
    ssf_krn_invalid_par                = 7
    ssf_krn_invalid_parlen             = 8
    ssf_fb_input_parameter_error       = 9
    OTHERS                             = 10.

 

Where lt_bin_data contains the document, uploaded in binary mode.

 

Thanks in advance.

 

regards.
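
Added example (not part of the original post, and not SAP or OpenSSL code): a minimal DER walker in Python run over the two hex dumps quoted in the post above. It lists the object identifiers in each blob and extracts the final OCTET STRING, showing that the first blob is a bare DigestInfo while the second carries the same 20-byte SHA-1 value inside a PKCS#7 digestedData ContentInfo. Function and variable names are illustrative.

```python
# Hex dumps copied from the post above (OpenSSL value first, SSF_KRN_DIGEST second).
OPENSSL_HEX = ("3021300906052B0E03021A05000414AC"
               "3725ACAD34E2F8B921B315DD200D715B" "FDEEEB")
SSF_HEX = ("304006092A864886F70D010705A03330" "31020100300906052B0E03021A050030"
           "0B06092A864886F70D0107010414AC37" "25ACAD34E2F8B921B315DD200D715BFD" "EEEB")
OID_NAMES = {"1.3.14.3.2.26": "sha1",
             "1.2.840.113549.1.7.1": "pkcs7-data",
             "1.2.840.113549.1.7.5": "pkcs7-digestedData"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def walk(buf, out=None):
    """Collect primitive (tag, value) leaves, descending into constructed elements."""
    out, pos = ([] if out is None else out), 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag & 0x20:                      # SEQUENCE, SET, [0] EXPLICIT ...
            walk(val, out)
        else:
            out.append((tag, val))
    return out

def summarize(hex_text):
    """Return (list of dotted OIDs, hex of the last OCTET STRING) for a DER blob."""
    leaves = walk(bytes.fromhex(hex_text))
    oids = [decode_oid(v) for t, v in leaves if t == 0x06]
    digest = [v for t, v in leaves if t == 0x04][-1]
    return oids, digest.hex().upper()

if __name__ == "__main__":
    for label, blob in (("OpenSSL", OPENSSL_HEX), ("SSF_KRN_DIGEST", SSF_HEX)):
        oids, digest = summarize(blob)
        print(label, [OID_NAMES.get(o, o) for o in oids], digest)
```
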

Hiding password in debug


Hi folks !

 

I have a question here: how could I hide a parameter typed in a password, so this is not visible in debug mode?

Is this possible?

 

Thanks for help.

You do not have the sufficient authorization


Hi Experts,

 

I am trying to set up Structural Authorization from HCM in BW. I am using 0HR_PA_2 and 0HR_PA_3 extractors to pull the data from HCM in 0TCA_DS01 and 0TCA_DS02. I am able to load the data for both DSOs and authorizations are also generated via RSECADMIN.

The auth relevant info objects are

0ORGUNIT

0HRPOSITION

0EMPLOYEE

 

But when I run the query for the test user it is giving the error "You do not have the sufficient authorization". Our security guy set up everything for the test user at the back end. Can anyone help me out to fix this problem?


How to access User's Time Zone if no access to USR02


Hi,

 

I have a requirement to change users' default time zone, but only for those who have a blank entry; others will remain as they are.

I can do a mass update via SU10; however, to get the list of users with a blank time zone I should have access to USR02.

As per our security policy, no one in the organization has access to the USR02 table, including the Basis/Security team.

How do I get this list in the Production system?

 

Regards,

Satyajit

New to SAP security, need help in tcode assignment...


Hi there,

 

I'm new to some SAP security procedures.

 

I want to know what is the best practice to do the following:

 

A user asked me to add them the following transactions.

va01

va02

zva05

mm3b

zmsk

 

The problem is, there are a lot of roles containing these transactions.

What's the best way to proceed?

PS: We use GRC, so the assignment has to be SoD compliant.

 

Thank you

Ashod

HR tables in SAP CRM


Hi, I wrote a programme for removing and adding roles en masse in ECC6. Our security team would now like to have this programme available in SAP CRM, where I have come across a bit of a snag. The FM and everything are there OK, but I get an error on the tables I am selecting from.

Table in ECC6 - T528T - Position texts

Can anyone tell me what the relevant table is in SAP CRM that would hold this information?

Restrict Query access of users by Authorizations


We are a realty company and every new construction project is a new compcode for us. PS generates all the 0WBS_ELEM.

We have one single report on WBS. My question is more focused on: how can we restrict the access of users by authorizations from a query execution point of view?

Scenario: I have the below situation.

 

Dept1 :

1)  C.XXXX.0001.ANBD    (  where XXXX is the company code   , we have around 2867 Comp_codes )

      1.1) Sub:  C.XXXX.0001.ANBD 01

      1.2)          C.XXXX.0001.ANBD 02

              2.1 )   sub    C.XXXX.0001.ANBD 08

 

Dept2 :

C.XXXX.0201.CADB   ( again where XXXX is the company code )

 

I want the boss of dept 1 to be able to view all the depts below, but 1.1 should not be able to view the WBS related to 1.2.

The boss of dept2 should be able to see the data of all WBS XXXX compcodes, but a compcode1 WBS element should not be viewed by another user in another compcode2.

 

Will appreciate and reward your help with points.

Regards

Ram

How to set a Valid To Time for a Role


Hi,

 

Is there a way to set a 'Valid To' time for a user role assignment?

I know there is a 'Valid To' date field in SU01. But we need to expire a few role assignments at a particular time of the day.

But we are looking for a 'Valid To' time as well, along with the date. We may create a Z tcode for this, but what I want to know is: is there a Function Module which can be used, or any other inputs?

 

Thanks!
