Channel: SCN : Popular Discussions - Security

Last accessed date on a SAP table and user's activity on a transaction


Hi,

 

- Is there a way to find out (using transaction/table) last accessed date on a SAP table and who accessed it?

 

- Is there a way to find out (using transaction/table) user's activity on a transaction? (when was the last time user accessed a particular transaction)

 

Thanks,

Karan.


User |TMSADM has no RFC authorization for function group SYST


Hi All,

 

When we release any transports we are getting the above error. This is basically due to the implementation of complex password parameters; to suppress this we had followed note 761637.

 

I had regenerated the RFCs and reset the TMS user, but still no use. Any ideas?

 

This is definitely not an issue with authorization, as user TMSADM has the right profiles.

 

Reg,

VV

Recommended Settings for the Security Audit Log (SM19 / SM20)


Hi Security-Folks,

 

I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).

 

Here's my proposal:

 

Profile Parameters:

 

rsau/enable = 1

rsau/selection_slots = 10

rsau/user_selection = 1

 

Filter settings in SM19:

 

1. Filter: Activate everything which is critical for all users '*' in all clients  '*'.

  • You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
  • Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ
  • If you maintain logical file names using transaction FILE (see note 1497003) then add messages CUQ, CUR, CUS, CUT

 

 

2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all user account names starting with 'SAP', e.g. 'SAPSUPPORTx', because of rsau/user_selection = 1

To show log entries for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.

 

 

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

 

 

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

 

 

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see  http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).

 

 

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).

 

 

7.-10. Filter: free for other project specific purpose

 

 

What settings are you using and why?

 

Kind regards

Frank Buchholz

Active Global Support - Security Services
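
The generic user-name matching described in the post above (filter 2 with rsau/user_selection = 1, and the 'SAP#*' search in SM20), as an added Python model that is not part of the original post and is not SAP code. It assumes '*' matches any run of characters and '#' makes the next character literal; the user names RFC_BATCH, FF_BASIS01, EARLYWATCH and JSMITH and all events are constructed.

```python
import re

def generic_to_regex(pattern):
    """'*' matches any run of characters; '#' makes the next character literal
    (assumed semantics, modelled on the post's 'SAP*' vs 'SAP#*' remark)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "#" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def matches(pattern, value):
    return generic_to_regex(pattern).match(value) is not None

# Simplified filter slots from the proposal: (slot, client, user, message IDs).
# None means "everything"; RFC_BATCH is a hypothetical user chosen for slot 6.
FILTERS = [
    (2, "*", "SAP*", None),
    (3, "*", "FF*", None),
    (5, "066", "*", None),
    (6, "*", "RFC_BATCH", {"AUL", "AUK", "AU6", "AU5"}),
]

# Constructed events: (client, user, message ID)
EVENTS = [
    ("100", "SAP*", "AUK"),
    ("100", "SAPSUPPORT1", "AUK"),
    ("100", "FF_BASIS01", "BU5"),
    ("066", "EARLYWATCH", "AUL"),
    ("100", "RFC_BATCH", "AU5"),
    ("100", "RFC_BATCH", "BU5"),
    ("100", "JSMITH", "AUK"),
]

def recording_slots(event, filters=FILTERS):
    """Return the slot numbers whose client, user and message selection match."""
    client, user, msg = event
    return [slot for slot, c, u, ids in filters
            if matches(c, client) and matches(u, user) and (ids is None or msg in ids)]

def select_events(events, user_pattern):
    """Model of a user selection over already recorded events."""
    return [e for e in events if matches(user_pattern, e[1])]

if __name__ == "__main__":
    for e in EVENTS:
        print(e, recording_slots(e))
```

Selecting with 'SAP*' returns both the built-in user and SAPSUPPORT1, while 'SAP#*' returns only the built-in user, which is the distinction the post draws.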

Error during the retrieval of the logon data stored in secure store


Hi,

 

after a system copy from PRD to QAS, I tried to reconfigure the Transport Management System and got the following error message when adding the QAS system to the transport landscape:

RFC communications error with system/destination DOM_CTL

An RFC error occurred in the TMS communications layer.

   Target system: DOM_CTL.(000)

  Function: TMS_CFG_CREATE_A2D_REQUEST

  RFC message: Error during the retrieval of the logon data store

 

Error during the retrieval of the logon data stored in secure storage.

 

 

What should I do to correct this?

Transaction SECSTORE doesn't show any relevant errors...

 

 

 

thanks

Antonio

Best practice to stop using SA38


Hi people,

 

We have a system where we've found that many users are using SA38 in order to execute programs. Until now, when we face this kind of situation, what we've done is to identify the programs executed, create a Z transaction for each one and then assign these tcodes to the proper users. It works pretty well but is time consuming.

 

I wonder whether this approach is the best one or if there is something else (faster) that can be done. We asked SAP and the reply confirmed our procedure, but I'd like to know your point of view. So, do you have something cool and magic?

 

Thanks,

Félix

Impact of SAP ECC6.0 upgrade from EHP4 to EHP6, Security perspective.


Hello,

 

Our client is planning to upgrade SAP ECC6.0 system from EHP 4 SP6 to EHP6 SP5.

I am unable to find appropriate documents/discussions that will tell me if it has any impact on SAP Security infrastructure.

If yes, any pointers from where I can get information to estimate the efforts required ?

 

We had a considerable impact when we applied EHP4 on ECC 6.0.

Would EHP4 to EHP6 have similar impact ?

 

Thanks,

Kshitij

Difference between Role & Profile


Hi

 

I created users through SU01 and assigned the profiles e.g SAP_ALL, SAP_NEW etc.

 

When I created a profile using the profile generator and assigned it, it was assigned to Role & Profile.

 

Can you please clarify for me the concept between Role & Profile?

 

Thanks

Periodic Update to Derived roles


Hi Gurus,

We have a master/derived roles security concept in place. Our master roles are changed in a separate system (like adding or deleting tcodes, object values etc.) and then pushed across 5 R/3 development systems (each system for a different region). In each development system, we have derived the roles for different countries. However, there is a monthly release of updated master roles coming in to each of the systems and we have to update the derived roles.

 

The issue now is that we have some non-org values maintained in each of the derived roles, and these get overwritten by * values from the parent role when we do copy data. We are looking for any automation we can do so that a few of the non-org fields (like AUART Sales Document Type, BSART Order Type, FKART Billing Type etc.) keep the values maintained in the derived roles and don't get overwritten by the * value from the parent role.

 

Since it is a monthly release and every month we need to update almost 180 (parent roles) * 15 countries = 2700 derived roles, it's a very lengthy process...

 

Please advise in case you have any solution to reduce the effort in this case.

 

With Regards,

Nishad Showkath


Security interview questions - some fun to tickle your brain.


Hello gurus,

 

I know that posting interview question series are not allowed if the person has not put in any effort, but I have and folks seem to want to practice a bit sometimes so I take the liberty of creating a central one.

 

Tackle one or all of them to test your knowledge.

 

There are no model answers.

 

If you want to suggest additional ones, then please contact me.

 

The rules

Flaming of answers is allowed.

Funny answers earn a beer (or cup of tea).

There are no points.

 

1)     When PFCG proposes 3 activities but you only want 2, how do you fix this?

 

2)     What is the use of transaction PFUD at midnight?

 

3)     Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes?

 

4)     How are web services represented in authorizations of users who are not logged on?

 

5)     How do you force a user to change their password and on which grounds would you do so?

 

6)     What is the difference between SU24 and SU22? What is "original data" in SU22 context?

 

7)     When an authorization check on S_BTCH_JOB fails, what happens?

 

8)     Can you have more than one set of org-level values in one role?

 

9)     Should RFC users have SAP_NEW and why?

 

10)     What is an X-glueb command and where do you use it in SAP security?

 

11)      What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?

 

12)     In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?

 

13)     Can you use the information in SM20N to build roles and how?

 

14)     If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?

 

15)     Name any one security related SAP note and explain its purpose or solution.

 

16)     What are the two primary differences between a SAML token profile and a SAP logon ticket?

 

17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?

 

18)     If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?

 

19)     Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller?

 

20)     Why should you delete SAP_NEW profile and which transaction should you use before doing so?

 

To be continued...

How to kill process/Activity in SAP ?


How to kill process/Activity in SAP ?

Delete an already released transport request


Hello together,

 

I have a problem in SE09/SE10 with a transport request.

 

The request is as follows:

 

Modifiable

 

    D01K939667 100   Username     /Description

 

        D01K939668   Username          Customizing Task

         

The request itself has the status "Modifiable". The task D01K939668 within the request is already released. I have to delete the whole request now, but when trying to delete it, it says "Request D01K939668 already released". How can I delete a task within a request that is already released?

 

Thank you for any help!

 

Best regards

Klaus Hirschegger

Edit function removed from SE16N transaction, reports and interface FM


SM30, SE16


What is the basic difference in using SM30 and SE16 to get the data from the tables?

Also, is there any use in preventing the users from using SM30 from the security point of view?

Thanks, DVRK

Quick question about SAP Security analyst responsibilities


This question was posted on another site and I was asked by the moderator to  cross-post it here:

 

On another discussion forum, the topic of the SAP Certification program came up. In the discussion thread, there was some debate about the subject areas tested on the exam for SAP security, so I am putting the question to you.

 

At your current workplace, which of the following, if any, are responsibilities/ expected competencies of your experienced SAP Security analysts:

Encryption

Single Sign-on configuration/ maintenance

Network topology (SAP router and web dispatcher)

Operating system (SAP gateway)

Database security

J2EE

 

To categorize the responses, it would be helpful to know if you consider yours is a relatively large SAP support organization or not.

Thanks in advance for your responses and comments.

 

Regards,

Gretchen Lindquist


CHARM functionality for SAP role management


I have a question which is not technical but related to SAP role management.  I am not sure if this is the right place to ask.

 

We have implemented CHARM (Solution Manager) functionality and are importing the new/modified roles from dev to production using CHARM.

 

Though the functionality is fine, we are facing issues because of the lengthy process. For example, a simple RFC raised for modifying a role takes a lot of time for filling in the details, business impact, assessment, business approval, change manager approval, etc.

 

This process looks fine for big changes where such a detailed assessment is required, but since we receive a lot of requests to create/modify roles daily, this process is not feasible, as putting in all this information takes a lot of time and sometimes business cannot wait if the requirement is urgent.

 

As the transport capability is an inbuilt part of the CHARM process, we cannot even take the role management outside SOLMAN CHARM.

 

I wish to know from other people if they are using the CHARM, how they manage role management in their company.
