49011732 Sap Security Faqs
8/3/2019 49011732 Sap Security Faqs
SAP SECURITY FAQs:
1. Authorization Object S_Program is not active
I have received a request from business to add authorization object ZMXM with User Action as SUBMIT for Authorization Object S_Program. I have already manually
added the required access to a given role in DEV and moved to QAS environment. The
Import on QAS was successful but when I saw role in PFCG the Authorization Object S_Program is showing as inactive. I have repeated the process of transport but still same
issue. Also I have cross checked by adding other Authorization Object and it's showing
active on QAS environment. Is the problem with S_Program only? Could you please
help me to solve this issue as I have to revert back to business. I am working on 4.6C version of SAP with Oracle 10g.
SOL1:
1. Please check the object is activated in QAS system (as this is a standard object, surely this should be activated)
SU03 -> Authorization -> Activate
2. Please compare the entries of S_PROGRAM in DEV & QAS system
which does work in table TADIR and TOBJ. Is anything missing or different?
SOL2:
I have found the table entries for S_Program in TADIR and TOBJ same
on DEV as well as on QAS system.
Also the object is active for particular role/profile in SU03 transaction.
SOL3:
You might have saved and transported the role without generating
the profiles.
Please follow the below points:
1. Deactivate the S_PROGRAM object, save & generate the
profile.
2. Again activate the same object, enter the field values, save and
generate the profile and transport the request. Just check the changes and update me the status for further investigation.
Still not working.
2. What is a Test Script? Scenarios where role creation through SECATT would be
helpful.
SOL1.
If you go for mass derived role creation, like you need to create the same role for
different company code or plant or some other org level (larger companies having
a large number of org levels may need this kind of security set up) where all
authorizations are the same but only differ in org level, you have to create a huge
number of roles then. And if you have 10 roles each having 75 derivations then
you need to create 750 roles. So this kind of script is really helpful and it will save
lots of time.
3. UST04 inconsistency
I am facing an error in our existing system. I am getting an entry in table UST04 which
comprises of a profile and a user assigned to that profile. But when I go to SU01 to see
the details of that particular user I get a message saying user does not exist.
The user also does not exist in the table USR02. But this is very unlike SAP that I can see
a user in UST04 and unable to see the same in SU01 and table USR02.
I have also executed a program named RSAUTHXPRA in order to synchronise USR*
and UST* tables, but even that doesn't seem to be working.
Need some help on this. Your help is highly appreciated. In anticipation of your reply.
Thanks in advance.
SOL1: Probably, program PFCG_TIME_DEPENDENCY is not scheduled in the system. You can try running this program or you can also run the same
program through transaction PFUD. PFCG_TIME_DEPENDENCY does user
comparison and removes invalid profiles. It is advisable to schedule this program
to run at least once every day to clean up invalid profiles in your system. Please try this out.
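An offline cross-check for the situation in question 3, added here as an example and not part of the original thread: it lists UST04 profile assignments whose user has no USR02 master record in the same client, and shows whether that user name exists in another client. It assumes both tables were exported as CSV with the columns MANDT, BNAME and PROFILE; the sample rows, user names and profile names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data). Assumed columns:
# MANDT (client), BNAME (user name), PROFILE.
UST04_CSV = """MANDT,BNAME,PROFILE
100,JSMITH,Z_MM_BUYER
100,OLDUSER,Z_FI_CLERK
100,olduser ,Z_MM_BUYER
200,JSMITH,Z_MM_BUYER
"""
USR02_CSV = """MANDT,BNAME
100,JSMITH
200,OLDUSER
"""

def _key(row):
    # Normalise export artefacts: padding and case differences.
    return row["MANDT"].strip(), row["BNAME"].strip().upper()

def find_orphans(ust04_text, usr02_text):
    """Return {(client, user): [profiles]} for UST04 rows whose user
    has no USR02 master record in the same client."""
    users = {_key(r) for r in csv.DictReader(io.StringIO(usr02_text))}
    orphans = defaultdict(list)
    for row in csv.DictReader(io.StringIO(ust04_text)):
        k = _key(row)
        if k not in users:
            orphans[k].append(row["PROFILE"].strip())
    return {k: sorted(v) for k, v in orphans.items()}

def exists_in_other_client(orphans, usr02_text):
    """For each orphan, list other clients that do hold the user name.
    A non-empty list suggests a wrong-client lookup, not a leftover row."""
    by_name = defaultdict(set)
    for r in csv.DictReader(io.StringIO(usr02_text)):
        client, user = _key(r)
        by_name[user].add(client)
    return {k: sorted(by_name[k[1]] - {k[0]}) for k in orphans}

if __name__ == "__main__":
    found = find_orphans(UST04_CSV, USR02_CSV)
    for (client, user), profiles in sorted(found.items()):
        print(client, user, profiles)
    print(exists_in_other_client(found, USR02_CSV))
```

Running the same comparison before and after the clean-up job shows whether the leftover assignments were actually removed.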
Some security questions
==============================================================
I have one year experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use google or any of my systems for reference!
1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best
answer is to modify your SU24 data.
2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user
records
3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again
after changes? PFUD is not needed and the user needs to log off and back on again
4) How are web services represented in authorizations of users who are not logged on? ??
5) How do you force a user to change their password and on which grounds would you do
so? SU01 -> Logon Data tab -> Deactivate password. I am not sure what grounds this would be necessary. I have never had to use it.
6) What is the difference between SU24 and SU22? What is "original data" in SU22
context? SU22 you maintain authorization objects???? SU24 you maintain which
authorization objects are checked in transactions and maintain the authorization
proposals.
7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA
8) Can you have more than one set of org-level values in one role? I might be
misinterpreting this question. But yes. Depending on the transactions inserted into the
role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....
9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and
necessary authorization objects into a role. S_RFC for one.
10) What is an X-glueb command and where do you use it in SAP security? ???
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in
ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an
advantage. My ABAPer shows me his programs and we work out what authority checks
should be performed.
12) In which tables can you make customizing settings for the security administration and
name one example of such a setting which is useful but not SAP default? ???
13) Can you use the information in SM20N to build roles and how? You could, I guess.
Not a good practice though. Build roles based on business processes.
14) If the system raises a message that authorizations are missing but you have
SAP_ALL, what do you do? Regenerate SAP_ALL which reconciles new authorization objects from SAP_NEW
15) Name any one security related SAP note and explain its purpose or solution. Don't
know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to
allow deletion of more than one role at a time. There is no mechanism in SAP to achieve
this currently.
16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.