49011732 Sap Security Faqs


  • 8/3/2019 49011732 Sap Security Faqs


    SAP SECURITY FAQs:

    1. Authorization Object S_Program is not active

    I have received a request from business to add authorization object ZMXM with User Action as SUBMIT for Authorization Object S_Program. I have already manually added the required access to a given role in DEV and moved to QAS environment. The import on QAS was successful but when I saw role in PFCG the Authorization Object S_Program is showing as inactive. I have repeated the process of transport but still same issue. Also I have cross-checked by adding other Authorization Object and it's showing active on QAS environment. Is the problem with S_Program only? Could you please help me to solve this issue as I have to revert back to business. I am working on 4.6C version of SAP with Oracle 10g.

    SOL1:

    1. Please check the object is activated in QAS system (as this is a standard object, surely this should be activated)

    SU03 -> Authorization -> Activate

    2. Please compare the entries of S_PROGRAM in DEV & QAS system which does work in table TADIR and TOBJ. Is anything missing or different?

    SOL2:

    I have found the table entries for S_Program in TADIR and TOBJ same on DEV as well as on QAS system.

    Also the object is active for particular role/profile in SU03 transaction.

    SOL3:

    You might have saved and transported the role without generating the profiles.

    Please follow the below points:

    1. Deactivate the S_PROGRAM object, save & generate the profile.


    2. Again activate the same object, enter the field values, save and generate the profile and transport the request. Just check the changes and update me the status for further investigation.

    Still not working.

    2. What is a Test Script? Scenarios where role creation through SECATT would be helpful.

    SOL1.

    If you go for mass derive role creation like you need to create same role for different company code or plant or some other org (larger companies having many number org level and may need this kind of security set up) level where all authorizations are same but only differs in org level you have to create huge number of roles then. And if you have 10 roles each of having 75 derivation then you need create 750 roles. So this kind of scripts are really helpful and it will save lots of time.

    3. UST04 inconsistency

    I am facing an error in our existing system. I am getting an entry in table UST04 which comprises of a profile and a user assigned to that profile. But when I go to SU01 to see the details of that particular user I get a message saying user does not exist.

    The user also does not exist in the table USR02. But this is very unlike SAP that I can see a user in UST04 and unable to see the same in SU01 and table USR02.

    I have also executed a program named RSAUTHXPRA in order to synchronise USR* and UST* tables, but even that doesn't seem to be working.

    Need some help on this. Your help is highly appreciated. In anticipation of your reply.

    Thanks in advance.

    SOL1: Probably, program PFCG_TIME_DEPENDENCY is not scheduled in the system. You can try running this program or you can also run the same


    program through transaction PFUD. PFCG_TIME_DEPENDENCY does user comparison and removes invalid profiles. It is advisable to schedule this program to run at least once every day to clean up invalid profiles in your system. Please try this out.
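    The inconsistency described in question 3 can be checked directly from table exports. This is an added example, not part of the original thread: it assumes UST04 (columns MANDT, BNAME, PROFILE) and USR02 (columns MANDT, BNAME) have been exported, for instance from SE16, and it uses constructed sample rows and a hypothetical helper name `find_orphaned_profiles`.

```python
import sqlite3

# Constructed sample rows standing in for table exports (not real system data).
UST04_ROWS = [  # (MANDT, BNAME, PROFILE): profile assignments per client
    ("100", "JSMITH", "T-A1000001"),
    ("100", "GHOST01", "T-A1000002"),
    ("100", "GHOST01", "SAP_ALL"),
    ("200", "JSMITH", "T-B2000001"),
    ("200", "BATCHUSR", "T-B2000002"),
]
USR02_ROWS = [  # (MANDT, BNAME): user master records per client
    ("100", "JSMITH"),
    ("200", "BATCHUSR"),
]


def find_orphaned_profiles(ust04_rows, usr02_rows):
    """Return {(client, user): [profiles]} for UST04 rows with no USR02 record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UST04 (MANDT TEXT, BNAME TEXT, PROFILE TEXT)")
    db.execute("CREATE TABLE USR02 (MANDT TEXT, BNAME TEXT)")
    db.executemany("INSERT INTO UST04 VALUES (?, ?, ?)", ust04_rows)
    db.executemany("INSERT INTO USR02 VALUES (?, ?)", usr02_rows)
    # Anti-join on client AND user name: a user that exists in client 100
    # does not make the same name valid in client 200.
    rows = db.execute(
        """
        SELECT p.MANDT, p.BNAME, p.PROFILE
        FROM UST04 AS p
        LEFT JOIN USR02 AS u ON u.MANDT = p.MANDT AND u.BNAME = p.BNAME
        WHERE u.BNAME IS NULL
        ORDER BY p.MANDT, p.BNAME, p.PROFILE
        """
    ).fetchall()
    db.close()
    orphans = {}
    for mandt, bname, profile in rows:
        orphans.setdefault((mandt, bname), []).append(profile)
    return orphans


if __name__ == "__main__":
    found = find_orphaned_profiles(UST04_ROWS, USR02_ROWS)
    for (mandt, bname), profiles in found.items():
        print(f"client {mandt}: {bname} has no USR02 record but holds {profiles}")
```

    Running the same comparison before and after the PFUD / PFCG_TIME_DEPENDENCY run shows whether the cleanup actually removed the leftover UST04 entries.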

    Some security questions

    ==============================================================

    I have one year experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use google or any of my systems for reference!

    1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best

    answer is to modify your su24 data.

    2) What is the use of transaction PFUD at midnight? removes invalid profiles from user

    records

    3) Is PFUD needed when saving in SU01 and does the user need to logoff and on again after changes? PFUD is not needed and the user needs to log off and back on again

    4) How are web services represented in authorizations of users who are not logged on? ??

    5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure what grounds this would be necessary. I have never had to use it.

    6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? Su24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

    7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA


    8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....

    9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

    10) What is an X-glueb command and where do you use it in SAP security? ???

    11) What is the disadvantage of searching for AUTHORITY-CHECK statements in

    ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an

    advantage. My ABAPer shows me his programs and we work out what authority checks

    should be performed.

    12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???

    13) Can you use the information in SM20N to build roles and how? You could, I guess.

    Not a good practice though. Build roles based on business processes.

    14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL which reconciles new authorization objects from SAP_NEW

    15) Name any one security related SAP note and explain its purpose or solution. Don't

    know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to

    allow deletion of more than one role at a time. There is no mechanism in SAP to achieve

    this currently.

    16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP? ??? I know what these are but have no experience with it.
