Applying FDM security at group level

Hi Folks
Does anyone know if there is a way in 11.1.1.3 to apply FDM roles at a group level in FDM? I can apply the roles in Shared Services, but when I go into FDM User Maintenance it appears that the roles have to be applied at an individual user level for usernames to appear. Is there a way around this?

It is something that I & others have mentioned at the CAB meetings. We will continue to push for it.

Similar Messages

Group Level Data Level Security not working

I'm trying to test the data level security at the group level.
Here's what I did
1. Went to the security -> Groups -> Permissions -> Filters
2. In Name added the Fact table on which I want to filter.
3. Selected "Enable"
4. In Filter Column I added a filter on a column in the dimension. (I didn't use any session variables in the filter)
When I create an answers query with the column from the dimension (Which I used in filter) and fact from the fact table where I defined the filter, the filter is not applied..
Am I missing something in the creation of filters?
Thanks in Advance.
Rama.

Hi,
If the user is member of both user defined and Administrator group no filter will be applied to them because Administrator group will take precedence and no filter can be applied to Administrator.Even if you ooen Administrator group, you will see that permission tab is disabled for Administrator group.
Hope this helps.
Regards,
Sandeep

Row level access at the Group level assignments

I know the concept ROW LEVEL security or "Access Restrictions" but I haven't really implemented it before.
1. Create a Row level security from the BO -UNIVERSE designer from the TOOLS> MANAGE SECURITY>MANAGER ACCESS RESTRICTIONS.
RESTRICTION-EMPLOYEE ( If user is available in the table then only display the results)
In the where clause Employees.Employee_Name = @Variable('BOUSER') here the BO user always at the user level ID.
2. Then assign the above restriction to the USER or GROUP.
The question what I have.. if I assign the Restriction at the GROUP level, will this condition be applied for all users under that group. Do I need to do anything else.
Please confirm.

THose are two different things you are talking about here:
1) @Variable('BOUSER') is a placeholder that is replaced during the runtime with the ID of the user who is running the report accessing your universe. Adding this expresson somewhere in your universe (does not have to be necessary the where clause of an access restriction) will mean that the generated SQL statement will contain the user ID at the related place.
2) Access restrictions: You can setup access restriction for users or even groups. If you set those for groups then the restriction will be applied to ALL users being members of this group, when they run a report that uses your universe. If a specific user belongs to 2 different groups for which universe restrictions are applied, then the conflict will be solved according to the settings in your universe. Access restrictions can be used to change the where clause of the generated statements but also for using different credentilas to connect to the database (based on the group) and/or a different set of parameters eg. the maximum bnumber of rows fetched by the universe can vary among different groups.
Hope this helps.
Regards,
Stratos

Windows failed to apply IP Security settings

Hi,
Our server/client environment is a mix of Windows Server 2012, 2008 R2, 2008 and Windows 7. We have nothing below Windows Server 2008. Both the forest and domain functional levels are at Windows 2008 R2.
Every 15 minutes, the following event is generated on all machines joined to the domain:
"Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately."
Below is the detailed view:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/5/2013 2:24:17 PM
Event ID: 1091
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: book.wolfson.fiu.edu
Description:
Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1091</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-12-05T19:24:17.011Z" />
<EventRecordID>439591</EventRecordID>
<Correlation ActivityID="{211DE0BB-42E9-4D61-A1D3-0D3F09A24477}" />
<Execution ProcessID="1076" ThreadID="3300" />
<Channel>System</Channel>
<Computer>book.wolfson.fiu.edu</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3934</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">6817</Data>
<Data Name="ErrorCode">2</Data>
<Data Name="ErrorDescription">The system cannot find the file specified. </Data>
<Data Name="DCName">\\drexel.wolfson.fiu.edu</Data>
<Data Name="ExtensionName">IP Security</Data>
<Data Name="ExtensionId">{e437bc1c-aa7d-11d2-a382-00c04f991e27}</Data>
</EventData>
</Event>
Based on the ErrorDescription field above, there seems to be some sort of file missing but that's a little vague and I cannot figure out how to fix. Another clue is that when I search on the internet for the ExtensionID string {e437bc1c-aa7d-11d2-a382-00c04f991e27},
it seems to be related to the IP Security policy setting, however, that setting is not even configured in group policy within our domain or on any machine.
Any suggestion?
Thanks!
-sul.

Hi Sul,
Before going further, I want to confirm whether the Event ID 1085 was also logged in the Event Viewer. Besides, have we ever deleted a Group Policy
that contains assigned IPSec polices?
If we ever deleted an IPSec policy object in the past, there may be other policies that are linked to the deleted IPSec policy object. We can assign
an IPSec policy to different GPOs, it is not part of a specific GPO.
If our situation meets the description above, we can follow the solution below to fix the issue:
The old IPSec policy will be set in:
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
with a link to the deleted object, e.g.
"DSIPSECPolicyPath"="LDAP: //CN=ipsecPolicy{12345678-abcd-1a2b-5478-12345678}\\0ADEL:<GUID>,CN=Deleted Objects, DC=domain, DC=tld"
We have to search for the deleted IPSec policy link in all existing GPOs. We can use an LDIFDE export for it: Note the value in DSIPSECPolicyPath
registry key without "LDAP: //" (see above) and run the following command:
ldifde -r "( ipSecOwnersReference= CN=ipsecPolicy{12345678-abcd-1a2b-5478-12345678}\\0ADEL:<GUID>,CN=Deleted Objects, DC=domain,DC=tld)" –f
C:\ipsecPolicies.txt
We will find an export of the Group Policy Objects that contain the link to the deleted ipsecPolicy. In the export we will find the GUID of the problematic
policies - we can use LDP.exe or similar in order to get the "displayName" of the Group Policy (located in "CN=Policies, CN=System, DC=domain, DC=domain").
We will have to create a dummy ipsecPolicy (maybe "ICMP permit all"), open all these policies, assign and unassign this dummy ipsecPolicy. We can
do this in one go directly after assigning the IPSec policy.
During the next group policy update the reference to the deleted ipsecPolicy object should be replaced and we can delete the dummy ipsecPolicy. The
error should not occur anymore.
Hope it helps.
Best regards,
Frank Shen

ME21N Material group level authorization is not working in ECC 6.0

Dear Security Experts,
We have created a role Z_ME21N with one Tcode ME21N. The role has to restrict users in the material group level.
For that, we added Authorization object M_MATE_WGR.
1. When we are trying to add field values for {M_MATE_WGR, BEGRU}, generally it should show me the list possible values to be used based on the MM configuration related to Material Authorization Group. We have correctly configured the authorization groups from V_TBRG for M_MATE_WGR. But itu2019s not showing any possible values.
2. However we are able to add values manually, but I guess these are not being considered during authorization check and our restriction on Authorization group level in ME21N is not working.
Test Scenario: We have manually added values 005,007,009,010,013 (which is pointing to specific material group) to BEGRU of M_MATE_WGR. We already assigned this Authorization Object to role Z_ME21N and this role has been assigned to u2018testuseru2019, but the authorization check with the M_MATE_WGR authorization group is not happening. It allows operations on all the material groups.
Anybody came accross same scenario?
SAP Prodcut version : ECC 6.0
Database : SQL Server 2005
Support pack level : 15
Please share your views, thanks in advance.
Regards,
Abu Sandeep

Dear All,
I got a reply just now from SAP regarding the same issue.
I coudnt understand what SAP and you are saying.
Dear Abu
*Apologies for the delay. This message has been turned on to application*
*area of MM from the Basis side just now.*
*Unfortunately, authorization object "M_MATE_WGR " is not checked*
*in the purchasing transactions (PR & PO), the system works as standard*
*functional designed.*
*Only the following objects are checked in PR/PO:*
*M_BEST_BSA Document Type in PO M_BANF_BSA Document Type in PR*
*M_BEST_EKG Purchasing Group in PO M_BANF_EKG Purchasing Group in PR*
*M_BEST_EKO Purchasing Org. in PO M_BANF_EKO Purchasing Org. in PR*
*M_BEST_WRK Plant in PO M_BANF_WRK Plant in PR*
*Setting in check/maintain on in SU24 only means that the profile*
*generator will propose the object when creating a user, however is*
*does not mean that M-MATE_WGR will be checked.*
*Please close this message by pressing the confirm button at your*
*earliest convenience.*
*Many thanks in advance for your understanding.*
So, how can I resolve this problem? John, are you sure that, you implemented this successfully?
SAP says, this cant be done.
Regards,
Abu Sandeep.

Data-level security in user level

Hi All,
In our OBIEE we have created several application roles and assign them to the users. We set data-level security for each application role, and the filter does apply to all related users. But we want to do more specific data-level security for each user, which we did by clicking on user name in Manage Identity, and set permission with additional data filter. But this does not work.
Let's say we have Application Role1 with access to region='Asia', but then we want to set User1 to access only subregion='North Asia' and User2 to access only subregion='South East Asia', where User1 and User2 belongs to Application Role1.
Is this possible to work in OBIEE 11g?
Thanks.

Hi,
Yes it is possible,
Please refer the below link.
http://satyaobieesolutions.blogspot.in/2012/06/obiee-11g-security-week-row-level.html -- stey by step is there.
Hope this help's
Thanks
Satya

Alternative to apply dimension security in Planning?

Hi all,
I have created a new application and need to apply the security settings which are in the old version of the application. Is there any other way to do this accept going through Administration --> Dimension. View whether there is security on a member, note that what kind of security and which groups are assigned this security? For instance the Entity and Account dimension are very deep and there are lots of user groups, so it will take me ages to replicate this. Any other way to do this?
Thanks in advance!
Mathijs

Hi John,
We keep ending up with the error below where it says it failed to get identity for user admin. Do you have any idea what's going wrong? Thanks in advance (we're on version 9.3.1.4)
Executed command:
D:\hyperion\Planning\bin>
ExportSecurity.cmd /A=prdhpl02,/U=admin,/P=password,/S_GROUP=BC-HQ2,/DELIM=!,/TO_FILE=BC-HQ2,/DEBUG=true
Error:
D:\hyperion\Planning\bin>ExportSecurity.cmd /A=prdhpl02,/U=admin,/P=password,/S_
GROUP=BC-HQ2,/DELIM=!,/TO_FILE=BC-HQ2,/DEBUG=true
Tue Aug 04 16:18:20 BST 2009 :: User Name=admin,appName=prdhpl02,searchCriterian
ull,userSearchCriterianull,groupSearchCriteriaBC-HQ2,valuesDelimiter=!,fileName=
BC-HQ2.txt,debug=true
[04-Aug-2009 16:18:20]: Loading System Properties...
[04-Aug-2009 16:18:20]: Need to create an Object. pool size = 0 creatredObjs = 0
[04-Aug-2009 16:18:20]: Intializing System Caches...
[04-Aug-2009 16:18:20]: Loading Application Properties...
[04-Aug-2009 16:18:20]: Looking for applications for INSTANCE: []
[04-Aug-2009 16:18:21]: The polling interval is set =10000
Tue Aug 04 16:18:21 BST 2009 :: Logging into the application
Arbor path retrieved: D:\Hyperion\common\EssbaseRTC\9.3.1
[04-Aug-2009 16:18:22]: Setting ARBORPATH=D:\Hyperion\common\EssbaseRTC\9.3.1
Old PATH: D:\oracle\product\10.2.0\agent10g\jlib;D:\oracle\product\10.2.0\agent1
0g\bin;D:\oracle\product\10.1.3\OracleAS_1\jdk\bin;D:\oracle\product\10.1.3\Orac
leAS_1\ant\bin;D:\oracle\product\10.2.0\client_1\bin;C:\Program Files\Windows Re
source Kits\Tools\;C:\Program Files\Support Tools\;C:\Program Files\HP\NCU;C:\WI
NDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NetIQ\AppMan
ager\bin;C:\Program Files\NetIQ\Common\bin;D:\oracle\product\10.1.3\OracleAS_1\o
pmn\bin;D:\Hyperion\common\CLS\9.3.1\bin\windows;D:\Hyperion\FinancialManagement
\Common;D:\Hyperion\FinancialManagement\Server;D:\Hyperion\common\SAP\bin;D:\Hyp
erion\FinancialManagement\Client
[04-Aug-2009 16:18:22]: Old PATH: D:\oracle\product\10.2.0\agent10g\jlib;D:\orac
le\product\10.2.0\agent10g\bin;D:\oracle\product\10.1.3\OracleAS_1\jdk\bin;D:\or
acle\product\10.1.3\OracleAS_1\ant\bin;D:\oracle\product\10.2.0\client_1\bin;C:\
Program Files\Windows Resource Kits\Tools\;C:\Program Files\Support Tools\;C:\Pr
ogram Files\HP\NCU;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Pr
ogram Files\NetIQ\AppManager\bin;C:\Program Files\NetIQ\Common\bin;D:\oracle\pro
duct\10.1.3\OracleAS_1\opmn\bin;D:\Hyperion\common\CLS\9.3.1\bin\windows;D:\Hype
rion\FinancialManagement\Common;D:\Hyperion\FinancialManagement\Server;D:\Hyperi
on\common\SAP\bin;D:\Hyperion\FinancialManagement\Client
New PATH: D:\Hyperion\common\EssbaseRTC\9.3.1\bin;D:\oracle\product\10.2.0\agent
10g\jlib;D:\oracle\product\10.2.0\agent10g\bin;D:\oracle\product\10.1.3\OracleAS
_1\jdk\bin;D:\oracle\product\10.1.3\OracleAS_1\ant\bin;D:\oracle\product\10.2.0\
client_1\bin;C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Supp
ort Tools\;C:\Program Files\HP\NCU;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Sys
tem32\Wbem;C:\Program Files\NetIQ\AppManager\bin;C:\Program Files\NetIQ\Common\b
in;D:\oracle\product\10.1.3\OracleAS_1\opmn\bin;D:\Hyperion\common\CLS\9.3.1\bin
\windows;D:\Hyperion\FinancialManagement\Common;D:\Hyperion\FinancialManagement\
Server;D:\Hyperion\common\SAP\bin;D:\Hyperion\FinancialManagement\Client
[04-Aug-2009 16:18:22]: New PATH: D:\Hyperion\common\EssbaseRTC\9.3.1\bin;D:\ora
cle\product\10.2.0\agent10g\jlib;D:\oracle\product\10.2.0\agent10g\bin;D:\oracle
\product\10.1.3\OracleAS_1\jdk\bin;D:\oracle\product\10.1.3\OracleAS_1\ant\bin;D
:\oracle\product\10.2.0\client_1\bin;C:\Program Files\Windows Resource Kits\Tool
s\;C:\Program Files\Support Tools\;C:\Program Files\HP\NCU;C:\WINDOWS\system32;C
:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NetIQ\AppManager\bin;C:\Prog
ram Files\NetIQ\Common\bin;D:\oracle\product\10.1.3\OracleAS_1\opmn\bin;D:\Hyper
ion\common\CLS\9.3.1\bin\windows;D:\Hyperion\FinancialManagement\Common;D:\Hyper
ion\FinancialManagement\Server;D:\Hyperion\common\SAP\bin;D:\Hyperion\FinancialM
anagement\Client
Setting Arbor path to: D:\Hyperion\common\EssbaseRTC\9.3.1
[04-Aug-2009 16:18:23]: MAX_DETAIL_CACHE_SIZE = 20 MB.
[04-Aug-2009 16:18:23]: bytesPerSubCache = 8802 bytes
[04-Aug-2009 16:18:23]: MAX_NUM_DETAIL_CACHES = 2272
Setting HBR Mode to: 2
HBR Logging Config File : HBRServer.properties
2009-08-04 16:18:23,703 WARN main com.hyperion.hbr.security.HbrSecurityAPI - Err
or retrieving user by identity
Embedded HBR initialized.
[04-Aug-2009 16:18:23]: Regeneration of Member Fields Complete
[04-Aug-2009 16:18:23]: Need to create an Object. pool size = 0 creatredObjs = 0
[04-Aug-2009 16:18:23]: Thread main acquired connection com.hyperion.planning.o
lap.HspEssConnection@1117a20
[04-Aug-2009 16:18:23]: Thread main releasing connection com.hyperion.planning.
olap.HspEssConnection@1117a20
[04-Aug-2009 16:18:23]: Thread main released connection com.hyperion.planning.o
lap.HspEssConnection@1117a20
[04-Aug-2009 16:18:23]: Need to create an Object. pool size = 0 creatredObjs = 1
java.lang.RuntimeException: failed to get identity fo useradmin
at com.hyperion.planning.HspJSImpl.login(Unknown Source)
at com.hyperion.planning.HspJSImpl.login(Unknown Source)
at com.hyperion.planning.HyperionPlanningBean.Login(Unknown Source)
at com.hyperion.planning.HyperionPlanningBean.Login(Unknown Source)
at com.hyperion.planning.utils.HspExportSecurityCmd.execute(Unknown Sour
ce)
at com.hyperion.planning.utils.HspExportSecurityCmd.main(Unknown Source)
java.lang.RuntimeException: Unable to aquire activity lease on activity 1 as the
activity is currently leased by another server.
at com.hyperion.planning.sql.actions.HspAquireActivityLeaseCustomAction.
custom(Unknown Source)
at com.hyperion.planning.sql.actions.HspAction.custom(Unknown Source)
at com.hyperion.planning.sql.actions.HspActionSet.doActions(Unknown Sour
ce)
at com.hyperion.planning.sql.actions.HspActionSet.doActions(Unknown Sour
ce)
at com.hyperion.planning.HspJSImpl.aquireActivityLease(Unknown Source)
at com.hyperion.planning.HspJSImpl.reaquireActivityLease(Unknown Source)
at com.hyperion.planning.utils.HspTaskListAlertNotifier.reaquireTaskList
ActivityLease(Unknown Source)
at com.hyperion.planning.utils.HspTaskListAlertNotifier.processTaskListA
lerts(Unknown Source)
at com.hyperion.planning.utils.HspTaskListAlertNotifier.run(Unknown Sour
ce)

Information Regarding Essbase Security Except Filter Level and User Level

I have an requirement to implement data level security in Essbase. For ex: A user can only see those data which are from Asia region or an user will be able to see those data which are from America.
Asia and America are defined in my location dimension.
can any one explain about it without using user Level Security and Filter level security.
Please tell me how to do it?
Thanks in advance.

Sandeep's reference the DBAG and the section on filters is the right direction. The filter is created in EAS.
Let's use an example.
You create a METAREAD filter (that is, it filters both data and dimensionality) that gives a user limited access to the Location dimension (I think I have that right), e.g., the British Isles, the UK and Ireland. You can also create a READ filter but it only limits data and, in my opinion at least, causes confusion because users can see metadata (the whole world) but only see data for the British Isles.
NB -- filters can be assigned to individual usernames or to groups that users are members of. For a POC, I'd keep it simple and just assign it to a username, but it's your choice.
Assign the filter to the user in Shared Services.
Try connecting to the database in Excel through the Classic Add-In or SmartView to test what the user sees -- it should be: Total Location, British Isles, the UK, and Ireland. You will see Total Location (top of the dimension) because that's how Essbase navigates down -- it has to have the dimension name to find the limited children. You won't see any data there. But you will see data at the Location members that the METAREAD filter allows.
That's it -- it's been around since the year dot, and is the way access is restricted. You shouldn't need to reinvent the wheel to get this to work in OBIEE. Essbase should do the work.
Regards,
Cameron Lackpour

Security Account Group

Hi,
We create one product type in shareholding (security area). System select account assignment reference on Valuation class and three asset G/L posting.
My question is how to possible change position management procedure in one product type. We create Securities Account Group company wise, but in which time we select Securities Account Group so system change PMP? We check Assign Position Management Procedure tab it is possible to PMP on basis of Securities Account Group.
Regards,
Vishal Patel

Hi Greg,
if you differentiate on both Security Account and the Security Account Group, then you can see positions in TPM12. Otherwise you can make own reports based on logical databases (for example FTI_TR_POSITIONS). Further, on the quantity ledger position level, you can use TPM26.
Regards,
Tomislav

How to create a formula based on group level

Hi,
If there are three group level ins a report:
How can I creat a formula to put on page header depended on current group level?
Thanks!

Thanks, Abhilash ans Sastry
I really try to do is to show different text on page header depend on which group level is. the reason is that if there are multi pages group footer, only the first page has group name on tilte if I put group name on the footer.
I would like to put group name on page header, but have to know which group level is.
Thanks again

BW Report Designer - Group level changes

Dear all,
we intent to use BW Report Designer and want to insert page breaks between group level changes
so that we get one page per item of a group (as it is possible in Crystal reports).
Example:
Sales organization is listed in column 1 of our query - we need one page per item -
page 1 - Sales organization 100
page 2 - Sales organization 200
Concerning to the online documentation it should be possible, but we can't find this functionality
within the BW Report designer.
Could anybody assist us?
Thanks
Hagen

Check the below post and you'll have your solution! Hope this helps.
Page Breaks in Report Designer

Bug in report sorting? Sort doesn't work in last group level.

Is this a known error? Is there documentation from Oracle about it?
My query is a simple select from a table. I then created three group levels. Each group contains a value for sorting (up arrow next to column). However, data is not sorted by the value in the third group.
Try:
create table test_sort (a number, b varchar2(5), c varchar2(5));
insert into test_sort (a, b, c) values (1, 'A', 'X');
insert into test_sort (a, b, c) values (1, 'B', 'Y');
insert into test_sort (a, b, c) values (1, 'B', 'Z');
insert into test_sort (a, b, c) values (1, 'A', 'Z');
insert into test_sort (a, b, c) values (2, 'A', 'Z');
insert into test_sort (a, b, c) values (2, 'A', 'Y');
insert into test_sort (a, b, c) values (2, 'A', 'X');
insert into test_sort (a, b, c) values (1, 'A', 'Y');
insert into test_sort (a, b, c) values (1, 'B', 'X');
Create a query tabular report with the wizard (select * from test_sort). Then make the groups: first a, then b, then c. Make sure that there is an arrow next to the values (sorting).
The report only displays a and b values sorted.
Edited by: user489847 on Jun 3, 2010 1:19 AM

Hello,
This is the normal behaviour documented here :
http://www.oracle.com/webapps/online-help/reports/10.1.2/topics/htmlhelp_rwbuild_hs/rwcontxt/props/pi_col_break_order.htm
Restrictions
Break Order has no effect on columns that belong to the lowest group of a particular query.
Break Order only affects columns in groups that are above the lowest child group of a query.
You have to add an "ORDER BY" in the SQL query in order to sort the columns belonging to the "lowest group"
Regards

Groups & Levels issue !!

Dear Experts/Gurus,
I have created the Groups & Levels through Revise Pay Scale Groups and Levels for both Staff & Workers separately but when i checked the details in PA30 through infotype 0008 only Staff grps & levels is displayed their but Workers grps & levels is not at all displayed even though i have created the same.
Please let me know what may be the issue.
Rgds,
Vikrant

Hi,
For both groups do you have one allowance grouping or different?
assin the allowance group to your payscale sturcture(payscale type, area, group, level) in the table of V_T7INA3. Then you can get the groups the in master data 0008IT.
And also maintain he V_T510 table, maintain your wage types to your group and level.
Good luck
Devi

IGS: Vulnerability "security hole in level 3"

Hi!
We are using SAP ERP 6.0 system with an ingetrated IGS 7.0
We already changed IGS according to sap note 896400 to the version 7.00 (Patch 15)
When we run scan on demand we get the following information:
A security hole in level 3 was found at server ServerX.
Vulnerability-Level [highest]: 3
Vulnerability-Level [highest counted]: 0
Vulnerability Details
Date: Sun 10 May 2009 1:26:13 MET
Vuln: 300803
Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
ToDo: Set up a project to implement access restriction rules to RFC programs
with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
CertRef: M906071, SAP 30/08
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
Date: Sun 10 May 2009 1:26:17 MET
Vuln#: 100806
Vulnerability: External Server Registration is possible at sysnr 3
ToDo: Secure remote registration of RFC programs (only possible in SAP Basis
7.00 and later)
CertRef: M906071
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
Date: Sun 10 May 2009 1:26:17 MET
Vuln#: 101802
Vulnerability: IGS HTTP Administration is enabled and this version has
reported vulnerabilities at sysnr 3
ToDo: Upgrade to a higher patch level, i.e., for BC-FES-IGS 6.40 Patch Level
17 or higher and for BC-FES-IGS 7.00 Patch Level 07 or higher
CertRef: SAP 34/09
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
End of Vulnerability Details
Question:
What we have to do to avoid s security holein level 3?
Thank you very much!
regards

Do you solved tye probllem below. ??? Can you help me.
I have the same problem.
What the format of secinfo, reginfo and what value to to profile gw/reg_no_conn_info ??
Thanks,
Vulnerability Details
Date: Sun 10 May 2009 1:26:13 MET
Vuln: 300803
Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
ToDo: Set up a project to implement access restriction rules to RFC programs
with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
CertRef: M906071, SAP 30/08
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:

IGS: Vulnerability (security hole in level 3 was found)

Hi!
We are using SAP ERP 6.0 system with an ingetrated IGS 7.0
We already changed IGS according to sap note 896400 to the version 7.00 (Patch 15)
When we run scan on demand we get the following information:
A security hole in level 3 was found at server ServerX.
Vulnerability-Level [highest]: 3
Vulnerability-Level [highest counted]: 0
Vulnerability Details
Date: Sun 10 May 2009 1:26:13 MET
Vuln: 300803
Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
ToDo: Set up a project to implement access restriction rules to RFC programs
with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
CertRef: M906071, SAP 30/08
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
Date: Sun 10 May 2009 1:26:17 MET
Vuln#: 100806
Vulnerability: External Server Registration is possible at sysnr 3
ToDo: Secure remote registration of RFC programs (only possible in SAP Basis
7.00 and later)
CertRef: M906071
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
Date: Sun 10 May 2009 1:26:17 MET
Vuln#: 101802
Vulnerability: IGS HTTP Administration is enabled and this version has
reported vulnerabilities at sysnr 3
ToDo: Upgrade to a higher patch level, i.e., for BC-FES-IGS 6.40 Patch Level
17 or higher and for BC-FES-IGS 7.00 Patch Level 07 or higher
CertRef: SAP 34/09
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:
End of Vulnerability Details
Question:
What we have to do to avoid s security holein level 3?
Thank you very much!
regards

Do you solved tye probllem below. ??? Can you help me.
I have the same problem.
What the format of secinfo, reginfo and what value to to profile gw/reg_no_conn_info ??
Thanks,
Vulnerability Details
Date: Sun 10 May 2009 1:26:13 MET
Vuln: 300803
Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
ToDo: Set up a project to implement access restriction rules to RFC programs
with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
CertRef: M906071, SAP 30/08
Tool Reference: proprietary CERT and IPINS scanner
Comment:
Counted in: 2009-07
Monitor:

Applying FDM security at group level

Similar Messages

Maybe you are looking for