Best practice for standard security role

Hi, I'd like to know which is the best practice for standard role use. Some people tell me that a standard role should never be used, that a copy must be made and the users assigned to the copy. But then, why should SAP bother creating the standard role?

They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menus with SPs and upgrades, then you will find them in transaction SU25.
If you do a search on "standard AND roles" in the SDN then you will also find more detailed information and opinions on the use of them.
Cheers,
Julius

Similar Messages

  • Best Practice for ESS/ MSS role customization

    Hi,
    I would like to know the best practice for role customization for the ESS / MSS business package. For example, if my company does not want to use some of the worksets like working time, travel etc., what is the best practice for this scenario?
    anEEZ

    Hi Aneez,
    This is the link for complete best practices on NetWeaver
    http://help.sap.com/bp_epv260/EP_EN/index.htm
    Browse the Business scenarios, you will find what you are looking for.
    Now, these ones are specific for ESS and MSS
    http://help.sap.com/bp_epv260/EP_EN/html/EP/N26_ESS.htm
    http://help.sap.com/bp_epv260/EP_EN/html/EP/N27_MSS.htm
    Hope this helps,
    Kumar
    P.S Reward Points for useful answers.

  • Best Practices for standardizing long text for EP GUI version

    Hello, I have a question that is related to standardizing best practices for all portal applications that use EP
    1) The portal team has recommended activating the GUI version from portal to allow the long text to have the same features as the standard GUI.  Since this solution is per transaction, we will need to identify what transactions need to have this temporary solution built in.  Also, business users will need to remember which transactions they will access via portal or GUI.
    (2) Even though the long text function is activated via GUI per transaction, the system will prompt a message of “Runtime Error!  Program C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE”.  This may create frustrations to the users each time they maintain the long text.  The risk of this may be losing the use of long text throughout the maintenance orders, production orders, notifications, material masters, equipment masters, maintenance task lists, production routings, etc.
    All feedback welcomed
    Thanks Mark

    I found the solution: make everything in Illustrator (well, text anyway) at a big size, then bring it into Photoshop in a document 1024 x 576 (so no widescreen pixel ratio), then when saving the document bring the size of the image to 720 x 576 and you get great anti-aliased pictures.
    Solved.

  • Office Web Apps - Best Practice for App Pool Security Account?

    Guys,
    I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
    Generally speaking, I put service applications in their own application pool.
    Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
    I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool. 
    Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
    Cheers,
    Conrad
    Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

    I run my OWA under its own service account (spOWA) and use only one app pool.  Just remember that if you go this route, "When you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

  • Best practice for external but secure access to internal data?

    We need external customers/vendors/partners to access some of our company data (view/add/edit).  It’s not so easy as to segment out those databases/tables/records from other existing (and put separate database(s) in the DMZ where our server is).  Our current solution is to have a 1433 hole from web server into our database server.  The user credentials are not in any sort of web.config but rather compiled in our DLLs, and that SQL login has read/write access to a very limited number of databases.
    Our security group says this is still not secure, but how else are we to do it?  Even if a web service, there still has to be a hole in somewhere.  Any standard best practice for this?
    Thanks.

    Security is mainly about mitigation rather than 100% secure, "We have unknown unknowns". The component needs to talk to SQL Server. You could continue to use http to talk to SQL Server, perhaps even get SOAP Transactions working but personally I'd have more worries about using such a 'less trodden' path since that is exactly the areas where more security problems are discovered. I don't know about your specific design issues so there might be even more ways to mitigate the risk but in general you're using a DMZ as a decent way to mitigate risk. I would recommend asking your security team what they'd deem acceptable.
    http://pauliom.wordpress.com

  • Best Practice for BEX Query "PUBLISH to ROLE"?

    Hello.
    We are trying to determine the best practice for publishing BEX queries/views/workbooks to ROLEs. 
    To be clear of the process I am referring: from the BEX Query Designer, there is an option QUERY>PUBLISH>TO ROLE.  This function updates the user menu of the selected security role with essentially a shortcut to the BEX query.  It is also possible to save VIEWS/WORKBOOKS to a role from the BEX Analyzer menu.  We have found ROLE menus to be a good way to organize BEX queries/views/workbooks for our users. 
    Our dilemma is whether to publish to the role in our DEV system and transport to PROD,... or if it is ok to publish to the role directly in the PROD system.
    Publishing in DEV is not always possible, as we have objects in PROD that do not exist in DEV. For example, we allow power users to create queries directly in PROD.  We also allow VIEWS and WORKBOOKS to be created directly in PROD.  It would not be possible to publish types of objects in DEV. 
    Publishing in PROD eliminates the issues above, but causes concerns for our SECURITY team.  We would be able to maintain these special roles directly in PROD.
    Would appreciate any ideas, suggestions, examples of how others are handling this BEX publish-to-role process.
    Thank you.
    -Joel

    Hi Joel,
    Again, as per the Best Practices, nothing is to be created in PRD. Even if we create them in PRD for power users, it is assumed to be temporary and can be deleted at any time.
    So if there are already deviations then you can go for deviations in this case as well, but it won't be the Best Practice. Also, in a few cases we have workbooks created in PRD as they could not be created in DEV due to various reasons... In such cases we did not think of Best Practice; we had raised an OSS on this as well.
    In our project, we have done everything in DEV and transported to PRD. In case there were any very minor changes at query level, we have done them in PRD and immediately replicated the same in DEV so that they are in sync.
    rgds
    SVU

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions.
    Centralizing Security enforcement will make your development and security operations loosely coupled and addresses scalability.
    Thanks
    Ram

  • Best Practice for Security Point-Multipoint 802.11a Bridge Connection

    I am trying to get the best practice for securing a point to multi-point wireless bridge link. Link point A to B, C, & D; and B, C, & D back to A. What authentication is the best and what configuration is best that is included in the Aironet 1410 IOS? Thanks for your assistance.
    Greg

    The following document on the types of authentication available on 1400 should help you
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/aero1400/br1410/brscg/p11auth.htm

  • Best Practice for enhancing the SAP delivered standard WD ABAP application

    Hi,
    I am new to WebDynpro ABAP.
    To enhance the SAP delivered Standard WebDynpro Component (complex component with Business objects & powl).
    Kindly let me know the best practice for enhancing the Standard WD ABAP from the below 1 or 2.
    1) To copy & create a "Z" of the component & make changes in that (or)
    2) to enhance directly on the same standard component without making "Z".
    Regards,
    NS

    Hi NS,
    If it is a standard component, it's better we go for enhancing the component rather than copying it into a Z component.
    If there is any issue within the standard component, SAP supports it through notes and OSS messages. If it is a Z component, SAP doesn't support it.
    If there is any upgrade of business packages, changes will be done to the standard, but not the Z components, wherein we could miss it.
    Further, since it is a standard component it might have been used at many places; changes that have to be done to reflect all changes might be difficult in this case if it is a Z component.
    Regards,
    Harsha

  • Is there any best practice or standard for database object naming ?

    Hi
    Thank you for reading my post
    Is there any standard or best practice for database object naming?
    for example how should we name columns of a table ? should it be like TOTAL_VOTE or TOTALVOTE and many other items.
    Thanks

    what does oracle suggest as a naming schema for tables , fields , views. indexes , tablespaces , ... If you look at the data dictionary you will see that not even Oracle keeps rigidly to any specific standard, although there are tendencies :)
    "The nice thing about standards is that there are so many of them to choose from."      
    -- Andrew Tannenbaum
    Cheers, APC

  • Best Practice for PDF print forms based on SAP standard

    Hi,
    I have copied the SAP standard PDF form F_D_INT_SCALE_00 to a Z form, and am using it in conjunction with the standard print program RFDZIS01_PDF.  However I need to output some additional fields that are not supplied by the print program / interface (for example Customer VAT number).
    What is the best practice for achieving this?  As far as I can see the only way is to take a copy of the standard print program and modify it to select the extra data, and modify the interface.  I never like taking copies of standard programs though for obvious reasons.
    If I had this requirement with a smartform it would be a simple case of embedding ABAP code into the Z smartform and leaving the print program alone, but unfortunately there is no provision for the non-PDF version of the Interest Letter to be sent by email.
    Thanks in advance,
    Vindaloo

    Thanks for your reply Robert.
    However I think you are referring to Smartforms when you mention Code Initialization and Global Data declarations.  I need to know the best way to modify copies of standard Adobe Print Forms.
    Regards,
    Vindaloo

  • Best practice for promoting roles

    I would like to know what the best practices are for promoting Administrative and/or normal Roles between environments. If I make a change to the capabilities of a role, I'd rather not create a whole new build if I didn't have to. Would exporting from debug, and importing via 'lh import' suffice, or is there an easier/better method?
    Thanks

    Hello,
    I'd ask in the Windows forum on Microsoft Community.
    Karl

  • Best practices for customizing the standard OBIA metadata repository (RPD)

    Hello
    Is there a best practices document published by Oracle or a partner that talks about best practices for customizing the OBIA out-of-box RPD? I am specifically looking for guidance around:
    1. Adding new objects to the physical layer or modifying an existing table definition to add more columns
    2. Building new Logical columns in the BMM layer
    3. Modifying the existing Subject areas.
    Thanks

    There is a very good presentation by Rittman Mead on extending and customizing BI Applications. Refer to this link (http://www.rittmanmead.com/files/OOW2008%20-%20Extending%20and%20Customizing%20the%20BI%20Apps%20Data%20Warehouse.pdf ).
    Thanks,
    -Amith.

  • Best practice for assigning permissions

    Good morning,
    I am trying to redo permissions on our shared folders, and want to incorporate some sort of best practice and be security conscious.
    In the current environment, permissions are assigned directly to the folder, and it is usually domain users :(.
    I have a multi-domain environment. I want to know what is the best way to handle permissions, so for instance I have a folder called \\ITserver01\ITtest, what kind of naming scheme do you give? I was thinking about maybe ITserver01_ITtest_RW as an example...
    Also do I have to create a domain local r/w and r/o group and a universal group r/w and r/o, since I cannot place users directly in the domain local account?
    Chad

    Best practices (esp. in naming schemes) depend a bit on the corporate culture and standard procedures. However, we put users in domain local groups based on their role. Those groups would be made a member of a domain group that is used to grant access to local resources, and then make those resource access domain groups members of local groups on the server.
    For example, if I have a server 'test', then there is a domain group called 'test administrators' and that group is then a member of the local admins group of the test server. And one of the members of the 'test administrators' group would be the 'site domain admins' group.
    For your example, ITserver01_ITtest_RW would be a domain local group. And you would not put users in it directly, but user groups.  Users are in groups like 'Site helpdesk admins' or whatever. Something that defines their role in the organization.
    And then you would put the 'Site helpdesk admins' as a member in the ITserver01_ITtest_RW group.
    Does that make sense?

  • Best Practice for trimming content in Sharepoint Hosted Apps?

    Hey there,
    I'm developing a SharePoint 2013 App that is set to be SharePoint Hosted.  I have a section within the app that I'd like to be Configuration-related, so I would like to only allow certain users or roles to be able to access this content or even see that it exists (i.e. an Admin button, if you will).  What is the best practice for accomplishing this in SharePoint 2013 Apps?  Thus far, I've been doing everything using jQuery and the REST API and I'm hoping there's a standard within this that I should be using.
    Thanks in advance to anyone who can weigh in here.
    Mike

    Hi,
    According to this documentation, “You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain of the domain that hosts the SharePoint sites. For example, if the SharePoint sites are at Contoso.com, consider ContosoApps.com instead of App.Contoso.com as the domain name”.
    More information:
    http://technet.microsoft.com/en-us/library/fp161237(v=office.15)
    For production hosting scenarios, you would still have to create a DNS routing strategy within your intranet and optionally configure your firewall.
    The link below will show how to create and configure a production environment for apps for SharePoint:
    http://technet.microsoft.com/en-us/library/fp161232(v=office.15)
    Thanks
    Patrick Liang
