ChaRM security

Similar Messages

• ITSM & ChaRM Security Approach

  Hi Gurus,
  I am new to ITSM & ChaRM security. I have read lot of documentation about this but We don't want to use the standard template roles for ChaRM provided by SAP. We would like to customize roles from scratch based on testing/trace results to get accurate security access (no more or less access),
  Is this a good approach ? Which approach is normally used by companies whether they just copy standard roles and implement ?
  also, do we need to create business partner for all end users who can create support message?
  Regards,
  Salman

  thanks Andrey and Thorben.
  Andrey - We have a scenario where End users won't create incidents from solman but through satellite system via "Create support message" then our support desk team (Level2) will use the incident number and assign it to the team and support desk team can also create incidents directly through solman(so support desk team would definately need user id in solman and bp).
  Thorben - I am thinking of creating one single role per function group (like Change manager). Probably, I will end up creating not more than 6 - 10 single security roles per our function groups.
  1) End-User
  REQUESTER - who creates ticket - this is by default already there
  2) Support Desk
  (2nd level support) - who receives the ticket first or creates a new ticket and
  assigns Support team
  3) Support
  Team/ Message Processor - who process ticket and create Change Request
  4) Tech/Dev   - who updates Change Request with estimates, assigns
  developer etc. and sends it for approval - possibly CHARM
  CHANGE MANAGER without Approval capacity??
  5) Business
  Approver (NOT a CHANGE MANAGER) - should only have Change Request approval
  authorizations
  6) Developer -
  as SAP defined
  7) Tester - as
  SAP defined
  8) Operator/Basis - as SAP defined
  9) ADMIN - Together IM ADMIN and CHARM ADMIN

• Documentation for SolMan / ChaRM Security Rolls / Authorizations

  Good Day;
  I am currently setting up all the roles / authorizations for the different areas within Solution Manager / ChaRM.
  I have been looking for a u201Cdetailedu201D document on all the security authorizations for Solution Manager / ChaRM. So far the only document I am able to find is the Security Guide for SAP Solution Manager 4.0 as of SP 15.
  If there are more detailed documents, would someone point me in the right direction.
  Regards
  Don

  Thanks Roel;
  I am looking at user role authorizations.
  The first thing I want to setup is the Team leader roles.
  I need the team leader to have the ability to do the following
  1.Create Issues
  2.Create change requests
  3.Change the status of a change request to u201CIn Developmentu201D
  4.Create transports and tasks
  5.Release transports
  The Team leader will not have the authorization to u201Capprove u201C change requestsu201D 
  Thanks Again
  Regards
  Don

• ChaRM security control on action

  Hi,
  In the  correction process, we have Developer to set a correction into 'in development' status & have Change Manager to set this correction into 'to be tested' status. There are two actions between status 'in development' & to be tested'. They are 'release transport requests' & 'pass to test'. However, security is not able to control down to the action level. It is only able to control the status level (with the authorization code to each of the status).
  Status 'in development'
                     Release Transport Request
                     Pass To Test              
  Status 'to be tested'
  So, we have a situation that a developer has access to set 'in development 'that allow them to create transport & tasks; however, they also have access to Release Transport Request. This is problematic due to our auto schedule import (every 15 minutes) from dev to qa environment.
  It appeared that the authorization will control the action leading to the status change - action to perform 'pass to test' will fail due to status change.
  This is standard SAP out of box correction flow. How was intended to be used?
  Thanks
  Kalven

  Hi,
  Thanks for sharing Note 1002541 - Extended authorization checks: Single
  tasks.
  According to the note, we have applied the following:
  Object Authorization /TMWFLOW/D (Task in Development Systems)
  --> Authorization field: /TWMFLOW/T
  --> Value: not to have 3000 (Release Transport Request)
  However, it still does not restrict access on "Release Transport
  Request" action
  Does anyone able to restrict the action of Release Transport Request under In Developement status?
  Thanks,
  Kalven

• ChaRM: Role Developer needs to test in QAS system

  Hi!
  We are about to implement and use Solman ChaRM approach.
  One interesting point is:
  the developer should have the possibility within the urgent correction to test the transport in QAS system.
  If everything is ok, then the transport should go to QAS system.
  Can some one tell how to cutomize this process?
  Thank you very much indeed!
  H. Thomasson

  hi christian,
  i am currently customizing charm security, i am trying to use sap_socm_admin role and copying it to customer namespace like
  zsap_socm_developer, zsap_socm_manager etc, and trying to enforce restrictions by adding or removing auth keys under the auth object b_userstat . My problem is when i do that these roles are missing other authorizations to perform small functions like displaying logs and things like that.
  so i wanted to know if there is any role ( single of composite ) that i can use to copy for all my users and i can simply restrict the clicking on actions ( authorize CR, set in development  ..etc) by removing or adding just the auth key, i mean only the auth key...i dont care if they have auth to projects or task list or what ever i just want to restrict by the actions they can perform.
  rgds

• Roles in ChaRM

  Hello,
  Is there any way to create new roles in ChaRM? Like a Change Manager, I want to create one role say change analyst. Is this possible? How can I do that?
  Thanks and Regards,
  Rajeev

  hi ashley,
  i have the same requirement,
  i am currently customizing charm security, i am trying to use sap_socm_admin role and copying it to customer namespace like
  zsap_socm_developer, zsap_socm_manager etc, and trying to enforce restrictions by adding or removing auth keys under the auth object b_userstat . My problem is when i do that these roles are missing other authorizations to perform small functions like displaying logs and things like that.
  so i wanted to know if there is any role ( single of composite ) that i can use to copy for all my users and i can simply restrict the clicking on actions ( authorize CR, set in development ..etc) by removing or adding just the auth key, i mean only the auth key...i dont care if they have auth to projects or task list or what ever i just want to restrict by the actions they can perform.
  please advice
  rgds

• Security Authorizations in SolMan / ChaRM

  Good Day All;
  I am trying to get a handle on the security settings within Solution Manager / ChaRM.
  Would some be so kind as to point me in the direction of some documentation on this subject.
  Regards
  Don.

  Thanks Roel;
  I am looking at user role authorizations.
  The first thing I want to setup is the Team leader roles.
  I need the team leader to have the ability to do the following
  1.Create Issues
  2.Create change requests
  3.Change the status of a change request to u201CIn Developmentu201D
  4.Create transports and tasks
  5.Release transports
  The Team leader will not have the authorization to u201Capprove u201C change requestsu201D 
  Thanks Again
  Regards
  Don

• My iPad updated and wants a security code. I tried the one from my phone and it doesn't work - I never entered a security code. How can I get in now?

  ?My iPad updated and now wants a security code for access and I never gave it one. I tried code I used for my phone and it doesn't work. How can I access now?

  iOS: Device disabled after entering wrong passcode
  http://support.apple.com/kb/ht1212
  How can I unlock my iPad if I forgot the passcode?
  http://tinyurl.com/7ndy8tb
  How to Reset a Forgotten Password for an iOS Device
  http://www.wikihow.com/Reset-a-Forgotten-Password-for-an-iOS-Device
  Using iPhone/iPad Recovery Mode
  http://ipod.about.com/od/iphonetroubleshooting/a/Iphone-Recovery-Mode.htm
  Saw this solution on another post about an iPad in a school environment. Might work on your iPad so you won't lose everything.
  ~~~~~~~~~~~~~
  ‘iPad is disabled’ fix without resetting using iTunes
  Today I met my match with an iPad that had a passcode entered too many times, resulting in it displaying the message ‘iPad is disabled – Connect to iTunes’. This was a student iPad and since they use Notability for most of their work there was a chance that her files were not all backed up to the cloud. I really wanted to just re-activate the iPad instead of totally resetting it back to our default image.
  I reached out to my PLN on Twitter and had some help from a few people through retweets and a couple of clarification tweets. I love that so many are willing to help out so quickly. Through this I also learned that I look like Lt. Riker from Star Trek (thanks @FillineMachine).
  Through some trial and error (and a little sheer luck), I was able to reactivate the iPad without loosing any data. Note, this will only work on the computer it last synced with. Here’s how:
  1. Configurator is useless in reactivating a locked iPad. You will only be able to completely reformat the iPad using Configurator. If that’s ok with you, go for it – otherwise don’t waste your time trying to figure it out.
  2. Open iTunes with the iPad disconnected.
  3. Connect the iPad to the computer and wait for it to show up in the devices section in iTunes.
  4. Click on the iPad name when it appears and you will be given the option to restore a backup or setup as a new iPad (since it is locked).
  5. Click ‘Setup as new iPad’ and then click restore.
  6. The iPad will start backing up before it does the full restore and sync. CANCEL THE BACKUP IMMEDIATELY. You do this by clicking the small x in the status window in iTunes.
  7. When the backup cancels, it immediately starts syncing – cancel this as well using the same small x in the iTunes status window.
  8. The first stage in the restore process unlocks the iPad, you are basically just cancelling out the restore process as soon as it reactivates the iPad.
  If done correctly, you will experience no data loss and the result will be a reactivated iPad. I have now tried this with about 5 iPads that were locked identically by students and each time it worked like a charm.
  ~~~~~~~~~~~~~
  Try it and good luck. You have nothing more to lose if it doesn't work for you.
   Cheers, Tom

• Error while creating IMG project in solar_project_admin for the CHARM maint

  Dear Experts,
     I  am integrating the r3 system to the charm process.
  I have created the maintainenace project in SOLAR_PROJECT_ADMIN
                                             gave tha logiccal component(TMS is configured ( DEV--> QA --> PRD) .
  Now when i create teh img project for this it is throwing the error as below.
  *S:No authorization to:000 on as a trusted system (Trusted RC=1).
  Message no. No authorization to000
  \I have all the roles to my user id mapped
  Trusted rfc's
  S_RFC
  S_RFCacl
  etc......
  What might be the error................??
  my need to be create in the clients 000 for which i am omplementing the charm..........??
  What are the roles should be given in 000 client.
  Regards,
  Umesh
  jsumesh85  at  gmail

  Hi Umesh,
  Please confirm your problem by as issue with the trusted system, check the link below
  [Trouble trusted system|http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm]
  No authorization to log on as a trusted system (trusted RC = <0 1 2 3>).                                                                               
  Here, the trusted return codes ( = 0, 1, 2 or 3 ) have the following meanings:                                                                               
  1   Calling system is not a trusted system, or security                         
       ID for the system is invalid.                             
       Solution: Create (again) the trusted system (see above).
  as of in trusted system, you supposed to get the same user in both the systemm witht the respected access like S_RFCACL.
  complete explanation of trusted RFCs is in note 128447.Please follow the note
  Thanks
  Jansi

• Using AX as wireless router, how to set up w/ security and airtunes on XP

  I previously had a Linksys wireless router. I just purchased an Airport express to use as the wireless router (and remove the Linksys router) as well as use the Airtunes functionality.
  After some trial and error, I have been able to wireless connect my computer to the AX on it's own (the linksys router is now unplugged and out of the equation). I can connect to the internet fine on my PC (XP Pro SP2).
  Trouble is, when I use the Network Setup Assistant, it shows the apple network listed, but it can't connect to it, no matter how many times I try, reboot my machine or reboot the AX. I've tried both the "setting up a new network" and "editing an existing network" option, and in each selection, after a few minutes of trying to connect to the network, I just get a failure message.
  If I try and use the Admin utility, nothing shows up in the left-hand list window, and when I Press re-scan, still nothing shows (it doesn't even appear to scan).
  I'm not sure what I'm doing wrong. I can't find simple instructions on how to set up the AX as the only wireless router for a PC and set up security and Airtunes (I'm assuming enabling airtunes is done in these applications, as I haven't seen anything about that yet either).
  Any ideas on how this is done with a PC? Much thanks!
  Dell 4500 series

  I have found the 'DHCP Reservations' option on the AirPort Extreme to be buggy.  I seem to remember it causing IP conflicts for some reason.  I think what I remember is that if the computer with the reservation was off, and the DHCP server then handed out that IP to another DHCP client, then there would be a conflict when the reserved IP computer was turned back on.  Maybe it was an issue in ealier versions of the AE or OS X as the case may be, and maybe it's been corrected, but I've never bothered using it agian since the method I describe below has always worked without fail.  Also, I'm guessing DHCP Reservations would work fine if one manually enters IPs outside of the DHCP range but in the AE 'DHCP Reservation Setup Assistant' the IP options provided are within the DHCP range which to me makes no sense and increases the potential for IP conflicts.
  Here's what I do to setup a mixed environment of static and dynamic IPs on my network.  It works like a charm and does not require the DHCP server (beyond the distribution of dynamic IPs to hosts using DHCP).
  For machines on my network that are accepting services from the public network, I set them up with static IPs using the 'Manually' option (System Preferences/Network/Ethernet/Configure IPv4).  The settings for 'Router' IP address and 'DNS Server' IP address should both be set with your gateway/router LAN IP).  Use an IP address below or above the DHCP range of adresses (in AE/Internet/DHCP/DHCP Beginning & Ending Address).
  i.e. if my subnet is 10.0.1.1 and my DHCP range is 10.0.1.100 to 10.0.1.150, you could set the static IPs on your local hosts as 10.0.1.x where x = any number from 2 - 99 or from 151 - 200 as an example.
  All other machines and devices that do not require static routing are setup as DHCP clients and get a dynamic IP from the AE.  To me it's a simpler setup though it might take a little extra time to setup initially.
  John

• Cannot establish secure connection to Apple Store

  I've tried all the solutions I can find to no avail, but cannot seem to establish a secure connection to the iTunes store.  No error code just a blank iTunes Store screen and a never ending attempting connection.  Some of what I've tried:
  * Date and time correct
  * SSL and TSL checked
  * No proxy and tried to check and uncheck auto detect settings
  * Used Autoruns to be sure no other LSP providers
  * Ensured Windows Firewall has iTunes fully allowed (even reset Firewall to default and then reallowed it again)
  * Removed and/or disabled all security software to test for possible blocking
  * Reset Winsock and rebooted
  * I CAN reach secure sites in my browser just not in iTunes
  * Removed iTunes, Quicktime and any other Apple related items I could find with RevoUninstaller to look for leftover entries, rebooted and reinstalled (several times)
  * Cleaned all cookies, caches and old registry entries
  * Machine is free of all malware
  This only happens on one computer so I know it's not my account.  It happened out of the blue (well, I'm sure it was related to something...a Windows update, an update of something....but I didn't associate it at the time so I do not know what).  I know another person who had the exact same symptoms out of nowhere and has very different software from me (and a totally unrelated account to mine) so I suspect a Windows Update but I don't know which one.
  Specs:  Windows 7 64-bit  iTunes 10.6.3   AV is Microsoft Security Essentials with realtime Malwarebytes
  When I open iTunes it takes a very long time to load, system becomes sluggish, and then when it finally does load, it simply will not connect to the store and it will not recognize any iPhone or iPad I try to sync.  When I run the diagnostic the only information it seems to contain that is pertinent is that I can't establish the secure connections. In Safe mode iTunes will start more quickly but since I cannot start Apple service in safe mode I cannot connect to the iTunes store that way.  (I have however, disabled all but the most essential startup items and the long load in normal boot still remains).
  I'm at a loss. I've Googled and searched the forums here and tried every plausible thing I could find but nothing seems to work.  Any further ideas are welcomed.  I was going to try an older install of iTunes but older versions won't read a library created in a newer version. I would really like to sync some new items to my devices and since the computer won't sync to the cloud as it can't log in - I'm kinda stuck at the moment.  It's really frustrating. I'll be glad to post diag logs if anyone things it will really help.
  Many thanks for any additional ideas!

  I finally went into my services and looked at every service that wasn't set to start automatically and read the description.  If it sounded like it could be enabled safely (obviously that was a decision I had to make for myself and the security of my machine) I enabled it and set it to start automatically. Anything with regards to peer to peer, internet related, and homesharing was certainly something I considered.  There was also a service called IKE that was stopped for some reason that was recommended never to be stopped.  I personally enabled over 35 different services.  Somewhere in there (and I have no idea which service or combination of services) it fixed my problem.  The interesting part was that I never went in and stopped any of these services or changed the status on my own, so I have no idea where they got changed - and nowhere in any of the reinstalled did Apple products set the services back to what they needed them to be.  Go figure.
  As an aside - Bonjour was enabled AND running but iTunes kept telling me it wasn't.  That is what started my search in the services to start with.  I did try iTunes support but they were less than helpful and directed me back to all the same tech bulletins or to call for paid support - which I wasn't about to do for a free program that just stopped working.
  iTunes is now opening like a charm and is connecting perfectly for me.  Obviously, this is something you'd want to do with caution and I'd suggest that before you blanket go and do as many as I did that you might want to carefully select the ones that you look at setting.  My first reboot took a bit but after that things have been running smoothly.  Your mileage may vary and take this with caution.  You may want to enable a few at a time and test instead of doing what I did.

• Solution Manager 4.0 Security

  Hi all,
  If anybody has experience with the Solution Manager 4.0 Security, could you please share the list of authorization objects used for implementation of Solution Manager for the following scenarios:
  1. Implementation & Distribution,
  2. Roadmaps,
  3. E-Learing,
  4. Service Desk,
  5. ChaRM (Change Request Management),
  6. Solution Monitoring,
  7. Diagnostics,
  8. Solution Reporting.
  I would appreciate your help in this regard.
  Thanks

  Hi Balaji,
  here is a list of roles in solution manager:
  http://help.sap.com/saphelp_sm40/helpdata/en/f9/35023b6b33162ee10000000a11402f/content.htm
  Hope that helps,
  Frank.

• RICEF Security - best practice to develop security specs

  Good Morning All,
  We have new ECC implementation kicked off, my question is how RICEF security is controlled? What are the standard guidelines practised in industry?
  We are encouraging process teams to start use authorizations checks in custom transactions where ever necessary, ABAP team says this is in discreation of BP, ABAP will enforce checks if Business Process(BP) ask.
  I not sure if BP will take that extra time to think on authorization checks for RICEFS, we security team offered help to BP saying we can help on finding appropriate auth objects for their RICEF objects.
  As we cannot really enforce this or push hard, I am trying to think what is best way to get this in place.
  What I think is for some custom tcodes, which are low risk reports there is really no need to induce 2nd level check(1st level being S_TCODE) but my concern is this should not be taken for granted.
  I would like to hear suggestions from group.
  Thank You.
  Edited by: Julius Bussche on Apr 22, 2011 5:46 PM
  Subject title made more meaningful.

  Their job is to make it work and security is very often seen as a barrier
  This is very unfortunate but often true Security can however also offer cool solutions to spagetti code and defunct requirements!
  As you correctly state, the reason is often lack of training, awareness and being under pressure from deadlines and complexity. I also suffer under this but have with time learnt that "right first time" is the best way.
  The ideal solution IMO would be to integrate the authority-check statement into both the external and internal license meaurement.
  - A program without any authority-check is freeware because anyone can run it.
  - A program with a display auth check run by a user with display authorizations costs 1 cents each time.
  - A program with change / create checks run by a user with change / create authorizations costs 2 cents each time.
  - A program with delete checks run by a user with delete authorizations costs 5 cents each time.
  - Any program with any checks run by a user with FROM --> TO ranges in authorizations costs 20 cents each time.
  - A program with a display auth check run by a user with SAP_ALL costs 100 cents each time.
  - etc...
  This way, developers will add as many appropriate checks to their code so that it generates revenue from the application. Business process owners will try to restrict the authority-checks to only those really needed and will restict authorizations as much as possible to exact values when testing their roles.
  Would work like a charm... but I'm sure there is a catch somewhere... 
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 24, 2011 12:07 AM

• I was having problems connecting to my internet at home with my 4s.  I tried many of the suggestions.  Nothing worked.  I did not want to sit on the phone with apple etc trying to fix it.  I bought a router extender.  It worked like a charm.

  I just want to let those of you who have problems connecting to home internet.  I had same problem with my 4s iphone and tried many of the suggestions here as well as on the internet.  Then I found something called an internet extender. Bought it and worked like a charm.  It was worth the $60 I paid.  No more hours of trying to figure it out.  I don't know if this will work for anyone else with this problem but if it helps you I'm happy

  I would recommend that you do the following as a minimum:
  Power-down the modem, AirPort Express base station, and computer(s).
  Power-up the modem; wait at least 10-15 minutes to allow it adequate time to initialize.
  Power-up the Express; wait at least 5-10 minutes. Note: The AirPort's status light may continue to flash amber after it has initialized. That is because, there may be some additional configuration items necessary, like setting up wireless security, before the overall setup is completed to get a green status.
  Power-up your computer(s).
  In this basic configuration, the Express will broadcast an unsecured wireless network with a Network Name (SSID) of Apple Network NNNNNN. Network clients, connected to the base station either by wire or wireless, should now be able to access the Internet through the ISP's modem. Once Internet connectivity has been verified, you can use the AirPort Utility to configure the base station for wireless security and any other desired options.
  If the above steps do not solve the problem, start over with step 1 above, but then perform the next steps between steps 1 & 2. above.
  Disconnect the Express from the Internet broadband modem.
  While all of the devices are powered-down, perform a "factory default" reset on the Express. This will get it back to its "out-of-the-box" configuration and make setting it up much easier, especially if you use the "Assist me" process within the AirPort Utility. (ref: Resetting an AirPort Base Station or Time Capsule)
  After the base station resets, go ahead and power it back down.
  Reconnect the Express to the Internet broadband modem. For the 2nd generation Express, be sure to connect the cable to the base station's WAN (circle-of-dots) port.
  Continue with step 2 in the first set of steps.

• Queries on SAP Solution Manager ChaRM & Service Desk

  Hi All,
  I have couple of queries on ChaRM and Service Desk. Request your expert advice.
  1.     As we know it is possible to create a change request from service desk ticket. Now I want to know if it is possible to have a dependency between the Service Desk ticket and corresponding ChaRM request so that till the time the change request is not closed/ Abandoned, the service request cannot be closed.
  2.     Can a ChaRM change request can have multiple change documents attached to it and if yes how the status of the change request is determined. If we can create only one change document then is it the case that we can handle changes in only one satellite system with one change reuest. Example u2013 2 change requests are required if changes required in ECC & BI system for same incident.
  Thnaks.
  Best regards, Vithal

  Hi Sanjai & all,
  Now I want to know some of the scenario where we are required to have multiple change documents. As we know once the change document has got created it is not possible to change the change request. Also in the change document we have certain actions (e.g. quality team approval) which we get on change level and not for each document. Please let me know how this will be possible in case we have multiple change documents getting created (say one for development team, other for customizing team and one for security team).
  So in all we have a scenario where some actions are happening at change request level - then some changes at change document level (have multiple change documents)u2013 then again some actions which we want to do on the collective change (will not mind in doing at change document level).
  Thanks for all your pointers.
  Best regards,
  Vithal