CUA Security

Hi,
I am working with CUA systems and I want to set a security lock in such a way that, when I do the transports, I don't want the user assignments to get transported to the target system and the existing ones getting replaced.
Thanks

Hi,
I think you can do these settings in the control table PRGN_CUST.
This table must contain the entry USER_REL_IMPORT = NO.
Bye

Similar Messages

  • CUA security question

    Hi,
My company has decided to use only one CUA for both productive and non-productive systems (dev, test, ...). What are the security issues or risks of this kind of setup? Same question for SAP SolMan for both production and non-productive systems.
    Thanks.
    Regards.
    Philippe.

    Hi
From a security point of view Julius is quite right. Furthermore, by creating one CUA for test and development and another for productive use, you will also gain the option to test changes to your CUA landscape before migrating them to production.
From a more pragmatic point of view I must admit that I have created many "only-one-CUA" solutions. This will give you the advantage of a single point of user maintenance, but if you do so, make sure that your master system is installed on a system with the highest possible security level, and that is, I guess, your productive system or a dedicated CUA system.
And remember, a new client on test, development or SolMan will not provide that level of security, unless you can ensure that level of security on all clients on the system.
    Regards
    Morten Nielsen

  • MDM Portal CUA Security

    Hello Experts:
    We have a scenario as below.
1) Enterprise Portal with Windows NTLM and using CUA for the user base.
2) MDM 5.5 SP4 needs to be integrated.
3) The R/3 is 620.
1) How can we authenticate the portal/CUA user in MDM?
2) How can we create users in MDM automatically while creating them in CUA?
    Please help.
    Please let me know for any more details, I can send.

    Hi Sabari,
MDM at the moment does not support SSO based on any standard mechanism. The only option is using the User Mapping facilities of the portal (http://help.sap.com/saphelp_nw2004s/helpdata/en/69/3482ee0d70492fa63ffe519f5758f5/frameset.htm).
See also the MDM docs:
service.sap.com/nw04operation -> MDM, about MDM 5.5 Portal Content Installation (PDF in service marketplace: https://service.sap.com/~sapidb/011000358700004656462006E).
This is a known limitation and the MDM people are working on it.
    Regards,
    Patrick

  • Sap-security: Myths about CUA

Can anybody please tell me, what is the process of creating/maintaining CUA by an SAP security admin?
    Edited by: Julius Bussche on Oct 15, 2010 10:41 AM

Not sure what you meant by that "wilderness" comment... (though I use it myself sometimes)
    I have a customer implementing new systems on release 7.10 so they have no legacy CUA or coding etc.
    They are using CUA from SolMan for all logical systems (ERP; BW, PI, SolMan) with the exception of the ERP productive client where the users are provisioned via SAML (currently external ID mapping for initial loads, later federation).
    We have 3 million SU01 users...
CUA is very robust, and if you understand how it works and what the tweaks are then it works like a charm.
    Even when the "C" in "CUA" becomes a hassle with decentral admin requirements (user groups are a classic example in the master) then there are simple ways to deal with most of them in SHD0.
If you have already consolidated your systems or are even implementing new ones, then you should not exclude CUA as an option.
    My benchmarks are:
    -  CUA is easy to implement but requires a central guru for the tool. A knowledgeable admin can get it up and running in a few days.
-  IdM is in fact a development environment and not only a tool. It is an organizational project (possibly beyond company boundaries) which an admin cannot perform on their own.
    Depending on the requirements and systems in the landscape, you choose the tool.
    CUA is not obsolete!
    Cheers,
    Julius

  • SAP Security CUA

    Can someone please help me get answers to differences between
    CUA : Light version
    CUA : Full fledged version.
    I was only aware of CUA, was not aware of anything called Full Fledged version.
    If somebody knows a thing or two about these can you direct me to a link that explains them or would you be kind enough to reply to this thread with the answers.

    Raghu,
    Sorry, I was in a hurry when I replied.
I was asked about this by my manager; he wants me to find out more about this. I did tell him that I had never heard this term before.
So I am not sure if it was just made up or whether it genuinely exists. I have done a lot of searching myself but have not landed on anything as of yet.
    But everyone thanks for your help and please let me know if you find something on this, I will do the same.

  • Security interview questions - some fun to tickle your brain.

    Hello gurus,
    I know that posting interview question series are not allowed if the person has not put in any effort, but I have and folks seem to want to practice a bit sometimes so I take the liberty of creating a central one.
    Tackle one or all of them to test your knowledge.
    There are no model answers.
    If you want to suggest additional ones, then please contact me.
    The rules
    Flaming of answers is allowed.
    Funny answers earn a beer (or cup of tea).
    There are no points.
1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
2) What is the use of transaction PFUD at midnight?
3) Is PFUD needed when saving in SU01 and does the user need to log off and on again after changes?
4) How are web services represented in authorizations of users who are not logged on?
5) How do you force a user to change their password and on which grounds would you do so?
6) What is the difference between SU24 and SU22? What is "original data" in the SU22 context?
7) When an authorization check on S_BTCH_JOB fails, what happens?
8) Can you have more than one set of org-level values in one role?
9) Should RFC users have SAP_NEW and why?
10) What is an X-glueb command and where do you use it in SAP security?
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
12) In which tables can you make customizing settings for the security administration, and name one example of such a setting which is useful but not SAP default?
13) Can you use the information in SM20N to build roles and how?
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
15) Name any one security-related SAP note and explain its purpose or solution.
16) What are the two primary differences between a SAML token profile and an SAP logon ticket?
17) Where do you configure the local and global settings of the CUA and what are the consequences of inconsistent settings?
18) If you have users in different systems with different user IDs for the same person, what are your options to manage their authorizations centrally?
19) Explain the use of the TMSSUP* RFC destinations and the importance of the domain controller.
20) Why should you delete the SAP_NEW profile and which transaction should you use before doing so?
    To be continued...

I have one year experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use Google or any of my systems for reference!
1) When PFCG proposes 3 activities but you only want 2, how do you fix this? Best answer is to modify your SU24 data.
2) What is the use of transaction PFUD at midnight? Removes invalid profiles from user records.
3) Is PFUD needed when saving in SU01 and does the user need to log off and on again after changes? PFUD is not needed and the user needs to log off and back on again.
4) How are web services represented in authorizations of users who are not logged on? ??
5) How do you force a user to change their password and on which grounds would you do so? SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.
6) What is the difference between SU24 and SU22? What is "original data" in SU22 context? SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.
7) When an authorization check on S_BTCH_JOB fails, what happens? "You do not have authorization to perform whatever operation you are trying to perform." message. HAHA
8) Can you have more than one set of org-level values in one role? I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....
9) Should RFC users have SAP_NEW and why? No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.
10) What is an X-glueb command and where do you use it in SAP security? ???
11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this? Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.
12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default? ???
13) Can you use the information in SM20N to build roles and how? You could, I guess. Not a good practice though. Build roles based on business processes.
14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do? Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.
15) Name any one security-related SAP note and explain its purpose or solution. Don't know the number off hand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.
16) What are the two primary differences between a SAML token profile and a logon ticket in SAP? ??? I know what these are but have no experience with it.

  • Interaction of BW Roles and BWA Explorer Security

We secure all our BW users via roles. These roles have analysis authorizations embedded in them which restrict access to specific InfoProviders and values in these based on authorization-relevant InfoObjects.
When we try to create a BWA Explorer object in RSDDTPS we are forced to assign a user ID and an analysis authorization directly in the "Authorizations" tab. Our security group only wants to assign roles to users, either via SU01 or CUA.
Configuration
BO 2008 Enterprise Server (connected to BW system)
BW system (NetWeaver 7.01 EHP1)
BWA 7.2
1) How can we create BWA Explorer objects on an InfoProvider without directly assigning users in the Authorizations tab, and how can we make the system ignore whatever is on this tab and base access to a BWA Explorer object on the roles assigned to the user via SU01/CUA?
2) If a user has roles assigned in BW that give them access to a specific InfoProvider, will this automatically also give them access to a BO Server published BWA Explorer object built on that InfoProvider? Related to this, do we also need to import the same roles and assign them to the user in the CMS server with a link to the BWA Explorer Server, or does the user automatically get access to BWA Explorer as long as BWA Explorer is published on the BO Server?
3) If the user in BW is assigned roles that limit values based on an authorization-relevant object, is this restriction enforced in the values returned in the published BWA Explorer for the user? Example: the authorization-relevant object is Profit Ctr and the user has two value roles; one contains access to all profit centers that roll up to a hierarchy node limited to the USA, and the other contains a hierarchy analysis authorization limiting access to all profit centers rolling up to the hierarchy node representing Europe. When a user accesses the BWA Explorer object which contains Profit Ctr, will the values be limited only to USA and Europe profit centers, or will the BW value-based security be ignored?
Please provide advice on the above questions and document resources on how BW role-based security interacts with BWA Explorer.

    Hi Expert,
    I need a solution for same scenario, anyone can give inputs.
    Regards,
    Ganesh

  • How to cleanup the CUA entries

    Hi all,
I'm in the process of doing some client cleanup prior to an upgrade project. I am also just learning about the CUA system, so I have been reading through the docs.
Our landscape:
UTL - Solution Manager and CUA (7 EHP1)
DEV - Development (ECC 5)
QAS - Quality (ECC 5)
PRD - Production (ECC 5)
This was set up about 5 years ago during the initial implementation, and little has been done to manage the CUA child entries to match up with client usage changes over that time. At this point, security uses CUA for some clients and local user admin for others. When I use t-code SCUA I get the message "CUA definition is inconsistent, for repair see long text." And I believe the issue it is complaining about is that there are child systems still defined in CUA that don't exist, or no longer have a connection.
I'm wanting to remove these old child systems, and will delete the actual clients where they exist after removing them from CUA.
What I'm not too clear on yet is what happens after I go through the steps on the central system:
    a.     T-CODE SCUA
    b.     T-CODE WE20
    c.     T-CODE BD64
    Since I'll be deleting the associated clients on the respective system, do I need to do the steps for deleting a CUA child on the local system as well?  Then delete the client?
    At some point I'll be adding the new CUA child entries for the actual/used clients as well.  But I thought I'd go through the delete process first.
    Any corrections or clarifications as to what I'm attempting to do will be much appreciated!
    Thanks
    Laurie McGinley

    Thank you Bree,
    So as I understand you, I do not need to run through the WE20 and BD64 transactions to remove them from the distribution model IF there may be a chance we could recreate the associated client on the source system. 
    So... for example...
    I want to get rid of DEV:700 now because we no longer use it.  The CUA child is DEVCLNT700.  I can use the report RSDELCUA and delete the child which removes it from the CUA list.  I can then delete the actual client DEV:700.  In a year, when we decide we want that client back for testing, I can create the client, and add it back to the CUA landscape screen and run SCUG.
    If, however, we decide we won't be recreating that client in the future...
    I would need to run the report, delete the cua child... and here is where I'm unclear.  Do i need to run WE20 and BD64 in the central system before doing the actual client delete?  And if so, do I need to do the steps at the client system for removing a child from CUA before I actually delete the DEV:700 client.
    Hope this isn't too confusing...
    Thanks
    Laurie

  • [Initial Password] CUA vs IdM

    Hi,
Please correct me if I am wrong: when the CUA changes the password in the child systems, it is set as initial. It means that, on the first logon, the user has to change it.
    Is there a possibility for IdM to set "definitive" password. It seems so to me after reading
    |                     |        CUA        |  Identity Management       |
    | Password management | Initial passwords | yes incl. workflow support |
    in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
    Thanks in advance.
    Best regards,
    Guillaume

IdM can only do what SAP permits. Depending on how one is authenticating determines the password policy. An initial password, an expired password and a password reset by an administrator all set the same flag. The user must change their password on next logon. The only way around this is to write directly to the DB with SAP's hash. A terrible idea and a big security risk.
    UME uses a delegated model so the password policy depends on what you are authenticating against.  This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

  • Synchronization beetween CUA x LDAP - Can it use paged queries?

I'm using the synchronization process between LDAP (Microsoft Active Directory) and CUA (ECC 6.0). I'm having problems with a specific Microsoft best practice. This best practice allows reading only 1000 objects in one query; in order to get the next 1000 objects, you have to make a new query.
I've already opened this parameter to more than 1000 objects, and then everything works well. However, when we received Microsoft consultants and auditors, they strongly advised us to return this parameter to the default of 1000 objects due to security issues.
So my question is: "how can SAP support it?" Does the transaction rsldapsync_user have any configuration to support paged queries?

Notes 1000644, 807846 and 584121 discuss this issue.
You can activate the paged search with the command-line parameter "-pagesize" as mentioned in these notes.

  • System Landscape security

    Hi,
    We have a system landscape having systems based on Java stack(EP,BI Java), Java+ABAP(XI,SRM) stack and ABAP(ECC) stack.
    We have Windows Active Directory as the LDAP server.
    We need to implement a security concept for the entire landscape.
    Requirement is to use single sign-on and LDAP. We also want to use Windows integrated authentication.
    Could someone please answer the following questions:
1. Recommended data source for users and role assignments? (LDAP, ABAP, UME)
2. Can/should CUA be used to manage the users of Java stacks?
3. Any other recommendations / learnings?
    Basically, I need to know an optimal/tested solution for implementing security in such a complex landscape.
    Thanks.

    Rohit,
    If you go to https://websmp207.sap-ag.de/security and navigate to 'Security in Detail' on detailed navigation, you will find relevant information.
    There is also a security guide on /NW2004s. Related documents you can find at
    https://www.sdn.sap.com/irj/sdn/docs?rid=/webcontent/uuid/dfb47ddd-0901-0010-a9b4-c0cce1277616
    Regards,
    James

  • How to create automatically users&roles in CUA and in chlid systems?

    Hi,
I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
I need to create a web application to create test users and training users automatically in CUA and see them in the R/3 child systems, and at the same time to create roles automatically in CUA and the R/3 child systems for those users (we suppose that the role is already stored in a table).
Are there any standard BAPIs or function modules that can do this job?
Can the role created automatically in CUA be seen automatically in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • CUA, SSO and Portal

    Hi Guys,
    I'm a security guy, with CUA, Portal and SSO - but when it comes to installation of CUA and SSO with Portal, I have some gaps in my knowledge, so I could use a little help.  Thanks in advance.
    My client is implementing a non SAP SSO solution.  As I've seen it before, it would be best to have that solution authenticate to the EP, and have EP issue tickets to the various SAP systems, and set up the SSO in that fashion.  Would I be correct in my line of thought and do you have any more information on this?
    Second, in my experience, CUA and SSO are quite separate, and so you don't need to implement one prior to the other.  Would I be correct on this line of thought as well?
    Third, on the Portal, is there a note number or a document from SAP that illustrates how to go about integrating Portal into CUA?  I know that the portal roles are Java based and assigned via the UME, whereas CUA would have regular SAP roles. 
    Thanks,
    Santosh Krishnan

    Damn. You were faster than me, but I still want to add a comment.
Santosh et al. are not migrating a CUA to an IdM - this migration is easily done by adding the IdM as the "front-end" to the CUA and then switching the managed systems over to direct provisioning one at a time, without stress. That is standard procedure and works.
    What is being done here is to implement a CUA for the business logic of the ABAP systems and use "catching screens" as the front-end to be able to distribute the password to non-ABAP systems as well simulate a "real" IdM with a crow's nest of overhead in the background for the basis folks to take care of and maintain.
    Not a good idea, and I can already see all the "catching IDocs" involved, or even the dependency on being able to do so.
    Clear design error (in the year 2010) and bad investment in available technology (in the year 2010 as well).
    I would go for an IdM (regardless of the vendor) with all the agents supported for current and planned systems' APIs being used (regardless of the vendor) and a standards based SSO technology compatible with the various worlds on site (as regardless as possible of the legacy vendor support).
    Whether that is PSE's, Kerberos or SAML does not really matter much when decentral password synchronization is still considered as an option for human owners of system identities.
    Hopefully Santosh will keep us updated, but I would also understand if this for what-ever reasons was not allowed.
My customers also don't permit me to post everything while they are still using the odd FM or two...
    Cheers,
    Julius

  • CUA issue; after roles are removed systems assigned to users remain?

    Hello,
    I've had this specific issue with CUA for some time, but haven't needed to try and resolve until now.
    The problem is this:
    - after security roles for a user have been removed for an entire system, in the system tab entries remain.
    - this results in the user account remaining in the child system, even though there are no security roles assigned.
    I have tried removing system entries once all roles are removed, however after saving the changes I see that the systems still exist.
    So, can anyone comment on why this happens? Is there an SAP note to resolve this?
    Appreciate the feedback.
    Paul

    Paul Vipond wrote:
    Thanks Julius.
    My intention is not to delete users. What I'm expecting to happen is that after I remove all the roles assigned to user for a specific child system, that user should not exist in the child system anymore.
    If you delete the system assignment for a child system, A deletion of the user in that system will happen.
    Paul Vipond wrote:
    This is the way it has worked for many child systems, but not all. For me it's specifically my production systems where a user account remains after all the roles have been removed.
    In dev/test systems I've removed all roles assigned to a user and after saving their account no longer exists in those dev/test systems.
    Make sense?
If that is so, that is a bug in your dev/test system. I suggest to open an incident with SAP then.
    It should work like in a standalone system.... Removing all roles there will never lead to a deletion of that user!
    b.rgds, Bernhard

  • CUA Landscape

    Does Position Level Security really work with CUA?
    I would like to setup two landscapes for CUA.
    One CUA for Test/Sandbox and put it on Solution Manager using User Level Security.
    One CUA for Prod/QAS using Position Level Security residing on the ECC 6.0 Dev Box.
    I realize the HR ORG Model is needed for Indirect Role Assignments or Position Level Security, so I'm told CUA should reside on the same client as the HR ORG Structure.
    Our Tech Lead here wants to use one CUA for all of the clients and put it on Solution Manager. 
    My question to you folks, how much sense does this make to use one CUA and place it on Solution Manager?

    > I'm not sure what you mean by DEV being a bit of
    > shambles, but I would think if you are provisioning
    > users, you would want to use User Level Security in
    > one CUA and Position Level Security in the other CUA
    > to keep the provisioning methods separate.
I just mean that the level of thought and design that goes into a production system doesn't seem to go into the non-production systems. So, position-based security is less feasible due to design. You are right in that if you want user-level security in non-prod, then it is best to use a non-prod CUA for that. Have a prod CUA for the position-based security.
    > Justin, are you using two CUA's?
    I work for many clients, so I have used both 1 CUA system and 2.
    >
    > Did you need to set up a lot of composite roles?
    Not normally.  I design top-down.  That is, I define 'job' level roles rather than activity level roles.  I would normally end up with about 100 roles for a large organisation, which are then derived as per their business units.  I would expect no more than 1000 roles for a very large organisation.
    >
    > One last question, do you have a list or cookbook on
    > how to set up the composite roles with Indirect user
    > assignments or know where I can find them?
    Unfortunately, the information on this in help.sap.com is just impossible to understand.  I just re-read it then and it still doesn't make sense to me!  If you have CUA set up in a sandbox or something, I would just run PFCG, and there is a menu item called 'read from RFC' or something like that.  Run that, and then the single roles from the child systems are available to you to put into your composites.
    >
    > Sounds like you have CUA working really good there!
    >
    > Your answers have been helpful!
    >
    > Thanks!
