How does my role as a SAP SECURITY ADMIN dfiffre frm upgrade n implementati
hi Gurus ,
i am new to this Security i just want to know how does my role as a security admin differ ..in a implementation project and in a upgrade project ........pls answer this ..............n can i get any doc abt the tables n the objects .............related to security ....................... any links or docs u can mail me at [email protected]
thank you
A few inputs from my end....
Implementation --> starting from role naming conventions to role design,sod conflicts, master child relations and documentation.
Upgrade --> If from 4.0 versions to higher versions then its something similar where we convert profiles to Roles and then redesign them to SOD conflicts..
But in case of higher upgrades then the java component access and the segregation of duties for these components as well have to be considered...
Hope it helps...
Vbr,
Sri
Award points for helpful answers
Similar Messages
-
Advice needed: what does your company log for SAP security role changes?
My client has a situation where for many years, they never logged changes to SAP security roles. By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!! Sadly their ticketing system is terrible, completely free-form text and not even searchable.
Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system? I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations. It's really weird but they will get into big trouble eventually without any logs for security changes!Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I have questions:
a) Do you want to make things straight
b) Do you want to implement a versioning mechanism
c) You cannot implement anything technical, but you`re asking about best "paper" practise?
The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
PFCG transaction usage will be curtailed to minimum if implemented fully.
Do we really want to do things "outside" PFCG?
@all:
a) do you guys use custom approval workflows for roles?
b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
c) who is a friend of GRC here, raise your hand
Cheers Otto
p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild -
How does the purchase process of SAP C4C work?
Hello,
we need some information about the purchase process of the SAP C4C System.
Now we have access to our own C4C System and we are trying to configure it. But what are the next steps? How do we get the productive system? How does SAP transfer the test data to the productive system? where do we get our development system? ....
Does anybody have any experience with the first C4C implementation?
The information we get from SAP confused even more than helped.
Thanks and regards
SuitaHI Suita
If you are still looking for help, we specialise in Cloud for Customer implementations and have been through this process. You can contact me at [email protected]
There are a number of assets available on the service marketplace. While you may need advice, I do not believe that consulting services are a mandatory part of the C4C setup, having said that SAP ideally will have discussed some options during the software selection process.
Are you implementing SAP C4C standalone or with integration to any other system?
Regards
James. -
How does execute PHP Script from SAP?
I've already installed SAPRFC and run SAP Function from PHP successfully. But failed when tried execute PHP script from SAP (SM59). Anyone can help me for a clear instruction for this problem?
ThanksHi Max,
here is the Source:
[code]
#!/usr/bin/php -q
<?php
// SAPRFC - Server example
// PHP server function RFC_READ_REPORT
// Require: CGI version PHP, RFC destination defined in SAP R/3 (SM59)
// http://saprfc.sourceforge.net
// Interface definiton for RFC_READ_REPORT
// (generated by saprfc.php - option Generate PHP)
$DEF_RFC_READ_REPORT = array (
array (
"name"=>"SYSTEM",
"type"=>"EXPORT",
"optional"=>"0",
"def"=> array (
array ("name"=>"","abap"=>"C","len"=>8,"dec"=>0)
array (
"name"=>"TRDIR",
"type"=>"EXPORT",
"optional"=>"0",
"def"=> array (
array ("name"=>"NAME","abap"=>"C","len"=>40,"dec"=>0),
array ("name"=>"SQLX","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"EDTX","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"VARCL","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"DBAPL","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"DBNA","abap"=>"C","len"=>2,"dec"=>0),
array ("name"=>"CLAS","abap"=>"C","len"=>4,"dec"=>0),
array ("name"=>"TYPE","abap"=>"C","len"=>3,"dec"=>0),
array ("name"=>"OCCURS","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"SUBC","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"APPL","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"SECU","abap"=>"C","len"=>8,"dec"=>0),
array ("name"=>"CNAM","abap"=>"C","len"=>12,"dec"=>0),
array ("name"=>"CDAT","abap"=>"D","len"=>8,"dec"=>0),
array ("name"=>"UNAM","abap"=>"C","len"=>12,"dec"=>0),
array ("name"=>"UDAT","abap"=>"D","len"=>8,"dec"=>0),
array ("name"=>"VERN","abap"=>"C","len"=>6,"dec"=>0),
array ("name"=>"LEVL","abap"=>"C","len"=>4,"dec"=>0),
array ("name"=>"RSTAT","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"RMAND","abap"=>"C","len"=>3,"dec"=>0),
array ("name"=>"RLOAD","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"FIXPT","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"SSET","abap"=>"C","len"=>1,"dec"=>0),
array ("name"=>"SDATE","abap"=>"D","len"=>8,"dec"=>0),
array ("name"=>"STIME","abap"=>"C","len"=>6,"dec"=>0),
array ("name"=>"IDATE","abap"=>"D","len"=>8,"dec"=>0),
array ("name"=>"ITIME","abap"=>"C","len"=>6,"dec"=>0),
array ("name"=>"LDBNAME","abap"=>"C","len"=>20,"dec"=>0)
array (
"name"=>"PROGRAM",
"type"=>"IMPORT",
"optional"=>"0",
"def"=> array (
array ("name"=>"","abap"=>"C","len"=>40,"dec"=>0)
array (
"name"=>"QTAB",
"type"=>"TABLE",
"optional"=>"0",
"def"=> array (
array ("name"=>"LINE","abap"=>"C","len"=>72,"dec"=>0)
// Create list of PHP server functions
$GLOBAL_FCE_LIST[RFC_READ_REPORT] = saprfc_function_define(0,"RFC_READ_REPORT",$DEF_RFC_READ_REPORT);
// PHP server function
function RFC_READ_REPORT ($fce)
$REPORT = saprfc_server_import ($fce,"PROGRAM");
saprfc_table_init ($fce,"QTAB");
$fd = fopen ($REPORT,"r");
if (!$fd)
return ("NOTFOUND"); // raise exception "NOTFOUND"
while (!feof($fd))
$LINE = fgets ($fd,73);
saprfc_table_append ($fce,"QTAB",array("LINE"=>$LINE));
fclose ($fd);
saprfc_server_export ($fce,"SYSTEM","PHP");
return (true);
// Call script with: ./server.php -a phpgw -g hostname -x sapgw00
$rfc = saprfc_server_accept ($argv);
// Dispatch one function call
$rc = saprfc_server_dispatch ($rfc,$GLOBAL_FCE_LIST);
saprfc_close ($rfc);
?>
[/code]
Regards
Gregor
Message was edited by: Gregor Wolf -
can anybody plz tell me, what is the process of creating/maintaining CUA by a sap-security admin?
Edited by: Julius Bussche on Oct 15, 2010 10:41 AMNot sure what you meant by that "wilderness" comment... (though I use it myself sometimes
I have a customer implementing new systems on release 7.10 so they have no legacy CUA or coding etc.
They are using CUA from SolMan for all logical systems (ERP; BW, PI, SolMan) with the exception of the ERP productive client where the users are provisioned via SAML (currently external ID mapping for initial loads, later federation).
We have 3 million SU01 users...
CUA is very rubust, and if you understand how it works and what the tweaks are then it works like a charm.
Even when the "C" in "CUA" becomes a hassle with decentral admin requirements (user groups are a classic example in the master) then there are simple ways to deal with most of them in SHD0.
If you have already consolidated your systems or even implementing new ones, then you should not exclude CUA as an option.
My benchmarks are:
- CUA is easy to implement but requires a central guru for the tool. A knowledgeable admin can get it up and running in a few days.
- IdM is infact a development environment and not only a tool. It is an organizational project (possibly beyond company boundaries) which an admin cannot perform on their own.
Depending on the requirements and systems in the landscape, you choose the tool.
CUA is not obsolete!
Cheers,
Julius -
Role of SAP security design consultant
Hi All,
what role does a SAP HR (SAP Security Design) Consultant play?
how different is it from a regular SAP HR?
pls let me know
regards,
PratikWhat i assume is you will have to understand different roles of users in that company who will need access to Hr system, and classify under catogories, set up roles and define authorisation profiles, set up structural authorisations based on clients requirements.
as far as HR is concerned you need to understand different authorisation objects,roles, profiles available in standard SAP ystem and set up new ones add some additional privileges etc whereever required. get your self familiar with various HR authorisation Objects etc.
Also lil bit of user management, reporting on Infoytpes, tracking changes, modiufication to business critical transactions etc. -
How does XI pick up idoc-file sitting in SAP?
Hi All,
Our scenario is SAP (Idoc) --> XI --> Bank(FTPS). We are creating idoc-file in SAP system and want transfer this file using XI to bank FTP server.
This what we done in SAP system:
1) Created FILE port pointing to physical directory in SAP system
2) Created Partnet Type B (bank) partner profile
Created i/b and o/d interface in XI refering Idoc. Now configuring sender file adapter....Can I pick up file in SAP system using NFS?? How does it work?
What is the best way to do this scenario by using XI?
Thx
NavinNavin,
Create a File port in WE21. Also give the directory and file name in the physical directory. When ever you have created the partner profile you have to give the Recevier Port. Give this as your File port which is created above.
Then in the corresponding directory you will have a Flat Idoc. Then pick this file with XI and send to the Bank as FTP. You dont need anything in IR. Only you need is ID. Check this for some help on how to use XI for FTP purpose:
/people/shabarish.vijayakumar/blog/2006/04/03/xi-in-the-role-of-a-ftp
---Satish -
SAP Security Report for single and composite roles
Hi
I have a requirement to create a cutomize report in SAP Security.
I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.
But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.
Please advise.
Thanks
Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
Subject title improvedI though of seperate selection options for singles and composites, but you also said:
> But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
My suggestion would be to build better single roles, but that is just me...
Cheers,
Julius -
SAPJSF user role - does it have to be SAP delivered name ?
Hi Folks,
Security question - We are upgrading to EP 7.0 . The SAPJSF user ( in ABAP system) has the role SAP_BC_JSF_COMMUNICATION_RO.
Does the Portal need this exact named role ? If so ..can it be changed in the
Portal end ?
Our policy with roles is not to use the SAP delivered - so we copy and change
to our standard . Will the portal recognize a different role on the SAPJSF user.
This note got me thinking on this 908911
Thanks for input ! DanAh, yes. It does read the role. It displays this role in the UME user interfaces as a group to which users are assigned. You can then assign portal roles to this "group."
See the picture in this document:
http://help.sap.com/saphelp_nw04s/helpdata/en/ed/18cc38e6df4741a264bddcd4f98ae2/frameset.htm
-Michael -
GRC - Role Expert v5.2: how does the Transaction Usage functionality work
Hi All,
re: GRC - Role Expert v5.2: how does the Transaction Usage functionality work
We are implementing GRC suite v5.2, but specifically my question is regarding Role Expert:
SAP documentation states that it is possible to use Role Expert to do the following: for roles allows you to see if, or how much, a transaction is being used, when it was last used, and who used it.
My question is how without Audit Log or RBE?
Let me know if you have ever used this functionality and if it requires the SAP Back-End Audit Log to be turned on or RBE.
Thanks in advance!Hi Gary,
You dont need a RBE tool activation to get the successful transaction usage log with Role Expert.
Role Expert functionality allows you to log all the transactions that have been added/deleted to the role that is changed. Also when you create a new role via the Role Expert then automatically the transaction log starts.
If you go the "History" tab in the Role Expert, then you can find all the last changes made to the role.
Also you can go to the "Risk Analysis" tab to find the log of Risk Analysis performed with the added tcodes.
Hope this helps.
Thanks,
Kiran Kandepalli. -
How to search roles by Query in SAP BW?
how to search roles by Query in SAP BW?
Use SUIM with option roles with Auth object and put S_RS_COMP or S_RS_COMP1 here u can put the query for which u want role.
-
SAP WM-RF 'Serial Number' Transaction LM80 - How does it work?
Hi gurus
We are looking at using the standard SAP RF transaction 'LM80' - 'Serial number capture'
Does anyone have any experience with this transaction? How does it work and what is the process flow?
Cheers
EddyHi
Please advise if this is the process others are using for LM80:
1. Create STO or Sales Order
2. Create Delivery
3. Create Warehouse Transfer Order
4. Pick/Confirm Warehouse Transfer Order
5. Scan serial numbers to completely picked delivery via LM80
6. Post Goods Issue
My question is: is there a way to 'pick' via serial numbers? The process would then be that you scan in serial numbers during picking
kind regards
Ed -
How does Merged Dimensions Work in WebI created on SAP BI Queries
Hi,
I need to know how does Merge dimensions work in WebI when using SAP BI Query as source?
Below is my understanding when connection is defined for the universe on oracle database:
1) To get the data in merged dimensions, there must be physical join (Either Direct or vai some other tables) between different tables at backend level (This means there must be join between tables in Oracle database.)
2) we get the UNION of data when dimensions are merged at webI level.
I dont know how this works in SAP BI.
Since there is different data model defined for different BI Queries in SAP , and for each BI Query and there is seperate Universe, So how can you get correct data in WebI when there is no connections in DSO's used in different BI queries?
Can any one suggest me the way data apperas in merged dimensions for WebI created on SAP BI?I assume we are only talking about merging dimensions in Web Intelligence here and not on the BW backend. this is a client side mere where you have 2 resultsets.
if you want to do this on the BI server side it would be a multi-provider combining different InfoProviders - or a InfoSet - depending on the join type you need. MultiProvider is a union, Infoset allows you to choose
Ingo -
SAP CRM Interactive reporting Enhancement Workbench - How does it work?
Hi Everyone,
I am trying to enhance the SAP given reporting areas in CRM Interactive Reporting tool. I have the SAP documentation, I know I have to use transaction code CRMD_IREW; but I am not sure of the rest of the steps SAP has given.
Does anyone has any experience with this; can anyone share their thoughts and possible configuration steps and if possible please give a brief overview of how the fields get added to the reporting area, do they get added to the datasources first and then we need to manually add them to the virtual cubes and also in BEx query and then it gets reflected in Reporting area or how does it work?
Any inputs will be greatly appreciated!
Thanks & Regards,
SRVHi,
In general, we add enhanced field to extract structure by appending method.
later we can implement logic at COMD or by using BADI to fill the data for added field.
do test run at RSA3 and replicate into bw side.
About CMOD Logic, WIth help abap epxert you need to find relation between data source base tables and added field base table. then only we can fill data to into it.
Can we know what is your data source?
Which field you want add from which table?
Thanks -
Role of Solution Manager in SAP Security.
Hi
Can anyone help me to understant the role of SAP Solution Manager in SAP Security. Link to any relevant document is appreciated.
Thanks you all.Hi,
First understand and decide what each consultant is going to do in the system. Like Technical Consultant will take care of Installation, Setting Up Landscape, Setting up TMS etc.
Project Manager will create projects, Handle roadmaps etc.
Segregating this way will help you defining the Roles in the system. I would also suggest you to have authorization Matrix in a Spreadsheet.
The authorization can also be categorized based on Operational processing.
Check this link.
http://help.sap.com/saphelp_sm40/helpdata/en/24/c7baad86044eacb7203cdd341211a9/content.htm
For authorization in Servicedesk.
Check page 35 in this link.
https://websmp207.sap-ag.de/~sapidb/011000358700001197002005E/Addtional_Information.pdf
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
Rewads point if help ful
Thanks
Pankaj Kumar
Maybe you are looking for
-
This does not happen in other browsers and it happens on a variety of computers I have access to and would seem to be a common problem but I can find no identical cases in my searches of Firefox , Facebook or windows help or Google search. My home ma
-
Stanza and my videos no longer work after upgrade to iOS5?
I upgraded to iOS5 on my 3GS. Problem 1:Now Stanza just hangs and I get a null error. The books are also gone from iBooks (They both had the same titles - I use Stanza to read at night because of the night view option.) I imagine this has something t
-
Hi friends, How can I freeze header in a table? If not possible with a table, can I use any other web bean in OAF. Or can I use CSS or javascript or extending a TableBean. Need a solution as soon as possible. Thanks, Amar.
-
Arrow Keys Won't Work on Many Websites
On many game sites, the arrow keys won't work at all, so I'm not able to play. The hardware is fine, they work fine in email and Word, just not on the game sites. Do I have a setting wrong? I've checked everything (I think....) Thanks!!!
-
So I've had my ipod for about 9months now, 3months ago the screen started to crash every now and then, I didn't think much of until now! my screen has changed colour! It hasn't been dropped, nothings spilt on it at all! I bought a case for it the sam