Redesign Security

Hi,
I am working on a project plan to redesign R/3 security for my company. We have SAP implemented globally. Currently security is a mess and they are using a piece-by-piece methodology. I am suggesting that they use the role-based security concept. Can someone guide me to documentation that would show me how other companies have implemented security within their organizations, or what the SAP best practice is when it comes to implementing SAP security? Any kind of information regarding a project plan will also be helpful. Thanks in advance

Hi
You should try to have a look at this book from SAP Press:
<a href="http://www.sap-press.com/product.cfm?account=&product=H963">SAP Authorization System</a>
Please note that the described methodology isn't the only one.
In a landscape where you're already running SAP, it will also be a good idea to activate the Security Audit Log (over a short period of time, and preferably over a month end) to record all users and which transactions they call, and thereby obtain some data about which transactions they are actually using. You can use this, combined with the methodology described, to do some reverse engineering as well.
Regards
Morten Nielsen
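The reverse-engineering step in the reply above, as an added example that is not part of the original thread and not SAP's own tooling. It assumes the audit log has already been reduced to (user, transaction code) pairs; the log records, user names and the small SoD rule set are constructed for illustration. Users who ran an identical set of transactions are grouped into one candidate single role, users that fit no group are listed for a closer look, and users whose observed usage already spans a conflicting pair are flagged so the conflict is designed out rather than copied into the new roles.

```python
import collections

# Constructed sample in the shape of a Security Audit Log (SM20) export
# reduced to (user, transaction code) pairs. Not real log data.
SAMPLE_LOG = [
    ("JSMITH", "ME21N"), ("JSMITH", "ME22N"), ("JSMITH", "ME23N"),
    ("AKHAN", "ME21N"), ("AKHAN", "ME22N"), ("AKHAN", "ME23N"),
    ("AKHAN", "ME21N"),                      # repeats are normal; only the set matters
    ("BLEE", "FB60"), ("BLEE", "FB03"), ("BLEE", "F110"),
    ("CWU", "FB60"), ("CWU", "FB03"), ("CWU", "F110"),
    ("DADMIN", "SU01"), ("DADMIN", "PFCG"), ("DADMIN", "SM20"),
    ("EJONES", "ME21N"), ("EJONES", "FB60"),
]

# Constructed SoD rule set for illustration only: transaction pairs that should
# not sit with one user. A real rule set comes from the audit / GRC team.
SOD_CONFLICTS = {
    frozenset({"ME21N", "FB60"}),   # create purchase order + post vendor invoice
    frozenset({"SU01", "PFCG"}),    # user administration + role administration
}


def tcodes_per_user(records):
    """Collapse the log to the set of transactions each user actually ran."""
    usage = collections.defaultdict(set)
    for user, tcode in records:
        usage[user].add(tcode)
    return dict(usage)


def candidate_roles(usage, min_users=2):
    """Group users whose transaction sets are identical. Each group with at least
    min_users members is a candidate for one single role; its transaction set is
    the starting point for the role menu and the SU24 proposals."""
    groups = collections.defaultdict(list)
    for user, tcodes in usage.items():
        groups[frozenset(tcodes)].append(user)
    return {tc: sorted(users) for tc, users in groups.items() if len(users) >= min_users}


def outliers(usage, roles):
    """Users covered by no candidate role. They need a closer look: a composite
    or derived role, or a user who accumulated access piece by piece."""
    covered = {u for users in roles.values() for u in users}
    return sorted(u for u in usage if u not in covered)


def sod_violations(usage, conflicts=SOD_CONFLICTS):
    """Flag users whose observed usage already spans a conflicting pair."""
    hits = {}
    for user, tcodes in usage.items():
        found = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= tcodes)
        if found:
            hits[user] = found
    return hits


if __name__ == "__main__":
    usage = tcodes_per_user(SAMPLE_LOG)
    roles = candidate_roles(usage)
    for tcodes, users in roles.items():
        print("candidate role", sorted(tcodes), "->", users)
    print("outliers:", outliers(usage, roles))
    print("SoD hits:", sod_violations(usage))
```

Exact-match grouping is deliberately strict: it produces clean candidate roles and pushes every irregular user into the outlier list, which is where the manual design work belongs. Run it over a month-end window as the reply suggests, or period-end transactions will be missing from the sets.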

Similar Messages

  • With Firefox 4.0 I cannot find a lock icon designating a secure site even though it is indicated by "https". Is this an omission or do I need to turn on the feature?

    The redesign of the browser for Firefox 4.0 seems to be missing the display of the lock icon that I am accustomed to looking for when seeking assurance that the site I am visiting is using Secure Socket Layer protection for my personal information. I can see the "https" designation in the address line but miss the added confirmation provided by the lock icon. I am running Windows XP Pro SP3 and using Classic views instead of the standard XP theme - could this have something to do with it, or do I need to turn on an option to have the lock shown?

    The padlock has been replaced by the site identity button, for details on using it see https://support.mozilla.com/kb/Site+Identity+Button

  • Security for Military Data --- our Options -- Share your experiences

    Hi,
    We want to secure military-specific data in SAP.
    We also want to comply with ITAR requirements.
    One option is to create roles and profiles and then assign them to users who can view that data. In this approach the biggest problem is the overhead of maintaining hundreds of profiles and roles. Our company does not have sufficient funds or team to do that.
    The second option was to use development, and here is how we envisioned it.
    Maintain an indicator for foreign nationals in HR and also maintain an indicator for military personnel in HR. (We are already doing that, for some other business process.) So this table will tell us if an employee is a foreign national or military personnel.
    If military person.
      give access for military-specific data.
    else.
      error message.
    endif.
    similarly
    if foreign national.
      give error message.
    else.
      let him view data.
    endif.
    Now we are not sure if SAP has a common routine for authorizations which we can change to add these conditions. (We will do a core mod by getting an access key.)
    If we follow this approach, will we have to modify a single routine (for all SAP modules) for all master and transaction data transactions, or will it be multiple routines which we will have to modify?
    We also need to cover authorization for table maintenance, transaction codes, org structure level, etc.
    Can you please provide your inputs/point of view on this.
    Will appreciate it if you can share any other option.
    Thanks in advance.

    Agreed with Wolfgang: roles and profiles are better in the long run than a system mod.
    There are ways to redesign roles to make them manageable. Example: derived roles.
    If you already maintain the users through HR, you can assign roles in R/3 to Job, Position, Work Center, etc. That is another idea to help you automate role assignment.
    Regards,

  • How does my role as a SAP SECURITY ADMIN differ from upgrade and implementation

    hi Gurus ,
    I am new to this security area and I just want to know how my role as a security admin differs in an implementation project and in an upgrade project. Please answer this. And can I get any document about the tables and the objects related to security? Any links or docs you can mail me at [email protected]
    thank you

    A few inputs from my end...
    Implementation --> starting from role naming conventions to role design, SoD conflicts, master/child relations and documentation.
    Upgrade --> If from 4.0 versions to higher versions, then it's something similar, where we convert profiles to roles and then redesign them for SoD conflicts.
    But in the case of higher upgrades, the Java component access and the segregation of duties for these components have to be considered as well...
    Hope it helps...
    Vbr,
    Sri
    Award points for helpful answers

  • The "verisign" logo for secured sites is missing from the status/addon bar. How can I get it back?

    Whenever I used to sign in to eBay, the "verisign" logo would show red/unsecured. A refresh of the page would reload with a secure setting.
    I can no longer see the logo anywhere, but I refresh out of habit anyway, hoping it is then secure on the next load.
    If the logo showed for any other sites/pages I wouldn't know.
    Is there a way to get it back so I feel safer?

    Firefox has a built-in security indicator, but it has changed. The status bar was redesigned out of Firefox, so now you use the area to the left of the address (green, blue, or plain) to check whether the site is secure.
    [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button Site Identity Button | How to | Firefox Help]
    Other discussions about this change mention an add-on you can use if you really prefer seeing a lock: [http://support.mozilla.com/en-US/questions/796225 firefox 4 where is the padlock bottom right corner | Firefox Support Forum | Firefox Help].
    If you were using an add-on from Verisign, its icon might be on the Add-ons toolbar. You can turn that on using:
    View menu > Toolbars > Add-ons Toolbar
    If you have the orange Firefox button, tap the Alt key to temporarily display the classic menu bar.
    Does that fix it?

  • Small network redesign help

    Hello,
    I work in a small company that has about 75 clients and about 10 servers, and I have a refurbished 4948 that's not set up yet. Currently on the live network are an ASA 5510, an SG300, a VoIP system, and an old 2960 that's currently my core switch (the 4948 will replace this), and I'm planning on redesigning our flat network.
    We've always had a single collision domain on VLAN 1, which I read is not recommended for security, and I was wondering if it's worth the headaches of setting up VLANs on this small network (I'm no Cisco veteran, I just learned hands-on reading forums and guides). So my plan is to finally set up a DMZ on the firewall, and I'm reading a bit more before I get into that, and put the servers in a VLAN on that DMZ. I read that the 4948 can do routing, so I can probably set up inter-VLAN routing on it if needed. Here's a diagram of my planned network; if you guys can give me some guidance on the best way to redesign it, I'd totally appreciate it. Thanks in advance.

    Why do you want the servers in a DMZ? Are they going to be accessed from the internet?
    I would definitely recommend putting the servers on the 4948 switch, as it has much better performance than the 2960. And as you say it can route as well, so perhaps it might be an idea to replace the 2960 with the 4948, and then if you do need a DMZ use the 2960 as the DMZ switch.
    Ideally you do not want your DMZ switch to have any internal LAN clients on it, but that may not be possible as you may not have enough ports. But you definitely do not want your DMZ switch to be routing; that should be left to the firewall.
    In terms of using VLANs, the answer is it depends. With the number of devices you have it may not be worth doing unless you are experiencing issues at the moment. It is always a good idea to have the servers on a separate VLAN, because if they are in the same VLAN a faulty NIC in a client could bring down the servers as well, but that said, in your setup all the clients would be in the same VLAN anyway. And generally people start to consider using VLANs when the IP subnet gets to be bigger than a /24, which you are nowhere near.
    I presume at the moment you route off the firewall, i.e. the inside interface of the firewall is the default gateway for the clients and servers? If you stay with one VLAN there is no benefit to routing on the 4948; you may as well just use it as a higher-performance switch for the servers/clients.
    I can't see a need for VLANs here unless you are experiencing performance issues, but the 4948 could well sort that out for you.
    Perhaps you could clarify the bit about the servers and the DMZ and maybe go a bit more into what you want?
    Jon

  • Setting up Security in Universe

    Hi
    I am quite new to SAP BusinessObjects and am having trouble with setting up security in a Universe.
    I want to create a restriction on the dimension 'Country'.
    For example, if Person X belongs to 'USA', he should see only the value 'USA' in the Country dimension,
    and if Person Y belongs to 'FRANCE' he should see only the value 'FRANCE'.
    This is because there will be only one Revenue Report (Web Intelligence), and based on security the designated person will be able to see the report for the country to which he belongs.
    Similarly, someone at management level will be able to see all countries.
    Note that the Country dimension will be in the filter part of the Web Intelligence report.
    I have done the following settings and am not able to get the desired results.
    1. Created a restriction USA in the Universe
    2. In the Rows tab, added a where clause TableName.Country = 'USA'
    3. Mapped the user X (AD user added in CMC) to the restriction USA.
    The user still sees all the countries in the WebI report.
    Any help will be appreciated.

    > Srikanth G N wrote:
    > Simon, Thanks for your input. I am not clear on how to handle security at datamart level.
    > For e.g. should we have another table where you map users to countries?
    > If that's the case, I am more inclined towards having security at universe level, as it makes it simpler for me.
    Hi Vikas, it really depends on how your organizational hierarchy is set up. If country is part of the organizational hierarchy, you can add it to your security table instead of adding another table. In our case, we have 3000+ stores that are divided up under this hierarchy: division, region, district, store. Different countries are differentiated by different divisions. Each user in the security table has an org type to tell me whether he or she is at the store level or at the district level and so on. Each user also has an org name that tells me his or her store number or district number and so on.
    I've found it very easy to maintain because I can run SQL queries instead of doing it in dialog boxes. It also means that I can set things up programmatically, something you cannot do in the Designer without using the SDK. And with 20,000+ users, you want to do it programmatically. But of course, it works only if you have a well-defined organizational hierarchy.
    Just to throw another wrinkle into this issue: SAP is completely redesigning the semantic layer in XI 4.0. All the previous universe designer functions will be in a new tool called Information Design Tool. Whether they will continue to support row-level security is up in the air. They may or they may not, as we don't know at this time. Even if they do, how much of the old set-up will migrate smoothly to the new architecture is yet another unknown. Therefore, in my humble opinion, if it is not something that has already been built previously, I would try to make the universe as "migrate-friendly" as possible. But of course, you and your management have to make that call.
    Hope this helps.
    If you are using the BusinessObjects tool, you should join [ASUG|www.asug.com]
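The datamart-level approach the reply describes, as an added example that is not part of the thread and not the poster's schema: a security table with one row per user (org type = hierarchy level, org name = node), joined to the fact table so the filter fails closed for anyone without a row. Table and column names, the 'ALL' convention for management users and the sample rows are all constructed; SQLite is used so it runs offline. In a universe the bound parameter would be @Variable('BOUSER'), the logged-in user's name.

```python
import sqlite3

# Constructed tables, hypothetical names: a revenue fact table keyed by the
# organisational hierarchy and the security table the answer describes, with
# one row per user giving the level (org type) and node (org name) the user may
# see. 'ALL' is a constructed convention for management users.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE revenue(
            division TEXT, region TEXT, district TEXT, store TEXT, amount INTEGER);
        CREATE TABLE user_security(
            user_id TEXT PRIMARY KEY, org_type TEXT NOT NULL, org_name TEXT);
        INSERT INTO revenue VALUES
            ('USA',    'EAST', 'D01', 'S100', 10),
            ('USA',    'EAST', 'D01', 'S101', 20),
            ('USA',    'WEST', 'D02', 'S200', 30),
            ('FRANCE', 'NORD', 'D03', 'S300', 40);
        INSERT INTO user_security VALUES
            ('x',   'DIVISION', 'USA'),
            ('y',   'DIVISION', 'FRANCE'),
            ('z',   'DISTRICT', 'D01'),
            ('mgr', 'ALL',      NULL);
    """)
    return db


# The row-level filter lives in SQL, so it applies to every report built on
# this query. The user's own security row decides which hierarchy column is
# compared; no per-user restriction objects are needed in the universe.
VISIBLE_REVENUE_SQL = """
    SELECT r.division, r.store, r.amount
    FROM revenue r
    JOIN user_security s ON s.user_id = ?
    WHERE s.org_type = 'ALL'
       OR (s.org_type = 'DIVISION' AND r.division = s.org_name)
       OR (s.org_type = 'REGION'   AND r.region   = s.org_name)
       OR (s.org_type = 'DISTRICT' AND r.district = s.org_name)
       OR (s.org_type = 'STORE'    AND r.store    = s.org_name)
    ORDER BY r.store
"""


def visible_revenue(db, user_id):
    """Rows user_id may see. A user with no security row matches nothing in the
    JOIN and therefore sees nothing: the filter fails closed."""
    return db.execute(VISIBLE_REVENUE_SQL, (user_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for user in ("x", "y", "z", "mgr", "nobody"):
        print(user, "->", visible_revenue(db, user))
```

Because the join is on the user's identity rather than on a hard-coded country, adding a user or moving one between countries is a row change in user_security, which is the "run a SQL query instead of dialog boxes" point the reply makes.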

  • Forms login security

    Hi Friends,
    How do I make our 3rd-party application's Forms login more secure?
    Currently, the application uses a primitive database authentication method
    by providing the username and password of the database in clear text inside
    a .ini file. Changing the database user and password will be useless due to
    the password being exposed literally. Users of the application are registered in a table in the database with the password of the user exposed in clear text. An administrator or anybody with database access will be able to see a user's password in clear text, thus user authentication is compromised.
    Can I change the username to point to the database username and not a table?
    Can I encrypt the password table entry itself?
    Can I encrypt the .ini file so as not to show literal passwords?
    Can I use the form to get the userid/password from an LDAP Active Directory server?
    Please help ....thanks a lot

    Are you sure that this is a Forms application and not a Java program?
    It seems that a Java programmer tried some Forms development :p
    The application may need some redesign.
    My suggestion:
    - the schema owner (database user holding the table objects) creates database
    roles implementing reader roles, insert roles, update roles and so on
    - each user will be created as a database user
    - grant the required role(s) to the user, but don't set those roles as default roles
    (ALTER USER xy DEFAULT ROLE CONNECT, ...;)
    - rebuild the login procedure, authenticating now against the database account
    and not against the password in the application user table
    - let the user password expire while using the existing user table (implement a password expiration date) or use the database account for that
    - after successful login issue DBMS_SESSION.SET_ROLE(...); for each
    role of the user; the created session now has the roles enabled
    - database roles should be password protected...
    If this is too much effort, it is possible to encrypt the table entries using Oracle's obfuscation packages (depends on RDBMS version).
    If you are using Oracle Forms > 6i:
    In addition to all of the above, it is possible at least to authenticate against the Oracle Portal (not sure if this works against a different OID)...
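The "encrypt the table entries" fallback above, as an added example that is not from the thread and not Oracle's packages: in Python, the clear-text check the question describes next to the usual alternative for a credential the application only ever needs to verify. A salted PBKDF2 hash replaces the stored password, so a reader of the table (or of a backup) gets nothing they can log in with, and a constant-time compare plus a dummy hash for unknown users keeps the login path from leaking which side failed. Users, passwords and record layout are constructed.

```python
import hashlib
import hmac
import os

# --- the 'before': constructed copy of a user table with clear-text passwords ---
CLEAR_TEXT_USERS = {"alice": "Winter2024"}


def login_clear_text(user, password):
    """The pattern the question describes: anyone who can read the table reads
    every password. Kept only to show what the hardened version replaces."""
    return CLEAR_TEXT_USERS.get(user) == password


# --- the 'after': salted, iterated hash; the table no longer holds a secret ---
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor; raise over time


def make_record(password):
    """Build the stored record: per-user random salt, hash, and the iteration
    count, so old records can be re-hashed when ITERATIONS is raised."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record, password):
    """Recompute with the record's own salt and iterations; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


HASHED_USERS = {"alice": make_record("Winter2024")}        # constructed table
DUMMY_RECORD = make_record("not-a-real-password")           # for unknown users


def login_hashed(user, password):
    """Verify against the hashed table. An unknown user still costs one KDF run,
    so timing does not reveal whether the account exists."""
    record = HASHED_USERS.get(user)
    if record is None:
        verify(DUMMY_RECORD, password)
        return False
    return verify(record, password)


if __name__ == "__main__":
    print("clear text :", login_clear_text("alice", "Winter2024"))
    print("hashed ok  :", login_hashed("alice", "Winter2024"))
    print("hashed bad :", login_hashed("alice", "winter2024"))
    print("stored row :", HASHED_USERS["alice"])
```

This covers only the application user table; the database credential in the .ini file is a different problem (it needs to be removed from the file, not hashed, since the application must present it), which is why the reply steers toward per-user database accounts.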

  • Sample Unit Tests on Role Redesign

    Hi All,
    I'm working on a project in which we have undertaken the responsibility of creating a new set of roles, and the new roles are built.
    Now, the client is asking for unit tests.
    Can someone please provide me with some "sample unit tests" for this Role Redesign.
    Regards,
    Preethi

    Hi,
    Speak to the test team on your project, they will have templates, methods etc.
    Basic steps are:
    1. Log in with the appropriate user & role.
    2. Run the transaction to completion. If there are errors, capture the input data, actions and corresponding error messages (texts, SU53s, etc.).
    3. Fix & retest if required, including SU24 changes, etc.
    Your security team will be able to help with any of the above that is new to you.

  • DFS redesign ideas?

    Hi,
    Basically I am looking for a few ideas on how to redesign our file servers.
    We have multiple physical file servers and a few virtual servers, and what is replicated and what is not is quite confusing. Total storage size is around 6TB, made up of home directories and shared resources - no particularly special file types etc. Using DFS with home directories however does mean that I need to essentially have only a single point of reference to be supported by Microsoft, as per:
    http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx
    What I am thinking about doing is consolidating everything onto 4 servers.
    We have a large single site with a few remote sites. The remote sites have had their links upgraded to 1Gb, and we have been removing our server infrastructure from these areas due to not having environmental/physical space/security in place.
    On our main site we have two separate buildings which each contain a SAN (not linked to each other).
    Microsoft's guides show concepts of using a DFS failover cluster in a main site with replication to a single server at a remote site.
    I could do this model but just in one site, but due to the fact that I have two equally sized SANs on the main site, the issue with this is that I would like to spread the load to both SANs. Therefore if I have anything running on the single server as primary I am creating an SPOF.
    What I am thinking of doing is creating 2 x 2-node DFS failover clusters (one in each building, connected to that building's SAN).
    This means:
    I can load balance the primary DFS shares at the cluster level (SANs)
    Rapid failover can occur if needed between individual nodes within a cluster
    The single point of failure (storage) in just using a single DFS cluster is eliminated
    However I am not sure if this is supported or recommended?

    Not sure if I'm misunderstanding things here, but the way I see it you have three levels at which you need to provide redundancy:
    DFS Namespace servers - I would suggest you host these on the domain controllers that you already have; the actual file load will be minimal and they will provide adequate failover. It also has the benefit of keeping your namespaces all under the same parent domain: \\domainname\share\foldertarget
    DFS Folder Targets - These point to shares on your actual file servers that do the heavy lifting, one copy of each share per SAN with DFS replication to keep them in sync.
    The actual file servers - A standard cluster running a clustered file service role.
    This way you have each SAN serving files via a 2-node file cluster (active/passive).
    Each file cluster is replicating across to the other via DFS replication (active/active).
    Let your domain controllers handle the actual exposing of DFS shares (active/active).
    The only issue will be keeping on top of DFS replication between your two file server clusters, to make sure users in the same building do not see different files depending on which file server cluster they are currently using.
    Hope this helps.

  • Excel to CI for Security

    I frequently use Component Interface USER_PROFILE to add roles to user profiles.
    There have been several occasions where I needed to delete roles from several user profiles because of a security redesign project.
    Has anyone discovered or developed a CI that will delete a specified role from a specified user profile without deleting the actual role definition?
    A solution would be greatly appreciated.
    Thanks

    I used to do this using a backend delete statement :D
    There are only a few tables related to user profiles:
    PSOPRDEFN
    PSOPRALIAS
    PSROLEUSER
    PSUSERATTR
    PSUSEREMAIL
    PSUSERPRSNLOPTN
    PS_ROLEXLATOPR
    PS_ROLEXLATOPR_LNG
    PS_RTE_CNTL_RUSER
    Out of these, I remember deleting rows from PSROLEUSER for sure. That's the table which stores the OPRID-ROLENAME mapping.
    The other candidate is PS_ROLEXLATOPR; just check that one out to see if it stores the role name.
    DELETE FROM PSROLEUSER WHERE ROLEUSER = 'TONY' AND ROLENAME = 'XXXX'
    should do the trick.
    PS: Please be careful, you are playing with metadata which should never ever be touched unless you are very, very sure of what you are doing. Take backups of tables and test in sandbox environments 100 times before you consider running these in production.
    I can just say that it worked for me flawlessly :D.
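The backup-and-delete caveat at the end of that reply, as an added example that is not from the thread and not PeopleSoft code: the role removal wrapped so the affected rows are copied to a backup table first, the delete runs in the same transaction, and the whole thing rolls back unless exactly one row per named user was removed (a user who never had the role, or a mistyped role name, stops the run instead of half-applying it). The PSROLEUSER copy is a constructed, simplified SQLite table with only the two columns the reply names, so it runs offline.

```python
import sqlite3

# Constructed, simplified copy of the PeopleSoft PSROLEUSER table (operator to
# role mapping) with sample rows. Column set reduced to the two columns named
# in the answer; not real PeopleTools metadata.
def build_db():
    db = sqlite3.connect(":memory:", isolation_level=None)   # explicit BEGIN/COMMIT
    db.executescript("""
        CREATE TABLE PSROLEUSER(
            ROLEUSER TEXT NOT NULL, ROLENAME TEXT NOT NULL,
            PRIMARY KEY (ROLEUSER, ROLENAME));
        INSERT INTO PSROLEUSER VALUES
            ('TONY', 'OLD_ROLE'), ('TONY', 'PeopleSoft User'),
            ('MARY', 'OLD_ROLE'), ('MARY', 'OTHER_ROLE');
    """)
    return db


def remove_role(db, users, rolename):
    """Remove rolename from every user in users. The affected rows go to a
    backup table first, the delete runs in the same transaction, and the commit
    happens only if exactly one row per user was removed; any mismatch rolls
    everything back rather than leaving a partially applied change."""
    placeholders = ",".join("?" * len(users))
    where = f"ROLENAME = ? AND ROLEUSER IN ({placeholders})"
    params = [rolename, *users]
    db.execute("BEGIN")
    try:
        db.execute("CREATE TABLE IF NOT EXISTS PSROLEUSER_BKP AS "
                   "SELECT * FROM PSROLEUSER WHERE 0")
        db.execute(f"INSERT INTO PSROLEUSER_BKP SELECT * FROM PSROLEUSER WHERE {where}",
                   params)
        deleted = db.execute(f"DELETE FROM PSROLEUSER WHERE {where}", params).rowcount
        if deleted != len(users):
            raise RuntimeError(
                f"expected to remove {len(users)} assignments of {rolename}, matched {deleted}")
        db.execute("COMMIT")
        return deleted
    except Exception:
        db.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = build_db()
    print("removed:", remove_role(db, ["TONY", "MARY"], "OLD_ROLE"))
    print("left   :", db.execute("SELECT * FROM PSROLEUSER ORDER BY 1, 2").fetchall())
    print("backup :", db.execute("SELECT * FROM PSROLEUSER_BKP").fetchall())
```

The count check is the part worth keeping whatever database you run this against: a delete that quietly matches zero rows, or more rows than intended, is exactly the metadata mistake the reply warns about.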

  • What is going on with the explosion of versions and redesigns?

    Why is FF now coming out with new versions monthly and massive redesigns god knows how often? A version used to last a year or two, and now it's a month at most if I'm not mistaken. Maybe no one's noticed, but that's not how other software works. Seems to me like something with so many problems shouldn't be released in the first place.

    Note that another popular browser like Google Chrome behaves in the same way and even needs an update if one of its built-in plugins like Flash needs an update.
    Firefox easily allows you to set a lot of options, including the update behavior, but in other programs this can be a fixed setting that is not easy to modify, or you may not even notice it like you do in Firefox.
    Having an up-to-date browser that has all the security patches for exposed security flaws is important to minimize the security risks.
    Big appearance changes like the recent Australis appearance do not happen that often, but this redesign hasn't finished yet and you will notice more changes in upcoming Firefox releases.

  • Social Security Number Field Qs.

    I generally work more on the graphics/layout end of Adobe products, primarily with Photoshop and InDesign... But my boss decided I need to redo all our old forms by redesigning them in Adobe LiveCycle 7.1. I have a field where the end user will be required to input a Social Security Number. Our end users are... not tech savvy, to say the least, and because the old forms already have the dashes that go between the numbers (999-99-9999) before the end user clicks into the field, they have to remain like that on the new forms I am creating.
    In the "Value" tab in the "Object" palette, I am able to enter a Default Value, but when I preview the form and attempt to enter data, the default text (blank spaces and dashes) does not disappear. Is there a way to make this work without scripting? I know nothing about scripting, so I don't know the first place to start to even attempt to write one. If scripting is the only way, does anyone have a script you can post to me, or a URL I can go to, to read up on HOW to do it?
    Any help is greatly appreciated. Thanks in advance!!
    ~Nicholaii

    I'm sorry I've taken so long to reply!
    In LiveCycle Designer 7, in the Library, under the Custom tab, there is a SSN element that is pre-formatted.  The problem is, the people I am designing the form for, want the dashes to be in the box before the end user selects the box to type the SSN in.  Once the box is selected, the dashes should remain, and the end user will type in the SSN and the cursor will simply skip over the dashes to continue filling the field.
    I'm attaching what I have... I'm starting to think they just won't get what they're asking for.

  • With the new upgrade we have lost the secure payment lock

    We have lost the secure payment icon at the bottom left of the screen. It was working until we uploaded the latest version of Mozilla

    The whole status bar was redesigned, so now you use the area to the left of the address (green, blue, or plain) to check whether the site is secure.
    [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button Site Identity Button | How to | Firefox Help]
    Other discussions about this change mention an add-on you can use if you really prefer seeing a lock:
    [http://support.mozilla.com/en-US/questions/796225 firefox 4 where is the padlock bottom right corner | Firefox Support Forum | Firefox Help]

  • ACL or Accounts-Security

    Hi Experts,
    Is there any advantage of using accounts over ACLs. Using either of these, the security requirements of the client can be achieved. However if I use accounts , a large number of WLS groups are required. Which one would be better choice?
    Regards,
    Rekha

    Yes, the main advantages are performance and usability.
    With ACLs each document can have different security settings.
    As for performance, if you enter a query like "what documents can a user read?" it requires checking all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to a relational database, so even though the queries require a few OUTER JOINs, in the end they are much faster.
    As for usability, imagine a scenario like "I want to replace a person X with a person Y": with accounts you do it in one place; with ACLs I do not know (not sure if there is anything like a "mass ACL update" available).
    Note that "a large number of WLS groups" should ideally be auto-generated, in cooperation with an IDM solution.
    In general, I'd recommend ACLs only for very specific situations, namely if security settings change during an item's lifetime (in 10g, they were a part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups, or to be precise, you cannot do it easily).
    I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might have become obsolete.
