Risk Issues with IDOCs in Support Roles

I am managing a security architecture project and need to create some IT support roles. 
Are there any IDOC-related transactions that can create, change or modify data? If so they would be inappropriate for any IT access.

I can recommend forgetting about S_TCODE when it gets to IDOCS.
Several S_IDOC* authorization objects even have TCD (transaction code) as a field, in an attempt to create a second level of security control. This looks good on a PowerPoint presentation, but is unrealistic "in the wild".
You can gain a quick start by first reading the documentation on the S_IDOC* objects in tcode SU21, then read the ALE and RFC Security Guides on service.sap.com and then (important) talk to the people who actually use these transactions about their business processes.
Changing IDOCS is very often a symptom of bad master data quality or the sequence of some process flows.
You cannot tackle this without an understanding of the business processes which you might disrupt, but can add a lot of value by isolating the authorizations for it (the S_IDOC objects have many fields... and S_IDOCMONI is the one you should try to understand most) and then looking into the processes.
When you get that far, then you will also want to look into the development systems for the distribution of the ALE models via RFC instead of transporting them. This is a bigger can of worms than changing an IDOC...
Unfortunately some audit recommendations "blacklist" the ability to receive an IDOC. In my books this is silly, because batch processing anyway does what it is told. Other scenarios make it useful to be able to receive messages via IDOC for what happened on the other side.
The weapon of choice here is to understand the interfaces and use SU24 to document them to create secure roles for them or upgrade to newer technologies where these are supported.
My 2 cents,
Julius
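
An added example, not part of the reply above and not SAP-delivered code: one way to isolate the S_IDOC* authorizations in support roles is to review the role values themselves rather than S_TCODE. It assumes a CSV export in the column layout of table AGR_1251; the rows and role names are constructed, and any ACTVT other than 03 is treated as more than display.

```python
import csv
import io

# Constructed sample laid out like table AGR_1251 (role authorization values).
# Role names and authorization names are hypothetical.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_IT_SUPPORT_L1,S_IDOCMONI,T_X00001,ACTVT,03,
Z_IT_SUPPORT_L1,S_IDOCMONI,T_X00001,EDI_MES,*,
Z_IT_SUPPORT_L2,S_IDOCMONI,T_X00002,ACTVT,02,
Z_IT_SUPPORT_L2,S_IDOCMONI,T_X00002,EDI_MES,ORDERS,
Z_IT_SUPPORT_L2,S_IDOCMONI,T_X00002,EDI_TCD,WE19,
Z_IT_BASIS,S_IDOCDEFT,T_X00003,ACTVT,01,03
Z_IT_BASIS,S_IDOCMONI,T_X00004,ACTVT,*,
Z_IT_BASIS,S_TCODE,T_X00005,TCD,WE02,
"""

DISPLAY = "03"  # standard ACTVT value for display


def grants_more_than_display(low, high):
    """True if an ACTVT value or range allows anything besides display."""
    low, high = low.strip(), high.strip()
    if "*" in low:
        return True
    if high:
        return not (low == DISPLAY and high == DISPLAY)
    return low != DISPLAY


def find_idoc_change_access(export_text):
    """Return (role, object, activities, scope) per risky S_IDOC* authorization."""
    instances = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["OBJECT"].startswith("S_IDOC"):
            continue  # S_TCODE and everything else is deliberately ignored
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        instances.setdefault(key, {}).setdefault(row["FIELD"], []).append(
            (row["LOW"], row["HIGH"]))

    findings = []
    for (role, obj, _auth), fields in sorted(instances.items()):
        risky = [lo + ("-" + hi if hi else "")
                 for lo, hi in fields.get("ACTVT", [])
                 if grants_more_than_display(lo, hi)]
        if risky:
            # Remaining fields (message type, partner, tcode) show the scope
            scope = {f: [lo for lo, _ in vals]
                     for f, vals in fields.items() if f != "ACTVT"}
            findings.append((role, obj, ",".join(risky), scope))
    return findings


if __name__ == "__main__":
    for role, obj, actvt, scope in find_idoc_change_access(SAMPLE_EXPORT):
        print(f"{role}: {obj} ACTVT={actvt} scope={scope}")
```

The scope column is the starting point for the conversation with the process owners: it shows which message types and transactions a non-display authorization actually covers.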

Similar Messages

  • Issue with IDOC occurrence and SeeBurger message mapping

    Hey Guys
    While developing an EDI 850 to IDOC scenario I came across this issue with the pre-delivered Seeburger mapping (A_850_V4010_to_I_ORDERS05).
    I actually need to post multiple IDOCs to the SAP system in the same message, so I changed the IDOC occurrence to unbounded and re-imported that as a .XSD file in the Integration Repository.
    Earlier the pre-delivered message mappings provided by SeeBurger (under SEEBURGER_HIGH-TECH, 1.7.1 of Seeburger) were working fine for me since I was posting only 1 IDOC, but now the mapping is failing as the IDOC occurrence has changed (unbounded).
    Is there a way we can do some settings on the SeeBurger server or Bic so that we can use the pre-delivered mapping for multiple IDOCs as well?
    I just want to make sure before I start off with doing the whole of the mapping manually.
    Thanx
    Aamir

    Thanx for the input guys
    @Deepthi.
    Doing the whole of the mapping manually is definitely the last option, but I'm looking for ways to re-use the pre-delivered SeeBurger mapping.
    >>Seeburger Mapping is only just to convert XML to EDI and EDI to XML.
    The Bic mapping designer does this; I'm dealing with the message mapping of XI (convert source to target), not the Bic designer right now, and Bic does more than just XML to EDI and vice versa; it handles other industry standards too.
    @Jens
    >>The XI message mappings from Seeburger in the Industry solutions are mapping templates
    Yeah, but the mapping template I have deals with 850 to ORDERS05. When I change the IDOC occurrence and re-import it back into the Integration Repository, it doesn't stay as ORDERS05; it has to be changed to a user-defined message interface (in my case MI_ORDERS05), so I'm unable to use the 850 to ORDERS05 template.
    @Seshagiri
    >>Open the Seeburger SWCV From the IR--goto External Def---Select the right one and copy it and paste it in notepad.
    Changing the occurrence is not an issue; I want to re-use the pre-delivered mapping in the Integration Repository, which is not working.
    Looks like I need to do it manually.
    Thanx
    Aamir

  • Could not trace the issue with IDOC to file

    Hi All,
    We are facing an issue with missing IDoc data in the file. There were 20 IDocs generated (msg type - PAYEXT) from the payment run but only 15 of them were written to the file; in the outbound partner profiles we are using a file port to create the file. Noticed that all IDocs were showing the same status (03) and The IDoc was written to file & file location.
    When we checked the file we found that the data of 5 IDocs was not written to the file, but surprisingly the status was showing that it was written to file. Can anyone give a clue / similar experience on this? Not sure how to track the issue ... I checked SMQ1, but nothing was locked.
    Thanks
    Satya

    Hi Kumar,
    As Jose mentioned, please check the occurrence of the 6th file. It should be 0..unbounded. Also, if you do this it will pass the mapping but you will get the error for the 6th file in sxmb_moni, because it would be an empty root message only. This is a known issue and I don't think we have a solution for this. But one workaround would be to create a custom mapping exception so that you have that exception in sxmb_moni when the message fails, and if you have alerts then you will have this mapping exception in your alert.
    Regards,
    ---Satish

  • Posting Data Issue with IDOC Type : COND_A03

    Friends,
    I'm posting the data from Middleware(Message Broker) to SAP using the IDOC Type : COND_A03 with Message Type : COND_A.
    For this IDOC,I'm populating the below Segment's data.
    Segment :E1KOMG:
    Fields:
    KVEWE,KOTABNR,KAPPL ,KSCHL,VAKEY ,KONDA,MATNR .
    Segment :E1KONH:
    Fields:
    KNUMH,DATAB,DATBI
    Segment :E1KONP:
    Fields:
    KSCHL,STFKZ,KSTBM,KSTBW,KRECH ,KBETR,KONWA,KPEIN,KUMZA,KUMNE,MXWRT,GKWRT,ZAEHK_IND ,KBRUE,VALTG,
    VALDT,ANZAUF,MIKBAS,MXKBAS,KOMXWRT,KLF_STG,KLF_KAL
    Problem: In SAP, IDOCs are processing successfully with status 53 and updating the tables KONH, KONP successfully.
    But Table A957, which is passed against the KOTABNR field, is not populating with the Materials passed.
    Can anyone please guide me why the Materials are not populating in the table A957?
    Regards,
    Sreeram

    Hi,
    I guess there might be some issue with VAKEY population.
    All the key fields in A957 should be concatenated properly while populating VAKEY. (Leading zeros must be prefixed to the material.)
    Regards,
    Ganga

  • Issue with Server 2012 RDS roles

    I have a Server 2012 system where the Remote Desktop Services roles were installed manually, not using Remote Desktop Services Installation. This was picked up because of the licensing errors which pop up from time to time. From what I have read, it is not possible to fix the licensing issues without installing the RDS roles correctly.
    I have tried to uninstall the roles but Server Manager hangs with an empty progress bar and never completes the task.
    I have run Remote Desktop Services installation, but it fails as the roles are already installed. The error message is "Failed to open the runspace pool. The Server Manager WinRM plug-in might be corrupted or missing."
    I am reluctant to reload the operating system and start again, as various pieces of software have already been installed. Is there a way to successfully remove the RDS roles or successfully run the RDS installation wizard with the roles already installed?

    Hi FissioPB, could you give us a reference about how to detect and remove the internet filter?
    I've tried the following, but the same issue "Failed to open the runspace pool. The Server Manager WinRM plug-in might be corrupted or missing" and "ERROR_WINHTTP_TIMEOUT" events.
    netsh http add iplisten 127.0.0.1
    netsh http add iplisten ::1
    "netsh winhttp show proxy"
    netsh winhttp reset proxy
    Block GPOs
    Any advice could be helpful. Thanks!!
    :S
    H1R@M

  • Is there a known issue with windows 8 supporting itunes?

    each time I update itunes I lose my itunes store connection and therefore can't update apps etc. Is this a known issue with windows 8 users?

    Yes. Some are complaining.
    Search iTunes.exe. Right Click, Properties, Compatibility, Click Run this program as Administrator. OK.
    See if this helps

  • Issues with IDOC structure in XI

    Hi all,
    I tried to import the IDOC structure (ZDESADV.DELVRY01.Z1DELVRY) from the SAP box in the Integration Repository. After importing, that IDoc structure is getting linked with ZDESADV.DELVRY02.Z1DELVRY.
    Like the view from IR is
    Display IDoc
    Name             :  ZDESADV.DELVRY01.Z1DELVRY
    Namespace    : urn:sap-com:document:sap:idoc:messages
    Software Component Version :
    Description:
    (Tabs) Structure/XSD/WSDL (in Structure tab)
    Structure          Category                     Type
    Z1DELVRY     Element
      IDOC            Element                     ZDESADV.DELVRY02.Z1DELVRY
      BEGIN          Attribute                     xsd:String
    EDI_DC40      Element                      EDI_DC40.ZDESADV.DELVRY02.Z1DELVRY
    Then it is not generating the fields of the EDI_DC40 segment .....
    My question here is: why is this IDoc type linked with DELVRY02 when I only imported DELVRY01? It is really creating an issue.
    Does anyone have any idea where the issue is?
    Whether it is in XI box or SAP box ?
    Thanks
    Laks

    Hi lakshmi s  ,
    Please elaborate the solution... where was this idoc not properly linked??
    I am facing the same issue and need the solution very urgently!!
    Thanks n regards
    VJ
    Edited by: newbpi on Mar 9, 2010 4:56 AM

  • ECC6.0 upgrade issue with IDoc release

    Hi experts,
    we are in the process of upgrading our ECC environment from 5.0 to 6.0. We have quite a few interfaces which use ORDERS/Invoice Idocs in customised form. In ECC5.0 environment, we had developed a Z segment in the ORDERS Idoc and the segment release was set as 640. Everything worked fine in ECC5.0.
    In upgraded environment, SAP has released new version of some segments. one of those is E1EDP01. This segment has 2 new versions in ECC6.0 environment - 007 and 008. This change in the version changes the data in the IDoc and hence interface goes in error at the EDI provider.
    We have tried to use 640 as the IDoc segment release in the partner profile of the IDocs. This still gives us an issue because the 007 version of the segment E1EDP01 has release 620 and hence the Idoc picks up 007 version instead of 006 version as desired. When we change the partner profile with Segment release in the IDoc type as 46C, it gives us an issue in the Z segment saying that the IDoc segment is not released in 46C and the Idoc goes in error.
    has any one faces such situation in the past? if yes, please throw some light.
    Thanks in advance.

    Hello,
    I am new to SAP. That's why I can't understand well how to do an upgrade,
    Then i found out some notes from internet about Upgrade : ‘‘ SAP Note Number 857904  (upgrade from Release 6.’ To 7.0)’’.
    In that notes,
    Actually i would like to know about some key words (for example : ASSIGNING, REPLACE, TRANSFER…. )  which how to work in the Release 7.0
    Always I have some objects in 4.6C.
    Ex 01: ’’READ DATASET p_dataset INTO wa_record’’
    Ex 02 :  ’’ TRANSFER i_crhu TO p_crhd ’’
    LOOP AT i_crhd.
    *disable controls in crhd
        PERFORM f_disable_crhd.
        TRANSFER i_crhd TO p_crhd.
        IF sy-subrc NE 0.
          MESSAGE a045.        "Error when transfering data to error file
        ENDIF.
    ENDLOOP.
      CLEAR i_crhd.
      CLOSE DATASET p_crhd.
      IF sy-subrc NE 0.
        MESSAGE a039.                      "Error at close dataset
      ENDIF.
      OPEN DATASET v_crhd FOR OUTPUT IN TEXT MODE.
    And then i have some FM (ex : WS_UPLOAD , WS_DOWNLOAD)
    So I have changed the code for WS_UPLOAD by GUI_UPLOAD
                                  and WS_DOWNLOAD by GUI_DOWNLOAD
    now my problem is to know about some key word which how to work in ECC6 (for example ASSIGNING, REPLACE, TRANSFER…. )
    thanks in advance
    Rathy

  • Issue with IDoc adapter

    Hi
    I have sent a couple of IDocs from r3 to a legacy system through a Xi interface. Sender adapter is IDoc. For example I have sent 100 IDocs from r3 and 80 reached legacy system. Where we can check for missing IDoc? I am able to see 100 in BD87 of r3 system.
    Thanks

    I can see that message in SXMB_MONI as a success message. But if I go to the left of the display there is a column with the name outbound status. In that column it is showing a red flag (error at outbound side). No message in SMQ1 or SMQ2. Also no error message in RWB. Where can it be found? How to reprocess it? Do we have to resend the IDoc again?
    thanks

  • Issue with idoc configuration in xMII

    Hello,
    I have an issue when I try to create IDOC communication between SAP ECC 6.0 and my MII 12.1 system.
    Here is the configuration in SM59:
    Here is the configuration for XMIIIDOC03 resource adapter in netweaver:
    And here is the error message I get:
    For information, my MII system is able to ping the SAP ECC server (sap0252.sap.logica.com) and the system number is 00.
    Could you please explain what is wrong?
    Thanks

    Hi again,
    I tried all the suggestion and I still have some issues. The network access seems to be solved by adding the gateway service which was missing. But now, I have the Program not registered issue even after trying the procedure given by Henry to force the program registration (I also modified the programID value to force it).
    Here is my new configuration:
    SM59 :
    NWA :
    Error:
    Could you please have a look?
    Regards,

  • Issue with IDOCs

    hello All,
    I have a PO created which is Interplant PO.
    Now when I check the IDOC it is in 51 status. and the error msg is "Missing authorization: Purchase Order Create Purchasing Grou ZIP".
    Now the Buyer name is Z and is not present in the below standard role mentioned....
    I checked the role "SAP_AIO_PURCHASER-S"
    Standard   Purchasing Group in Purchase Order
       Activity                       Create or generate, Change, Display, Print, edit messages
       Purchasing Group               *
    Do I need to ask entitlement team to add ZIP buyer name in the above purchasing group?
    Please suggest what to do?
    Thanks in advance,
    Forum Shah

    Yes, you need to add this purchasing group as there is no authorisation.

  • Acknowledgment issue with idoc Adapter

    Hello all,
    I've an interface process that send a specific idoc from SAP R/3 4.7 to SAP XI 3.0.
    This Idoc is known at XI side in IDX2 transaction.
    Each time XI receives this kind of idoc, it processes an acknowledgment (sends back an ALEAUD idoc to my SAP R/3)
    with followings data in E1ADHDR / E1STATE segment :
    DOCNUM     0000000002401038
    STATUS     51
    STAMQU     SAP
    STAMID     IDOC_ADPAPTER
    STAMNO     000
    I don't want this ack idoc to be sent but I don't manage to find where customize Idoc adapter to send it.
    Can you help me ?

    HI,
    Make an entry in the table IDXNOALE in the XI system by providing the details for the port, IDOC etc. for which the acknowledgements need to be turned off. You can check this port etc. from the IDX1 entry in the XI server
    Or
    Go to the IDXNOALE report in XI. There, click on the request acknowledgement button, and in the exceptions section, provide the message type for which you do not want acknowledgements.
    Regards,
    Moorthy

  • Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

    Hello -
      We have recently upgraded from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first created a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now we have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked online, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
    thanks
       George

    This is how I used this program:
    A. Generate required authorization objects
    1.     T-Code: SA38
    2.     Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
    3.     Select your Business Role.
    4.     Choose language EN.
    5.     Choose Execute.
    Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
    B. Assign authorization objects
    1.     T-Code: PFCG
    2.     Enter your Role and choose Change.
    3.     On the Menu tab choose Import from file and upload the file previously created.
    4.     Choose Save.
    Then adapt the authorizations if needed and choose Generate.
    Stephanie.

  • Issue with Idoc when creating invoice taking wrong payment term

    Hi All,
    My Requirement is invoices created through B2B interface should hold the payment term of purchasing party instead of invoicing party
    400021 is Invoicing party having payment term 2000 i.e. 20 days
    414478 is the Purchasing party having the payment term 1000 ie 10 days
    So invoice should hold the payment term 10 days instead of 20 days
    I have an IDOC which is creating Invoice, I am trying to reprocess the IDOC to see the issue but could not able to achieve the solution.
    Please help me out which approach should i follow to achieve the solution of this issue.
    Thanks,
    VB

    Hi,
    Try using the E1EDK18 segment. Put "Number of days", Qualifier and check if this achieves the desired result or not. If yes, then you have to use a user exit to put the number of days in the IDOC.
    Cheers,

  • Issue with IDOC segment creation..

    hi,
    i created an idoc segment thru we31. when i was saving it, and when the transport request was asked, i cancelled it. it so happened that the underlying structure was created (i was able to see that in se11) but in we31, the segment definition did not appear and i got the message "segment does not exist yet".
    so in se11, i deleted the associated structure and tried to recreate the segment, but i am not able to! while saving, i get the error "you do not have authorization for delete for function idoc segment"
    when i performed a segment check (ctrl + F1), i got the message,
    Repository structure missing for segment ZZZ
    Inconsistent overall length in segment version 000
    Segment version 000 not released
    Entries exist in table of Segments for segment ZZZ
    Entries exist in table of Segment definitions for segment ZZZ
    Entries exist in table of Segment structures for segment ZZZ
    Segment ZZZ is inconsistent
    what should i do?
    thks

    resolved. seems some authorization was missing. thks
