Roles / Security guide

Hello everyone:
I'm administrating a demo SAP Web App Server Java/ABAP and I'd like to know about security, but specifically about the roles needed for main tasks, for instance, what permissions are needed for an ABAP Developer, XI user, Portal admin, etc. I don't want to give SAP_ALL to everyone.
Is there any guide / place where I can check this out? Not really a guide to Fully Secure SAP Applications, but just about roles needed for each use.
Thanks!
Alejandro

Thanks Sri:
I actually meant if there's a guide for a WebAs administrator, let's say, besides the predefined roles and their permissions, what happens when I want to create new roles, based on technical/functional decisions, which roles should I pick for them.
Let's say, I want a developer Java + ABAP user, so he needs permissions / roles A, B and C
Is there anything like that available?
Thanks!
Alejandro

Similar Messages

  • SEM-BCS authorization or Security Guide

    Hello,
    Last year we went live with the SEM-BCS project. Now we need to restrict all the T-codes in SEM-BCS. During the go-live we provided full authorizations to everyone. Now auditors are bugging us to restrict the access in the SEM-BCS system. If possible, can anyone provide an authorization or security guide for the BCS project?
    Vijay

    Hello Again,
    The guide contains only authorization objects and default SAP-defined roles. But here it is a different scenario. The SEM-BCS team has provided me 30 T-codes and I am supposed to pick all the default values for all the T-codes.
    I am doing it from T-code SU24 and updating it in Excel. My questions are:
    1. How to get more knowledge on the T-codes
    2. How it will function
    3. In what way we can restrict the field values and activities for the T-codes.
    My functional team has no knowledge of these objects and what activities should be there.
    Now I need to explain to them each and every T-code and what each field and activity does. If there is any go-live document for this it will be really helpful for me.
    For all 30 T-codes I need to create custom roles, and audit needs no asterisk for new custom roles.
    Vijay

  • Java UME Security Guide?

    Hello,
    I'm looking to understand NW Java security. For example, I need to understand enough to give a development team access to the WebDynpro administrator, enough to look at and test their WebDynpro developments but not have access to the WebDynpro console, UME, or other NW administration. The portal will not be used at this point. I want to be able to restrict permissions in Java only. Is there a security guide out there that explains this?
    Your help is appreciated.
    Thanks,
    Doug
    The roles I'm seeing out of box in our sandbox are...
    Administrator
    SAP_JAVA_NWADMIN_CENTRAL
    SAP_JAVA_NWADMIN_CENTRAL_READONLY
    SAP_JAVA_NWADMIN_LOCAL
    SAP_JAVA_NWADMIN_LOCAL_READONLY
    SAP_JAVA_NWMOBILE_ADMIN_READONLY
    SAP_JAVA_NWMOBILE_ADMIN_SUPER
    SAP_JAVA_NWMOBILE_HG_ADMIN
    SAP_JAVA_SUPPORT

    Hi Doug,
    Volker and Raymond have good suggestions. You can also use the search function on the Help Portal to find out more about the roles in question.
    The Mobile roles are here: Setting Up Administrator Users (http://help.sap.com/saphelp_nw70/helpdata/EN/3e/9f934257a5c96ae10000000a155106/frameset.htm).
    SAP_JAVA_SUPPORT is for the Solution Manager. Here is a document from SDN that mentions it: Supportability Setup Guide Solution Manager Diagnostics (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4c02c046-0a01-0010-deb3-c7f7d5b95776), page 57. The document is kind of old though, 2005.
    The others are roles for the SAP NetWeaver Administrator. The local role is for granting administrator access to the application. The central role is reserved for future use, I believe.
    -Michael
    Edited by: Michael Shea on Sep 4, 2008 11:46 AM
    Make the link pretty.

  • Security Guide for Enhancement Pack 4 for ECC 6.0

    Hello,
    I am trying to analyse the impact of applying Enhancement Pack 4 for ECC 6.0. Can someone help me find any security guides for it?
    It is an existing system and few additional modules are being implemented.
    Kind Regards.

    Hello,
    We have applied EHP4 on an existing (running) ECC 6.0 system. Can someone help me find answers to the queries below?
    a) What is the SAP standard process to start with the security bit?
    b) Do we need to run SU25 steps? If yes, which ones?
    c) Since the purpose of applying EHP4 was to activate a few sets of new business functionalities, we intend to affect the existing security design minimally. What is the best approach for this?
    Kind Regards,
    Abdul

  • Security guide for PI 7.1

    Hi all,
    Can anybody tell me if there is a security guide available for PI 7.1 ?
    regards,
    Loveena .

    Here it is
    http://help.sap.com/saphelp_nwpi71/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
    Regards,
    Prateek

  • XI Security Guide

    Anyone know where I can find the XI security guide?

    Hi,
    Check this as well
    Configure Message Level Security in SAP XI 7.0: http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    ---dushanth

  • System 9 Security guide

    Hi,
    Where do I find the Hyperion System 9 Security Guide referred to in the Planning admin guide?
    Is it a PDF located somewhere?
    Thanks
    CD

    Hi,
    All documents are at :- http://download.oracle.com/docs/cd/E10530_01/welcome.html
    For the Security Guide, click the Installation & Backup tab and it is under common installation.
    Cheers
    John

  • Menu Role Security

    I have a menu with role security enabled. If I grant one of
    these roles to a pre-existing user, everything works fine.
    However, if I grant it to a brand new user I get "FRM-10256 User
    is not authorized to Run Form Builder Menu". (Note that all of
    the forms, menus etc are held in the file system).
    I have definitely granted the right role. What is going on
    here?
    Thanks
    Chris

    Thanks.
    Chris Rimmer (guest) wrote:
    : John,
    : Don't worry, I already answered my own question! To use menu
    : role security:
    : 1) Ensure that the view SYSTEM.FRM50_ENABLED_ROLES exists. If
    : not, you will need to run a script (FRM50SEC.SQL I think) to
    : create it. I also advise that you grant SELECT on this view to
    : PUBLIC, to avoid the problem that I encountered.
    : 2) Create the roles to be used, if they don't yet exist.
    : 3) In the menu module, set the "Use Security" property to TRUE
    : and add the roles to the "Module Roles" list.
    : 4) For every item in the menu, you must now make a selection in
    : the "Item Roles" property to decide which roles can access the
    : item.
    : 5) Make sure you compile the Menu Module. Done.
    : Chris
    : john (guest) wrote:
    : : Hello Chris,
    : : I don't have the answer, sorry. I would like to ask you for
    : : your help on creating a menu role. How can I create a menu role
    : : then grant it to users specifically? Thanks for your time.
    : : john

  • Reviewer Role - Security Access

    Hi, this is a question on security.
    We have security around Entity, Custom2 and Custom3.
    Now I have a manager who has access to his entity and has the role Reviewer 2.
    I have an inputter with access to the same entity with Reviewer 1.
    The manager, however, cannot see the data till it reaches Reviewer 2.
    The requirement is that he should only 'SEE' the data at Reviewer 1 and start making changes only at Reviewer 2.
    The moment I give him Reviewer 1, he can see the data but can also 'edit' it, which is not what is wanted.
    Can you please guide me on this?

    Hi,
    I do not think the Hyperion system can support this function.
    Whether a user can edit data or not is controlled by the security class setting.
    And the time at which a user can read/edit data is controlled by the review level.
    They are separate settings and cannot interact.
    One solution is to add a dimension like version in HFM.
    Reviewer 1 has read/write, Reviewer 2 has read access to version member V1.
    Reviewer 2 has read/write access to version member V2.
    When users do the promote, they need to trigger the rules to copy data to the next version member.

  • How to implement Oracle user/role security with Access front end?

    Hi,
    We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
    In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
    We need to be able to authenticate users into the Oracle database and re-link the tables based on their own unique user id. By doing so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, etc. rights to the database.
    I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
    I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
    Can someone give me some assistance or point me in the right direction?
    Thanks in advance,
    Larry

    We had one of our programmers here come up with a VB code solution for re-linking tables within Access. However, the relinking takes 3-4 minutes for 100+ tables.
    In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
    We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
    We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. It's easy to understand, we have a significant investment in the front end (obviously, the plan is to migrate the front end also at some future date).
    In order to utilize the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
    The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to object(tables, queries, ect) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
    The dilemma is the disconnect between Access and the fact that Oracle utilizes a similar but much more sophisticated security model. It creates users and roles (which are similar to Access groups), and again this is independent of Access security.
    Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
    For example, a user BOB logs into Access via the workgroup file; using VB code, Access then establishes an Oracle connection, logging into Oracle using the same unique userid BOB.
    After connecting and validating user BOB in Oracle, the Access tables are relinked to Oracle using the user BOB userid and table rights.
    This Oracle userid has been granted table rights specific to this userid. This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
    The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
    Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
    I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
    Larry

  • Role Security within Company Code at Profit Center Level

    Can someone explain how to restrict GL transaction processing within a company code, below the company code level, at a Division / Branch level at the profit center level for ECC6 via user authorizations in FI GL role security?

    Hi,
    Create Authorization Objects for the branch/ division containing the User ids and mention in the role.
    Thanks
    VK

  • SAP Role Security for BSP

    Hello Experts,
    I am developing BSP application in BW Environment for some custom table maintenance which doesn't involve Portal.
    I call the BSP Application with the "CALL_BROWSER" FM from programs. They want to control the access to the users based on Role or Auth Objects or others inside the system.
    Because, if some user knew the URL for the BSP, the security is pretty open.
    Is there any way to do security for BSP based on roles?
    Best Regards
    Arun Prasad

    Hi,
    Here are the steps:
    1. Create the Role in PFCG with the following Auth Object detail:
    2. Create the Authorization Check for ICF Access, Internet Communication Framework (S_ICF), with Field ID ICF_FIELD. Check the checkbox SERVICES. For the same Auth Object create another Field ID "ICF_VALUE"; here assign your BSP Application ID, let's say MYBSP.
    3. Then go to the SICF transaction, go to your BSP Application node, and under service data mention this ID as MYBSP against SAP Auth.
    4. Now you need to check the Auth Object before calling the FM CALL_BROWSER, the way you do for a normal ABAP Report.
    Hope this will solve your problem. Let me know if you have any question.
    Raja T

  • Security guides

    First time posting and coming from xp/FC7.
    I've decided to give Linux a more serious go around as I have played around with FC7 for a while but haven't really learned much as there is not much you really need to do besides point and click.   I like the idea behind Arch where I can build the system up around what I need and not what the organization that is sponsoring the distro thinks I need.
    That being said I'd like to along with becoming more accustomed to working with the backend of a unix like OS I also want to get a few pointers on good security practices.  The most in depth I have been so far with setting up security measures has been the basic firefox+noscript, running windows firewall if that gives you an idea of how new I am to the whole topic.
    So any guides/books/blogs/articles discussing good security practices related unix like operating systems or better yet arch in particular would be greatly appreciated.

    Read more about firewalls here, here, here and here.
    Besides that, these are the basic, most important security measures:
    - Don't work in the root account/set up a user account with the right privileges
    - Build packages from AUR as user, not root (only install them via root)
    Noscript for firefox on linux is also a good idea. Same is true for adblock, flashblock etc
    edit: Oh, and welcome to the Arch Forum, have fun!
    edit2: I was wrong about the firewall
    Last edited by Sigi (2008-04-16 16:01:42)

  • 10.1.3. EJB security guide

    I want to use file based security provider and deploy also on embedded application server
    I found two guides
    download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/ejbsec.htm
    and a bit shorter
    download-east.oracle.com/docs/cd/B25221_04/web.1013/b14429/ejbsec.htm
    Which one should I read?

    Thanks for the link. I was more interested in the Adapter Installation guide for connecting PeopleSoft. From the link you gave, I was able to locate that document.
    After installing 10.1.3 Adapters (only design time components), I am not able to start iaexplorer.exe. When I start it, nothing happens.
    Application Server: 10.1.3.0 (Oracle SOA Suite)
    Adapter Version: 10.1.3.0 (Adapters for PeopleSoft, etc)
    Installation option during Adapter installation: design time components.
    Problem: IAExplorer doesn't start.
    I tried executing "ae.bat" and this is the error I get. Any pointers towards a solution would be appreciated.
    starting java
    ######### Error: Can not init logging ...
    Exception in thread "main" java.lang.NoSuchFieldError: WHITE
    at com.ibi.bse.gui.BseFlashScreen.initComponents2(BseFlashScreen.java:92
    at com.ibi.bse.gui.BseFlashScreen.<init>(BseFlashScreen.java:30)
    at com.ibi.bse.gui.BseFlashScreen.main(BseFlashScreen.java:158)
    Thanks

  • BO User Roles & Security

    Hi,
    I have created folders for our BO developers in BO XI 3.1 CMC.
    Can anyone tell me how to assign the security so that the users can store and access files from their folders?
    My questions here are:
    1. How to store reports and universes for users exclusively.
    2. Users should be able to access their folder only and store their reports in theirs.
    3. What levels of security do we have?

    Hi,
    Don't grant access to the Public folder, and grant the rights to access the Universe. All users will have to store their reports, which are developed by them, in the Fav folder.
    This will help in your case.
    Cheers,
    Ravichandra K
