SAP BI 7.0 Security Blueprint

Hi,
I'm new to BI 7.0 (I have experience in v3.0 and 3.5 though) and especially the security side of things.
I've been asked to create a blueprint document detailing what is needed for a new SAP HR project relating to the security aspects in SAP BI.
I'm not really sure where to start, what sort of questions I need to ask, who I need to talk to and what should go into the blueprint document.
Are there any generic roles that could be set up or used?
Can anyone advise me on any of this, plus any additional documents/notes/examples that I may find of use?
Many thanks in advance,
mark.

Hi Mark,
You need to ask some of the following questions:
- Is there any specific HR information that you wish to provide security for?
For example: you may want to hide the salary in the BI employee infoobject, or the SSN/SIN, date of birth etc.
- Do you want to secure the HR data from all other users, or for only some users, and what is the split?
- Do you want to provide security to specific cubes, or if someone has access to the HR InfoArea, do they see all cubes?
From my experience in HR, we usually try to set up a Z infoarea, only accessible by HR people, and give access via authorization-relevant fields.
The new security in BI 7.0 has some authorization objects that will do just the thing.
We also had used an ODS for authorizations, with a check in the report (variable) based on the user name. This is also possible via a DSO in 7.0.
Hope this helps....I am not a security expert though!
Kathleen

Similar Messages

  • Security Blueprint doc

    Hello,
    1. Do we have a document / template for SAP security blueprint?
    2. What is the meaning of AS-IS processes, with respect to security?
    3. How do we go about documenting To-Be processes, with respect to security?
    Thanks in advance.
    VJ

    I can't think of anywhere where blueprint docs are available.  Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.
    Hussein did well to mention ASAP, you can download it and get some useful templates from there.  More info here: https://websmp101.sap-ag.de/roadmaps
    Have a think about stuff like the following:
    Security Objectives
    Security Approach
    TX to Role Mappings
    Restriction Requirements
    Compliance Requirements (SOX, internal security standards)
    Build Standards
    Developer Security standards
    User Management
    Basically all the stuff you need to be able to build from your set of blueprint docs
    Have fun & good luck

  • QM Digital Signature SAP System's Personal Security Environments (PSEs)

    Hi All,
    We want to introduce Digital Signatures for Quality Management Result Recording and Usage Decision (Transaction Codes: QE01, QE02, QA11, QA12).
    We have made some studies. Still we need some suggestions to achieve the final goal.
    ==============================================================
    1.
    SSF settings for system signature
    Check and if necessary maintain the standard settings. To do this, execute the following activities in the IMG under SAP Web Application Server -> System Administration -> Digital Signature:
    • Define application-dependent parameters for SSF functions
    • Define security settings for the system
    The above IMG Structure
    SAP Web Application Server -> System Administration -> Digital Signature:
    is not appearing in ECC6.0. Where can we find the above structure in ECC6.0?
    2. SAP Netweaver
    --> Application Server
    --> System Administration
    -> Maintain the Public Key information for the system
    --> Maintaining the system security information.
    This IMG Activity "Maintaining the System Security information"
    Environment.
    We have to create new “SAP System's Personal Security Environments (PSEs)” ?
    What is the procedure to create SAP System's Personal Security Environments (PSEs) ?
    We are unable to proceed.
    Please help.
    With Best Regards,
    Raghu Sharma.

    Dear All,
    Basis involvement is very much required.
    Hence we are closing this issue.
    With Best Regards,
    Raghu Sharma

  • Difference between SAP CRM Security and SAP ECC 6.0 security

    Hi
    I have worked extensively on SAP ECC security but haven't had the chance to work on CRM Security.
    Can anyone please let me know the difference between CRM security and ECC security?
    Thanks...

    I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
    really sad.....
    The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
    1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
    2) If you are familiar with R/3 or ECC authorizations, then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level, whereas in SAP CRM, in most cases the 'allowed activity' is not controlled by the Transaction code, but on authorization object level....
    E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g. sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
    another example is business transaction processing...which can be launched by:
    a very generic transaction code: CRMD_ORDER
    transaction category related transaction codes :e.g.
          > CRMD_BUS2000126 for activity management
          > CRMD_BUS200115 for Sales processes
    Again...allowed activity is not controlled by the tcode, but on authorization object level...
    3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
    However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
    Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
    STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
    4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
    This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
    You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....
    cheers
    Davy Pelssers

  • Choice of sap NW admin vs security admin

    Hi
    My company will be implementing sap soon and I have the opportunity to get into either basis or security. I need your advice please.
    I have a very good IT experience but not in sap nor any admin exp. I have some user level knowledge in sap. My company will send for the training in the future and is checking my interest.
    Thanks

    I've solved the issue;
    It was caused by me deploying the web-app through the weblogic
    administration console.
    If it deploys during startup it does work fine.
    Hope this might help other people as well.
    Thnx,
    Aias
    "Aias Martakis" <[email protected]> wrote in message
    news:4193c4f5$1@mail...
    Hi,
    I've created mbeans that i want to register on a Mbean Server (with the
    registerMBean method) of a managed server.
    On a single server this works perfectly but as soon as i switch to a
    managed/admin environment i get the error that the current context
    principals are not sufficient for doing the registration:
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[ ], on ResourceType: CmpDomainMBean Action: register, Target: null
    at weblogic.management.internal.Helper$IsAccessAllowedPrivilegeAction.run(Helper.java:2149)
    I've got the context through: ctx = new InitialContext();
    I definitely don't want to hardcode the credentials into the file (I did try
    it and it does work), and I'm really curious as to why this did work on a
    single-server and not on a managed-admin server.
    I've found that adding the option: -Dweblogic.disableMBeanAuthorization=true
    to the startup indeed does what it says and it then can register on a
    man/admin env. This of course is not a desirable solution either since all
    the authorization will be disabled.
    So my guess is that the context on the managed server has been altered
    compared to when running from a single-server.
    Anyone any ideas as to why this changed, or any idea what else could cause
    this to happen?
    Thanks in advance,
    Aias

  • SAP Design Studio Bookmark security

    We like the new feature in 1.3 which allows us to save bookmark / navigation state in a SAP Design Studio application. However, it looks like it requires Administrator rights for users to be able to save or delete it. We were not able to locate what security is required in BI for end users, and we are reluctant to give Administrator rights to them.
    Does Design Studio 1.3 come with new security to allow users to add/delete bookmarks? Is anyone out there able to assist us to pinpoint which security is required?

    Hi Steven,
    I am not sure it is security.
    Please look at the SAP help at https://websmp202.sap-ag.de/~sapidb/011000358700000449022014E/ds13_admin_bip_en.pdf
    Notice this picture/section:
    Could you check on this to see if it helps?

  • SAP GUI 7.20 Security Rules - How to 'Always Allow' Everything?

    The SAP GUI 7.20 comes with a list of security rules.
    What is the best way to allow all access so that users won't get any security prompts?

    @Sven, section 2.5 refers to 'Central Repository for Security Configuration'. Like Michael, I have a large number of users and we package and distribute software using non-SAP software. We can't have a central repository that all users can connect to so the 'Location' registry entry wouldn't work for us.
    @Michael:
    > Under the SAP GUI Configuration / Security / Security Settings you can change the default of "Customized" to Disabled.
    Do you mean 'Default Action = Allow'? Mine is set to that, but I still get pop-up prompts.
    Would setting 'SecurityLevel = 0' give the required result in the SAP GUI?
    I realise that this process would need to be followed:
    - Administrator should install a new version of the SAP GUI 7.20 onto a PC
    - Administrator should edit the registry values using the rule editor in the 'Security' node of the SAP GUI options dialogue
    - A saprules.xml file will then be generated
    - The saprules.xml file should then be copied from the %APPDATA%\SAP\Common folder to the location specified in the registry value 'Location' (maybe make Location a folder on the PC? and put the saprules.xml file into there?)
    - The saprules.xml file in the location specified in the registry value 'Location' will not be overwritten by SAP GUI patches or new installations, however it may need to be updated to include new features
    Note:
    - Registry values are stored in different places for 32 bit and 64 bit PCs

  • Does SAP upgrade cover previous security notes?

    Hi, I am a beginner in the security field and have this confusion. I am using Solution Manager to find missing security notes in my system. Should I filter the result and implement security notes that have been released after the date of the upgrade, or should I include all security notes, including those notes released before the upgrade date?
    Thank You..

    In addition to the list of security notes at https://service.sap.com/securitynotes you should have a look to the Security Patch Process FAQ as well.
    Concerning your question:
    Yes, all security corrections of SAP are part of a Support Package.
    But there exist some pitfalls:
    By the time you have finally upgraded your production system, it's already some months old compared with the corresponding development close date for the support package at SAP. Therefore you will always find some new security notes -> Use the Maintenance Optimizer to find new security notes while you are preparing the upgrade, and the application System Recommendations monthly.
    Several security notes contain manual instructions to configure the system (e.g. concerning profile parameters, RFC Gateway access control lists or logical filenames), which are valid for the new support package. -> I recommend skipping any date selection while searching for security notes. (Use a date interval only if you explicitly want to have a look, e.g. at the notes of the most recent patch day.)
    Kind regards
    Frank

  • SAP Cloud - Help Desk Security Roles

    Hi SAP user community,
    Can you please recommend which security profile we should use for our Help Desk support?
    Help Desk support would only require access to Application and User Management --> Business Users. Their tasks would need to be limited to Password Resets and User Locks.
    Thank you,
    Zhenya

    Hi Zhenya,
    I wouldn't use the pre-delivered roles for your use case.
    You can create your own roles via "Application And User Management -> Business Roles" and assign them to your users.
    It would probably be sufficient to create a business role that grants access only for the view "Application And User Management -> Business Users".
    Best Regards,
    Andreas

  • SAP-J2EE (root) node Security Provider

    I changed the SAP-J2EE (root) node to "ticket", and now I can't seem to get into the Visual Administrator. I wouldn't think this would affect Visual Administrator?
    Is there a way to change things back via a command line interface?

    Rohit,
    Did you install as a double stack or add-in installation? Or did you install as a standalone AS Java?
    What kind of installation you did determines what default users you have.
    See the following from the AS Java Security Guide:
    http://help.sap.com/saphelp_nw04s/helpdata/en/9f/d770424edcc553e10000000a1550b0/frameset.htm
    Naturally this is just the default installation. If these users have been deleted since installation, you have to adjust accordingly.
    Which data source is the default also depends on how you installed AS Java. You have the correct data source for the AS Java as stand alone. Depending on what version you originally installed, the double-stack/add-in default data source may be dataSourceConfiguration_abap.xml.
    Changing the data source won't help you if you cannot find the guest user though.
    -Michael

  • SAP NOTE 1298433 Bypassing security in reginfo & secinfo

    Could someone advise me about SAP NOTE 1298433 Security note: Bypassing security in reginfo & secinfo?
    In my opinion this error correction must be done carefully, as there could be a risk during the execution of jobs that use external programs, causing jobs to finish with errors, files to be lost, or external programs to be unable to connect.
    We have received news from other customers that have applied this change, and they have had some issues where external programs were unable to connect. There was such a flood of them at once that in the end the client requested to disable this for now, as they are controlling their environment for this with their firewalls.

    A likely cause of failure is that you restricted the user-hosts in secinfo without maintaining reginfo.
    Absence of reginfo defaulted to secinfo settings, but that is somewhat contradictory as they serve a different purpose.
    Please describe the scenario of your concern? Particularly, are you using any IS-solutions or have background processing "balanced" onto a specific server?
    Can you locate it to a reginfo problem in combination with a router?
    Firewalls between the server network and the clients are good, but not very scalable as the firewalls are generally rather blunt and don't understand application logic. Network security folks seldom understand SAP as well and don't really like maintaining SAP related network devices.
    Cheers,
    Julius
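The concern in this thread (external programs failing to register once reginfo is enforced) can be checked before the change goes live. The following is an added example, not code from the thread or from SAP: it evaluates a proposed reginfo against an inventory of registered programs, assuming the `P|D TP=<program> HOST=<hosts>` rule syntax, first-match-wins evaluation and an implicit deny when nothing matches. The rules and inventory are constructed sample data, and host matching is simplified to exact names and `*`.

```python
"""Pre-check a proposed reginfo file against known registered programs."""

# Constructed sample: proposed reginfo rules (not from any real system).
PROPOSED_REGINFO = """\
#VERSION=2
P TP=IGS.PRD HOST=sapapp01
P TP=TAXCALC* HOST=taxsrv01,taxsrv02
D TP=LEGACY_FTP HOST=*
"""

# Constructed sample: (program id, registering host) pairs seen today.
INVENTORY = [
    ("IGS.PRD", "sapapp01"),
    ("TAXCALC_EU", "taxsrv02"),
    ("TAXCALC_US", "taxsrv03"),
    ("LEGACY_FTP", "ftpgw01"),
    ("PRINTSRV", "prt01"),
]


def parse_reginfo(text):
    """Return the rules in file order; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        action = fields[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"unknown action in rule: {line!r}")
        opts = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            opts[key.upper()] = value
        if "TP" not in opts:
            raise ValueError(f"rule without TP=: {line!r}")
        hosts = [h.strip().lower() for h in opts.get("HOST", "*").split(",")]
        rules.append({"action": action, "tp": opts["TP"], "hosts": hosts, "line": line})
    return rules


def decide(rules, tp, host):
    """First matching rule wins; no match is treated as deny (assumption)."""
    for rule in rules:
        pattern = rule["tp"]
        tp_ok = tp.startswith(pattern[:-1]) if pattern.endswith("*") else tp == pattern
        host_ok = "*" in rule["hosts"] or host.lower() in rule["hosts"]
        if tp_ok and host_ok:
            return rule["action"] == "P", rule["line"]
    return False, "no matching rule (implicit deny)"


def precheck(reginfo_text, inventory):
    """List registrations that would break and permit rules that are wide open."""
    rules = parse_reginfo(reginfo_text)
    blocked = []
    for tp, host in inventory:
        allowed, reason = decide(rules, tp, host)
        if not allowed:
            blocked.append((tp, host, reason))
    wide_open = [r["line"] for r in rules
                 if r["action"] == "P" and r["tp"] == "*" and "*" in r["hosts"]]
    return {"blocked": blocked, "wildcard_permits": wide_open}


if __name__ == "__main__":
    for tp, host, reason in precheck(PROPOSED_REGINFO, INVENTORY)["blocked"]:
        print(f"would be rejected: {tp} from {host}: {reason}")
```

Every entry reported as blocked is an external program that would stop connecting after the change, so each one needs either an explicit permit rule or a decision that it should stay blocked.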

  • Flex and SAP Netweaver Web Service Security

    HTTPS should just work, please repost here if it doesn't.  In regards to the username and password, the browser will prompt you just like it would when you log into a normal system.  The "challenge" box will come up and you can log in there.  If you have already signed in and navigated to the page using SSO2 tickets the flex app will use that token to gain access to the system.
    More broadly, I never use the AS proxy generator or the MXML webservices to do this.  I find that that directly using the actionscript classes is easier to debug, see my post:  http://www.danmcweeney.com/57

    > Irvan Bastian wrote:
    > 1. I really don't know how to connect from Flex to a web service when it's run in the SSL HTTPS way. Can you give me a sample code? (I think it will use the DEFAULT_DESTINATION_HTTPS component from mx.rpc.soap.WebService)
    I believe just using https as the location of the WSDL will make the Flex framework switch to use https, that and make any destinations https.
    > Irvan Bastian wrote:
    > 2. About the user and password, I am already using
    > fooService.setRemoteCredentials("username", "password"); but the browser still prompts for the username and password. I must type it once again to pass the HTTP Basic Authentication. How can I type the user and password in the program only, to make the browser not prompt anything and pass the HTTP Basic Authentication silently?
    setRemoteCredentials does not do what you think it does, this method is used for, quoting the Flex Docs, "These are passed from the proxy to the endpoint.  If the useProxy property is set to false, this property is ignored."
    I have to look into setting the "Authorization" header directly, for a version you couldn't do it, I think you can now, but can't remember if it is restricted to certain HTTP verbs.
    > Irvan Bastian wrote:
    > 3. What is "SSO2 tickets" ??
    These are the SAP single sign on tickets, they show up in headers as MYSAPSSO2 values.

  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:
    1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to HR position on user (link user-position) to maintain , then create a custom Object in IDM (entrytype Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • SAP ERP Security Problems

    Hello,
    We are searching and investigating the security problems and needs in SAP Systems (the NetWeaver and R3).
    We are looking for vulnerabilities from the network level up to the application and SAP-GUI level.
    We would like to hear and learn from users on case studies and problems that occurred during implementing and running the SAP systems.
    We would appreciate if you could contact us for further details.
    Thank you.
    <Contact information removed by forum moderator>
    Message was edited by: Christian Wippermann

    Dear Alon,
    Thank you for your interest in SAP Security. You are very welcome to investigate product security and to share your results with SAP ([email protected]). But this is exactly the place where SAP users should report security problems they may find. They should not report to other companies! That is why I removed your contact information and closed this thread.
    To make myself clear: Please report security problems directly to [email protected]. My colleagues there will support to solve the issues.
    Best regards,
    Christian

  • Security prompt when opening .msg files in SAP

    I have a customer that gets this prompt when opening an attachment in SAP. The attachment was saved from Outlook so it is in .msg file format. The customer is using Windows 7 and Office 2007. This is from the customer:
    As discussed, below is a screen shot of the pop up I receive every time when opening an email attachment with T-Code VA02.  I use this function multiple times per day.  Even if I select “Always Allow,”  I continue to receive this pop up.

    Hello Ronald,
    Did you try to create a security rule at the SAP GUI?
    Access the SAP GUI "options", then "security" -> "security settings". Click at the "Open security configuration" button, and then at the "insert" button.
    Regards,
    Isaías
