SAP security & minimal rights concept

It appears that the "minimal rights" concept does not prevail in SAP, for example if a role contains 2 instances of the same object, one with full authorization and one with restrictions, the instance with full authorization will take precedence over the restricted one. The user would get the most permissive access.
Can anyone confirm that the above is consistent with their findings? I would like to ensure that there's not a setting somewhere where the customer defines their approach, e.g. "least permissive" or "most permissive".

Hi Linda, you are correct in your understanding. The higher authority will override the smaller level of authorisation. There is no maximal/minimal setting that you can toggle.
When the minimal rights concept is referred to in a SAP concept (and other ERPs I have found too) the interpretation is generally that of least privilege required to perform a user's duties and the subsequent implementation of that technically.
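The behaviour confirmed in the reply above, as an added example: a simplified Python model of how an authorization check combines the instances of one authorization object that a user holds. It is not SAP code and not part of the original thread. S_TABU_DIS with the fields ACTVT and DICBERCLS is a standard authorization object; the role contents and the ZFIN/ZHR authorization groups are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    """One instance of an authorization object inside a role/profile."""
    obj: str
    fields: dict  # field name -> list of granted values ("*" or "ABC*" allowed)


def covers(granted: str, requested: str) -> bool:
    """True if a granted value (literal, '*' or trailing-'*' pattern) covers the value."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def instance_allows(auth: Authorization, requested: dict) -> bool:
    """Within ONE instance every checked field must be covered (logical AND)."""
    return all(
        any(covers(g, value) for g in auth.fields.get(field, []))
        for field, value in requested.items()
    )


def authority_check(auths, obj: str, **requested) -> bool:
    """Across instances the results are ORed: one matching instance is enough.
    There is no 'deny' instance and no switch to make the restricted one win."""
    return any(a.obj == obj and instance_allows(a, requested) for a in auths)


def subsumes(broad: Authorization, narrow: Authorization) -> bool:
    """True if everything 'narrow' grants is also granted by 'broad'."""
    return all(
        any(covers(g, v) for g in broad.fields.get(field, []))
        for field, values in narrow.fields.items()
        for v in values
    )


def shadowed_instances(auths):
    """Role-review helper: list (restricted_index, broader_index) pairs where a
    restricted instance has no effect because a strictly broader instance of
    the same object exists alongside it."""
    hits = []
    for i, narrow in enumerate(auths):
        for j, broad in enumerate(auths):
            if i == j or narrow.obj != broad.obj:
                continue
            if subsumes(broad, narrow) and not subsumes(narrow, broad):
                hits.append((i, j))
    return hits


# Constructed role: a display-only instance for table group ZFIN next to a
# full instance of the same object, plus an unrelated S_TCODE instance.
ROLE = [
    Authorization("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["ZFIN"]}),
    Authorization("S_TABU_DIS", {"ACTVT": ["*"], "DICBERCLS": ["*"]}),
    Authorization("S_TCODE", {"TCD": ["SM30"]}),
]

if __name__ == "__main__":
    restricted_only = [ROLE[0], ROLE[2]]
    # With only the restricted instance, change (02) is refused.
    print(authority_check(restricted_only, "S_TABU_DIS", ACTVT="02", DICBERCLS="ZFIN"))
    # With both instances, the full one satisfies the check for any table group.
    print(authority_check(ROLE, "S_TABU_DIS", ACTVT="02", DICBERCLS="ZHR"))
    # The review helper points at the ineffective restriction.
    print(shadowed_instances(ROLE))
```

The same additive rule applies across roles, so the review helper is most useful when run over the combined authorizations of all roles assigned to a user.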

Similar Messages

  • Do SAP Security Notes contain hacker and/or virus defence?

    Dear SCN fellows,
    I am new to this community and generally new to asking for SAP help in discussions and blogs.
    I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
    I am investigating a company's SAP Security settings against its policy and global market standards. I have identified that since our SAP rollout SAP Security notes patches have not been maintained. RSECNOTE provides a large list of missing security notes. I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software I guess.
    Can anyone advise if my thoughts and questioning are heading in the right direction or have I got the concept of SAP Security Notes completely wrong?
    Thank you kindly.
    Paul

    Hi Paul,
    I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
    SAP releases respective security notes as per the loophole identification.  Once you run RSECNOTE you get the list of all applicable notes to your software release.
    Applying these notes will help you to remove the vulnerability SAP identified, so yes, it contains a solution to remove the vulnerability.
    I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software I guess.
    Could you please elaborate? It is not that clear to me.
    BR,
    Mangesh

  • SAP Security Career Growth

    Hi Gurus,
    Could you please provide SAP Security Consultant Career Growth

    I would suggest that a good start would be not asking for points on the security forum if you wish to be taken seriously.
    You should also aim to develop the following:
    - Good understanding of SAP Authorisation Concept (lots of people don't get the basics right)
    - Have an overview of the main business processes
    - Understand risk management from a business and a technical perspective (understand not just the how, but the why's of security)
    - Appreciation of SAP Audit. If you don't understand what they are looking for then how can you start to secure your system?
    You can also look at SAP courses ADM940, ADM950, ADM960
    Hope that helps

  • SAP XI and SAP Security...

    Hi Friends..
    I am an ABAP Developer in the U.S. and planning to change my field into either SAP XI or SAP Security...
    Can you please suggest me depending on the current market which field is better to choose and which one is in demand and has good pay..
    I appreciate your proper guidance for the change of my career..
    Thanks,

    Kanthi,
    SAP XI seems to be doing pretty well and you should be able to find something eventually. That is not to say that SAP Security is not a good choice, but jumping into SAP Security would be a totally new concept (unless you have already been exposed to that area as part of your ABAP experience).

  • Frustrated. Need Advice on SAP Security Implementation!!!

    I'm very frustrated with my latest project and I would really appreciate your feedback.
    I recently joined a company that's implementing SAP. They are already in the realization phase and will soon enter the final preparation stage. I was brought in to implement SAP Security. I was provided with a  compiled list of roles and tcodes based on the blueprints from the teams and this was my starting point.
    I wanted to do a presentation with the teams so that we all know what my expectations/requirements are from them and vice versa. In preparation for this, I gathered their processes from their blueprints. I wanted them to break each process into detailed activities/tasks/functions. From there, they can identify the tcodes and then the roles. I also wanted to do this approach because the company is following SOX regulations. I showed this to my team lead and the PM and the PM advised me not to go with this strategy because there would be too much work involved. I wanted this approach because I also wanted to do the SOD but I was told not to do it because it would only confuse them. He just wanted to work on polishing the list of roles and tcodes.
    Some teams leads are all experienced people while other teams are not because they are working with an employee from the company. Kinda like a partnership, 1 is a consultant while the other is a team lead from the company. Which I believe is normal practice so that there is knowledge transfer.
    So I had my presentation and I found out that most of the team leads have not seen this compilation of roles and tcodes. I also found out that even though they are already in the realization stage, majority of the teams have no idea what roles to give nor do they know who to give it to. I also asked for the org chart from the HR team but I was told that they still don't have it and cannot give it to me. They even asked me why I need it. They also informed me that HR structural authorizations are not going to be implemented and yet nobody can give me a damn good reason why. All they tell me is that because they don't need it.
    So as you can see, I'm not getting the cooperation/support I need to be able to do my job properly. How can I when every strategy I wanted to do is being turned down? What should I do? Really need your advice on how to proceed. Your inputs are highly appreciated.
    Thanks in advance!

    Julius, Auke and Alex,
    I'm sure everyone would agree that the advice you guys offer is more than valuable. Thank you for that.
    I myself have been encountering the same situation that Litz is facing except for that in my case the Management is very co-operative (and trust me, this helps a lot). My problem is that neither me nor my Management know what access needs to be given to Consultants or IT Staff after GoLive or even now. The Functional Consultants "don't have the time" to tell me what Tcodes they need access to, and they insist that they should have sap_all, and I have no idea what access they SHOULD have.
    I was going to post another thread for my questions but I guess there are already too many which address the same issue. These threads did give me a good insight on how SAP Security should be managed, and I was able to get some of it chalked out. I have a few questions though, which I wasn't too sure about even after reading through the countless threads.
    Most consultants in my company had sap_all in QA since no one knew what they should have, and often we had noticed that they would be playing with the Basis Tcodes. Now knowing what they have been doing in QA, I do not want to give them sap_all in Prod (although they insisted) at any cost. So, I made a role (z:sap_all), copied sap_all, disabled Basis Tcodes and assigned it to them. Then I kept adding Tcodes one by one on request basis.
    We haven't gone Live (they say that we are still in testing phase since the final cutover is due in the next few weeks) yet and I know that this cannot work after Go-Live since z:sap_all has Tcodes like SE38, AL11, SM50 etc in Prod. They say that they need these to do processing and it is okay to give it to them since we haven't gone live. I would also like to mention that my company is trying to get SOX compliant and needs these things in place.
    I have been entrusted a BIG responsibility and am trying my best to live up to the expectations and I am relying on you guys to help me out. All the Business Roles are in place, and it's just the IT roles that I'm worried about.
    So, my questions are
    1. Until how long is it okay for Functional Consultants to have this kind of access in Prod ?
    2. After we Go-Live, would a display only role for all functional Tcodes suffice for them? Or should they have Basis Tcodes too? If yes, which ones (I'm asking this because I know that it should be minimal)
    3. I have been told to create an "IT-Support role" by the Manager of the Implementation Partner for after GoLive. But he has no idea what T-codes it should have or what it does. Any ideas on this?
    4. I have read about the "firefighting role". I'm guessing that the IT Support Role is the same as this. But what exactly does the firefighting role have? And in what situations is it assigned?
    5. How important is the period before the final Cutover as far as SOX compliance goes?
    A little enlightenment on the common issues encountered after Go Live would also help me assess the situation a lot better.
    I hope I'm not asking too much of your time here. Thank you again guys!! Appreciate it!
    Kunal

  • SAP Security handover from the Onshore Implementation team Documents

    Dear All,
    We are an Implementation & Support Team and we are getting SAP Security handover from the Onshore Implementation team where in future we ought to continue the Implementation.
    Please could you let me know what other documents we require for handling the complete security landscape for our scenario!
    CRM, BI, BS, SOLMAN, EP and PI
    Please suggest any other documents besides the below or any other specific details with respect to each Module,
    • Enterprise-Wide Role Matrix
    • Role Implementation Framework Prototype
    • User Authorization and Strategy Management Procedures
    • User Role and Authorization Concept Technical Design
    • SAP Security Organization Hierarchy Requirements
    • Transaction to Role Mapping
    • Role to Position Mapping
    • Available authorization policy documents
    • Role matrix with segregation of Duties
    Many Thanks

    What do you have defined for your support?
    Presumably you have quoted a price per call but what do you cover and how do you calculate the charge to your client?
    Please let me know so that I can undercut your quote.
    Damn - forgot to ask who your client was and the contact name.
    Cheers
    David
    Edited by: David Berry on Feb 11, 2011 12:29 AM
    Edited by: David Berry on Feb 11, 2011 12:30 AM

  • Part-time OR online Phd sap security GRC

    Please help
    I am from India and interested in a part-time online PhD (SAP security GRC). I have recently done my M.Phil and MCA (both part-time) and have been working in the IT industry for 10 years and in SAP security for over 5+ years. Please guide me. I have done all my studies through distance education as I belong to a poor financial background, but I am studying as I have a very strong desire for education.
    Thanks in advance

    Hello
    I know that Central Michigan University has an online MBA with SAP emphasis:
    http://www.cel.cmich.edu/onlinemba/SAP/
    And they recently introduced two online Doctoral programs in Health Administration and Education (teaching), but not IT or business.
    Also look at the list of universities in India that are members.  Go to our Program Overview at University Alliances Overview
    And you will find a link on the right to "University Alliances around the World".  I know that Symbiosis offers some distance learning programs, but maybe not in SAP yet.
    It could be worth taking time to contact them about your request.
    Good Luck
    Bob LoBue

  • Where is com/sap/security/core/server/secstorefs/SecStoreFS?

    Hi,
    I am trying to create a Java client in NWDS that retrieves a DataSource object via JNDI from my XI 3.0 system.
    I have added the jars I could think of (connector.jar, jta.jar, sapj2eeclient.jar, sapopensta.jar, etc.) to my build path.
    When I attempt to retrieve the DataSource object via my Context I get the following exception:
    java.lang.NoClassDefFoundError: com/sap/security/core/server/secstorefs/SecStoreFS
         at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:798)
         at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
         at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:113)
         at com.sap.engine.services.dbpool.spi.DefaultConnectionManagerImpl.allocateConnection(DefaultConnectionManagerImpl.java:26)
         at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.createDBConnection(CommsChannelConfigurator.java:382)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.run(CommsChannelConfigurator.java:425)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.main(CommsChannelConfigurator.java:465)
    Exception in thread "main"
    Could someone please tell me which jar contains the class mentioned above?
    thanks
    Brian

    Hi all,
    Update to original question. I realised I was using a newer version of the openSQL API, so changed that.
    Now I get a different exception:
    java.lang.NoClassDefFoundError: com/sap/security/core/server/secstorefs/SecStoreFSException
         at java.lang.Class.getDeclaredConstructors0(Native Method)
         at java.lang.Class.privateGetDeclaredConstructors(Class.java:1618)
         at java.lang.Class.getConstructor0(Class.java:1930)
         at java.lang.Class.newInstance0(Class.java:278)
         at java.lang.Class.newInstance(Class.java:261)
         at com.sap.sql.connect.OpenSQLDataSource.newInstance(OpenSQLDataSource.java:148)
         at com.sap.sql.connect.OpenSQLDataSource.newInstance(OpenSQLDataSource.java:133)
         at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:102)
         at com.sap.engine.services.dbpool.spi.DefaultConnectionManagerImpl.allocateConnection(DefaultConnectionManagerImpl.java:26)
         at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
    Can anyone tell me where this class is?
    thanks
    Brian

  • Com.sap.security.core.ume.service failed. J2EE Engine cannot be started

    Hi,
    I have configured SNC on NetWeaver 7.0 (ABAP+JAVA) System on Windows 2003 Server with MS-SQL 2005 Database.
    After the SNC configuration restarted the Server but the JAVA Server process is going down with EXIT Code -11113. The SNC Configuration is working fine but JAVA is not running. SDM and dispatcher are in green but server process is going gray.
    I have checked the log files under C:\usr\sap\SID\DVEBMGS00\j2ee\cluster\server0\log
    The following is the part of log file.
    #1.5#005056BA6C3F001D0000000F000008D8000489ACAFC86070#1277274683393#com.sap.engine.core.service630.container.ServiceRunner##com.sap.engine.core.service630.container.ServiceRunner#######SAPEngine_System_Thread[impl:5]_71##0#0#Error#1#/System/Server#Java###Core service com.sap.security.core.ume.service failed. J2EE Engine cannot be started.
    [EXCEPTION]
    #1#com.sap.engine.frame.ServiceException: <Localization failed: ResourceBundle='com.sap.engine.frame.KernelResourceBundle', ID='UME initialization failed.', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key UME initialization failed.
         at com.sap.security.core.server.ume.service.UMEServiceFrame.start(UMEServiceFrame.java:372)
         at com.sap.engine.frame.ApplicationFrameAdaptor.start(ApplicationFrameAdaptor.java:31)
         at com.sap.engine.core.service630.container.ServiceRunner.startApplicationServiceFrame(ServiceRunner.java:214)
         at com.sap.engine.core.service630.container.ServiceRunner.run(ServiceRunner.java:144)
         at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
         at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:79)
         at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:105)
    Caused by: com.sap.security.core.persistence.datasource.PersistenceException: SNC required for this connection
         at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.newPersistenceException(R3PersistenceBase.java:178)
         at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.init(R3PersistenceBase.java:446)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactoryInstance.<init>(PrincipalDatabagFactoryInstance.java:356)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.newInstance(PrincipalDatabagFactory.java:156)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.getInstance(PrincipalDatabagFactory.java:109)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.getInstance(PrincipalDatabagFactory.java:56)
         at com.sap.security.core.InternalUMFactory.initializeUME(InternalUMFactory.java:266)
         at com.sap.security.core.server.ume.service.UMEServiceFrame.start(UMEServiceFrame.java:279)
         ... 6 more
    #1.5#005056BA6C3F001D00000011000008D8000489ACAFC8628E#1277274683393#com.sap.engine.core.Framework##com.sap.engine.core.Framework#######SAPEngine_System_Thread[impl:5]_71##0#0#Fatal#1#/System/Server#Plain###Critical shutdown was invoked. Reason is: Core service com.sap.security.core.ume.service failed. J2EE Engine cannot be started.#
    Please help me to solve the issue.
    Thanks,
    Ajay.

    Hi Tim,
    I have configured using the Kerberos library for 32 bit on NetWeaver 7.0 with MS SQL 2005 Server on Windows 2003 Server. I didn't change anything on the JAVA side. I have configured as per the Kerberos configuration steps as per the below URL
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm
    The configuration was successful and I am able to log in without being asked for a password, but after the configuration, when I restarted, everything on the ABAP side works well but the JAVA server process goes down with EXIT code -11113. One of the log files contains the following error message.
    com.sap.engine.frame.ServiceException: <Localization failed: ResourceBundle='com.sap.engine.frame.KernelResourceBundle', ID='UME initialization failed.', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key UME initialization failed.
         at com.sap.security.core.server.ume.service.UMEServiceFrame.start(UMEServiceFrame.java:372)
         at com.sap.engine.frame.ApplicationFrameAdaptor.start(ApplicationFrameAdaptor.java:31)
         at com.sap.engine.core.service630.container.ServiceRunner.startApplicationServiceFrame(ServiceRunner.java:214)
         at com.sap.engine.core.service630.container.ServiceRunner.run(ServiceRunner.java:144)
         at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
         at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:79)
         at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:105)
    Caused by: com.sap.security.core.persistence.datasource.PersistenceException: SNC required for this connection
         at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.newPersistenceException(R3PersistenceBase.java:178)
         at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.init(R3PersistenceBase.java:446)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactoryInstance.<init>(PrincipalDatabagFactoryInstance.java:356)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.newInstance(PrincipalDatabagFactory.java:156)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.getInstance(PrincipalDatabagFactory.java:109)
         at com.sap.security.core.persistence.imp.PrincipalDatabagFactory.getInstance(PrincipalDatabagFactory.java:56)
         at com.sap.security.core.InternalUMFactory.initializeUME(InternalUMFactory.java:266)
         at com.sap.security.core.server.ume.service.UMEServiceFrame.start(UMEServiceFrame.java:279)
         ... 6 more
    [Framework -> criticalShutdown] Core service com.sap.security.core.ume.service failed. J2EE Engine cannot be started.
    Jun 25, 2010 3:05:24 AM             com.sap.engine.core.Framework [SAPEngine_System_Thread[impl:5]_69] Fatal: Critical shutdown was invoked. Reason is: Core service com.sap.security.core.ume.service failed. J2EE Engine cannot be started.
    One of the lines says "SNC required for this connection". What does this mean? What else needs to be done for JAVA to communicate with ABAP?
    Thanks,
    Ajay.

  • Com/sap/security/core/server/secstorefs/SecStoreFS?

    Hi,
    I am trying to create a Java client in NWDS that retrieves a DataSource object via JNDI from my XI 3.0 system.
    I have added the jars I could think of (connector.jar, jta.jar, sapj2eeclient.jar, sapopensta.jar, etc.) to my build path.
    When I attempt to retrieve the DataSource object via my Context I get the following exception:
    java.lang.NoClassDefFoundError: com/sap/security/core/server/secstorefs/SecStoreFS
    at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:798)
    at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
    at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
    at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
    at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:113)
    at com.sap.engine.services.dbpool.spi.DefaultConnectionManagerImpl.allocateConnection(DefaultConnectionManagerImpl.java:26)
    at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
    at com.hclaxon.xi.tools.CommsChannelConfigurator.createDBConnection(CommsChannelConfigurator.java:382)
    at com.hclaxon.xi.tools.CommsChannelConfigurator.run(CommsChannelConfigurator.java:425)
    at com.hclaxon.xi.tools.CommsChannelConfigurator.main(CommsChannelConfigurator.java:465)
    Exception in thread "main"
    Could someone please tell me which jar contains the class mentioned above?
    thanks

    Hi,
    Please try this, it may be useful for you.
    tc_sec_secstorefs.jar in SDM\root\origin\sap.com\tc\sec\secstorefs\tc_sec_secstorefs.sda
    Thanks & Regards,
    Ravi.

  • Com.sap.security.core.server.secstorefs.WrongKeyException

    Hi,
    We have done a system copy. While starting the Java stack we are getting the below error.
    Caused by: com.sap.sql.log.OpenSQLException: Error while accessing secure store: The encryption key (usually in the key file) is not the key that is required to decrypt the data in the secure store file or the system name (SID) is wrong..
            at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:106)
            at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:145)
            at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:226)
            at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
            at com.sap.engine.core.configuration.impl.persistence.rdbms.DBConnectionPool.<init>(DBConnectionPool.java:112)
            ... 15 more
    Caused by: com.sap.security.core.server.secstorefs.WrongKeyException: The encryption key (usually in the key file) is not the key that is required to decrypt the data in the secure store file or the system name (SID) is wrong.
            at com.sap.security.core.server.secstorefs.SecStoreFS.openExistingStore(SecStoreFS.java:2017)
            at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:802)
            at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
            at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
            ... 17 more
    Caused by: com.sap.security.core.server.secstorefs.InvalidStateException: Internal error during the decryption process.
            at com.sap.security.core.server.secstorefs.Crypt.decrypt(Crypt.java:850)
            at com.sap.security.core.server.secstorefs.SecStoreFS.openExistingStore(SecStoreFS.java:1985)
            ... 20 more
    Caused by: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 30
            at iaik.security.cipher.s.b(Unknown Source)
            at iaik.security.cipher.w.a(Unknown Source)
            at iaik.security.cipher.w.engineDoFinal(Unknown Source)
            at javax.crypto.Cipher.doFinal(Unknown Source)
            at com.sap.security.core.server.secstorefs.Crypt.decrypt(Crypt.java:825)
            ... 21 more
    #1.#000255334607000000000015000640DE00046E8629009A5B#1247422399420#com.sap.engine.core.Framework##com.sap.engine.core.Framework#######Thread[Thread-1,5,main]##0#0#Error#1#/System/Server#Plain###Loading: ConfigurationManager returned false! #
    #1.#000255334607000000000017000640DE00046E8629009BC2#1247422399421#com.sap.engine.core.Framework##com.sap.engine.core.Framework#######Thread[Thread-1,5,main]##0#0#Error#1#/System/Server#Plain###Kernel not loaded. System halted.#
    #1.#00025533460700000000001A000640DE00046E862908A703#1247422399948#com.sap.engine.core.thread.impl5.ThreadManagerImpl##com.sap.engine.core.thread.impl5.ThreadManagerImpl#######Thread[Thread-1,5,main]##0#0#Error##Plain###Unexpected thread activity after interrupt() is executed in shutdown of SAPEngine_System_Thread[impl:5]_ThreadManager:
    Thread[SAPEngine_System_Thread[impl:5]_2]
    Task: com.sap.engine.core.thread.impl5.ActionObject - Processing Task [classname: com.sap.engine.core.cluster.impl6.JoinPortListener | toString: com.sap.engine.core.cluster.impl6.JoinPortListener@252e252e] with classloader [com.sap.engine.boot.CoreClassLoader@21d821d8]#
    Regards,
    Sam

    Hi,
    Check with this note,
    Note 791574 -
    Also
    Secure Storage for Application Specific Data
    Applications or application components, deployed on the J2EE Engine, can save sensitive data
    in encrypted form in a secure storage area in the J2EE Engine's configuration database. The
    data saved in this area is encrypted using a secret key that is created explicitly for the application
    or service. The J2EE Engine uses the triple DES algorithm to perform the encryption.
    You can use two approaches for storing and maintaining the encrypted data for the individual
    applications or application components:
    • Centralized storage
    With centralized storage, applications or application components use the Secure Storage
    service on the J2EE Engine to encrypt and decrypt the data. This data is also stored in the
    corresponding secure storage context on the J2EE Engine. You can control the
    parameters of this secure storage area from the properties of the Configuration Manager.
    For more information
    • Decentralized storage
    With decentralized storage, the applications and application components maintain their own
    storage area for the encrypted data. They only use the Secure Storage service on the
    J2EE Engine to retrieve the key, which is necessary to encrypt and decrypt the data.
    Regards,
    Ravi

  • What are the Essentials for a Sap Security Consultant.

    Hi Gurus,
    I have completed an implementation in which I alone handled the entire Security. It is a defense client.
    Now I am technically expert at security. But I have no functional knowledge.
    Implementing Security in SAP, one needs to have knowledge of the functional process as well. The courses are purely technical stuff, and I have a good idea of the technical stuff.
    The question is what is a SAP Security Consultant expected to know? And how to go about acquiring that knowledge?

    Hi Hussain,
    There is a little bit of release-dependent-everything in this thread: Authorization for VAP2 in conflict with VD02 for F_KNA1_GRP
    Try to solve it and you will understand that you need the requirements (without that you are anyway doomed) and the knowledge and the appropriate access to create / test it.
    BAPIs are remote enabled stable interfaces to SAP standard functionality. They are the best examples of combining functional, technical and standard skills in a sustainable way without creating a mess (a mess, way beyond the bounds of your concerns...).
    If you learn to use the available tools and information sources, then you don't need to stress about the essentials, even if your customer makes a design error before or after your advice.
    Cheers,
    Julius

  • Post-upgrade ToDo, PI configuration Wizard: com.sap.security.api.DuplicateKeyException Group found, but unique name "SAP_SLD_DATA_SUPPLIER" is not unique!

    after PI-Upgrade to NW-PI-731-SP07,  executing the PI-configuration wizard:
    step 126 of 162
    Assign SLD Data Supplier user to Group SAP_SLD_DATA_SUPPLIER (local SLD)
    Error:
    Group found, but unique name "SAP_SLD_DATA_SUPPLIER" is not unique!
    Execute Java Service
    Library: sap.com/tc~lm~ctc~util~core_ear
    Class: com.sap.ctc.util.core.services.UserFacade
    Method: void com.sap.ctc.util.core.services.UserFacade.addUserToGroup(java.lang.String, java.lang.String)
    Arguments (2)
    userName : SLD_DS_EXE
    groupName : SAP_SLD_DATA_SUPPLIER
    InvokeService- Result: ERROR
    Refresh Env. Messages: false
    Duration: 1.936 sec
    Library Info
    Default Trace
    Exception Class: com.sap.security.api.DuplicateKeyException
    Exception Message: Group found, but unique name "SAP_SLD_DATA_SUPPLIER" is not unique!
    com.sap.security.api.DuplicateKeyException: Group found, but unique name "SAP_SLD_DATA_SUPPLIER" is not unique!
    at com.sap.ctc.util.infra.rfc.BaseConfig.dispatchException(BaseConfig.java:230)
    at com.sap.ctc.util.core.services.impl.ume.java.GroupJavaImpl.verify(GroupJavaImpl.java:121)
    at com.sap.ctc.util.core.services.impl.ume.DualGroupImpl.verify(DualGroupImpl.java:118)
    at com.sap.ctc.util.core.services.content.ume.UserService.addToGroup(UserService.java:725)
    at com.sap.ctc.util.core.services.UserFacade.addUserToGroup(UserFacade.java:288)
    what to do?
    ============
    o.k.
    https://service.sap.com/sap/support/notes/1016283
    first run the UME consistency check => found some inconsistency => did repair UME
    then run again UME consistency check => found no more inconsistency !!
    then again - try to run the PI-Upgrade-Wizard => but again error on executing .....

    See these SAP notes:
    http://service.sap.com/sap/support/notes/1617234
    http://service.sap.com/sap/support/notes/1661135
    http://service.sap.com/sap/support/notes/1678815
    http://service.sap.com/sap/support/notes/1626747

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
    I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight?
    b) Do you want to implement a versioning mechanism?
    c) You cannot implement anything technical, but you're asking about best "paper" practice?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
    Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) do you guys use custom approval workflows for roles?
    b) how tight are your processes? how much paperwork, workflow, tickets, requests and incidents do you have to go through to change a role?
    c) who is a friend of GRC here, raise your hand
    Cheers Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

  • SAP Security On A New SAP Implementation

    Hi Gurus,
    I'm going to be part of a team that will be implementing SAP Security with a company that's implementing SAP. My experience has always just been on the maintenance and support and I was wondering security wise, what's involved during the implementation stage. What are the things to be done or considered when implementing SAP Security? Are there steps to be followed? What is the best strategy for implementing authorizations?
    Thanks in advance for answering my questions and enlightening my junior mind.
    JB

    Hi,
    The SAP Security implementation process follows the Authorisation Methodology. In this we need to follow the phases, which are:
    1. _Requirement_: In this, the implementing partner team communicates with the end user and prepares the S.O.D. As per the S.O.D., the implementing partners prepare the _Role matrix_.
    2. _Analysis_: As per the role matrix, based on rules and regulations, consultants educate the end user.
    3. *Implementation*: As per the role matrix, single roles, composite roles and derived roles will be developed, securing tables, reports and transactions which are critical.
    4. Quality check and test: Developed roles are moved to the quality system and testing will be done; as per approval from the decision maker, roles are moved to the production server.
    5. Cutover: These roles are assigned to the users and the system goes live.
    Underlined and bold words, please concentrate deeply.
    Thank you.
