SAP XI Security Roles

Hi
I am looking forward for the complete list of SAP XI standard roles and their details and description.
Is there any document or link where I can get this information?Security Guide for XI does not contain this list.
Thanks

Hi,
The following is the complete list of the SAP XI pre-defined roles. And you can check the detail information for these roles in the Role Maintenance tool (TX PFCG).
Pre-defined roles for dialog users:
        SAP_XI_DISPLAY_USER
        SAP_XI_DEVELOPER
        SAP_XI_CONFIGURATOR
        SAP_XI_CONTENT_ORGANIZER
        SAP_XI_MONITOR
        SAP_XI_ADMINISTRATOR
        SAP_SLD_ADMINISTRATOR
        SAP_SLD_CONFIGURATOR
Pre-defined roles for service users:
        SAP_XI_IR_SERV_USER
        SAP_XI_ID_SERV_USER
        SAP_XI_APPL_SERV_USER
        SAP_XI_RWB_SERV_USER_MAIN
        SAP_BC_AI_LANDSCAPE_DB_RFC
        SAP_XI_IS_SERV_USER_MAIN
        SAP_XI_AF_SERV_USER_MAIN
        SAP_XI_CMS_SERV_USER
Please don't forget to reward.
Regards,
William
Message was edited by: William Wu
Message was edited by: William Wu

Similar Messages

Need Security Roles Material

Hi Guys,
Can anybody tell how to create & maintain security roles in SAP BW & security role administration in Business Objects 3.x.
Some material with screen shots describing step by step process of creation & maitainence will be helpful.
Thanks,
yogitha

Hi,
Some links which can help you in giving some idea.
http://help.sap.com/bp_bw370/documentation/Authorization_BW_Proj.pdf
http://www.sap.com/germany/about/company/revis/pdf/DS_Leitfaden_BW_en.pdf
http://www.mariewagener.de/files/active/0/Sicherheitsleitfaden_SAP_BW.pdf
http://aninda-gupta.com/sapsecuritypages/topics/sap-bw-security/
Hope it helps

Advice needed: what does your company log for SAP security role changes?

My client has a situation where for many years, they never logged changes to SAP security roles. By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!! Sadly their ticketing system is terrible, completely free-form text and not even searchable.
Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system? I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations. It's really weird but they will get into big trouble eventually without any logs for security changes!

Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I have questions:
a) Do you want to make things straight
b) Do you want to implement a versioning mechanism
c) You cannot implement anything technical, but you`re asking about best "paper" practise?
The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
PFCG transaction usage will be curtailed to minimum if implemented fully.
Do we really want to do things "outside" PFCG?
@all:
a) do you guys use custom approval workflows for roles?
b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
c) who is a friend of GRC here, raise your hand
Cheers Otto
p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

Difference between SAP CRM Security and SAP ECC 6.0 security

Hi
I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
Can anyone please let me know the difference between CRM security compared to ECC security.
Thanks...

I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
really sad.....
The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
2) If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
another example is business transaction processing...which can be launched by:
a very generic transaction code: CRMD_ORDER
transaction category related transaction codes :e.g.
> CRMD_BUS2000126 for activity management
> CRMD_BUS200115 for Sales processes
Again...allowed activity is not controlled by the tcode, but on authorization object level...
3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links.... controlled by object UIU_COMP.
However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
cheers
Davy Pelssers

Problem with security role

Hello,
I have Enterpise Portal 7.0 SP13 instance (only Java stack installed). My enviroment is AIX 5.3 and Oracle 10.
This instance has a lot of security alerts in the default trace log, like this:
#1.5^H#C2B30000C03D006400000039000A9084000443246AFD6467#1199723599717#com.sap.engine.services.security.roles.SecurityRoleImpl##com.sap.engine.services.security.roles.SecurityRoleImpl#j2ee_admin#1208####41667d10bd3e11dccc51c2b30000c03d#SAPEngine_Application_Thread[impl:3]_5##0#0#Error#1#/System/Security/Audit/J2EE#Java###:Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.ERROR#SAP-J2EE-Engine#guests#
Anyone knows what is it?
Regards
Rodrigo

I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

Security role with alias KeystoreAdministrator does not exist.

i have a error trying to start the java engine of a Solution Manager 4.0 SR2 on AIX with ibm jdk SR9
the next log is about the std_server0.out
i do not how to create the alias because i can not connect using Visual Administrator because the server not start
stdout/stderr redirect
node name : server0
pid : 995354
system name : SMS
system nr. : 00
started at : Wed Aug 13 18:26:36 2008
[Thr 1] Wed Aug 13 18:26:37 2008
[Thr 1] MtxInit: -2 0 0
<?xml version="1.0" ?>
<verbosegc version="200708_30">
SAP J2EE Engine Version 7.00 PatchLevel 108458.44 is starting...
Loading: LogManager ... 2643 ms.
Loading: PoolManager ... 2 ms.
Loading: ApplicationThreadManager ... 837 ms.
Loading: ThreadManager ... 54 ms.
Loading: IpVerificationManager ... 12 ms.
Loading: ClassLoaderManager ... 14 ms.
Loading: ClusterManager ... 226 ms.
Loading: LockingManager ... 68 ms.
Loading: ConfigurationManager ... 86617 ms.
Loading: LicensingManager ... 28 ms.
Loading: CacheManager ... 159 ms.
Loading: ServiceManager ...
Loading services.:
Service cross started. (75 ms).
Service memory started. (98 ms).
Service runtimeinfo started. (115 ms).
Service trex.service started. (87 ms).
Service file started. (156 ms).
Service timeout started. (159 ms).
Service userstore started. (19 ms).
Service jmx_notification started. (78431 ms).
Service p4 started. (188119 ms).
Service classpath_resolver started. (63 ms).
<af type="nursery" id="1" timestamp="Wed Aug 13 18:32:05 2008" intervalms="0.000">
<minimum requested_bytes="48" />
<time exclusiveaccessms="1.635" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="1" totalid="1" intervalms="0.000">
 <flipped objectcount="253990" bytes="19242624" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="644" weak="1" phantom="0" />
 <finalization objectsqueued="1363" />
 <scavenger tiltratio="50" />
 <nursery freebytes="190330424" totalbytes="209715200" percent="90" tenureage="10" />
 <tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="107.395" />
</gc>
<nursery freebytes="190328376" totalbytes="209715200" percent="90" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="110.754" />
</af>
Service deploy started. (4055 ms).
Service bimmrdeployer started. (7 ms).
Service MigrationService started. (70 ms).
Service log_configurator started. (194277 ms).
Service locking started. (8 ms).
Service http started. (295 ms).
Service naming started. (626 ms).
Service failover started. (112 ms).
Service appclient started. (140 ms).
Service javamail started. (218 ms).
Service ts started. (220 ms).
Service jmsconnector started. (207 ms).
Service licensing started. (22 ms).
Service connector started. (212 ms).
Service configuration started. (32 ms).
Service iiop started. (316 ms).
Service webservices started. (706 ms).
Service dbpool started. (25283 ms).
<af type="nursery" id="2" timestamp="Wed Aug 13 18:33:36 2008" intervalms="91291.585">
<minimum requested_bytes="768" />
<time exclusiveaccessms="0.302" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="2" totalid="2" intervalms="91293.279">
 <flipped objectcount="353647" bytes="28752016" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="1056" weak="0" phantom="0" />
 <finalization objectsqueued="2858" />
 <scavenger tiltratio="50" />
 <nursery freebytes="180516672" totalbytes="209715200" percent="86" tenureage="11" />
 <tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="90.892" />
</gc>
<nursery freebytes="180514624" totalbytes="209715200" percent="86" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="92.831" />
</af>
Service com.sap.security.core.ume.service started. (64165 ms).
Service tcdisdic~srv started. (815 ms).
Service security started. (911 ms).
Service classload started. (43 ms).
Service applocking started. (132 ms).
Service shell started. (216 ms).
Service tceCATTPingservice started. (21 ms).
Service telnet started. (60 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [service_ssl] and user [null] not generated; Consequences: keystore view [service_ssl] is not created for user [null]; Countermeasures:see log for details
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TrustedCAs] and user [null] not generated; Consequences: keystore view [TrustedCAs] is not created for user [null]; Countermeasures:see log for details
Service webdynpro started. (699 ms).
Service keystore started. (952 ms).
Service ssl started. (56 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TicketKeystore] and user [null] not generated; Consequences: keystore view [TicketKeystore] is not created for user [null]; Countermeasures:see log for details
Service ejb started. (1367 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service tcseccertrevoc~service started. (286 ms).
Service tcsecsecurestorage~service started. (379 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service servlet_jsp started. (1783 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Timed out services:
Service com.adobe~DataManagerService > hard reference to service jmx.
Service com.adobe~TrustManagerService > hard reference to service jmx.
Service cafumrelgroupsimp > hard reference to service cafummetadataimp.
Service com.adobe~PDFManipulation > hard reference to service jmx.
Service adminadapter > hard reference to service jmx.
Service pmi > hard reference to service tcsecdestinations~service.
Service jms_provider > hard reference to service jmx.
Service sld > service sld start method invoked.
Service jmx > service jmx start method invoked.
Service rfcengine > hard reference to service jmx.
Service tcsecsaml~service > hard reference to service adminadapter.
Service com.adobe~LicenseService > hard reference to service basicadmin.
Service com.adobe~DocumentServicesConfiguration > hard reference to service basicadmin.
Service tcsmdserver~service > hard reference to service jmx.
Service com.adobe~DocumentServicesDestProtoService > hard reference to service jmx.
Service cafummetadataimp > service cafummetadataimp start method invoked.
Service tcsecvsiservice > hard reference to service tcsecdestinationsservice.
Service tcsecdestinationsservice > service tcsecdestinationsservice start method invoked.
Service dsr > hard reference to service security.
Service monitor > hard reference to service jmx.
Service cafruntimeconnectivityimpl > service cafruntimeconnectivityimpl start method invoked.
Service tclmctcconfsservice_sda > hard reference to service jmx.
Service CUL > hard reference to service jmx.
Service tc.monitoring.logviewer > hard reference to service jmx.
Service apptracing > hard reference to service jmx.
Service com.adobe~XMLFormService > hard reference to service jmx.
Service tcsecwssecservice > service tcsecwssecservice start method invoked.
Service com.adobe~FontManagerService > hard reference to service jmx.
Service com.adobe~DocumentServicesLicenseSupportService > hard reference to service jmx.
Service com.adobe~DocumentServicesBinaries2 > hard reference to service jmx.
Service basicadmin > hard reference to service jmx.
[Framework -> criticalShutdown] 3 core services have timed out [adminadapter; jmx; basicadmin].
Aug 13, 2008 6:33:53 PM com.sap.engine.core.Framework [Thread[Thread-1,5,main]] Fatal: Critical shutdown was invoked. Reason is: 3 core services have timed out [adminadapter; jmx; basicadmin].
</verbosegc>

i have a error trying to start the java engine of a Solution Manager 4.0 SR2 on AIX with ibm jdk SR9
the next log is about the std_server0.out
i do not how to create the alias because i can not connect using Visual Administrator because the server not start
stdout/stderr redirect
node name : server0
pid : 995354
system name : SMS
system nr. : 00
started at : Wed Aug 13 18:26:36 2008
[Thr 1] Wed Aug 13 18:26:37 2008
[Thr 1] MtxInit: -2 0 0
<?xml version="1.0" ?>
<verbosegc version="200708_30">
SAP J2EE Engine Version 7.00 PatchLevel 108458.44 is starting...
Loading: LogManager ... 2643 ms.
Loading: PoolManager ... 2 ms.
Loading: ApplicationThreadManager ... 837 ms.
Loading: ThreadManager ... 54 ms.
Loading: IpVerificationManager ... 12 ms.
Loading: ClassLoaderManager ... 14 ms.
Loading: ClusterManager ... 226 ms.
Loading: LockingManager ... 68 ms.
Loading: ConfigurationManager ... 86617 ms.
Loading: LicensingManager ... 28 ms.
Loading: CacheManager ... 159 ms.
Loading: ServiceManager ...
Loading services.:
Service cross started. (75 ms).
Service memory started. (98 ms).
Service runtimeinfo started. (115 ms).
Service trex.service started. (87 ms).
Service file started. (156 ms).
Service timeout started. (159 ms).
Service userstore started. (19 ms).
Service jmx_notification started. (78431 ms).
Service p4 started. (188119 ms).
Service classpath_resolver started. (63 ms).
<af type="nursery" id="1" timestamp="Wed Aug 13 18:32:05 2008" intervalms="0.000">
<minimum requested_bytes="48" />
<time exclusiveaccessms="1.635" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="1" totalid="1" intervalms="0.000">
 <flipped objectcount="253990" bytes="19242624" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="644" weak="1" phantom="0" />
 <finalization objectsqueued="1363" />
 <scavenger tiltratio="50" />
 <nursery freebytes="190330424" totalbytes="209715200" percent="90" tenureage="10" />
 <tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="107.395" />
</gc>
<nursery freebytes="190328376" totalbytes="209715200" percent="90" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="110.754" />
</af>
Service deploy started. (4055 ms).
Service bimmrdeployer started. (7 ms).
Service MigrationService started. (70 ms).
Service log_configurator started. (194277 ms).
Service locking started. (8 ms).
Service http started. (295 ms).
Service naming started. (626 ms).
Service failover started. (112 ms).
Service appclient started. (140 ms).
Service javamail started. (218 ms).
Service ts started. (220 ms).
Service jmsconnector started. (207 ms).
Service licensing started. (22 ms).
Service connector started. (212 ms).
Service configuration started. (32 ms).
Service iiop started. (316 ms).
Service webservices started. (706 ms).
Service dbpool started. (25283 ms).
<af type="nursery" id="2" timestamp="Wed Aug 13 18:33:36 2008" intervalms="91291.585">
<minimum requested_bytes="768" />
<time exclusiveaccessms="0.302" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="2" totalid="2" intervalms="91293.279">
 <flipped objectcount="353647" bytes="28752016" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="1056" weak="0" phantom="0" />
 <finalization objectsqueued="2858" />
 <scavenger tiltratio="50" />
 <nursery freebytes="180516672" totalbytes="209715200" percent="86" tenureage="11" />
 <tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="90.892" />
</gc>
<nursery freebytes="180514624" totalbytes="209715200" percent="86" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="92.831" />
</af>
Service com.sap.security.core.ume.service started. (64165 ms).
Service tcdisdic~srv started. (815 ms).
Service security started. (911 ms).
Service classload started. (43 ms).
Service applocking started. (132 ms).
Service shell started. (216 ms).
Service tceCATTPingservice started. (21 ms).
Service telnet started. (60 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [service_ssl] and user [null] not generated; Consequences: keystore view [service_ssl] is not created for user [null]; Countermeasures:see log for details
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TrustedCAs] and user [null] not generated; Consequences: keystore view [TrustedCAs] is not created for user [null]; Countermeasures:see log for details
Service webdynpro started. (699 ms).
Service keystore started. (952 ms).
Service ssl started. (56 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TicketKeystore] and user [null] not generated; Consequences: keystore view [TicketKeystore] is not created for user [null]; Countermeasures:see log for details
Service ejb started. (1367 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service tcseccertrevoc~service started. (286 ms).
Service tcsecsecurestorage~service started. (379 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service servlet_jsp started. (1783 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Timed out services:
Service com.adobe~DataManagerService > hard reference to service jmx.
Service com.adobe~TrustManagerService > hard reference to service jmx.
Service cafumrelgroupsimp > hard reference to service cafummetadataimp.
Service com.adobe~PDFManipulation > hard reference to service jmx.
Service adminadapter > hard reference to service jmx.
Service pmi > hard reference to service tcsecdestinations~service.
Service jms_provider > hard reference to service jmx.
Service sld > service sld start method invoked.
Service jmx > service jmx start method invoked.
Service rfcengine > hard reference to service jmx.
Service tcsecsaml~service > hard reference to service adminadapter.
Service com.adobe~LicenseService > hard reference to service basicadmin.
Service com.adobe~DocumentServicesConfiguration > hard reference to service basicadmin.
Service tcsmdserver~service > hard reference to service jmx.
Service com.adobe~DocumentServicesDestProtoService > hard reference to service jmx.
Service cafummetadataimp > service cafummetadataimp start method invoked.
Service tcsecvsiservice > hard reference to service tcsecdestinationsservice.
Service tcsecdestinationsservice > service tcsecdestinationsservice start method invoked.
Service dsr > hard reference to service security.
Service monitor > hard reference to service jmx.
Service cafruntimeconnectivityimpl > service cafruntimeconnectivityimpl start method invoked.
Service tclmctcconfsservice_sda > hard reference to service jmx.
Service CUL > hard reference to service jmx.
Service tc.monitoring.logviewer > hard reference to service jmx.
Service apptracing > hard reference to service jmx.
Service com.adobe~XMLFormService > hard reference to service jmx.
Service tcsecwssecservice > service tcsecwssecservice start method invoked.
Service com.adobe~FontManagerService > hard reference to service jmx.
Service com.adobe~DocumentServicesLicenseSupportService > hard reference to service jmx.
Service com.adobe~DocumentServicesBinaries2 > hard reference to service jmx.
Service basicadmin > hard reference to service jmx.
[Framework -> criticalShutdown] 3 core services have timed out [adminadapter; jmx; basicadmin].
Aug 13, 2008 6:33:53 PM com.sap.engine.core.Framework [Thread[Thread-1,5,main]] Fatal: Critical shutdown was invoked. Reason is: 3 core services have timed out [adminadapter; jmx; basicadmin].
</verbosegc>

Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

Hello -
We have recently upgrade from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first create a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now was have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked on line, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
thanks
 George

This is how I used this program:
A. Generate required authorization objects
1. T-Code: SA38
2. Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
3. Select your Business Role.
4. Choose language EN.
5. Choose Execute.
Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
B. Assign authorization objects
1. T-Code: PFCG
2. Enter your Role and choose Change.
3. On the Menu tab choose Import from file and upload the file previously created.
4. Choose Save.
Then adapt the authorizations if needed and choose Generate.
Stephanie.

CAreer in SAP BASIS comaprision with SAP GRC/Security

Hi Everyone,
I am an SAP BASIS consultant with 2 years of experience working in a MNC company,
I want to change my career to SAP GRC/SAP Security, i have some basic knowledge on SAP Security,
COuld you please advice me, which one to choose,?
Does SAP GRC/Security has demand , and can we get oportunities to work abroad compared to SAP BASIS ?
which one has more scope SAP BASIS or SAP Security/GRC ?
Because in BASIS, i am not getting enough scope to work on some good things like Installation, upgrades, Migration,
i am doing a very basic kind of work like tranports, job scheduling, monitoring, and other small activities ?
So request you people to advice me ?
<removed_by_moderator>
Read the "Rules of Engagement"
regards
Rakesh Rao
Message was edited by: Juan Reyes

Hi Rakesh
I saw your post in GRC and was waiting of it to appear here
First up - 2 years is still junior. You may find batch jobs, transports, monitoring, etc all mundane but it is a foundation and learning ground work and foundations to being a good Basis Administration. And one things for sure, an awesome basic (I name my best-techy-friend) makes a huge difference on project timelines and deliverables for the rest of us.
Installation and Upgrades come with time. Whilst still performing junior tasks you could focus on reading up on approaches in case an opportunity in your job comes us and be prepared to prove to your management that you are ready for a bigger responsibility.
Switching to GRC/Security would be pointless unless you have a desire to learn GRC or Security. These are my background and they are undervalued until things go wrong (insurance policy in a way).
If you do switch you will reset your 2 years of domain experience back to 0 and you will start off with password resets and basic user administration
It takes time to work through the ranks. It was 3 years before I got to build my first role. I spent my first few years in security on email chasing approvals, password resets, user account creation, running reports for audit - sounds familiar to what you are doing now?
You have to master the basics before you are trusted and ready for the more complex activities. By knowing what you are doing now you will be more successful when the time comes to step up and do migrations, upgrades and installations. Support production by mastering you technical analysis skills is how you can break through being a fresher/junior
Regards
Colleen
Ps - if your motivation is more than "good things" happy to answer questions specific to security and GRC.
Also, boring doesn't mean it can't get interesting nor does it mean it's a worthless activity: SPAU transport imported before patching!!
Message was edited by: Colleen Lee
Added link for when transports go bad

How do I map declared security role to an actual operational one?

Hello,
Suppose I have created few security roles at the ejb-jar.xml file of my J2EE application using:
<security-role>
<role-name> managers <role-name>
</security-role>
Our portal is connected to our LDAP server so the WAS contains all the groups it has over there.
My question is: How do I actualy map the security role I declared at the deployment descriptor (manager) to an actual group in our organization?

Hi Roy,
Are you familiar with thishttp://help.sap.com/saphelp_nw04/helpdata/en/1a/733e401b21e801e10000000a155106/frameset.htm ?
Best regards, Maksim Rashchynski.

Security Role for RZ70

Hi Guys,
Which security role provides access to RZ70. Also when I added all the SLD roles I am told I do not have authority to change SLD administration, instead of not being authorized for the transaction.
Regards,
Chris

Hi,
It seems your SLD hasnt been registered onto the SAP gateway.
Have you setup your Data Supplier Bridge properly Access information in T-code SLDAPICUST
check this post
Re: No Message Server defined
tcode rz70 ( program RSLDADM ) is part of SAPKB62019. In this report you could check if any special Security roles have added
Refer,
Re: RZ70
Re: Accesing multiple R/3 systems from WD application
Thanks
swarup
Edited by: Swarup Sawant on Feb 23, 2008 4:43 AM

NWA 7.3 : Looking for "security roles" (Policy Configuration) ...

Hi guys,
We deployed a simple application in our new SAP NW 7.3 JAVA instance; by calling the application, we receive "error 403 : Error: You are not authorized to view the requested resource."; this was fixed wihtin NW 7.x by adding a user/group within security roles of the selected component ( Visual Admin => Security Provider => Policy Configurations => select component and than security roles );
where to do this within NWA 7.3 ?
any ideas;
Thanks
Oliver

Hi Oliver,
Procedure
Start SAP NetWeaver Administrator with the quick link /nwa/auth.
Choose Components.
Select a policy configuration.
On the Authentication Stack tab, choose the Edit pushbutton.
Determine if you want to use an existing template or if you want to change the policy configuration of the current component.
To use an existing template, select a template from the Used Template field.
For authscheme references, select a template from Used Authscheme.
The component uses the settings and authentication stack from the template. To edit these settings, edit the settings of the policy configuration template. To create a new template, see Creating Authentication Stack Templates for Policy Configurations.
To change the policy configuration of the current component, do the following:
Add and remove login modules as required.
The system applies the login modules in the order they appear in the list.
Set a processing flag for each login module.
For more information about login module flags, see Policy Configurations and Authentication Stacks.
Add and remove any options to the login modules.
Set the authentication stack parameters according to the type of policy configuration.
Please,go through below help file
http://help.sap.com/saphelp_nw73/helpdata/en/4a/734e26fa92731fe10000000a42189c/frameset.htm
Cheers
Revanth Pasupuleti

BW Security roles

Hello Guru's,
I am trying to setup different security roles in BW like developer, admin, report user.
It would be great if somebody can share the authorizations required for these three roles.
For report user, I have provided S_RS_COMP, S_RS_COMP1,S_RS_AUTH authorizations.
It will be helpful if someone can provide the different authorizations that need to be set for admin and developer roles.
Thanks

Hi,
Try with this standard role ...
SAP_BC_AUTH_DATA_ADMIN
I recommend you to enter PFCG and search standard roles like SAP_BW* or SAP_BC* roles and search some ADMIN or DEVELOPER role...
For report user you need to create some analysis authorizations based on the requirement. Following link can help you :-
http://help.sap.com/bp_bw370/documentation/Authorization_BW_Proj.pdf
Navesh

SAP HANA security issue: SAP DBTech JDBC: [258]

Hello experts,
I am trying SAP HANA security features by playing out with a test user (MYTESTUSER) I've previously created. This is the permissions detail I've granted to the mentioned user:
Granted Roles:
PUBLIC
Object Privileges:
_SYS_BIC : SELECT
_SYS_REPO : EXECUTE, SELECT
REPOSITORY_REST (SYS): EXECUTE
MYSCHEMA : SELECT (Contains source tables for views)
Package Privileges:
TEST.MYTEST (Package containing my views)
Analytic Privileges:
AP_MYTEST : Contains all my views and a couple restrictions over an attribute.
What do I expect?: when logging on as MYTESTUSER it should be able to deploy the different folders in SAP HANA Studio, dive into "Content" folder, and even more: reach the package TEST.MYTEST, once there by selecting "Calculation Views" folder then being able to open CV_MYTEST calc view (which was already added into AP_MYTEST shown above).
What happens as is?: Running as MYTESTUSER I am able to reach the calc view, when opened it is able for view only (its design). When pushing over the button "Open in Data Preview Editor" it trhows me the error:
Cannot get the data provider outline
SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/query_check.cc:2418
What is expected?: Running as MYTESTUSER "Open in Data Preview Editor" feature must return and show adequate data from calculated view.
In consequence:
What does this error ("Not authorized at ptime/query/checker/query_check.cc:2418") specifically means and how to start addressing it?
I'm unable to determine what is crashing or in what point it doesn't work. Any clues?
I've also realized that there's no way out to perform some kind of trace (at least in an easy-known-fashion). Could you also advice? it would be quite important to be able to detect what are specifically the missing authorizations for a performed action. (kinda SU53 in SAP)
Any clues or advices are welcome. Thanks a lot in advance,
Bernardo

Hi Bernardo,
Can you check whether _SYS_REPO has SELECT access on your schema. Open _SYS_REPO user and check whether your schema is listed under objects privileges or not. If not run the below query.
GRANT SELECT ON SCHEMA <schema_name> TO _SYS_REPO WITH GRANT OPTION.
if it doesn't work try to give SELECT and EXECUTE access on both _SYS_BI and _SYS_BIC to your schema and check. And also but default your should have all the privileges on your schema.
Regards,
Venkat N.

Authorization check for caller assignment to J2EE security role

Dears experts, in the default.trc logs in, my Enterprise Portal NW2004s, appear this error:
#1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
#1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
Any idea about it?
Thanks friends

Hi Holger,
Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
sap.com/SAP-JEECOR 7.00 SP13 (1000.7.00.13.0.20070907082334) 20071028144036
sap.com/SAP-JEE 7.00 SP13 (1000.7.00.13.2.20071026143730) 20071203150628
Will inform some people internally to patch to atleast 3 to check if it still occures.
Anyway, Thanks again..
Benjamin Houttuin

SAP XI Security Roles

Similar Messages

Maybe you are looking for