Security changes in ADEP

Similar Messages

• SAP Security tool within to determine the affects of a security change.

  Hi -
  Do anyone know of a security application tool within SAP to determine the affects of a security change to roles other than SUIM, SE16 ( tables), PFCG, etc
  The basics are:
  1) A role is updated to include additional t-codes, removal of t-codes, or change authorizations of existing t-codes.
  2) Currently there is no way to determine what other t-codes may be affected by the change in authorizations which makes regression testing almost impossible.  The ultimate solution would be a list to the process teams for regression testing to ensure everyone is aware of the consequences of making a change.
  The application in question would:
  1) Use the change log within SAP (with a few parameters specified) to determine what authorizations were changed.
  2) Lookup all the authorizations by t-code for every t-code in the roles meeting the criteria.
  3) Create a list of roles / t-codes that use the authorizations that were identified as changed.  This would be the t-codes that need to be evaluated for regression testing.
  This process is possible today, but would take hours to evaluate a simple change by hand.  A single t-code can have 100+ authorizations and a role could have 50+ t-codes.  This case would lead to the manual cross referencing of 5000+ items which would be extremely time consuming and prone to error.
  Thanks
  Larry Mac

  Hi Larry,
  I am only aware of SUIM....
  there are some possibilities beside change logs, for instance Transaction->executable with role/for user,....
  Also rsusr008_009_new(critical authorizations) gives you a good chance for finding such
  possible effects.
  The cusotmizing of critical auths./combinations/variants is a bit complex, but following the documentation step by step gives a good starting point.
  So if after the changes users show up in the result, you knwo, that you have to react.
  Of course this is not 100% the solution you are looking for, but gives the possibility for an additional check/countercheck.
  b.rgds, Bernhard

• Windows Vista won't connect after security change

  I have an AirPort Extreme base station, to which we connect using an iMac, PowerBook G4 and a Windows Vista laptop. I used to have it set to WEP, but changed it to WPA for the increased security. After the change, my PowerBook and iMac are connecting just fine, but my wife's Vista machine has been nothing but headaches. It will sometimes connect, after a bit of fighting with it, but not reliably or quickly. At the moment, it says that it is connected with local and internet access, but I can't actually access anything on the internet, and diagnosing the problem in Vista reports that a wireless network cannot be found (despite the fact that it simultaneously reports that it is connected to one).
  I know squat about Windows -- I'm a Mac guy. Anybody know how to help me fix this?
  Thanks in advance!

  No answers, but the problem seems to have disappeared. Man, I'm starting to realize how fortunate I am to have been using Macs for the last 23 years. I think Vista is going to be a very good thing for Apple! There's nothing like actually using Vista to make one want to flee screaming and never look back...

• Security change hdd. MacBook will not boot.

  Hi all,
  I am in some real need for help.
  Yesterday i changed the security of my macbook(aluminium) because i am at a hotel with wifi.
  (selected in Finder "this computer" pressed command-i, and in information checked the option "secure.")
  At night i shut down my mac without problems. But this morning it does not boot up anymore.
  All i get is the grey screen with Apple logo and spinning progress wheel. It stays in this mode until eternity.
  In verbose mode i checked fsck -f and it said at the end HD is OK. So I recon that there is nothing wrong with
  my hdd in itself. (thought at first that hdd would be chrashed).
  Anybody any ideas?
  Can i undo the security in verbose mode and what is the command line?
  Thanks for all the help. Am in czech republic so not able to go to my usual mac shop.
  Jake (written with iPhone)

  Tough without the Install disc, but some things to try...
  Does it boot to Single User Mode, CMD+s keys at bootup, if so try...
  /sbin/fsck -fy
  Repeat until it shows no errors fixed.
  (Space between fsck AND -fy important).
  Resolve startup issues and perform disk maintenance with Disk Utility and fsck...
  http://docs.info.apple.com/article.html?artnum=106214
  Tough without the Tiger Disk problems, but try fsck...
  To use fsck, you must run it from the command line. Unlike using your mouse to open an application to do something, you'll need to type a text command at the prompt (#) to tell fsck what to do. The Terminal application (/Applications/Utilities) and single-user mode are two examples of command-line interfaces in which you can type such commands. To use fsck:
  1. Start up your computer in single-user mode to reach the command line. Hold CMD+s keys down at bootup.
Note: If necessary, perform a forced restart as described in the Emergency Troubleshooting Handbook that came with your computer. On desktop computers, you can do this by pressing the reset/interrupt button (if there is one) or holding down the power button for several seconds. On portable computers, simultaneously press the Command-Control-power keys. If your portable computer doesn't restart with this method, you may need to reset the Power Manager.
  2. At the command-line prompt, type /sbin/fsck -fy
  (SPACE between fsck AND -fy important)
  3. Press Return. fsck will go through five "phases" and then return information about your disk's use and fragmentation. Once it finishes, it'll display this message if no issue is found:

  The volume (nameofvolume) appears to be OK 
If fsck found issues and has altered, repaired, or fixed anything, it will display this message:
*** FILE SYSTEM WAS MODIFIED *** 

Important: If this message appears, repeat the fsck command you typed in step 2 until fsck tells you that your volume appears to be OK (first-pass repairs may uncover additional issues, so this is a normal thing to do).
  4. When fsck reports that your volume is OK, type reboot at the prompt and then press Return.
  http://docs.info.apple.com/article.html?artnum=106214

• Network security change to WPA2 won't take

  Hi all, I am getting a very low airport signal strength and am concerned other neighbors are using my connection. I am using a mac mini OS 10.4.11 with a wireless Belkin54g 802.11g router. In system pref. I noticed that there seems to be "none" security on the network, and when I try to add a WPA2 password for more security, it accepts the changes. However, when I then try to connect to my network, it asks if I want to join the "belkin54g" -which is mine, and it connects automatically without asking for the password I created. Furthermore, I can see that the security setting changes when I connect from WPA2 personal to "none" again. How can I simply add security to this network and be confident that others without the password can't join?
  Thanks for any help on this.
  Joe

  In addition to Fortuny's correct advice, I'd suggest giving your router a distinctive name, so that it is easier to recognize as being your own.
  The low signal strength would normally not be an indication of your router being used by others. You might need to change the channel number of your router so that it is not trying to use the same band as the other routers in your neighborhood. Normally you need to get 3 channel numbers away from other users to minimize interference.
  You can use this program:
  http://istumbler.net/
  to determine which channels are being used by routers in your immediate neighborhood.

• SAP security - changing check maintain setting for security objects

  I am trying to change the check maintain indicator for a couple of transactions
  to alow me to manage access based on security objects that are not currently defined as check maintain.  Specifically, I have updated the check indicator
  (using SU24) to check maintain for object c_stue_ber on transactions MD11 and MD12 (planned order create/change).  The transactions still do not check this object as expected.  Does anything else need to be done to enable checking an
  object that is not set up as check maintain originally?
  Any help is appreciated.
  Thanks,
  Doug Scott

  Hello Kerstin,
  I also wrote a message to SAP and got the following response.  Looks like there are no security checks for this object in these transactions.
  Regards,
  Doug
  Response from SAP
  03.04.2007 - 12:48:38 CET    SAP    Reply 
  Dear Doug,
  An authority check on C_STUE_BER is not possible for the transactions
  CO02, CO03, MD11, MD12, CO26, CO27, CO28, COOIS, COHV, CO05, CO05N,
  CO04N, COMAC or CO46.
  In CO01 we check if the user has the authority to resolve the BOM
  (C_STUE_BER). After resolving the BOM we don't check any longer with
  C_STUE_BER since we don't work with the BOM but with a component list
  in the order (which is actually a copy or the BOM).
  For this component list there is no authority check.
  The component list is visible in CO02, CO03, CO26, CO27, CO28, COOIS,
  COHV, CO05N, CO04N, COMAC, CO46.
  For production orders we use authority C_AFKO_AWA. With this
  authority you can limit the access to CO02, CO03 and the change of
  production orders by other transactions.
  But please note that there are still transactions
  that will display the orders and its components without authority
  checks. For example infosystem transactions (COOIS, COHV, CO26, CO27,
  ...) and other processing transactions (COGI, ...). For those
  transactions you would have to limit access.
  For the creation of planned orders MD11, the authority check C_STUE_BER
  is not used. Here you can use M_MTDI_ORG to check on a MRP controller.
  So you should enter the same MRP controller in the material master
  of the troublesome products and only this MRP controller will be able
  to create a planned order for this material.
  I am sorry not to be able to offer you any better solution for this
  problem.
  Kind Regards
  Eoin Donnelly
  SAP Support Consultant (SCM)
  SAP GSC Ireland

• Transitioning from XI 3.0 to PI - Security changes?

  Does anyone have any experience transitioning from XI to PI, from a security perspective?  Any learnings to share?  Will be moving from Netweaver 4 to 7 also.
  Looking at the guide, the AS ABAP roles look similar. 
  Are there new features that have require special attention?

  Mary,
  Their is no difference, except Service Users(Names).
  Thanks,
  Saga

• Has the Global Object Security changed

  We have a form that uses a global object to work. Since Acrobat 9 and the introduction of the GOSP we have had to remind users to uncheck the "enable global object security policy" in the Javascript section of preferences.
  Recently this has stopped working, the code still fails with a "InvalidSetError: Set not possible, invalid or unknown."
  what;s going on?
  can I re-enable the global objects maybe with a registry hack?

  Thanks for getting back to me, I have sorted the issue (hopefully)
  there are three sets of fields that form a date selector they all end in the same two digit number to identify them (which set on which page) this two digit ident is saved to a global variable so that the scripts that then make the day, month and year selector fields un-hide etc
  anyway, it turned out that the first set was the one that failed, the other two on the page worked fine. So I deleted set 1 and copied set 2 and placed them where set 1 was, it all worked fine so I just renamed the fields back to set 1 and all was still ok.
  The odd thing is that this issue has been there since the first version of the form in 2010 but has only now chosen to surface.
  this is the code that the button uses
  var fieldExtension = event.target.name.substring(event.target.name.length -2, event.target.name.length)
  global.dateField = "date" + fieldExtension
  if (this.getField("day" + fieldExtension).display == display.hidden){
    showDate()
  }else{
    hideDate()
  Anyway, all sorted

• New iTunes security changes

  New system I see?

  I'm having the same issue. The problem happens when you enter your email address after choosing the security questions and answers. I receive an error stating that my email address is not in a valid format (when it actually is - I quadruple checked). Someone from Apple, please help us out. I'm trying to purchase music from you. You've got to be losing sales over this issue...

• Weblogic Security(Change Password)

  We are implementing “Forgot Password" feature for our web application which is based on Weblogic Portal Server. We are using Spring JMS POJO(http://static.springsource.org/spring/docs/2.5.x/reference/jms.html#jms-asynchronousMessageReception) for anonymous user to recover their password, We have the Spring JMS listener which receives the password reset request, but while doing the password reset we are getting security error
  Here is the code where we do the reset onMessage() of MessageListener
  com.bea.p13n.security.management.authentication.AtnManagerProxy proxy = AtnProxyHelper.getAtnProxy("SQLAuthenticator");
  proxy .setPassword(loginId, newPassword);
  Looks like Spring JMS listener is running as a client within the WL server, but even this pair of code does not work too
  Subject subject = com.bea.p13n.security.Authentication.authenticate("weblogic","weblogic");
  com.bea.p13n.security.management.authentication.AtnManagerProxy proxy = AtnProxyHelper.getAtnProxy("SQLAuthenticator");
  proxy .setPassword(loginId, newPassword);
  java.lang.SecurityException: The caller is not in the proper role for attempted user operation. Required role(s) [Admin, PortalSystemAdministrator, Self, updateRole]. Caller role(s) Anonymous.
       at com.bea.p13n.security.management.authentication.AtnSecurityMgmtHelper.validateUserCallerRole(AtnSecurityMgmtHelper.java:567)
       at com.bea.p13n.security.management.authentication.internal.UserProvider.setPassword(UserProvider.java:330)
       at com.bea.p13n.security.management.authentication.internal.UserProvider.setPassword(UserProvider.java:314)
       at com.bea.p13n.security.management.authentication.AtnManagerProxy.setPassword(AtnManagerProxy.java:544)
       at com.pics.weblogic.UserManagement.recoverPassword(UserManagement.java:623)
       at com.pics.core.service.ForgotPasswordServiceImpl.changePassword(ForgotPasswordServiceImpl.java:44)
       at com.pics.messaging.MessageQueueReceiver.onMessage(MessageQueueReceiver.java:100)
       at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:505)
       at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:444)
       at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:414)
       at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:293)
       at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:239)
       at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:872)
       at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:812)
       at java.lang.Thread.run(Thread.java:619)

  Yes, I agree it is a bad idea, but initially we did the password reset in sync but the e-mail notification in async, but then when doing the password reset we got into trouble of same security exceptions, so we moved that all the reset password and e-mail into same async code block assuming that Spring JMS listener will not ask for authorization since the WL server and JMS listener both are running on the same thread/context, but looks like Spring JMS listener in running on a different thread context. I need to impersonate since user has not logged into the system("forgot password" recovery feature). Looks like it does not matter sync or async I need to impersonate user, Here is the work around that I have put for now
       Subject subject = com.bea.p13n.security.Authentication.authenticate("weblogic","weblogic"); //I need to create a special user for this, Ugly!!
       ResetPassword resetPassword = new ResetPassword ("ForgotUserID","ForgotEmail"); //Now every thing happens here, setPassword API
       weblogic.security.Security.runAs(subject, resetPassword );
  If I had used MDB instead of Spring MDB then it would have worked(I have done the same in WL couple years back)
  Thanks
  Edited by: lbrocks_prn on Nov 19, 2009 10:18 PM
  Edited by: lbrocks_prn on Nov 19, 2009 10:19 PM

• Online Security - Changing Call Packages

  Hello BT Forum,
  Just a quick question.
  It seemed pretty easy for me to gain access to details of my Mother's call package; I was after was the expiry date of the current contract.  All it needed was her telephone number, postcode and a tick in the box. 
  So what is to stop kindly me or some nefarious person from changing my Mother's call package without her knowledge?
  I find it perturbing that access to these details was so easy.
  CFAM
  Solved!
  Go to Solution.

  Thank you for your suggestion.
  I did use the live chat facility but the BT agent was unable to assist - they do not have access to the full account details.  I also tried their telephone call centre but their operator did not have access either, he suggested that I contact their 'new/retention customer' division.  There I found out the details of the contract and immediately thereafter the BT Agent tried to persuade me to 'upgrade' the service and that it would be 'stupid' to cancel the current contract.  
  It seems to me a rather bizarre process to go through to get what is in effect a 'date,'  which could easily be written on the monthly bill that is sent.  Again I was somewhat amazed at the ease with which I was able to obtain the information but then I do know more details; and perhaps all I was after was an end date.
  However, after a little searching I found that rolling contracts are no longer offered by BT (web link noted below).  I was advised that the terms of any existing rolling contract is maintained on a 28 day rolling contract.  That this contract can be cancelled at any time without penalty.  This is the information I need as I am preparing my Mother to be connected to broadband. 
  So I have the information I need to make a decision about broadband packages.
  However, what does not help at this stage is the bombardment of BT advertising literature promoting their Sports Channel with unlimited broadband.  I am sure that such a service will appeal to many but to my seventy year old Mother, such a package offers little benefit or incentive.
  Regards,
  CFAM
  http://bt.custhelp.com/app/answers/detail/a_id/10757

• Will the rowlevel security changes with Oracle upgradation.

  Hi All,
  We have upgraded our database from 9.2.0.6 to 9.2.0.8 . After the upgrade the users who run their reports against the database are telling that they were unable to run their reports. It is hanging. It is confirmed that all the users were unable to run their reports except a fer who have super user access to the database. We have implemented the security polity through fine "grained access control". There is any difference between the above mentioned versions in row level control.?
  Regards,
  Girija

  The mentioned above will not influence behaviour of oracle, since most of it just has to do with SSH.
  My (relatively) simple view is that you should disable all services that you do not use (run chkconfig --list for a list and turn of all services that you do not use). Next install iptables by grabbing the needed rpm's from the RHEL cd's and turn it on. Allow access on port 22 only for the listed IP's and allow access on port 1521 for the IP range that should be allowed to the database. That is.. as long as you have configured 1521 as your listener port (1521=default), please check $ORACLE_HOME/network/admin/listener.ora for the correct port.
  Since the initial connection is made on 1521, you should be set. I know there is some setting that allows only sqlnet traffice on 1521 (instead of returning answer on a random range), but if you configure iptables to keep state you should be ok (otherwise, check metalink for the correct setting or reconfigure iptables).
  If you have a webserver and/or other daemons that are running and that should be accessible, you should be ok now.

• Wireless Security change

  Currently I am running WPA2 TKIP PSK on all on my WLANs, I was given the task of changing the preshared keys once a year. I have 5 WLAN's at each site. How would one go about doing this to make it as easy as possible? or should we change to somthing else?

  Kevin,
  I too work in a very large healthcare envioment. I will tell you, we are 100% radius (EAP-PEAP and EAP-FAST). Almost all newer devices will support radius. We have over 6,000 clients and all do radius. Thats not to say you wont come across some that do not. Even older devices, may need a firmware upgrade to support radius. But Scott is on target, you will need to see what devices can and can not.
  As for adding more WLANS. I would caution you not to exceed 5 WLANs. As you add more, your network utilization will increase for managment overhead. All networks are deisgned differently, so it would be hard to say what impact yours might have. But I have seen some networks with 6 and 7 wlans produce 55% network utilization with no network traffic, it was all managment frames.

• Changing security settings in iMac.

  I had this error report come up when installing an Apoggee Duet manual on an external bootable drive with Mt Lion on it.Here is what it says:
  "Your security preferences only allows installation from mac app store & identified developers".
  How do I change this setting? Is it safe to change it?

  In System Preferences>Security change the setting to Anywhere (you'll probably need to unlock the preference panel using your admin password).
  Alternatively, leave the setting as is and simply right-click or control-click on the installer package and select 'Open' from the menu that appears. Only do this if you are confident that the download has come from a bona fide source.

• Advice needed: what does your company log for SAP security role changes?

  My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
  I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
  I have questions:
  a) Do you want to make things straight
  b) Do you want to implement a versioning mechanism
  c) You cannot implement anything technical, but you`re asking about best "paper" practise?
  The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
  Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
  PFCG transaction usage will be curtailed to minimum if implemented fully.
  Do we really want to do things "outside" PFCG?
  @all:
  a) do you guys use custom approval workflows for roles?
  b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
  c) who is a friend of GRC here, raise your hand
  Cheers Otto
  p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild