Sunday, 10 November 2013

Maintain/Restore Authorization Groups

Report Authorization Maintenance

Many SAP programs are supplied either with an authorization group which does not fit in with the customer's authorization system or without an authorization group altogether. This report allows you to maintain the authorization groups for such programs without the need to change the program attributes. It also allows you to restore customer-specific authorization groups following an Upgrade.
Program RSCSAUTH generates a list of type 1 reports ("Program" column), the authorization groups as maintained by SAP ("SAP" column), and those maintained by the customer "Customer" column).
The "Customer" column is an input field where you can enter your own authorization groups.
When you choose "Save", the customer-specific authorization groups for all SELECTED reports are copied into Table TRDIR. This has the same effect as changing the authorization group in the program attributes, as existing SAP authorization groups are overwritten. The authorization groups for each report are also entered in Table SREPOATH. This is to allow you to restore customer-specific authorization groups following an upgrade by running RSCSAUTH again.

Selection Screen

Report Selection

Here you can select the programs whose authorization groups you wish to maintain. You can limit your selection to
  • Particular programs ("Program name" selection)
  • Programs supplied by SAP with a particular authorization group (or without authorization group) ("Authorization group (SAP)" selection)
  • Programs from particular applications ("Application" selection)
  • Programs with a particular logical database ("Log. DB directory" and "from application" selection).

Authorization Groups

You can choose here whether to maintain customer-specific authorization groups ("Maintain" box) or whether to transport customer-specific authorization groups between SAP Systems or restore old settings after an Upgrade ("Restore/ Transport" box).
You cannot maintain and transport (or restore) authorization groups simultaneously. If you wish to maintain and then transport authorization groups, you will need to run the report twice; once with the "Create/ change" option in the "Maintain" box, and then with the "Restore with transport" option in the "Restore/ Transport" box. If you try to select options from both boxes at the same time, an error message is displayed.

Maintain

Select "Create/ change" to maintain customer-specific authorization groups.
Defaults can also be supplied for the new authorization groups:
  • Copy authoriziation groups from:
  • Default authorization group
    The value entered here is now suggested for all reports for which no customer-specific authorization group has yet been entered.
  • Report tree
    Here you can enter the name of a report tree. The node authorization is suggested as a default for all reports in the tree. The node authorization is also displayed in a separate column. Existing customer-specific authorization groups are NOT overwritten by the node authorization. If a report exists in more than one node, the authorization of the first node (alphabetically!) is used. Authorizations for private nodes are ignored.
If both a default value and an authorization tree are specified, the default value is only used for reports for which no node authorization could be found.

Restore/ transport

The functions in this box are not for maintaining but transporting customer-specific authorization groups, as well as for restoring them following an Upgrade.
The following functions are available:
  • Test run
    All reports for which customer-specific authorization groups exist are listed: Report name, SAP authorization group, Customer-specific authorization group.
  • Restore
    You can use this function to restore customer-specific authorization groups (ex. following an upgrade). A check list is output (as with the test run). The SAP authorization groups are shown in the SAP column. In the "Customer" column are the customer-specific authorization groups with which the SAP authorization groups are overwritten.

  • Restore with transport
    You first see a dialog box in which you specify a transport request. Alternatively, you can branch from here into the transport and correction system. The selected reports with the customer-specific authorization groups are entered in the transport request where the customer authorization group differs from the SAP authorization group. Afterwards a check list is output, similarly to the "Restore" function.
    When you release the transport request, the authorization groups are transported into the target system. In order to change the program attributes in the target system, in other words, to copy the authorization groups into Table TRDIR in the target system, you need to run Report RSCSAUTH using the "Restore" option.

Wednesday, 30 October 2013

Alternative to ST01 system trace using Tcode STAUTHTRACE for multiple system at a time


  1. Execute STAUTHTRACE
  2. Click System-Wide Trace
  3. Select all system
  4. Enter a user ID to trace.
  5. Click Activate trace
  6. Once done, you may evaluate the log

Wednesday, 18 September 2013

Why is SAP authorization profile red or yellow?


When you change a role, you must regenerate the authorization profile. In this case, the status of the profile generation is displayed red or yellow at the top of the Authorizations tab page, and is explained in more detail further down the tab page with a short text:


·        If the status display is red, you must perform an authorization data comparison, since the menu was changed since the last profile generation or no authorization data exists.
·        If the display is yellow, the authorization data for the role was changed and saved after the last generation. The generated profile is no longer current. You need to regenerate it.

Friday, 6 September 2013

SAP Query using tcode SQVI with username and email as the result


  1. SQVI
  2. Quickview: Email
  3. Click Create
  4. Datasource: Table Join
  5. Ok
  6. Edit > Insert Table (both tables)
    ADRP
    ADR6
    USR21
  7. Click Check. If defined joined condition is correct, click back
  8. Expend and select the field you would like to see in the result

    eg: First Name, Last Name, E-Mail Address and User Name in User Master Record

  9. Click on selection field tab. Select user name in master data. Add to the left column.
  10. Click check for errors. If none, then proceed to execute
  11. Now you can search using username and it will show your the first name, last name and email address

Tuesday, 27 August 2013

Frequently used SE16 Tables for security


  • AGR_USERS : Assignment of roles to users  Basis - ABAP Authorization and Role Management
  • AGR_TCODES : Assignment of roles to Tcodes  Basis - ABAP Authorization and Role Management
  • BUT100 : BP: Roles  Basis - Use AP-MD-BP* Components
  • SRRELROLES : Object Relationship Service: Roles  Basis - General Object Relations
  • EKPA : Partner Roles in Purchasing  MM - Purchasing
  • AGR_AGRS : Roles in Composite Roles  Basis - ABAP Authorization and Role Management
  • AGR_DATEU : Personal settings for roles  Basis - ABAP Authorization and Role Management
  • AGR_USERT : Assignment of roles to users  Basis - ABAP Authorization and Role Management
  • AAA_ROLES2 : SAP Authorization Assistant - Roles no longer Managed  Basis - ABAP Authorization and Role Management
  • AAA_ROLES : SAP Authorization Assistant - Roles Managed by Tool  Basis - ABAP Authorization and Role Management
  • AGR_TCDTXT : Assignment of roles to Tcodes  Basis - ABAP Authorization and Role Management
  • EHSWAT100 : MD (BDT): Business Partner Roles  Environment, Health and Safety - Waste Management
  • CACS_AGRROL : Participant Roles in Participation Agreement  ICM - Incentive and Commission Management (ICM)
  • AGR_SELECT : Assignment of roles to Tcodes  Basis - ABAP Authorization and Role Management
  • AGR_TCODE3 : Assignment of roles to Tcodes  Basis - ABAP Authorization and Role Management
  • BPFRG : OBSOLETE TABLE: Business Partner: Roles for Release  Fi Services - Business Partner
  • USLA04 : CUA: Assignment of Users to Roles  Basis - User and Authorization Management
  • USRSYSACT : CUA: Roles in Distributed Systems  Basis - User and Authorization Management
  • TB003T : BP Roles: Texts  Basis - Use AP-MD-BP* Components
  • USRSYSACTT : CUA: Roles in Distributed Systems  Basis - User and Authorization Management
  • TB003E : BP Role Exclusion Groups -> BP Roles  Basis - Use AP-MD-BP* Components
  • DPR_RATES : Customizing: Cost/Revenue Rates for Project Roles  PPM - cProjects Accounting Integration
  • TDLOAN_CPPART : Default Sttng of Permitted Roles and Roles for Partner Copy  Fi Services - Loans Management
  • TE673 : Installation Roles in an Installation Group  IS - Contract Billing
  • TE673T : Names of Installation Roles  IS - Contract Billing
  • AGR_USERS - Assignment of roles to users  Basis - ABAP Authorization and Role Management
  • AGR_1251 - Authorization data for the activity group  Basis - ABAP Authorization and Role Management
  • AGR_DEFINE - Role definition  Basis - ABAP Authorization and Role Management
  • AGR_TCODES - Assignment of roles to Tcodes  Basis - ABAP Authorization and Role Management
  • AGR_1252 - Organizational elements for authorizations  Basis - ABAP Authorization and Role Management
  • AGR_HIER - Table for Structure Information for Menu  Basis - ABAP Authorization and Role Management
  • AGR_AGRS - Roles in Composite Roles  Basis - ABAP Authorization and Role Management
  • UST12 - User master: Authorizations  Basis - User and Authorization Management
  • AGR_PROF - Profile name for role  Basis - ABAP Authorization and Role Management
  • PRGN_CUST - Customizing settings for authorization process  Basis - ABAP Authorization and Role Management
  • USR10 - User master authorization profiles  Basis - User and Authorization Management
  • BUT100 - BP: Roles  Basis - Use AP-MD-BP* Components
  • AGR_TEXTS - File Structure for Hierarchical Menu - Customer  Basis - ABAP Authorization and Role Management
  • SSM_CUST - Set Values for the Session Manager / Profile Generator  Basis - Session Manager
  • USR12 - User Master Authorization Values  Basis - User and Authorization Management

Thursday, 13 June 2013

SSO Parameter value



login/password_change_for_SSO
Handling of password change enforcements in Single Sign-On situations

Valid Input, Formats, Areas:

 0 =  Ignore requirement for password change(=> backward compatible)
 1 = Popup with selection 2 or 3 (User decides, default)
 2 = Password change dialog only (Entry: Old and new password)
 3 = Deactivation of password (automatic, no popup)

Tuesday, 21 May 2013

SPRO missing entry - launch with tcode SIMGH


  1. Launch SIMGH
  2. Find structure under IMG structure
  3. Then click display

Thursday, 2 May 2013

GRC 10 - Firefighter tcode

Child system /GRCPI/GRIA_EAM
Centralized GRAC_SPM

Thursday, 21 February 2013

GRC 10 - Repository Sync failed with error "No more storage space available"

When you run repository sync from
SPRO > GRC > AC > Sync Job > Repository Object Synch > Run in foreground

You will get below error:
Program for Repository User Synchronization


Processing for connector GRCTEST210
Starting user synchronization for connector GRCTEST210.
Error in GRCTEST210; Reason Error in RFC; 'No more storage space available for
User sync failed with errors

Repository Object sync job failed with errors
Please check SLG1 for further details

----------------------------------------
For the Fix: Implement patch GRC 10 SP 10



Note 1590847 - User Sync failing with error No more storage space available




Symptom
User sync is failing with the following error "No more storage space available"

Other terms
Repository, Access Control 10.0, /GRCPI/GRIA_USR_LIST_IN_PERNR, User Sync

Reason and Prerequisites
Program Error

Solution
Kindly implement the attached correction instruction in the plugin system to resolve the issue.
Please run the User sync in Full mode after implementing the corrections.





Correction delivered in Support Package
GRCPINW
V1000_700
SAPK-10305INGRCPINW

Monday, 4 February 2013

Determind / Find / Check - GRC 5.3 Support pack and patch version

Three way to find the Support pack and patch version for GRC 5.3

Option 1 (via GRC CUP)


  1. Launch GRC via http://testgrc.amd.com/AE/index.jsp
  2. Click About

  3. This is SP 19 patch 7


Option 2 (via System Info)



  1. Lauch system info > http://test.amd.com/sap/monitoring/SystemInfo
  2. Click All component

  3. VIRAE is CUP and this screen show it is running SP 19 patch 9

Option 3 (via JSPM - ask basis for help)


  1. Launch JSPM from \usr\sap\ED7\JC00\j2ee\JSPM\go.bat
  2. Enter SDM password

  3. Click Deployed components tab




Thursday, 24 January 2013

Useful field name when you perform SUIM or display data from AGR_1251

Account type KOART
Company code BUKRS
Cost element KSTAR
Distribution channel VTWEG
Division SPART
Operating concern ERKRS
Plant WERKS
Profit center PRCTR
Purchasing group EKGRP
Purchasing organization EKORG
Sales group VKGRP
Sales office VKBUR
Sales organization VKORG
Shipping point VSTEL
Warehouse number / warehouse c LGNUM
Valuation area BWKEY
Business Area GSBER
Maintenance Planning Plant IWERK
Credit control area KKBER
Controlling Area KOKRS
Cost Center KOSTL
Storage Type LGTYP
Personnel Area PERSA
Plan Version PLVAR
Maintenance Plant SWERK
Transportation planning point TPLST
MRP Controller DISPO
Release Code FRGCO
Codition type KSCHL
Chart of Accounts KTOPL
Release Group FRGGR
STORAGE LOCATION (object) LGORT
WORK CENTER ARBPL
Consolidation Unit BUNIT
Bom (authorization group) BEGRU
ORDER TYPE AUART

Tuesday, 22 January 2013

Check GRC 10 error log using SLG1


  1. Execute SLG1
  2. Enter GRAC or GRFN and you will be able to see the application log

Friday, 18 January 2013

ST01 trace file delete


  1. To delete ST01 trace file, it can only be done in OS level.
  2. Delete the trace file and it will be created again the next time you activate trace.

Thursday, 17 January 2013

Create role with display mode only ACTVT 03


  1. Tcode PFCG
  2. Enter the role name
  3. Role > Download
  4. Now open the *.SAP file which you have downloaded and edit with notepad.
  5. Search for ACTVT then change all the value *, 01, 02 and etc to only 03
  6. Save and upload the file back using PFCG

Sunday, 6 January 2013

Change SAP* password and default password


http://wiki.sdn.sap.com/wiki/display/ABAP/Changing+the+default+password+for+sap+use

Changing the default password for sap use

Changing the default password for sap use
You are trying to change the password for sap* user, however when you go into su01 and enter sap* as the user name, the following message is displayed, user sap* does not exist.
You can delete the SAP* user using ABAP code :-
Delete from usr02 where bname = 'SAP' and mandt = '**';
Where '*' means your client no.
Then login to your client using password SAP* and password PASS
However, if you delete it, then it will automatically created once again with password PASS
The userid, SAP*, is delivered with SAP and is available in clients 000 and 001 after the initial installation. In these 2 clients, the default password is 07061992 (which is, by the way, the initial date when R/3 came into being...). It is given the SAP_ALL user profile and is assigned to the Super user group.
When I say it is "delivered" with SAP, I mean that the userid resides in the SAP database; there are actually rows in the user tables used to define userids.
If you delete the userid, SAP*, from the database, SAP has this userid defined in its kernel (the SAP executable code that sits at the operating system level, i.e., disp+work). When this situation exists, the password defined in the SAP code for SAP* is PASS.
This is necessary when you are performing client copies for example, as the user information is copied at the end of the process.
You can sign into the client you are creating while a client copy is processing using SAP* with password PASS (but you should have a good reason to do this - don't change anything while it's running).
Anyway, if the SAP* userid is missing, you can sign in to the client you want and simply define it using transaction SU01 and, as I stated above, assign it to the SUPER user group and give it the SAP_ALL profile. You define its initial password at this point. If you've forgotten its password and don't have a userid with sufficient authorization to create/change/delete userid,
then you can use the SQL statements to delete it from the database and then you can use SAP* with PASS to sign back into the client you want to define it in and recreate it.
There is also a profile parameter which can override the use of SAP* with PASS to close this security hole in SAP (login/no_automatic_user_sapstar). When this parameter is defined either in your DEFAULT.PFL profile or the instance-specific profile and is set to a value of '1', then the automatic use of SAP* is deactivated. The only way to reactivate the kernel-defined SAP* userid at this point would be to stop SAP, change this parameter to a value of 0 (zero), and then
restart SAP.
The default password for SAP is 06071992. (DDIC has 19920706*)

Thursday, 3 January 2013

User type (Dialog, system, communications, service, reference )


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67119e439b11d1896f0000e8322d00/content.htm

User Type

You can specify the following user types:
      Dialog (A)
       Individual system access (personalized)
       It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
       The system checks whether the password has expired or is initial.
       The user can change his or her password himself or herself.
       Multiple dialog logons are checked and, where appropriate, logged.
       Purpose: for individual human users (including Internet users)
      System (B)
       System-related and internal system processes.
       It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
       The password change requirement does not apply to the passwords, that is, they cannot be initial or expired.
       Only a user administrator can change the password.
       Multiple logons are permissible.
       Purpose: background processing and communication within a system (internal RFC calls) and between multiple systems (external RFC calls). Purpose: for example, RFC users for ALE, workflow, TMS, CUA.
      Communications (C)
       Individual system access (personalized)
       It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
       Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).
       The user can change his or her password himself or herself.
       Purpose: external RFC calls of individual human users.
      Service (S)
       Shared system access for a larger, anonymous group of users.  Assign only very restricted authorizations for this user type.
       It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
       During a log on, the system does not check whether the password has expired or is initial.
       Only a user administrator can change the password.
       Multiple logons are permissible.
       Purpose: Anonymous system access (such as for public Web services). After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.
      Reference (L)
       It is not possible to log on to the system.
       User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transactions SU01.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.
You should be very cautious when creating reference users.
       If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.
       We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.
       We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.