
SAP SECURITY FAQs

1. Authorization Object S_Program is not active

I have received a request from business to add authorization object ZMXM with User Action as SUBMIT for Authorization Object S_Program. I have already manually added the required access to a given role in DEV and moved it to the QAS environment. The import on QAS was successful, but when I looked at the role in PFCG the Authorization Object S_Program was showing as inactive. I have repeated the transport process but still have the same issue. I have also cross-checked by adding another Authorization Object, and it shows as active in the QAS environment. Is the problem with S_Program only? Could you please help me to solve this issue, as I have to revert back to business. I am working on the 4.6C version of SAP with Oracle 10g.

SOL1:

1. Please check that the object is activated in the QAS system (as this is a standard object, surely this should be activated): SU03 -> Authorization -> Activate

2. Please compare the entries of S_PROGRAM in DEV & QAS system which does work in table TADIR and TOBJ. Is anything missing or different?

SOL2:

I have found the table entries for S_Program in TADIR and TOBJ to be the same on DEV as well as on the QAS system. Also, the object is active for the particular role/profile in the SU03 transaction.

SOL3:

You might have saved and transported the role without generating the profiles.

Please follow the below points:

1. Deactivate the S_PROGRAM object, save & generate the profile.

2. Activate the same object again, enter the field values, save and generate the profile, and transport the request.

Just check the changes and update me on the status for further investigation.

Still not working.

2. What is a Test Script?

Scenarios where role creation through SECATT would be helpful.

SOL1:

If you go for mass derived role creation, for example when you need to create the same role for different company codes, plants or some other org level (larger companies have many org levels and may need this kind of security setup), where all authorizations are the same and only the org level differs, you have to create a huge number of roles. If you have 10 roles, each having 75 derivations, then you need to create 750 roles. So these kinds of scripts are really helpful and will save lots of time.

3. UST04 inconsistency

I am facing an error in our existing system. I am getting an entry in table UST04 which comprises a profile and a user assigned to that profile. But when I go to SU01 to see the details of that particular user, I get a message saying the user does not exist. The user also does not exist in the table USR02. But this is very unlike SAP, that I can see a user in UST04 and am unable to see the same in SU01 and table USR02. I have also executed a program named RSAUTHXPRA in order to synchronise the USR* and UST* tables, but even that doesn't seem to be working. Need some help on this. Your help is highly appreciated. In anticipation of your reply. Thanks in advance.

SOL1:

Probably, program PFCG_TIME_DEPENDENCY is not scheduled in the system. You can try running this program, or you can also run the same program through transaction PFUD. PFCG_TIME_DEPENDENCY does the user comparison and removes invalid profiles. It is advisable to schedule this program to run at least once every day to clean up invalid profiles in your system. Please try this out.
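A way to list the orphaned entries described in the UST04 question, as an added example that is not part of the original thread: it compares CSV exports of USR02 and UST04 and reports profile assignments whose user has no master record in the same client. The export format, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (for instance saved from SE16 as CSV); not real system data.
USR02_CSV = """MANDT,BNAME
100,JSMITH
100,BATCH_RFC
200,JSMITH
"""

UST04_CSV = """MANDT,BNAME,PROFILE
100,JSMITH,T-D1000123
100,BATCH_RFC,Z_RFC_MIN
100,OLDUSER,SAP_ALL
100,OLDUSER,T-D1000456
200,JSMITH,T-Q1000123
200,BATCH_RFC,Z_RFC_MIN
"""


def _rows(text):
    """Parse a CSV export into dicts with trimmed, upper-cased values."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {k.strip(): (v or "").strip().upper() for k, v in row.items() if k}


def orphaned_profile_assignments(usr02_csv, ust04_csv):
    """Return {(client, user): [profiles]} for UST04 rows with no USR02 record.

    User master records are client-specific, so the comparison key is
    (MANDT, BNAME): a user that exists in client 100 does not cover a
    profile assignment held under the same name in client 200.
    """
    known = {(r["MANDT"], r["BNAME"]) for r in _rows(usr02_csv)}
    orphans = defaultdict(list)
    for r in _rows(ust04_csv):
        key = (r["MANDT"], r["BNAME"])
        if key not in known:
            orphans[key].append(r["PROFILE"])
    return {k: sorted(v) for k, v in sorted(orphans.items())}


if __name__ == "__main__":
    found = orphaned_profile_assignments(USR02_CSV, UST04_CSV)
    for (client, user), profiles in found.items():
        print(f"client {client}: {user} has no USR02 record, holds {', '.join(profiles)}")
```

Running the same comparison before and after the cleanup job shows whether the orphaned assignments were actually removed.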

Some security questions
==============================================================

I have one year of experience in SAP Security and only two in Basis, so flame on......... I swear I didn't use Google or any of my systems for reference!

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
Best answer is to modify your SU24 data.

2) What is the use of transaction PFUD at midnight?
Removes invalid profiles from user records.

3) Is PFUD needed when saving in SU01, and does the user need to log off and on again after changes?
PFUD is not needed, and the user needs to log off and back on again.

4) How are web services represented in authorizations of users who are not logged on?
??

5) How do you force a user to change their password and on which grounds would you do so?
SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

7) When an authorization check on S_BTCH_JOB fails, what happens?
"You do not have authorization to perform whatever operation you are trying to perform." message. HAHA

8) Can you have more than one set of org-level values in one role?
I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain. Purchasing Org and Plant, Sales Org and Sales Division.....

9) Should RFC users have SAP_NEW and why?
No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

10) What is an X-glueb command and where do you use it in SAP security?
???

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.

12) In which tables can you make customizing settings for the security administration, and name one example of such a setting which is useful but not SAP default?
???

13) Can you use the information in SM20N to build roles and how?
You could, I guess. Not a good practice though. Build roles based on business processes.

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.

15) Name any one security-related SAP note and explain its purpose or solution.
Don't know the number offhand, but I was looking at it yesterday. Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently.

16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP?
??? I know what these are but have no experience with it.
