HOW TO SAP

Step by step manual guide with screenshot for Basis, Security Authorization & Abap


GRC 5.3 - Valid to date is always the current date during submission of a new request

November 30, 2017   current date, grc 5.3, valid to date,






  1. GRC 5.3 provisions the user with a validity end date equal to the day the user was created. The SU01 screen looks as below:
  2. In GRC you can see the following when requesting a new account:
  3. This is caused by the following setting in GRC 5.3 under Configuration > Field Mapping > LDAP Mapping > Additional Fields > validToDate
  4. Remove this entry and try again.

HOW TO SAP - Perform system trace for missing authorization

November 29, 2017   authorization trace, st01, system trace,

How to perform system trace for authorization









  1. Execute tcode ST01.
  2. Tick Authorization Check (you may select more).
  3. Click Trace On (make sure to turn it off after you are done!).
  4. Now ask the user to perform their task.
  5. *If there is more than one app server, go to tcode SM51.
  6. *Then double-click the app server.
  7. *Then repeat steps 1 to 3.
  8. Remember: once the user has completed the test, turn off all traces in ST01.
  9. Now click Analysis.
  10. Filter the trace like below (select what you need).
  11. For an authorization issue, any return code above RC=0 means an authorization is missing.


VIRSA - HOW TO export mitigation control

November 28, 2017   export mitigation control, virsa,
  1. Run SA38 or SE38 and execute /VIRSA/ZVRAT_L03
  2. Enter the following details:
  3. The exported file looks like:

SOD Scan using /n/virsa/zvrat

November 26, 2017   sod scan, virsa,






  1. Tcode /n/virsa/zvrat
  2. Ok

  3. Enter userid
  4. Choose the system where user id was created

  5. Then execute
  6. If the system ID is not found, you can add the system using the entries in SM59.
  7. To add, execute /n/virsa/zvrat_s16
  8. Select Comp Calibrator Configuration

  9. Under Parameter 19, add in a new system

  10. Save and try scan again

GRC 5.3 SNC - Provision with upper case userid which cause SNC to fail

November 25, 2017   cup, grc 5.3, lowercase, snc, su01, uppercase,



  1. GRC 5.3 is able to provision SNC settings to SU01, but the user ID appears in upper case, as below:

  2. SNC is case sensitive, so the logon fails when the user tries to log in.
  3. This is because GRC 5.3 converts the user ID to UPPERCASE, as below:

  4. This can be resolved in two steps.
  5. Step 1: Configuration > Request Form Customization > SNC Name > 
    Default value > p:#!#userId#!#@DOMAIN.COM

  6. Step 2: Configuration > Field Mapping > LDAP Mapping > Additional Fields > Add SAP_User_ID and then map it to the correct LDAP field. In our case, it is "mailNickname" because it is in lowercase.
  7. GRC will then replace userId with the LDAP field "mailNickname", which is in lowercase.

  8. Once provisioned, the SNC field in SU01 will be in this format: p:zmolan@DOMAIN.COM

Table USR02 - User Lock value

November 22, 2017   user lock, USR02,

  1. Execute SE16
  2. Enter USR02
  3. Below are the value and its description:




Value  Description
0      Not locked
16     Lock
32     Locked by CUA admin (User Admin)
64     Locked by system administrator
128    Locked due to incorrect logon attempts or too many failed attempts
192    A combination of both: the user is locked by the administrator and was also locked after trying to log on with incorrect passwords (192 = 64 + 128)
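
The lock value is a bit field, which is why 192 decodes to 64 + 128. The following is an added example, not code from the original post: it decodes any combination of the values in the table (going beyond the single 192 case) and groups users for review. UFLAG is the USR02 column that holds the value; the sample rows and the grouping rules are assumptions made for illustration.

```python
# Added example: decode USR02 lock values (UFLAG) using the table above.
# The flag descriptions come from the post; the sample rows are constructed.

LOCK_BITS = {
    16: "Lock",
    32: "Locked by CUA admin (User Admin)",
    64: "Locked by system administrator",
    128: "Locked due to incorrect logon attempts",
}
ADMIN_BITS = 32 | 64  # locks set deliberately by an administrator


def decode_uflag(uflag):
    """Split a UFLAG value into the individual lock reasons it combines."""
    if uflag == 0:
        return ["Not locked"]
    reasons = [text for bit, text in sorted(LOCK_BITS.items()) if uflag & bit]
    leftover = uflag & ~sum(LOCK_BITS)  # bits the table does not describe
    if leftover:
        reasons.append(f"Unknown bits: {leftover}")
    return reasons


def triage(rows):
    """Group (BNAME, UFLAG) rows for review.

    'admin': an administrator lock is present; find out why it was set
             before unlocking, even if a password lock is also present.
    'logon': locked only because of failed logon attempts.
    'other': any remaining non-zero value (16 or unknown bits).
    """
    groups = {"admin": [], "logon": [], "other": []}
    for bname, uflag in rows:
        if uflag == 0:
            continue
        if uflag & ADMIN_BITS:
            groups["admin"].append(bname)
        elif uflag == 128:
            groups["logon"].append(bname)
        else:
            groups["other"].append(bname)
    return groups


# Constructed sample, shaped like an SE16 export of BNAME and UFLAG.
SAMPLE_ROWS = [
    ("ALICE", 0),
    ("BOB", 128),
    ("CAROL", 64),
    ("DAVE", 192),
    ("ERIN", 160),
    ("FRANK", 16),
]

if __name__ == "__main__":
    for bname, uflag in SAMPLE_ROWS:
        print(f"{bname:<6} {uflag:>3}  {'; '.join(decode_uflag(uflag))}")
    print(triage(SAMPLE_ROWS))
```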

Difference between SU22, SU24 and SU25

November 21, 2017   SU22, SU24, SU25,


SU22 displays and updates the values in tables USOBT and USOBX, while SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer.

The profile generator gets its data from the _C tables. In the USOBT and USOBX tables, the values are SAP standard values as shown in SU24.

With SU25 one can (initially) transfer the USOBT values to the USOBT_C table.

What is SU24 Concept

November 20, 2017   Authorization, security, su24,
Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the relationships between the particular transaction and its authorization objects. It is possible to add or subtract the checks performed in the transaction by changing the appropriate flag.
• The benefit of transaction SU24 occurs when transactions are added to or deleted from Role Groups using the Profile Generator.
• When new transactions are added, the Profile Generator will add all authorization values maintained in SU24 for the transaction(s).
• When a transaction is deleted, the Profile Generator will remove all authorization values that are maintained in SU24 for the transaction.
• Activities performed:
  ○ Check/Maintain Authorization Values
  ○ Addition of Authorization Object to tcode
  ○ Deletion of Authorization Object from tcode

Check Ind. | Proposal | Meaning | Explanation
Check | YS | Check/Maintained | The object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction.
Check | NO | Check | This object will not be inserted into the roles. A check on the object along with the values will be done during the runtime of the transaction.
Do not Check | NO | Do Not Check | The object will not be inserted into the roles and there will not be any check performed during runtime of the transaction.

Status Texts for authorizations
• Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.
• Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.
• Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.
• Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it was not proposed by the Profile Generator).

Effect of SU24 changes in Role Groups
• Authorization objects are maintained in SU24 for a particular transaction code. When a transaction code is added to a role, only the authorization objects maintained for that tcode with check indicator Check and proposal Yes are added to the role group.

1) Adding Tcodes to a role
When a new Tcode is added to a role
• When a new tcode is added to a role, going into either change authorization data or expert mode gives the same result. All the authorizations maintained for the tcode at SU24 level are added to the role.
• The program adds new standard authorizations for objects in the roles if the authorization default values contain objects that previously did not exist or only had authorizations in the status Changed or Manual.
• A new standard authorization is not included if the authorization fields contain identical authorizations in the status Standard in both authorizations, and the fields maintained in the old authorizations are empty in the new standard authorization.
If there were already authorizations in the status Maintained (active or inactive) or Inactive Standard before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether new standard authorizations must be extended.

Changing SU24 values for a tcode
If the authorization data is changed for any tcode in SU24 and the tcode is already present in the role, then going into expert mode with the option “read old data and compare with new data” will only reflect the additional changes. Change authorization data will not pull the new data for the tcode maintained at SU24 level.

2) Removing Tcodes from the role
When you remove transactions from the role menu, this has the following effect on the authorizations.
• A standard authorization for which the associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies both for active and inactive standard authorizations.
• Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.

RSUSR200 Report - List user according to system, validity, User type, lock status and logon attempts

November 19, 2017   lock attempts, logon status, report, RSUSR200, search by system id, user type, validity,



  1. Execute SA38 > RSUSR200
  2. There are many selection options. This screen shows that you can select by system
  3. You may also select by User Type
  4. Execute, and the report is displayed as below

Display a list of user's password status and lock status

November 18, 2017   RSUSR200, SUIM, user password status,

  1. Execute tcode RSUSR200, or
  2. Tcode SUIM > User > By Complex Selection Criteria > By Logon Date and Password change
  3. Enter a list of users.
  4. You will be able to see the details as below



User type (Dialog, system, communications, service, reference )

November 15, 2017   Authorization, security, su01, user type,

User Type

You can specify the following user types:
●      Dialog (A)
○       Individual system access (personalized)
○       It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
○       The system checks whether the password has expired or is initial.
○       The user can change his or her password himself or herself.
○       Multiple dialog logons are checked and, where appropriate, logged.
○       Purpose: for individual human users (including Internet users)
●      System (B)
○       System-related and internal system processes.
○       It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
○       The password change requirement does not apply to the passwords, that is, they cannot be initial or expired.
○       Only a user administrator can change the password.
○       Multiple logons are permissible.
○       Purpose: background processing and communication within a system (internal RFC calls) and between multiple systems (external RFC calls), for example RFC users for ALE, workflow, TMS, CUA.
●      Communications (C)
○       Individual system access (personalized)
○       It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
○       Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).
○       The user can change his or her password himself or herself.
○       Purpose: external RFC calls of individual human users.
●      Service (S)
○       Shared system access for a larger, anonymous group of users.  Assign only very restricted authorizations for this user type.
○       It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
○       During a log on, the system does not check whether the password has expired or is initial.
○       Only a user administrator can change the password.
○       Multiple logons are permissible.
○       Purpose: Anonymous system access (such as for public Web services). After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.
●      Reference (L)
○       It is not possible to log on to the system.
○       User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.
You should be very cautious when creating reference users.
■       If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.
■       We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.
■       We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.

Change SAP* password and default password

November 13, 2017   Authorization, password, SAP*, security,
Changing the default password for the SAP* user
You are trying to change the password for the SAP* user, but when you go into SU01 and enter SAP* as the user name, the message "user SAP* does not exist" is displayed.
You can delete the SAP* user using ABAP code:
Delete from usr02 where bname = 'SAP*' and mandt = '**';
Here '**' stands for your client number.
Then log in to your client using user SAP* and password PASS.
However, if you delete it, it is automatically created once again with password PASS.
The userid, SAP*, is delivered with SAP and is available in clients 000 and 001 after the initial installation. In these 2 clients, the default password is 07061992 (which is, by the way, the initial date when R/3 came into being...). It is given the SAP_ALL user profile and is assigned to the Super user group.
When I say it is "delivered" with SAP, I mean that the userid resides in the SAP database; there are actually rows in the user tables used to define userids.
If you delete the userid, SAP*, from the database, SAP has this userid defined in its kernel (the SAP executable code that sits at the operating system level, i.e., disp+work). When this situation exists, the password defined in the SAP code for SAP* is PASS.
This is necessary when you are performing client copies for example, as the user information is copied at the end of the process.
You can sign into the client you are creating while a client copy is processing using SAP* with password PASS (but you should have a good reason to do this - don't change anything while it's running).
Anyway, if the SAP* userid is missing, you can sign in to the client you want and simply define it using transaction SU01 and, as I stated above, assign it to the SUPER user group and give it the SAP_ALL profile. You define its initial password at this point. If you've forgotten its password and don't have a userid with sufficient authorization to create/change/delete userid, then you can use the SQL statements to delete it from the database and then you can use SAP* with PASS to sign back into the client you want to define it in and recreate it.
There is also a profile parameter which can override the use of SAP* with PASS to close this security hole in SAP (login/no_automatic_user_sapstar). When this parameter is defined either in your DEFAULT.PFL profile or the instance-specific profile and is set to a value of '1', then the automatic use of SAP* is deactivated. The only way to reactivate the kernel-defined SAP* userid at this point would be to stop SAP, change this parameter to a value of 0 (zero), and then restart SAP.
The default password for SAP is 06071992. (DDIC has 19920706*)
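
A way to check the login/no_automatic_user_sapstar setting described above from copies of the profile files, as an added example that is not part of the original post. It assumes the usual "name = value" profile syntax with "#" comment lines and that the instance profile overrides DEFAULT.PFL; the profile contents shown are constructed.

```python
# Added example: report the effective login/no_automatic_user_sapstar value.
# The profile text below is constructed; in practice, read DEFAULT.PFL and
# the instance profile from the system's profile directory.

PARAM = "login/no_automatic_user_sapstar"

SAMPLE_DEFAULT_PFL = """\
# constructed DEFAULT.PFL excerpt
SAPSYSTEMNAME = XYZ
login/no_automatic_user_sapstar = 1
"""

SAMPLE_INSTANCE_PROFILE = """\
# constructed instance profile excerpt that weakens the default
login/no_automatic_user_sapstar = 0
"""


def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_value(default_pfl, instance_profile, name=PARAM):
    """Instance profile overrides DEFAULT.PFL; None if set in neither."""
    merged = parse_profile(default_pfl)
    merged.update(parse_profile(instance_profile))
    return merged.get(name)


def sapstar_status(default_pfl, instance_profile):
    """Classify the setting the way a configuration review would."""
    value = effective_value(default_pfl, instance_profile)
    if value is None:
        return "NOT SET: kernel default applies, set the parameter explicitly"
    if value == "1":
        return "OK: automatic use of SAP* with PASS is deactivated"
    return (f"RISK: value {value!r} allows SAP* with PASS "
            "whenever the SAP* record is missing from the client")


if __name__ == "__main__":
    print(sapstar_status(SAMPLE_DEFAULT_PFL, SAMPLE_INSTANCE_PROFILE))
    print(sapstar_status(SAMPLE_DEFAULT_PFL, ""))
```

Because the parameter only takes effect at restart, the value in the files and the value the running instance uses can differ until SAP has been restarted.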

Create role with display mode only ACTVT 03

November 10, 2017   display, pfcg,
  1. Tcode PFCG
  2. Enter the role name
  3. Role > Download
  4. Now open the *.SAP file which you have downloaded and edit it with Notepad.
  5. Search for ACTVT, then change all the values (*, 01, 02, etc.) to 03 only
  6. Save and upload the file back using PFCG

ST01 trace file delete

November 08, 2017   st01, trace,

  • The ST01 trace file can only be deleted at OS level.
  • Delete the trace file and it will be created again the next time you activate the trace.

    Check GRC 10 error log using SLG1

    November 06, 2017   error log, grc 10, SLG1,

    1. Execute SLG1
    2. Enter GRAC or GRFN and you will be able to see the application log



    Useful field name when you perform SUIM or display data from AGR_1251

    November 05, 2017   field description, field name,
    Field description                   Field name
    Account type                        KOART
    Company code                        BUKRS
    Cost element                        KSTAR
    Distribution channel                VTWEG
    Division                            SPART
    Operating concern                   ERKRS
    Plant                               WERKS
    Profit center                       PRCTR
    Purchasing group                    EKGRP
    Purchasing organization             EKORG
    Sales group                         VKGRP
    Sales office                        VKBUR
    Sales organization                  VKORG
    Shipping point                      VSTEL
    Warehouse number / warehouse c      LGNUM
    Valuation area                      BWKEY
    Business Area                       GSBER
    Maintenance Planning Plant          IWERK
    Credit control area                 KKBER
    Controlling Area                    KOKRS
    Cost Center                         KOSTL
    Storage Type                        LGTYP
    Personnel Area                      PERSA
    Plan Version                        PLVAR
    Maintenance Plant                   SWERK
    Transportation planning point       TPLST
    MRP Controller                      DISPO
    Release Code                        FRGCO
    Condition type                      KSCHL
    Chart of Accounts                   KTOPL
    Release Group                       FRGGR
    STORAGE LOCATION (object)           LGORT
    WORK CENTER                         ARBPL
    Consolidation Unit                  BUNIT
    Bom (authorization group)           BEGRU
    ORDER TYPE                          AUART

    Determine / Find / Check - GRC 5.3 Support pack and patch version

    November 03, 2017   Authorization, check, grc 5.3, jspm, patch, security, support pack, version,
    Three ways to find the support pack and patch version for GRC 5.3

    Option 1 (via GRC CUP)


    1. Launch GRC via http://testgrc.amd.com/AE/index.jsp
    2. Click About
    3. This is SP 19 patch 7

    Option 2 (via System Info)



    1. Launch system info > http://test.amd.com/sap/monitoring/SystemInfo
    2. Click All component
    3. VIRAE is CUP, and this screen shows it is running SP 19 patch 9
    Option 3 (via JSPM - ask basis for help)




    1. Launch JSPM from \usr\sap\ED7\JC00\j2ee\JSPM\go.bat
    2. Enter SDM password
    3. Click Deployed components tab



    GRC 10 - Repository Sync failed with error "No more storage space available"

    November 01, 2017   Authorization, grc 10, repository sync, security,
    When you run repository sync from
    SPRO > GRC > AC > Sync Job > Repository Object Synch > Run in foreground

    You will get below error:
    Program for Repository User Synchronization


    Processing for connector GRCTEST210
    Starting user synchronization for connector GRCTEST210.
    Error in GRCTEST210; Reason Error in RFC; 'No more storage space available for
    User sync failed with errors

    Repository Object sync job failed with errors
    Please check SLG1 for further details

    ----------------------------------------
    For the Fix: Implement patch GRC 10 SP 10



    Note 1590847 - User Sync failing with error No more storage space available




    Symptom
    User sync is failing with the following error "No more storage space available"

    Other terms
    Repository, Access Control 10.0, /GRCPI/GRIA_USR_LIST_IN_PERNR, User Sync

    Reason and Prerequisites
    Program Error

    Solution
    Kindly implement the attached correction instruction in the plugin system to resolve the issue.
    Please run the User sync in Full mode after implementing the corrections.





    Correction delivered in Support Package
    GRCPINW
    V1000_700
    SAPK-10305INGRCPINW
