Sunday, June 9, 2013

Security General Questions

QUESTION: 1) How do I assign selected transactions in a role? For example, in the role we have two transactions (T1, T2) and two users (U1, U2). I need to assign T1 and lock T2 for U1, and assign both T1 and T2 to U2.

2) We have two company codes, e.g. 1001 and 1002, and two users; one user needs access to both company codes and the other needs access to only one, and the access has to be given through the same role (one role) for both of them. How can we give access to or restrict company codes in one role?

3) If the SU53 screenshot does not give anything, then how will you find the solution? If there is no relevant role, then how?


4) In the SU53 screenshot there are missing authorizations. How do you come to know which roles are the relevant ones in which we have to add these objects? By decision, not SUIM.


5) Authorization issue. We had assigned company codes (BUKRS) in a range, for example 4000-4220; some company codes in between the range are working and some are not.
ANSWER: Localisation restriction can be done by assigning a derived role.

QUESTION: Can you tell me the use of the Cost Center and Accounting Number fields in the Logon data tab of transaction SU01?
ANSWER: This is used by companies to track the user accounts of subsidiary companies. Most of the time major companies will have some stake in organizations in other countries. They will also let them use the system. So they can put in the account number and charge them for the users, and also assign a cost center to track the costs by business area.

QUESTION: A user has reported a missing authorization in an object. The user has provided an SU53 screenshot. Without using SUIM, can we find out which roles the user has that contain that authorization object?
ANSWER: How about linking the two tables AGR_USERS and AGR_1251 using transaction SQVI? Then you can find the user ID field as well, along with the rest of the fields.
This will give you all the roles the user has which contain the authorization object shown by SU53.
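The SQVI join described in the answer above, written out as an added Python example (not code from the blog or from SAP) so the lookup can be tried offline: AGR_USERS rows give the role-to-user assignment and AGR_1251 rows give the authorization values per role; joining them on AGR_NAME answers "which of this user's roles carry the object from SU53" and, the other way round, "which roles and users have that object at all" for the case where none of the user's own roles contains it. All rows are constructed sample data; the column names follow the real tables, and F_BKPF_BUK is a standard SAP object chosen only for illustration.

```python
"""Added example, not code from the blog: a Python stand-in for the SQVI join of
AGR_USERS (role assignments) and AGR_1251 (role authorization data) that finds
the roles of a user containing the object shown in SU53. Rows are constructed."""
from collections import defaultdict

# AGR_USERS: role -> user assignment (constructed rows)
AGR_USERS = [
    {"AGR_NAME": "Z_FI_DISPLAY_1001", "UNAME": "U1"},
    {"AGR_NAME": "Z_BASIS_TABLES",    "UNAME": "U1"},
    {"AGR_NAME": "Z_FI_DISPLAY_ALL",  "UNAME": "U2"},
]

# AGR_1251: authorization values per role (object / field / low / high), constructed
AGR_1251 = [
    {"AGR_NAME": "Z_FI_DISPLAY_1001", "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT",     "LOW": "03",   "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY_1001", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS",     "LOW": "1001", "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY_ALL",  "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT",     "LOW": "03",   "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY_ALL",  "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS",     "LOW": "1001", "HIGH": "1002"},
    {"AGR_NAME": "Z_BASIS_TABLES",    "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT",     "LOW": "03",   "HIGH": ""},
    {"AGR_NAME": "Z_BASIS_TABLES",    "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "&NC&", "HIGH": ""},
]


def roles_with_object(user, auth_object):
    """Join AGR_USERS to AGR_1251 on AGR_NAME, keep the user's roles that carry
    the object, and return {role: {field: [(low, high), ...]}} so the admin can
    see which values each candidate role already maintains."""
    user_roles = {r["AGR_NAME"] for r in AGR_USERS if r["UNAME"] == user}
    result = defaultdict(lambda: defaultdict(list))
    for row in AGR_1251:
        if row["AGR_NAME"] in user_roles and row["OBJECT"] == auth_object:
            result[row["AGR_NAME"]][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    return {role: dict(fields) for role, fields in result.items()}


def roles_anywhere(auth_object):
    """Reverse lookup for the 'no relevant role' case: every role in AGR_1251
    that contains the object, with the users currently assigned to it."""
    roles = {row["AGR_NAME"] for row in AGR_1251 if row["OBJECT"] == auth_object}
    out = {}
    for r in AGR_USERS:
        if r["AGR_NAME"] in roles:
            out.setdefault(r["AGR_NAME"], []).append(r["UNAME"])
    return {role: sorted(users) for role, users in sorted(out.items())}


if __name__ == "__main__":
    # SU53 for user U1 reports object F_BKPF_BUK: which of U1's roles hold it?
    print(roles_with_object("U1", "F_BKPF_BUK"))
    # U2 has no role with S_TABU_DIS, so look at who does have it
    print(roles_with_object("U2", "S_TABU_DIS"), roles_anywhere("S_TABU_DIS"))
```

In a real system the same two-table join in SQVI returns the rows; the point of the second function is that an empty result from the first one is itself information (the object is in none of the user's roles, so a role has to be chosen or built rather than edited).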
QUESTION: Hi all, what is the use of the table TCDCOUPLES? What does it mean by calling transactions?
ANSWER: There are several t-codes which call further t-codes in a series.
Table TCDCOUPLES contains the list of t-codes in the form of caller t-code and called t-code, i.e. the t-code which calls another t-code and the t-code which is called by another t-code.
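To make the caller/called relationship concrete, here is an added Python example (not code from the blog) that walks TCDCOUPLES-style rows to list every transaction reachable from a starting t-code, following chains of calls and surviving a cycle. The rows and the t-code names ZT1 to ZT5 are constructed, and the column names CALLER and CALLED are an assumption about the table layout.

```python
"""Added example, not code from the blog: walking TCDCOUPLES-style caller/called
pairs to find the transactions reachable from a starting transaction. The rows,
the t-codes and the column names CALLER/CALLED are constructed for this example."""

# constructed caller -> called pairs in the shape of TCDCOUPLES rows
TCDCOUPLES = [
    {"CALLER": "ZT1", "CALLED": "ZT2"},
    {"CALLER": "ZT2", "CALLED": "ZT3"},
    {"CALLER": "ZT3", "CALLED": "ZT1"},  # a cycle, which the walk must survive
    {"CALLER": "ZT4", "CALLED": "ZT5"},
]


def called_by(tcode, rows=TCDCOUPLES):
    """Direct callees of one transaction, in table order."""
    return [r["CALLED"] for r in rows if r["CALLER"] == tcode]


def reachable(tcode, rows=TCDCOUPLES):
    """Every transaction reachable through chains of calls from tcode.
    Depth-first walk with a visited set, so a call cycle terminates; the start
    itself appears in the result only if some chain leads back to it."""
    seen, stack = set(), [tcode]
    while stack:
        current = stack.pop()
        for nxt in called_by(current, rows):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sorted(seen)


def callers_of(tcode, rows=TCDCOUPLES):
    """Reverse lookup: which transactions call the given one."""
    return sorted(r["CALLER"] for r in rows if r["CALLED"] == tcode)


if __name__ == "__main__":
    print(reachable("ZT1"))   # the whole cycle ZT1 -> ZT2 -> ZT3 -> ZT1
    print(reachable("ZT4"))   # only ZT5
    print(callers_of("ZT1"))  # ZT3 calls back into ZT1
```

Reviewing a role, the useful question is not just "which t-codes are in S_TCODE" but "which t-codes does each of them go on to call"; the reachability walk answers that from the table rows alone.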


QUESTION: Can anyone tell me the pre-implementation activities for SAP Security?
ANSWER:
QUESTION: What is the difference between a BW/BI and a SAP ECC system?
High-level ANSWER: On the purpose and target audience.
ANSWER: Gurus, I'm not having any real-time experience in SAP Security, looking for a break. Please ignore if my answer is wrong. 1) In ECC we work on t-codes, while in BI on reports and t-codes, i.e. user data (OLTP and OLAP). 2) Different authorization objects.
3) In BI we use RSA1, the workbench data dictionary, which is used to develop new things, and in ECC we use SPRO.

QUESTION: Is any table available where, for a particular t-code, I can see what org values are available, instead of going into PFCG every time and looking?
ANSWER: USOBT is the standard SAP table for default values of authorization fields in authorization objects for a t-code. Here no authorization values are maintained. Generally we change authorization values as per business rules and requirements.
USOBT_C is the table we generally deal with, as it is customer-specific.


QUESTION: What is information security?
ANSWER: Information security is the process of protecting information; it protects its availability, privacy, etc. In fact we can say it is protecting the business information.

QUESTION: Can anyone please tell me the table name to check in which systems a particular transport has been moved? I need to check this in one go for dev, quality or any other system.
There is one table, E070, but it is not useful for me, as it was showing changes only up to quality; the transport was moved to production but that did not show in the table.
I can check this in t-code SE01, but I need to do this for multiple transport requests in one go, to check for transport conflicts. Hope I'm clear with my query :)
ANSWER: E070 -> Change & Transport System: Header of Requests/Tasks
E070A -> Change & Transport System: Attributes of a Request
E070C -> CTS: Source/Target Client of Requests/Task
E070CREATE -> Change & Transport System: Creation Date of Request
E070DEP -> Change & Transport System: Dependencies of Requests


QUESTION: Can you tell me a situation where the service ID was helpful?
ANSWER: This should be good in the case of a firecall or firefighter ID, to keep only one fixed password while restricting its validity date, so that the system will not ask for a password change.
A service user is also used as an FFID in SPM. Reason: multiple logins are possible (but not at the same time) and the licensing cost will be low.

QUESTION: Can anyone tell me about the CRM WebUI and the t-code for ACE (Access Control Engine) to assign user groups?
I don't want to go through SPRO; I need to check a direct t-code and, if possible, the basic difference between R/3 role management and the CRM Web UI concept (for CRM 7.0).
ANSWER: T-code crmc_ui_nblinks, I think.

QUESTION: How to classify the users by license type? What will be the criteria used for the classification?
ANSWER:

QUESTION: Has anyone maintained table PRGN_CUST?
ANSWER:

QUESTION:
"Disable Rules. A number of transactions were not included that have SOD conflicts with other transactions. In addition, some additional SOD rules for transactions, that have other conflicts configured in the system, have conflicts with additional transactions. In order for the GRC RAR module to be used for SOD testing as part of organization's annual Sarbanes Oxley (SOX) control testing; these rules need to be incorporated into the overall GRC RAR rule set."
Could anyone provide any suggestion on how to approach this issue?
ANSWER:

QUESTION: Can anybody tell me which combination of authorization object and authorization field value (activity) is required to create, release and delete a transport request?
ANSWER: The system-specific authorization objects S_CTS_SADM and S_SYS_RWBO are enhancements of the non-system-specific authorization objects S_CTS_ADMI and S_TRANSPRT. For compatibility reasons, the system-specific authorizations only come into effect if the user has not been granted the required rights from S_CTS_ADMI or S_TRANSPRT. However, the display authorization S_TRANSPRT must always be given.
QUESTION: What are critical authorization objects in bi?
ANSWER: s_rs_comp and s_rs_comp1

QUESTION: During implementation, apart from doing unit tests and integration 1 and 2, is it necessary to do negative testing? What is the exact meaning of negative testing? Is there any difference from integration 1 and 2?
ANSWER:

QUESTION: Why do you sometimes face a blank screen while doing a trace in t-code ST01, though we have done all the pre-steps (trace on, check all options, give the user name in the filter option)?
What are the various return codes in ST01 and what do they mean? Which of the values below are true for ST01 return codes?

RC=0 Auth check successful
RC=4 Reqd auth for the auth object is not available in user master record
RC=12 No auth for the auth object is available.

0 = Authorisation check passed 
1 = No authorisation 
2 = Too many parameters for authorisation check 
3 = Object not contained in user buffer 
4 = No profile contained in user buffer 
6 = Authorisation check incorrect 
7/8/9 = Invalid user buffer
ANSWER: A trace is always better! It would show step by step the access to authorization objects. SU53 can't confirm a missing authorization; by trace it's possible.

QUESTION: In transaction F.13 there is a select GL account option. What should we do if I want a specific user to access a specific GL account? Right now everyone can access every GL account.
Please advise how to restrict specific users to accessing specific GL accounts.
ANSWER: The transaction F.13 is related to authorization objects with the fields 'company codes' and 'account types'. So you can restrict the user with respect to company code as well as account type. In particular, in account type you can restrict to a particular account type along with the corresponding activity, e.g. display, change etc., as required.

QUESTION: Can anyone tell the procedure for running a custom program? What I mean is, how is this custom table or t-code linked with a custom object, and how to run this program?
ANSWER:
You have to include an AUTHORITY-CHECK statement in the custom program which checks for the custom security authorization object. Let's say, for example, your object is ZABC_PLANT:

AUTHORITY-CHECK OBJECT 'ZABC_PLANT'
  ID 'ACTVT' FIELD '03'
  ID 'WERKS' FIELD ls_t001w-werks.
IF sy-subrc <> 0.
  MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
                          'access plant'
                          ls_t001w-werks.
ENDIF.
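How the AUTHORITY-CHECK above is actually decided, and how the derived-role answer to questions 2 and 5 at the top of the page (one master role, different company codes per child) feeds into it, is easier to see in a small model. The following is an added Python example, not code from the blog or from SAP: it builds a user buffer from a master role and two derived roles, then evaluates a check against it with the same sy-subrc outcomes as the ABAP statement (0 passed, 4 object present but no matching authorization, 12 object not in the buffer). ZABC_PLANT, WERKS, BUKRS, S_TABU_DIS and the values 1001, 1002 and 4000-4220 come from the page; F_BKPF_BUK is a standard SAP object used here for the company-code case; the role names, the set of org-level fields and the sample values are constructed.

```python
"""Added example, not code from the blog: a Python model of how AUTHORITY-CHECK
is evaluated against a user's buffer, with the buffer built from a master role
and two derived roles that differ only in org-level fields."""
from dataclasses import dataclass

# sy-subrc values AUTHORITY-CHECK returns (same meaning as RC in an ST01 trace)
RC_OK = 0               # all fields matched inside one authorization
RC_NO_AUTH = 4          # object is in the user buffer, but no authorization fits
RC_OBJECT_MISSING = 12  # user buffer holds no authorization for the object

# org-level fields, i.e. the ones a derived role overrides (constructed subset)
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}


@dataclass
class Authorization:
    obj: str
    fields: dict  # field name -> list of (low, high); high "" = single value, low "*" = all


@dataclass
class Role:
    name: str
    auths: list


def _field_ok(ranges, value):
    """One field passes if any maintained value or range covers the checked value.
    Ranges are compared as character strings, as SAP does, not as numbers."""
    for low, high in ranges:
        if low == "*":
            return True
        if high:
            if low <= value <= high:
                return True
        elif low == value:
            return True
    return False


def authority_check(user_buffer, obj, **wanted):
    """Mimic AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ... and return sy-subrc."""
    candidates = [a for a in user_buffer if a.obj == obj]
    if not candidates:
        return RC_OBJECT_MISSING
    for auth in candidates:
        # every field named in the check must pass inside the SAME authorization
        if all(_field_ok(auth.fields.get(f, []), v) for f, v in wanted.items()):
            return RC_OK
    return RC_NO_AUTH


def derive(master, child_name, org_values):
    """Build a derived role: everything is inherited from the master except the
    org-level fields, which take the child's own values."""
    auths = []
    for a in master.auths:
        fields = {
            f: org_values[f] if f in ORG_LEVEL_FIELDS and f in org_values else rngs
            for f, rngs in a.fields.items()
        }
        auths.append(Authorization(a.obj, fields))
    return Role(child_name, auths)


def user_buffer(*roles):
    """The user buffer is the union of the authorizations of all assigned roles."""
    return [a for r in roles for a in r.auths]


# constructed master role: display (03) in all company codes and all plants
MASTER = Role("Z_FI_DISPLAY", [
    Authorization("F_BKPF_BUK", {"ACTVT": [("03", "")], "BUKRS": [("*", "")]}),
    Authorization("ZABC_PLANT", {"ACTVT": [("03", "")], "WERKS": [("*", "")]}),
])
# derived roles for the two users: U1 gets one company code and one plant,
# U2 gets both company codes plus the 4000-4220 range and keeps WERKS '*'
D_1001 = derive(MASTER, "Z_FI_DISPLAY_1001", {"BUKRS": [("1001", "")], "WERKS": [("1000", "")]})
D_BOTH = derive(MASTER, "Z_FI_DISPLAY_ALL", {"BUKRS": [("1001", "1002"), ("4000", "4220")]})

U1 = user_buffer(D_1001)
U2 = user_buffer(D_BOTH)

if __name__ == "__main__":
    print(authority_check(U1, "F_BKPF_BUK", ACTVT="03", BUKRS="1001"))       # 0
    print(authority_check(U1, "F_BKPF_BUK", ACTVT="03", BUKRS="1002"))       # 4
    print(authority_check(U2, "F_BKPF_BUK", ACTVT="03", BUKRS="4100"))       # 0
    print(authority_check(U1, "ZABC_PLANT", ACTVT="03", WERKS="1000"))       # 0
    print(authority_check(U1, "S_TABU_DIS", ACTVT="02", DICBERCLS="&NC&"))   # 12
```

Two details the ABAP statement hides are visible here: all fields of one check must be satisfied by the same authorization instance (a role with ACTVT 03 in one authorization and the right BUKRS in another does not pass), and a return code of 4 versus 12 tells you whether the object is in the buffer at all, which is the distinction the ST01 return codes above are about.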


QUESTION: Can anyone tell how to trace and rectify issues in CUP and RAR?
ANSWER:

QUESTION: Can anyone give examples of false positives and false negatives in GRC AC RAR?
QUESTION: I don't have an idea about the reference user. What is the use of it? Is it just for providing additional authorization? Can anyone tell what the exact use of a reference user is?
ANSWER: The exact use of a reference user is: when we cannot assign any more access to a user, i.e. the user's user buffer gets full, then we assign a reference user to that user in the Roles tab. There's a reference user field in the Roles tab. In this way a dialog user gets the additional access of a reference user. A reference user needs to be created with the Reference user type. The rest of the info is already provided here. Let me know if any more info is required.
ANSWER: We will use a reference user when a user is going on vacation: we will give his authorizations to this reference-type user for a limited period, so he can't access his authorizations until he comes back.

QUESTION: What are the issues faced by you in ERM and CUP after go-live?
QUESTION: Can we change single roles, objects and profile descriptions through mass maintenance of roles? If yes, how?
ANSWER:

QUESTION: What do the PRGN_STAT and TCODE_MOD tables consist of?
ANSWER:

QUESTION: Is it possible to assign two roles with different validity periods to a user in one shot through GRC? If yes, how?
ANSWER: Yes, it's possible. While creating an access request in CUP we can select one or more roles in one request and we can set the validity period for each role.

QUESTION: When does a profile become an 11-character string?
ANSWER: Not exactly 150. In my case I have seen that after 170 authorization objects in a role it will create a new profile after 171. :)

QUESTION: How will you control the GRC system if you have multiple rule sets activated?
ANSWER: We can set a default rule set in RAR --> Configuration --> Risk Analysis --> Default Values.

QUESTION: Is it possible to derive a role which does not have any t-code but has some manually entered authorization objects? If yes, how?
ANSWER: T-codes are also a part of authorization objects. We can definitely derive such roles. This concept is known as Value Roles.

QUESTION: Can we view the changes of a role, happened in PFCG, through GRC?
ANSWER: yes

QUESTION: What is the exact definition of the table USOBX and also USOBX_C?
ANSWER: The USOBX_C table contains the customized authorization objects which you are maintaining in user master records; that means whatever authorizations you are maintaining as yes/no for users, those authorizations will be stored in the USOBX_C table. The USOBX table contains the standard check indicators for the USOBT table.

QUESTION: What is the difference between Profile Generator Upgrade and SAP Load Generator?
And I also want to know when this SLG is used.
ANSWER: SGEN: you can use transaction SGEN to generate the ABAP loads of a number of programs, function groups, classes, and so on, as well as Business Server Page applications.

QUESTION: I have a query where I need to restrict users by Personnel Area.
This is for t-codes PHAP_ADMIN and PHAP_ADMIN_PA; these are HR t-codes and there are no org values for these t-codes to restrict on, only Plan Version is available.
Does anyone know of a possibility to restrict based on Personnel Area, or any object related to these t-codes that could be useful? Please let me know; as soon as possible would be better for resolving it.
ANSWER: P_ORGIN is the object you can use to restrict on personnel area. According to standard behaviour this object is checked for the t-codes PHAP_ADMIN and PHAP_ADMIN_PA; just change the proposal value for this object in SU24 to Yes and add it to the role, and you will be able to achieve restrictions on personnel area by maintaining P_ORGIN along with infotype restrictions. Also, personnel area is not an org-level field.

QUESTION: Sometimes I could see the below values for authorization group under the table maintenance object S_TABU_DIS:
Activity: 02
DICBERCLS: &NC& (Table Authorization Group)

What does &NC& mean? Does it mean no value is maintained?
Also, what is the meaning of # and ' '?
ANSWER: The value '&NC&' stands for "non-class", which means the table does not belong to any table class and is accessible by anyone. Without this value, even having the auth object S_TABU_DIS with the field DICBERCLS left blank, the table will not be accessible. From the security point of view, there should be certain authorization groups created via SE54, as the groups are dedicated to the legitimate users.
To give table authorizations to any user, we will give the change authorization through the S_TABU_DIS object with activity 02 and the authorization group &NC& (which is already assigned to the table).

' ' will give S_TABU_CLI (the cross-client access value should be 'X' to get change authorization) with the above object. Otherwise the user will not get the change authorization. With ' ' the user will not get the change authorization.
QUESTION: What is a business role in CRM security?
ANSWER: I just know that even if a user has SAP_ALL or SAP_NEW he cannot log in to the CRM system; there should be some business roles assigned. Business roles may be of many types, like service business role, sales business role, purchase business role, warehouse business role, etc. One more thing to remember is that we can also set a parameter in the user master record for this business role purpose.

Business roles mean an indirect assignment (org assignment) of positions to users through PPOMA_CRM.


QUESTION: Can anyone explain how to use the SPRO t-code?
QUESTION: As known, in SE16 if we enter TDDAT we can see the auth groups, and from there we can see the tables available for the auth group.
Is there any way to see all the tables at one time in SE16?
ANSWER: SE15; I suggest you do R&D on that. This t-code is very helpful in finding tables for a particular field.
DD02L: where we can see the list of all the tables.

QUESTION: Can anyone explain RZ10 and RZ11 in detail?
ANSWER: RZ11 is used to view system profile parameters and RZ10 is mainly for profile maintenance. For more details refer to ADM100.
Note: does anyone have the ADM955 SAP GRC Access Control document?

QUESTION: What is the alternative t-code for PFCG?
ANSWER: It is UG_BW_PFCG.
There are alternative t-codes to PFCG. I don't have system access right now to give the right t-code, but it starts with OY. For example, OY27 and OY28 invoke transaction code SU01; in a similar way you have one for PFCG.

