SAP SECURITY FAQs: 1.

Authorization Object S_Program is not active

I have received a request from business to add authorization object ZMXM with User Action as SUBMIT for Authorization Object S_Program. I have already manually added the required access to a given role in DEV and moved it to the QAS environment. The import on QAS was successful, but when I looked at the role in PFCG the Authorization Object S_Program is showing as inactive. I have repeated the transport process but still have the same issue. Also, I have cross-checked by adding another Authorization Object and it is showing active in the QAS environment. Is the problem with S_Program only? Could you please help me to solve this issue, as I have to revert back to business? I am working on version 4.6C of SAP with Oracle 10g.

SOL1:

1. Please check the object is activated in the QAS system (as this is a standard object, surely this should be activated): SU03 -> Authorization -> Activate

2. Please compare the entries of S_PROGRAM in DEV & QAS system which does work in table TADIR and TOBJ. Is anything missing or different?

SOL2:

I have found the table entries for S_Program in TADIR and TOBJ to be the same on DEV as well as on the QAS system. Also, the object is active for the particular role/profile in the SU03 transaction.

SOL3:

You might have saved and transported the role without generating the profiles.

Please follow the below points:

1. Deactivate the S_PROGRAM object, save & generate the profile.

2. Again activate the same object, enter the field values.

3. Save and generate the profile and transport the request.

Just check the changes and update me the status for further investigation.

Still not working.

UST04 inconsistency

I am facing an error in our existing system. I am getting an entry in table UST04 which comprises a profile and a user assigned to that profile. But when I go to SU01 to see the details of that particular user I get a message saying user does not exist. The user also does not exist in the table USR02. But this is very unlike SAP that I can see a user in UST04 and am unable to see the same in SU01 and table USR02. I have also executed a program named RSAUTHXPRA in order to synchronise USR* and UST* tables, but even that doesn't seem to be working. Need some help on this. Your help is highly appreciated. Thanks in advance. In anticipation of your reply.

SOL1:

Probably, program PFCG_TIME_DEPENDENCY is not scheduled in the system. You can try running this program or you can also run the same program through transaction PFUD. PFCG_TIME_DEPENDENCY does user comparison and removes invalid profiles. It is advisable to schedule this program to run at least once every day to clean up invalid profiles in your system. Please try this out.

What is a Test Script ??

Scenarios where role creation through SECATT would be helpful.

• If you go for mass derived role creation, like when you need to create the same role for different company codes or plants or some other org level (larger companies have many org levels and may need this kind of security setup), where all authorizations are the same and only the org level differs, then you have to create a huge number of roles. And if you have 10 roles each having 75 derivations then you need to create 750 roles. So this kind of script is really helpful and it will save lots of time.

Some security questions
==============================================================

SOL1:

I have one year experience in SAP Security and only two in Basis, so flame on. I swear I didn't use Google or any of my systems for reference!

1) When PFCG proposes 3 activities but you only want 2, how do you fix this?
Best answer is to modify your SU24 data.

2) What is the use of transaction PFUD at midnight?
Removes invalid profiles from user records.

3) Is PFUD needed when saving in SU01 and does the user need to log off and on again after changes?
PFUD is not needed and the user needs to log off and back on again.

4) How are web services represented in authorizations of users who are not logged on?
??

5) How do you force a user to change their password and on which grounds would you do so?
SU01 -> Logon Data tab -> Deactivate password. I am not sure on what grounds this would be necessary. I have never had to use it.

6) What is the difference between SU24 and SU22? What is "original data" in SU22 context?
SU22 you maintain authorization objects???? SU24 you maintain which authorization objects are checked in transactions and maintain the authorization proposals.

7) When an authorization check on S_BTCH_JOB fails, what happens?
"You do not have authorization to perform whatever operation you are trying to perform" message. HAHA

8) Can you have more than one set of org-level values in one role?
I might be misinterpreting this question. But yes. Depending on the transactions inserted into the role menu, you could have more than one org level to maintain: Purchasing Org and Plant, Sales Org and Sales Division.

9) Should RFC users have SAP_NEW and why?
No. Just insert the transactions and necessary authorization objects into a role. S_RFC for one.

10) What is an X-glueb command and where do you use it in SAP security?
???

11) What is the disadvantage of searching for AUTHORITY-CHECK statements in ABAP OO coding and how does SU53 deal with this?
Disadvantage? I can think of an advantage. My ABAPer shows me his programs and we work out what authority checks should be performed.

12) In which tables can you make customizing settings for the security administration and name one example of such a setting which is useful but not SAP default?
???

13) Can you use the information in SM20N to build roles and how?
You could, I guess. Not a good practice though. Build roles based on business processes.

14) If the system raises a message that authorizations are missing but you have SAP_ALL, what do you do?
Regenerate SAP_ALL, which reconciles new authorization objects from SAP_NEW.

15) Name any one security related SAP note and explain its purpose or solution.
Program Z_DEL_AGR to allow deletion of more than one role at a time. There is no mechanism in SAP to achieve this currently. Don't know the number off hand, but I was looking at it yesterday.

16) What are the two primary differences between a SAML token profile and a Logon ticket in SAP?
??? I know what these are but have no experience with it.