SAP Community - Security

Using BTP IPS, is it possible to read data from tables or else other function modules for ABAP ?

2024-02-01T13:41:54.167000+01:00

Hello All,

I would like to understand Using IPS, is it possible to read data from standard tables or else other function modules? I remember using SAP IDM ABAP connector it is possible to read data from tables as well as execute function modules apart from the standard BAPI_USER_CHANGE or RFC_READ_TABLE etc.,

My requirement is to execute RFC enabled BAPI calls like RFC_READ_TABLE/RSAU_READ_LOG and expose the data as the Proxy api. Currently i am able to connect SAP ABAP NW 7.5 system to IPS as a proxy and able to read the roles, users and perform provisioning activities related to user using the Proxy api's .

SU01 shows role assigned via position but the role does not appear in PO13

2024-02-07T17:01:21.183000+01:00

In SU01, the user appears to have certain roles assigned at the position level. However, in PO13 the position does not contain a relationship for this role.

Appgyver Platform

2024-02-19T16:27:35.208000+01:00

I have a problem to access the platform appgyver, since a week the site is showing a message about a security certificate expired, anyone can help me ?

SAP GSOAP VERSION DISCLOSURE VULNERABILITY

2024-02-20T10:38:32.337000+01:00

Hello,

We are facing security issue, SAP gsoap exposes its version information during network scanning,

Any ways to hide the version related information from SAP application ?

auth. object to restrict access to global data/ client level

2024-02-21T11:20:11.441000+01:00

An authorization object needs to be applied to several roles.

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

BAPI_USER_CHANGE under CUA environment

2024-03-01T10:33:58.265000+01:00

Hello SAP

We are trying to change user password by FM( BAPI_USER_CHANGE ). Our SAP system is running on CUA environment. We have checked restrictions of this FM under CUA. No special restriction were found.

I thought changing initial password will lead changing password of users on child system. Changing anohter item like first name & last name will lead to changing those of user on child system. However nothing happened as we expected. So we didn't specified target child system.

Why anything happen ? Is ther any restriction for Functional Module under CUA environment ?

How to change log retention period about User Change Documents in sap hana

2024-03-01T11:36:09.912000+01:00

Dear SAP,

I wonder if there is a way to change the log retention period for permissions and profile items that are output when inquiring user change documents through transaction SUIM.

Whether it can be easily changed through setting,
Please check if we need to develop a program that deletes data from a specific table and if there is any other way, please let us know.

The provided authorization grant is invalid

2024-03-05T08:27:15.492000+01:00

Hello everyone,

I am getting the error: The provided authorization grant is invalid. Exception was: There is no trust between entities and https://eu2.hana.ondemand.com/services in client 027

when entering the following parameters in BTP destination:

followed this tutorial blog:
https://community.sap.com/t5/customer-relationship-management-blogs-by-sap/configuring-oauth-2-0-between-sap-hybris-cloud-for-customer-and-sap-cloud/ba-p/13323502

How to request an Enhancement for SAP Security?

2024-03-11T18:15:51.602000+01:00

Hi I want to suggest an enhancement to SAP Standard security functionality (PFCG) I tried to use 2967362 - How to submit an enhancement request for On-Premise Products but you are foced to choose a product. There seems to be no way to submit an enhancement to basis technology functionality. How can I submit a request for enhancement?

I want to suggest to add functionality to allow security admins to lock a role so that it cannot be transported, and or lock a role for changes. This would help solve an old and pernicious problem for large teams / systems where roles are updated by multiple people more or less concurrently leading to lots of trouble.

Cheers,

Carl

SU01 account type

2024-03-13T09:26:05.242000+01:00

Dear Expert:

About su01 field "User Type", I confuse how to use.

For my current issue , other SAP system use (ALE and RFC) to communication . If I set User Type:Communication , it will face "Password logon not possible (Initial password expired) ".

I can set User Type: System , it work. For my current system use, just ALE & RFC. We wish No need change password , password nerver expired. Which User Type useful for my need ?

~~
Jeff

Restriction of transaction code

2024-03-21T12:07:52.029000+01:00

We are localizing an authorization and role for support users when functional test the transaction codes there were data's that can view globally.

We understand that not all transaction code has the restriction for organization level.

Sample is for tcode OBY6 functional can see data from other countries and we have checked in Su24 there is no auth obj being pulled and one is for SE16 we understand that this can be limit only based on the table auth group.

Is there a possibility to restrict certain transaction codes on specific country only? These involved mostly with IT Support tcodes?

using iFrame in Learning Module

2024-03-21T17:32:46.506000+01:00

Hello community,

Considering the issue of third-party cookie deprecation (https://d.dam.sap.com/a/s3hKB1L/Third%20Party%20Cookies%20Frequently%20Asked%20Questions.pdf?rc=10) and its impact on SAP SuccessFactors, I'm curious about the repercussions when using UI5 extensions (on BTP) embedded within iframes in the LMS. Would linking to open in a new tab address this problem? Are there any other impacts we should be aware of?

Thanks,

Anderson

No SAML2 SSO authentification among different SAP system with NWBC

2024-03-28T23:02:45.405000+01:00

Hello,

Please find the description of the issue :

When I first connect to SAP system SID1 with NWBC, I am going through the SAML2 workflow authentification, then when I am connecting to another system SID2, I am again asked to go through the SAML2 workflow authentification.

When I am reproducing the same in a web browser, connecting first to https://sapsid1.domain/sap/bc/ui2/nwbc/ with SAML2 workflow authentification, and secondly connecting to https://sapsid2.domain/sap/bc/ui2/nwbc/ , I don't need to authenticate again for SID2 as the MYSAPSSO2 cookie is shared between both (If my understanding is right).

Could you please help us understand this difference of behavior between NWBC and a web browser ? How can I have this "unique" authentification in NWBC like the one in the browser ?

Thanks for your help,

Anthony

To find out and analyze what tables and programs user accessed past 6 months using which roles.

2024-04-04T10:56:43.959000+02:00

we are trying to restrict S_PROGRAM with * value

To find out and analyze what tables and programs user accessed past 6 months.

1. we have checked the program/table usage via SM20 logs for users but is there any way to check in S/4 system for program/table usage of user through which role it is being accessed through any other standard tcode /reports?

2.If we have any other possible way to get the program/table usage of users and through which role it is being accessed through any GRC standard tcode/report?

hey team, can i know how to see the security events logs of sap hana..

2024-04-08T15:11:19.182000+02:00

I have refered https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094#jive_content_id_List_of_events

but its about 2014, I m receiving different logs.. how can i get information from my new logs.. or is there any updation you have?

Format file audit

2024-04-08T17:49:52.007000+02:00

For more clarity

2024-04-09T12:21:58.206000+02:00

Hi Sandra,

Thank u for this deep explanation, I need more clarity on some areas

5: Entry type
- "q" = DDIC structure RSAUENTR2 version 1 without field SLGLTRM2
- "2" = DDIC structure RSAUENTR2 version 2 including field SLGLTRM2
- "5" = variable length record
you have mentioned 5 as a variable length.. which length does it holds?? bcoz i m clear with other things like length of user+username

what is 0000 - length of ?? + ?? . This u have mentioned.. what is the meaning of that?

And in this doc, https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...

every field has a defined length ,but u have here described with variable lengths, does this occurs in the latest version of sap?? Bcoz in this doc,its mentioned as

variable message has 64 bits,program has 40 like that.. and follows an order.. and here is there any order.. if possible can u provide a table like this.. so that i would be more helpful

FieldSub-fieldLengthDescription

SLGTYPE			SysLog: LIKE structure RSLGETYP
	SLGFTYP	1	Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2
	AREA	2	Message area
	SUBID	1	Message name
SLGDATTIM			Time stamp (CHAR 16)
	DATE	8	Date in format YYYYMMDD
	TIME	6	Time in format hhmmss
	DUMMY	2	not used
SLGPROC			SysLog: LIKE RSLGPID structure
	UNIXPID	5	Process ID
	TASKTNO	5	Task
	SLGTTYP	2	Process type (short form)
SLGLTRM		8	Terminal name (truncated)
SLGUSER		12	User name
SLGTC		20	Transaction
SLGREPNA		40	Program
SLGMAND		3	Client
SLGMODE		1	External mode of an SAP dialog
SLGDATA		64	Variable message data
SLGLTRM2		20	Terminal name (continued), only available if SLGFTYP=2

S/4HANA Cloud Public Edition - Security

2024-04-11T17:00:34.342000+02:00

Hi Experts,

S/4HANA Cloud Public Edition is offered as a SaaS application. This collects that access to S/4HANA Cloud Public Edition is possible from any location and from any device.

Apart from the discussion about this from a security perspective, I am curious about the technical possibilities to limit this to 'Our Customer' defined “trusted locations” based on conditional access rules such as countries, regions, external IP address of subnet, device, etc.?

What are the possibilities here?

Thanks in advance!

SAP Business One 10 Vulnerabilities

2024-04-15T08:18:48.701000+02:00

Dear all,

One of our customers need to know if it is affected by some vulnerabilities detected during an audit process.

This are the main points:

Apache Log4j SEoL (<=1.x) – The plug in provides this finding as proof of vulnerability:
2. Questions: Are the servers using SAP Business objects 4.0 and if so can it be upgraded to 4.2 or 4.3 as referenced here: Solved: How is BO impacted by Log4j vulnerability? - SAP Community

i. If not using this library file, can it be deleted?

ASP.NET Core SEoL – The plug in has found multiple EOL version of ASP.NET core including 2.0.13103.0, 2.2.8, 3.1.29
1. Is SAP using these ASP.NET versions? If so can ASP.NET be upgraded independently of any SAP software (BusinessOne or Business Objects Enterprise)?
Microsoft.NET Core SEoL - The plug in has found multiple EOL version of .NET core including 10.16.5115, 1.1.13.1809, 2.0.9.26615, 2.2.8.28209, 3.1.29.31617
1. Is SAP using these ASP.NET versions? If so can .NET be upgraded independently of any SAP software (BusinessOne or Business Objects Enterprise)?
Apache 2.4.x < 2.4.58 Multiple Vulnerabilities – The plug in provides this finding as proof of vulnerability:
2. Can Apache be upgraded independent of SAP Business One?

For the first point (Log4j), we have the 3 SAP notes that help us to know the affectation of the vulnerability detected in the following SAP Forum link:

https://community.sap.com/t5/technology-q-a/how-is-bo-impacted-by-log4j-vulnerability/qaq-p/12651273

I need to know if there are any specific information regarding points 2, 3 and 4.

Kind regards,

Retire the SE16 in Production server

2024-05-02T10:19:22.958000+02:00

There is issue with Tx. SE16. Our management want to disable the use of Tx SE16 in Production environment.

We already restricted through authorization but remove the possibilities for accidental assignment . Please share the possibilities how should we proceed.