SAP Community - Security

Restriction of transaction code

2024-03-21T12:07:52.029000+01:00

We are localizing an authorization and role for support users when functional test the transaction codes there were data's that can view globally.

We understand that not all transaction code has the restriction for organization level.

Sample is for tcode OBY6 functional can see data from other countries and we have checked in Su24 there is no auth obj being pulled and one is for SE16 we understand that this can be limit only based on the table auth group.

Is there a possibility to restrict certain transaction codes on specific country only? These involved mostly with IT Support tcodes?

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

using iFrame in Learning Module

2024-03-21T17:32:46.506000+01:00

Hello community,

Considering the issue of third-party cookie deprecation (https://d.dam.sap.com/a/s3hKB1L/Third%20Party%20Cookies%20Frequently%20Asked%20Questions.pdf?rc=10) and its impact on SAP SuccessFactors, I'm curious about the repercussions when using UI5 extensions (on BTP) embedded within iframes in the LMS. Would linking to open in a new tab address this problem? Are there any other impacts we should be aware of?

Thanks,

Anderson

No SAML2 SSO authentification among different SAP system with NWBC

2024-03-28T23:02:45.405000+01:00

Hello,

Please find the description of the issue :

When I first connect to SAP system SID1 with NWBC, I am going through the SAML2 workflow authentification, then when I am connecting to another system SID2, I am again asked to go through the SAML2 workflow authentification.

When I am reproducing the same in a web browser, connecting first to https://sapsid1.domain/sap/bc/ui2/nwbc/ with SAML2 workflow authentification, and secondly connecting to https://sapsid2.domain/sap/bc/ui2/nwbc/ , I don't need to authenticate again for SID2 as the MYSAPSSO2 cookie is shared between both (If my understanding is right).

Could you please help us understand this difference of behavior between NWBC and a web browser ? How can I have this "unique" authentification in NWBC like the one in the browser ?

Thanks for your help,

Anthony

To find out and analyze what tables and programs user accessed past 6 months using which roles.

2024-04-04T10:56:43.959000+02:00

we are trying to restrict S_PROGRAM with * value

To find out and analyze what tables and programs user accessed past 6 months.

1. we have checked the program/table usage via SM20 logs for users but is there any way to check in S/4 system for program/table usage of user through which role it is being accessed through any other standard tcode /reports?

2.If we have any other possible way to get the program/table usage of users and through which role it is being accessed through any GRC standard tcode/report?

hey team, can i know how to see the security events logs of sap hana..

2024-04-08T15:11:19.182000+02:00

I have refered https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094#jive_content_id_List_of_events

but its about 2014, I m receiving different logs.. how can i get information from my new logs.. or is there any updation you have?

Format file audit

2024-04-08T17:49:52.007000+02:00

For more clarity

2024-04-09T12:21:58.206000+02:00

Hi Sandra,

Thank u for this deep explanation, I need more clarity on some areas

5: Entry type
- "q" = DDIC structure RSAUENTR2 version 1 without field SLGLTRM2
- "2" = DDIC structure RSAUENTR2 version 2 including field SLGLTRM2
- "5" = variable length record
you have mentioned 5 as a variable length.. which length does it holds?? bcoz i m clear with other things like length of user+username

what is 0000 - length of ?? + ?? . This u have mentioned.. what is the meaning of that?

And in this doc, https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...

every field has a defined length ,but u have here described with variable lengths, does this occurs in the latest version of sap?? Bcoz in this doc,its mentioned as

variable message has 64 bits,program has 40 like that.. and follows an order.. and here is there any order.. if possible can u provide a table like this.. so that i would be more helpful

FieldSub-fieldLengthDescription

SLGTYPE			SysLog: LIKE structure RSLGETYP
	SLGFTYP	1	Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2
	AREA	2	Message area
	SUBID	1	Message name
SLGDATTIM			Time stamp (CHAR 16)
	DATE	8	Date in format YYYYMMDD
	TIME	6	Time in format hhmmss
	DUMMY	2	not used
SLGPROC			SysLog: LIKE RSLGPID structure
	UNIXPID	5	Process ID
	TASKTNO	5	Task
	SLGTTYP	2	Process type (short form)
SLGLTRM		8	Terminal name (truncated)
SLGUSER		12	User name
SLGTC		20	Transaction
SLGREPNA		40	Program
SLGMAND		3	Client
SLGMODE		1	External mode of an SAP dialog
SLGDATA		64	Variable message data
SLGLTRM2		20	Terminal name (continued), only available if SLGFTYP=2

S/4HANA Cloud Public Edition - Security

2024-04-11T17:00:34.342000+02:00

Hi Experts,

S/4HANA Cloud Public Edition is offered as a SaaS application. This collects that access to S/4HANA Cloud Public Edition is possible from any location and from any device.

Apart from the discussion about this from a security perspective, I am curious about the technical possibilities to limit this to 'Our Customer' defined “trusted locations” based on conditional access rules such as countries, regions, external IP address of subnet, device, etc.?

What are the possibilities here?

Thanks in advance!

SAP Business One 10 Vulnerabilities

2024-04-15T08:18:48.701000+02:00

Dear all,

One of our customers need to know if it is affected by some vulnerabilities detected during an audit process.

This are the main points:

Apache Log4j SEoL (<=1.x) – The plug in provides this finding as proof of vulnerability:
2. Questions: Are the servers using SAP Business objects 4.0 and if so can it be upgraded to 4.2 or 4.3 as referenced here: Solved: How is BO impacted by Log4j vulnerability? - SAP Community

i. If not using this library file, can it be deleted?

ASP.NET Core SEoL – The plug in has found multiple EOL version of ASP.NET core including 2.0.13103.0, 2.2.8, 3.1.29
1. Is SAP using these ASP.NET versions? If so can ASP.NET be upgraded independently of any SAP software (BusinessOne or Business Objects Enterprise)?
Microsoft.NET Core SEoL - The plug in has found multiple EOL version of .NET core including 10.16.5115, 1.1.13.1809, 2.0.9.26615, 2.2.8.28209, 3.1.29.31617
1. Is SAP using these ASP.NET versions? If so can .NET be upgraded independently of any SAP software (BusinessOne or Business Objects Enterprise)?
Apache 2.4.x < 2.4.58 Multiple Vulnerabilities – The plug in provides this finding as proof of vulnerability:
2. Can Apache be upgraded independent of SAP Business One?

For the first point (Log4j), we have the 3 SAP notes that help us to know the affectation of the vulnerability detected in the following SAP Forum link:

https://community.sap.com/t5/technology-q-a/how-is-bo-impacted-by-log4j-vulnerability/qaq-p/12651273

I need to know if there are any specific information regarding points 2, 3 and 4.

Kind regards,

Retire the SE16 in Production server

2024-05-02T10:19:22.958000+02:00

There is issue with Tx. SE16. Our management want to disable the use of Tx SE16 in Production environment.

We already restricted through authorization but remove the possibilities for accidental assignment . Please share the possibilities how should we proceed.

SAP Profile Generation "Merge" function

2024-05-28T20:09:50.139000+02:00

recently I started noticing that in S/4 the Export Mode of the profile generator is behaving differently than it used to in legacy ABAP environments or ever older HANA environments, but am being told my SAP Support that this is perfectly normal behavior in my OSS request.

If it is then I cannot for the life or me understand how I missed seeing this for the last 20 years and would like some community input.

Issue:
have a role that has already been built via standard security process adding the Tcode to the role menu and then using the profile generator in export mode to "edit old status and merge with new" option.

When using that option now I am noticing that it is now taking "Active" standard authorization objects and if they match an inactive standard object it is merging the active ones into the inactive ones thus disabling the object and turning off the access for the user.

We only started noticing this when users started complaining that they were losing access in our productive environment and we went back to development and compared it to our sandbox system and noticed auth_object numbers were missing in development but were there in sandbox and the missing objects were now combined into one big disabled object.

so to correct this I used the "add authorization defaults" from the parent tree of the authorization values and added back the auth_objs and values for the Tcodes I wanted active and saved the role to turn them back on.
The tcode started working again with only the authorization objects allowed so that other access was not given inadvertently.

Then just to see if it was a fluke I used my expert mode again and to my surprise it again merged all of my active objects into inactive objects thus disabling the access again.

Finally just to see if the whole merge process worked like this i re-added my required objects which made them active, then selected the "merge" option under the authorization parent and ONLY the ACTIVE objects that shared standard activity values merged. (this is what I expected and how it worked in legacy systems)

I saved the profile and backed out and then went back in and used "expert" mode and it then again combined all of my "Active" standard objects into the "Inactive" object, thus turning off access.

I tested this in a legacy system and it is not doing this using Expert mode there.

I opened up an OSS note and the reply from them was to link the document on how authorization object comparison works with the profile generator as the solution and them pretty much saying this is now working by design.

If this is now how the merge process works (taking active auths and combining them with inactive auths) then why would we every use the merge process in export mode every again and is there a way to disable/hide expert mode in the profile generator so that new security people do not accidentally disable productive access when it merges into a inactive object for some reason?

how do we get around the 100 object limitation in a profile if our only 2 options are to activate ALL similar Standard values (thus potentially granting access not required by the user for objects that are shared by the different Tcodes) or leaving the standard objects deactivated and then having to Manually add the ojects (big no no) OR go into SU24 and change SAP Standard values which would increase security work during upgrades and our SU25 process?

Thoughts? Anyone else seeing this issue (or in SAP's response) Non-issue?

Quality system | SU25 - Initially fill the Customer Table

2024-06-06T12:18:22.476000+02:00

Dear Team,

In our Quality system, we have implemented Fiori and we need to execute 'Initially fill the Customer Tables' in SU25 tcode as part rapid activation --> Is that mandatory to open the client to execute this as part rapid activation or we can make it through TR movement?

Regards,

Basis Team.

How to see visible entities as effective user?

2024-06-10T19:07:05.045000+02:00

Dear all,

I have a project where my user has highest privilages on API. I would like to call odata API to get a list of entities to simulate what would a certain user see, for example, list of job requisitions that target user would see. I understand there is `checkUserPermissions` which could help me, but i don't know how to use it in my case. Which specific parameters should I send to get list of job requisitions that user X can see?

I appreciate any help I can get.

HANA Design-Time HDI composite role

2024-06-11T13:42:12.804000+02:00

Hi,

I want to create a design-time HDI composite role using roles created in other HDI schemas. I use HANA XSA with SP7 and have containers A and B with schema roles, then I create container C with a composite role.

Add services in mta for A and B
Grant the roles of A and B via .hdbgrants to #OO of container C
add UPS service in mta and grant system privilege ROLE ADMIN via .hdbgrants to #OO of container C
Create composite role .hdbrole using schema_roles with the same roles of A and B. I can see and select the roles of A and B in the Role Editor.

The build of .hdbrole fails with "not authorized to access the referenced object" without a guid. I suspect because of absence "grantable to other" / with_admin_option for the roles in A, B in #OO of C.

#DI.GRANT_CONTAINER_SCHEMA_ROLES doesn't have a form with _WITH_GRANT_OPTION.

I don't want to use CATALOG roles because they are not transportable.

Does anyone know how to create a composite role right in XSA or HANA Cloud?

About SSL configuration of connectivity between DAA and Solman Java system

2024-06-19T05:05:36.539000+02:00

If the DAA connectivity requires encryption, where can we find the relevant documentation about SSL configuration.

CSP Error in UI API Extension in SAP B1 Webclient

2024-06-21T11:52:39.612000+02:00

Hello,

I'm on SAP Business One v10 FP2405 WebClient.
I'm trying to develop an UI API Extension (New framework available from FP2405 !) using the new vscode extension template.

I try to add an OnChange event on a text field which trigger a fetch request to an external API (https://api.insee.fr) .
When I make the fetch request I got the error form the browser in the console :

Refused to connect to 'https://api.insee.fr/entreprises/sirene/V3.11/siret/68682020000026' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

First of all in my manifest.json file I have the lines :

"allowedExternalURLs": "*",

"allowedServiceLayerAPIs": "*"

After analysing the issue, I made multiple attempts to correct it :

1- Add :

"default-src https://api.insee.fr ; connect-src https://api.insee.fr;"

to the CSP directives In the general setting in the Webclient

2- Use a browser extension to disable CSP

3- Disable web security in chrome with the cmd :

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\TmpChromeSession"

4- After digging more, I located the CSP directive in the HTML source code of the WebClient :

I tried to delete this meta Tag with the chrome developper tools but it didn't work .

So how to disable this CSP directive and allow Fetch calls to external API ?

Thank in advance.

Production system readonly

2024-06-24T10:31:32.683000+02:00

Hello Team

We are planning to migrate to s4/hana, so after migration some users might need to have access to the productive system to check historical data. So is there any possibility to start the database in read-only mode or how can we restrict users to make any changes in the system, they just need to view the data, how can we achieve this, please suggest on this.

Regards

IWSV service available in 'System A' but missing in 'System B' in USOBHASH table

2024-07-05T09:29:04.353000+02:00

For one of the fiori app, we see both IWSV and IWSG service entries available in USOBHASH table in DEV ('System A') system. However in our UAT system ('System B') entry for IWSV service is missing in USOBHASH table. Please help us with the steps to make it available in 'System B' too or please let us know if there is way to transport it.

T-code Remove from multiple roles in one short

2024-07-08T12:17:37.244000+02:00

Hi Team,

We want to removed T-code from multiples role in one short please suggest how to remove.

Regards

SNC name GRC access request - Two or More Domains

2024-07-16T13:24:06.165000+02:00

Dear Team,

Current Set Up: -

Currently we have an SNC name updated at below location.

Go to SPRO-->Governance, Risk and Compliance-->Access Control-->User Provisioning-->

Maintain End User Personalization-->Maintain EUP Fields-->We can customize the settings for SNC field here.

for example: -

p:#!#USERID#!#@xxxx.xxxxxx.xxx

New requirement: -

We have new domain added as for example " p:#!#USERID#!#@xxxxxxxxxxx.xxxxxxxxx.xxxxx " for new set of users.

Question A: -

Can this be added at the same location at " Go to SPRO-->Governance, Risk and Compliance-->Access Control-->User Provisioning-->

Maintain End User Personalization-->Maintain EUP Fields-->We can customize the settings for SNC field here " as: -

SNC name 1 = p:#!#USERID#!#@xxxx.xxxxxx.xxxx

SNC name 2 = p:#!#USERID#!#@xxxxxxxxxxx.xxxxxxxxx.xxxxxx

Is this valid entry ?

Question B: -

Is there a field which can be used to identifier or differentiator between user id's of domain 1 who should be updated with SNC name 1

And

Another set of user id's of domain 2 who should be updated with SNC name 2.

Thanks raj