SAP Community - Security

How to check when the last execution of a transaction took place

2025-03-07T10:20:00.757000+01:00

There is a need to know how to find the last execution of a specific transaction code in the system.

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Security Vulnerability in SAP Crystal Reports for Eclipse (JAVA) SP31 - CVE-2024-21742

2025-03-07T17:40:42.576000+01:00

Hello

Regarding Crystal report for eclipse (java) - SP31;

Looks like there is vulnerability CVE-2024-21742 in file:

lib/xmlconnector.jar/lib/apache-mime4j-core-0.8.9.jar

version 0.8.10 and beyond does not have this vulnerability:
https://mvnrepository.com/artifact/org.apache.james/apache-mime4j-core

CVE details:
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.

Can someone confirm if this is effected by this CVE, and if so can this be a hotfix or new service pack?

Thank you!

Is there a way to compare multiple Roles Between Systems?

2025-03-17T11:24:49.019000+01:00

I am trying to find if the roles in our Development client are consistent with the Production client.

If I use the comparison tool found in SUIM (tcode: S_BCE_68001777) I can only select one role at a time.

I tried to create an ECATT script by I cannot bypass the log in to production step required by the transaction

Any ideas?

Mass maintenance of PFCG role menus

2025-03-18T09:14:23.388000+01:00

Hello all,

I want to delete transactions out of role menus via a mass maintenance. The known PFCGMASSVAL seems to be suitable only for authorization data, and not for entries in the role menu.

Does anyone have an idea if it is possible to do a mass maintenance of PFCG role menu entries?

Thanks in advance and best regards

Daniel

How to connect to GCP Storage Bucket provided with Handover files to transfer Backup to SAP Rise

2025-03-25T19:13:17.684000+01:00

How to connect to GCP Storage Bucket provided by SAP with Handover files to transfer Backup to SAP Rise

The purpose of this blog is to demonstrate how to connect to the GCP Bucket with the credentials provided by SAP via sharepoint through the files Handover "<sid><prefix-customer>_BROWNFIELD_CREDENTIALS.docx".

In this demonstration we will use an operating system SUSE Linux Enterprise Server 15 SP5.

Example of a file "<sid><prefix-customer>_BROWNFIELD_CREDENTIALS.docx".

Creating the .JSON file

Start by creating a .JSON file with the information contained in the file "_BROWNFIELD_CREDENTIALS.docx"

Copy the contents of the "JSON File Details" contained within the characters { }.

Example:

Paste into a notepad and save with the extension .json

Example:

Create a directory on the operating system from where you will transfer the backup and save the generated .json file. You can use the same directory for the next download and installation activities of the gsutil tool that will use this .json.

Installing of GSUTIL

Use this official documentation: https://cloud.google.com/storage/docs/gsutil_install?hl=pt-br#linux

Switch to the folder you created in the previous step with the command "cd".

Download:

curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz

Extract:

tar -xf google-cloud-cli-linux-x86_64.tar.gz

Installing:

./google-cloud-sdk/install.sh

You can use the default options during installation, in my case it was like this:

Log out and start a new session for the changes to take effect.

Register with the account contained in the .json

Use the command below changing it to the path of your .json file, you will have a result similar to the image.

gcloud auth activate-service-account --key-file=/gsutil/gcp-key1.json

Validate access to GCP Storage Bucket

Use the ls command to list the directories on your account.

Examples:

gsutil ls gs://sahecXXXtransferXXX01/

After the first copy just adjust the path to list sub directories

gsutil ls gs://sahecXXXtransferXXX01/HD4-21032025

In my case, I did not identify the account name, I had to ask the Project Lead because this information was not included in the brownfield file.

The list of bucket names should be returned with the command

gcloud storage ls --project=my-project

In the example below, I am listing the remote directory with a backup copy that I made.

Next, I will pass the command to execute a copy.

Copying your backup to GCP Bucket Storage

Run the command "gsutil -m cp -r SOURCE gs://TARGET/"

Example:

gsutil -m cp -r SOURCE-FOLDER-OF-YOUR-BACKUP gs://saheXXXtransferXX01/

After the copy is complete, you can list the files again with the command:

gsutil ls gs://sahecXXXtransferXXX01/HD4-21032025/

The -m parameter is used to copy files in parallel,
more details about advanced parameters can be found at this official link: https://cloud.google.com/sdk/gcloud/reference/storage/cp

In the example above, the 237GB copy took 2 hours, the speed will depend on the upload speed of your internet connection.

In the same example, I performed a HANA backup with a 20GB Split. This helps in case of a very large file failure so that you don't have to reprocess everything from the beginning.

After finishing, you just need to request a copy of the GCP Bucket backup to the /Migration directory, which is probably mounted on your Skeleton system database server. To do this, open the Service Request with the "Download Data from Cloud to Block Storage" template, providing details of the source and destination such as SID, hostname, IP, source and destination path.

Last Logon date not updated in SAP in USR02 table.

2025-03-27T09:09:40.153000+01:00

Hi SAP,

we have encountered an Audit issue where user when login in from SAPGUI, users login is getting recorded properly in USR02 table.
But when users are login in from Fiori or salesfore, etc. the login Records are not updating in table, though the users are having same SAP id.

Remove authorization value from multiple Authorization objects

2025-03-28T12:17:20.548000+01:00

Dear Team

we want to remove authorization value i.e. 23 from multiple "Authorization object" from multiple roles at a time

Required Guidance to Expose REST API Externally

2025-03-29T05:07:09.708000+01:00

Dear SAP Support Team,
We need to create and host two secure APIs in SAP to integrate with Bank for authentication and transaction processing. These APIs will facilitate automated authentication and transaction status updates between SAP and Bank, ensuring seamless, secure, and efficient communication.

Business Requirement:

Bank requires two endpoints:

Authentication API – Bank will send an authentication request to SAP, which should validate the credentials and return an authentication token. This token will then be used for further API interactions, eliminating the need for manual username/password entry.

Late Return Payment Status API – Bank will send encrypted status updates for late return payments via HTTPS. SAP must decrypt the request, validate the data, update the transaction status, and send a response.

These APIs must be externally accessible, enforce strong security mechanisms, and comply with banking and SAP security standards.

Technical Requirements:

Authentication Mechanism: The API should support automatic authentication and prevent unauthorized access. SBI should be able to call the authentication URL securely without requiring manual login like API URL.

Encryption & Security: Data should be encrypted in transit and at rest. Authentication and late return status updates should be processed securely using encryption, signature verification, and request integrity validation.

External Hosting Considerations: The URLs must be accessible externally with proper security controls.

Token Management: The authentication API should generate a secure token that SBI can use for further API requests to SAP.

Logging & Monitoring: All incoming API requests should be logged for audit purposes, and SAP should monitor API activity to detect anomalies.

Authentication API Flow:

BANK→ [HTTPS Request] → SAP (Authentication URL)

SAP → [Validate Credentials] → Internal Authentication Logic

SAP → [Generate Auth Token] → Internal Token Storage

SAP → [HTTPS Response with Token] →BANK

BANK → [Use Token for API Calls] → SAP Transactions

Late Return Payment Status API Flow:

BANK→ [HTTPS Request with Encrypted Data] → SAP (Late Return API URL)

SAP → [Decrypt Request] → Internal Processing

SAP → [Validate & Update Payment Status] → SAP Database

SAP → [HTTPS Response: Status Updated] →BANK

We need to securely expose two REST-based APIs in SAP for integration with SBI Bank using JSON over HTTPS. These APIs will handle authentication and transaction status updates.

Authentication API – Bank calls this API for authentication, and SAP responds with an authentication token.

Late Return Status API – Bank calls this API with encrypted late return payment status updates, which SAP decrypts, processes, and acknowledges.

Technical Details:

Data Format: JSON

Protocol: REST (HTTPS)

Authentication: Client certificate authentication (mutual TLS) and token-based authentication

Security: TLS 1.2/1.3, digital signature verification, IP whitelisting

SSL Certificate: Signed by a trusted CA (not self-signed)

Hosting: SAP should securely expose the APIs externally for Bank access

Request for Support:

1.What are the recommended SAP-supported approaches for hosting secure REST-based APIs?

2.Which SAP authentication mechanisms align best with mutual TLS and token-based authentication?

3.What SAP components and configurations are recommended for secure REST API exposure?

Looking forward to your expert guidance.

Duplicate role deletion from Users.

2025-03-31T17:43:12.856000+02:00

Dear Expert,

we have GRC System with our Production (SSP) system. as per the requirement users are aplly role from GRC System, but some most of the roles are duplicate in the system, is there any way to delete duplicate roles from the user automatically, there should be condition if the same roles are there if one roles are expired, can be delete, i.e. duplicate role need to verify and then delete old one, which is expired. if validity period of this role is expired, then role should be deleted.

please guide us can we do this on monthly basis from any background job which will be automated in GRC or in the system.

Thanks

Restrict the "Release" and "Pay" button in the App "Make Bank transfers"

2025-04-02T11:42:30.132000+02:00

Hi All,

I need to Restrict the "Release" and "Pay" button in the App "Make Bank transfers" in S/4 Hana Public cloud system. I don't see the restriction type related to this in the catalog.

Please advise me on the possible solution for this.

Regards,

Inchara BK

Inactive Objects to be maintained from SU24 without deleting within the role

2025-04-03T09:26:56.836000+02:00

Dear All,

We are facing a condition were we need to remove Inactive objects within the role. You can suggest us to delete or maintain it from SU24 with check indicator "NO". But either of the case is not acceptable and wanted to find if there is any new way for this.

For more clarification: We maintain an object S_SECPOL for SU01 in SU24 for Security team and added in Role1. But the same object might not be necessary for Basis (in rare Basis user maintenance access) and added in Role 2 with S_SECPOL inactive.

In this case for Role 2 we are not supposed to inactive S_SECPOL object either we cannot maintain check no for same transaction SU01 in SU24 as it might effect Role 1.

If there is any alternate, please suggest me.

Security

In IAS, if user is non-admin then he is not able to see the Privacy Policy document or Terms of use

2025-04-03T12:58:03.404000+02:00

In IAS, once a user (non-admin - usertype='employee') accept the consent, he is not able view it in IAS console., If IAS doesn't allow non-admin to view it in IAS console then is there a way(URL/api) thru which BTP application can pull this content from IAS and show it?

if we still want to let tenant users to revoke the accepted consent the only option with IAS is to load a new version so that, all users start seeing it and either accept/deny. It is sounding complex!!!

SAP IAS is handling authentication and consent management today, but it does not expose APIs for users to view or revoke consent, switching to SAP Enterprise Consent and Preference Management (ECPM) means we will need to manually enforce consent collection within your BTP application.

what is the overall guideline?

doubts with table USR40

2025-04-06T00:35:27.832000+02:00

Greetings, dear friends
I have a question: If wildcards are added to the USR40 table, would they directly impact existing users in the system? For example,
if an existing user has a password with the newly added wildcards, would they be forced to change their password?
Thank you.

Hi all "error": "IAS authentication is not 'ias'. It is: xsuaa. implementing the Build apps.

2025-04-07T09:31:10.096000+02:00

Hi all

I am developing an sap build app mobile application. I had done all the Instances and Subscriptions to my project. when I go to sap build lobby and to open the project, getting error that

 "error": "IAS authentication is not 'ias'. It is: xsuaa.

in btp cockpit security->users-> i found custom IAS tenent and checked all are ok but still getting the same error can any one help me to out.

How to find where OData service is coming from in the catalog.

2025-04-07T13:15:03.150000+02:00

Hi,

I have an OData service called R3TR IWSV UI_JOURNALENTRY_OTA_O2 0001 which I can see is being pulled into a catalog that I have built for display purposes, so no change access is permitted. This Odata is bringing in 01/02 access for F_MANDATE but the issue is I cannot find which App is bringing this into the catalog, as this needs to be removed or changed in SU24....but I cannot seem to figure out how to actually find where its originating from. I have checked the catalog for clues on the "Action" but all of the actions are listed as "Display". There are too many apps to start removing 1 by 1 to see which app is populated the S_SERVICE value.

Can someone provide some way of finding this? I have tried to check a way of mapping the application resource to S_SERVICE but sadly I came up empty.

Issue with GA SAP S/4HANA - Users Not Visible

2025-04-08T09:13:28.146000+02:00

Dear SAP community,

i have recieved an answer of a ticket:

"To check developers, you need to install SAP Note 3333812 in your development environment and execute that report."

This was helpful, but I can only see 4 developers listed, whereas the SAP measurements show that we have 9 developer licenses in the system.

Could you please clarify this discrepancy?
Additionally, could you provide more detailed guidance on how to identify the other users holding developer licenses?

Thanks in advanced

Best regards,

Feras

Deploy IDM component on PO system

2025-04-11T12:02:07.311000+02:00

Dear SAP,

Do we need license to deploy IDM component on PO (Process Orchestration) system? We have PO license.

Regards

How to bypass the SAML2 IdP selection screen for SAP NetWeaver ABAP

2025-04-14T16:20:34.793000+02:00

Hi,

Is it possible to bypass the SAML IDP selection page?

How do you ensure the SAML2 IDP is automatically selected?

Thanks and Best Regards.

Tool to secure HANA instances as per SAP checklists

2025-04-29T14:56:26.367000+02:00

Hello, I just wanted to get the word out that there is a free and open-source tool available to help securing HANA instances as per the SAP provided checklists. This should make it a whole lot easier with staying compliant and making sure that your HANA databases are configured as per SAP's recommended advice.

More information can be found at the introductory blogpost at: https://www.anvilsecure.com/blog/introducing-hanalyzer.html.

If this is not the right forum then please accept my apologies and let me know what forum this should be posted in.

Segragation of roles based on Organizational values

2025-05-09T06:54:20.391000+02:00

Hello!

How do you analyze/ check on the organizational values/ levels if the two businesses of the client are segragated? Any insights/comments will be much appreciated.

Thank you.