Security (Part-4) :-
Single Sign-On (SSO)
SAP GUI 3rd Party Tool (Keon)
HR Secure UID
HR Unsecure PIN
FI Secure PWD
SU01 (SNC) -> tab
What is single sign-on ?
1) Single sign-on, through which we create credential. Third party tool Eg: Keon, later on logon to SAP without entering any credentials.
2) We can even logon through internet using SSO.
3) SSO is represented in form of SNC (Secured Network Connection) string for the SNC String to be activated we need to configure certain DLL files at OS files.
4) Once we confirm DLL files then we need to go to SAPGUI, select one server, go to properties network and check the secure network settings and enter the SNC string.
We need to go to SU01 and check allow access for the string.
Steps to configure SSO
1) Go to OS services, select service NTLM security provider, change the start up type of the service from manual to automatic NT LM support provides.
2) Copy the GSSNTLM.DDL file to the dir on our central instance, i.e. /usr/SAP/SID/SYS/exe/run
3) Set the environment variable snc_lib to the location of the library.
4) Edit the central instance profile and set the toll parameters
/SNC/Data_protection/max = 1
/SNC/Data_protection/min = 1
/SNC/Data_protection/use = 1
/SNC/enable = 1
/SNC/Identity/as = P:/SID/sap service <SID>
Preparing SAP GUI for single Sign on
In SAP logon window choose edit -> advance/network Advance secure network communication
P:\<Domain Name>\sap service <SID>
Mapping sap system users to windows users for single sign-on
Go to SU01, choose SNC user uppercase to enter the name of windows user i.e. to assign to sap system user
P:\<Domain Name>\<User Name> and select insecure communication permitted and save our entries.
Central User Administration
Administering users centrally from one central system
CUA works with RFC’s.
Steps to Configure CUA
CUA works with RFC’s steps to config CUA.
1) Create logical systems to all the clients (using BD54/SALE)
2) Attach logical system to clients using SCC4
3) Create user CUA_SID in central system with 3 roles and create user CUA_SID_CLIENT <number>/name in child system with 2 roles.
4) Create RFCS to child systems from central and central to child using SM59
5) Log on to central system using SCUA to config CUA (Central User Admin)
6) Enter the model view and enter all child system RFC’s
Note: RFC naming convention must be same as central sys naming convention of logical system.
7) Save the entries
8) Once we expand test for individual systems we normally see the message for each system. ALE distribution was saved, central user admin activated and then comparison was started and should be in green.
Note: If any problem messages refer to sap note 333441 in market place.
9) User transaction SCUG in central system to perform the synchronization activities between the central and child system.
10) Use transaction SUCOMP to administer company address data.
Q) If all the users are locked mistakenly, how do we connect to SAP system ?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting to Oracle DB
Select * from <Application Server name>.USR02 where bname=’SAP*’;
Delete from <Application Server name>.USR02 where bname=’SAP*’;
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.
USR02 is a table in which all user master records are stored.
Killing SAP* will automatically recreate a user master record in USR02 table.
All security related activities like Creation of User accounts and Creation of roles which are normally performed using SU01 and PFCG can be done using portal.
In Portal administration there are two ways of maintaining users and roles information.
1) Accessing portal using an URL
2) Accessing portal using Active Directory Service
1) Any portal URL, the ports will be in the 50000 series.
2) For portal we need J2EE engine to be installed and no need of ABAP engine to run.
3) All roles are configured in active directory service which are related with only portal i.e. users need to enter travel expenses and file their timesheets using portal, then separate roles are provided which are related with portal. These roles provide access to users to display the screens as well as store the information in DB.
4) Some portal screens will be integrated with SAP system i.e. PROS. Instead of logging into SAP system we use the portal screens from which the user provide the inputs and gets automatically saved in SAP DB.
Problems in Portal
Problem 1) Global page missing
Check in Active Directory whether the user is been correctly added under the role which is considered as global
In active directory services we have 2 types of roles
1) Global roles -> Provide access for an user to login to portal i.e. for the initial screen to appear. They are classified based on region the user belongs to. For example: Africa, Europe etc.
2) Local Roles -> Provide access for certain T – Codes or activities which the user needs to perform. Eg: Time sheet filling, travel expenses. Local roles are categorized based on the location the user is situated. Eg: Country Wise IN, USA, AF
3) Every user who access portal must have one global role and ‘n’ of local roles.
Problem 2) User reports “Not able to access ESS”
Check the global role
Check the exact local role, assigned to a user
Problem 3) User reports “He us able to access other global screens instead of his own screen”
Find which global screens user is able to access.
Go to AD service and then to particular global role.
Edit the role and check if the user ID is been added to that particular role.
If it is added then remove the user ID and add the user ID to the correct global role and inform the user to restart his system in order to access new changes.
1) Assigning users using AD service is considered as a direct assignment where as assigning users using portal is considered as indirect assignment. This is similar to assigning users in SAP using PFCG (Direct assignment) and SU01 (Indirect Assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages are embedded in the software. Non-unicode is language specific.
3) The upgrade of SAP system from non-unicode to Unicode is possible whereas the other way is not. To achieve the transition from non-unicode to Unicode we need to have Non-Unicode export kernel CD and Unicode import kernel CD.
4) SU3 is the transaction code for maintaining user own data.
5) SCAT, T-code is used for running CATT scripts.
6) ACTVT field indicates the type of activity i.e. creates, change, generate and delete.
7) In PFCG transaction code, a profile indicates a unique identifier generated by system to identify a role.
8) Notation for parent role is Z> and for Child / Derived Role it is Z:
9) Any role starting with SAP_ or SAP defined roles, they should not be generated instead they are used as Templates, hence if we want to use any SAP role first copy a role to a customized role and generate it.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type Basic maintenance only whereas HR related roles and work flow related roles are of type complete view. By default the roles are of type basic maintenance.
12) Before we delete a role, it has to be added to a transport because these actions are performed in DEV system.
13) Profile names come by default if it has to be changed then it has to start with Z.
14) Color indications in authorizations
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.
Distribution of a role can be done using
-> Go to transaction code PFCG -> Menu tab -> Distribute button
-> Enter the target system i.e. an RFC connection needs to be created between source and target system.
-> This procedure is distributing the roles between source and target using RFC connections
-> If a role is being distributed to a target system only the structure is being copied and not authorizations. Hence we need to maintain the authorization for a role in the target system.