Search found 464 matches

by os
Sun Sep 10, 2017 4:40 pm
Forum: SAP Security
Topic: SAP Security assessment, role redesign & remediation costs
Replies: 2
Views: 4140

Re: SAP Security assessment, role redesign & remediation costs

Hi, Does anyone know of average costs associated with. a.) SAP Security assessments. (10K ?) b.) Role redesign. (500 to 700K ?) c.) SOD remediation. ( ?? ) also does anyone have templates on the same. what each one covers. at least the SAP security assessment one. regards Which currency are you usi...
by os
Sun Nov 15, 2015 5:22 pm
Forum: SAP Security
Topic: Verify Users in BW against ECC
Replies: 3
Views: 5626

Re: Verify Users in BW against ECC

Don't tell the auditors, but the J2EE supports "in memory" runtime users via SAML. So if you have a BI portal, you can authenticate and authorize the users at individual message level. There are also various "poor man's" solutions via logon tickets which require some infrastructure. "Clever woman's" ...
by os
Sun Nov 15, 2015 5:06 pm
Forum: SAP Security
Topic: LICENSE_ATTRIBUTES and assigning license to roles
Replies: 3
Views: 3861

Re: LICENSE_ATTRIBUTES and assigning license to roles

You must be careful with IDM in this case if you want to centrally evaluate the user license and write it back to the local classification. The User BAPIs don't support this attribute on all releases. Where it works wonders is with internal cost distribution. If you license by role assignment and cha...
by os
Wed Aug 06, 2014 4:33 pm
Forum: SAP Security
Topic: Initial Password
Replies: 3
Views: 3662

Re: Initial Password

If the UME is AD and logon ticket or SAML is sufficient for authentication, then best is to deactivate the password. The active password is the problem and you don't need it. If UME is the ABAP system, then you have some options via parameter login/password_change_for_SSO. But possibly you set the pa...
by os
Wed Aug 06, 2014 4:27 pm
Forum: SAP Security
Topic: frequency of batch job that creates stad files
Replies: 2
Views: 3990

Re: frequency of batch job that creates stad files

Have you considered asking the basis team, or are you the basis team?

Take a look at the buttons in transaction SM36...
by os
Wed Aug 06, 2014 4:23 pm
Forum: SAP Security
Topic: XD03 Search Help reveals too much info
Replies: 4
Views: 5225

Re: XD03 Search Help reveals too much info

Note that some BAPIs also offer this search help check and when you want a remote enabled search help, then you should use the FMs from FUGR BFHV. Often you find RFC users of type dialog and service because the search help is badly implemented as a dialog from the remote system. The caller can simpl...
by os
Wed Aug 06, 2014 4:15 pm
Forum: SAP Security
Topic: SOS
Replies: 3
Views: 3276

Re: SOS

There are a few BC and HR things which are hardcoded in several places in SAP programs and LDBs and a few also in the kernel now. That means that the check is not optional.
by os
Wed Jun 04, 2014 3:45 pm
Forum: SAP Security
Topic: XD03 Search Help reveals too much info
Replies: 4
Views: 5225

Re: XD03 Search Help reveals too much info

There is also a new configuration table which lets you execute your own functions within the search help. This is less intrusive than exits.

If your release is high enough and you debug the F4, then you will see it.
by os
Wed Jun 04, 2014 3:40 pm
Forum: SAP Security
Topic: Initial Password
Replies: 3
Views: 3662

Re: Initial Password

Yes.

ps: which release are you on?
by os
Thu Apr 03, 2014 4:52 pm
Forum: SAP Security
Topic: SOS
Replies: 3
Views: 3276

Re: SOS

In ST13 you can select SOS_CUSTOMER_DATA with flag "SAP Data" and see what is checked. That is used for the query execution, but is local data. ST14 is the result from the remote system. You will not see the query parameters anymore of that remote system. If additional things appear then they are pr...
by os
Sat Feb 08, 2014 8:25 am
Forum: SAP Security
Topic: Sap Security upgrade
Replies: 1
Views: 3130

Re: Sap Security upgrade

You can't handle them during upgrade. They handle you during testing the upgrade...
by os
Sat Dec 28, 2013 4:16 pm
Forum: SAP Security
Topic: SU01 technical names
Replies: 3
Views: 4571

Re: SU01 technical names

Those exits to call FMs from SSM_CUST are now obsolete.
by os
Sat Dec 28, 2013 4:13 pm
Forum: SAP Security
Topic: Where are the authorization specialists located?
Replies: 4
Views: 5013

Re: Where are the authorization specialists located?

I have a customer where IT is located under global purchasing and the SAP manager has the security person, helpdesk and networks reporting directly to him. That also works fine for them - depends on the organization, culture and the people and their skills. Security does however need a certain amoun...
by os
Sat Dec 28, 2013 3:25 pm
Forum: SAP Security
Topic: Dump "insert duprec" in SU01 [Solved]
Replies: 6
Views: 7425

Re: Dump "insert duprec" in SU01 [Solved]

Nice to see use of personalizations.

Goes to show that you only need to use something for bugs to show up.. :)
by os
Sat Dec 28, 2013 3:18 pm
Forum: SAP Security
Topic: GRC V10 Connectors to non sap systems
Replies: 3
Views: 4581

Re: GRC V10 Connectors to non sap systems

It depends on whether your vendor provides APIs to such functionality which is also secure.

Few do.... so if one does then it is highly likely to be a hack.

Good ones will provide APIs with switches to turn them on and check their own customizing to validate imported values. Again here... few do.