Notes 2010

NOTE November 2010

Indirect / Position based role assignment

Aside from the general security concepts, the HR solution offers certain
additional security solutions that take the specific requirements related
to personal data into account.
Roles, for example, can be assigned directly via PFCG / SU01 / SU10
or indirectly through the HR Organizational Model.


How to use RSECNOTE

RSECNOTE is a tool provided by SAP® that determines which important
security notes or hot notes are missing in the respective system.
The details related to this tool are provided in the SAP® OSS Note 888889.
One of the technical prerequisites for implementing this tool is the correct
ST-A/PI installation.
The tool can then be called via ST13 by entering RSECNOTE and
pressing F8. [In certain Basis releases the report RSECNOTE can be
called via SE38/SA38, for example.]


How to assign a portal role through an ABAP role

Depending on which data source is selected for an Enterprise Portal [EP],
UME portal roles can be assigned to ABAP roles,
and thereby indirectly assigned to users without additional steps in the EP.


The data source needs to be set to the ABAP system.


User Groups

User groups are basically an instrument for user administration,
but you can also use them for the internal organization of users.
Users can be assigned to multiple user groups.

There are two different fields for user groups in the user master
[transaction SU01]:

1.    Groups – on the groups tab   

Table control in SAP®

The SAP® tables are defined in the repository, but not all of the defined tables
can be found in the database. SAP® distinguishes between certain database
and table categories.

We have two different categories of databases:

1.    Logical database   
A logical database provides a particular view of the database.

Password deposit for RFC connections

RFC [Remote Function Call] connections allow the execution of function calls
[programs – ABAP and non-ABAP] from external systems / clients.

These connections are maintained via transaction SM59.
This transaction cannot be restricted to "Read/Display only".
Access to this transaction should only be granted to the Basis Administration team.

How to create an authorization class / object

For add-on applications, user exits or customer-specific developments,
it is sometimes necessary to create a customer-specific authorization object.
It is always recommended to also create a customer-specific authorization
class to which the corresponding objects are then assigned.

Call transaction SU21.
Create the object class by pushing the button 

How to check users that are assigned to a role in the EP

The general portal roles only grant access to the available content in the
Enterprise Portal [EP] with different levels of permissions assigned.

UME [User Management Engine] roles consist of a set of UME actions
that define the scope of allowed activities.

The UME provides an interface for maintenance of users, roles
and groups with regard to the available data sources.