cancel
Showing results for 
Search instead for 
Did you mean: 

solman_admin - authorization issues in target (managed systems)

neeta_patel2
Participant
0 Kudos

Dear all,

We have SOLMAN_ADMIN (in our case SOL_ADMIN) setup in the managing target systems for the trusted connection for the Managed system configuration - however, after the managed system configuration is run and complete, there are dumps reported in ST22 in the target system. The dumps are :

SOL_ADMIN - OPEN_DATASET_NO_AUTHORITY

SOL_ADMIN - CALL C_FUNCTION_NO_AUTHORITY

SOL_ADMIN - RFC_NO-AUTHORITY for function group "SDTX"

How can I determine where these dumps come from and re-produce the error ?

We are trying to narrow down what authorizations this account has due to compliance and ensuring that there are no security violations in Production.

Regards, Neeta

Accepted Solutions (1)

Accepted Solutions (1)

Paul_Babier
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Neeta,

Did you remember to assign the authorizations S_RFC and S_RFCACL to the user SOL_ADMIN?

Please check and if not, please assign.

Hope this iformation is helpful.

Regards,

Paul

Answers (2)

Answers (2)

Nibu
Contributor
0 Kudos

>

> SOL_ADMIN - OPEN_DATASET_NO_AUTHORITY

The Authorization object to be given authorization is S_DATASET .

> SOL_ADMIN - CALL C_FUNCTION_NO_AUTHORITY

> SOL_ADMIN - RFC_NO-AUTHORITY for function group "SDTX"

S_RFC is the object missing for these authorization. I would reccomend you to create a role including these objects and assign it to the user SOL_ADMIN , and so it will resolve this issue. If still auth issues persist, login as SOl_ADMIN and check the SU53 output to track if any other Objects to be inserted .

Regards,

Nibu Antony

neeta_patel2
Participant
0 Kudos

HI,

Should S_RFC be assigned * or specific objects. Our security person is not willing to assign * as this will cause many security violations in production. What are the specific objects that need to be allocate dto the S_RFC authorization?

Right now we are trying to configure our DEV systems.

Our security person is also very concerned that these roles and user accounts created by the managed system configuration in the managed system will cause many audit issues. I am not a security expert so if anyone has experience in this area, I am looking for recommendations . Our company gets audited on security , specifically in the SD/FI environmnet frequently and we use third party product to minimise the violations.

Thanks, Neeta

Nibu
Contributor
0 Kudos

Hi Nita,

IN object S_RFC, the Activity value you need to give 16 .

If security guy is more concerned about giving * , you enable ST01 trace and reproduce your activty with the same user and give him the trace output . So that you can give the exact value for other fields rather than * .

Refer http://help.sap.com/saphelp_nw04/helpdata/en/60/305140c770cd01e10000000a155106/content.htm for more details .

Regards,

Nibu Antony

Former Member
0 Kudos

Hi,

What is the user type you have defined for the user?

If it's a communication/non-dialog user then there's no harm in assigning any Auth objects to that user.

If it's a dialog user or you have security concerns, then take necessary approvals beforehand from the compliance person for this particular auth object with a justification that it's a mandatory requirement for Solution Manager setup. This approval should suffice the Audit questions.

Based on this you can ask the security person to create a new role and assign to the user.

This should help to meet the requirement.

Regards,

Bhaskar

Former Member
0 Kudos

Hi,

For Required role please read scurity guide

[Here |https://websmp208.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718044&_SCENARIO=01100035870000000202&]

Operations-->security guide

Section 5.3 will be useful for your problem.

Regards,