
Impact of authorization/roles because of applying security note

Former Member
0 Kudos

Hi All,

We are applying Security Notes in an ECC 6 system based on the EarlyWatch report. Would applying the security notes have any impact on authorizations/roles?

If yes, can we identify the roles that need to be corrected for a particular note?

Awaiting your suggestions.

Cheviyan

1 ACCEPTED SOLUTION

arpan_paik
Active Contributor
0 Kudos

Around 2 years back I was very tense about the outcome while trying to implement a SNOTE to fix a bug for SUIM. Anyway, that note was implemented, and along with it many other dependent notes and their dependents, blah blah blah. I learned from that to read the note carefully on the impact side. And if anything goes off track and ruins the day, SAP is always there to blame! By the way, never fall in that situation though.

Regards,

Arpan Paik

6 REPLIES 6

Former Member
0 Kudos

Hi,

The only way you will tell is by reading the contents of the note and progressing from there. You will have to do this anyway to identify any other dependencies. In my experience you are much more likely to not have to change role contents than have to make any changes. The note text will usually tell you all that you need to know.

Former Member
0 Kudos

The answer is it depends. You can quickly see the high priority and security notes by executing program RSECNOTE or transaction ST13 with tool name of RSECNOTE. Each of the notes is hotlinked to the corresponding SAP note. Some notes like 1414256 are an improvement to the ability to update the TMSADM password. However other notes like 1453164 are adding missing authority checks. So if your security role already included the proper authorization values, there would be no impact. If this note implemented a new or missing authorization value, security changes may be required. So in the end, it depends on the note and your existing security authorizations to determine if changes are required. As with any change, testing will confirm if additional authority is required. To identify the potentially impacted roles, you would need to execute a where used on the program and function modules to gather details for performing further SUIM analysis.

Former Member
0 Kudos

Hi all,

Thanks for your support.

How can we identify the affected roles after implementing the security notes? Are there any shortcuts?

Cheviyan.

0 Kudos

Short cuts? You mean magic right?

From the note itself you should know what is going to happen.

Let's consider one example. There is one note supposed to rectify roles with a proper entry in table AGR_FLAGS so that they can be copied. In this case it will directly show you the list of roles that get rectified after implementing the note.

On the other hand, there is one note supposed to introduce an authorization check in an FM that used to assign profiles without checking S_USER_PRO. In this case there should be no impact on roles at all, as anyone supposed to assign profiles should have authorization for S_USER_PRO. But if, after getting this implemented, your ABAP guy comes and says "Why can I not assign a profile with this module?", what will you answer?

Regards,

Arpan Paik

0 Kudos

I agree with Arpan. It is seldom that coding changes will require changes to your existing roles.

These program corrections should typically make checks which then match your expectations or close a "backdoor" which is inconsistent with the authorization concept and semantics of the authorization objects.

Actually SAP avoids making coding changes which are not compatible with existing customer's role implementations as if they were a snakepit...

Where new concepts are introduced, they are very often kept downwardly compatible with the older concept for some time, sometimes even for ever.

Conclusion: It is far more likely that your authorization implementation in roles has security gaps in it than that a code correction from SAP will result in missing authorizations for legitimate access to functionality. I would estimate it at about 100'000% ...

Cheers,

Julius