on 07-05-2011 10:34 AM
Hello,
can anybody help me find/suggest a way to find which action protects the UME configuration upload/download functionality? In my opinion this feature is a potential security risk and I would like to protect it.
Either check who can use this functionality or remove it from roles if possible.
Thank you,
Otto
Hi,
If any users have any roles containing the action 'Manage_All', then that user can change UME config.
As far as standard roles are concerned, the user_admin role contains this action already. Also the Administrator role and the Super_Admin role as well.
Regards,
Shitij
Hi,
thanks for the answer. But my question was one granularity level deeper. I am not interested in who can do that. I want to know how to restrict the access. Or if I have to give that access because I can't remove it easily, what exactly should I check - checking standard roles is not enough in my opinion, one can fiddle with that and use it somewhere else, I believe.
Thanks anyway,
cheers Otto
Hi Juan,
thanks for jumping in:)) I understand the concept, but either there is no (not much) documentation or I don't get it:))
If you say nice tutorial, can you please share the link? I spent time researching before asking, but the maturity level of Java stack and the Java related information sources is quite different from ABAP, so I was not able to find my answer by myself.
Let's see if this gets improved...
cheers Otto
Hi Otto,
I haven't had the need to tweak the UME roles myself and it can be confusing indeed... but you can use Portal Content Studio and Identity Manager to create/edit the Portal and UME roles respectively
Check
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ac/e0c1d5828b4e8e903c29a250a611ca/frameset.htm
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a4/d39b3e09cdf313e10000000a114084/frameset.htm
Under IM,
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm
I think you need to change the UME Standard actions to achieve your goal,
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/49/8b4659c793355ae10000000a42189b/frameset.htm
Again, I'm quite green in this area but let me know if that helps.
Regards
Juan
PS: BTW, Sorry for the linkfarm
Hello Juan,
thanks for the linkfarm, unfortunately I have been to all these places. If not, you could report this thread as "failed to search":)))
In my opinion part of the solution is to control the object Batch_Admin. But Batch_Admin of course does not do anything. When you log on to NWA with a user which only has this Batch_Admin, you see nothing. So I am not sure what this one protects. And by the way the message you get in such a case is: You are not authorized for NWA or something like that.
That leads to the conclusion that you must have some kind of Admin access for Batch_Admin to make any sense to you.
As for the second part: how to limit the access to upload/download... I am afraid the NWA is not that far, but I still want a confirmation from other people. The granularity seems to be all or nothing, so searching for an "authorization object" that protects this upload/download function is silly....?
I still think upload/download can be misused and I would like to protect it or at least mitigate the risk somehow. So what else can I do except periodically check who has admin access and so can use this upload/download?
Has anybody experienced a security incident where somebody changed the configuration this way?
Are there any "change documents" available so I can see who and when and maybe even how changed the configuration?
Thanks,
cheers Otto
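Added example (not part of the thread and not SAP code): a sketch of the periodic check discussed above, extended to cover roles outside the standard ones and roles inherited through groups. The export layout, the users, the group and the Z_ roles and action are constructed assumptions; only the action name Manage_All and the three standard role names come from the thread.

```python
import csv
import io

SENSITIVE_ACTION = "Manage_All"  # action named in the thread
STANDARD_ROLES = {"user_admin", "Administrator", "Super_Admin"}  # from the thread

# Constructed sample export (hypothetical layout: kind,subject,target).
SAMPLE_EXPORT = """\
role_action,Administrator,Manage_All
role_action,user_admin,Manage_All
role_action,Z_HelpDesk,Manage_All
role_action,Z_Reporting,Z_Display_Only
user_role,alice,Administrator
user_role,bob,Z_HelpDesk
user_role,carol,Z_Reporting
group_role,Support,Z_HelpDesk
user_group,dave,Support
"""


def audit(export_text, action=SENSITIVE_ACTION):
    """Return (user, role, is_non_standard) for every effective grant of `action`."""
    tables = {"role_action": {}, "user_role": {}, "group_role": {}, "user_group": {}}
    for kind, subject, target in csv.reader(io.StringIO(export_text)):
        tables[kind].setdefault(subject, set()).add(target)

    # Any role carrying the action is risky, whatever its name.
    risky_roles = {r for r, acts in tables["role_action"].items() if action in acts}

    findings = []
    users = set(tables["user_role"]) | set(tables["user_group"])
    for user in sorted(users):
        roles = set(tables["user_role"].get(user, ()))
        # Add roles inherited through group membership.
        for group in tables["user_group"].get(user, ()):
            roles |= tables["group_role"].get(group, set())
        for role in sorted(roles & risky_roles):
            findings.append((user, role, role not in STANDARD_ROLES))
    return findings


if __name__ == "__main__":
    for user, role, non_standard in audit(SAMPLE_EXPORT):
        note = "NON-STANDARD role" if non_standard else "standard role"
        print(f"{user}: {SENSITIVE_ACTION} via {role} ({note})")
```

Comparing the findings of each run against the previous run's output shows new grants as they appear.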