
How to restrict access to download/ upload UME configuration file

OttoGold
Active Contributor
0 Kudos

Hello,

Can anybody help me find or suggest a way to find which action protects the UME configuration upload/download functionality? In my opinion this feature is a potential security risk and I would like to protect it.

Either check who can use this functionality or remove it from roles if possible.

Thank you,

Otto

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

If any users have any roles containing the action 'Manage_All', then that user can change UME config.

As far as standard roles are concerned, the user_admin role contains this action already. Also the Administrator role, and the Super_Admin role as well.

Regards,

Shitij

OttoGold
Active Contributor
0 Kudos

Hi,

thanks for the answer. But my question was one granularity level deeper. I am not interested in who can do that. I want to know how to restrict the access. Or if I have to give that access because I can't remove it easily, what exactly should I check - checking standard roles is not enough in my opinion, one can fiddle with that and use it somewhere else, I believe.

Thanks anyway,

cheers Otto

Former Member
0 Kudos

Hi Otto,

Yes, that is why I said the action 'Manage_All' needs to be prevented.

Regards,

Shitij

JPReyes
Active Contributor
0 Kudos

Hi Otto,

Basically roles on the JAVA side consist of 3 levels... permissions -> actions -> roles

You can tweak the permissions, add them to actions, and assign those to roles.

There's a pretty good tutorial on help.sap.com

Regards

Juan

OttoGold
Active Contributor
0 Kudos

Hi Juan,

thanks for jumping in:)) I understand the concept, but either there is no (not much) documentation or I don't get it:))

If you say nice tutorial, can you please share the link? I spent time researching before asking, but the maturity level of the Java stack and the Java-related information sources is quite different from ABAP, so I was not able to find my answer by myself.

Let's see if this gets improved...

cheers Otto

OttoGold
Active Contributor
0 Kudos

Hi Shitij,

I understand your advice, but the granularity is awful. It is pretty far from the ABAP authorization concept (ok, I know the Java part is new, not mature enough, but still... it can't be all or nothing, SAP_ALL or Manage_all is just too blunt).

Otto

JPReyes
Active Contributor
0 Kudos

Hi Otto,

I haven't had the need to tweak the UME roles myself and it can be confusing indeed... but you can use Portal Content Studio and Identity Manager to create/edit the Portal and UME roles respectively

Check

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ac/e0c1d5828b4e8e903c29a250a611ca/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a4/d39b3e09cdf313e10000000a114084/frameset.htm

Under IM,

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm

I think you need to change the UME Standard actions to achieve your goal,

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/49/8b4659c793355ae10000000a42189b/frameset.htm

Again, I'm quite green in this area but let me know if that helps.

Regards

Juan

PS: BTW, Sorry for the linkfarm

OttoGold
Active Contributor
0 Kudos

Hello Juan,

thanks for the linkfarm, unfortunately I have been to all these places. If not, you could report this thread as "failed to search":)))

In my opinion part of the solution is to control the object Batch_Admin. But Batch_Admin of course does not do anything. When you log in to NWA with a user which only has this Batch_Admin, you see nothing. So I am not sure what this one protects. And by the way the message you get in such a case is: You are not authorized for NWA or something like that.

That leads to a conclusion that you must have some kind of Admin access so that Batch_Admin makes any sense to you.

As for the second part: how to limit the access to upload/download... I am afraid the NWA is not that far, but I still want a confirmation from other people. The granularity seems to be all or nothing, so searching for an "authorization object" that protects this upload/download function is silly....?

I still think upload/ download can be misused and I would like to protect it or at least mitigate the risk somehow. So what else can I do except periodically check who has admin access and so can use this upload/ download?

Has anybody experienced a security incident where somebody changed the configuration this way?

Are there any "change documents" available so I can see who changed the configuration, when, and maybe even how?

Thanks,

cheers Otto
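The periodic check discussed in this thread, sketched as an added example that is not from any poster or from SAP: it resolves the permissions -> actions -> roles chain to list every user who effectively holds 'Manage_All', including through group membership and custom roles outside the three standard ones named above. The inventory dictionaries, the custom role names, the other action names and the approved list are constructed sample data, not a UME export format.

```python
"""Audit who effectively holds a sensitive UME action (constructed sample data)."""

SENSITIVE_ACTION = "Manage_All"  # action named in the thread
STANDARD_ROLES = {"user_admin", "Administrator", "Super_Admin"}  # roles named in the thread

# Constructed inventory (assumption): fill these from your own role and user listing.
ROLE_ACTIONS = {
    "user_admin": {"Manage_All"},
    "Administrator": {"Manage_All"},
    "Super_Admin": {"Manage_All"},
    "Z_HELPDESK": {"Manage_Users", "Manage_All"},  # hypothetical custom role that picked up the action
    "Z_REPORTING": {"Read_All"},                   # hypothetical custom role without it
}
GROUP_ROLES = {"Administrators": {"Administrator"}, "Helpdesk": {"Z_HELPDESK"}}
USER_ROLES = {"alice": {"user_admin"}, "bob": {"Z_REPORTING"}, "carol": set(), "dave": set()}
USER_GROUPS = {"alice": set(), "bob": set(), "carol": {"Helpdesk"}, "dave": {"Administrators"}}
APPROVED = {"alice", "dave"}  # users expected to be able to change UME configuration


def roles_with_action(role_actions, action):
    """Every role, standard or custom, that contains the action."""
    return {role for role, actions in role_actions.items() if action in actions}


def effective_roles(user, user_roles, user_groups, group_roles):
    """Roles assigned directly plus roles inherited through groups."""
    roles = set(user_roles.get(user, ()))
    for group in user_groups.get(user, ()):
        roles |= group_roles.get(group, set())
    return roles


def audit(role_actions, user_roles, user_groups, group_roles, action, approved):
    risky = roles_with_action(role_actions, action)
    holders = {}
    for user in set(user_roles) | set(user_groups):
        via = effective_roles(user, user_roles, user_groups, group_roles) & risky
        if via:
            holders[user] = sorted(via)  # which roles grant the action to this user
    return {
        "nonstandard_roles": sorted(risky - STANDARD_ROLES),
        "holders": holders,
        "unapproved": sorted(set(holders) - approved),
    }


if __name__ == "__main__":
    report = audit(ROLE_ACTIONS, USER_ROLES, USER_GROUPS, GROUP_ROLES, SENSITIVE_ACTION, APPROVED)
    for key, value in report.items():
        print(key, value)
```

Running it on a schedule and alerting on a non-empty `unapproved` or `nonstandard_roles` list turns the manual review into a drift check.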

Answers (0)