GRC AC 10: PSS user id and password security???

former_member184114
Active Contributor
0 Kudos

Hi All,

I was curious to know if the user id and password sent while accessing PSS is secure enough?

This question was raised by the business to check if the user id and password are encrypted while accessing PSS.

I am quite sure that this is. However, unable to substantiate it with the help of any SAP note or other wise.

Can anybody suggest?

Regards,

Faisal

Accepted Solutions (1)

Former Member
0 Kudos

Hi Faisal,

When you reset the password in PSS it will send the password or the link via email, so users could get the passwords. It all depends on which option you configure for users to use.

The password link will be sent to the email address that was tied with the user records.

Hope this information helps!

Best Regards,

Nandita

former_member184114
Active Contributor
0 Kudos

Nandita,

Thanks for your reply.

Yes, I have seen that users can receive the passwords on their email ids. As you also pointed out that "users can also be sent link via email", may I get to know about this further?

Also, my actual question was, when a user accesses the "End User Logon Page" he is supposed to enter his user id and password. I was quite concerned about this user id/password.

Can you please suggest?

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

As explained earlier, the password which the user is required to enter along with the USERID is from the authentication system, not the backend system. Once the user is authenticated against the authentication system, he can reset the password for any backend system.

Best Regards,

Nandita

former_member184114
Active Contributor
0 Kudos

Nandita,

Thanks for your reply.

I think there is a small gap in our understanding.

Let me explain it to you again.

When we enter passwords, these passwords are sent via the net to the GRC system for verification. If these passwords are sent in "plain text" then anybody who wants to can play with it or hack it!

How secure is it to send the passwords during access, as it is accessed in a browser?

Is it SSO enabled?

Is the password entered by the user while accessing the "End User Logon Page" encrypted when it is sent to the GRC server?

Please suggest.

Regards,

Faisal

former_member541582
Participant
0 Kudos

Hi Faisal,

You have the possibility to activate SSL for the End User Logon Page (service GRAC_UIBB_END_USER_LOGIN in tx GRAC_ENDUSERFORM_SCIF).

I THINK this would secure the communication between the server and client. But take this with a grain of salt, as I'm no expert on secure communication.

There is a bigger security issue in Access Control. The generated initial passwords are saved in clear text in a GRAC* table. I can't remember which one. If you want I can look into it. Anyone with SE16 can access this table.

Kind Regards,

Vit

former_member184114
Active Contributor
0 Kudos

Vit,

Thanks for your reply.

I tried to access this tcode. However, it says that "Transaction GRAC_ENDUSERFORM_SIC does not exist". Note the last three characters of the tcode. It takes "SIC" not completely "SICF".

Please suggest how I can activate SSL for this page.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Can you suggest me?

Regards,

Faisal

freemann
Explorer
0 Kudos

Hi Vit

I may not be the only customer, but I raised a message with SAP around this security flaw and they are currently addressing it; they said it could be fixed mid May.

Thanks

Nathan

former_member184114
Active Contributor
0 Kudos

A security certificate is installed on the GRC system and now the link is opened with "HTTPS". Earlier, it was plain "HTTP". Therefore it was possible for any sniffer to see the details sent over the link.

Now it is secured with HTTPS.

Regards,

Faisal
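The check a practitioner would want after the switch described above, as an added example that is not part of this thread and not SAP's own code: given the URL and the captured HTTP response (status, headers, body) a browser received for the End User Logon Page, report whether the page is still served over plain HTTP (or only redirects to HTTPS), whether the form containing the password field would POST to an http:// action, whether cookies lack the Secure flag, and whether HSTS is absent. The hostname, ports, service path and cookie values in the samples are constructed and assumed, not taken from the thread.

```python
"""Audit a captured End User Logon page response for credential-in-clear risks.

Added example for this thread; not SAP code. Hostnames, paths and cookie
values below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _LogonForm(HTMLParser):
    """Collect <form action=...> targets and note whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def audit_logon_page(url, status, headers, body):
    """Return a sorted list of finding codes for one captured response.

    headers: dict of response headers; 'Set-Cookie' may be a list because
    the header repeats once per cookie.
    """
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(url).scheme.lower()

    if scheme != "https":
        location = hdr.get("location", "")
        if status in REDIRECT_CODES and urlsplit(location).scheme.lower() == "https":
            # Plain HTTP is acceptable only if it never serves the form itself.
            return ["redirects-to-https"]
        findings.append("served-over-http")

    form = _LogonForm()
    form.feed(body)
    if form.has_password:
        # A relative action inherits the page's scheme; an absolute http://
        # action leaks the password even when the page came over HTTPS.
        for action in form.actions:
            if urlsplit(urljoin(url, action)).scheme.lower() != "https":
                findings.append("password-form-posts-over-http")
                break

    cookies = hdr.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie-without-secure:{name}")

    if scheme == "https" and "strict-transport-security" not in hdr:
        findings.append("no-hsts")
    return sorted(findings)


# Constructed samples (assumed host, ports, service path and cookie values).
LOGON_HTML = (
    '<html><body><form method="post" action="{action}">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    "</form></body></html>"
)
SERVICE_PATH = "/sap/bc/webdynpro/sap/grac_uibb_end_user_login"  # assumed path

# Before: plain HTTP and cookies without Secure, the situation Faisal described.
SAMPLE_BEFORE = (
    "http://grc.example.corp:8000" + SERVICE_PATH, 200,
    {"Set-Cookie": ["sap-usercontext=sap-client=100; path=/",
                    "MYSAPSSO2=constructed; path=/; HttpOnly"]},
    LOGON_HTML.format(action=SERVICE_PATH),
)
# After: HTTPS with HSTS and Secure cookies.
SAMPLE_AFTER = (
    "https://grc.example.corp:44300" + SERVICE_PATH, 200,
    {"Strict-Transport-Security": "max-age=31536000",
     "Set-Cookie": ["MYSAPSSO2=constructed; path=/; Secure; HttpOnly"]},
    LOGON_HTML.format(action=""),
)
# Plain-HTTP entry point that only redirects to the HTTPS service.
SAMPLE_REDIRECT = (
    "http://grc.example.corp:8000" + SERVICE_PATH, 302,
    {"Location": "https://grc.example.corp:44300" + SERVICE_PATH}, "",
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                          ("redirect", SAMPLE_REDIRECT)):
        print(label, audit_logon_page(*sample) or ["ok"])
```

Feed it the real response captured from the browser's developer tools rather than the samples; an empty result for the HTTPS URL is what "secured with HTTPS" should look like, and a plain-HTTP URL should only ever yield "redirects-to-https".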
