GATP during VA01/VA02

Former Member
0 Kudos

Creating/changing Sales Orders will trigger a GATP check, and one dialogue session pops up with APO Availability Check: Delivery Proposal (Sales Order).

Basically this new session is created through an RFC user (having almost all authorisations of the APO system).

If the business user clicks "create new session" during the APO availability check, then a business user who is not authorised to access the APO system can access the APO system under the RFC user name and can make undesirable changes. Security risk.

So the questions here are:

01. How can I prevent opening a new session during the APO availability check?

02. Does the business user need the APO Availability Check: Delivery Proposal (Sales Order) session / screen?

03. How can I minimize the security risk to the APO system through unauthorised access by ECC users?

Thanks in advance.

Regards,

Rajesh

Accepted Solutions (1)

frank_horlacher
Employee
0 Kudos

You can see the answer in the SCM Security Guide:

The Security Guide SAP SCM 7.0 provides an overview of the security-relevant information that applies to SAP SCM.

The Application Operations Guide SAP SCM 7.0 provides a starting point for managing your SAP solutions and keeping them up and running optimally.

  1. To access the latest version of these guides, log on to the SAP Service Marketplace at http://service.sap.com/scm-inst → SAP SCM 7.0.
Former Member
0 Kudos

Thanks for the update. I have gone through this.

I am looking for solutions only for the VA01/02-specific GATP check / security.

Thanks

Rajesh

frank_horlacher
Employee
0 Kudos

Then check

SAP Note Number 727839: Authorization role for the SAP SCM ‒ SAP R/3 integration

Answers (3)

Former Member
0 Kudos

As mentioned already, Trusted RFC with the "same current user" context flagged is a good option for this, but Trusted RFC also has its own risks.

If I were you I would report this to SAP that APO is calling a screen or transaction within an RFC-enabled function module. In most cases, the RFC should return the data and the calling application should support the UI, which returns control back to the caller.

Cheers,

Julius

babu_kilari4
Active Contributor
0 Kudos

Hi Rajesh,

You must have assigned the SAP_ALL authorization to the RFC user ID, and hence the problem. You just have to make sure that SAP_ALL is removed and that an authorization profile with selective roles is assigned. This way, even though the user creates a new session from the delivery proposal screen, he would not be able to execute the transactions.


Hope this helps.


Thank you

Babu Kilari

Former Member
0 Kudos

Yes, you are correct. The RFC user ID in the APO system has all authorisations. Now there are two issues:

01. What are the minimum roles required for the GATP check?

02. How to check if this RFC user is being used for any other RFCs / transactions too?

Thanks,

Rajesh

Former Member
0 Kudos

Rajesh,

Did you read the note cited by expert Horlacher earlier?

Best Regards,

DB49

Former Member
0 Kudos

Hello DB49,

Yes , I have gone thru it .

This refers to a background user, and the user type is Communication.

In my case it's a foreground user and the user type is Dialog User.

Thanks

Rajesh

babu_kilari4
Active Contributor
0 Kudos

I wonder why a "Dialog" user? You can set it as a "Service" user ID. RFC users are usually set up as "Service" user IDs.

Babu Kilari

Former Member
0 Kudos

The user gets to know how GATP is processed. So it helps to understand the results of the GATP check.

Thank you,

Rajesh

babu_kilari4
Active Contributor
0 Kudos

Well, even with a Service user ID you can see that delivery proposal screen and evaluate how the RBA, PA, PAL derived the results to give you the confirmation. A Service user ID allows multiple logons vs. a Dialog user ID. Also, a Service user ID is more secure.

On top of the above, you just have to sit with a security guy to test out the functionality of the ATP check while minimizing the security objects of the SAP_ALL authorization. Once you have all the objects in place, you have to build a custom authorization role and assign it to the RFC user ID. This is how it works. Just by being an APO consultant, it would be very difficult for you to decide what is required and what is not required. You need to work with an SAP Security guy. The parameters also vary depending on which modules are being used: only GATP? DP? SNP? etc.

Thank you
Babu Kilari
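Rajesh's two questions above (which user type the RFC user has, and whether that ID is used by anything else) and Babu's point about SAP_ALL can be checked from one report. The report below is an added example written for this thread, not code posted by anyone in it and not from SAP. It reads the standard tables USR02 (user type), UST04 (profile assignments) and RFCDES (SM59 destinations); the user ID APORFC is a hypothetical default, and the layout of RFCDES-RFCOPTIONS (comma-separated `key=value` pairs with `U=` holding the logon user of a type 3 destination) should be verified in SM59 on your own release before relying on it.

```abap
*&---------------------------------------------------------------------*
*& Report Z_RFC_USER_AUDIT
*& Added example (not from this thread, not SAP code): for one user ID,
*& print the user type, any SAP_ALL / SAP_NEW profile assignment, and
*& every SM59 destination in this system whose logon data names that
*& user. Classic ABAP syntax so it compiles on a 7.0x ERP/SCM kernel.
*&---------------------------------------------------------------------*
REPORT z_rfc_user_audit.

" Hypothetical default user ID; replace with the real APO RFC user
PARAMETERS p_user TYPE xubname OBLIGATORY DEFAULT 'APORFC'.

TYPES: BEGIN OF ty_dest,
         rfcdest    TYPE rfcdes-rfcdest,
         rfctype    TYPE rfcdes-rfctype,
         rfcoptions TYPE rfcdes-rfcoptions,
       END OF ty_dest.

DATA: lv_ustyp TYPE usr02-ustyp,
      lt_prof  TYPE STANDARD TABLE OF ust04-profile,
      lv_prof  TYPE ust04-profile,
      lt_dest  TYPE STANDARD TABLE OF ty_dest,
      ls_dest  TYPE ty_dest,
      lt_opt   TYPE STANDARD TABLE OF string,
      lv_opt   TYPE string,
      lv_user  TYPE string,
      lv_hits  TYPE i.

*--- 1. User type (USR02-USTYP): A dialog, B system, C communication,
*---    S service, L reference. A dialog user gives a full GUI logon
*---    to anyone who opens a session under that ID.
SELECT SINGLE ustyp FROM usr02 INTO lv_ustyp
  WHERE bname = p_user.
IF sy-subrc <> 0.
  WRITE: / 'User', p_user, 'does not exist in this client.'.
  RETURN.
ENDIF.
WRITE: / 'User', p_user, 'has user type', lv_ustyp.
IF lv_ustyp = 'A'.
  WRITE: / '  WARNING: dialog user - change to B (system) or S (service).'.
ENDIF.

*--- 2. Profiles assigned to the user (UST04): flag SAP_ALL / SAP_NEW.
SELECT profile FROM ust04 INTO TABLE lt_prof
  WHERE bname = p_user.
LOOP AT lt_prof INTO lv_prof.
  IF lv_prof = 'SAP_ALL' OR lv_prof = 'SAP_NEW'.
    WRITE: / '  WARNING: profile', lv_prof, 'is assigned.'.
  ENDIF.
ENDLOOP.

*--- 3. SM59 ABAP destinations (RFCDES, type 3) that log on with this
*---    user. RFCOPTIONS is a comma-separated key=value list such as
*---    'H=host,S=00,M=100,U=APORFC,L=EN,...'; U= is the logon user.
*---    Parse it instead of a LIKE match so U=APORFC does not also
*---    match U=APORFC2. Trusted destinations carry no U= entry.
lv_user = p_user.                     " string copy drops trailing blanks
SELECT rfcdest rfctype rfcoptions FROM rfcdes INTO TABLE lt_dest
  WHERE rfctype = '3'.
LOOP AT lt_dest INTO ls_dest.
  SPLIT ls_dest-rfcoptions AT ',' INTO TABLE lt_opt.
  LOOP AT lt_opt INTO lv_opt.
    IF strlen( lv_opt ) > 2 AND lv_opt(2) = 'U=' AND lv_opt+2 = lv_user.
      lv_hits = lv_hits + 1.
      WRITE: / '  Destination', ls_dest-rfcdest, 'logs on as', p_user.
    ENDIF.
  ENDLOOP.
ENDLOOP.
IF lv_hits = 0.
  WRITE: / '  No type 3 SM59 destination in this system logs on as', p_user.
ENDIF.
```

Run it in the system whose SM59 entries you want to inspect: RFCDES only lists destinations defined in that system, so the ECC side shows which destinations point at APO with this user, while the APO side shows whether the same ID is also reused for outbound connections. To see what the ID is actually doing in APO (RFC calls, dialog steps, transactions), use the APO system's own records instead: workload statistics per user (STAD / ST03N) and the Security Audit Log (SM20) filtered on that user. SUIM can also list all users holding SAP_ALL if you want to catch other IDs with the same problem.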

Former Member
0 Kudos

Thanks a lot Babu !!

Will update this thread if I am able to solve this issue .

I am not an APO consultant. I work on the SD module.

Thanks

Rajesh

Former Member
0 Kudos

Rajesh,

There are lots of ways to MINIMIZE the security risk with authorization "tricks" for the RFC user ID. However, the ultimate solution is to use Trusted System connectivity.

http://help.sap.com/saphelp_scm70/helpdata/EN/22/042671488911d189490000e829fbbd/frameset.htm

Best Regards,

DB49

Former Member
0 Kudos

Thank you DB49.

Can I restrict an end user (creating orders through VA01/02 in ECC and not having access to APO) from opening a new session (marked RED below; during GATP, through the RFC user ID he can access and change the APO system) through the use of Trusted System connectivity?

What are the minimum roles required for the RFC user for the GATP check in VA01/02?

Regards,

Rajesh

Former Member
0 Kudos

Rajesh,

The whole point of Trusted Systems is that each user in the ERP system accesses the APO system only through their own APO user ID and their own APO authorization profile within the APO system; they do not use a 'common' RFC user ID. You can then tailor each user's APO authorization profile to meet the exact APO business needs of the company (such as restricting them to JUST the authorization required to retrieve the results of an ATP check). Each ERP user gets exactly the authorization in APO that the company decides they need; no more and no less.

I suggest that if you have more questions about Trusted systems, you consult with your local authorization group; or repost this question in an authorization forum, such as http://scn.sap.com/community/security

Best Regards,

DB49
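Julius's remark that Trusted RFC "has its own risks" and DB49's description of per-user access both hinge on the same object on the APO (trusted) side: S_RFCACL, which decides which calling system, client and user name may be accepted under a local APO user without a password. Wildcards there turn a trusted connection back into a shared-identity problem. The report below is an added example for this thread, not code from any of the posters and not from SAP; run it in the APO system after the trusted destination is set up. It reads the standard role tables AGR_1251 (authorization field values per role) and AGR_USERS (role assignments) and uses the S_RFCACL field names as they appear in the object definition (RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER). S_RFCACL granted outside roles (manually maintained profiles, or SAP_ALL if it was generated with S_RFCACL included) is not visible to it.

```abap
*&---------------------------------------------------------------------*
*& Report Z_S_RFCACL_AUDIT
*& Added example (not from this thread, not SAP code). Lists every
*& role in this (trusted) system whose S_RFCACL values would let any
*& trusting system, any client, or any caller name act under a local
*& user ID, and which users currently hold those roles.
*&---------------------------------------------------------------------*
REPORT z_s_rfcacl_audit.

TYPES: BEGIN OF ty_auth,
         agr_name TYPE agr_1251-agr_name,
         auth     TYPE agr_1251-auth,
         field    TYPE agr_1251-field,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
       END OF ty_auth.

DATA: lt_auth  TYPE STANDARD TABLE OF ty_auth,
      ls_auth  TYPE ty_auth,
      lt_roles TYPE SORTED TABLE OF agr_1251-agr_name
               WITH UNIQUE KEY table_line,
      lt_users TYPE STANDARD TABLE OF agr_users-uname,
      lv_uname TYPE agr_users-uname,
      lv_why   TYPE c LENGTH 80.

*--- S_RFCACL field values from all roles (DELETED = space skips
*--- entries removed in PFCG but still stored).
SELECT agr_name auth field low high FROM agr_1251 INTO TABLE lt_auth
  WHERE object  = 'S_RFCACL'
    AND deleted = space.

LOOP AT lt_auth INTO ls_auth.
  CLEAR lv_why.
  CASE ls_auth-field.
    WHEN 'RFC_SYSID'.        " SID of the trusting system allowed to call
      IF ls_auth-low = '*'.
        lv_why = 'RFC_SYSID = *  : any trusting system accepted'.
      ENDIF.
    WHEN 'RFC_CLIENT'.       " client of the trusting system
      IF ls_auth-low = '*'.
        lv_why = 'RFC_CLIENT = * : any client of the trusting system accepted'.
      ENDIF.
    WHEN 'RFC_USER'.         " caller name used when RFC_EQUSER is not Y
      IF ls_auth-low = '*'.
        lv_why = 'RFC_USER = *   : any caller name mapped to this local user'.
      ENDIF.
    WHEN 'RFC_EQUSER'.       " Y = caller must have the same user name
      IF ls_auth-low <> 'Y'.
        lv_why = 'RFC_EQUSER <> Y: caller name need not equal local user'.
      ENDIF.
  ENDCASE.
  IF lv_why IS NOT INITIAL.
    WRITE: / ls_auth-agr_name, ls_auth-auth, lv_why.
    INSERT ls_auth-agr_name INTO TABLE lt_roles.   " duplicates ignored
  ENDIF.
ENDLOOP.

IF lt_roles IS INITIAL.
  WRITE: / 'No wildcard S_RFCACL values found in any role.'.
  RETURN.
ENDIF.

*--- Users who currently hold a flagged role (assignment not expired).
SELECT uname FROM agr_users INTO TABLE lt_users
  FOR ALL ENTRIES IN lt_roles
  WHERE agr_name = lt_roles-table_line
    AND to_dat  >= sy-datum.
SORT lt_users.
DELETE ADJACENT DUPLICATES FROM lt_users.

SKIP.
WRITE: / 'Users holding a flagged role:'.
LOOP AT lt_users INTO lv_uname.
  WRITE: / '  ', lv_uname.
ENDLOOP.
```

The target state for the GATP case DB49 describes is the narrow one: RFC_SYSID limited to the ECC SID, RFC_CLIENT to the productive client, RFC_EQUSER = Y and RFC_USER left blank, so an ECC user can only ever become the APO user of the same name, and that APO user carries only the ATP-related authorizations. Anything this report prints is a role where that assumption does not hold and where, with the SM59 destination flagged "current user", a caller from the trusting system could land on a broader local identity.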