on 09-12-2012 10:56 AM
Creating/changing sales orders triggers the GATP check, and one dialogue session pops up with "APO Availability Check: Delivery Proposal (Sales Order)".
Basically this new session is created through the RFC user (having almost all authorisations in the APO system).
If the business user clicks "create new session" during the APO availability check, then a business user who is not authorised to access the APO system can access APO under the RFC user name and make undesirable changes - a security risk.
So the question here is:
01. How can I prevent a new session from being opened during the APO availability check?
02. Does the business user need the "APO Availability Check: Delivery Proposal (Sales Order)" session/screen at all?
03. How can I minimise the security risk to the APO system from unauthorised access by ECC users?
Thanks in advance.
Regards,
Rajesh
You can see the answer in the SCM Security Guide:
The Security Guide SAP SCM 7.0 provides an overview of the security-relevant information that applies to SAP SCM.
The Application Operations Guide SAP SCM 7.0 provides a starting point for managing your SAP solutions and keeping them up and running optimally.
then check
As mentioned already, Trusted RFC with the "same current user context" flag set is a good option for this, but Trusted RFC also has its own risks.
If I were you I would report this to SAP that APO is calling a screen or transaction within an RFC-enabled function module. In most cases, the RFC should return the data and the calling application should supply the UI, which returns control back to the caller.
Cheers,
Julius
Hi Rajesh,
You must have assigned the SAP_ALL authorization to the RFC user ID, and hence the problem. You just have to make sure that SAP_ALL is removed and have an authorization profile that has selective roles. This way, even though the user creates a new session from the delivery proposal screen, he would not be able to execute the transactions.
Hope this helps.
Thank you
Babu Kilari
Well, even with the help of a Service user ID you can see the delivery proposal screen and evaluate how the RBA, PA and PAL derived the results to give you the confirmation. A Service user ID allows multiple logons, vs. a Dialog user ID. Also, a Service user ID is more secure.
On top of the above, you just have to sit with a security guy to test out the functionality of the ATP check by minimising the security objects of the SAP_ALL authorization. Once you have all the objects in place, you have to build a custom authorization group and assign it to the RFC user ID. This is how it works. Just by being an APO consultant, it would be very difficult for you to decide what is required and what is not required. You need to work with an SAP Security guy. The parameters also vary depending on which modules are being used... like only GATP? DP? SNP? etc.
Thank you
Babu Kilari
Rajesh,
There are lots of ways to MINIMIZE the security risk with authorization "tricks" for the RFC user ID. However, the ultimate solution is to use Trusted System connectivity.
http://help.sap.com/saphelp_scm70/helpdata/EN/22/042671488911d189490000e829fbbd/frameset.htm
Best Regards,
DB49
Thank you DB49.
Can I restrict an end user (creating orders through VA01/02 in ECC, with no access to APO) from opening a new session (marked RED below - during GATP, through the RFC user ID he can access and change the APO system) by using Trusted System connectivity?
What are the minimum roles required for the RFC user for the GATP check in VA01/02?
Regards,
Rajesh
Rajesh,
The whole point of Trusted systems is that each user in the ERP system accesses the APO system only through their own APO USERID and their own APO authorization profile within the APO system; they do not use a 'common' RFC USERID. You can then tailor each user's APO authorization profile to meet the exact APO business needs of the company (such as restricting them to JUST the authorization required to retrieve the results of an ATP check). Each ERP user gets exactly the authorization in APO that the company decides that they need; no more and no less.
I suggest that if you have more questions about Trusted systems, you consult with your local authorization group, or repost this question in an authorization forum, such as http://scn.sap.com/community/security
Best Regards,
DB49
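The two options discussed in this thread (hardening the shared RFC user vs. trusted RFC with user propagation) as an added review model; this is example code written for this page, not SAP code, and the record fields, user types and profile names are constructed assumptions rather than SAP table columns.

```python
# Added example (not from the thread): model who ends up acting in APO when an
# ECC user triggers the GATP pop-up, and review the RFC user's own settings.
# Field names and sample data are constructed; they are not SAP table columns.
from dataclasses import dataclass, field


@dataclass
class ApoUser:
    name: str
    user_type: str                 # "DIALOG", "SYSTEM" or "SERVICE" (assumption)
    profiles: set = field(default_factory=set)


@dataclass
class RfcDestination:
    rfc_user: str                  # technical user stored in the destination
    trusted_same_user: bool = False  # trusted RFC with "same user" propagation


def effective_apo_user(erp_user: str, dest: RfcDestination) -> str:
    """Identity the APO system sees for a call made by erp_user."""
    # With trusted RFC + same-user flag the caller's own APO ID is used;
    # otherwise every caller is collapsed onto the shared RFC user.
    return erp_user if dest.trusted_same_user else dest.rfc_user


def review_rfc_user(user: ApoUser) -> list:
    """Findings a security reviewer would raise on the destination's RFC user."""
    findings = []
    if user.profiles & {"SAP_ALL", "SAP_NEW"}:
        findings.append("broad profile: any ECC user reaching a dialog session "
                        "in this context inherits it")
    if user.user_type == "DIALOG":
        findings.append("DIALOG user type: a popped-up session can be worked "
                        "interactively; prefer SYSTEM/SERVICE or trusted RFC")
    return findings


# Constructed sample: the situation described in the question.
SHARED_RFC_USER = ApoUser("RFC_APO", "DIALOG", {"SAP_ALL"})
SHARED_DEST = RfcDestination(rfc_user="RFC_APO")
TRUSTED_DEST = RfcDestination(rfc_user="RFC_APO", trusted_same_user=True)

if __name__ == "__main__":
    print(effective_apo_user("ECC_CLERK", SHARED_DEST))   # RFC_APO
    print(effective_apo_user("ECC_CLERK", TRUSTED_DEST))  # ECC_CLERK
    for f in review_rfc_user(SHARED_RFC_USER):
        print("finding:", f)
```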