Question:
Hello,
I was wondering if anyone can tell me what big changes in security there were between the upgrade from 4.7 to 5.0. I haven't had a chance to really work in 5.0, but I will be going to the next client that will be trying to upgrade to 5.0 from 4.6C. I know there were many new auth objects and parameters that SAP added to control user visibility in many SD and FI screens. But these parameter IDs were very hard to determine since no documentation existed to let us know about it... we had to find out via trace, debugging, contacting SAP via OSS, etc. That was in early 2004. But I will really appreciate it if someone can tell me what the main changes in EP5.0 from 4.7 in R/3 SAP security are, and where I can get any documentation on it if possible. Thanks.
sap_sec
Answer:
I checked the release notes and this is what I found here
http://help.sap.com/saphelp_erp2004/helpdata/en/c6/feda40ebccb533e10000000a155106/frameset.htm
28.6.3 BC-SEC-USR User and Authorization Management
28.6.3.1 Central User Administration (Extended)
Use
An improved Central User Administration is available to you as of SAP NetWeaver '04. In
particular, the following functions have been improved or added:
- Central User Administration (CUA). These changes have also previously been delivered by
SAP Note.
- The partner profiles and the corresponding Application Link Enabling model are
automatically created when creating the CUA.
- The synchronization of the company addresses has been integrated into the transaction
Central User Administration Structure Display (user migration).
- The improved RSDELCUA significantly simplifies the removal of the CUA.
- The log display of the central user administration (CUA) for checking the status of
IDoc distribution has a new, user-friendly interface. Performance when starting has
also been significantly improved. You can also update the display in the result list,
and select and distribute multiple users there.
For more information, see the SAP Library under SAP NetWeaver Components -> Security
-> Identity Management -> Users and Roles -> Central User Administration.
- Improvements to the User Master Comparison (transaction PFUD)
To improve the operability of transaction PFUD, the selection options were modified on
the selection screen:
- The option Manual Selection of Profiles has been removed.
- The Complete Reconciliation option has been replaced with Perform User Master
Comparison, with which you can execute the transaction in dialog.
- The newly structured selection screen allows you to select four processing modes
separately in dialog: profile comparison, composite role comparison, HR organizational
management comparison, and cleanups.
- The Replicate Local HR Assignments in the CUA Central System has been extended.
You can choose this option if you are in a child system of a CUA, and HR
organizational management is active. Indirect role assignments, which result from the
local HR model are transferred to the CUA central system for information, and can
be displayed in user maintenance there.
For more information, see the SAP Library under SAP NetWeaver Components -> Security
-> Identity Management -> Users and Roles -> User Maintenance -> User Maintenance
Functions -> Comparing User Master Records.
- Statistical Functions in the Menu Maintenance for Role Maintenance (Transaction PFCG)
The function Menu Statistics is now available on the Menu tab page. It provides
information about the number of menu nodes and hierarchy levels. The system also
differentiates between different types (folders, transactions and reports, URLs) for the
number of nodes.
- New and Changed Reports in the User Information System (Transaction SUIM)
- The evaluation report RSUSR200 offers the extended selection criteria By User Type,
By Validity of the User and By User Status.
For more information, see the SAP Library under SAP NetWeaver Components ->
Security -> Identity Management -> Users and Roles -> User Information System
-> Determining Users with the Users Node.
- The new evaluation report RSSCD100_PFCG for determining change documents
provides more selection options than report RSSCD100, which it replaces. This means
that you receive a clear results list without unnecessary data.
For more information, see the SAP Library under SAP NetWeaver Components ->
Security -> Identity Management -> Users and Roles -> User Information System
-> Determining Change Documents.
- Evaluation report RSUSR010 was extended so that you can determine which
transactions can be started with a particular composite or single role.
For more information, see the SAP Library under SAP NetWeaver Components ->
Security -> Identity Management -> Users and Roles -> User Information System
-> Determining Transactions.
- You can use Customizing switches to specify for the password generator in user
maintenance (transactions SU01 and SU10) whether the passwords should contain special
characters, and the maximum numbers of letters and numbers that are to be contained in
the passwords.
The following new Customizing parameters, which you maintain in table PRGN_CUST are
introduced for this purpose:
- GEN_PSW_MAX_LETTERS (Maximum number of letters in generated password)
- GEN_PSW_MAX_DIGITS (Maximum number of numbers in generated password)
- GEN_PSW_MAX_SPECIALS (Maximum number of special characters in generated
password)
For more information, see the SAP Library under SAP NetWeaver Components -> Security
-> Identity Management -> Users and Roles -> User Maintenance -> Logon and
Password Security in the SAP System -> Customizing Switches for Generated Passwords.
- The authorization concept in the area of user and role administration has been refined by
the introduction of the new authorization object S_USER_SAS and the adjustment of the
existing authorization objects. With authorization object S_USER_SAS, you can make
system-specific assignments in the user maintenance transactions (SU01 and SU10), the role
maintenance transaction (PFCG) and the User Master Data Reconciliation (PFUD), and
check the BAPIs of the Business Object USER.
For more information, see SAP Note 536101 and the SAP Library under SAP NetWeaver
Components -> Security -> Identity Management -> Users and Roles -> SAP
Authorization Concept -> Organizing Authorization Administration -> Organization if You
Are Using the Profile Generator -> Authorization Objects Checked in Role Maintenance.
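As an added illustration of what the three PRGN_CUST switches quoted above control, here is a small Python model of a password generator that honours per-class caps. This is example code written for this page, not SAP's generator and not code from the release notes: the switch names are SAP's, but the allocation rule (fill letters first, then digits, then specials, up to each cap, until the requested length is reached), the special-character set and the `generate`/`complies` function names are assumptions made for the illustration. The one behaviour worth noticing is the failure mode: if the three caps add up to less than the length you ask for, no compliant password exists, which is the situation an administrator creates by setting the switches lower than the configured minimum password length.

```python
import secrets
import string

# Constructed character classes for this example. SAP's own generator may
# use a different special-character set; this one is an assumption.
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def classify(pw):
    """Return (letters, digits, specials, other) counts for a password."""
    n_l = sum(c in LETTERS for c in pw)
    n_d = sum(c in DIGITS for c in pw)
    n_s = sum(c in SPECIALS for c in pw)
    return n_l, n_d, n_s, len(pw) - n_l - n_d - n_s


def complies(pw, max_letters, max_digits, max_specials):
    """True if pw stays within each cap (GEN_PSW_MAX_LETTERS,
    GEN_PSW_MAX_DIGITS, GEN_PSW_MAX_SPECIALS) and uses no other characters."""
    n_l, n_d, n_s, other = classify(pw)
    return (other == 0 and n_l <= max_letters
            and n_d <= max_digits and n_s <= max_specials)


def generate(length, max_letters, max_digits, max_specials):
    """Generate a password of `length` characters within the caps.

    Allocation rule (an assumption for this example): take as many letters
    as the cap allows, then digits, then specials. A max_specials of 0
    therefore yields passwords with no special characters at all.
    Raises ValueError when the caps make the requested length impossible.
    """
    if length > max_letters + max_digits + max_specials:
        raise ValueError("caps too low for requested length")
    n_l = min(length, max_letters)
    n_d = min(length - n_l, max_digits)
    n_s = length - n_l - n_d  # <= max_specials, guaranteed by the check above
    chars = ([secrets.choice(LETTERS) for _ in range(n_l)]
             + [secrets.choice(DIGITS) for _ in range(n_d)]
             + [secrets.choice(SPECIALS) for _ in range(n_s)])
    # Fisher-Yates shuffle driven by the CSPRNG, so the position of each
    # character class in the result is not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate(8, max_letters=5, max_digits=2, max_specials=1)
    print(pw, classify(pw), complies(pw, 5, 2, 1))
```

Run as a script it prints one generated password, its class counts and whether it complies with the caps it was generated under; `complies` can also be pointed at passwords produced elsewhere to check them against a given set of switch values.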
Answer:
We now get 40 character passwords, lots more password control parameters (numbers letters, reuse of portions of the previous password string), up to 100 stored passwords before the user can recycle a password (configurable). Expiration of unused passwords etc.
Now everyone will write their passwords down so that someone will be able to find them.
Answer:
Oh yeah... I just noticed that. Initially I thought, why the hell is the password field so big? Hey, now the passwords are case sensitive.
Answer:
After seeing the post, I tested on the system, and the passwords are not case sensitive.
Gopi
Answer:
Did you check all the system parameters that you have to set to make a case sensitive password possible?
Answer:
Well, it is case sensitive. I just checked it. We are on ECC 6.0. Not sure about ECC 5.