Re: [sap-security] Secure co09 tx at R/3 system
Posted by anjan.pandey on May 10 at 11:56 PM
Hi
As already suggested by Henrik, RFC user should never be a dialog user. Also
access of RFC user should be restricted based on what it is to be used for.
Full access (SAP_ALL and SAP_NEW) should not be granted to any user (dialog
or non dialog). Please have trace on the id performing the function and
create a role to restrict the access.
If you still want the user to have dialog logon for the APO system, then
maintain the Logon & Security for the RFC of APO system and check on
"Current user". By this, the user will be able to log on to the APO system only
through his/her credentials. Also access of specific users can be restricted
based on the job performed.
Thanks.
Anjan Pandey
On Tue, May 11, 2010 at 3:22 AM, henrikmadsen2 via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by henrikmadsen2(GRC Consultant )
> on May 10 at 5:53 PM
> Can't you make the RFC connection user specific, so the user logs on with
> his own credentials? That way you control access on all instances. Or at
> least limit the RFC user to only the required stuff, and set up a different
> RFC connection to use for system communication.
>
> And apart from that, RFC users should NEVER be dialog!
>
> On 10 May 2010 23:25, vnc123 via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
>
> > Posted by vnc123
> > on May 10 at 9:28 AM
> > Hello,
> > When I execute CO09 tx at R/3 and provide material details, the screen will
> > switch to APO system. Since I use ale_remote user, which has full authority
> > and is dialog, for communication between R3 AND APO. The user can open new
> > session and get full access to APO system. How it can be controlled. I want
> > to disable "Create New session" icon for specific user. Or is there any
> > other way around. How to proceed. Thanks
Copyright © 2010 Toolbox.com and message author.
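
The check the replies describe, as an added example that is not part of the original thread: it flags RFC destinations that store the credentials of a dialog-capable user or of a user holding SAP_ALL/SAP_NEW. The CSV layout, column names and sample rows are constructed for illustration and are not an SAP export format; only the user-type codes (A = dialog, B = system, C = communication, S = service) follow SAP's convention.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for this example.
USERS_CSV = """user,user_type,profiles
ALE_REMOTE,A,SAP_ALL;SAP_NEW
RFC_APO_ATP,B,Z_RFC_APO_ATP
JSMITH,A,Z_PLANNER
"""
DESTS_CSV = """destination,target,current_user,stored_user
APOCLNT100,APO,N,ALE_REMOTE
APOCLNT100_ATP,APO,N,RFC_APO_ATP
APOCLNT100_DIALOG,APO,Y,
"""

INTERACTIVE_TYPES = {"A", "S"}          # user types that can open a SAP GUI session
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def load_users(text):
    """Map user name -> (user type, set of assigned profiles)."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        profiles = {p for p in row["profiles"].split(";") if p}
        users[row["user"]] = (row["user_type"], profiles)
    return users


def audit(dest_text, user_text):
    """Return (destination, user, reason) findings for stored-credential RFCs."""
    users = load_users(user_text)
    findings = []
    for dest in csv.DictReader(io.StringIO(dest_text)):
        if dest["current_user"] == "Y":
            continue  # caller logs on to the target with their own credentials
        name = dest["stored_user"]
        if name not in users:
            findings.append((dest["destination"], name, "stored user not in export"))
            continue
        user_type, profiles = users[name]
        if user_type in INTERACTIVE_TYPES:
            findings.append((dest["destination"], name,
                             f"dialog-capable user type {user_type}"))
        for profile in sorted(profiles & BROAD_PROFILES):
            findings.append((dest["destination"], name, f"broad profile {profile}"))
    return findings


if __name__ == "__main__":
    for finding in audit(DESTS_CSV, USERS_CSV):
        print(*finding, sep=" | ")
```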