Creating Users and Groups in CMC

Like most other SAP applications, BOBJ uses a Role Based Access Control Mechanism. To assign roles or rights to a user, a user account needs to be created in CMC. Further users can be assigned to user groups and rights assigned to user groups. Assigning rights to groups is a much better option as it leads to much lesser maintenance than assigning rights to individual users.  We can create users or user groups by navigating to the “Users and Groups” area of the CMC. Continue reading “Creating Users and Groups in CMC”

Happy New Year 2013

Happy new year to all visitors for my blog. Hope you have a great year ahead! I am starting a new series of posts on SAP Business Objects Security. My new year’s resolution is to get them completed by the end of the year.

Introduction to BOBJ

Till a few years back Business Objects used to be a company whose products were used in many enterprise reporting applications. A few years back the compnay was taken over by SAP and incorporated into a large number of existing SAP products. Right now, SAP Business Objects, BO or BOBJ is the frontend reporting component of choice for SAP. Though BOBJ is largely used as the frontend for SAP BW, BOBJ reports can also be integrated with  GRC, GTS, BPC and even ECC. BOBJ can also be used to directly query SAP and non SAP databases. I have been trying to become more familiar with the security features of the BOBJ product suite as a large number of companies are increasingly using BOBJ for their frontend reporting instead of relying on the features of BEX Analyzer. Unfortunately there doesn’t seem to be too many online reources available to learn BOBJ security on our own. Hence this new thread on BOBJ security. Continue reading “Introduction to BOBJ”

HR Processes and Forms

Select an Employee for a Process

A growing tendency of HR departments around the world has been to decentralize the maintenance of HR data. So instead of one major services department handling the data for the entire organisation, we are moving towards a situation where each department has its own HR representative who owns the data for the department’s employees. Even for organisations using a shared services model for HR, the trend is to simplify data entry procedures so that even HR analysts with limited exposure to SAP transactions can get their jobs done efficiently. It was from this need to simplify the user interface for users that SAP came up with the concept of HR processes and forms. The technology is based on Adobe forms and as such more intuitive for a beginning user than SAP transaction. To a large extent, a process maps to a HR action like hire, transfer, retire. Each process in turn is tied to one or more forms which the HR administrator fills up with data. There is provision to do data validation during the submission of the forms to ensure that data entered make sense. Workflows can be configured so that on submission of the forms, the process is routed to one or more level of approvals before the action actually comes into effect. Most processes are exposed to end users through portal links. Before looking at the security aspects of a process, lets first look at how a process would look like to a HR Administrator. Continue reading “HR Processes and Forms”

ABAP Debugger

Debugger at Breakpoint

After finishing the last post on SE16N and DEBUG, I realised that since this site primarily caters to the aspiring security consultants, some portion of its target audience might be at all familiar with ABAP debugging at all. The idea behind this post is to acquaint Security Consultants with the basics of debugging. This is certainly not meant as a guide on how to debug ABAP code as you would need to be familiar with ABAP syntax to actually debug code.  However, I always consider that knowing ABAP is very helpful for any consultant, functional, security or basis. So if you have some free time you can always go through some of the free ABAP tutorials available on the web and the added knowledge would certainly come in handy the longer you stay with SAP. Continue reading “ABAP Debugger”


SE16N - Sap Editing Activated

This is a continuation of the many different articles on this blog around security around tables. However, the articles till now has concentrated on the different methods provided by SAP to restrict access to tables. Today’s article on the other hand will talk about a common method of accessing tables, the security implications for this form of access and how we react as security consultant when faced with requests for this form of access. Continue reading “SE16N and SAP_EDIT”

What happens in June

Its been more than a month since I last posted in the blog. Try as I might, I never seem to get around to posting as regularly as I would like to 🙂 Still I am a firm believer in the philosophy that something is better than nothing, so the blog lumbers on…….My current goal is to reach 100 posts in the blog and I am currently at 85. Lets see when I reach the milestone. Also, I am exploring a few new options at my work outside of SAP security. The result being that my SAP access is now limited to a solitary ECC sandbox. The reason I mention this here is to clarify that any new articles on any non ECC based articles would have to wait for a few months.

Database Views For Tables

Few aspects of SAP Security are as well explored by Security Consultants as security for Tables. SAP already provides a host of objects for controlling access to tables – S_TABU_DIS for security through table authorization groups, S_TABU_CLI for client independent tables, S_TABU_LIN for row level security and S_TABU_NAM for security individual tables. The use of these different authorization objects have been documented elsewhere on this blog and I would not want to discuss any more of them here. However, lets take a different approach and think about a way to secure individual fields for a table or in other words column level security for a table. One of the ways to achieve these is through the use of database views. Please note that creating database view is not the job of a security consultant and in all probablity you would not have access to do it in any system. However its good to know of the option if ever the need arises.  Continue reading “Database Views For Tables”