Monday, May 16, 2011

SAP Note 1302928 - Field Level Authorizations Not Being Checked in CASE

Symptom
Authorization is assigned at field level, i.e. for attributes.
The 'Display Only' property can be set for an attribute in two ways:

1) The authorization assigned is 'Display only'. Even though only display authorization has been assigned for the attributes, the user was still able to change the values of fields that have F4 help.

2) The field is made 'Not Modifiable' in Customizing. Even then, the user is able to change fields that have F4 help assigned.



Other terms
Display Authorization, editable, F4 fields, case, records.


Reason and Prerequisites
No check for 'Non Modifiable' attributes with F4 help assigned was done before display, and the values of fields with F4 help assigned were sent to the screen.


Solution
Apply the note.



Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_BASIS | 60 | 640 | 640 | |
| SAP_BASIS | 70 | 700 | 701 | |
| SAP_BASIS | 71 | 710 | 711 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SAP_BASIS | 640 | |
| SAP_BASIS | 700 | |
| SAP_BASIS | 701 | |
| SAP_BASIS | 710 | |
| SAP_BASIS | 711 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 640 | 640 | SAP_BASIS | 13.02.2009 09:35:08 |
| | 700 | 700 | SAP_BASIS | 13.02.2009 09:42:59 |
| | 701 | 701 | SAP_BASIS | 13.02.2009 10:04:41 |
| | 710 | 710 | SAP_BASIS | 13.02.2009 10:06:07 |
| | 711 | 711 | SAP_BASIS | 13.02.2009 10:07:04 |

SAP Note 1304803 - Security note: Changing a transport without authorization

Symptom
Certain reports that do not have an authorization check can create or change transport requests and change the piece list of a request.
This is a security breach.



Other terms
Security breach


Reason and Prerequisites
This problem is caused by a delivery error.


Solution
Use the Note Assistant to implement the correction instructions or import the relevant Support Package.

If the report TH_E070E also exists in your system, delete it manually. For technical reasons, we cannot provide general correction instructions for this report.
If the package STRW does not exist in your system, you must first call transaction SE03 -> "Change Object Directory Entries" and change the package from R3TR PROG TH_E070E to SDEL.
In this case, the package change must be transported together with the deletion of the report.

The correction does not influence the normal functioning of the Transport Organizer (transactions SE01, SE09 or SE10) or other applications.
The Transport Organizer does not use the reports in any way.

We strongly recommend that you implement this note to eliminate this security flaw.




Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_BASIS | 46 | 46C | 46D | |
| SAP_BASIS | 60 | 610 | 640 | |
| SAP_BASIS | 70 | 700 | 702 | |
| SAP_BASIS | 71 | 710 | 720 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SAP_BASIS | 46C | |
| SAP_BASIS | 620 | |
| SAP_BASIS | 640 | |
| SAP_BASIS | 700 | |
| SAP_BASIS | 701 | |
| SAP_BASIS | 710 | |
| SAP_BASIS | 711 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 46C | 711 | SAP_BASIS | 13.02.2009 14:56:46 |

SAP Note 1306604 - /SAPAPO/MC62 authorization for creating CVCs

Symptom
Authorization object C_APO_CVC (introduced by note 1235367) is used to limit rights for CVC maintenance.
A user has authorization to create CVCs for a POS A, but not for POS B.
On the first screen of /SAPAPO/MC62 the user enters POS A, then on the next screen, using the get variant button, selects a variant for POS B; authorization is not checked again, so the user is able to create CVCs for POS B.



Other terms
Maintenance of Characteristic Value Combinations, C_APO_CVC


Reason and Prerequisites
Program error. In case the POS is read from a variant, authorization object C_APO_CVC is not checked.
Notes 1235367 and 1262016 are prerequisites.



Solution
Please apply the attached correction or install the corresponding support package.
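
The missing re-check described in this note, as a constructed Python model (an added example, not SAP or ABAP code and not part of the note). The class, function and variant names are assumptions, and the C_APO_CVC check is reduced to a single POS value.

```python
"""Constructed model of the flow in SAP Note 1306604; not SAP code."""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    pass


@dataclass
class Session:
    user: str
    allowed_pos: frozenset              # POS values the user may create CVCs for
    pos: str = ""                       # POS currently selected on the screen
    created: list = field(default_factory=list)

    def authority_check(self, pos):
        # Stand-in for the C_APO_CVC check; only the POS value is modelled.
        if pos not in self.allowed_pos:
            raise NotAuthorized(f"{self.user} may not create CVCs for {pos}")


# Constructed selection variant that carries a different POS.
VARIANTS = {"V_POS_B": {"pos": "POS_B"}}


def first_screen(s, pos):
    s.authority_check(pos)              # the check happens once, on entry
    s.pos = pos


def get_variant_vulnerable(s, name):
    s.pos = VARIANTS[name]["pos"]       # POS replaced from the variant, no re-check


def get_variant_fixed(s, name):
    pos = VARIANTS[name]["pos"]
    s.authority_check(pos)              # re-check the value read from the variant
    s.pos = pos


def create_cvc(s, combo):
    s.created.append((s.pos, combo))
    return s.created[-1]


def run(get_variant):
    """Enter with POS_A, load a POS_B variant, then try to create a CVC."""
    s = Session("planner1", frozenset({"POS_A"}))
    first_screen(s, "POS_A")
    try:
        get_variant(s, "V_POS_B")
    except NotAuthorized:
        return "blocked", s.pos
    return "created", create_cvc(s, "constructed-combination")[0]
```
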





Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SCM | 410 | 410 | 410 | |
| SCM | 500 | 500 | 500 | |
| SCM | 510 | 510 | 510 | |
| SCM | 700 | 700 | 700 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SCM | 410 | |
| SCM | 500 | |
| SCM | 510 | |
| SCM | 700 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 410 | 410 | SCM | 09.10.2009 09:49:48 |
| | 500 | 500 | SCM | 09.10.2009 09:50:59 |
| | 700 | 700 | SCM | 16.02.2009 11:23:47 |
| | 510 | 510 | SCM | 16.02.2009 11:34:45 |




SAP Note 1315883 - RSUSR003: Standard passwords for hash code versions H and I

Symptom

You use the report RSUSR003 to obtain cross-client statements about the password status for the standard users SAP*, DDIC, SAPCPIC, and EARLYWATCH.
However, the report does not support the new hash code versions H and I.



Other terms
Salted hash, login/password_downwards_compatibility, CODVN


Reason and Prerequisites
The list of supported password hash procedures has been extended (see Note 991968).


Solution
These corrections consist of an ABAP correction and a kernel correction.
To ensure that the system processes the hash code version "I", you require only the ABAP corrections. For these, use the SAP Note Assistant to implement the correction instructions, or import the relevant Support Package.

To ensure that the system can also process the hash code version "H", a kernel correction is provided in addition to the ABAP correction. The lowest patch level of the kernel is specified in the "SP Patch Level" section.




Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_BASIS | 71 | 710 | 711 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SAP_BASIS | 710 | |
| SAP_BASIS | 711 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 710 | 710 | SAP_BASIS | 12.03.2009 10:15:05 |
| | 711 | 711 | SAP_BASIS | 12.03.2009 10:15:32 |