14 Comments


  1. Colleen Hebbert

    Hi Leo

    Good effort here to pull this together and I can see those new to GRC appreciating the piece. If you happened to have used SCN content then it would be nice for you to reference which posts you referred to  🙂


    Some improvement ideas:

    1. SICF listing – I would limit to the ones that apply to PSS. If PSS is in scope but Access Requests is not they do not need to activate them and may even remove them from display. Glad you provided recommendation on restricting the GUEST user access. I thought GUEST was a service account, not a communications one?

    2. PRGN_CUST – I mentioned this table to you a while back, but by configuring these password entries you can control the length/format of the generated password (instead of getting a really long password)

    3. Reason system does not show up

    Another reason for a system not showing up – if the user does not have access to that system in the first place they will not see it. There is also a security authorization check but I assume the GUEST account has full access from the roles you mentioned.

    4. Data Sources for Authentication

    Watch out for the catch 22 – For example if ECC is your authentication source and also happens to be the account you need a password for. You need to know the password to authenticate to request a password –> you become stuck.

    5. End User Verification as YES or NO

    Possibly spell out the risk more on setting it to NO. Setting to NO overcomes the point I made about the catch 22 but then you need to manage the risk of someone else masquerading as the user, by using Challenge Response or trusting that their email address is secured.

    6. Challenge Response Questions

    This goes hand in hand with the End User Verification. But also do you want users registering their own or system. How do you go about on-boarding registration of questions? What are the risks either way.

    Elaborating a bit more on the risks and options for configuring PSS will take this blog to the next level. But again, it is already a useful checklist to work through.

    Regards

    Colleen

    1. S A Post author

      Hello Colleen,

      Thank you for the great feedback. As usual it is very much appreciated.

      I take everything you mentioned here on board and I understand where you are coming from. My goal (as with all my documents) is to keep it simple, and my target audience are first timers. Once they understand the basics they can go and do their own digging and experiment. I believe you learn better that way.

      My plan is to build in stages and reference the documents, so that way there is a natural progression. However input and feedback from people like yourself will help in that progression.

      it would be nice for you to reference which posts you referred to  🙂

      I usually do but in this instance there isn’t a document per se. However it was from questions raised and various answers from the community. A good amount is from your answers in the following blog. Thanks for that!!

      GRC AC-Password self service

      PRGN_CUST – I mentioned this table to you a while back, but in configuring this password entries you can control the length/format of the generated password (instead of getting a really long password)


      Brilliant!! I was wondering how on earth I could achieve this. I’ll get straight on it.

      I’ve got a query if I may. Is giving ‘SAP_ALL’ to the Shared user the right way to go? Because if I don’t then the systems aren’t showing up!

      Also is there a way we can disable how often one can raise a PSS request in a day? Right now, it is only once a day.

      Regards,

      Leo..

      1. Colleen Hebbert

        Hey Leo

        SAP_ALL – do not assign this to any users. System users, like an end user, must only be given the permissions for the job they are meant to do. If your service user has SAP_ALL and the password is known it is a massive risk.

        PRGN_CUST – look for the PASS_GEN* entries. I think there are 4-6 of them to control length, special character, number, letters, etc.

        Number of passwords – the one a day limit would be due to the SAP user master password limit. GRC is leveraging the BAPIs for password reset (it’s why the password length is also controlled from PRGN_CUST). You cannot reset your own password more than one time a day. Multiple resets must be handled by the administrator.

        Regards

        Colleen

        1. S A Post author

          Thanks Colleen. I’ll have a crack at that table, and also it’s good to know that there is no way around the once a day thing!

          I was aware that SAP_ALL should not be given to end user but I thought the shared user is of type ‘Communication’ (I read in one of the blogs here and it seems to be working) so it does not have login option (Or maybe I am getting confused with another user type). I wonder what authorization in SAP_ALL is enabling the systems to show up!!

          Regards,

          Leo..

      2. Trinetra Bhushan

        Hello,

        Thanks for putting out the blog and explaining in detail.

        I have one query on the End User logon page. I made AD (LDAP) the data source for end user logon and it is working fine as expected. The issue is that, as per the policy, when the user tries to log in to the end user page using the initial password set in AD it should ask for the password to be changed before getting into the page.

        Is there any way we can activate the functionality?

        Thanks,

        Trinetra

  2. Anthony Thiongo

    Excellent guide Leo.

    Here is a suggestion if you want to avoid the end user verification and challenge question risk highlighted. This works if your organization uses SAP portal with LDAP authentication.

    We disabled both end user verification and challenge questions for PSS. We added the PSS link/Iview to the Portal and forced the users to first access our portal with AD ID and password before going to the PSS link. This has worked great for us.

    Thanks

    Anthony

    1. S A Post author

      Thanks for your positive feedback Anthony. Appreciate it. You are right! The portal scenario you mentioned is a good approach to overcome some, if not most, of the problems addressed in this document. A mate of mine tried the same in his organization and apparently it works like a charm!!

      Regards,

      Leo..

    2. Colleen Hebbert

      Hi Anthony

      If someone knows the End User Login URL directly are they able to launch it outside of the portal and just enter their User Id to proceed?

      Regards

      Colleen

  3. Priyanka Mathur

    Hi Leo,

    Thanks for the document, it clears out lots of questions around PSS. Great work!!

    It helped me a lot to set up PSS for our client.

    I just want to add regarding the ‘Guest’ user or the shared user which we maintained at GRC side in our services (through SICF).

    – The Guest user has to be service type in SU01.

    – SAP_ALL to service user is strict No.

    – When we maintain it in services it has to be marked as Internet user.

    – This user will need RFC authorizations similar to the RFC users we use in our target ECC/BW etc systems, so we can utilize the same roles.

    – Add authorization to the GRAC_SYS auth object to the Guest user to ensure the systems appear in the System list in the last step of PSS.

    Hope these points will help.

    Thanks,

    Priyanka

  4. huafei fan

    Hi Leo

    Thank you very much for the efforts. I’m a little confused. After completing all the settings, can I log in using that shared user (GUEST) and then raise a password reset request for my own ID (like ZTEST)?

    Appreciate if you can kindly answer my question.

  5. Siobhan Jane Barnett

    Hello,

    This document is really great – I am working on implementing PSS and have run into an issue – I have created my shared user as a communication user and set up the SICF services; when trying to perform the test -> Right click GRAC_UIBB_END_USER_LOGIN, I am prompted to change the password – could anybody perhaps have an idea why, and where I should look to correct this?

    Thanks in advance,

    Kind Regards,

    Siobhan
