cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error in calling up function 'BAPI_APOATP_CHECK'

Go to solution
former_member867693
Explorer

on ‎06-17-2015 7:47 AM

0 Kudos


Hello,

We are facing

Error in calling up function 'BAPI_APOATP_CHECK'

in APO server : Screen output without

connection to user.

While processing ATP check in sales order.

This is happening because of user type for user we are using is "system" which is not  dialog user.

Basis team is refusing to change it to dialog user due to security reason.

Can anyone help to get smooth working for gATP processes (ATP) without disturbing current setting done by BASIS.

Or does it require any enhancement

quick help will be appriciated.

Thank you.

Sandeep

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎06-28-2015 2:10 AM

Sandeep,

Expert Babu is right.  GATP is one of the few applications where SAP security experts recommend using a dialogue user for the RFC userid, and not a communications user or system user. 

If your Basis team would like to see this recommendation, have them refer to the appropriate security guide for SCM.  For example,

http://service.sap.com/~sapidb/011000358700001395692010E/SCM_SG_0_701.PDF

(this particular version is 7.0 EHP1) where it states on page 26: 



Maintaining Authorizations for Available to Promise (ATP)


Available to Promise plays an important role in the integration of SAP APO and SAP ERP: The ATP check needs an RFC connection with a dialog user to perform the check

If your basis team wants to eliminate the risk (yes, there can be a security risk if you use a generic RFC userid with type dialogue), they can set up a trusted system relationship for just the GATP check.  In this way, each ECC user who calls GATP in SCM has their own userid in SCM; and their userid in SCM actually performs the check.

Companies I have seen don't normally go this far, they just assign ONLY the roles that are strictly required to the generic RFC Userid.

Best Regards,

DB49

Show replies
Show replies
former_member867693
Explorer
‎06-30-2015 7:09 AM
0 Kudos


Thank you DB for reply,

Yes its correct and mandatory to you dialog user.

Due to security reason not ready to use it as Dialog.

Still we have created new RFC user (Dialog) and assigned role for ATP activity.

I need your input on objects in role required for ATP check.

Just need to crosscheck if i missed any.

Thanks.

SandeepT

Former Member
‎06-30-2015 9:57 AM
0 Kudos

Sandeep,

???? When you test this change, you will find out the deficiencies.  You are going to test, right?

Your larger concern should not be 'what you have missed', it normally should be 'what have you included that is not required' to this new userid, who will essentially be anonymous.  If you only want to ensure that you don't miss anything, then assign SAP_ALL composite profile.

Anyhow, the info (recommended roles for ATP user) that you requested is also contained in the security guide I mentioned earlier.

As always, your company may have an authorization strategy that differs from SAP's strategy.  You may have to tweak SAP's recommended standards in order to meet all your internal business requirements.

Best Regards,

DB49

former_member867693
Explorer
‎06-30-2015 10:16 AM
0 Kudos

DB,

Thanks for reply.

Yes surly i am going to test it...

Also will check what is not required once testing done.

Thanks for doc an info..

babu_kilari4
Active Contributor
‎06-30-2015 10:25 AM
0 Kudos

Hello Sandeep,


As mentioned by ( although I wonder what's his real name ?? ) - you may either choose to assign SAPALL authorization to your RFC user id or create a custom authorization group including the relevant components. For instance, if your business process doesn't need Quota check to be executed, the relevant authorization can be removed from your custom authorization group. It all depends on your customer's requirement. Usually it is a task that is performed during the initial days of implementation where project team collaborates with security team to come up with a definite authorization group that fulfills your business.

Hope this helps.

Thanks & Best Regards,

Babu Kilari

former_member867693
Explorer
‎06-30-2015 10:39 AM
0 Kudos

Hi Babu,

Absolutly right,

Ths has to be done at the initial stage of implementation project.

Currently i am working on implementation project .

This issue has come when testing started in UAT server which was having non dialog background user.

So may be missed as u said project team and security team could not spend time before..

Anyways  thanks for your feedback on this.

I will check and remove what is not required.

Cheers.

SandeepT

Answers (1)

Answers (1)

babu_kilari4
Active Contributor
‎06-27-2015 6:59 PM
0 Kudos

Hello Sandeep,

It is very much required that the ATP user id should either be "Dialog" type or "Service" type. If you plan to use "System" user id, you will not be able to see that delivery proposal screen and hence the short dump.

Please inform your Basis team and Security teams and make the change. This is very much a basic setup.

Thanks & Best Regards,

Babu Kilari

Show replies
Show replies
former_member867693
Explorer
‎06-30-2015 7:07 AM
0 Kudos

Hi Babu,

Thanks for reply.

Yes its correct and mandatory to you dialog user.

Due to security reason not ready to use it as Dialog.

Still we have created new RFC user (Dialog) and assigned role for ATP activity.

I need your input on objects in role required for ATP check.

Just need to crosscheck if i missed any.

Thanks.

SandeepT

Ask a Question