Julius

Thanks for the information.

We have already BADGERED Vertex for this information. Short answer: Vertex tells us this is for SAP to supply and SAP indicates that Vertex should be giving us this info.... a nice little catch-22.

I will talk to the security team to run the audit log.

Thanks

Darlene

Hello Darlene,

I dont know VERTEX, but would think that if they are installing and calling their own function module, then it is their responsibility. Who are the "end users" of this VERTEX application?

If they are calling a SAP standard function module (BAPI), then it is a bit greyer. If it is SAP, then how could SAP possibly know how your system is configured or how VERTEX is calling it, or how much of the "interface" you want to use, to be able to deliver a role? For the same reason, how could VERTEX know all of that?

My guess would be that you will be given a role which is close to SAP_ALL without a few transaction codes

Most likely, you can save yourself a lot of time, hassle and risk by logging and building a role yourself.

[Here is a usefull presentation on how to go about it|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a08fbe33-0501-0010-2d9c-fb37e9795fd9] and if you have any questions, feel free to ask them here at SDN.

Kind regards,

Julius

>

> I will talk to the security team to run the audit log.

If the security audit log is not turned on for this, then you will (most likely) need to activate it and let the software run for a while or go through a test script to collect the data.

Another option is to check the RFC profiles via ST03N statistics - these are usually there already, but much trickier to read and get information from.

I would recommend that you check the user type of this user and set it correctly (most likely to SYSTEM type user) before you do this.

Cheers,

Julius

>

> Hello Darlene,

>

> I dont know VERTEX, but would think that if they are installing and calling their own function module, then it is their responsibility. Who are the "end users" of this VERTEX application?

>

> If they are calling a SAP standard function module (BAPI), then it is a bit greyer. If it is SAP, then how could SAP possibly know how your system is configured or how VERTEX is calling it, or how much of the "interface" you want to use, to be able to deliver a role? For the same reason, how could VERTEX know all of that?

>

> My guess would be that you will be given a role which is close to SAP_ALL without a few transaction codes

>

> Most likely, you can save yourself a lot of time, hassle and risk by logging and building a role yourself.

>

> [Here is a usefull presentation on how to go about it|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a08fbe33-0501-0010-2d9c-fb37e9795fd9] and if you have any questions, feel free to ask them here at SDN.

>

> Kind regards,

> Julius

I can't agree more with Julius, I would say that it is bordering on irresponsible for a company to produces a product interfacing with SAP and they haven't tested or will not provide adequate security information for that product.

I was in a situation a while back with the SAP interface of a business process mapping tool called ARIS, however they had done their homework, just at the time was difficult to locate it in the documentation

Yes, this has been frustrating since all of our other 3rd party vendors gave us the authorization requirements. Vertex stands firm that this is an SAP item.

We do have the loggin enabled. We just went live with Vertex 4.0 a week ago, and some of the modules haven't been hit yet. So I am going to wait till the end of next week and then examine the logs.

I will post back the role that we came up with.

Thanks ALL!!!!

Hi Darlene,

I am happy for you that all your other 3rd party vendors give you the information on authorization requirements for the application. You are in a fortunate situation is seems...

I agree with you and Alex that it is their responsibility to do so, however I personally am of the opinion that it is still our responsibility to complete them (e.g. is the file path "hooked"?) or tweak them (e.g. object_type FUGR, or object_type FUNC?) based on our requirements and system setup, and test them.

A vendor cannot generically know all of that, so they would tend toward deliver the "maximum-minimum", as we all know what happens when an interface dumps...

... which brings me to another point...

Have a nice weekend,

Julius

PS: As long as you don't consider it to be a security concern, yes please post your role. It would be interesting.