Symptom

In XSS applications it is common to face authorization issues. Symptoms of these incidents are:

  • Only a few users face the error
  • XssMenuArea expired
  • RFC errors
  • etc.

Solution

First, isolate the issue by assigning full authorization to the affected user (for example: super_admin and SAP_ALL).

After that, assign each role in turn and test after each one. The idea is to find which role is causing the issue.

As soon as you find the role that lacks the authorization, you can open it via PFCG (if it's a backend role) or User Administration (if it's a Portal role).

It's common to have custom roles without the S_SERVICE authorization object, in which case it's necessary to assign it to users. For example:

Two parameters must be set: SERVICE_TYPE = 'WEBDYNPRO' and
SERVICE = <vendor>/<dc>/<Application>, for example
sap.com/pcui_gp~xssutils/XssMenuArea.
For testing you can also assign '*' for SERVICE to your
user.

Also, it's common to forget to assign the role SAP_ERP_EMPLOYEE to ESS users.

* You can also check note 612585 (New: Authorization default values for ext. services) for more information.

* Example of full authorization user in ESS and MSS:

Assigned roles:

Unique Name: pcd:portal_content/com.sap.sandbox/d035508/com.sap.pct.erp.mss.manager_self_service
Display Name: com.sap.pct.erp.mss.manager_self_service

Unique Name: pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.ess.bp_folder/com.sap.pct.erp.ess.roles/com.sap.pct.erp.ess.employee_self_service
Display Name: com.sap.pct.erp.ess.employee_self_service

Unique Name: pcd:portal_content/com.sap.pct/line_manager/com.sap.pct.erp.mss.bp_folder/com.sap.pct.erp.mss.roles/com.sap.pct.erp.mss.manager_self_service
Display Name: com.sap.pct.erp.mss.manager_self_service

Unique Name: pcd:portal_content/com.sap.pct/line_manager/com.sap.pct.erp.mss.bp_folder/com.sap.pct.erp.mss.13.bp_folder/com.sap.pct.erp.mss.13.roles/com.sap.pct.erp.mss.manager_self_service
Display Name: com.sap.pct.erp.mss.manager_self_service

Unique Name: pcd:portal_content/com.sap.pct/specialist/com.sap.pct.erp.srvadmin.bp_folder/com.sap.pct.erp.srvadmin.roles/com.sap.pct.erp.srvadmin.SRVAdministrator
Display Name: com.sap.pct.erp.srvadmin.SRVAdministrator

