SAP Authorizations Bypass Excel-based Permissions Traps

Direkt zum Seiteninhalt
Bypass Excel-based Permissions Traps
Grant spool jobs
Insert SAP Note 1171185 into your ZBV system. With this notice, the report RSUSR_SYSINFO_LICENSE is delivered, which retrieves and displays the user types from the systems connected to the ZBV. In addition, however, SAP Note 1307693, which contains new functionalities of licence measurement, must be installed on the subsidiary systems connected to the ZBV. In addition, you may need to extend the permissions of the users in the RFC connections to the ZBV's subsidiary systems by the permissions to the S_RFC object with the SUNI and SLIM_REMOTE_USERTYPES function groups. If the SAPHinkling 1307693 is not installed on a subsidiary system, or the RFC user's permissions have not been adjusted accordingly, the RSUSR_SYSINFO_LICENSE report in the application log (transaction SLG1) will issue a warning.

In addition to defining permissions for external RFC access through the S_RFC authorization object, it is possible to prevent external calls to function blocks. From SAP Net-Weaver AS ABAP 7.40 there is the additional SAP Unified Connectivity (UCON) layer. It controls external access to RFC function blocks independently of users or roles and can be configured to suit your needs. All function modules that are to be executable via RFC are entered into the UCON Communication Assembly. If a function block is not stored there, the call will be blocked. UCON has been designed to minimise impact on RFC call performance. The necessary function blocks are identified in the UCON Phase Tool (transaction UCONPHTL), which constantly monitors all external RFC calls and supports an introduction of the UCON Communication Assembly. This allows calls to new function blocks (such as custom developments, support package changes) to be analysed and, if necessary, released for external access. In addition, UCON offers the possibility to review the configuration in an evaluation phase. There are approximately 40,000 RFC-enabled function blocks in an ERP system; Usually no more than a few hundred of them are used. With the use of UCON you therefore increase the security of your system.
Assignment of roles
The convenience of configuring and evaluating the Security Audit Log has been improved. For this purpose, the maximum number of marked messages in the detail selection has been increased to 40 events, a forward navigation for the displayed objects has been added and the details selection in transaction SM20 has been supplemented with the technical event names. You will find the corrections and an overview of the required support packages in SAP Note 1963882.

The permissions on database objects show you the details of the user's permissions to access the object. In the following example, the MODELING role includes permission to use the _SYS_BI object with the EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges. In addition, a user assigned this role is not allowed to pass these privileges on to other users (Grantable to Others). Our role as an example also includes Analytical Privileges and Package Privileges, which are not discussed here.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.

To develop without modification, SAP offers user-exits or business add-ins (BAdIs) for such cases.

The user ID, the relevant system and the initial password are listed for each user.
SAP Corner
Zurück zum Seiteninhalt