Former Member

Privileged accounts in FI-CO

I recently conducted an audit at a client whereby the FI-CO server had privileged accounts open with default passwords. The business response was that the module in question was non-critical and that sensitive data such as HR records were not accessible. I would like to know whether it is possible to pivot between modules or utilise the credentials to access sensitive data within other modules. Is anyone able to confirm one way or another, please?


1 Answer

  • Apr 20, 2018 at 01:46 PM

    Bit of an old post, but thought I'd answer... It's difficult to say, as you would need to know what the user is authorised to do. In your example, the business may have locked down, say, transaction PA20 to sensitive infotypes (S_TCODE = PA20 and P_ORGIN authorisations) but have allowed SE16 table access with no restriction. In this case, the user could get to the data via the table browser, so there would be sensitive data.

    SAP has more than one way to execute a function, and modules are integrated with each other, so again it will depend on what access the user has to understand the entry points and if there is a way to get to the data.

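The answer's point, that restricting PA20 does not help when SE16 table access is unrestricted, can be checked from an export of user authorizations. The sketch below is an added example, not part of the original thread: it assumes rows of (user, authorization instance, object, field, value), and the S_TABU_DIS object with its DICBERCLS and ACTVT fields, the SE16N transaction, the user names and the sample rows are all additions constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample rows: (user, authorization instance, object, field, value).
SAMPLE_ROWS = [
    ("FI_ADMIN", "A1", "S_TCODE", "TCD", "FB*"),
    ("FI_ADMIN", "A1", "S_TCODE", "TCD", "SE16"),
    ("FI_ADMIN", "A2", "S_TABU_DIS", "ACTVT", "03"),
    ("FI_ADMIN", "A2", "S_TABU_DIS", "DICBERCLS", "*"),
    ("FI_CLERK", "B1", "S_TCODE", "TCD", "SE16"),
    ("FI_CLERK", "B2", "S_TABU_DIS", "ACTVT", "03"),
    ("FI_CLERK", "B2", "S_TABU_DIS", "DICBERCLS", "FC01"),
    ("HR_VIEW", "C1", "S_TCODE", "TCD", "PA20"),
    ("HR_VIEW", "C2", "P_ORGIN", "INFTY", "0002"),
]

TABLE_BROWSERS = ("SE16", "SE16N")  # SE16N is added here; the thread names only SE16
DISPLAY = "03"                      # ACTVT value for display


def _covers(patterns, wanted):
    """True if any granted value (exact or '*' wildcard) covers `wanted`."""
    return any(fnmatchcase(wanted, p) for p in patterns)


def build(rows):
    """Group values as user -> object -> auth instance -> field -> {values}."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: defaultdict(set))))
    for user, auth, obj, field, value in rows:
        tree[user][obj][auth][field].add(value.strip().upper())
    return tree


def unrestricted_table_readers(rows):
    """Flag users who can start a table browser AND display every table group."""
    findings = {}
    for user, objs in build(rows).items():
        tcodes = set()
        for fields in objs.get("S_TCODE", {}).values():
            tcodes |= fields.get("TCD", set())
        browsers = [t for t in TABLE_BROWSERS if _covers(tcodes, t)]
        # Fields inside one authorization instance must all match (AND);
        # separate instances are alternatives (OR).
        open_auths = sorted(
            auth for auth, f in objs.get("S_TABU_DIS", {}).items()
            if "*" in f.get("DICBERCLS", set()) and _covers(f.get("ACTVT", set()), DISPLAY))
        if browsers and open_auths:
            findings[user] = {"tcodes": browsers, "auths": open_auths}
    return findings


if __name__ == "__main__":
    print(unrestricted_table_readers(SAMPLE_ROWS))
```

Value ranges (from/to) in authorization fields are not modelled here; only exact values and `*` wildcards are evaluated.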