Privileged accounts in FI-CO

Mar 05 at 12:03 PM

Former Member

I recently conducted an audit at a client where the FI-CO server had privileged accounts open with default passwords. The business response was that the module in question was non-critical and that sensitive data such as HR records were not accessible. I would like to know whether it is possible to pivot between modules or utilise the credentials to access sensitive data within other modules. Is anyone able to confirm one way or another, please?


1 Answer

Colleen Hebbert
Apr 20 at 01:46 PM

Bit of an old post but thought I'd answer... It's difficult to say, as you would need to know what the user is authorised to do. In your example, the business may have locked down, say, transaction PA20 to sensitive infotypes (S_TCODE = PA20 and P_ORGIN authorisations) but have allowed SE16 table access with no restriction. In this case, the user could get to the data via the table browser so there would be sensitive data

SAP has more than one way to execute a function, and modules are integrated with each other, so again it will depend on what access the user has to understand the entry points and if there is a way to get to the data.
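
The scenario in the answer above as an audit check (an added example, not part of the original thread): it flags users who can start SE16 and also hold a display authorization covering every table authorization group. The export layout, user names and rows are constructed; S_TABU_DIS with its fields ACTVT and DICBERCLS is not named in the thread and is assumed here as the object that gates table-browser access.

```python
from collections import defaultdict

# Transactions treated as table browsers; the thread names only SE16.
TABLE_BROWSERS = {"SE16"}

# Constructed sample of a flattened authorization export, one row per
# (user, authorization object, authorization instance, field, value).
# The layout and the user names are hypothetical.
SAMPLE_ROWS = [
    # PA20 locked down through P_ORGIN, as in the answer ...
    ("FI_ADMIN", "S_TCODE", "T1", "TCD", "PA20"),
    ("FI_ADMIN", "P_ORGIN", "P1", "INFTY", "0002"),
    # ... but SE16 allowed with no restriction on table groups.
    ("FI_ADMIN", "S_TCODE", "T1", "TCD", "SE16"),
    ("FI_ADMIN", "S_TABU_DIS", "D1", "ACTVT", "03"),
    ("FI_ADMIN", "S_TABU_DIS", "D1", "DICBERCLS", "*"),
    # SE16 limited to one authorization group (constructed name FC01).
    ("FI_CLERK", "S_TCODE", "T2", "TCD", "SE16"),
    ("FI_CLERK", "S_TABU_DIS", "D2", "ACTVT", "03"),
    ("FI_CLERK", "S_TABU_DIS", "D2", "DICBERCLS", "FC01"),
    # HR display user with no table browser at all.
    ("HR_VIEW", "S_TCODE", "T3", "TCD", "PA20"),
    ("HR_VIEW", "P_ORGIN", "P3", "INFTY", "0002"),
]


def group_by_instance(rows):
    """Collect field values per (user, object, instance): field values
    only combine inside one authorization instance, not across them."""
    auths = defaultdict(lambda: defaultdict(set))
    for user, obj, instance, field, value in rows:
        auths[(user, obj, instance)][field].add(value)
    return auths


def unrestricted_table_browsers(rows):
    """Return users who can start a table browser and display tables in
    all authorization groups, so P_ORGIN limits on PA20 do not bind them."""
    tcodes = defaultdict(set)
    open_display = set()
    for (user, obj, _), fields in group_by_instance(rows).items():
        if obj == "S_TCODE":
            tcodes[user] |= fields["TCD"]
        elif obj == "S_TABU_DIS":
            displays = fields["ACTVT"] & {"03", "*"}
            if displays and "*" in fields["DICBERCLS"]:
                open_display.add(user)
    browsers = TABLE_BROWSERS | {"*"}
    return sorted(u for u in open_display if tcodes[u] & browsers)


if __name__ == "__main__":
    print(unrestricted_table_browsers(SAMPLE_ROWS))
```
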
