Former Member
Dec 09, 2009 at 01:22 AM

CRM call to ISU - SERIOUS SECURITY FLAW


Hi,

The company I work for has CRM (5.0) and ISU. It is maintained by a company independent from the one that I work for.

CIC0 has been configured within CRM with many different profiles for users from different areas of the business.

Each profile has a different list of action boxes towards the top of CIC. These action boxes launch ISU transactions. Whenever one of these action boxes is selected and an ISU transaction is launched, ISU overwrites the CRM screen. The user's logon ID can be seen on the bottom row of SAP (system, client, user, etc.). The logon ID in this session of ISU belongs to the same user who is logged into CRM.

Each profile has the same list of icons within the "BP Search" tab within the interaction centre, alongside standard SAP icons such as "Create new Business Partner" and "Find Business Partner".

One of the icons is labelled "ISU Finder". (or "Data finder" when it is launched)

This icon launches a window on TOP of CRM (as opposed to the action boxes, which overwrite CRM). This ISU Finder can be used to search for much more data in ISU than can be searched for via the CRM "ISU Data Environment" search within the Interaction Info section.

The very top left of the ISU Finder box has an icon. When selected, the user can choose the following options -

Move

Close

Create Session

Stop Transaction

If "create session" is selected, this will launch an entirely new SAP window of ISU.

After doing so, looking at the client details, the user logged into this ISU session is the same user that is used by Middleware and makes RFC calls. This user obviously has SAP_ALL.

Basically, from within CRM, 2 clicks of the mouse button will give ANY user full access to ISU.

I have two questions:

1. Can the "Create session" button easily be disabled/removed from this "ISU Finder" box?

2. If the "Create session" button can NOT be disabled/removed, can the "ISU Finder" be triggered as the CRM user (as happens with the ISU transactions launched from the action boxes) rather than as the middleware/RFC user?

Any information is greatly appreciated.

Edited by: mrichards79 on Dec 9, 2009 2:24 AM

Edited by: mrichards79 on Dec 9, 2009 2:26 AM