02-22-2005 8:25 PM
Hello
Sometimes when we did not have the relevant authorisations, we used to create a small ABAP to do a call transaction to that particular transaction and we used to be able to get through the authorization check. For example, if we did not have SM59, the code would be CALL TRANSACTION SM59.
But as I understand there is some way to prevent this as well. Can any security experts shed some light on this?
Thanks in advance
Damu
02-22-2005 10:43 PM
Some transactions also do internal security checks. For example, you can do a CALL TRANSACTION SU01 and you will still get a security error if you are not authorized to SU01.
When you have developer authority in a system, I do not know of a way to prevent a programmer from writing a program with CALL TRANSACTION. This problem is even worse when the developer has debug authority with update capability. Then they can work through the code in the debugger, identify the security checks and override them by setting system fields in the debugger, i.e. override the value returned in sy-subrc.
Let us know if you come up with some other solution.
02-23-2005 5:18 AM
Hello Damu,
What Charles says is correct. However, there's one point you need to keep in mind. When you go into the debug mode and change the value of SY-SUBRC, that action gets logged in the system log (SM21). I assume that you are working in the development environment. But if there are some security audits or if someone is actually monitoring the system log periodically, then you might get into trouble. Please keep this one thing in mind.
And don't ever attempt to do something like that in your productive environment.
Regards,
Anand Mandalika.
02-23-2005 6:48 PM
Probably I will give the reason why I asked this question. In CRM CIC0, in one of the profiles we have attached a few transaction codes; SAP calls these up using a CALL TRANSACTION in OBJECT TSTC. Some of these transactions, for example crmm_isa_iuser, are by themselves not authorised to be run by a certain user, but he can run them from the profile since SAP calls them using a CALL TRANSACTION.
How do we handle these cases, since the transaction is not a custom one and we cannot add custom auth checks in it? Any leads?
Damu
Message was edited by: Damu Nair
02-23-2005 7:04 PM
Hi Damu,
Most of the transactions do an authority check within the code as well.
In R/3, if you run a transaction and immediately run SU53, you will get a list of authorization objects that it checks. Then you can restrict using those authorization objects. Also, I am not sure about the functionality of the transaction SE97, but it looks like the one you are looking for. Again, all this is in R/3, not CRM. Please check if there are equivalent transactions there.
Srinivas
02-23-2005 7:39 PM
Damu,
We had a similar situation with one of the DMS transactions. Please check note 358122 for a work around.
In short, this is what we did:
For Call Transaction authorizations, go to transaction SE97 and enter change mode for the transaction from which your call transaction is done. Add the called transaction and set it to check or P.
The note is very detailed and explains things better.
Hope this helps
Regards,
Vani
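Where the caller is custom ABAP rather than standard SAP code, SE97 does not help; the custom program has to do the start check itself. The following report is an added example, not code from this thread or from SAP: it wraps CALL TRANSACTION with the same S_TCODE check the dialog processor performs when a user types the transaction code directly. The report name, the selection screen and the message text are assumptions.

```abap
REPORT z_guarded_call_tx.
" Added example (not from the thread): guard a dynamic CALL TRANSACTION
" with an explicit S_TCODE check so this report cannot be used to reach
" a transaction the caller is not authorised to start directly.
" Report name, parameter and message text are assumptions.

PARAMETERS p_tcode TYPE sy-tcode OBLIGATORY.

START-OF-SELECTION.
  " S_TCODE / TCD is the start authorisation checked at the dialog level.
  " A plain CALL TRANSACTION skips it, which is the gap discussed above.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD p_tcode.

  IF sy-subrc <> 0.
    " sy-subrc 4: user lacks the value; 12: user has no authorisation for
    " the object at all. The failed check is recorded, so SU53 shows the
    " administrator exactly which object was missing.
    MESSAGE 'You are not authorised to start this transaction' TYPE 'E'.
  ENDIF.

  " Reached only when the user could also have started the tcode directly.
  CALL TRANSACTION p_tcode.
```

This covers only the start authorisation; objects the called transaction checks internally (the ones SU53 lists after a failed run) are still enforced by the transaction itself. For standard SAP callers such as the CIC0 profile, the SE97 setting from note 358122 is the equivalent switch.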
02-23-2005 8:26 PM
Thanks Vani and Srinivas, your leads are pretty good. Let me explore that. I don't see how to give you guys points. If you can refresh my memory, I will do that. Thanks again
02-23-2005 8:31 PM
Hi Damu,
Let us know about your solution once you have implemented it, so that others can benefit. For rewarding, just click on the '*' next to the responses.
Regards,
Srinivas
02-24-2005 5:51 AM
A good explanation of how to assign points can be found in the weblog: "Spread the Love" by Mark Finnern
04-25-2014 4:33 PM