3 Tips to secure printers in SAP

Posted by Marta Ortona on Sep 30, 2022 8:15:00 AM

 

Do all the users of your system have the SP01 transaction? 


 

Do you really want every SAP user to be able to see what all other users print? Could the printouts contain personal data (GDPR) or other sensitive data? It may be better to check!

 

 

1) What does the SP01 transaction allow you to do?

 

The SP01 transaction displays SAP's print spool. The print spool is an area where the printouts a user produces from SAP are stored before being physically printed.

 

Unlike the SP02 transaction, which shows only your own printouts, SP01 can show the printouts of all users.

 

If HR is also run in the SAP ERP system, any user could see confidential printed documents (e.g. pay slips or other confidential HR data). The printouts generated by technical users (i.e. system users) are also clearly visible: there are often jobs that generate spools through technical utilities.

 

2) Is it a real risk?

It can be a very high risk, although having the SP01 transaction might not by itself allow a user to display all spools.

 

As with most SAP transactions, having a transaction assigned does not mean being able to use all of its functionality. In addition to the technical authorization object S_TCODE (which controls whether a transaction can be started in SAP), a series of additional authorization objects is needed in order to see the contents of the print spools.

The authorization objects linked to the prints are the following: 

  • S_SPO_ACT – Limitation of activities in spools
  • S_SPO_DEV – Limitation of printing devices, if managed in SAP
  • S_ADMI_FCD with the values SP0R and SP01

If all the objects above are present, a user can display all spools through the SP01 transaction.

 

Attention: even if you add the SP01 transaction to a role that doesn't contain the objects mentioned above, a user may receive them from other roles. In SAP, authorizations accumulate!
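The accumulation across roles can be checked mechanically. The following Python check is an added example, not code from the original post or from SAP: it assumes role assignments and role authorization values have been exported in the shape of tables AGR_USERS and AGR_1251, uses constructed users and roles, and ignores value ranges, profiles and validity dates.

```python
from collections import defaultdict

# Constructed sample data shaped like exports of AGR_USERS (user, role) and
# AGR_1251 (role, object, field, value). Users and roles are hypothetical.
ROLE_ASSIGNMENTS = [
    ("JSMITH", "Z_BASE_ENDUSER"), ("JSMITH", "Z_PRINT_SUPPORT"),
    ("MROSSI", "Z_BASE_ENDUSER"), ("LBIANCHI", "Z_PRINT_SUPPORT"),
    ("BATCH01", "Z_ADMIN_ALL"),
]
ROLE_AUTHS = [
    ("Z_BASE_ENDUSER", "S_TCODE", "TCD", "SP01"),
    ("Z_BASE_ENDUSER", "S_TCODE", "TCD", "SP02"),
    ("Z_PRINT_SUPPORT", "S_SPO_ACT", "SPOACTION", "DISP"),
    ("Z_PRINT_SUPPORT", "S_SPO_DEV", "SPODEVICE", "*"),
    ("Z_PRINT_SUPPORT", "S_ADMI_FCD", "S_ADMI_FCD", "SP01"),
    ("Z_PRINT_SUPPORT", "S_ADMI_FCD", "S_ADMI_FCD", "SP0R"),
    ("Z_ADMIN_ALL", "S_TCODE", "TCD", "*"),
    ("Z_ADMIN_ALL", "S_SPO_ACT", "SPOACTION", "*"),
    ("Z_ADMIN_ALL", "S_SPO_DEV", "SPODEVICE", "*"),
    ("Z_ADMIN_ALL", "S_ADMI_FCD", "S_ADMI_FCD", "*"),
]
# The article's condition for seeing all spools: SP01 can be started and all
# three spool objects are present (SP0R is spelled with a zero).
# None means any value of that field counts.
REQUIRED = [
    ("S_TCODE", "TCD", "SP01"),
    ("S_SPO_ACT", "SPOACTION", None),
    ("S_SPO_DEV", "SPODEVICE", None),
    ("S_ADMI_FCD", "S_ADMI_FCD", "SP01"),
    ("S_ADMI_FCD", "S_ADMI_FCD", "SP0R"),
]

def roles_granting(user_roles, obj, field, value):
    """Roles held by the user that supply the value, directly or via '*'."""
    return sorted({role for role, o, f, v in ROLE_AUTHS
                   if role in user_roles and (o, f) == (obj, field)
                   and (value is None or v in (value, "*"))})

def users_with_full_spool_view():
    """Map each exposed user to the roles that satisfy every requirement."""
    roles_by_user = defaultdict(set)
    for user, role in ROLE_ASSIGNMENTS:
        roles_by_user[user].add(role)
    exposed = {}
    for user, roles in roles_by_user.items():
        sources = {req: roles_granting(roles, *req) for req in REQUIRED}
        if all(sources.values()):  # every requirement met by some role
            exposed[user] = sources
    return exposed
```

In the sample data JSMITH is flagged even though neither of the two roles grants full spool visibility by itself, and the returned mapping names the role that contributes each piece.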

 

 

3) How to avoid the problem, and where did it probably come from?

  • Consultants often suggest using the SP01 transaction during SAP implementations. For those who provide support or carry out a project, this can be correct. However, this feature should not be released or shown to end users. Using this transaction often becomes a habit, even for legitimate purposes, and the habit is hard to break.
    • Remove the SP01 transaction from all users and assign it only to those who might really need it.
    • Release the SP02 transaction and tell users to use it in place of SP01; see also how to build a base role in SAP.
    • If some users need to see other people's spools, you can release the SP01 transaction in a way that lets them see those spools (they could also classify sensitive and non-sensitive information; see OSS Note 158487 - How can one user view the spool requests of other users).

Blog post originally translated from: https://www.aglea.com/blog/3-suggerimenti-sulla-sicurezza-delle-stampanti-in-sap

Topics: SAP HR, gdpr, ruoli, pfcg, SPOOL
