SAP authorizations, 10 things to avoid!

Posted by Marta Ortona on Oct 7, 2022 8:15:00 AM
Marta Ortona

There are many creative ways, in addition to the standard SAP, to manage authorizations. 

SAP autorizzazioni cosa non fare

 

Let us begin by saying what is the only recommended way. Authorization control using the statement ABAP AUTHORITY-CHECK.

 

What are other ways to manage SAP authorization controls? More importantly, why shouldn’t you use them? 

Support tables that govern who can do what 

Among the bad practices the method definitely most used is to create a custom table where users are inserted. 

 

Technically, in the program code (related to the SAP transaction) a user presence check is inserted (often in addition to certain other conditions) in the defined custom table, so that it is possible to continue. 

 

But why is this not right and what risks does it entail? 

 

  • Each custom development has a cost (of creation and, above all, of management)
  • There is  a standard way, the use of authorization controls (Authority-Check) why not use it? Eventually defining a custom authorization object 
  • During troubleshooting it is not possible to use the standard debug or trace authorization tools as they are not useful 
  • Who knows that process is certainly autonomous but a new resource that takes over or entrust its management to third parties may struggle to trace back to management.  Especially if there are many such cases. 
  • If I delete an account, will the table be cleaned? 
  • If a user moves from one direction to another? Is its user removed from the table? Or does it still fit?  
  • Is there a custom table history? To find out who did what? 
  • Is the table protected by an ad hoc authorization group?
  • Is the table centrally managed by IT or is the maintenance directly delegated to the relevant departments? 
    • IT maintenance often directly to functional applications, not to Security personnel n
    • IT might lose control of that process if delegated to business over time 
  • You are thinking of a system of identity Management or SAP GRC Access Control in the Access Request Management module. These systems do not support provisioning these additional custom tables. 

 

Which are therefore the advantages of using custom tables for authorization control?

 

How much does the conversion of these authorization models cost? 

Unfortunately, there is no unambiguous answer, depends on how much these situations are present in the processes.

For a few cases it can be relatively simple, for many even impossible.

Use of wired code roles

Not so common but still possible today. The insertion objects' technical names of objects into the ABAP code. 

For example: if the user has assigned at that time (maybe without even checking the validity of the attribution) a certain role (technical name) then you can perform a certain operation.

 

  • It is never recommended to enter name/string at code level
  • In case of removal or renaming of the role would serve to revise the code ABAP developed
  • Also in this case, as in the previous standard, debugging tools would not help.

 

Use of hard coded userid

Similar to the previous one but this time directly on the technical user. If I am using a certain user, then I will be able to perform a certain operation. 

 

Bypass of authorization checks

What does it means? Here is a real scenario 

 

The user must run a certain functionality in background mode. During the submission of the activity the user is replaces by the program with a technical user.

The result is that a technical user is used to carry out a certain activity rather than the user of the person who actually carried out the operation.

 

In the case of accounting records, for example?

 

How can you discriminate if it is an action actually carried out by technical users or made by real users through technical users? During an audit this could be very important. 

 

A specific audit at the level of developed ABAP programs can bring out the above case studied.

 

Blog post originally translated from: https://www.aglea.com/blog/autorizzazioni-sap-10-cose-da-non-fare

 

Topics: sap custom, autorizzazioni sap, profili sap, sap tabelle custom

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all