Email is one of those areas that is often poorly guarded: the messages you send may contain sensitive or personal data in the body or in the attachments.
SAP has a feature that shows all mail going out from the SAP system, including its content. Let us see what it is and why it is often underestimated in terms of security.
A specific module allows email to be sent from SAP; it is called SAP Office.
Through transaction SBWP (SAP Business Workplace, see image above), which is often, and correctly, included in the base role issued to all SAP users, it is possible to receive and/or send emails. There are different types:
The above clearly represents the end-user mode.
However, you can also use the mail management functionality from programs. For example, once a processing job has completed (perhaps run in the background), a program can send an email notification to whoever requested that activity.
There are several; the main ones are the following:
From the top down, these start with end-user management, a kind of Microsoft Outlook inside SAP, and go up to management by mail administrators, for example through transaction SCOT.
Probably the most underrated is SOST, which makes it possible to see the mail going out from SAP regardless of who sent it. The Sender column shows who sent each email.
Selecting an email and pressing the glasses button displays its contents.
The content of these emails can be very varied, for example:
Finally, imagine a program that calculates discounts, or one that automatically sends sensitive data to a limited number of people.
The sender in this case could be a system user, but through transaction SOST it may still be possible to see the contents of the email.
There may be different audits to carry out:
For the second case above, imagine the following scenario:
A user, perhaps from an external company, has a workstation without company mail but with access to SAP.
That user could send emails through SAP mail in the absence of corporate mail.
Blog post originally translated from: https://www.aglea.com/blog/sap-mail-in-sap-tutti-leggono-le-mail-di-chiunque