Simple SAP Security Breach
8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/
TOPICS: Authorization, Data Theft, Hacking, SAP Security
POSTED BY: SAP YARD, AUGUST 18, 2015
It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?“. For almost a decade I (and I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.
But today I am wondering: is it really a loophole, or has SAP provided these small windows to the developers knowingly?
SAP Security Guys!! Hope you are reading this.
Check: I do not have access to t-code SE38 (ABAP Editor) in my Pre-Production system.
I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Module) etc. in the same system.
I do have authorization to the basic t-code SE11 (Display Table). You might have access to some other common t-codes (you can use those). SE11 is my secret window to all the forbidden t-codes.
Check how?
I am in SE11. Click the Other Object icon (Shift + F5) -> Enhanced Options radio button. Click on the corner square icon for Program or Function Group, or click ‘More’ to get other areas.
Similarly you can view function modules, services, proxies, Web Dynpros and what not.
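As an added example (not code from the SAP Yard post), the Python model below shows why the detour works and what a security team would check to close it: the S_TCODE check only gates starting a transaction, while the object opened from SE11 is governed by the separate authorization object S_DEVELOP, so a role that removes SE38 but still grants display on all S_DEVELOP object types lets SE11 display programs anyway. The role contents are constructed, and only the OBJTYPE and ACTVT fields of S_DEVELOP are modelled.

```python
"""Constructed model of why a t-code restriction alone does not stop the
SE11 -> Other Object -> Program detour. Not code from the SAP Yard post.

Two real SAP authorization objects are modelled: S_TCODE (may the user start
a transaction?) and S_DEVELOP (may the user access a repository object of a
given type with a given activity?). Only S_DEVELOP's OBJTYPE and ACTVT fields
are modelled; DEVCLASS, OBJNAME and P_GROUP are left out. Roles are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACTVT_DISPLAY = "03"  # SAP activity value for "display"


@dataclass(frozen=True)
class Role:
    s_tcode: frozenset[str]                  # transaction codes the role may start
    s_develop: tuple[tuple[str, str], ...]   # (OBJTYPE pattern, ACTVT pattern)


def can_start_tcode(role: Role, tcode: str) -> bool:
    """S_TCODE check: performed only when a transaction is started directly."""
    return tcode in role.s_tcode


def can_access_object(role: Role, objtype: str, actvt: str) -> bool:
    """S_DEVELOP check: performed when a repository object is opened, no matter
    which transaction the user navigated from. SAP allows '*' wildcards."""
    return any(fnmatchcase(objtype, t) and fnmatchcase(actvt, a)
               for t, a in role.s_develop)


def program_display_paths(role: Role) -> dict[str, bool]:
    """Compare the front door (start SE38) with the detour from the post
    (start SE11, then open a PROG object via Other Object -> Enhanced Options)."""
    return {
        "SE38_direct": can_start_tcode(role, "SE38"),
        "SE11_then_program": (can_start_tcode(role, "SE11")
                              and can_access_object(role, "PROG", ACTVT_DISPLAY)),
    }


# Constructed role as the post describes: SE38/SE80/SE37 removed from S_TCODE,
# but S_DEVELOP still grants display on every object type.
LOOSE_ROLE = Role(s_tcode=frozenset({"SE11"}), s_develop=(("*", ACTVT_DISPLAY),))

# Hardened variant: S_DEVELOP limited to dictionary object types, so SE11 still
# serves its intended purpose while the PROG detour is closed.
TIGHT_ROLE = Role(s_tcode=frozenset({"SE11"}),
                  s_develop=(("TABL", ACTVT_DISPLAY), ("VIEW", ACTVT_DISPLAY),
                             ("DTEL", ACTVT_DISPLAY), ("DOMA", ACTVT_DISPLAY)))

if __name__ == "__main__":
    for name, role in (("loose", LOOSE_ROLE), ("tight", TIGHT_ROLE)):
        print(name, program_display_paths(role))
```

The check a security team needs is therefore on the S_DEVELOP object types a role grants, not only on the list of t-codes it may start.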
As an ABAPer, I am happy to have figured out this alternative way to navigate through the t-codes. This process is especially handy when you want to check something really quickly or want to do some comparison during issue mitigation.
The right path is: ask your manager for approval –> raise a ticket for the security team –> wait for approval again –> wait for the security team to provide you the right access. Sometimes you do not have the liberty of waiting and watching for that long. So ABAPers quickly use this trick, especially in quality and pre-production (where you have the restriction).
Question to Security Guys.
Are developers supposed to access the t-codes via this alternate route?
Did you guys knowingly provide this alternative? If you know and it is OK to access this way, then we are good. But if Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up giving the same alternative in the Production environment too. If this happens, then there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).
We would like to hear comments from Security experts. Please provide your opinion on this topic. Should the Security team not close this alternative if the user’s role does not allow him/her to access certain transactions?
ABAPers, please forgive me if your doors get closed. But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It’s our duty to make our environments as robust as possible and protect them from any unforeseen spy or data thief.
Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!
Do you have anything more to add to it? Do you have any story to share on this topic? Please feel free to email us at mailsapyard@gmail.com or leave it in our comment section.
If you want to get updates about our new tweaks and tricks, please subscribe.
If you liked it, please share it. Thank you very much for your time!!
Image source: www.theregister.co.uk
COPYRIGHT 2015 | SAPYARD BY WWW.SAPYARD.COM
ALL PRODUCT NAMES ARE TRADEMARKS OF THEIR RESPECTIVE COMPANIES. SAPYARD.COM IS NOT AFFILIATED TO SAP AG.