Protect all reports against execution via SA38
By Wolfgang Morgenthaler
This tip is posted by Wolfgang Morgenthaler at Antarcon.de.
In the SAP standard system, nearly every report can be run with transaction SA38. The reason: no authorization check takes place, because the report's authorization group field is filled with spaces. The following report copies each report's name into its authorization group field. You should run this program after every release change.
REPORT ZSECU_FILL.                        " placeholder name, not from the original tip

TABLES: TRDIR.

SELECT-OPTIONS: S_NAME FOR TRDIR-NAME,
                S_SECU FOR TRDIR-SECU DEFAULT ' ' OPTION EQ.

PARAMETERS: P_SECU LIKE TRDIR-SECU,       " group to assign; blank = use the report name
            P_UEBS AS CHECKBOX,           " overwrite groups that are already filled
            P_UPDA AS CHECKBOX.           " write changes to TRDIR; blank = list only

SELECT * FROM TRDIR WHERE NAME IN S_NAME
                      AND SECU IN S_SECU.
  WRITE: / TRDIR-NAME, TRDIR-SECU.        " old group
  IF TRDIR-SECU NE SPACE.                 " already filled
    CHECK P_UEBS NE SPACE.                " overwrite? if not, skip this entry
  ENDIF.
  IF P_SECU = SPACE.
    TRDIR-SECU = TRDIR-NAME.
  ELSE.
    TRDIR-SECU = P_SECU.
  ENDIF.
  WRITE: TRDIR-SECU.                      " new group
  IF P_UPDA EQ 'X'.
    UPDATE TRDIR.
  ENDIF.
ENDSELECT.