Question:
We have a discussion with one of our customers about access to SE38.
We claim that a user can have access to run dangerous ABAPs that have no authorisation check installed. Now they want us to give them examples, as they see no harm in giving SE38 in production.
Can anybody give us some examples of dangerous ABAPs without authorisation check?
Answer:
About any Z program can be dangerous.
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified
Search: /forums/search.php
SAP Notes: http://service.sap.com/notes
SAP Help: http://help.sap.com
Basic Rules: /forums/viewtopic.php?t=222759
Answer:
Snowy, thanks for this answer. But the customer's answer is that they protect all their own-developed ABAPs. What we are really looking for is standard SAP ABAPs that are not protected by authorisation checks.
Answer:
I do not know of any unprotected SAP standard programs, but these must exist.
If they want access to SE38, you can protect it by only giving out a few programs they know they want.
Anyway, they have to justify their needs: why do they want that access? Ask them for a good example where this is needed... except for Z programs, I do not see real needs for it (except for Basis in some cases).
Answer:
> I do not know of any unprotected SAP standard programs, but these must exist.
> If they want access to SE38, you can protect it by only giving out a few programs they know they want.
> Anyway, they have to justify their needs: why do they want that access? Ask them for a good example where this is needed... except for Z programs, I do not see real needs for it (except for Basis in some cases).

That still doesn't solve the tens of thousands of unprotected SAP standard programs with no auth group that they are still able to run.
Answer:
Hi,
The thing to be aware of when giving out SE38 or SA38 is that you bypass one of the primary controls that are available in SAP, i.e. S_TCODE. There are quite a number of transactions that share auth objects, and the only thing stopping a user from being able to access / process the data is the fact that they can't start the transaction code.
It is the combination issue you need to worry about. For example, if you have P_ABAP where REPID = SAPDBPNP and COARS = 2 (not recommended) together with SE38, then the user can execute any HR PA report and all auth checks are deactivated.
Regards
Peter
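As an added illustration (not code from this thread), the following custom report performs explicitly the checks that Peter describes SE38/SA38 as bypassing, so reaching it through SE38 does not remove the transaction-level control or the report authorisation group; the transaction ZSEC_GUARD and the authorisation group ZSEC are assumed names.

```abap
REPORT zsec_guarded_report.

" Added example, not from the thread. A custom report that re-checks the
" two controls that SE38/SA38 would otherwise bypass: the transaction code
" (S_TCODE) and its own report authorisation group (S_PROGRAM).
" ZSEC_GUARD (transaction) and ZSEC (authorisation group) are assumed names.
CONSTANTS: gc_tcode TYPE sy-tcode       VALUE 'ZSEC_GUARD',
           gc_group TYPE c LENGTH 8     VALUE 'ZSEC'.

START-OF-SELECTION.
  " When the report is started from SE38 or SA38, the kernel never checks
  " S_TCODE for ZSEC_GUARD, so the report insists on that authorisation itself.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    MESSAGE 'No authorisation for transaction ZSEC_GUARD' TYPE 'E'.
  ENDIF.

  " The system's own S_PROGRAM check relies on the auth group maintained in
  " the program attributes (or via RSCSAUTH). Checking it explicitly also
  " covers the case where another program SUBMITs this report.
  AUTHORITY-CHECK OBJECT 'S_PROGRAM'
    ID 'P_GROUP'  FIELD gc_group
    ID 'P_ACTION' FIELD 'SUBMIT'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorisation for report group ZSEC' TYPE 'E'.
  ENDIF.

  " Both checks passed: the sensitive processing belongs here.
  WRITE: / 'Authorisation checks passed for user', sy-uname.
```

Assigning the authorisation group in the program attributes is still required so that SE38 itself refuses to start the report; the explicit checks only close the gap for users who can already reach it.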
Answer:
One report that comes to mind is in Asset Management. It posts depreciation, and once run it is almost impossible to reverse. With SE38 you can run it as often as you like.
Report RSCSAUTH, I believe, has no internal auths and lets you change the auth groups on reports.
_________________
John A. Jarboe
Answer:
The RSCLICOP family of ABAPs runs a client copy. One of the input vars is a source client. The target is your logged-on client. So selecting client 000, for instance, completely wipes out your production client. The program does not contain auth checks.
Answer:
Another set of programs are the go-live delete programs. You can find them by entering "delete" in the text search key in the SE38 ABAP search. These programs wipe out your vendors, customers, almost all master data: no questions asked, no validation, no check for the documents tied to the master records. Just a pure delete.
_________________
John A. Jarboe
Answer:
Hi all,
Thanks for this help. I will try to find the programs and report back when I have found them.