Authorization on SAP Query and AdHoc Query

Question: Hi Security Folks,
I've been trying to search the sapfans database. Unfortunately, I can't find the answer to my problem.
One of my colleagues is saying that by the time we give access/transaction SAP Query and Adhoc Query, SAP Security can't restrict the sensitive data (such as payroll, etc.) that can be accessed by the user. Is this correct? What's the best authorization we can give to the user?

Thanks in advance

Answer:
This is partially true. If you are not so specific in your giving of access to these, you can assign a user to one user group, and if they know how, you can access ALL user groups.
If the reports were not built on the logical databases, then there are no internal checks.

The best way to give these out is to go to PFCG and use the "add report" option in the PFCG menu tab. There is an option to add ABAP QUERY etc. This way you do not have to rely on user group maintenance and the inherent flaw in that system.

Answer:
Actually in the latest versions of SAP Query, direct table access (i.e. not via the logical database) does check authorization for S_TABU_DIS for the tables accessed if you use the standard query functionality.

The opportunity for secure access is present. You just have to make sure you manage it effectively.

Answer:
Latest versions include 4.6c.

Answer:
Hi, thanks for your answer.
So based on your explanation we could not restrict SAP Query because it's using direct table (we're in 4.7).

How about Adhoc Query? Can we make an access restriction, or is it the same case as with SAP Query?