Lukardi


Do Security Notes Work as their Name Suggests?


SAP publishes new Security Notes every month, and many SAP administrators install these patches promptly. The question that remains is whether installing a note by itself delivers the protection it promises.

In this article we look at one class of notes for which the answer is no: the vulnerability can still be exploited after the note has been implemented, unless an additional activation step is carried out.

With SAP Note 1908870 (SACF | Workbench for Switchable Authorization Scenarios), SAP introduced a central mechanism for switching authorization checks on and off. A Security Note can deliver an additional authorization check for a specific function, but that check only runs once the customer activates it. The intention is to limit the impact of new checks on established authorization concepts.

Unfortunately, few customers realize that a check delivered this way remains inactive after the note has been implemented. In other words, the enhanced authorization check, the very thing meant to reduce the risk, cannot do its job. The vulnerability the note addresses therefore remains open and can still be exploited until the corresponding scenario is activated.

Compatibility with custom programs

With transaction SUCC, customers can define their own scenarios for the custom developments they use. Scenario-based authorization checks let developers extend standard software with alternative checks on authorization objects.

Using switchable authorization checks in custom programs also decouples the development of ABAP programs from the maintenance of authorization roles: the program can be delivered with its new check still switched off, and the check is switched on once the roles in the target environment have been adjusted.

Don't forget - switchable authorizations must be activated!

Transaction SACF activates the predefined authorization scenarios. A scenario definition covers both the authorization check itself and its logging, which is integrated with the Security Audit Log (SAL).

For security reasons, all defined scenarios (except "SACF_DEMO_SCENARIO") should be activated as productive scenarios. Auditors should compare the number of defined scenarios with the number of productive scenarios (transaction SACF_COMPARE lists the differences between the two) and examine every gap rigorously.

Once a scenario is productive, the system performs the additional authorization check and the affected function receives the protection the note intended.

Remember: set the check status to ACTIVE both in the scenario header and for each authorization object within the scenario.

Otherwise the system performs no check (or, if only the logging flag is inactive, writes no log entry), even though the scenario appears in the list of productive scenarios.
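As an added example (not part of the original article and not SAP's own tooling), the following Python script models the audit described above: it takes the list of defined scenarios and a constructed, simplified export of the productive scenarios with their header and object settings, and reports every scenario that is defined but not productive, active in the header but inactive at object level, or checked without logging. The Z_* scenario IDs and the semicolon layout are assumptions made up for this example; on a real system the comparison is done with the SACF comparison transaction against the system's own scenario data.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# The Z_* scenario IDs below are made up for this example, and the
# semicolon layout is a constructed, simplified format, not a real
# SACF download format.
DEMO_SCENARIO = "SACF_DEMO_SCENARIO"


@dataclass
class ScenarioObject:
    auth_object: str   # authorization object, e.g. S_TABU_NAM
    check: str         # "ACTIVE" or "INACTIVE": is the check performed?
    log: str           # "ACTIVE" or "INACTIVE": is a log entry written?


@dataclass
class Scenario:
    scenario_id: str
    header_check: str  # check status in the scenario header
    objects: list[ScenarioObject] = field(default_factory=list)


def parse_export(text: str) -> dict[str, Scenario]:
    """Parse lines of the form SCENARIO;HEADER_CHECK;OBJECT;OBJECT_CHECK;OBJECT_LOG.

    The header status is taken from the first line seen for a scenario."""
    productive: dict[str, Scenario] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid, header, obj, check, log = (p.strip().upper() for p in line.split(";"))
        scen = productive.setdefault(sid, Scenario(sid, header))
        scen.objects.append(ScenarioObject(obj, check, log))
    return productive


def audit(defined: list[str], productive: dict[str, Scenario]) -> list[str]:
    """One finding per gap between the scenario definitions and the productive state."""
    findings: list[str] = []
    for sid in sorted(set(defined) - {DEMO_SCENARIO}):
        scen = productive.get(sid)
        if scen is None:
            findings.append(f"{sid}: defined but not productive (check never runs)")
            continue
        if scen.header_check != "ACTIVE":
            # Header inactive: the delivered check is not executed at all.
            findings.append(f"{sid}: header check {scen.header_check}; delivered check does not run")
            continue
        for obj in scen.objects:
            if obj.check != "ACTIVE":
                findings.append(f"{sid}/{obj.auth_object}: object check {obj.check}; object not checked")
            if obj.log != "ACTIVE":
                findings.append(f"{sid}/{obj.auth_object}: logging {obj.log}; no Security Audit Log entry")
    # Productive scenarios with no definition (e.g. the note was withdrawn).
    for sid in sorted(set(productive) - set(defined)):
        findings.append(f"{sid}: productive scenario without a definition")
    return findings


def coverage(defined: list[str], productive: dict[str, Scenario]) -> tuple[int, int]:
    """Return (scenarios that should be live, scenarios that are fully effective)."""
    wanted = set(defined) - {DEMO_SCENARIO}
    effective = {
        sid for sid in wanted
        if sid in productive
        and productive[sid].header_check == "ACTIVE"
        and all(o.check == "ACTIVE" for o in productive[sid].objects)
    }
    return len(wanted), len(effective)


# Constructed sample: several notes implemented, only some scenarios activated.
DEFINED_SCENARIOS = [
    DEMO_SCENARIO, "Z_SCEN_RFC", "Z_SCEN_TABLE", "Z_SCEN_PRINT", "Z_SCEN_BATCH",
]
PRODUCTIVE_EXPORT = """
# scenario;header_check;auth_object;object_check;object_log
SACF_DEMO_SCENARIO;ACTIVE;S_DEVELOP;ACTIVE;ACTIVE
Z_SCEN_RFC;ACTIVE;S_RFC;ACTIVE;ACTIVE
Z_SCEN_RFC;ACTIVE;S_TCODE;ACTIVE;INACTIVE
Z_SCEN_TABLE;ACTIVE;S_TABU_NAM;INACTIVE;ACTIVE
Z_SCEN_PRINT;INACTIVE;S_TCODE;ACTIVE;ACTIVE
"""

if __name__ == "__main__":
    prod = parse_export(PRODUCTIVE_EXPORT)
    for finding in audit(DEFINED_SCENARIOS, prod):
        print(finding)
    print("should be live / fully effective: %d of %d" % coverage(DEFINED_SCENARIOS, prod)[::-1])
```

The demo scenario is excluded from the count, as the article recommends, and a scenario only counts as effective when the header and every object in it are set to ACTIVE; a scenario that is merely listed as productive but has an inactive object is reported rather than credited.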


Required authorizations

To work with scenario-based authorization checks, developers and administrators need the appropriate authorizations. Start with S_TCODE for the transactions used here (SACF and SUCC).

Then add the authorization object S_DEVELOP with the corresponding object types and the required activity (ACTVT): 02 for change, 03 for display and 06 for delete.

Remember: on a production system, do not grant the change (02) or delete (06) activities to users; display (03) is sufficient there.

Summary

Maintaining a high level of SAP security and following best practices in this area is undoubtedly important. It is just as important to read the details of every note you implement: for switchable authorization checks, the note alone changes nothing, and only the activated scenario gives the system the level of protection it is supposed to have.

If you have questions or concerns - write - we will be happy to answer them.


Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and authorization reorganization,
- identification of SAP vulnerabilities,
- integration of SIEM solutions with SAP,
- optimization of SAP licenses.