Each month, SAP publishes new Security Notes, and many SAP administrators install these patches quickly. The only question is: can you rely on the security they provide?
In this article, we answer the question of whether a security vulnerability can still be exploited after its patch has been installed.
In OSS note 1908870 (SACF | Workbench for Switchable Authorization Scenarios), SAP provides a central solution for switching authorization checks on and off. It allows the authorization checks for specific functions to be performed only once the customer activates them, which reduces the impact on established authorization concepts.
Unfortunately, few customers know that a patch designed in this way remains inactive after the OSS note has been implemented. In other words, the enhanced authorization checks (designed to reduce risk) cannot perform their intended function, so the corresponding vulnerability remains active and exploitable.
With the SUCC transaction, the customer can define scenarios for the non-standard (custom) programs they use. Scenario-based authorization checks enable developers to refine standard software with alternative authorization checks for authorization objects.
Using switchable authorizations in customer programs makes it possible to develop and update ABAP programs and authorization roles in separate environments.
Don't forget: switchable authorizations must be activated!
The SACF transaction enables the activation of predefined authorization checks, including authorization tracing and Security Audit Log (SAL) integration.
For security reasons, it is recommended to set all defined scenarios (except "SACF_DEMO_SCENARIO") to "live". Auditors should therefore compare the number of defined scenarios with the number of live scenarios and assess any difference rigorously.
When a scenario is triggered, the system performs the authorization check, which activates the additional protection.
Remember: make sure that both the header-level and the object-level checks are set to ACTIVE.
Otherwise, the system will neither check nor log.
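The auditor's comparison described above (defined scenarios versus live ones, with both header-level and object-level checks ACTIVE, and SACF_DEMO_SCENARIO excluded) can be scripted. The following is an added example, not part of the original article or of SAP's own tooling; it works on a constructed export in a simple semicolon-separated layout, which is an assumption, since the real SACF export format is not described here.

```python
from dataclasses import dataclass, field

# Constructed sample export of SACF scenario status (not real system data).
# One line per (scenario, authorization object); layout is an assumption:
#   scenario ID ; header (scenario) status ; authorization object ; object status
SAMPLE_EXPORT = """\
SACF_DEMO_SCENARIO;ACTIVE;S_TABU_NAM;ACTIVE
FI_POSTING_SCENARIO;ACTIVE;F_BKPF_BUK;ACTIVE
FI_POSTING_SCENARIO;ACTIVE;F_BKPF_KOA;ACTIVE
HR_PAYROLL_SCENARIO;ACTIVE;P_ORGIN;LOGGING
MM_INVENTORY_SCENARIO;INACTIVE;M_MSEG_BWA;INACTIVE
"""

DEMO_SCENARIO = "SACF_DEMO_SCENARIO"  # excluded from the audit, as the article notes


@dataclass
class AuditReport:
    defined: int                                  # scenarios defined (demo excluded)
    live: int                                     # header AND every object ACTIVE
    findings: list = field(default_factory=list)  # (scenario, reason) pairs


def parse_export(text):
    """Group the export into {scenario: (header_status, {object: status})}."""
    scenarios = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        scenario, header, obj, obj_status = [f.strip().upper() for f in line.split(";")]
        entry = scenarios.setdefault(scenario, (header, {}))
        entry[1][obj] = obj_status
    return scenarios


def audit_scenarios(scenarios):
    """Flag every scenario that is not fully live: the note is installed but inert."""
    report = AuditReport(defined=0, live=0)
    for scenario, (header, objects) in sorted(scenarios.items()):
        if scenario == DEMO_SCENARIO:
            continue
        report.defined += 1
        problems = []
        if header != "ACTIVE":
            problems.append(f"header status is {header} (must be ACTIVE)")
        for obj, status in sorted(objects.items()):
            if status != "ACTIVE":
                problems.append(f"object {obj} status is {status}")
        if problems:
            report.findings.extend((scenario, p) for p in problems)
        else:
            report.live += 1
    return report
```

A defined-versus-live gap in the report means the patch is present but the check it introduces is not enforced, which is exactly the situation the article warns about.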
To use scenario-based authorizations, you must grant developers and administrators the appropriate permissions (S_TCODE). Start with the following transactions:
Then navigate to the S_DEVELOP authorization object and the appropriate object types (available activities: 02 for change, 03 for display, and 06 for delete).
Remember: do not assign the "change" or "delete" activities to users in the production system!
Undoubtedly, it is important to maintain a high level of security in the SAP system and to follow best practices in this area. The key is to become acquainted with the details of the notes being implemented, so that the system ends up with an appropriate level of security.
If you have any questions or doubts, write to us; we will be happy to answer them.
Author: Tomasz Jurgielewicz