Do Security Notes Live up to Their Name?

Reading time: 3 min.
Tomasz Jurgielewicz

Do Security Notes Live up to Their Name?

Each month, SAP publishes new Security Notes Many SAP administrators install these patches quickly. The only question is - do you believe in the security they provide?

In today's article, we will answer the question of whether the security vulnerabilities will still be exploited in such a situation?

In the note OSS 1908870 - SACF | Workbench for Switchable Authorization Scenarios, SAP has developed a central authorization verification switching solution. This allows you to check the permissions for specific functions only when the client activates them. The idea is to reduce the impact on established authorization concepts.

Unfortunately, few customers know that the patch designed in this way will remain inactive after the implementation of the OSS note In other words, enhanced authorization checks (designed to reduce risk) cannot perform their intended function. As a result, the corresponding vulnerability is still active and can be exploited.

Compatibility with client programs

Thanks to SUCC transactions, the client can define the scenarios of non-standard programs that he uses. Scenario-based authorization validation enables developers to refine standard software with alternative authorization validation for authorization objects.

The use of authorization switching in client programs opens the door to the possibility of developing and updating ABAP programs and authorization roles in separate environments.

Don't forget - switchable authorizations must be activated!

The SACF transaction enables the activation of predefined authorization checks that include authorization tracking and SAL integration.

For security reasons, it is recommended to implement all defined scenarios (except "SACF_DEMO_SCENARIO") as "live" scenarios. Here, auditors have to compare the number of defined scenarios with the number of live scenarios and perform a rigorous assessment.

Security Notes 1

Security Notes 2

When the scenario is triggered, the system performs an authorization test that activates more protection.

Remember: make sure you have set both "header-" and "object-" verification to ACTIVE.

Otherwise, the system will not check (or perform logging).

Security Notes 3

Authorizations required

To use scenario-based authorization, you must assign developers, developers and administrators the appropriate permissions (S_TCODE). Start with the following transactions:

Security Notes 4

Then navigate to the S_DEVELOP authorization object and the appropriate object types (available actions: 02 for changes, 03 for display mode, and 06 for deletion).

Security Notes 5

Remember: do not assign "change" or "delete" actions to users on the active system!


Undoubtedly, it is important to maintain the high level of security of the SAP system and implement best practices in this area. The essence is to get acquainted with the details of the notes being uploaded, so that in the end our system has an appropriate level of security.

If you have any questions or doubts - write to us - we will be happy to answer them.

Author: Tomasz Jurgielewicz

If you find this article valuable, please share it.
This will allow us to reach new people. Thank you in advance!

We will take care of the digital transformation of your business

Do you want to protect your business against cyber attacks? Or maybe you are planning a digital transformation or looking for IT specialists for a project? We are happy to help. We are here for you. Let's talk about professional IT services for your company.
Contact Us
Darmowy e-book

Wszystko, co musisz wiedzieć
o migracji z SAP ERP na SAP S/4HANA

Nasz zespół ekspertów przygotował dla Ciebie
e-poradnik, dzięki któremu zrobisz to łatwo, bezboleśnie i bez szkody dla bezpieczeństwa
Twojej firmy.

To praktyczna wiedza podana w przystępnym
języku - zupełnie za darmo.
Pobierz darmowego e-booka
+ 48 508 400 203
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Lukardi 2022. All Rights Reserved. 
Made with