Simple SAP Security Breach


It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?”. For almost a decade I (and, I am sure, every ABAPer) have been happily using the loopholes in SAP security to reach the forbidden transactions, with no malicious intention, only for quick analysis and ethical debugging.

But today I am wondering: is it really a loophole, or has SAP knowingly left these small windows open for developers?

SAP Security Guys!! Hope you are reading this.

See for yourself: I do not have access to t-code SE38 (ABAP Editor) in my pre-production system.

[Screenshot: No authorization for transaction SE38]

I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Builder) etc. in the same system.

[Screenshot: No authorization for transaction SE80]

I do have authorization for the basic t-code SE11 (ABAP Dictionary). You might have access to some other common t-code instead; the same trick works from there. SE11 is my secret window to all the forbidden t-codes.

Here is how.

I am in SE11. Click the Other Object icon (Shift+F5) and select the Enhanced Options radio button. Click the small square icon next to Program or Function Group, or click ‘More’ to see the other object areas.


For the demo I chose Program. Enter the name of the program you want to view, and there you are in the ABAP Editor: you can read the code.


In the same way you can view function modules, services, proxies, Web Dynpro components and what not.


As an ABAPer, I am happy to have found this alternative way of navigating to the t-codes. It is especially handy when you want to check something really quickly, or compare objects while mitigating an issue.

The right path is: ask your manager for approval, raise a ticket for the security team, wait for approval again, then wait for the security team to grant the access. Sometimes you do not have the liberty of waiting that long, so ABAPers quickly use this trick, especially in quality and pre-production systems (where the restriction applies).


Question to the Security Guys:
Are developers supposed to reach these t-codes via this alternate route?
Did you knowingly provide this alternative? If you know about it and it is acceptable to access objects this way, then we are good.

But if the Security Guys are not aware of this loophole, there is a chance of a bigger security breach. SAP Security folks can end up handing out the same alternative in the production environment too. If that happens there can be serious implications, including data theft (and I know of clients where this alternative works in production as well). The reason it works at all is that the S_TCODE check only guards the start of a transaction; once you are inside the workbench, whether you may display a program or function module is decided by the S_DEVELOP authorization object (package, object type, object name, authorization group and activity), and that check is made regardless of which t-code you arrived through.

We would like to hear from security experts: please give your opinion on this topic. Should the security team not close this alternative if a user’s role does not allow him or her to access certain transactions?
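To make the point concrete, here is an added Python model (not code from the original post or from SAP) of the two checks involved. The role rows are constructed sample data shaped like table AGR_1251; the role names, authorization names and the probe object name ZREPORT / package ZPKG are assumptions for the example. The S_DEVELOP field names and activity codes (03 display, 02 change, 16 execute) and the workbench tool transactions (SE38 for programs, SE37 for function groups, SE24 for classes) are real. The matcher follows AUTHORITY-CHECK semantics (one authorization instance must match every checked field, `*` is a wildcard, LOW/HIGH is an inclusive range) but leaves out SU24 check indicators and the authorization buffer, so it is a model of the logic, not a substitute for SU53 or a role audit.

```python
"""Why the SE11 -> Other Object route gets past an SE38 restriction.

S_TCODE is checked only when a transaction is started.  Inside the workbench,
displaying a program or function module is decided by the S_DEVELOP object
(fields DEVCLASS, OBJTYPE, OBJNAME, P_GROUP, ACTVT), and that check does not
care which t-code you arrived through.  The role rows below are constructed
for this example (shaped like table AGR_1251); the matcher follows
AUTHORITY-CHECK semantics: a check passes when a single authorization instance
matches every checked field, '*' is a wildcard and LOW/HIGH is an inclusive range.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# (role, object, authorization, field, low, high) -- constructed sample data
ROLE_AUTHS = [
    # Developer role as in the post: SE11 and SM37 only, no SE38/SE80/SE37,
    # but an unrestricted S_DEVELOP display authorization.
    ("Z_PREPROD_DEV", "S_TCODE",   "T-001", "TCD",      "SE11", ""),
    ("Z_PREPROD_DEV", "S_TCODE",   "T-001", "TCD",      "SM37", ""),
    ("Z_PREPROD_DEV", "S_DEVELOP", "T-002", "DEVCLASS", "*",    ""),
    ("Z_PREPROD_DEV", "S_DEVELOP", "T-002", "OBJTYPE",  "*",    ""),
    ("Z_PREPROD_DEV", "S_DEVELOP", "T-002", "OBJNAME",  "*",    ""),
    ("Z_PREPROD_DEV", "S_DEVELOP", "T-002", "P_GROUP",  "*",    ""),
    ("Z_PREPROD_DEV", "S_DEVELOP", "T-002", "ACTVT",    "03",   ""),
    # Hardened variant: same t-codes, S_DEVELOP limited to dictionary object
    # types, so SE11 still works but program source is closed on every route.
    ("Z_PREPROD_DEV_FIX", "S_TCODE",   "T-003", "TCD",      "SE11", ""),
    ("Z_PREPROD_DEV_FIX", "S_TCODE",   "T-003", "TCD",      "SM37", ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "DEVCLASS", "*",    ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "OBJTYPE",  "TABL", ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "OBJTYPE",  "VIEW", ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "OBJTYPE",  "DTEL", ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "OBJTYPE",  "DOMA", ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "OBJNAME",  "*",    ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "P_GROUP",  "*",    ""),
    ("Z_PREPROD_DEV_FIX", "S_DEVELOP", "T-004", "ACTVT",    "03",   ""),
]

# Workbench tool transactions and the S_DEVELOP object type each one opens.
WORKBENCH_TCODES = {"PROG": "SE38", "FUGR": "SE37", "CLAS": "SE24"}


def _value_matches(low, high, value):
    """One authorization value (single value or LOW..HIGH range) against one checked value."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def build_auths(rows):
    """Group rows into authorization instances: (role, object, auth) -> field -> [(low, high)]."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def authority_check(auths, role, obj, **checked):
    """Model of AUTHORITY-CHECK OBJECT obj: True if one instance matches all checked fields."""
    for (r, o, _auth), fields in auths.items():
        if r != role or o != obj:
            continue
        if all(any(_value_matches(lo, hi, val) for lo, hi in fields.get(f, []))
               for f, val in checked.items()):
            return True
    return False


def can_start_transaction(auths, role, tcode):
    """The S_TCODE check made when a transaction is started (SE38, SE11, ...)."""
    return authority_check(auths, role, "S_TCODE", TCD=tcode)


def can_access_object(auths, role, objtype, objname, devclass, actvt="03"):
    """The S_DEVELOP check the workbench makes when an object is opened,
    whatever the entry point.  ACTVT 03 = display, 02 = change, 16 = execute."""
    return authority_check(auths, role, "S_DEVELOP", DEVCLASS=devclass,
                           OBJTYPE=objtype, OBJNAME=objname, P_GROUP="", ACTVT=actvt)


def find_workbench_bypass(auths, probe_name="ZREPORT", probe_devclass="ZPKG"):
    """Roles that cannot start a workbench transaction yet can still display the
    object type behind it: exactly the SE11 -> Other Object situation.  A
    representative (assumed) custom object is probed; a real audit would loop
    over the actual object list instead."""
    findings = []
    for role in sorted({r for r, _, _ in auths}):
        for objtype, tcode in WORKBENCH_TCODES.items():
            if (not can_start_transaction(auths, role, tcode)
                    and can_access_object(auths, role, objtype, probe_name, probe_devclass)):
                findings.append((role, objtype, tcode))
    return findings


AUTHS = build_auths(ROLE_AUTHS)

if __name__ == "__main__":
    for role, objtype, tcode in find_workbench_bypass(AUTHS):
        print(f"{role}: no {tcode}, but S_DEVELOP display on {objtype} lets it in anyway")
```

Run as-is, the report names Z_PREPROD_DEV three times (programs, function groups, classes) and never names the hardened role: removing SE38 from S_TCODE closed nothing, restricting OBJTYPE in S_DEVELOP did. The same model answers Haarish's question in the comments: with ACTVT limited to 03 the object opens in display mode only, so editing fails on every route too.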

ABAPers, please forgive me if your doors get closed. 🙂 But I am sure no ABAPer wants his or her system and data to be visible to unwanted crooks. It is our duty to make our environments as robust as possible and protect them from any unforeseen spy or data thief.

Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!

Do you have anything more to add? Do you have a story to share on this topic? Please feel free to email us at mailsapyard@gmail.com or leave it in the comment section.

If you want to get updates about our new tweaks and tricks, please subscribe.

If you liked it, please share it. Thank you very much for your time!!


Image source : www.theregister.co.uk


24 Comments on "Simple SAP Security Breach"

  1. Joydeep Halder | August 19, 2015 at 5:39 pm |

    Nicely captured. I feel like some “Aabra-ka-Daabra” secret got revealed to the security guys.

    Ya, very true that ABAPers have to do this when the project demands an urgent and immediate solution/fix in production.

    I have also seen in production that sometimes SE11 access was not there. Like you said, ABAPers always find a way out ( 🙂 ). So we had to follow a different route: go via SM37, select a batch job, go into the step details and finally Goto -> Program and look for “Other Object”.

  2. Thanks Joydeep.. Man!!! I just used your method via SM37 to look into the code.. 😀
    I had never tried it earlier (I did not know about it).. 🙂

    Now, the ABAPers have one more back door entry method in their Arsenal.. 😛

    Thanks again Joydeep.

    Regards,
    Raju.

  3. Shishira Shastri H | August 21, 2015 at 2:48 pm |

    Thanks for the useful info and detailed snapshots.

  4. Mutero william | August 21, 2015 at 3:37 pm |

    Dear Raju

    Thanks for that information. I didn't know about that security breach. Yes, sometimes it's very necessary, as it won't stop me from doing my work waiting for authorisations.

    Regards

    William Mutero

    • Yes William.. All of us do it on a daily basis.. Through this post, I wanted to warn the SAP Security team not to give the same access in the live production system.. 🙂

      Regards,
      Raju.

  5. SE11 is not really a basic transaction; first of all it gives you access to all info within your SAP system and, as you point out, it also gives you access to all SAP objects! But if you don’t have SE37, SE80, why do you have SE11? I would argue SE11 is one of the first transactions that should be locked down!!! I’m not saying SE11 should be locked down for an ABAP developer, but your scenario makes no sense!

    • Dear Mart – Thank you very much for writing your point.
      Agree, we should not have access to SE11 either if we don’t have access to SE37, SE80. But in production the support team usually has access to view batch jobs via SM37, and Joydeep (comment above) showed us that we can use the same trick via SM37 as well..

      My question to the Security guys: shouldn't they have something in their checks so that if a user has no direct access to a certain t-code, then they are not able to access it via any other means either? If Security gives access to any one basic t-code, ABAPers might find a way to traverse to any other..

      Your thoughts on this please.

      Regards,
      Raju.

  6. I’m not sure you should be building your authorisation profiles based on t-codes. Can’t you assign specific roles/auth objects which work across different t-codes? I.e. an auth object for editing a program irrespective of how you get to the edit-program functionality!

    • Hi Mart, I thought the same thing. Based on the roles/auth objects, a user should or should not have authorization for different t-codes, irrespective of how you try to access them.

      I am not a security person. May be some SAP Security expert can reveal some more on this point.

      Thanks.
      Raju.

  7. But let’s be honest, a good ABAPer needs full access to do their job, so if you can’t trust your ABAPers you are pretty much screwed anyway!

    • It’s not about not trusting your ABAPer.. ABAPers are good Samaritans 🙂 .

      It’s about whether the Security folks know or don't know that these things can happen.

      My point is: if you want to stop someone from accessing a t-code, stop them in every way. Do not let anyone enter through the back door..

      Regards,
      Raju.

  8. To be honest, I suspect if it’s set up correctly using the correct roles/auth objects, it would be!

    • I also think the same. Let's wait and see what some SAP Security person has to say..

      Will try to pull in some security folks.. 🙂

      Regards,
      Raju.

  9. Mohamed Haarish | August 22, 2015 at 5:00 am |

    Hi Sir,

    This is so informative for an ABAPer! Just yesterday I faced this same scenario of getting access even for SE80, which every ABAPer should have. I used this loophole to check the programs. I just have one question: can we edit the program with this loophole if I have the access key for it? I don't want to test it on my system ;).

    Regards,
    Haarish
    Nissan Motor Corporation,
    Senior Technical Consultant,
    Tokyo, Japan.

    • Dear Haarish – Are you talking about editing the program in the development system? You should never edit programs/objects in a non-development box.. 🙂 If it opens for edit in a non-development system, then the Security folks would be in the soup.. 😀

      Regards,
      Raju.

  10. Joydeep Halder | August 22, 2015 at 5:04 pm |

    It even sounds quite interesting when I have had this in every one of my projects, across several clients who were believed to be most sensitive on security topics, having zero tolerance. That being said, I mean to say they have had the best security guys.

    So, I think, the question is again the same and is supposedly known to them.

    • True Joydeep.. Even I have used it in all the projects till date..

      Let me ask some Security folks what their take is on this topic..

      Regards,
      Raju.

  11. Sorry to disappoint, but with our customers your trick will not work… Xpandion’s software identifies irregular and sensitive access, and any developer who gains access to sensitive activities like SE80 or SE38 or their underlying screens will appear in our alerting systems almost immediately.
    Best regards,
    Moshe

  12. Yep, you can see ABAP.
    But you should not be able to start any ABAP.
    S_DEVELOP ACTVT 03+16
