Executing transactions through workflow log bypass SAP security?
Tisch, Bradley
Bradley.Tisch at kraft.com
Mon Jun 21 15:00:55 EDT 2004
This is standard SAP - any transaction call made via an ABAP routine
bypasses the authorization check based on authorization object S_TCODE.
From SAP Help:
The authorization check is not executed when the transaction is called
indirectly, that is, from another transaction. Authorizations are not
checked, for example, if a transaction calls another with the CALL
TRANSACTION statement.
You should make sure that any security-critical transactions you call are
always subject to authority checks.
To prevent this, perform an authority check using S_TCODE prior to making
the call.
Brad Tisch
-----Original Message-----
From: SAP Workflow [mailto:Owner-SAP-WUG at MITVMA.MIT.EDU]On Behalf Of
skidmore.s at pg.com
Sent: Monday, June 21, 2004 1:40 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Executing transactions through workflow log bypass SAP
security?
Hello Fellow WF'ers,
We are on SAP 4.5B, and a user recently brought an issue to my attention
regarding security. In our production system this user currently does not
have access to a certain transaction (to post an invoice in my case).
However, when executing the same transaction through the WF log, she is
able to execute it (and post the invoice). I had a quick check and the
method/task are set up as dialog with that user as a recipient. I also
checked the method, and it is doing a straight call transaction.
I didn't think that executing items from the workflow log skipped any of the
base SAP security checks. My next steps are to run a trace with my security
contacts, but is there anything anyone can think that would be allowing
this?
Thanks,
Sheldon Skidmore
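
The check recommended in the reply above, as an added example that is not code from either poster or from SAP: a FORM that tests S_TCODE for the current user and only then issues CALL TRANSACTION. The report name, the FORM name and the transaction code 'ZINV' are hypothetical placeholders, since the thread does not name the transaction involved.

```abap
REPORT zwf_checked_call.

* Hypothetical transaction code (constructed for this example).
CONSTANTS c_tcode LIKE sy-tcode VALUE 'ZINV'.

START-OF-SELECTION.
  PERFORM call_tcode_checked USING c_tcode.

*---------------------------------------------------------------------*
* Check S_TCODE for the current user, then call the transaction.
*---------------------------------------------------------------------*
FORM call_tcode_checked USING p_tcode LIKE sy-tcode.
* CALL TRANSACTION does not run the S_TCODE start check itself,
* so the caller has to do it explicitly before the call.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD p_tcode.
  IF sy-subrc = 0.
*   User holds S_TCODE for this transaction code: allow the call.
    CALL TRANSACTION p_tcode.
  ELSE.
*   Not authorized: report it and do not call the transaction.
    WRITE: / 'No authorization for transaction', p_tcode.
  ENDIF.
ENDFORM.
```

In a workflow object method the same AUTHORITY-CHECK would go directly before the method's existing CALL TRANSACTION statement, with the failure branch ending the method instead of writing to a list.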