Executing transactions through workflow log bypass SAP security?

Tisch, Bradley Bradley.Tisch at kraft.com
Mon Jun 21 15:00:55 EDT 2004


This is standard SAP - any transaction call made via an ABAP routine
bypasses the authorization check based on authorization object S_TCODE.
 
From SAP Help:
The authorization check is not executed when the transaction is called
indirectly, that is, from another transaction. Authorizations are not
checked, for example, if a transaction calls another with the CALL
TRANSACTION statement.
 
You should make sure that any security-critical transactions you call are
always subject to authority checks.
 
 
To prevent this, perform an authority check using S_TCODE prior to making
the call.
 
 
Brad Tisch
 
 
-----Original Message-----
From: SAP Workflow [mailto:Owner-SAP-WUG at MITVMA.MIT.EDU]On Behalf Of
skidmore.s at pg.com
Sent: Monday, June 21, 2004 1:40 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Executing transactions through workflow log bypass SAP
security?
 
 
Hello Fellow WF'ers,
 
We are on SAP 4.5B, and a user recently brought an issue to my attention
regarding security.  In our production system this user currently does not
have access to a certain transaction (to post an invoice in my case).
However, when executing the same transaction through the WF log, she is able
to execute it (and post the invoice).  I had a quick check and the
method/task are set up as dialog with that user as a recipient.  I also
checked the method, and it is doing a straight call transaction.
 
I didn't think that executing items from the workflow log skipped any of the
base SAP security checks.  My next steps are to run a trace with my security
contacts, but is there anything anyone can think of that would be allowing
this?
 
Thanks,
Sheldon Skidmore
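
The check recommended in the reply above, as an added example that is not part of the original thread or of any SAP-delivered code: a wrapper that tests S_TCODE for the current user and only then issues CALL TRANSACTION. The report name, the FORM name and the parameter p_tcode are hypothetical; the syntax is kept to statements available on older releases such as 4.5B.

```abap
REPORT z_checked_call_transaction.

* Added example. p_tcode is a hypothetical input standing in for the
* transaction a workflow method would otherwise call directly.
PARAMETERS p_tcode LIKE sy-tcode OBLIGATORY.

DATA gv_rc LIKE sy-subrc.

START-OF-SELECTION.
  PERFORM call_tcode_checked USING p_tcode CHANGING gv_rc.
  IF gv_rc <> 0.
    WRITE: / 'User', sy-uname,
             'has no S_TCODE authorization for', p_tcode.
  ENDIF.

*---------------------------------------------------------------------*
* FORM call_tcode_checked
* CALL TRANSACTION does not run the start authorization check, so the
* caller has to test S_TCODE itself before branching.
*   iv_tcode : transaction to start
*   cv_rc    : 0 = authorized and called, otherwise sy-subrc of check
*---------------------------------------------------------------------*
FORM call_tcode_checked USING    iv_tcode LIKE sy-tcode
                        CHANGING cv_rc    LIKE sy-subrc.

* S_TCODE has the single field TCD (transaction code). The check runs
* against the user currently logged on, i.e. the person executing the
* dialog work item or opening it from the workflow log.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD iv_tcode.
  cv_rc = sy-subrc.

  IF cv_rc = 0.
*   Authorized: only now hand control to the transaction.
    CALL TRANSACTION iv_tcode.
  ENDIF.
* Not authorized: fail closed. Nothing is called and the caller
* decides how to report it (message, workflow exception, log entry).

* Newer ABAP releases also offer the addition
*   CALL TRANSACTION ... WITH AUTHORITY-CHECK
* which makes the statement perform this check itself.
ENDFORM.
```

In a workflow object method the same AUTHORITY-CHECK would sit directly before the existing CALL TRANSACTION, with the failure branch raising the method's own error instead of writing a list line.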
 

