Executing transactions through workflow log bypass SAP security?

Michael Pokraka workflow at quirky.me.uk
Tue Jun 22 05:39:27 EDT 2004


Nicely detailed answer... this is also why WF can be a security tool or
loophole, depending on how you apply it.
Indeed, it can be a security 'feature' to be able to give people access to
things they can't normally do, i.e. they can only work on invoices that
arrive in their inbox, no others. This is why some transactions like MIR4
don't allow you to select a different document once in the transaction.
Cheers
Mike
 
Tisch, Bradley wrote:
> This is standard SAP - any transaction call made via an ABAP routine
> bypasses the authorization check based on authorization object S_TCODE.
>
> From SAP Help:
> The authorization check is not executed when the transaction is called
> indirectly, that is, from another transaction. Authorizations are not
> checked, for example, if a transaction calls another with the CALL
> TRANSACTION statement.
>
> You should make sure that any security-critical transactions you call are
> always subject to authority checks.
>
>
> To prevent this, perform an authority check using S_TCODE prior to making
> the call.
>
>
> Brad Tisch
>
>
> -----Original Message-----
> From: SAP Workflow [mailto:Owner-SAP-WUG at MITVMA.MIT.EDU]On Behalf Of
> skidmore.s at pg.com
> Sent: Monday, June 21, 2004 1:40 PM
> To: SAP-WUG at MITVMA.MIT.EDU
> Subject: Executing transactions through workflow log bypass SAP
> security?
>
>
> Hello Fellow WF'ers,
>
> We are on SAP 4.5B, and a user recently brought an issue to my attention
> regarding security.  In our production system this user currently does not
> have access to a certain transaction (to post an invoice in my case).
> However, when executing the same transaction through the WF log, she is
> able to execute it (and post the invoice).  I had a quick check and the
> method/task are set up as dialog with that user as a recipient.  I also
> checked the method, and it is doing a straight call transaction.
>
> I didn't think that executing items from the workflow log skipped any of the
> base SAP security checks.  My next steps are to run a trace with my security
> contacts, but is there anything anyone can think of that would be allowing
> this?
>
> Thanks,
> Sheldon Skidmore
>
>
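The fix Brad Tisch describes in the quoted reply (check S_TCODE yourself before CALL TRANSACTION, because the statement does not do it) shown as an added example. This is not code from any of the posters or from SAP; the report name, the FORM names, the message class ZWF and the parameter IDs RBN/GJR used to hand MIR4 an invoice number and fiscal year are assumptions for the illustration.

```abap
REPORT zwf_call_tcode_demo.

* Constructed example: a workflow method that displays/posts an invoice
* by calling MIR4. The first FORM is the pattern from the thread, the
* second adds the S_TCODE check that CALL TRANSACTION skips.
* Assumed names: ZWF message class, parameter IDs RBN (invoice document)
* and GJR (fiscal year) for the MIR4 initial screen.

PARAMETERS: p_belnr TYPE belnr_d OBLIGATORY,
            p_gjahr TYPE gjahr   OBLIGATORY,
            p_tcode TYPE tcode   DEFAULT 'MIR4',
            p_safe  AS CHECKBOX  DEFAULT 'X'.

*---------------------------------------------------------------------
* Unsafe: what the original poster found in the method. The work item
* recipient reaches MIR4 whether or not S_TCODE allows it, because the
* S_TCODE check only runs when a transaction is started directly.
*---------------------------------------------------------------------
FORM display_invoice_unchecked USING iv_belnr TYPE belnr_d
                                     iv_gjahr TYPE gjahr
                                     iv_tcode TYPE tcode.
  SET PARAMETER ID 'RBN' FIELD iv_belnr.
  SET PARAMETER ID 'GJR' FIELD iv_gjahr.
  CALL TRANSACTION iv_tcode AND SKIP FIRST SCREEN.
ENDFORM.

*---------------------------------------------------------------------
* Hardened: replicate the start-transaction check by hand, so the
* work item gives the recipient no more than the command field would.
* Authorizations inside MIR4 (M_RECH_WRK etc.) are still checked by
* MIR4 itself; this only restores the entry check.
*---------------------------------------------------------------------
FORM display_invoice_checked USING iv_belnr TYPE belnr_d
                                   iv_gjahr TYPE gjahr
                                   iv_tcode TYPE tcode.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD iv_tcode.
  IF sy-subrc <> 0.
    " Refuse exactly as a direct call would; sy-subrc 4 = no authority,
    " 12 = S_TCODE not in the user's buffer at all. An E message here
    " ends the dialog step and shows up in an ST01 authorization trace,
    " which is where the original poster planned to look.
    MESSAGE e000(zwf) WITH 'No authorization for transaction' iv_tcode.
  ENDIF.
  SET PARAMETER ID 'RBN' FIELD iv_belnr.
  SET PARAMETER ID 'GJR' FIELD iv_gjahr.
  CALL TRANSACTION iv_tcode AND SKIP FIRST SCREEN.
ENDFORM.

START-OF-SELECTION.
  IF p_safe = 'X'.
    PERFORM display_invoice_checked USING p_belnr p_gjahr p_tcode.
  ELSE.
    PERFORM display_invoice_unchecked USING p_belnr p_gjahr p_tcode.
  ENDIF.
```

The point Mike makes above still holds with the check in place: the work item, not the user's S_TCODE profile, decides which invoice the recipient can touch, because the document number is pushed into the transaction via SET PARAMETER and MIR4 does not let the user pick another one. Newer ABAP releases (not the 4.5B in this thread) add a WITH AUTHORITY-CHECK addition to CALL TRANSACTION that performs the same S_TCODE check; on the older releases the explicit AUTHORITY-CHECK before the call is the only way to get it.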
 

