Have authority checks disappeared from WAPIs?

Claude Bourque cbourque at bank-banque-canada.ca
Tue Jul 26 09:26:14 EDT 2011


Mike,

I did a trace and the only authorization check is for function group SWRA (Workflow Interfaces: Administration).

The function group includes the following FMs:

SAP_WAPI_ADM_WORKFLOW_CANCEL
SAP_WAPI_ADM_WORKFLOW_RESTART
SAP_WAPI_ADM_WORKFLOW_RESUME
SAP_WAPI_ADM_WORKFLOW_SUSPEND
SAP_WAPI_ADM_WORKITEM_BACK
SAP_WAPI_ADM_WORKITEM_REDORULE

So as long as you have authorization for Function group SWRA, you have access to these.

Claude

-----Original Message-----
From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Mike Pokraka
Sent: July 26, 2011 6:46 AM
To: sap-wug at mit.edu
Subject: Have authority checks disappeared from WAPIs?

G'Day,

I'm not sure if I've just noticed this or if it's been this way for a
while, or if my memory is deceiving me:

Once upon a time the WAPIs used to be a formal wrapper for the equivalent
SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
checks via these FM calls, however since the FMs can be overridden (e.g. FM
SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
sure and have no 4.6 system handy to check.

Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
I have been able to establish there are no auth checks carried out - if a
user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
can cancel a work item. Unfortunately I haven't been able to conclusively
test this with a user that has SE37 but no workitem admin access, but
debugging shows no auth check.

Could someone verify I've got this right? Has this changed? Am I just
confused?

I'm going to implement my own auth checks anyway, but I am very curious as
it *may* mean that custom code written pre-ECC could have turned into a
security hole post-upgrade.

Regards,
Mike

_______________________________________________
SAP-WUG mailing list
SAP-WUG at mit.edu
http://mailman.mit.edu/mailman/listinfo/sap-wug
====================================================================================

------------------------------------------------------------------------------------

This email may contain privileged and/or confidential information, and the Bank of
Canada does not waive any related rights. Any distribution, use, or copying of this
email or the information it contains by other than the intended recipient is
unauthorized. If you received this email in error please delete it immediately from
your system and notify the sender promptly by email that you have done so. 

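Added example, not code from either poster: a custom wrapper that adds the explicit authority check Mike says he will implement, then delegates to SAP_WAPI_ADM_WORKFLOW_CANCEL. Assumptions (not from the thread): the authorization object Z_WF_ADM with a single ACTVT field is a custom object created in SU21 and assigned to the workflow administrators' roles; the WAPI's IMPORTING parameter WORKITEM_ID and EXPORTING parameter RETURN_CODE follow the standard SAP_WAPI_* signature; activity 06 is used here to mean "cancel".

```abap
" Added example (not from the thread). Wraps the unchecked WAPI with an
" explicit AUTHORITY-CHECK so that a caller who can reach this class but
" lacks the custom authorization cannot cancel a work item through it.
" ASSUMPTION: Z_WF_ADM (field ACTVT) is a custom authorization object.
" ASSUMPTION: WORKITEM_ID / RETURN_CODE are the WAPI's parameter names.
CLASS zcl_wf_admin DEFINITION.
  PUBLIC SECTION.
    CONSTANTS:
      c_actvt_cancel TYPE activ_auth VALUE '06',   " assumed mapping
      c_rc_not_authorised TYPE sy-subrc VALUE 4.
    CLASS-METHODS cancel_workflow
      IMPORTING iv_workitem_id TYPE sww_wiid
      RETURNING VALUE(rv_rc)   TYPE sy-subrc.
ENDCLASS.

CLASS zcl_wf_admin IMPLEMENTATION.
  METHOD cancel_workflow.
    " Our own check, independent of whatever the WAPI does internally.
    AUTHORITY-CHECK OBJECT 'Z_WF_ADM'
             ID 'ACTVT' FIELD c_actvt_cancel.
    IF sy-subrc <> 0.
      " Fail closed: no call into the workflow runtime at all.
      rv_rc = c_rc_not_authorised.
      RETURN.
    ENDIF.

    " Only reached by an authorised caller; the WAPI's RETURN_CODE
    " (0 = success) is passed straight back.
    CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
      EXPORTING
        workitem_id = iv_workitem_id
      IMPORTING
        return_code = rv_rc.
  ENDMETHOD.
ENDCLASS.
```

The wrapper only closes the hole if the unwrapped WAPI is not itself reachable: per Claude's trace the standard FM is guarded only by S_RFC on function group SWRA, so end-user roles should not carry S_RFC for SWRA (nor SE37/SE80 execute rights), and the wrapper should live in its own Z function group or class so that S_RFC can be granted for it selectively.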