Simple SAP Security Breach !!


8/18/2015 Simple SAP Security Breach | SAP Yard

http://www.sapyard.com/simplesapsecuritybreach/

TOPICS: Authorization, Data Theft, Hacking, SAP Security

POSTED BY: SAP YARD, AUGUST 18, 2015

It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?“. For almost a decade I (and I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.

But today I am wondering, is it really a loophole or has SAP provided these small windows to the developers knowingly?

SAP Security Guys!! Hope you are reading this.

Check, I do not have access to t-code SE38 (ABAP Editor) in my Pre-Production system.

I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Module), etc. in the same system.


I do have authorization to the basic t-code SE11 (Display Table). You might have access to some other common t-codes (you can use those). SE11 is my secret window to all the forbidden t-codes.

Check how ??

I am in SE11. Click the Other Object icon (Shift + F5) -> Enhanced Options radio button. Click on the corner square icon for Program, Function Group or click ‘More’ to get other areas.


For demo, I chose Program. Provide the program name you want to view. And here you are in the ABAP editor. You can see the code.


Similarly you can view function modules, services, proxies, web dynpros and what not.

As an ABAPer, I am happy to figure out this alternative way to navigate through the t-codes. This process is especially handy when you want to check something really quick or want to do some comparison during issue mitigation.

If you go via the right path, i.e. –> ask your manager for approval –> raise a ticket for the security team –> wait for approval again –> wait for the security team to provide you the right access. Sometimes, you do not have the liberty of waiting and watching for that long. So, ABAPers quickly use this trick, especially in quality and pre-production (where you have the restriction).

Question to Security Guys. Are the developers supposed to access the t-code via this alternate route? Did you guys knowingly provide this alternative? If you know and it is ok to access this way, then we are good.

But, if Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up giving the same alternative in the Production environment too. If this happens, then there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).

We would like to hear comments from Security experts. Please provide your opinion on this topic. Should the Security team not close this alternative if the user’s role does not allow him/her to access certain transactions?
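An offline role audit for the gap discussed above, added here as an example and not code from the post or from SAP: it takes rows in the layout of the role tables AGR_1251 and AGR_USERS (as one would export them with SE16; the rows below are constructed) and flags roles that carry no workbench transaction in S_TCODE yet still grant display on programs through S_DEVELOP, the authorization object the workbench checks when a program is displayed, whichever transaction opened it.

```python
from collections import defaultdict

WORKBENCH_TCODES = ("SE38", "SE80", "SE37")

AGR_1251 = [  # constructed rows in AGR_1251 layout: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
    ("Z_DEV_PREPROD",  "S_TCODE",   "T-A1", "TCD",     "SE11", ""),
    ("Z_DEV_PREPROD",  "S_TCODE",   "T-A1", "TCD",     "SE16", ""),
    ("Z_DEV_PREPROD",  "S_DEVELOP", "D-A1", "OBJTYPE", "*",    ""),   # '*' covers PROG
    ("Z_DEV_PREPROD",  "S_DEVELOP", "D-A1", "ACTVT",   "03",   ""),   # 03 = display
    ("Z_DISPLAY_TABL", "S_TCODE",   "T-B1", "TCD",     "SE11", ""),
    ("Z_DISPLAY_TABL", "S_DEVELOP", "D-B1", "OBJTYPE", "TABL", ""),   # tables only
    ("Z_DISPLAY_TABL", "S_DEVELOP", "D-B1", "ACTVT",   "03",   ""),
    ("Z_FULL_DEV",     "S_TCODE",   "T-C1", "TCD",     "SE*",  ""),   # SE38 etc. allowed
    ("Z_FULL_DEV",     "S_DEVELOP", "D-C1", "OBJTYPE", "*",    ""),
    ("Z_FULL_DEV",     "S_DEVELOP", "D-C1", "ACTVT",   "01",   "03"),
]
# constructed rows in AGR_USERS layout: (AGR_NAME, UNAME)
AGR_USERS = [("Z_DEV_PREPROD", "ABAPER1"), ("Z_DISPLAY_TABL", "ANALYST1"),
             ("Z_FULL_DEV", "ABAPER2")]

def matches(low, high, value):
    """'*' = any value; trailing '*' = prefix pattern; non-empty HIGH = inclusive LOW..HIGH range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def find_gaps(agr_1251, agr_users):
    """Return {role: sorted users} for roles with no workbench t-code in S_TCODE
    but an S_DEVELOP instance granting display (ACTVT 03) on programs (OBJTYPE PROG)."""
    inst = defaultdict(lambda: defaultdict(list))  # (role, object, auth) -> field -> [(low, high)]
    for role, obj, auth, field, low, high in agr_1251:
        inst[(role, obj, auth)][field].append((low, high))
    flagged = {}
    for role in sorted({key[0] for key in inst}):
        tcode_ok = any(matches(lo, hi, tcd)
                       for (r, o, _), f in inst.items() if r == role and o == "S_TCODE"
                       for lo, hi in f.get("TCD", []) for tcd in WORKBENCH_TCODES)
        # OBJTYPE and ACTVT must be satisfied within the same authorization instance (AUTH)
        dev_ok = any(any(matches(lo, hi, "PROG") for lo, hi in f.get("OBJTYPE", []))
                     and any(matches(lo, hi, "03") for lo, hi in f.get("ACTVT", []))
                     for (r, o, _), f in inst.items() if r == role and o == "S_DEVELOP")
        if dev_ok and not tcode_ok:
            flagged[role] = sorted(u for r, u in agr_users if r == role)
    return flagged
```

Only Z_DEV_PREPROD is flagged: its table-display role still carries S_DEVELOP with OBJTYPE '*', so narrowing OBJTYPE (for example to TABL and VIEW) closes the detour without taking SE11 away.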

ABAPers, please forgive me if your doors get closed. But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It’s our duty to make our environment as robust as possible and protect it from any unforeseen spy or data thief.

Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!

Do you have anything more to add to it? Do you have any story to share on this topic? Please feel free to email us at [email protected] or leave it in our comment section.

If you want to get updates about our new tweaks and tricks, please subscribe.

If you liked it, please share it. Thank you very much for your time!!


Image source : www.theregister.co.uk


COPYRIGHT 2015 | SAPYARD BY WWW.SAPYARD.COM. ALL PRODUCT NAMES ARE TRADEMARKS OF THEIR RESPECTIVE COMPANIES. SAPYARD.COM IS NOT AFFILIATED TO SAP AG.