
accumulation of rights within roles - SECURITY GAP?

Former Member

Hi

My user has the following access.

In role A she has P_ORGINCON with the following values (read access):

AUTHC: M, R
INFTY: 0001, 0002, 0024, 0041, 9010
PERSA: *
PERSG: *
PERSK: * (employee subgroups)
PROFL: ZZ_ALL
SUBTY: *
VDSK1: *

In role B she has P_ORGIN with the following values (read access):

AUTHC: M, R
INFTY: 0001, 0002, 0003, 0006, 0007, 0025, 0032, 0034, 0041, 2001, 2002, 2003, 2004, 9010, 9015
PERSA: *
PERSG: *
PERSK: Z0, Z1, Z2, Z8, ZB, ZD, ZE, ZF, ZJ, ZK, ZL, ZM, ZN, ZP
PROFL: ZZ_ALL
SUBTY: *
VDSK1: *

When she tries to display any infotype NOT included in role A (e.g. IT06), for any subgroup that is NOT in group B (e.g. Z3), she can do it! Security gap!!

Is it because SAP will combine the authorisations, no matter what the individual limitations are?

Thanks for any help. We really need to find a solution for this

Nadia

Answers (1)

jurjen_heeck

> Is it because SAP will combine the authorisations, no matter what the individual limitations are?

That should not happen. I would suggest running a trace while the user accesses one of these 'prohibited' infotypes.

Private_Member_119218

I agree with Jurjen - run a trace on a user, who is fully authorized, performing the same action as she is in order to understand what checks are made and when.

Different authorization objects do not "combine" in any way.

Former Member

Hi

I did a trace and, funnily enough, it came out as an error on IT06 and group Z3. However, the result is that she can see the data.

jurjen_heeck

> I did a trace and, funnily enough, it came out as an error on IT06 and group Z3. However, the result is that she can see the data.

With which transaction?

Former Member

How did you run the trace? Did you monitor the TCD that she would have used, or the user? Please explain the trace you set up, etc.

What's the error message?

I fear your trace itself was not done correctly. Since I understand it was an HR activity, a trace is the best approach and it's not wrong!

Thanks

Former Member

I have used ST01

ST01 showed error 4 for IT06, on Z3

Private_Member_119218

Can we get the actual trace results? Just the section where the failed check occurs.

Former Member

The trace is quite long, but this is the part related specifically to IT06:

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;PROFL=*;

P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;

P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL= ;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ZZ_ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ZZ_ORM;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ZZ_A

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ZZ_O

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ALL;

P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_A

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_O

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A

P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O

Private_Member_119218

Well. There is one check in there that is successful:

P_ORGINCON RC=0 INFTY=0006; SUBTY=' '; AUTHC=R; PERSA=NERE; PERSG=1; PERSK=Z0; VDSK1=CNAT2CELT; PROFL=ZZ_A

Which indeed does confirm that, while the user does not appear to have authorizations for INFTY 0006, she is still able to display the data. Authorization restrictions for the 'PROFL' field are observed, however.

Please verify that (a) you have entered a range in 'INFTY' field of P_ORGINCON for role A and (b) that none of the other roles assigned to the user contain auth. obj. P_ORGINCON.

Edited by: Martinsh Shaiters on Dec 18, 2008 3:06 PM
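An added example, not part of this thread, that models the rule Martinsh states above (different authorizations do not "combine": a check passes only if at least one single authorization for the object matches every field passed to the check, and values from different roles never merge into one authorization) and re-reads the ST01 lines posted above under that model. The two authorizations are built from the role contents in the first post; the four sample trace lines are copied from the excerpt. Assumptions: authorization values are single values or '*' (LOW-HIGH ranges are not modelled, the roles on this page use none); an empty or `' '` value in a trace line is taken to mean the field was not passed to the check (AUTHORITY-CHECK ... DUMMY), which you should confirm against your own ST01 output; and `merged_authority_check` is a deliberately wrong model, included only to show what "accumulation" across roles would look like.

```python
"""Model SAP's per-authorization evaluation of P_ORGINCON and replay ST01 lines.

Added example for the thread; not code from the original post or from SAP.
Role contents copied from the first post, trace lines copied from the ST01 excerpt.
"""
import re

# One authorization = one instance of the object inside one role. A check passes
# against an authorization only if EVERY checked field matches that same instance.
# Values are sets of single values; '*' stands for the full authorization.
# Assumption: LOW-HIGH ranges are not modelled (the roles on the page use none).
ROLE_A = {
    "AUTHC": {"M", "R"},
    "INFTY": {"0001", "0002", "0024", "0041", "9010"},
    "PERSA": {"*"}, "PERSG": {"*"}, "PERSK": {"*"},
    "PROFL": {"ZZ_ALL"}, "SUBTY": {"*"}, "VDSK1": {"*"},
}
ROLE_B = {
    "AUTHC": {"M", "R"},
    "INFTY": {"0001", "0002", "0003", "0006", "0007", "0025", "0032", "0034",
              "0041", "2001", "2002", "2003", "2004", "9010", "9015"},
    "PERSA": {"*"}, "PERSG": {"*"},
    "PERSK": {"Z0", "Z1", "Z2", "Z8", "ZB", "ZD", "ZE", "ZF", "ZJ", "ZK",
              "ZL", "ZM", "ZN", "ZP"},
    "PROFL": {"ZZ_ALL"}, "SUBTY": {"*"}, "VDSK1": {"*"},
}
USER_AUTHS = [("ROLE_A", ROLE_A), ("ROLE_B", ROLE_B)]


def field_matches(allowed, value):
    return "*" in allowed or value in allowed


def authority_check(auths, checked):
    """Return the sy-subrc SAP gives: 0 = a single authorization matches all
    checked fields, 4 = authorizations for the object exist but none matches,
    12 = the user has no authorization for the object at all.
    `checked` holds only the fields passed to the check; a field that is absent
    corresponds to `ID ... DUMMY` and is not tested."""
    if not auths:
        return 12
    for _role, values in auths:
        if all(field_matches(values.get(f, set()), v) for f, v in checked.items()):
            return 0
    return 4


def merged_authority_check(auths, checked):
    """The 'accumulation' model the question fears: every field's values pooled
    across all roles before matching. SAP does NOT do this; kept for contrast."""
    pooled = {}
    for _role, values in auths:
        for f, vals in values.items():
            pooled.setdefault(f, set()).update(vals)
    ok = all(field_matches(pooled.get(f, set()), v) for f, v in checked.items())
    return 0 if ok else 4


TRACE_LINE = re.compile(r"^(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$")


def parse_trace_line(line):
    """Parse one ST01 authorization-check line into (object, rc, {field: value}).
    Assumption: an empty value (PERSK=) or ' ' means the field was not passed
    to the check, so it is dropped from the returned dict."""
    m = TRACE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an authorization trace line: {line!r}")
    fields = {}
    for part in m.group("fields").split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        value = value.strip().strip("'").strip()
        if value:
            fields[key.strip()] = value
    return m.group("obj"), int(m.group("rc")), fields


def replay_trace(lines, auths):
    """Re-evaluate each trace line against the known authorizations and return
    (line_no, trace_rc, model_rc, fields). A disagreement points at a field the
    trace did not show or an authorization the model does not know about."""
    out = []
    for i, line in enumerate(lines, 1):
        if line.strip():
            _obj, rc, fields = parse_trace_line(line)
            out.append((i, rc, authority_check(auths, fields), fields))
    return out


# Constructed sample: four lines copied from the ST01 excerpt posted in the thread.
SAMPLE_TRACE = [
    "P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;PROFL=*;",
    "P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;",
    "P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;",
    "P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ALL;",
]

if __name__ == "__main__":
    z3 = {"INFTY": "0006", "AUTHC": "R", "PERSK": "Z3", "PROFL": "ZZ_ALL"}
    print("IT06/Z3, per-authorization (SAP):", authority_check(USER_AUTHS, z3))
    print("IT06/Z3, values pooled across roles:", merged_authority_check(USER_AUTHS, z3))
    for no, rc, model, fields in replay_trace(SAMPLE_TRACE, USER_AUTHS):
        print(f"trace line {no}: RC={rc} model={model} {fields}")
```

Under the per-authorization model the IT06/Z3 check returns 4, exactly as the trace shows, and only the pooled model returns 0; the four replayed lines agree with the RC values in the trace, including the RC=0 line where only INFTY and AUTHC were passed (role B carries 0006). When a replay disagrees with a real trace line, the model is missing something the system has: an authorization from another role, or one inherited from a reference user.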

Former Member

Martinsh,

The successful check is for group Z0, for which she is authorised through role B...

where does that leave me then?

Private_Member_119218

Which is not the problem at all.

In role A, you give |PERSK| = '*'. Role B does not come into play anywhere in the trace.

Edited by: Martinsh Shaiters on Dec 18, 2008 3:35 PM

Former Member

Sorry, I think I've lost you...

I agree, PERSK is * in role A, but not for IT06.

In each role, INFTY is restricted, not by range but by individual values.

What do you think I should do?

Thank you

Former Member

Hi,

Can you confirm whether the object in role B is P_ORGINCON and not P_ORGIN? I notice you have specified PROFL; you cannot do this in P_ORGIN?

Martyn

Former Member

Apologies for the confusion. Object is P_ORGINCON

P_ORGIN is inactive in both roles.

Thank you

Private_Member_119218

I suggest you run transaction S_BCE_68001397.

Search for auth. object P_ORGINCON with value of 0006 in 'Employee Subgroup' field.

How many roles does this search return?

Former Member

Martinsh

That tx code is for users and not for roles.

Value 0006 is for IT and not for Empl Subgroup.

I already did this at the very beginning, searching for P_ORGINCON, 0006 and PERSK Z3, and no roles were returned for my user.

Former Member

A theoretical possibility: A reference user has been assigned to the user.

Check in SU01 on the "Roles" tab whether the "Reference user" field has an entry in it?

Cheers,

Julius