Application Development Discussions
Security leak in backend because of portal usage

0 Kudos

Some of our backend users use SAP query (transaction sq01) for creating a report on competences.

Since their access is restricted to displaying employees in a certain personnel area, we limited the access in their authorisation role at the level of Personnel Area in P_ORGIN.

A few months ago, though, we implemented the SAP portal and assigned one new backend role to all users (so they can use their portal functionality).

This new backend role allows them to consult information for all personnel areas.

Result: via transaction SQ01 the backend users can display information for all personnel areas.

Who can give me a tip on how to solve this authorisation leak?

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

> A few months ago, though, we implemented the SAP portal and assigned one new backend role to all users (so they can use their portal functionality).

> This new backend role allows them to consult information for all personnel areas.

To me this sounds as if the new backend role has too much authorization in it. I trust that the portal functionality itself does not open your system too wide?

If so, you'll need to redesign the backend role to allow only for the information provided by the portal functionality.

Generally these backend roles are way too wide. The problem you described appears if (some of) the portal users also have GUI access.

5 REPLIES


Former Member
0 Kudos

For several reasons (not only this one) you might want to create your queries in a development system and transport them (subject to change control and tests).

Similar but not exactly the same is the SQVI Quick Viewer.

It appears that what you have found is that mixing two of the various concepts in the system into the same user access concept produces undesirable results...

Cheers,

Julius

0 Kudos

Hi,

Not specifically related to your portal functionality, but when the query was created, can you confirm whether a logical database was used for the relevant InfoSet? It should be PNP or PNPCE.

Regards

charmaine_greene
Explorer
0 Kudos

Hi

I would speak to a developer about creating a bespoke report that does an authority check on the personnel area. I think this would be an easier option, although not the quickest.

Anyway, it is not best practice to allow end users unfettered access to SQ01 in the production environment. Unless there is a business case to support this, this access should be discouraged and alternative solutions explored.

Regards

Charmaine
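As an added example (not code from any reply in this thread), here is what the bespoke report Charmaine suggests could look like: an ABAP report on logical database PNP that, in addition to the LDB's own infotype authorization checks, explicitly verifies P_ORGIN for each employee's personnel area before writing anything. The report name and the choice of infotype 0001 as the source of the personnel area are assumptions; the competence data itself is left out.

```abap
REPORT z_competence_by_persarea.
" Constructed example, not from the thread. Logical database PNP must be
" set in the report attributes. PNP hands over one employee per GET pernr
" and already applies HR authorization checks to the declared infotypes;
" the explicit AUTHORITY-CHECK below makes the personnel-area restriction
" visible in the code and behaves the same if the report is later
" rewritten without the LDB.

TABLES: pernr.
INFOTYPES: 0001.   " Organizational Assignment: WERKS = personnel area

START-OF-SELECTION.

GET pernr.
  " Latest IT0001 record valid within the selection period
  rp_provide_from_last p0001 space pn-begda pn-endda.
  IF pnp-sw-found <> '1'.
    REJECT.   " no organizational assignment in the period: skip
  ENDIF.

  " May this user read (AUTHC = 'R') IT0001 for this personnel area,
  " employee group and employee subgroup? These are the same P_ORGIN
  " fields the question says were restricted for the SQ01 users.
  AUTHORITY-CHECK OBJECT 'P_ORGIN'
    ID 'INFTY' FIELD '0001'
    ID 'SUBTY' DUMMY
    ID 'AUTHC' FIELD 'R'
    ID 'PERSA' FIELD p0001-werks
    ID 'PERSG' FIELD p0001-persg
    ID 'PERSK' FIELD p0001-persk
    ID 'VDSK1' DUMMY.
  IF sy-subrc <> 0.
    REJECT.   " employee lies outside the user's permitted personnel areas
  ENDIF.

  " Only employees that passed both checks reach the output
  WRITE: / pernr-pernr, p0001-werks, p0001-ename.

END-OF-SELECTION.
```

Because the check is done per employee inside the report, a user whose P_ORGIN values cover only one personnel area sees only that area's employees, regardless of how wide any other role (such as the portal backend role) is.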

Former Member
0 Kudos

I would say there should be a process in place for defining how security should work here. Don't give everybody access to create queries (SQ01). Have a limited number of people with access to create queries, and provide access to the requested queries through the query user groups, following an approval process. I know this is a more painful process, but it is good to follow for better security....

Hope somebody has a better solution.