12-31-2008 12:17 PM
Some of our backend users use SAP Query (transaction SQ01) for creating a report on competences.
Since their access is restricted to displaying employees in a certain personal area, we limited the access in their authorisation role at the level of Personal Area in P_ORGIN.
Since a few months, though, we implemented the SAP portal and assigned one new backend role to all users (to use their portal functionalities).
This new backend role allows consulting info of all Personal Areas.
Result: via transaction SQ01 the backend users can display information of all personal areas.
Who can give me a tip on how to solve this authorisation leak?
12-31-2008 12:43 PM
> Since a few months, though, we implemented the SAP portal and assigned one new backend role to all users (to use their portal functionalities).
> This new backend role allows consulting info of all Personal Areas.
To me this sounds as if the new backend role has too much authorization in it. I trust that the portal functionality itself does not open your system too wide?
If so, you'll need to redesign the backend role to allow only for the information provided by the portal functionality.
Generally these backend roles are way too wide. The problem you described appears if (some of) the portal users also have GUI access.
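Why a second role cannot be "restricted" by the first one: SAP authorizations are additive across all roles assigned to a user, and a check passes as soon as any one authorization instance matches every checked field. The following is an added illustration, not code from this thread or from SAP; the role names, the P_ORGIN field subset (INFTY, AUTHC, PERSA) and the values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class POrgin:
    """One P_ORGIN authorization instance (constructed subset of its fields)."""
    infty: str   # infotype, e.g. '0001' (organizational assignment)
    authc: str   # authorization level, 'R' = read
    persa: str   # personnel area, '*' = all areas

def value_allowed(value, allowed):
    """SAP-style field match: exact value, '*' for everything, or trailing-'*' prefix."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return value == allowed

def authority_check(roles, infty, authc, persa):
    """Emulate an AUTHORITY-CHECK on P_ORGIN over all of a user's roles.

    Authorizations are a union: the check passes if ANY instance in ANY role
    matches ALL checked fields. Returns (passed, name of the granting role).
    """
    wanted = {"infty": infty, "authc": authc, "persa": persa}
    for role_name, instances in roles.items():
        for inst in instances:
            if all(value_allowed(v, getattr(inst, f)) for f, v in wanted.items()):
                return True, role_name
    return False, None

def wide_persa_grants(roles):
    """Defender's check: which assigned roles grant personnel area by wildcard."""
    return sorted(r for r, insts in roles.items() if any(i.persa.endswith("*") for i in insts))

def with_roles(*role_sets):
    """Merge the role sets a user has been assigned (the union SAP builds)."""
    merged = {}
    for rs in role_sets:
        merged.update(rs)
    return merged

# Constructed roles mirroring the thread: a query role limited to personnel
# area 1000, and the new portal backend role that opens every personnel area.
QUERY_ROLE = {"Z_HR_QUERY_1000": [POrgin("0001", "R", "1000"), POrgin("0002", "R", "1000")]}
PORTAL_ROLE = {"Z_PORTAL_BACKEND": [POrgin("*", "R", "*")]}

if __name__ == "__main__":
    print("area 2000, query role only:", authority_check(with_roles(QUERY_ROLE), "0001", "R", "2000"))
    print("area 2000, plus portal role:", authority_check(with_roles(QUERY_ROLE, PORTAL_ROLE), "0001", "R", "2000"))
    print("roles with wildcard PERSA:", wide_persa_grants(with_roles(QUERY_ROLE, PORTAL_ROLE)))
```

The last call is the check worth running against a real role set: any role returned by it widens every query user's personnel-area scope, no matter how tightly the query role itself is cut.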
12-31-2008 7:59 PM
For several reasons (not only this one) you might want to create your queries in a development system and transport them (subject to change controls and tests).
Similar but not exactly the same is the SQVI Quick Viewer.
It appears that what you have found is that mixing 2 of the various concepts in the system into the same user access concept, produces undesirable results...
Cheers,
Julius
01-05-2009 9:56 AM
Hi,
Not specifically related to your portal functionality, but when the query was created, can you confirm whether a logical database was used for the relevant InfoSet? It should be PNP or PNPCE.
Regards
01-08-2009 12:41 PM
Hi
I would speak to a developer about creating a bespoke report that does an authority check on the personal area. I think this would be an easier option, although not the quickest.
Anyway, it is not best practice to allow end users unfettered access to SQ01 in the production environment. Unless there is a business case to support this, this access should be discouraged and other alternative solutions should be explored.
Regards
Charmaine
01-08-2009 6:28 PM
I would say that there should be a process in place for defining the way security should work here. Don't give everybody access to create queries (SQ01). Give a limited number of people access to create queries, and provide access to the requested queries through the query user groups by following an approval process. I know this is a more painful process, but good to follow for better security....
Hope somebody has a better solution.