> Security-related programs should, therefore, always be assigned to an authorization group.

That is a very blunt and rather antiquated approach.

SAP has also (when the opportunity is ripe) redesigned many of their Report type transactions.

The best place for an authority-check to use the coding function which actually does the work, is beyond these blunt tools such as transaction codes, program groups, function groups, services, etc.

In this way the entry points are scalable and the checks are consistent to be used in a sustainable authorization concept where the user has the correct authority to use functionality, almost regardless of the entry point.

That is what transaction SU24 is all about and why you can maintain proposals for various types of entry points (not just the vast number of tcodes). Take a look at the drop-down menu in Su24 and the options on the Menu tab of PFCG which correspond to them and then rethink S_TCODE lists...

In the special case of tcodes you can however turn some checks off in a context sensitive way. This is an exception, to be treated with caution - but for some objects you cannot turn it off at the application layer and for others you cannot turn it off in the kernel either (checks triggered behind ABAP statements, even if you don't check the authority).

Again: There are millions of programs, there are 100's of thousands of function modules, there 10's of thousands of transactions, there are ~ 2500 authorization objects (not all of which are relevent for your implementation...

Take your pick which is easier to administrate and audit....

Where I give Auke full credit, is that if the user is not authorized to use the transaction + all subsequent consequences, then it is rather suspect why they are authorized to start it so obviously....

However you will have a tough time preventing a determined user from submitting reports in a system.

I think I am starting to repeat myself. Perhaps I am wrong....

Cheers,

Julius

basically I do agree with all that has been said here.

a few thoughts to bring into the discussion.

The better auditors do not only look at Dangerous T-Codes but also at authorization objects with certain values, for instance Debug.

Is there a list of transactions already?

Yes in system administration made easy!

Part of that list you can see below

The table below is organized with input from Basis consultants and users and lists

transactions that we recommend you lock. The transactions are categorized by the following risk categories:

< Dangerous

< Security-related

< Performance impact

Transaction Description Dangerous Security Performance

F040 Document Archiving X

F041 Bank Master Data Archiving X

F042 G/L Accounts Archiving X

F043 Customer Archiving X

F044 Vendor Archiving X

F045 Document Archiving X

F046 Transaction Figures Archiving X

GCE2 Profiles: Initial screen X

GCE3 Maintain Authorizations: Object Classes X

KA10 Archive Cost Centers (all) X

KA12 Archive cost centers (plan) X

KA16 Archive cost centers (line items) X

KA17 Archive admin: cost centers (line items) X

KA18 Archive admin: completely cancelled X

doc

KA20 Archive admin: cost centers (all) X

O001 Maintain Users: Initial Screen X

O002 Profiles: Initial Screen X

O016 Maintain Authorizations: Object Classes X

OBR1 Reset Transaction Data X (delete transaction data)

OBZ7 Maintain Users: Initial Screen X

OBZ8 Profiles: Initial screen X

I once have seen an accident with OBR1 so I can tell from own experience what a lot of trouble that was and use that as an example of the list saying that I luckily did not have bad experience with much the rest of the list

this book describes that one should lock these dangerous transactions, i am not in favor of that.

However during my implementations I do advise clients not to have these transactions in either :

u2022 any role given to any user (advise them to use firefighter instead for controlled access ) or

u2022 not to give it to end-users.

I must admit Jurjen that sometimes it is hard to convince clients.

I am not always around long enough after go-live to see things go wrong if they did not follow my advice, but then I think, I do not have to solve the problem also so who cares!!

If you look in those transactions, you will find an armada of other checks...

- Client needs to be open (T000-CCCORACTIV)

- Company code needs to be unproductive (T001-XPROD)

- S_ARCHIVE checks.

- Maximum authority checks (on * values).

- S_PROGRAM group checks which relate to development work or SPRO activities.

- etc

IS it not more efficient and consistent for security to prevent the use of the transaction (or the report or function module behind it...) than to find all the tcodes, ways of submitting reports, or possible ways of calling function modules (also as other users, either remotely or in job-steps).

My vote: Forget about "forbidden tcode" lists.

Cheers,

Julius

Julius

although I tend to agree with what you say it makes things far more complicated.

How to convince a client not to give debug access can be pretty hard.

Secondly we need not to forget the damage that some (inexperienced) Functional consultants do.

I recently had a hard job to convince the client not to use ABAP query by end users!

One of the other consultants on the project thought to make his own life simple by not creating the reports the end users needed!

For myself I hold a list of forbidden transactions WITH THE REASON for not granting it, end a number of authorisations that should not given!.

Besides there is always a number of things that are implementation specific.

Like HR being used by a single company in the system thus not allowing other companies in the same system unlimited access to HR!

I allways do a check on * (STAR) values as i rather give all possibel values then a *.

Remeber that most programms auditors use chack on * values given in a number of fileds and do not allow that, the worst of that as we all should know is S_TCODE or field TCD Which should NEVER have a *!

In the end I feel it all bares down again on Knowledge of the security consultant and in that area I have seen too many things go wrong. So for those less experienced consultants I say let them stick to the forbidden transaction list. As that is at least giving a little security!

And for the rest, It is giving us a lot of work to correct the errors others have made and lets be happy for that

Hi guys,

I see where Auke is coming from in this "next best" or "something is better than nothing" solution which is possible, but that does not make in right or prevent it from breeding more problems and should not be encourages to grow in popularity.

> Auke wrote:

> although I tend to agree with what you say it makes things far more complicated.

Compare the number of authorization objects in SAP (SU21) to the number of transactions(SE93) + reports (SE38) + function modules (SE37) + methods (SE24) + services (SICF) etc etc in SAP and then reconsider which is less complicated and more scalable (for consistent reuse).

> Like HR being used by a single company in the system thus not allowing other companies in the same system unlimited access to HR!

This is also a nice example of why * values or no checks except blunt ones (like S_TCODE or S_PROGRAM) should be avoided as the only security or used with caution if you want to rely on them.

> I allways do a check on * (STAR) values as i rather give all possibel values then a *.

I definately agree with this, but sometimes there is not sufficient time or risk to justify the granularity for some fields.

> In the end I feel it all bares down again on Knowledge of the security consultant and in that area I have seen too many things go wrong. So for those less experienced consultants I say let them stick to the forbidden transaction list. As that is at least giving a little security!

Relying on a little negative list of tcodes to design security is like being a little bit pregnant...

> And for the rest, It is giving us a lot of work to correct the errors others have made and lets be happy for that

I prefer having some time for my family, the garden, SDN, researching something new.... and let a program with a sustainable concept behind it do my work for me

> Jujen wrote:

> To my frustration some people kling on to transaction lists without really understanding the implications. That's where the creative guys go seeking (and finding) the backdoors.

Exactly. That is also were the accidents happen when the real authority protection is neglected in favour of some tcode which only the author knows about... and the user clicks on some strange button, or someone lures them into running the program.

Cheers,

Julius

Julius

I agree with most of your comments, but we are not living in an ideal world so i am confronted with people who claim to be very experienced and than come up with very poor security designs and i have to convince the client that they have a bad design.

and with many clients presenting a list is helping to convince them!

as many clients have even less knowlegde on security than those bad consultants!

Jurjen

when I teach Security I do not even mention SAP_ALL other then absolutely forbidden to give in any system. And I do explain the risks!

As I currently join most projects only in a stage when someone else has made a mess out of security, I am confronted with a lot of SAP_ALL users and it takes quite a lot of effort to replace that with good roles.

One of the steps when analyzing the problems is using my forbidden transaction list and see if any of those are in the roles design.

When I see such a thing I go talk with the process designer and ask why the transaction is in that role.

Most of the times I can convince them to remove it from the design.

I do exactly the same with object and values that should not be used.

However that discussion is more difficult as functional consultants normally have no clue what the objects do and are too afraid to have these removed!