Users authorized to start all reports

enrique_ruiz

Hello,

My EarlyWatch Alert reports the issue "Users Authorized to Start all Reports". This is caused by users of my system having access to transaction SA38. I try to protect the execution of some Z reports using an authorization group, but there are a lot of standard reports without an authorization group that cannot be protected and can therefore be executed by any user.

Can anyone tell me the best way to prevent users from running standard SAP programs through the SA38 transaction?

Thanks.

1 ACCEPTED SOLUTION

Former Member

Hi,

Remove SA38 and assign the reports they need to custom transaction codes. Assign the transaction codes to relevant roles.

An alternative would be to put an auth group on all executable programs but this is not a small piece of work by any means.

4 REPLIES

enrique_ruiz

Hi Alex, thanks for your speedy response.

Is there no other way to solve the problem without having to generate custom transaction codes?

Thanks


The problem is that using SA38 is reliant on the auth groups being in place. Without an auth group, the only restrictions are those auth checks that are available in the program itself. While they may stop some programs from completing, they won't necessarily prevent a program from executing. Lots of standard executable programs are subject to auth checks, but there are plenty that will only get automatically checked because they access tables or other system objects or functions. Often when people have SA38, they also have too much system-level access, which can render those controls ineffective.

Good luck with whatever method you choose.


But removing SA38 from users is no excuse to leave S_PROGRAM open for ALL report authorization groups, even if it is the most popular and easy-to-explain-to-an-auditor type of solution.

There are many many many ways to start arbitrary reports in the system and you will have a tough time finding all of them if a user is determined to find one themselves.

To understand the mechanism, take a look in report RSDBRUNT at around line 5265 in the form FORM %_AUTH_SUBMIT USING P_VARIANT P_SECU P_SSET which all SUBMITed programs eventually have to pass.

If the report is SUBMITed from SE38, SE80, etc. (workbench transactions) then it will additionally check P_ACTION = SUBMIT. For others, it is sufficient to be able to submit them via a VARIANT.

Cheers,

Julius
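To make the gap the thread describes visible, here is an added ABAP report (not posted by anyone in this thread and not SAP standard code) that inventories the executable programs in a name range, flags those without an authorization group in TRDIR-SECU, and for the rest performs the same S_PROGRAM check on P_GROUP/P_ACTION that RSDBRUNT applies before a direct SUBMIT. The report name, the use of TRDIR fields NAME/SUBC/SECU and the exact shape of the check are assumptions based on the description above, not a copy of %_AUTH_SUBMIT.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_PROG_AUTHGROUP (hypothetical name, added example)
*& Lists executable programs (TRDIR-SUBC = '1') whose name starts with
*& P_PREF. Programs with an empty TRDIR-SECU cannot be restricted via
*& S_PROGRAM at all; for the others the report shows whether the
*& current user would pass the S_PROGRAM check for a direct SUBMIT.
*&---------------------------------------------------------------------*
REPORT zsec_prog_authgroup.

PARAMETERS: p_pref TYPE trdir-name DEFAULT 'Z' OBLIGATORY.

TYPES: BEGIN OF ty_prog,
         name TYPE trdir-name,
         secu TYPE trdir-secu,
       END OF ty_prog.

DATA: lt_progs       TYPE STANDARD TABLE OF ty_prog,
      lv_pattern     TYPE trdir-name,
      lv_total       TYPE i,
      lv_unprotected TYPE i.

FIELD-SYMBOLS: <ls_prog> TYPE ty_prog.

CONCATENATE p_pref '%' INTO lv_pattern.

" SUBC = '1' marks executable programs, i.e. exactly what SA38 can start
SELECT name secu FROM trdir INTO TABLE lt_progs
  WHERE subc = '1' AND name LIKE lv_pattern
  ORDER BY name.

lv_total = lines( lt_progs ).

LOOP AT lt_progs ASSIGNING <ls_prog>.
  IF <ls_prog>-secu IS INITIAL.
    " No authorization group: RSDBRUNT has nothing to check against
    lv_unprotected = lv_unprotected + 1.
    WRITE: / <ls_prog>-name, 'NO AUTH GROUP - any SA38 user can run it'.
  ELSE.
    " Assumed equivalent of the check %_AUTH_SUBMIT performs for SUBMIT;
    " users submitting via a variant are checked with P_ACTION = VARIANT
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
      ID 'P_GROUP'  FIELD <ls_prog>-secu
      ID 'P_ACTION' FIELD 'SUBMIT'.
    IF sy-subrc = 0.
      WRITE: / <ls_prog>-name, <ls_prog>-secu, 'current user may SUBMIT'.
    ELSE.
      WRITE: / <ls_prog>-name, <ls_prog>-secu, 'blocked for current user'.
    ENDIF.
  ENDIF.
ENDLOOP.

SKIP.
WRITE: / 'Executable programs checked:', lv_total.
WRITE: / 'Without authorization group:', lv_unprotected.
```

Run it with P_PREF set to a standard prefix (for example 'RS') to see how many delivered reports fall outside S_PROGRAM entirely, which is the scope of the "put an auth group on all executable programs" effort mentioned in the accepted answer.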