Bug in SU01 program - In correct authority checks ...

jayasimha_chandra · ‎03-16-2010

Dear Security consultants,

We have de-centralized user administration in place. Local site admins will be administering the uses like locking, unlocking, role assignments and changing the user group(making obsolete).

Now we changed the local user admin role :

Previously it was having SU01 and object s_user_grp with 01 & 02 values. No issues with this setup.

Removed the activity 01 from object s_user_grp. Now we are getting issues. Local user admins not allowed to change the user groups anymore. System is returning the authorization error and its looking for 01 value which is create.

How to overcome this problem? We do not want to give s_user_grp with 01 (create). I think this is bug?

Please advice.

Regards,

Jay

Former Member · ‎03-16-2010

Hi Jay,

Unfortunately, S_USER_GRP actvt 01 is being checked when you attempt to change the user group for a user. It appears as if the security administrator is attempting to "create" a user in a new user group. However the admin is only trying to "change" the user group.

We have noticed this as well on the current project that I am working on. I recommend identifying some local site personnel or security adminstators to be "central" security administrators and give them the 01 capability.

Former Member · ‎03-16-2010

Not sure if we can call it a bug. This is probably how it was interpreted. So you have local Admins, i would assume you will have then local user groups as well. And these local admins will have admin access to their local group only and not to other groups.

So what is problem in giving them access to 01 ? Think like this, you already are giving them access to remove roles from the users in their local group. what is the problem if they can create users in their group then ? if they can remove, let them add as well or the policy is that removing access is not ciritical but creating a user id is. If yes then I will question the policy.

Again I understand these local admins are changing user groups and removing roles when users are terminated or transferred. If that is not the case then let us know the business scenario why these local admins need to change user groups and remove roles.

If they just need to do lock / unlock ..you probably already know that 05 would be enough.

sdipanjan · ‎03-16-2010

Congratulation for Inventing a bug in SAP. Please get in touch with SAP and raise a message to SAP as a "Product Error" category.

By the way.... please be advised to verify the SU24 entry and the roles under consideration by some one having good knowledge in authorization concept of abap in this case before you invent more bugs.

regards,

Dipanjan

Former Member · ‎03-16-2010

I suspect that you are being misled by the SU53 and ST01 trace.

SU01 has central "base check" routines which are called, not only when saving but also when determining whether function "buttons" should be visible at all.

When you remove '02' the system will look for something stronger '01' but you might not be able to change it anyway if not authorized for the group you are wanting to change from .

If you take a look at how the CUA config of the local and global fields work, then you can work out how to create a standard transaction variant for SU01 itself ! and then create a ZSU01 for the full access.

SU01 is a complex function module. If you want to do yourself a favour then take a long read through it for a few hours and test the behaviour. A trace will always lead you to the same source code locations for the checks.

Cheers,

Julius

jayasimha_chandra · ‎03-17-2010

Thanks for all replies.

Nishant Sourabh -

Yes, we have local admins and local user groups as well. They can assign the roles only thier local users.

Local user admin moves user from active group to obsolete group. This activity is not working anymore becuase it needs 01 value.

Have to raise SAP OSS.

Once again thanks for your kind responces.

Regards,

Jay

Bug in SU01 program - In correct authority checks for the object S_USER_GRP