07-09-2010 4:47 PM
Hello All,
Can certain users logon directly to the OS from SAP in a UNIX environment? How does one find out such users?
Thank you.
07-09-2010 5:42 PM
Check out transaction
OS04
OS05
OS06
OS07
RZ.. transactions and also a few DB transactions can give you details of the OS and DB.
To find if they used the transaction:
Please use SUIM -> Change document tab,
probably to see if anyone used the OS.. transactions. You should not give these transactions to anyone easily.
Regards
07-09-2010 7:41 PM
Thank you very much!
Obviously I am not authorized to use the TCodes you listed, but I was able to find users assigned with authorization to execute those TCodes.
Could you clarify the use of SUIM >>> Change Documents to determine if the OS TCodes were used?
Thank you
07-09-2010 10:05 PM
Actually,
I forgot to mention that if you need audit logs it has to be
SM19 and a few other transactions such as SM20,
and audit logging should be enabled by your Basis team.
I was thinking about security authorization data.
07-12-2010 10:23 AM
Hi,
What do you mean by "login directly to the OS"? Did users change anything? Did they just see anything which they are not allowed to?
Besides the OS* transactions there are some commands you can reach via transaction SM49. Or you can browse directories through AL11.
So please specify your problem.
Regards,
Julia
07-13-2010 2:38 AM
Thank you for your response. My objective is to find out all unauthorized users with the ability to exit from SAP and directly access the OS. All of the responses have been helpful.
07-21-2010 4:31 PM
Hi,
What is the best way to determine which users can execute the program RSBDCOS0?
In SUIM, I entered object S_PROGRAM with value RSBDCOS0 together with S_TCODE with value SA38. Is that correct, or should I include SE38?
Thank you
07-21-2010 9:29 PM
Forget about SE38 and transaction codes here for stuff like this...
Concentrate on objects S_LOG_COM and S_DATASET with the extension "FILTER". These objects are the correct checks to make, and if the programs are using the correct semantics of the auth objects then you are doing a good job, even if the user does have access to SA38 and many other transactions which have the ability to access the OS directly.
Two known exceptions are the ABAP C-call 'SYSTEM' (see RZ11 parameter rdisp/call_system documentation) and external server programs which call the OS via the RFC gateway without ABAP system intervention (see OSS notes about the file 'secinfo.dat').
They are both quite easy to solve unless you have dodgy coding which is (still) needed and uses older concepts.
SAP "owns" the authorization checks, and the objects S_LOG_COM and S_DATASET are the documented semantics for restricting it; they check for this in their own code.
If you do the same in your code and plug the backdoors, then you should be fine.
Hope that helps you further...
Cheers,
Julius
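As an added example, not part of the thread above: a small audit script for the gateway 'secinfo.dat' exception Julius mentions. It parses a constructed sample file in the version-2 line syntax (`P|D TP=... USER=... HOST=... USER-HOST=...`, assumed here from SAP's gateway documentation) and flags permit rules that let any user start any program. The sample content and the severity logic are this example's own assumptions, not SAP's.

```python
import re

# Constructed sample secinfo.dat (version-2 syntax); not taken from any real system.
SAMPLE_SECINFO = """#VERSION=2
# Allow the backup agent to be started from the backup host only
P TP=backup_agent USER=sapadm HOST=backup01 USER-HOST=backup01
# Over-permissive: any user from any host may start any external program
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""

RULE_RE = re.compile(r"^(?P<action>[PD])\s+(?P<fields>.*)$")


def parse_secinfo(text):
    """Return a list of (lineno, action, fields) for each rule line.

    Comment lines (starting with '#', including the #VERSION header) and
    blank lines are skipped. Field tokens are KEY=VALUE pairs separated by
    whitespace; keys are normalised to upper case.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule syntax: {line!r}")
        fields = {}
        for token in m.group("fields").split():
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((lineno, m.group("action"), fields))
    return rules


def find_permissive_rules(rules):
    """Return line numbers of permit (P) rules with wildcard TP and USER.

    A missing TP or USER field is treated as a wildcard (assumption made
    here to stay conservative, i.e. to flag rather than miss such rules).
    """
    findings = []
    for lineno, action, fields in rules:
        if action != "P":
            continue
        if fields.get("TP", "*") == "*" and fields.get("USER", "*") == "*":
            findings.append(lineno)
    return findings
```

Run it against a real export only after checking the file's `#VERSION` line, since version-1 files use a different, comma-separated layout that this parser does not accept.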