Access to SU01 with no authorization to the transaction

Ayax
Participant

Hello,

I have a user who was able to execute transaction SU01 even though he has no authorization to it, at least not directly. I do not know how he did it; these are the entries from SM20:

01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)

01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started

01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started

01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started

01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started

I executed program RS_TESTFRAME_CALL but was not able to go to SU01 from there. Does anybody know how the access to SU01 was possible?

Regards,

Ayax

1 ACCEPTED SOLUTION

martin_voros
Active Contributor

Hi,

Report RS_TESTFRAME_CALL is used to test a function module. So if you go to SE37 and want to test a function module, it will call this report. So that user was able to use a function module to launch transaction SU01 without an authorization check. You can't see from the log which function was used, but I guess he used FM SUSR_USER_MAINT_WITH_DIALOG, which is used in SU01.

Cheers
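A detection check over the SM20 lines quoted in the question, as an added example (not code from the thread or from SAP): it flags a transaction that is started from a program other than the menu navigation shortly after the same user's direct start of that transaction was refused. The field layout (date, time, user, terminal, tcode, program, message), the sample lines and the program-name heuristic are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the layout shown in the question:
# date time user terminal tcode program message
SAMPLE_SM20 = """\
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
01.06.2011 16:20:00 UserY userylaptop SU01 SAPLSMTR_NAVIGATION Transaction SU01 Started
"""

FAILED = re.compile(r"Start of transaction (\S+) failed")
STARTED = re.compile(r"Transaction (\S+) Started")

def parse(line):
    # The message is free text with spaces, so split only the six leading fields.
    date, time, user, terminal, tcode, program, message = line.split(maxsplit=6)
    ts = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
    return {"ts": ts, "user": user, "tcode": tcode, "program": program, "message": message}

def find_bypasses(text, window_seconds=600):
    """Return (user, tcode, program) for each transaction started from a program other
    than the command-field navigation after that user's direct start of the same
    tcode failed within window_seconds. Program name SAPLSMTR_NAVIGATION taken from the log."""
    events = [parse(l) for l in text.splitlines() if l.strip()]
    denied = {}  # (user, tcode) -> timestamp of the last refused direct start
    hits = []
    for ev in events:
        m = FAILED.search(ev["message"])
        if m:
            denied[(ev["user"], m.group(1))] = ev["ts"]
            continue
        m = STARTED.search(ev["message"])
        if not m or ev["program"] == "SAPLSMTR_NAVIGATION":
            continue  # a normal start via the command field is not suspicious here
        key = (ev["user"], m.group(1))
        if key in denied and (ev["ts"] - denied[key]).total_seconds() <= window_seconds:
            hits.append((ev["user"], m.group(1), ev["program"]))
    return hits

if __name__ == "__main__":
    for user, tcode, program in find_bypasses(SAMPLE_SM20):
        print(f"{user}: {tcode} started via {program} after a refused direct start")
```

The same pattern (refused direct start, then a start from a test or report program) can be fed from an SM20 export rather than the embedded sample.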

3 REPLIES


arpan_paik
Active Contributor

There are many other ways to break into the initial txn screen. Developers play these magic tricks and sometimes they assign themselves a profile (not to mention the name). However, if your developer does not have access to objects like S_USER*, they won't be able to do any further activity there.

But if he is too smart then maybe there are other ways to break that as well (like changing the RC at runtime). That may have a solution in terms of authorization restrictions or some SNOTE implementation (lots of bugs), specifically in old systems.

Regards,

Arpan Paik

Former Member

Hi Ayax,

SUSR_USER_MAINT_WITH_DIALOG can be used by the user in FUNCN to get to the SU01 screen. As suggested by others, unless he has access to S_USER* objects in the profile it would be in change mode (unless the developer resorts to debug/replace) in systems ... but I think that's how he reached the tcode.

~Sri