Access to SU01 with no authorization to the transaction
I have a user that was able to execute transaction SU01 even though he has no authorization to it, at least not directly. I do not know how he did it; these are the entries from SM20:
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
I executed program RS_TESTFRAME_CALL but was not able to go to SU01 from there. Does anybody know how the access to SU01 was possible?
Martin Voros replied
Report RS_TESTFRAME_CALL is used to test a function module. So if you go to SE37 and you want to test a function module, it will call this report. So that user was able to use a function module to launch transaction SU01 without an authorization check. You can't see from the log which function was used, but I guess he used FM SUSR_USER_MAINT_WITH_DIALOG, which is used in SU01.
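The pattern in the log above can be searched for in an exported audit log. The following is an added example, not part of the original thread: it flags every transaction start whose calling program is RS_TESTFRAME_CALL and notes whether the same user was denied that transaction shortly before. The column layout (date, time, user, terminal, transaction, program, message) and the 10-minute window are assumptions taken from the lines quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Audit log lines as quoted in the question above.
# Assumed layout: date time user terminal tcode program message
SAMPLE_LOG = """\
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
"""

TEST_FRAME = "RS_TESTFRAME_CALL"  # report SE37 runs to test a function module
FAILED = re.compile(r"Start of transaction (\S+) failed")
STARTED = re.compile(r"Transaction (\S+) Started")

def parse(line):
    """Return (timestamp, user, program, message), or None if the line is malformed."""
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    date, time, user, _terminal, _tcode, program, message = parts
    return datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S"), user, program, message

def find_test_frame_starts(log_text, window=timedelta(minutes=10)):
    """Flag transactions started from the SE37 test frame, with prior-denial context."""
    denied = {}    # (user, tcode) -> time of the most recent failed start
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, user, program, message = event
        m = FAILED.search(message)
        if m:
            denied[(user, m.group(1))] = ts
            continue
        m = STARTED.search(message)
        if m and program == TEST_FRAME:
            last = denied.get((user, m.group(1)))
            findings.append({"user": user, "tcode": m.group(1), "time": ts,
                             "after_denial": last is not None and ts - last <= window})
    return findings

if __name__ == "__main__":
    for finding in find_test_frame_starts(SAMPLE_LOG):
        print(finding)
```

A finding with `after_denial` set to true is the sequence from the question: a rejected start of the transaction followed by a successful start of the same transaction through the function module test frame.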