08-23-2011 6:07 PM
Hi Experts,
As per analysis of one issue, the user has access to transaction code FD32; however, while checking in the system it shows that the user has modified customer details.
On checking ST03 it showed that the user has executed XD02, which provides the ability to Change Customer (Centrally); however, the user doesn't have access to XD02?
Can you please provide any pointer as to why this is happening?
Is this a known bug?
I have also checked TCDCOUPLES, and FD32 does call XD02; however, the user does not have access to XD02 and hence cannot modify the customer record, but the report Customer Change Overview shows that the user has modified the customer record?
08-23-2011 6:39 PM
Hi Jitendra,
Hope you are doing well.
When you check TCDCOUPLES, make sure the field Check Ind. is marked with YES for the XD02 entry; otherwise the S_TCODE check will not be performed when the user switches from FD32 (calling tcode) to XD02 (called tcode).
Also ensure the user does not have access to directly execute the XD02 program via SE90, etc., or maybe via some function module like ALINK_CALL_TRANSACTION.
Hope this helps.
Cheers!
Sandipan
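To make Sandipan's point about the check indicator concrete, here is an added audit helper (not code from this thread or from SAP) that models how a CALL TRANSACTION from a calling tcode to a called tcode is gated by a TCDCOUPLES row: check indicator "X" means the S_TCODE check is performed for the called tcode, blank means it is skipped. The row layout, the attribute names and the sample rows are constructed assumptions; how a pair with no TCDCOUPLES row at all behaves is not covered by the thread and is treated here as not reachable.

```python
# Added example: model of the TCDCOUPLES check-indicator logic described in the
# thread, used to find called tcodes a user reaches without an S_TCODE check.
from dataclasses import dataclass


@dataclass(frozen=True)
class Couple:
    calling: str  # calling transaction (attribute name is an assumption)
    called: str   # called transaction (attribute name is an assumption)
    check: str    # check indicator: "X" = S_TCODE checked, "" = not checked


# Constructed sample rows, not a real TCDCOUPLES export.
TCDCOUPLES = [
    Couple("FD32", "XD02", "X"),   # FD32 -> XD02 with S_TCODE check
    Couple("FD32", "FD03", ""),    # FD32 -> FD03 without S_TCODE check
    Couple("FBL5N", "FB03", "X"),
]


def call_transaction_allowed(calling, called, couples, user_tcodes):
    """Return (allowed, reason) for a switch from `calling` to `called`.

    `user_tcodes` is the set of tcodes the user holds in S_TCODE.
    """
    row = next((c for c in couples
                if c.calling == calling and c.called == called), None)
    if row is None:
        # Assumption: no coupling row means this path is not evaluated here.
        return False, "no TCDCOUPLES entry for this pair"
    if row.check != "X":
        return True, "check indicator blank: S_TCODE not checked"
    if called in user_tcodes:
        return True, "S_TCODE check passed"
    return False, "S_TCODE check failed"


def unchecked_reach(couples, user_tcodes):
    """Called tcodes the user can reach from a tcode they hold without an
    S_TCODE check, even though they do not hold the called tcode itself."""
    return sorted({c.called for c in couples
                   if c.calling in user_tcodes
                   and c.check != "X"
                   and c.called not in user_tcodes})
```

With the sample rows, a user holding only FD32 is stopped at XD02 (indicator "X") but reaches FD03 unchecked; running unchecked_reach over a real export lists exactly the rows an auditor should question.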
08-25-2011 2:42 PM
Hi Sandipan,
Good to hear from you.
However, I am still not able to figure out how the user is getting access to XD02.
Below is the list of transactions executed by the user:
In the list below, which I got from ST03, it shows that the user has executed XD02; however, the user does not have access to XD02.
Also I checked the TCDCOUPLES table, and the check indicator is marked as "X" for called transaction XD02 with calling transaction code FD32, that is, the S_TCODE check will be performed.
FB70
FBL5N
FB03
ZFKORD50
XD02
FD32
F150
RFC
FBL3N
ZV332126
SESSION_MANAGER
<AD_DISPLACE>
QISR1
FD03
IQS3
<AD_RESET_USR02>
QISR
IQS2
SAPMSEM1
SAPMSYST
SU53
F-32
<AD_DEL_USER>
/sap/bc/gui/sap/its/qisr
RSBTCRTE
iac/wa/webgui/style/1x1.gif
FB08
/sap/bc/gui/sap/its/qisr/~flNUQVRFPTc5O
/sap/bc/gui/sap/its/qisr/~flNUQVRFPTMwO
/sap/bc/gui/sap/its/qisr/~flNUQVRFPTIxN
/sap/bc/gui/sap/its/ZISR_AKNB/!
SAPF150S2
SAPF150S2
FB1D
FB00
08-26-2011 12:44 PM
This list you have posted cannot be from TCDCOUPLES.
Looks more like a statistics monitor display list...
Cheers,
Julius
08-26-2011 1:13 PM
Hello Julius,
This is the list that I got from the ST03 transaction for the week in which this issue was raised.
This is not the list from TCDCOUPLES.
08-26-2011 1:08 PM
Hi Jitendra,
Did you check the change documents for the user? Are you sure that there were no roles/profiles assigned and deleted during this activity? That is just another way to see how the user got additional access.
Regards,
Raghu
08-26-2011 1:10 PM
Hi,
This is the list that I got from the ST03 transaction for the week in which this issue was raised.
08-26-2011 1:17 PM
Ah okay, my fault for not reading carefully...
What does ZV332126 do? Same for ZFKORD50?
Also there are RFC (no surprises there) and BSPs, so take a look in the RFC server profiles at what was called, and what do they do?
SAPGui transaction codes are not the only entry points into the system to start applications.
Cheers,
Julius
Edited by: Julius Bussche on Aug 26, 2011 2:17 PM
09-23-2011 9:47 AM
Hi Julius ,
Thanks for your reply.
Below is the list of information that I got from RFC Server Statistics (ST03N) for the user.
Is there any possibility that the user can make changes to customer master records by raising an ISR?
Report/Transaction   RFC Destination    RFC Program
FBL5N                NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
IQS2                 NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
FB03                 NONE               SAPLSGOSITS
QISR1                SAPGUI             SAPLAWRT
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
FB03                 NONE               SAPLSGOSITS
RFC                  NONE               SAPLARFC
FB03                 NONE               SAPLSGOSITS
QISR                 SAPGUI             SAPLAWRT
SBWP                 NONE               SAPLSIWWP2
SBWP                 NONE               SAPLSIWWP2
SBWP                 NONE               SAPLSIWWP2
SESSION_MANAGER      ukblx177_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx178_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx178_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx255_EU3_01    SAPLTHFB
SO01                 NONE               SAPLSIWWP2
SESSION_MANAGER      ukblx255_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
QISR1                SAPGUI             SAPLAWRT
QISR1                SAPGUI             SAPLAWRT
QISR                 SAPGUI_QUEUE       SAPLOLEA
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSO00
09-23-2011 10:10 AM
From the RFC calls to destination SAPGUI it looks as if they have some sort of a client scripting / end-user upload tool.
It is quite possible that exposing server-side intended RFC access to client-side end users (as some bolt-on tools will force you to do...) can give them the opportunity to process things without seeming to have the required authorizations. Sometimes the front-end tools make it really user-friendly for them to break your processes and security...
However, whether or not it is in fact critical and/or does deviate from the business process in this case is another matter.
Are the master data owners complaining about these unauthorized changes? Are the changes causing quality problems with the master data?
Or is this just some "business process controls" checks which are done and now everyone needs to explain how the system works (with their hands up in the air and a stone tied to their feet ;-).
Cheers,
Julius