
Security note 1576763 - rdisp/auth_check_user_list

Former Member
0 Kudos

Hi All,

In one of the security notes it is advised to set parameter rdisp/auth_check_user_list to TRUE. However, for us it is not clear what this parameter actually does. There is no documentation available on the support portal nor in the documentation in the system itself.

Does anyone know what the parameter actually does? Also does it have any side-effects that we have to be aware of before implementing it?

Thanks!

Maaike

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

From what I can make out from the OSS note:

TH_USER_LIST is a remote-enabled FM which can be called by RFC from another system. Triggering the FM will provide a list of users logged into that destination. In conjunction with the OSS note, setting rdisp/auth_check_user_list = TRUE will force an additional authorisation check against the FM for S_RZL_ADM, therefore requiring the RFC user in the target system to have admin authorisations to be able to return this information.
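
A way to check the setting described in the answer above across instances, as an added example that is not part of the original thread and not SAP code: it reads profile text in `name = value` form and reports, per instance, whether rdisp/auth_check_user_list is effectively TRUE. The profile contents and instance names are constructed, and it assumes that an instance profile overrides DEFAULT.PFL and that a later assignment in a file replaces an earlier one.

```python
import re

PARAM = "rdisp/auth_check_user_list"

# Constructed sample profiles (not taken from any real system).
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
rdisp/auth_check_user_list = TRUE
"""
INSTANCE_PROFILES = {
    "PRD_D00_app1": "# constructed sample\nrdisp/wp_no_dia = 10\n",
    "PRD_D01_app2": "# overrides DEFAULT.PFL\nrdisp/auth_check_user_list = FALSE\n",
}

def parse_profile(text):
    """Return {name: value} for 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            # Assumption: a later assignment in the same file replaces an earlier one.
            params[m.group(1)] = m.group(2).strip()
    return params

def effective_value(default_text, instance_text, name=PARAM):
    """Instance profile wins over DEFAULT.PFL; None means neither file sets the parameter."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged.get(name)

def audit(default_text, instances):
    """Map each instance to 'enforced', 'not enforced' or 'not set in profiles'."""
    result = {}
    for inst, text in instances.items():
        value = effective_value(default_text, text)
        if value is None:
            result[inst] = "not set in profiles"
        elif value.upper() == "TRUE":
            result[inst] = "enforced"
        else:
            result[inst] = "not enforced"
    return result

if __name__ == "__main__":
    for inst, status in audit(DEFAULT_PFL, INSTANCE_PROFILES).items():
        print(f"{inst}: {PARAM} {status}")
```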

4 REPLIES

0 Kudos

Hi,

I have seen that, but how do I translate that into more functional language? I'm not sure what that function module actually does and what it means that access is being restricted. Can it do any harm?

Thanks

Maaike

0 Kudos

The function module presents a list of logged on users. I assume the logic behind it is to reduce the information available to perform an exploit using a known active userID.

0 Kudos

I understand the intention, but I'm worried about possible side-effects. Just spoke to a Basis consultant about this and his guess is that the only potential side-effect could be the proper working of transaction AL08 (logged on users across all application servers). If that is the case, then we'll have to figure out next steps.