02-01-2012 3:00 PM
Hi All,
In one of the security notes it is advised to set parameter rdisp/auth_check_user_list to TRUE. However, for us it is not clear what this parameter actually does. There is no documentation available on the support portal nor in the documentation in the system itself.
Does anyone know what the parameter actually does? Also does it have any side-effects that we have to be aware of before implementing it?
Thanks!
Maaike
02-01-2012 3:49 PM
Hi,
From what I can make out from the OSS note:
TH_USER_LIST is a remote-enabled FM which can be called by RFC from another system. Triggering the FM will provide a list of users logged on to that destination. In conjunction with the OSS note, setting rdisp/auth_check_user_list = TRUE will force an additional authorisation check against the FM for S_RZL_ADM, therefore requiring the RFC user in the target system to have admin authorisations in order to be able to return this information.
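A way to see the effect described in the reply above from the calling side, as an added example that is not part of the original thread: the script below calls TH_USER_LIST through the pyrfc binding (SAP NW RFC SDK) as a given RFC user and reports whether the logged-on user list came back or the call was refused. Run it before and after setting the parameter with a non-admin RFC user to confirm the check is enforced. Assumptions not confirmed by the thread: the FM returns its rows in a table named USRLIST with the user name in field BNAME, a failed authorization check surfaces as a pyrfc exception that carries a `key` attribute, and the `SAP_*` environment variable names are this example's own. The offline demo uses a constructed fake connection so the classification logic runs without an SAP system.

```python
"""Probe whether TH_USER_LIST is reachable for a given RFC user.

Added example (not from the original thread). Real connections use the
pyrfc binding to the SAP NW RFC SDK; the offline demo uses a constructed
fake connection. Assumed, not verified: result table USRLIST with the
user name in BNAME, and a refused call raising an exception with ``key``.
"""
import os

try:  # pyrfc needs the SAP NW RFC SDK; keep it optional for the offline demo
    import pyrfc
except ImportError:
    pyrfc = None


def probe_user_list(conn):
    """Call TH_USER_LIST once and classify the outcome.

    conn: any object with a ``call(fm_name, **params)`` method that returns a
    dict of export/table parameters and raises on failure (pyrfc.Connection
    behaves this way).
    """
    try:
        result = conn.call("TH_USER_LIST")
    except Exception as exc:
        kind = type(exc).__name__
        # Connection-level failures say nothing about the authorization check.
        if kind in ("CommunicationError", "LogonError"):
            return {"status": "UNREACHABLE", "detail": str(exc)}
        # Any other RFC error after a successful logon means the call itself was
        # refused; with rdisp/auth_check_user_list = TRUE that is the expected
        # outcome for a user lacking S_RZL_ADM.
        return {"status": "BLOCKED", "detail": getattr(exc, "key", kind)}
    # Assumed result layout: table USRLIST, one row per logon, user in BNAME.
    users = sorted({row.get("BNAME", "") for row in result.get("USRLIST", [])})
    return {"status": "EXPOSED", "users": users}


class FakeRfcError(Exception):
    """Constructed error shaped like a pyrfc exception (carries a ``key``)."""

    def __init__(self, key):
        super().__init__(key)
        self.key = key


class FakeConnection:
    """Constructed stand-in for pyrfc.Connection used in the offline demo."""

    def __init__(self, users=None, error=None):
        self.users = users or []
        self.error = error

    def call(self, fm_name, **params):
        if self.error is not None:
            raise self.error
        # Constructed sample rows; only BNAME is relied on by probe_user_list.
        return {"USRLIST": [{"MANDT": "100", "BNAME": u} for u in self.users]}


def live_connection():
    """Build a real pyrfc connection from the environment, or None if unavailable.

    The SAP_* variable names are this example's own convention.
    """
    if pyrfc is None or not os.environ.get("SAP_ASHOST"):
        return None
    return pyrfc.Connection(
        ashost=os.environ["SAP_ASHOST"],
        sysnr=os.environ.get("SAP_SYSNR", "00"),
        client=os.environ.get("SAP_CLIENT", "100"),
        user=os.environ["SAP_USER"],
        passwd=os.environ["SAP_PASSWD"],
    )


if __name__ == "__main__":
    # Offline demo with constructed data: a target without the check leaks the
    # list; a target enforcing it refuses the call (constructed error key).
    print(probe_user_list(FakeConnection(users=["ALICE", "BOB"])))
    print(probe_user_list(FakeConnection(error=FakeRfcError("NO_AUTHORIZATION"))))
    conn = live_connection()
    if conn is not None:
        print(probe_user_list(conn))
```

Run the probe twice against the same target with the same low-privilege RFC user: an EXPOSED result before the parameter is set and a BLOCKED result after it confirms that the S_RZL_ADM check is now applied to the function module. The script deliberately does not treat connection or logon failures as BLOCKED, so a wrong host or password is not mistaken for a working control.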
02-01-2012 3:56 PM
Hi,
I have seen that, but how do I translate that into more functional language? I'm not sure what that function module actually does and what it means that access is being restricted. Can it do any harm?
Thanks
Maaike
02-01-2012 4:04 PM
The function module presents a list of logged on users. I assume the logic behind it is to reduce the information available to perform an exploit using a known active userID.
02-22-2012 11:14 AM
I understand the intention, but I'm worried about possible side-effects. Just spoke to a Basis consultant about this and his guess is that the only potential side-effect could be the proper working of transaction AL08 (logged on users across all application servers). If that is the case, then we'll have to figure out next steps.