11-27-2012 2:59 PM
Hi All. I have a quick query I was hoping somebody can help me with. I'm auditing an instance of SAP 4.0B and the guide I am using asks to check for access to S_PROGRAM activity values for SA38, SE37, SE38, SE80, SE11, SE12, SE15 and SE16.
What I need to find out is whether it is possible to perform any changes on these if the Production environment has been set to No Changes in transaction SCC4. Thanks for any assistance.
11-27-2012 7:18 PM
You can fairly safely report that in a 4.0B system there will be a few ways to make changes even if SE06 and SCC4 are closed. That SE24 does not exist yet is just a small condolence... 🙂
Users with powerful authorizations such as these in 7.31 etc. will also make changes.
Cheers,
Julius
11-28-2012 9:32 AM
Hi Julius. Thanks for the reply. Do you have any tips as to what security holes or settings I can look out for in 4.0B? SAP is not my speciality and I would appreciate any advice.
Thanks,
John
11-28-2012 2:17 PM
For one, 4.0B does not distinguish between the ability to display (activity 03) and execute (activity 16) from the workbench.
So any update functions (which should not make any authority-checks anymore) or "dark horses" can be executed if the user is able to see them...
You can find a few examples in SE37 quite easily. A famous one is RFC_ABAP_INSTALL_AND_RUN. You will typically find a few more of the same ilk in the Z* namespace as well.
Cheers,
Julius