
SAP MII Security concern

Former Member
0 Kudos

In MII there is no way to restrict the access to an exclusive role. The only way to achieve this is to read the user's roles in JavaScript and restrict the access to the webpage. The roles of the active user can be found in the variable 'IllumLoginRoles'.

For transactions the role permissions are easily maintainable. For webpages the responsibility lies with the developer.

Anyway, here is the concern: a user can pass whatever value they want through the IllumLoginRoles parameter. E.g. he can add the following line to the URL

     ?IllumLoginRoles='SAP_XMII_Super_Administrator'

This seems to be a flaw in the parameter concept. If the developer restricted the permissions of the transactions, the user still won't be able to execute the transactions, though. But it still seems to be a bad practice.

What does the community think?

Accepted Solutions (0)

Answers (1)


former_member185280
Active Contributor
0 Kudos

As long as the data access and transaction execution layer are secure, then I don't think it's an issue. I have only used that parameter for convenience when a page format is dynamic, etc., but not as the actual security. In cases where no access at all to the web layer is desired, I have implemented a JSP with a role check. The subject probably does deserve to be added to the best practice document if it isn't already in there.
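The two gates contrasted in this thread, modelled as an added example that is not code from the original question, the answer, or SAP MII itself. The only name taken from the page is the `IllumLoginRoles` variable and the spoofed URL form the question shows; the query-string parsing, the "URL value overrides the login value" behaviour (as the poster reports it), the sample session and the role names are constructed assumptions for illustration.

```javascript
// Added example (not from the original thread or from SAP MII).
// Models the client-side role gate the question describes and the
// server-side (session-derived) gate the answer recommends.

// Roles as a comma-separated list in the query string, in the form the poster
// shows: ?IllumLoginRoles='SAP_XMII_Super_Administrator'
function rolesFromQueryString(search) {
  const params = new URLSearchParams(search);
  const raw = params.get("IllumLoginRoles");
  if (raw === null) return [];
  return raw
    .split(",")
    .map((r) => r.trim().replace(/^'|'$/g, "")) // strip the quotes used in the URL form
    .filter((r) => r.length > 0);
}

// The client-side gate the question describes. It trusts whatever reached the
// browser, so a value smuggled in through the URL is indistinguishable from a
// role granted at login.
function clientSideGate(search, loginRoles, requiredRole) {
  // Constructed assumption: a URL parameter overrides the login-time value,
  // which is the behaviour the poster reports.
  const urlRoles = rolesFromQueryString(search);
  const effective = urlRoles.length > 0 ? urlRoles : loginRoles;
  return effective.includes(requiredRole);
}

// The server-side gate the answer recommends (a role check on the server, e.g.
// in a JSP). Roles come only from the authenticated session; nothing in the
// request is consulted. `session` is a constructed stand-in for whatever the
// server holds after login.
function serverSideGate(session, search, requiredRole) {
  void search; // deliberately ignored: request content never decides access
  if (!session || !Array.isArray(session.roles)) return false;
  return session.roles.includes(requiredRole);
}

// Constructed sample: a user who was granted only a developer role at login,
// then tries the URL override from the question.
const SAMPLE_SESSION = { user: "jdoe", roles: ["XMII_Developer"] };
const REQUIRED_ROLE = "SAP_XMII_Super_Administrator";
const SPOOFED_URL = "?IllumLoginRoles='SAP_XMII_Super_Administrator'";

function demo() {
  return {
    clientNormal: clientSideGate("", SAMPLE_SESSION.roles, REQUIRED_ROLE),          // false
    clientSpoofed: clientSideGate(SPOOFED_URL, SAMPLE_SESSION.roles, REQUIRED_ROLE), // true: bypassed
    serverSpoofed: serverSideGate(SAMPLE_SESSION, SPOOFED_URL, REQUIRED_ROLE),       // false: held
  };
}

console.log(demo());
```

The point of the contrast is that `serverSideGate` never reads the request at all: the spoofed parameter can still change what the browser renders, but it cannot change what the server is willing to serve or execute. In a real servlet/JSP the equivalent is to ask the container about the authenticated principal (standard servlet API such as `HttpServletRequest.isUserInRole`) rather than any request parameter; how MII maps its roles onto that is not something this thread states, so treat that as the assumption to verify in your own installation.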