Julius, I was hoping you would be one of the responders to this. As much as I am a fan of some of your posts here, I will risk being difficult about this in order to get to the answers I am seeking. I expect you will not take this as a lack of open mind for other ideas (and I pretty much know you will not take it personally).

Also, I’m going to break this up into little pieces-parts (3).

Julius von dem Bussche wrote:

I quite like the current construct where you have to show intention to add S_RFCACL to SAP_ALL and it does not "just happen" like magic. The reasons I am aware of are:


The object is not a control of authorization. It controls authentication. So it belongs to the login family of security controls and not "all authorizations for the system".

OK, interesting. I don’t often have situations where I have to mentally separate those two concepts to take an action, but you are absolutely right. I’ll think on that. But for this question that seems sort of academic. I see that S_RFCACL controls authentication and, since that is acceptable to me in the given use case, I don’t see this (by itself) as a reason not to use it for this.

BTW, please note I am not expecting anyone to give me a blueprint on how to hack into a system where an ID has SAP_ALL+S_RFCACL. (How secure would that be? ) What I am asking for is between here and there. Such as, “it would take someone who can program ABAP (and/or other XYZ skill sets), who also has auths to transaction ABC (etc.) in a system that has LMNOP setup in the architecture, and with that these aspects of S_RFCACL would authenticate them, and here’s basically the damage that person could do (which they could not do otherwise) if they had all that.” I also think that "LMNOP" is underused in examples.

Julius von dem Bussche wrote:


It is high up on the list of misuse candidates, and there is not effective way to prevent a person from discovering which users have SAP_ALL as a myriad of search helps in SAP provide the option to F4 users by Profile name. Searching for users by objects and authorization values is in contrast protected by SUIM access or table access. This is particularly true for non-Dialog users which can then easily be entered into external RFC connections without requiring knowledge of the target system password anymore.

The salient point I see here is that people in that system can see which users have SAP_ALL. Agreed/point taken. However, the next step is “why should I be concerned with such a thing in this use case?”

I think you attempt to answer that question with your comment about “can then easily be entered into external RFC connections.”

However, I do not yet see how this could happen. Are you speaking of someone who has access to create RFC Destinations? If so, only Basis has SM59 and S_ADMI_FCD to NADM … done. Otherwise, how easy (or even plausible) is it really for someone who has their normal, non-SAP_ALL QA access in a non-ECC system to get to a place where they can control the user launching across to the target ECC QA system. I don’t think that’s a hack, so I don’t mind asking, do you have a practical example of how one could do that? Ultimately what I hope to find is what auths they need on the non-ECC side in order to do that.

Julius von dem Bussche wrote:


In the semi-likely event of the SAP system loosing cabin pressure due to S_RFCACL access granted to passengers, an oxygen mask will drop from the ceiling above the pilot's seat only...  :-). SAP themselves have not included this object by default into any roles outside of the Z and Y namespace, it is not included into SAP_ALL automatically, in higher releases you cannot via SU24 nor the "distribute full value to open fields" button in PFCG provide any * access to some of the fields. You definitely granted this access yourself and it is optional to have used trusted RFC anyway.

Funny, but I’m sorry -- this bullet amounts to, “SAP does it, therefore we should, too.”

This is the same SAP that, in a semi-recent support pack on my systems, changed how they applied roles to transports (i.e., now only truly adding the role data upon release) apparently only to account for those (few? inexperienced?) SAP Security admins who could not remember to add/re-add a role to a transport before releasing it. In doing so, they have made it significantly harder for us to distribute roles within our multi-client development systems before we release to QA (i.e., no more SCC1). This is the lead we should follow?

This is the same SAP where I have no hair left when dealing with most of my incidents because the processors don’t read or don’t understand the situation presented, often even at the higher levels, even when written painstakingly clearly.

And this is the same SAP that provides paltry security training which essentially forces one to take a class in an entire product in order to learn any security about it in a classroom setting. So beyond ADM940, HR940, and BW365, we are left to on-the-job crash-course training for just about every other product.

I suspect you don’t do everything Microsoft tells you to do, either.

No, if there is anything I have observed about SAP over the years, it is that shockingly few in the organization really know (and/or care) about the authorizations/security aspect of their product. I don’t give them much credit just because they are “SAP” – I listen to what the individuals have to say before I can respect their opinion.

I understand that building/maintaining SAP is a monumental task, and they have given me jobs for many years, but what they do is deliver a mostly generic product and tell us what all the levers and dials do, and it is up to us (the “royal” us) to understand what we are given and decide how to change and customize it for our own environments. Their opinion on that does not rule. They include a flag that allows what I am suggesting. So, all points that boil down only to “SAP does it” or “said so” or “made it hard” for unspecified reasons are not impactful in this discussion. As I said, I am looking more toward practical examples.

Julius von dem Bussche wrote:

That is a much safer approach than turning everything on by default and expecting diligence and audits to bend it back again - we know how that works from the past and don't want to go back there.

Wait, just remember the use case here. Don’t make it sound like I am giving SAP_ALL to everyone permanently in Prod. This is about temporary access in a non-Prod system (while admitting many non-Dialog IDs have SAP_ALL essentially permanently, but still not knowing exactly how that matters). In our case, only our Prod systems even get audited, so that’s a moot point for me.

We’re not talking about going back to SU02 and manual profiles here, but you make the addition, and working around of, one object sound a lot like that. And I still don’t know exactly why. This is the kind of overblowing of smoke I would like to avoid. I don’t want the 100% safest approach; I want “safe enough” (as determined by "us"). So I want to know why in order to determine what’s safe enough for our environment.

But here is your best response so far (and it wasn’t even to me … wahhhhh). Though it doesn’t intentionally address my use case, because in my case you are jumping systems into an ID you know has SAP_ALL on purpose (otherwise, you don’t have S_RFCACL with stars on your normal account), but the answer does shed some important light.

Julius von dem Bussche wrote:

Colleen Hebbert wrote:
The other part that confuses me is if it is trusted then it's still your account. So even if I do have the access to jump systems I still need authorisations against my account to execute items in the target system (unless dodgy code is the risk here?)

If you have not activated the "equals user" field of the object OR you have not restricted the "RFC names" field for the users when activated to 'Yes", then you can, from any client of the remote system with a trusted system entry in the target, logon as any user you want to as long as you can find their name as having SAP_ALL, as long as you in the source system have either access to SM59 OR have access to execute function modules (see SAP note 587410).

Game over and I cannot see any implementable way of preventing that from happening, except for only granting trust at all to systems within the same user administration AND being very restrictive with S_RFCACL for all users in the system, particularly non-Dialog SAP_ALL users who will not notice or complain if their user IDs are used and you will probably never notice the misuse either.

Very, very good points there. This is getting at what I’m looking for. I agree about not noticing the non-Dialog users. I’m not yet sure this is “game over” though.

So what you are saying is (skipping over SM59, previously/easily addressed): If someone can execute a function module from the source system (so, SE37 with S_DEVELOP 16 to type FUGR or the like) as part of their normal authorizations, someone I didn’t intend to have SAP_ALL in either system, they could use said access to call that same function module (if it exists) over on the target system as any ID they can determine has SAP_ALL on it. Is that what you are saying?

Now we have a real discussion here. So my follow-ups are:

• Still, can they really control which ID they are using to RFC into the trusted target system if their ID exists in both systems? (repeat of question above)
• If there is a non-trusted RFC destination from that same source to that same target using a static ID that has SAP_ALL, is that not exactly the same thing? (Yeah, I need to look into that. ) Except that they can’t control the ID in this case, of course …
  • … or can they switch the ID if the non-trusting RFC uses “current user”?

• This all is still governed by having trust between the 2 systems, correct? I have no fear of someone jumping from SRM QA to ECC Prod, or even ECC Dev to ECC QA, if there are no trusted RFCs between them. Of course! (Right?) This is what you mean by “except for only granting trust at all to systems within the same user administration”? That was part of my Background Architecture.

• Finally, back in the day, I'd think this would not apply to “Background” IDs, which we don’t have anymore. I assume Dialog, Service, Communications are all in play here today, but do we have the luxury of not worrying about System IDs in this scenario? (I cringingly expect not.)

Thanks for a rousing discussion so far.

Be careful about assuming too much, Julius. You have made an incorrect inference that tells me you have not been inside this organization.

The systems of which I speak contain no patient data (and I won't be mentioning what we do use for patient data). My comments also do not speak to the level of auditing that takes place outside the systems. And a discussion of all of the layers of security to even get this far is also out of scope here.

And if you are referring to the non-Dialog SAP_ALL IDs, remember that the given use case is non-Prod ... and, really, who does not have that situation below Prod? I'm just admitting we are as imperfect as nearly everyone else.

So, I see where you're coming from and appreciate you looking out for me and all, but I think we're good here. I also hope this will not be your final response on this thread.

So, I take it you will not be responding to the 3.5 bullet points above that, which were listed in relative order of importance (and you only picked the last/least one)?

BTW, given the attitude, 3rd bullet point doesn't really need an answer. It's just re-stating the obvious and keeping the scope narrow, which you seem to insist on expanding.

Julius von dem Bussche wrote:

ps: As such changes to default behaviour (particularly if they are heading in the direction of less secure) are likely to be classed as a development request, perhaps a better bet for you is to launch your thoughts via ASUG?

Opening an OSS note will with little doubt lead you to SAP Note # 11.

Another option is the SCN Security Functionality Wishlist -> Security Functionality Wishlist-Topics - Security and Identity Management - SCN Wiki  - it has a good hit rate if the idea is well thought out, which in this case I have my doubts about.

You are welcome to refer to this discussion in all 3 which promises to continue to be lively, up to you. But I have some doubts that in this case community motivation will have much impact, even with the "We are customer" slogan from one auditor and references to other frustrations you have added... 🙂 (I did not comment on them as they are irrelevant to this discussion - but feel free to open threads about them as well - also interesting stuff and backgrounds to it, but I do also understand your frustrations with some of them combined with old habits - I am well versed in that, but that is just me).

Cheers,
Julius

Well, now it's just clear that you have no idea what I'm asking anymore. You seem to be having your own conversation now.

This is a flag, among many others, which can be set one way or another without a development request. Or did they not teach you that in your SAP classes?

The only question on the table is, what is the *real* risk of setting that flag? If it was never to be used, it wouldn't be there.

So, anyone else want to actually address the question/discussion being had here? I welcome all comers (if you keep it on topic).

Hi Gretchen,

I really don't want to have a back & forth about this, but I also can't have you unjustifyably publicly framing me as someone who is rude, out of line, demanding free consulting, etc., especially based in error. And you, of anyone else here, know me better than that. Or at least I thought so.

I think of you as a fan of debates, Gretchen, so I think you will agree that I deserve a rebuttal to your comments here, so I will offer a polite one to clear my name and be done with it.

Gretchen Lindquist wrote:

Steve Quinn wrote:

So, I take it you will not be responding to the 3.5 bullet points above that, which were listed in relative order of importance (and you only picked the last/least one)?

Steve,
IMHO that was pretty rude and not really consistent with SCN's Rules of Engagement.

I politely disagree. I think that you assume too much intent here.

I ended my post with 4 bullet points + one inset (which I refer to as 4.5 bullet points; not numbered, just counting them). I think a fair, understanding read of them is clearly that the first 2 bullets were real, important questions, absolutely critical to furthering the discussion, and that the second 2 bullets were only confirmatory (basically throw-aways, but wanted to double-confirm and round out the whole picture, anyway).

Fact: Only the last one was responded to. Even if I give you that the importance of each bullet was not clear, I was asking if that would be the end of the answers on those bullets, or if there was an intention to come back around and address the other bullets. In my mind, the first 2 bullets were/are critical to move forward. That was not a demand nor an expectation; only a question, and a fair one, I think. If Julius did not intend to answer, that's fine, he didn't have to and anyone else could ... or not. I never once insisted that Julius must answer my question(s). Whether or not I phrased that question rudely, I think that accusation is arguable and up to broad interpretation. Please understand.

However, IMHO, the following were blatantly rude (esp. the first one), given what was in this thread at that point (e.g., 17-years experience, demonstration of knowledge, etc.).

Julius von dem Bussche wrote:

Are state hospitals in the US not expected to have security training, pen-tests, adhere to some sort of minimum security requirements which are reasonably up-to-date?
...

I would suggest ADM960 for you.

...

... if the idea is well thought out, which in this case I have my doubts about.

The first one especially was a direct attack on my knowledge, training, experience, and ability to do my job, apparently based only on a merely confirmatory throw-away question that I basically already knew the answer to. And the last one is based on something I never suggested, was created entirely by Julius, and is now wrongly believed by others.

But I did not complain about that overt rudeness. I have seen Julius treat people as such in other threads. I think there is overwhelming evidence here (that I need not cite) that I treated Julius in a very friendly and fun manner, even being a fan (while also challenging his ideas), at least up until that point. But I will admit that these (his) comments did put quite a chill on the conversation going forward. I just wanted to brush aside his rude comments and get to the back to the heart of the question, i.e., the other bullets. Perhaps that "brushing aside" is what you were reading into my comments as rude (which was still just asking a question).

Gretchen Lindquist wrote:

Julius, and in fact any of us here, does not owe you a(nother) response. SCN is not free consulting on demand. Members are free to post their questions, and members including Moderators respond as they are able.

I am in complete agreement with you with this. I never said that Julius or anyone owed me anything. (And I don't know what this business is about moderators.) As I said, I was asking if he was going to answer those bullets or not. That's all, and I think when someone skips over critical bullets, that's a fair question for the sake of keeping the discussion moving. He could have responded "no" sometime next month, or never, for all I care or expect, and that would have been fine.

I also believe someone else out here other than Julius has capacity to answer these questions and can jump in if/as they choose. The point, from the beginning, was to have a challenging, thought-provoking technical discussion on this topic with whomever wants to.

Gretchen Lindquist wrote:

Julius has already given you quite a bit of time in well-reasoned responses ...

Well, this is the one thing I say you have in error. Lots of posts have passed since then; don't incorporate them into that moment. Remember, at the time I made my post you questioned here, all that Julius provided was 2 responses (one each to me and Colleen), and when I picked those apart and asked for more more focused/specific info, he only provided challenges to the data in my systems (which he doesn't know and is irrelevant and out of scope), his response only to my last bullet (which I took to be rude to boot), and a silly offer for me to take his idea that I wanted to change SAP standard and post that idea to three other places. So, while I can give you that took him some time, I can't fairly call them all "well-reasoned" or agree with your unspoken implication here that the "well was dry" and there was nowhere else practical to go with this.

Gretchen Lindquist wrote:

If you want to change the way SAP delivers SAP_ALL ...

I don't. I never did. Julius made that up and ran with it. I challenge anyone to find evidence of that in any of my posts in this thread (but I wouldn't recommend anyone wasting one's time with that ... it's just not there).

So, Gretchen, I love ya, I really do. And I appreciate where you were coming from. But I had to set the record straight on me here. Sorry we had to do this publicly.

Bullying, eh? Really, Julius? My words – twisted again. I am not giving advice. This is a technical forum for the sake of information.

But I have strong doubts you actually want answers to these questions because the record here indicates you are much more interested in character assassination, which I now have to make one final response to (because silence = consent). And then you can call me whatever you want after that.

Unfortunately, what this thread is riddled with is nasty, incorrect characterizations (as if you would know). Is it really necessary to completely discredit a fellow member of your field, to the point where no one will listen to him again, just because you find him on the “wrong” side of one argument (which was never originally intended to be an argument at all)? Rhetorical: no, that is not necessary.

But, fine. You “win” … a thread that was never supposed to be about winning or losing … only sharing and understanding. Since we apparently can’t have a pure technical discussion about this, you get to win.

The elephant in the room for me is why someone of your talents feels the need to descend to that level of interaction in order to make your case, instead of simply “winning” on the technical arguments alone, which you are obviously more than capable of doing. Yours is a tactic normally reserved for those who have no point or no leg to stand on … but you do have those. So I don’t get it. It's quite disappointing and perplexing, actually.

But I have no room in my life for that level of negativity, so I’ll simply wish you well and safe travels.

=====

P.S. If anyone now or in the future ever did want answers (out of curiosity?) …

- I never once suggested adding S_RFCACL to SAP_ALL in SolMan, which I believe would be necessary for anyone to be able to hop through there. Since my original post, that’s never been an intended use case. For that matter, doesn’t “hopping further” require S_RFCACL in the next target? This thread makes it sound like S_RFCACL in one system amounts to a blank check into all other systems. Unless granting S_RFCACL in ECC QA somehow gives someone access to hop through a Solman that does not have S_RFCACL setup … which would be new and surprising information to me here.

- We have the ability to stop transports in QA when there is a reason that is necessary. I assume others do, as well.

- Further, on “creating whatever RFCs I want to,” even if I achieved full SM59 access in ECC QA from outside it, I wouldn’t be able to create non-trusted RFCs into a Prod system, because I don’t know the passwords of the target SAP_ALL IDs. And I imagine I wouldn’t be able to create a trusted RFC into Prod if there’s no S_RFCACL in Prod waiting for me (as specified from the start) -- and if I could, that's bad.

- We certainly have no existing Trusted RFCs between QA and any Prod system, which is the only thing relevant here (except SolMan “Prod”, covered above) -- if there were non-trusted RFCs from QA into Prod, we’d have an existing problem not related to S_RFCACL.

- We do have a Gateway for each level of landscape, so QA has its own.

- I have not tried it yet because, as I mentioned/asked at least 3 times here, I don’t know how. And that “how” is not in ADM960 (I checked). That’s what I’ve been asking for -- a practical example. I don’t even want you to tell me at this point, but I also don’t understand why you would expect me to already know it when I’ve made it quite clear otherwise. So, until I can, I’ll have to take your word for it.

Thank you, Greg, for being someone who can point out problems with a theory without malice. Although 1416085 doesn't answer this technically enough, your broad perspective is very much appreciated and is worth reflection.

Now, if ever a thread needed a bow to complete it, this is one. And that bow will be, “why did this all happen?” It’s actually quite simple …

• Them: That incident with troubleshooting that access took too long. What happened?

• Me: Well, we gave him SAP_ALL but that wasn’t enough. Troubleshooting finally uncovered that he needed S_RFACL for this. That’s not in SAP_ALL. But we didn’t have a role in that system/client with S_RFCACL; in fact, we don’t really have one for that anywhere. We’ve never needed it. We had to come up with something. So this took longer than we would have liked.

• Them: Well, why isn’t this object in SAP_ALL? It is SAP “ALL”, isn’t it?

• Me: Well, S_RFCACL is treated differently, kind of special. Let me look more closely into it.
• << cue: research leading to Note 1416085 >>

• Me: SAP doesn’t put S_RFCACL in SAP_ALL on purpose because they say that would be very bad … “you allow the logon from any system, client, or any user” ... somehow. But not without trusted RFCs, I’d imagine. And that would only apply to people with SAP_ALL for the time you give it. Interestingly, there’s a flag mentioned here that could incorporate S_RFCACL into SAP_ALL by default. If we really wanted to do this to avoid this in the future, it seems we have a decision to make. Should we use this flag SAP offers or should we create a ready role with S_RFCACL in it in every client?

• Them: Well then, what would be the real risk of incorporating it? Can it be mitigated and how easily?

• Me: I don’t know. Let me find out.
• << cue: setting up a test environment, not knowing how a malicious person could get in, Googling & reading (neither went anywhere), and creating this thread >>

So, now what I have to show for it is: having a somewhat better idea of how a malicious person might get in (well, that’s something) without being able to answer all of "their" questions, withstanding personal attacks as if this is reddit or Twitter, and having old friends turn on me (well, that’s something, too, I guess).

But at least I now feel fully qualified to write a post entitled, “How to End Your Career and Years of Good Will in Just One Thread.”

The quick answer: “Publicly question anything the target audience apparently holds as sacred, no matter how well-intentioned the reason, no matter how you try to frame and limit the discussion to the technicals. And then don’t just give in immediately ... try to press on in the hopes of getting answers for you and your people.” Yeah, I didn’t see that coming until it was too late.

Anyone who might have had a similar conversation or supported the original intent is surely in hiding in that bunker in Oregon after witnessing this crucifixion. I wouldn’t recommend anyone Like this, either … too risky to be associated.

Since I don’t have someone like Julius here to bounce this off of at my desk, I figured someone in the community knew, so I tried to hold a public, technical conversation to flesh this out.

It failed.