10-09-2007 8:48 AM
Hi there,
Just wondered whether anyone has come up with this issue yet, and if so, how did you get round it.
We currently produce Vendor payment files - through normal standard SAP payment program F110. This in turn creates a file for export into our banking system. We need to save this file from SAP into a folder, and then from our banking system, pull the payment file into the banking software.
Because of this we need to give full access to the folder to various people to allow them in the first instance to save the file to the correct path, however this means that the files that we store in this path can therefore be modified.
The banking system that we are using is HSBCnet, and we have spoken to them and they cannot suggest any way around this to comply with SOA.
Any ideas anyone?
All suggestions welcome!!
Regards
Jackie
10-09-2007 9:47 AM
Hi Jackie,
This sounds quite tricky; as you say, as soon as you give people access to the folder with the ability to drop the files in there, then they are open to modification. Even if you allow users to manually s/ftp the files into the folder, they will always be able to overwrite the stored file with one of the same name and altered values.
Writing the file to write-once media would be an option but impractical if you need to pull the file into the banking software.
An option would be to modify the F110 payment programme to s/ftp the file to the network location. The ftp user would have write access to the folder and the rest have read access.
Alternatively you could get F110 to write the file to an arbitrary folder (without general access for the people mentioned) and have a custom programme that ftp's the file over to the folder that the banking software will pick the file from (ensuring read only access there for the users).
You could put a detective control in place e.g. checksums on the files or change logging on the folders, though I'm not sure if either would be adequate or appropriate.
If I can think of any other ideas I'll add them on here.
Cheers
Alex
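The "checksums on the files" detective control mentioned in the post above, worked through as an added example (this code is not from the thread or from SAP/HSBCnet). It assumes the payment program, or a wrapper around it, records a manifest for each file at creation time and the banking-side pickup verifies it before use. The sample payment lines, file names and key are constructed for the demo; a plain checksum file stored in the same shared folder could simply be recomputed by whoever edits the payment file, so the manifest carries a keyed HMAC and the key must stay with the producing and verifying processes, outside the shared folder.

```python
"""Added example: integrity manifest as a detective control for a payment
file that passes through a shared folder. Not code from the original thread."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample payment file (fictional vendors and amounts).
SAMPLE_PAYMENT_FILE = (
    "VENDOR_ID;NAME;AMOUNT;CURRENCY\n"
    "100001;Example Supplies Ltd;1250.00;GBP\n"
    "100002;Sample Services plc;980.50;GBP\n"
)


def sha256_of_file(path):
    """Stream the file through SHA-256 so large payment runs are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(payment_path, manifest_path, key):
    """Record size, SHA-256 and an HMAC over the digest.

    The key is held only by the process producing the file and the process
    verifying it, so someone who can edit the payment file in the shared
    folder cannot also produce a matching manifest."""
    digest = sha256_of_file(payment_path)
    manifest = {
        "file": os.path.basename(payment_path),
        "size": os.path.getsize(payment_path),
        "sha256": digest,
        "hmac": hmac.new(key, digest.encode(), hashlib.sha256).hexdigest(),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_manifest(payment_path, manifest_path, key):
    """Return (True, 'ok') or (False, reason).

    The keyed MAC is checked first so a rewritten manifest is rejected before
    any of its contents are trusted."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    expected_mac = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["hmac"]):
        return False, "manifest hmac mismatch"
    if os.path.getsize(payment_path) != manifest["size"]:
        return False, "size mismatch"
    if not hmac.compare_digest(sha256_of_file(payment_path), manifest["sha256"]):
        return False, "sha256 mismatch"
    return True, "ok"


def demo():
    """Run the control over a constructed file: untouched, edited, and edited
    with a manifest re-created without the key. Returns the three results."""
    key = b"constructed-demo-key-kept-outside-the-shared-folder"  # placeholder
    with tempfile.TemporaryDirectory() as d:
        pay = os.path.join(d, "PAYMENT_20071009.txt")          # constructed name
        man = os.path.join(d, "PAYMENT_20071009.manifest.json")
        with open(pay, "w") as f:
            f.write(SAMPLE_PAYMENT_FILE)
        write_manifest(pay, man, key)
        untouched = verify_manifest(pay, man, key)
        # One amount altered in the shared folder; file length is unchanged,
        # so only the digest reveals it.
        with open(pay, "w") as f:
            f.write(SAMPLE_PAYMENT_FILE.replace("1250.00", "9250.00"))
        edited = verify_manifest(pay, man, key)
        # The editor also rewrites the manifest, but without the real key.
        write_manifest(pay, man, b"some-other-key")
        forged = verify_manifest(pay, man, key)
    return untouched, edited, forged


if __name__ == "__main__":
    print(demo())
```

Running the module prints `((True, 'ok'), (False, 'sha256 mismatch'), (False, 'manifest hmac mismatch'))`. In practice the manifest would be written by the same restricted account that drops the file (or to a folder the general users can only read), and the banking-side import would refuse, and log, any file whose verification fails; that gives the change evidence an auditor can review without trying to make the shared folder itself tamper-proof.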
10-09-2007 6:15 PM
A compensating (albeit rather low-tech) control would be that the person running the payment program or accessing the files, is not the same person reconciling the bank statement or posting any business entries to the bank accounts. You can also rotate the tasks between different people if you have the headcount. Not bullet-proof either, but it would help.
Remember, the server admin, or a developer, or security admin, or basis consultant, or anybody running a generic program for file system operations, etc., might change / download, delete and replace the file as well.
Kind regards,
Julius
10-10-2007 9:06 AM
Good call, Julius, sounds like a good candidate for compensation/mitigation - if that is acceptable. I'm not familiar with SOA requirements unfortunately so can't comment on that part.