Application Development Discussions

Authorization Checks on RPLINFC0

Former Member

Has anyone found a way to secure program RPLINFC0? This program shows HR master data and contains no auth checks to set security against. So, anyone who has access to run SE38 or SA38 has access to this data. Any help is greatly appreciated.

Thanks,

Marnie

1 ACCEPTED SOLUTION

Former Member

Actually this program is also set up for tcode - PC00_M02_LINF0.

And it looks like the auth object P_ORGIN is checked.

4 REPLIES

Former Member

I checked around for some infos on it.

It seems to be very popular amongst HR consultants, not because of any possible missing auth checks but because of the useful infotype overview it delivers.

It seems to have been originally developed for Switzerland HR reporting, but can be used by other countries as well.

Whether the HR data is returned by the report might have something to do with entries in table T777D according to SAP notes.

Of course, you can use S_PROGRAM object to restrict access to submit the report (see the documentation on report RSCSAUTH for more on that) and you can report it to SAP via the Service Marketplace (service.sap.com) or to security (at) sap (dot) com. Relying on the user not having access to SA38 would not be a sufficient control in this case, in my opinion.

Cheers,

Julius

Frank_Buchholz
Advisor

Having a close look at the execution level authorization (Who is allowed to execute the report?) and the application level authorization (Which data can be processed?) I can state the following:

Concerning the execution level authorization you should work with Julius' proposal: Assign a report authorization group using report RSCSAUTH to activate an authorization check for S_PROGRAM. (This recommendation is valid for almost all reports.)

Concerning the application level authorizations for P_ORGIN I've checked the report RPLINFC0 in an SAP ECC 6.0 installation (basis 7.0).

Result: The correct authorizations are checked:

P_ORGIN RC=0 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0105;SUBTY=0010;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0105;SUBTY=0020;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0003;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0006;SUBTY=1;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0008;SUBTY=0;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0009;SUBTY=0;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0017;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
...

Well, there is no explicit authority check coded into the report, but this is perfectly fine because the usual HR development framework for retrieving data is used: At some stage the function HR_READ_INFOTYPE is called which performs all necessary authorization checks.

Kind regards

Frank Buchholz

Former Member

I take the liberty of assuming that JC's answer and Frank's confirmation with more comments have answered your question.

This "Answered" status is useful for people who use the search.

Cheers,

Julius

PS: A side note from me for any auditors out there: Displaying a program in SE38 etc. and searching for the statement "AUTHORITY-CHECK" is not a complete check. It does not necessarily tell you about the runtime security checks of the program when it is executed by a user. Often, checks which cannot be changed in the debugger or not found...
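As an added illustration of Frank's trace and of Julius' side note (the checks that count are the ones raised at runtime, not the AUTHORITY-CHECK statements a source search finds), here is a small Python parser for authorization-trace lines in the format quoted above; it is not code from the thread or from SAP. The sample lines are constructed after Frank's P_ORGIN lines, the RC=4 line and the S_PROGRAM line are assumed additions in the same format, and the set of "displayed" infotypes passed to the last function is a hypothetical input an auditor would take from the report's output.

```python
import re

# Constructed sample of authorization-trace lines, modelled on the P_ORGIN
# lines quoted in the thread. The RC=4 line and the S_PROGRAM line are
# assumed additions in the same format: one failed check, one second object.
SAMPLE_TRACE = """\
P_ORGIN RC=0 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0105;SUBTY=0010;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=4 INFTY=0008;SUBTY=0;AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
S_PROGRAM RC=0 P_GROUP=ZHR;P_ACTION=SUBMIT;
"""

# Line shape: <object> RC=<return code> <FIELD>=<value>;<FIELD>=<value>;...
LINE_RE = re.compile(r"^(?P<obj>[A-Z0-9_]+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$")


def parse_trace_line(line):
    """Return {'object', 'rc', 'fields'} for one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(";"):
        if "=" not in item:          # skips the empty piece after the trailing ';'
            continue
        key, _, value = item.partition("=")
        # A quoted blank (' ') is how the trace shows an empty subtype; normalise it to "".
        fields[key.strip()] = value.strip().strip("'").strip()
    return {"object": m.group("obj"), "rc": int(m.group("rc")), "fields": fields}


def summarize(trace_text):
    """Per authorization object: number of checks, failed checks (RC != 0), infotypes checked."""
    summary = {}
    for check in filter(None, map(parse_trace_line, trace_text.splitlines())):
        entry = summary.setdefault(check["object"], {"total": 0, "failed": 0, "infotypes": set()})
        entry["total"] += 1
        if check["rc"] != 0:
            entry["failed"] += 1
        if "INFTY" in check["fields"]:
            entry["infotypes"].add(check["fields"]["INFTY"])
    return summary


def unchecked_infotypes(displayed, trace_text):
    """Infotypes the report displayed for which no P_ORGIN check appears in the trace."""
    checked = summarize(trace_text).get("P_ORGIN", {"infotypes": set()})["infotypes"]
    return sorted(set(displayed) - checked)
```

Comparing the infotypes actually shown on screen against those that raised a P_ORGIN check is the runtime counterpart of the source search Julius warns about.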