Home > IT Answers > SAP > SAP Security outside in
Help

Question

  Asked: Apr 2 2008   3:16 PM GMT
  Asked by: 1112gene

SAP Security outside in


SAP, VB, Security Program Management, SAP security, Visual Basic

Question,
I came to this company 1yr ago and noticed immediately they had not implemented Security!!! SAP_ALL for everyone in Production!!!
So as my second BIG project I took on, Security. In building the profiles for these people I came across 2 problems which are holding me from rolling out these profiles I built, which are based on the same problem, an outside system coming into SAP.
Since everyone had SAP_ALL or NEW we had no problems but restricting the Authority has shut down the operation and accessibility of these 2 outside systems which are very necessary.

1st problem and biggest is we have a VB frontend to SAP for easy order taking for Custom Service Dept.
I found out the design/programmer used a VB call into SAP via a VB BAPI that will allow MS into SAP.
He did not setup an RFC via SM59 or a Trusted RFC, and has no call for Call Function: for Authority_Check_RFC in the VB program, which prevents the Login and Security check being passed allowing access!

I told them this would not work with out the Call Function: from the VB program as a start and if it doesn’t work we need to do the RFC via SM59 or STV1.

It’s gotten personal and they think I have not setup S_RFC with proper Authorization but in order to do that you need Object Group AAAB, take S_RFC and throw out the rest, but I still don’t see that as a solution w/o the Call Function in the VB program!
What say you?

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: Jul 2 2008  1:45 PM GMT  by Sapsecurity28




hi,

i don't know much about VB...

but its UNBELIVEABLE that all the users in your company are using SAP_ALL.

the risks to this, is simply unquantifiable...

if a VB application is connecting to your SAP system to view information, like you said,

there has to be an RFC connection between both systems,

in which case the Target host and IP addresses would have to be defined in SM59...

and an appropriate system user created or setup (maybe ALEREMOTE) to be used for logon across both applications.

doin this means that setting up the Authorization Object S_RFC...under Object Class AAAB.

you will also need to re-build from scratch (define as per the business, build and implement, test, and deploy a whole new security & authorization design) for your company. this is very, very important.

make use of TX SU24 as is necessary to maintain the Transactions and Authorization Objects required by your users.

it will take a lot of effor and time as you will have to refine your design as to enable you capture for each business unit and role, only the Authorization Objects and Transaction, that they only need.

chumy
  • AddThis Social Bookmark Button

Browse more Questions and Answers on SAP, Development and Security.

Looking for relevant SAP Whitepapers? Visit the SearchSAP.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register