SAP_ALL, not for dialog users

Question: Hi,

I am in a finance module in an organization. Our auditors have pointed out that 7 users have been attached the SAP_ALL profile. When I went to the BASIS guy, he told me it is not a risk because all 7 users are not dialog users. Can somebody comment on that?

Regards,
Marja

Answer:
It all depends. How many dialog or communication users have S_BATCH_NAM with one of the non-dialog users in the name field? These users effectively have SAP_ALL.
How many of these user IDs are attached to communication users that have a password stored in transaction SM59 (or an external sideinfo file) in any of your systems?

I am afraid your basis guy is a total naif about security.

Answer:
Guest is correct: the SAP_ALL users may not be dialog users, but there is a reasonable likelihood that they can be used by people with certain auths.

If you want to fool the auditors, rename the SAP_ALL profile to something different. Most won't pick this up; however, I don't recommend this course of action.

Answer:
And make sure the non-dialog user's password is not easily guessable, even though they cannot log on directly in SAP.

If the password is easily guessable, they can be used via Excel / BAPIs etc.

Answer:
No user should have SAP_ALL permanently attached, even SAP*. There are too many back doors that let you use that access (i.e. reference user, USRBF2, UST04 etc.).

Answer:
Hi Guys,

Thanks a million for your replies. I will take it up with the basis guy, but since he talks in technical lingo, can you please help me (in slightly non-techie language) regarding how and in what circumstances a dialog user can access a non-dialog ID? That would be of great help.

Thanks & Regards
Marja

Answer:
1. Scheduling jobs in SM36 and/or SM37. Not all reports just regurgitate data; some do things.
2. Potentially SM35.
3. Reference user field in SU01 (the error message is configurable).
4. Direct table manipulation of USRBF2, UST04 via SE30, SE37, SE38, to name a few.

And the list goes on...
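The checks asked for in the first answer (S_BATCH_NAM values pointing at the SAP_ALL users, SM59 destinations with a stored password) and items 1 and 3 of the list above (job scheduling under another user, the SU01 reference user) can be run as a small offline audit over table extracts. The Python below is an added example, not code from this thread or from SAP: the user IDs, profiles, destinations and row layout are constructed stand-ins for extracts of USR02 (USTYP), UST04, the users' values for authorization object S_BTCH_NAM, field BTCUNAME (the object the thread calls S_BATCH_NAM), USREFUS and RFCDES/SM59. Only the table, object and field names are SAP's; everything else is assumed for the example.

```python
# Added example: an offline check for the indirect routes to SAP_ALL raised in
# this thread.  All data below is constructed.  In a real audit you would pull
# it from USR02 (USTYP), UST04 (profiles), the users' S_BTCH_NAM/BTCUNAME
# values (SUIM or UST12), USREFUS and RFCDES/SM59.  Table, object and field
# names are SAP's real ones; the row layout here is an assumption.

# USR02-USTYP: A=dialog, B=system, C=communication, S=service, L=reference
USER_TYPE = {
    "FIN_MARJA": "A", "BASIS_BOB": "A", "WF-BATCH": "B",
    "ALEREMOTE": "C", "RFC_XLS": "C", "REF_ADMIN": "L",
}

# UST04-style profile assignment: user -> set of profiles
PROFILES = {
    "WF-BATCH": {"SAP_ALL", "SAP_NEW"}, "ALEREMOTE": {"SAP_ALL"},
    "REF_ADMIN": {"SAP_ALL"}, "FIN_MARJA": {"Z_FI_DISPLAY"},
    "BASIS_BOB": {"Z_BASIS_OPS"}, "RFC_XLS": {"Z_BAPI"},
}

# Object S_BTCH_NAM, field BTCUNAME: user names a job step may run under.
# SAP authorization values use '*' as a trailing (or sole) wildcard.
BTCUNAME = {"BASIS_BOB": ["WF-*", "ALEREMOTE"], "FIN_MARJA": []}

# USREFUS: user -> reference user whose authorizations are added at logon
REFUSER = {"FIN_MARJA": "REF_ADMIN"}

# SM59 / RFCDES: (destination, logon user, password stored in destination?)
RFC_DEST = [("PRD_XLS", "RFC_XLS", True), ("ALE_PRD", "ALEREMOTE", True),
            ("TRUSTED_PRD", "", False)]


def auth_value_matches(value, name):
    """SAP authorization value match: exact, or trailing '*' wildcard."""
    if value == "*":
        return True
    if value.endswith("*"):
        return name.startswith(value[:-1])
    return value == name


def sap_all_non_dialog(profiles=PROFILES, user_type=USER_TYPE):
    """Non-dialog users (USTYP != A) carrying SAP_ALL: the auditors' finding."""
    return sorted(u for u, p in profiles.items()
                  if "SAP_ALL" in p and user_type.get(u) != "A")


def via_batch_name(btcuname=BTCUNAME, profiles=PROFILES, user_type=USER_TYPE):
    """Dialog users whose S_BTCH_NAM values let them schedule a job step
    (SM36) under a SAP_ALL non-dialog user.  Returns {user: [targets]}."""
    targets = sap_all_non_dialog(profiles, user_type)
    hits = {}
    for user, values in btcuname.items():
        if user_type.get(user) != "A":
            continue
        reach = sorted(t for t in targets
                       if any(auth_value_matches(v, t) for v in values))
        if reach:
            hits[user] = reach
    return hits


def via_reference_user(refuser=REFUSER, profiles=PROFILES, user_type=USER_TYPE):
    """Dialog users whose SU01 reference user holds SAP_ALL."""
    targets = set(sap_all_non_dialog(profiles, user_type))
    return {u: r for u, r in refuser.items()
            if user_type.get(u) == "A" and r in targets}


def via_rfc_destination(rfc_dest=RFC_DEST, profiles=PROFILES, user_type=USER_TYPE):
    """SM59 destinations that log on as a SAP_ALL user with a stored password:
    anyone allowed to use the destination inherits that user's authority."""
    targets = set(sap_all_non_dialog(profiles, user_type))
    return sorted((d, u) for d, u, stored in rfc_dest if stored and u in targets)


def report():
    """All findings in one dict, keyed by the route to SAP_ALL."""
    return {"sap_all_non_dialog": sap_all_non_dialog(),
            "via_batch_name": via_batch_name(),
            "via_reference_user": via_reference_user(),
            "via_rfc_destination": via_rfc_destination()}


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

On the constructed data the script shows the point the answers are making: the SAP_ALL holders are all non-dialog (one system, one communication, one reference user), yet BASIS_BOB can run a job step as two of them through his BTCUNAME values, FIN_MARJA inherits REF_ADMIN's SAP_ALL through the reference user, and the ALE_PRD destination hands ALEREMOTE's authority to whoever may call it. A real run would also have to treat a BTCUNAME value of plain `*` as reaching every target, which the matcher already does.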

Answer:
Do you have WORKFLOW implemented and the user is non-dialog and has SAP_ALL?

Answer:
Non-dialog users can also execute functionality via RFC and make use of the SAP_ALL.
