This website is not affiliated with, sponsored by, or approved by SAP AG.

SCC8 Auth check S_TABU_DIS


Postby AlainR2000 » Mon Jul 09, 2012 4:09 pm

Hello All,

Any idea why the SAP system requires object s_tabu_dis with act 02 group SS in order to run SCC8?

I want to give access to a clerk to run a SAP_USER client export, which basically only reads a whole bunch of tables and creates a transport request, no data alteration whatsoever, so why is this feature implemented?

I did set the "No control" in SU24 for that object and tcode, but still, it looks like it is hardcoded that unless you have s_tabu_dis 02 with SS, you will not be able to run SCC8.

Can somebody explain the logic behind that behavior? Of course, I was told by SAP... "Works as expected!"

Thank you all !

Shawn
AlainR2000
 
Posts: 21
Joined: Wed Mar 29, 2006 9:36 am

Re: SCC8 Auth check S_TABU_DIS

Postby msr01 » Tue Jul 10, 2012 9:11 am

Hi Shawn,

You've given the answer yourself: "....and creates a transport request...."
Transport requests will be stored in tables.

msr
msr01
 
Posts: 2
Joined: Wed May 30, 2012 11:31 am

Re: SCC8 Auth check S_TABU_DIS

Postby AlainR2000 » Tue Jul 10, 2012 11:30 am

Thank you, but this is not true. We have people creating transport requests (ABAPers) and none of them have access to object s_tabu_dis auth group SS.
AlainR2000
 
Posts: 21
Joined: Wed Mar 29, 2006 9:36 am

Re: SCC8 Auth check S_TABU_DIS

Postby AlainR2000 » Tue Jul 10, 2012 11:34 am

I guess I forgot to mention that the issue is granting auth grp value SS, not s_tabu_dis...

The auditors will flag any user with s_tabu_dis, act 02, grp SS as they are potentially at risk even though they can only run SCC8. I tried changing the auditors' perception, but hey, not achievable short term!
AlainR2000
 
Posts: 21
Joined: Wed Mar 29, 2006 9:36 am
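
The auditors' check described in the post above, as an added example (not code from the thread or from SAP): it flags users holding a single S_TABU_DIS authorization that covers activity 02 and group SS, including through wildcards and ranges. The row layout, user names and authorization names are constructed for illustration; ACTVT and DICBERCLS are the fields of S_TABU_DIS.

```python
from collections import defaultdict

# Constructed sample rows: (user, object, authorization, field, low, high).
# One authorization instance may carry several values per field.
ROWS = [
    ("CLERK1", "S_TABU_DIS", "T_A1", "ACTVT", "02", ""),
    ("CLERK1", "S_TABU_DIS", "T_A1", "DICBERCLS", "SS", ""),
    ("DEV1", "S_TABU_DIS", "T_B1", "ACTVT", "03", ""),
    ("DEV1", "S_TABU_DIS", "T_B1", "DICBERCLS", "SS", ""),
    ("DEV1", "S_TABU_DIS", "T_B2", "ACTVT", "02", ""),
    ("DEV1", "S_TABU_DIS", "T_B2", "DICBERCLS", "ZFIN", ""),
    ("BASIS1", "S_TABU_DIS", "T_C1", "ACTVT", "*", ""),
    ("BASIS1", "S_TABU_DIS", "T_C1", "DICBERCLS", "S*", ""),
    ("OPS1", "S_TABU_DIS", "T_D1", "ACTVT", "01", "03"),
    ("OPS1", "S_TABU_DIS", "T_D1", "DICBERCLS", "SA", "SZ"),
]

def value_covers(low, high, wanted):
    """True if one authorization value (single, pattern or range) covers wanted."""
    if high:                      # from-to range, compared here as plain strings
        return low <= wanted <= high
    if low.endswith("*"):         # "*" or a prefix pattern such as "S*"
        return wanted.startswith(low[:-1])
    return low == wanted

def flag_users(rows, obj, required):
    """Return users holding ONE authorization for obj that covers every required
    field value. Values spread over different authorizations do not count."""
    auths = defaultdict(lambda: defaultdict(list))
    for user, o, auth, field, low, high in rows:
        if o == obj:
            auths[(user, auth)][field].append((low, high))
    hits = set()
    for (user, _auth), fields in auths.items():
        if all(any(value_covers(lo, hi, want) for lo, hi in fields.get(f, []))
               for f, want in required.items()):
            hits.add(user)
    return sorted(hits)

REQUIRED = {"ACTVT": "02", "DICBERCLS": "SS"}

if __name__ == "__main__":
    print(flag_users(ROWS, "S_TABU_DIS", REQUIRED))
```

DEV1 is not flagged because activity 02 and group SS sit in two different authorizations, while BASIS1 and OPS1 are flagged through a wildcard and a range respectively.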

Re: SCC8 Auth check S_TABU_DIS

Postby Al. » Wed Jul 11, 2012 8:13 am

Hi,

The whole client copy/export/import function needs to have a reasonably high level of control around it, hence the 02/SS auths. If you think about the volumes of data that support some of the client export options you can see how having for most activities in this area. While you are not changing table contents, a client export will potentially store a huge amount of data on the server which could have serious implications.

Cheers
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SCC8 Auth check S_TABU_DIS

Postby Gary Morris » Thu Aug 02, 2012 11:46 am

Because SAP_USER is an export of the SECURITY, user master records and role assignments. It makes sense to require someone to have at least the authorization mentioned if they are going to export and import the security tables.
Gary Morris
SAP Security Consultant
garydavidmorris@gmail.com
Gary Morris
 
Posts: 399
Joined: Sun Oct 20, 2002 10:42 pm
Location: San Antonio, Texas

