This website is not affiliated with, sponsored by, or approved by SAP AG.

Limit the use of S_RFC - RFC1

SAP Security


Postby Baz » Thu Nov 29, 2012 11:12 am

SAP Standard RFC Connections from SAP PI use standard Auth Objects for the internal/user that connects to SAP ECC.


http://help.sap.com/saphelp_nwpi71/help ... ameset.htm

Depending on the SAP system version, the following authorizations are required to read the metadata (authorization object: S_RFC, ACTVT: 16, FUGR):

Release       Function Groups (FUGRs)
As of 4.6D    RFC1, SDIFRUNTIME, SG00, SRFC, SYST, SYSU

However, the client has asked if it is possible to restrict the programs that can be called by this userid, as they are nervous about the possibility of calling RFC_READ_TABLE_ENTRIES and getting commercially sensitive information.

Is there a way to restrict this?
Last edited by Baz on Tue Dec 04, 2012 7:50 am, edited 1 time in total.
Reason: Unresolved! :o(

Re: Limit the use of S_RFC - RFC1

Postby Al. » Thu Nov 29, 2012 5:34 pm

Hi Baz,

Does the ID have SAP_ALL currently?

If you are just restricting to FUGR = RFC1, SDIFRUNTIME, SG00, SRFC, SYST, SYSU then you can just use S_TABU_DIS to control which tables (or at least tables grouped by table authorisation group) that can be accessed by the ID.

You can also specify the exact FMs that can be executed through S_RFC (check out note 931251) should you wish to take that approach. The ease of deploying the solution depends on what you are using PI for, though.

Cheers

Re: Limit the use of S_RFC - RFC1

Postby Baz » Fri Nov 30, 2012 3:02 am

Hi Al

Thank you for that! :)
That should do the trick.
We want to process some standard BAPIs; however, there was some concern that the Adapter could be hijacked by other developments and bypass security.

regards
Baz

Re: Limit the use of S_RFC - RFC1 -[RESOLVED]

Postby Al. » Mon Dec 03, 2012 4:01 pm

That's a legitimate concern, and the general mitigation is to give the ID just the auths required to do the job. To be honest there are some bigger fish to fry, like securing your RFC gateway (through the reginfo and secinfo files), which is more likely to be exploited.
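Al's point about the gateway ACL files is easy to illustrate. The fragment below is an added example, not something posted in the thread: it shows the secinfo and reginfo files in the #VERSION=2 syntax with the permissive catch-all (what the gateway effectively allows when the files are missing or end in a permit-all line) commented out next to a restrictive version. The host names and the registered program ID PI_ADAPTER are assumptions; replace them with the PI host and the program ID configured in the adapter's RFC destination.

```text
# secinfo: who may start an external program through the gateway
#VERSION=2
# weak: any user on any host may start any program
# P TP=* USER=* USER-HOST=* HOST=*
# restrictive: only users on the application servers themselves, rest denied
P TP=* USER=* USER-HOST=app1.example.com HOST=app1.example.com
P TP=* USER=* USER-HOST=app2.example.com HOST=app2.example.com
D TP=* USER=* USER-HOST=* HOST=*

# reginfo: who may register an external server program (e.g. the PI adapter)
#VERSION=2
# weak: any host may register any program ID and any host may use it
# P TP=* HOST=* ACCESS=* CANCEL=*
# restrictive: only the PI host may register PI_ADAPTER, only the
# application servers may call or cancel it, everything else is denied
P TP=PI_ADAPTER HOST=pihost.example.com ACCESS=app1.example.com,app2.example.com CANCEL=app1.example.com,app2.example.com
D TP=* HOST=* ACCESS=* CANCEL=*
```

The order matters: the gateway takes the first matching line, so the explicit D line at the end is what turns an unlisted registration or program start into a rejection. After changing the files, reload them on the gateway rather than assuming they are picked up immediately, and check the gateway log for rejected registrations before tightening further.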

Re: Limit the use of S_RFC - RFC1

Postby Baz » Tue Dec 04, 2012 7:51 am

Thanks Al

I have unresolved this, as the problem is that the SAP_BASIS version we are on here is 7.01 and this is not available for our version! :( :( :(

Re: Limit the use of S_RFC - RFC1

Postby Al. » Wed Dec 05, 2012 4:29 am

That's a bugger!

Still, if you are using a system ID, restrict it to the RFC FUGRs (RFC1, SDIFRUNTIME, SG00, SRFC, SYST, SYSU) and limit the tables through S_TABU_DIS, then you are in a reasonable position.

If you want to reduce the risk that the ID could be misused then the most basic way is to ensure that only admins have auth object S_BTCH_ADM=Y and end users also don't have access to auth object S_BTCH_NAM with a * or string that allows that ID to be used when scheduling a job.
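The advice in Al's two replies above (first: restrict S_RFC to the function groups and use S_TABU_DIS for the tables; here: the same, plus keeping S_BTCH_ADM and S_BTCH_NAM away from end users so nobody can schedule a job under the service ID) is the kind of thing worth checking offline against a role export before arguing with a security team. The script below is an added example written for this page, not code from the thread or from SAP. It models SAP field-value matching (single `*`, trailing `*` prefix, VON/BIS ranges) over constructed authorisations and constructed lookup tables: the FM-to-function-group map (RFC_GET_TABLE_ENTRIES in RFC1 is taken from the thread; the other entries and the table-to-DICBERCLS groups are assumptions), and the assumption that a table-reading FM checks S_TABU_DIS for the table's group before returning rows. The profile names and the user name PI_RFC are also made up for the example.

```python
"""Offline audit of what an RFC service user could reach, modelled on S_RFC,
S_TABU_DIS and the batch objects S_BTCH_ADM / S_BTCH_NAM.

All role data and lookup tables are constructed for this example; the matching
rules are a simplified model of SAP field-value semantics.
"""
from dataclasses import dataclass

# Assumed FM -> function group mapping. RFC_GET_TABLE_ENTRIES in RFC1 is from
# the thread; the other assignments are illustrative.
FUGR_OF_FM = {
    "RFC_GET_TABLE_ENTRIES": "RFC1",
    "RFC_SYSTEM_INFO": "SRFC",
    "RFC_PING": "SYST",
    "BAPI_SALESORDER_CREATEFROMDAT2": "2032",
}
# Assumed table -> table authorisation group (DICBERCLS) mapping.
TABGROUP_OF_TABLE = {"VBAK": "VA", "PA0008": "PA", "T001": "FC"}
# FMs that hand table contents to the caller; the model assumes they check
# S_TABU_DIS for the table's group before returning rows.
TABLE_READING_FMS = {"RFC_GET_TABLE_ENTRIES"}


@dataclass
class Auth:
    obj: str
    fields: dict  # field -> list of values: 'X', 'X*', '*' or (low, high)


def value_matches(allowed, value):
    """'*' matches anything, a trailing '*' is a generic prefix,
    a (low, high) tuple is an inclusive range, anything else is exact."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= value <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


def auth_grants(auth, obj, **wanted):
    """True if this single authorisation covers every requested field value."""
    if auth.obj != obj:
        return False
    return all(
        any(value_matches(a, val) for a in auth.fields.get(fld, []))
        for fld, val in wanted.items()
    )


def can_call_fm(auths, fm):
    """S_RFC with ACTVT 16, either by function group or, where the release
    supports RFC_TYPE=FUNC (note 931251), by individual function module."""
    fugr = FUGR_OF_FM[fm]
    return any(
        auth_grants(a, "S_RFC", RFC_TYPE="FUGR", RFC_NAME=fugr, ACTVT="16")
        or auth_grants(a, "S_RFC", RFC_TYPE="FUNC", RFC_NAME=fm, ACTVT="16")
        for a in auths
    )


def can_display_table(auths, table):
    group = TABGROUP_OF_TABLE[table]
    return any(auth_grants(a, "S_TABU_DIS", DICBERCLS=group, ACTVT="03") for a in auths)


def exposed_tables(auths):
    """Tables that could be pulled out through a generic table-reading FM."""
    if not any(can_call_fm(auths, fm) for fm in TABLE_READING_FMS):
        return set()
    return {t for t in TABGROUP_OF_TABLE if can_display_table(auths, t)}


def can_schedule_job_as(auths, target_user):
    """Could a dialog user run a job step under the service user? S_BTCH_ADM=Y
    is batch admin; otherwise S_BTCH_NAM must cover the target user name."""
    return any(
        auth_grants(a, "S_BTCH_ADM", BTCADMIN="Y")
        or auth_grants(a, "S_BTCH_NAM", BTCUNAME=target_user)
        for a in auths
    )


# Constructed profiles. The six function groups are those quoted from the SAP
# help in the thread; 2032 is assumed to hold the BAPI the interface needs.
WIDE_OPEN = [
    Auth("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["*"], "ACTVT": ["16"]}),
    Auth("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["03"]}),
]
RESTRICTED = [
    Auth("S_RFC", {"RFC_TYPE": ["FUGR"], "ACTVT": ["16"],
                   "RFC_NAME": ["RFC1", "SDIFRUNTIME", "SG00", "SRFC", "SYST", "SYSU", "2032"]}),
    Auth("S_TABU_DIS", {"DICBERCLS": ["VA"], "ACTVT": ["03"]}),
]
FUNC_LEVEL = [  # only possible on a release that offers RFC_TYPE=FUNC
    Auth("S_RFC", {"RFC_TYPE": ["FUNC"], "ACTVT": ["16"],
                   "RFC_NAME": ["BAPI_SALESORDER_CREATEFROMDAT2", "RFC_PING", "RFC_SYSTEM_INFO"]}),
    Auth("S_TABU_DIS", {"DICBERCLS": ["VA"], "ACTVT": ["03"]}),
]
END_USER_BAD = [Auth("S_BTCH_NAM", {"BTCUNAME": ["PI*"]})]               # covers PI_RFC
END_USER_OK = [Auth("S_BTCH_NAM", {"BTCUNAME": [("ZBATCH01", "ZBATCH09")]})]

if __name__ == "__main__":
    for name, prof in (("wide open", WIDE_OPEN), ("restricted", RESTRICTED), ("FM level", FUNC_LEVEL)):
        print(f"{name:10}: BAPI callable={can_call_fm(prof, 'BAPI_SALESORDER_CREATEFROMDAT2')}, "
              f"tables readable over RFC={sorted(exposed_tables(prof))}")
    print("end user could run jobs as PI_RFC:", can_schedule_job_as(END_USER_BAD, "PI_RFC"))
```

The point the output makes is the one in the thread: with function-group S_RFC the restricted profile can still call RFC_GET_TABLE_ENTRIES (it lives in RFC1, which the metadata read needs), so S_TABU_DIS is what stops it reaching PA0008 or T001; only the FM-level profile closes the FM itself. To use this on a real system, replace the constructed profiles with the S_RFC, S_TABU_DIS and S_BTCH_* values exported from the user's roles (SUIM or table AGR_1251) and the lookup tables with real assignments from TFDIR / TDDAT.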

Re: Limit the use of S_RFC - RFC1

Postby thx4allthefish » Wed Dec 05, 2012 8:38 am

Baz wrote: Thanks Al

I have unresolved this, as the problem is that the SAP_BASIS version we are on here is 7.01 and this is not available for our version! :( :( :(


Baz, somebody is hitching you.

I have a PI 7.00 Patchlevel 0014 here and there IS an object S_RFC. I'm using it all the time (to connect to the SolMan etc.). It's still on the basis of function groups, but that should be enough for your issue.

Re: Limit the use of S_RFC - RFC1

Postby Al. » Thu Dec 06, 2012 4:43 am

Hi Fish,

I would be very, very worried if S_RFC wasn't there :-)
I assumed Baz was referring to the explicit definition of the function modules. Agree with you that FUGR should be more than adequate though.

Re: Limit the use of S_RFC - RFC1

Postby Baz » Mon Dec 10, 2012 4:00 am

Sorry for any confusion! Yes, there is an S_RFC for FUGR but not for Function Modules as the note describes.

The problem I have is that RFC1 allows access to RFC_GET_TABLE_ENTRIES.
I suggested they deactivate the code for that FM!

I am not sure why my interfaces have been singled out and rejected, although it is a highly restrictive system.
I can quite happily change from RFC to PROXY and then security have no idea of what I am doing when I get in the system...
Or I can call someone else's communication channel and piggyback into ECC that way!

But I try and do things properly and get refused...! :(

Re: Limit the use of S_RFC - RFC1

Postby Al. » Mon Dec 10, 2012 11:49 am

Hi Baz,

If your interfaces are being rejected then I would propose that they build you a proper user that is restricted to the correct table auth groups. If they are going to get pedantic about the FMs that could be used then I would expect them to provide an answer! Obviously without knowing the intimate (oo er) detail it's hard to give an absolute recommendation. If they have certain secure interface standards then they sure as hell should be helping you implement them.
