This website is not affiliated with, sponsored by, or approved by SAP AG.

XD03 Search Help reveals too much info

SAP Security


Postby BWorth » Thu May 29, 2014 10:01 am

We are using the object F_KNA1_APP to limit access to customers within a specific set of account groups.

If you go into the search help in XD03 and use the "Customers by Address Attributes" search (DEBIX), the screen will return, for all account groups, the very information we were trying to hide (i.e. name, street, post code etc.).

Does anyone have any ideas for a simple way to stop this happening? So far, the only option we can come up with is to remove the customer attribute help altogether.

Thanks for any advice.
BWorth
 
Posts: 1
Joined: Thu May 29, 2014 5:33 am

Re: XD03 Search Help reveals too much info

Postby Al. » Fri May 30, 2014 5:04 am

Hi, it's not a simple method as such, but this is the standard way of restricting results in a search help.

https://help.sap.com/saphelp_nw04s/help ... ontent.htm
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London
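The standard mechanism Al. points to is a search help exit: a function module with the interface of F4IF_SHLP_EXIT_EXAMPLE that the F4 processor calls at each step and that may delete rows from the hit list. The block below is an added example, not code from the thread or from SAP, showing such an exit that drops every hit whose customer account group the user is not allowed to display. Assumptions: the function name Z_SHLP_EXIT_KNA1_AUTH is hypothetical; the check uses F_KNA1_GRP, the standard object whose field KTOKD carries the account group (swap in whatever object your role design actually uses); the hit list has a KUNNR column, as DEBIX does; and the exit is attached to the search help (or a Z copy of it) in SE11.

```abap
FUNCTION z_shlp_exit_kna1_auth.
*"----------------------------------------------------------------------
*" Search help exit; interface copied from F4IF_SHLP_EXIT_EXAMPLE
*"  TABLES
*"      SHLP_TAB TYPE  SHLP_DESCT
*"      RECORD_TAB STRUCTURE  SEAHLPRES
*"  CHANGING
*"     VALUE(SHLP) TYPE  SHLP_DESCR
*"     VALUE(CALLCONTROL) LIKE  DDSHF4CTRL STRUCTURE  DDSHF4CTRL
*"----------------------------------------------------------------------
  TYPES: BEGIN OF ty_key,
           kunnr TYPE kna1-kunnr,
         END OF ty_key,
         BEGIN OF ty_grp,
           kunnr TYPE kna1-kunnr,
           ktokd TYPE kna1-ktokd,
         END OF ty_grp.

  DATA: ls_fdesc TYPE dfies,
        lt_keys  TYPE STANDARD TABLE OF ty_key,
        ls_key   TYPE ty_key,
        lt_grp   TYPE HASHED TABLE OF ty_grp WITH UNIQUE KEY kunnr,
        ls_grp   TYPE ty_grp,
        lv_kunnr TYPE kna1-kunnr.

* Only the hit list (step DISP) is filtered; every other F4 step passes through.
  CHECK callcontrol-step = 'DISP'.

* Locate the customer number column inside the flat hit-list record.
  READ TABLE shlp-fielddescr INTO ls_fdesc WITH KEY fieldname = 'KUNNR'.
  CHECK sy-subrc = 0.

* Collect the customer numbers of all hits, normalised to internal format
* (leading zeros) so the lookup works whether or not the column is already converted.
  LOOP AT record_tab.
    ls_key-kunnr = record_tab-string+ls_fdesc-offset(ls_fdesc-leng).
    CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
      EXPORTING
        input  = ls_key-kunnr
      IMPORTING
        output = ls_key-kunnr.
    APPEND ls_key TO lt_keys.
  ENDLOOP.
  CHECK lt_keys IS NOT INITIAL.
  SORT lt_keys BY kunnr.
  DELETE ADJACENT DUPLICATES FROM lt_keys COMPARING kunnr.

* One database round trip for the account group of every hit.
  SELECT kunnr ktokd FROM kna1 INTO TABLE lt_grp
    FOR ALL ENTRIES IN lt_keys
    WHERE kunnr = lt_keys-kunnr.

* Drop each hit the user may not display. A hit without a master record
* is dropped too (fail closed) rather than shown unchecked.
  LOOP AT record_tab.
    lv_kunnr = record_tab-string+ls_fdesc-offset(ls_fdesc-leng).
    CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
      EXPORTING
        input  = lv_kunnr
      IMPORTING
        output = lv_kunnr.
    READ TABLE lt_grp INTO ls_grp WITH TABLE KEY kunnr = lv_kunnr.
    IF sy-subrc <> 0.
      DELETE record_tab.
      CONTINUE.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'F_KNA1_GRP'   " assumption: account-group object
      ID 'KTOKD' FIELD ls_grp-ktokd
      ID 'ACTVT' FIELD '03'.             " 03 = display
    IF sy-subrc <> 0.
      DELETE record_tab.
    ENDIF.
  ENDLOOP.
ENDFUNCTION.
```

Filtering in the DISP step keeps the selection itself standard and only removes rows before they are rendered, so the hidden customers never reach the user's screen; the cost is one extra KNA1 read per F4 call, which the FOR ALL ENTRIES lookup keeps to a single round trip. Note that the address data the original poster is worried about still leaves the database in the SELECT step, so a user with debugging rights could still see it; the exit closes the hit list, not the query.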

Re: XD03 Search Help reveals too much info

Postby os » Wed Jun 04, 2014 3:45 pm

There is also a new configuration table which lets you execute your own functions within the search help. This is less intrusive than exits.

If your release is high enough and you debug the F4, then you will see it.
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

Re: XD03 Search Help reveals too much info

Postby Al. » Thu Jun 05, 2014 4:14 pm

os wrote:There is also a new configuration table which lets you execute your own functions within the search help. This is less intrusive than exits.

If your release is high enough and you debug the F4, then you will see it.

Nice :)
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: XD03 Search Help reveals too much info

Postby os » Wed Aug 06, 2014 4:23 pm

Note that some BAPIs also offer this search help check, and when you want a remote-enabled search help, you should use the FMs from FUGR BFHV.

Often you find RFC users of type dialog and service because the search help is badly implemented as a dialog from the remote system. The caller can simply open a new session (depending on the auths of the RFC user, they can anonymously go quite far doing things they are not meant to do).

One way of easily checking this from a plausibility perspective is looking at table SMEN_BUFFC -> the system connection user has dialog favourites...

Just a little tip for your next audits...
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am
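The plausibility check os describes (an RFC connection user that should never log on interactively, yet has SAP GUI favourites) can be turned into a small audit report. The following is an added example, not code from the thread: it takes the user names you have read out of the RFC destinations (SM59, or table RFCDES) as a select-option, keeps those whose type in USR02 is dialog (A) or service (S), and counts their favourites in SMEN_BUFFC. The report name Z_AUDIT_RFC_USER_TYPE is hypothetical.

```abap
REPORT z_audit_rfc_user_type.

* Input: the user names configured in the system's RFC destinations.
* (constructed input for this example; in practice take them from SM59)
TABLES: usr02.
SELECT-OPTIONS: s_bname FOR usr02-bname.

TYPES: BEGIN OF ty_user,
         bname TYPE usr02-bname,
         ustyp TYPE usr02-ustyp,
       END OF ty_user,
       BEGIN OF ty_hit,
         bname TYPE usr02-bname,
         ustyp TYPE usr02-ustyp,
         favs  TYPE i,
       END OF ty_hit.

DATA: lt_users TYPE STANDARD TABLE OF ty_user,
      ls_user  TYPE ty_user,
      lt_hits  TYPE STANDARD TABLE OF ty_hit,
      ls_hit   TYPE ty_hit.

START-OF-SELECTION.
* Only dialog (A) and service (S) users can open an interactive session.
* System (B) and communication (C) users cannot, which is what an RFC
* connection user should be.
  SELECT bname ustyp FROM usr02 INTO TABLE lt_users
    WHERE bname IN s_bname
      AND ustyp IN ('A', 'S').

  LOOP AT lt_users INTO ls_user.
    ls_hit-bname = ls_user-bname.
    ls_hit-ustyp = ls_user-ustyp.
* Favourites are only ever created from SAP GUI, so any entry here is
* evidence that somebody used the connection user interactively.
    SELECT COUNT(*) FROM smen_buffc INTO ls_hit-favs
      WHERE uname = ls_user-bname.
    APPEND ls_hit TO lt_hits.
  ENDLOOP.

* Two findings: every listed user has the wrong type; those with
* favourites have additionally been used as a dialog user already.
  SORT lt_hits BY favs DESCENDING bname.
  LOOP AT lt_hits INTO ls_hit.
    IF ls_hit-favs > 0.
      WRITE: / ls_hit-bname, ls_hit-ustyp, ls_hit-favs,
               'favourites: interactive use of RFC user detected'.
    ELSE.
      WRITE: / ls_hit-bname, ls_hit-ustyp,
               'interactive user type; change to B or C'.
    ENDIF.
  ENDLOOP.
```

Run it against the full list of destination users rather than a sample: the interesting cases are usually the oldest destinations, created when the search help was first wired up as a dialog call and never revisited.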
