14.12.10

SAP Note 13202 - Security aspects in ABAP programming

Symptom

Use of the ABAP Development Workbench (for developing transactions and reports) raises the question of how to protect critical system data against unauthorized manipulation.

Reason and Prerequisites

Generally, all database tables can be read and changed in an ABAP program. This includes HR information, accounting documents and user master records. In addition, existing function modules and program routines that themselves read and change critical data can also be called. Data from other clients can also be read and changed.

Solution

SAP does not currently support a procedure that enables simultaneous use of a system as a production system and as a development system while adhering to safety/security aspects.

You should therefore proceed as follows:

      a) In production systems no users should be authorized for program development (transactions SE..). This does not affect the reporting tools (ABAP Query, EIS, Report Writer); for these tools the appropriate authorization checks are performed automatically.
      b) It is sometimes necessary to correct a program in a production system. For such cases, you should develop a procedure in which a user is temporarily granted SE38 authorization in order to perform the correction, which is then checked by another person. Once the correction is complete, the authorization is removed.
      c) Program development can be performed only in a separate system (or several systems). The transport of programs (or other development environment objects such as messages, screens, or structures) must be performed by a designated role in the company that ensures that importing the new object neither compromises the correctness of the system (data update, for example) nor violates security requirements (missing authorization checks).

      The Development Workbench functions can be used for the checks (cross reference lists of tables and function modules used, for example).

      As of Release 6.20, Transaction SCI (Code Inspector) has been available for examining R/3 source code. This tool contains a group 'Security checks' which can be used to carry out static checks for security-relevant statements.


As of Release 3.0E, authorization objects exist that the system checks when the following operations are executed:

    • C calls (the CALL instruction): S_C_FUNCT
    • File operations (OPEN DATASET, READ DATASET, TRANSFER ... TO DATASET, DELETE DATASET): S_DATASET
    • CPIC operations (COMMUNICATION): S_CPIC
    • OLE operations (CREATE OBJECT object class): S_OLE_CALL
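
To make the mapping above concrete for whoever reviews transports, here is an added example (not part of the SAP Note and not how Code Inspector works): a small Python scan that flags the listed statement types in ABAP source and names the authorization object for each. The matching rules are heuristics, and the sample ABAP and every name in it are constructed.

```python
import re

# Statement patterns and the authorization object the note names for each.
RULES = [
    (re.compile(r"^CALL\s+'", re.I), "S_C_FUNCT"),  # CALL 'cfunc', not CALL FUNCTION
    (re.compile(r"^((OPEN|READ|DELETE)\s+DATASET\b|TRANSFER\s+.+\s+TO\s)", re.I), "S_DATASET"),
    (re.compile(r"^COMMUNICATION\b", re.I), "S_CPIC"),
    # Assumption: the OLE form passes the class as a literal; OO CREATE OBJECT does not.
    (re.compile(r"^CREATE\s+OBJECT\s+\S+\s+'", re.I), "S_OLE_CALL"),
]

def statements(source):
    """Yield (start_line, text) for each ABAP statement, comments removed."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):             # full-line comment
            continue
        in_str = False                       # literals do not span lines
        for ch in line:
            if ch == "'":
                in_str = not in_str
            elif ch == '"' and not in_str:   # inline comment runs to end of line
                break
            if ch == "." and not in_str:     # a period outside a literal ends the statement
                if buf:
                    yield start, " ".join("".join(buf).split())
                buf, start = [], None
                continue
            if buf or not ch.isspace():
                start = start or no
                buf.append(ch)
        if buf:
            buf.append(" ")                  # statement continues on the next line

def scan(source):
    """Return [(line, auth_object, statement)] for statements the note lists."""
    return [(no, obj, stmt) for no, stmt in statements(source)
            for pattern, obj in RULES if pattern.search(stmt)]

# Constructed sample; all object and function names are hypothetical.
SAMPLE = """\
* OPEN DATASET in a comment is ignored.
CALL FUNCTION 'Z_HYPOTHETICAL_FM'.  "function module, not a C call
OPEN DATASET file
  FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
TRANSFER 'a.b' TO file.
CALL 'HYPOTHETICAL_C_FUNC' ID 'NAME' FIELD name.
CREATE OBJECT xl 'EXCEL.APPLICATION'.
CREATE OBJECT oref TYPE zcl_demo.
"""
```

Calling scan(SAMPLE) reports the OPEN DATASET, TRANSFER, C call and OLE statements with the line each one starts on; colon-chained statements are not split.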

It is not planned to limit the authorizations of developers.

Key word: Security SExx
