topic Re: Question about the function module (RFC_READ_TABLE) in Application Development and Automation Discussions

Question about the function module (RFC_READ_TABLE)

Former Member — Tue, 01 Jul 2014 11:15:14 GMT

Dear everyone

Could I ask you a question about the function module (RFC_READ_TABLE)?

I was asked if it's possible to create a report which compares the data between different SAP systems (both production systems).

Now, the easiest way would be to use the function module (RFC_READ_TABLE) within a SAP infoset query (SQ01 type query).

But I heard the rumor that using the function module (RFC_READ_TABLE) is not advisable due to the security reason.

However, I am not exactly sure what sort of security problems this function module can possibly have...

Would you help me on this?

I also would like to know if using "remote enabled module" type function module can always overcome this possible security issue.

Or, are there any points that I need to be careful about even when I use "remote enabled module" function module?

Thank you very much in advance.

Takashi

Re: Question about the function module (RFC_READ_TABLE)

FredericGirod — Tue, 01 Jul 2014 11:20:37 GMT

Hi,

if anybody could read the content of a table of your productive server, your authorization control doesn't stop this person. He could read any data, extract the list of the customer, extract the list of price, get the salary of people (if you have HR) ....

so it's a big issue if you open it

there is a standard transaction that do this for customizing tables : SCU0

regards

Fred

Re: Question about the function module (RFC_READ_TABLE)

Former Member — Wed, 02 Jul 2014 02:03:26 GMT

Dear Fred-san

Thank you very much for your support on this.

But, may I double check about what you mentioned above?

So, what you were mentioning was that if some user executes the query with

the function module (RFC_READ_TABLE), under the following conditions, he can access to

the HR data even when he does not have the authorizations for HR transactions?

<Conditions>

1. the user has the authorization for HR database tables themselves

2. RFC_READ_TABLE is called to retrieve the data from HR database

<example>

Data: LF_HR_TABLE like DD02L-TABNAME value 'PA0000'.

CALL FUNCTION 'RFC_READ_TABLE'
EXPORTING
query_table = LF_HR_TABLE

TABLES
   OPTIONS                    =
   fields                     =
   data                       =    .

But then, as long as we call this function module for a non-critical tables such as

VBAP (sales order) or EKKO (purchase order) within our query, it wouldn't seem to be

so security risk to use RFC_READ_TABLE...

Besides, each query (infoset query) has got the concept of user groups, which limits

the access to the queries within the user group.

※If someone does not belong to the user group, he cannot execute the queries within that

user group, etc

So, my feeling is that even infoset queries does have authorization concept...

Would you give me your thought on this?

I also thank you for your information for SCU0.

That is an interesting transaction

Kind regards,

Takashi

Re: Question about the function module (RFC_READ_TABLE)

FredericGirod — Wed, 02 Jul 2014 07:59:19 GMT

Hi,

just a detail, VBAP & EKKO are critical ! if your competitor have this informations, it could determine your price, where your sale your business, where you buy your component and how much, the price .. when ...

so query & RFC_READ... are very dangerous for authorization

(and with RFC.. you didn't have the concept of organizational data)

regards

Fred

Re: Question about the function module (RFC_READ_TABLE)

Former Member — Thu, 03 Jul 2014 01:54:27 GMT

Hi, Fred-san

Thank you again for your information on this.

Yes, I agree that the data in VBAP and EKKO are also important, and we shouldn't let

the competitors to have access to those data in our system.

But I was not sure how those competitors can execute the query with RFC_READ_TABLE in our

system...

I mean, they don't even have a SAP account for our system...

So what you were saying was that if someone (=competitors) catches the data which is being

trasfered over internet while our users are executing RFC_READ_TABLE, it would cause a security risk?

Anyhow, I felt that we need to be very very careful for using RFC_READ_TABLE.

So I will not use this function module in the report this time.

Thank you

Takashi

Re: Question about the function module (RFC_READ_TABLE)

FredericGirod — Thu, 03 Jul 2014 06:49:14 GMT

Remember, the most of time, Hacking comes from inside

So, if someone could take these informations and go to your competitor ...

regards

Fred

Re: Question about the function module (RFC_READ_TABLE)

Former Member — Thu, 03 Jul 2014 13:54:01 GMT

Oh, now I understand the risk of using this function module

So it wasn't like someone can eavesdrop the data while if's transfered over

the internet if we use this function module.

Anyhow, I decided not to use this function module this time.

So, the information will be safe with us

Thank you for your help

Kind regards,

Takashi