‎2008 Apr 22 10:15 AM
Guys, last night I was thinking: if a user is not allowed to execute, for example, transaction sm50, and he executes /h before performing sm50, can he change the values of variables in the debugging process? And, worse, get access to the transaction?
‎2008 Apr 22 10:38 AM
Hi,
It sounds like a nice theory, but have you tried it?
I have developer only access in a dev system, no basis transactions. So if I run SM12 I get message "You are not authorized to use transaction SM12".
If I type /h, then run transaction SM12, I get "You are not authorized to use transaction SM12", no debugger. The check for S_TCODE is not explicitly coded; I think the check is at system level, so it can't be bypassed in debug.
Regards,
Nick
‎2008 Apr 22 10:27 AM
Hi Dear,
It's a very good question...
But SAP is much more aware of it. It can be controlled by authorization. In our production system we cannot change the values in debug mode.
<REMOVED BY MODERATOR>
Edited by: Alvaro Tejada Galindo on Apr 22, 2008 12:33 PM
‎2008 Apr 22 10:30 AM
Hi,
It would be possible if he bypasses all the authority check statements.
But to do this he must of course have debug rights and also be able to change values in debug mode.
Hope I have answered your question.
Regards
‎2008 Apr 22 12:48 PM
It all depends on the level of authorizations you have.
Also don't forget all transactions are linked to an ABAP program, and an ABAP source code can be debugged.
Regards.
‎2008 Apr 22 2:57 PM
Hi Jürgen,
I still don't see how you can debug around the authorisation check on object S_TCODE. Further to my earlier test where I used a system where I had limited access, I repeated it on a system where I have full access, with the following results.
Enter /h
Run transaction sm12
In debug set a break-point on statement AUTHORITY-CHECK and execute
The debugger does not stop, the transaction starts.
The auth object S_TCODE is checked for the start of every transaction. But, even with full authorisation the ABAP debugger will not stop on the S_TCODE check.
Regards,
Nick
‎2008 Apr 22 3:36 PM
System debugging has to be switched on, then one can actually see the S_TCODE authority check done in function AUTH_CHECK_TCODE. (I'm on 6.20, might be different in subsequent releases).
So it's always recommended to not allow anybody the changing of field values in debugging, at least in productive systems.
Cheers
Thomas
‎2008 Apr 22 4:10 PM
System debugging! That was it, I knew there was something else that needed to be set.
Nick
‎2008 Apr 22 12:53 PM
Our security is set in Production so that we are not allowed to alter values in DEBUG mode.
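An added example, not written by any poster in this thread: a small audit for the recommendation above that nobody should be able to change field values in the debugger on a productive system. It relies on the fact that debug-and-replace is granted by authorization object S_DEVELOP with OBJTYPE = DEBUG and ACTVT = 02; the row layout, user names and authorization names are constructed for illustration and are not a real SAP export format, and the other S_DEVELOP fields are ignored.

```python
from collections import defaultdict

# Constructed sample rows: (user, authorization, object, field, value).
SAMPLE_ROWS = [
    ("DEV_A",  "Z_DEV_01", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    ("DEV_A",  "Z_DEV_01", "S_DEVELOP", "ACTVT",   "03"),      # display only
    ("BASIS1", "Z_BAS_01", "S_DEVELOP", "OBJTYPE", "*"),
    ("BASIS1", "Z_BAS_01", "S_DEVELOP", "ACTVT",   "01-03"),   # range includes 02
    ("SUPP_X", "Z_SUP_01", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    ("SUPP_X", "Z_SUP_01", "S_DEVELOP", "ACTVT",   "03"),
    ("SUPP_X", "Z_SUP_02", "S_DEVELOP", "OBJTYPE", "PROG"),
    ("SUPP_X", "Z_SUP_02", "S_DEVELOP", "ACTVT",   "02"),      # change, but not DEBUG
    ("FIRE_1", "Z_FF_01",  "S_DEVELOP", "OBJTYPE", "DEB*"),
    ("FIRE_1", "Z_FF_01",  "S_DEVELOP", "ACTVT",   "02"),
    ("FIRE_1", "Z_FF_01",  "S_TCODE",   "TCD",     "SM12"),
]


def value_covers(granted, wanted):
    """True if one granted value (single, PREFIX*, or FROM-TO) covers wanted."""
    granted = granted.strip().upper()
    if "-" in granted:  # range; safe here because S_DEVELOP values have no hyphens
        low, high = granted.split("-", 1)
        return low <= wanted <= high
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def users_with_debug_change(rows):
    """Users holding OBJTYPE=DEBUG and ACTVT=02 inside the SAME authorization."""
    auths = defaultdict(lambda: defaultdict(list))
    for user, auth, obj, field, value in rows:
        if obj == "S_DEVELOP":
            auths[(user, auth)][field].append(value)
    flagged = set()
    for (user, _auth), fields in auths.items():
        debug = any(value_covers(v, "DEBUG") for v in fields.get("OBJTYPE", []))
        change = any(value_covers(v, "02") for v in fields.get("ACTVT", []))
        if debug and change:  # both fields must match within one authorization
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print(users_with_debug_change(SAMPLE_ROWS))
```

SUPP_X is not flagged because the DEBUG value and the change activity sit in two different authorizations, and an authority check only passes when a single authorization covers every field.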