
SQ02 Infoset - security hole - authority

Former Member
0 Kudos
108

Hi,

I have heard that SQ02 (creating InfoSets) has several security holes (regarding authorizations). Does anybody know about this and could specify these holes?

Thanks

Markus

2 REPLIES

Former Member
0 Kudos
42

Hi,

The main idea behind SQ02 and the whole query tool in SAP is that you can write your own ABAP code into the query. This may result in a situation where a user with authority to SQ02 can delete, insert or modify any table records even without the authority to that table.

Therefore be careful whom you authorize to create InfoSets - it's a very powerful tool.

Filip

Former Member
0 Kudos
42

Hi,

When you create an InfoSet, you attach a user group to the InfoSet. In the user group, you specify multiple users that can have access to your InfoSet and query.

So these multiple users can have access to your InfoSet and then can change the code.

But you can restrict the authorization of users and not allow them to change or create queries using your InfoSet.

Object S_QUERY revokes authorization to change or create queries for a specific user.

Hope this will help you.

Reward points if it's helpful.

Thanks,

Vijay
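
An audit check for the advice in the replies above, as an added example that is not part of the original thread: it resolves role assignments to find every user whose S_QUERY authorization covers InfoSet maintenance, including grants hidden behind a wildcard or a value range. The role names, user names and the row layout are constructed for illustration; the only SAP-specific assumption is that ACTVT value 23 on S_QUERY is the activity for maintaining InfoSets and user groups.

```python
from collections import defaultdict

# Constructed sample data (not from a real system).
# Role authorization values: (role, object, field, low, high)
ROLE_AUTHS = [
    ("Z_REPORT_USER", "S_QUERY", "ACTVT", "02", ""),
    ("Z_QUERY_ADMIN", "S_QUERY", "ACTVT", "23", ""),
    ("Z_BASIS_WIDE", "S_QUERY", "ACTVT", "*", ""),
    ("Z_RANGE_ROLE", "S_QUERY", "ACTVT", "02", "67"),
    ("Z_DISPLAY", "S_TABU_DIS", "ACTVT", "03", ""),
]
# Role assignments: (user, role)
USER_ROLES = [
    ("ALICE", "Z_REPORT_USER"), ("ALICE", "Z_DISPLAY"),
    ("BOB", "Z_QUERY_ADMIN"),
    ("CAROL", "Z_BASIS_WIDE"),
    ("DAVE", "Z_RANGE_ROLE"),
    ("ERIN", "Z_DISPLAY"),
]

# Assumption: S_QUERY ACTVT 23 = maintain InfoSets and user groups.
INFOSET_MAINTAIN = "23"


def value_covers(low, high, wanted):
    """True if an authorization value (single, wildcard or range) covers `wanted`."""
    if high:                      # range LOW..HIGH, compared as strings
        return low <= wanted <= high
    if low.endswith("*"):         # full wildcard '*' or a prefix such as '2*'
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(obj, field, wanted, role_auths=ROLE_AUTHS):
    """Roles whose authorization for obj/field covers the wanted value."""
    return {r for r, o, f, lo, hi in role_auths
            if o == obj and f == field and value_covers(lo, hi, wanted)}


def users_who_can_maintain_infosets(user_roles=USER_ROLES, role_auths=ROLE_AUTHS):
    """Map each user to the roles that give them InfoSet maintenance."""
    risky = roles_granting("S_QUERY", "ACTVT", INFOSET_MAINTAIN, role_auths)
    found = defaultdict(set)
    for user, role in user_roles:
        if role in risky:
            found[user].add(role)
    return {u: sorted(r) for u, r in sorted(found.items())}


if __name__ == "__main__":
    for user, roles in users_who_can_maintain_infosets().items():
        print(f"{user}: InfoSet maintenance via {', '.join(roles)}")
```

ALICE holds only ACTVT 02, so she is not listed; CAROL and DAVE are listed even though neither of their roles names 23 explicitly.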