Download basket approvals gone with the wind
After spotting what I thought was a security gap in SAP I now call out to all community members to support the idea to remove download basket approval for files downloaded on SAP Service Marketplace. I invite everyone to read the blog and vote for the idea on idea place. Together we can stand strong and make a difference.
Idea on SAP Idea place
Youtube – approving download files without using maintenance optimizer
The video already has a good amount of views for the time it has been online and several persons notified me they didn’t yet know this “workaround” to approve download files.
The sentiment coming from most of those persons comes down to the fact that they find it useless to go through a full maintenance process to approve a single file which is sometimes the case.
Why oh why?
The question is what the real reason is that SAP implemented this “feature”. As far as I can see the real reason seems to be that they wanted to force SAP customers to integrate SAP Solution Manager into their system landscape.
To me the whole notion of forcing customers to implement a piece of software is not compatible with the new SAP as they now position themselves. Listening to the customer and doing something with the feedback provided. In my opinion the time is right now to provide the feedback but I would prefer I’m not the only one sending that feedback. I need your help to provide feedback.
Download basket security gap or feature?
Ever since the overhyped Black Hat conference security has been kicked up a notch on the importance ladder. It has become a sensitive topic. Even blogging about hidden features or tricks generates some haters stating the blog should be deleted. I didn’t see that one coming but hey not everyone can love you right. Nothing wrong with that.
Now to the point of the alleged security gap. When I was creating the Youtube video previously mentioned in this blog I wondered to what extend the download basket was in fact secure. From a technical point of view you have two spots where an S-user is inserted. Once in the RFC connection used to connect to the SAP back-end and once in the table AISUSER to bind a certain S-user to a SAP user.
So I changed the S-user in the table AISUSER to the S-user of another company, ignored the warning that was triggered afterwards and went on to test the same function module shown in the Youtube video. To my surprise I could access the download basket data of that S-user as well.
Checking with SAP
Instead of blogging it out immediately I decided to create a customer message and check with SAP if this was normal behavior as I was convinced I seemed to have found a security gap.
You could argue that you cannot do anything with download basket content of another S-user but I wondered to what extent it could be further exploited and function modules to download content right into EPS/in for example could be used in the same way. Besides that you still have the fact that you could figure out what someone else or a rival company is doing in terms of download files and implementing SAP software.
Feature it is
Apparently it’s a feature was the final outcome of the customer message with SAP. Any company that is tied to another in some or the other way through VAR or CCC can access S-user download basket content of all users in those companies. I didn’t even know there was any kind of those relationships between the two companies I tested.
I tested out some other company combinations and most failed so there has to be some kind of truth behind the fact that the companies have to be tied together somehow or some in way.
Why is that feature there then?
So then the next question becomes why is that feature there? Because some customer just refuse to put a Solution Manager in place and then the only way they can download/implement a support package stack is by help of their VAR partner who approves the download files for them.
Common sense and waste of time
In general I don’t find forcing the need to have a Solution Manager in place a good idea but let’s leave that aside for the moment.
The fact that SAP wants to let the customer use the maintenance optimizer to download Enhancement Packages and complicated combinations of SAP components makes sense because it helps prevent wrong combinations of software components (to some extent) and provides a more “safe” procedure compared to the previous manual stack downloads.
Besides that change tracking is often in place in another form at companies so the maintenance optimizer is only used to select and download files, not to keep track of SAP system changes.
The fact that you have to approve a single file that you need to download from SAP service marketplace is just ridiculous and a waste of time. Apparently it’s the service marketplace team that has the right to place a file as “needs approval” or not.
Everyone seems to be using workarounds anyway, keeping a maintenance transaction open on the approval step or using the function module mentioned in the Youtube video. The question raises then? Why is the approval still there?
We can provide freedom to the download files and save us time and money by not having to perform a step which is not called for. Let us vote up the idea to remove download basket approvals through Idea Place: