Skip to Content

Scenario

 

A user can set the parameter CRM_UI_PROFILE to a specific value or even * .

It’s a security risk, because a user could use a standard business role instead of the customer configured role.

The user parameter overrules any other role assignments (via the organizational management or pfcg-role),

CRM 7.0 / PFCG Roles and Authorization Concept, page 28:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00515e75-f1d0-2c10-bebb-e5675f470ee6QuickLink=index&overridelayout=true&46316927415846

 

Requirement

Even if the parameter is set to * only allowed business roles are displayed in the pick list of the logon screen.

 

Solution

 

The enhancement spot WCF_RESTRICT_ACCESS (note 1566074) and an own defined authorization object is used to

restrict the business roles.

 

Implementation

 

1. Create authorization object ZUI_PROFIL

Create the authorization field ZUI_PROFIL in transaction SU21:

/wp-content/uploads/2013/07/sdn_1_251332.png

Create the authorization object ZUI_PROFIL with field ZUI_PROFIL and don’t forget to re-generate SAP_ALL

 

2. Implement the enhancement spot WCF_RESTRICT_ACCESS

In the next step you have to implement the enhancement spot WCF_RESTRICT_ACCESS in transaction SE18.

Add the following code in method get_business_role_white_list

 

 

method if_wcf_restrict_access_badi~get_business_role_white_list.
** Restrict Access to WebClient UI Framework
** according to the authoization object ZUI_PROFIL
** Note 1566074

** Data
  data lt_role type standard table of crmc_ui_profile.

  field-symbols <fs_role> type crmc_ui_profile.
  field-symbols <line> like line of ct_business_roles.

*
  cv_is_implemented = abap_true.

* Get all CRM-web-UI business roles
  select * from crmc_ui_profile into table lt_role
      where profile_type = ‘C’.

* authority check
  loop at lt_role assigning <fs_role>.

    authority-check object ‘ZUI_PROFIL’
             id ‘ZUI_PROFIL’ field <fs_role>-profile.

    if sy-subrc = 0.
      append initial line to ct_business_roles assigning <line>.
      <line> = <fs_role>-profile.
    endif.

  endloop.
endmethod.

 

 

3. Apply authorization object to user

 

In the last step you only add the new authorization object with the allowed roles in pfcg role.

 

/wp-content/uploads/2013/07/sdn_3_251348.png

 

Result

 

In the logon screen only the allowed roles are shown:

/wp-content/uploads/2013/07/sdn_4_251349.png

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Carsten Kasper

    Hi Monika,

    thank you for sharing this information. It never occured to me by now, but it is absolutely correct that there is a hole in security.

    When setting up authorization I tend to advice to authorize the navigational links inside WebClient one by one. This way the security issue should not be that bad. Even if the user logs on with a different Business Role he or she would not be able to see any links where there is no authorization.

    cheers Carsten

    (0) 
    1. Monika Suchy Post author

      Hello Carsten,

      the restriction in UIU_COMP doesn’t close the security hole totaly. If a user can use a different business role all customer specific restrictions (e.g. disabled fields or assigment blocks) are not considered.

      Regards,

      Monika

      (0) 
      1. Carsten Kasper

        Good point. Totally agree with you there. It could be partly handled by making configurations not role specific, but sometimes that is exactly what you want. Thus you need something else.

        Now I am wondering, why SAP did not encapsulate the CRM_UI_PROFIL parameter in an S_DEVELOP authorization. In my eyes it is clearly meant for developers only.

        (0) 
        1. Monika Suchy Post author

          I totally agree, this shoudn’t be a user parameter … and there are many other critical parameters. Just think about WCF_IGNORE_ENHANCEMT: with the value A the user can deactivate the existing UI Enhancement Sets.

          The best protection is that most of the users do not know these parameters …

          (0) 

Leave a Reply