GRC EAM – Bypassing user exit via non-dialog logon?
I’d like to share with you a scenario that we´ve identified were a FF user can bypass the user exit mechanism of GRC EAM. I´d appreciate your inputs to understand what´s the best option to eliminate this risk.
Let´s say i´m a FF user, ZFFUSER for this example so I´m assigned to a role that allows me to execute /grcpi/gria_eam for a decentralized model. The role also has to contain S_USR_GRP permission as below:
Depending on NW version ACTVT 02 might not be required, but ACTVT 05 is needed because when I check out the FF my user ID will internally generate a new random password for the FF ID.
Let´s say that in this scenario ZFFUSER also has some S_RFC permissions and as part of those the BAPI_USER_CHANGE is included.
For this scenario I´ll consider the usage of a RFC connection as below and SE37 but note that function modules can be called outside SAP with Excel macros for example
Let´s say I have this RFC created
I´ll then login with ZFFUSER and execute SE37 as below:
Execute and then
Note that usage of SE37 is not mandatory. Same thing can be achieved with non-SAP programs as long as S_RFC and S_USR_GRP are assigned to the user
Now the password for my FF ID called ZFIREFIGHTER is “Diego123!”.
Let´s try to logon directly:
That´s as expected. User exit doesn´t allow me to logon.
But let´s go back to our RFC and set ZFIREFIGHTER in the connection:
Let´s try now a remote logon:
Now I´m logged with the FF ID and I have bypassed the user exit mechanism.
Note also that in addition to do a remote logon I can also execute function modules calls to the system using this FF ID with the password I´ve set earlier. This can be done using Excel or any other script tool for SAP.
IF FF ID has enough permissions a BAPI call can also be used for this:
And then I´ll be able to login with SAP*
If the user is locked, I can unlock with the bapi, same if it´s not assigned to SAP_ALL.
Well, that´s all. Hope you have fun with this and share some ideas 🙂
one important poin to note is that this depends on permissions for S_RFC properly restricted but i think user Exit should also consider somehow remote logons, what do you think?