GRC EAM – Bypassing user exit via non-dialog logon?
Hi All,
I'd like to share with you a scenario that we've identified where a FF user can bypass the user exit mechanism of GRC EAM. I'd appreciate your inputs to understand what's the best option to eliminate this risk.
Let's say I'm a FF user, ZFFUSER for this example, so I'm assigned to a role that allows me to execute /grcpi/gria_eam for a decentralized model. The role also has to contain S_USR_GRP permission as below:
Depending on NW version ACTVT 02 might not be required, but ACTVT 05 is needed because when I check out the FF my user ID will internally generate a new random password for the FF ID.
Let's say that in this scenario ZFFUSER also has some S_RFC permissions and as part of those BAPI_USER_CHANGE is included.
For this scenario I'll consider the usage of an RFC connection as below and SE37, but note that function modules can be called outside SAP with Excel macros, for example.
Let's say I have this RFC created:
I'll then log in with ZFFUSER and execute SE37 as below:
Execute and then
Note that usage of SE37 is not mandatory. The same thing can be achieved with non-SAP programs as long as S_RFC and S_USR_GRP are assigned to the user.
Now the password for my FF ID called ZFIREFIGHTER is “Diego123!”.
Let's try to log on directly:
That's as expected. The user exit doesn't allow me to log on.
But let's go back to our RFC and set ZFIREFIGHTER in the connection:
Let's try now a remote logon:
Now I'm logged in with the FF ID and I have bypassed the user exit mechanism.
Note also that in addition to doing a remote logon I can also execute function module calls to the system using this FF ID with the password I've set earlier. This can be done using Excel or any other script tool for SAP.
If the FF ID has enough permissions, a BAPI call can also be used for this:
And then I'll be able to log in with SAP*.
If the user is locked, I can unlock it with the BAPI; same if it's not assigned to SAP_ALL.
Well, that's all. Hope you have fun with this and share some ideas 🙂
One important point to note is that this depends on permissions for S_RFC being properly restricted, but I think the user exit should also somehow consider remote logons. What do you think?
Thanks!
Diego.
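The two authorizations the post combines (S_USR_GRP ACTVT 05 plus S_RFC reaching BAPI_USER_CHANGE) can be searched for across a role/user export. The following is an added example, not code from the post or from SAP: it runs over constructed rows shaped like the AGR_1251 and AGR_USERS tables, applies SAP-style value matching (ranges and `*` wildcards), and lists users whose combined roles hold both halves. The mapping of BAPI_USER_CHANGE to function group SU_USER is an assumption, as is the simplification of matching RFC_TYPE and RFC_NAME per role rather than per authorization instance.

```python
from fnmatch import fnmatchcase
# Constructed sample rows shaped like AGR_1251: (role, object, field, low, high)
ROLE_AUTHS = [
    ("Z_FF_USER",    "S_USR_GRP", "ACTVT",    "05", ""),
    ("Z_FF_USER",    "S_USR_GRP", "CLASS",    "FFIDS", ""),
    ("Z_RFC_WIDE",   "S_RFC", "RFC_TYPE", "FUNC", ""),
    ("Z_RFC_WIDE",   "S_RFC", "RFC_NAME", "BAPI_USER_*", ""),
    ("Z_RFC_NARROW", "S_RFC", "RFC_TYPE", "FUNC", ""),
    ("Z_RFC_NARROW", "S_RFC", "RFC_NAME", "BAPI_COMPANYCODE_GETLIST", ""),
    ("Z_RFC_RANGE",  "S_RFC", "RFC_TYPE", "FUNC", ""),
    ("Z_RFC_RANGE",  "S_RFC", "RFC_NAME", "BAPI_A", "BAPI_Z"),
    ("Z_RFC_GROUP",  "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_RFC_GROUP",  "S_RFC", "RFC_NAME", "SU_USER", ""),
]
# Constructed rows shaped like AGR_USERS: (user, role)
USER_ROLES = [("ZFFUSER", "Z_FF_USER"), ("ZFFUSER", "Z_RFC_WIDE"),
              ("ZAUDIT", "Z_FF_USER"), ("ZAUDIT", "Z_RFC_NARROW"),
              ("ZBATCH", "Z_FF_USER"), ("ZBATCH", "Z_RFC_GROUP"),
              ("ZREPORT", "Z_RFC_RANGE")]
TARGET_FM = "BAPI_USER_CHANGE"
TARGET_FUGR = "SU_USER"  # assumption: function group containing BAPI_USER_CHANGE

def value_matches(low, high, candidate):
    """SAP authorization value semantics: LOW..HIGH range, else LOW with '*' wildcard."""
    return low <= candidate <= high if high else fnmatchcase(candidate, low)

def role_values(role, obj, field):
    return [(r[3], r[4]) for r in ROLE_AUTHS if r[:3] == (role, obj, field)]

def covers(role, obj, field, candidate):
    return any(value_matches(lo, hi, candidate) for lo, hi in role_values(role, obj, field))

def role_reaches_user_change(role):
    """True if the role's S_RFC values reach BAPI_USER_CHANGE by function name or function group.
    Simplification: RFC_TYPE and RFC_NAME are matched per role, not per authorization instance."""
    by_func = covers(role, "S_RFC", "RFC_TYPE", "FUNC") and covers(role, "S_RFC", "RFC_NAME", TARGET_FM)
    by_fugr = covers(role, "S_RFC", "RFC_TYPE", "FUGR") and covers(role, "S_RFC", "RFC_NAME", TARGET_FUGR)
    return by_func or by_fugr

def role_can_set_passwords(role):
    """S_USR_GRP ACTVT 05 is what lets a user (re)set another user's password."""
    return covers(role, "S_USR_GRP", "ACTVT", "05")

def users_with_toxic_combination():
    """Users whose combined roles grant both halves of the bypass described in the post."""
    roles_of = {}
    for user, role in USER_ROLES:
        roles_of.setdefault(user, set()).add(role)
    return sorted(u for u, rs in roles_of.items()
                  if any(role_can_set_passwords(r) for r in rs)
                  and any(role_reaches_user_change(r) for r in rs))

if __name__ == "__main__":
    print(users_with_toxic_combination())  # ['ZBATCH', 'ZFFUSER']
```

ZREPORT is reached by the wide BAPI_A..BAPI_Z range but lacks S_USR_GRP ACTVT 05, so it is not flagged; ZAUDIT holds ACTVT 05 but only a narrowly scoped S_RFC, so it is not flagged either.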
Hi Diego,
Did you report this to OSS as an incident? Have you taken some action to secure this, e.g. removing the BAPI_USER_CHANGE authorization from S_RFC?
Jakub