Diego I. Yaryura

GRC EAM – Bypassing user exit via non-dialog logon?

Hi All,

I'd like to share with you a scenario we have identified where a Firefighter (FF) user can bypass the user exit mechanism of GRC EAM. I'd appreciate your input on the best option to eliminate this risk.

Let's say I'm an FF user, ZFFUSER in this example, assigned to a role that allows me to execute /GRCPI/GRIA_EAM in a decentralized model. The role also has to contain authorization object S_USR_GRP with the values shown in the screenshot (not reproduced here).

Depending on the NetWeaver version, ACTVT 02 (change) might not be required, but ACTVT 05 (lock/unlock and password reset) is needed because when I check out the FF ID, my user ID internally generates a new random password for the FF ID.

Let's say that in this scenario ZFFUSER also has some S_RFC authorizations, and that these cover the function module BAPI_USER_CHANGE (function group SU_USER).

For this scenario I'll use an RFC destination pointing back to the same system and SE37, but note that function modules can equally be called from outside SAP, for example from an Excel macro.

Let's say I have created this RFC destination (screenshot not reproduced here):


I'll then log on as ZFFUSER, call SE37 and execute BAPI_USER_CHANGE through that RFC destination to set a new password for the FF ID (screenshots not reproduced here).

Note that SE37 is not mandatory. The same thing can be achieved with non-SAP programs, as long as S_RFC and S_USR_GRP are assigned to the user.
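The point of the scenario is a combination of two authorizations rather than either one on its own. The following Python script is an added example for this post (not GRC or SAP code): it models a role review that answers "can this user call BAPI_USER_CHANGE over RFC and reset passwords in the FF ID's user group?" The authorization values are constructed to mirror the scenario above; in practice they would be pulled from SUIM or table AGR_1251. SAP value matching is simplified to the full and trailing `*` wildcards (ranges are not modelled), the FF user group `FFID` is hypothetical, and function group `SYST` appears only as an illustration of an unrelated group that may stay permitted.

```python
"""Role review for the bypass in this post: can a user call BAPI_USER_CHANGE over
RFC *and* reset passwords in the FF ID's user group?

Added example, not from the original post or from SAP. Authorization values are
constructed to mirror the scenario; in practice they come from SUIM or AGR_1251."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

TARGET_FM = "BAPI_USER_CHANGE"
TARGET_FUGR = "SU_USER"          # function group that contains BAPI_USER_CHANGE


@dataclass
class Authorization:
    obj: str
    fields: Dict[str, FrozenSet[str]]   # field name -> permitted values


def auth(obj: str, **fields: Iterable[str]) -> Authorization:
    return Authorization(obj, {k: frozenset(v) for k, v in fields.items()})


def value_matches(pattern: str, value: str) -> bool:
    """Simplified SAP value match: '*' is a full wildcard, a trailing '*' matches
    the prefix, anything else must be equal. Ranges (FROM-TO) are not modelled."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def field_allows(a: Authorization, name: str, value: str) -> bool:
    return any(value_matches(p, value) for p in a.fields.get(name, ()))


def can_call_fm_remotely(auths: List[Authorization], fm: str, fugr: str) -> bool:
    """S_RFC with ACTVT 16 passes if an instance covers the function group
    (RFC_TYPE FUGR) or the function module itself (RFC_TYPE FUNC, newer releases)."""
    for a in auths:
        if a.obj != "S_RFC" or not field_allows(a, "ACTVT", "16"):
            continue
        if field_allows(a, "RFC_TYPE", "FUGR") and field_allows(a, "RFC_NAME", fugr):
            return True
        if field_allows(a, "RFC_TYPE", "FUNC") and field_allows(a, "RFC_NAME", fm):
            return True
    return False


def can_reset_password(auths: List[Authorization], user_group: str) -> bool:
    """S_USR_GRP ACTVT 05 (lock/unlock, reset password) over the target's user group."""
    return any(a.obj == "S_USR_GRP"
               and field_allows(a, "CLASS", user_group)
               and field_allows(a, "ACTVT", "05") for a in auths)


def ff_reset_exposure(auths: List[Authorization], ff_user_group: str) -> bool:
    """The combination the post relies on: both halves present."""
    return (can_call_fm_remotely(auths, TARGET_FM, TARGET_FUGR)
            and can_reset_password(auths, ff_user_group))


FF_USER_GROUP = "FFID"   # hypothetical user group of ZFIREFIGHTER

# Constructed: ZFFUSER's roles in the post's scenario. S_USR_GRP 05 is legitimate
# (EAM check-out needs it); SU_USER inside S_RFC is the problem.
ZFFUSER_ROLES = [
    auth("S_USR_GRP", CLASS={"*"}, ACTVT={"02", "05"}),
    auth("S_RFC", RFC_TYPE={"FUGR"}, RFC_NAME={"SU_USER", "SYST"}, ACTVT={"16"}),
]

# Constructed: same user after SU_USER is removed from S_RFC (SYST kept only as an
# illustration of an unrelated group that stays permitted).
ZFFUSER_ROLES_HARDENED = [
    auth("S_USR_GRP", CLASS={"*"}, ACTVT={"02", "05"}),
    auth("S_RFC", RFC_TYPE={"FUGR"}, RFC_NAME={"SYST"}, ACTVT={"16"}),
]

# Constructed: the S_RFC full wildcard many roles still carry.
WILDCARD_RFC_ROLES = [
    auth("S_USR_GRP", CLASS={"FF*"}, ACTVT={"05"}),
    auth("S_RFC", RFC_TYPE={"*"}, RFC_NAME={"*"}, ACTVT={"16"}),
]

if __name__ == "__main__":
    for label, roles in [("as in the post", ZFFUSER_ROLES),
                         ("hardened", ZFFUSER_ROLES_HARDENED),
                         ("S_RFC *", WILDCARD_RFC_ROLES)]:
        print(f"{label:15} exposed={ff_reset_exposure(roles, FF_USER_GROUP)}")
```

Because ACTVT 05 on S_USR_GRP is required for the EAM check-out itself, the only lever the review leaves you is the S_RFC half: a role is exposed as soon as SU_USER, BAPI_USER_CHANGE or a wildcard covering them appears under RFC_NAME.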

Now the password of my FF ID, ZFIREFIGHTER, is “Diego123!”.

Let's try a direct dialog logon as ZFIREFIGHTER (screenshot not reproduced here):

That's as expected: the user exit does not allow the FF ID to log on in dialog.

But let's go back to our RFC destination and set ZFIREFIGHTER as the logon user of the connection (screenshot not reproduced here):

Now let's try a Remote Logon over that destination:

Now I'm logged on with the FF ID and have bypassed the user exit mechanism: the exit is evaluated at dialog logon, and an RFC logon never reaches it.

Note also that, in addition to a remote logon, I can call function modules in the system as the FF ID with the password I set earlier. This can be done from Excel or any other scripting tool that speaks RFC.

If the FF ID itself has enough authorizations, the same BAPI call can be made as the FF ID to reset the password of SAP* (screenshot not reproduced here):

And then I'll be able to log on as SAP*.

If SAP* is locked I can unlock it with a BAPI (BAPI_USER_UNLOCK), and likewise assign SAP_ALL (BAPI_USER_PROFILES_ASSIGN) if it is not assigned.

Well, that's all. I hope you have fun with this and share some ideas 🙂

One important point to note is that this depends on S_RFC authorizations not being properly restricted, but I think the user exit should also somehow cover remote (RFC) logons. What do you think?
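While S_RFC is being cleaned up, the activity described above leaves a detectable trace: a password change on an FF ID and an FF ID logon that have no EAM check-out behind them. The following Python script is an added example for this post (not GRC code) that performs that correlation. The three record types are constructed and normalized; in a real deployment the check-outs would come from the EAM firefighter log, the password changes from the user change documents, and the logons from the Security Audit Log (AU1 dialog and AU5 RFC/CPIC logon events). The FF ID naming prefix, terminal names and timestamps are assumptions.

```python
"""Flag FF ID activity that has no matching GRC EAM check-out.

Added example for this post; not GRC code. Input records are constructed and
normalized: real deployments would pull check-outs from the EAM firefighter log,
password changes from the user change documents, and logons from the Security
Audit Log (AU1 dialog / AU5 RFC logon events)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FF_ID_PREFIX = "ZFIRE"    # assumed naming convention for FF IDs


@dataclass
class Checkout:
    ff_id: str
    ff_user: str             # who checked the FF ID out
    start: datetime
    end: Optional[datetime]  # None while the session is still open


@dataclass
class PasswordChange:
    when: datetime
    target: str
    changed_by: str


@dataclass
class Logon:
    when: datetime
    user: str
    kind: str                # "DIALOG" or "RFC"
    terminal: str


def is_ff_id(user: str) -> bool:
    return user.upper().startswith(FF_ID_PREFIX)


def session_for(checkouts: List[Checkout], ff_id: str, when: datetime,
                slack: timedelta = timedelta(minutes=2)) -> Optional[Checkout]:
    """The check-out that explains an event on ff_id at `when`, or None.
    `slack` covers the password reset EAM performs just before the session starts."""
    for c in checkouts:
        if c.ff_id != ff_id:
            continue
        end = c.end or datetime.max
        if c.start - slack <= when <= end:
            return c
    return None


def find_bypass(checkouts: List[Checkout], pw_changes: List[PasswordChange],
                logons: List[Logon]) -> List[Tuple[str, str, str]]:
    """Return (ff_id, reason, detail) tuples, in input order."""
    alerts = []
    for p in pw_changes:
        if not is_ff_id(p.target):
            continue
        s = session_for(checkouts, p.target, p.when)
        if s is None:
            alerts.append((p.target, "password_set_without_checkout",
                           f"by {p.changed_by} at {p.when:%H:%M}"))
        elif s.ff_user != p.changed_by:
            alerts.append((p.target, "password_set_by_other_user",
                           f"{p.changed_by} during {s.ff_user}'s session"))
    for l in logons:
        if is_ff_id(l.user) and session_for(checkouts, l.user, l.when) is None:
            alerts.append((l.user, f"{l.kind.lower()}_logon_without_checkout",
                           f"from {l.terminal} at {l.when:%H:%M}"))
    return alerts


# Constructed sample day, following the post: one legitimate EAM session in the
# morning, then ZFFUSER resets ZFIREFIGHTER's password with BAPI_USER_CHANGE and
# logs on over RFC in the afternoon with no check-out behind it.
D = datetime(2015, 6, 1)
CHECKOUTS = [Checkout("ZFIREFIGHTER", "ZFFUSER", D.replace(hour=9), D.replace(hour=10))]
PW_CHANGES = [
    PasswordChange(D.replace(hour=8, minute=59), "ZFIREFIGHTER", "ZFFUSER"),  # EAM check-out
    PasswordChange(D.replace(hour=14), "ZFIREFIGHTER", "ZFFUSER"),            # direct BAPI call
    PasswordChange(D.replace(hour=15), "JSMITH", "ADMIN"),                     # not an FF ID
]
LOGONS = [
    Logon(D.replace(hour=9, minute=1), "ZFIREFIGHTER", "RFC", "wks-diego"),
    Logon(D.replace(hour=14, minute=3), "ZFIREFIGHTER", "RFC", "wks-diego"),
    Logon(D.replace(hour=14, minute=5), "ZFFUSER", "DIALOG", "wks-diego"),
]

if __name__ == "__main__":
    for a in find_bypass(CHECKOUTS, PW_CHANGES, LOGONS):
        print(a)
```

Anchoring the rule on EAM's own check-out records rather than on who performed the reset matters in the decentralized model: there the FF user legitimately resets the FF ID password at every check-out, so "changed by a non-GRC account" alone would fire on normal use.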

      1 Comment
      Jakub Cisty

      Hi Diego,

      Did you report this to OSS as an incident? Have you taken some action to secure this, e.g. removed the BAPI_USER_CHANGE authorization from S_RFC?