Critical RFC Authorization Vulnerability

Discover how DefenceMore OCA for SAP identifies and prevents dangerous RFC authorization configurations.

Case Study #003.01

Scenario

An authorization administrator created a new role for a request involving an RFC connection. In that role they added the S_RFC authorization object, but by assigning * to the object's fields they introduced a security vulnerability.

Impact

The S_RFC authorization object controls which function modules a user may execute in this SAP system over RFC, whether the call originates from another SAP system or from a non-SAP system. It contains the fields RFC_TYPE (FUGR for a function group, FUNC for an individual function module), RFC_NAME (the group or module name), and ACTVT (16 = Execute). Assigning * to RFC_NAME means that a user logging on via RFC with this role can call every RFC-enabled function module in the system. Many of these modules perform no authorization check of their own beyond S_RFC, so such a user can read and modify tables, create users, reset passwords, create business partners, submit purchase requisitions, and carry out numerous similar activities without any further control. Note that the S_RFC check itself is only effective when the profile parameter auth/rfc_authority_check is not set to 0; a system where it is disabled is exposed regardless of role content.
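The detection described above, written here as an added example rather than DefenceMore OCA code: it scans role authorization data in the shape of an SAP AGR_1251 export (one row per field value, columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED, which is an assumption about the input format), groups the S_RFC values per authorization, and rates RFC_NAME = * with ACTVT 16 as critical, prefix wildcards or ranges as high, and S_RFC without Execute as low. The sample rows and role names are constructed for illustration.

```python
"""Rate S_RFC authorizations in role data by how broad RFC_NAME is.

Added example, not DefenceMore OCA code. Input rows follow the layout of
an AGR_1251 export (assumed): AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH,
DELETED. Rows flagged DELETED = 'X' are old values and are ignored.
"""
from collections import defaultdict

EXECUTE = "16"  # S_RFC ACTVT value for executing a function via RFC

# Constructed sample data: three RFC roles and one unrelated role.
SAMPLE_AGR_1251 = [
    # AGR_NAME,          OBJECT,   AUTH,         FIELD,      LOW,               HIGH, DELETED
    ("Z_RFC_INTERFACE", "S_RFC",   "T-ABC00100", "ACTVT",    "16",              "",   ""),
    ("Z_RFC_INTERFACE", "S_RFC",   "T-ABC00100", "RFC_NAME", "*",               "",   ""),
    ("Z_RFC_INTERFACE", "S_RFC",   "T-ABC00100", "RFC_TYPE", "*",               "",   ""),
    ("Z_RFC_PAYROLL",   "S_RFC",   "T-ABC00200", "ACTVT",    "16",              "",   ""),
    ("Z_RFC_PAYROLL",   "S_RFC",   "T-ABC00200", "RFC_NAME", "ZHR_PAYROLL_API", "",   ""),
    ("Z_RFC_PAYROLL",   "S_RFC",   "T-ABC00200", "RFC_TYPE", "FUGR",            "",   ""),
    ("Z_RFC_PREFIX",    "S_RFC",   "T-ABC00300", "ACTVT",    "16",              "",   ""),
    ("Z_RFC_PREFIX",    "S_RFC",   "T-ABC00300", "RFC_NAME", "Z*",              "",   ""),
    ("Z_RFC_PREFIX",    "S_RFC",   "T-ABC00300", "RFC_TYPE", "FUGR",            "",   ""),
    ("Z_OLD_ROLE",      "S_RFC",   "T-ABC00400", "RFC_NAME", "*",               "",   "X"),
    ("Z_DISPLAY",       "S_TCODE", "T-ABC00500", "TCD",      "SE16",            "",   ""),
]


def s_rfc_authorizations(rows):
    """Group S_RFC field values per (role, authorization), skipping deleted rows."""
    auths = defaultdict(lambda: defaultdict(list))
    for agr_name, obj, auth, field, low, high, deleted in rows:
        if obj != "S_RFC" or deleted == "X":
            continue
        auths[(agr_name, auth)][field].append((low, high))
    return auths


def classify(fields):
    """Return (level, reason) for the field values of one S_RFC authorization."""
    names = fields.get("RFC_NAME", [])
    actvt = {low for low, _ in fields.get("ACTVT", [])}
    if EXECUTE not in actvt and "*" not in actvt:
        return ("LOW", "S_RFC without ACTVT 16: no RFC execution is granted")
    if any(low == "*" for low, _ in names):
        return ("CRITICAL", "RFC_NAME = *: every RFC-enabled function module or group may be called")
    broad = [f"{low}-{high}" if high else low for low, high in names if high or low.endswith("*")]
    if broad:
        return ("HIGH", "RFC_NAME uses wildcard or range values: " + ", ".join(broad))
    return ("OK", "RFC_NAME is limited to explicit values")


def find_broad_s_rfc(rows, report_levels=("CRITICAL", "HIGH")):
    """Return findings for every S_RFC authorization rated at one of report_levels."""
    findings = []
    for (role, auth), fields in s_rfc_authorizations(rows).items():
        level, reason = classify(fields)
        if level in report_levels:
            findings.append({"role": role, "auth": auth, "level": level, "reason": reason})
    # CRITICAL sorts before HIGH alphabetically, so the worst findings come first.
    return sorted(findings, key=lambda f: (f["level"], f["role"]))


if __name__ == "__main__":
    for f in find_broad_s_rfc(SAMPLE_AGR_1251):
        print(f"{f['level']:8} {f['role']:18} {f['auth']}  {f['reason']}")
```

In a real review the export would come from table AGR_1251 (or from a role transport) and the rows for one role should be compared against the previous version, since the dangerous change is usually a value edited from an explicit name to *; the classification above is deliberately conservative and does not treat a missing RFC_TYPE as a finding.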

DefenceMore OCA Capabilities

DefenceMore OCA's A009 control detects and reports when the S_RFC authorization object is assigned to a role with critical field values. The A016 control lists the details of the most recently created roles, so the newest role can be reviewed as soon as it appears. The A022 control lists all authorization objects assigned to a role together with their field values. The A018 control captures and lists critical RFC calls made from external systems.

Related Checks

  • A009 RFC Authorization
  • A016 Last Created Roles
  • A022 Last Modified Roles
  • A018 Critical RFC Calls