HR Module Authorization Vulnerability

Learn how DefenceMore OCA for SAP identifies critical HR module authorization risks and prevents unauthorized access to sensitive data.

Case Study #003.02

Scenario

An authorization administrator accidentally created a role for an employee that assigns critical-level parameter values to the P_ORGIN and P_ORGINCON authorization objects, which control access to infotypes in the Human Resources module.

Impact

P_ORGIN and P_ORGINCON are the main authorization objects that enable access to infotypes in the Human Resources module. Users who hold these authorizations at a critical level will gain access to sensitive data.

DefenceMore OCA Capabilities

DefenceMore OCA's A012 control checks the parameter values assigned to the P_ORGIN and P_ORGINCON authorization objects and lists the roles that were created with critical-level values. The K005 and K006 controls list access to payment information: if an employee has accessed tables containing payment data, that access is recorded. The A022 control lists every authorization object assigned to a role, together with its parameter values. Additionally, the A018 control captures and lists critical RFC calls made from external systems.
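As an added illustration of the kind of check A012 performs (example code written for this page, not DefenceMore's own implementation): it scans exported role authorizations for P_ORGIN and P_ORGINCON and flags wildcard values and write access to every infotype. The field names are SAP's; the sample roles and the "critical" criteria are assumptions.

```python
from dataclasses import dataclass, field

# Field names of the two HR authorization objects (SAP field names; PROFL exists
# only on P_ORGINCON).
FIELDS = {
    "P_ORGIN":    ("INFTY", "SUBTY", "AUTHC", "PERSA", "PERSG", "PERSK", "VDSK1"),
    "P_ORGINCON": ("INFTY", "SUBTY", "AUTHC", "PERSA", "PERSG", "PERSK", "VDSK1", "PROFL"),
}
WILDCARD = "*"

@dataclass
class Authorization:
    role: str
    obj: str
    values: dict = field(default_factory=dict)  # field name -> value maintained in the role

def critical_findings(auths):
    """Return one finding per P_ORGIN/P_ORGINCON authorization that is critical.

    Assumed criteria (not the product's own definition): a '*' on any field, or
    AUTHC of 'W'/'*' combined with INFTY '*' (write access to every infotype).
    """
    findings = []
    for a in auths:
        if a.obj not in FIELDS:          # only the two HR objects are checked here
            continue
        wild = sorted(f for f in FIELDS[a.obj] if a.values.get(f) == WILDCARD)
        write_all = (a.values.get("INFTY") == WILDCARD
                     and a.values.get("AUTHC") in (WILDCARD, "W"))
        if wild or write_all:
            findings.append({"role": a.role, "object": a.obj,
                             "wildcard_fields": wild, "write_all_infotypes": write_all})
    return findings

# Constructed sample: three roles as they might be exported from role maintenance.
SAMPLE = [
    Authorization("Z_HR_PAY_CLERK", "P_ORGIN",
                  dict(INFTY="0008", SUBTY="", AUTHC="R", PERSA="1000",
                       PERSG="1", PERSK="DU", VDSK1="")),
    Authorization("Z_HR_ALL", "P_ORGIN", {f: "*" for f in FIELDS["P_ORGIN"]}),
    Authorization("Z_HR_CONTEXT", "P_ORGINCON",
                  dict(INFTY="*", SUBTY="", AUTHC="W", PERSA="1000",
                       PERSG="1", PERSK="DU", VDSK1="", PROFL="Z_HR_STRUCT")),
    Authorization("Z_HR_ALL", "S_TCODE", dict(TCD="PA20")),  # not an HR object, skipped
]

if __name__ == "__main__":
    for finding in critical_findings(SAMPLE):
        print(finding)
```

Only the narrowly scoped clerk role passes; the two roles with wildcard or write-all values are reported with the offending fields so they can be reviewed and corrected.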

Related Checks

  • A009 RFC Authorization
  • A016 Last Created Roles
  • A022 Last Modified Roles
  • A018 Critical RFC Calls