[1595] in SAPr3-news


Re: External Security for SAP

daemon@ATHENA.MIT.EDU (Ben Coonfield)
Mon Jul 29 07:07:35 1996

To: sapr3-news@MIT.EDU
Date: Mon, 29 Jul 1996 02:37:16 +0000
From: Ben Coonfield <BEN_COONFIELD@wow.com>

Jim Hawthorne wrote:
> 
> Most replies I've had on SAP security have been unbelievable - i.e
> you can't stop developers from accessing the system, or if you give
> people SE38 there is NOTHING you can DO. !!!! This would technically
> make running the HR module in the U.K ILLEGAL to say nothing of most
> of the credit checking facilities and dunning letters in FI.!  ...
> Cheers   Jim Hawthorne

Per my understanding, this is entirely correct.  If a person has the 
ability to create or update an ABAP program, then you have already given 
away all of the keys to your system.  The answer?  Don't let *anyone* 
have ABAP access on your production system, and be careful to review 
programs being migrated.  Also, as you note, do not allow *anyone* to 
have any sort of logon access to a UNIX box on which SAP production 
runs, except your most trusted basis support staff.

Many kinds of security checks can be built into an ABAP program.  
However, they can all be bypassed easily by anyone with ABAP access.  
Anything you can add by writing ABAP code can be removed or bypassed 
with more ABAP code.

There are several kinds of audit trails, which could probably tell you 
after the fact what happened.

If you have any ideas to improve the situation, say so, but I believe 
the steps above are the only way to enforce security policies.

I'm not familiar with the UK Data Protection Act, but most applications 
I have seen have similar exposures.  
-- 

Ben Coonfield (BCoonfield@wow.com)
Opinions expressed do not represent my employer, or anyone else, and
might not even be my own after I think it over.  Please do not quote or
forward this message without permission.  Thanks.
