Re: [sap-security] Impact of customized transaction on GRC rule set


Posted by sapvish (SQA)
on Mar 6 at 10:40 AM
Hello

I too was expecting a few words of advice on this topic. The CC rule engine will
not scan any called tcode for SoD unless it has an entry in S_TCODE, and SAP
is aware of this limitation.
Following the best practice of including an auth check while calling standard
tcodes can help, and a report with the name Embedded Action Calls in Programs
of SAP System in Informer-->Audit Reports-->Miscellaneous will let you know
where all the usages of standard tcodes in any program are.

But then it is something which is going unnoticed in CC reporting; the only way
I can see to enforce it is by duplicating the customized tcode in the
function (there might be some other way which I am not aware of).


Regards,
Vishal



On Sat, Feb 27, 2010 at 5:38 AM, GRCQuest via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by GRCQuest
> on Feb 26 at 1:40 PM
> Hi
>
> We are currently using GRC CC 4.7 and I am struggling with the number of
> new customized transactions that I have to add to the existing functions,
> which in turn generates thousands of new rules. Many of our customized
> transactions are variants of standard transactions, and there is ABAP code
> that actually calls the standard transactions. You can actually see them in
> an ST01 trace. However, the transactions being called are often not required in
> the users' profiles, and I suspect it is because there is no ABAP code to
> enforce the authorization check. The reason I am interested in this is that
> when the called transaction is compulsory, the user must have the standard
> transactions in their profiles. Since the called (standard) transactions are
> already governed by the standard rule set, I reason that there is no need to
> duplicate them with rules for the corresponding customized transactions. In
> other words, the customized transactions are governed vicariously via the
> standard transactions' rules.
>
> Based on this concept, I would like to pressure our development folks to
> include an authorization check for called transactions whenever a standard
> transaction is called to complete the process. I would like your opinion on whether
> this is considered a reasonable request. I would also like to hear from other
> CC users with similar issues and the various techniques they use to hold
> down the growing number of customized CC rules.
>
> Thanks
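An added illustration of the practice both posters describe (not code from either of them or from SAP): a custom report behind a Z-transaction that performs an explicit S_TCODE check before CALL TRANSACTION, so the standard tcode becomes a hard requirement in the user's profile and the standard rule set, which is keyed on S_TCODE, covers the custom transaction as well. The report name ZGRC_CALL_STD_TCODE and the target VA01 are assumed.

```abap
*&---------------------------------------------------------------------*
*& Report ZGRC_CALL_STD_TCODE (hypothetical name, added example)
*& Custom program behind a Z-transaction that hands off to a standard
*& transaction. Explicitly checking S_TCODE for the target makes the
*& standard tcode a hard requirement in the user's profile, so the
*& standard rule set (keyed on S_TCODE) covers the Z-tcode as well.
*&---------------------------------------------------------------------*
REPORT zgrc_call_std_tcode.

" Standard transaction reached from the custom program (assumed: VA01)
CONSTANTS gc_std_tcode TYPE sy-tcode VALUE 'VA01'.

START-OF-SELECTION.
  PERFORM call_with_auth_check USING gc_std_tcode.

*---------------------------------------------------------------------*
* Weak form, as described in the thread: the called tcode is never
* checked against S_TCODE, so CC only sees the Z-tcode and the user
* does not need VA01 in any role or profile.
*---------------------------------------------------------------------*
FORM call_unchecked USING iv_tcode TYPE sy-tcode.
  CALL TRANSACTION iv_tcode.   " no S_TCODE check for the target here
ENDFORM.

*---------------------------------------------------------------------*
* Hardened form: require S_TCODE for the target before calling it.
* Any non-zero sy-subrc means the user is not authorized (4 = the
* authorization is missing from the user's buffer).
*---------------------------------------------------------------------*
FORM call_with_auth_check USING iv_tcode TYPE sy-tcode.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD iv_tcode.
  IF sy-subrc <> 0.
    " Abort with an error; the failed check is then visible in SU53
    " and in an ST01 authorization trace, which is what auditors expect.
    MESSAGE 'No authorization for the called standard transaction'
      TYPE 'E'.
  ENDIF.
  CALL TRANSACTION iv_tcode.
ENDFORM.
```

On releases from ABAP 7.40 SP02 onward the addition `CALL TRANSACTION ... WITH AUTHORITY-CHECK` performs this S_TCODE check for you; the explicit form above is what was available on the 2010-era systems discussed in the thread.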
Copyright © 2010 Toolbox.com and message author.