What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...
Programmers are valuable assets to a company, yet bored programmers can be plain trouble.
I can reassure you that adventurous programmers initially intend to simply have some fun and stimulate their senses a bit, before going back to their real tasks. That being said, I can also assure you that what begins as an innocent harmless adventure, may not end happily ever after.
Fact: most programmers can easily take over an inactive user account. In fact, all it takes are just 3 moves. Let me lay out the general sequence of actions for you:
Step 1: Identify a dormant user account using T-Code: SE16 (Table Browser) and Browse Table: USR02 (Logon Data)
Step 2: Add SAP_ALL and Change Password and Unlock User T-Code: SU01 (Maintain User)
Step 3: Login as a new user – so all activities are now performed under another user's name
Now what, you ask? Well, according to our customers, salaries and invoices seem to interest programmers very much. So here are examples of what can happen next:
Example 1 – check how much you boss earns
Once a programmer has succeeded to login to the SAP system as a new user, viewing salaries is very simple:
T-Code: PA30 (Maintain HR Master Data)
Infotype: 0008 (Basic Pay), "Display"
Yes, most programmers are "shocked" to find out that their boss makes so much more money than they do.
Example 2 – discover company's highest invoices
Once in SAP, what harm would it do (ponders the programmer) if the details of the highest invoices are revealed? Retrieving this data is easy:
T-Code: SE16 (Table Browser), Browse table: BKPF_BSAD (Customer financial documents)
Document type = DZ (customer payment), Amount > 1,000,000
If the company is doing well (the programmer continues to ponder), why not ask for a raise, or let others know?
When things go too far
At times the innocent and harmless programmers get used to playing around and become bored once again. Sometimes they are tempted to take things even a step further (for their own personal – and wrongful – benefit). This time, their exploring around might end up in transferring money to the programmer's account instead of to the vendor's. Yes you are reading my thoughts correctly: fraud, security breach, etc.
I don't want to complicate things more; however do you remember that the programmer is using an actual legitimate account instead of his/her own? This means that these activities are practically untraceable, and even if eventually traced, so much time has surely gone by, that reacting to such incidents becomes painfully impossible and pointless.
In my previous post I promised to suggest an effective solution for adventurous programmers. So here we go:
Alerts Alerts Alerts!
Let's revisit the 3 moves in which a programmer can take over an account. Now, let's see how this can be prevented
step-by-step with the right alerts.
Step 1 can be prevented by receiving an alert if an employee made use of the following:
T-Code SE16 with table USR02 (Logon data)
Irregular use of T-Code SU01 (Change User)
Step 2 can be avoided if alerts are sent out for:
Usage of sensitive T-Code SU01 (Maintain User)
Adding high risk authorization profile SAP_ALL
Irregular behavior of user
Step 3 (if a programmer reached this step) can be stopped with alerts for:
Usage of sensitive T-Code: PA30 (HR Master Data)
Irregular behavior of user
Sophisticated and automated alerts ensure that taking over an inactive user account does not go unnoticed.
What about the invoices?
Alerts for the following:
Usage of sensitive T-Code SE16 (Table Browser) with sensitive tables: BKPF* (Financial Docs), etc.
There are many alerts for preventing an attempt to transfer money dishonestly, see a few examples:
Irregular activity of a user
Usage of sensitive T-Code: F110 (Payment Run)
Activating Debugging mode
Remember to stay alert
Smart, customized and real-time alerts are the key to implementing a proactive approach to security in any organization. Don't leave room for blunders. Even the best of programmers can go bored...
Visit again soon... I still owe you some insights on how to enable justified access to the production environment without compromising on security.