Andreas Wiegenstein

Dr. Markus Schumacher

SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
Ten golden rules for coding authorization checks in ABAP
 Click to edit Master text styles
March 18, Heidelberg

 Second level
 Third level
 Fourth level
 Fifth level

©
© 2014
2011 Virtual
2014 Virtual Forge
Forge GmbH
GmbH || www.virtualforge.com
www.virtualforge.com || All
All rights
rights reserved.
reserved.
My car, my house, my boat, …

Andreas Wiegenstein (Twitter: @codeprofiler)

 Click to edit Master text styles
 Founder of Virtual Forge (Heidelberg), responsible for R&D
 Second level
 SAP Security Researcher, active since 2003
 Third level
 Received Credits from SAP for 66 reported 0-day Vulnerabilities
 Fourth level
 Speaker at international Conferences
 Fifth level
 SAP TechEd (USA & Europe), DSAG (Europe)
 BlackHat (Europe), Hack in the Box (Europe)
 Troopers (Europe), IT Defense (Europe), RSA (USA)
 Co-Author of „Sichere ABAP Programmierung" (SAP Press, 2009)
 Co-Author of "ABAP Best Practices Guideline (DSAG, 2013/2014)
 Created training class WDESA3 (ABAP Security) @ SAP University

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Authorizations in Custom Code

 Click to edit Master text styles

 Second level
 Third level
 Fourth level
 Fifth level

Ongoing survey, results as of March 12, 2014

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #1

Perform authority checks

 Click to edit Master text styles
General advice
 Second level
 Check with your business department, if (and which) authorizations
 Third level
are required in order to execute the business logic you provide.
 Fourth level
 As a fallback, analyze code that is similar to your business process for
 Fifth level
authorization checks.
 If authority checks are required for your custom business logic, add
them to your code.

On average there are 866 missing authority checks in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #1

Perform authority checks (cont’d)

 Click to edit Master text styles
Specific advice

 Second level
Don't rely on S_RFC authorizations. They only determine, *if* a function module can be
invokedremotely.
Third level
They are by no means related to the specific business logic of your
custom code.You don't want
Fourth users with S_RFC * authorizations to be able to issue
level
purchase orders or to raise someone's salary. Auditors don't like this either...
 Fifth level
 Don't rely on authorization groups assigned to reports. They are usually coarse
grained, as the same authorization group is used for multiple programs. And they are not
necessarily related to the specific business logic of your custom code.
 Always check start authorizations when using CALL TRANSACTION, as no implicit start
authorization check is performed by the kernel.
 Function module AUTHORITY_CHECK_TCODE
 Since 740: CALL TRANSACTION … WITH AUTHORITY-CHECK

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #2

Perform authority checks according to SAP standard functionality

 Click to edit Master text styles
General advice
 Second level
 Always use functionality based on the ABAP command AUTHORITY-
 Third level
CHECK in order to perform authorization checks.
 Fourth level
 Fifth level
(A common bad practice is to base authorizations on usernames.)

On average there are 187 hard-coded username checks in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #3

Check the result of an authority check

 Click to edit Master text styles
General advice
 Second level
 Always check the result of sy-subrc after you perform an
 Third level
AUTHORITY-CHECK. sy-subrc with value zero means authorization
 Fourth level
sufficient.
 Fifth level
 Since other ABAP commands also change sy-subrc, make sure to
perform the sy-subrc check *immediately* after the AUTHORITY-
CHECK.

On average there are 13 broken authority checks in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #4

Perform authority checks for the user that is actually logged on

 Click to edit Master text styles
General advice
 Second level
 Only check the authorization of the currently logged on user
 Third level
(by avoiding the optional parameter FOR USER).
 Fourth level
 Fifth level
On average there are 2 ‘alias’ authority checks in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #5

Always use APIs instead of AUTHORITY-CHECK, if they exist

 Click to edit Master text styles
General advice
 Second level
 Always use specialized API functions for authorization checks instead of
 Third level
AUTHORITY-CHECK.
 Fourth level
 Fifth level
Specific advice
 Use AUTHORITY_CHECK_TCODE instead of S_TCODE
 Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH

On average there are 92 insufficient authority checks in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #6

Declare all fields of the authorization object

 Click to edit Master text styles
General advice
 Second level
 Always use specialized API functions for authorization checks instead of
 Third level
AUTHORITY-CHECK.
 Fourth level
 Fifth level
Specific advice
 Always make sure to specify all fields of the authorization object you check.
 If there are fields you don't want to check, mark them as DUMMY in order to
make your intentions explicit.

No meaningful statistical information available at this time.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #7

Don't use DUMMY values in important fields

 Click to edit Master text styles
General advice
 Second level
 Do not use DUMMY values in important authorization fields like 'ACTVT'
 Third level
 Fourth level
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
 Fifth level

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #8

Don't program privileging authorization checks

AUTHORITY-CHECK
Click toOBJECT
edit'S_DEVELOP'
Master text styles
 Second level
ID 'DEVCLASS' FIELD '*'
ID 'OBJTYPE' FIELD 'PROG'

 Third level
ID 'OBJNAME' FIELD lv_prog
ID 'P_GROUP' DUMMY " Field not required in this context
 Fourth level
ID 'ACTVT' FIELD '03'.

IF sy-subrc = 0.
 Fifth level
READ REPORT lv_prog INTO lt_code.
ENDIF.

General advice
 Avoid "*" values in authorization fields, as they force administrators to grant
unnecessarily high privileges to users

On average there are 2 privileging authority checks (ACTVT) in custom code.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #9

Make authorization checks early in your business logic

 Click to edit Master text styles
General advice
 Second level
 If an authorization check is required for a given business logic, it should be
 Third level
checked as early as possible
 Fourth level
 Fifth level
No meaningful statistical information available at this time.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Golden Rule #10

Perform authorization checks in order to avoid dumps

 Click to edit Master text styles
Specific advice
 Second level
 Always make sure to test for S_DATASET and S_PATH authorizations before
 Third level
you open a server-side file.
 Fourth level
 Fifth level
No meaningful statistical information available at this time.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Further Information

 Click to edit Master

Blog Post textrules
“Ten golden styles
for ABAP authorization checks”

 Second level
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
 Third level
 Fourth level
 Fifth level

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Thank you
Click to editfor your text
Master attention
styles
 Second level
 Third level
 Fourth level
 Fifth level

Andreas Wiegenstein
CTO

Twitter: @codeprofiler

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
 Click to edit Master text styles
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained
 Second level
in this document serves informational purposes only.

The authors  Third

assume level
no responsibility for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
 Fourth
This document is provided withoutlevel
a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
 Fifth level
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document.

No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.

© 2014 Virtual Forge GmbH.

©
© 2014
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.