Do Security Notes Live Up to Their Name?
On the second Tuesday of each month, SAP releases new Security Notes. Many SAP administrators install these patches relatively quickly – but are they putting too much faith in the security they provide?
In OSS Note 1908870 - SACF | Workbench for Switchable Authorization Scenarios, SAP has developed a central solution for "switchable" authorization verification that makes it possible to conduct authorization checks for adapted functions only after they are activated by the customer. The idea is to reduce the effect on established authorization concepts.
Unfortunately, very few customers know that patches and enhancements designed in this way will remain inactive once this OSS Note is implemented. In other words, enhanced authorization checks that are meant to reduce risk can’t perform their intended function. The result? The corresponding security hole can still be exploited!
In our newest SAP Security blog post, AKQUINET expert Ralf Kempf explains how to close this security gap.