Business partners and the sneaky back door of the F4 search help: How to protect your sensitive data

SAP offers a consolidated data object, the business partner, to simplify the management of sensitive master data for customers, suppliers, and employees. This simplification also poses dangers, however. Therefore, all companies that plan to migrate to SAP S/4HANA should familiarize themselves with the business partner concept ahead of time.

 

Business partner concept poses risk to master data security

Users who have access to business partner data (transactions BP and BUP3) see much more in the F4 search help than they are authorized to see. This is because the search help provides information about the general master data in the business partner, independently of user authorization. Since this involves personal data, it must be classified as highly critical overall.

When an SAP user uses the F4 search help in transaction BUP3, they may gain access to sensitive data, regardless of which authorizations they have been assigned. This must be prevented at all costs. The first step toward solving the problem is the authorization object B_BUPA_GRP, which is contained in the SAP package BUPA. This object consists of two fields: “Activity” and “Authorization Group”. The “Activity” field determines which activities are allowed, while the “Authorization Group” field defines which business partner group these activities apply to.

Play it safe and install the corresponding SAP Note

To eliminate the vulnerability, install SAP Note 2441447 as the second step. After you implement the SAP Note, the system checks the authorization object B_BUPA_GRP with activity (ACTVT) F4 and the corresponding authorization groups when the search help is opened. From then on, the display contains only the master data that the user is authorized to see. Sensitive data is now secure and no longer accessible. For more information, refer to SAP Note 2441447.
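Once the note is in place, what a user sees in the F4 search help depends on which roles carry B_BUPA_GRP with ACTVT F4, and for which authorization groups. The following is an added example, not code from this post or from SAP: it audits a constructed role export for that combination. The AGR_1251-style column layout, the technical field name BEGRU for “Authorization Group”, and all role names and group values are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in an assumed AGR_1251-style layout
# (role, object, authorization instance, field, value). Not real data.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW
Z_BP_DISPLAY_SALES,B_BUPA_GRP,T_BP00001,ACTVT,03
Z_BP_DISPLAY_SALES,B_BUPA_GRP,T_BP00001,ACTVT,F4
Z_BP_DISPLAY_SALES,B_BUPA_GRP,T_BP00001,BEGRU,CUST
Z_BP_HR_MAINT,B_BUPA_GRP,T_BP00002,ACTVT,*
Z_BP_HR_MAINT,B_BUPA_GRP,T_BP00002,BEGRU,EMPL
Z_BP_ALL,B_BUPA_GRP,T_BP00003,ACTVT,F4
Z_BP_ALL,B_BUPA_GRP,T_BP00003,BEGRU,*
Z_BP_NO_F4,B_BUPA_GRP,T_BP00004,ACTVT,03
Z_BP_NO_F4,B_BUPA_GRP,T_BP00004,BEGRU,EMPL
Z_FI_POST,F_BKPF_BUK,T_FI00001,ACTVT,01
"""


def f4_groups_by_role(export_text):
    """Map each role to the authorization groups it can list via F4."""
    instances = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "B_BUPA_GRP":
            key = (row["AGR_NAME"], row["AUTH"])
            instances[key][row["FIELD"]].add(row["LOW"])
    result = defaultdict(set)
    for (role, _auth), fields in instances.items():
        # Fields are evaluated together within one authorization instance,
        # and "*" in ACTVT covers F4 as well.
        if fields["ACTVT"] & {"F4", "*"}:
            result[role] |= fields["BEGRU"]
    return dict(result)


def wildcard_f4_roles(export_text):
    """Roles whose F4 authorization is not limited to named groups."""
    by_role = f4_groups_by_role(export_text)
    return sorted(r for r, groups in by_role.items()
                  if any("*" in g for g in groups))


if __name__ == "__main__":
    for role, groups in sorted(f4_groups_by_role(SAMPLE_EXPORT).items()):
        print(role, sorted(groups))
    print("review:", wildcard_f4_roles(SAMPLE_EXPORT))
```

Roles returned by `wildcard_f4_roles` are the ones to review first, since a wildcard authorization group gives the search help the same breadth it had before the note.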

Tip: We have summarized several things you need to watch out for when installing an SAP Note in our blog post Do Security Notes Live Up to Their Name?

Don’t lose track of SAP security during your SAP S/4HANA transition

As a result of the abundance of tasks they have to perform, SAP system owners face major challenges. The transfer of customer and supplier master data during the migration process is often highly complex. Our experience shows that data security is often given a low priority – especially on time-intensive projects. This can have fatal consequences.

If you need additional consulting support to secure important master data in your SAP systems, contact us. Visit our website or send us an e-mail – we will be happy to advise you.

Adrian Lehment (Junior SAP Consultant, SAST SOLUTIONS)

 
