
Security Breach or Easier Business Process SBO? License and Authorization Concern

Former Member

Hi All,

This is my first post, and seemingly significant. I am looking for opinions from SAP Business One Partners and Customers on a specific topic.

I have logged an incident with SAP Global Support where they illustrated this is intended System Behaviour.

The concern has to do with licensing and authorizations. As we all know, security is very important, but what if there is a potential flaw in SBO? I am trying to see where everyone stands and see if our company is by any means being too paranoid.

For the sake of argument we have the following, and I am urging all to attempt this themselves:

Create a Demo Environment of SAP (SAP standard is fine, the problem exists in all versions and patch levels)

2 Users (Create two Users)

1 license required (1 professional License)

Open two sessions of Business One on the same computer (Session 1 and Session 2)

Session One log in as manager

Create two users, UserA and UserB

UserA = Give this user a professional license, but NO access to the Chart of accounts (Under Authorizations in the Administration Module)

UserB = NO license, but Full authorizations for everything (including the Chart of Accounts).

Tab to the second session of Business One (Session 2)

Log in as User A (In the second tab)

Click on Form settings to Show the Chart of Accounts under Financials

Click on Chart of Accounts

You should receive a Permission Override (as UserA does not have access to the Chart of Accounts)

In the permission override enter UserB's credentials (who does NOT have a license but was granted authorizations)

You will see that User A will be granted access to the COA

I would really appreciate everyone's comments on this

Thanks,

Samantha Niton

Accepted Solutions (0)

Answers (1)


former_member227598
Active Contributor

Hi Niton,

1. USER A has a professional license, but NO access to the Chart of Accounts as per attached screen.

2. Whereas USERB has no license, but full authorizations for everything.

3. When you log in as User A and click on Chart of Accounts, the system checks whether the current login user has the authorization to access the Chart of Accounts or not.

4. If not, then the system displays the screen "Permission Override". Then, for any entered user which has full access control, with user code and password, at that time the system checks the access authorization control and user code with password details only.

5. But when you are trying to log in individually by using the USER B user, then the system checks the license part.

Rgds,

Kamlesh Naware

Former Member

Hi Kamlesh,

You are on the right track in reproducing this concern. Thank you for your response, I would love to hear your opinion once you reproduce this.

1. USER A has a professional license, but NO access to the Chart of Accounts as per attached screen. (Correct)

2. Whereas USERB has no license, but full authorizations for everything. (Correct)

3. When you log in as User A and click on Chart of Accounts, the system checks whether the current login user has the authorization to access the Chart of Accounts or not.

(Yes, and UserA does not have permission, so it will bring up the permission override)

4. If not, then the system displays the screen "Permission Override". Then, for any entered user which has full access control, with user code and password, at that time the system checks the access authorization control and user code with password details only.

(Yes, but THIS is where you enter UserB's credentials, the individual who does NOT have a license... but full authorizations.)

5. But when you are trying to log in individually by using the USER B user, then the system checks the license part.

(You do not log in with UserB  in this example, you  simply grant override access as mentioned Above)

Our concern is that UserB does not have a license, yet he or she is able to allow access to a restricted module. Is there a need for concern here?

This functionality can be considered efficient and effective; however, we also feel it can be very dangerous. My example uses the Chart of Accounts, but what if this was with Cheque printing, as it exists for ALL components of Business One.

Let me know what your thoughts are; we want to see if other people think of this as problematic.

-Samantha

Illumiti One

Former Member

Also,

Once this issue is reproduced, change something (the currency of an account, for example) in the COA as UserA.

Log in as manager in a simultaneous session and look at the change log for that account in the COA... UserA changed the account, but UserA can also very well argue that

"I don't have authorizations for it so I couldn't have changed this"

There is NO trail to see who authorized this action, and it is in a loop.

EFT is also very concerning!

What does everyone else think!?

-Samantha Niton

Illumiti One Inc.
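To make the two concerns in this thread concrete (an override accepted from a user with authorizations but no license, and a change log that records only the acting user, so nobody can tell who authorized the change), here is an added model in Python. It is not SAP Business One code and does not call any SAP API; the `User` records, `grant_access`, `reconcile_change_log` and the sample users are constructed for this illustration. The "weak" path mirrors the behaviour the posters describe; the "hardened" path is one possible design (require a licensed approver and write the approver into the audit record), shown for comparison, not a description of what SAP does. The reconciliation function shows the check an auditor can run today: any change-log entry made by a user who lacks authorization for that object, with no approver recorded, can only have come through an override and should be investigated.

```python
from dataclasses import dataclass, field

# Constructed data model for the illustration; nothing here is an SAP structure.
@dataclass
class User:
    code: str
    password: str                 # plain text only because this is a model
    licensed: bool
    authorized: set = field(default_factory=set)   # objects the user may open

@dataclass
class Decision:
    allowed: bool
    reason: str

def _override_approver(override, users, obj, require_license):
    """Return the approver User if the override credentials are acceptable, else None.

    With require_license=False this is the behaviour described in the thread:
    only user code, password and authorization for the object are checked."""
    if not override:
        return None
    code, password = override
    approver = users.get(code)
    if approver is None or approver.password != password:
        return None
    if obj not in approver.authorized:
        return None
    if require_license and not approver.licensed:
        return None
    return approver

def grant_access(actor, obj, users, change_log, override=None, hardened=False):
    """Decide whether `actor` may open `obj`, appending an audit record on success.

    hardened=False: approver need not be licensed and is NOT written to the log
                    (the gap the thread complains about).
    hardened=True:  approver must be licensed and is written to the log."""
    if obj in actor.authorized:
        change_log.append({"object": obj, "user": actor.code, "approver": None})
        return Decision(True, "own authorization")
    approver = _override_approver(override, users, obj, require_license=hardened)
    if approver is None:
        return Decision(False, "no authorization and no valid override")
    change_log.append({"object": obj, "user": actor.code,
                       "approver": approver.code if hardened else None})
    return Decision(True, f"override by {approver.code}")

def reconcile_change_log(change_log, users):
    """Flag entries that could only have come from an override but name no approver."""
    flagged = []
    for entry in change_log:
        user = users[entry["user"]]
        if entry["object"] not in user.authorized and entry["approver"] is None:
            flagged.append(entry)
    return flagged

def build_users():
    # Constructed sample users matching the thread's scenario.
    return {
        "manager": User("manager", "m-pw", licensed=True, authorized={"COA", "Cheques"}),
        "UserA": User("UserA", "a-pw", licensed=True, authorized=set()),
        "UserB": User("UserB", "b-pw", licensed=False, authorized={"COA", "Cheques"}),
    }

def demo():
    users = build_users()
    weak_log, hard_log = [], []
    user_a = users["UserA"]
    # Weak flow: UserA opens the COA via unlicensed UserB's credentials.
    weak = grant_access(user_a, "COA", users, weak_log, override=("UserB", "b-pw"))
    # Hardened flow: the same override is refused; a licensed manager's is accepted and logged.
    hard_b = grant_access(user_a, "COA", users, hard_log, override=("UserB", "b-pw"), hardened=True)
    hard_m = grant_access(user_a, "COA", users, hard_log, override=("manager", "m-pw"), hardened=True)
    return {
        "weak_allowed": weak.allowed,
        "weak_unattributed_entries": len(reconcile_change_log(weak_log, users)),
        "hardened_unlicensed_override_allowed": hard_b.allowed,
        "hardened_manager_override_allowed": hard_m.allowed,
        "hardened_recorded_approver": hard_log[-1]["approver"],
        "hardened_unattributed_entries": len(reconcile_change_log(hard_log, users)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the weak flow granting access and leaving one change-log entry that cannot be attributed to any authorizer, while the hardened flow refuses the unlicensed approver, accepts the licensed manager, and records "manager" on the entry so the reconciliation check comes back empty. Until the product records the approver itself, the reconciliation step is the practical control: run it over the change log and the authorization matrix and treat every flagged entry as an override that needs an explanation.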