on 11-26-2015 4:39 PM
Hi All,
This is my first post, and seemingly significant. I am looking for opinions from SAP Business One Partners and Customers on a specific topic.
I have logged an incident with SAP Global Support where they illustrated this is intended System Behaviour.
The concern has to do with licensing and authorizations. As we all know, security is very important, but what if there is a potential flaw in SBO? I am trying to see where everyone stands and see if our company is by any means being too paranoid.
For the sake of argument we have the following and I am urging all to attempt this themselves:
Create a Demo Environment of SAP (SAP standard is fine, the problem exists in all versions and patch levels)
2 Users (Create two Users)
1 license required (1 professional License)
Open two sessions of Business One on the same computer (Session 1 and Session 2)
Session One log in as manager
Create two users, UserA and UserB
UserA = Give this user a professional license, but NO access to the Chart of accounts (Under Authorizations in the Administration Module)
UserB = NO license, but Full authorizations for everything (including the Chart of Accounts).
Tab to the second session of Business One (Session 2)
Log in as User A (In the second tab)
Click on Form settings to Show the Chart of Accounts under Financials
Click on Chart of Accounts
You should receive a Permission Override (as UserA does not have access to the Chart of Accounts)
In the permission override enter UserB's credentials (who does NOT have a license but is granted authorizations)
You will see that User A will be granted access to the COA
I would really appreciate everyone's comments on this
Thanks,
Samantha Niton
Hi Niton,
1. USER A has a professional license, but NO access to the Chart of Accounts as per the attached screen.
2. Whereas USER B has no license, but full authorizations for everything.
3. When you log in as User A and click on Chart of Accounts, then the system checks whether the current login user has the authorization to access the Chart of Accounts or not.
4. If not, then the system displays the screen "Permission Override". Then for any entered user which has full access control, with user code & password, at that time the system checks the access authorization control & user code with password details only.
5. But when you are trying to log in individually by using the USER B user, then the system checks the license part.
Rgds,
Kamlesh Naware
Hi Kamlesh,
You are on the right track in reproducing this concern. Thank you for your response, I would love to hear your opinion once you reproduce this.
1. USER A has a professional license, but NO access to the Chart of Accounts as per the attached screen. (Correct)
2. Whereas USER B has no license, but full authorizations for everything. (Correct)
3. When you log in as User A and click on Chart of Accounts, then the system checks whether the current login user has the authorization to access the Chart of Accounts or not.
(Yes, and UserA does not have permission, so it will bring up the permission override)
4. If not, then the system displays the screen "Permission Override". Then for any entered user which has full access control, with user code & password, at that time the system checks the access authorization control & user code with password details only.
(Yes, but THIS is where you enter UserB's credentials, the individual who does NOT have a license... but full authorizations.)
5. But when you are trying to log in individually by using the USER B user, then the system checks the license part.
(You do not log in with UserB in this example, you simply grant override access as mentioned Above)
Our concern is that UserB does not have a license, yet he or she is able to allow access to a restricted module. Is there a need for concern here?
This functionality can be considered efficient and effective; however, we also feel it can be very dangerous. My example uses the Chart of Accounts, but what if this was with cheque printing, as it exists for ALL components of Business One?
Let me know what your thoughts are; we want to see if other people think of this as problematic.
-Samantha
Illumiti One
Also,
Once this issue is reproduced, change something (the currency of an account, for example) in the COA as UserA.
Log in as manager in a simultaneous session and look at the change log for that account in the COA... UserA changed the account, but UserA can also very well argue that
"I don't have authorizations for it so I couldn't have changed this"
There is NO trail to see who authorized this action, and it is in a loop.
EFT is also very concerning!
What does everyone else think!?
-Samantha Niton
Illumiti One Inc.
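The two-user scenario from this thread as a constructed Python model, added here and not SAP code or anything posted by the participants: login checks the license, the override path checks only credentials and authorization, and the default change log records only the acting user. The `hardened` flag shows the two checks a defender would want on top of that: license-checking the override user and recording the approver in the log. User codes and passwords are made up.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    code: str
    password: str
    licensed: bool
    authorizations: set = field(default_factory=set)

@dataclass
class ChangeLogEntry:
    obj: str
    changed_by: str
    authorized_by: str = ""  # empty = the override approver was not recorded

class AuthModel:
    def __init__(self, users, hardened=False):
        self.users = {u.code: u for u in users}
        self.hardened = hardened  # True: override user needs a license and is logged
        self.change_log = []

    def login(self, code, password):
        u = self.users.get(code)
        if u is None or u.password != password:
            raise PermissionError("bad credentials")
        if not u.licensed:  # per the thread, the license is only checked here
            raise PermissionError("no license")
        return u

    def change_object(self, actor, obj, override=None):
        approver = ""
        if obj not in actor.authorizations:
            if override is None:
                raise PermissionError("permission override required")
            code, password = override
            ov = self.users.get(code)
            if ov is None or ov.password != password or obj not in ov.authorizations:
                raise PermissionError("override rejected")  # credentials + authorization only
            if self.hardened:
                if not ov.licensed:
                    raise PermissionError("override user holds no license")
                approver = ov.code  # keep a trail of who approved the action
        entry = ChangeLogEntry(obj, actor.code, approver)
        self.change_log.append(entry)
        return entry

def reproduce(hardened=False):
    # constructed users: UserA licensed, no COA access; UserB unlicensed, full access
    model = AuthModel([User("UserA", "pwA", True), User("UserB", "pwB", False, {"COA"})], hardened)
    user_a = model.login("UserA", "pwA")  # UserB could not log in here: no license
    return model.change_object(user_a, "COA", override=("UserB", "pwB"))
```

In the default mode `reproduce()` returns a log entry naming only UserA with no approver, which is the missing trail the thread describes; in hardened mode the same override is refused because UserB holds no license.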