How to secure file

Hi
I'm coding. I want to secure my file so that nobody can make changes in it. Can you tell me how?
Thanks.

Hi rani patil ji,
Please see the link below:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/37bef2c0-0d01-0010-58ac-d1286bb09b6
Securing files in ABAP
After doing all kinds of ABAP work for many years, it's often amusing for me to see a system such as SAP R/3 being so vulnerable and so unprotected from attacks and sabotage. The system has very strong security mechanisms, so complicated that it probably takes years to build up the experience to manage all that, but those things can be used to restrict access for normal users. Anyone who wants to target it can find some ways, combining existing functionality, holes not closed by administrators, probably complemented by social engineering. It seems that it's just because normally the people that have access to such a system are too busy to screw it up. But what if some nicely behaved, well paid consultant is actually looking to sell your data? Or if someone unhappy with the very wise executive decision to let a crowd of folks go look for another job wants to say the "last word"? The fact is, and I like to repeat it every time I hear that someone has decided to strip us of some authorisations, that anyone with some technical SAP experience will always find a way. Or let's say, "most likely" will.
Before I go further, let me give a couple of notices:
Some things discussed below were actually tried by me, on various versions of SAP. It can happen that some trick I tried several years ago is already blocked by SAP. I never want to try certain tricks again: it's not good, and I don't have my own SAP system to play with. I assume no responsibility for the results of trying those innocent tricks.
The first thing that you learn as an ABAPer is that you can read the data directly from SAP database tables. And not only read, but also update. Direct updates, unless done on the customer's own tables, in theory can break the SAP warranty. But we have to do this from time to time, and there is nothing simpler that can screw up the whole system. Just one line of code. But hey, it's not only about sabotage! What about messing with the accounting? Or changing your own user account information? During the SAP boom days (end of the 90s), code to get yourself the best authorisation available in the system was circulating over the Net. Simple updates of USR* tables. The guy who wrote it pulled it back later because he didn't feel well about it.
Most companies have a policy of not allowing direct updates of SAP tables, but not every company enforces it through a QA process. I remember how I learned that direct updates are not good. It was probably a couple of months after I took my BC400 course that I got the task of programming a mass update of customer master data. I think it was that simple update of KNVV that got my change back from QA with a big red cross. Good work! That's when I also understood how important quality assurance is.
The next funny thing you learn as an ABAP programmer is that there are some "system variables". And also that they can be manipulated too. What is especially useful is changing the value of the return code SY-SUBRC after a failed authorisation check. Yes, you need to be authorised to change values in the debugger, but this is what we all have in development systems, and for some limited periods even in production. No big deal if it's dev? But it can be a good starting point and a gate to other systems! And it brings even more fun if, when doing some nasty update, you change the "current user ID" to be stored as "who has updated it" to someone other than yourself!
Though at some critical points SAP checks the authorisation other than with the standard authority-check and SY-SUBRC, most of the time it's still the good old return code, and it doesn't look like it's going to change. But why should we ABAPers care if, under the debugger, we can change almost any SAP program without asking SAP or our admin for an access key. Just jump over it! (Kind of open source: feel free to modify if you need to!) Then, why not transport this change to the productive system if management thinks that having QA folks go through each modified piece of code that is going to be transported is a waste of corporate money? As if it's not the code that runs the enterprise blood through the servers.
But it's not only the code. There is a useful transaction SE16N, where SAP has implemented a command ("&sap_edit") that allows you to modify just any table in SAP. The command name implies that it's "internal use only" and should be reserved for SAP support folks, but I have never seen it ask whether I am an SAP employee. Oh, there are "change documents" that they use to track all those changes, but there is also a menu item to delete them, and after all, why not play with the table storing them directly? OK, to do all those things you need to be authorised, but don't give up: there are the debugger (see above) and other tricks (see below) that get us there.
That was about changing the data, but sometimes even reading can be considered the biggest sin. At some point in an SAP career, everyone will see "authorisation hysteria". It starts with some global effort to strip us of our rights. Sure, we developers should be hanged after seeing some secret production data, so to prevent the mass executions, they first revoke the rights for standard "business" transactions. Then, normally several years after that, someone says hey! Those potentially bad bad guys have SE16 and can view data from just any table! Oh my! Now we set the authorisations for each table. S_TABU_DIS is the cure! And the tables are gone for us, forever. No, wait! We have database views! And many other things that you get using the where-used list for the table in question in SE11 (a "very special" SAP feature nearly unknown to professional accountants). There is even more. There are hundreds of function modules in SAP, and the chances always are that after investing some time into research, but still considerably less than we spend explaining that if we are supposed to analyse production problems we need some more authorisation to do that, we can find some magic function module that, being called directly in SE37, gives us the data we need. And don't forget that very often developers are given rights to schedule background jobs that run with any user they want and then read the output. No limits. It can be helped only by a different authorisation process, where everything in a system is really integrated. For example, database views inherit the authorisation of tables, and SELECTs check things like S_TABU_DIS automatically. But the overhead of doing that will probably make the systems unusable.
As so many things can be done if we get enough authorisations, one would ask "what's the big deal?" Just stop giving the debug-with-change authorisation away and this will save the system from abuse. Well, there are always countermeasures. Each system has some special users that have special authorisations. And frequently those users are maintained as the default login user for some RFC connection. One very well known example is the user of the APO CIF interface. Till mid-2006, it was general advice from SAP to give that interface user SAP_ALL authorisation. Now, years after introducing CIF, they have issued an OSS note that describes a safer setup. But in a system that still has the old setup, or has some other user for interfacing with other systems, there are fancy things one can do with that. You need just a debug session without change authorisation and some RFC-capable function on the target system. A good one is, for example, RFC_READ_TABLE, which is present on all systems regardless of which applications are installed. When called under the debugger in SE37 with the appropriate RFC destination, the function jumps into the target system, and your session does this together with it. The place to watch is the function SFCS_FA_FUNCTION_INVOCE, where the remote call happens. If you follow the cross-system call with "Step Into", you can then open a new window on the target system that will be running not with your poor user, but with that special one! While this is a very common approach to interfacing two systems, if a special authorisation comes into question, then building the interface with an intermediate system to prevent abuse of RFC could solve the problems, but the complexity will be the price to pay.
The next inviting feature of SAP is the ability to run operating system commands on the application server. This can be done either with the function SXPG_COMMAND_EXECUTE or directly with CALL SYSTEM. The former does some security checks to prevent running some commands that can harm the system, but this check is of course very limited, as SAP can never know what command is dangerous on your system. The most dangerous thing of all is that the command will be run as a subprocess, with the same OS user as that of the SAP instance. Which means you can run a process with the same OS authorisations as SAP, having access to the same data etc. The most simple sabotage, stopping SAP at the most needed moment (scheduled by cron if it's running on UNIX), is obviously stupid, but what about manipulating some files (e.g. with data for or from external systems) or even transport files? With transport files, it's not as straightforward as it used to be, as now the files are compressed (in older versions, you could modify program source code right in the transport files), but if they are not encrypted, they can be used to implement custom logic directly or plant back doors for later.
You are not convinced because all you can do is run a single command? Well, this single command can get you a terminal window on your PC, running a shell on the application server! Just install an X server on the PC and launch something like xterm on the app server, setting the display parameter to the PC; it takes several seconds. X applications like xterm are present in all default UNIX installations. If SAP is running on a Windows machine, it's no better, because you can always have a Cygwin environment (the same one used to get an X server on your PC), and all you need is to transfer several files to the SAP server, which can be done easily with direct FTP, file upload functions or network shares. As soon as you get a terminal, running other things becomes much easier! Unless some knowledgeable admin restricts the authorisations to the maximum extent, erases unneeded OS applications from the server and, best of all, restricts the network connections between the server and the rest of the network. Interfaces could use some TCP ports that are opened only between certain machines on the network, and the rest closed for more security. But I don't believe anyone in the world is doing that. That's a waste of corporate money and a loss of convenience after all!
Let's say we got some hole to get through. What can be done in some short time? For sure, we'll want to plant a backdoor to ease our later activity. No system has better resources for that. They could set the system level to productive to forbid the changes, they kick us with developer keys and object access keys. But all we need is just one ABAP command, INSERT REPORT. Surprisingly, this one doesn't care at all what program you are going to modify. THERE ARE NO CHECKS! It can be anything, anywhere, including the production system, and on execution, SAP doesn't care if you don't have development authorisation. So, we'll start with that, having that one line hidden in some nice customer program, sneak through the absent or sleepy QA procedures and we are ready for the next assignment.
All those simple tricks above can be dealt with and the holes can be closed. But because doing that requires some effort, and knowledge and money are important prerequisites, most likely we will live with that for years from now. Which is not really bad: if we save some time when analysing a production problem, we'll probably have more time to do a proper code review, and do many other things right. There should be more tricks and I'll be glad to know and discuss them (for fun, not for breaking!), so any comments will be very welcome.
Regards,
Karthik
Please reward me points if the above is useful to you.
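The quoted article's recurring point is that a QA step that actually reads the code is what catches direct table updates, SY-SUBRC tampering, INSERT REPORT and OS command calls before they reach production. The scanner below is an added example of such a review check; it is not code from this thread, from SAP, or from the quoted article. It works purely on source text (no data dictionary lookup), so the customer-namespace test (names starting with Z or Y) and the INDEX/TRANSPORTING hint for internal tables are heuristics, and the ABAP sample program, its table names and the rule identifiers are constructed for the example.

```python
"""Static review check for ABAP sources (added example, not SAP code).

Flags, per statement: direct Open SQL writes to tables outside the Z/Y
customer namespace (USR* user tables reported separately), INSERT REPORT,
CALL 'SYSTEM' and SXPG_COMMAND_EXECUTE, and assignments to SY-SUBRC/SY-UNAME.
Text-only heuristic: an internal table whose name is outside Z/Y is only
recognised as such by the INDEX/TRANSPORTING additions."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, statement text)

# Statement-level rules; ABAP keywords are case-insensitive.
RULES = [
    ("insert-report", re.compile(r"^INSERT REPORT\b", re.I)),
    ("call-system", re.compile(r"^CALL 'SYSTEM'", re.I)),
    ("os-command", re.compile(r"^CALL FUNCTION 'SXPG_COMMAND_EXECUTE'", re.I)),
    ("sy-field-assign",
     re.compile(r"^(?:SY-(?:SUBRC|UNAME) =|MOVE .+ TO SY-(?:SUBRC|UNAME)\b)", re.I)),
]
# Open SQL write statements; group 1 is the table name.
DB_WRITE = re.compile(
    r"^(?:UPDATE|MODIFY|DELETE FROM|INSERT(?: INTO)?) (\w+)"
    r"(?: FROM| SET| VALUES| WHERE| CLIENT|$)", re.I)
INTERNAL_TABLE_HINT = re.compile(r"\b(?:INDEX|TRANSPORTING)\b", re.I)
CUSTOMER_NAMESPACE = re.compile(r"^[ZY]", re.I)


def strip_comments(line: str) -> str:
    """'*' in column 1 comments out the line; a double quote outside a
    string literal starts an inline comment."""
    if line.startswith("*"):
        return ""
    out, in_string = [], False
    for ch in line:
        if ch == "'":
            in_string = not in_string
        elif ch == '"' and not in_string:
            break
        out.append(ch)
    return "".join(out)


def split_statements(source: str) -> List[Tuple[int, str]]:
    """Yield (line of first token, statement) pairs. A statement ends at a
    period outside a string literal and may span several lines."""
    statements, buf, start = [], [], None
    for lineno, raw in enumerate(source.splitlines(), 1):
        in_string = False
        for ch in strip_comments(raw):
            if start is None and not ch.isspace():
                start = lineno
            if ch == "'":
                in_string = not in_string
            if ch == "." and not in_string:
                statements.append((start, " ".join("".join(buf).split())))
                buf, start = [], None
            else:
                buf.append(ch)
        buf.append(" ")  # a line break separates tokens
    return [(n, s) for n, s in statements if s]


def scan(source: str) -> List[Finding]:
    """One finding per statement that matches a rule."""
    findings: List[Finding] = []
    for lineno, stmt in split_statements(source):
        for rule_id, pattern in RULES:
            if pattern.search(stmt):
                findings.append((lineno, rule_id, stmt))
                break
        else:
            match = DB_WRITE.match(stmt)
            if match and not INTERNAL_TABLE_HINT.search(stmt):
                table = match.group(1).upper()
                if table.startswith("USR"):
                    findings.append((lineno, "direct-update-user-table", stmt))
                elif not CUSTOMER_NAMESPACE.match(table):
                    findings.append((lineno, "direct-update-sap-table", stmt))
    return findings


# Constructed sample program for the scanner; not a real customer program.
SAMPLE_SOURCE = """\
REPORT zreview_sample.
* constructed sample for the scanner
DATA: lt_kna1 TYPE TABLE OF kna1,
      ls_kna1 TYPE kna1.
SELECT * FROM kna1 INTO TABLE lt_kna1 UP TO 10 ROWS.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE16'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorised' TYPE 'E'.
ENDIF.
sy-subrc = 0.                        " overrides the check result
UPDATE zcustomer SET flag = 'X' WHERE id = '1'.   " own table: allowed
UPDATE usr02 SET uflag = '0'
  WHERE bname = sy-uname.            " direct write to a user table
MODIFY lt_kna1 FROM ls_kna1 INDEX 1. " internal table: not a DB write
INSERT REPORT 'ZPAYROLL_POST' FROM lt_source.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
  EXPORTING commandname = 'ZCLEANUP'.
"""

if __name__ == "__main__":
    for lineno, rule_id, stmt in scan(SAMPLE_SOURCE):
        print(f"line {lineno:3d}  {rule_id:26s}  {stmt}")
```

Run against the sample it reports five statements (the SY-SUBRC assignment, the USR02 update, INSERT REPORT, CALL 'SYSTEM' and the SXPG call) and stays quiet on the Z-table update, the internal-table MODIFY and the commented-out line. In a real QA pipeline the same scan would run over every object in a transport request, with each finding needing a reviewer's sign-off rather than blocking automatically, since some of these statements are legitimate in tightly scoped programs.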

Similar Messages

  • How can I remove secure files from the trash? I tried clicking away the secure notification in Info, but still I can't remove them. Is there a button combination to use?

    If you are unable to empty the trash, try holding the Option key while selecting Empty Trash.
    Otherwise, some steps in the following link may help you.
    http://support.apple.com/kb/ht1526

  • How to configure java.security file to run j2ee programs

    Hi,
    I am using Sun ONE Application Server to run my J2EE programs.
    Please tell me how to configure the java.security file inside my app server so that I can run my servlet program that is using the JSSE API to create SSL sockets.
    I am not able to follow what's there in the java.security file. Kindly tell me how to configure it.
    Waiting for your replies!
    Thanks,
    Akshatha

  • HT3275 How do I find/restore files from items in secure home folder? How do I find/restore files that crashed when in finder of secure (File Vault) home folder?

    How do I find/restore files from items in a secure (File Vault) home folder? How do I find/restore files that crashed when in the Finder of a secure (File Vault) home folder? When I go into Time Machine, I see earlier dates but can't see files in my User File. I have File Vault turned on and see my home folder as a sparsebundle. Do I need to restore this in order to see files in my home folder? When I click on it to restore, it gives me an estimated time of over 2 hours. Also tried to restore an Excel file I was working on when the computer hung, so lost it without saving or naming it. Does it exist anyplace and can I restore it?

    Thanks. I had pretty much figured out from other posts that I had better turn off File Vault for my home folder and use a Disk Utility sparse bundle for the little information I wanted to secure. The information about File Vault 2 in Lion was new and useful though.

  • How to browse files in time capsule from outstate?

    I presume by outstate you mean remote access, i.e. from the internet in a different location?
    If so, Google for remote access time capsule.
    It is simple if you have the TC set up as the main router and a static public IP.
    Just go to Finder, Go, Go to Server and type in AFP://IPofTC
    The TC has to be checked to allow WAN access, and use a decent password, as the security for AFP is poor.

  • Cant get com.apple.security.files.user-selected.read-only entitlement to work

    Hey, I am curious: how can I get the compiled .ipa file for iOS to be able to read all the directories on the iPhone?
    I made a file browser but I can't get to the pictures.
    I tried adding the entitlements in Flash Builder 4.6 in the descriptor file like this:
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.assets.movies.read-only</key>
    <true/>
    <key>com.apple.security.assets.pictures.read-only</key>
    <true/>
    in the
      <iPhone>
            <Entitlements>
            <![CDATA[
    I got push notifications working and accepted in the App Store, but it can't read the pictures directory when browsing for a file.
    I know the app ID and stuff is set up right or I wouldn't have been able to get it accepted in the App Store. In the entitlements area of course I have the application identifier set and aps-environment and keychain access groups and whatnot set up right.
    When I try to put the app onto the iPhone with iTunes it just says 'Entitlements are not valid' (does not mention anything about mismatched IDs). I can't find anything about how to add this entitlement, and I could have sworn I saw a thing in some of the documentation that said I can just use the descriptor file to add entitlements. I have it set to use AIR 3.4.
    Is there something I am doing wrong? How do I get Apple to just put these entitlements in the mobileprovision file? I can't seem to edit it; if I do I also get an error in iTunes that is some hex code...

    Did you ever solve your problem?
    I just transferred my web hosting and e-mail to Bluehost. I had some of the same problems you are having. I noticed you have your incoming server set to Bluehost.
    Incoming mail server: (SSL) box610.bluehost.com (server requires authentication, which I already have done)
    If Bluehost is your server, this is what worked for me:
    Account Information
    Account type: POP
    Description: anything you want
    Email Address: in your case would be [email protected]
    Full name: first and last name
    Incoming server: mail.magnus.com
    User name: [email protected] Notice it is the @ symbol, not a +
    Password: your password. Remember they are case sensitive
    Outgoing Mail server: select Edit SMTP Server List from the drop-down window
    Select the + to add a server
    Account Information
    Description: may be left blank
    Server name: mail.magnus.com
    TLS Certificate: None
    Advanced
    Use default ports
    Check Use SSL
    Authenticate: password
    Username: [email protected]
    Password: your password
    Click OK
    In the accounts window
    Outgoing SMTP: select the server you just created.
    Check: use only this server
    Select the Advanced tab next to the Mailbox Behaviors
    Check Use SSL: it will be port 995
    Authenticate: use password
    Ann

  • Oracle secure files

    Does anyone know if there is documentation from Oracle on how to set up the 11g DB SecureFiles database and store files per the 11g SecureFiles method in UCM 10gR3? There is documentation for the filestore provider and for getting the database to store content, but it does not store things per the 11g SecureFiles way.
    Edited by: DanKoz on Nov 11, 2009 7:13 AM

    ad #1 - yes, but it is not a specific feature of FSP - UCM just has a table which has a column of BLOB type (?) and SecureFiles will take care of it
    ad #2 - for 50000 docs you won't see much difference in performance. However, check this post: Database base storage stress test, especially the last comment

  • MaxL - Export Security File Command

    Hi,
    Ours is a Planning application - Classic - version 11.1.2.0.
    I have a requirement where I need to get all the information regarding security defined on dimensions, data forms etc. The reason we are looking for this is so that we can compare the overlap (if any) of security given to any particular user, who might end up being in two groups (in Shared Services) where each group has different access/permissions.
    For instance: there is a user who has access to two data forms, and say on one form he needs write access to Actuals and on the other he should just have read access to Actuals. This user is in two groups, and in one group he has been given write access to Actuals but in another group he was given read access to Actuals. So, based on this, the "Write" permission will be dominant and he would be getting write access in both places, which might not be efficient.
    So, to avoid such situations I need to know all the security overlaps in a readable format. I did go through the Export Security File command, but I am not sure if it would give me all the details I need. I did read the tech ref but couldn't get all the information. Will this command help to achieve my requirement? Are there any other better methods?
    Please let me know your ideas. Any help is appreciated.
    ~ Adella
    Edited by: Adella on Sep 15, 2011 10:16 AM

    Thank you John for your prompt response.
    I don't know why I didn't think of this when I was thinking about this issue... I mean I knew of this utility but it didn't strike me for some reason... sorry about that, but I think this would help me :)
    I also have another question. I don't know if I should have posted it as another post, but please let me ask here.
    Does the dimension-level security applied on Planning data forms also work on reporting?
    We have situations where a user needs to work on data forms as well as work on reports. In data forms he should just be able to see part of the customers, but when working with reports he should be able to see all customers. So, if I have two groups in Shared Services, one group for reports and another one for Planning, and this user is in both groups, how would it work?
    Will it overlap at some point? Or will it be two different things, since for one group we would provision him as a planner for an application and in the reporting group he would be playing some other role? I am a little confused on this as ultimately it is the same user.
    Please let me know.
    ~ Adella

  • Display system security file fragmentation_percent

    Hi - I'm trying to run the MaxL command to display how fragmented my security file is, but in the log I keep getting this error message about 'Syntax error near security'. I am on Essbase 7.0
    OK/INFO - 1051034 - Logging in user planning.
    OK/INFO - 1051035 - Last login on Monday, March 01, 2010 11:59:39 AM.
    OK/INFO - 1241001 - Logged in to Essbase.
    MAXL> display system security file fragmentation_percent;
    ERROR - 1242021 - (1) Syntax error near ['security'].
    MAXL> alter application 'UAT2NYPF' enable connects;
    OK/INFO - 1056013 - Application UAT2NYPF altered.
    MAXL> logout;
    User planning is logged out
    MaxL Shell completed

    Is there anything that can be done, in terms of maintenance, for the security file for Essbase 7.0?
    Over the weekend, our server guys rebooted the Essbase server, and the Essbase service never came up this morning. I launched Essbase in the command prompt and it gave me an error message about a bad security file.
    I replaced the security file from a backup, but if these corruptions can be avoided by doing maintenance on the security file, then I am looking for some ways to automate that maintenance process on a bi-weekly basis.
    Thanks
    Edited by: CLAU on Mar 1, 2010 9:56 AM
    Edited by: CLAU on Mar 1, 2010 10:10 AM

  • Yosemite on MacBook Air - Third time installed, now will not be startup disk.  Disk Utility says OK. Disk Warrior says 375 pages of bad .plist files.  How delete plist files?

    What does "Accessibility" mean?

    Had the same problem; finally realized that the FileVault encryption was stuck at 19%. Speed back up to normal after I disabled FileVault using the terminal command sudo fdesetup disable
    To check whether FileVault is the culprit, go to System Preferences --> Security & Privacy --> FileVault to see if encryption is in progress. For me the blue bar was less than a quarter with status 'estimating time remaining'.
    Then open Terminal and type in: sudo fdesetup disable
    It will then ask for the admin password (it asked me twice), then it was disabled... Back to normal life again.
    Here is my terminal log for reference:
    Last login: Tue Oct 21 23:05:13 on console
    Gowthams-MBP:~ asgowtham$ fdesetup status
    FileVault is On.
    Encryption in progress: Percent completed = 18.80
    Gowthams-MBP:~ asgowtham$ fdesetup status
    FileVault is On.
    Encryption in progress: Percent completed = 18.80
    Gowthams-MBP:~ asgowtham$ fdesetup status
    FileVault is On.
    Encryption in progress: Percent completed = 18.80
    Gowthams-MBP:~ asgowtham$ sudo fdesetup disable
    Password:
    Enter a password for '/':
    ..fdes.
    FileVault has been disabled.
    Gowthams-MBP:~ asgowtham$ fdesetup status
    FileVault is Off.

  • Security file comparison

    Dear All,
    Our security file crashed and we used the backup copy to recover it. The date of the backup copy shows it is the one from the prior day. I don't think there will be much difference, and we reviewed the log and can find no security changes during the day.
    But our management team asks us to compare the two files and report the difference...
    Do you have any good idea to compare the 2 files?

    Well, your comparison is always going to be off, isn't it? One file is good, the other corrupt -- they have to be different, don't they?
    I would be extra sure to have a backup of the .bak file before I did any of this as Essbase has a tendency to write a copy of Essbase.bak on start up and it would be a shame to overwrite your last good copy.
    If the original file will still let you start Essbase up (usually this isn't the case, but you might get lucky), you can dump the contents of the Essbase.sec in three ways:
    1) Start Essbase in a window, and issue the DUMP command -- that will write the information out to a text file.
    2) I think you can do this from EAS, but for the life of me can't remember how -- right click on the security node and select export? I don't have EAS in front of me.
    3) Use MaxL's export security_file command.
    One other thing to consider -- if you use security externalized to Shared Services, most of your security is there, not in Essbase.sec, so you might want to think about comparing what was in Shared Services versus what is there today.
    Regards,
    Cameron Lackpour

  • How to secure an iPad from improper use?

    Hi everyone - We are thinking of providing our sales reps with iPads to use as product catalogs (by opening a PDF file) however we wish to restrict them from doing anything else. Is there an app or something which would enable us to restrict the tablet in this way?
    Thanks a lot

    The only option would be to set up the iPad to open a PDF reader app as the sole app in Guided Access:
    http://support.apple.com/kb/HT5509
    That's the only way you can limit an iPad to using only a single app. That would seem to make the iPad rather overkill, if all you want is for them to be able to read PDFs. Something like one of the base-model Kindles might be better suited to the task.
    Regards.

  • Security file Migration

    Hi all, I am working on Essbase 6.5 on Windows NT. Now we are going to migrate this server to a Unix machine. I have to migrate my cfg, applications, databases etc. But there is a little confusion I have, i.e. what should I do with the security file? Can we transfer this file as usual, as it is on NT, or should we dump this file and then recreate all the users? But this wouldn't be easy to do. Suggest how we can migrate my applications to Unix from NT. Thanks in advance.

    Vishal,
    Stop the Essbase service
    dump the security file
    load the dump into a database using DTS, Informatica etc.
    use SQL to generate MaxL commands (e.g. create user etc.) from the data dump; use default passwords for all users
    copy the results into a MaxL file
    run the MaxL file
    test using any login
    ask users to change their passwords
    you should be ok
    Sanjay

  • Cant' find how-to-security-jaas.zip

    Where is the download location for how-to-security-jaas.zip? Here is the URL for the how-to, but no download.
    http://otn.oracle.com/tech/java/oc4j/htdocs/how-to-security-JAAS.html
    The date on the how-to is 2001. Can anyone tell me if this information is still up to date?
    Thanks,
    Alan

    The how-to article is still there, but this file is nowhere to be found. I also wanted to use this to confirm some of the JAZN functionality. I tried a few things to get the file, but no go. I've spent some time on this, either supply the file or remove the article.
    The file in question is: how-to-security-jaas.zip
    Thanks.

  • Creating security file

    Hi gurus, I am new to Essbase.
    Once the security file is corrupted, what are the steps to recreate the security file in Essbase?
    Thanks in advance

    Go to a backup or rename one of the other sec files in the Essbase bin directory,
    or maybe have a read of How to Regenerate the Essbase.sec file
    Cheers
    John
    http://john-goodwin.blogspot.com/
