
Monday, June 13, 2011

SAP Note 1232490 - Authorization check SE80 for where-used list

Symptom
In the result list of the where-used list, you can display source code in different ways. In addition to the immediate display of a strictly limited part (for example, a line of ABAP code), you can extend this part by expanding it, and you can then view it in its context. However, from the result list of a where-used list, you can also go to display mode or change mode for a hit. This takes you to the relevant processing tool for the workbench object. These tools also often have separate transaction codes. In many cases, you can access them only using the Object Navigator (transaction SE80).

Therefore, the authorization to execute transaction SE80 is of central importance for the assignment to developer profiles.

Even before the where-used list is called, both when it is called directly in transaction SE84 and when it is called from other transactions (for example, transaction SE16N), the system therefore checks whether an authorization to start the Object Navigator (transaction SE80) is assigned to your user profile.



Other terms
Where-used list


Reason and Prerequisites
The required authorization checks are missing.


Solution
Implement the corrections using the Note Assistant, or import the relevant Support Package.
The system will then check the authorization for transaction SE80 before calling the where-used list.

For releases lower than Release 46C, you can implement the 46C correction instructions for the modules REPOSITORY_INFO_SYSTEM_SET and RS_EU_CROSS.
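As an added example, not the note's own correction code, the check the corrected modules perform before calling the where-used list, written as a small ABAP report; the class and method names are constructed here.

```abap
REPORT zdemo_where_used_guard.

TYPE-POOLS abap.

CLASS lcl_where_used_guard DEFINITION.
  PUBLIC SECTION.
    " abap_true if the current user may start the Object Navigator (SE80)
    CLASS-METHODS may_start_se80
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_where_used_guard IMPLEMENTATION.
  METHOD may_start_se80.
    " Same authorization the kernel checks on transaction start:
    " object S_TCODE, field TCD = transaction code
    AUTHORITY-CHECK OBJECT 'S_TCODE'
      ID 'TCD' FIELD 'SE80'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      " sy-subrc 4: authorization missing; other values: check could not run
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_allowed TYPE abap_bool.
  " Run the check before the where-used list is called, whether the entry
  " point is SE84 or another transaction such as SE16N
  lv_allowed = lcl_where_used_guard=>may_start_se80( ).
  IF lv_allowed = abap_false.
    MESSAGE 'No authorization for transaction SE80' TYPE 'E'.
  ENDIF.
  " ... the call of the where-used list would follow here
```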

Affected Releases

Software Component | Release | From Release | To Release | And subsequent
-------------------|---------|--------------|------------|---------------
SAP_APPL           | 30      | 31I          | 31I        |
SAP_APPL           | 40      | 40B          | 40B        |
SAP_APPL           | 45      | 45B          | 45B        |
SAP_BASIS          | 46      | 46C          | 46C        |
SAP_BASIS          | 60      | 620          | 640        |
SAP_BASIS          | 70      | 700          | 702        |
SAP_BASIS          | 71      | 710          | 720        |

Correction delivered in Support Package

Support Packages | Release | Package Name
-----------------|---------|-------------
SAP_APPL         | 31I     |
SAP_APPL         | 40B     |
SAP_APPL         | 45B     |
SAP_BASIS        | 46C     |
SAP_BASIS        | 620     |
SAP_BASIS        | 620     |
SAP_BASIS        | 640     |
SAP_BASIS        | 640     |
SAP_BASIS        | 700     |
SAP_BASIS        | 700     |
SAP_BASIS        | 701     |
SAP_BASIS        | 701     |
SAP_BASIS        | 702     |
SAP_BASIS        | 710     |
SAP_BASIS        | 710     |
SAP_BASIS        | 711     |
SAP_BASIS        | 711     |

Correction Instructions

Correction Instruction | Valid from | Valid to | Software Component | Last Modification
-----------------------|------------|----------|--------------------|--------------------
                       | 620        | 701      | SAP_BASIS          | 24.10.2008 17:57:58
                       | 710        | 711      | SAP_BASIS          | 18.07.2008 12:07:56
                       | 46C        | 46C      | SAP_BASIS          | 18.05.2009 13:40:33
                       | 31I        | 31I      | SAP_APPL           | 15.01.2010 09:58:24
                       | 40B        | 45B      | SAP_APPL           | 15.01.2010 09:57:52

Direct Link : https://service.sap.com/sap/support/notes/1232490

SAP Note 1235367 - Missing authority check in APO transaction.

Symptom

For the maintenance of planning-relevant characteristic combinations, only display and change rights can be checked (object C_APO_FUN, functions S_CHARC and C_CHARC); there is no way to limit user rights for deletion.


Other terms
maintain CVCs, C_APO_FUN


Reason and Prerequisites
It might be useful to limit user rights for deletion of CVCs.


Solution
A new authorization object C_APO_CVC is created with fields ACTVT and APO_PSTRU. The following activities can be set: create CVCs, display CVCs, delete CVCs.
This authorization object is added to the objects checked by function module /SAPAPO/MCP_PERMISSION_CHECK2.
The behaviour of characteristic combination maintenance will not change if the new object C_APO_CVC is not assigned to any user, since the original object C_APO_FUN with function S_CHARC/C_CHARC is still checked. In addition, the new object C_APO_CVC is also checked.

Note 1262016 has been created to check C_APO_CVC at other points where a user might be able to maintain CVCs.

If the system does not allow you to create the new authorization object (SAP namespace), you can import the attached files (102842.zip contains K102842.A3P and R102842.A3P), which contain the authorization object. The procedure is described in Note 13719.

Manual activities:
Start transaction SU21, select the object class 'APO', and from the context menu choose 'Create Authorization Object'.

Enter
Object = C_APO_CVC
Text   = APO Authorization Object: CVC Maintenance

Choose fields
ACTVT Activity
APO_PSTRU Planning Object Structure ID

Maintain 'Permitted Activities', marking the following entries:
01 Create or generate
03 Display
06 Delete

Maintain 'Authorization Object Documentation':
Definition
'You can use the authorization object C_APO_CVC to specify whether a user can maintain characteristic value combinations of a planning object structure in Demand Planning.

The rights that you assign here refer to all CVCs of a planning object structure, and not to individual CVCs.'

Defined fields
'The ACTVT field is available for maintaining the authorization object C_APO_CVC. You can choose the following activities for the ACTVT field:

01 (Create): Create CVCs

03 (Display): Display CVCs

06 (Delete): Delete CVCs


The APO_PSTRU field defines the planning object structure for which the user is allowed to execute the activities maintained in ACTVT.'
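An added example, not part of the note or of the /SAPAPO/ function modules it names, showing how the object created above is checked from ABAP: the activity values and field names are those defined in the note, while the class, method names and the planning object structure IDs are constructed for this illustration (the ID length is assumed).

```abap
REPORT zdemo_cvc_authority.
TYPE-POOLS abap.
" Planning object structure ID; the length is an assumption for this demo
TYPES: ty_pstru     TYPE c LENGTH 30,
       ty_pstru_tab TYPE STANDARD TABLE OF ty_pstru WITH DEFAULT KEY.

CLASS lcl_cvc_authority DEFINITION.
  PUBLIC SECTION.
    " Activity values exactly as maintained for C_APO_CVC in SU21
    CONSTANTS: gc_create  TYPE c LENGTH 2 VALUE '01',
               gc_display TYPE c LENGTH 2 VALUE '03',
               gc_delete  TYPE c LENGTH 2 VALUE '06'.
    " May the current user perform iv_actvt on the CVCs of iv_pstru?
    CLASS-METHODS is_allowed
      IMPORTING iv_actvt TYPE c
                iv_pstru TYPE ty_pstru
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Mass deletion: keep only the structures the user may delete CVCs from
    CLASS-METHODS deletable_structures
      IMPORTING it_pstru TYPE ty_pstru_tab
      RETURNING VALUE(rt_pstru) TYPE ty_pstru_tab.
ENDCLASS.

CLASS lcl_cvc_authority IMPLEMENTATION.
  METHOD is_allowed.
    " The right refers to all CVCs of a planning object structure,
    " not to individual CVCs, so the structure ID is the second field
    AUTHORITY-CHECK OBJECT 'C_APO_CVC'
      ID 'ACTVT'     FIELD iv_actvt
      ID 'APO_PSTRU' FIELD iv_pstru.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
  METHOD deletable_structures.
    DATA: lv_pstru TYPE ty_pstru,
          lv_ok    TYPE abap_bool.
    LOOP AT it_pstru INTO lv_pstru.
      lv_ok = is_allowed( iv_actvt = gc_delete iv_pstru = lv_pstru ).
      IF lv_ok = abap_true.
        APPEND lv_pstru TO rt_pstru.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_requested TYPE ty_pstru_tab, lt_allowed TYPE ty_pstru_tab.
  APPEND 'ZPOS_DEMO_1' TO lt_requested.  " constructed sample structure IDs
  APPEND 'ZPOS_DEMO_2' TO lt_requested.
  lt_allowed = lcl_cvc_authority=>deletable_structures( lt_requested ).
  " delete CVCs only for lt_allowed; the existing C_APO_FUN check stays in place
```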

Affected Releases

Software Component | Release | From Release | To Release | And subsequent
-------------------|---------|--------------|------------|---------------
SCM                | 410     | 410          | 410        |
SCM                | 500     | 500          | 500        |
SCM                | 510     | 510          | 510        |
SCM                | 700     | 700          | 700        |

Correction delivered in Support Package

Support Packages | Release | Package Name
-----------------|---------|-------------
SCM              | 410     |
SCM              | 500     |
SCM              | 500     |
SCM              | 510     |
SCM              | 700     |

Correction Instructions

Correction Instruction | Valid from | Valid to | Software Component | Last Modification
-----------------------|------------|----------|--------------------|--------------------
                       | 510        | 510      | SCM                | 09.10.2008 10:37:23
                       | 410        | 410      | SCM                | 21.10.2008 09:49:21
                       | 700        | 700      | SCM                | 28.07.2008 14:34:53
                       | 500        | 500      | SCM                | 29.07.2008 13:51:16

Direct Link : https://service.sap.com/sap/support/notes/1235367

SAP Note 1243004 - Security Note: Missing SYSLOG entries for ABAP Debugging

Symptom

Some operations in the Two Process Debugging Architecture (TPDA) debugger tool are not written to the SYSLOG.

Solution
Import the kernel patch level listed below for your release, or a higher patch level:
7.00 PL 173
7.01 PL 9
7.10 PL 117
7.11 PL 5

Affected Releases

Software Component | Release | From Release | To Release | And subsequent
-------------------|---------|--------------|------------|---------------
SAP_BASIS          | 70      | 700          | 701        |
SAP_BASIS          | 71      | 710          | 711        |

Direct Link : https://service.sap.com/sap/support/notes/1243004

SAP Note 1259414 - Cross Site Scripting: PCUI Stored JavaScript Vulnerability

Symptom

Any PCUI application that offers document management functionality and allows a link or a URL (such as a link to a company website or to a product description) to be attached to a created business transaction does not perform adequate input validation. This field inappropriately allows JavaScript to be injected into the CRM content server, which may then be executed in the browser of any user accessing sensitive content server data.


Other terms
Cross Site Scripting, XSS Support, PCUI, F4 Help


Reason and Prerequisites
The PCUI Framework does not perform adequate input validation in the BSP application that allows a URL to be added as an attachment.


Solution
Appropriate encoding mechanisms have been added to prevent such attacks. Please implement the attached corrections.
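An added illustration of the output-encoding approach the solution refers to, not code from the note or from the PCUI framework: an ABAP report (class, method and sample attachments are constructed here) that renders URL attachments with every user-supplied value HTML-encoded via cl_http_utility=>escape_html.

```abap
REPORT zdemo_pcui_link_encoding.

" Constructed sample attachment: URL and title as entered by a user
TYPES: BEGIN OF ty_attachment,
         url   TYPE string,
         title TYPE string,
       END OF ty_attachment,
       ty_attachment_tab TYPE STANDARD TABLE OF ty_attachment WITH DEFAULT KEY.

CLASS lcl_link_renderer DEFINITION.
  PUBLIC SECTION.
    " Renders the attachment list as HTML anchors with every
    " user-supplied value HTML-encoded before it reaches the browser
    CLASS-METHODS render_links
      IMPORTING it_attachments TYPE ty_attachment_tab
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS lcl_link_renderer IMPLEMENTATION.
  METHOD render_links.
    DATA: ls_att   TYPE ty_attachment,
          lv_href  TYPE string,
          lv_title TYPE string.
    rv_html = '<ul>'.
    LOOP AT it_attachments INTO ls_att.
      " Vulnerable form (the behaviour the note describes): concatenating
      " ls_att-url and ls_att-title unchanged lets injected markup through.
      " Hardened form: encode markup characters such as <, > and & first.
      lv_href  = cl_http_utility=>escape_html( ls_att-url ).
      lv_title = cl_http_utility=>escape_html( ls_att-title ).
      CONCATENATE rv_html '<li><a href="' lv_href '">' lv_title '</a></li>'
        INTO rv_html.
    ENDLOOP.
    CONCATENATE rv_html '</ul>' INTO rv_html.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_att TYPE ty_attachment_tab,
        ls_att TYPE ty_attachment,
        lv_out TYPE string.
  " Constructed input: a plain link and a title containing markup characters
  ls_att-url   = 'http://www.example.com/product'.
  ls_att-title = 'Product sheet'.
  APPEND ls_att TO lt_att.
  ls_att-title = '<i>note</i> & more'.
  APPEND ls_att TO lt_att.
  lv_out = lcl_link_renderer=>render_links( lt_att ).
  WRITE lv_out.  " the second title is shown as literal text, not as italics
```

Encoding covers markup injected through the attribute and text context of the link; whether a given URL scheme should be accepted at all is a separate input check that the note does not describe.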

Affected Releases

Software Component | Release | From Release | To Release | And subsequent
-------------------|---------|--------------|------------|---------------
SAP_ABA            | 70      | 700          | 700        |
BBPCRM             | 4.0     | 400          | 400        |

Correction delivered in Support Package

Support Packages | Release | Package Name
-----------------|---------|-------------
BBPCRM           | 400     |
SAP_ABA          | 700     |

Correction Instructions

Correction Instruction | Valid from | Valid to | Software Component | Last Modification
-----------------------|------------|----------|--------------------|--------------------
                       | 700        | 700      | SAP_ABA            | 07.11.2008 04:02:54
                       | 400        | 400      | BBPCRM             | 16.02.2009 06:34:08

Direct Link : https://service.sap.com/sap/support/notes/1259414