SAP Pentest Playbook

Accessing restricted DB tables

Description

There are various ways to access the database via ABAP. Whenever a table is accessed this way, the authorization objects S_TABU_DIS and/or S_TABU_NAM are checked. The SQL Editor in DBACOCKPIT has its own authorization object, S_TABU_SQL. The access itself goes through the ABAP kernel and the database engine installed next to the SAP kernel on the file system.

Risk

This process can lead to access to sensitive data covering both business and security assets. Examples of business assets are production recipes; examples of security assets are password hashes and similar credentials. In certain cases this can lead to a full compromise of the system.

Options

  • Transaction DBACOCKPIT -> SQL Editor
  • Transaction SE16, SE16N, SE16N_EMERGENCY, SE16H
  • Transaction SE17
  • Transaction SM30
  • Transaction SM34
  • Transaction SQVI (QuickViewer)
  • Transaction S416N, S416H
  • Report /1BCDWB/DB*
  • Custom code (Generic table access, SQL injection, ABAP command injection)
  • ABAP Debugging
  • Function Module SE16N_EXTRENAL_CALL
  • Function Module RFC_READ_TABLE (and clones)
  • Function Module RFC_GET_TABLE_ENTRIES
  • File read, since table data can be written to files
  • OS command: R3trans
  • OS command: sqlplus, hdbsql, isql, …

Mitigation

Restrict access to the transactions and RFC-enabled function modules listed above. For the mitigation of OS commands, see the chapter OS Command execution. Restrict access to tables through the following authorization objects on a need-to-know basis:

  • S_TABU_DIS (and maintain table authorization groups, especially for Z* tables, if S_TABU_NAM is not used. Avoid assigning the table authorization group &NC&, as it grants access to a large number of tables, especially in older systems)
  • S_TABU_NAM
  • S_TABU_CLI
  • S_TABU_LIN

Preferably only for SAP Basis, if at all:

  • S_TABU_SQL
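The "Custom code (generic table access)" option above is where these authorization objects are most often forgotten. The following is an added example, not code from the playbook or from SAP, showing a generic table read in ABAP that performs the S_TABU_DIS / S_TABU_NAM check described in the Mitigation section before issuing a dynamic SELECT. It assumes display-only access (ACTVT '03'), that the table name arrives from an untrusted caller, and that the table authorization group is read from TDDAT-CCLASS with &NC& as the fallback for unmaintained tables.

```abap
" Added example: generic table read guarded by the same authorization
" objects SE16/SM30 check; denies by default and never trusts the table name.
CLASS lcl_table_reader DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS is_display_allowed
      IMPORTING iv_tabname        TYPE tabname
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    CLASS-METHODS read_table
      IMPORTING iv_tabname TYPE tabname iv_max_rows TYPE i DEFAULT 100
      EXPORTING er_data    TYPE REF TO data.
ENDCLASS.
CLASS lcl_table_reader IMPLEMENTATION.
  METHOD is_display_allowed.
    DATA lv_group TYPE tddat-cclass.
    rv_allowed = abap_false.
    " 1. Only active transparent dictionary tables; also blocks injection via the name.
    SELECT SINGLE tabname FROM dd02l INTO @DATA(lv_tab)
      WHERE tabname = @iv_tabname AND tabclass = 'TRANSP' AND as4local = 'A'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    " 2. S_TABU_DIS on the table authorization group; unmaintained tables fall into &NC&.
    SELECT SINGLE cclass FROM tddat INTO @lv_group WHERE tabname = @iv_tabname.
    IF sy-subrc <> 0.
      lv_group = '&NC&'.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD '03'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.
    " 3. Otherwise S_TABU_NAM may grant this specific table by name.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_tabname
      ID 'ACTVT' FIELD '03'.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
  METHOD read_table.
    CLEAR er_data.   " fail closed: no data reference unless the check passes
    IF is_display_allowed( iv_tabname ) = abap_false.
      RETURN.
    ENDIF.
    CREATE DATA er_data TYPE STANDARD TABLE OF (iv_tabname).
    ASSIGN er_data->* TO FIELD-SYMBOL(<lt_data>).
    SELECT * FROM (iv_tabname) INTO TABLE @<lt_data> UP TO @iv_max_rows ROWS.
  ENDMETHOD.
ENDCLASS.
```

Code that reaches the SELECT without such a check is exactly what the S_TABU_* objects cannot protect, so this pattern is a useful thing to look for when reviewing custom Z* reports and RFC function modules.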

References