
Authorizations for Starting External Programs

Use

You can prevent unauthorized access to external programs either by specifying the file secinfo in the data directory of the gateway instance or by setting the profile parameter gw/rem_start (see Parameterization of the SAP Gateway).

Caution

This file is not available in the standard system - this means that all programs can be started by any user. By accessing the SAP gateway from the network, unauthorized users can execute all operating system commands on an SAP system.

If this file is available but does not contain any entries, no program at all can be started.

Successful and rejected calls can be determined using Gateway Logging with indicator S.

Recommendation

To control access to external programs, we strongly recommend a secinfo configuration of the SAP system.

Prerequisites

Parameter gw/secinfo must be set to the path of the secinfo file so that the gateway can find the file in the right place.

More information:

Security Parameters

Making Security Settings for External Programs

Procedure

Maintain file secinfo in directory data of the gateway instance, or set parameter gw/secinfo.

The syntax of the entries is as follows:

USER=<user>, [PWD=<pwd>,] [USER-HOST=<user_host>,] HOST=<host>,TP=<tp>;

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.

The level of authorization checking performed can be increased by specifying PWD and/or USER-HOST.

Example

USER=mueller,    HOST=hw1414,      TP=test;

The user mueller can execute the test program on the host hw1414.

Example

USER=hugo, PWD=pass, USER-HOST=hw1234,  HOST=hw1414, TP=prog;

The user hugo can execute the prog program on the host hw1414, as long as he has logged on to the Gateway from host hw1234 and has used the CPI-C call CMSCSP to set the security password to pass.

If the user has used the CMSCSU call to set the security user, then this is also used for checking.

The '*' character (wild card) can be used as a generic specification for any of the parameters.

If either PWD or USER-HOST is not specified, the value '*' is assumed for it.

Example

All users should be allowed to execute the test program on the host hw1414:
USER=*,HOST=hw1414,TP=test;
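
The entry syntax, the '*' default for PWD and USER-HOST, and the "file present but empty means nothing can be started" rule can be checked offline before a secinfo file is deployed. The following Python sketch is an added example, not SAP code. It assumes '*' is only used as a whole-value wildcard and that values compare exactly; the function names are hypothetical.

```python
# Added example: parse and audit secinfo entries in the syntax shown on this page.
# Assumptions: '*' is a whole-value wildcard only; values are compared exactly.
REQUIRED = ("USER", "HOST", "TP")
DEFAULTS = {"PWD": "*", "USER-HOST": "*"}  # per the page: omitted means '*'
KNOWN = set(REQUIRED) | set(DEFAULTS)

def parse_secinfo(text):
    """Return a list of entry dicts; raise ValueError on a malformed entry."""
    entries = []
    for raw in text.split(";"):          # every entry ends with ';'
        raw = raw.strip()
        if not raw:
            continue
        entry = dict(DEFAULTS)
        for field in raw.split(","):
            key, sep, value = field.partition("=")
            key, value = key.strip(), value.strip()
            if not sep or key not in KNOWN or not value:
                raise ValueError(f"malformed field {field!r} in {raw!r}")
            entry[key] = value
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            raise ValueError(f"entry {raw!r} lacks {missing}")
        entries.append(entry)
    return entries

def is_allowed(entries, request):
    """True if one entry matches every request field, exactly or via '*'.
    An empty entry list allows nothing, as with an empty secinfo file."""
    return any(all(e[k] in ("*", request.get(k)) for k in KNOWN) for e in entries)

def audit(entries):
    """Return (entry, wildcard_fields) for entries with '*' in USER, HOST or TP."""
    findings = []
    for e in entries:
        wild = [k for k in REQUIRED if e[k] == "*"]
        if wild:
            findings.append((e, wild))
    return findings

# Constructed sample: the three example lines from this page.
SAMPLE = """
USER=mueller,    HOST=hw1414,      TP=test;
USER=hugo, PWD=pass, USER-HOST=hw1234,  HOST=hw1414, TP=prog;
USER=*,HOST=hw1414,TP=test;
"""

if __name__ == "__main__":
    for entry, wild in audit(parse_secinfo(SAMPLE)):
        print("review wildcard in", wild, "->", entry)
```
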

You can display the current list of security entries using the SAP Gateway Monitor and you can update this display at any time (see Monitoring and Error Handling of the SAP Gateway).

More Information

Section Authorizations for Registering External Programs with the SAP Gateway describes how to register external programs with the SAP Gateway.

 

 
