SAP Knowledge Base Article - Public

3425040 - Fix Read Access Authorization Checks in Bank Account Management.

Symptom

The Bank Account Management component contains vulnerabilities related to wrong read authorization check for the restriction type object FCLM_BAM in the DCLs of several CDS views. Due to the incorrect DCL syntax, customers can potentially display a larger number of bank accounts than their permissions should allow when they open the "Manage Bank Accounts" app, or any other apps related to bank account management.

Example:

A user has been assigned with a role that contains the authorization for two different sets of restriction type FCLM_BAM, each defines a different combination of company code and account type:

  1. Authorization for company code FCLM_BUKRS 1710 and account type FCLM_ACTY 09
  2. Authorization for company code FCLM_BUKRS 2910 and account type FCLM_ACTY 20

With this setting, the user should not be able to view bank accounts with a combination of company code 1710 and account type 20 or company code 2910 and account type 09 in the "Manage Bank Accounts" app. However, due to the DCL syntax error, the user was able to view these bank accounts.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP S/4HANA Cloud

Cause

Program Error.

Resolution

After you upgrade to CE2402, adjustments might be necessary for existing roles that contain the restriction type "Bank Account Management" (FCLM_BAM) in the "Maintain Business Roles" app.

  • For roles that use either the Company Code (BUKRS) or Account Type (FCLM_ACTY) as the only restriction field under the restriction type “Bank Account Management”, no adjustment is needed.
  • For roles that use both the Company Code (BUKRS) and Account Type (FCLM_ACTY) as the restriction fields under the restriction type “Bank Account Management”, users may observe that fewer bank accounts are displayed than prior to the upgrade, and this is the intended result with this DCL fix.

However, if you still want to display the same number of bank accounts as before the upgrade, please make the following modifications to the maintained restrictions in the "Maintain Business Role" app.

The following example demonstrates the change and how to adjust the roles, if necessary:

  • Before the upgrade:

With the following restrictions maintained, users can access the following bank accounts:

    • Bank accounts that have the account type 09 and belong to company code 1710
    • Bank accounts that have the account type 20 and belong to company code 2910
    • Bank accounts that have the account type 09 and belong to company code 2910 (Wrong behavior)
    • Bank accounts that have the account type 20 and belong to company code 1710 (Wrong behavior)

  • After the upgrade:

With the fix, users assigned with this role can access only the following bank accounts:

    • Bank accounts that have the account type 09 and belong to company code 1710
    • Bank accounts that have the account type 20 and belong to company code 2910

Additional restriction values must be explicitly maintained if you still want to display the full set of bank accounts as before the upgrade. For example, you can adjust the restriction values as follows:

Keywords

FCLM_BAM, Authorization, FCLM_BUKRS, FCLM_ACTY 09, FCLM_ACTY 20, wrong authorization check for the restriction type object FCLM_BAM, , KBA , FIN-FSCM-CLM-BAM-2CL , Bank Account Management (Public Cloud) , Problem

Product

SAP S/4HANA Cloud 2402

Attachments

Authorization_FCLM_BAM.png