SAP Knowledge Base Article - Preview

3425040 - Fix Read Access Authorization Checks in Bank Account Management.

Symptom

The Bank Account Management component contains a vulnerability in the read authorization check for the restriction type FCLM_BAM in the DCLs (CDS access controls) of several CDS views. Because of the incorrect DCL syntax, a user can potentially display more bank accounts than their authorizations should allow when opening the "Manage Bank Accounts" app or any other app related to bank account management.

Example:

A user has been assigned a role that contains two instances of the restriction type FCLM_BAM, each defining a different combination of company code and account type:

  1. Authorization for company code FCLM_BUKRS 1710 and account type FCLM_ACTY 09
  2. Authorization for company code FCLM_BUKRS 2910 and account type FCLM_ACTY 20

With these authorizations, the user should not be able to view bank accounts with company code 1710 and account type 20, or with company code 2910 and account type 09, in the "Manage Bank Accounts" app. However, because of the DCL syntax error, the user was able to view these bank accounts: the check effectively allowed every combination of the granted company codes with the granted account types, instead of only the two granted pairs.
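The KBA does not show the faulty DCL text, so the following added example (not code from the KBA or from SAP) models the two check semantics in plain SQL with sqlite3 standing in for the CDS access control. The table and column names (bank_account, bukrs, acty) and the sample accounts are constructed for illustration. It shows that checking each authorization field independently grants the cross product of the value sets, while OR-ing one conjunction per FCLM_BAM instance grants only the pairs actually assigned:

```python
"""Added example, not from the SAP KBA: compares an authorization filter that
checks company code and account type independently (wrong) with one that
checks each FCLM_BAM instance as a (company code, account type) pair (correct).
Table/column names and sample data are assumptions made for this example."""
import sqlite3

# Constructed sample data: one bank account per company code / account type.
SAMPLE_ACCOUNTS = [
    ("ACC1", "1710", "09"),
    ("ACC2", "1710", "20"),
    ("ACC3", "2910", "09"),
    ("ACC4", "2910", "20"),
    ("ACC5", "1010", "09"),  # not granted under either check
]

# The user's FCLM_BAM instances from the KBA example: (FCLM_BUKRS, FCLM_ACTY).
USER_AUTH = [("1710", "09"), ("2910", "20")]


def _conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bank_account (acct_id TEXT, bukrs TEXT, acty TEXT)")
    conn.executemany("INSERT INTO bank_account VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def incorrect_filter(auth):
    """Wrong semantics: each field is matched against the union of all values
    the user holds for it, i.e. bukrs IN (...) AND acty IN (...).
    The result is the cross product of the two value sets."""
    if not auth:
        return "0=1", []  # no instances: deny everything
    bukrs = sorted({b for b, _ in auth})
    acty = sorted({a for _, a in auth})
    sql = (
        f"bukrs IN ({','.join('?' * len(bukrs))}) "
        f"AND acty IN ({','.join('?' * len(acty))})"
    )
    return sql, bukrs + acty


def correct_filter(auth):
    """Correct semantics: one conjunction per authorization instance, and the
    instances OR-ed together, so only the exact pairs granted are visible."""
    if not auth:
        return "0=1", []  # no instances: deny everything
    sql = " OR ".join("(bukrs = ? AND acty = ?)" for _ in auth)
    params = [value for pair in auth for value in pair]
    return sql, params


def visible_accounts(filter_fn, auth=USER_AUTH):
    """Run the given filter against the sample table; returns sorted account ids."""
    where, params = filter_fn(auth)
    conn = _conn()
    rows = conn.execute(
        f"SELECT acct_id FROM bank_account WHERE {where} ORDER BY acct_id", params
    ).fetchall()
    conn.close()
    return [row[0] for row in rows]


def leaked_accounts(auth=USER_AUTH):
    """Accounts the buggy check exposes beyond what the correct check allows."""
    wrong = set(visible_accounts(incorrect_filter, auth))
    right = set(visible_accounts(correct_filter, auth))
    return sorted(wrong - right)


if __name__ == "__main__":
    print("independent-field check:", visible_accounts(incorrect_filter))
    print("per-instance check:     ", visible_accounts(correct_filter))
    print("leaked by the bug:      ", leaked_accounts())
```

With the two instances from the KBA, the per-instance filter returns only ACC1 (1710/09) and ACC4 (2910/20), while the independent-field filter also returns ACC2 (1710/20) and ACC3 (2910/09), which are exactly the combinations the KBA says the user must not see. A customer verifying the fix can reproduce this with a test user holding two FCLM_BAM instances that share neither company code nor account type, and confirm that the cross combinations no longer appear in the "Manage Bank Accounts" app.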

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."



Environment

SAP S/4HANA Cloud

Product

SAP S/4HANA Cloud Public Edition 2402

Keywords

FCLM_BAM, Authorization, FCLM_BUKRS, FCLM_ACTY 09, FCLM_ACTY 20, wrong authorization check for the restriction type object FCLM_BAM, KBA, FIN-FSCM-CLM-BAM-2CL, Bank Account Management (Public Cloud), Problem
