Skip links
🔥🔥🔥 Join us for our upcoming training session at Black Hat MEA: "Securing SAP Systems: Expert Insights and Penetration Testing Techniques" 🛡️🔍

RSCSAUTH Authorization group ABAP program, SAP security note 694148


You can use the RSSCAUTH report to change the authorization group of a program. The program authorization group is used as a parameter of the S_PROGRAM authorization object when you execute a report. It is therefore an essential criterion for determining whether or not a user can execute a report.
However, the RSCSAUTH report is insufficiently protected against uncontrolled execution:
When you start the RSCSAUTH report, the system only checks whether the user has an authorization (that includes the “SAP_ALL” value in the “Authorization group ABAP program” authorization field) for the S_PROGRAM authorization object.

This means that it is frequently possible for a large group of people to execute RSCSAUTH. This is undesirable because of the far-reaching effects that the use of the RSCSAUTH report can have.

Available fix and Supported packages

  • SAP_BASIS | 46A | 46D
  • SAP_BASIS | 610 | 640
  • SAP_BASIS 46C | SAPKB46C47 |
  • SAP_BASIS 46B | SAPKB46B56 |
  • SAP_BASIS 610 | SAPKB61039 |
  • SAP_BASIS 640 | SAPKB64001 |
  • SAP_BASIS 620 | SAPKB62037 |
  • SAP_BASIS 46D | SAPKB46D36 |

Affected component

    Security – Read KBA 2985997 for subcomponents


Score: 0


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.




How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer