I am an ABAP developer who has been doing some very basic security research, and I want to ask what I think are some fairly simple questions to which I haven't been able to find any really good, comprehensive answers.
We have a number of IDs that are defined as System user types and are used for communication with SAP by some of our web apps, where the users are not SAP GUI users.
The questions I have are as follows:
- Is there any situation where a system user type should be assigned a transaction?
- If there is, explain why. (Maybe a call transaction within a function group/module that is assigned through S_RFC?)
- How serious are the security risks associated with assigning (a) transaction(s) to a system user type? (I'm thinking that if, somehow, the ID was assigned a function module or function group that it should get assigned, and also has access to a transaction which is in a role that gives it update capability, that would be an example of a good reason why transactions shouldn't be assigned.)
I am nowhere near as gifted in this area as all the experts, so I thought I would pose the questions to all of you.
Thank you in advance for your help.
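The following is an added example, not part of the original post or any answer to it. It shows the check the third question implies: find users whose USR02 type is `B` (system), list the S_TCODE values their roles carry, and flag whether the same role also grants a create/change/delete activity (ACTVT 01/02/06) on some business object. The table and column names (USR02-USTYP, AGR_USERS, AGR_1251, S_TCODE/TCD, S_RFC) are SAP's real ones; the user names, role names and authorization values in the rows below are constructed for the example, and in a real system they would come from a table export or SUIM rather than from inline lists.

```python
"""Added example (not from the original post): flag system-type users whose
roles carry S_TCODE, using constructed rows shaped like SAP's USR02,
AGR_USERS and AGR_1251 tables. Table/column/object names are SAP's own;
the users, roles and values are invented for this example."""

from collections import defaultdict

SYSTEM_USER_TYPE = "B"                  # USR02-USTYP 'B' = system user, no dialog logon
CHANGE_ACTIVITIES = {"01", "02", "06"}  # ACTVT create / change / delete

# Constructed USR02 rows: user master, USTYP 'A' = dialog, 'B' = system
USR02 = [
    {"BNAME": "WEBAPP_RFC", "USTYP": "B"},
    {"BNAME": "BATCH_BG", "USTYP": "B"},
    {"BNAME": "JSMITH", "USTYP": "A"},
]

# Constructed AGR_USERS rows: role -> user assignments
AGR_USERS = [
    {"AGR_NAME": "Z_RFC_ORDERS", "UNAME": "WEBAPP_RFC"},
    {"AGR_NAME": "Z_ORDER_MAINTAIN", "UNAME": "WEBAPP_RFC"},
    {"AGR_NAME": "Z_RFC_ORDERS", "UNAME": "BATCH_BG"},
    {"AGR_NAME": "Z_ORDER_MAINTAIN", "UNAME": "JSMITH"},
]

# Constructed AGR_1251 rows: authorization field values per role
AGR_1251 = [
    {"AGR_NAME": "Z_RFC_ORDERS", "OBJECT": "S_RFC", "FIELD": "RFC_TYPE", "LOW": "FUGR", "HIGH": ""},
    {"AGR_NAME": "Z_RFC_ORDERS", "OBJECT": "S_RFC", "FIELD": "RFC_NAME", "LOW": "ZORDERS", "HIGH": ""},
    {"AGR_NAME": "Z_RFC_ORDERS", "OBJECT": "S_RFC", "FIELD": "ACTVT", "LOW": "16", "HIGH": ""},
    {"AGR_NAME": "Z_ORDER_MAINTAIN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VA02", "HIGH": ""},
    {"AGR_NAME": "Z_ORDER_MAINTAIN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VA01", "HIGH": "VA03"},
    {"AGR_NAME": "Z_ORDER_MAINTAIN", "OBJECT": "V_VBAK_VKO", "FIELD": "ACTVT", "LOW": "02", "HIGH": ""},
]


def value_pattern(row):
    """Render an AGR_1251 LOW/HIGH pair as one string, e.g. 'VA01-VA03' or 'VA02'."""
    high = row.get("HIGH", "").strip()
    return f"{row['LOW']}-{high}" if high else row["LOW"]


def system_users_with_tcodes(usr02, agr_users, agr_1251):
    """Return {user: {role: sorted S_TCODE patterns}} for type-B users only.
    Users with no S_TCODE in any assigned role do not appear in the result."""
    system_users = {r["BNAME"] for r in usr02 if r["USTYP"] == SYSTEM_USER_TYPE}

    tcodes_by_role = defaultdict(set)
    for row in agr_1251:
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            tcodes_by_role[row["AGR_NAME"]].add(value_pattern(row))

    findings = defaultdict(dict)
    for row in agr_users:
        user, role = row["UNAME"], row["AGR_NAME"]
        if user in system_users and role in tcodes_by_role:
            findings[user][role] = sorted(tcodes_by_role[role])
    return dict(findings)


def role_has_change_activity(role, agr_1251):
    """True if the role grants create/change/delete on any business object.
    S_RFC and S_TCODE are skipped: their ACTVT (e.g. 16 = execute) is not
    an update on application data."""
    return any(
        r["AGR_NAME"] == role
        and r["FIELD"] == "ACTVT"
        and r["OBJECT"] not in ("S_RFC", "S_TCODE")
        and r["LOW"] in CHANGE_ACTIVITIES
        for r in agr_1251
    )


if __name__ == "__main__":
    for user, roles in system_users_with_tcodes(USR02, AGR_USERS, AGR_1251).items():
        for role, tcodes in roles.items():
            flag = " [role also grants change activity]" if role_has_change_activity(role, AGR_1251) else ""
            print(f"{user}: {role} -> S_TCODE {', '.join(tcodes)}{flag}")
```

On the constructed data the script reports only WEBAPP_RFC, because BATCH_BG holds nothing but the S_RFC role and JSMITH is a dialog user; the Z_ORDER_MAINTAIN finding is additionally flagged because that role carries ACTVT 02 on V_VBAK_VKO, which is the combination the question describes.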