Re: Why not activate S_RFCACL in SAP_ALL? (no, really!)


Thank you, Greg, for being someone who can point out problems with a theory without malice. Although 1416085 doesn't answer this technically enough, your broad perspective is very much appreciated and is worth reflection.
Now, if ever a thread needed a bow to complete it, this is one. And that bow will be, “why did this all happen?” It’s actually quite simple …

  • Them: That incident with troubleshooting that access took too long. What happened?

  • Me: Well, we gave him SAP_ALL but that wasn’t enough. Troubleshooting finally uncovered that he needed S_RFCACL for this. That’s not in SAP_ALL. But we didn’t have a role in that system/client with S_RFCACL; in fact, we don’t really have one for that anywhere. We’ve never needed it. We had to come up with something. So this took longer than we would have liked.

  • Them: Well, why isn’t this object in SAP_ALL? It is SAP “ALL”, isn’t it?

  • Me: Well, S_RFCACL is treated differently, kind of special. Let me look more closely into it.

  • << cue: research leading to Note 1416085 >>

  • Me: SAP doesn’t put S_RFCACL in SAP_ALL on purpose because they say that would be very bad … “you allow the logon from any system, client, or any user” ... somehow. But not without trusted RFCs, I’d imagine. And that would only apply to people with SAP_ALL for the time you give it. Interestingly, there’s a flag mentioned here that could incorporate S_RFCACL into SAP_ALL by default. If we really wanted to do this to avoid this in the future, it seems we have a decision to make. Should we use this flag SAP offers or should we create a ready role with S_RFCACL in it in every client?

  • Them: Well then, what would be the real risk of incorporating it? Can it be mitigated and how easily?

  • Me: I don’t know. Let me find out.

  • << cue: setting up a test environment, not knowing how a malicious person could get in, Googling & reading (neither went anywhere), and creating this thread >>


So, now what I have to show for it is: having a somewhat better idea of how a malicious person might get in (well, that’s something) without being able to answer all of "their" questions, withstanding personal attacks as if this is reddit or Twitter, and having old friends turn on me (well, that’s something, too, I guess).

But at least I now feel fully qualified to write a post entitled, “How to End Your Career and Years of Good Will in Just One Thread.”

The quick answer: “Publicly question anything the target audience apparently holds as sacred, no matter how well-intentioned the reason, no matter how you try to frame and limit the discussion to the technicals. And then don’t just give in immediately ... try to press on in the hopes of getting answers for you and your people.” Yeah, I didn’t see that coming until it was too late.

Anyone who might have had a similar conversation or supported the original intent is surely in hiding in that bunker in Oregon after witnessing this crucifixion. I wouldn’t recommend anyone Like this, either … too risky to be associated.

Since I don’t have someone like Julius here to bounce this off of at my desk, I figured someone in the community knew, so I tried to hold a public, technical conversation to flesh this out.

It failed.