topic S_PROGRAM in Application Development and Automation Discussions

S_PROGRAM

Former Member — Thu, 31 Jul 2008 10:33:59 GMT

I have three questions.

I was going through the manual ADM950 and I understood that giving access to SA38 would mean that a user would have access to any executable program. I identified a program which is associated with SU01 "SAPMSUU0"(from SE93) and added SA38 to a test role which was then assigned to a test user. Logging in as the user, I executed SA38 and then executed "SAPMSUU0" however it threw a error stating that the user did not have access to SU01. I checked SU53 and noticed that the missing authorization was S_TCODE. I checked the code for this program and could not find any AUTHORITY_CHECK statements calling for S_TCODE. I am not sure as to why S_TCODE was being read as I was actually executing a program (which should inturn check S_PROGRAM). Any thoughts on this?

Next, If i have to assign a authorization group to a program I was to use RSCSAUTH. I ran this program from SA38 and this particular program seems to be like a report. I am not sure as to how I can add a authorization group to a program here. Any ideas?

Lastly, system programs Eg: SAPMSUU0M (associated with SU10) does not have a authorization group. Is it possible to assign Authorization groups to these system programs. If yes, then is it considered to be a best practice to add a authorization group for these programs?

regards

Ravi

Re: S_PROGRAM

Former Member — Thu, 31 Jul 2008 10:39:37 GMT

Hi,

Authorization group cannot be assigned to programs but to table updated by the program

Hope this helps

Re: S_PROGRAM

Bernhard_SAP — Thu, 31 Jul 2008 11:01:03 GMT


>  
>              Authorization group cannot be assigned to programs but to table updated by the program
>

Hi Trupti,

hmmm....

SAP Note #338177 tells something contrary....

b.rgds,

Bernhard

Re: S_PROGRAM

Former Member — Thu, 31 Jul 2008 11:02:23 GMT

The authorization object S_PROGRAM is only checked when you are trying to execute a program via SE38. It is only for the initiation of the program itself. So if you try to execute a program ZABCD assigned to a authorization group ZXX then as soon as you execute from SE38 a check is made whether you have access to S_PROGRAM and execute access for group ZXX.

While executing, the program itself may call other transactions and check other authorizations. This is as per the program code and hence additional authorizations will be needed as per the program code.

The program RSCSAUTH actually displays contents from the table SREPOATH (contains programs and associated auth groups). You have an option within the program itself to modify the table as per your need. You can try the same in a test system.

System programs generally should not be executed from SE38. Such programs usually have associated transactions which should be used instead. The associated auth check from the transaction itself will then come into play.

Hope this clears some doubts.

Regards,

Sanju.

Edited by: Sanju Chacko on Jul 31, 2008 11:04 AM

Re: S_PROGRAM

Bernhard_SAP — Thu, 31 Jul 2008 11:07:05 GMT

Hi,

regarding SAPMSUU0:

the call stack of the check for s_tcode is:

1 SAPMSUU0 EVENT START-OF-SELECTION

2 SAPLSUSE FUNCTION AUTHORITY_CHECK_TCODE

In the FM AUTHORITY_CHECK_TCODE then:

.....

3. main part: check for authorization:

CALL 'AUTH_CHECK_TCODE'

ID 'TCODE' FIELD tcode.

IF sy-subrc = 0.

RAISE ok.

ELSE.

message i077(s#) with tcode raising not_ok.

endif.

.....

So for security reason the check for s_tcode SU01 is triggered explicitely by the coding of SAPMSUU0.

b.rgds, Bernhard

Re: S_PROGRAM

Former Member — Thu, 31 Jul 2008 18:22:52 GMT

Goto SE38

fill in the program name: ZBLAH_BLAH

choose option: Attributes

click display. here you have the option to change assignment of Auth groups to programs.

However, you "might" be prompted for an access key..

Hope this helps.

Re: S_PROGRAM

Former Member — Thu, 31 Jul 2008 19:05:41 GMT


> Goto SE38
> fill in the program name: ZBLAH_BLAH
> choose option: Attributes
> click display. here you have the option to change assignment of Auth groups to programs.
> 
> However, you "might" be prompted for an access key..
> 
> Hope this helps.

Take look at this thread:

There is a comment in it somewhere about a warning which SE38 or other code editors will throw at you if the program group is changed via the attributes. This happens when you have maintained an authorization group using report RSCSAUTH => read the documentation on program RSCSAUTH (Use the "Documentation" button in transaction SE38).

@Trupti: This link is some recommended reading for you as well...

Cheers,

Julius