https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087666#M1506817 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can check these details through program RSABAPSC. However you need to check one report at a time.</P><P></P><P>With abap report RPR_ABAP_SOURCE_SCAN you can execute a 'bulk scan' on abap code context (such as "AUTHORITY-CHECK") but only within ABAP programs.</P><P></P><P></P><P>or</P><P></P><P>1. Goto transaction se16 --&gt; enter table name usobt</P><P>2. and in the resultant screen enter transaction code (in this case me21n) and press F8.</P><P>3. you can find all the authorization objects checked for a particular transaction.</P><P></P><P></P><P>PS: Apart from that some authorization are attached in SE93 also.</P><P></P><P><A href="http://sap.ittoolbox.com/groups/technical-functional/sap-security/how-to-get-a-list-of-custom-abap-programs-without-authoritycheck-3555570" target="test_blank">http://sap.ittoolbox.com/groups/technical-functional/sap-security/how-to-get-a-list-of-custom-abap-programs-without-authoritycheck-3555570</A></P><P></P><P>Thanks,</P><P>Sri Sonia</P></BODY></HTML> Mon, 28 Jun 2010 15:35:49 GMT Former Member 2010-06-28T15:35:49Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087665#M1506816 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P>Do u know a way to list all SAP programs (standard and customized) that do not run authorization check when executed?</P><P></P><P>Thank you</P></BODY></HTML> Mon, 28 Jun 2010 14:36:29 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087665#M1506816 Former Member 2010-06-28T14:36:29Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087666#M1506817 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can check these details through program RSABAPSC. However you need to check one report at a time.</P><P></P><P>With abap report RPR_ABAP_SOURCE_SCAN you can execute a 'bulk scan' on abap code context (such as "AUTHORITY-CHECK") but only within ABAP programs.</P><P></P><P></P><P>or</P><P></P><P>1. Goto transaction se16 --&gt; enter table name usobt</P><P>2. and in the resultant screen enter transaction code (in this case me21n) and press F8.</P><P>3. you can find all the authorization objects checked for a particular transaction.</P><P></P><P></P><P>PS: Apart from that some authorization are attached in SE93 also.</P><P></P><P><A href="http://sap.ittoolbox.com/groups/technical-functional/sap-security/how-to-get-a-list-of-custom-abap-programs-without-authoritycheck-3555570" target="test_blank">http://sap.ittoolbox.com/groups/technical-functional/sap-security/how-to-get-a-list-of-custom-abap-programs-without-authoritycheck-3555570</A></P><P></P><P>Thanks,</P><P>Sri Sonia</P></BODY></HTML> Mon, 28 Jun 2010 15:35:49 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087666#M1506817 Former Member 2010-06-28T15:35:49Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087667#M1506818 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please check this post </P><P></P><P></P><P><A class="jive_macro jive_macro_message" href="https://community.sap.com/" __jive_macro_name="message" modifiedtitle="true" __default_attr="7234942"></A></P><P></P><P></P><P>also there is a good post on ITTOOLBOX answered in June.</P><P></P><P></P><P>Debug mode might be the best task but if you have lot of Customized task that will be a time consuming activity.</P></BODY></HTML> Mon, 28 Jun 2010 17:36:08 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087667#M1506818 Former Member 2010-06-28T17:36:08Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087668#M1506819 <HTML><HEAD></HEAD><BODY><P>There is no automated medication against this legacy ailment <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Some checks are "remote" in function modules and ABAP OO methods, so you will not even necessarily see them in a code scan, nor whether and how the calling program reacts to the check result or "catches" it and then does <EM>something completely different</EM> ...</P><P></P><P>Even with tools (CodeInspector, CodeProfiler, etc) to analyze ABAP code, you need a programming guideline for developers to stick to and a human eye to spot security deviations or errors.</P><P></P><P>This is an [art form|/people/matthew.billingham/blog/2009/09/13/ancient-art-of-code-review] to do correctly and approach large numbers of programs in such a way that you can base it on risk and make "quick wins". For example, do you have generic includes?</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Mon, 28 Jun 2010 18:20:22 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087668#M1506819 Former Member 2010-06-28T18:20:22Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087669#M1506820 <HTML><HEAD></HEAD><BODY><P>This message was moderated.</P></BODY></HTML> Mon, 28 Jun 2010 18:33:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087669#M1506820 Former Member 2010-06-28T18:33:57Z https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087670#M1506821 <HTML><HEAD></HEAD><BODY><P>Oops.... here is the correct link to the recording of [The ancient and noble art of code review|https://sap.emea.pgiconnect.com/p87357333/] by ABAP Guru Matt Billingham.</P><P></P><P>The other was the introduction song only...</P><P></P><P>FYI: Matt won the "Spot the security bug in the code" competition at the TechEd '09 in Vienna. He found more bugs in the code than what was intended to be found to win the prize <SPAN __jive_emoticon_name="wink"></SPAN></P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Mon, 28 Jun 2010 18:43:47 GMT https://community.sap.com/t5/application-development-and-automation-discussions/programs-without-authorization-objects/m-p/7087670#M1506821 Former Member 2010-06-28T18:43:47Z