https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329445#M168224 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>in those cases create a Wrapper RFC enabled FM, inside that you can check the Authorizations and call the BAPI .</P><P></P><P></P><P>Regards</P><P>vijay</P></BODY></HTML> Tue, 23 May 2006 14:49:42 GMT Former Member 2006-05-23T14:49:42Z https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329444#M168223 <HTML><HEAD></HEAD><BODY><P>This is quite a popular BAPI for posting FI documents due to it's excellent speed in contrast to traditional call transaction or BDC processing for FI document creation.</P><P></P><P>Just wondered if many people using it have implemented appropriate security around it, as it does not perform any FI document posting authorization checks. So no Company code F_BKPF_BUK, GL Account F_BKPF_BES, Customer F_BKPF_BED, Vendor F_BKPF_BEK, etc. auth checks are done.</P><P></P><P>I've used the BADI called within the above and the BAPI_ACC_DOCUMENT_CHECK function, the ACC_DOCUMENT BADI to put tight checks in akin to the ones that occur in FB01. I added code within an implementation of BADI's CHANGE method, it works well as a solution. </P><P></P><P>Just wondering how other people have dealt with this BAPIs lack of auth checks ?</P><P></P><P></P><P>Message was edited by: Declan Kearney</P><P></P></BODY></HTML> Sat, 13 May 2006 12:51:41 GMT https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329444#M168223 Former Member 2006-05-13T12:51:41Z https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329445#M168224 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>in those cases create a Wrapper RFC enabled FM, inside that you can check the Authorizations and call the BAPI .</P><P></P><P></P><P>Regards</P><P>vijay</P></BODY></HTML> Tue, 23 May 2006 14:49:42 GMT https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329445#M168224 Former Member 2006-05-23T14:49:42Z https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329446#M168225 <HTML><HEAD></HEAD><BODY><P>Or Before calling the BAPI check the authorizations inside the Program and accordingly call the BAPI. if the BAPI call is inside the Program.</P><P></P><P>or if it is RFC Call then above suggestion works.</P><P></P><P>Regards</P><P>vijay</P></BODY></HTML> Tue, 23 May 2006 14:52:10 GMT https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329446#M168225 Former Member 2006-05-23T14:52:10Z https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329447#M168226 <HTML><HEAD></HEAD><BODY><P>Creating a Wrapper RFC function to front a standard SAP BAPI (which itself is RFC enabled ) , would work but to me is just adding more layers and not solving the underlying weakness. So long as someone has S_RFC access they can still post when you would not want them to by calling this BAPI directly</P><P></P><P></P><P>Message was edited by: Declan Kearney</P><P></P><P></P><P>Message was edited by: Declan Kearney</P><P></P></BODY></HTML> Tue, 23 May 2006 15:07:16 GMT https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329447#M168226 Former Member 2006-05-23T15:07:16Z https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329448#M168227 <HTML><HEAD></HEAD><BODY><P>apart from s_rfc you will check other Authrization objects also. not simply one RFC access check. even you can create your own Authority objects and stop them to use before calling the BAPI by using Authority Check,.</P><P></P><P>Regards</P><P>vijay</P></BODY></HTML> Tue, 23 May 2006 15:29:27 GMT https://community.sap.com/t5/application-development-and-automation-discussions/bapi-acc-document-post-authorizations/m-p/1329448#M168227 Former Member 2006-05-23T15:29:27Z