topic Re: Avoiding Hard coded user names in ABAP code in Application Development and Automation Discussions

Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 07:33:07 GMT

Hi SDN's,

i am using a Hard-coded user name in my Z program while go for Extended program check it' showing as Error like 'The use of the hard-coded user name XXXXX can acuse security problems' in Security Tests.

how can i avoid this error free from EPC .....Any one help.....

Regards,

Suba.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 10:40:07 GMT

Hi,

I guess I'll not be the only one suggesting that you should take the hard coded user names out.

If you can explain why you think this hard coding is the right approach you may get some views on either how it could be changed or how the EPC message can be avoided.

Regards,

Nick

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 11:07:02 GMT

Hi Suba ,

Hard Coding the User names is not a right approach , you can use set leaf instead of hardcoding ,

Maintain sets in Tcode : GS01

Save and Coding Part is ,

DATA: t_set TYPE TABLE OF rgsb4,
wa_set TYPE rgsb4.
DATA: v_check TYPE C VALUE ' '.

CALL FUNCTION 'G_SET_GET_ALL_VALUES'

    EXPORTING
      client        = sy-mandt
      setnr         = 'ZTEST1'
      table         = 'USR01'
      class         = '0000'
      fieldname     = 'BNAME'
    TABLES
      set_values    = t_set
    EXCEPTIONS
      set_not_found = 1
      OTHERS        = 2.

LOOP AT T_SET INTO WA_SET.
    IF WA_SET-FROM = SY-UNAME .
      v_check = 'X' .
    ENDIF.
ENDLOOP.

IF v_check <> 'X'.
YOUR CONDITION

ELSE.
YOUR CONDITION

ENDIF.

Re: Avoiding Hard coded user names in ABAP code

venkatakrishna — Wed, 14 Aug 2013 11:13:52 GMT

Hi..

Is there any Particular reason for using Hard coded Breakpoints ..?

Regards,

Venkat

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 11:15:33 GMT

Hi Suba Reddy,

Please let know where exactly and why you are making use of usernames so that would help in providing the correct solution.

apart from that , inorder to avoid the hardcode text, u can use Text Elements. this will sort out the above error...instead if u want to pick the username dynamically , i suggest u to have a custom table with username and any other common field.

revert back if any issues.

Thanks,

Azhar

Re: Avoiding Hard coded user names in ABAP code

matt — Wed, 14 Aug 2013 11:27:32 GMT

You can avoid the message by removing the breakpoint. If you have the breakpoint in production, that is a security issue.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 12:08:08 GMT

in my Z program i need to check for a specific user wise ,so i am giving as

if sy-uname = 'XXXXX'.

do something.

endif.

so, while go for Extended program check it's giving as error message as 'The use of the hard-coded user name XXXXX can acuse security problems'

i want to avoid this error ....any help regarding...

Regards,

Suba.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 12:41:21 GMT

Hi Suba,

You've just repeated your question again, this isn't giving us anything new to work from.

The key here is why you feel you need to check for a specific user name? Is it for bebugging? Is it to limit or extend the functionality of the code? Is it an authorisation check? Is it for test purposes?

There are many ways of avoiding hard coded user names (some of them mentioned in the answers to this thread so far), but unless you explain why you think you need to do this there's no way of knowing which is the correct approach.

Regards,

Nick

Re: Avoiding Hard coded user names in ABAP code

FredericGirod — Wed, 14 Aug 2013 12:45:29 GMT

I have see so many times hard coded username in standard SAP programs

Re: Avoiding Hard coded user names in ABAP code

FredericGirod — Wed, 14 Aug 2013 12:46:39 GMT

If you only want specific user to do something. Create a specific authorization object SU20/SU21, assign this object to your transaction SU24. And in your program check for this authorization.

you don't hard code something ... and the result is the same.

regards

Fred

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 12:59:29 GMT

Hello ,

Yes hardcoding username is an issue but many people does it.

especially smth like break sdogan...

and the code goes to prod like that

why?

Because the developer wants to debug at prod too to make life easier!!

As life gets easy secuirity is breached for sure!!

How do we stop using the username in your code?

Questions:

Can you assign a auth object to that user only?

if not then

Can you seperate the code for that user only?

if not then

Another approach:

Create a config table where you give 2 columns like username and role etc..

then enter the username in that table, via table maintenance generator

lets say the table name is z_special_users

Then read that config and

do smth like

***Here you can check the role

class zcl_config_loader defnition.

public section:

class-methods: class_constructor.

class-methods: get_role.

endclass.

class zcl_config_loader implementation

method class_constructor.

select * from z_special_users

into table gt_special_users

endmethod.

method get_role.

**return the table

endmethod.

endclass.

and in your code, main program

if zcl_config_loader=>get_role( ) = 'xxxRole '.

endif..

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 13:09:47 GMT

Hi Solen,

Can't say I'm a fan of user names in config tables, think of your poor user admin team who have to keep this thing accurate and up to date.

SAP comes with a (reasonably) useful authorisation concept, if the development needs to behave differently for different users (and let's face it what we actually mean here is different roles) then authorisation objects is the way to go.

Regards,

Nick

Re: Avoiding Hard coded user names in ABAP code

Former Member — Wed, 14 Aug 2013 13:32:50 GMT

Hi Suba,

if sy-uname = 'XXXXX'.

do something.

end if.

the above code which u said is generally used to get easier during debuugging of code, but it not recommended to move the that code with those lines to production.

or i guess u can go with building ranges for usernames and check..

if sy-uname = r_usernames. ( r_usernames contain all the usernames)

do something.

end if.

thanks,

Azhar

Re: Avoiding Hard coded user names in ABAP code

matt — Thu, 15 Aug 2013 05:57:18 GMT

So have I. Especially when applying the security notes that remove that hardcoding!

If you hard code a username you are creating a development cycle when that user leaves - you have to edit the program and get it to production again with the new user.

Re: Avoiding Hard coded user names in ABAP code

Venkat_Sesha — Thu, 15 Aug 2013 06:32:29 GMT

Hi Suba reddy,

I wonder why dont you use a Constant to check your IF condition as shown below.

CONSTANTS : C_SUBARED Type SYST-UNAME VALUE 'SUBAREDDY'.

IF SY-UNAME = C_SUBARED.

" Do some thing.

ENDIF.

BR,

Bhargav

Re: Avoiding Hard coded user names in ABAP code

Former Member — Thu, 15 Aug 2013 06:46:39 GMT

Hi Suba,

Creating Authorization Objects and Authority-Check is the best approach.

If you dont want to use it and if you are only concerned about EPC error, then replace the username with constatns.

CONSTANTS : c_username type sy-uname value 'USERNAME'.

if sy-uname = C_USERNAME.

do something.

endif.

With this you can pass the EPC check. But still it is not the right appraoch.

Go for Authorization Objects and use Authority Check statement for it is the correct approach.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Fri, 16 Aug 2013 03:33:12 GMT

Hi Bhargav,

i tried what you mentioned,but still in EPC error not cleared it's showing same error...

any other solution...

Regards,

Suba.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Fri, 16 Aug 2013 03:34:14 GMT

Hi Azhar,

i tried what you mentioned,but still in EPC error not cleared it's showing same error...

any other solution...

Regards,

Suba.

Re: Avoiding Hard coded user names in ABAP code

Former Member — Fri, 16 Aug 2013 04:30:58 GMT

Dear Suba

1. Create one Authorization Object using the transaction code SU21.

2. Create a role using the transaction code PFCG and assign the Authorization Object to the created role.

3. To whom all users you wish to assign this role, assign these roles using the transaction code SU01.

4. Using the keyword, AUTHORITY CHECK, check whether the current user is authorized to do the particular action in your program. If the check raises sy-subrc <> 0, then raise an error, else continue.

This way you can check the user authorization to do a particular task, without hardcoding the username in the program.

Thanks and Regards,

Rinzy Deena Mathews

Applexus Technologies (P) Ltd.

Re: Avoiding Hard coded user names in ABAP code

Venkat_Sesha — Fri, 16 Aug 2013 06:07:40 GMT

No Suba it should not be in EPC error if you have declared in Constants and compared with Sy-Uname.

Any how to understand the issue in more detail, it helps a lot to the forum if you can put the screen shot of the issue. so that you can get your problem solved soon. May be it is not an error in others perspective and a Warning. So please upload the screen print. Thanks..

Happy coding