topic Re: Forcing Authorization for a transaction code without authorization check in in Application Development and Automation Discussions

Forcing Authorization for a transaction code without authorization check in

jitendra_mehta — Mon, 13 Nov 2006 21:45:33 GMT

Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".

However, If Ia program has "Call transaction" verb calling this transaction and if the restricted user runs this report or module program, it does not restrict the user to access the transaction.

Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?

Jitendra Mehta

Re: Forcing Authorization for a transaction code without authorization check in

Former Member — Mon, 13 Nov 2006 21:55:21 GMT

Hi Jitendra,

well I'm not absolutely sure, but as far as I'm aware, the authorization object S_TCODE is checked on CALL TRANSACTION as well.

The more severe problem are the report-transactions. You have to restrict the auth objects for report names in the transactions SE38, SA38, SE80, SM37.

Info: In our production system, the report-start transaction are considered to be critical authorizations.

That's from my side. There might be some more detailed contributions coming up.

Best wishes,

Florin

Re: Forcing Authorization for a transaction code without authorization check in

jitendra_mehta — Wed, 15 Nov 2006 20:43:42 GMT

Hi Florin:

S_TCODE restricts the user only at command prompt level, not if you run the transaction for program using "CALL TRANSACTION" verb.

If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.

But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.

The only way, I have seen this working is to assign value space ( ' ' ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.

But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not proper to assign a no value to auth. object ( assigning space value ) "

I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.

Please let me know your thoughts.

Thanks.

Jitendra Mehta

Re: Forcing Authorization for a transaction code without authorization check in

uwe_schieferstein — Wed, 15 Nov 2006 21:12:12 GMT

Hello Jitendra

You are right about the CALL TRANSACTION statement. Here is what the SAP documentation says:

Note

At the statement CALL TRANSACTION, the authorization of the current user to execute the called transaction is not checked automatically. If the calling program does not execute a check, the called program must check the authorization. To do this, the called program must call function module AUTHORITY_CHECK_TCODE.

I have no simple solution for SAP standard report making use of the CALL TRANSACTION statement. However, if you need to call an transaction within a customer report you can use function module ABAP4_CALL_TRANSACTION which does the authority check.

Regards

Uwe