topic Re: Authorization Check in Application Development and Automation Discussions

Authorization Check

Former Member — Tue, 01 Apr 2008 11:51:45 GMT

Hi,

Can you please tell me in detail, how does the check is carried out for an authorization object with the check flag value ' only check '?

Thanks in advance.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Tue, 01 Apr 2008 12:36:20 GMT

Hi,

Take a carefull read through this thread:

Particularly the closing statements from Frank Buchholz about "Check" indicating that there is a navigation possibility in the transaction, however the authorization required to use it should come from a different transaction (with "Check/maintain") if that navigation option is desired.

=> "Check only" does nothing. It is information only.

Cheers,

Julius

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 08:33:42 GMT

To protect business data and functions against unauthorized access, SAP programs

utilize authorization checks.

In order to pass an authorization check of this type, a user needs the appropriate authorization.

Authorizations are assigned using profiles in the form of roles, which are entered into the user master record.

The ABAP statement "authority-check" is used to check the authorization object

assigned to the transaction. The check is performed during transaction start by

the ABAP program called by the transaction. Certain field values are always required for authorization objects whcich are mentioned in the "authority-check".

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 12:15:49 GMT

Hi Julius,

Thanks for your reply.

In my project, S_RZL_ADM has the check flag value' x '( ie ' check only ' ) with respect to SM36 in USOBX, as well as USOBX_C. Now, the access to S_RZL_ADM with ACTVT=01 is required if a person wants to include an external command/ program in a background job as a step- one of the major functionalities provided by SM36. So I think, we can't say authorization objects with the check flag value' x ' are generally related to the minor functionalities provided by a transaction.

Second thing, I am doubtful about what you are saying( The access for the authorization objects with the check flag value' x ' should come from the transactions, where these authorization objects have the check flag value' y ' ie' check & maintain '. ). The reason is, I have created a test user in the same system( which I am referring in the above paragraph ) & assigned a test role, which contains only SM36 in the menu. I haven't added S_RZL_ADM in the authorization data by any means. And still the user is able to include external commands. In addition to this, I checked the program for SM36, it contains the check for S_RZL_ADM.

Can you please provide me your views on this?

Thanks in advance.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 12:33:02 GMT

>Now, the access to S_RZL_ADM with ACTVT=01 is required if a person wants to include an external command/ program in a background job as a step- one of the major functionalities provided by SM36. So I think, we can't say authorization objects with the check flag value' x ' are generally related to the minor functionalities provided by a transaction.

That is a rare occurance. Realistically very few activities require access to run an external command (I hope you have tightly secured S_LOG_COM). There are always exceptions but in general......

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 12:34:05 GMT

Hi Sachhidanand,

My view is that you do not have to schedule an external command in a job step (you can also schedule a program => object S_PROGRAM), so you do not have to add S_RZL_ADM to the user's authority, so why should SU24 automatically pull it in?

Regarding your second observation, this is most likely because you (the scheduler) have S_BTCH_ADM = 'Y' authority. Try to release it and see whether the step does infact execute the command (or fails due to missing authority)?

Cheers,

Julius

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 13:33:30 GMT

Hi Alex,

I think, this is not a rare occurence. The program for SM36 makes it mandatory that, the user( who wants to include an external command/ program in a backgrond job as a step ) should have access to S_RZL_ADM with ACTVT=01.

And as you are telling, S_LOG_COM is related to the execution of an external command/ program.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 13:53:01 GMT

Hi Sachhidanand

We will have to agree to disagree. Scheduling a job which runs an external OS command is a rare occurance in my book when considered within the context of the usual jobs which are scheduled. Furthermore this activity is typically performed by people who would already have these authorisations and inherit this auth object. S_RZL_ADM is certainly not an authorisation you would want to give as default to the majority of people with SM36.

Cheers

Alex

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:06:39 GMT

Hi Julius,

Sometimes( might be rarely ) it is required to include an external command/ program in a background job. So S_RZL_ADM is important.

Regarding the second observation, that test user( scheduler ) does not have S_BTCH_ADM with BTCADMIN=Y. Sorry, I forgot to mention in this my previous message. And I checked,

the test user is able to release a job containing an external command.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:15:56 GMT

Hi Alex,

As you are telling, the inclusion of an external command/ program in a background job might be rare. I wanted to tell, the check for S_RZL_ADM with ACTVT=01 is not rare. Means whenever a person tries to include an external command/ program in a background job, this check takes place, provided the check flag value has not been changed from' check only '( SAP proposal ) to' do not check ' & the program for SM36 has not been changed.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:23:45 GMT

Hi Sachhidanand,

If all your users with access to SM36 are also (intendedly) to have S_RZL_ADM authorizations, then you could add S_RZL_ADM with values to the SU24 "check/Maintain" indicator for SM36... however such users would most likely have access to tcode SM49 as well (from which they, in my opinion correctly, will have the authority and the check indicators are already maintained in the default SU24 indicators (ie. SU22).

I don't know why your job step is executing the command, so I can only guess.... you have a different user entered in the job step and than the scheduler of the job (and creator of the job step), and you yourself have SAP_ALL (so you have S_RZL_ADM and S_BTCH_NAM...)?

Cheers,

Julius

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:36:08 GMT


> Hi Alex,
> 
> As you are telling, the inclusion of an external command/ program in a background job might be rare. I wanted to tell, the check for S_RZL_ADM with ACTVT=01 is not rare. Means whenever a person tries to include an external command/ program in a background job, this check takes place, provided the check flag value has not been changed from' check only '( SAP proposal ) to' do not check ' & the program for SM36 has not been changed.
> 
> Regards,
> Sachhidanand

Hi Sachhidanand

The check for S_RZL_ADM is rare as it is a fundamental system level auth value and is used in relatively few situations in the majority of implementations.

It would appear that in <i>your</i> implementation there are a lot of background jobs running external commands. You are getting checks against S_RZL_ADM because SAP knows that there is high risk in doing this and is checking against an auth object which should reflect adequate authorisation.

Considering what external commands have the ability to do (thanks to the user executing them on the OS having rather high privileges - not quite root but close enough), jobs involving these should be part of a structured scheduling process, scheduled by people who know exactly what they are doing.

Typically only Basis and maybe batch users have this authorisation, it is not something that users outside these teams should have in a production environment. Give this in prod to end users and it is likely that your external auditors will comment on this.

When you understand what this controls it's easy to see why it would be foolhardy of SAP to include S_RZL_ADM, ACTVT=01 as a proposal value for everyone with SM36.

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:37:54 GMT

> Sachhidanand Rankhambe wrote:

> I wanted to tell, the check for S_RZL_ADM with ACTVT=01 is not rare. Means whenever a person tries to include an external command/ program in a background job, this check takes place, provided the check flag value has not been changed from' check only '( SAP proposal ) to' do not check ' & the program for SM36 has not been changed.

If that is the way your processes are designed and your users are trained, then that is what you get for it => lots of S_RZL_ADM access is needed for any all (or most) users authorized for SM36.

So yes, you can add it in SU24 to the "Check/Maintain" indicator with values so that you are reminded of this every time you add SM36 to a role. That is what SU24 is there for...

Cheers,

Julius

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:49:59 GMT

> Alex Ayers wrote:

> ... jobs involving these should be part of a structured scheduling process, scheduled by people who know exactly what they are doing.

Assuming that only people who know what they are doing have access to SM36 to administrate scheduled jobs, then perhaps it is okay to add it in SU24. But I agree that SAP should not add it to SU22 (for all the rest of us).

Okay Sachhidanand, I give up... please tell us the answer?

Cheers,

Julius

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 15:59:27 GMT

Hi Julius,

The step user is the test user itself( having only SM36 access ).

And I think, we are deviating from my main concern. Using this example I wanted to tell, I think,

1) authorization objects with the check flag value' check only ' have some importance. They are not just for information.

2) the users having access to a transaction automatically get the access to the authorization objetcs related to that transaction & having the check flag value' check only '.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 16:06:29 GMT

> Assuming that only people who know what they are doing have access to SM36 to administrate scheduled jobs, then perhaps it is okay to add it in SU24. But I agree that SAP should not add it to SU22 (for all the rest of us).

That's a nice assumption

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 16:13:26 GMT

Hi Julius,

I am extremely sorry, I have never used SU22 & am not authorized for the same. So no idea about its use.

And regarding my previous message( where I have mentioned two points ) I have specifically mentioned, I think. Means I am not sure about the second point & want to confirm the same with you people.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Wed, 02 Apr 2008 19:55:26 GMT

Hello Sachhidanand,

> The step user is the test user itself( having only SM36 access ).

So (in my own words to confirm I understand): You logged on with this test user (a dialog user), created a job in SM36 and scheduled an OS command in a jobstep which has this user as the step user as well. The role of the test user does not have any S_BTCH_ADM object authority, nor does it have any S_RZL_ADM object authority. You released the job, and the command executed.

Is that what happened?

Can this same test user also go into an existing job and change a command in an existing jobstep?

> 1) authorization objects with the check flag value' check only ' have some importance. They are not just for information.

If the check is not in the program, adding "Check" flags to SU24 will not help.

I find it very usefull information, but what is it then (a "check" flag in SU24) if not information only?

> 2) the users having access to a transaction automatically get the access to the authorization objetcs related to that transaction & having the check flag value' check only '.

No, that would be "Check/Maintain" (in higher releases: "Proposal = Yes").

> ...I have never used SU22 & am not authorized for the same. So no idea about its use.

SU22 is for SAP to maintain the "out-of-the-box" delivered defaults for the SU24 defaults of PFCG. You should not normally ever need to change SU22 (only tune SU24 to suite your requirements). Have you performed the intial steps in SU25 to set up SU24?

Cheers,

Julius

PS: A few years ago, back on 4.6C, I worked with someone who created a transaction variant for the screen program, to hide the command options if not authorized (I think S_RZL_ADM ACTVT '03' was used, which is also the only field of this object b.t.w...) and change the "program" to select them only from report transactions (as type of transaction) for which the user must be authorized (object S_TCODE), however the program name was still entered when the transaction name was selected by the user, of course. It looked nice, from the end user perspective

Re: Authorization Check

Former Member — Thu, 03 Apr 2008 14:50:58 GMT

Hi Julius,

Yes, you are almost correct. Two corrections, S_BTCH_ADM is there, but unmaintained( I have kept as it is. ) & I deleted the job before execution because I am not authorized.

The test user is able to change the command.

And I agree with you, if not coded properly, there is no use of checks in SU24.

Regarding my second point, the following facts cause me to think in this way.

1) S_RZL_ADM has the check flag value' check only ' with respect to SM36.

2) The program for SM36 contains the check for S_RZL_ADM with ACTVT=01.

3) Though I am unable to find S_RZL_ADM in the authorization data of that test role, as well as in the user buffer of the test user, the test user is able to include an external command in a background job.

Thank you very much for giving the information on SU22.:-)

But I kindly request you to

1) explain SU22 in detail( possibly with an eg ).

2) tell, when we should go for SU22( possibly with an eg ).

No, I have never used SU24 & SU25. Even not authorized to try. But I have little bit idea.

Regards,

Sachhidanand

Re: Authorization Check

Former Member — Thu, 03 Apr 2008 14:56:03 GMT

Hi Julius,

I forgot to mention, I am getting,

3 <- S_RZL_ADM:ACTVT=01

in ST01 for the test user.

Can you please tell me, what does 3 indicate? Even 1.

Thanks in advance.

Regards,

Sachhidanand