Application Development and Automation Discussions

Auth. object S_Develop problem

openrico
Participant

Hello Experts,

I have the following problem:

I would like to use the authority object S_DEVELOP to authorize users to execute some reports, but every user has to display all reports (with transaction SE38).

So I put 2 different forms of s_develop into one user role.

First form:

ACTVT: 16

DEVCLASS: *

OBJNAME: *

OBJTYPE: PROG

P_GROUP: FI*

Second form:

ACTVT: 03

DEVCLASS: *

OBJNAME: PROG

OBJTYPE: P_GROUP: *

The problem is that both forms complement each other, so every user can display AND execute all reports.

Is there somehow a possibility to implement my requirements from above with the authority object S_DEVELOP, or is this a bug and there exists an SAP Note?

Thank you for your help!
Best regards

Enrico

1 ACCEPTED SOLUTION

Former Member

Hi Enrico,

The authorizations are not actually complementing each other in the way you think they do. When executing a program through SE38, SAP will perform the following checks:

1) S_DEVELOP with ACTVT 16; OBJTYPE PROG and OBJNAME = the name of the program you are trying to execute. The check with ACTVT 16 will not check for the program group.

2) S_DEVELOP with ACTVT 03 and all other fields according to the selected program, including the program group (if any)

3) In case there's a program group, S_PROGRAM will also be checked.

The "additional" check for ACTVT 16 is documented in note "1012066 - Security note: Authorization check when executing reports"

While it is perfectly possible to allow users to display all programs and only execute specific programs through SE38 by using the OBJNAME field with ACTVT 16, this is not recommended. Like Colleen said, it's best practice to create a tcode for every program you want to call on a production environment.

Kind regards,

Brent
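
The check sequence from the accepted answer, modelled in Python as an added example (not SAP code and not written by the posters). It assumes a check passes when a single authorization matches every field that check names; check 3 (S_PROGRAM) is left out, the all-fields-open display authorization is assumed, and the program names, packages and groups are constructed.

```python
# Added illustration: a simplified model of the S_DEVELOP checks, not SAP code.
# Assumptions: a check passes when ONE authorization matches EVERY field the
# check names; unnamed fields are ignored; only a trailing '*' is modelled.

def value_matches(pattern, value):
    """Compare one authorization field value against the checked value."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def authority_check(auths, checked):
    """True if any single authorization satisfies all checked fields."""
    return any(all(value_matches(a.get(f, ""), v) for f, v in checked.items())
               for a in auths)

def check_execute(auths, prog):
    # Check 1 in the answer: ACTVT 16, OBJTYPE PROG, OBJNAME. No P_GROUP.
    return authority_check(auths, {"ACTVT": "16", "OBJTYPE": "PROG",
                                   "OBJNAME": prog["name"]})

def check_display(auths, prog):
    # Check 2 in the answer: ACTVT 03 plus the program's own field values.
    return authority_check(auths, {"ACTVT": "03", "OBJTYPE": "PROG",
                                   "OBJNAME": prog["name"],
                                   "DEVCLASS": prog["devclass"],
                                   "P_GROUP": prog["group"]})

def can_run_in_se38(auths, prog):
    # Executing through SE38 needs check 1 and check 2 to pass.
    return check_execute(auths, prog) and check_display(auths, prog)

def auth(actvt, objname, p_group):
    """Build one S_DEVELOP authorization with DEVCLASS open and OBJTYPE PROG."""
    return {"ACTVT": actvt, "DEVCLASS": "*", "OBJNAME": objname,
            "OBJTYPE": "PROG", "P_GROUP": p_group}

# Constructed sample programs (names, packages and groups are hypothetical).
FI_REPORT = {"name": "ZFI_BALANCES", "devclass": "ZFI", "group": "FI01"}
HR_REPORT = {"name": "ZHR_PAYSLIP", "devclass": "ZHR", "group": "HR01"}

DISPLAY_ALL = auth("03", "*", "*")                     # assumed: display everything
ROLE_BY_GROUP = [auth("16", "*", "FI*"), DISPLAY_ALL]  # first form in the question
ROLE_BY_NAME = [auth("16", "ZFI*", "*"), DISPLAY_ALL]  # restrict via OBJNAME instead

if __name__ == "__main__":
    for label, role in (("P_GROUP FI*", ROLE_BY_GROUP), ("OBJNAME ZFI*", ROLE_BY_NAME)):
        for prog in (FI_REPORT, HR_REPORT):
            print(label, prog["name"], "display:", check_display(role, prog),
                  "run:", can_run_in_se38(role, prog))
```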

3 REPLIES

Colleen
Product and Topic Expert

Revoke SE38 and build custom transaction codes for the necessary reports.
