Application Development and Automation Discussions
Debugging authorization objects

OttoGold
Active Contributor

Dear sirs,

I would like to know how I can find a list of the authorization objects that are tested when a document is created. I think the mechanism will be the same in the whole system; if not, my special interest is in transaction FMBB. Is there a way to debug which field has been tested with what values (activity, value etc.)?

Thank you, Otto

1 ACCEPTED SOLUTION

ThomasZloch
Active Contributor

In transaction ST01, you can activate the system trace specifically for authorization checks, the resulting log tells you everything after FMBB (for example) has been executed.

Thomas

14 REPLIES


Great :)) Thank you, let's take the next step:

I have a service user here (XIAPPUSER) with SAP_ALL. I have the data from transaction FMBB to create a document here. I have the login of the user who has sent the data. I need to test if the sender user would pass the AUTHORITY-CHECK; I need to explicitly ask if that user can perform that activity. How can I call the check for another user? (I have a list for myself; I need to test the whole list of auth objects for the user when I have his username.)

Any idea regarding this?

Thank you for your time and effort, Otto


I know of two ways: either via the where-used list of the authorization object values (transaction SUIM), or by calling the test frame of function module AUTHORITY_CHECK in SE37.

Actually, this is more security than ABAP related, so I will ask to have the thread moved to the appropriate forum.

Thomas


You could try FM SUSR_GET_USERS_WITH_SPEC_VALS.

Fill table VALUE with all objects and their values the user should have, and then test if the user name is returned in table USERS.


How exactly is this supposed to work? I have the data to create a document. I have a service user with SAP_ALL. I have the UNAME of the user who sent the data (and who of course exists in the receiver system with the same attributes, especially regarding security). I need to perform the sequence of authority checks to prove the sending user has rights to create the document. Or... I don't know how to express myself... whether the user (not me, not the service user, but the sender, that SMITHJ or somebody) could run my transaction and create a document in it with the values he has sent.

Maybe I don't understand the magic within; I thought this must be a task performed like a zillion times a day all over the globe: to test if a user can do something. If it is my fault, please elaborate a little.

thank you very much, Otto


> I have a service user with SAP_ALL

There is a grey area as to whether building a role to use an application is the task of the application developer, or whether it is a specialized task of a security administrator.

Personally I think the former is the best option as the developer has the chance to know most about what the application does and which controls are possible via authorizations (more than just "make it run..."). However the latter is in more widespread use.

Your weapon of choice should be ST01, as already mentioned. Note that it is application server specific, so you might need to know which app server the user is logged onto, or switch servers in SM51 and activate them all.

Your best defense tactic is to maintain the values you need consistently for the service as default proposals in transaction SU24. This is what SAP also does.

If you want to use the Rolls-Royce tool, then see SAP Note 543164 (https://service.sap.com/sap/support/notes/543164).

I leave it up to you to decide whether you want to keep this thread in the ABAPer domain, or pass it on to security (forum)...

Cheers,

Julius

OttoGold
Active Contributor

Or maybe if I could change my "identity" for a single FM call (I would try to create a document as user SMITHJ, not as me) and if that returned an error about the authority check, I would know the user is not allowed to create a document using the provided data. Something like that. Otto

OttoGold
Active Contributor

Hello again, sirs,

I (probably) have the answer.

A friend who is doing the XI stuff will provide information about the data (converted to a table where each row is fieldname + value), about the user and some customizing (which is not important for the idea).

Then I construct a table of arguments for the authority check call and the exceptions table. One of the parameters will be the user, the next one the auth. object, and of course the field value and activity. To perform this I run this one:

    DATA: ptab TYPE abap_func_parmbind_tab,   " rows for USER, OBJECT, FIELDn/VALUEn
          etab TYPE abap_func_excpbind_tab.   " exception name -> sy-subrc value

    CALL FUNCTION 'AUTHORITY_CHECK'
      PARAMETER-TABLE
        ptab
      EXCEPTION-TABLE
        etab.

You can find all the details when:

1) check the F1 help for CALL FUNCTION for some more info about the construction of the table parameters

2) check the FM AUTHORITY_CHECK using "where-used" (or with the _RFC addition) to see an example of how to check the authority of another user.

Hope that will help somebody in the future.

Regards Otto


Thanks Otto for following up. Under program control you might as well use ABAP statement AUTHORITY-CHECK OBJECT ... FOR USER ..., I suggested that function module rather for ad-hoc checks via SE37 test frame.

Thomas

SuhaSaha
Product and Topic Expert

Hey Thomas,

Is the addition valid from Release 7.0? Because in the note you have

"As of Release 7.0, this addition made the use of function module AUTHORITY_CHECK redundant. "

BR,

Suhas


Yes, available from 700. When the software version is not stated in the thread (= most of the time), I'm assuming the one I'm working with.

Thomas

SuhaSaha
Product and Topic Expert

@Otto: I don't know if we can use dynamic tokens with AUTHORITY-CHECK OBJECT. Thomas was just giving an option whereby you can specify the user for which you want to check the authorization against the auth. object.

@Thomas: I am still stuck in ECC5.0. Lucky you 😄

Former Member

IMO you should be careful with this and document it well, as the "use case" is very limited and almost completely "invisible" to any security or basis admin unless they read all your documentation (and all the documentation of all other developers who used the technique as well).

For example, they may notice that the FOR USER ID is not logging on, or never did, and delete the ID because it is not used anywhere... Ka'boom!!

Anyway, you can achieve exactly the same via reference type users, with the limitation of only one of them per user ID. The real advantage here is really just the performance of the AUTHORITY-CHECK itself, and no dodgy coding is needed.

Cheers,

Julius

OttoGold
Active Contributor

The problem is solved, but I wonder... how could I create a dynamic authority check call without the mentioned function module? How would I create/concatenate the code together if the number of variables changes? Otto
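The report below is an added illustration and is not code from any post in this thread. It puts Thomas's two suggestions side by side for the situation Otto describes: form 1 is the static AUTHORITY-CHECK OBJECT ... FOR USER statement (release 7.0 and later), which needs the field list at compile time; form 2 answers the last question above by building the PARAMETER-TABLE of the dynamic CALL FUNCTION 'AUTHORITY_CHECK' from an internal table of field/value pairs whose length is only known at runtime, so the code does not have to be concatenated. S_TCODE with field TCD is a real authorization object (it is checked whenever a transaction is started); the user name SMITHJ, the report and form names, the ty_field_value type and the exception-to-sy-subrc numbering are placeholders chosen here, and the exception names are the ones on the module's interface as I know it, to be confirmed in SE37 on your release.

```abap
*&---------------------------------------------------------------------*
*& Report ZAUTH_CHECK_FOR_USER_DEMO (added example, not from this thread).
*& Form 1: static AUTHORITY-CHECK ... FOR USER. Form 2: dynamic call of
*& AUTHORITY_CHECK built from a field/value table of runtime length.
*& S_TCODE/TCD is a real object; user and report/form names are placeholders.
*&---------------------------------------------------------------------*
REPORT zauth_check_for_user_demo.

TYPES: BEGIN OF ty_field_value,
         field TYPE xufield,   " authorization field name, e.g. 'TCD'
         value TYPE xuval,     " value to test, e.g. 'FMBB'
       END OF ty_field_value,
       ty_field_values TYPE STANDARD TABLE OF ty_field_value WITH DEFAULT KEY.

* 1) Static statement (release 7.0 and later): field list fixed at compile time.
FORM check_tcode_static USING    iv_user  TYPE xubname
                                 iv_tcode TYPE tcode
                        CHANGING cv_ok    TYPE abap_bool.
  cv_ok = abap_false.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    FOR USER iv_user
    ID 'TCD' FIELD iv_tcode.
  " 0 = authorized, 4 = not authorized; any other code means the object,
  " the field names or the user master is wrong, so it also counts as failed
  IF sy-subrc = 0.
    cv_ok = abap_true.
  ENDIF.
ENDFORM.

* 2) Dynamic call: one FIELDn/VALUEn pair per row of it_fields.
FORM check_object_dynamic USING    iv_user   TYPE xubname
                                   iv_object TYPE xuobject
                                   it_fields TYPE ty_field_values
                          CHANGING cv_ok     TYPE abap_bool.
  DATA: lv_user   TYPE xubname,
        lv_object TYPE xuobject,
        lv_num    TYPE string,
        lt_ptab   TYPE abap_func_parmbind_tab,
        ls_ptab   TYPE abap_func_parmbind,
        lt_etab   TYPE abap_func_excpbind_tab,
        ls_etab   TYPE abap_func_excpbind.
  FIELD-SYMBOLS <ls_field> TYPE ty_field_value.

  cv_ok = abap_false.
  " the module offers FIELD1..FIELD10 only; refuse longer lists instead of truncating
  IF lines( it_fields ) > 10. RETURN. ENDIF.

  " local copies so the data references stay valid for the duration of the call
  lv_user = iv_user. lv_object = iv_object.
  ls_ptab-kind = abap_func_exporting.
  ls_ptab-name = 'USER'.   GET REFERENCE OF lv_user INTO ls_ptab-value.
  INSERT ls_ptab INTO TABLE lt_ptab.
  ls_ptab-name = 'OBJECT'. GET REFERENCE OF lv_object INTO ls_ptab-value.
  INSERT ls_ptab INTO TABLE lt_ptab.

  " FIELD1/VALUE1, FIELD2/VALUE2, ... generated from the runtime table
  LOOP AT it_fields ASSIGNING <ls_field>.
    lv_num = sy-tabix. CONDENSE lv_num NO-GAPS.
    CONCATENATE 'FIELD' lv_num INTO ls_ptab-name.
    GET REFERENCE OF <ls_field>-field INTO ls_ptab-value.
    INSERT ls_ptab INTO TABLE lt_ptab.
    CONCATENATE 'VALUE' lv_num INTO ls_ptab-name.
    GET REFERENCE OF <ls_field>-value INTO ls_ptab-value.
    INSERT ls_ptab INTO TABLE lt_ptab.
  ENDLOOP.

  " exception names as on the module's interface (confirm in SE37 on your
  " release); note that "authorized" is itself reported as an exception
  ls_etab-name = 'USER_IS_AUTHORIZED'.  ls_etab-value = 1. INSERT ls_etab INTO TABLE lt_etab.
  ls_etab-name = 'USER_NOT_AUTHORIZED'. ls_etab-value = 2. INSERT ls_etab INTO TABLE lt_etab.
  ls_etab-name = 'USER_DONT_EXIST'.     ls_etab-value = 3. INSERT ls_etab INTO TABLE lt_etab.
  ls_etab-name = 'USER_IS_LOCKED'.      ls_etab-value = 4. INSERT ls_etab INTO TABLE lt_etab.
  ls_etab-name = 'OTHERS'.              ls_etab-value = 9. INSERT ls_etab INTO TABLE lt_etab.

  CALL FUNCTION 'AUTHORITY_CHECK'
    PARAMETER-TABLE lt_ptab
    EXCEPTION-TABLE lt_etab.
  IF sy-subrc = 1.
    cv_ok = abap_true.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  DATA: lt_fields TYPE ty_field_values,
        ls_field  TYPE ty_field_value,
        lv_ok     TYPE abap_bool,
        lv_user   TYPE xubname  VALUE 'SMITHJ',   " constructed sample user
        lv_tcode  TYPE tcode    VALUE 'FMBB',
        lv_object TYPE xuobject VALUE 'S_TCODE'.

  " can the sender start FMBB at all? S_TCODE is checked on every transaction start
  PERFORM check_tcode_static USING lv_user lv_tcode CHANGING lv_ok.
  WRITE: / 'static  S_TCODE TCD=FMBB for', lv_user, '->', lv_ok.

  " the same check via the dynamic path; add rows for objects with several fields
  ls_field-field = 'TCD'. ls_field-value = 'FMBB'. APPEND ls_field TO lt_fields.
  PERFORM check_object_dynamic USING lv_user lv_object lt_fields CHANGING lv_ok.
  WRITE: / 'dynamic S_TCODE TCD=FMBB for', lv_user, '->', lv_ok.
```

Both forms are run by the service user but evaluate the named user's master record, which is exactly the dependency Julius warns about: if that user ID is later deleted as "unused", the check silently flips to not authorized, so the user IDs checked this way belong in the interface documentation. To check the objects actually hit by FMBB, take the object/field/value triples from an ST01 authorization trace and feed them, one object at a time, into it_fields of the dynamic form.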