Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict access to tables when using Eclipse ABAP Tools

Hi,

I use Eclipse together with SAP Development Tools to develop in ABAP. I use also quite often the SQL Browser to test complex OpenSQL statements without need to write a test report.

But here now comes the problem. Authorizations are not checked when accessing e.g. tables of the user masterdata (like PA001). Of course in the development system that is not an issue. But I do not get the needed SAP permissions from our admins for our productive SAP system because then I would have access to the PA* tables that I cannot access with SE16n.

My question is:

Can I restrict the access to critial tables when I use the SAP Development Tools?

In the document Configuring the ABAP Back-end for ABAP Development ToolsClient Version 3.4 I found the authorization object S_ADT_RES where I can define e.g. the URI prefix /sap/bc/adt/ddic/*. Could I herebey list the SAP tables that should be accessible?

Kind regards

Florian

3 REPLIES 3

matt
Active Contributor

Hah - my employment speciality (I develop tools in the security area)!

Using ST01 I found that the query is not direct against the database (assuming you're using right-click on the project and SQL Console) but through the application server. FM VIEW_AUTHORITY_CHECK interrogates the authorisations of your user id when using SQL browers. So you need a role, I guess, with the the usual S_TABU_NAM and S_TABU_DIS. Or rather, since access is to be restricted, I guess without these? Or at least not the PA tables.

0 Kudos

Hi Matthew,

thanks for your answer/suggestion. I will check it together with our authorization admins and will report back if it solves my problem.

Kind regards

Florian

bmayhs
Advisor
Advisor
0 Kudos

Hi Florian,

Data Preview Authorization Flow we have few checks in place.

It checks if the user is authorized with VIEW_AUTHORITY_CHECK FM. This internally checks against S_TABU_NAM/S_TABU_DIS authority objects. If NOT, then it checks if the user has a more generic S_DEVELOP available. If that is the case then we allow the preview of data.

You can restrict access by providing only the necessary authority object to the user. Hope this helps.

Thanks and Regards,

Shyam