2008 Oct 17 4:07 AM
Hi,
How can I restricted a user to seeing only a particular unix directory in AL11? By default all the configured directories can be seen.
I only want the user to see a particular configured directory. I tried specifying the directory name in "Physical file name (filename)" in S_DATASET but it doesn't seem to work.
Thanks in advance.
2008 Oct 19 9:11 AM
Hi,
Here is the answer for your question.
First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below
Activity 33
Physical file name /tmp/*
Program Name with Search Help *
Regards
Anandm
2008 Oct 17 4:49 AM
2008 Oct 17 10:12 AM
Yes, it talks about it but does not really solve it in my opinion.
Take a read through function module AUTHORITY_CHECK_DATASET which you should call before the file system operation is performed, because the S_DATASET checks (and S_PATH for the directory) are invoked by the OPEN, READ, DELETE DATASET statements themselves, not only by the AUTHORITY-CHECK statement.
2008 Oct 19 9:11 AM
Hi,
Here is the answer for your question.
First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below
Activity 33
Physical file name /tmp/*
Program Name with Search Help *
Regards
Anandm
2008 Oct 19 10:04 AM
>
> First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below
> Activity 33
> Physical file name /tmp/*
> Program Name with Search Help *
Thanks for sharing. I didn't know about this option and will test whether it works. Does it also work if the path hook is not activated?
But I still have a doubt => if the user can break out of the AL11 or has access to start reports (the file system can be read from many many reports) then there is no restriction to the program context (field: Program Name) from which the dataset is read. Who knows what all those programs do, and where in all of them the "physical file name" is an input parameter which the user can influence...
Personally, I think the (initial) security gain is greater from restricting the "Program Name" and ensuring that the applications sufficiently take care of their security requirements, than restricting AL11 only.
Cheers,
Julius
2008 Oct 21 1:56 AM
thanks all for the reply...
@Anand : tried your suggestion but it didn't work... executing AL11 still allow me to access all the directories...
2008 Oct 21 2:39 AM
Hi Sisab,
S_DATASET is for Authorization for file access, and unfortunately NOT for directory access.
AL11 just gives display access to all directories by default, you can further restrict files by S_DATASET. Once restricted, a user cannot do anything within the directory anyway!
Sometimes, its better to just push back on requirements.
Hope this is useful
Abhishek
2008 Oct 21 3:30 AM
Hi Abhishek,
Thanks for your reply.
Basically, it's to restrict "prying" eyes looking into the system.
I understand the control of S_DATASET but really I just want to limit upfront what the user can see in AL11.
Regards