Restricting AL11

Former Member
0 Kudos
3,927

Hi,

How can I restrict a user to seeing only a particular Unix directory in AL11? By default all the configured directories can be seen.

I only want the user to see a particular configured directory. I tried specifying the directory name in "Physical file name (filename)" in S_DATASET but it doesn't seem to work.

Thanks in advance.

1 ACCEPTED SOLUTION

Former Member
0 Kudos
608

Hi,

Here is the answer for your question.

First create an alias. Go to t-code AL11 > configure > create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below:

Activity 33

Physical file name /tmp/*

Program Name with Search Help *

Regards

Anandm

7 REPLIES 7

Former Member
0 Kudos
608

Hi Sisab,

There is a thread already that talks about your problem:

Hope this helps.

Regards,

Kiran Kandepalli.

0 Kudos
608

Yes, it talks about it but does not really solve it in my opinion.

Take a read through function module AUTHORITY_CHECK_DATASET which you should call before the file system operation is performed, because the S_DATASET checks (and S_PATH for the directory) are invoked by the OPEN, READ, DELETE DATASET statements themselves, not only by the AUTHORITY-CHECK statement.

0 Kudos
608

> First create an alias. Go to t-code AL11 > configure > create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below

> Activity 33

> Physical file name /tmp/*

> Program Name with Search Help *

Thanks for sharing. I didn't know about this option and will test whether it works. Does it also work if the path hook is not activated?

But I still have a doubt => if the user can break out of AL11 or has access to start reports (the file system can be read from many, many reports), then there is no restriction to the program context (field: Program Name) from which the dataset is read. Who knows what all those programs do, and where in all of them the "physical file name" is an input parameter which the user can influence...

Personally, I think the (initial) security gain is greater from restricting the "Program Name" and ensuring that the applications sufficiently take care of their security requirements, than restricting AL11 only.

Cheers,

Julius
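An added example, not code from any poster in this thread: a custom report that calls AUTHORITY_CHECK_DATASET before touching the file system, passing its own name as the program context so that an S_DATASET authorization restricted on Program Name is actually evaluated against it. The report name, the parameter and the default path are hypothetical.

```abap
REPORT z_dataset_read_demo.
" Added illustration; report name, parameter and path are hypothetical.
TYPE-POOLS sabc.  " activity constants for AUTHORITY_CHECK_DATASET

" The physical file name is user input, which is exactly the risk
" discussed above, so it is checked before any file operation.
PARAMETERS p_file TYPE authb-filename LOWER CASE DEFAULT '/tmp/example.txt'.

DATA lv_line TYPE string.

START-OF-SELECTION.
  " Check S_DATASET for (program, activity, file name) up front.
  " sy-repid is the program context the authorization is matched against.
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      program          = sy-repid
      activity         = sabc_act_read
      filename         = p_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    MESSAGE 'No S_DATASET authorization for this file' TYPE 'E'.
  ENDIF.

  TRY.
      " OPEN DATASET repeats the authorization check on its own.
      OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
      IF sy-subrc <> 0.
        MESSAGE 'File could not be opened' TYPE 'E'.
      ENDIF.
      DO.
        READ DATASET p_file INTO lv_line.
        IF sy-subrc <> 0.
          EXIT.  " end of file
        ENDIF.
        WRITE / lv_line.
      ENDDO.
      CLOSE DATASET p_file.
    CATCH cx_sy_file_authority.
      " Reached only if the statement-level check fails despite the pre-check.
      MESSAGE 'Access to the file was refused' TYPE 'E'.
  ENDTRY.
```

With Program Name set to `*` in the role, this report passes the check for any file under the authorized path; restricting Program Name limits which reports can read those files at all.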

0 Kudos
608

Thanks all for the reply...

@Anand: tried your suggestion but it didn't work... executing AL11 still allows me to access all the directories...

0 Kudos
608

Hi Sisab,

S_DATASET is for Authorization for file access, and unfortunately NOT for directory access.

AL11 just gives display access to all directories by default; you can further restrict files by S_DATASET. Once restricted, a user cannot do anything within the directory anyway!

Sometimes, it's better to just push back on requirements.

Hope this is useful

Abhishek

0 Kudos
608

Hi Abhishek,

Thanks for your reply.

Basically, it's to restrict "prying" eyes looking into the system.

I understand the control of S_DATASET but really I just want to limit upfront what the user can see in AL11.

Regards