
Forcing Authorization for a transaction code without authorization check in

jitendra_mehta
Participant
0 Kudos

Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from the command prompt, the SAP system appropriately restricts the user, saying "You have no authorization".

However, if a program has a "Call transaction" verb calling this transaction and if the restricted user runs this report or module program, it does not restrict the user from accessing the transaction.

Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?

Jitendra Mehta

3 REPLIES 3

Former Member
0 Kudos

Hi Jitendra,

well I'm not <i>absolutely</i> sure, but as far as I'm aware, the authorization object S_TCODE <i>is</i> checked on CALL TRANSACTION as well.

The more severe problem is the report transactions. You have to restrict the auth objects for report names in the transactions SE38, SA38, SE80, SM37.

<i>Info:</i> In our production system, the report-start transactions are considered to be critical authorizations.

That's from my side. There might be some more detailed contributions coming up.

Best wishes,

Florin

0 Kudos

Hi Florin:

S_TCODE restricts the user only at command prompt level, not if you run the transaction from a program using the "CALL TRANSACTION" verb.

If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.

But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user (therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.

The only way, I have seen this working is to assign value space ( ' ' ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.

But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not proper to assign a no value to auth. object ( assigning space value ) "

I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.

Please let me know your thoughts.

Thanks.

Jitendra Mehta

0 Kudos

Hello Jitendra

You are right about the CALL TRANSACTION statement. Here is what the SAP documentation says:

<i>Note

At the statement <b>CALL TRANSACTION</b>, the authorization of the current user to execute the called transaction is not checked automatically. If the calling program does not execute a check, the called program must check the authorization. To do this, the called program must call function module AUTHORITY_CHECK_TCODE.</i>

I have no simple solution for SAP standard reports making use of the CALL TRANSACTION statement. However, if you need to call a transaction within a <u>customer report</u> you can use function module <b>ABAP4_CALL_TRANSACTION</b> which does the authority check.

Regards

Uwe
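
The check described in the last reply, written out as an added example (not code posted by anyone in this thread): a customer report that calls AUTHORITY_CHECK_TCODE itself and only then issues CALL TRANSACTION. The report name, form name and message text are hypothetical; 'PP02' is the transaction from the question.

```abap
REPORT z_call_pp02_checked.
* Added example: report name, form name and message text are
* hypothetical. PP02 is the transaction discussed in the thread.

CONSTANTS gc_tcode TYPE sy-tcode VALUE 'PP02'.

START-OF-SELECTION.
  PERFORM call_tcode_checked USING gc_tcode.

*---------------------------------------------------------------------*
* Central wrapper: every call to the restricted transaction in
* customer code goes through this form, so the check lives in one
* place. CALL TRANSACTION itself does not check the user's
* authorization to start the transaction (see the documentation
* note quoted above).
*---------------------------------------------------------------------*
FORM call_tcode_checked USING VALUE(iv_tcode) TYPE sy-tcode.

  " Explicit transaction-start check, as the documentation requires
  " when the caller is responsible for it.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = iv_tcode
    EXCEPTIONS
      ok     = 0
      not_ok = 2
      OTHERS = 3.

  IF sy-subrc <> 0.
    " Fail closed: anything other than OK blocks the call,
    " including unexpected return codes.
    MESSAGE 'You have no authorization for this transaction'
            TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Reached only after a successful check.
  CALL TRANSACTION iv_tcode.

ENDFORM.
```

This covers customer code only; SAP standard reports that use CALL TRANSACTION directly are not changed by it, which is the limitation Uwe notes.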