SAP does not check S_TCODE for F110 when called via CALL TRANSACTION

Former Member
0 Kudos

Hi All,

SAP documentation for Rel 4.7 says:

"The authorization for starting a transaction initially checks if the caller is actually authorized to start the transaction. So that the caller can start a transaction, the authorization object S_TCODE must be entered in the user master.... If you use CALL TRANSACTION, the calling transaction itself normally checks if the authorization to start the transaction exists. In this case, an authorization check for the transaction called does not make sense".

I found this to be incorrect. The documentation is also not very clear if S_TCODE is checked on all transactions at the CALL TRANSACTION statement level or not. What does it mean by "normally"?? Then it goes on to say:

"If the check is not performed by the transaction itself, you must program the check. To do this, insert the following lines before the CALL TRANSACTION statement:"

Example

    DATA: tcod LIKE sy-tcode.

    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        TCODE  = tcod
      EXCEPTIONS
        OK     = 0
        NOT_OK = 2
        OTHERS = 3.

    IF SY-SUBRC <> 0.
      MESSAGE E172(00) WITH tcod.
    ENDIF.

What is this supposed to mean? Are we to guess and/or test every transaction whether to check the S_TCODE authorisation explicitly in our custom programs?!

I've a scenario where I've developed a report with a pushbutton which calls transaction F110. I didn't code any S_TCODE authorisation check before calling F110 thinking that the system will do this first hand. To my surprise I found a user who is not authorised to F110, can push this button from my report to go to F110, enter parameter and even create payment proposals!!!

Am I missing something?

Any suggestions/comments are highly appreciated.

Cheers,

Syd.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

What the documentation says is correct. 'Calling' transaction/program has to check for the authorization. Only a minority of SAP transactions do the check within the code of the txn, so essentially if you are writing a 'Call transaction', you should do the authority-check beforehand (it is your program which is the 'calling' program/txn).

Former Member
0 Kudos

That's precisely my point. Why would the developer have to do the explicit authority check on every call transaction when the SAP doco says "If you use CALL TRANSACTION, the calling transaction itself normally checks if the authorization to start the transaction exists. In this case, an authorization check for the transaction called does not make sense".

This is not correct and on the contrary to what you said, therefore can't we say the documentation is incorrect?

This is not acceptable from a developer's point of view. The system is inconsistent with S_TCODE check when we use syntax CALL TRANSACTION from a custom program...for some it will check, for others it won't check!! I reckon it's funny and weird mate unless I'm missing some switch in the config.

Cheers,

Syd.

Former Member
0 Kudos

The ABAP statement 'Call Transaction' doesn't invoke the authority check for S_TCODE. This is consistent across the system.

With ABAP you can do almost everything (eg try violating a foreign key relationship with an INSERT in a child table and you will be able to), hence, if you are writing ABAP code, you are expected to do all the necessary checks there (including authorization checks for any 'Call transaction') to keep the system consistent.

However, in certain SAP transactions, there is additional check built in the code to not allow such calls. I agree this exception needs some explanation, and I am sure SAP has one. (For example, certain Goods movement txn capture the TCODE in the tables, and in customizing you are allowed to setup the TCODEs which can post such txns; in such case these txns do have this additional checks to ensure you are not allowed to make unauthorized calls to such txns).

Former Member
0 Kudos

Ajay,

I'd really like to know SAP's explanation on this, if there's any! )

You said "The ABAP statement 'Call Transaction' doesn't invoke the authority check for S_TCODE. This is consistent across the system." - But in your absence I've to rely on SAP help doco. on CALL TRANSACTION statement, which states "If you use CALL TRANSACTION, the calling transaction itself normally checks if the authorization to start the transaction exists."!!!!!!

Cheers,

Syd.

Former Member
0 Kudos

Well, we differ on how we interpret this (SAP Help) statement. To me it means that calling transaction has to 'explicitly' check the authorization (which is what is normally done), whereas you probably mean that it is taken care of by the runtime system implicitly.

In my opinion, the statement you quote means that the calling program/txn has to check it explicitly. In case of SAP code doing such a call transaction, SAP has put such auth check in the calling program, and, in a custom code doing such call, it will have to be done by the user in the custom code.

What I do know for sure is that the ABAP runtime system doesn't invoke S_TCODE authority check when a 'Call transaction' is executed. It has to be coded explicitly if it is to be checked for authorization.
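A heuristic audit for the gap discussed in this thread, added here as an example and not part of any poster's reply or of SAP's tooling: it lists CALL TRANSACTION statements in custom ABAP source that have no AUTHORITY_CHECK_TCODE call or AUTHORITY-CHECK on S_TCODE earlier in the same processing block. The sample report, the name `unguarded_calls` and the block-scoped look-back are assumptions; a hit means "review this call", not proof that the check is missing.

```python
import re

# Constructed sample report (not from the thread): three jumps, one guarded.
SAMPLE_ABAP = """\
REPORT zpay_demo.
* pushbutton handlers
FORM on_button.
  CALL TRANSACTION 'F110'.
ENDFORM.
FORM on_button_checked.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING tcode = 'F110'
    EXCEPTIONS ok = 0 not_ok = 2 OTHERS = 3.
  IF sy-subrc <> 0.
    MESSAGE e172(00) WITH 'F110'.
  ENDIF.
  CALL TRANSACTION 'F110'.
ENDFORM.
FORM jump.
  CALL TRANSACTION lv_tcode AND SKIP FIRST SCREEN. "#EC CI_CALLTA
ENDFORM.
"""

COMMENT = re.compile(r'^\*.*$|".*$', re.M)  # full-line and inline comments
BLOCK_START = re.compile(r"^[ \t]*(?:FORM|METHOD|FUNCTION|MODULE)\b", re.M | re.I)
CALL_TA = re.compile(r"\bCALL\s+TRANSACTION\s+('[^']+'|[\w-]+)([^.]*)\.", re.I)
GUARD = re.compile(r"AUTHORITY_CHECK_TCODE|AUTHORITY-CHECK\s+OBJECT\s+'S_TCODE'", re.I)
# Addition available in newer ABAP releases that makes the statement check itself.
INLINE_CHECK = re.compile(r"\bWITH\s+AUTHORITY-CHECK\b", re.I)

def unguarded_calls(source):
    """Return [(line_no, tcode)] for calls with no S_TCODE check before them in their block."""
    # Blank out comments but keep newlines, so line numbers stay correct and
    # pseudo-comments such as "#EC CI_CALLTA cannot hide a call from the scan.
    code = COMMENT.sub("", source)
    findings = []
    for m in CALL_TA.finditer(code):
        if INLINE_CHECK.search(m.group(2)):
            continue
        starts = [b.start() for b in BLOCK_START.finditer(code, 0, m.start())]
        scope = code[starts[-1] if starts else 0:m.start()]
        if not GUARD.search(scope):
            line = code.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1).strip("'")))
    return findings

if __name__ == "__main__":
    for line, tcode in unguarded_calls(SAMPLE_ABAP):
        print(f"line {line}: CALL TRANSACTION {tcode} has no S_TCODE check in its block")
```

The scan accepts any earlier check in the block, so a check for a different transaction code or one whose sy-subrc is never evaluated still has to be caught in review.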

Former Member
0 Kudos

Removing duplicate msg, some problem with the server caused it.

Message was edited by: Ajay Das

Former Member
0 Kudos

Check this link

http://3i-consulting.com/wug/html/File_SAP-WUG_LOG0306D/00000071.htm

    " OK is mapped to 1 here, so sy-subrc > 1 means the user may not start XK03
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = 'XK03'
      EXCEPTIONS
        ok     = 1
        not_ok = 2
        OTHERS = 3.

    IF sy-subrc > 1.
      " No authorization for transaction &1
      MESSAGE i063(vo) WITH 'XK03'.
    ELSE.
      " Reached only when the authorization check passed
      SET PARAMETER ID 'LIF' FIELD gwa_alvouttab-kunnr.
      SET PARAMETER ID 'KDY' FIELD '/130/120/111'. " General data
      CALL TRANSACTION 'XK03' AND SKIP FIRST SCREEN. "#EC CI_CALLTA
    ENDIF.

See this thread

Former Member
0 Kudos

Judith,

I don't think you got my point but thanks anyway.

FYI, transaction SE97 will only work for transactions which call other underlying transactions. I've already checked it out that it does not work to my requirements.

Cheers,

Syd.