This website is not affiliated with, sponsored by, or approved by SAP AG.

Interval in Authorization Objects


Postby rmeier » Sun May 29, 2011 9:40 am

Hi Everybody,

I am trying to clean up our authorization roles. In one role I found a strange setting.
The following values were assigned to the object S_TCODE:

Object: S_TCODE
Field: TCD
Value: S_* - SM32

I thought that a user who has this role assigned could start at least the transaction SM31, but when I tested this, he was not able to start the transaction.
I'm now a little bit confused, because I do not understand how SAP handles the intervals (numeric, character, special character) using the Low/High intervals in authorization objects.

Could someone explain to me how the logic of the interval works?

This would be great because I searched the internet and didn't find anything on this.

Thanks a lot
Ralf
rmeier
 
Posts: 16
Joined: Wed May 24, 2006 11:11 am

Re: Interval in Authorization Objects

Postby jurjen » Mon May 30, 2011 12:48 am

If you query table TSTC with the same interval you should see which transactions can be started with this S_TCODE setting. It is still possible to get an error message, even with just a * in S_TCODE because other authorization checks within the software may stop it from executing properly.

Jurjen
jurjen
 
Posts: 298
Joined: Wed May 17, 2006 8:17 am
Location: The Netherlands

Re: Interval in Authorization Objects

Postby gauts99 » Mon May 30, 2011 5:49 am

Remove the underscore after the S. That should do it.
gauts99
 
Posts: 48
Joined: Mon Mar 06, 2006 8:45 pm
Location: Ottawa, Ontario

Re: Interval in Authorization Objects

Postby rmeier » Mon May 30, 2011 6:55 am

Hi,

thanks a lot for your help.

To understand the logic of SAP:
The order of the tcodes is stored in the TSTC. So SAP takes the first entry (LOW) and searches for it in the TSTC, and then takes the second entry (HIGH) and searches for it in the TSTC as well. All transactions between both hits are then in the interval.

Is this right? Or is there another logic?

Thanks for your help.
Kind regards
Ralf
rmeier
 
Posts: 16
Joined: Wed May 24, 2006 11:11 am

Re: Interval in Authorization Objects

Postby jurjen » Mon May 30, 2011 12:16 pm

Hi Ralf,

That's a yes if you take into account that the table is sorted in the ASCII character order, it's not an SAP proprietary thing.

I tried querying TSTC with the given range myself in SE16 this afternoon and got a warning that my LOW search term was larger than the HIGH one. Something I'd missed before and I wasn't alone ;-)

It turns out that S_* - SM32 isn't really a valid range since the underscore has a higher ASCII value (95) than capital 'M' (ASCII 77). See http://www.asciitable.com for the order.
These object values will possibly grant access to all S_* transactions and SM32 but I'm not really sure about that.

Jurjen
jurjen
 
Posts: 298
Joined: Wed May 17, 2006 8:17 am
Location: The Netherlands

Re: Interval in Authorization Objects

Postby Sharpshooter » Tue May 31, 2011 6:16 am

jurjen wrote: I tried querying TSTC with the given range myself in SE16 this afternoon and got a warning that my LOW search term was larger than the HIGH one. Something I'd missed before and I wasn't alone ;-)
Jurjen


I have seen this happen when the operating system was changed from EBCDIC to ASCII. The sort order changes, especially in the case of special characters.
A valid interval becomes invalid and no warning. Things just stop working!
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark
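
The ordering issue discussed in this thread, as an added example that is not part of any of the posts above: it compares the LOW and HIGH values of an interval byte by byte under ASCII and under an EBCDIC code page, and flags intervals that are inverted under either one. Assumptions: the values are compared as literal strings (the * is not expanded, as in the SE16 range query described above), cp037 stands in for the EBCDIC code page since the thread names none, and the role values and transaction list are constructed sample data.

```python
ASCII = "ascii"
EBCDIC = "cp037"  # assumption: one common EBCDIC code page; the thread names none

def sort_key(value, codepage):
    """Byte sequence that decides the ordering under the given code page."""
    return value.encode(codepage)

def interval_is_ordered(low, high, codepage):
    """True when LOW does not sort after HIGH, i.e. the range is not inverted."""
    return sort_key(low, codepage) <= sort_key(high, codepage)

def matching(tcodes, low, high, codepage):
    """Transaction codes that fall inside LOW..HIGH under the code page."""
    lo, hi = sort_key(low, codepage), sort_key(high, codepage)
    return [t for t in tcodes if lo <= sort_key(t, codepage) <= hi]

def audit(intervals, codepages=(ASCII, EBCDIC)):
    """Return the intervals that are inverted under at least one code page."""
    findings = []
    for obj, field, low, high in intervals:
        status = {cp: interval_is_ordered(low, high, cp) for cp in codepages}
        if not all(status.values()):
            findings.append((obj, field, low, high, status))
    return findings

# Constructed sample data: the interval from the first post plus a clean one.
ROLE_VALUES = [
    ("S_TCODE", "TCD", "S_*", "SM32"),
    ("S_TCODE", "TCD", "SM30", "SM32"),
]
SAMPLE_TCODES = ["SE16", "SM30", "SM31", "SM32", "SU01"]  # constructed list

if __name__ == "__main__":
    for obj, field, low, high, status in audit(ROLE_VALUES):
        print(f"{obj}/{field}: {low} - {high}")
        for cp, ok in status.items():
            hits = matching(SAMPLE_TCODES, low, high, cp)
            state = "ordered" if ok else "INVERTED (LOW > HIGH)"
            print(f"  {cp}: {state}, matches {hits}")
```

Under ASCII the underscore (95) sorts after 'M' (77), so the interval is inverted and matches nothing; under cp037 the underscore (0x6D) sorts before 'M' (0xD4), so the same values form a non-empty range.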

