This website is not affiliated with, sponsored by, or approved by SAP AG.

Authorization for entry only thru pgm


Postby Shobhana » Thu Nov 07, 2002 7:15 am

If I want a user to pass a document only via an ABAP program (the program in turn has a BDC call) and prevent him from passing the document through the transaction screen, is there any way to do this?
If the authorization for the transaction is removed, the program fails (because of the BDC call), and if the authorization is given, the user can't be prevented from passing the entry externally.
Any suggestions?


Postby Guest » Thu Nov 07, 2002 8:04 am

Hi Shobhana,

My ABAP is pretty rusty, but if you are using a BDC session then function module BDC_OPEN_GROUP can create a session into which BDC_INSERT can be used to insert batch input data.

The syntax for the function (excluding exceptions) is:-

Code:
CALL FUNCTION 'BDC_OPEN_GROUP'
  EXPORTING
    client   = value
    group    = value
    holddate = value
    keep     = value
    user     = value.   " user for the authorisation check

The great thing about this function is that you can specify the user for the authorisation check. If you specify a dedicated background user with the relevant auths, the job will run OK as all the code performed within the session will use the authorisations of the user specified. Therefore the user doesn't need the authorisations for the sensitive transaction.

Security requirements where applicable should be included within the functional spec of any custom ABAP, but this is often overlooked.

It is poor design for functional teams to make workaround to suit the developers unless there are no other options.

If it's a SAP Standard ABAP then it's a different story & I'm sorry I can't help. User Exits?
There may be some other ways of doing this via auth's only, but I can't think of any right now.

Good Luck.

Postby John A. Jarboe » Thu Nov 07, 2002 8:49 am

In versions prior to 4.6 this was not a problem since the CALL TRANSACTION function bypassed the S_TCODE check. In 4.6 you have to go into transaction code SE97 and tell SAP NOT to check on a CALL TRANSACTION. You do have to be at a very high patch level since some programmers HARD CODED the S_TCODE check in some of SAP's Tcodes which bypasses the SE97 feature.

As suggested above, creating a BDC session to run rather than a "direct" CALL TRANSACTION is also a good approach. If you want the document to be tied to the user who ran it, though, you will have to run the BDC session under the ID of the requesting user and not the surrogate user.
Still, the user running the "transaction" will need the underlying authorizations, so while they may not be able to run a specific tcode, they may be able to accomplish the same through another set of screens for a tcode they do have.
John A. Jarboe

Thanks-Still Testing

Postby Shobhana » Thu Nov 14, 2002 11:10 pm

This is Shobhana again. Thanks for the suggestions. I am still in the process of testing the program. The functions I have used are BDC_OPEN_GROUP, BDC_INSERT, BDC_CLOSE_GROUP, JOB_OPEN, SUBMIT (this also seems to play a vital role in checking the auth) and JOB_CLOSE.
Will keep you informed how the testing goes.

Thanks once again!


Postby Shobhana » Mon Dec 02, 2002 6:12 am

My test has been successful - A point to note is that the user id to check authorisations has to be passed even with the SUBMIT command else the authorisation fails. Also one drawback is that the environment parameters do not get set in the current session and therefore to retrieve the same one has to necessarily access the database tables which may prove to be time-consuming.
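The following ABAP report is an added example that ties together the two approaches discussed in this thread: the USER parameter of BDC_OPEN_GROUP from the first reply, and Shobhana's finding that the USER addition is also needed on the SUBMIT that schedules the session. It is not code from any poster. The batch user ZBDC_BATCH, the session name ZPOSTDOC, the transaction ZDOCPOST and the screen/field names in the BDCDATA table are placeholders I made up; the RSBDCSUB selection parameters MAPPE, VON and BIS are from memory and should be checked against the report in your release before use.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the thread): post a document through a
*& batch-input session that is processed under a dedicated batch user,
*& so the dialog user needs no authorization for the posting transaction.
*& All Z* names and the screen sequence below are placeholders.
*&---------------------------------------------------------------------*
REPORT zbdc_post_via_batch_user.

CONSTANTS: gc_batch_user TYPE sy-uname     VALUE 'ZBDC_BATCH',  " placeholder
           gc_group      TYPE apqi-groupid VALUE 'ZPOSTDOC',    " placeholder
           gc_tcode      TYPE sy-tcode     VALUE 'ZDOCPOST'.    " placeholder

DATA: gt_bdcdata  TYPE STANDARD TABLE OF bdcdata,
      gs_bdcdata  TYPE bdcdata,
      gv_jobname  TYPE btcjob VALUE 'ZBDC_POSTDOC',
      gv_jobcount TYPE btcjobcnt.

" Append one screen header (dynbegin = 'X') or one field value to BDCDATA.
FORM add_bdc USING iv_program TYPE bdcdata-program
                   iv_dynpro  TYPE bdcdata-dynpro
                   iv_begin   TYPE bdcdata-dynbegin
                   iv_fnam    TYPE bdcdata-fnam
                   iv_fval    TYPE bdcdata-fval.
  CLEAR gs_bdcdata.
  gs_bdcdata-program  = iv_program.
  gs_bdcdata-dynpro   = iv_dynpro.
  gs_bdcdata-dynbegin = iv_begin.
  gs_bdcdata-fnam     = iv_fnam.
  gs_bdcdata-fval     = iv_fval.
  APPEND gs_bdcdata TO gt_bdcdata.
ENDFORM.

START-OF-SELECTION.
  " 1. Build the screen sequence (constructed placeholder screen and fields).
  PERFORM add_bdc USING 'SAPMZDOC' '0100' 'X' ''            ''.
  PERFORM add_bdc USING ''         ''     ''  'ZDOC-AMOUNT' '100.00'.
  PERFORM add_bdc USING ''         ''     ''  'BDC_OKCODE'  '=SAVE'.

  " 2. Open the session. USER decides whose authorizations apply when the
  "    session is processed: the batch user, not the dialog user (sy-uname).
  CALL FUNCTION 'BDC_OPEN_GROUP'
    EXPORTING
      client = sy-mandt
      group  = gc_group
      user   = gc_batch_user
      keep   = 'X'          " keep the processed session so it can be audited
    EXCEPTIONS
      OTHERS = 1.
  IF sy-subrc <> 0.
    MESSAGE 'BDC_OPEN_GROUP failed' TYPE 'E'.
  ENDIF.

  " 3. Insert the transaction call with its screen data.
  CALL FUNCTION 'BDC_INSERT'
    EXPORTING
      tcode     = gc_tcode
    TABLES
      dynprotab = gt_bdcdata
    EXCEPTIONS
      OTHERS    = 1.
  IF sy-subrc <> 0.
    MESSAGE 'BDC_INSERT failed' TYPE 'E'.
  ENDIF.

  CALL FUNCTION 'BDC_CLOSE_GROUP'
    EXCEPTIONS
      OTHERS = 1.

  " 4. Schedule RSBDCSUB to process the session as a background job. The
  "    USER addition on SUBMIT is the point Shobhana raised: without it the
  "    job step runs as the dialog user and the authorization check fails.
  CALL FUNCTION 'JOB_OPEN'
    EXPORTING
      jobname  = gv_jobname
    IMPORTING
      jobcount = gv_jobcount
    EXCEPTIONS
      OTHERS   = 1.
  IF sy-subrc <> 0.
    MESSAGE 'JOB_OPEN failed' TYPE 'E'.
  ENDIF.

  SUBMIT rsbdcsub WITH mappe = gc_group     " session name (verify parameter names)
                  WITH von   = sy-datum
                  WITH bis   = sy-datum
                  USER gc_batch_user
                  VIA JOB gv_jobname NUMBER gv_jobcount
                  AND RETURN.

  CALL FUNCTION 'JOB_CLOSE'
    EXPORTING
      jobcount  = gv_jobcount
      jobname   = gv_jobname
      strtimmed = 'X'       " start immediately
    EXCEPTIONS
      OTHERS    = 1.
  IF sy-subrc <> 0.
    MESSAGE 'JOB_CLOSE failed' TYPE 'E'.
  ENDIF.
```

Two points from the thread apply to this design. First, as John notes, the document is then created by the batch user, not by the person who ran the report, so the audit trail lives in the session log (KEEP = 'X') and the job log rather than in the document header. Second, the dialog user still needs authorization to run this Z report itself, and the batch user's role should be limited to the one posting transaction, otherwise the report becomes a general-purpose way to act with that user's authorizations.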


