
Deactivate authorization checks in BSP or function modules?

Former Member
0 Kudos

Hi all

I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization).

I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24).

Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?

Regards

Mike

7 REPLIES 7

Former Member
0 Kudos

In the case of function modules, you need to find the correct one.

Generally, those which are released (see tcode BAPI for example) will ensure that the referential integrity and (intended) customizing dependencies are respected, otherwise not updated, generally.

So if you are updating a field for which object M_MATE_VKO is foreseen, then that is what you get for it. There might however be a SPRO option for this - sometimes there are special "no check" flags (ask your functional guru).

Some unreleased FM's will give you the option to deactivate the checks selectively, but they might not respect the above-mentioned referential integrity and customizing dependencies, so you can generally use them at your own risk (particularly if they are not released - in which case they can change without notice). At least check how the standard programs call them....

If there are no specific answers to your question here (in the security forum), then let me know whether you would like to have it moved to the ABAP or WebDynpro forums.

If you think there is a SPRO possibility worth pursuing, we can try the ERP MM forum.

Cheers,

Julius

Former Member
0 Kudos

We have developed the BSP application and function module to automate all security processes (access creation and changes with three-level approval) with MS SharePoint coding; we also have security reports designed in BSP with table access.

To make sure of certain authorisation checks, customized authorisation checks in our Z* FM and BSP have been implemented. However, in your case it is a standard FM/BSP and changing it may not be possible.

Based on my work so far on such tech, I would ask why you want to remove the auth check, as this will provide good security practice.

If you are developing some form-based automated procedure or work around the web services, why not give this access to the user who will be using this FM or BSP as a service user?

0 Kudos

Yes, that is a valid point!

You can take care of the security you require for the user in the application they use, and hand some of the tasks (and consequential authority-checks) over to a service or a logical destination.

A potential problem here is that the update tasks go through under the user ID's of the services or system users.

Instead of BAPI's, it might be worth looking into WAPI's...

Cheers,

Julius

0 Kudos

That's true,

However, the point I already consider is whether the risk has already been defined for accessing M_MATE_VKO with this BAPI.

If not, then there is no point in going blind into this activity, as it will be hard at a later stage to audit such things, since there will be a service user who is going to use it.

0 Kudos

Actually, calling only this function module with a generic service user (restricted with the same roles, but with access to all sales organizations) could be the solution!

Thanks a lot for your help,

Cheers!
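The service-user approach discussed above, with the audit concern addressed, as an added example that is not code from this thread or from SAP: the BSP checks its own authorization against the real dialog user, delegates the posting to an RFC destination that logs on as the service user, and records who asked for it. The authorization object `Z_BSP_VKO`, table `ZBSP_AUDIT`, wrapper `Z_MATMAS_POST` and destination `Z_MATMAS_SVC` are all hypothetical names.

```abap
* Added example. Assumptions (all hypothetical, to be created by you):
*   Z_BSP_VKO     custom authorization object with fields VKORG, ACTVT
*   ZBSP_AUDIT    custom table: MANDT, LOG_TS, DIALOG_USER, MATNR, VKORG, RC
*   Z_MATMAS_POST RFC-enabled wrapper that calls the standard function module
*   Z_MATMAS_SVC  SM59 destination that logs on with the service user
FORM post_material_via_service USING    iv_matnr TYPE matnr
                                        iv_vkorg TYPE vkorg
                               CHANGING cv_rc    TYPE sysubrc.
  DATA: ls_audit TYPE zbsp_audit,
        lv_msg   TYPE c LENGTH 255.

  " 1. The BSP's own check runs against the real dialog user, so the
  "    decision is still made per person and not per service user.
  AUTHORITY-CHECK OBJECT 'Z_BSP_VKO'
    ID 'VKORG' FIELD iv_vkorg
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    cv_rc = 4.
    RETURN.
  ENDIF.

  " 2. Only now hand over to the service user. M_MATE_VKO is checked on
  "    the other side against the service user's roles.
  CALL FUNCTION 'Z_MATMAS_POST'
    DESTINATION 'Z_MATMAS_SVC'
    EXPORTING
      iv_matnr = iv_matnr
      iv_vkorg = iv_vkorg
    EXCEPTIONS
      communication_failure = 1 MESSAGE lv_msg
      system_failure        = 2 MESSAGE lv_msg
      OTHERS                = 3.
  cv_rc = sy-subrc.

  " 3. The change documents will show the service user, so keep a record
  "    that ties the request back to the person who triggered it.
  GET TIME STAMP FIELD ls_audit-log_ts.
  ls_audit-dialog_user = sy-uname.
  ls_audit-matnr       = iv_matnr.
  ls_audit-vkorg       = iv_vkorg.
  ls_audit-rc          = cv_rc.
  INSERT zbsp_audit FROM ls_audit.
ENDFORM.
```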

Former Member
0 Kudos

Thanks for your replies,

This is actually a customer-developed cProjects BSP that is using the standard function module IDOC_INPUT_MATMAS01.

An interesting note is that this worked fine two weeks ago, but with the recent patches from SAP it seems like we have a more strict authorization control.

I agree this check now works as expected/intended by SAP, but what we would like to achieve is that users can access all sales organizations in the BSP application (because this BSP includes other authorization checks), but on the R3 back-end side their SAP roles should still be restricted on sales organization (i.e. applied when logging on via SAP GUI).

In this case, I thought deactivating the authorization object check only on this BSP, or perhaps the function module, would be a simple and effective solution that would not interfere with any audit standards (since we have documented other authorization checks in our BSP).

Thanks for the tip regarding customizing - I will check with our functional MM experts.

I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module

Regards

Mikael

0 Kudos

> I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module

Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.

Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...

Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.

I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.

I would think that a careful choice of function module and consulting with your functional guru about config which will not interfere with other requirements is the best route to take.

I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...

Cheers,

Julius