11-11-2008 8:31 PM
Hi all,
We created a customized tcode. Our auditors asked us to add an authorization group (P_group) to the attribute of the program, and we did that.
When someone runs this tcode, it should check for the auth group and allow access to run this program based on this auth group.
The custom tcode does not have any objects in SU24.
Can I add object S_PROGRAM to that customized tcode in SU24 without changing the program?
I mean without adding this object in the ABAP code and putting in an authority check.
Will this serve the purpose?
Thanks,
Sun.
11-11-2008 8:42 PM
> Can I add object S_PROGRAM to that customized tcode in SU24 without changing the program?
Why not?
> I mean without adding this object in the ABAP code and putting in an authority check.
Yes, in this case the check is not in the code, but invoked by ABAP statement SUBMIT.
Best practice is to maintain this group via report RSCSAUTH - and not via the attributes in SE38.
If you read the documentation (on the report and su24) it will be clear to you.
Cheers,
Julius
11-11-2008 8:49 PM
Hi Julius,
Our ABAPer already added this through program RSCSAUTH.
He asked how this can be restricted from the security side.
I mean, his point of view is: if we assign this custom tcode to a user, how is this going to check whether the user has access to the authorization group that they added to the program?
Thanks,
Sun
11-11-2008 9:12 PM
> Our ABAPer already added this through program RSCSAUTH.
Okay, then it will be added to the object repository attribute as well (as if you had changed it from SE38, but it will now warn you that you are bringing the groups out of sync if you try to change it again from SE38).
> He asked how this can be restricted from the security side.
It will be restricted now for submittable reports, and via granting access to S_PROGRAM p_action 'SUBMIT' for that p_group name, the user can run the report(s) if authorized.
Note that p_action 'VARIANT' is also sufficient to submit the report (via its selection screen) as the user can change the variant anyway.
> I mean, his point of view is: if we assign this custom tcode to a user, how is this going to check whether the user has access to the authorization group that they added to the program?
If it is a report-type transaction, it will submit the report when you start the transaction and check S_PROGRAM if the report is protected by an authorization group.
From the perspective of a transaction to start a report, this restriction will work.
Tell your developer to take a read through the ABAP coding of transaction START_REPORT (and you can as well) to see how this works from transactions, report trees, menus etc.
BTW: Another way of starting reports is via shortcuts. We stripped all .sap file attachments (and links) from our mail system for that reason and are very careful with transaction SUB%.
Cheers,
Julius
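An added example, not part of the thread and not SAP's own code: a small ABAP report that repeats, for one program and the current user, the S_PROGRAM check described in the post above. It assumes the authorization group is read from TRDIR-SECU; the report name Z_SHOW_PROGRAM_AUTH, its parameter and its variable names are hypothetical.

```abap
REPORT z_show_program_auth.

* Added illustration: report name, parameter and variables are hypothetical.
PARAMETERS p_prog TYPE trdir-name OBLIGATORY.

TYPES ty_action TYPE c LENGTH 12.

DATA: gv_group   TYPE trdir-secu,
      gt_actions TYPE STANDARD TABLE OF ty_action WITH DEFAULT KEY,
      gv_action  TYPE ty_action.

START-OF-SELECTION.

* The group maintained via RSCSAUTH (or the SE38 attributes) is read
* here from TRDIR-SECU.
  SELECT SINGLE secu FROM trdir INTO gv_group WHERE name = p_prog.
  IF sy-subrc <> 0.
    WRITE: / 'Program not found:', p_prog.
    RETURN.
  ENDIF.

* A report without a group is not protected by S_PROGRAM at all.
  IF gv_group IS INITIAL.
    WRITE: / p_prog, 'has no authorization group: not protected.'.
    RETURN.
  ENDIF.

* The thread names SUBMIT and VARIANT as activities that let a user
* run a protected report, so both are tested for the current user.
  APPEND 'SUBMIT'  TO gt_actions.
  APPEND 'VARIANT' TO gt_actions.

  LOOP AT gt_actions INTO gv_action.
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
      ID 'P_GROUP'  FIELD gv_group
      ID 'P_ACTION' FIELD gv_action.
    IF sy-subrc = 0.
      WRITE: / 'Authorized:', gv_action, 'for group', gv_group.
    ELSE.
      WRITE: / 'Not authorized:', gv_action, 'for group', gv_group.
    ENDIF.
  ENDLOOP.
```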
11-11-2008 9:21 PM
OK, thanks Julius for your answer.
So from my understanding, you said that we need to assign the user an authorization object S_PROGRAM either manually or through SE38, along with this custom tcode; is it correct? (I mean this custom tcode cannot be assigned to a user alone without SE38 or S_PROGRAM.)
So that it will check for the auth group that we assigned to the user in S_PROGRAM.
Otherwise, if we don't put S_PROGRAM, everyone who gets access to this custom tcode can execute the program, right?
Thanks,
Sreekanth S
Edited by: sun on Nov 11, 2008 10:27 PM
11-11-2008 9:38 PM
No, only the custom tcode and the S_PROGRAM authority (preferably pulled in from SU24).
The rest (SE38, START_REPORT, etc.) are not required; otherwise the user would need more authority and could more easily start any report which is not protected. The system will take care of starting the report for you when it submits the report (after you enter the z-transaction).
Good luck,
Julius
11-11-2008 9:44 PM
OK, thanks Julius,
I will add S_PROGRAM in SU24 to that custom tcode.
Thanks very much for your help.
Thanks,
Sun
Edited by: sun on Nov 11, 2008 10:45 PM