RE: Adding new auth obj in SU24

sreekanth_sunkara
Active Participant
0 Kudos

Hi all,

We created a customized tcode. Our auditors asked us to add an authorization group (P_group) to the attributes of the program, and we did that.

When someone runs this tcode, it should check for the auth group and allow access to run this program based on this auth group.

The custom tcode does not have any objects in SU24.

Can I add object S_PROGRAM to that customized tcode in SU24 without changing the program?

I mean without adding this object in the ABAP code and putting in an authority check.

Will this serve the purpose?

thanks,

Sun.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> can i add object S_PROGRAM to that customized tcode in SU24 with out changing the program?

Why not?

> i mean with out adding this object in the abap code and putting authority check.

Yes, in this case the check is not in the code, but invoked by ABAP statement SUBMIT.

Best practice is to maintain this group via report RSCSAUTH - and not via the attributes in SE38.

If you read the documentation (on the report and su24) it will be clear to you.

Cheers,

Julius

6 REPLIES 6

0 Kudos

Hi Julius,

Our ABAPer already added this through program RSCSAUTH.

He asked how this can be restricted from the security side.

I mean, his point of view is: if we assign this custom tcode to a user, how is this going to check whether the user has access to the authorization group that they added to the program?

thanks,

Sun

0 Kudos

> our abaper already added this through program rscsauth.

Okay, then it will be added to the object repository attribute as well (as if you had changed it from SE38, but it will now warn you that you are bringing the groups out of sync if you try to change it again from SE38).

> he asked how this can be restricted from security side.

It will be restricted now for submittable reports, and via granting access to S_PROGRAM p_action 'SUBMIT' for that p_group name, the user can run the report(s) if authorized.

Note that p_action 'VARIANT' is also sufficient to submit the report (via its selection screen) as the user can change the variant anyway.

> i mean his point of view is, if we assign this custom tcode to a user, how this is going to check whether user has access to the authorization group that they added to the program.

If it is a report-type transaction, it will submit the report when you start the transaction and check S_PROGRAM if the report is protected by an authorization group.

From the perspective of a transaction to start a report, this restriction will work.

Tell your developer to take a read through the ABAP coding of transaction START_REPORT (and you can as well) to see how this works from transactions, report trees, menus etc.

BTW: Another way of starting reports is via shortcuts. We stripped all .sap file attachments (and links) from our mail system for that reason and are very careful with transaction SUB%.

Cheers,

Julius
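
The check described in the reply above can be reproduced for the current user with a small diagnostic report. This is an added example, not code from the thread or from SAP; the report name `z_s_program_check_demo` is hypothetical, and it assumes the authorization group is read from the program attribute `TRDIR-SECU`.

```abap
REPORT z_s_program_check_demo.
* Added example, not from the thread. Report name is hypothetical.
* Shows whether the current user would pass the S_PROGRAM check for a
* report that carries an authorization group.

PARAMETERS p_prog TYPE trdir-name OBLIGATORY.  " report behind the z-transaction

DATA: lv_group   TYPE trdir-secu,              " authorization group attribute
      lt_actions TYPE STANDARD TABLE OF char10 WITH DEFAULT KEY,
      lv_action  TYPE char10.

START-OF-SELECTION.
  SELECT SINGLE secu FROM trdir INTO lv_group WHERE name = p_prog.
  IF sy-subrc <> 0.
    WRITE: / 'Program not found:', p_prog.
    RETURN.
  ENDIF.

  IF lv_group IS INITIAL.
    " Failure mode: without a group there is nothing for S_PROGRAM to check
    WRITE: / p_prog, 'has no authorization group; S_PROGRAM does not restrict it.'.
    RETURN.
  ENDIF.

  " P_ACTION values named in the reply above
  APPEND 'SUBMIT'  TO lt_actions.
  APPEND 'VARIANT' TO lt_actions.

  LOOP AT lt_actions INTO lv_action.
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
      ID 'P_GROUP'  FIELD lv_group
      ID 'P_ACTION' FIELD lv_action.
    IF sy-subrc = 0.
      WRITE: / sy-uname, 'holds S_PROGRAM for group', lv_group, 'action', lv_action.
    ELSE.
      WRITE: / sy-uname, 'lacks S_PROGRAM for group', lv_group, 'action', lv_action,
               '(sy-subrc =', sy-subrc, ')'.
    ENDIF.
  ENDLOOP.
```

Run it under a test user that has only the custom tcode role to confirm the role actually carries the expected P_GROUP value.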

0 Kudos

OK, thanks Julius for your answer.

So from my understanding, you said that we need to assign the user an authorization object S_PROGRAM, either manually or through SE38, along with this custom tcode. Is that correct? (I mean this custom tcode cannot be assigned to the user alone without SE38 or S_PROGRAM.)

So that it will check for the auth group that we assigned to the user in S_PROGRAM.

Otherwise, if we don't put S_PROGRAM, everyone who gets access to this custom tcode can execute the program, right?

thanks,

Sreekanth S

Edited by: sun on Nov 11, 2008 10:27 PM

0 Kudos

No, only the custom tcode and the S_PROGRAM authority (preferably pulled in from SU24).

The rest (SE38, START_REPORT, etc.) are not required; otherwise the user would need more authority and could more easily start any report which is not protected. The system will take care of starting the report for you when it submits the report (after you enter the z-transaction).

Good luck,

Julius

0 Kudos

OK, thanks Julius,

I will add S_PROGRAM in SU24 to that custom tcode.

Thanks very much for your help.

thanks,

Sun

Edited by: sun on Nov 11, 2008 10:45 PM