Authorization Checks in Z programs

Former Member
0 Kudos

Dear Experts,

First of all, thanks for your time. We're being asked to review each Functional Specification in the company to suggest to the development team the standard objects that should be included in the code in order to restrict the access within each development. My understanding was that, as a standard practice, developers only use BAPIs, standard functions or call transactions in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a BAPI associated to VA01, the objects in the code for VA01 are being checked). The exception to this is reports, for which we have a Z object with most of the organizational values like company code, plant, etc. to allow restrictions to take place (and developers are supposed to include this check in their code).

My first question is: is it true that BAPIs, standard functions and call transactions use the regular standard objects when being executed?

If this is the case, is there any point in suggesting the objects to be checked to the developers? It looks as if this would be redundant, as SAP is making sure they're being checked when BAPIs, standard functions and call transactions are executed (exception made for reports, as mentioned).

Thanks a lot for your help!!

Best regards,

CMPT

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

> My first question is: is it true that BAPIs, standard functions and call transactions use the regular standard objects when being executed?

That's not true. Some BAPIs do authorization checks, some BAPIs don't. The only way to check is to run an ST01 trace on the particular BAPI call and see if there are any authorization checks. For example, BAPI BAPI_PO_CREATE performs authorization checks, but as far as I remember there are no authorization checks in BAPI BAPI_PROJECT_MAINTAIN. The standard FMs are basically the same as BAPIs: each FM is different. The standard transactions are protected using authorization objects.

Cheers

6 REPLIES

Former Member
0 Kudos

Hi there,

Thanks for your replies. Therefore, can we say that, as a general rule for each SAP implementation, each FS has to be analyzed to determine which authorization checks should be included in it? If so, how do you do that? Do you have the functional consultant suggesting how to restrict the tcode, or would you rather suggest having the security consultant review the FS to recommend the authorization checks to be included?

I was thinking of maybe having each Z tcode linked to a standard tcode, in order to add into the roles the same auth. objects (once the checks for them have been included in the code)?

Thanks in advance.

Regards,

CMPT

Former Member
0 Kudos

Hi,

It is always a good idea for the Z transaction review to be performed by the security consultant. After all, it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction.

In case the custom transaction has been created similar to, or is an enhancement of, a standard SAP transaction, it is always a good idea to have at least the same authorization checks for the Z txn as well.

For new developments you need to ensure that the authorization checks are implemented based on the functionality of the txn and the data it manipulates. For example, if you have a Z-txn to make changes to purchase orders, you need to ensure that the program checks for change activity on the Purchasing Org, Purchasing Group and Plant values and any other authorization-relevant data.

The auth objects to be used depend entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible; otherwise, create new auth objects as per requirement.

Regards,

Sanju

Former Member
0 Kudos

Hi All,

This is a complex discussion. During support mode, it might be possible to check the new developments being implemented. However, during project mode, I really doubt the security consultant should do it. From a process perspective, I think FS authors should be responsible for defining authorization checks, as it's almost impossible that a security consultant can fully understand each and every FS...

Regards,

CMPT

Former Member
0 Kudos

Hi CMPT,

Use program RSABAPSC to find out whether an authorisation object is included in an AUTHORITY-CHECK in a program, FM, or any standard or Z transaction.

I hope the above program is helpful for you.

Regards,

Firoz.

Edited by: Firoz Basha on Apr 22, 2010 6:58 AM

Former Member
0 Kudos

Please make sure to check AUTHORITY-CHECK in the Z program.

It is required from a security point of view.
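An added example of the checks Sanju's reply and the last post describe, written for this thread rather than taken from it: a custom PO-change program that runs AUTHORITY-CHECK for change activity (ACTVT '02') on the standard purchasing objects for purchasing organization (M_BEST_EKO), purchasing group (M_BEST_EKG) and plant (M_BEST_WRK), once per record it is about to change. The object and field names are SAP standard; the program name, the local class and the sample PO rows are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Added example (not code from this thread): change-authorization
*& checks for a custom program that modifies purchase orders, using the
*& standard MM purchasing objects. Object/field names are SAP standard;
*& program name, class name and the sample PO data are assumptions.
*&---------------------------------------------------------------------*
REPORT z_po_change_authcheck_demo.

TYPES: BEGIN OF ty_po_key,
         ebeln TYPE ebeln,    " PO number
         ekorg TYPE ekorg,    " purchasing organization (header)
         ekgrp TYPE ekgrp,    " purchasing group (header)
         werks TYPE werks_d,  " plant (item level; one plant per PO assumed here)
       END OF ty_po_key,
       tt_po_key TYPE STANDARD TABLE OF ty_po_key WITH EMPTY KEY.

CLASS lcl_po_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS c_actvt_change TYPE activ_auth VALUE '02'.

    " Returns abap_true if the current user may change this PO.
    " ev_failed_object names the first object that rejected the user,
    " so the caller can raise a precise message instead of a generic one.
    CLASS-METHODS may_change
      IMPORTING is_po            TYPE ty_po_key
      EXPORTING ev_failed_object TYPE xuobject
      RETURNING VALUE(rv_ok)     TYPE abap_bool.
ENDCLASS.

CLASS lcl_po_auth IMPLEMENTATION.
  METHOD may_change.
    CLEAR: rv_ok, ev_failed_object.

    " sy-subrc 4: user has the object but not these values;
    " sy-subrc 12: no authorization for the object at all. Deny either way.

    " M_BEST_EKO: purchasing organization in PO (fields ACTVT, EKORG)
    AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
      ID 'ACTVT' FIELD c_actvt_change
      ID 'EKORG' FIELD is_po-ekorg.
    IF sy-subrc <> 0.
      ev_failed_object = 'M_BEST_EKO'.
      RETURN.
    ENDIF.

    " M_BEST_EKG: purchasing group in PO (fields ACTVT, EKGRP)
    AUTHORITY-CHECK OBJECT 'M_BEST_EKG'
      ID 'ACTVT' FIELD c_actvt_change
      ID 'EKGRP' FIELD is_po-ekgrp.
    IF sy-subrc <> 0.
      ev_failed_object = 'M_BEST_EKG'.
      RETURN.
    ENDIF.

    " M_BEST_WRK: plant in PO (fields ACTVT, WERKS)
    AUTHORITY-CHECK OBJECT 'M_BEST_WRK'
      ID 'ACTVT' FIELD c_actvt_change
      ID 'WERKS' FIELD is_po-werks.
    IF sy-subrc <> 0.
      ev_failed_object = 'M_BEST_WRK'.
      RETURN.
    ENDIF.

    rv_ok = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_failed TYPE xuobject.

  " Constructed sample data standing in for the POs the program selected.
  DATA(lt_pos) = VALUE tt_po_key(
    ( ebeln = '4500000001' ekorg = '1000' ekgrp = '001' werks = '1000' )
    ( ebeln = '4500000002' ekorg = '2000' ekgrp = '002' werks = '2100' ) ).

  " Check every record, not only the selection-screen values: a user
  " authorized for plant 1000 only must not reach the change for PO 4500000002.
  LOOP AT lt_pos ASSIGNING FIELD-SYMBOL(<ls_po>).
    IF lcl_po_auth=>may_change( EXPORTING is_po            = <ls_po>
                                IMPORTING ev_failed_object = lv_failed ) = abap_true.
      WRITE: / 'Change allowed:', <ls_po>-ebeln.
      " ... the actual change logic (e.g. a call to BAPI_PO_CHANGE) goes here
    ELSE.
      WRITE: / 'Not authorized:', <ls_po>-ebeln, '(object', lv_failed, ')'.
    ENDIF.
  ENDLOOP.
```

Once the checks are in the code, RSABAPSC (mentioned above) lists the objects the program checks, and an ST01 trace with the test user confirms at runtime that each object is actually hit, which is the same verification mvoros recommends for deciding whether a BAPI checks anything. A custom Z authorization object for organizational values, as described in the original question, is checked with the same AUTHORITY-CHECK statement and its own field names.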