
Programs without authorization objects

Former Member
0 Kudos

Hi guys,

Do you know a way to list all SAP programs (standard and customized) that do not run an authorization check when executed?

Thank you

5 REPLIES

Former Member
0 Kudos

Hi,

You can check these details through program RSABAPSC. However you need to check one report at a time.

With ABAP report RPR_ABAP_SOURCE_SCAN you can execute a 'bulk scan' on ABAP code context (such as "AUTHORITY-CHECK") but only within ABAP programs.

or

1. Go to transaction se16 --> enter table name usobt.

2. In the resulting screen, enter the transaction code (in this case me21n) and press F8.

3. You can find all the authorization objects checked for a particular transaction.

PS: Apart from that, some authorizations are attached in SE93 also.

http://sap.ittoolbox.com/groups/technical-functional/sap-security/how-to-get-a-list-of-custom-abap-p...

Thanks,

Sri Sonia

Former Member
0 Kudos

Hi,

Please check this post

Also, there is a good post on ITTOOLBOX answered in June.

Debug mode might be the best task, but if you have a lot of customized tasks, that will be a time-consuming activity.

Former Member
0 Kudos

There is no automated medication against this legacy ailment.

Some checks are "remote" in function modules and ABAP OO methods, so you will not even necessarily see them in a code scan, nor whether and how the calling program reacts to the check result or "catches" it and then does something completely different ...

Even with tools (CodeInspector, CodeProfiler, etc) to analyze ABAP code, you need a programming guideline for developers to stick to and a human eye to spot security deviations or errors.

This is an art form (/people/matthew.billingham/blog/2009/09/13/ancient-art-of-code-review) to do correctly and approach large numbers of programs in such a way that you can base it on risk and make "quick wins". For example, do you have generic includes?

Cheers,

Julius
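
An added example, not code from any poster in this thread or from SAP: a Python scan over ABAP sources exported as text that flags programs with no AUTHORITY-CHECK statement or with a check whose sy-subrc is not evaluated in the next statement, and lists the function modules, methods, includes and submitted programs a reviewer still has to open by hand, as the reply above cautions. The program names, the Z_DEMO authorization object, the ZDEMO_TAB table and the Z_DEMO_AUTH_GATE function module are constructed for illustration.

```python
import re

# ABAP comments: '*' in column 1 (whole line) or '"' (rest of line).
FULL_LINE_COMMENT = re.compile(r"^\*.*$", re.M)
LITERAL_OR_COMMENT = re.compile(r"'(?:[^'\n]|'')*'|`[^`\n]*`|\"[^\n]*")
# Statements that hand control to code this scan does not see.
DELEGATION = re.compile(
    r"^(?:CALL (?:FUNCTION|METHOD)|SUBMIT|INCLUDE(?! (?:STRUCTURE|TYPE)\b)) \S+")

def statements(source):
    """Return upper-cased ABAP statements with comments stripped."""
    source = FULL_LINE_COMMENT.sub("", source)
    def scrub(m):  # drop inline comments, protect '.' inside literals
        return "" if m.group(0).startswith('"') else m.group(0).replace(".", "_")
    source = LITERAL_OR_COMMENT.sub(scrub, source)
    return [" ".join(s.split()).upper() for s in source.split(".") if s.strip()]

def audit(source):
    """Flag missing or unevaluated AUTHORITY-CHECK; list delegated calls."""
    stmts = statements(source)
    checks = [i for i, s in enumerate(stmts) if s.startswith("AUTHORITY-CHECK")]
    findings = [] if checks else ["NO_AUTHORITY_CHECK"]
    for i in checks:  # assumption: the result is read in the very next statement
        following = stmts[i + 1] if i + 1 < len(stmts) else ""
        if "SY-SUBRC" not in following:
            findings.append("RESULT_NOT_EVALUATED")
    delegated = [m.group(0) for m in map(DELEGATION.match, stmts) if m]
    return {"findings": findings, "review_manually": delegated}

# Constructed sample sources (not real SAP programs).
SAMPLES = {
    "ZDEMO_NO_CHECK": "REPORT zdemo_no_check.\n"
        "* AUTHORITY-CHECK OBJECT 'Z_DEMO' ID 'ACTVT' FIELD '03'.\n"
        "SELECT * FROM zdemo_tab INTO TABLE lt_rows.\n",
    "ZDEMO_IGNORED": "REPORT zdemo_ignored.\n"
        "AUTHORITY-CHECK OBJECT 'Z_DEMO' ID 'ACTVT' FIELD '03'. \"result unused\n"
        "SELECT * FROM zdemo_tab INTO TABLE lt_rows.\n",
    "ZDEMO_DELEGATED": "REPORT zdemo_delegated.\n"
        "CALL FUNCTION 'Z_DEMO_AUTH_GATE' EXCEPTIONS not_authorized = 1.\n"
        "IF sy-subrc <> 0. LEAVE PROGRAM. ENDIF.\n",
    "ZDEMO_OK": "REPORT zdemo_ok.\n"
        "AUTHORITY-CHECK OBJECT 'Z_DEMO' ID 'ACTVT' FIELD '03'.\n"
        "IF sy-subrc <> 0. MESSAGE 'No authorization' TYPE 'E'. ENDIF.\n",
}

def report(samples=SAMPLES):
    return {name: audit(src) for name, src in samples.items()}

if __name__ == "__main__":
    print(*report().items(), sep="\n")
```

ZDEMO_NO_CHECK contains a commented-out check that a plain text search for "AUTHORITY-CHECK" would count as present, and ZDEMO_DELEGATED is reported as lacking a check even though the called function module may perform one, which is why its call is listed for manual review.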

0 Kudos

This message was moderated.

0 Kudos

Oops.... here is the correct link to the recording of The ancient and noble art of code review (https://sap.emea.pgiconnect.com/p87357333/) by ABAP Guru Matt Billingham.

The other was the introduction song only...

FYI: Matt won the "Spot the security bug in the code" competition at the TechEd '09 in Vienna. He found more bugs in the code than what was intended to be found to win the prize.

Cheers,

Julius