Report to check authorization object used in customized programs

Former Member

Hi Guys,

An auditor came and raised a question to us: he asked whether all of our customized transactions and programs are maintained with authorization checks. The question is how we can check what authorization objects are used for our customized programs and transaction codes. The developer did not maintain the objects used for that program in the SU24 table. Is there a program or a report to show us all the authorization objects used for a customised program or transaction? Example: for T-code MIGO we can check in the SU24 table for all the authorization objects used. How do we check for customized tcodes? Please advise. Thanks!

Edited by: Jarod Tan on Nov 25, 2010 9:42 AM


Former Member

Hi,

The RSABAPSC program can be used to trace the authority-check commands used in a program and its sub programs.

Alternatively, go to SE93, enter the tcode and double-click the program. Check for the AUTHORITY-CHECK statement to identify the auth objects.

Best Rgds,

Raghu

Edited by: Raghu Boddu on Nov 25, 2010 2:42 PM

mvoros
Active Contributor

Hi,

You have to be careful about SU24. The record in SU24 does not have to be complete and it may miss some objects. The only way is to scan the code, as was mentioned.

Cheers

Former Member

Hi Jarod,

It is also recommended to tag all the associated auth objects to the custom tcodes through the SU24 transaction code. This is a consistent approach and is appreciated by the management and auditors too.

Since you are taking up this activity, I recommend that you maintain the identified auth objects in SU24. Make a note of the custom tcodes that are used to maintain tables and ensure that you are restricting them (check the TDDAT table to identify the authorization groups) with the appropriate auth groups.

Hope this helps!!

Best Regards,

Raghu

sdipanjan
Active Contributor

Hi Jarod,

Besides RSABAPSC there is another program which can help you to look into the program in a more descriptive manner. The report is RSANAL00. More than AUTHORITY-CHECK can be found out by using this, especially call functions and other security restrictions not by means of a Native SQL statement.

Regards,

Dipanjan

Former Member

Hi Dipanjan,

RSANAL00 might be too complex and has its own limitations. The good advantage with RSABAPSC is that you can enter the desired depth for the search, so that it will search for the AUTHORITY-CHECK statement to that depth.

Regards,

Raghu

Former Member

Hi Raghu and Dipanjan,

Program RSABAPSC would be the program/report that I am searching for, but this program can only search one program at a time. Like Dipanjan said, this program does not check for call functions, and most of my customized programs use call functions to perform authorization checks. The result given is not that promising. Is there a way to check all of the code and give an accurate result? Appreciate your advice.

Program RSANAL00 was terminated when I executed it. Not sure how to use this program. Can you give me a short guide on how to use this program to check for authorization?

Regards

Jarod
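Raghu's approach above (scan the source for AUTHORITY-CHECK statements) and the two limitations Jarod describes (one program at a time, CALL FUNCTION not followed) can be combined in a small report of the kind below. This is an added example, not code from the thread or from SAP; it assumes function groups without a namespace (so the function module include is built as 'L' + group + 'U' + TFDIR-INCLUDE) and only follows CALL FUNCTION statements whose function name is a literal.

```abap
REPORT z_scan_auth_checks.
" Added example, not from the thread: scan customer programs for AUTHORITY-CHECK
" and follow each CALL FUNCTION with a literal name one level into the function
" module's include. Assumes function groups without namespace, so the include
" is 'L' + group + 'U' + TFDIR-INCLUDE (pname SAPLZAUTH, include 01 -> LZAUTHU01).
TYPES ty_line TYPE c LENGTH 255.
DATA: gt_progs TYPE STANDARD TABLE OF progname, gv_prog TYPE progname.
SELECT-OPTIONS s_prog FOR gv_prog DEFAULT 'Z*' OPTION CP SIGN I.
START-OF-SELECTION.
  SELECT name FROM trdir INTO TABLE gt_progs
    WHERE name IN s_prog AND subc = '1'.   " executable programs only
  LOOP AT gt_progs INTO gv_prog.
    PERFORM scan_source USING gv_prog 0.
  ENDLOOP.
" Tokenize one program and report AUTHORITY-CHECK / CALL FUNCTION statements
FORM scan_source USING pv_prog TYPE progname pv_depth TYPE i.
  DATA: lt_src TYPE STANDARD TABLE OF ty_line, lv_idx TYPE i,
        lt_tok TYPE STANDARD TABLE OF stokes, ls_tok TYPE stokes,
        lt_stm TYPE STANDARD TABLE OF sstmnt, ls_stm TYPE sstmnt,
        ls_kw  TYPE stokes, ls_arg TYPE stokes, lv_func TYPE tfdir-funcname.
  READ REPORT pv_prog INTO lt_src.
  CHECK sy-subrc = 0.
  SCAN ABAP-SOURCE lt_src TOKENS INTO lt_tok STATEMENTS INTO lt_stm.
  LOOP AT lt_stm INTO ls_stm.
    READ TABLE lt_tok INTO ls_tok INDEX ls_stm-from.   " keyword
    lv_idx = ls_stm-from + 1.
    READ TABLE lt_tok INTO ls_kw INDEX lv_idx.         " OBJECT / FUNCTION
    lv_idx = ls_stm-from + 2.
    READ TABLE lt_tok INTO ls_arg INDEX lv_idx.        " object or FM literal
    TRANSLATE: ls_tok-str TO UPPER CASE, ls_kw-str TO UPPER CASE.
    IF ls_tok-str = 'AUTHORITY-CHECK'.
      WRITE: / pv_prog, ls_tok-row, 'AUTHORITY-CHECK', ls_arg-str.
    ELSEIF ls_tok-str = 'CALL' AND ls_kw-str = 'FUNCTION'.
      lv_func = ls_arg-str.
      REPLACE ALL OCCURRENCES OF '''' IN lv_func WITH ``.  " strip quotes
      WRITE: / pv_prog, ls_tok-row, 'CALL FUNCTION', lv_func.
      IF pv_depth = 0.                 " follow one level only, no recursion loops
        PERFORM scan_function USING lv_func 1.
      ENDIF.
    ENDIF.
  ENDLOOP.
ENDFORM.
" Map a function module to its include via TFDIR and scan that include
FORM scan_function USING pv_func TYPE tfdir-funcname pv_depth TYPE i.
  DATA: ls_tfdir TYPE tfdir, lv_incl TYPE progname.
  SELECT SINGLE * FROM tfdir INTO ls_tfdir WHERE funcname = pv_func.
  CHECK sy-subrc = 0 AND ls_tfdir-pname CP 'SAPL*'.
  CONCATENATE 'L' ls_tfdir-pname+4 'U' ls_tfdir-include INTO lv_incl.
  PERFORM scan_source USING lv_incl pv_depth.
ENDFORM.
```

Dynamic calls (CALL FUNCTION with a variable name) and ABAP-OO method calls are not resolved by this scan, so a program whose checks sit only behind those still needs a manual review.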

Former Member

Hi Jarod,

You can define the depth. When you execute the program it will prompt you to enter the depth. Make sure to give a number not more than 10, since you do not need to look at such depth.

As mentioned earlier, the alternative is to verify individual tcodes to identify the AUTHORITY-CHECK statements, table authorizations etc. Go through the link below, which may help you to analyze the custom transaction codes more effectively:

http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/10c22217-75c9-2d10-83a0-9716c2ccc0f4

Regards,

Raghu

Former Member

Thanks guys!!

Frank_Buchholz
Product and Topic Expert

Be careful and check your programming style first: RSABAPSC works fine for simple good old ABAP, but it does not support new ABAP concepts like ABAP-OO.

Kind regards

Frank Buchholz

Former Member

Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.

To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, RFC, service) which is appropriately restricted. The rest (whether, where and how a further check is evaluated) is entirely dependent on what the program actually does.

Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.

Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on its own is however not a sufficient auth check to rely on.

Code review is an art form!

Cheers,

Julius