Solved: ability to run start_report without authorization

Former Member · ‎01-11-2011

Hi guys,

We have some transactions which use start_program.

Question: Will a user with these transactions be able to run a report (or any other program) which is not assigned to a Authorization Group (user is not authorized to run start_report directly).

Thanks in advance.

Former Member · ‎01-11-2011

Hi,

The transaction START_REPORT (I assume 'start_program' in your post is a typo) are called by Parameter Transactions.

START_REPORT is used in the parameter transaction to call reports/programs along with few additional features like preassigning values to fields on initial screen of program and hence suppress the initial screen of program when the transaction is executed. START_REPORT can also start SQL queries, report writer, transaction with variants, etc

S_TCODE is not checked for START_REPORT unless specifically defined in SE97 (reflected in TCDCOUPLES), S_TCODE is only checked for the calling transaction (parameter transaction). Even though users not having direct access to START_REPORT will not be allowed to execute it directly and the tcode can be only called by the parameter transactions, however the ST01 trace will show entries this generic tcode -START_REPORT under object S_TCODE.

However, users having direct access START_REPORT can access programs/report which are not protected by Auth groups. But if tcode is called via a parameter transaction, the initial screen can be suppressed and values can be preassigned to restrict users from running any programs which he is not supposed to.

Thanks

Sandipan

Former Member · ‎01-11-2011

Hi,

The transaction START_REPORT (I assume 'start_program' in your post is a typo) are called by Parameter Transactions.

START_REPORT is used in the parameter transaction to call reports/programs along with few additional features like preassigning values to fields on initial screen of program and hence suppress the initial screen of program when the transaction is executed. START_REPORT can also start SQL queries, report writer, transaction with variants, etc

S_TCODE is not checked for START_REPORT unless specifically defined in SE97 (reflected in TCDCOUPLES), S_TCODE is only checked for the calling transaction (parameter transaction). Even though users not having direct access to START_REPORT will not be allowed to execute it directly and the tcode can be only called by the parameter transactions, however the ST01 trace will show entries this generic tcode -START_REPORT under object S_TCODE.

However, users having direct access START_REPORT can access programs/report which are not protected by Auth groups. But if tcode is called via a parameter transaction, the initial screen can be suppressed and values can be preassigned to restrict users from running any programs which he is not supposed to.

Thanks

Sandipan

Former Member · ‎01-13-2011

thnx Sandipan

arpan_paik · ‎01-11-2011

 Will a user with these transactions be able to run a report (or any other program) which is not assigned to a Authorization Group (user is not authorized to run start_report directly)

User should not be able to run any report or program provided below additional condition

1. User do not have access to execute report by some other transaction (like SA38, SE38, SE90 etc) rather that START_REPORT

2. User should be able to run some FM that provide access to run report

Regards,

Arpan Paik