Custom transactions, programs and auth checks

Former Member
0 Kudos

I did do a high-level search on this forum but couldn't find the exact answer I am looking for, so I thought I would post a question.

I am doing security at a company that is in the infant stage of using SAP (ECC). I am having a hard time getting developers to understand the need for authority checks in custom programs and on custom transactions. My question is this:

I am asking them for an auth check in the ABAP code.

I am asking them to create a custom t-code if the program is an executable.

I am asking them to add the auth object check to the t-code in SU24 so that it comes into the role when the t-code is added.

Am I asking for too much? Is this not the proper way to do it? They are not using auth groups on programs, so the auth object statement in the program and on the t-code seems logical to me.

Any comments or suggestions are appreciated

Thanks

Bobbi
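The first of the three requests above (an explicit authority check inside the custom program) looks like the following in a custom executable report. This is an added example written for this thread, not code posted by anyone in it: the report name, the message text and the choice of activity are assumptions; F_BKPF_BUK (company code authorization for accounting documents, fields BUKRS and ACTVT) is a standard SAP authorization object, and BKPF is the standard accounting document header table.

```abap
*&---------------------------------------------------------------------*
*& Report ZFI_DOC_LIST_DEMO  (hypothetical report name, added example)
*& Custom executable report with an explicit AUTHORITY-CHECK, so the
*& check fires whether it is started via its custom t-code or via
*& SA38/SE38, and does not rely on a program authorization group.
*&---------------------------------------------------------------------*
REPORT zfi_doc_list_demo.

" Selection screen: the user picks the company code to report on.
PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " Check the standard object F_BKPF_BUK for display activity '03'
  " on the selected company code. Result is returned in sy-subrc:
  "   0  - authorized
  "   4  - user has the object but not for these field values
  "   12 - user has no authorization for this object at all
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.

  IF sy-subrc <> 0.
    " Stop before any data is read. An E-message raised at this point
    " sends the user back to the selection screen with the error shown.
    MESSAGE 'No authorization to display documents for this company code' TYPE 'E'.
  ENDIF.

  " Only authorized users reach this point.
  PERFORM list_documents USING p_bukrs.

*&---------------------------------------------------------------------*
*& Data retrieval and output; runs only after the check has passed.
*&---------------------------------------------------------------------*
FORM list_documents USING iv_bukrs TYPE bukrs.
  TYPES: BEGIN OF ty_doc,
           belnr TYPE bkpf-belnr,
           gjahr TYPE bkpf-gjahr,
           budat TYPE bkpf-budat,
         END OF ty_doc.
  DATA: lt_docs TYPE STANDARD TABLE OF ty_doc,
        ls_doc  TYPE ty_doc.

  " Constructed sample query: first 50 document headers of the company code.
  SELECT belnr gjahr budat
    FROM bkpf
    INTO TABLE lt_docs
    UP TO 50 ROWS
    WHERE bukrs = iv_bukrs.

  IF lt_docs IS INITIAL.
    WRITE: / 'No documents found for company code', iv_bukrs.
    RETURN.
  ENDIF.

  WRITE: / 'Documents for company code', iv_bukrs.
  LOOP AT lt_docs INTO ls_doc.
    WRITE: / ls_doc-belnr, ls_doc-gjahr, ls_doc-budat.
  ENDLOOP.
ENDFORM.
```

The other two requests are configuration rather than code: the report gets its own transaction code (SE93, type "program and selection screen"), and F_BKPF_BUK is proposed for that t-code in SU24 with the same activity, so the object is pulled into the role automatically when the t-code is added to the role menu. The in-program check is what actually enforces the restriction at runtime; the SU24 entry only makes sure the role contains the matching authorization.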

6 REPLIES

brad_bohn
Active Contributor
0 Kudos

You're certainly not asking too much, but there will be different approaches depending on who you ask. I would suggest that you hash out the process with the development lead and set the standards in place. You're in control of security, so a good development lead should be willing to work with you on a process that makes sense for you and one that's easy to implement on the development side as well.

Former Member
0 Kudos

> I did do a high-level search on this forum but couldn't find the exact answer I am looking for, so I thought I would post a question.

> I am asking them for an auth check in the ABAP code.

> I am asking them to create a custom t-code if the program is an executable.

> I am asking them to add the auth object check to the t-code in SU24 so that it comes into the role when the t-code is added.

> Am I asking for too much? Is this not the proper way to do it? They are not using auth groups on programs, so the auth object statement in the program and on the t-code seems logical to me.

> Thanks

> Bobbi

Auth groups on the programs and/or a custom t-code for an executable program are definitely reasonable... Depending on the client, developers rarely access SU24, so usually the security team manages the authorization for the t-code.

Auth check in ABAP code is something I have done on a case-by-case basis, but not all the time.

0 Kudos

That is part of the problem... we have no standards and only very new ABAP developers. Some of our ABAP is done by consultants who I would think know about authority checks, but apparently they do not, or else do not use them unless specifically told to.

It sounds like I am not out of line asking for this. The SU24 piece could certainly be done by the Security team. I have done it in the past at other companies so I can surely train the security person here to do that as well.

Thanks for the input.

0 Kudos

I am not surprised. In our case, security is defined at the time of requirements gathering. For a lot of reports, unless there is a specific reason to restrict them by org units, we do not code auth checks.

My personal feeling is that an auth group on the program should always be defined... In addition to the auth group, any special restrictions (auth checks in the program) should be part of the requirements gathering (clearly defined by the functional person).

0 Kudos

You are preaching to the choir! I have tried my best to help them understand the need for functional and technical specs and the need to include security at the beginning of new process development, not at the end. All so far to no avail. I just get the answer that there is no bandwidth to do it at this time. I have even provided some suggestions and some documents but so far nothing. I am hoping they will hire an ABAP manager so that we can get code reviews and some best practice standards in place. In the meantime I am doing my best and hoping some of it will stick!

Bobbi

0 Kudos

Well, best of luck. Working quickly on a new implementation without a development lead, standards, and reviews is a difficult thing. I don't know what 'type' of consultants you have there, but surely one of them is senior enough to take the lead and help the process along? Maybe not - it sounds like you're dealing with a gaggle of individuals. You're still the client and the security lead - how does a consultant, independent or not, get away with ignoring you and still get paid? Interesting politics and project...