Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Custom transaction attached to SAP delivered code

Former Member
0 Kudos

Hi,

We have a requirement that all custom programs and transactions are secure. Usually we have the developers add an auth check statement to the program and add that check to the custom t-code in SU24.

Today I have the situation that we are using SAP delivered code and attaching a custom transaction. Since we don't want to modify the SAP code, how is it possible to get any check on the transaction? I know that SU24 won't force the check unless the program is changed. So is there any way to have any type of auth object checked? Or is this a situation where no check would be needed and no objects added to the role when the new t-code is added? (SE93?)

Hope that makes sense!

Thanks

Bobbi

9 REPLIES

Former Member
0 Kudos

Hi,

Are there any checks in the standard SAP program?

If not then taking a risk based approach is there any requirement for it? Don't forget you can add a static check in SE93 that may provide an acceptable level of control.

Former Member
0 Kudos

It really depends on what the program does. Some programs are not allowed to make any checks as they should always be able to run (there is more to SAP than FI-CO reporting... :-).

If the program does something and is executable for users (i.e. a tcode, a report type program, an RFC enabled function module or a web service) and is not protected by a semantically correct authority-check, then you should open a customer message on www.service.sap.com/notes to report it.

If it does make checks, then these are "owned" by SAP and the statements provide the concept for you to work with.

Some code also offers customizing, exits, BAdIs, enhancement "nodes" etc. for you to influence the program behaviour from a security perspective.

An ancient concept which can be used to some extent is object S_PROGRAM to create optional groups of them, but I hope that SAP does away with it one day because it is very blunt and not scalable for modularization of programs and localizing the calling tcode contexts (i.e. the entry points).

Note that if your custom programs are well written, then you often do not have to add any checks because they are "native" in the SAP APIs your custom code uses. This is true in the BC-SEC area. Other areas are less so.

Cheers,

Julius

0 Kudos

Here is where I run into problems. I am not a developer and have a hard time reading the code. This particular report is to display vendor address data. As far as I can tell I do not see anything that appears to be authority checks.

This is the top level of the code:

* generated program of SAP Query ZVEND_ADDR (user group ZVEND)
report AQZZZVEND=======ZVEND_ADDR====.

include /1BCDWB/IQG000000000055DAT.

data %dtab  type standard table of /1BCDWB/IQG000000000055 with header line.
data %subrc type sy-subrc.

include /1BCDWB/IQG000000000055SSCR.
include /1BCDWB/IQG000000000055SSCRAT.

start-of-selection.
  if %runmode-extr_on <> space.
*   data extraction: the generated EXTR function module reads the data
    call function '/1BCDWB/IQG000000000055EXTR'
      tables     %selopt = %seloptions
                 %dtab   = %dtab
      changing   %rtmode = %runmode
      exceptions no_data = 1
                 others  = 2.
    %subrc = sy-subrc.
    call function 'RSAQRT_CHECK_EXTR'
      exporting extr_subrc = %subrc
      tables    dtab       = %dtab
      changing  rtmode     = %runmode.
  endif.

end-of-selection.
  if %runmode-show_on <> space.
*   output: the generated SHOW function module displays the extracted data
    call function '/1BCDWB/IQG000000000055SHOW'
      tables   %dtab   = %dtab
      changing %rtmode = %runmode.
  endif.

*----
* special code for old API and BW extractor calls
*----
form %set_data changing p_lines type i.
  import ldata to %dtab from memory id 'AQLISTDATA'.
  describe table %dtab lines p_lines.
  free memory id 'AQLISTDATA'.
endform.

form %get_data tables p_dtab structure %dtab
               using  p_first type i
                      p_last  type i.
  append lines of %dtab from p_first to p_last to p_dtab.
endform.

form %get_ref_to_table using p_lid   type aql_lid
                             p_ref   type ref to data
                             p_subrc type i.
  if p_lid = %iqid-lid.
    create data p_ref like %dtab[].
    p_subrc = 0.
  else.
    p_subrc = 4.
  endif.
endform.

================================================================================================

The ABAPer doesn't seem to understand what I am asking of him so I am stuck. It appears this custom transaction will go in without any checks on it unless you can perhaps advise me on how to proceed. Any help is appreciated.

0 Kudos

Hi,

that program corresponds to query ZVEND_ADDR (user group ZVEND) which is in the customer namespace. So you should be able to add an authorization check in SQ01. The first function module extracts the data and the second displays it. Hence you need to amend the logic of the first one. BTW, instead of directly assigning this program to a transaction you should create a variant for transaction START_REPORT.

Cheers

0 Kudos

Thank you! Now I can see it in SQ01. The developer couldn't even tell me that it was a query.

So when you say to secure it in SQ01 what does that mean?

And in your opinion should I ask the developer to use a variant on Start_Report instead?

We are a new SAP shop and are all learning.

0 Kudos

Hi,

you need to adjust the infoset used in that query to perform authorization checks. More info [here|http://help.sap.com/saphelp_tm80/helpdata/en/d2/cb3efb455611d189710000e8322d00/frameset.htm]. Yes, I would use START_REPORT instead of direct assignment. That's how all those transactions with weird names like S_<many numbers> are set up.

Cheers

martin_voros
Active Contributor
0 Kudos

Hi,

Speak with developers about the enhancement framework. In every program there are implicit enhancement points like the start of a routine. It's a powerful tool. But first I would try the methods mentioned by the guys above.

Cheers
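Editor's added example, not code from any poster on this thread, showing what the AUTHORITY-CHECK statement the replies keep referring to looks like once it is placed in a custom report: an entry gate at START-OF-SELECTION and a per-record filter over the vendor address rows. The same two statements are what you would put into the infoset's code section in SQ02 or into an enhancement implementation at the start of the extraction routine; only the surrounding code differs. The authorization object Z_VEND_ADR (fields ACTVT and LIFNR) and the message class ZVEND are hypothetical names that would have to be created first (SU21 / SE91). Note that SU24 only records which objects PFCG proposes for the t-code; the runtime check is this statement, which returns sy-subrc = 0 only if the user's buffer contains a matching authorization.

```abap
*&---------------------------------------------------------------------*
*& Editor's added example - not code from any poster on this thread.
*& Hypothetical: authorization object Z_VEND_ADR (fields ACTVT, LIFNR)
*& and message class ZVEND must be created before this compiles/runs.
*&---------------------------------------------------------------------*
REPORT zvend_addr_secured.

TYPES: BEGIN OF ty_addr,
         lifnr TYPE lfa1-lifnr,
         name1 TYPE lfa1-name1,
         stras TYPE lfa1-stras,
         pstlz TYPE lfa1-pstlz,
         ort01 TYPE lfa1-ort01,
         land1 TYPE lfa1-land1,
       END OF ty_addr.

DATA: lt_addr TYPE STANDARD TABLE OF ty_addr,
      ls_addr TYPE ty_addr.

SELECT-OPTIONS s_lifnr FOR ls_addr-lifnr.

START-OF-SELECTION.
* 1. Entry gate: the user needs display authorization (ACTVT 03) for the
*    object at all; otherwise stop before any vendor data is read.
*    DUMMY means the LIFNR field is not evaluated for this coarse check.
  AUTHORITY-CHECK OBJECT 'Z_VEND_ADR'
    ID 'ACTVT' FIELD '03'
    ID 'LIFNR' DUMMY.
  IF sy-subrc <> 0.
*   message type E ends processing and returns to the selection screen
    MESSAGE e001(zvend).   " e.g. "No authorization to display vendor addresses"
  ENDIF.

  SELECT lifnr name1 stras pstlz ort01 land1
    FROM lfa1
    INTO CORRESPONDING FIELDS OF TABLE lt_addr
    WHERE lifnr IN s_lifnr.

* 2. Record-level filter: silently drop vendors the user may not see.
*    A failed check is not an error here; it only narrows the result set.
  LOOP AT lt_addr INTO ls_addr.
    AUTHORITY-CHECK OBJECT 'Z_VEND_ADR'
      ID 'ACTVT' FIELD '03'
      ID 'LIFNR' FIELD ls_addr-lifnr.
    IF sy-subrc <> 0.
      DELETE lt_addr.      " deletes the current loop row
    ENDIF.
  ENDLOOP.

END-OF-SELECTION.
  LOOP AT lt_addr INTO ls_addr.
    WRITE: / ls_addr-lifnr, ls_addr-name1, ls_addr-stras,
             ls_addr-pstlz, ls_addr-ort01, ls_addr-land1.
  ENDLOOP.
```

The gate fails fast and visibly, which is what an auditor expects for "no access at all"; the per-record check is the one that actually protects individual vendors and is the part that has to live in the extraction step (the first generated function module in the query, or the infoset code section), not in the display step, because the display routine only sees data that was already extracted. An ST01 trace of a test user without the object will show both checks with return code 4, which is a quick way to confirm the statement is reached.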

Former Member
0 Kudos

> Hi
>
> Today I have the situation that we are using SAP delivered code and attaching a custom transaction. Since we don't want to modify the SAP code, how is it possible to get any check on the transaction?
>
> Thanks
>
> Bobbi

How about creating a Z custom code by copying from SAP delivered code and then adding your authority check and creating a Z t-code for it.

0 Kudos

Copying standard programs is the ultimate last resort and should be avoided. If the SAP code is spaghetti without an API, then okay, but it produces more spaghetti and maintenance overhead...!

A simple ST01 authorization trace will show whether statically coded authority-checks are not required, because they are in the search helps of screen parameters (also dangerous...) or the programs of the logical database system (LDB) which this program uses - which appears to be the case here.

You cannot statically scan or use the "find" to see all checks. With ABAP OO and ABAP WDA you are highly unlikely to find anything at all by just looking at the main program.

Your weapon of preferred choice should be an ST01 trace and then jump to the coding location of the check.

You will need to learn some ABAP skills for this extra analysis you are attempting to do.

The new coding techniques and improvements to ABAP add a lot of security value at the time of designing the application and at runtime, but you cannot read it like a (long) book anymore.

Good luck,

Julius

ps: if you run this code through transaction SCI then you will find some additional "hints"...

Edited by: Julius Bussche on Apr 18, 2011 10:09 PM