04-14-2011 7:55 PM
Hi
We have a requirement that all custom program and transactions are secure. Usually we have the developers add an auth check statement to the program and add that check to the custom t-code in SU24.
Today I have the situation that we are using SAP delivered code and attaching a custom transaction. Since we don't want to modify the SAP code, how is it possible to get any check on the transaction? I know that SU24 won't force the check unless the program is changed. So is there any way to have any type of auth object checked? Or is this a situation where no check would be needed and no objects added to the role when the new tcode is added? (SE93?)
Hope that makes sense!
Thanks
Bobbi
04-14-2011 9:07 PM
Hi,
Are there any checks in the standard SAP program?
If not then taking a risk based approach is there any requirement for it? Don't forget you can add a static check in SE93 that may provide an acceptable level of control.
04-14-2011 10:08 PM
It really depends on what the program does. Some programs are not allowed to make any checks as they should always be able to run (there is more to SAP than FI-CO reporting... :-).
If the program does something and is executable for users (i.e. a tcode, a report type program, an RFC enabled function module or a web service) and is not protected by a semantically correct authority-check, then you should open a customer message on www.service.sap.com/notes to report it.
If it does make checks, then these are "owned" by SAP and the statements provide the concept for you to work with.
Some code also offers customizing, exits, BAdIs, enhancement "nodes" etc. for you to influence the program behaviour from a security perspective.
An ancient concept which can be used to some extent is object S_PROGRAM to create optional groups of them, but I hope that SAP does away with it one day because it is very blunt and not scalable for modularization of programs and localizing the calling tcode contexts (i.e. the entry points).
Note that if your custom programs are well written, then you often do not have to add any checks because they are "native" in the SAP APIs your custom code uses. This is true in the BC-SEC area. Other areas are less so.
Cheers,
Julius
04-18-2011 3:44 PM
Here is where I run into problems. I am not a developer and have a hard time reading the code. This particular report is to display vendor address data. As far as I can tell I do not see anything that appears to be authority checks.
This is the top level of the code:
* Generated SAP Query program for query ZVEND_ADDR in user group ZVEND.
* Data declarations and selection screen are pulled in from generated includes.
report AQZZZVEND=======ZVEND_ADDR====.
include /1BCDWB/IQG000000000055DAT.
data %dtab type standard table of /1BCDWB/IQG000000000055 with header line.
data %subrc type sy-subrc.
include /1BCDWB/IQG000000000055SSCR.
include /1BCDWB/IQG000000000055SSCRAT.

start-of-selection.
* Extraction step: the generated EXTR function module reads the data into %dtab.
  if %runmode-extr_on <> space.
    call function '/1BCDWB/IQG000000000055EXTR'
      tables     %selopt = %seloptions
                 %dtab   = %dtab
      changing   %rtmode = %runmode
      exceptions no_data = 1
                 others  = 2.
    %subrc = sy-subrc.
    call function 'RSAQRT_CHECK_EXTR'
      exporting extr_subrc = %subrc
      tables    dtab       = %dtab
      changing  rtmode     = %runmode.
  endif.

end-of-selection.
* Display step: the generated SHOW function module outputs %dtab.
  if %runmode-show_on <> space.
    call function '/1BCDWB/IQG000000000055SHOW'
      tables   %dtab   = %dtab
      changing %rtmode = %runmode.
  endif.

*----
* special code for old API and BW extractor calls
*----
* Loads a previously extracted list from ABAP memory and returns its size.
form %set_data changing p_lines type i.
  import ldata to %dtab from memory id 'AQLISTDATA'.
  describe table %dtab lines p_lines.
  free memory id 'AQLISTDATA'.
endform.

* Returns a slice of the extracted data (rows p_first to p_last).
form %get_data tables p_dtab structure %dtab
               using  p_first type i
                      p_last  type i.
  append lines of %dtab from p_first to p_last to p_dtab.
endform.

* Hands out a data reference to the result table for the matching query id.
form %get_ref_to_table using p_lid   type aql_lid
                             p_ref   type ref to data
                             p_subrc type i.
  if p_lid = %iqid-lid.
    create data p_ref like %dtab[].
    p_subrc = 0.
  else.
    p_subrc = 4.
  endif.
endform.
================================================================================================
The abaper doesn't seem to understand what I am asking of him so I am stuck. It appears this custom transaction will go in without any checks on it unless you can perhaps advise me on how to proceed. Any help is appreciated.
04-19-2011 12:16 AM
Hi,
that program corresponds to query ZVEND_ADDR (user group ZVEND) which is in the customer namespace. So you should be able to add an authorization check in SQ01. The first function module extracts data and the second displays them. Hence you need to amend the logic of the first one. BTW instead of directly assigning this program to a transaction you should create a variant for transaction START_REPORT.
Cheers
04-19-2011 5:16 PM
Thank you! Now I can see it in SQ01. The developer couldn't even tell me that it was a query.
So when you say to secure it in SQ01 what does that mean?
And in your opinion should I ask the developer to use a variant on Start_Report instead?
We are a new SAP shop and are all learning.
04-20-2011 12:21 AM
Hi,
you need to adjust the infoset used in that query to perform authorization checks. More info [here|http://help.sap.com/saphelp_tm80/helpdata/en/d2/cb3efb455611d189710000e8322d00/frameset.htm]. Yes, I would use START_REPORT instead of direct assignment. That's how all those transactions with weird names like S_<many numbers> are set up.
Cheers
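As an added illustration (not code from the thread or from SAP), this is the kind of coding that goes into the infoset behind ZVEND_ADDR via SQ02 -> Extras -> Code, so that the check runs inside the generated EXTR module rather than in the program shown above. It assumes the infoset reads LFA1 (so LFA1-KTOKK is available) and uses the standard vendor account group object F_LFA1_GRP; the choice of object and activity is an assumption for this page's scenario.

```abap
* Added example, not from the original thread or from SAP's query generator.
* Assumption: the infoset is based on vendor master table LFA1, so the
* account group field LFA1-KTOKK is available during record processing.

* --- Code section "START-OF-SELECTION" -----------------------------------
* Entry gate: abort the query if the user may not display any vendor
* master data at all. DUMMY skips the KTOKK check here; only ACTVT counts.
AUTHORITY-CHECK OBJECT 'F_LFA1_GRP'
         ID 'KTOKK' DUMMY
         ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to display vendor master data' TYPE 'E'.
ENDIF.

* --- Code section "Record processing" ------------------------------------
* Row-level filter: drop every vendor whose account group the user is not
* allowed to display. In infoset coding, a failed CHECK rejects the record.
AUTHORITY-CHECK OBJECT 'F_LFA1_GRP'
         ID 'KTOKK' FIELD lfa1-ktokk
         ID 'ACTVT' FIELD '03'.
CHECK sy-subrc = 0.
```

Because the check lives in the infoset, it applies to every query built on it, and an ST01 authorization trace of the transaction will then show F_LFA1_GRP being evaluated.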
04-14-2011 11:48 PM
Hi,
Speak with developers about the enhancement framework. In every program there are implicit enhancement points like the start of a routine. It's a powerful tool. But first I would try the methods mentioned by the guys above.
Cheers
04-18-2011 4:18 PM
> Hi
>
> Today I have the situation that we are using SAP delivered code and attaching a custom transaction. Since we don't want to modify the SAP code, how is it possible to get any check on the transaction?
>
> Thanks
> Bobbi
How about creating a Z custom code by copying from SAP delivered code and then adding your authority check and creating a Z t-code for it.
04-18-2011 9:07 PM
Copying standard programs is the ultimate last resort and should be avoided. If the SAP code is spaghetti without an API, then okay, but it produces more spaghetti and maintenance overhead...!
A simple ST01 authorization trace will show whether statically coded authority-checks are not required, because they are in the search helps of screen parameters (also dangerous...) or the programs of the logical database system (LDB) which this program uses - which appears to be the case here.
You cannot statically scan or use the "find" to see all checks. With ABAP OO and ABAP WDA you are highly unlikely to find anything at all by just looking at the main program.
Your weapon of preferred choice should be an ST01 trace and then jump to the coding location of the check.
You will need to learn some ABAP skills for this extra analysis you are attempting to do.
The new coding techniques and improvements to ABAP add a lot of security value at the time of designing the application and at runtime, but you cannot read it like a (long) book anymore.
Good luck,
Julius
ps: if you run this code through transaction SCI then you will find some additional "hints"...
Edited by: Julius Bussche on Apr 18, 2011 10:09 PM