ZSA38 transaction : restriction to ABAP programs

Former Member · ‎08-23-2011

Hello,

A custom transaction ZSA38 has been created that allows access to ABAP programs that are assigned to certain specific authorization groups. However it still allows running of those programs that are not assigned to any group.

Is it possible to restrict the execution of ABAP Programs not assigned to any group in the ZSA38 transaction? If yes, how can it be done? Other than assigning those uncategorized programs to some auth group?

koehntopp · ‎08-23-2011

If you have assigned the programs to auth groups, and have identified which users should have access to which groups - why don't you go the logical next step and assign transaction (and proper authorization proposals!) to those reports, too?

No need to bend SA38 - it's all there...

Frank.

Former Member · ‎08-23-2011

There are some programs that are not assigned to authorization groups yet, and let's say assigning those programs to authorization groups will not be possible just now. The object S_PROGRAM cannot restrict the execution of those programs. Is there any other way to restrict their execution?

Former Member · ‎08-23-2011

Hi,

Check on S_PROGRAM via SA38/SE38 is very typical amongst other SAP standard auth objects. If a program is not assigned to any auth groups, no S_PROGRAM check is performed by SA38/SE38 program and for only those programs which are assigned to an auth groups, S_PROGRAM will be checked (this is different from S_TABU_DIS concept). You can assign a default auth group to all your unclassified programs right now so as to be able to restrict based on S_PROGRAM

By the way I would like to know what tweaking have you done via your ZSA38 tcode. Please let me know.

Thanks

Sandipan

Edited by: Sandipan Choudhury on Aug 23, 2011 10:40 PM

Former Member · ‎08-23-2011

If you copied the module pool and the includes with it, then you could try to change the select of TRDIR-SECU to react by exiting to screen 0 in the stead of suppressing the S_PROGRAM check... but it will not work reliably.

There are OK-codes and menu options in SA38. From them you can navigate back into SA38.

If you have applied recent Support Packs or Security Notes then it is better, but you still live with the risk of copied coding.

Plan B would actually be standard SE38. Here you can control on the program name via S_DEVELOP actvt 16 for PROG in additiona to S_PROGRAM (also SP dependent!). But the problem is that you cannot group programs - you must list them individually or have a prior naming convention to mask the authorization values.

Another downside is that the auditors will still pester you about the tcode being authorized and some of the menu options are really meant for developers and not end users.

So I would suggest creating your own "launch pad" and the best and easiest way to do this is by adding them to a folder in a role menu... but that brings you back to Frank's solution... (which does work).

Cheers,

Julius

Former Member · ‎08-24-2011

I was wondering if a parameter transaction for START_REPORT can enable restricting execution of programs that are not grouped. We do not really have authorization to create transactions in our systems so we couldn't try this option, so could you advise on this please?

Edited by: Madhurima RC on Aug 24, 2011 3:24 PM

Former Member · ‎08-24-2011

Won't work, because the check is suppressed if no group is found.

You will have to code it yourself.

Note that doing this will also force you to assign groups to all programs you want to run from it. That is possibly not a best approach either.

Cheers,

Julius