Hi Martin,

A SAP note will soon be released about this (compatible back to 6.40)

There is a light version available in 7.3 to transfer data between PFCG and ST01.

There is an optional Rolls-Royce version available for Z-codes / functions and the import parameter specific checks. The trick is to keep the original context of the call and maintain the proposals to the RFC enabled entry point, and know whether the tcode triggered it or the external caller.

There is a service delivered which is context sensitive (e.g. the message type of the IDOC determines the application authorizations needed for synchronous processing, so SAP cannot deliver SU24 reliable proposals and the ones they tried for the /SDF/ are very isolated..).

You need a "common functions" role for the basic scenarios like you have for interactive SAPGUI end-users, and then you need a runtime analyzer to perfect SU24 context sensitively. You also need to distinguish between a local BAPI (context is tcode) and remote one (context is RFC protocol, or http protocol... etc)

That comes with the SAP Note... (it is not released yet. I will update this with the number in the next weeks.)

--> Just a little heads-up and insight that there is some light at the end of the tunnel and you can even order it as a service from SAP to fix your Z-problems for you. The question happened to match that which I know SAP is working on.

Cheers,

Julius

Disclaimer : I have done many such spagetti fixes in the wild and developed the tool and services for customer scenarios together with SAP from my experiences, it is one of my favourite topics --> the Rolls-Royce version with Z-functions, hard-wired external RFC clients and configuration scenario dependent checks includes consulting fees if you want SAP to secure your own scenarios for you. The tools help this, but you cannot fully automate or propose it fro SU24 in "factory settings".

ok,

So with all, I think that the correct procedure when a developer delivery a program with its Z transaction is previously pass the ST01 in order to asign the objects uses through SU24. In this way the work to assign roles will be less and easy with PFCG.

Another question related with that, is possible to have nested autority-checks? so although I have check the objets with ST01 maybe dependending on the input parameteres the objects cheked could be different. This is was Martin comments. So this case can not be avoided (except if a developer or tester checks all input parameter possibilietes) until autorization incident been reported by productive user.

Do you consider correct this explanations? Is there any documentation / course related with this topic or how do create customer programs taking account autorizations?

Thanks

Edited by: jordis on Feb 27, 2012 12:51 PM

 So with all, I think that the correct procedure when a developer delivery a program with its Z transaction is previously pass the ST01 in order to asign the objects uses through SU24. In this way the work to assign roles will be less and easy with PFCG.

I could not have said that better than you did.. Exactly that is the best practice approach! The developer or the customizing consultant knows most about what the interface is actually going to be doing and what it will need and what not when they implement it, however it is only once in a blue moon that SU24 is maintained for anything other than a transaction code.

See [SAP Note 1682316 - Optimizing RFC user authorizations|https://service.sap.com/sap/support/notes/1682316] mentioned above.

Cheers,

Julius