
Auth objects for WebDynpro

Former Member
0 Kudos

Hi,

My customer has implemented Maintenance Technician Business Package. This package offers standard Webdynpros in order to create notifications and more functionalities.

Related to security, it is necessary to create roles with the necessary auth objects. With ST01 I can trace the objects and assign them to the roles. My question is that the standard WebDynpro shows the object tcode with no values, that is, blank. My customer does not want this value to be blank because it is considered a bad practice.

My question is whether this is the standard behaviour of SAP WebDynpro applications. It seems strange.

Related to another message I have posted: how is it possible to know the auth objects required by a standard WebDynpro (that calls function modules) in order to create the corresponding roles with the greatest level of detail?

Thanks in advance

9 REPLIES 9

former_member204634
Participant
0 Kudos

Hi

You may want to check SU24 entries for type of application: TADIR Service

Program Id: R3TR

Object Type: WDYA

Object Name depending on which web dynpro object you check.

Hope this helps.

Best Regards

Prashant Tripathi

0 Kudos

I have already tried, but the standard WD application is not shown in SU24 with this selection.

Thanks

0 Kudos

Hi,

then SAP did not maintain values for this web dynpro app. What you can do is to activate parameter auth/authorization_trace (check RZ11 for more info) in your development system and run your web dynpro app. That will create records in SU22. You can maintain settings there and then copy them to SU24.

Cheers

0 Kudos

Actually you should avoid SU22 at all costs, as it uses timestamps.

Report it to SAP via OSS and maintain it in SU24 manually. It will then be delivered in the next SP and synchronize itself.

You should never maintain SU22.

Cheers,

Julius

0 Kudos

As far as I remember you can't maintain values for it unless there is an empty record. So one way is to run trace to generate records in SU22 and then copy them to SU24. It's true that you mess with SAP namespace. I did this for custom apps which can not collide with SAP apps.

There is also a function module that can be used to create an empty record. So execution in SE37 creates the required record and then you can maintain values in SU24. So probably this workaround is better than running a trace (I am ignoring the possibility that SAP quickly provides the missing values).

Cheers

0 Kudos

Yes, you are correct.

This is "original" data in SU22, but the developers did not always anonymize the entries (even as a customer you can do this).

I can recommend sticking to SU24, and if you do use the auth/authorization_trace then in most cases it is easier to read the table than automate the noise it makes.

Generally you have a handful of WDYAs and WSs, so get the objects and values and don't forget to read the documentation in SU21 and take a look at the code again to be sure...

Add them in SU24 instead and you will often not have to look back (unless SU22 delivers something).

Certainly you will not need to have the whole underworld running on SAP_ALL to make it work and the entry points are very restrictive. That is the main goal IMO.

Cheers,

Julius

0 Kudos

See SAP Note 1511363: WDA can be started independently of ABAP tcodes starting the application. As of 7.30 there is a new object to join S_TCODE, S_RFC and S_SERVICE which is dedicated to starting WDAs ---> S_START.

Therefore you do not (necessarily) need S_TCODE and it does not really work reliably here anyway. S_START will be a standard authorization and S_TCODE most likely not required at all.

Cheers,

Julius

0 Kudos

Thanks both, but I think I need to understand more basic concepts about authorizations.

I have executed a WDA and traced it with ST01, and I got the following values:

Object Text

I_QMEL RC=0 tcode= ;TCD=IW21;QMART=M1;

My doubt is about the field tcode which has no value. This field can be seen in all traces. In SAP R/3 programs this field is populated with the transaction code executed.

In SU21, if I display auth object I_QMEL, the fields shown are TCD and QMART. I don't understand the tcode field with WDA, but the security department says that this field has to be filled.

Maybe I need more basic information about authorizations in order to understand your contributions. It seems that the way of managing authorizations in WD is different from SAP R/3 programs; is this OK?

Could you give me more information, maybe some link for beginners?

Thanks in advance

0 Kudos

Hi,

you don't execute any transaction when you run a web dynpro app. Hence you don't see any value in the field tcode. But that's not really important because the field tcode is just part of authorization trace. In authorization trace you have: authorization object, return value, transaction code and then list of values for fields of authorization object.

The authorization object I_QMEL has two fields: TCD and QMART. You can see that TCD is checked for IW21 in web dynpro app. So probably there is confusion between you and security department - they are saying that you need to provide value for field TCD (in this case IW21) but you don't see any value in trace field tcode. BTW probably if you give users access to IW21 then they will have sufficient authorization for those web dynpro apps. If you don't want to give access to tcode IW21 then you can just insert authorization template.

Cheers
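The distinction made in the reply above (the trace's `tcode` column is calling context, while `TCD` and `QMART` are the checked fields of the authorization object) can be made concrete with a small parser. This is an added example, not part of the original thread: the line layout is taken from the single trace line quoted above, the other sample lines are constructed, the function names are hypothetical, and treating any non-zero RC as a failed check is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the thread. Only the first line
# appears in the thread; the remaining lines are made up for illustration.
SAMPLE_TRACE = """\
I_QMEL RC=0 tcode= ;TCD=IW21;QMART=M1;
I_QMEL RC=0 tcode= ;TCD=IW21;QMART=M2;
S_TCODE RC=4 tcode= ;TCD=IW21;
I_QMEL RC=0 tcode=IW21 ;TCD=IW21;QMART=M1;
"""

# <object> RC=<n> tcode=<calling context, may be empty>;<FIELD=VALUE;...>
LINE_RE = re.compile(
    r"^(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+tcode=(?P<ctx>[^;]*);(?P<fields>.*)$"
)

def parse_line(line):
    """Split one trace line into object, return code, context and fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for pair in m.group("fields").split(";"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            fields[name.strip()] = value.strip()
    return {
        "object": m.group("obj"),
        "rc": int(m.group("rc")),
        # Empty when the check ran outside a transaction (e.g. a WDA).
        "context_tcode": m.group("ctx").strip(),
        "fields": fields,
    }

def summarize(trace_text):
    """Collect field values of passed checks per object; list failed checks."""
    passed = defaultdict(lambda: defaultdict(set))
    failed = []
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["rc"] == 0:
            for name, value in rec["fields"].items():
                passed[rec["object"]][name].add(value)
        else:
            failed.append(rec)
    return passed, failed
```

The per-object field values returned by `summarize` are what a role needs to carry; `context_tcode` is kept separately and never feeds into them.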