That function module does use "call transaction" to run the transaction, and I know that this respects authority checks. What is doesn't do is check for an S_TCODE authorisation for the transaction itself. It may be that you can run, say, ME21N to create a purchase order, but you should not be able to actually save the order without the relevant authorisations for plant, purchasing group, purchasing org, etc. That assumes the transaction you are calling has authority checks in it. If it doesn't...

But, I've looked at two systems I have access to here. An older one (R/3 4.7 - basis release 6.20) behaves exactly as above. A newer one (ERP6 EHP5 - basis release 7.02) has an extra check that the user has authorisation to run the specified transaction. I believe, therefore, that in this case you would not be able to even start the transaction if you didn't have permission.

Which version of NetWeaver are you running? Does this match the behaviour you are seeing?

Steve.

So you want to give users the ability to run any FM they like, with the exception of call_transaction_from_table? Is that right? I honestly don't think that's going to solve your problem. There are plenty of other function modules that are going to allow them do undesirable things.

My point still stands, though. "call transaction" respects all the auth objects that the called transaction does. It does not bypass any authority checks. The only problem I can see is that early versions of the call_transaction_from_table did not check the S_TCODE auth object itself. I don't know when that extra check was introduced, but it is certainly in my systems. Look at the source code of call_transaction_from table and see if there's a "call function 'AUTHORITY_CHECK_TCODE'" near the top. I'm guessing that's not present in your systems.

But none of this addresses your fundamental problem. You have ABAP developers that don't respect your rules. You can put as many security checks as you want into the system, but if you have ABAP developers that want to bypass those checks, they will always find a way. Including "back doors" in reports and other custom code is easy to do and you'll only find them with a careful code review of everything before being transported to live.

By all means try to restrict use as much as possible. You should of course do that. But if your developers aren't trustworthy you'll still have a big problem.

I don't believe there is a way to achieve it, no. But even if there was, what's to stop a developer from writing their own version with identical source code and calling that instead?

Is this the production system we're talking about? If so, then I suggest the answer is to not allow access to SE37 at all. Just like you should not allow access to SE38, or SA38, or pretty much every other transaction code beginning with 'S' 🙂

Steve.

That's a pretty obscure note - well found! Yes, that is exactly the difference I was talking about above. My system must have the relevant support pack installed already, and I guess Tabrayz's system doesn't.

However, this still really doesn't address the problem.

Steve.

Hi Tabrayz,

You can simply put restriction on this FM. Because it is standard SAP FM and they have not even maintained any authorization object for this.

But what I am not convinced is the fact that ABAPERs can move transport using this FM by running t.code se01. Because if you have not given the authorization for se01 or any other transaction to the users ( ABAPERs) then they can not execute it even by using this FM, as this FM is only launching the t.code and nothing else.

If the user can't transport the changes using t.code SE01 then they can not even do that using this FM.

But even if it is creating trouble for you then you can either opt for disabling this FM ( as this FM is of not much significance ), or raise an OSS to SAP to provide some authorization object for this FM .

For disabling the FM you can try using the below approach :

1. By using the SAP GUI, logon to the SAP system.
2. Run the SE16 transaction code.
3. Enter /IBMMON/ITM_CNFG as the table name.
4. To create a new entry, press F5.
5. In the PARM NAME field, enter the name of the SAP function module.
6. In the VALUE CHAR field, enter No.
7. Click Save.

Though I am not very sure it would work as in many new versions this table is not active. So, in worst case raise it to SAP to disable the FM .

Regards

Gaurang

That table is associated with IBM Tivoli Monitoring. I don't see how that's of any help here.