how to search authorization objects by field?

Former Member
0 Kudos

A developer wrote a custom report. It uses some fields that are sensitive. I told the developer he must write an AUTHORITY-CHECK into the code, and then he asked me, "OK... I will do that, but which authorization objects should I check?" Well, neither of us knows how to find auth objects containing certain fields.

The best I can think of is searching the USOBT table. If there is no match, search the USOBT_C table. Then, if there is still no match, conclude that no existing auth objects use that field. But is there a better way? Maybe SE80 or some workbench tools?

Basically how do ABAP developers know which authorization objects need to be checked in a custom program/report?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Tough question... which is also why developers mostly do not voluntarily build authority-checks into code... particularly if they don't have much confidence or knowledge about the implementation of the authorization concept.

We built our own tool which scans the code for data used in it and output back to the surface again. It then scans for corresponding auth checks and how the program stack deals with it.

It then suggests the semantically correct object to check or central FM to call and the coding location it is best suited to be fit into.

This helps a lot if you have a big mess or the developers need content to suggest solutions to them.

For individual programs, you can also get by if you understand the code and the authorization concept and the data.

Cheers,

Julius

12 REPLIES


0 Kudos

Thanks Julius. I hoped you would see this post and respond. If anyone has experience working with developers and security, it's you.

Since we don't have our own tool like yours, our answer so far has been doing those scans in USOBT & USOBT_C. It feels awkward doing that, and so much trust is placed in the ABAP developer to tell honestly what data and fields they are using... but better than no auth check, I suppose.

0 Kudos

A check which is incorrect (e.g. too strict) is however also not correct.

I like your idea of scanning USOBT_C. There you can often find a comparable transaction which does the same or similar as what your custom code wants. Perhaps you don't even need the custom code anymore.

If you take it a step further by searching for the use cases of the object via SU21, then you can also often find central function modules and methods which do all the checks for you and consider customizing, etc.

You are on the right track IMO  😉

Cheers,

Julius

Former Member
0 Kudos

It won't give you everything you need, but take a look at table TOBJ. This table will give you authorization field to authorization object. You can use your known technical field names to filter out the returned authorization objects. That should give you a head start at least.

Former Member
0 Kudos

Basically, I don't think ABAP developers are able to determine the AUTHORITY-CHECKs that need to be built in. This is where the Security manager comes in.

Based on the information:

- who will be working with the program (departments / function(s))

- what sensitive data is in the program

you can decide the authority checks that need to be implemented.

For example if the program will show you information about material info records, I would add the authorization checks that are included with the transaction MM03.

I know that the example is very simple and in real life it can be hard to decide, and the security manager probably does not have detailed authorization object knowledge, but together with the authorization/role maintainer they will hopefully be able to find a solution.

0 Kudos

Meta - you are right and we are experiencing this, especially in cases where the developer used fields from different functional areas in a report, such as Material Number, Sales Org, Plant, etc. When searching USOBT (or TOBJ, thanks, Joseph!), it's not easily possible to search with a logical OR because of the way data is stored in the field column.

But we do want the developers to try.  I don't like when they give up and say "I don't know anything about security", I think it should be in their job requirements to understand the concept of TCode vs auth object and understand basically which functional area they are coding.

But again, you're right.  Our security team gets involved often, and I think it's fine and unavoidable.  For example, if we see "Movement Type" as a selection field in a report, then we are going to advise the Developer to choose an M_MSEG auth and give some suggestions.  Working with developer, we can find auth objects that are relevant for the data in the report.

I opened this question because I was hoping there was a way to scan source code (not RSABAPSC) and suggest an auth object, or scan data fields and find or suggest an auth object.   I guess that does not exist as I hoped.

0 Kudos

Hello,

I am a "security aware developer" and would like to recommend two things here:

a) WHERE-USED list of objects in SU21 is your best friend (as pointed out by Julius)!!

b) spend (allow your developers to spend) more time on choosing the "tools" (like BAPIs). It is worth the effort IMO. Be strict, forbid BDC etc.

To elaborate on b):

I was always in a hurry when I started with programming (long before ABAP) and didn't spend much/enough time on checking what was already available. With ABAP it is crucial to get yourself familiar with all the standard coding that you can reuse even more (this lesson is so important for me that I even blogged about SAP standard and reusability several times, you may find it useful...).

There are many other cases when you appreciate SAP standard, not just security. You can get the performance wrong, DB access wrong (when this is allowed and you make a mistake... BOOM... you know what I mean).

One of the examples when you can almost force developers to use these APIs is when you use the Code Inspector and you're a tough security and quality manager. Code Inspector gives you the weapon to do scans quickly (although they're very limited) and the tool is not so strict as to provoke heavy resistance. Many of my customers are much stricter than what Code Inspector allows/highlights, and they operate well and their developers still deliver.

Extreme example: I recommend my customers not to allow kernel function calls in custom coding (unless there is no standard code that calls the function and can be reused, but in that case one should contact OSS and request a fix/ reusable block IMO and the developer must prove there is no other way at the moment).

Why I mention this is that in 98% of cases (my personal statistics) there is a way to get things done using SAP standard (without brutal hacks! just pure clever reuse).

If your numbers are different, maybe your developers need a push to learn more about the available tools. In case your numbers are different and it is not because of the team's deficiencies, I would love to read a blog about it; maybe you can help SAP build something better.

Anyway I am glad we get to read interesting discussions also for developers here and good luck!

Cheers Otto

0 Kudos

Thanks Otto.

Why do you want to avoid BDC?  Honestly, I like when coders include CALL TRANSACTION statements and use BDC, because in these cases our security work is clear - we simply look at the called transaction in SU24 to see its associated auth objects (the ones with proposal=Yes), trace the custom Tcode, then determine which of the auth objects from the called SAP transaction were checked when the custom TCode was run, then we associate those auths with the custom TCode in SU24.  That is so much easier than getting into discussions with coders about "which fields do you use in the program" and "let's search SU21 together and find a suitable auth check", etc.  But I typically see the CALL TRANSACTION statements used together with BDC.   What issues are there with using BDC calls in code?

Former Member
0 Kudos

This message was moderated.

gshrivastava
Explorer
0 Kudos

Is our aim to find all objects containing an authorization field, say BUKRS?

If this is the question then we can use SUIM for this.

Bernhard_SAP
Employee

Let's assume your developer selects from a particular table and you want to delimit that, based on one field of that table. One possible approach could be:

1. Start SE11, display the table from which you want to select (example: table FICOC_COND_AMT).

2. Identify the field you want to be checked (example: FICOC_COND_AMT-O_CONDTYPE).

3. Check the corresponding data element for that field in SE11 (example: for O_CONDTYPE it's FICO_OCONDTYPE).

4. With that data element, select from table AUTHX, entering the data element into selection field 'ROLLNAME'.

5. With a bit of luck you will find 1 or more authorization fields defined by this data element.

6. The rest is easy... display the field(s) in SU20; at the bottom of the auth-field display screen you have the authorization object(s) which contain that field.

b.rgds, Bernhard
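Bernhard's six steps, plus the USOBT_C scan the original poster and Julius discussed earlier in the thread, expressed as one ABAP report. This is an added example, not code from any poster in this thread or from SAP. Table AUTHX and its ROLLNAME column are named in the thread; table DD03L, column AUTHX-FIELDNAME, the FIEL1..FIEL10 columns of TOBJ and the NAME/TYPE/OBJECT columns of USOBT_C are my assumptions about the data dictionary and should be verified in SE11 before the output is relied on. The MSEG/BWART default input is constructed from the "Movement Type" example given above.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_FIND_AUTHOBJ_BY_FIELD
*& Added example, not code from this thread or from SAP. Walks the
*& SE11 -> AUTHX -> SU20 chain described above in code, then lists the
*& transactions whose SU24 defaults (USOBT_C) propose the objects found.
*& Assumptions to verify in SE11: table DD03L, column AUTHX-FIELDNAME,
*& columns TOBJ-FIEL1..FIEL10, columns USOBT_C-NAME/TYPE/OBJECT.
*&---------------------------------------------------------------------*
REPORT zsec_find_authobj_by_field.

" Constructed inputs: the "Movement Type" selection field from the thread.
PARAMETERS: p_tab   TYPE tabname   DEFAULT 'MSEG'  OBLIGATORY,
            p_field TYPE fieldname DEFAULT 'BWART' OBLIGATORY.

DATA: lv_rollname TYPE dd03l-rollname,                " data element of the field
      lt_authfld  TYPE STANDARD TABLE OF authx-fieldname,
      lv_authfld  TYPE authx-fieldname,
      lt_objct    TYPE STANDARD TABLE OF tobj-objct,
      lv_objct    TYPE tobj-objct,
      lt_tcode    TYPE STANDARD TABLE OF usobt_c-name,
      lv_tcode    TYPE usobt_c-name.

START-OF-SELECTION.

* Steps 1-3: table field -> data element (what SE11 shows on the field)
  SELECT SINGLE rollname FROM dd03l INTO lv_rollname
    WHERE tabname   = p_tab
      AND fieldname = p_field
      AND as4local  = 'A'.                            " active version only
  IF sy-subrc <> 0.
    WRITE: / 'Field', p_field, 'not found in active table', p_tab.
    RETURN.
  ENDIF.
  WRITE: / 'Data element:', lv_rollname.

* Steps 4-5: data element -> authorization field(s) defined by it (AUTHX)
  SELECT fieldname FROM authx INTO TABLE lt_authfld
    WHERE rollname = lv_rollname.
  IF lt_authfld IS INITIAL.
    WRITE: / 'No authorization field is defined by data element',
             lv_rollname, '- check SU21 manually for a related object.'.
    RETURN.
  ENDIF.

* Step 6: authorization field -> object(s) containing it (TOBJ, the list
* SU20 shows at the bottom of the field display). TOBJ keeps up to ten
* fields per object in separate columns, so the OR must cover all ten;
* this is the "logical OR" that SE16 cannot do in one selection.
  LOOP AT lt_authfld INTO lv_authfld.
    WRITE: / 'Authorization field:', lv_authfld.
    SELECT objct FROM tobj APPENDING TABLE lt_objct
      WHERE fiel1 = lv_authfld OR fiel2  = lv_authfld
         OR fiel3 = lv_authfld OR fiel4  = lv_authfld
         OR fiel5 = lv_authfld OR fiel6  = lv_authfld
         OR fiel7 = lv_authfld OR fiel8  = lv_authfld
         OR fiel9 = lv_authfld OR fiel10 = lv_authfld.
  ENDLOOP.
  SORT lt_objct.
  DELETE ADJACENT DUPLICATES FROM lt_objct.
  LOOP AT lt_objct INTO lv_objct.
    WRITE: / '  Authorization object:', lv_objct.
  ENDLOOP.

* Extra step from the thread: which standard transactions have these
* objects in their SU24 defaults (USOBT_C, TYPE 'TR')? One of them may be
* the comparable transaction whose checks the custom report should reuse.
  IF lt_objct IS NOT INITIAL.
    SELECT name FROM usobt_c INTO TABLE lt_tcode
      FOR ALL ENTRIES IN lt_objct
      WHERE type   = 'TR'
        AND object = lt_objct-table_line.
    SORT lt_tcode.
    DELETE ADJACENT DUPLICATES FROM lt_tcode.
    LOOP AT lt_tcode INTO lv_tcode.
      WRITE: / '    Proposed in SU24 for transaction:', lv_tcode.
    ENDLOOP.
  ENDIF.
```

Run it from SE38 with the table and field the developer actually selects from. The output is a starting list, not a verdict: an object that contains the field is a candidate for the AUTHORITY-CHECK, and the transactions listed at the end are where to look (SU24, then SU21 where-used) for the central function module or method that already performs the check with customizing taken into account, which is the reuse Julius and Otto recommend above.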


0 Kudos

This helps. Thank you very much.