
Tcode ranges not working as expected

Former Member
0 Kudos

Hoping one of you can help me with the following question:

I created a role with a tcode range (although that's probably not a good practice) that has a from value S_ to SBC@. It seems to me that SA38 would be in the range (based on the ASCII table and a sorting of these values in Excel). However, users with that role cannot execute SA38.

Is there any detailed information out there as to how SAP works with ranges?

Thanks in advance!

Jose

5 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

S_ is after SBC@ so that interval is not valid. The character _ is after letter B. Sorting in Excel is different than sorting in ABAP AS. The following simple program can be used to test intervals.

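REPORT  zmv_test.

* ANEK is declared only to type the select-option with a TCODE field.
TABLES: anek.

SELECT-OPTIONS: s_tcode FOR anek-tcode.

START-OF-SELECTION.
* IN evaluates the entered interval with the application server's own ordering.
  IF 'SA38' IN s_tcode.
    WRITE: / 'OK'.
  ELSE.
    WRITE: / 'Fail'.
  ENDIF.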


Also don't forget that SA38 has an additional authorization object S_PROGRAM attached to it.


Cheers
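
Added example, not part of the original thread: a small Python check that applies the code-point comparison described in the reply above to the interval from the question and flags intervals whose lower bound sorts after the upper bound. It assumes values are compared character by character in code-point order; the second interval and the probe list are constructed sample data.

```python
# Added example: code-point interval check for S_TCODE-style ranges.
# Assumption: values compare character by character in code-point order,
# as the reply above describes ('_' = 0x5F sorts after 'B' = 0x42).

def in_range(value: str, low: str, high: str) -> bool:
    """True if low <= value <= high under code-point ordering."""
    return low <= value <= high

def is_inverted(low: str, high: str) -> bool:
    """An interval whose low bound sorts after its high bound matches nothing."""
    return low > high

def first_difference(a: str, b: str):
    """Return (index, char_a, char_b) at the first differing position, or None."""
    for i, (ca, cb) in enumerate(zip(a, b)):
        if ca != cb:
            return i, ca, cb
    return None

def audit(ranges, probes):
    """Report each interval: inverted or not, and which probe tcodes it covers."""
    report = []
    for low, high in ranges:
        covered = [t for t in probes if in_range(t, low, high)]
        report.append({"low": low, "high": high,
                       "inverted": is_inverted(low, high),
                       "covered": covered})
    return report

# Constructed sample data: the interval from the question, plus a hypothetical
# interval with a lower bound that sorts before the upper bound.
RANGES = [("S_", "SBC@"), ("SA", "SBC@")]
PROBES = ["SA38", "SBCA", "SE16", "S_ALR_87012345"]  # constructed probe list

if __name__ == "__main__":
    for row in audit(RANGES, PROBES):
        print(row)
    # Shows where the two bounds of the question's interval first differ.
    print(first_difference("S_", "SBC@"))
```
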

Former Member
0 Kudos

Exactly.

Additionally the TSTCA check at the start of SA38 requests at least some authority for S_PROGRAM. But S_PROGRAM is suppressed for programs without groups and SUBMIT is not needed to start programs -> VARIANT is enough.

If you can start a transaction but the TSTCA check fails, then you are also informed that you are not authorized for the transaction as it makes no sense to continue (depending on how sensibly the TSTCA is maintained..).

There is unfortunately no syntax check or input validation on it. So it sometimes contains nonsense.

Cheers,

Julius

Former Member
0 Kudos

Hi Martin and Espin,

A much simpler way would be to go to the table TSTC, use the select options, go to the Select Ranges tab, paste the range that you want to check and see the results (it goes without saying that the max. number of hits needs to be removed).

The program that Martin mentioned definitely works, but this is just in case not everyone has a developer key at hand.

Regards,

Pranaam

Former Member
0 Kudos

I'm wondering why you are using tcode ranges instead of assigning the transaction codes? I can't imagine people would need the complete range of transactions. Assigning the tcodes themselves instead of adding them to the manual object S_TCODE will probably result in a more maintainable authorization concept.

Kind regards,

Meta

0 Kudos

Hi Meta,

I can see it quite often out there in the wild. If not in the normal roles, then at least in the developer or sys.admin roles meant for the DEV and TEST system. In such a case there is a menu which pulls the SU24 proposals and stuff, so the role is built with a little bit of thought and purpose.

The Tcode ranges are there in addition (as manual objects S_TCODE) to provide "non-application" access ("entry point" access I mean...something like the ancient AIS roles if you're familiar with that) to things that the user is authorized to use with his/her "application access".

Because Jose got caught by SA38, I would say this is exactly his requirement.

Cheers Otto