02-05-2014 8:32 AM
Hi,
Consider the case of the TCDCOUPLES table: when a transaction is called inside another transaction, are the authority checks (ABAP code) for the called transaction also checked, except the S_TCODE check?
E.g. checking table TCDCOUPLES for called transaction MM02 lists the transactions below that call MM02:
Calling Called
ADIP MM02
ADPT MM02
ADRE MM02
AUT10 MM02
BD10 MM02
C223 MM02
CA01 MM02
CA02 MM02
CANCDIS01 MM02
CC01 MM02
CC02 MM02
CC03 MM02
CC04 MM02
CC31 MM02
CC33 MM02
CCM2 MM02
CK40N MM02
Here, if MM02 is called via CA02, should the user have the authority check objects for MM02 (except S_TCODE) in his profile as well?
Note: I am aware that the S_TCODE check can be suppressed via SE97, but my query is about the other authority check objects in the program code of the called transaction!!
Best Regards,
Naveen
02-05-2014 9:01 AM
Hello Naveen,
Yes, it will also check for other authorization objects inside MM02 apart from S_TCODE when you try to change the material.
E.g. steps:
1. First checks for S_TCODE: CA02
2. Checks for S_TCODE: MM02
When you try to change the material it will check for M_MATE_STA.
Note: Even though you reached MM02 via another tcode, when you enter the MM02 tcode screen the authorization checks are normal.
The authorization checks are the same inside the tcode.
Regards
Kiran.S
02-05-2014 10:30 AM
Thanks for the quick response Kiran!!
This leads to the query below:
Scenario 1) Will this be valid for all the entries in table TCDCOUPLES?
E.g. if I filter by "called transaction MM02", I get a list of 262 SAP standard transactions.
So, if any of these 262 transactions calls MM02, are the authority check objects for MM02 also checked? E.g. M_MATE_STA is checked whenever material details are accessed.
If this is correct, then it would be a hectic task for the Security team to maintain even a single transaction in a role!!
Scenario 2) All coupled transactions (in TCDCOUPLES) do not necessarily call the authority checks for the called transactions; it might depend on the program, e.g. only if the dialog screen for MM02 is called would the checks for M_MATE_STA happen.
In this case, only via testing can we figure out which calling transaction would require access to MM authorization objects (e.g. M_MATE_STA)!!
Please let me know which scenario is correct!! Or am I missing anything?
Best Regards,
Naveen
02-05-2014 11:47 AM
Hello Naveen,
Scenario 2)
The authority checks are the same whether you access the tcode directly or via calling transaction codes.
So the calling tcodes concept is only a shortcut to reach the relevant transaction codes. It does not mean that it will bypass the authorization check.
Regards
Kiran.S
02-05-2014 2:58 PM
Hi All,
To add another point: MM01/02 is called by QA01, but actually, if you turn on the trace for QA01, no other objects would be checked for Material Management!!
It seems I need to check each and every case one by one, and there is some trick in the SAP coding when different transactions are called!!
Best Regards,
Naveen
02-05-2014 6:30 PM
You are mistaking CALL TRANSACTION 'MM01' for an AUTHORITY-CHECK on S_TCODE 'MM01'.
Those are two very different things.
The latter happens often to determine availability of buttons or navigation options.
In the trace you will also see a tag called "REASON". Keep an eye out for a value called "B".
Cheers,
Julius
02-06-2014 8:06 AM
Thanks Julius!!
To correct: I mean "CALL TRANSACTION MM01"
Best Regards,
Naveen
02-06-2014 9:39 AM
Such customer objects will generally be checked in customer exits.
Either that exit is not being reached or in the coding there is a condition (which is usual as it makes sense).
IF sy-tcode = 'xxx' OR sy-dynnr = 'yyy' OR bwart = '551' ....
AUTHORITY-CHECK 'Z....
ELSE. " no check
ENDIF.
You will either have to look into the code or post your code and tell us the location of the check.
Cheers,
Julius
02-06-2014 3:10 AM
Hi Naveen,
Understand it like this: transaction codes are nothing but packages of authorization objects.
To execute any tcode, a user requires all its related authorization objects (as per the SU24 settings).
Authorization checks will be performed based on multiple parameters, like:
1) SU24/SU25 setting
2) AUTHORITY-CHECK in programs
3) SE93 setting
4) profile parameter AUTH/NO_CHECK_IN_SOME_CASES
A large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
Please check the SU24 settings for any calling transaction (e.g. CA02) and here you will see it checks the M_MATE_STA object, which is also part of the called transaction. However, the M_MATE_STA object will not be included in the profile generator (role) to reduce maintenance workload.
Regards,
Satyajit
02-06-2014 7:52 AM
Hi!!
Good points mentioned by Julius and Satyajit...Thanks!!
Basically my area of analysis was mostly concerned with table TCDCOUPLES and the authorization checks for called transactions.
Reason: The development team in my project has made changes in SAP standard code by adding two new custom objects, ZOBJ1 and ZOBJ2; this affects transactions MM01, MM02 and MM03.
E.g. whenever a user executes MM03, enters a material and displays it, the objects below are checked:
M_MATE_STA followed by -> ZOBJ1 -> ZOBJ2
Requirement: I need to figure out which roles would be affected by this code change!!
Here I agree with Step 1 mentioned below, but is the 2nd step required?
Step 1) Maintain SU24 for MM01/MM02/MM03 for ZOBJ1 and ZOBJ2,
followed by regenerating all roles with MM01/MM02/MM03 in expert mode.
Step 2) Check all calling transactions (for MM01/MM02/MM03) from table TCDCOUPLES and maintain ZOBJ1 and ZOBJ2 in those roles manually?
Reiterating my query: Does the whole ABAP code get checked for the called transaction (mentioned in table TCDCOUPLES)? Or, depending on the program code/call, may it differ from case to case?
Is testing the only way to figure out my requirements?
Please correct me if I am missing anything!!
Best Regards,
Naveen
02-12-2014 8:11 PM
Hi Naveen,
I observed two points here:
1) If CA02 is going into MM02's screen then it will check everything (all auth objects) for MM02.
2) If CA02 is internally calling MM02 via a program and getting information without going into MM02's screen, it will not check the authorization objects for MM02.
I think a trace will give some idea. I did it for SU01 and observed this.
Regards,
Satyajit
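The role triage asked about in this thread can be prepared from exported data before any tracing; the following is an added example, not code from any poster here. It sorts roles into those that hold MM01/MM02/MM03 directly (Step 1) and those that only hold a TCDCOUPLES calling transaction and so need a trace test (Step 2). The CSV column names, role names and status labels are constructed assumptions, and only `*` patterns in S_TCODE values are matched (ranges are not).

```python
import csv, io
from fnmatch import fnmatchcase

# Constructed sample data. Column names are assumptions for this sketch,
# not an SAP export layout.
COUPLES = "calling,called\nCA02,MM02\nCK40N,MM02\nQA01,MM01\nVA01,VA02\n"
ROLE_TCODES = ("role,tcode\nZ_MM_MAINT,MM0*\nZ_ROUTING,CA02\nZ_QM_PLAN,QA01\n"
               "Z_SALES,VA01\nZ_MM_DISPLAY,MM03\n")
ROLE_OBJECTS = ("role,object\nZ_MM_MAINT,M_MATE_STA\nZ_ROUTING,M_MATE_STA\n"
                "Z_MM_DISPLAY,M_MATE_STA\nZ_MM_DISPLAY,ZOBJ1\nZ_MM_DISPLAY,ZOBJ2\n")

CHANGED = {"MM01", "MM02", "MM03"}   # transactions touched by the code change
NEW_OBJECTS = {"ZOBJ1", "ZOBJ2"}     # custom objects added to their code

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def classify_roles(couples, role_tcodes, role_objects):
    """Return {role: status} for every role listed in role_tcodes."""
    # Calling transactions that TCDCOUPLES pairs with a changed transaction.
    callers = {r["calling"] for r in rows(couples) if r["called"] in CHANGED}
    objects, direct, via = {}, {}, {}
    for r in rows(role_objects):
        objects.setdefault(r["role"], set()).add(r["object"])
    for r in rows(role_tcodes):
        # S_TCODE values may be patterns such as MM0*; ranges are not handled.
        role, pat = r["role"], r["tcode"]
        direct.setdefault(role, set()).update(
            t for t in CHANGED if fnmatchcase(t, pat))
        via.setdefault(role, set()).update(
            c for c in callers if fnmatchcase(c, pat))
    status = {}
    for role in direct:
        missing = NEW_OBJECTS - objects.get(role, set())
        if not direct[role] and not via[role]:
            status[role] = "unaffected"
        elif not missing:
            status[role] = "ok"               # already carries ZOBJ1 and ZOBJ2
        elif direct[role]:
            status[role] = "su24-regenerate"  # Step 1 in the thread
        else:
            status[role] = "trace-test"       # Step 2: depends on the call path
    return status

if __name__ == "__main__":
    result = classify_roles(COUPLES, ROLE_TCODES, ROLE_OBJECTS)
    for role, state in sorted(result.items()):
        print(f"{role:14} {state}")
```

Roles reported as `trace-test` are candidates only: as the replies above note, whether ZOBJ1 and ZOBJ2 are actually checked depends on whether the calling transaction reaches the called transaction's screen.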