06-24-2014 11:23 AM
Hi all,
I am an associate Basis consultant. Recently I came to know that authorizations can be bypassed through programs. Is there any way to restrict this authorization bypassing?
Regards,
Vineet
06-24-2014 11:28 AM
Do you mean executing the associated program of a transaction from SE38? Or the Z programs?
06-25-2014 7:51 AM
Hi Sunil,
I was talking about Z transaction codes, where a transaction can be executed without having authorization for the particular tcode.
Thanks
06-24-2014 11:36 AM
06-25-2014 7:49 AM
Hi Colleen,
Thanks for your attention. Actually my doubt is how we could make auth checks in Z transaction codes so that the auth can't be bypassed. I am unable to give any example, sorry.
06-25-2014 8:09 AM
Hi Vineet
There are different transactions, but I will limit my comment to the scope of creating a transaction to execute a program. In this case a custom transaction can be created either to execute an SAP standard program or to execute a custom program you built.
In either case your security is as follows:
There are a few other cases of 'bypassing', for example SE97 with Call Transaction, but that is a bit different to launching a custom transaction directly. There are also more scenarios depending on the type of transaction.
When it comes to additional checks in the code: if this is a custom program then tell the developer to add checks to the code. I find a lot of Z* programs are lacking checks because the developer never got told to put them there. If it's SAP standard it will depend on the situation, but if the restriction is inadequate you might need to raise an incident or have a developer enhance the code (as I'm not a developer I'm getting to my limit here, so I'm linking you to Otto's document below).
One thing for sure - you can't restrict security if the program doesn't cater for it.
Anything more, you might want to go back to the person whose comment you overheard and get an example. Based on that, one of us might be able to direct you to the place to look at how best to restrict it.
Regards
Colleen
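As an added illustration of the point above (example code, not from the original thread or from SAP), this is the shape of the check a developer would put into a custom report so that running it outside its transaction does not skip the authorization. The report name ZEXAMPLE_AUTH_CHECK, the transaction code ZEXAMPLE_TC and the custom authorization object Z_COMPANY (fields BUKRS and ACTVT) are all hypothetical names chosen for the example; S_TCODE, AUTHORITY-CHECK and the sy-subrc return codes are standard ABAP.

```abap
*&---------------------------------------------------------------------*
*& Report ZEXAMPLE_AUTH_CHECK  (hypothetical name, added example)
*&---------------------------------------------------------------------*
REPORT zexample_auth_check.

PARAMETERS: p_bukrs TYPE bukrs.

* 1. Guard against the program being started outside its transaction
*    (for example via SE38 or SA38). The kernel performs the S_TCODE
*    check only when a transaction is started, so a program launched
*    directly never gets that check unless it performs it itself.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'ZEXAMPLE_TC'.     " hypothetical transaction code
IF sy-subrc <> 0.
  MESSAGE 'No authorization for transaction ZEXAMPLE_TC' TYPE 'E'.
ENDIF.

* 2. Check the actual business restriction with a dedicated object.
*    Z_COMPANY is a hypothetical custom object (created in SU21) with
*    the fields BUKRS and ACTVT; activity '03' = display.
AUTHORITY-CHECK OBJECT 'Z_COMPANY'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
CASE sy-subrc.
  WHEN 0.
    " Authorized: fall through to the report logic.
  WHEN 4.
    " User has the object, but not for this company code / activity.
    MESSAGE |No authorization for company code { p_bukrs }| TYPE 'E'.
  WHEN 12.
    " Object is not contained in the user master at all.
    MESSAGE 'Authorization object Z_COMPANY not in user master' TYPE 'E'.
  WHEN OTHERS.
    " 8, 16, 24, ...: wrong field list, no profile, etc. Treat as denied.
    MESSAGE |Authorization check failed (sy-subrc { sy-subrc })| TYPE 'E'.
ENDCASE.

* Only reached when both checks passed.
WRITE: / 'Company code', p_bukrs, 'display allowed'.
```

Two things worth noting about this pattern: every non-zero sy-subrc is treated as a denial (a check that only tests for 4 silently passes on 12 or 24), and the check is in the program rather than relying on a test of sy-tcode, which a different calling transaction can set. It does not protect against a user who can debug with replace and overwrite sy-subrc at runtime; that is controlled by what is granted in the user master, which is the point of the later replies in this thread.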
06-25-2014 10:20 AM
06-24-2014 7:31 PM
Force users to use standard transactional logic, i.e. only run their authorised transactions. No direct access to programs, function modules and all that good stuff. Ensure no-one has the ability to debug and replace, or they can hobble most auth checks.
That should give you somewhere to start
Cheers
06-25-2014 7:47 AM
Hi Alex,
Thanks for your response. Actually I want to know if there is any way in Basis so that an ABAPer who has all development rights can't bypass the auth checks.
Cheers
06-25-2014 8:11 AM
Hi Vineet
I recommend you google "sap debug change access" to learn which authorisation should not be granted to a user in Production, as it allows bypassing of checks.
Development systems are different, as your developers need debug change. Generally, developers should have very limited access to Production.
Regards
Colleen