
Need to know regarding Authorization object S_PROGNAM

Former Member
0 Kudos


Hi Experts,

During the upgrade we found that the switchable authorization object S_PROGNAM is getting checked in BW while trying to activate a data source through SE38. However, we have not found any transaction in SU22 which is tied to this authorization object.

My question is: for which transaction does authorization object S_PROGNAM need to be checked and maintained?

Also, will this authorization object S_PROGNAM also be needed in ECC, and does it need to be checked and maintained for any transaction?

Thanks

Somnath

1 ACCEPTED SOLUTION

Former Member

Dear all,

There were some complaints about this thread as Somnath has not done enough own research and expects others to do it. OK, normally this will be moderated, but this special case is very new and does have a discussion value for others about how SAP in future introduces optional authority-checks or activates recommended checks without intruding on the existing authorization concept directly.

There is a big difference between S_PROGRAM and S_PROGNAM.

The real big difference is not the distinction between program groups (if maintained, which is a very blunt concept) but rather program names (which is always known).

To activate this concept you need to actively enable it for the application, but that only works for applications which support it.

This is controlled via the SACF (SAP Authorization Control Framework) (for optional activation of checks).

Basically, if an authorization control is "retro fitted", then it is only checked in the coding if the customer actively enables it and the scenario supports it.

This is primarily used by the SAP Security Notes mechanism if these security notes don't eliminate functionality but rather introduce missing authority-checks to control the use of the functionality.

You can control this in transaction SACF as of 7.40 (backporting to earlier releases is difficult to implement IMO, so rather upgrade if you want to use it).

Upgrade to EhP7 works quite smoothly at the moment with the latest kernels to accompany it.

Cheers,

Julius

6 REPLIES 6

ACE-SAP
Active Contributor
0 Kudos

Hi

That object is part of a reinforced control on submitted programs.

The S_PROGRAM authorization check was only taking place if the program is assigned to an authorization group.

1946079 - Initial Authorization Check in Function SUBMIT_REPORT

The programmatic submit of reports is secured by the authorization group the report is assigned to. In case the authorization group is empty, the report may be executed without an initial authorization check.

With this note we provide the following functional improvements:

  1. New authorization and API provided by class CL_SABE, method AUTH_CHECK_PROGNAM. In detail the API wraps the following functionality:
    1. Authorization object S_PROGNAM to be used as a switchable authorization.
    2. Authorization scenario BC_GENERIC_REPORT_START.
  2. The change in function SUBMIT_REPORT to invoke CL_SABE and as such provide an initial authorization check in case the check is turned on.

Regards
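
Added example, not part of the original post and not SAP's code: a small Python model of the behaviour the quoted note describes, where an empty authorization group means no S_PROGRAM check on submit and the switchable S_PROGNAM check closes that gap by program name. The inventory, the user's authorization values and the rule that both checks must pass once the scenario is active are assumptions made for illustration.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample: program name and the authorization group from its attributes.
SAMPLE_INVENTORY = """program,auth_group
ZFI_POSTING_LOAD,ZFIN
ZHR_PAYROLL_DUMP,
ZBW_DS_ACTIVATE,
"""


def load_inventory(text):
    """Parse the CSV into {program: auth_group}; a blank group becomes ''."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["program"].strip(): (r["auth_group"] or "").strip() for r in rows}


def unchecked_programs(inventory):
    """Programs with no authorization group, i.e. no S_PROGRAM check on submit."""
    return sorted(p for p, group in inventory.items() if not group)


def _granted(values, wanted):
    """True if any authorization value (may contain '*') matches `wanted`."""
    return any(fnmatchcase(wanted, v) for v in values)


def initial_check(program, auth_group, user, prognam_active):
    """Model the initial check; returns (allowed, reason).

    user: {"S_PROGRAM": [groups], "S_PROGNAM": [program name patterns]}
    Assumption: with the scenario active, both checks must pass.
    """
    if prognam_active and not _granted(user["S_PROGNAM"], program):
        return False, "S_PROGNAM: program name not authorized"
    if auth_group and not _granted(user["S_PROGRAM"], auth_group):
        return False, "S_PROGRAM: authorization group not authorized"
    if not auth_group and not prognam_active:
        return True, "no initial check (empty authorization group)"
    return True, "authorized"


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    user = {"S_PROGRAM": ["ZFIN"], "S_PROGNAM": ["ZFI_*"]}  # constructed user
    print("No authorization group:", unchecked_programs(inventory))
    for active in (False, True):
        for prog, group in inventory.items():
            print(active, prog, initial_check(prog, group, user, active))
```
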

Former Member
0 Kudos

Hi Expert,

Could you please let me know how to check if the report is secured by the authorization group or if it has an empty authorization?

ACE-SAP
Active Contributor
0 Kudos

You can check it in SE38 [attribute]... and find that most of the programs do not have an auth. group defined!

Check that great thread on that subject => How safe is S_PROGRAM?

OttoGold
Active Contributor
0 Kudos

Hello Yves,

Is there an OSS note available on how I can use this new functionality in custom code? Like how I can create my own scenario, how to transport it, how to code the CL_SABE based check in my custom code?

If there was such a note I would be very interested in reading it since this is a very powerful tool which customers (often "shared services centers" and "internal consultancies" offering services to the real customers) and partners would probably love to use just like me.

Hope I haven't overlooked it, I have done my research before asking. All the mentions of "customer system" in the main FAQ note are about importing SAP delivered scenarios into a customer system and not about using the mechanism outside of SAP. Do you know if that is even possible?

thanks Otto

ACE-SAP
Active Contributor
0 Kudos

Hello Otto

Sorry, I do not have more information on this subject. I just dug in OSS to answer Somnath's question as I was curious about that new object.

By the way thanks for your great On the way to granularity post

Best regards
