
Object Check status in switchable authorizations

Former Member
0 Kudos

Hello,

In reference to SAP Note 1922808 on the use case for SACF in switchable authorization framework, I have a question on 'Object Status' = N.

I built a test scenario to include an authority object with check status N - "Check always passes" (always successful).

Extending the demo example, AUTH_CHECK_SPEC method is leveraged to invoke a check using the test scenario. The result is success with (return code 0).

I followed it up with an immediate authorization check with the statement AUTHORITY-CHECK on that same object and the check fails (RC is non-zero). I ran this test on a system with basis component currently on NW74 SP07.

Is this the expected behavior? If so, I am trying to understand how this is useful to alter the program behavior in a business process scenario.

If you have tried the scenario, please provide inputs.

Thanks,
Pawan.

3 REPLIES

Former Member
0 Kudos

Very interesting experiment!

ABAP statements are in the end kernel functions and some of them protect their call stacks so that you can only call them from scenarios which are released and activated for your scenario.

You must use tcode SACF and then you must use the API.

You cannot hardcode it.

That the kernel now does not set sy-subrc = 0 for such tests is an interesting development though. At least you know that your code does not work if you only do a positive test..  🙂

Thank you for the experiment! I would probably have taken the bait myself sooner or later... 🙂

PS: did you activate the SE80 exit or do you have a submit launch cockpit? In the latter case, just convert the submits to call transaction and use FM AUTHORITY_CHECK_TCODE before you call the tcode or start the report. You achieve the same and have the option to create "friends" via tcode SE97.

Cheers,

Julius

0 Kudos

Ahh, I guess that's why somewhere there was a mention of vendors making use of the switchable framework to introduce newer auth checks for increased security. I used SACF to define the scenario and made it a productive version, and used it in the method call of class CL_SACF. And did not resort to any user exits. I'd like to try the tcdcouples feature you mentioned. Thanks for the reply.

Pawan.

0 Kudos

I assumed that you are trying to control a UI "nest" with submits.

Converting to tcodes is one option.

Making correct application auth checks in the programs in addition to the tcode checks is even better and you can maintain SU24 proposals.

S_PROGNAM is seldom checked and as you have seen, value * will wander into roles very quickly once folks start using it.

Let's see.. I will eat my hat if it really works in practice.

Cheers,

Julius