
How to open the programs, tcodes and their authorizations.

Former Member
0 Kudos

Hi folks,

I have to find out programs like ZAFGU021, their tcodes and the authorization attached with these programs. Please help me, it's urgent.

Thanks in advance

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Also check table TSTCP, as there may be parameter transactions using the program or the transaction(s).

Regarding "authorization attached with these programs" you might be referring to transaction SU24 (status and default indicators)? For parameter transactions it is advisable to maintain these as well, otherwise the defaults of the parameterized transaction / program will be used.

Former Member
0 Kudos

Hi,

Another way of finding if there is a transaction assigned to a program, you can use table TSTC and filter on the program name.

If you want to see what auth checks are in a custom program then you either need to:

1. run through the code and look for AUTHORITY-CHECK (and hope that developers haven't been idiots and hard coded checks on SY-UNAME or Parameter IDs)

I've not used it in the most recent versions, but you might be able to use program RSABAPSC to scan through each program to look for the keyword AUTHORITY-CHECK.

2. run all the way through the transaction with an auth trace switched on (ST01) and see if there are any auth checks.

Former Member
0 Kudos

Hi Alex,

Though principally hard-coding is ugly, I agree with you, I do think the noun is a bit harsh as there are cases where it does make sense (at least to me) to exclude access irrespective of the authority. For example to exclude certain user or user types from running a program as there is absolutely no foreseen case for it to occur under those conditions.

I have found that searching or scanning for AUTHORITY-CHECK statements alone will not show all possibilities to secure or use logical security in a program. Validations, exception handling and authority-checks which are invoked by statements other than AUTHORITY-CHECK can sometimes even only be analyzed at runtime (that is where tracing and debugging are helpful).

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

I still stand by my use of the term for the majority of those hardcoders.

Unfortunately I have experienced the sorts of chaos that it can cause due to people not thinking about the consequences of hard coding something.

By its very nature, using hardcoded checks to provide restriction is an inflexible approach in an area (user and role management) that regularly changes and benefits from a uniform approach to providing restriction (hence the reference to PIDs too). We already have a reasonably flexible restriction mechanism so let's use it!

Comparing SAP code to custom code, there is very little in the way of hard coded restriction coming out of Walldorf. With custom code it's not exactly uncommon to see the likes of IF SY-UNAME = Developer, skip the auth check... in the production environment.

From a practical perspective, the ability to dip into ABAP is not a particularly common skill within the security function. While there is a very strong argument to say that a basic understanding is an invaluable skill to have, I still would not recommend working outside the standard security mechanism unless absolutely necessary. The fewer "gotcha's" and exceptions the better.

In terms of the code scanner, I agree it's not perfect and has limitations. In the past I have found it very useful for quickly identifying the existence of an AUTHORITY-CHECK statement in a particular program - better than Alt-F on "AUTHORITY".

Taking a pragmatic view, custom code tends to use fewer includes & jumps to other programs than SAP standard code, probably due to the reduced complexity in many cases.

Trace is still my preference all day long as long as there aren't any pesky hard coded checks going on........

Cheers

Alex

Former Member
0 Kudos

Good points, particularly this one:

> I still would not recommend working outside the standard security mechanism unless absolutely necessary. The fewer "gotcha's" and exceptions the better.

I was an auditor for some time as well and used to scan for IF SY-UNAME. Yes, the majority of it was short-cuts, forgetfulness, missing QA checks and even lack of confidence in the implementation of an authorization concept - symptoms of bigger issues than the practice itself...

Another one is BREAK-<bname>.

Try also BUKRS = '

or CALL '

Julius
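The static scan Alex and Julius describe (AUTHORITY-CHECK on the one hand, IF SY-UNAME, parameter IDs, BREAK-<user>, BUKRS = ' and CALL ' on the other) as an added Python triage script; it is not RSABAPSC or the Code Inspector, and the ABAP source it scans is a constructed sample that reuses the program name ZAFGU021 from the question. As Julius notes, a line scan only finds what is spelled out in the source, so a clean result still needs an ST01 trace.

```python
import re
from collections import Counter

# Constructed sample of a custom report, built to exercise every pattern below.
SAMPLE_SOURCE = """\
REPORT zafgu021.
PARAMETERS p_bukrs TYPE bukrs.
* proper check through the authorization concept
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zz) WITH p_bukrs.
ENDIF.
* hard-coded shortcuts the thread warns about
IF sy-uname = 'DEVELOPER'.
  " skip the auth check for the developer
ENDIF.
BREAK developer.
IF p_bukrs = '1000'.
  " company code hard-coded
ENDIF.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
GET PARAMETER ID 'BUK' FIELD lv_bukrs.
"""

# One regex per search string mentioned in the thread (case-insensitive, as ABAP is).
PATTERNS = {
    "AUTHORITY-CHECK": re.compile(r"^\s*AUTHORITY-CHECK\b", re.I),        # the check you want to see
    "HARDCODED SY-UNAME": re.compile(r"\bSY-UNAME\s*(=|<>|EQ|NE)\s*'", re.I),  # Alex: IF SY-UNAME = Developer
    "BREAK <user>": re.compile(r"^\s*BREAK[\s-]+(?!POINT\b)\w+", re.I),   # Julius: BREAK-<bname>, not BREAK-POINT
    "HARDCODED BUKRS": re.compile(r"BUKRS\s*=\s*'", re.I),                 # Julius: BUKRS = '
    "KERNEL CALL": re.compile(r"^\s*CALL\s+'", re.I),                      # Julius: CALL '
    "PARAMETER ID": re.compile(r"\bGET\s+PARAMETER\s+ID\b", re.I),         # Alex: restriction via PIDs
}

def scan_abap(source):
    """Return (line_no, category, line) for each non-comment line that hits a pattern."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in '*"':   # full-line comments carry no check
            continue
        for category, rx in PATTERNS.items():
            if rx.search(stripped):
                findings.append((no, category, stripped))
    return findings

def triage(source):
    """Summarise: how many real checks vs. how many hard-coded shortcuts were found."""
    findings = scan_abap(source)
    counts = Counter(cat for _, cat, _ in findings)
    hardcoded = sum(n for cat, n in counts.items() if cat != "AUTHORITY-CHECK")
    return {"auth_checks": counts["AUTHORITY-CHECK"], "hardcoded": hardcoded, "findings": findings}
```

Run triage() over the source retrieved for a program and review each flagged line: a program with hard-coded findings and no AUTHORITY-CHECK is the case the thread describes, and one with neither still has to be traced at runtime.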

Former Member
0 Kudos

Exactly! all good fun to find and fix though.

Former Member
0 Kudos

Also useful for checking programs (amongst other objects) for security aspects (amongst other aspects) is the SAP Code Inspector (transaction SCI).

I heard that the TMS can be set up such that it forces a code inspection of objects prior to releasing the transport request - but I am still investigating the details of that one.

Former Member
0 Kudos

In SE38,

1. Put your program name

2. Click Display

3. Utilities > Where-used > Select transaction codes

regards

tamilboy