FLD with ' '

Former Member
0 Kudos

Hi,

When we have an object that has an ACTVT as ' ', what does that mean? I tried to leave it blank but then the color is yellow, which is not very pleasant. If I need it green I need some value, so what does that ' ' mean?

12 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

In general a field with ' ' is there because the corresponding authority-check will be triggered with a space for empty screenfields.

If it is an activity field I'd consider it strange and suggest you disable the object and, if that has no impact on functionality, delete it from the role.

Was this value something you've inherited or was it suggested by PFCG as default value? If it was a default, with which transaction did it tag along?

0 Kudos

Juergen,

I have an object S_WFAR_OBJ

It has 4 fields, all of which, including ACTVT, are ' '.

0 Kudos

And this is in an existing role? Or did it pop up in a new one? If so, which transaction(s) is/are in the role?

0 Kudos

"And this is in an existing role? Or did it pop up in a new one? If so, which transaction(s) is/are in the role?"

No, I am creating one. It's for a system user. There are NO tcodes, purely object access.

0 Kudos

As I said, I've seen them before, to avoid empty selection fields triggering authorization messages.

If this auth is missing SU53 will report a failed check on "<DUMMY>"

Edited by: Jurjen Heeck on Feb 11, 2008 10:03 PM

Come to think of it (what a good night's sleep can do for a man....) there are more objects which have ' ' as a possible field value.

They even turn up as boolean where 'X' = yes and ' ' = no.

Edited by: Jurjen Heeck on Feb 12, 2008 8:27 AM

Former Member
0 Kudos

That sounds strange to me...

In which transaction does SAP perform an authority-check on an object where ACTVT is checked for DUMMY?

It is not uncommon to find the reverse situation (ACTVT checks with DUMMY values for other fields, which prior had been checked when selecting the document, together with a "display" ACTVT check).

Cheers,

Julius

0 Kudos

> That sounds strange to me...
>
> In which transaction does SAP perform an authority-check on an object where ACTVT is checked for DUMMY?

Yeah, that is strange.

I now think that George stumbled upon an object where one of the possible field values is ' ' . For that see my earlier comment about the boolean fields/values. For other types of fields I've seen ' ' as auth field value to suppress messages about <DUMMY>.

0 Kudos

It doesn't really add much to the debate, but from memory the only time I have seen a dummy value in an activity field was thanks to some dodgy code in APO. Anyone who has done security in early versions of APO will know that spurious field values are the least of their concerns..............

0 Kudos

Yes, I have also seen it used sometimes to get lists to select items from, without having to use or hand out authorizations which you don't intend to use or want to hand out.

But I cannot recall seeing this with ACTVT.

0 Kudos

Folks !!

It's NOT that I hit on an ACTVT " ", but one of our vendors has it in the design document for the object S_WFAR_OBJ.

This object has 4 fields: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE. The value for all of these fields is required as " ", hence the doubt.

0 Kudos

That would make sense to me.

Does the documentation not state that the vendor product (or a configurable or even open source version of it) has the capability of performing the available activities (see table TACTZ) to objects / documents / archives of your choice, and it is up to you to restrict the access on the backend as well (or "the archive engine") to be able to do only that which you intend to use it for?

From a security perspective, in my opinion, this backend security is preferable (even if it appears more difficult at first) as it can be even trickier to control frontend behaviour.

Cheers,

Julius

Former Member
0 Kudos

Just to add to the conversation about using ' ' for an Activity field,

I have encountered problems with custom programs where AUTHORITY CHECK statements were written and <DUMMY> given for the activity.

While role testing a new Z authorization object, if a user did not have the new role, SU53 data showed SHD0 as the missing authorization. Not wanting that to be the behaviour of SU53 if users did not have the new authorization object when trying to report it to SAP Security Administration, I worked with the ABAPer and found that once they removed <DUMMY> for activity in their authority check statement, entered a valid activity such as 02, and retested, SU53 would correctly report on the Z authorization object (when testing users who did not have the new role).
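
An added example, not code from any poster in this thread: the two AUTHORITY-CHECK forms discussed above side by side, together with the empty selection field case mentioned earlier in the thread. The object `ZDEMO_DOC`, its field `ZDOCTYPE` and the report name are hypothetical placeholders.

```abap
REPORT zdemo_authcheck_actvt.

" Constructed example. ZDEMO_DOC is a hypothetical custom authorization
" object with the fields ACTVT and ZDOCTYPE (also hypothetical).
PARAMETERS p_doctyp TYPE c LENGTH 10.   " may be left empty by the user

DATA gv_rc TYPE sy-subrc.

START-OF-SELECTION.

  " Form 1: ACTVT is passed as DUMMY, so the activity is not evaluated.
  " Only ZDOCTYPE is compared with the user's authorizations, which means
  " any activity granted in the role satisfies this check.
  AUTHORITY-CHECK OBJECT 'ZDEMO_DOC'
    ID 'ACTVT'    DUMMY
    ID 'ZDOCTYPE' FIELD p_doctyp.
  gv_rc = sy-subrc.
  WRITE: / 'ACTVT DUMMY     -> sy-subrc =', gv_rc.

  " Form 2: ACTVT is checked explicitly for activity 02 (change).
  " Both fields must now match within one authorization of the object.
  "
  " If p_doctyp was left empty, the value handed to the check is a space.
  " As described earlier in the thread, that is why roles sometimes carry
  " ' ' as a field value: the check on the empty field then succeeds
  " (a full authorization '*' covers it as well).
  AUTHORITY-CHECK OBJECT 'ZDEMO_DOC'
    ID 'ACTVT'    FIELD '02'
    ID 'ZDOCTYPE' FIELD p_doctyp.
  gv_rc = sy-subrc.
  WRITE: / 'ACTVT FIELD 02  -> sy-subrc =', gv_rc.

  " Always evaluate the return code; 0 is the only value that grants access.
  IF gv_rc <> 0.
    MESSAGE 'No authorization to change this document type'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  WRITE: / 'Authorized: change logic would run here.'.
```

Running it with a test user who lacks the object and then opening SU53 lets you compare what is reported for each form of the check.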