SAP documentation for Rel 4.7 says:
<i>"The authorization for starting a transaction initially checks if the caller is actually authorized to start the transaction. So that the caller can start a transaction, the authorization object S_TCODE must be entered in the user master....If you use CALL TRANSACTION, the calling transaction itself <b><u>normally</u></b> checks if the authorization to start the transaction exists. In this case, an authorization check for the transaction called does not make sense". </i>
I found this to be incorrect. The documentation is also not very clear if S_TCODE is checked on all transactions at the CALL TRANSACTION statement level or not. What does it mean by "normally"?? Then it goes on to say:
<b><u>"If the check is not performed by the transaction itself</u></b>, you must program the check. To do this, insert the following lines before the CALL TRANSACTION statement:
DATA: tcod LIKE sy-tcode.
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
TCODE = tcod
OK = 0
NOT_OK = 2
OTHERS = 3
IF SY-SUBRC <> 0.
MESSAGE E172(00) WITH tcod.
What is this supposed to mean? Are we to guess and/or test every transaction whether to check the S_TCODE authorisation explicitly in our custom programs?!
I've a scenario where I've developed a report with a pushbutton which calls transaction F110. I didn't code any S_TCODE authorisation check before calling F110 thinking that the system will do this first hand. To my surprise I found a user who is not authorised to F110, can push this button from my report to go to F110, enter parameter and even create payment proposals!!!
Am I missing something?
Any suggestion/comments is highly appreciated.