Former Member
Oct 07, 2005 at 06:33 AM

SAP does not check S_TCODE for F110 when called via CALL TRANSACTION


Hi All,

SAP documentation for Rel 4.7 says:

<i>"The authorization for starting a transaction initially checks if the caller is actually authorized to start the transaction. So that the caller can start a transaction, the authorization object S_TCODE must be entered in the user master....If you use CALL TRANSACTION, the calling transaction itself <b><u>normally</u></b> checks if the authorization to start the transaction exists. In this case, an authorization check for the transaction called does not make sense". </i>

I found this to be incorrect. The documentation is also not very clear if S_TCODE is checked on all transactions at the CALL TRANSACTION statement level or not. What does it mean by "normally"?? Then it goes on to say:

<i>

<b><u>"If the check is not performed by the transaction itself</u></b>, you must program the check. To do this, insert the following lines before the CALL TRANSACTION statement:

Example

DATA: tcod LIKE sy-tcode.

CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    TCODE  = tcod
  EXCEPTIONS
    OK     = 0
    NOT_OK = 2
    OTHERS = 3.

IF SY-SUBRC <> 0.
  MESSAGE E172(00) WITH tcod.
ENDIF."

</i>

What is this supposed to mean? Are we to guess and/or test every transaction whether to check the S_TCODE authorisation explicitly in our custom programs?!

I have a scenario where I've developed a report with a pushbutton which calls transaction F110. I didn't code any S_TCODE authorisation check before calling F110, thinking that the system would do this first hand. To my surprise, I found that a user who is not authorised for F110 can push this button from my report to go to F110, enter parameters and even create payment proposals!!!

Am I missing something?

Any suggestions/comments are highly appreciated.

Cheers,

Syd.
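
An added example, not part of the original post and not SAP code: a small Python audit script that scans custom ABAP source for CALL TRANSACTION statements with no earlier start-authorization check for the same transaction code in the same processing block, which is the gap described above. The report name, FORM names and sample source are constructed, and the match is a text heuristic that only looks for the presence of a check, not for how its result is handled.

```python
import re

# Constructed ABAP sample: the unguarded pushbutton call from the post,
# then the same call preceded by the documented check.
SAMPLE_ABAP = """\
REPORT zpay_report.
* pushbutton handler without a start-authorization check
FORM on_button.
  CALL TRANSACTION 'F110'.
ENDFORM.
FORM on_button_checked.
  DATA tcod LIKE sy-tcode VALUE 'F110'.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING tcode = tcod
    EXCEPTIONS ok = 0 not_ok = 2 OTHERS = 3.
  IF sy-subrc <> 0.
    MESSAGE e172(00) WITH tcod.
  ENDIF.
  CALL TRANSACTION tcod.
ENDFORM.
"""

CALL_RE = re.compile(r"^\s*CALL\s+TRANSACTION\s+'?(\w+)'?", re.I)
UNIT_RE = re.compile(r"^\s*(FORM|METHOD|MODULE|FUNCTION)\b", re.I)
CHECK_RE = re.compile(r"AUTHORITY_CHECK_TCODE|AUTHORITY-CHECK\s+OBJECT\s+'S_TCODE'")


def unguarded_calls(source):
    """Return (line_no, tcode) for each CALL TRANSACTION that has no earlier
    S_TCODE check naming that tcode (or variable) in the same processing block."""
    findings, block = [], []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("*", '"')):
            continue  # comment line: not code, but still counted for line numbers
        if UNIT_RE.match(line):
            block = []  # new FORM/METHOD/MODULE/FUNCTION: earlier checks do not apply
        m = CALL_RE.match(line)
        if m:
            tcode = m.group(1).upper()
            text = " ".join(block).upper()
            named = re.search(r"\b%s\b" % re.escape(tcode), text)
            if not (CHECK_RE.search(text) and named):
                findings.append((no, tcode))
        block.append(line)
    return findings


if __name__ == "__main__":
    print(unguarded_calls(SAMPLE_ABAP))
```

Each finding is a candidate for adding the documented check before the call; a hit still needs manual review, because the called transaction may perform its own check.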