Skip to Content
avatar image
Former Member

NW74 authority check on call transaction

Hello,

On NW74, ABAP help mentions that usage of CALL TRANSACTION statement without the new additions WITH AUTHORITY-CHECK or WITHOUT AUTHORITY-CHECK is obsolete; And among other things, these additions override the content of TCDCOUPLES.

Does that mean maintenance of calling-called tcode pairs in SE97/TCDCOUPLES beyond NW731 is not longer necessary?

I actually ran a test for SM21 that calls SM21_OLD, when the SM21-->SM21_OLD check in SE97 is disabled, the auth.check for SM21_OLD still takes place and shows in trace too!

And is it correct to infer that MM-- tcodes calling MM01 mean MM01 will need to be added to the relevant security roles?

I've searched forum for relevant posts/blogs, could not find any close hits on this find. Please share your thoughts, and if you found a way to still enforce such checks.

Thanks,

Pawan.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Dec 30, 2014 at 09:24 PM

    :-)

    CALL TRANSACTION has always checked S_TCODE, it is just that the sy-subrc was set to 0 regardless of authorizations.

    SE97 gives you an option of coupling exceptions based on the calling transaction -> if checked before the call you can turn it OFF. If checked in the target transaction program you can turn ON (disable the check).

    The new syntax basically hardcodes these two options in the calling program.

    Not using them is obsolete, but that does not mean that CALL TRANSACTION does not work anymore. It just means that you should not use it anymore without explicitly indicating in the calling transaction whether the check is wanted there or not. It forces developers to think about it and show intention.

    Whether it happens anyway and SE97 is respected in the called transaction is a different topic (if the target program performs AUTHORITY-CHECKs or calls AUTHORITY_CHECK_TCODE of it's own).

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      I proceeded to test and find on my own, and I must agree with what you wrote.

      Denying a test user any authorizations on the called transaction only granting the calling transaction, after running a dozen test cases, I was able to find that:

      WITHOUT clause - Does not check for TSTCA, TCDCOUPLES, and only stops at the hard-coded AUTHORITY-CHECK 'S_TCODE' statement in the called program with RC=4

      Omit the clauses WITH/WITHOUT altogether - TSTCA is not checked, but properly maintained TCDCOUPLES and hard-coded checks in called program can come in handy

      WITH clause - strongest with all other checks


      Thanks again,

      Pawan.