Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AUTHORITY_CHECK_TCODE Authorization error

naresh_bammidi
Contributor

‎05-13-2015 8:14 AM

0 Kudos

Hi All,

I got a requirement to fix all security issues in a report.

In my report we are calling one custom Tcode using the statement CALL TRANSACTION.

But as per security fixes,i need to check authorization before calling the transaction.

for that I used FM AUTHORITY_CHECK_TCODE to check authorization for the tcode.

After addition of above code,it's showing authorization error for the user in production.

After R&D I got to know that, CALL TRANSACTION won't check for authorization for the TCODE.
Now its checking Tcode authorization  in production.

But my doubt is YTOCDE is not assigned with any authorization objects not event S_TCODE in SU24.

in that case user should not get authorization error as there is not auth object assigned.

Can any one tell me why authorization is failing?

Thanks

Naresh

Preview file
9 KB
3 REPLIES 3

Former Member

‎05-13-2015 8:24 AM

0 Kudos

Hi Naresh,

Please read the below documetation related to authority check issue while calling tcode using CALL TRANSACTION.

  • If no authorization check is performed for CALL TRANSACTION and no check is performed in the called program, a check can be run in the called program by calling the function module AUTHORITY_CHECK_TCODE. This function module checks the authorization object S_TCODE, if the database field OKFLAG in TCDCOUPLES has the value "X" or is empty. If the field has the value "N", the function module does not perform a check. If the authorization is to be checked regardless of the table entries, the statement AUTHORITY-CHECK needs to be used.

  • The entries in the database table TCDCOUPLES can be defined in transaction SE97. The entry in the column MAINTFLAG controls the program behavior if the authorization is missing.

  • The standard behavior described here for the authorization check can be overridden by the hidden profile parameter auth/check/calltransaction. This profile parameter is not provided as standard but it can be created manually. The following table shows the value combinations - value in OKFLAG in TCDCOUPLES (first column) and value of existing profile parameter (first row) - for which an authorization check is performed.
     |  0  1  2  3
------------------
"X"  |  -  x  x  x
"N"  |  -  x  -  -
" "  |  -  x  -  x
The last row also describes the behavior for when TCDCOUPLES does not contain a corresponding entry. Value 2 for the profile parameter is the standard behavior. If the profile parameter is available, it influences the AUTHORITY_CHECK_TCODE function module.
Regards
Mani

naresh_bammidi
Contributor
In response to Former Member

‎05-13-2015 11:04 AM

0 Kudos

Hi Nagamani,

1. Tcode is not assigned with S_TCODE authorization object.
2. There is no entry in the table TCDCOUPLES

As mentioned in the document if there is no entry in the above table FM skips the auth check.

But in my case its checking for authorization.What could be the reason?

3. I couldn't understand third point.what is that profile parameter?

Thanks
Naresh Bammidi

Former Member
In response to Former Member

‎05-13-2015 11:18 AM

0 Kudos

Hi Naresh,

Then maintain the TCDCOUPLES table with the values as

TCODE --- is your main program tcode

CALLED ---- is your YTCODE

AND

OKFLAG  ---- 'N'

then the system will bypass all the authorization checks related to that called transaction.

and other way is check wether that user has authorization for that tcode in the production system or not. If not mainatin TCODE in the authorization object S_TCODE.

Regards

Mani

Preview file
11 KB