Skip to Content

AUTHORITY_CHECK_TCODE Authorization error

Hi All,

I got a requirement to fix all security issues in a report.

In my report we are calling one custom Tcode using the statement CALL TRANSACTION.

But as per security fixes,i need to check authorization before calling the transaction.

for that I used FM AUTHORITY_CHECK_TCODE to check authorization for the tcode.

After addition of above code,it's showing authorization error for the user in production.

After R&D I got to know that, CALL TRANSACTION won't check for authorization for the TCODE.
Now its checking Tcode authorization in production.

But my doubt is YTOCDE is not assigned with any authorization objects not event S_TCODE in SU24.

in that case user should not get authorization error as there is not auth object assigned.

Can any one tell me why authorization is failing?



Capture.PNG (8.8 kB)
Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • author's profile photo Former Member
    Former Member
    Posted on May 13, 2015 at 07:24 AM

    Hi Naresh,

    Please read the below documetation related to authority check issue while calling tcode using CALL TRANSACTION.

    • If no authorization check is performed for CALL TRANSACTION and no check is performed in the called program, a check can be run in the called program by calling the function module AUTHORITY_CHECK_TCODE. This function module checks the authorization object S_TCODE, if the database field OKFLAG in TCDCOUPLES has the value "X" or is empty. If the field has the value "N", the function module does not perform a check. If the authorization is to be checked regardless of the table entries, the statement AUTHORITY-CHECK needs to be used.

    • The entries in the database table TCDCOUPLES can be defined in transaction SE97. The entry in the column MAINTFLAG controls the program behavior if the authorization is missing.

    • The standard behavior described here for the authorization check can be overridden by the hidden profile parameter auth/check/calltransaction. This profile parameter is not provided as standard but it can be created manually. The following table shows the value combinations - value in OKFLAG in TCDCOUPLES (first column) and value of existing profile parameter (first row) - for which an authorization check is performed.
    | 0 1 2 3
    "X" | - x x x
    "N" | - x - -
    " " | - x - x
    The last row also describes the behavior for when TCDCOUPLES does not contain a corresponding entry. Value 2 for the profile parameter is the standard behavior. If the profile parameter is available, it influences the AUTHORITY_CHECK_TCODE function module.
    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Naresh Bammidi

      Hi Naresh,

      Then maintain the TCDCOUPLES table with the values as

      TCODE --- is your main program tcode

      CALLED ---- is your YTCODE


      OKFLAG ---- 'N'

      then the system will bypass all the authorization checks related to that called transaction.

      and other way is check wether that user has authorization for that tcode in the production system or not. If not mainatin TCODE in the authorization object S_TCODE.



      pastedImage_0.png (10.3 kB)

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.