Solved: Restricting AL11

Former Member · ‎10-17-2008

Hi,

How can I restricted a user to seeing only a particular unix directory in AL11? By default all the configured directories can be seen.

I only want the user to see a particular configured directory. I tried specifying the directory name in "Physical file name (filename)" in S_DATASET but it doesn't seem to work.

Thanks in advance.

Former Member · ‎10-19-2008

Hi,

Here is the answer for your question.

First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below

Activity 33

Physical file name /tmp/*

Program Name with Search Help *

Regards

Anandm

Former Member · ‎10-17-2008

Hi Sisab,

There is a thread already that talks about your problem:

Hope this helps.

Regards,

Kiran Kandepalli.

Former Member · ‎10-17-2008

Yes, it talks about it but does not really solve it in my opinion.

Take a read through function module AUTHORITY_CHECK_DATASET which you should call before the file system operation is performed, because the S_DATASET checks (and S_PATH for the directory) are invoked by the OPEN, READ, DELETE DATASET statements themselves, not only by the AUTHORITY-CHECK statement.

Former Member · ‎10-19-2008

Hi,

Here is the answer for your question.

First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below

Activity 33

Physical file name /tmp/*

Program Name with Search Help *

Regards

Anandm

Former Member · ‎10-19-2008

>


> First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below 
>      Activity      33 
>      Physical file name      /tmp/* 
>      Program Name with Search Help      *

Thanks for sharing. I didn't know about this option and will test whether it works. Does it also work if the path hook is not activated?

But I still have a doubt => if the user can break out of the AL11 or has access to start reports (the file system can be read from many many reports) then there is no restriction to the program context (field: Program Name) from which the dataset is read. Who knows what all those programs do, and where in all of them the "physical file name" is an input parameter which the user can influence...

Personally, I think the (initial) security gain is greater from restricting the "Program Name" and ensuring that the applications sufficiently take care of their security requirements, than restricting AL11 only.

Cheers,

Julius

Former Member · ‎10-21-2008

thanks all for the reply...

@Anand : tried your suggestion but it didn't work... executing AL11 still allow me to access all the directories...

Former Member · ‎10-21-2008

Hi Sisab,

S_DATASET is for Authorization for file access, and unfortunately NOT for directory access.

AL11 just gives display access to all directories by default, you can further restrict files by S_DATASET. Once restricted, a user cannot do anything within the directory anyway!

Sometimes, its better to just push back on requirements.

Hope this is useful

Abhishek

Former Member · ‎10-21-2008

Hi Abhishek,

Thanks for your reply.

Basically, it's to restrict "prying" eyes looking into the system.

I understand the control of S_DATASET but really I just want to limit upfront what the user can see in AL11.

Regards