
Is it possible to implement a custom transaction execution authorisation check?

tim_alsop
Active Contributor
0 Kudos

We are trying to find out if any BAdI or user exit or function module exit is available in SAP NetWeaver ABAP which is invoked when any transaction is run by a user. We want to write some ABAP code that checks if a user is authorised to run the transaction or not (using information that changes in addition to the static info like roles/profiles that are already checked) and based on the exit code returned by our code we expect SAP NetWeaver to block the execution of the transaction (showing a friendly message to the user) or allow it. Is this possible?

tim_alsop
Active Contributor
0 Kudos

I don't think it does help, but I appreciate your help so far on this topic. The posts you have shared seem to explain how to add authority checks into your own code. We don't want to do that - we want to let the user log on and run any standard transaction, e.g. su01, sm30, ME23N, etc. We then want to implement some code which gets invoked (e.g. via a user exit, BAdI, function module exit) and that code will check whether the user is allowed to run the transaction. Is there such a user exit, BAdI or function module exit, or some other way to code this?

NTeunckens
Active Contributor
0 Kudos

I don't see any SAP-enabled Enhancement-point, but you could insert a Modification in FM "SFW_GET_SWITCHPOS" or "S_UI_CLASS_DEPENDENCIES"?

The FM "SFW_GET_SWITCHPOS" exports a "SWITCHTAB"-Table that holds the transaction that is executed ... Or you could obviously use the System-Parameters ...

See if that is an option you / your Organisation is willing to investigate ...

srinivas_cheruku
Explorer
0 Kudos

Hello Nic,

I am working with Tim on this enhancement and appreciate your help on this.

When I debug any transaction, I can see that the FMs "S_UI_CLASS_DEPENDENCIES" and "SFW_GET_SWITCHPOS" are called before showing the transaction's main screen. Are you suggesting that we need to modify these FMs' code to include our ABAP code that checks whether the user is allowed to run the transaction or not?

I found that the AUTH_CHECK_TCODE or AUTHORITY_CHECK_TCODE FMs are also called when a transaction is run to check for authorizations. So, do you think it is better to change one of these FMs' code to include our ABAP code that checks whether the user is allowed to run the transaction or not?

If we change SAP standard code, an SAP software upgrade / enhancement package install might overwrite these changes? Do you think it is OK to change SAP standard code?

I didn't understand your reference to the SWITCHTAB table. Are you suggesting that we need to write code to look up the table to know the transaction code being run? If so, surely it would be better to change the AUTH_CHECK_TCODE FM instead, since this FM knows the transaction code already. In your opinion, which would be better?

Thanks,

Srini

Accepted Solutions (0)

Answers (1)

alessandr0
Active Contributor

Hello,

that's simply not possible as otherwise smart security firms would have done that already to increase the security. There are some approaches that use a policy server to achieve what you want. However, it requires huge implementation effort and will break when you upgrade. Try to use SAP standard through roles and authorizations, SU24, TSTCA, etc. Everything else will end in a mess.

Regards, Alessandro

tim_alsop
Active Contributor
0 Kudos

Thank you. Your point is understood.

On a similar topic, do you know how we can invoke some code whenever a user accesses or tries to change a certain field type?

Thanks

Tim