Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ABAP Query Auth-Check

chris_hall2
Participant

‎03-17-2010 3:21 PM

0 Kudos

Hello,

I have an issue in regards to ABAP Queries that are accessed via SQ00. The issue was that a lot of the reports (based on a sample) do not have any authorization check.

There is over a 1000 queries, is there any way for me to check the code for the auth check on mass ? It is very tedious and time consuming going in one at a time to look for the auth check. Any help would be greatly appreciated.

Thank you

5 REPLIES 5

koehntopp
Product and Topic Expert
Product and Topic Expert

‎03-17-2010 9:48 PM

0 Kudos

Moved to Security Forum.

sdipanjan
Active Contributor

‎03-17-2010 10:08 PM

0 Kudos

There is an Object S_QUERY which is basically used for query execution. But you have to check if there are any report transaction (which i often found people to say and create confusion) then you can start with S_TCode for them. Can you please provide more information on these queries?

Regards,

Dipanjan

Former Member

‎03-18-2010 5:39 PM

0 Kudos

Hi Chris,

As standard there is no data level auth check in SAP Queries. Just one reason why they are often a poor solution for reporting.

Those based on Logical Databases have any checks that are present in the LDB.

Auth checks are placed in the infoset code, so it's only the infosets that you need to review to see if auth checks are included. If you have lots of queries hanging off a small number of infosets, this will be a fair bit easier. Your dev team should be able to point you towards the relevant section of the infoset that contains any additional validation code.

chris_hall2
Participant
In response to Former Member

‎03-18-2010 5:57 PM

0 Kudos

I totally agree with them being a poor solution. One of the issues is we do not utilize BW and the common practice in the past was to use reporting via SQ00.

I have been looking for a solution to analyze the queries info set quickly on mass, but we may have to to in one at a time. I figure about 3-4 minutes per query at a minimum of 1000 queries, that is a lot of time wasted (~66 hrs).

Former Member
In response to Former Member

‎03-18-2010 9:42 PM

0 Kudos

I understand your pain. We had a similar exercise where we needed to add auth checks to approx 1500 infosets.

We spoke to some experienced developers & SAP to see if there was a quick way to do the analysis and subsequent update but the conclusion was that doing it manually would be faster