I did do a high-level search on this forum but couldn't find the exact answer I am looking for, so I thought I would post a question.
I am doing security at a company that is in the infant stage of using SAP (ECC). I am having a hard time getting developers to understand the need for authority checks in custom programs and on custom transactions. My question is this:
I am asking them for an auth check in the ABAP code.
I am asking them to create a custom t-code if the program is an executable.
I am asking them to add the auth object check to the t-code in SU24 so that it comes into the role when the code is added.
Am I asking for too much? Is this not the proper way to do it? They are not using auth groups on programs so the auth object statement in the program and on the t-code seem logical to me.
Any comments or suggestions are appreciated.
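
An added example, not part of the original post, of the in-code check the question describes: a report that runs AUTHORITY-CHECK at START-OF-SELECTION and acts on sy-subrc before reading any data. The report name, the selection and the choice of the standard object V_VBAK_VKO as the checked object are assumptions for illustration.

```abap
REPORT zsd_order_list.
" Constructed example: the report name and selection are hypothetical.
" V_VBAK_VKO is the standard sales-document authorization object, used
" here as a stand-in for whichever object fits the program's data.

PARAMETERS p_vkorg TYPE vbak-vkorg OBLIGATORY.

DATA: lt_orders TYPE STANDARD TABLE OF vbak,
      ls_order  TYPE vbak.

START-OF-SELECTION.
  " Runs on every start of the report, whether it was launched through
  " the custom t-code or directly by report name.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
    ID 'VKORG' FIELD p_vkorg
    ID 'VTWEG' DUMMY
    ID 'SPART' DUMMY
    ID 'ACTVT' FIELD '03'.

  " AUTHORITY-CHECK only sets sy-subrc; the program has to act on it.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this sales organization'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Data access happens only after the check has passed.
  SELECT * FROM vbak
    INTO TABLE lt_orders
    UP TO 100 ROWS
    WHERE vkorg = p_vkorg.

  LOOP AT lt_orders INTO ls_order.
    WRITE: / ls_order-vbeln, ls_order-erdat, ls_order-kunnr.
  ENDLOOP.
```

The S_TCODE check for a custom transaction happens only when the transaction itself is started, so the check inside the program is what still applies when the report is started by name.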