
about authority check~

Former Member
0 Kudos

Hi!

Let me ask something.

As usual, when we call a program using a T-CODE in the command field, R3 checks the authority, even for a BDC prog.

But in the program text, I programmed it like this: "CALL TRANSACTION XXX".

The system doesn't check authority.

For example, a user types 'XD01' in the command field and the system denies it. But when a user calls 'XD01' through my program, the system admits it. And in my program, I coded it like this: "CALL TRANSACTION 'XD01'".

I don't know why... Have you ever seen something like this?

If somebody knows this, please let me know! What should I do about it?

Sorry for my poor English, I need your help~~

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello,

As far as I know, the system checks transaction authority only if the user tries to start the transaction interactively, i.e. by entering the transaction code into the command field or clicking on the corresponding entry in the menu.

In a program this authority is not checked by default. You have to check it yourself. The appropriate ABAP command is AUTHORITY-CHECK (look it up in the online help); if I remember correctly (I don't have access to an SAP system right now), the corresponding authority object is TCODE.

Hope that helps (please reward me if it does),

Joerg
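The check described in the answer above, written out as an added example that is not part of the original thread: it tests the transaction start authorization (standard object S_TCODE, field TCD) before CALL TRANSACTION, so the program applies the same gate as the command field. The report name, subroutine name and message text are assumptions made for illustration.

```abap
REPORT z_call_transaction_checked.
* Added example: report and subroutine names are hypothetical.

CONSTANTS gc_tcode TYPE sy-tcode VALUE 'XD01'.

START-OF-SELECTION.
  PERFORM call_checked USING gc_tcode.

*---------------------------------------------------------------------*
* Start a transaction only if the current user holds the start
* authorization for it. A plain CALL TRANSACTION does not perform
* this check, so it has to be coded explicitly.
*---------------------------------------------------------------------*
FORM call_checked USING iv_tcode TYPE sy-tcode.

* S_TCODE is the authorization object for starting transactions;
* its single field TCD holds the transaction code.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD iv_tcode.

  IF sy-subrc <> 0.
*   Any non-zero return code means the user is not authorized:
*   refuse, and do not fall through to CALL TRANSACTION.
    MESSAGE 'No authorization to start the requested transaction'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Newer ABAP releases also offer the addition WITH AUTHORITY-CHECK
* on CALL TRANSACTION, which performs this check implicitly.
  CALL TRANSACTION iv_tcode.

ENDFORM.
```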

4 REPLIES 4

0 Kudos

Hi,

Thank you for helping me. But I would like to know more about the mechanism...

Regards

kyung woo

Former Member
0 Kudos

Hi Kyung Woo,

When the user enters the transaction code, let's say XD01, the R/3 system would get the authorization information as defined in the user's profile and check if the authority object required to execute the transaction exists in the user's profile. This is just a preliminary check. It prevents the non-technical users from accessing the transaction.

But when it comes to a technical user like an ABAP Programmer, almost anything can be done within the R/3 system. For example, you can just write a small program of about a few lines and cause serious damage to the entire R/3 System.

The point is that when you use the CALL TRANSACTION statement, it means that you are writing the program to accomplish some functionality. The preliminary check is bypassed in this case. But if there's an authority check coded into the transaction, then even the CALL TRANSACTION method won't work.

But remember one thing - so long as you are an ABAPer, with the authorization to create a program in SE38 and execute it, along with the authorization for Debugging, you can do almost anything within the R/3 system.

It is up to the programmer and the company to take care of any such mishaps happening. Anyways, when it comes to the Production system, your hands are all tied up. You would never have the authorization to do any development directly in there. If you do, then somebody is in very deep trouble !!:-).

As far as the Development system is concerned, nobody really bothers too much about them, because they do not affect any real-time data.

Regards,

Anand Mandalika.

0 Kudos

Hi,

Thank you for helping me. That's exactly what I wanted to know!^^.

You've been a great help...

Thanks.

Have a good day~~

Regards

kyung woo