extended syntax checks off

Former Member
0 Kudos

I have a program which has the extended syntax checks turned off and only turned on again after all the form pools, checks and update routines are performed. Is there any security implication from this extended check being off, considering that it makes no sense to secure it with an authorization group?

Message was edited by: jbussche

AH! I see that I forgot to say "please". )

Does anyone have any info on this other than the ABAP keyword documentation, please?

Message was edited by: jbussche

1 ACCEPTED SOLUTION

Frank_Buchholz
Product and Topic Expert
0 Kudos

Hello Julius,

I don't see any serious security implication with the extended syntax checks turned off. (But it might have implications to the quality of the program...)

You run the (extended) syntax checks during development.

There is one check which is related to security: The authorizations test checks whether the specified authorization object occurs in the table TOBJ and whether the authorization fields are correctly specified. -> This test checks the syntax of AUTHORITY-CHECK statements.

Authorization groups are not related to the extended syntax check: The system checks the authorization for the authorization object S_PROGRAM based on an authorization group assignment before starting a report.

Kind Regards

Frank Buchholz

Checking a Program

http://help.sap.com/saphelp_nw2004s/helpdata/en/d1/801af0454211d189710000e8322d00/frameset.htm

5 REPLIES

0 Kudos

Hello Frank,

Thanks. My concern / comment was that it being a module pool, I cannot rely on an s_program based authorization but must use the individual authority-check objects.

Therefore I was interested in the effect of the syntax check.

So if I understand correctly: If the check is permanently off for any performs assigned to the module pool, then an auth object checked would not need to "exist" in the TOBJ sense of them existing at all, and the authorization fields checked would not need to exist (or be correct) either?

I guess one could use this to place an authority-check against some object and / or field which does not exist and therefore cannot normally be granted via a role... or the developer wants the program to tolerate some inconsistencies for whatever reason.

Kind regards,

Julius

0 Kudos

Hello Julius,

you cannot execute a module pool directly as you can do it with a report. Therefore an authorization check for S_PROGRAM is not necessary.

You execute a module pool using a transaction. The transaction has appropriate authorization checks (S_TCODE and a special authorization defined with SE93).

Well, yes, a developer can code a lot of nonsense like a defective AUTHORITY-CHECK statement... The standard syntax check, which is obligatory to compile an ABAP program, does not check for this kind of error. The optional extended syntax check would find it. Therefore it's a good idea

- to run the extended syntax check for your transports (SE09 -> Request/Task -> Complete Check -> Objects)

- not to switch off the extended syntax check if not necessary

Kind regards

Frank
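
Added example (not part of the thread and not SAP code): a small offline review script in Python that applies the idea discussed above to exported ABAP source, flagging AUTHORITY-CHECK statements whose object or ID fields are not in a known-object list and recording whether each sits in a region where `SET EXTENDED CHECK OFF` is in effect. The `KNOWN_OBJECTS` mapping is a constructed stand-in for an export of table TOBJ, and `Z_NOTEXIST`, the misspelled field `P_ACTN`, the form names and the function name `audit_authority_checks` are made up for illustration.

```python
import re

# Constructed stand-in for an export of table TOBJ: object -> authorization fields.
KNOWN_OBJECTS = {
    "S_TCODE": {"TCD"},
    "S_PROGRAM": {"P_GROUP", "P_ACTION"},
}

# Constructed ABAP fragment; Z_NOTEXIST, P_ACTN and the form names are made up.
SAMPLE_SOURCE = """\
SET EXTENDED CHECK OFF.
FORM check_start.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
  AUTHORITY-CHECK OBJECT 'Z_NOTEXIST' ID 'ACTVT' FIELD '03'.
ENDFORM.
SET EXTENDED CHECK ON.
FORM check_report.
  AUTHORITY-CHECK OBJECT 'S_PROGRAM'
    ID 'P_GROUP' FIELD lv_group
    ID 'P_ACTN' FIELD 'SUBMIT'.
ENDFORM.
"""

def audit_authority_checks(source, known_objects):
    """Return findings for AUTHORITY-CHECK statements that do not match known_objects."""
    findings = []
    extended_check_on = True
    # Drop full-line (*) and inline (") comments, then split into statements at '.'.
    # Simplification: assumes no '.' or '"' inside character literals.
    lines = [l.split('"')[0] for l in source.splitlines() if not l.startswith("*")]
    for stmt in " ".join(lines).split("."):
        upper = " ".join(stmt.split()).upper()
        m = re.fullmatch(r"SET EXTENDED CHECK (ON|OFF)", upper)
        if m:
            extended_check_on = m.group(1) == "ON"
            continue
        m = re.search(r"AUTHORITY-CHECK OBJECT '([^']+)'", upper)
        if not m:
            continue
        obj = m.group(1)
        ids = set(re.findall(r"\bID '([^']+)'", upper))
        if obj not in known_objects:
            problem = "unknown object"
        elif ids - known_objects[obj]:
            problem = "unknown field(s): " + ", ".join(sorted(ids - known_objects[obj]))
        else:
            continue
        findings.append({"object": obj, "problem": problem,
                         "extended_check_on": extended_check_on})
    return findings
```

Findings with `extended_check_on` set to `False` are the ones the optional extended check would not report for that code region, so they are the ones worth reviewing by hand.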

0 Kudos

Hi Frank,

I agree, hence the s_program cannot be used to contain it to a group.

In addition to a dialog / parameter transaction, a module pool can be performed from another program. E.g. perform search_profiles (sapmso1j).

My concern / interest is what the impact is of the syntax checks being inactive.

Kind regards,

Julius

0 Kudos

I would say that there is no 'security' impact in that security controls can't be bypassed. If they do check for an auth object and/or field that doesn't exist, the program will still check for it! So, the only risk is that the user will have an authorisation failure, followed by a bit of confusion from the security developers!

Also, it's not possible to turn the check off in SU24 unless the auth object already exists, so again, there's no security risk. A user still won't be able to run the program without due authorisation.