
How to check if an user has a required authorization role in ABAP?

MikeB
Contributor
0 Kudos

I want to add an authorization check prior to the execution of a function module. I need to ensure that the user has a specific role to be able to execute the function module.

Currently, I have two possible approaches:

  1. Create a TCODE for the function module and check access to the TCODE with S_TCODE:

AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'TCODE'.
IF sy-subrc <> 0.
  WRITE: 'Access denied'.
  EXIT.
ENDIF.

  2. Write an SQL query and read the data directly from the AGR_USERS table.

Both of these approaches will do the job, but they look more like a workaround than a best practice.

My question:
Is there any common approach to check if a user is allowed to execute a specific function module?

matt
Active Contributor
0 Kudos

You always check against authorisation objects (authority-check), never against roles.

venkateswaran_k
Active Contributor

Dear Mike

This may be helpful to you: the S_RFC object. Assigning ACTVT 16 will allow you to execute the RFC.

Check this link to see if it gives you the details you are looking for.

https://help.highbond.com/helpdocs/direct-link/8/user-guide/en-us/Content/installation/assigning_sap...

Regards,

Venkat

Sandra_Rossi
Active Contributor
0 Kudos

The OP never said that it was an RFC call.

MikeB
Contributor
0 Kudos

Thanks Venkateswaran (Venkat) Krishnamurthy,

I already considered this approach, but I also read not to rely on S_RFC:

> Don't rely on S_RFC authorizations. They only determine *if* a function module can be invoked remotely. They are by no means related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either.

I've already tried the following approach:

AUTHORITY-CHECK OBJECT 'S_RFC'
  ID 'RFC_NAME' FIELD 'UN_EXISTIG_FUNG_GR'
  ID 'RFC_TYPE' FIELD 'FUGR'
  ID 'ACTVT' FIELD '16'.
IF sy-subrc <> 0.
  WRITE: 'Access denied'.
  EXIT.
ENDIF.

And I always get 'Authorization check successful', although the function group UN_EXISTIG_FUNG_GR does not exist.

Do you have any idea why?

matt
Active Contributor

The values of authority-check are only connected to authorisation objects in roles. They are not connected to the business or technical object to which they're associated.

S_TCODE does not check that the transaction code exists. It checks if you have a role which authorises the use of the transaction.

MikeB
Contributor
0 Kudos

Thanks for the link. In the end I applied S_RFC with a check on the FUGR:

AUTHORITY-CHECK OBJECT 'S_RFC'
  ID 'RFC_NAME' FIELD '/COMP/DOMAIN/PROJECT_A_FUGR'
  ID 'RFC_TYPE' FIELD 'FUGR'
  ID 'ACTVT' FIELD '16'.
IF sy-subrc <> 0.
  WRITE: 'Access denied'.
  EXIT.
ENDIF.

The problem was that I checked a permission for the specific function group, e.g. /COMP/DOMAIN/PROJECT_A_FUGR, while a test user has more general permissions, e.g. /COMP/DOMAIN/*. That's why my initial check didn't work out.

Sandra_Rossi
Active Contributor

Be careful, if you use S_RFC, any external program can execute your function module. Do you really want to make your function group visible to the outside world, and so possibly subject to attacks? Make sure that the security team agrees.

MikeB
Contributor
0 Kudos

@Venkateswaran (Venkat) Krishnamurthy, one more question.

In the post "Ten golden rules for ABAP authorization checks", the author strongly recommends using SAP APIs for authorization checks, e.g. AUTHORITY_CHECK_RFC instead of a plain ABAP AUTHORITY-CHECK OBJECT 'S_RFC'.

Is it really much more reliable/best practice to use such APIs?

MikeB
Contributor
0 Kudos

> Be careful, if you use S_RFC, any external program can execute your function module. Do you really want to make your function group visible to the outside world, and so possibly subject to attacks? Make sure that the security team agrees.

Should I add an additional AUTHORITY-CHECK with another authorization object to ensure that only those users who have a role for the specific function group will be able to execute these FMs?

Sandra_Rossi
Active Contributor
0 Kudos

If you don't want external programs to call your function module, then don't use S_RFC. It implicitly means that if you want to do an authorization check, you need to use another authorization object (and if you want to be sure not to have side effects, create a custom one).

MikeB
Contributor
0 Kudos

These FMs are called via JCo, therefore they must be exposed to the RFC interface. According to your "any external program can execute your function module", any program can call my FMs via RFC, but if that's the case, what is the added value of the S_RFC/FUGR check? I assumed that the purpose of S_RFC/FUGR is to limit execution permission only to those users/jobs who have in their profile a role with an appropriate function group. Am I wrong?

Sandra_Rossi
Active Contributor

When your function module is called by RFC, SAP will first automatically do an authorization check on S_RFC (*) for the function module name, and if there's no corresponding authorization it will do a check with the name of its function group. So you don't need to do it in your program.

So, you're right.

(*) Except if the profile parameter auth/rfc_authority_check is set to 0, but that is very rare and not recommended. See the SAP documentation if you need more information: SAP Library: RFC Authorizations, Note 931252 - Security Note: Authority Check for Function Group SRFC, https://support.sap.com/en/security-whitepapers.html (concerning RFC)
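As a worked example of the approach matt and Sandra describe above (check an authorization object that represents the business operation, and leave S_RFC to the RFC runtime), here is an added ABAP function module. It is not code from any post in this thread. Everything in it except the function group name /COMP/DOMAIN/PROJECT_A_FUGR (taken from MikeB's post) is assumed: the custom authorization object ZFM_EXEC with fields ZFUGR and ACTVT, the function module name Z_PROJECT_A_DO_SOMETHING, and the message class ZPROJ_A.

```abap
" Added example, not from the thread. Assumes a hypothetical custom
" authorization object ZFM_EXEC (created in SU21) with the fields
" ZFUGR (function group name) and ACTVT (activity; 16 = Execute).
" The S_RFC check is done by the RFC runtime before this function module
" starts (unless auth/rfc_authority_check is 0), so the code below only
" performs the business-level check that S_RFC does not cover.

FUNCTION z_project_a_do_something.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_DOCUMENT) TYPE STRING
*"  EXPORTING
*"     VALUE(EV_RESULT) TYPE STRING
*"  EXCEPTIONS
*"      NO_AUTHORITY
*"----------------------------------------------------------------------

  " Check against an authorization object, never against a role or AGR_USERS.
  " A role is only a container: any role that grants ZFM_EXEC with
  " ZFUGR = '/COMP/DOMAIN/PROJECT_A_FUGR' (or a wildcard such as
  " '/COMP/DOMAIN/*') and ACTVT = '16' satisfies this check. The values are
  " matched against the user's authorizations, not against the repository,
  " which is why a non-existent name can still pass (see MikeB's test above).
  AUTHORITY-CHECK OBJECT 'ZFM_EXEC'
    ID 'ZFUGR' FIELD '/COMP/DOMAIN/PROJECT_A_FUGR'
    ID 'ACTVT' FIELD '16'.

  IF sy-subrc <> 0.
    " Treat every non-zero return code as a denial. In a function module
    " WRITE/EXIT is wrong: raise the classic exception so a JCo caller
    " receives an error instead of an empty result. Message 001 of the
    " hypothetical class ZPROJ_A carries the user name for the log.
    MESSAGE e001(zproj_a) WITH sy-uname RAISING no_authority.
  ENDIF.

  " Business logic runs only after the check succeeded.
  ev_result = |Processed { iv_document } for { sy-uname }|.

ENDFUNCTION.
```

The denial branch raises NO_AUTHORITY rather than writing to a list, so the caller can distinguish "not allowed" from "nothing to return", and the failed check is visible in the system authorization trace with the exact object and values evaluated. Because the object is custom, granting it in a role has no side effects on any other transaction or RFC, which is the point of Sandra's advice to create one.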