on 03-27-2020 5:29 PM
I want to add an authorization check prior to the execution of a function module. I need to ensure that the user has a specific role to be able to execute the function module.
Currently, I have two possible approaches:
AUTHORITY-CHECK OBJECT 'S_TCODE'
ID 'TCD' FIELD 'TCODE'.
IF sy-subrc <> 0.
WRITE: 'Access denied'.
EXIT.
ENDIF.
Both of these approaches will do the job, but it looks more like a workaround than a best practice.
My question:
Is there any common approach to check if a user is allowed to execute a specific function module?
Dear Mike
This may be helpful to you: the S_RFC object; assigning ACTVT 16 will allow you to execute the RFC.
Check this link - if it gives you details of what you are looking for.
Regards,
Venkat
Thanks Venkateswaran (Venkat) Krishnamurthy,
I already considered this approach, but I also read to not rely on S_RFC:
Don't rely on S_RFC authorizations. They only determine, *if* a function module can be invoked remotely. They are by no means related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either…
I've already tried the following approach:
AUTHORITY-CHECK OBJECT 'S_RFC'
ID 'RFC_NAME' FIELD 'UN_EXISTIG_FUNG_GR'
ID 'RFC_TYPE' FIELD 'FUGR'
ID 'ACTVT' FIELD '16'.
IF sy-subrc <> 0.
WRITE: 'Access denied'.
EXIT.
ENDIF.
And I always get Authorization check successful, although the function group UN_EXISTIG_FUNG_GR does not exist.
Do you have any idea why?
The values of authority-check are only connected to authorisation objects in roles. They are not connected to the business or technical object to which they're associated.
S_TCODE does not check that the transaction code exists. It checks if you have a role which authorises the use of the transaction.
Thanks for the link, in the end I applied S_RFC with a check on the FUGR:
AUTHORITY-CHECK OBJECT 'S_RFC'
ID 'RFC_NAME' FIELD '/COMP/DOMAIN/PROJECT_A_FUGR'
ID 'RFC_TYPE' FIELD 'FUGR'
ID 'ACTVT' FIELD '16'.
IF sy-subrc <> 0.
WRITE: 'Access denied'.
EXIT.
ENDIF.
The problem was that I checked a permission for the specific function group, e.g. /COMP/DOMAIN/PROJECT_A_FUGR, while a test user has more general permissions, e.g. /COMP/DOMAIN/*. That's why my initial check didn't work out.
Be careful, if you use S_RFC, any external program can execute your function module. Do you really want to make your function group visible to the outside world, and so possibly subject to attacks? Make sure that the security team agrees.
@Venkateswaran (Venkat) Krishnamurthy, one more question.
In the post "Ten golden rules for ABAP authorization checks", the author strongly recommends using SAP APIs for authorization checks, e.g. AUTHORITY_CHECK_RFC instead of a plain ABAP AUTHORITY-CHECK OBJECT 'S_RFC'.
Is it really much more reliable/best practice to use such APIs?
> Be careful, if you use S_RFC, any external program can execute your function module. Do you really want to make your function group visible to the outside world, and so possibly subject to attacks? Make sure that the security team agrees.
Should I add an additional AUTHORITY-CHECK with another authorization object to ensure that only those users who have a role for the specific function group will be able to execute these FMs?
These FMs are called via JCo, therefore they must be exposed to the RFC interface. According to your "any external program can execute your function module", any program can call my FMs via RFC, but if that's the case, what is the added value of the S_RFC/FUGR check? I assumed that the purpose of S_RFC/FUGR is to limit execution permission to only those users/jobs who have in their profile a role with the appropriate function group. Am I wrong?
When your function module is called by RFC, SAP will first automatically do an authorization check on S_RFC (*) for the function module name, and if there's no corresponding authorization it will do a check with the name of its function group. So you don't need to do it in your program.
So, you're right.
(*) Except if the profile parameter auth/rfc_authority_check is set to 0 but it's very rare and not recommended. See SAP documentation if you need more information: SAP Library: RFC Authorizations, Note 931252 - Security Note: Authority Check for Function Group SRFC, https://support.sap.com/en/security-whitepapers.html (concerning RFC)
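Putting the thread's conclusion into code, as an added example that is not part of any post above: the RFC runtime already enforces S_RFC (function module name, then function group) before a remote-enabled module starts, so the module itself should check the business action with a custom authorization object and signal denial to the JCo caller with an exception rather than WRITE/EXIT. The function module Z_PROJ_A_RELEASE_ORDER, the authorization object Z_PROJ_A and its field ZORDTYP are assumed to exist (created in SE37/SU21 and granted through a PFCG role); they are not taken from the thread.

```abap
FUNCTION z_proj_a_release_order.
*"----------------------------------------------------------------------
*" Hypothetical remote-enabled function module (flag set in SE37).
*"  IMPORTING
*"     VALUE(iv_order) TYPE char10
*"  EXCEPTIONS
*"     no_authority
*"----------------------------------------------------------------------
  " S_RFC for this module / its function group is checked by the RFC
  " runtime before we get here (unless auth/rfc_authority_check = 0),
  " so it is not repeated. S_RFC only says "may call remotely"; it says
  " nothing about whether the caller may release an order, so that is
  " checked against a custom authorization object (assumed: Z_PROJ_A
  " with fields ACTVT and ZORDTYP, granted via a PFCG role).
  " Values in the role may be wildcards ('*'), which match here as well;
  " the check never verifies that iv_order or Z_PROJ_A "exist".
  AUTHORITY-CHECK OBJECT 'Z_PROJ_A'
           ID 'ACTVT'   FIELD '16'        " 16 = execute
           ID 'ZORDTYP' FIELD 'RELEASE'.
  IF sy-subrc <> 0.
    " sy-subrc 4 = user lacks a matching authorization,
    " sy-subrc 12 = object not in the user's profile at all.
    " In an RFC call there is no list screen: WRITE/EXIT would return
    " normally and the JCo client would see a successful call. Raising
    " the classic exception makes the denial visible to the caller.
    RAISE no_authority.
  ENDIF.

  " ... business logic for releasing iv_order goes here ...
ENDFUNCTION.
```

A JCo client sees the raised exception as an AbapException for NO_AUTHORITY, which is the signal the security team can monitor on the client side as well.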