
ABENAUTHORITY_SCRTY - AUTHORITY SCRTY

This documentation is copyright by SAP AG.

Insufficient Authorization Checks

Adequate authorization checks are an important part of secure ABAP programming. In many statements, an appropriate authorization check is performed implicitly, for example:

There are, however, many critical statements where no implicit authorization checks are performed, for example:

  • SQL reads performed on database tables

Any places in a program that a user can reach without sufficient authorizations and where no implicit authorization check takes place must be secured explicitly using the statement AUTHORITY-CHECK and the result of the check analyzed carefully.

A prerequisite for both implicit and explicit authorization checks is that all components required by the SAP authorization concept, such as authorizations, authorization objects, and so on, are defined. Care must also be taken to set the check indicator correctly, so that all required checks actually take place.

Example

The following check explicitly verifies whether the current user may create temporary programs. It could be used to secure the ABAP command injection example.

" Check whether the current user may change (ACTVT '02') programs in the
" temporary package $TMP; object name and program group are not restricted.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '$TMP'
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '02'.
" A return code other than 0 means the check failed; do not continue
" with the critical action.
IF sy-subrc <> 0.
  LEAVE PROGRAM.
ENDIF.
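The text above lists SQL reads on database tables as a statement with no implicit authorization check. The following report is an added example, not part of the SAP documentation: it reads a table whose name is supplied at runtime, so the SELECT itself checks nothing, and secures the read with an explicit AUTHORITY-CHECK on the standard authorization object S_TABU_NAM (fields TABLE and ACTVT), evaluating sy-subrc before the read is executed. The report name and the parameter name are assumptions.

```abap
" Added example (not from the SAP documentation): a generic table read
" that performs no implicit authorization check, secured explicitly.
" Assumes the standard authorization object S_TABU_NAM with the fields
" TABLE and ACTVT; report and parameter names are hypothetical.
REPORT zsec_table_read_example.

PARAMETERS p_table TYPE tabname DEFAULT 'T000'.

DATA lr_data TYPE REF TO data.
FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

" Explicit check: may the current user display (ACTVT '03') this table?
AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
  ID 'TABLE' FIELD p_table
  ID 'ACTVT' FIELD '03'.

" Analyse the result carefully: only 0 means "authorized".
CASE sy-subrc.
  WHEN 0.
    " Authorized. The dynamic SELECT has no implicit check of its own,
    " so it is executed only after the explicit check has succeeded.
    CREATE DATA lr_data TYPE STANDARD TABLE OF (p_table).
    ASSIGN lr_data->* TO <lt_rows>.
    SELECT * FROM (p_table) INTO TABLE <lt_rows> UP TO 10 ROWS.
    WRITE: / |{ lines( <lt_rows> ) } rows read from { p_table }|.
  WHEN 4.
    " The user lacks the required authorization for this table.
    MESSAGE 'No authorization to display this table' TYPE 'E'.
  WHEN OTHERS.
    " The check could not be carried out correctly (for example the
    " object or a field is unknown). Treat this as a denial, never as
    " permission.
    MESSAGE 'Authorization check could not be performed' TYPE 'E'.
ENDCASE.
```

Each branch of the CASE ends the critical path unless the check returned 0; an omitted WHEN OTHERS branch would silently let a misconfigured check fall through to the read.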
