09-18-2007 12:46 PM
Hi!
As a rule we always implement authorization group in the attributes of our ABAP programs. We also insert an include which contains a check:
AUTHORITY-CHECK OBJECT 'S_PROGRAM'
ID 'P_GROUP' FIELD W-SECU
ID 'P_ACTION' DUMMY.
where W_SECU is the given authorization group.
My question is : do we really need this check in saperp2005 systems? I have a feeling that this check is included in the SE38 transaction already now. Why I think this: someone forgot th copy the content of the mentioned include into our upgraded system, and if I try to run a program with a specfied authorization group I do not have access to , I get a message about this automatically from SE38.
Regards, Tine
09-18-2007 1:18 PM
Hi,
that must be wrong. You must differentiate between calling transaction SE38 (for which you need an authorization) and executing the program (which you insert as an include). On one side, transaction SA38 is the one your users must call for this. On the other side, I´m also working with MySAP 2005 and SE38 does not check the authority for the program.
09-18-2007 1:25 PM
But how do I get this message:
"SUBMIT authorization ZH01 required for program ZHRTRANSFER_PERSONAL_PLANNER_2" when I have only inserted the auth.group ZH01 as an attribute in this program and <b>no</b> AUTHORITY-CHECK in the program itself?
Regards, Tine
09-18-2007 1:29 PM
Just want to add that no ordinary users have access to SA38 or SE38 in production. We create a transaction code for every report. But technical persons have access to SE38/SA38 and in some cases should not be allowed to execeute programs (fex. HR programs containing sensitive data). Then we insert a special authorization group to avoid technical people to run the program directly.
regards, tine