Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Use of Authorization groups - do we need check on S_PROGRAM as well?

Former Member
0 Kudos

Hi!

As a rule we always implement authorization group in the attributes of our ABAP programs. We also insert an include which contains a check:

AUTHORITY-CHECK OBJECT 'S_PROGRAM'

ID 'P_GROUP' FIELD W-SECU

ID 'P_ACTION' DUMMY.

where W_SECU is the given authorization group.

My question is : do we really need this check in saperp2005 systems? I have a feeling that this check is included in the SE38 transaction already now. Why I think this: someone forgot th copy the content of the mentioned include into our upgraded system, and if I try to run a program with a specfied authorization group I do not have access to , I get a message about this automatically from SE38.

Regards, Tine

3 REPLIES 3

Former Member
0 Kudos

Hi,

that must be wrong. You must differentiate between calling transaction SE38 (for which you need an authorization) and executing the program (which you insert as an include). On one side, transaction SA38 is the one your users must call for this. On the other side, I´m also working with MySAP 2005 and SE38 does not check the authority for the program.

Former Member
0 Kudos

But how do I get this message:

"SUBMIT authorization ZH01 required for program ZHRTRANSFER_PERSONAL_PLANNER_2" when I have only inserted the auth.group ZH01 as an attribute in this program and <b>no</b> AUTHORITY-CHECK in the program itself?

Regards, Tine

Former Member
0 Kudos

Just want to add that no ordinary users have access to SA38 or SE38 in production. We create a transaction code for every report. But technical persons have access to SE38/SA38 and in some cases should not be allowed to execeute programs (fex. HR programs containing sensitive data). Then we insert a special authorization group to avoid technical people to run the program directly.

regards, tine