Insufficient Authorization Checks
Adequate authorization checks are an important part of secure ABAP
programming. In many statements, an appropriate authorization check is
performed implicitly, for example:
- Using the addition WITH AUTHORITY-CHECK in LEAVE TO TRANSACTION and
  CALL TRANSACTION.
- When an authorization group is created for the called program in SUBMIT.
- Both of these instances use the automatic authorization checks in the
  ABAP file interface.
There are, however, many critical statements where no implicit
authorization checks are performed, for example:
- CALL TRANSACTION without the addition WITH AUTHORITY-CHECK (and if the
  table TCDCOUPLES does not contain any appropriate entries).
- SUBMIT for programs without authorization groups.
- SQL reads performed on database tables.
Any places in a program that a user can reach without sufficient
authorizations and where no implicit authorization check takes place
must be secured explicitly using the statement
AUTHORITY-CHECK and the result of the check analyzed
carefully.
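The three unchecked cases listed above, each closed with an explicit check before the critical statement runs. This is an added example, not taken from the SAP documentation; the report, table, program, transaction and authorization-group names (z_auth_check_demo, zsensitive_tab, zreport_no_group, ZDEMO, ZAUTHGRP) are hypothetical, while S_TABU_NAM, S_PROGRAM and CX_SY_AUTHORIZATION_ERROR are standard SAP objects.

```abap
REPORT z_auth_check_demo.
" Added example, not from the SAP documentation. Hypothetical names:
" z_auth_check_demo, zsensitive_tab, zreport_no_group, ZDEMO, ZAUTHGRP.

" Case 1: a SQL read performs no implicit authorization check, so the
" SELECT is guarded by an explicit check on S_TABU_NAM (display, ACTVT '03').
DATA lt_rows TYPE STANDARD TABLE OF zsensitive_tab WITH EMPTY KEY.

AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
  ID 'TABLE' FIELD 'ZSENSITIVE_TAB'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " Never fall through: an unauthorized user must not reach the SELECT.
  MESSAGE 'No display authorization for ZSENSITIVE_TAB' TYPE 'I'.
  LEAVE PROGRAM.
ENDIF.
SELECT * FROM zsensitive_tab INTO TABLE @lt_rows UP TO 100 ROWS.

" Case 2: SUBMIT of a program that has no authorization group runs without
" an implicit check; verify S_PROGRAM explicitly before submitting.
AUTHORITY-CHECK OBJECT 'S_PROGRAM'
  ID 'P_GROUP'  FIELD 'ZAUTHGRP'
  ID 'P_ACTION' FIELD 'SUBMIT'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to submit ZREPORT_NO_GROUP' TYPE 'I'.
  LEAVE PROGRAM.
ENDIF.
SUBMIT zreport_no_group AND RETURN.

" Case 3: CALL TRANSACTION with the addition WITH AUTHORITY-CHECK performs
" the transaction authorization check implicitly; a failed check raises
" CX_SY_AUTHORIZATION_ERROR, which must be handled rather than ignored.
TRY.
    CALL TRANSACTION 'ZDEMO' WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error INTO DATA(lx_auth).
    MESSAGE lx_auth->get_text( ) TYPE 'I'.
    LEAVE PROGRAM.
ENDTRY.
```

In each case the sy-subrc result (or the exception) is evaluated immediately and the program leaves on failure, which is the "analyzed carefully" step the text calls for.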
A prerequisite for both implicit and explicit authorization checks is
that components such as authorizations, authorization objects, and so
on are defined. Care must also be taken to set the check indicator
correctly, to enable all required checks to take place.
Example
Checks explicitly whether the current user can create temporary
programs. This check could be used to secure the ABAP command
injections example.
  " Explicit check on S_DEVELOP for programs in the temporary package $TMP;
  " sy-subrc is 0 only if the current user holds the authorization.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD '$TMP'
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  DUMMY
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  " Analyze the result: on a failed check, do not continue with the
  " critical statement but leave the program.
  IF sy-subrc <> 0.
    LEAVE PROGRAM.
  ENDIF.
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved