SAP DATASET AUTH SELF documentation, setup help and example usage

ARTICLE

Validation of File Names
Alongside the automatic authorization checks , it may be necessary to validate field names before they are used. This is particularly important if

the automatic authorization checks are not enough, for example because the database table SPTH or the authorizations for the authorization object S_DATASET have not been defined in full.

programs with physical file names are used, and these file names are provided using external interfaces such as API s or UI .

Using Logical File Names
File names do not usually need to be validated if a program is consistent in using only logical file names created by the system administrator in the transactions FILE or SF01 . The set of logical file names available to an application then defines the set of possible physical file names in a whitelist . The associated physical file names are not edited explicitly in the program. Instead, the function module FILE_GET_NAME is used to generate the physical file name from the logical file name directly before it is used in a
statement of the file interface and used for file access.

Using Physical File Names
If a program uses physical file names
, then the name almost always needs to be validated.

Self-Programmed Validation
If valid directories and file names are defined precisely (as is often the case in programs from the technical infrastructure), a validation of this nature can be skipped easily. The following can be used, for example:

Methods from character string processing ,

Methods from class CL_ABAP_DYN_PRG for checking whitelists ,

Methods in the class CL_FS_PATH

Logical File Names as a Whitelist
In many cases, directories and file names are generic, and are predefined by the system administrator when configuring the system. They can be modified or enhanced while the system is running. In these cases, the concept of logical file names should be employed when handling physical file names explicitly.
As in the case above, where a program uses only logical file names, the associations between logical and physical can also be useful when handling physical file names as a whitelist . As long as the list of logical file names is complete, the function module FILE_VALIDATE_NAME can be called before a file is accessed. This module checks whether the physical file name is associated with a logical file name or whether the directory is valid. In this way, it checks whether the physical file exists in the whitelist defined by the logical file names.