SAP FILE INTERFACE AUTHORITY documentation, setup help and example usage
Automatic Authorization Checks
The following authorization checks take place automatically during data access:
  • Checks in the Operating System

  • Program-Independent Checks on Access Rights

  • Authorization Check for Special Files

  • Authorization Checks for Users and Programs for Individual Files


    Checks in the Operating System
    From the point of view of the application server's operating system, all file accesses are carried out by the AS ABAP itself. As a consequence, the operating system user under which the AS ABAP runs must have the authority to read and write all files and directories that are handled by the ABAP file interface. If this authorization does not exist, the file interface statements can only be partially carried out, or not at all. If a statement cannot be executed because of a lack of authorization in the operating system, the return value sy-subrc is set to a value not equal to 0.

    Program-Independent Checks on Access Rights
    For access to files using the statements OPEN DATASET, READ DATASET, TRANSFER, and DELETE DATASET, a check against the entries of the database table SPTH is carried out automatically. The entries in the database table SPTH control the general read and write access from ABAP programs to files and whether files are backed up or not.
    In the database table SPTH, read and write access can be forbidden in general for generically specifiable files, independent of any authorization objects. For the remaining files (those that may generally be accessed for reading or writing according to the database table SPTH), authorization checks can be carried out on the basis of authorization objects. In the database table SPTH, authorization groups from the table SPTHB (texts in SPTHT, shared view V_SPT) can be defined for program-independent authorization checks. The following table shows the columns of the database table SPTH. If the check on the database table SPTH has a negative result, an untreatable exception occurs.
    Column      Meaning
    PATH        Column for generic file names. The attributes specified in the other columns of this row apply to all files of the application server that are best described by the entry in this column.
    SAVEFLAG    If this column contains the value "X", the files entered in PATH are included in the backup procedure.
    FS_NOREAD   If this column contains the value "X", the files specified in the PATH column cannot be accessed from ABAP. This setting overrides the settings in the columns FS_NOWRITE and FS_BRGRU as well as the authorization check on the authorization object S_DATASET.
    FS_NOWRITE  If this column contains the value "X", the files specified in the PATH column cannot be write-accessed from ABAP. This setting overrides the setting in the column FS_BRGRU as well as the authorization check on the authorization object S_DATASET.
    FS_BRGRU    In this column, an authorization group with a name of your choice can be defined. The files of multiple rows can be grouped together in this way. During the evaluation of the database table SPTH, an authorization check is carried out for the current user against the authorization object S_PATH, which contains the two authorization fields RS_BRGRU and ACTVT. In this way, access to the files specified in PATH can be granted independently from the user. If no name is entered, no authorization check is carried out against the authorization object S_PATH.

    Note
    In comparison to the authorization check using the authorization object S_DATASET (see below), an authorization check using the authorization object S_PATH is independent of the ABAP program in which it occurs. Furthermore, the check is not limited to a single file, but includes all the generically specified files of the PATH column.

    Example
    The table SPTH is filled as follows:
    PATH          SAVEFLAG  FS_NOREAD  FS_NOWRITE  FS_BRGRU
    *             -         X          X           -
    /tmp          -         -          -           -
    /tmp/myfiles  X         -          -           FILE
    The entries in the
      • first row apply to all files of the application server except for those in the path /tmp,
      • second row apply to all files of the application server in the path /tmp, except for the files in the path /tmp/myfiles,
      • third row apply to the files in the path /tmp/myfiles.
    These entries specify that no ABAP program can access any files on the application server, except for the files in the path /tmp. All ABAP programs have both read and write access to the files in the path /tmp. Only users who have an authorization for the authorization group FILE can use ABAP programs that have read and write access to the files in the path /tmp/myfiles. The files in this path are also flagged for backup. Using the table above, the following program lines produce a runtime error for all users:
    DATA fname TYPE string.
    fname = `/system/files`.
    OPEN DATASET fname FOR OUTPUT IN BINARY MODE.

    Authorization Check for Special Files
    Every time a PSE file (a file with the extension .pse for a Personal Security Environment) is accessed, an automatic authorization check for the current user is performed with the value "01" for the field ACTVT of the system administration authorization object S_RZL_ADM.

    Authorization Checks for Users and Programs for Individual Files
    Every time a file is opened or deleted using the ABAP file interface, an automatic authorization check is carried out for the current user and the current program using the predefined authorization object S_DATASET. This authorization object contains the authorization fields PROGRAM for the program name, FILENAME for the opened file, and ACTVT with the activities Delete, Read, Write, Read with Filter, and Write with Filter. If the user or program does not have the necessary authorization, a treatable exception occurs. To avoid this, the function module AUTHORITY_CHECK_DATASET can be called before the relevant ABAP statement to check whether the authorization exists.
    Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved
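The following ABAP report is an added example, not part of the SAP documentation extract above: it calls AUTHORITY_CHECK_DATASET for the current user and program before OPEN DATASET, and catches the treatable S_DATASET exception separately from an operating-system failure reported via sy-subrc. The file name and report name are constructed; the constant sabc_act_write (type pool SABC) and the exception classes CX_SY_FILE_AUTHORITY and CX_SY_FILE_OPEN are assumed to exist as in a standard AS ABAP.

```abap
" Added example, not part of the SAP documentation extract above.
" Assumed: sabc_act_write from type pool SABC, exception classes
" CX_SY_FILE_AUTHORITY / CX_SY_FILE_OPEN; the file name is constructed.
REPORT zfile_auth_demo.

TYPE-POOLS sabc.

DATA: lv_fname TYPE string VALUE `/tmp/myfiles/export.dat`,
      lv_msg   TYPE string,
      lx_auth  TYPE REF TO cx_sy_file_authority,
      lx_open  TYPE REF TO cx_sy_file_open.

" 1. Pre-check S_DATASET for the current user and program, so a missing
"    authorization is reported before the file is touched.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid
    activity         = sabc_act_write
    filename         = lv_fname
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  WRITE: / 'No S_DATASET write authorization for', lv_fname.
  RETURN.
ENDIF.

" 2. Open the file. A failed S_DATASET check raises the treatable
"    CX_SY_FILE_AUTHORITY; a negative SPTH check is untreatable and cannot
"    be caught here, so the SPTH entries must be correct up front.
TRY.
    OPEN DATASET lv_fname FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
    IF sy-subrc <> 0.
      " Operating-system level failure: the OS user of the AS ABAP lacks rights.
      WRITE: / 'OPEN DATASET failed, sy-subrc =', sy-subrc.
      RETURN.
    ENDIF.
    TRANSFER `constructed sample line` TO lv_fname.
    CLOSE DATASET lv_fname.
    WRITE: / 'File written:', lv_fname.
  CATCH cx_sy_file_authority INTO lx_auth.
    lv_msg = lx_auth->get_text( ).
    WRITE: / 'Authorization exception:', lv_msg.
  CATCH cx_sy_file_open INTO lx_open.
    lv_msg = lx_open->get_text( ).
    WRITE: / 'Open exception:', lv_msg.
ENDTRY.
```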







