
User access control of ABAP reports


There is an ABAP report which, on the production system, should be protected by access control to prevent execution by an unauthorized person.

What is the proper way to limit and control access to an ABAP report and its tables to authorized persons only?


Solution

  • A comprehensive approach would consist of two parts:

    1. A proper configuration of the entire system, limiting the key transactions on the target system, e.g. SE38 and many others. This is usually performed by the basis team or system owner, based on SAP security guidelines.

    2. An implementation of the authorization check inside the report itself. That is the duty of the ABAP developer.

    Below, I'm focusing on part #2, performed by the ABAP developer. To ensure reliable access control, we need:

    • to verify that the person has permission for the report itself;

    • to check that the person has the required access to the tables.

    Since in most production environments direct report execution via SE38 is blocked, we should follow these steps:

    1. Create a transaction, e.g. MY_TCODE, for the report via SE93.

    2. Assign the MY_TCODE to the report.

    3. Add an AUTHORITY-CHECK OBJECT 'S_TCODE' to the report for the transaction MY_TCODE.

    4. Add an AUTHORITY-CHECK OBJECT 'S_TABU_NAM' to the report for the required table, e.g. MY_TABLE, according to the wanted activity.

    5. Add to the user profile a role with permission to execute MY_TCODE via SU01.

    As a result, the authorization logic will behave as follows:

    • If you run MY_TCODE, SAP verifies that you have the permission from step #5.

    • If you run the report, the report executes an AUTHORITY-CHECK OBJECT 'S_TCODE' for the specified MY_TCODE according to step A.

    • If steps "A" and "B" are OK, the report executes an AUTHORITY-CHECK OBJECT 'S_TABU_NAM' for the required table.

    The final ABAP-code:

    " check the access-right for the tcode
    AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'MY_TCODE'.
    IF sy-subrc <> 0.
      MESSAGE 'Access denied to the TCODE MY_TCODE' TYPE 'E'.
      EXIT.
    ENDIF.
    
    " check write permission for the table
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'ACTVT' FIELD '02'
    ID 'TABLE' FIELD 'MY_TABLE'.
    IF sy-subrc <> 0.
      MESSAGE 'Access denied to the table MY_TABLE' TYPE 'E'.
      EXIT.
    ENDIF.
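The same two checks folded into a complete report skeleton, as an added example that is not the answerer's code: the activity passed to S_TABU_NAM is derived from the mode the user selects (display '03' or change '02'), both checks run in one FORM before any database access, and a failure aborts processing at START-OF-SELECTION. The report name ZMY_REPORT and the P_CHANGE checkbox are constructed; MY_TCODE and MY_TABLE are the placeholders from the answer above.

```abap
REPORT zmy_report.

" Constructed selection screen: default is display-only, changes must be requested explicitly
PARAMETERS p_change AS CHECKBOX.

CONSTANTS: gc_tcode TYPE sy-tcode VALUE 'MY_TCODE',   " placeholder from the answer
           gc_table TYPE tabname  VALUE 'MY_TABLE'.   " placeholder from the answer

" Sets cv_ok = abap_true only if the user may run the transaction AND
" use the table with the given activity. Both checks live in one place
" so no code path can reach the table with only one of them done.
FORM check_access USING    iv_actvt TYPE activ_auth
                  CHANGING cv_ok    TYPE abap_bool.
  cv_ok = abap_false.

  " Transaction authorization: the same check fires whether the report was
  " started via MY_TCODE or another way, so the role from SU01 is always required
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " Table authorization with the activity the report is actually going to perform
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'ACTVT' FIELD iv_actvt
    ID 'TABLE' FIELD gc_table.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  cv_ok = abap_true.
ENDFORM.

START-OF-SELECTION.
  DATA: lv_actvt TYPE activ_auth,
        lv_ok    TYPE abap_bool.

  " Map the selected mode to the S_TABU_NAM activity: 03 = display, 02 = change
  IF p_change = abap_true.
    lv_actvt = '02'.
  ELSE.
    lv_actvt = '03'.
  ENDIF.

  PERFORM check_access USING lv_actvt CHANGING lv_ok.
  IF lv_ok = abap_false.
    " An E message in START-OF-SELECTION aborts processing; nothing below runs
    MESSAGE |Access denied: { gc_tcode } / { gc_table } activity { lv_actvt }| TYPE 'E'.
  ENDIF.

  " Only reached when both checks passed: all SELECT/UPDATE on MY_TABLE belongs below this line
```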