[71] in sapr3-soft
Re: Security problems
daemon@ATHENA.MIT.EDU (Phil Badger)
Mon Feb 24 13:37:16 1997
To: sapr3-soft@MIT.EDU
Date: 23 Feb 1997 08:09:12 -0500
From: "Phil Badger" <Philip_Badger@techsol.com> (by way of SAP Moderator <sap-request@realtimeusa.com>)
Arnaud BOHELAYby way of SAP Moderator <Bohelay@imaginet.fr> wrote:
> Hi !
>
> I wanted to know how the security system of SAP Works : Is an access only
> restricted to ***some*** transactions . Is there an other way to set
> accounts ?
>
> Thanks for the answer.
>
>
> Arnaud BOHELAY.
Bonjour Arnaud!
The SAP authorization concept is a BIG topic and an issue for every
organization that plans to implement SAP. Unfortunately, it is not always
given the time or attention it needs.
There are two ways to assign authorizations within a transaction. For each
transaction, you can assign a single authorization check, which you
accomplish through SM31 (table TSTC) or SE93. This is occasionally
suitable, but if you need to regulate data access based on a number of
criteria (for example, document types, company codes, accounts, etc) you
need to use the AUTHORITY-CHECK function within the ABAP/4 program.
You will find that there are some transactions which don't have an
authorization object within TSTC. Some rely on the AUTHORITY-CHECK; others
don't have any security whatsoever, allowing anyone to run them.
I hope this information is useful for you,
Regards,
Phil Badger
Philip_Badger@techsol.com
