

The authorization for the authorization object S_TCODE is not checked


The warning "The authorization for the authorization object S_TCODE is not checked" appears in ABAP Test Cockpit (ATC) checks for secure ABAP coding in development SAP systems and ABAP programs. ATC results are a good starting point for reworking your existing ABAP developments to build more secure programs and identify code vulnerabilities.


Authority-Check Object S_TCODE

When I execute Code Inspector, I can see the following item classified under Information:

The authorization for the authorization object S_TCODE is not checked.

Double-click the message text and it will take the developer to the ABAP code line that causes Code Inspector to react.

set parameter id 'AUN' field p_st_sel-value.
call transaction 'VA03' and skip first screen.

It is a best practice to check whether the user is authorized to call the SAP transaction (VA03 in this case) before actually launching it.

So a better way to code the same task in ABAP is:

authority-check object 'S_TCODE'
 id 'TCD' field 'VA03'.
if sy-subrc = 0.
 set parameter id 'AUN' field p_st_sel-value.
 call transaction 'VA03' and skip first screen.
else.
 message i001 with text-e26. " not authorized
endif.

Applying the ABAP code block above (AUTHORITY-CHECK for object S_TCODE) wherever you launch an SAP transaction with the CALL TRANSACTION command produces a clean Code Inspector output.


Call Transaction with Authority-Check

If the above code modification does not solve the problem, use the CALL TRANSACTION command with the WITH AUTHORITY-CHECK addition as follows:

set parameter id 'AUN' field rs_selfield-value .
call transaction 'VA03' with authority-check and skip first screen .

ABAP CALL TRANSACTION code written with the WITH AUTHORITY-CHECK addition passes the ATC (ABAP Test Cockpit) checks for code vulnerability.
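When the user lacks the authorization, CALL TRANSACTION ... WITH AUTHORITY-CHECK raises the handleable exception CX_SY_AUTHORIZATION_ERROR, so the call should be wrapped in TRY ... CATCH. The report below is an added example, not code from the original article; the report name, the local class LCL_SALES_ORDER, the parameter P_VBELN and the message text are assumptions made for illustration.

```abap
REPORT zdemo_va03_authority_check. " hypothetical report name

" Sales document number to display (typed on the sales document header table)
PARAMETERS p_vbeln TYPE vbak-vbeln OBLIGATORY.

CLASS lcl_sales_order DEFINITION FINAL.
  PUBLIC SECTION.
    " Launches VA03 for the given document.
    " Returns abap_true if the transaction was started,
    " abap_false if the authorization check rejected the call.
    CLASS-METHODS display
      IMPORTING iv_vbeln          TYPE vbak-vbeln
      RETURNING VALUE(rv_started) TYPE abap_bool.
ENDCLASS.

CLASS lcl_sales_order IMPLEMENTATION.
  METHOD display.
    rv_started = abap_false.

    " VA03 reads the document number from SPA/GPA parameter AUN
    SET PARAMETER ID 'AUN' FIELD iv_vbeln.

    TRY.
        " The runtime performs the transaction start authorization
        " check itself; no separate AUTHORITY-CHECK statement is needed.
        CALL TRANSACTION 'VA03' WITH AUTHORITY-CHECK
                                AND SKIP FIRST SCREEN.
        rv_started = abap_true.

      CATCH cx_sy_authorization_error.
        " Authorization missing: VA03 was not started.
        " Leave rv_started = abap_false and let the caller
        " decide how to inform the user.
        RETURN.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_sales_order=>display( p_vbeln ) = abap_false.
    " Message text is a constructed sample; use a message class
    " entry or text symbol in productive code.
    MESSAGE 'You are not authorized to display sales orders (VA03).'
      TYPE 'I'.
  ENDIF.
```

Because the denial is returned to the caller instead of ending in a runtime error, the same method can be reused from ALV hotspot or user-command handlers that jump to VA03.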














Copyright © 2004 - 2017 Eralper YILMAZ. All rights reserved.