
The authorization for the authorization object S_TCODE is not checked


"The authorization for the authorization object S_TCODE is not checked" is a warning raised by the ABAP Test Cockpit (ATC) checks for secure ABAP coding in SAP development systems. To build more secure ABAP programs and identify code vulnerabilities, the ATC results are a good starting point for reworking existing ABAP developments.


Authority-Check Object S_TCODE

When I execute the Code Inspector, I can see the following item classified under Information:

The authorization for the authorization object S_TCODE is not checked.


Double-clicking the message text takes the developer to the ABAP code line that caused the Code Inspector to react.

set parameter id 'AUN' field p_st_sel-value.
call transaction 'VA03' and skip first screen.

It is a best practice to check whether the user is authorized to call the SAP transaction (VA03 in this case) before actually launching it.

A better way to implement the same task in ABAP is:

authority-check object 'S_TCODE'
 id 'TCD' field 'VA03'.
if sy-subrc = 0.
 " the user may start VA03: pass the sales document number and call it
 set parameter id 'AUN' field p_st_sel-value.
 call transaction 'VA03' and skip first screen.
else.
 " any non-zero sy-subrc means the check failed; do not call the transaction
 message i001 with text-e26. " not authorized
endif.

Applying an AUTHORITY-CHECK for object S_TCODE, as in the code block above, wherever an SAP transaction is launched with the CALL TRANSACTION statement produces a clean Code Inspector output.

ABAP code using Authority-Check for SAP transaction code


Call Transaction with Authority-Check

If the above code modification does not solve the problem, use the CALL TRANSACTION statement with the WITH AUTHORITY-CHECK addition as follows:

set parameter id 'AUN' field rs_selfield-value.
" the addition performs the S_TCODE check as part of the call itself
call transaction 'VA03' with authority-check and skip first screen.

The following ABAP CALL TRANSACTION code with the WITH AUTHORITY-CHECK addition passes the ATC (ABAP Test Cockpit) checks for code vulnerabilities:

Call Transaction with Authority Check in ABAP Code ATC check
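The two approaches above, explicit AUTHORITY-CHECK and CALL TRANSACTION WITH AUTHORITY-CHECK, combined into a small reusable launcher that also reports why a check failed. This is an added example, not code from the original post; the class, method and parameter names and the use of type vbeln_va for the sales document number are assumptions.

```abap
" Added example: reusable launcher for CALL TRANSACTION with an S_TCODE check.
" Names (lcl_tcode_launcher, iv_tcode, iv_order) are assumptions.
CLASS lcl_tcode_launcher DEFINITION.
  PUBLIC SECTION.
    " Variant 1: explicit AUTHORITY-CHECK, then plain CALL TRANSACTION
    CLASS-METHODS launch_with_explicit_check
      IMPORTING iv_tcode TYPE sy-tcode
                iv_order TYPE vbeln_va
      RETURNING VALUE(rv_called) TYPE abap_bool.
    " Variant 2: CALL TRANSACTION ... WITH AUTHORITY-CHECK (where available)
    CLASS-METHODS launch_with_builtin_check
      IMPORTING iv_tcode TYPE sy-tcode
                iv_order TYPE vbeln_va
      RETURNING VALUE(rv_called) TYPE abap_bool.
ENDCLASS.

CLASS lcl_tcode_launcher IMPLEMENTATION.
  METHOD launch_with_explicit_check.
    rv_called = abap_false.
    AUTHORITY-CHECK OBJECT 'S_TCODE'
      ID 'TCD' FIELD iv_tcode.
    " sy-subrc 4 = user lacks the authorization; other non-zero values
    " (e.g. 12 = object not in the user master) point to configuration
    " problems, but every non-zero result is treated as "not authorized"
    CASE sy-subrc.
      WHEN 0.
        SET PARAMETER ID 'AUN' FIELD iv_order.
        CALL TRANSACTION iv_tcode AND SKIP FIRST SCREEN.
        rv_called = abap_true.
      WHEN 4.
        MESSAGE |Not authorized for transaction { iv_tcode }| TYPE 'I'.
      WHEN OTHERS.
        MESSAGE |Authorization check for { iv_tcode } failed, rc { sy-subrc }| TYPE 'I'.
    ENDCASE.
  ENDMETHOD.

  METHOD launch_with_builtin_check.
    rv_called = abap_false.
    SET PARAMETER ID 'AUN' FIELD iv_order.
    TRY.
        " checks S_TCODE and the transaction's own authorization object
        " (from SE93) like a direct start would; failure raises an exception
        CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK AND SKIP FIRST SCREEN.
        rv_called = abap_true.
      CATCH cx_sy_authorization_error.
        MESSAGE |Not authorized for transaction { iv_tcode }| TYPE 'I'.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.
```

Call `lcl_tcode_launcher=>launch_with_builtin_check( iv_tcode = 'VA03' iv_order = p_st_sel-value )` from the selection screen handler; the returned flag tells the caller whether the transaction was actually started.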





Copyright © 2004 - 2021 Eralper YILMAZ. All rights reserved.