No 'call transaction' security from inbox?

Dart, Jocelyn jocelyn.dart at sap.com
Mon Jun 30 00:58:38 EDT 2003


Hi Mike,
It definitely should be checking the transaction authority automatically if the user is executing the step under their own authority.  I've never had a problem with this not being checked - if anything the reverse (i.e. it checks it when you don't want it to - the joys of substitution!).  Think you had better take this up with OSS and get a developer to look at it.
Regards,
        Jocelyn Dart
Consultant (SRM, EBP, Workflow)
and co-author of the book
"Practical Workflow for SAP"
SAP Australia
email: jocelyn.dart at sap.com
phone: +61 412 390 267
fax:   +61 2 9935 4880
 
 
 
 
-----Original Message-----
From: Michael Pokraka [mailto:workflow at quirky.me.uk]
Sent: Friday,27 June 2003 6:57 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: No 'call transaction' security from inbox?
 
 
Hi,
Jocelyn - it's a plain call transaction - see my test code below.
 
Phil - it's easy enough to put in an AUTHORITY-CHECK, but the situation is something we've discovered in an existing implementation with a number of flows also including some SAP standard methods.
People can get the wrong task for a variety of reasons, forwarding/substitution is our main concern ... via this 'featurette' any transaction that doesn't do explicit authorization checks is available to anyone.
 
Thanks both for your feedback
Cheers
Mike
 
BEGIN_METHOD DOTRANSACTION CHANGING CONTAINER.
DATA: TRANSACTIONCODE LIKE TSTC-TCODE.
  SWC_GET_ELEMENT CONTAINER 'TransactionCode' TRANSACTIONCODE.
  break-point.
  call transaction transactioncode. "and skip first screen.
 
END_METHOD.
 
 
On Fri, Jun 27, 2003 at 01:30:16AM +0200, Dart, Jocelyn wrote:
> Hmmm - Are you just using CALL TRANSACTION or are you using CALL TRANSACTION USING ???
> Regards,
>         Jocelyn Dart
> Consultant (SRM, EBP, Workflow)
> and co-author of the book
> "Practical Workflow for SAP"
> SAP Australia
> email: jocelyn.dart at sap.com
> phone: +61 412 390 267
> fax:   +61 2 9935 4880
>
>
>
>
> -----Original Message-----
> From: Michael Pokraka [mailto:workflow at quirky.me.uk]
> Sent: Friday,27 June 2003 1:31 AM
> To: SAP-WUG at MITVMA.MIT.EDU
> Subject: No 'call transaction' security from inbox?
>
>
> Hi all,
> Scenario: transaction security based on S_TCODE, 4.6c system. This works well, except when a task does a CALL TRANSACTION as part of a dialog item.
> If an item is executed from the inbox for a transaction which is NOT authorized, it happily ignores the auth check. I've put in a BREAK-POINT just to make sure: it stays in the same user context, the break point is reached, SY-UNAME is what is expected, and debugging reveals exactly nothing. (get to CALL TRANSACTION, hit F5, and it immediately jumps to the transaction's ABAP).
> The same thing executed via SE38 does fail an authorization check.
>
> Any thoughts?
> Cheers
> Mike
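
The explicit AUTHORITY-CHECK mentioned in the thread, applied to the DOTRANSACTION test method, as an added example that is not part of the original messages. The exception number 9001 is an assumption: it has to be defined on the method in the Business Object Builder before the code will activate.

```abap
* Added example: DOTRANSACTION with an explicit S_TCODE check before
* the CALL TRANSACTION. Exception 9001 is an assumed, user-defined
* exception of this method, not something taken from the thread.
BEGIN_METHOD DOTRANSACTION CHANGING CONTAINER.
DATA: TRANSACTIONCODE LIKE TSTC-TCODE.
  SWC_GET_ELEMENT CONTAINER 'TransactionCode' TRANSACTIONCODE.

* Refuse an empty or unknown transaction code before checking anything.
  SELECT SINGLE TCODE FROM TSTC INTO TRANSACTIONCODE
         WHERE TCODE = TRANSACTIONCODE.
  IF SY-SUBRC <> 0.
    EXIT_RETURN 9001 TRANSACTIONCODE SPACE SPACE SPACE.
  ENDIF.

* Check the start authorization of the user executing the work item.
* With forwarding or substitution this is whoever holds the item now,
* which is the case the thread is concerned about.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD TRANSACTIONCODE.
  IF SY-SUBRC <> 0.
*   Not authorized: end the method with an error instead of starting
*   the transaction.
    EXIT_RETURN 9001 TRANSACTIONCODE SPACE SPACE SPACE.
  ENDIF.

  CALL TRANSACTION TRANSACTIONCODE.
END_METHOD.
```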
 