No 'call transaction' security from inbox?

Michael Pokraka workflow at quirky.me.uk
Mon Jun 30 06:44:18 EDT 2003


Hi Jocelyn,
I think you've hit the nail on the head. As it's perfectly reproducible and quite obviously incorrect, I will log this with OSS.
Thanks for your input,
Cheers
Mike
 
On Mon, Jun 30, 2003 at 06:58:38AM +0200, Dart, Jocelyn wrote:
> Hi Mike,
> It definitely should be checking the transaction authority automatically if the user is executing the step under their own authority.  I've never had a problem with this not being checked - if anything the reverse (i.e. it checks it when you don't want it to - the joys of substitution!).  Think you had better take this up with OSS and get a developer to look at it.
> Regards,
>         Jocelyn Dart
> Consultant (SRM, EBP, Workflow)
> and co-author of the book
> "Practical Workflow for SAP"
> SAP Australia
> email: jocelyn.dart at sap.com
> phone: +61 412 390 267
> fax:   +61 2 9935 4880
>
>
>
>
> -----Original Message-----
> From: Michael Pokraka [mailto:workflow at quirky.me.uk]
> Sent: Friday,27 June 2003 6:57 PM
> To: SAP-WUG at MITVMA.MIT.EDU
> Subject: Re: No 'call transaction' security from inbox?
>
>
> Hi,
> Jocelyn - it's a plain call transaction - see my test code below.
>
> Phil - it's easy enough to put in an AUTHORITY-CHECK, but the situation is something we've discovered in an existing implementation with a number of flows also including some SAP standard methods.
> People can get the wrong task for a variety of reasons, forwarding/substitution is our main concern ... via this 'featurette' any transaction that doesn't do explicit authorization checks is available to anyone.
>
> Thanks both for your feedback
> Cheers
> Mike
>
> BEGIN_METHOD DOTRANSACTION CHANGING CONTAINER.
> DATA: TRANSACTIONCODE LIKE TSTC-TCODE.
>   SWC_GET_ELEMENT CONTAINER 'TransactionCode' TRANSACTIONCODE.
>   break-point.
>   call transaction transactioncode. "and skip first screen.
>
> END_METHOD.
>
>
> On Fri, Jun 27, 2003 at 01:30:16AM +0200, Dart, Jocelyn wrote:
> > Hmmm - Are you just using CALL TRANSACTION or are you using CALL TRANSACTION USING ???
> > Regards,
> >         Jocelyn Dart
> > Consultant (SRM, EBP, Workflow)
> > and co-author of the book
> > "Practical Workflow for SAP"
> > SAP Australia
> > email: jocelyn.dart at sap.com
> > phone: +61 412 390 267
> > fax:   +61 2 9935 4880
> >
> >
> >
> >
> > -----Original Message-----
> > From: Michael Pokraka [mailto:workflow at quirky.me.uk]
> > Sent: Friday,27 June 2003 1:31 AM
> > To: SAP-WUG at MITVMA.MIT.EDU
> > Subject: No 'call transaction' security from inbox?
> >
> >
> > Hi all,
> > Scenario: transaction security based on S_TCODE, 4.6c system. This works well, except when a task does a CALL TRANSACTION as part of a dialog item.
> > If an item is executed from the inbox for a transaction which is NOT authorized, it happily ignores the auth check. I've put in a BREAK-POINT just to make sure: it stays in the same user context, the break point is reached, SY-UNAME is what is expected, and debugging reveals exactly nothing. (get to CALL TRANSACTION, hit F5, and it immediately jumps to the transaction's ABAP).
> > The same thing executed via SE38 does fail an authorization check.
> >
> > Any thoughts?
> > Cheers
> > Mike
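
The explicit AUTHORITY-CHECK mentioned in the thread, applied to the test method quoted above. This is an added example, not code from the original posters. It assumes the object type program already contains INCLUDE <OBJECT>. for the macros, and exception 9001 is a hypothetical code that would have to be defined on the object type.

```abap
BEGIN_METHOD DOTRANSACTION CHANGING CONTAINER.
DATA: TRANSACTIONCODE LIKE TSTC-TCODE.

  " Read the transaction code passed in the method container.
  SWC_GET_ELEMENT CONTAINER 'TransactionCode' TRANSACTIONCODE.

  " An empty code must never reach CALL TRANSACTION.
  IF TRANSACTIONCODE IS INITIAL.
    " 9001 is a hypothetical exception defined on the object type.
    EXIT_RETURN 9001 TRANSACTIONCODE SPACE SPACE SPACE.
  ENDIF.

  " Explicit start authorization check for the user executing the
  " work item (SY-UNAME), i.e. the agent it was forwarded to or the
  " substitute, not the originally intended agent.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD TRANSACTIONCODE.

  IF SY-SUBRC <> 0.
    " Not authorized: end the method with an exception so the
    " workflow can react, instead of starting the transaction.
    EXIT_RETURN 9001 TRANSACTIONCODE SPACE SPACE SPACE.
  ENDIF.

  " Reached only when the S_TCODE check succeeded.
  CALL TRANSACTION TRANSACTIONCODE.

END_METHOD.
```

The check runs in the method itself, so it applies regardless of whether the item is started from the inbox or the method is tested directly.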
 

