ABAP Keyword Documentation → ABAP - Security Notes → Further Security Risks
Insufficient Authorization Checks
Adequate authorization checks are an important part of secure ABAP programming. In many statements, an appropriate authorization check is performed implicitly, for example:
- In
CALL TRANSACTION
(with the addition WITH AUTHORITY-CHECK) and inLEAVE TO TRANSACTION
.
- When an authorization
group is created for the called program in
SUBMIT
.
- Both these instances uses the automatic authorization checks in the ABAP file interface.
There are, however, many critical statements where no implicit authorization checks are performed, for example:
CALL TRANSACTION
without the additionWITH AUTHORITY-CHECK
(and if the table TCDCOUPLES does not contain any appropriate entries).
SUBMIT
for programs without authorization groups
- SQL reads performed on database tables.
Any places in a program that a user can reach without sufficient authorizations and where no implicit
authorization check takes place must be secured explicitly using the statement AUTHORITY-CHECK
and the result of the check analyzed carefully.
A prerequisite for both implicit and explicit authorization checks is that components such as authorizations, authorization objects, authorization objects, and so on are defined. Care must also be taken to set the check indicator correctly, to enable all required checks to take place.
Other versions:
7.31 | 7.40 | 7.54
Example
Checks explicitly whether the current user can create temporary programs. This check could be used to secure the ABAP command injections example.
ID 'DEVCLASS' FIELD '$TMP'
ID 'OBJTYPE' FIELD 'PROG'
ID 'OBJNAME' DUMMY
ID 'P_GROUP' DUMMY
ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
LEAVE PROGRAM.
ENDIF.