ABAP Keyword Documentation → ABAP - Reference → Processing External Data → ABAP File Interface → Authorization for File Access
Automatic Authorization Checks
The following authorization checks take place automatically during data access:
- Checks in the Operating System
- Program-Independent Checks on Access Rights
- Authorization Check for Special Files
- Authorization Checks for Users and Programs for Individual Files
Other versions: 7.31 | 7.40 | 7.54
Checks in the Operating System
From the point of view of the application server's operating system, all file accesses are carried out by the
AS ABAP. As a consequence, the user of an operating system in an
AS ABAP must have the authority
to read and write to all files and directories that are handled by the ABAP file interface. If this
authorization does not exist, the file interface statements can only be partially carried out, or not
at all. If a statement cannot be executed because of lack of authorization in the operating system, the return value
sy-subrc is set to not equal to 0.
Program-Independent Checks on Access Rights
For access to files using the statements OPEN
DELETE DATASET, a verification check of the entry in the database table
SPTH is carried out automatically. The entries in the database table SPTH control the general read and write accesses from ABAP programs to files and whether files should be backed up or not.
In the database table SPTH, read and write accesses can be generally forbidden for generic, specifiable files, independent of the authorization objects. For the remaining files (those that are generally allowed to be accessed for read or write according to the database table SPTH), authorization checks can be carried out on the basis of authorization objects. In the database table SPTH, authorization groups from the table SPTHB (texts in SPTHT, shared view V_SPT) for program-independent authorization checks can be defined. The following table shows the columns of the database table SPTH. If the check on the database table SPTH has a negative result, a non-handleable exception is raised.
|PATH||Column for generic file names. The attributes specified in the other columns of this row apply to all the files of the application server that are best described by the entry in this column.|
|SAVEFLAG||If this column contains the value "X", the files entered in the PATH are included in the backup procedure.|
|FS_NOREAD||If this column contains the value "X", the files specified in thePATH column cannot be accessed from ABAP. This setting overrides the setting in the columns FS_NOWRITE and FS_BRGRU as well as the authorization check on the authorization object S_DATASET.|
|FS_NOWRITE||If this column contains the value "X", the files specified in thePATH column cannot be write-accessed from ABAP. This setting overrides the setting in the column FS_BRGRU as well as the authorization check on the authorization object S_DATASET.|
|FS_BRGRU||In this column, it is possible to define an authorization group using a free choice of name. Thefiles of multiple rows can be grouped together in this way. During the evaluation of the database tableSPTH, an authorization check is carried out for the current user against the authorization object S_PATHthat contains two authorization fields RS_BRGRU and ACTVT. In this way, access to the files specifiedin PATH can be granted independently from the user. If no name is entered, no authorization check is carried out against the authorization object S_PATH.|
In comparison to the authorization check using the authorization object S_DATASET (see below), an authorization check using the authorization object S_PATH is independent of the ABAP program in which it occurs. Furthermore, the check is not limited to a single file, but includes all the generically specified files of the PATH column.
The table SPTH is filled as follows:
The entries in the
- first row apply to all files of the application server except for those in the path /tmp,
- second row apply to all files of the application server in the path /tmp, except for the files in the path /tmp/myfiles,
- third row apply to the files in the path /tmp/myfiles.
These entries specify that no ABAP program can access any files on the application server, except for the files in the path /tmp. All ABAP programs have both read and write access to the files in the path /tmp. Only users who have an authorization for the authorization group FILE can use ABAP programs that have read and write access to the files in the path /tmp/myfiles. The files in this paths are also designed for backup purposes. Using the table above, the following program lines produce a runtime error for all users:
DATA fname TYPE string.
fname = `/system/files`.
OPEN DATASET fname FOR OUTPUT IN BINARY MODE.
Authorization Checks for Special Files
Every time a PSE file (file with the extension .pse for a Personal Security Environment) is accessed, an automatic authorization check for the current user is performed with the value "01" for the field ACTVT of the authorization object S_RZL_ADM of the system administrator.
Authorization Checks for Users and Programs for Individual Files
ReadWriteRead with Filter Write with Filter