Automatic Authorization Checks
The following authorization checks take place automatically when data is accessed:
Authorization Check in the Operating System
From the point of view of the operating system on the
host computer of a AS Instance, all files are accessed from
AS ABAP. As a consequence, the user of the operating system that creates an instance of the
AS ABAP AS Instance must
have the authority to read and write to all files and directories that are handled by the ABAP file
interface. If this authorization does not exist, the file interface statements can only be partially
carried out, or not at all. If a statement cannot be executed because of lack of authorization in the operating system, the return value
sy-subrc is set to not equal to 0.
Authorization Checks for Special Files
Every time a PSE file (file with the extension .pse for a Personal Security Environment) is accessed, an automatic authorization check for the current user is performed with the value "01" for the field ACTVT of the authorization object S_RZL_ADM of the system administrator.
Authorization Object S_DATASET
An authorization check is performed for the current user each time a file is opened or deleted using the following:
Also, the current program is executed using the predefined authorization object S_DATASET. This authorization object contains the authorization fields PROGRAM for the program names, FILENAME for the opened files, and ACTVT with the activities Delete, Read, Write, Read with Filter, and Write with Filter. If the user or program does not have the necessary authorization, a handleable exception of the class CX_SY_FILE_AUTHORITY is raised. To avoid this, the function module AUTHORITY_CHECK_DATASET can be called before the relevant ABAP statement to check whether the authorization exists.
In the authorization check with the authorization object S_DATASET, the physical file name used in the statements above and the values of the authorization field FILENAME are subject to a literal comparison. Any relative paths specified are not transformed to absolute paths. To avoid unexpected results, it is best to specify only absolute paths in physical file names.
Database Table SPTH and Authorization Object S_PATH
An automatic check is made when the following statements access files:
This check is made on entries in the database tables SPTH. The entries in the database table SPTH control the general read and write accesses from ABAP programs to files and whether files should be backed up or not.
In the database table SPTH, reads and writes can be forbidden on all files specified absolutely or relatively, regardless of the authorization objects. For the remaining files (those that are generally allowed to be accessed for read or write according to the database table SPTH), authorization checks can be carried out on the basis of authorization objects. In the database table SPTH, authorization groups from the table SPTHB (texts in SPTHT, shared view V_SPT) for program-independent authorization checks can be defined. The following table shows the columns of the database table SPTH. If the check on the database table SPTH has a negative result, a handleable exception of the class CX_SY_FILE_AUTHORITY is raised.
|PATH||Absolute or relative path specified for directory names or file names. The content specified inthe other columns of this row applies to all the files of the AS Instance that are best described by the entry in this column.|
|SAVEFLAG||The value "X" in this column can be evaluated by backups. The ABAP runtime environment does not itself make any backups.|
|FS_NOREAD||If this column contains the value "X", the files specified in thecolumn PATH cannot be accessed from ABAP. This setting overrides the setting in the columns FS_NOWRITE and FS_BRGRU as well as the authorization check on the authorization object S_DATASET.|
|FS_NOWRITE||If this column contains the value "X", writes cannot be performedon the files specified in the column PATH from ABAP. This setting overrides the setting in the column FS_BRGRU as well as the authorization check on the authorization object S_DATASET.|
|FS_BRGRU||In this column, an authorization group can be specified that is defined in the table SPTHB.The files of multiple rows can be grouped together in this way. When the database table SPTH is evaluated,an authorization check for the current user is made against the authorization object S_PATH (which containsan authorization field FS_BRGRU and an authorization field ACTVT with the possible values "03"(Display), "02" (Change), "A6" (Displaywith Addition
... <P=name> ...
When evaluated, a placeholder is replaced by the value of the profile parameter specified in name or by the current client ID. The possible values for name are specified in the documentation of the table SPTH.
When a file is accessed using the statements
OPEN DATASET and
DELETE DATASET, a
physical file name
is used. When the content of the database table SPTH is transformed, a check is made to see whether
the physical file name starts with an entry in the column PATH and the row with the longest matching path is used. Before the check, a specified path in the physical file name is standardized as follows:
- Any ../ segments are removed. For example, a path specified as /tmp/sub1/../sub2/file is transformed to /tmp/sub2/file.
- If the operating system is not an MS Windows operating system, the / characters are converted to \ characters and all letters are changed to uppercase letters.
If no matching path is specified in the column PATH, the row is used in which the column PATH contains the entry "*". If this entry does not exist either, no automatic authorization check is made.
The character "*" in the column PATH is relevant only if it is the only character entered here. When specified within paths, is subject to literal comparisons and is not used as a wildcard character.
- In comparison to the authorization check using the authorization object S_DATASET (see above), an authorization check using the authorization object S_PATH is independent of the ABAP program in which it occurs.
- Paths specified in the column PATH should usually exist in a standardized form.
- When the path specified is standardized to a physical file name, any relative paths specified are not transformed to absolute paths. Any links and any other changeable information are not resolved.
- The comparison rule for a path specified in the column PATH with a physical file name used to access a file is both literal and (due to the check on whether the initial segment matches) generic too. The following aspects should be noted to avoid unexpected results:
- The character "*" only has a special function if it is the only character in the column PATH.
- The table SPTH should always contain an entry with the value "*" for the column PATH. This entry is used whenever no other entries match.
- The names of directories should always be closed with the character "/". If this is not the case, a path specified as "/tmp" in the column PATH specifies all files and directories that start with "/tmp" (like "/tmpxxx") and not just the directory "/tmp/".
- Any path specified in the column PATH is not unique. It can contain hard links and soft links. Mount points, network paths, and similar entries can also be specified. This means the following must be noted:
- A combination of paths specified in the column PATH with values "X" in the columns FS_NOREAD and FS_NOWRITE defines non-user-specific blacklists of forbidden paths. The access rights are not necessarily unique, which makes them difficult to delimit sufficiently.
- A combination of paths specified in the column PATH with authorization groups in the column FS_BRGRU defines whitelists of valid paths for authorized users. In this case, the lack of uniqueness of the access rights is not critical.
- Unlike in an authorization check using the authorization object S_PATH, checks made on the columns FS_NOREAD and FS_NOWRITE are not made as part of the general authorization concept and none of the associated log entries are written.
- For compatibility reasons, even empty values are accepted for the activity when the authorization
object S_PATH is checked, which means that files can be opened using the addition
- The column SAVEFLAG, used for backups, should only be used together with a value in another column, preferably FS_BRGRU. If not, no authorization check is made on files covered by the path specified in PATH.
The table SPTH is filled as follows:
These entries have the following effects:
- Every user can make reads and writes on files in the directory /dir_open and its subdirectories, since no restrictions are entered.
- Only users with an authorization for the authorization group UWRK can access files in the directory /tmp/sub/data/work/ and its subdirectories.
- Only users with an authorization for the authorization group UDAT can access files in the directory /tmp/sub/data/ and its subdirectories (with the exception of /tmp/sub/data/work/). Instead, an authorization for the authorization group UWRK is required for /tmp/sub/data/work/.
- Users with an authorization for the authorization group UPRE can access not just those files in the directory /tmp/sub whose names start with prefix but also all files in subdirectories whose names start with /tmp/sub/prefix. If restricted access to files in a subdirectory /tmp/sub/prefix is required, the entry made in PATH must be closed using "/".
- User with an authorization for the authorization group ROOT can access files in any directory, as long as the physical file name is specified with "/" at the start or is absolute.
- Users with an authorization for the authorization group SUPR can access files in any directories specified as relative directories as long as the directories are not specified with "/" at the start.
The table SPTH is filled as follows:
The entries have the following properties:
- The entries in the first row apply to all fields on the AS Instance except for those in the paths /, /tmp/, and their subdirectories.
- The entries in the second row apply to all fields on the AS Instance in the path / except for the files in the path /tmp and its subdirectories.
- The entries in the third row apply to all fields on the AS Instance in the path /tmp except for the files in the path /tmp/myfiles and its subdirectories.
- The entries in the fourth row apply to the fields in the path /tmp/myfiles and its subdirectories.
The entries dictate that no user can make reads or writes on files specified using relative paths. Users with authorization for the authorization group ROOT can access all files specified using absolute paths except for the files in the path /tmp/myfiles. All users can make both reads and writes on the files in the path /tmp. Only users who have an authorization for the authorization group FILE can make reads and writes on the files in the path /tmp/myfiles. When the table above is applied, this means that the following program lines produce a runtime error for all users except those with authorization for the authorization group ROOT,
DATA fname TYPE string.
fname = `/system/files`.
OPEN DATASET fname FOR OUTPUT IN BINARY MODE.
This configuration forbids the use of any relative paths when files are accessed. This rule is generally only advisable if this behavior is explicitly required.
- All permitted paths should be specified in the table SPTH and associated with the appropriate authorization groups.
- Access to the path specified as "* should also be subject to an authorization group permitting access using any relative paths for authorized users.