authorisation check

Question: hi experts

how can I create restrictions for a Z programme which internally calls 2 standard programmes (VL01N & VL10D)? The requirement is that the user should not have access to VL01N & VL10D, but can create deliveries from the Z programme.

Regards

ARUN

Answer:
These V transactions will have their own auth checks that will require values to be met in the profile to proceed.

You need a new Z program that does what you want, because you can't use profiles to determine what is checked.

Answer:
I think the best place to ask this would be in the ABAP forum because this is going to be coded for you, right?

They will get around the VL* tcodes, but the user might as well if you don't talk to your developer.

Answer:
This is sad. You shouldn't go to an ABAP forum for security advice. That is what we do, or it should be. That is why security is in such a sad state. Almost no one in security knows anything but a collection of esoteric rules that they don't understand the reasons for.

Answer:
Arun,

Let the users execute this program but don't give them any authority (S_TCODE) for the two transactions called. You'll have to give them other authorizations but not the transaction code. Then assign your new program to a transaction and give your users that transaction.

Ok, that is a technical solution. Now for the practical side. Why would you let someone use a collection of screens from one starting point but not another? Are you doing anything to make sure they can't use your new program to do what they could have done if they went in directly to the transactions? Before you go too far down the path on this, ask yourself what is at risk and ask yourself if the structure of your program inherently addresses the risk. If it does, my suggestion may be useful. If not, then you're just kidding yourself.

Answer:
And then again not.

The question is about a Z programme. It is indeed a security question concerning vl01n and vl10d, but how would you go around implementing security in a Z programme, if your developers have not implemented any auth checks in the code?

I totally agree with your concerns, but if your developers do not implement auth checks in their code, then security has no effect at all.

/Blast
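What the "don't give them S_TCODE for VL01N/VL10D, gate the Z program instead" approach above and Blast's question about auth checks in Z code look like together, as an added example that is not part of the thread and not code from any of its posters. It assumes a custom authorization object Z_DELIVCR (fields VSTEL and ACTVT) that security defines and the developer checks, a custom transaction ZVL01W pointing at the report, and batch-input program/dynpro/field names and the save OK-code that are placeholders to be recorded with SHDB on your own release. The wrapper checks its own object, re-checks the standard shipping-point object V_LIKP_VST that VL01N itself checks, and only then calls VL01N. The reason the role can omit VL01N from S_TCODE is that a classic CALL TRANSACTION does not check S_TCODE for the called transaction unless the caller/callee pair is flagged in SE97 (table TCDCOUPLES); newer releases add a WITH AUTHORITY-CHECK addition, so confirm the behaviour on your system before relying on it.

```abap
*&---------------------------------------------------------------------*
*& Report ZVL_CREATE_WRAPPED  (added example, not from the thread)
*& Assumptions: custom auth object Z_DELIVCR (VSTEL, ACTVT), custom
*& transaction ZVL01W for this report, batch-input screen/field names
*& and the save OK-code recorded with SHDB (the ones below are placeholders).
*&---------------------------------------------------------------------*
REPORT zvl_create_wrapped.

PARAMETERS: p_vbeln TYPE vbeln_va OBLIGATORY,   " sales order to deliver
            p_vstel TYPE vstel    OBLIGATORY.   " shipping point

DATA: lt_bdc TYPE TABLE OF bdcdata,
      ls_bdc TYPE bdcdata,
      lt_msg TYPE TABLE OF bdcmsgcoll.

START-OF-SELECTION.
* Gate 1: the wrapper's own object, restricted by shipping point.
* The role grants ZVL01W in S_TCODE plus Z_DELIVCR; it does NOT
* grant VL01N or VL10D in S_TCODE.
  AUTHORITY-CHECK OBJECT 'Z_DELIVCR'
    ID 'VSTEL' FIELD p_vstel
    ID 'ACTVT' FIELD '01'.           " 01 = create
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No authorization to create deliveries for'
                          p_vstel 'via ZVL01W'.
  ENDIF.

* Gate 2: the standard object VL01N checks for the shipping point.
* VL01N checks it again inside the call; checking it up front fails
* cleanly before batch input starts and makes the dependency explicit.
  AUTHORITY-CHECK OBJECT 'V_LIKP_VST'
    ID 'VSTEL' FIELD p_vstel
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Missing V_LIKP_VST for shipping point' p_vstel.
  ENDIF.

* Batch-input map for the VL01N initial screen. Program, dynpro, field
* names and the OK-code are assumptions; record the real ones with SHDB.
  PERFORM bdc_dynpro USING 'SAPMV50A' '4001'.
  PERFORM bdc_field  USING 'LIKP-VSTEL'  p_vstel.
  PERFORM bdc_field  USING 'LV50C-VBELN' p_vbeln.
  PERFORM bdc_field  USING 'BDC_OKCODE'  '/00'.
  PERFORM bdc_dynpro USING 'SAPMV50A' '1000'.
  PERFORM bdc_field  USING 'BDC_OKCODE'  '=SICH_T'.   " save (assumed)

* Classic CALL TRANSACTION performs no S_TCODE check for VL01N unless
* the pair is coupled in SE97/TCDCOUPLES, which is why the user's role
* can omit VL01N. The checks coded inside VL01N (V_LIKP_VST and the
* rest) still run against the user's authorizations.
  CALL TRANSACTION 'VL01N' USING lt_bdc
       MODE 'N' UPDATE 'S' MESSAGES INTO lt_msg.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Delivery creation failed, see batch-input log'.
  ENDIF.

FORM bdc_dynpro USING iv_prog iv_dynp.
  CLEAR ls_bdc.
  ls_bdc-program  = iv_prog.
  ls_bdc-dynpro   = iv_dynp.
  ls_bdc-dynbegin = 'X'.
  APPEND ls_bdc TO lt_bdc.
ENDFORM.

FORM bdc_field USING iv_fnam iv_fval.
  CLEAR ls_bdc.
  ls_bdc-fnam = iv_fnam.
  ls_bdc-fval = iv_fval.
  APPEND ls_bdc TO lt_bdc.
ENDFORM.
```

The role for these users then contains S_TCODE = ZVL01W, Z_DELIVCR limited to the shipping points the wrapper is meant to serve, and the V_* objects VL01N needs at runtime, but no S_TCODE value for VL01N or VL10D. The point made in the answer above still stands: if Z_DELIVCR is handed out with VSTEL = * and the wrapper adds no restriction of its own, the user can do through ZVL01W exactly what VL01N would have let them do, and the only thing removed is a menu entry.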

Answer:
They may not need to implement any checks in the code. And if they do, they better be the ones security tells them to implement. If you leave them to their own devices they will likely screw it up. And given the rates for security consultants vs. developers if they know what they are doing security-wise they are not writing ABAP they are doing security consulting.

Answer:
As a security consultant I agree totally

I think what Tarryn means (my interpretation) is that how can you answer a question about security in a Z programme?

/Blast

Answer:
Are you doing anything to make sure they can't use your new program to do what they could have done if they went in directly to the transactions?

That's it + extd chk o/i.

Developers could do anything, both checked or unchecked. But what YOU want is secure functionality. Talk to them and design it with them.

This will presumably be a new concept for them and you, and they will behave... as if they have been debugged... and you might feel as if you want to donate your past 5 years' salary to child welfare... for a while.

But eventually you'll settle into it.

PS: You may also need to learn a foreign language!!!

Tarr

Answer:
This is sad. You shouldn't go to an ABAP forum for security advice.

Yes. Dream on.
Copyright © 2007 - 2008 www.jt77.com