Show TOC

 Restrict Authorizations for Executing External CommandsLocate this document in the navigation structure

You can execute external commands using the transaction SM49.

SAP Systems contain detailed information for each external command, including the operating system command itself, the pre-defined parameters in their full length, and information about whether additional parameters are permitted.

Before the SAP System executes an external command, the additional parameters are checked. If impermissible characters are found, the command is not executed and the SECURITY_RISK exception is raised.

Users who execute external commands need to have the authorization object S_LOG_COM in their user master records with the following fields defined:

  • ·        Command      (name of external command)
  • ·        Opsystem      (operating system for which the command was defined)
  • ·        Host  (symbolic hostname of the target system)

The fields Command and Opsystem are used to uniquely identify the external command, while Host defines the authorizations for executing commands on certain target computers.

Be restrictive with assigning this authorization.

The authorization S_LOGCOM_ALL (based on the authorization object: S_LOG_COM), which allows for the execution of all commands, is included in the standard delivery in the authorization profiles S_A.SYSTEM and S_A.ADMIN.

Note

To call external commands in your own developments, you should use the function module COMMAND_EXECUTE instead of CALL_SYSTEM. With COMMAND_EXECUTE, you can enforce a more extensive authorization check by including authorization profile arguments in the parameter ADDITIONAL_PARAMETERS. In addition, unlike CALL_SYSTEM, COMMAND_EXECUTE does not use RFC for its purposes. For more information, see Programming with External Commands.