Authorization Checks for Programs and Files


When you access sequential files on the application server using the following statements:

the system automatically checks the user’s authorization against the authorization object S_DATASET.

This object allows you to assign authorization for particular files from particular programs. You can also assign the authorization to use operating system commands as a file filter.

Note

Do not use S_DATASET to control general access rights to files from ABAP, or user-dependent authorization checks. Instead, use table SPTH (see also General Checks for Accessing Files).

The Authorization Object S_DATASET

The object S_DATASET consists of the following fields:

· ABAP program name

Name of the ABAP program from which access is allowed. This allows you to restrict file access to a few programs specifically for that task.

· Activity

The possible values are:

33: Read file normally

34: Write to or delete file normally

A6: Read file with filter (operating system command)

A7: Write to file with filter (operating system command)

· File name

Name of the operating system file. This allows you to restrict the files to which the user has access.

For more information about authorization objects, refer to the Users and Authorizations documentation.

Caution

If the result of the automatic authorization check is negative, a runtime error occurs.

You should therefore check the authorization in your ABAP program before accessing the file using the function module AUTHORITY_CHECK_DATASET.

The Function Module AUTHORITY_CHECK_DATASET

This function module allows you to check whether the user is authorized to access a file before the system tries to open it. This preempts a possible runtime error that can otherwise occur in the automatic authorization check.

The function module has the following import parameters:

· PROGRAM

Name of the ABAP program from which the file is to be opened. If you do not specify a program name, the system assumes the current program.

· ACTIVITY

Access type, with the following possible values:

- READ: Read file

- WRITE: Change file

- READ_WITH_FILTER: Read file using filter functions

- WRITE_WITH_FILTER: Change file using filter functions

- DELETE: Delete file

These values are defined as constants in the type group SABC as follows:

TYPE-POOL SABC .

CONSTANTS:
  SABC_ACT_READ(4)               VALUE 'READ',
  SABC_ACT_WRITE(5)              VALUE 'WRITE',
  SABC_ACT_READ_WITH_FILTER(16)  VALUE 'READ_WITH_FILTER',
  SABC_ACT_WRITE_WITH_FILTER(17) VALUE 'WRITE_WITH_FILTER',
  SABC_ACT_DELETE(6)             VALUE 'DELETE',
  SABC_ACT_INIT(4)               VALUE 'INIT',
  SABC_ACT_ACCEPT(6)             VALUE 'ACCEPT',
  SABC_ACT_CALL(4)               VALUE 'CALL'.

· FILENAME

Name of the file that you want to access.

Example

TYPE-POOLS SABC.

.....

CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
     EXPORTING  PROGRAM          = SY-REPID
                ACTIVITY         = SABC_ACT_READ
                FILENAME         = '/tmp/sapv01'
     EXCEPTIONS NO_AUTHORITY     = 1
                ACTIVITY_UNKNOWN = 2.

......

This function module call finds out whether the current program may access the file ‘/tmp/sapv01’.
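The following report is an added example, not part of the original SAP documentation. It shows the check described above placed in front of the actual file access, so that a missing S_DATASET authorization is handled in the program instead of ending in a runtime error. The report name ZDATASET_AUTH_DEMO and the variable names are hypothetical, and typing the file name on AUTHB-FILENAME is an assumption about the function module's interface in your release.

```abap
REPORT zdataset_auth_demo.  " hypothetical report name

TYPE-POOLS sabc.

* Assumption: the FILENAME parameter is typed on AUTHB-FILENAME.
DATA: gv_file TYPE authb-filename VALUE '/tmp/sapv01',
      gv_line TYPE string.

START-OF-SELECTION.

* Ask for the authorization before the system has to check it itself.
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      program          = sy-repid
      activity         = sabc_act_read
      filename         = gv_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.

* Fail closed: only sy-subrc = 0 continues to the file access.
  CASE sy-subrc.
    WHEN 0.
*     Authorized, continue below.
    WHEN 1.
      WRITE: / 'No S_DATASET authorization to read', gv_file.
      RETURN.
    WHEN OTHERS.
      WRITE: / 'Authorization check failed, SY-SUBRC =', sy-subrc.
      RETURN.
  ENDCASE.

* The automatic S_DATASET check still runs here, but it can no longer
* fail for this user, program, activity and file.
  OPEN DATASET gv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    WRITE: / 'File could not be opened:', gv_file.
    RETURN.
  ENDIF.

  DO.
    READ DATASET gv_file INTO gv_line.
    IF sy-subrc <> 0.
      EXIT.  " end of file
    ENDIF.
    WRITE: / gv_line.
  ENDDO.

  CLOSE DATASET gv_file.
```

Use the same file name variable for the check and for the OPEN DATASET statement, so that the file that was authorized is the file that is opened.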

 

 

 

 
