Show TOC

General Checks for File AccessLocate this document in the navigation structure

 General Checks for File Access

When you access sequential files on the application server using the following statements

  • OPEN DATASET
  • TRANSFER
  • DELETE DATASET

the system automatically checks against table SPTH. This table regulates general read and write access from ABAP to files, and whether files should be included in security procedures.

In table SPTH, you can prevent read or write access to generically-specified files, independently of the SAP authorization concept. For all other files (that is, those for which read and write access is allowed according to table SPTH), you can execute authorization checks with the SAP authorization concept. To enable you to do this, you can specify authorization groups in table SPTH for program-independent user authorization checks.

SPTH contains the following columns for this purpose:

  • PATH

    This column contains generic filenames. This means that the files on the application server to which an entry in this column applies retain the attributes specified in the remaining columns of this line.

    Tip

    Suppose SPTH contains the following three entries in the column PATH:

    *

    /tmp

    /tmp/myfile 

    The entries are then valid as follows:

-    First line: All files on the application server apart from the path '/tmp'

-    Second line: All files on the application server in the path '/tmp' apart from the file '/tmp/myfile'

-    Third line: The application server file '/tmp/myfile'

  • SAVEFLAG

    This column is a flag that you set using 'X'.

    If the flag is set, the files specified in the PATH column are included in security procedures.

  • FS_NOREAD

    This column is a flag that you set using 'X'.

    If the flag is set, this means that no access to the files specified in the PATH column is allowed from ABAP. This flag overrides all user authorizations. If you set FS_NOREAD, FS_NOWRITE is also automatically set.

    If the flag is not set, it is possible to access the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files ).

  • FS_NOWRITE

    This column is a flag that you set using 'X'.

    If the flag is set, this means that no write access is allowed to the files specified in the PATH column. This flag overrides all user authorizations.

    If the flag is not set, it is possible to change the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files ).

  • FSBRGRU

    This column contains the names of authorization groups.

    An authorization group corresponds to the first field (RS_BRGRU) of the authorization object S_PATH. You can use the second field of the authorization object S_PATH (ACTVT) to check whether the user has authorization to read (value 3) or change (value 2) the files in he authorization group.

    Entries in FSBRGRU specify groups of files on the application server. You can control the access to files by assigning authorizations for the authorization object S_PATH.

    Note

    Unlike authorization checks using the authorization object S_DATASET (see Authorization Checks for Particular Programs and Files ), the authorization check against the authorization object S_PATH is independent of the ABAP program used to access the files. Furthermore, the check is not restricted to individual files. Instead, it extends to all of the generically-specified files in the PATH column.

    If there is no entry in the column FSBRGRU, the files in the column PATH are not assigned to an authorization group, and there is no authorization check against the authorization object S_PATH.

    Caution

    If the automatic check for a file access fails, a runtime error occurs.

    Tip

    Suppose the table SPTH contains the following entries:

    PATH

    SAVEFLAG

    FS_NOREAD

    FS_NOWRITE

    FSBRGRU

    *

    X

    X

    /tmp

    /tmp/files

    X

    FILE

    With these settings, ABAP programs cannot access any files on the application server apart from those in the path '(/tmp').

    All ABAP programs can read from and write to the files in that path.

    Only users with authorizations for the authorization group FILE can use ABAP program that read from or write to files in the path '/tmp/files'. These files are also included in the security procedure.

    With the above table entries, the following program extract would cause a runtime error for any user:

    DATA: fname(60) TYPE c.

    fname = '/system/files'.

    OPEN DATASET fname FOR OUTPUT.