General Checks for File Access
When you access sequential files on the application server using the following statements
the system automatically checks against table SPTH. This table regulates general read and write access from ABAP to files, and whether files should be included in security procedures.
In table SPTH, you can prevent read or write access to generically-specified files, independently of the R/3 authorization concept. For all other files (that is, those for which read and write access is allowed according to table SPTH), you can use the R/3 authorization concept to check authorizations. To enable you to do this, you can specify authorization groups in table SPTH for program-independent user authorization checks.
SPTH contains the following columns for this purpose:
This column contains generic filenames. This means that the files on the application server to which an entry in this column applies, retain the attributes specified in the remaining columns of the line.
Suppose SPTH contains the following three entries in the column PATH:
*
/tmp
/tmp/myfile
The entries are then valid as follows:
– First line: All files on the application server apart from the path ‘/tmp’
– Second line: All files on the application server in the path ‘/tmp’ apart from the file ‘/tmp/myfile’
– Third line: The application server file ‘/tmp/myfile’
This column is a flag that you set using ‘X’.
If the flag is set, the files specified in the PATH column are included in security procedures.
This column is a flag that you set using ‘X’.
If the flag is set, the files specified in the PATH column may not be accessed at all from ABAP. This flag overrides all user authorizations. If you set FS_NOREAD, FS_NOWRITE is also automatically set.
If the flag is not set, it is possible to access the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and
This column is a flag that you set using ‘X’.
If the flag is set, the files specified in the PATH column may not be accessed for changing from ABAP. This flag overrides all user authorizations.
If the flag is not set, it is possible to change the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and
This column contains the names of authorization groups.
An authorization group corresponds to the first field (RS_BRGRU) of the authorization object S_PATH. You can use the second field of the authorization object S_PATH (ACTVT) to check whether the user has authorization to read (value 3) or change (value 2) the files in he authorization group.
Entries in FSBRGRU specify groups of files on the application server. You can control the access to files by assigning authorizations for the authorization object S_PATH.
Unlike authorization checks using the authorization object S_DATASET (see
If there is no entry in the column FSBRGRU, the files in the column PATH are not assigned to an authorization group, and there is no authorization check against the authorization object S_PATH.
If the automatic check for a file access fails, a runtime error occurs.
Suppose the table SPTH contains the following entries:
PATH |
SAVEFLAG |
FS_NOREAD |
FS_NOWRITE |
FSBRGRU |
* |
X |
X |
||
/tmp |
||||
/tmp/files |
X |
FILE |
With these settings, ABAP programs cannot access any files on the application server apart from those in the path ‘(/tmp’).
All ABAP programs can read from and write to the files in that path.
Only users with authorizations for the authorization group FILE can use ABAP program that read from or write to files in the path ‘/tmp/files’. These files are also included in the security procedure.
With the above table entries, the following program extract would cause a runtime error for any user:
DATA: FNAME(60).
FNAME = '/system/files'.
OPEN DATASET FNAME FOR OUTPUT.
