
Broken Authorization in ABAP


ABAP provides authorization methods that the programmer implements so that the user administrator can decide which users may execute a function or access an object.

Authorization Check

Explicit authorization checks must be enforced to verify that the current user holds the required authorization: the check compares the field values of an authorization object against the authorizations stored in the user master record.

Authorization is checked automatically when a transaction is started manually in the SAP GUI or via LEAVE TO TRANSACTION or SUBMIT, but elsewhere it must be performed explicitly with AUTHORITY-CHECK in the code.

The result of AUTHORITY-CHECK is stored in the system field sy-subrc, which must always be evaluated; a check whose result is ignored protects nothing.

Transactions invoked with CALL TRANSACTION must also be protected, either by adding the WITH AUTHORITY-CHECK clause or by preceding the call with the appropriate AUTHORITY-CHECK or AUTHORITY_CHECK_TCODE check.
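The points above, as an added example that is not part of the original page: a form that runs AUTHORITY-CHECK but ignores sy-subrc, beside the hardened form that evaluates it, followed by the two protected ways of starting a transaction. ZDOC_VIEW (fields ZDOCTYPE and ACTVT) and the transaction ZDOC_DISPLAY are assumed custom names, not SAP-delivered objects.

```abap
REPORT z_secureflag_authz_example.
" Constructed: ZDOC_VIEW is an assumed custom authorization object with the
" fields ZDOCTYPE and ACTVT; ZDOC_DISPLAY is an assumed custom transaction.

" Vulnerable: AUTHORITY-CHECK runs, but sy-subrc is never evaluated, so every
" user reaches the privileged code path regardless of the check result.
FORM display_insecure USING iv_doctype TYPE char4.
  AUTHORITY-CHECK OBJECT 'ZDOC_VIEW'
    ID 'ZDOCTYPE' FIELD iv_doctype
    ID 'ACTVT'    FIELD '03'.    " activity 03 = display
  WRITE: / 'Displaying document type', iv_doctype.
ENDFORM.

" Hardened: the requested field values are compared with the authorizations
" in the user master record, and only sy-subrc = 0 proceeds.
FORM display_secure USING iv_doctype TYPE char4.
  AUTHORITY-CHECK OBJECT 'ZDOC_VIEW'
    ID 'ZDOCTYPE' FIELD iv_doctype
    ID 'ACTVT'    FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display this document type' TYPE 'E'.
  ENDIF.
  WRITE: / 'Displaying document type', iv_doctype.
ENDFORM.

" Hardened transaction start: WITH AUTHORITY-CHECK adds the transaction
" authorization check that a plain CALL TRANSACTION skips.
FORM start_transaction_secure.
  TRY.
      CALL TRANSACTION 'ZDOC_DISPLAY' WITH AUTHORITY-CHECK.
    CATCH cx_sy_authorization_error.
      MESSAGE 'No authorization for this transaction' TYPE 'E'.
  ENDTRY.
ENDFORM.

" Same protection via the function module named on the page, checked
" explicitly before the call.
FORM start_transaction_checked.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = 'ZDOC_DISPLAY'
    EXCEPTIONS
      ok     = 0
      not_ok = 1
      OTHERS = 2.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this transaction' TYPE 'E'.
  ENDIF.
  CALL TRANSACTION 'ZDOC_DISPLAY'.
ENDFORM.
```

A MESSAGE of type E inside a report form terminates the current processing step, so the privileged code after a failed check is never reached.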
