Broken Authorization in ABAP
ABAP provides authorization methods that the programmer can implement to allow the user administrator to determine which users can execute a function or access an object.
Authorization Check
Explicit authorization checks must be enforced to verify that the current user has the required authorization, by checking the fields of an authorization object against the user master record.
The authorization is checked automatically when a transaction is started manually in the SAP GUI or via LEAVE TO TRANSACTION or SUBMIT, but it must be performed explicitly with AUTHORITY-CHECK in the code.
The result of AUTHORITY-CHECK is stored in the system field sy-subrc, which must always be evaluated afterwards.
Transactions invoked via CALL TRANSACTION must also be protected, either by adding the WITH AUTHORITY-CHECK addition or by preceding the call with an appropriate AUTHORITY-CHECK or AUTHORITY_CHECK_TCODE check.
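The following report shows the unprotected and protected variants of the checks described above side by side; it is an added example, not code from the original page. The authorization object Z_SALESDOC (with fields BUKRS and ACTVT), the table ZTSALES and the transaction ZSALES_DISP are constructed names.

```abap
REPORT z_auth_check_demo.
" Constructed example: Z_SALESDOC is a hypothetical customer authorization object
" with fields BUKRS (company code) and ACTVT (activity); ZTSALES is a hypothetical
" table and ZSALES_DISP a hypothetical transaction.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

" Vulnerable: starting the report was authorized (S_TCODE / S_PROGRAM), but
" nothing verifies that the user may read data for THIS company code.
FORM display_unprotected.
  SELECT * FROM ztsales INTO TABLE @DATA(lt_docs) WHERE bukrs = @p_bukrs.
  cl_demo_output=>display( lt_docs ).
ENDFORM.

" Hardened: explicit AUTHORITY-CHECK, sy-subrc evaluated before any data access.
FORM display_protected.
  AUTHORITY-CHECK OBJECT 'Z_SALESDOC'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.                    " 03 = display
  IF sy-subrc <> 0.
    " 4 = no authorization; other values are technical errors (e.g. object not
    " in the user master). Any non-zero value must abort the operation.
    DATA(lv_msg) = |No authorization to display company code { p_bukrs }|.
    MESSAGE lv_msg TYPE 'E'.
  ENDIF.
  SELECT * FROM ztsales INTO TABLE @DATA(lt_docs) WHERE bukrs = @p_bukrs.
  cl_demo_output=>display( lt_docs ).
ENDFORM.

" CALL TRANSACTION does not check S_TCODE implicitly. Either request the check
" with WITH AUTHORITY-CHECK (a failure raises a catchable exception) ...
FORM call_transaction_protected.
  TRY.
      CALL TRANSACTION 'ZSALES_DISP' WITH AUTHORITY-CHECK AND SKIP FIRST SCREEN.
    CATCH cx_sy_authorization_error.
      MESSAGE 'Not authorized to start transaction ZSALES_DISP' TYPE 'E'.
  ENDTRY.
ENDFORM.

" ... or, on releases without that addition, check explicitly beforehand.
FORM call_transaction_legacy.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING  tcode  = 'ZSALES_DISP'
    EXCEPTIONS ok     = 0
               not_ok = 4
               OTHERS = 8.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized to start transaction ZSALES_DISP' TYPE 'E'.
  ENDIF.
  CALL TRANSACTION 'ZSALES_DISP' AND SKIP FIRST SCREEN.
ENDFORM.
```

The protected form treats every non-zero sy-subrc as a denial rather than testing only for 4, so a missing or misconfigured authorization object fails closed.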
References
MITRE - CWE 285 - Improper Authorization
OWASP Top 10 2021 - Broken Access Control