General Checks for File Access

Excerpt from the document BC ABAP Programming, Part 3 (pages 106 - 109)

When you access sequential files on the application server using the following statements

• OPEN DATASET

• TRANSFER

• DELETE DATASET

the system automatically checks against table SPTH. This table regulates general read and write access from ABAP to files, and whether files should be included in security procedures.

In table SPTH, you can prevent read or write access to generically-specified files, independently of the R/3 authorization concept. For all other files (that is, those for which read and write access is allowed according to table SPTH), you can use the R/3 authorization concept to check authorizations. To enable you to do this, you can specify authorization groups in table SPTH for program-independent user authorization checks.

SPTH contains the following columns for this purpose:

• PATH

This column contains generic filenames. This means that the files on the application server to which an entry in this column applies, retain the attributes specified in the remaining columns of the line.

Suppose SPTH contains the following three entries in the column PATH:

    *
    /tmp
    /tmp/myfile

The entries are then valid as follows:

– First line: All files on the application server apart from the path ‘/tmp’

– Second line: All files on the application server in the path ‘/tmp’ apart from the file ‘/tmp/myfile’

– Third line: The application server file ‘/tmp/myfile’

• SAVEFLAG

This column is a flag that you set using ‘X’.

If the flag is set, the files specified in the PATH column are included in security procedures.

• FS_NOREAD

This column is a flag that you set using ‘X’.

If the flag is set, the files specified in the PATH column may not be accessed at all from ABAP. This flag overrides all user authorizations. If you set FS_NOREAD, FS_NOWRITE is also automatically set.

Authorization Checks for Programs and Files (December 1999, page 415)

If the flag is not set, it is possible to access the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files [Page 411]).

• FS_NOWRITE

This column is a flag that you set using ‘X’.

If the flag is set, the files specified in the PATH column may not be accessed for changing from ABAP. This flag overrides all user authorizations.

If the flag is not set, it is possible to change the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files [Page 411]).

• FSBRGRU

This column contains the names of authorization groups.

An authorization group corresponds to the first field (RS_BRGRU) of the authorization object S_PATH. You can use the second field of the authorization object S_PATH (ACTVT) to check whether the user has authorization to read (value 3) or change (value 2) the files in the authorization group.

Entries in FSBRGRU specify groups of files on the application server. You can control the access to files by assigning authorizations for the authorization object S_PATH.

Unlike authorization checks using the authorization object S_DATASET (see Authorization Checks for Particular Programs and Files [Page 411]), the authorization check against the authorization object S_PATH is independent of the ABAP program used to access the files. Furthermore, the check is not restricted to individual files. Instead, it extends to all of the generically-specified files in the PATH column.

If there is no entry in the column FSBRGRU, the files in the column PATH are not assigned to an authorization group, and there is no authorization check against the authorization object S_PATH.

If the automatic check for a file access fails, a runtime error occurs.

Suppose the table SPTH contains the following entries:

    PATH        SAVEFLAG  FS_NOREAD  FS_NOWRITE  FSBRGRU
    *                     X          X
    /tmp
    /tmp/files  X                                FILE

With these settings, ABAP programs cannot access any files on the application server apart from those in the path ‘/tmp’.

All ABAP programs can read from and write to the files in that path.

Only users with authorizations for the authorization group FILE can use ABAP programs that read from or write to files in the path ‘/tmp/files’. These files are also included in the security procedure.

With the above table entries, the following program extract would cause a runtime error for any user:

    * '/system/files' is covered only by the '*' entry, for which
    * FS_NOREAD (and therefore FS_NOWRITE) is set, so no authorization can help.
    DATA: FNAME(60).
    FNAME = '/system/files'.
    OPEN DATASET FNAME FOR OUTPUT.
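To make the precedence and the check order concrete, the following Python model of the SPTH lookup and the S_PATH check is an added example written for this page; it is not SAP code and does not reproduce the kernel's implementation. It assumes that PATH values are plain generic prefixes ('/tmp' also covers '/tmpdir'), that '*' covers everything, that the longest matching PATH wins, that a file no row covers is unregulated, and it represents a user's S_PATH authorizations as (authorization group, ACTVT) pairs using the values 3 (read) and 2 (change) given above. The table is the one from the example above, and the final check repeats the '/system/files' case.

```python
"""Model of the SPTH / S_PATH file-access check (added example, not SAP code)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# S_PATH activity values as stated in the text: 3 = read, 2 = change.
ACTVT_READ = 3
ACTVT_CHANGE = 2


@dataclass(frozen=True)
class SpthEntry:
    """One row of table SPTH: PATH plus its four attribute columns."""
    path: str
    saveflag: bool = False    # file is included in security procedures
    fs_noread: bool = False   # no ABAP access at all; overrides every authorization
    fs_nowrite: bool = False  # no changing access from ABAP; overrides authorizations
    fsbrgru: str = ""         # authorization group checked via S_PATH; "" = no check


class FileAccessError(Exception):
    """Stands in for the ABAP runtime error raised when the automatic check fails."""


def _specificity(entry: SpthEntry) -> int:
    # '*' is the least specific row; otherwise a longer prefix is more specific.
    return -1 if entry.path == "*" else len(entry.path)


def matching_entry(spth: Iterable[SpthEntry], filename: str) -> Optional[SpthEntry]:
    """Return the most specific SPTH row covering filename, or None.

    Assumption: PATH is a generic prefix, so '/tmp' also covers '/tmpdir/x'.
    End an entry with '/' if only the directory itself should be covered.
    """
    best: Optional[SpthEntry] = None
    for entry in spth:
        if entry.path != "*" and not filename.startswith(entry.path):
            continue
        if best is None or _specificity(entry) > _specificity(best):
            best = entry
    return best


def check_access(spth: Iterable[SpthEntry], filename: str, write: bool,
                 user_auths: Set[Tuple[str, int]]) -> Optional[SpthEntry]:
    """Apply the SPTH flags, then the S_PATH check; raise FileAccessError on failure."""
    entry = matching_entry(spth, filename)
    if entry is None:
        return None  # assumption: a file no row covers is not regulated by SPTH
    if entry.fs_noread:  # FS_NOREAD implies FS_NOWRITE and ignores all user authorizations
        raise FileAccessError(f"{filename}: FS_NOREAD set for PATH {entry.path!r}")
    if write and entry.fs_nowrite:
        raise FileAccessError(f"{filename}: FS_NOWRITE set for PATH {entry.path!r}")
    if entry.fsbrgru:  # only rows with an authorization group trigger S_PATH
        actvt = ACTVT_CHANGE if write else ACTVT_READ
        if (entry.fsbrgru, actvt) not in user_auths:
            raise FileAccessError(
                f"{filename}: S_PATH check failed, need group {entry.fsbrgru} with ACTVT {actvt}")
    return entry


def access_allowed(spth: Iterable[SpthEntry], filename: str, write: bool,
                   user_auths: Set[Tuple[str, int]]) -> bool:
    """Boolean wrapper around check_access for callers that do not want the exception."""
    try:
        check_access(spth, filename, write, user_auths)
    except FileAccessError:
        return False
    return True


# The SPTH contents of the example above (constructed from the text).
EXAMPLE_SPTH = (
    SpthEntry("*", fs_noread=True, fs_nowrite=True),
    SpthEntry("/tmp"),
    SpthEntry("/tmp/files", saveflag=True, fsbrgru="FILE"),
)

if __name__ == "__main__":
    # Even a user holding every FILE authorization cannot open /system/files for output.
    everything = {("FILE", ACTVT_READ), ("FILE", ACTVT_CHANGE)}
    try:
        check_access(EXAMPLE_SPTH, "/system/files", write=True, user_auths=everything)
    except FileAccessError as err:
        print("runtime error:", err)
    print("/tmp/report.txt writable without any S_PATH authorization:",
          access_allowed(EXAMPLE_SPTH, "/tmp/report.txt", True, set()))
    print("/tmp/files/out.txt readable with FILE/3 only:",
          access_allowed(EXAMPLE_SPTH, "/tmp/files/out.txt", False, {("FILE", 3)}))
```

The order of the checks is the security-relevant point: FS_NOREAD and FS_NOWRITE are evaluated before any authorization is consulted, so no S_PATH assignment can open a path that SPTH has closed, while a row without FSBRGRU grants every program and user the access its flags leave open. When auditing SPTH, also remember that the prefix match makes '/tmp' cover sibling names such as '/tmpdir'.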
