Solution : https://service.sap.com/sap/support/notes/16669 (SAP Service marketplace login required)
Summary :
When executing reports via SA38 or SE38, or using the SUBMIT command, an issue arises as no authorization check occurs if no authorization group is specified in the report's attributes. This exposure allows unrestricted report execution. The remediation involves specifying an authorization group in the report attributes, ensuring that authorization checks, managed by either the logical databases at runtime or by inherited statuses within the reporting tree, are enforced. As of Release 3.0, SA38's function will integrate into a reporting tree system, delivering better-controlled access through structured authorization checks at each node of the reporting tree, enhancing security measures without altering individual report attributes.
Key words :
trdiradditional-descriptorsbranch additional key words reporting tree, addition sap standard reports, install comprehensive authorization protection, customer- defined reports, abap runtime environment, reporting tree, authorization check, authorization group, user authorization, authorization checks
Related Notes :
826994 | RACHECK1: entering authorization group as security |
338177 | Authorization check when executing programs |
33154 | Report authorizations without SSCR |
7642 | Authorization protection of ABAP/4 programs |