Channel: SCN : All Content - Security

How safe is S_PROGRAM?


Dear all,

 

I need to restrict user access to certain technical programs where standard authorization objects are not applicable. Assigning authorization groups in the program attributes via RSCSAUTH combined with roles featuring the necessary S_PROGRAM authorization seems to be the way to go. However, I'm wondering whether this is a 100% waterproof protection, considering that no further AUTHORITY-CHECK statements appear in the code and all roles are carefully constructed to not include sloppy asterisk logic.

 

I have tested the following program execution methods and found the appropriate traces in ST01:

 

- SA38, SE38, SC38, SE80, SUB%
- transaction and area menu
- SUBMIT from other programs
- .sap shortcut on desktop
- job scheduling

 

Are there more ways of executing a program?

Have you heard of any loopholes in the S_PROGRAM protection, especially regarding RFC calls?

 

Many thanks

 

Thomas

