Rule Definition
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
Remediation
Use "WITH AUTHORITY-CHECK" addition with "call transaction" statements.
Violation Code Sample
Example 1: The following code calls a transaction that can execute any ABAP program.
DATA: carrid TYPE spfli-carrid,
connid TYPE spfli-connid.
...
SET PARAMETER ID: 'CAR' FIELD carrid,
'CON' FIELD connid.
TRY:
CALL TRANSACTION 'FLIGHT_TA'. // violation
CATCH cx_sy_authorization_error.
RETURN.
ENDTRY.
Fixed Code Sample
Example 1: The following code calls a transaction that can execute any ABAP program.
DATA: carrid TYPE spfli-carrid,
connid TYPE spfli-connid.
...
SET PARAMETER ID: 'CAR' FIELD carrid,
'CON' FIELD connid.
TRY:
CALL TRANSACTION 'FLIGHT_TA' WITH AUTHORITY-CHECK. // Violation FIXED
CATCH cx_sy_authorization_error.
RETURN.
ENDTRY.
Reference
https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm#!ABAP_ADDITION_1@1@
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.