The authorization for the authorization object S_TCODE is not checked
"The authorization for the authorization object S_TCODE is not checked" warnings appear in the ABAP Test Cockpit (ATC) checks for secure ABAP coding, run against ABAP programs in SAP development systems. ATC results are a good starting point for identifying code vulnerabilities and re-coding your existing ABAP developments into more secure programs.
Authority-Check Object S_TCODE
When I execute Code Inspector, I can see the following item classified under Information.
The authorization for the authorization object S_TCODE is not checked.
Double-click the message text to jump to the ABAP code line that triggered the Code Inspector finding.
set parameter id 'AUN' field p_st_sel-value.
call transaction 'VA03' and skip first screen.
It is a best practice to check whether the user is authorized to call the SAP transaction (VA03 in this case) before actually launching it.
So a better way to write the same task in ABAP is:
authority-check object 'S_TCODE'
  id 'TCD' field 'VA03'.
if sy-subrc = 0.
  set parameter id 'AUN' field p_st_sel-value.
  call transaction 'VA03' and skip first screen.
else.
  message i001 with text-e26. " not authorized
endif.
Applying this ABAP code block (authority-check for object S_TCODE) wherever you launch an SAP transaction with the CALL TRANSACTION command will produce a clean Code Inspector output.
Call Transaction with Authority-Check
If the above code modification does not solve the problem, use the CALL TRANSACTION command with the WITH AUTHORITY-CHECK addition as follows:
set parameter id 'AUN' field rs_selfield-value.
call transaction 'VA03' with authority-check and skip first screen.
The CALL TRANSACTION statement above, used with the WITH AUTHORITY-CHECK addition, passes the ATC (ABAP Test Cockpit) checks for code vulnerability.
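With WITH AUTHORITY-CHECK, a failed check does not set sy-subrc as the explicit AUTHORITY-CHECK statement does; it raises the exception CX_SY_AUTHORIZATION_ERROR, which ends in a runtime error if nothing catches it. The following is an added example, not code from the original page, showing the call wrapped in TRY ... CATCH; the report name and the parameter p_vbeln are hypothetical.

```abap
REPORT z_show_sales_order.  " hypothetical report name

PARAMETERS p_vbeln TYPE vbak-vbeln OBLIGATORY.  " hypothetical input field

START-OF-SELECTION.
  " Pre-fill the order number field of VA03.
  SET PARAMETER ID 'AUN' FIELD p_vbeln.

  TRY.
      " The statement itself checks the user's start authorization.
      CALL TRANSACTION 'VA03' WITH AUTHORITY-CHECK AND SKIP FIRST SCREEN.
    CATCH cx_sy_authorization_error INTO DATA(lx_auth).
      " Missing authorization: show a message instead of a short dump.
      DATA(lv_text) = lx_auth->get_text( ).
      MESSAGE lv_text TYPE 'I'.
  ENDTRY.
```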