Greetings everyone,
As far as I know, users with access to SE38 can run any ABAP program that is not assigned to an authorization group (and does not have an authorization check in the code, I guess). My understanding is that this is a security hole in SAP systems which has always been highlighted in SAP security literature.
I was raising this issue to our basis administrator and we ran a small test as follows:
We created a test user and gave him only the following access:
S_TCODE
    SE38
S_PROGRAM
    activity: Submit
    Auth: *
When we tried to execute programs that have no authorization group assigned with this user, we were NOT able to; we got a message saying "You have no authorization to execute the report SE80/SE38".
How can this be the case? What are the authorizations necessary to be able to run programs not assigned to authorization groups through SE38?
Your prompt response is highly appreciated.
Many thanks in advance
Issam