There are many creative ways, beyond the SAP standard, to manage authorizations.
Let us begin by stating the only recommended way: authorization control using the ABAP statement AUTHORITY-CHECK.
What are the other ways to manage SAP authorization controls? More importantly, why shouldn't you use them?
Among the bad practices, the most widely used method is certainly to create a custom table into which the users are inserted.
Technically, a check is inserted into the program code (of the SAP transaction) that verifies the user's presence in that custom table (often together with other conditions) before the program is allowed to continue.
But why is this not right and what risks does it entail?
So what are the advantages of using custom tables for authorization control?
Unfortunately, there is no unambiguous answer; it depends on how widespread these situations are in the processes.
For a few cases it can be relatively simple; for many, it can even be impossible.
Not so common, but still possible today: inserting the technical names of objects, such as roles, directly into the ABAP code.
For example: if the user has a certain role (identified by its technical name) assigned at that moment (perhaps without even checking the validity period of the assignment), then they can perform a certain operation.
Similar to the previous one, but this time directly on the technical user: if I am using a certain user, then I will be able to perform a certain operation.
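The three bad practices above (custom whitelist table, hard-coded role name, hard-coded user name) side by side with the recommended AUTHORITY-CHECK, as an added example that is not code from the original post. The table ZAUTH_USERS, the role Z_FI_POSTING, the user BATCH_FI and the authorization object Z_POST (with field ACTVT, maintained in SU21) are hypothetical names; AGR_USERS is the standard table of role assignments.

```abap
*&---------------------------------------------------------------------*
* Added example (not from the original post). ZAUTH_USERS (key BNAME),
* role Z_FI_POSTING, user BATCH_FI and authorization object Z_POST are
* hypothetical names chosen for illustration.
*&---------------------------------------------------------------------*
REPORT zauth_check_demo.

DATA: lv_bname TYPE xubname,
      lv_role  TYPE agr_name.

START-OF-SELECTION.

* --- Bad practice 1: user whitelisted in a custom table ----------------
* The check is invisible to SU53, to the authorization trace (ST01) and
* to role administration; nobody sees who "has" this authorization.
  SELECT SINGLE bname FROM zauth_users INTO lv_bname
    WHERE bname = sy-uname.
  IF sy-subrc = 0.
    WRITE: / 'Custom table: access granted'.
  ENDIF.

* --- Bad practice 2: hard-coded role name ------------------------------
* AGR_USERS is read directly; the validity dates FROM_DAT / TO_DAT are
* ignored, which is exactly the gap described in the post.
  SELECT SINGLE agr_name FROM agr_users INTO lv_role
    WHERE uname    = sy-uname
      AND agr_name = 'Z_FI_POSTING'.
  IF sy-subrc = 0.
    WRITE: / 'Hard-coded role: access granted'.
  ENDIF.

* --- Bad practice 3: hard-coded technical user --------------------------
* Anyone who can act as BATCH_FI (job step, RFC, debugging) passes.
  IF sy-uname = 'BATCH_FI'.
    WRITE: / 'Hard-coded user: access granted'.
  ENDIF.

* --- Recommended: AUTHORITY-CHECK against an authorization object -------
* The object and its field values are assigned through roles in PFCG,
* the check respects the validity of the assignment, it is recorded by
* the system trace and a failure is visible to the user in SU53.
  AUTHORITY-CHECK OBJECT 'Z_POST'
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to post' TYPE 'E'.
  ENDIF.
  WRITE: / 'AUTHORITY-CHECK: access granted'.
```

The three "bad" blocks all reach their WRITE statement without leaving any trace in the standard authorization tooling; only the last block can be audited, traced and remediated from the role side without touching the code.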
What does this mean? Here is a real scenario.
The user must run a certain functionality in background mode. When the activity is submitted, the program replaces the user with a technical user.
The result is that the activity is carried out by a technical user rather than by the user of the person who actually performed the operation.
In the case of accounting records, for example?
How can you distinguish an action actually carried out by the technical user from one performed by a real user through the technical user? During an audit this can be very important.
A specific audit at the level of custom-developed ABAP programs can bring out the cases described above.
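One way to run such an audit over the custom code itself, as an added example that is not code from the original post: a report that reads the source of every Z* and Y* program through READ REPORT and flags the patterns discussed above (hard-coded sy-uname comparisons, direct reads of AGR_USERS or of a custom whitelist table, and submissions under another user). The table name ZAUTH_USERS in the pattern list is a placeholder for whatever whitelist table exists in a given system; the regular expressions are assumptions about how such code is typically written and the hits need manual review.

```abap
*&---------------------------------------------------------------------*
* Added example (not from the original post). Scans custom programs for
* code patterns that bypass AUTHORITY-CHECK. The patterns are heuristic;
* ZAUTH_USERS is a placeholder for a site-specific whitelist table.
*&---------------------------------------------------------------------*
REPORT zauth_source_audit.

TYPES: BEGIN OF ty_hit,
         progname TYPE progname,
         line     TYPE i,
         pattern  TYPE string,
         source   TYPE string,
       END OF ty_hit.

DATA: lt_progs    TYPE STANDARD TABLE OF progname,
      lt_source   TYPE STANDARD TABLE OF string,
      lt_patterns TYPE STANDARD TABLE OF string,
      lt_hits     TYPE STANDARD TABLE OF ty_hit,
      ls_hit      TYPE ty_hit,
      lv_line     TYPE i.

FIELD-SYMBOLS: <lv_prog> TYPE progname,
               <lv_src>  TYPE string,
               <lv_pat>  TYPE string.

START-OF-SELECTION.

* Regular expressions (matched case-insensitively) for the practices
* described in the post.
  APPEND `SY-UNAME\s*(=|EQ|<>|NE)\s*'` TO lt_patterns. " hard-coded user
  APPEND `FROM\s+AGR_USERS`            TO lt_patterns. " role checked by name
  APPEND `FROM\s+ZAUTH_USERS`          TO lt_patterns. " custom whitelist table (placeholder)
  APPEND `SUBMIT\s+.*\sUSER\s+`        TO lt_patterns. " run report under another user
  APPEND `JOB_SUBMIT|JOB_OPEN`         TO lt_patterns. " background job API
  APPEND `AUTHCKNAM`                   TO lt_patterns. " job step user field

* Custom programs only: reports, includes, module pools, function groups,
* subroutine pools and class pools (TRDIR-SUBC).
  SELECT name FROM trdir INTO TABLE lt_progs
    WHERE ( name LIKE 'Z%' OR name LIKE 'Y%' )
      AND subc IN ('1', 'I', 'M', 'F', 'S', 'K').

  LOOP AT lt_progs ASSIGNING <lv_prog>.
    READ REPORT <lv_prog> INTO lt_source.
    IF sy-subrc <> 0.
      CONTINUE.
    ENDIF.
    lv_line = 0.
    LOOP AT lt_source ASSIGNING <lv_src>.
      lv_line = lv_line + 1.
      " skip empty lines and full-line comments; trailing " comments
      " are deliberately not stripped, so review hits by hand
      CHECK strlen( <lv_src> ) > 0.
      CHECK <lv_src>(1) <> '*'.
      LOOP AT lt_patterns ASSIGNING <lv_pat>.
        FIND REGEX <lv_pat> IN <lv_src> IGNORING CASE.
        IF sy-subrc = 0.
          ls_hit-progname = <lv_prog>.
          ls_hit-line     = lv_line.
          ls_hit-pattern  = <lv_pat>.
          ls_hit-source   = <lv_src>.
          APPEND ls_hit TO lt_hits.
        ENDIF.
      ENDLOOP.
    ENDLOOP.
  ENDLOOP.

* One output line per hit: program, line number, pattern, source line.
  LOOP AT lt_hits INTO ls_hit.
    WRITE: / ls_hit-progname, ls_hit-line, ls_hit-pattern, ls_hit-source.
  ENDLOOP.
```

A hit on the job or SUBMIT patterns is where to look for the scenario above: the user named in the job step (AUTHCKNAM) or after SUBMIT ... USER is the one that will appear on the accounting records, and the program source is the only place that links it back to the person who actually triggered the activity.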
Blog post originally translated from: https://www.aglea.com/blog/autorizzazioni-sap-10-cose-da-non-fare