Skip the Authority Check with the ABAP Debugger Script
This is my third post on practical uses of the ABAP Debugger Script. You can find the first one at How to Create a Watchpoint for a Field Symbol in the ABAP Debugger and the second at Tracing a Program with the ABAP Debugger Script.
Sometimes programs have complicated authorization checks, and we may not have the authorization to do certain things while testing. When this has happened to me in the past, I created a breakpoint on the ABAP command AUTHORITY-CHECK. When the program stopped, I stepped the program forward once and changed sy-subrc to 0 so that I could test the secured area. While this process works, it can be time-consuming if there are many authority checks scattered throughout. To speed up the process, you can use the debugger script to automate overriding the result of the authority check.
To create the script, go to transaction SAS and click on the tab. Erase any code or comments that are currently in the script method. Now we need to add the command for moving the debugger forward one step. To do this, click on the
and select the Debug Step option under the debugger control folder. The code for controlling the debugger will be copied to the script method. Copy the execute value (CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER) to be passed as the P_COMMAND parameter. Remove the stars commenting out the try and catch block code.
Next, we want to add the code to change the value of sy-subrc to 0 so that the program thinks we passed the authority check. Place your cursor a couple of lines after the ENDTRY from the earlier command and click the button. Expand the folder titled “Variable Information” and then expand the folder titled “Change Variable Value” and select “Simple Variable or String”. Set the P_NEW_VALUE parameter to ‘0’ and the P_VARNAME parameter to ‘sy-subrc’ (both with single quotes). Now, remove the stars commenting out the try and catch block code.
Your script method should look like the below:
[abap]
METHOD script.
*************************************************
* debugger commands (p_command):
* Step into(F5) -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
* Execute(F6) -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
* Return(F7) -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
* Continue(F8) -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
*************************************************
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
*Importing
* REFERENCE( P_COMMAND ) TYPE I
****************************************************************
  " Step over the AUTHORITY-CHECK statement so that it sets sy-subrc.
  TRY.
      CALL METHOD debugger_controller->debug_step
        EXPORTING
          p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
    CATCH cx_tpda_scr_rtctrl_status .
    CATCH cx_tpda_scr_rtctrl .
  ENDTRY.
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
* REFERENCE( P_NEW_VALUE ) TYPE STRING
* REFERENCE( P_OFFSET ) TYPE I
* REFERENCE( P_LENGTH ) TYPE I
* REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************
  " Overwrite the result of the check: 0 tells the program the check passed.
  TRY.
      CALL METHOD cl_tpda_script_data_descr=>change_value
        EXPORTING
          p_new_value = '0'
*         p_offset    = -1
*         p_length    = -1
          p_varname   = 'sy-subrc'.
    CATCH cx_tpda_varname .
    CATCH cx_tpda_scr_auth .
  ENDTRY.
ENDMETHOD. "script
[/abap]
Now, uncheck the “Debugger Single Step” checkbox in the trigger selections and check the checkbox for “Breakpoint Reached” and click the pencil edit button as pictured below. Click the button to create a new break point and add one for the ABAP command “AUTHORITY-CHECK” and click the green checkmark button. This will make it so our script only runs when the debugger reaches the AUTHORITY-CHECK command.
You can now save your script. To run it, type /h in the transaction bar before running the program. Then click on the script tab in the debugger, click load script and enter your script. Lastly, click the button and that’s it: no more authority issues! Another use of this script is to change the sy-subrc value to 4 to see how your program behaves when you do not have the proper authorization.
Got any ideas of other things we could do with the debugger script? Leave them in the comments below!
Hello Brian,
thank you for your explanations about debugger scripting. They are very helpful!
What I would like to do with a script is to get current attribute values out of a deep object hierarchy without clicking through dozens of layers.
If you take BOL / GenIL for example it always needs several clicks to reach the information you want to know. I assume this could be easier with a script.
Best regards,
Markus
Hi Markus,
That sounds like a really good use of the debugger script!
-Brian
I am betting I can think of many uses for this - but yes, definitely, setting sy-subrc to 4 would be great, as well as bypassing the auth checks. Sometimes it's very difficult to 'stage' the data so that you can ensure a sy-subrc 4 - but you know darned well it will happen in real life - particularly if it hasn't been tested.
Sue
Hello Brian,
Good one....I believe in the code snippet, the value of p_new_value should be 0 and not 4..
Good catch!
I must have been testing the failed authority when I copied it! 😳
This has been corrected.
-Brian
Note that this does not completely give you SAP_ALL equivalent powers... 🙂
There are exceptions such as objects S_TCODE, S_C_FUNCT, S_DATASET, S_START, etc. (if they don't have any where-used-list then it is a good sign that it is one of them or SAP never actually checks the object directly).
These AUTHORITY-CHECKs are (also) implemented in kernel functions for good reasons and some of them not only set sy-subrc for the ABAP program to react to but react to the return codes themselves by exiting.
It seems you cannot debug them or set sy-subrc for this reason unless....
-> this is the next challenge for Brian... 🙂
Cheers,
Julius
Little tip: there are 2 ways.
Thanks for the comment Julius!
Sounds interesting! I'm going to do some research into this and mess with some kernel calls on my personal instance!
-Brian
As long as folks are aware that the debugger is also a dangerous tool, then it becomes a wonderful tool. It has turned many a landscape into pulp.... 🙂
Cheers,
Julius
Good use case Brian!
What if I want to read a particular row of an internal table (a deep structure), is there a workaround for it? 'Coz if I understand correctly, currently the debugger script supports variable value reading for flat variables.
BR,
Suhas
Hello Brian! Quite a useful post. I read it from the beginning to the end, and when I wanted to try it in my SAP system it said that transaction SAS does not exist.
Although I am checking in our production system, as our Dev system is currently down.
We have SAP version 4.6 ECC 6.
Is it possible that the same transaction exists in the Dev system and does not exist in the Prod system?
Moreover, for a few months I have been trying to bypass the authorization checks. Point to be noted (not considering this post): the procedure of changing the value of sy-subrc in debugging after the authority check statement works only in some cases, only in those transactions where the system does go into debugging.
However, when using the transaction from the command box, no matter how much effort you put in, the system does not go into debugging and thus those authority checks cannot be suppressed.
Please correct me if I am wrong.
What may be the reason that transaction SAS does not exist in our system, or should I wait till our Dev system works?
Hi Abhishek,
You will need NW 7.0 Ehp2 to get the debugger script functionality. 🙁
Some authorization checks are on the kernel level and are there for a reason, like Julius von dem Bussche mentioned. You will need authorization to call a specific transaction for example.
You should gather all the developers in your group and push hard to upgrade to 7.0 Ehp 2, there are many updates that really help developers. You can read about it at What's New in ABAP with SAP NetWeaver 7.0 EhP2.
There are even more developer related upgrades in future releases such as ABAP in eclipse!
-Brian
Brian, we would have updated our SAP system. As our organisation is facing a financial crisis, we haven't renewed our SAP license. We have lost our entire support from SAP.
Taking that into consideration, can we update to 7.0 Ehp2?
New Learning.. Thanks..
Good one and it is a new learning. Till date I was doing it in the traditional method by setting a break point with the ABAP command and changing the value of subrc to 0 and continuing.
It's really a very useful finding.
Hi,
useful and interesting.
Thanks a lot for sharing
Cheers
Ivan
Interesting, why not just add "call transaction 'xxx'" in the debug script and simply execute it? It should also work.
That won't work. But you can try and tell us.