Checking a logged-in user's permissions by comparing their user name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (for example, when an account has been compromised). Thus the system fields SY-UNAME and SYST-UNAME should not be compared to hardcoded strings. Use AUTHORITY-CHECK instead to check users' permissions.
This rule raises an issue when either of the system fields SY-UNAME or SYST-UNAME is compared to a hardcoded value in a CASE statement or using one of the following operators: =, EQ, <>, NE.
Noncompliant code example
IF SY-UNAME = 'ALICE'. " Noncompliant
ENDIF.
CASE SY-UNAME.
WHEN 'A'. " Noncompliant
ENDCASE.
Compliant solution
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD mycarrid.
IF sy-subrc <> 0.
MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
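To show the same contrast with a two-field authorization check and explicit handling of the return code, here is an added example that is not part of the original rule page; it assumes the standard SAP flight-demo authorization object S_CARRID with fields CARRID and ACTVT, and lv_carrid is a constructed variable:

```abap
" Added example, not part of the original rule description.
" Assumes the SAP flight-demo authorization object S_CARRID with
" fields CARRID and ACTVT; lv_carrid and its value are constructed.
DATA lv_carrid TYPE c LENGTH 3 VALUE 'LH'.

" Noncompliant: the decision depends on who the user is, not on what
" the user is allowed to do, so an administrator cannot revoke it
" without a code change.
IF sy-uname NE 'ALICE'. " Noncompliant
  MESSAGE 'Only ALICE may change carriers' TYPE 'E'.
ENDIF.

" Compliant: ask the authorization system whether the current user may
" change (ACTVT '02') this carrier. The permission lives in the user's
" roles and profiles, which administrators can adjust or lock at any time.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD lv_carrid
  ID 'ACTVT'  FIELD '02'.
CASE sy-subrc.
  WHEN 0.
    " Authorized: proceed with the change.
  WHEN 4.
    " The user has no matching authorization.
    MESSAGE 'Not authorized to change carrier' TYPE 'E'.
  WHEN OTHERS.
    " Any other return code means the check itself is misconfigured
    " (for example, an unknown object or field name); fail closed.
    MESSAGE 'Authorization check failed' TYPE 'E'.
ENDCASE.
```

Treating every non-zero sy-subrc as a denial keeps the code fail-closed even when the authorization object or its fields are misconfigured.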