Checking a logged-in user's permissions by comparing the user name to a hardcoded string creates a security weakness. It prevents system administrators from changing that user's permissions when needed (for example, when the account has been compromised), because the privilege lives in the source code rather than in the authorization system where it can be granted, revoked and audited; a user name can also be deleted and later reassigned, so the hardcoded check may end up matching a different person. Thus the system fields SYST-UNAME and SY-UNAME should not be compared to hardcoded strings. Use instead AUTHORITY-CHECK to check
This rule raises an issue when either of the system fields SYST-UNAME or SY-UNAME is compared to a hardcoded value, whether in a CASE statement or with a comparison operator such as =.
Noncompliant Code Example
IF SY-UNAME = 'ALICE'. " Noncompliant
  " privileged action granted to one hardcoded user name
ENDIF.

CASE SY-UNAME.
  WHEN 'A'. " Noncompliant
    " privileged action granted to one hardcoded user name
  WHEN OTHERS.
    MESSAGE 'Not authorized' TYPE 'E'.
ENDCASE.
Compliant Solution

AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD mycarrid.
IF sy-subrc <> 0.
  " sy-subrc is 0 only when the check succeeded; treat every other value as a denial
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
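The following is an added example, not code from the rule page, showing the same refactoring applied to a change operation: the hardcoded user-name check is replaced by an AUTHORITY-CHECK that also names the activity (ACTVT) and branches on sy-subrc. The authorization object S_CARRID with its fields CARRID and ACTVT comes from the SAP flight demo data model; the form name, the parameter iv_carrid and the subroutine update_carrier are assumptions made for the example.

```abap
" Added example (not part of the original rule page).
" Assumed: FORM name, parameter iv_carrid, subroutine update_carrier.
" Real: authorization object S_CARRID with fields CARRID and ACTVT,
"       activity '02' = change, sy-subrc semantics of AUTHORITY-CHECK.

FORM change_carrier USING iv_carrid TYPE s_carr_id.

  " Before (noncompliant): the privilege is bound to one account name.
  " An administrator cannot revoke it without changing and transporting
  " the code, and the name may later belong to someone else.
  "
  "   IF sy-uname = 'ALICE'.
  "     PERFORM update_carrier USING iv_carrid.
  "   ENDIF.

  " After (compliant): ask the authorization system, and ask for the
  " specific activity so that display-only users are not granted change.
  " Do not use 'ID ''ACTVT'' DUMMY' here; that would skip the activity
  " check and collapse display and change into one permission.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD iv_carrid
    ID 'ACTVT'  FIELD '02'.

  CASE sy-subrc.
    WHEN 0.
      " Authorized for this carrier and this activity.
      PERFORM update_carrier USING iv_carrid.  " assumed subroutine
    WHEN 4.
      " The user has the object but not this carrier/activity value.
      MESSAGE 'Not authorized to change this carrier' TYPE 'E'.
    WHEN 12.
      " The object is not in the user master at all.
      MESSAGE 'Not authorized' TYPE 'E'.
    WHEN OTHERS.
      " 8, 16, 24 and above signal malformed calls or profile problems.
      " Fail closed: any non-zero return is treated as a denial.
      MESSAGE 'Authorization check failed' TYPE 'E'.
  ENDCASE.

ENDFORM.
```

Distinguishing the sy-subrc values is useful for support and logging, but the security decision is the same in every non-zero branch: the action is refused. Keeping the refusal in the WHEN OTHERS branch is what makes the check fail closed if the authorization object is ever misconfigured.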