Web Dynpro start authorization

In this blog post I will describe the start authorization for Web Dynpro for ABAP applications and, most importantly, how it is controlled.

Similar to the authorization object S_TCODE, which is being checked during the call of a transaction, during the call of Web Dynpro ABAP applications the authorization object S_START is being checked. 

This start authorization check is delivered in an inactive state, which means that you need to actively change it in your system.
Note: 1413011 – New start authorization check for Web Dynpro ABAP – SAP ONE Support Launchpad

How to activate the check? 

The start authorization check is controlled by a table entry in the table USOBAUTHINACTIVE. To check or activate the start authorization check, call transaction SM30 and enter the table name “USOBAUTHINACTIVE” in the field “Table/View”.  Choose “Maintain”:

SM30

SM30

If in the column “Inactive” the checks are selected, then the checks are not active.

To activate the start authorization check for Web Dynpro ABAP applications and Web Dynpro ABAP application configurations, remove the checkmark in the “Inactive” column for the application types R3TR WDYA and R3TR WDCA. Save your changes. The start authorization check is now active in all clients throughout the system.

Table%20USOBAUTHINACTIVE

Table USOBAUTHINACTIVE

What does this change mean for the current authorization concept?

When this authorization check is set to active, the system will check for the object S_START and give an authorization error if this object is not authorized. If there are any Web Dynpro ABAP Applications that are being used but are not present in the roles, they need to be added in the roles using the transaction PFCG.  

Note: If the Web Dynpro ABAP applications are added into the menu of a role, the authorization object S_START is added to the authorizations tab. 

PFCG

PFCG

From S/4HANA 2021 on the Web Dynpro start authorization is active by default.

In SAP S/4HANA, on-premise edition 2021, SAP S/4HANA Foundation, on-premise edition 2021, and SAP BW/4HANA 2021 (and all future releases), this start authorization check is already activated during the installation/migration for Web Dynpro applications (object type R3TR WDYA) and Web Dynpro application configurations (object type R3TR WDCA). 

Therefore, the active role concept is affected if the required start authorizations (authorization object S_START) is missing in the roles. The affected roles need to be updated. It is also possible to deactivate the checks in SU25, although this is not recommended. For more information please check the Note 3064888 – Start authorization check for Web Dynpro applications and Web Dynpro application configurations in SAP S/4HANA – SAP ONE Support Launchpad .

More information on Secure by Default can be found in this blog post: The story resumes – Secure By Default for SAP S/4HANA 2021 | SAP Blogs

Also feel free to ask questions in the SAP Community: https://answers.sap.com/questions/ask.html?primaryTagId=462330605920974660730944876913277