SAP NetWeaver AS ABAP Release 740, ©Copyright 2014 SAP AG. All rights reserved.
ABAP Keyword Documentation → ABAP - Security Notes → Further Security Risks →User-Dependent Program Flow
The use of user names in ABAP programs to control program behavior can be a security risk. In the worst case scenario, a back door can be created and used by developers to access unauthorized data or functions in systems where they do not have authorization. On the other hand, these can also be code sections used for test purposes during development and then forgotten. Generally speaking, user-dependent source code should always be avoided and removed if necessary. In cases where user-dependent source code is absolutely necessary, a special exemption must be granted for the program so that it can pass the appropriate security tests.
In ABAP, user-dependent program flows can occur in the following instances:
sy-uname is usually redundant when specified explicitly after the addition USER and carries the risk of the content being manipulated in advance, for example in ABAP Debugger.
User names passed to the program from the outside should never be used. If this does become necessary, however, the names must be checked carefully.
Note
If the current user name is required in a program, it is safer to determine it used the method GET_USER_NAME of the class CL_ABAP_SYST than taking it from the system field sy-uname, which is easier to manipulate.
Example
The following program section demonstrates a back door where an authorization check for a user is ignored intentionally. The program must be repaired by removing the IF control block with the sy-uname query.