== Why is this an issue?

Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields ``++SY-UNAME++`` and ``++SYST-UNAME++`` should not be compared to hardcoded strings. Use instead ``++AUTHORITY-CHECK++`` to check users' permissions.


This rule raises an issue when either of the system fields ``++SY-UNAME++`` or ``++SYST-UNAME++`` are compared to a hardcoded value in a ``++CASE++`` statement or using one of the following operators: ``++=++``, ``++EQ++``, ``++<>++``, ``++NE++``.


=== Noncompliant code example

[source,abap]
----
IF SY-UNAME = 'ALICE'. " Noncompliant
ENDIF.

CASE SY-UNAME.
WHEN 'A'. " Noncompliant
ENDCASE.
----


=== Compliant solution

[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_CARRID' 
  ID 'CARRID' FIELD mycarrid.
IF sy-subrc <> 0. 
  MESSAGE 'Not authorized' TYPE 'E'. 
ENDIF. 
----


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Replace this hard-coded comparison of "SY-UNAME" with an "AUTHORITY-CHECK".

Replace this hard-coded comparison of "SYST-UNAME" with an "AUTHORITY-CHECK".


'''
== Comments And Links
(visible only on this page)

=== on 20 Dec 2018, 15:53:00 Nicolas Harraudeau wrote:
For now this rule exists only for ABAP but this is a common mistake in many programming languages. ACL libraries should be preferred to hardcoded reference to a specific user.

endif::env-github,rspecator-view[]