Authorization Check Field Name

Hi,
Do we need to specify all field names when coding authorization check in abap?

Hi,
Plz go through this...
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
Explanation of IDs:
object Field which contains the name of the object for which the authorization is to be checked.
name1 ... Fields which contain the names of the name10 authorization fields defined in the object.
f1 ... Fields which contain the values for which the f10 authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY ).
The system checks the values for the ID s by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code SY-SUBRC = 0, the user has the required authorization and may continue.
The return code is modified to suit the different error scenarios.
The return code values have the following meaning:
4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8 Too many parameters (fields, values). Maximum allowed is 10.
12 Specified object not maintained in the user master record.
16 No profile entered in the user master record.
24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28 Incorrect structure for user master record.
32 Incorrect structure for user master record.
36 Incorrect structure for user master record.
If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Similar Messages

  • Authorization object to display table field names in english text in SE17

    Hi,
    One of users have issues with the filed name getting displayed in technical format instead of english text while browsing table information in SE17. Normally we can set this in through Settings->User Parameters. But here for this user, user parameter option is greyed out and he doesn't have access to SE16.
    Is there any other way to change user specific parameters, instead of granting him accesss to SE16 or enabling user parameters in SE17?
    Thanks,
    Mano

    Hi,
    I made him run SU53 on SE17 transaction the log is showing that authorization check failed for S_ALV_LAYO with value 23.
    Actually i have access SE16 and for me also, user parameter option is greyed out in SE17. I ran SU53 on SE17 in my session i also got same log.
    One more observation is, the user's colleague also doesn't have access to SE16 and user parameter option is greyed out in SE17 but he can view the table field names in english. So we are wondering if some authorization object is missing here.
    We do not want user to make any changes through GUI.
    Thanks,
    Mano.

  • Authorization check on technical name for statistical key figures

    Dear experts,
    I need an authorization check on the technical name for statistical key figures. I would like to avoid that local users can change/modify centrally defined key figures which follow a given naming convention.
    I checked the authorization object K_KA03 for statistical key figures but this doesn't help as it only checks controlling area and activity. I also couldn't find the technical name as an authorization field.
    What can I do to set up an authorization check on the technical name of the statistical key figure if it is not foreseen in the standard?
    Thanks for any ideas,
    René

    Try something in similar lines as suggested in below link:
    https://wiki.sdn.sap.com/wiki/display/PLM/COValidationstoadditionalauthorisations+checks
    Regards
    Sreenivas

  • 'DUMMY' value of the field in Authorization Check

    Hello everyone!
    I have some misunderstanding. I made an authorization check in transaction SU53 and i see a class, an object and the field which need to be DUMMY. What does it mean? What Value of this field I  have to choose when I give an authorization for myself?

    Sorry, but that's not correct.
    "DUMMY" is equivalent to "don't care" or "any value".
    That is different from requesting a SPACE value (which is just one distinct value).
    If a "dummy" value is requested, actually no value is requested - any value will satisfy the request.
    See <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm">ABAP Online Documentation</a>.

  • Mapping authorization field IDs to field names (description)

    Hello Folks,
    I am trying to map the authorization field (technical ) names to field descriptions (long names)
    Backgroud: I do not have enough input from the functional team yet on restrictions at data level. I have pulled out a list of orgfield values from USORG. Now i am trying to map the other authorization fields to their descriptions.
    Table AUTHX only maps the field to the data element and while table DD04V lists the long field names for a given data element, i need to drill down before i get the description and thats for each fieldname / data element.
    Question: Is going through SU20 for each object the best way to map the field description or is there a better way to map the auth field IDs to their description. And i mean for multiple input as there are scores of auth fields...
    Regards,
    Prashant

    Thanks Jurjen, that helped a lot.
    I downloaded the authorizations into an excel tough, (did not use uncoverted format).
    Solution in Excel: Since there are a lot of blank cell values
    -- name the columns clearly
    create a pivot table
    In the pivot select only the field technical name and field description columns
    For some reason when the other columns are selected, everything is going blank for values
    I am sure others are better with Excel than i am
    Regards,
    Prashant

  • SM30 Field level authorization check

    Hi,
    I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
    Thanks,
    Gagan Chodhry

    Hi,
    I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
    If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
    If anyone can send the sample or the way to skip the record based on the check.
    Also is there any other way to add the field level authorization to custom and standard tables...
    Thanks,
    Gagan Chodhry

  • Authorization check for select-options field - Company code.

    Hi experts,
    i have company code field on the report selection screen and i have to validate the authorization check for BUKRS.
    How to do authorization check for a select-options field?
    Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
    Thanks.

    >
    RNB wrote:
    > Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
    Does it hurt to type a few lines of code? Why do you need an FM for this my friend?
    Anyways can you please tell which SAP application area (viz. FI, SD etc.) do you want to run the report?
    Suhas

  • Authorization check

    Hi ,
    i new to authorization so i need help ,
    i go to transaction SU21 and i choose some object for example:
    Object R_CPM_BSC
    Text Authorization Object SEM: BSC Elements
    Class SEM Strategic Enterprise Management*
    Author STASTNY
    Field name Heading
    SEMSCARD Scorecard
    SEMOBJTYPE Scorecard Elements: Object Type
    SEMOBJKEY Scorecard Elements: Object Key
    ACTVT Activity
    And when i push on permitted activities i get:
    R_CPM_BSC Authorization Object SE
    ACTVT Activity
    activists
    01 Create or generate
    02 Change
    03 Display
    04 Print, edit messages
    1. i have always just permitted activities for ACTVT ?
    if i wont that user just have display Authorization how i have to write it like below?
    AUTHORITY-CHECK OBJECT R_CPM_BSC
    ID ACTVT FIELD '03'
    thats it i don't use the other fields?
    Regards

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Vikranth

  • Authorization check failed

    hello experts!
    i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
    cannot be displayed. when i check Tcode: SU53 Authorization check failed.
    Object Class HR Human Resources
    Authorization Obj. P_ABAP  HR Reporting\
    Authorization Field COARS Degree of simplification for authorizaton check       1
    Authorization field REPID ABAP program name     ZHRPY00018C
    Please help on this one...
    How to fixed this
    Thank you

    hello...
    actually this report has 2 display a List display and via smartforms...
    we laready add this program  in her authorization profile... the only problem
    is when she try to generate the report via smartform she cannot produced the
    the output print docu. because an error appears that my FORM cannot be display.
    But when i check it in the development i can produced a test document.
    please help...

  • User authorization check in report

    Hi All,
    I want check user name in report while event (at user-command) trigger.
    Have 2 buttons in report A.Process B. Display.
    any user can press display button. but some of the user only can press Process button.
    how can I do this using authorization objetcs.
    I donot want to check by sy-uname, because I donot want to hardcode user names.
    Thanks & Regards
    Gupta......

    Hi,
    You need to ask to BASIS guy to create the authorization object.
    Whenever user clicks the button PROCESS in PAI of that screen you need to write the authority check statement.
    For example if i need to validate the country for the particular user :
    MODULE user_command_9000 INPUT.
    *Authority Check for Country*
    AUTHORITY-CHECK OBJECT 'ZO9_CNTRY'
        ID 'COUNTRY' FIELD g_soldto_country.
    if sy-subrc ne 0.
         clear g_ok_code.
         message E001(ZMESSAGE_AS) with g_soldto_country.
    endif.
    I hope this will be useful to you.
    Plz reward if useful.
    Thanks,
    Dhanashri

  • Authorization check in OB52

    Hi,
    We have a following client requirement.
    u2022     In OB52, once user logged In then only the respective company code ( to whom he belongs) should be available for editing i.e. opening / closing of periods and Other company codes should be in grayed out status.
    Can we built a check like that?
    Regards
    Anuj

    Hi
    If you have several company codes and want your users only to be able to open and close periods
    (transaction OB52) belonging to their posting period variant (=company code). 
    First you configure the Posting Variant :-
    1) FI- FI Global Settings - Document - Posting Periods - Define Variants for Posting Periods 
    2) FI- FI Global Settings - Document - Posting Periods - Assign Variants to Company Code
    Second Step:-
    Goto SE11 copy the view V_T001B to ZV_T001B_000X (000X indicate the Posting Variant)
    In Change mode, tabstrips Selection Conditions Insert line 2 with
    Table     Field Name   Operator   Comparative Value    AND/OR
    T001B   BUKRS           EQ            '000X'                          AND
    Save your entries
    Third Step :-
    Goto SE54, Options Generated Objects -> Create
    Authorizations Group  FC31
    Function Group          Z00F0
    Maintenance Type     One Type
    Overview Screen       65
    Single Screen             0
    Final Step :-
    Goto SE93, Create a new transaction code ZOB52_000X
    Start object - Transaction with parameters (parameter transaction)
    Transaction SM30, Tick Skip initial screen
    Regards
    Sanil Bhandari

  • Authorization check by Cost centers

    Hello all,
    I developed a report in Report Painter and the requirement is that the users be able to run it only for their own CCtrs - challenge is that we are trying to not use variants, custom transactions and also modifying / checking authorization at at SU01 level.
    Is there any other way to do this and if yes can you pls provide some details.
    Thanks,
    Richa

    hi richa,
    Authorizations with Variables
    Definition
    Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
    Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
    Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.
    Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.
    There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras  ® Compatibility  ® Buffer for Variables (Customer-Exit)  ® Deactivate..
    You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
           1.      Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
    As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.                                    
           2.      Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.                                          
    Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field
    Setting Up Reporting Authorizations
    Use
    Before you are able to set up reporting authorizations, you have to create authorization objects.
    As soon as an authorization object is saved, it can be checked when a query is run. The user may not have the appropriate authorizations if he or she has not yet been assigned this authorization object.
    Only when the user has been assigned the appropriate authorizations can he/she define and execute a query or navigate in an existing query.
    If in the query a characteristic value or a node is excluded, a complete authorization check “*” is required.
    Procedure
    Creating an authorization object
           1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
           2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
           3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
    Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
           4.      Assign the InfoObject fields to the authorization object:
    ¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
    ¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
    ¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
    ¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
           5.      Save your entries.
           6.      Go back to the initial screen of the authorization maintenance.
           7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
    Authorization object:           S_RSRSAREA
    Name:                   Sales area
    Fields:                         DIVISION, CUSTGROUP, 1KYFNM
    Creating authorizations
    Authorizations are created and maintained in the role maintenance screens.
           1.      Choose Authorizations ® Roles ® Change.
           2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
           3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
           4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
           5.      Choose Generate.
    For more information, see Changing and Assigning Roles.
    Result
    The user is now able to work with queries
    Authorizations to Work with a Query
    Use
    Authorizations to work with a query are first checked in the dialog box to open a query.
    Furthermore, when a query is opened, the authorizations for the individual objects are checked.
    See also: Authorization Check When Executing a Query..
    Structure
    Check in the Open Dialog Box:
    When you open a query, you will see four buttons in the dialog box. The History, Favorites and Roles buttons only display your own queries and those queries intended for you per role definition.
    The InfoAreas button enables you to look at all queries for which the user has display authorization. If this display authorization is not restricted to queries, the user will see all available queries in the system here. It is possible to hide the InfoAreas button if you do not want the user to see all queries in the system. The authorization object S_RS_FOLD with the field SUP_FOLDER can be used here. In order to hide the InfoArea button, set this field to X when authorizing, otherwise leave the field blank “ “ or set it to * (asterisk – all authorizations).. The button will be displayed if the authorization check fails.
    Authorizations by User
    It is also possible to make queries from particular users (= OWNER = query creator) available to other users (= USER) for display or processing. The authorization object S_RS_COMP1 with four fields (COMPID, COMPTYPE, OWNER, ACTVT) is used here.
    You can grant this authorization to a particular team or use the variable $USER to give all users the authorization for queries that they created themselves. $USER is replaced by the corresponding user name during the authorization check.
    See also the Example for Reporting Authorizations.
    Authorizations for the BEx Broadcaster
    Using the authorization object S_RS_BCS, you can determine which user is allowed to register broadcasting settings for execution and in which way.
    Note:
    ·        The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template).
    ·        Every user that has authorization to create background jobs also has authorization for direct scheduling in the background.
    ·        If you need to work under the name of another user to execute broadcast settings (for example with user-specific precalculations), the authorization object S_BTCH_NAM for background scheduling is also required for the other user. For more information, see Authorizations for Background Processing and Definition of Users for Background Processing
    Authorizations for Selection Criteria
    Definition
    The selection criteria of a query determine which data can be displayed after you have entered it in a workbook.
    An authorization check for certain InfoObjects only takes place if an authorization object with this InfoObject was already created in the authorization object class Business Information Warehouse.
    As soon as an authorization object is created, only authorized users can select query data.
    Use
    To decide whether a user should be authorized to work with a query, you should check whether authorization has been given to him/her for all selection criteria.
    Essential to the authorization of selection criteria is the authorization object S_RS_ICUBE.
    Definitions of authorizations for working with certain InfoCubes must be transported separately.
    See: Transporting Additional Information
    In general, it is not sufficient to give authorizations for individual InfoObjects (characteristics and key figures), or to check them separately from one another. It more usual that specific authorizations should be given for combinations of characteristics and key figures.
    It is therefore feasible that a "Sales Manager" is allowed to view the respective total sales figures for all sales areas, but is only authorized to break down "his/her" area (0001) according to the individual sales personnel. In this case, the following authorizations, which are grouped together, would be created and assigned.
    Sales area = *
    Sales personnel = :
    Key figure = Sales figures
    (‘:’ represents the authorization to view the values aggregated with the characteristic.
    Sales area = 0001
    Sales personnel = *
    Key figure = Sales figures
    The user frequently uses these "multidimensional" authorities in companies that are regional as well as product-oriented (matrix organization). In this way, you could arrange for the person responsible for the combination of a certain division and a certain sales area to have the exact authorization for the output of the relevant values, without him/her necessarily also having access to the data for the whole division or the whole sales area.
    Authorizations for the Query Definition
    Authorizations can be granted for the following objects for the query definition in the Business Explorer:
    The entire query
    Structures
    Calculated key figures
    Restricted key figures
    Variables
    The activities for the query definition are specified in the authorization object S_RS_COMP (Business Explorer - components). The authorization object has the following fields: InfoArea, InfoCube, component type, component name and activity.
    The following values are possible for the component type:
    REP: Entire query
    STR: Structure
    CKF: Calculated key figure
    RKF: Restricted key figure
    VAR: Variables
    By specifying an InfoArea or an InfoCube, you can further restrict the component types. By specifying a component name, you can specify the authorization for individual components in more detail. Components that begin with 0 are delivered by SAP and cannot be changed. Components that are within the customer name range must begin with a letter of the alphabet.
    Valid activities are:
    01 (create)
    02 (change)
    03 (display)
    06 (delete)
    At the moment, activities 16 (Execute) and 22 (Save for Reuse) are not checked for the query definition.
    User A is allowed to create, change or delete queries beginning with A1 and A6 within InfoArea 0001 in InfoCube 0002. In addition, the user is allowed to change the calculated key figures and structures (templates) already defined in this InfoProvider.
    Related authorizations for user A:
    InfoArea: ‘0001’
    InfoProvider: ‘0002’
    Component type: ‘REP’
    Component Name: ‘A1’, ‘A6’
    Activity: ‘01’, ‘02’, ‘06’
    InfoArea: ‘*’
    InfoProvider: ‘0002*’
    Component type: ‘STR’, ‘CKF’
    Component name: ‘*’
    Activity: ‘02’
    Authorizations for Display Attributes
    Definition
    Authorization-relevant display attributes are hidden in the query if the user does not have sufficient authorization to view them.
    Use
    For characteristics:
    The user needs to have complete authorization (*) to see the display attribute in the query.
    For the characteristic 0EMPLOYEE, the 0EMPLSTATUS attribute is authorization-relevant. Only users with authorization "*" for 0EMPLSTATUS can display the attribute in the query.
    For key figures:
    Key figures cannot be marked as authorization-relevant. To use this function nonetheless for key figure attributes, the system checks against meta object 1KYFNM. For this, the user requires authorization for the field 1KYFNM in the authorization object.
    The key figure attribute 0ANSALARY is contained in the 0EMPLOYEE characteristic.
    If the user has the 1KYFNM field in his or her authorization object, and authorization "*", he or she can display all key figure attributes.
    If the user has the 1KYFNM field in the authorization object and the 0ANSALARY key figure as a value of the authorization, he or she can only see this key figure attribute. If the user is not supposed to see this attribute, do not give the authorization "*" but only assign the key figures for authorization that are to be displayed.
    Authorizations for Navigation Attributes
    Use
    During authorization checks for navigation attributes, it is always the characteristic that is being used as a navigation attribute that is checked.
    Integration
    If referencing characteristics are used as navigation attributes, authorization for the basic characteristic is checked. You should, however, change this logic so that the referencing characteristic is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras  ® Compatibility  ® Navigation Attributes ® Switch Off.
    This function exists for reasons of compatibility. The authorization logic of referencing characteristics worked differently with the beginning of Release BW 2.0. From BW 2.0, Support Package 20 and in all of the releases that follow, for referencing characteristics as well, the authorization for exactly this characteristic (and not the basic characteristic, as was the case previously) is checked.
    Example
    In the query, you use characteristic A with the navigation attributes A__B and A__R. Characteristic R references characteristic B. For these navigation attributes, authorization for the basic characteristic B is checked. If you switch off the compatibility for navigation attributes option, B is checked for A__B, and R is check for A__R.
    Maintaining Authorizations for Hierarchies
    Use
    Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.
    Prerequisites
    Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.
    Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):
    Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.
    Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Ref. Characteristics with Hierarchy ® Switch Off.
    You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.
    Procedure
           1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ®Reporting Authorization Objects.
           2.      Choose Authorizations ® Authorization Definition for Hierarchies ® Change.
           3.      In the Definition, select the InfoObject, hierarchy and node.
    If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.
    See also: Variable Types
    Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.
    You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.
    This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.
           4.      Select the authorization type:
    ¡        0 for the node
    ¡        1 for a subtree below the node
    ¡        2 for a subtree below the node up to and including a level (absolute)
    You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
    ¡        3 for the entire hierarchy
    ¡        4 for a subtree below the node up to and including a level (relative)
    You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
           5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
    ¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
    ¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
           6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
    ¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
    ¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
    ¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
    ¡        Type 3 (lowest) : None of the characteristics have to match.
    Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
    As a general rule, select the highest possible level for the check.
           7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.
    If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.
           8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
           9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:
    ¡        Specify the value ‘ ‘ (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.
    ¡        Specify the value “:” (a colon) when queries are also allowed without this characteristic.
    The value '’ (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value ‚’ a ‚:’ is automatically generated instead because no other valid value is found.
    If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.
    If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.
    Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information
    Alternative Procedure:
    Manually Maintaining Reporting Authorizations
    Use
    You usually maintain authorizations in the role maintenance. However, in exceptional cases it could be more practical to create authorizations manually. This is the case if you have to assign every user his/her own role.
    Prerequisites
    Reporting authorization objects have been created.
    Procedure
    Assign Authorization Objects
           1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
           2.      Choose Authorizations ® Authorizations for Several Users. Enter an interval and choose Change.
           3.      Select a characteristic from the left side of the screen. You can then display master data as a list or as a hierarchy. The right side of the screen shows you a list of all the selected users with the authorization profiles and roles you assigned.
           4.      You can now use Drag&Drop to assign additional authorization objects to the user.
           5.      Choose Generate authorizations. The system creates the authorizations and assigns them to the users.
    Assigning Authorizations for Hierarchies
    You can also make authorizations for hierarchies in the same transaction.
           1.      Select a characteristic.
           2.      You can use the context menu on the authorization object to determine up to which hierarchy level the authorization should apply.
    You can currently select exactly 1 level for each hierarchy and user.
           3.      Choose Generate authorizations. The system creates the authorizations and assigns them to the user.
    Result
    The system has created individual authorization profiles.
    thanks
    karthik
    reward me ipoints if the above is usefull to you

  • Authorization-check and Match code

    Hi
    How do we declare authorization check?Plase provide me  syntax?
    does match code relates to it?
    Thanks in advance.

    Hi RK,
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    AUTHORITY – CHECK OBJECT <object name>
                  ID <name1> FIELD <f1>
                  ID <name2> FIELD <f2>
                  IF SY-SUBRC NE 0.
    For Matchcode (which is now called Search help) go to the link
    http://help.sap.com/saphelp_nw04s/helpdata/en/c9/83eb02be4c11d1950200a0c929b3c3/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/cf/21ee93446011d189700000e8322d00/content.htm
    Reward points if this helps.
    Manish

  • Authorization checks in WDA View

    Hi All,
    I have a single WDA Compnent having one View. This View has some buttons that only certain users should be allowed to access. So I need to carry out authorization checks in Backend. Can someone please give me an example of how to proceed on such a scenario? Appreciate your help.
    Thks in advance, Liz

    Hi Liz..
    1) Create a field Zatt  " tcode:su20"and assign DATa Element (Type : WDYBOOLEAN).
    2) Create an ObjetClasse Zclass "tcode: su21"
    3) In this objectclass you create an authorization Object. Z2 that contain ACTVT and the Field Zatt .
    4) Now you can create one role "tcode : pfcg" with one authorization Z2 -> assign tha ACTVT : 03 and the Zatt to false.
    5) Assign this role to the user that "tcode: SU01".
    Finally in the WDY componant, you create a node with an attribute : Visibility type WDYBOOLEAN.
    you bind the attribute VISIBLE of boutons that you like to Hide .
    Finally -> In the method WDDOINIT of the main Insert this code :
    Authority-check Object 'ROLE_NAME'
        ID 'ACTVT' Field '03'
        ID 'Zatt' FIELD Visibility.
      IF sy-subrc EQ 0.
          Visibility = 'X'.
          lo_el_NADE_NAME->set_attribute(
          name =  `NODE_NAME`
          value = Visibility ).
      ENDIF.
    Hope It's Help
    Best Regards
    Edited by: Jcrios on Jun 4, 2010 4:21 PM

  • What are authorization checks? And where and what will you write?

    hai, plz anybody send me the answer?

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    As the name suggest it if for Authority check so that the person who is not having authorization for some data/transaction can be restricted from viewing it. It is very imortant for the security of data. Check below link for details on authorization.
    http://help.sap.com/saphelp_nw04/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm

Maybe you are looking for

  • Error while installing SAP NetWeaver 7.0

    Hello, I  try to install SAP netweaver Application Abap and have the following message "An error occurred while processing option SAP NetWeaver 7.0 including Enhancement Package 2 > SAP Application Server ABAP > MaxDB > Central System > Central Syste

  • Why does my iBook not have a file size on the iBookstore?

    Hi everyone, I apologise if this has already been answered, however, I could not find an answer anywhere. Basically, I submitted a children's iBook (The Tale Of Blob-Ba-Cus) to the iBookstore in June. In the section on the iBookstore where is says au

  • Linking Dynamic text boxes?

    Hi there, This might be straight forward, but I would like to know how could one link dynamic text boxes so that the information would flow? In a way, the information would flow from: (XML) Input A into BOXA00, BOXA01, BOXA02, BOXA03, etc. (XML) Inpu

  • Text missing in converted email

    Using Acrobat Std 9.2, Convert to PDF in Lotus Notes 8.5. [Windows XP] PDF of some emails contain only email header - no body text.  Most PDFs are OK. In problem emails, original email contains text with a number of fonts, including font Default Mono

  • Mapping Issue - - Part II

    Hi All, My source structure is <root> <a></a> <type> <val1> </val1> </type> <type1> <val2> </val2> </type1> </root> Here the cardinality goes like this <a> 1..1 <type> 1..unbounded <val1> 1..1 <type1> 1..unbounded <val2> 1..1 Target structure <test>