Authorization checks and objects

Do you have a tutorial for this topic for dummies? thanx in advance

Hi
In general, different users will be given different authorizations based on their role in the organization.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes for a profile, and that profile is in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Thanks
Seshu

Similar Messages

  • Authorization-check and Match code

    Hi
    How do we declare authorization check? Please provide me syntax?
    Does match code relate to it?
    Thanks in advance.

    Hi RK,
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    AUTHORITY-CHECK OBJECT <object name>
                  ID <name1> FIELD <f1>
                  ID <name2> FIELD <f2>.
    IF SY-SUBRC NE 0.
      " not authorized: issue a message or leave the processing block
    ENDIF.
    For Matchcode (which is now called Search help) go to the link
    http://help.sap.com/saphelp_nw04s/helpdata/en/c9/83eb02be4c11d1950200a0c929b3c3/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/cf/21ee93446011d189700000e8322d00/content.htm
    Reward points if this helps.
    Manish

  • Deactivate authorization checks in BSP or function modules?

    Hi all
    I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
    I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
    Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
    Regards
    Mike

    > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
    Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
    Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
    Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
    I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
    I would think that a careful choice of function module and consulting with your functional guru about config which will not interfere with other requirements is the best route to take.
    I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
    Cheers,
    Julius

  • How to find which custom program uses authorization checks

    Hi all,
    I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
    Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
    Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
    Many thanks,
    Aldo

    If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
    Below SAP documentation may help you:
    Authorization Group
    Authorization group to which the program is assigned.
    The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
    Execute a program
    --> Authorization object S_PROGRAM
    Edit a program (-Include) in the ABAP Workbench
    --> Authorization object S_DEVELOP
    Programs that are not assigned to an authorization group are not protected against display and execution.
    Security-related programs should, therefore, always be assigned to an authorization group.
    Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.
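
    An added example, not part of the thread: a report that combines the TRDIR-SECU lookup suggested above with a plain text search for AUTHORITY-CHECK in each custom program. The report name, the Z*/Y* naming convention and the restriction to executable programs (SUBC = '1') are assumptions.

```abap
REPORT zdemo_find_auth_checks.

* Added example. Lists custom executable programs with their authorization
* group (TRDIR-SECU) and the number of AUTHORITY-CHECK statements found in
* their own source. Z*/Y* as the customer namespace is an assumption.
TYPES: BEGIN OF ty_result,
         name   TYPE trdir-name,
         secu   TYPE trdir-secu,
         checks TYPE i,
       END OF ty_result.

DATA: gt_progs     TYPE STANDARD TABLE OF ty_result,
      gv_line(255) TYPE c,
      gt_source    LIKE STANDARD TABLE OF gv_line,
      gv_code      TYPE string,
      gv_comment   TYPE string.

FIELD-SYMBOLS <gs_prog> TYPE ty_result.

START-OF-SELECTION.
  SELECT name secu FROM trdir
    INTO CORRESPONDING FIELDS OF TABLE gt_progs
    WHERE ( name LIKE 'Z%' OR name LIKE 'Y%' )
      AND subc = '1'.

  LOOP AT gt_progs ASSIGNING <gs_prog>.
    READ REPORT <gs_prog>-name INTO gt_source.
    IF sy-subrc <> 0.
      CONTINUE.                      " source not readable, skip
    ENDIF.

    LOOP AT gt_source INTO gv_line.
*     Full-line comments start with * in the first column
      IF gv_line(1) = '*'.
        CONTINUE.
      ENDIF.
*     Drop an end-of-line comment before searching
      SPLIT gv_line AT '"' INTO gv_code gv_comment.
      IF gv_code CS 'AUTHORITY-CHECK'.   " CS ignores case
        <gs_prog>-checks = <gs_prog>-checks + 1.
      ENDIF.
    ENDLOOP.

    IF <gs_prog>-secu IS INITIAL AND <gs_prog>-checks = 0.
      WRITE: / <gs_prog>-name,
               'no authorization group, no AUTHORITY-CHECK found'.
    ELSE.
      WRITE: / <gs_prog>-name, <gs_prog>-secu, <gs_prog>-checks.
    ENDIF.
  ENDLOOP.
```

    A text match like this misses checks done in includes, function modules or methods that the program calls, so a zero count marks a program for review rather than proving it is unprotected.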

  • Authorization check for ME54N   v/s Authorization check for ME54

    Hi,
    We have created the PR and released it; with reference to the PR we have created the PO. When we try to revoke the PR release using the t-code ME54, the system gives me an error message that a PO is already created for this PR.
    However, if I try to revoke this PR using ME54N, the system allows me to revoke it.
    My requirement is that the user should not revoke the PR using t-code ME54N once the PO is created against it. Is there any authorization check or object to control the t-code ME54N?
    Regards
    Ajit

    > Alex Ayers wrote:
    > Why do you not remove access to ME54N if they are supposed to use ME54?
    I apologise, Alex - but I do not think that is good advice. ME54N is there for a reason. It will one day substitute ME54 and anyway, changes, bugfixes etc. may no longer be developed for the 'old' transaction.
    Furthermore: compensating lacking functionality or a bug with withdrawing authorisations to the new functionality is -if any- a temporary option only. The OP's phenomenon has to be solved sooner or later.
    So my advice would be:
    First check in SMP whether one of the several notes on ME54N and 'release' applies to your system/version/process.
    Consider opening a call with SAP.

  • Authorization check for surveys

    Hello Friends,
    Does anybody know if there is Authorization check for surveys?
    I want to restrict access to surveys, depend on user and status of surveys (answered or not).
    Thanks for any help.
    Lalas

    Dear Lalas,
    Unfortunately the survey runtime itself doesn't check any authorization.
    But for my personal point of view, you might be able to look into the
    following to fulfil your requirement:
    1. Add JavaScript into the survey XML file
    Or
    2. Define your own function module with additional authorization check,
      and assign it to survey attributes in transaction CRM_SURVEY_SUITE,
      as PBO or PAI function module.
      (relevant steps necessary to activate the customer defined
       authorization obj.)
    Hope these could do help!
    Regards, Gerhard

  • How to check and maintain authorization objects

    Hi All
    Let me know how to check and maintain authorization objects in SU24 ECC 6.0.
    Thanks
    sathies

    Hi Sathies,
    the old check flags
    U  - Unmaintained: No indicator set. The check for corresponding authorization object is always executed. Field values are not displayed in the Profile Generator.
    N  - No check: Check disabled. Field values are not displayed in the Profile Generator. This indicator cannot be set for HR and Basis authorization objects.
    C  - Check: Check always executed. Field values are not displayed in the Profile Generator. For example: Printer authorizations.
    CM - Check/maintain: Check always executed. Field values are displayed for changing in the Profile Generator (yellow light).
    have now been divided into
    Check indicator: Check/No check
    and
    Proposal: Yes/No.
    If defaults=yes, then you can modify them after clicking on the appropriate button.
    Please refer to the online help for SU24 too.
    Although the look of su24 has been changed significantly, the technique behind it is still the same.
    Once you have pressed the 'edit'-button on the top left corner, additional editing options will appear in the right-top-frame.
    b.rgds,
    Bernhard

  • LDB PNP authorization check authorization object

    Hi,
    I have used LDB PNP for HR reports.
    We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
    Hence it appears that authorization check is not working properly.
    Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
        rp-provide-from-last p0002 space gwa_outlist-begda 
                                                        gwa_outlist-begda.
        IF pnp-sw-found NE '1' OR
            pnp-sw-auth-skipped-record EQ '1'.
            EXIT.
        ELSE.
            ls_tab-vorna = p0002-vorna.
            ls_tab-nachn = p0002-nachn.
        ENDIF.
    Please reply with the corrections or alterations,
    Thanks in advance.
    Akash.

    Hi,
    (1)
    Actually, if you're writing a report with PNP LDB, you do NOT need to do this hard-coded auth checking at all, because the LDB ABAP code behind PNP has already done this job for you.
    So all you need to do is to ask your HR consultant or Basis consultant to modify the authority config of a certain ROLE with t-code PFCG, and then assign that ROLE to a certain user with t-code SU01.
    ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
    (2)
    In some cases you do not work with an LDB report; then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK does the authority check by means of Authority Object. Below are authority objects used in the HR module (you can also see them in PFCG if technical name is switched on):
    P_ORGIN    HR: Master Data
    PLOG       Personnel Planning
    P_PCLX     HR: Clusters
    P_TCODE    HR: Transaction codes
    Sample of checking personal area:
    CALL FUNCTION 'AUTHORITY_CHECK'
         EXPORTING
              FIELD1              = 'PERSA'
              OBJECT              = 'P_ORGIN'
              USER                = 'SAPSUPPORT1'
              VALUE1              = 'Z001'
         EXCEPTIONS
              USER_DONT_EXIST     = 1
              USER_IS_AUTHORIZED  = 2
              USER_NOT_AUTHORIZED = 3
              USER_IS_LOCKED      = 4
              OTHERS              = 5.
    " SY-SUBRC = 2 (USER_IS_AUTHORIZED) is the only successful outcome
    IF SY-SUBRC NE 2.
      MESSAGE E001(01) RAISING AUTH_FAILED.
    ENDIF.
    Reward if helpful pls!

  • Selection screen and authorization check for plant from 2 diff tables?

    Hi,
    Could anyone help me out?
    how to write code for  this?
    •   Fields for selection
    Plant : WERKS (one selection) - check authorization access – Mandatory .
    Material code MATNR (one selection) - Mandatory
    And while doing the authorization check, how should I check it? Here I am taking the table as t001w for werks and for the selection screen I am taking it from another Z table......I should take 2 different tables here.....for selection and for authorization.
    my code is pasted below:
    * Data Declarations
    data: s_werks type t001w-werks.
    * Selection Screen
      SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-h01.
      PARAMETER : p_werks like Ztable-werks OBLIGATORY,
                  p_matnr like mara-matnr  OBLIGATORY.
      SELECTION-SCREEN END OF BLOCK b1.
    * Start-of-Selection
    START-OF-SELECTION.
    **-Get Plants for Authorization check.
       SELECT werks
              FROM t001w
              INTO TABLE it_werks
          WHERE werks IN s_werks.
        LOOP AT it_werks INTO x_werks.
           v_werks = x_werks.
    Regards,
    Reddy

    Plant : WERKS (one selection)
    That means only 1 plant value to be given? Then you can use PARAMETERS instead of SELECT-OPTIONS. And additionally, you'll only have to check that plant value.
    Using SELECT-OPTIONS you would indeed retrieve the plants and check each individual selected plant. Your code for that is good enough to start with.
    I wouldn't do the check in the START-OF-SELECTION event, but rather in the AT SELECTION-SCREEN event.
    To perform an authorisation check; try the ABAP help on AUTHORITY-CHECK. And you will need to know which authorisation object you need to use.
    Just noticed you're using PARAMETERS
    WHERE werks IN s_werks
    should be
    WHERE werks eq p_werks
    But actually you don't need to select T001W. Just use the value in p_werks.
    Edited by: Maen Anachronos on Oct 10, 2008 7:53 PM
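
    An added example, not part of the thread, of the check placed in AT SELECTION-SCREEN as suggested above. It goes beyond the single-plant case and handles SELECT-OPTIONS by checking every selected plant; with a single PARAMETERS plant the loop collapses to one AUTHORITY-CHECK on p_werks. The report name, the authorization object M_MATE_WRK and activity 03 are assumptions.

```abap
REPORT zdemo_plant_auth.

* Added example. Assumptions: authorization object M_MATE_WRK (fields ACTVT
* and WERKS) is the object agreed with your security team, and activity 03
* (display) is what this report needs.
TABLES t001w.

DATA: gt_werks   TYPE STANDARD TABLE OF t001w-werks,
      gv_werks   TYPE t001w-werks,
      gv_msg(80) TYPE c.

SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME.
SELECT-OPTIONS s_werks FOR t001w-werks OBLIGATORY.
PARAMETERS     p_matnr TYPE mara-matnr OBLIGATORY.
SELECTION-SCREEN END OF BLOCK b1.

AT SELECTION-SCREEN.
* Resolve ranges and patterns to the plants that really exist
  SELECT werks FROM t001w INTO TABLE gt_werks WHERE werks IN s_werks.
  IF sy-subrc <> 0.
    MESSAGE 'No plant matches the selection' TYPE 'E'.
  ENDIF.

* Check every selected plant; one failure rejects the whole selection,
* so the user stays on the selection screen and nothing is read
  LOOP AT gt_werks INTO gv_werks.
    AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
      ID 'ACTVT' FIELD '03'
      ID 'WERKS' FIELD gv_werks.
    IF sy-subrc <> 0.
      CONCATENATE 'No display authorization for plant' gv_werks
        INTO gv_msg SEPARATED BY space.
      MESSAGE gv_msg TYPE 'E'.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
* gt_werks now holds only plants the user may display; the data
* selection for p_matnr would be restricted to these plants
  LOOP AT gt_werks INTO gv_werks.
    WRITE: / 'Authorized plant:', gv_werks.
  ENDLOOP.
```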

  • How to turn off the authorization checks for a object in infoproviders?

    Hi - how can I turn off the authorization check for an object (ex: 0orgunit) in infoproviders?
    I have 0orgunit as an authorization-relevant object and is used in one of the cubes. When reports are run for this cube, this is causing authorization issues. The object is present in other cubes also but I have to remove or turn off the authorization check of this cube alone. How to do this? Please help.
    Thanks,
    Raj.

    Hi Raj,
    Srinivas is right; however, in BI7 the correct transaction is RSECADMIN and not RSADMIN.
    In BW3.5, use RSSM transaction to do this.
    OR
    Go to transaction RSECAUTH ---> Choose the authorization object that has been created for org unit (and has been assigned to the user). Go to change mode. Remove the cube from the dimension 0TCAIPROV.
    If you are using old authorization concept in 3.5 or in 7.0
    Go to RSSM. In the checks for infoprovider, enter your infoprovider name. Choose change. Here you will see a checkbox to switch off the authorization.
    Hope this helps you,
    Best regards,
    Sunmit.

  • What are authorization checks? And where and what will you write?

    hai, plz anybody send me the answer?

    As the name suggests, it is for authority check, so that the person who is not having authorization for some data/transaction can be restricted from viewing it. It is very important for the security of data. Check below link for details on authorization.
    http://help.sap.com/saphelp_nw04/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm

  • Tcode to create activity group and authorization check,

    hi,
      Can anyone tell me the transaction code to create activity group and authorization check?

    Hi
    I'm not sure about what you want to do; anyway, have you tried the trxs SU20 and SU21?
    Max

  • Disabling authorizations checks for transactions SU53 and/or SU56.

    Greetings.
    I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
    Any truth in this or is my mind playing tricks on me?

    Hi,
    I guess there is profile param auth/tcodes_not_checked (I guess that's right), this will exclude SU53/SU56 from checks on transaction code.
    This can be done using RZ10 and need to restart the system.
    Rakesh

  • Authority Object? Authorization Check for Period

    We consolidated from R3 to SEM tax reporting. So we now are using a different authority-check object. However, all of the parameters that were in the 'Authorization Check for Period' in R3 are not in SEM. Can you manually add parameters to the authority-check? I am not even sure how to change or activate. Is this a Basis thing?
    To be honest I do not know what this object checks when processing. It cannot be debugged?
    I do not think my authorization level will be fully defined with the new object.
    Any suggestions?
              Thanks.
    *In old ERP we used*
    AUTHORITY-CHECK OBJECT 'E_CS_PERMO'
       ID 'PERMO' FIELD '1'   "Open period
       ID 'DIMEN' FIELD g_dimen
       ID 'RVERS' FIELD g_rvers
       ID 'BUNIT' DUMMY
       ID 'CONGR' FIELD g_congr.
    In new SEM system we now need to use:
    AUTHORITY-CHECK OBJECT 'R_UC_PERIO'
               ID 'ACTVT'     FIELD 'PA'          "open period
               ID 'CONS_AREA' FIELD g_congr.
              ID 'TASK_FLD1' FIELD '__________'
              ID 'TASK_FLD2' FIELD '__________'
              ID 'TASK_FLD3' FIELD '__________'
              ID 'TASK_FLD4' FIELD '__________'
              ID 'TASK_FLD5' FIELD '__________'
              ID 'TASK_FLD6' FIELD '__________'
              ID 'TASK_FLD7' FIELD '__________'
              ID 'TASK_FLD8' FIELD '__________'.

    Resolved issue.

  • BI AUTHORISATION - Aggregation Check and Aggregation Authorization

    Hi all,
    The Aggregation Check and Aggregation Authorization in BI Analysis AUTHORISATION? I want to know why it is that when I take the : out of my 0EMPLOYEE,
    0HRPOSITION and 0ORGUNIT, it comes up with authorisation failures, but when I add this : (colon) it works fine.
    I kind of understood what it means, but I am not aware of why it behaves like this when I add and remove it.
    thanks everyone.

    Hi there again,
    Then you can try this:
    Pick up a query as an example. That query is built over, let's say, InfoProvider A.
    Then you go to transaction RSECADMIN and create a ZDUMMY authorization. You give a description. Then you click on the InfoProvider button and insert the name A and click enter. Mark all characteristics but don't mark the options of : values neither the * values.
    You'll see several characteristics added to your new authorization but with no values. Now double click each one and assign the values you want the test user to access.
    Afterwards click on the special charact. button at the left of the InfoProvider button. Now, three new characteristics are added:
    0TCAACTVT
    0TCAIPROV
    0TCAVALID
    And values are automatically assigned to them. They can be left like that, they will be OK. 0TCAACTVT represents activity and can have the value 03, of display of the values; 0TCAIPROV represents InfoProvider and by default those authorization values will be for every InfoProvider, if you want you can change it from * to the value A, in this case, your InfoProvider A; 0TCAVALID can be *, which is valid for ever.
    After that save the authorization and assign it to the test user.
    Now test it, and you'll see only the values that you assign before in your ZDUMMY authorization will be valid for that query.
    Diogo.

    Hi For some reason the Design View on my CS3 is not displaying the correct view. It used to show how the web page would look but it is simply showing up the wording and pictures surrounded by dotted black lines. I am using a template as a bases for a