HR ABAP Custom Authorization Check

Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
    I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.

There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

Similar Messages

  • Abap programe 'AUTHORIZATION-CHECK'

    What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

    Hi,
    You can navigate to the Code this way
    1)
    SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
    "Authority-Check" this displays you whatever entries are there in the code.
    This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
    2)On the other hand if you know the program then go to
    SE38> enter the program name> Select Source Code> Press Display>
    and from there search with the string mentioned above justlike the case mentioned above...
    Hope this helps
    Regards,
    Manohar

  • Abap Report Authorization Checks

    Hi. I have some question on customized abap report to be based on user role organizational level.
    May I know how to program the abap report such that the report will show only data based on user role organizational level (Plant, Company, SalesOrg etc)?
    For instance, if userA role organizational level for plant is plantA, the abap report will only show data for plantA. If userB role organizational level for plant is plantB, the abap report will show data for plantB.
    May i know how to program the abap report?
    Appreciate any guidelines.

    Hi,
    Assign the Users with predefined roles.
    Attach the Orn Units(Plants/St locn, CC/etc) in the roles .
    create a Tcode for the report  and attach that Tcode in that role.
    So now the user can execute that report with that siplant to which he is authorised.
    Hope this helps.
    Regards,
    Anji
    Message was edited by:
            Anji Reddy Vangala

  • Authorization Check Infotype Header

    Hi all,
    i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
    Authorization Check Infotype Header
    Thanks & regards

    1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
    2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
    3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
    cheers

  • Deactivate authorization checks in BSP or function modules?

    Hi all
    I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
    I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
    Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
    Regards
    Mike

    > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
    Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
    Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
    Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
    I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
    I would think that a carefull choice of function module and consulting with your functional guru about config which will not interfer with other requirements is the best route to take.
    I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
    Cheers,
    Julius

  • Custom authorization object and check logic

    Hi gurus,
    we need to apply additional authorization check in our custom reports.
    so i created a custom fields & object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in a abap class method centrally, so it could be called by many reports.
    but the test show that the sy-subrc always set to 0, even for users without any authorization.
    what i missed for adding custom auth check?
    for this case, do i need to maintain authorization check indicator in SU24?
    what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
    but still it is taking the P_ORGIN object.

  • How to find which custom program uses authorization checks

    Hi all,
    I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
    Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
    Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
    Many thanks,
    Aldo

    If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
    Below SAP documentation may help you:
    Authorization Group
    Authorization group to which the program is assigned.
    The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
    Execute a program
    --> Authorization object S_PROGRAM
    Edit a program (-Include) in the ABAP Workbench
    --> Authorization object S_DEVELOP
    Programs that are not assigned to an authorization group are not protected against display and execution.
    Security-related programs should, therefore, always be assigned to an authorization group.
    Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

  • Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

    We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
    Two questions:
    1) Is there any other way we can control who can create/change ABAP code by this method ?
    2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
    Your help would be appreciated.
    Robert Begin,
    450-677-9411 or
    514-924-4311
    or email at [email protected]

    Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
    The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
    Do you have any solution/suggestions to lock this down?
    Much appreciated,
    Regards,
    Robert.

  • Authorization check - customer exit EXIT_SAPLRRS0_001

    Hi gurus,
    a question on customer exit about EXIT_SAPLRRS0_001 related to i_step = 0 (Authorization check).
    I have two InfoObjects: 0WS_CAT and 0WSCATQ. The last one has a compounding that is 0WS_CAT.
    In the exit: I need to check the 0WS_OBSFLAG (a simple flag attribute) to determine if the entries in 0WSCATQ Master data are valid or no.
    If I found that the entry is valid I add the value to the e_t_range export table in this way:
    if ( i_step = 0 ).
        l_s_range-sign = 'I'.
        l_s_range-opt = 'EQ'.
        l_s_range-low = '00000001'.
        append l_s_range to e_t_range.
    endif.
    The problem is the compound, how can specify the value key for the export table?
    For example ... in the table I have three entries:
    0001 00000001 #
    0002 00000001 X
    0003 00000001 #
    The valid entries are:
    0001 00000001 #
    0003 00000001 #
    How can specify '0001' or '0003'? Because if I assign only the value  '00000001' to l_s_range-low then the entries valid in the authorization for 0WS_CATQ are three and not two.
    It's important for me to find a solution.
    Regards, Roberto

    Hi Roberto,
    you have to build your logic into a variable for the other infoobject 0WS_CAT and find your values 0001 and 0003 the way you described.
    You might have to restrict the selection for 0WSCATQ to a single value, in case you have a record like this in addition to the 3 you have listed.
    0002 00000005 #
    Best,
    Ralf

  • Error for customer specific Authorization check (User Exit)

    Dear Experts,
    I am facing a problem in PM.
    I have created a maintenace plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
    I have released the order and got the inspection lot number.
    While entering the results recording through t code QE17, the reluts are out of the specified range, i have given the valuation Rejected, immediately system is giving an error message as below:
    "Error for customer specific Authorization check (User Exit)"
    Though there is no user exit activated in the system, this message is coming and not allowing the result recoring for rejection.
    If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
    I have checked the following user exits:
    QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
    QQMA0026: PM/SM: Auth. check when accessing notification transaction.
    The above 2 User Exits are not active.
    I have also checked a note 429066. But it says incase of any dump for that user exit only its applicable and more over the current version of the system is ECC 6.0 packae 15, where as that note is applicable upto 4.6C.
    Please some one help me on this issue.
    Thanks and Regards,
    Praveen.

    Dear Pete,
    I have cheked with my technical team, There is no hotpacks updated recently. This is the implementaion project I'm in, so performing the cycle for the first time.
    Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the reprt type and tick on Reprt type Changable.
    At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not rwequired then save, the error message no longer apperaing now.
    Regards,
    Praveen

  • Structural authorization check in HR-ABAP

    Hello Friends,
    I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
    Regards,
    Yoganand.

    Hi Yoganand,
    if you use logical database PCH in your report, it should work by default.
    Manually search for RHSTRUAUTH in transaction SE37. There
    is a function modul which gives a list with the person the user has authorization.
    With this list you could compare the list with selected persons.
    hope this helps.
    Regards
    Bernd

  • ABAP: Modify PA infotype without authorization check

    Hello everyone,
    Short version:
    I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
    Does anybody know a solution?
    Long version:
    We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
    So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
    The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

    ECM stands for Employee Compensation management and is one of the SAP HR module.
    But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
      Employee Infotype
      Description
    0758
    Compensation Program
    0759
    Compensation Process
    0760
    Compensation Eligibility Override
    0761
    LTI Granting
    0762
    LTI Exercising
    0763
    LTI Participant Data

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of  a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field e check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
    We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
    It seems new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
    So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • ABAP CUSTOM PROGRAMS vs SOX - What is your best approach?

    SOX defines you must put in place controls to be sure your users can do only those activities wich are not able to create a risk for your company assets.
    You can use GRC AC to get clean and stay clean, but the problem is in your custom developments. Indirectly called transactions are not included in the transaction start check, so I think you must use "authority checks" to validate either stantdard authorization objetcs (sy-tcode, company code...) or custom authorization objects before to call a transacction/BAPI inside a custom program to be sure the user has the right permissions to complete this task.
    Should i validate any single authoritation object defined in SU24 for each single transaction called Indirectly?
    Any other quick win approach?
    thx.

    Manuel,
    There are various types of controls that could be put in place for accomplishing this. Below are some things you could consider to mitigate this risk as I have done in the past which has been sufficent to auditors.
    1) Have a solid review process for Functional Design Specs (FDS) reviews of RICEFW objects being developed into your SAP enviroment and be sure to have the process and review documented. This process will allow you to proactively seek out potential issues before they are coded to senstive areas where the potential risk to financial reporting could arise.
    2) Implement coding standards for Security such as use of Program Auth Groups, Table Auth Groups, and implement certian SAP notes to secure S_DEVELOP object properly. Refer to https://websmp110.sap-ag.de/securitynotes for security notes.
    3) Have a review/monitoring process in place to review access and authorizations to critical objects and transactions. GRC AC is one way to approach this.
    You can use abap program "RSABAPSC : Statistical program analysis to find ABAP language commands" to seek out Authority-Checks in custom development as part of a quality review.
    Thanks,
    Matt

  • Authorization Check for Special Stock Indicator in IE02

    Dear Gurus,
    Would like to check with you if there is an authorization check for change in Special Stock Indicator in IE02-SerData Tab?
    For example, the User will only be allowed to change the Special Stock Indicator only to "E" - Sales Order.
    Would appreciate your help.
    Thanks.

    Hi,
    This cannot be done by using standard auth object. Standard SAP doesnt support control via this field.
    Take help of your ABAP team and create an customized authorization object "Z_OBJECT" with field SOBKZ and which check these field value in table EQBS. Assign this auth object to role and profile you want.
    Use the user exit IEQM0003 Additional checks before equipment update. Give a logic to check auth object when while using equipment change tcode.

Maybe you are looking for