USE Standard Authorization object in Z Program

Similar Messages

• How to use Standard Authorization Object 'M_MATE_WRK'  in SE38?

  Hi all,
  We have developed one program which calculates the commercial price of the material   
    and update the same in the material master.
  Now we want to implement authorization checks at Plant Level.
  For this purpose I am Using 'M_MATE_WRK' which is standard authorization object.
  But in my Program when I am checking for it, its giving the sy-subrc value as 0.
  This indicates that either it is successful or the object is not active for this particular  program. In my case I know that its the second case only.
  So now somewhere i need to 'Check' this object for this particular Program.
  I have checked SU22 , SU24 but couldn't figure out where should i do the respective  setting.
  I am working on ECC 6.0
  Please help me on this.
  Bare with me if i am asking a silly question.

  Hello All,
  The Problem is resolved now.
  Actually it was the first case only.
  When i created the new user id and checked i realized that its working fine and there was
  some mistake while checking previously.
  Anyways thanks for ur reply.

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• Where we can use standard ODS Object and Trasactional ODS Object ?

  Where we can use standard ODS Object and Trasactional ODS Object ?

  Hi,
  In a standard ODS object, data is stored in different versions (active, delta, modified), whereas a transactional ODS object contains the data in a single version.  Therefore, data is stored in precisely the same form in which it was written to the transactional ODS object by the application. In BW, you can use a transaction ODS object as a data target for an analysis process. The transactional ODS object is also required by diverse applications, such as SAP Strategic Enterprise Management (SEM) for example, as well as other external applications.Transactional ODS objects allow data to be available quickly. The data from this kind of ODS object is accessed transactionally, that is, data is written to the ODS object (possibly by several users at the same time) and reread as soon as possible.
  It offers no replacement for the standard ODS object. Instead, an additional function displays those that can be used for special applications.
  Regards,
  R.Ravi

• What is standard authorization object for  Personal development  P_PLOG

  Hi,
  Recently i got a object in HR and i dont have any experince in HR.Could you guide me how to asssign standard authorisation object for the personal development p_plog? how to see the infotypes and what is the header field in innfotypes?

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• Standard authorization object for Infotype 41

  hi
  Just wondering did anyone came across standard profile that can define access based on date types?
  thanks

  1-First of all the object is "PLOG"  for personal planning. There’s no object with  p_plog , most of time to maintain HR master we use object P_ORGIN.
  2- You want to assign authorization for certain infotypes?
  if yes, you have to go TR.PFCG  and assign the authorization to that specific role.
  Now you might have question , how you’ll will track down the roles against the authorization object .
  There’re several ways , you can go to Tr.SUIM and find reports by user , roles etc.
  You can also go SE16-> give table AGR_1251, give object and you can see the values in table.
  After finding the suitable roles you can go to PFCG and assign the values to the roles.
  As a good practice its better to create your OWN role Z:hrXXXX and assign it to users.
  Hope this’ll give you idea!!
  <b>P.S award the points.</b>
  Good luck
  Thanks
  Saquib Khan
  "Knowledge comes but wisdom lingers!!"

• How to use CRM authorization object.

  Hi All,
  I have a specific requirement to restrict user while he/she tries to save a record. It appears that if that restrictions are implemented the save logic for an entity has to be changed because there are some validation regarding relationship management in SAP system. SO I need to bypass that validation to allow some users of specific(Marketting) role to save the entity record bypassing that validation. here I am planning to use the CRM authorization objects. But dont know how to use these and which authorization object to refer.
  Please let me know if you guys have any idea.
  Regards,
  Bikramjit.

  Hi Bikramjit.,
  You might need to create a Custom authorization object and then use it. Else you can create one Z table and maintain the User ID of all users. The mainatin one field with flag and set it to X for the user that are aloowed to save the transaction.
  Also once you maintain the table, generate the table maintenance so that it becomes easier for future use.
  Hope this helps

• Use the authorization object while creating RFC

  Hi All,
  I'm able to create a RFC, can login from one sap system to another sap system and use the  following FM.  Here my concern is how to make the RFC more secure, i mean any user can access the target system with my login. Meanwhile came across a authorization object text box in the LOGON and SECURE tab while creating RFC.
  so please put on light on how to authenticate the specific user to logon using the RFC.
  Thanks in Advance.
  Regards
  Lalitkumar.

  Hi Lalit,
  Usually for RFC connection will be done with the, user type   system user type (means,they should not be able to login to system thru GUI)
  2. Even if the user know the login id / password, he should  have auth to create RFC like (SM59 and related auth objects)
  and even for remote connection also we have different auth to restrict
  3. These type of authorization will be  given to basis guys only.
  4. Logon/Security 
               Lang-En
               Client-` client no
               user-  user
               Password - bw password.
  Here you will be specfying the  user id  ( system type)  / password for connecting from one system to another.
  and in next tab you can do Test connection.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a08fbe33-0501-0010-2d9c-fb37e9795fd9
  Thanks,
  Sri

• Where-used list for objects of a program

  Hi all,
  I need find a FM, Method, etc, to get all the objects are used by a program. Similar SE80's tree. Someone knows what I can use?
  Thanks!

  Hi Priscila_56,
  you may try with lcl_dev_cross_ref=>get_reqobj class method, defined in [Wiki SDN: ABAP program to read where-used lists|http://wiki.sdn.sap.com/wiki/display/ABAP/ABAPprogramtoreadwhere-used+lists]
  BR
  Sandra

• How to use standard Authorisation object?

  Hi, suppose in PFCG in a Z role suppose i have added a standard tcode (exp. VA01). Now in the authorisation field if I go to chage it it will automatically populate all maintain screens regarding that TCODE where we can maintain authorisations.
  Now suppose I have used a standard authority obj (for exp V_VBAK_AAT ) in at-selection screen of my Zprogram. Now while assiging the Ztcode in the role I m not getting the maintains screen which generates automatically for standards. I have to use the standard authotity obj, but while assigning how can we call the maintainance screen for the used autho-obj?

  Hello All,
  The Problem is resolved now.
  Actually it was the first case only.
  When i created the new user id and checked i realized that its working fine and there was
  some mistake while checking previously.
  Anyways thanks for ur reply.

• How to Use new Authorization Objects

  Hi guys i need to implement the new schema of authorizations and i have created an authrization and add the 0comp_code characteristic (previously i set i it up as authorization relevant) and i need to add the restrictions for infoprovider but i need to add the new infoobjects 0TCAIPROV, 0TCAACTVT, 0TCAVALID, but this infoobjects i ve activated are not authorization relevant and i am not using them in any infocube, thats the reason why i cant use them in an authorization.....
  Do i need to add them in my infocube or theres another configuration in order to use them?
  Regards

  Hello Oscar,
  You do not have to add the 0TCA* characteristics to your InfoCube. Instead you have to set these characteristics to authorization relevant. Then everything should work as intended.
  General information on how to use the new analysis authorizations can be found here: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
  Kind regards,
  Stefan

• How can I use HTTP authorization in my program?

  I'm writing full-featured proxy server in Java and want to require users to provide login and password and then use their login-name internally to provide different permissions, different quotas, etc... for different users. How can I do that with Java? I prefer to use standard HTTP method for this (classic pop-up login/password dialog in client browser). This is typical solution for all password-protected proxies.
  This question sounds so simple... How to popup a standard dialog asking for login/password in client browser and get its values for farther processing. But I googled for the solution and found nothing. In the Internet, there is a lot of information about how I can use password-protected proxy but none about how I can write one myself with Java.
  Thanks. I need at least some clues...

  I'm asking exactly what I'm asking for in the title :) . Maybe I need to give an example with additional explanation?
  I'm writing a proxy. It has different settings for each user so it must recognize user name and password. Of course, user want to use a browser or other program (possibly another proxy - for example Proxomitron or Privoxy to filter banners and ads) to make requests via my proxy. Browser (not my proxy) should pop-up a dialog asking for a login and password if my proxy server will require authorization. Of course not every program will pop-up a dialog: for example in case of Privoxy or Proxomitron user must provide login and password for parent proxy. In this example "parent proxy" is my proxy. Question is: how I can request HTTP authorization (by sending Proxy-Authenticate) and handle the input? Is there any standard API for that in Java?
  There is big difference between standard HTTP authorization and custom pop-up dialog or custom web-interface login page. In first case user can use standard settings in his/her program/browser to provide password automatically (in this case user just need to enter his/her password once). HTTP authorization is the standard. My proxy need to handle Proxy-Authorization request-header field.
  The Proxy-Authorization request-header field allows the client to identify itself (or its user) to my proxy which (should be able to) require authentication. The Proxy-Authorization field value consists of credentials containing the authentication information of the user agent for the proxy and/or realm of the resource being requested.
  So more complete question would be: is there standard API or third-party API in Java for requesting Proxy-Authorization field from a client and process its values (for example: if password and login is correct then user is allowed to use the proxy; if not user will be asked for login and password again).
  If someone knows proxy server (with source code in Java) which can use standard password protection this will be good answer to my question too.
  Unfortunately it seems that I will need to write account-management code for my proxy myself. Oh, this isn't too hard but for C/C++ there is a lot of examples and ready-to-use pieces of code which I can use immediately. This is why I'm asking here this question: before I will write HTTP authorization class in Java from scratch I want to make sure there is no "ready-to-use piece of code". I don't want to "reinvent the wheel".
  For now, I even cannot find a proxy server with Java source code with ability to use standard password protection to prevent access for non-authorized users. So I'm asking here if there is ready-to-use API (class) for doing HTTP authorization or I need to write one myself.
  Message was edited by:
  Dark_Dragon

• How to use authorization object P_PERNR ?

  Hi, Gurus~
  In our system, there is a user whose User ID is "00041", and she can modify her own 0008, we want to control it so that she can only display her own 0008, but process 0008 for all other employees
  So, i use the authorization object P_PERNR to do this, i set the fields value like this (totally copy from the SAP help for P_PERNR....):
  Authorization level:  W,S,D,E
  Infotype: 0008
  Interpretation of assignment personnel number: E
  Subtype: *
  and then, i maintain her master data 0105's subtype 0001-system user name as 00041
  i think she shouldn't maintain her own 0008 now ,but she still can maintain it
  i want to know why and how to solve it, did i do it in the right way?
  Thank you in advance!

  P_PERNR   HR: Master Data - Personnel Number Check
  You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
  The following values are possible for the PSIGN field:
  I   =          Authorization for personnel number assigned, that is for own personnel number
  E  =          Authorization for all personnel numbers excluding own personnel number
  You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
  This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
  Example of Personnel Number Check P_PERNR
  The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
  The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows: AUTHC = R, M
  PSIGN = I
  INFTY = *
  SUBTY = * AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0008
  SUBTY = *
  In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
  The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
  As the following examples illustrate, inconsistent authorizations can be granted.
  Example 1:
  AUTHC = *
  PSIGN = I
  INFTY = 0014
  SUBTY = M* AUTHC = W, S, D, E
  PSIGN = E
  INFTY = 0014
  SUBTY = *
  The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
  The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
  The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
  Example 2:
  AUTHC = *
  PSIGN = *
  INFTY = *
  SUBTY = *
  This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
  As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
  Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
  If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
  P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

• Authorization object in program

  Hi All,
  I have a requirement to determine the sales areas that a business partner is authorized to edit in my report program. Can this be done by programatically using the Authorization object CRM_BP_SA.
  Thanks,
  Shilpi

  Hi Shilpa,
  Actually you have confirm first that the report is only for display or doing some changes,later
  select all the entries from the check table .(like for plants(WERKS)  t001w).
  take the entry .
  data: t_werks type range of werks.
  data:ft_werks type range of werks.
  data: wa_weks type werks.
  select werks from t001w into t_werks .
  loop at t_werks into wa_werks.
  Authority-check-object = '?'
                          ID 'WERKS'  field    = wa_werks
                          ID 'ACTIV'   field = '*'.
  if sy-subrc in initial.
  append wa_werks into ft_werks.
  endif.
  use table ft_werks for F4 help .
  Regards,
  Kiran Kumar

• Authorization object coding in ABAP report

  Hi,
  I am working on a report. The output of the report is details regarding vendor based on purchasing organization. When user executes the reports, they should be only able to see details if they are authorized to (create, change and display) for the purchasing org of vendor.
  The authrorization object by SAP security team is 'M_LFM1_EKO' for standard access to vendors (via MK01, MK02 AND MK03).
  How can I use same authorization object to do check in my program for the user in ABAP so that if user is not authroized he will not be able to see details during output for those vendor.
  Regards,
  Tgshah.

  Hi ,
  Basically you need to call Authority-check using the pattern option and then pass the object name and field name .If the user has been assigned that object in his profile sy-subrc will succed otherwise fail .
  AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
           ID 'ACTVT' FIELD '1/2/3'
           ID 'EKORG' FIELD 'value of purchase organization'.
  IF sy-subrc eq 0 .
  WRITE :'authorization' .
  ELSE .
    WRITE 'no authorization' .
  ENDIF.
  The below lonk explains it more ...
  [http://help.sap.com/saphelp_40b/helpdata/fr/d4/e02c7dd435d1118b3f0060b03ca329/content.htm]
  Thank you .
  Anjaneya .