Abap hr authorization

Similar Messages

• Abap programe 'AUTHORIZATION-CHECK'

  What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

  Hi,
  You can navigate to the Code this way
  1)
  SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
  "Authority-Check" this displays you whatever entries are there in the code.
  This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
  2)On the other hand if you know the program then go to
  SE38> enter the program name> Select Source Code> Press Display>
  and from there search with the string mentioned above justlike the case mentioned above...
  Hope this helps
  Regards,
  Manohar

• ABAP Proxy authorization issue when sending message.

  Hi
  We have an interface which uses ABAP proxies. This is used to send a message with attachment, but when i send the message I am getting a 401 error message which says unauthorized.
  I checked all the configs on the sending side and i cant fine anythin wrong. I tried SLDCHECK and all looks fine there as well. I have done the configuration in the Integration engine on the sending side as mentioned in the BLOG - Activating ABAP Proxies.
  We have 3 XI systems Dev, QA and Prod sharing the same SLD. The configs that we have on the sending system (App Sys.) is given below.
  SM59
  HTTP connection : SAPISU_XID
  Host : XI Dev hostname Service Number 8080 (80 <sys number>)
  Path Prefix : /sap/xi/engine?type=entry
  USER  : XIAPPLUSER
  The TCP/IP connections LCRSAPRFC and SAPSLDAPI are also setup on the system which connects to our SLD.
  The TCP/IP connections works fine and i am able to test it succesfully, but the HTTP connection fails with an authorization error (401) when i test it. Now the wierd thing is if I use XIAFUSER instead of appuser it works fine, but if i make a copy of XIAFUSER and try that... It fails again.. I know it sounds strange. So i was wondering if there is any setting on XI which restricts HTTP connections to a particular user??
  I would really aprpeaciate if you could please give me your thought on this issue...
  Cheers
  Prav

  Hi Manish
  Thanks for the input again.
  I checked SICF on the XI system and its not set to any user.
  The HTTP connection on out prod environment is working fine without any issues and its uses a user which is a copy of XIAPPLUSER. SICF in prod also does not have any user configured for service SAP\XI\Engine.
  Thanks for the link, had a look at it, but It looks like these users mentioned are only available with XI7. Our server was upgraded from 3 to 7 and I am not able to find these users on the system.
  I tried testing the HTTP connection in prod using a diffrent user and found its the same story there. If i use any use other than the cutom one.. it fails.. could there be any setting in the exchage profile that can affect this??
  Thanks for your time and help.
  Prav

• Regarding ABAP Query authorization group

  Hi Team,
  This is regarding ABAP Query!
  I have created one authorization group, for testing i have assigned my id in authorization group.
  After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
  Now the isse is even though i have deleted my id from the authorization group. I am able to execute the query from SQ01 and with the Transaction code .
  It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
  Please help me out in this case.
  Thanks & Regards,
  Anil Kumar Sahni

  Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform  S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Gruop= your group.
  You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
  Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

• Webdynpro ABAP content authorization object in SAP portal ?

  Hi
  We are on EHP 6.06 , we have an authorization problem in sap portal for the webdynpro abap content. our standart users got the error "page can not be found" for the services provided from webdynpro abap. when I assign the user to administrator group in sap portal the services working fine. I also checked the SAP ERP roles no problem is there.  I guess I should create a new portal role for them cause its the only difference between users who can reach or not but have no idea what to put in it in SAP portal. Any idea ?

  in portal content directory => double click on the Content provided by sap folder. Than you should have a dropdown somewhere where you can select "Authorizations". You should add the group endusers and check the checkbox.

• HR-ABAP Infotype Authorization issue!

  Hello Experts,
  Need your quick suggestions and inputs, which we're currently facing in our project.
  We're using the PNPCE Logical Database for processing/retrieving the records from infotypes and ALV reports are generated.
  Currently, we have an authorization control which will restrict the user roles in accessing certain infotypes. Thus, the user role is assigned with necessary infotype access in PFCG.
  Now the issue is if a particular user role donot have the authorization to infotye XXXX, which is defined in the Global Declaration (Top Include) in the INFOTYPES statement. Eg: INFOTYPES: XXXX.
  Thus, when the report is executed, the following XXXX infotype authorization is checked as it is defined in INFOTYPES statement, but since the user role is not given the XXXX infotype authorization in PFCG the report execution fails when it checks the infotype authorization when it enters GET PERAS. Thus, a blank screen is thrown with standard SAP error... "No authorization for XXXX infotype".
  Is there any way this error message which blocks the execution of the report be by-passed? If yes, please help to suggest the necessary steps to do so. Thus, the report execution should not be blocked and the ALV report should be displayed with blank values for those XXXX infotypes which donot have authorization even though defined in INFOTYPES statement in Top Include.
  Hope am much clear in describing the major issue that we're currently facing.
  Any inputs to get this issue resolved will be highly appreciated.
  Thanks in anticipation.
  Regards,
  Sundar

  Have you explored the option of using the BAdI HRPAD00AUTH_CHECK?
  ~Suresh

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Abap Report Authorization Checks

  Hi. I have some question on customized abap report to be based on user role organizational level.
  May I know how to program the abap report such that the report will show only data based on user role organizational level (Plant, Company, SalesOrg etc)?
  For instance, if userA role organizational level for plant is plantA, the abap report will only show data for plantA. If userB role organizational level for plant is plantB, the abap report will show data for plantB.
  May i know how to program the abap report?
  Appreciate any guidelines.

  Hi,
  Assign the Users with predefined roles.
  Attach the Orn Units(Plants/St locn, CC/etc) in the roles .
  create a Tcode for the report  and attach that Tcode in that role.
  So now the user can execute that report with that siplant to which he is authorised.
  Hope this helps.
  Regards,
  Anji
  Message was edited by:
          Anji Reddy Vangala

• How do the "Authorization" in ABAP mathch to "Action" in Java?

  Recently I am studying the CC of GRC and some concept really confused me. When creating a new function we need to add some related "Actions" to it, but the concept "Action" only exists in SAP Web AS Java scope, not the ABAP scope. How do the authorization concepts in ABAP like "Authorization Object", "Authorizaton" match to things in Java scope? Obviously we need those ABAP authroization unit when defining the risk among the business processes.
  Thanks

  Hi Dustin,
  in CC functions, the term "action" was chosen because we do need to include actions for non-SAP systems, too.
  In an SAP ABAP context, this can be translated to "TCODE". When you look at the UME connector in 5.3, "Action" also rings a bell in an SAP context.
  Kind regards,
  Frank.

• BW Authorizations Hirerachy Error

  Hello Experts,
  I am experiencing a strange error with regards to the hirerachy authorizations..
  My objective is to create roles (25) that wouldgrant access to the different cost center under cost center hierarchy.So that if a Business Manager is assigned with a role on Particular cost center then when he execute BW report he is supposed to see only BW data on that particular cost center....
  Steps Followed.
  T:Code- RSSM
  Created a authorization object
  Selected the data targets
  'Authorization for several users' (rssm)...selected the authourization object (Context Menu) create profile...
  By selecting required node drag and droped the node so that would generate a profile.
  T:Code-PFCG
  Create a role
  Change authorization data
  edit-insert authorization for profil and inserted the profile generated in rssm..
  Like wise i created 25 different authorizations objects and a profile for each and inserted them in 25 different roles...
  My Error
  If a user is assigned with a roles to authorize to view data on Cost center 1
  If I execute a report by selecting the variable selection button and select my variable the report execute perfectly…
  But if I select the same report again and execute it the it shows me error
  When checking your authorizations for object 'Cheif Executive's Department' (technical name: ZCCCHO) it was established that you do not have authorization in your user master record for this object (return code 12).
  System response
  Procedure
  How you continue depends on the return code. See the online documentation for ABAP language element "AUTHORITY-CHECK". Please note:
  • With a return code of 12, the object 'Cheif Executive's Department' has not been maintained in the user master, meaning there is no profile in the user master record in which this authorization object has been entered. This is, however, absolutely necessary, as all of the authorization objects created in the development class RSR are validated in the 'and' link. If the authorization is missing for only one object, the request is rejected as unauthorized.
  • Get the person responsible for your authorization to create you a profile containing authorization for object Cheif Executive's Department.
  Notification Number BRAIN 805
  But if I select the report again and choose the variable selection button and execute it it will execute perfectly
  This is strange how can I solve this
  Please update me on this ASAP…Urgent
  Thanks
  WILL DEFINITELY ASSIGN POINTS

  Hi
  Thanks for update
  Did you assign the Custom Object in a role given to the user directly?
  yes i did
  Yes it is authorization releavent and
  WHERE CAN I CHECK THESE SETTINGS
  did yoy make it readuy for input or did yiou thick the box Can be changed in query navigation
  What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there
  Thanks

• Change of ABAP report properties by RFC

  Hi there,
  does anyone know a function module SE37 (remote capable!!!)
  which can change the properties of an existing ABAP report (authorization group, title, etc.)
  Thanks on advance,
  Andi

  >
  A. Hartmann wrote:
  > Hi there,
  > does anyone know a function module SE37 (remote capable!!!)
  > which can change the properties of an existing ABAP report (authorization group, title, etc.)
  >
  > Thanks on advance,
  > Andi
  Hi A. Hartmann,
    There are function modules that can be used to change Texts, Status, Menus etc...All these might not be remote enabled but then we can always write an API to Wrap these function modules. They are as follows:-
  Function Modules                     Description
  RS_CUA_ABAR_CHANGE             Change the Menu Bars
  RS_CUA_CHANGE                  Graphical User Interface: Change a
  RS_CUA_FUNL_CHANGE             Change Function Texts
  RS_CUA_MENU_CHANGE             Changes to Menu List
  RS_CUA_PFKL_CHANGE             Change Function Key Settings
  RS_CUA_SINGLE_ABAR_CHANGE      Change a Menu Bar
  RS_CUA_SINGLE_MENU_CHANGE      Change a menu
  RS_CUA_SINGLE_PFK_CHANGE       Change A Function Key Setting
  RS_CUA_SINGLE_TITLE_CHANGE
  RS_CUA_STATEXT_CHANGE          Change status short texts
  RS_CUA_TITLE_CHANGE
  Regards,
  Ravi.

• Authorization Check Infotype Header

  Hi all,
  i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
  Authorization Check Infotype Header
  Thanks & regards

  1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
  2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
  3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
  cheers

• ABAP QUERY STEPS

  Hi Friends,
  can i send me Creation of ABAP QUERY...
  REGARDS,

  What Is SAP Queries
  Many times a need arises for SAP Users and Functional Consultants to generate quick reports without getting any ABAP coding done – time taken to complete the coding in development, transport and test it in QA system and then transport to production – is sometimes too long. In such cases, ABAP/4 query is a tool provided by SAP for generating these kind of reports.
  Type of Report Desired:
  Before starting to write an ABAP query, its advisable to decide the type of report that the user wants. ABAP query provides the following type of reports:
  Basic List Simple report
  Statistics Report containing statistical functions like Average &Percentage
  Ranked List Report written for analytical purpose
  The output is always seen in the order of Basic List, then Statistics and then Ranked List if any. One ABAP query can have one basic list, maximum of 9 statistics and maximum of 9 ranked lists.
  In a nutshell, an ABAP/4 query can be designed in four steps
  - Creation of a user group
  - Creation of functional area
  - Assignment of user group to functional area
  - Creation of the query based on functional area
  The various objects that form an ABAP query can be created in the following 2 ways:
  - Tools => ABAP/4 Workbench => Utilities => ABAP/4 Query
  OR
  - By executing the transaction codes mentioned below:
  SQ01 ABAP/4 Query
  SQ02 Functional Area
  SQ03 User group
  Step I - Create Functional Area
  In the functional area section, the user indicates from which part of the SAP database the data is going to be retrieved and how the data is to be retrieved by the query. One functional area can be assigned to many user groups. A functional area can be created with or without a logical database. To create a functional area with a logical database, one has to mention the name of the database and then select the fields from the tables that form the logical database.
  ABAP Query Authorizations: To use an ABAP query, the user must have appropriate authorizations. Two ways of providing authorizations to the users are as follows:
  - User groups
  The user should be a part of at least one user group to run the corresponding ABAP query. This automatically restricts the access of the user to specific functional areas, and thus the corresponding underlying logical databases.
  - Authorizations
  The authorization object S_QUERY should be used to give proper authorizations to the user for a query. This authorization object has a field named ACTVT which can take values 02 for Change, 23 for Maintain and 67 for Translate.
  This value determines whether the user can create and modify the query. The possible authorizations in the object are as follows:
  S_QUERY_ALL Change, maintain and translate query
  S_QUERY_UPD Change and Translate
  Though the general concept of an ABAP query is moderately difficult, the results and the long term use of the ABAP query is worth the effort.
  Creating the ABAP Query
  To create the query use the menu path Environment => Queries
  · Give a name to the query and click on the Create button
  · Give the description of the query in the next screen. Specify the output length and select the processing option from the Further Processing Options box. The data can be displayed in various formats such as table, download to a file, and display in Word etc.
  · Click on the Next screen icon. Select the functional group screen. All the functional groups created in the functional area are displayed. Select the groups that you desire – fields from only these groups will be displayed in the output. Click on the respective check boxes and click on the Next Screen icon.
  · The Select Field screen gets displayed. Select all the fields from the user group that you need to display on the output of the query. If required, specify the short names for the fields using the menu path Edit => Short Names => Switch On/Off or you can also change the selection text contains in the order you want to appear on the selection screen. You can also maintain column headers for the fields by using the menu path Edit => Column Header => Maintain. 
  ·         Click on the Next Screen icon to get the Selections Screen. Here you can check against the fields that you require to be shown on the selection screen.
  ·         Now we need to specify the output type for the query as Basic List, Statistics or Ranked List. Choose the option Basic List.
  ·         On the Basic List line structure screen the following things can be done
  o        Specify the report layout in detail – lines on which the fields will appear.
  o        Order in which the fields will appear in the output
  o        Sort order for the fields – this is optional.
  o        For the numeric fields you can check against the fields for which you require totals in the output.
  o        Beautify the output according to the options provided.
  ·         Click on the next screen icon, to specify the control levels as mentioned below
  o        Specify the sort order. The default sort order is ascending and can be changed to descending if required.
  o        Totals for each field selected for sorting can be displayed
  o        To display the output of a field in a box click on the check box against box. To display a line after the output of a field, click on the check box against BlnkLn
  o        To display the output of a field on a new page click on the check box against New Page
  ·         Click on the next screen icon to get the List Line options Screen. Here you can specify the background color for displaying the output.
  ·         Click on the next screen icon to get the Field Output Option screen. In this you can specify the following:
  o        Change the output length or the display positions of the fields
  o        Specify the display position of the unit for quantity or currency fields. Click left radio button to display it before the figure, middle radio button to display it after the figure while last radio button to hide the unit altogether.
  o        Specify color for the column of every field under the Format option.
  o        Specify the label against the output of sort fields.
  ·         Click on the Next screen option to go to the Basic List Header screen. Here you can specify
  o        Give page header and page footer for the output
  o        Include user name and date by specifying &N and &D respectively.
  After providing all the above options you can save the query and execute it by clicking the Execute button twice
  Regards,
  Maha

• How to find which custom program uses authorization checks

  Hi all,
  I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
  Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
  Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
  Many thanks,
  Aldo

  If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
  Below SAP documentation may help you:
  Authorization Group
  Authorization group to which the program is assigned.
  The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
  Execute a program
  --> Authorization object S_PROGRAM
  Edit a program (-Include) in the ABAP Workbench
  --> Authorization object S_DEVELOP
  Programs that are not assigned to an authorization group are not protected against display and execution.
  Security-related programs should, therefore, always be assigned to an authorization group.
  Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

• KOB1 authorization group mising

  Hi,
  when i'm excuting KOB1 i'm getting the output report shows all the line items as per given selection in quality system,
  when i'm using the different user ID and same quality its not showing the line items some authorizations missing .
  how can i check and how can i fix this issue.
  thanks in advance.

  hi,
    There are authorization given for  many transaction  .
    Developer don't have that authorization  tell your FUNCTIONal  Member  about this and Get it done from basis TEAM .
  SAP AUTHORIZATION OBJECT TABLE
  Table Name  Description
  TOBJ Authorization Objects
  TACT Activities which can be Protected (Standard activities authorization fields in the system)
  TACTZ Valid activities for each authorization object
  TDDAT Maintenance Areas for Tables
  TSTC SAP Transaction Codes
  TPGP ABAP/4 Authorization Groups
  USOBT Relation transaction > authorization object
  USOBX Check table for table USOBT
  USOBT_C Relation Transaction   > Auth. Object (Customer)
  USOBX_C Check Table for Table USOBT_C
  USR01 User master record (runtime data)
  USR02 Logon data
  USR03 User address data
  USR04 User master authorizations
  USR05 User Master Parameter ID
  USR06 Additional Data per User
  USR07 Object/values of last authorization check that failed
  USR08 Table for user menu entries
  USR09 Entries for user menus (work areas)
  USR10 User master authorization profiles
  USR11 User Master Texts for Profiles (USR10)
  USR12 User master authorization values
  USR13 Short Texts for Authorizations
  USR14 Surchargeable Language Versions per User
  USR30 Additional Information for User Menu
  USH02 Change history for logon data
  USH04 Change history for authorizations
  USH10 Change history for authorization profiles
  USH12 Change history for authorization values
  UST04 User masters
  UST10C User master: Composite profiles
  UST10S User master: Single profiles
  UST12 User master: Authorizations
  Regards
  Deepak.
  Edited by: Deepak Dhamat on Oct 2, 2010 7:00 AM
  Edited by: Deepak Dhamat on Oct 2, 2010 7:04 AM