Abap hr authorization
Hi All,
I'm new to ABAP HR and want to clear up some doubts. So far, according to my knowledge, PA30 is the Tcode to maintain HR Master Data: the PA, Benefits, Time & Payroll Infotypes can all be maintained via this Trx, and the database tables could be from PA0000 through PA9999, the 9000 series being the Custom Infotypes.
So My doubts are..
1- For each infotype like infotype 0001, 0002, is all related data maintained in a database table like PA0001....PA0033...?
2- If a user has an authorization restriction like P_ORIGIN for Personnel area, and users are not able to view employee data from other personnel areas, will this restriction also work for the same user in the case of the related infotype data tables (in SE11) like PA0001....00045?
Regards,
Anuj jain
Hello
Here are the answers to your questions
1) Yes for Employee data. But for Applicants the tables will be PB0001, PB0002 ....
2) Not sure what exactly your question is here. If you intend to know whether users can view data of other employees not under his/her authorization profile through SE11, yes that is possible. HR structural auth. is only dependent at the transactional level.
- Ranganath
Similar Messages
-
Abap program 'AUTHORIZATION-CHECK'
What is abap program 'AUTHORIZATION-CHECK', how can I navigate there
Hi,
You can navigate to the Code this way
1)
SE93 > Display > double-click on the entry corresponding to Program --> then you enter the source code. Here select Find and give the search string as
"Authority-Check"; this displays whatever entries are there in the code.
This method is useful if you know the Tcode and want to see what check statements are there in the ABAP code corresponding to it.
2) On the other hand, if you know the program, then go to
SE38 > enter the program name > select Source Code > press Display >
and from there search with the string mentioned above, just like the case mentioned above...
Hope this helps
Regards,
Manohar -
ABAP Proxy authorization issue when sending message.
Hi
We have an interface which uses ABAP proxies. This is used to send a message with an attachment, but when I send the message I am getting a 401 error message which says unauthorized.
I checked all the configs on the sending side and I can't find anything wrong. I tried SLDCHECK and all looks fine there as well. I have done the configuration in the Integration Engine on the sending side as mentioned in the blog - Activating ABAP Proxies.
We have 3 XI systems Dev, QA and Prod sharing the same SLD. The configs that we have on the sending system (App Sys.) is given below.
SM59
HTTP connection : SAPISU_XID
Host : XI Dev hostname Service Number 8080 (80 <sys number>)
Path Prefix : /sap/xi/engine?type=entry
USER : XIAPPLUSER
The TCP/IP connections LCRSAPRFC and SAPSLDAPI are also set up on the system which connects to our SLD.
The TCP/IP connections work fine and I am able to test them successfully, but the HTTP connection fails with an authorization error (401) when I test it. Now the weird thing is if I use XIAFUSER instead of appuser it works fine, but if I make a copy of XIAFUSER and try that... it fails again. I know it sounds strange. So I was wondering if there is any setting on XI which restricts HTTP connections to a particular user?
I would really appreciate it if you could please give me your thoughts on this issue...
Cheers
Prav
Hi Manish
Thanks for the input again.
I checked SICF on the XI system and it's not set to any user.
The HTTP connection on our prod environment is working fine without any issues and it uses a user which is a copy of XIAPPLUSER. SICF in prod also does not have any user configured for service SAP\XI\Engine.
Thanks for the link, had a look at it, but it looks like these users mentioned are only available with XI7. Our server was upgraded from 3 to 7 and I am not able to find these users on the system.
I tried testing the HTTP connection in prod using a different user and found it's the same story there. If I use any user other than the custom one, it fails. Could there be any setting in the exchange profile that can affect this?
Thanks for your time and help.
Prav -
Regarding ABAP Query authorization group
Hi Team,
This is regarding ABAP Query!
I have created one authorization group; for testing I have assigned my ID to the authorization group.
After creation of the ABAP query, a standard program got generated. Now I have created one transaction code at the last for the ABAP Query.
Now the issue is that even though I have deleted my ID from the authorization group, I am able to execute the query from SQ01 and with the transaction code.
It should not happen... I want that whosoever's ID is mapped to the transaction code, only that member should be able to run that query; otherwise there is no use of the authorization group.
Please help me out in this case.
Thanks & Regards,
Anil Kumar Sahni
Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block enter S_TABU_DIS in 'Auth.Object' and accept. Then enter Activity=03 and Auth.Group= your group.
You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. Maybe you have the SAP_ALL profile.
Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: Relate transaction to query -
Webdynpro ABAP content authorization object in SAP portal ?
Hi
We are on EHP 6.06, and we have an authorization problem in SAP Portal for the Web Dynpro ABAP content. Our standard users get the error "page can not be found" for the services provided from Web Dynpro ABAP. When I assign the user to the administrator group in SAP Portal, the services work fine. I also checked the SAP ERP roles; no problem is there. I guess I should create a new portal role for them, because it's the only difference between users who can reach it or not, but I have no idea what to put in it in SAP Portal. Any idea?
In the portal content directory => double-click on the "Content provided by SAP" folder. Then you should have a dropdown somewhere where you can select "Authorizations". You should add the group endusers and check the checkbox.
-
HR-ABAP Infotype Authorization issue!
Hello Experts,
Need your quick suggestions and inputs, which we're currently facing in our project.
We're using the PNPCE Logical Database for processing/retrieving the records from infotypes and ALV reports are generated.
Currently, we have an authorization control which will restrict the user roles in accessing certain infotypes. Thus, the user role is assigned with necessary infotype access in PFCG.
Now the issue arises if a particular user role does not have the authorization for infotype XXXX, which is defined in the Global Declaration (Top Include) in the INFOTYPES statement. E.g.: INFOTYPES: XXXX.
Thus, when the report is executed, the XXXX infotype authorization is checked as it is defined in the INFOTYPES statement, but since the user role is not given the XXXX infotype authorization in PFCG, the report execution fails when it checks the infotype authorization on entering GET PERAS. Thus, a blank screen is thrown with the standard SAP error... "No authorization for XXXX infotype".
Is there any way this error message, which blocks the execution of the report, can be by-passed? If yes, please help to suggest the necessary steps to do so. Thus, the report execution should not be blocked and the ALV report should be displayed with blank values for those XXXX infotypes which do not have authorization even though defined in the INFOTYPES statement in the Top Include.
Hope I am clear in describing the major issue that we're currently facing.
Any inputs to get this issue resolved will be highly appreciated.
Thanks in anticipation.
Regards,
Sundar
Have you explored the option of using the BAdI HRPAD00AUTH_CHECK?
~Suresh -
HR ABAP Custom Authorization Check
Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.
There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going nowhere.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM -
Abap Report Authorization Checks
Hi. I have some question on customized abap report to be based on user role organizational level.
May I know how to program the abap report such that the report will show only data based on user role organizational level (Plant, Company, SalesOrg etc)?
For instance, if userA role organizational level for plant is plantA, the abap report will only show data for plantA. If userB role organizational level for plant is plantB, the abap report will show data for plantB.
May i know how to program the abap report?
Appreciate any guidelines.
Hi,
Assign the users predefined roles.
Attach the Org Units (Plants/St locn, CC/etc) in the roles.
Create a Tcode for the report and attach that Tcode in that role.
So now the user can execute that report with that plant to which he is authorised.
Hope this helps.
Regards,
Anji
Message was edited by:
Anji Reddy Vangala -
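One way to code the plant restriction asked about in this thread, as an added example that is not part of the original posts: the report tests each selected plant with AUTHORITY-CHECK and reads data only for the plants that pass. The report name ZDEMO_PLANT_AUTH and the choice of object M_MATE_WRK (fields ACTVT and WERKS) with table MARC are assumptions; use the object that protects the data your report actually reads.

```abap
REPORT zdemo_plant_auth.
" Added illustration; report name, object M_MATE_WRK and table MARC
" are assumptions, not taken from the thread.

TYPES: BEGIN OF ty_row,
         matnr TYPE marc-matnr,
         werks TYPE marc-werks,
       END OF ty_row.

DATA: gv_werks   TYPE werks_d,
      gt_plants  TYPE STANDARD TABLE OF werks_d,
      gt_allowed TYPE RANGE OF werks_d,
      gs_allowed LIKE LINE OF gt_allowed,
      gt_rows    TYPE STANDARD TABLE OF ty_row,
      gs_row     TYPE ty_row.

SELECT-OPTIONS s_werks FOR gv_werks.

START-OF-SELECTION.
  " Resolve the selection (ranges, patterns, or empty = all plants)
  " to the concrete plants that exist in T001W.
  SELECT werks FROM t001w INTO TABLE gt_plants WHERE werks IN s_werks.

  " Keep only the plants for which the user's roles allow display (03).
  LOOP AT gt_plants INTO gv_werks.
    AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
      ID 'ACTVT' FIELD '03'
      ID 'WERKS' FIELD gv_werks.
    IF sy-subrc = 0.
      gs_allowed-sign   = 'I'.
      gs_allowed-option = 'EQ'.
      gs_allowed-low    = gv_werks.
      APPEND gs_allowed TO gt_allowed.
    ENDIF.
  ENDLOOP.

  " An empty range table in WHERE ... IN selects every row, so stop
  " here when no plant passed the check.
  IF gt_allowed IS INITIAL.
    MESSAGE 'No display authorization for the selected plants'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  SELECT matnr werks FROM marc INTO TABLE gt_rows
    WHERE werks IN gt_allowed.

  LOOP AT gt_rows INTO gs_row.
    WRITE: / gs_row-matnr, gs_row-werks.
  ENDLOOP.
```

With this in place, the plant values maintained at organizational level in the user's role decide which rows appear; the role and Tcode assignment described in the reply supply those values.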
How do the "Authorization" in ABAP match to "Action" in Java?
Recently I have been studying the CC of GRC and some concepts really confused me. When creating a new function we need to add some related "Actions" to it, but the concept "Action" only exists in the SAP Web AS Java scope, not the ABAP scope. How do the authorization concepts in ABAP like "Authorization Object", "Authorization" match to things in the Java scope? Obviously we need those ABAP authorization units when defining the risk among the business processes.
Thanks
Hi Dustin,
in CC functions, the term "action" was chosen because we do need to include actions for non-SAP systems, too.
In an SAP ABAP context, this can be translated to "TCODE". When you look at the UME connector in 5.3, "Action" also rings a bell in an SAP context.
Kind regards,
Frank. -
BW Authorizations Hierarchy Error
Hello Experts,
I am experiencing a strange error with regard to the hierarchy authorizations.
My objective is to create roles (25) that would grant access to the different cost centers under the cost center hierarchy, so that if a Business Manager is assigned a role on a particular cost center, then when he executes a BW report he is supposed to see only BW data on that particular cost center....
Steps Followed.
T:Code- RSSM
Created a authorization object
Selected the data targets
'Authorization for several users' (RSSM)... selected the authorization object (context menu), create profile...
By selecting the required node, dragged and dropped the node so that it would generate a profile.
T:Code-PFCG
Create a role
Change authorization data
Edit - insert authorization for profile, and inserted the profile generated in RSSM.
Likewise I created 25 different authorization objects and a profile for each and inserted them in 25 different roles...
My Error
If a user is assigned a role authorizing him to view data on Cost center 1
If I execute a report by selecting the variable selection button and select my variable, the report executes perfectly
But if I select the same report again and execute it, then it shows me an error
When checking your authorizations for object 'Cheif Executive's Department' (technical name: ZCCCHO) it was established that you do not have authorization in your user master record for this object (return code 12).
System response
Procedure
How you continue depends on the return code. See the online documentation for ABAP language element "AUTHORITY-CHECK". Please note:
With a return code of 12, the object 'Cheif Executive's Department' has not been maintained in the user master, meaning there is no profile in the user master record in which this authorization object has been entered. This is, however, absolutely necessary, as all of the authorization objects created in the development class RSR are validated in the 'and' link. If the authorization is missing for only one object, the request is rejected as unauthorized.
Get the person responsible for your authorization to create you a profile containing authorization for object Cheif Executive's Department.
Notification Number BRAIN 805
But if I select the report again and choose the variable selection button and execute it it will execute perfectly
This is strange how can I solve this
Please update me on this ASAP Urgent
Thanks
WILL DEFINITELY ASSIGN POINTS
Hi
Thanks for the update
Did you assign the Custom Object in a role given to the user directly?
Yes I did
Yes it is authorization relevant and
WHERE CAN I CHECK THESE SETTINGS
did you make it ready for input or did you tick the box Can be changed in query navigation
What is abap program 'AUTHORIZATION-CHECK', how can I navigate there
Thanks -
Change of ABAP report properties by RFC
Hi there,
does anyone know a function module SE37 (remote capable!!!)
which can change the properties of an existing ABAP report (authorization group, title, etc.)
Thanks on advance,
Andi
> A. Hartmann wrote:
> Hi there,
> does anyone know a function module SE37 (remote capable!!!)
> which can change the properties of an existing ABAP report (authorization group, title, etc.)
>
> Thanks on advance,
> Andi
Hi A. Hartmann,
There are function modules that can be used to change Texts, Status, Menus etc...All these might not be remote enabled but then we can always write an API to Wrap these function modules. They are as follows:-
Function Modules Description
RS_CUA_ABAR_CHANGE Change the Menu Bars
RS_CUA_CHANGE Graphical User Interface: Change a
RS_CUA_FUNL_CHANGE Change Function Texts
RS_CUA_MENU_CHANGE Changes to Menu List
RS_CUA_PFKL_CHANGE Change Function Key Settings
RS_CUA_SINGLE_ABAR_CHANGE Change a Menu Bar
RS_CUA_SINGLE_MENU_CHANGE Change a menu
RS_CUA_SINGLE_PFK_CHANGE Change A Function Key Setting
RS_CUA_SINGLE_TITLE_CHANGE
RS_CUA_STATEXT_CHANGE Change status short texts
RS_CUA_TITLE_CHANGE
Regards,
Ravi. -
Authorization Check Infotype Header
Hi all,
I posted the following thread in the HCM Forum, but I think it is also a question for the ABAP Forum
Authorization Check Infotype Header
Thanks & regards
1. Authorisations in HR cannot be controlled at infotype-header level and/or infotype field level.
2. If only a few fields of a specific infotype are to be allowed for a user, the most effective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
3. Another way of doing it is by way of a custom authorisation object (potentially), but then again your requirement is not going into explicit details, so this option is a possibility you may want to do some due diligence on.
cheers -
Hi Friends,
can i send me Creation of ABAP QUERY...
REGARDS,
What Are SAP Queries
Many times a need arises for SAP users and functional consultants to generate quick reports without getting any ABAP coding done; the time taken to complete the coding in development, transport and test it in the QA system and then transport it to production is sometimes too long. In such cases, ABAP/4 query is a tool provided by SAP for generating these kinds of reports.
Type of Report Desired:
Before starting to write an ABAP query, it's advisable to decide the type of report that the user wants. ABAP query provides the following types of reports:
Basic List: Simple report
Statistics: Report containing statistical functions like Average & Percentage
Ranked List: Report written for analytical purposes
The output is always seen in the order of Basic List, then Statistics and then Ranked List if any. One ABAP query can have one basic list, a maximum of 9 statistics and a maximum of 9 ranked lists.
In a nutshell, an ABAP/4 query can be designed in four steps
- Creation of a user group
- Creation of functional area
- Assignment of user group to functional area
- Creation of the query based on functional area
The various objects that form an ABAP query can be created in the following 2 ways:
- Tools => ABAP/4 Workbench => Utilities => ABAP/4 Query
OR
- By executing the transaction codes mentioned below:
SQ01 ABAP/4 Query
SQ02 Functional Area
SQ03 User group
Step I - Create Functional Area
In the functional area section, the user indicates from which part of the SAP database the data is going to be retrieved and how the data is to be retrieved by the query. One functional area can be assigned to many user groups. A functional area can be created with or without a logical database. To create a functional area with a logical database, one has to mention the name of the database and then select the fields from the tables that form the logical database.
ABAP Query Authorizations: To use an ABAP query, the user must have appropriate authorizations. Two ways of providing authorizations to the users are as follows:
- User groups
The user should be a part of at least one user group to run the corresponding ABAP query. This automatically restricts the access of the user to specific functional areas, and thus the corresponding underlying logical databases.
- Authorizations
The authorization object S_QUERY should be used to give proper authorizations to the user for a query. This authorization object has a field named ACTVT which can take values 02 for Change, 23 for Maintain and 67 for Translate.
This value determines whether the user can create and modify the query. The possible authorizations in the object are as follows:
S_QUERY_ALL Change, maintain and translate query
S_QUERY_UPD Change and Translate
Though the general concept of an ABAP query is moderately difficult, the results and the long term use of the ABAP query is worth the effort.
Creating the ABAP Query
To create the query use the menu path Environment => Queries
- Give a name to the query and click on the Create button.
- Give the description of the query in the next screen. Specify the output length and select the processing option from the Further Processing Options box. The data can be displayed in various formats such as table, download to a file, display in Word etc.
- Click on the Next Screen icon. Select the functional group screen. All the functional groups created in the functional area are displayed. Select the groups that you desire; fields from only these groups will be displayed in the output. Click on the respective check boxes and click on the Next Screen icon.
- The Select Field screen gets displayed. Select all the fields from the user group that you need to display on the output of the query. If required, specify the short names for the fields using the menu path Edit => Short Names => Switch On/Off or you can also change the selection text contains in the order you want to appear on the selection screen. You can also maintain column headers for the fields by using the menu path Edit => Column Header => Maintain.
- Click on the Next Screen icon to get the Selections Screen. Here you can check against the fields that you require to be shown on the selection screen.
- Now we need to specify the output type for the query as Basic List, Statistics or Ranked List. Choose the option Basic List.
- On the Basic List line structure screen the following things can be done:
  - Specify the report layout in detail lines on which the fields will appear.
  - Order in which the fields will appear in the output.
  - Sort order for the fields; this is optional.
  - For the numeric fields you can check against the fields for which you require totals in the output.
  - Beautify the output according to the options provided.
- Click on the Next Screen icon to specify the control levels as mentioned below:
  - Specify the sort order. The default sort order is ascending and can be changed to descending if required.
  - Totals for each field selected for sorting can be displayed.
  - To display the output of a field in a box, click on the check box against Box. To display a line after the output of a field, click on the check box against BlnkLn.
  - To display the output of a field on a new page, click on the check box against New Page.
- Click on the Next Screen icon to get the List Line Options screen. Here you can specify the background color for displaying the output.
- Click on the Next Screen icon to get the Field Output Option screen. In this you can specify the following:
  - Change the output length or the display positions of the fields.
  - Specify the display position of the unit for quantity or currency fields. Click the left radio button to display it before the figure, the middle radio button to display it after the figure, and the last radio button to hide the unit altogether.
  - Specify the color for the column of every field under the Format option.
  - Specify the label against the output of sort fields.
- Click on the Next Screen option to go to the Basic List Header screen. Here you can specify:
  - Give page header and page footer for the output.
  - Include user name and date by specifying &N and &D respectively.
After providing all the above options you can save the query and execute it by clicking the Execute button twice.
Regards,
Maha -
How to find which custom program uses authorization checks
Hi all,
I have been asked to find out which custom ABAP programs in our organization are using authorization checks and which are not.
Since there are thousands of custom programs I will need to automatize this process somehow. But I am not an ABAP expert and I will need some help.
Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs? (Would a simple text search do?)
Many thanks,
Aldo
If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
Below SAP documentation may help you:
Authorization Group
Authorization group to which the program is assigned.
The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
Execute a program
--> Authorization object S_PROGRAM
Edit a program (-Include) in the ABAP Workbench
--> Authorization object S_DEVELOP
Programs that are not assigned to an authorization group are not protected against display and execution.
Security-related programs should, therefore, always be assigned to an authorization group.
Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail. -
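The text search the question asks about, as an added example that is not part of the original posts: the report reads each customer-namespace source unit listed in TRDIR with READ REPORT, counts AUTHORITY-CHECK statements outside comments, and prints the count next to the TRDIR-SECU authorization group mentioned in the reply. The report name ZDEMO_FIND_AUTH_CHECKS and the Y*/Z* name filter are assumptions.

```abap
REPORT zdemo_find_auth_checks.
" Added illustration; the report name and the Y*/Z* name filter are
" assumptions, not taken from the thread.

TYPES: BEGIN OF ty_prog,
         name TYPE trdir-name,
         subc TYPE trdir-subc,   " program type: 1 = executable, I = include
         secu TYPE trdir-secu,   " authorization group, blank = none
       END OF ty_prog.

DATA: gt_progs  TYPE STANDARD TABLE OF ty_prog,
      gs_prog   TYPE ty_prog,
      gt_source TYPE STANDARD TABLE OF string,
      gv_line   TYPE string,
      gv_code   TYPE string,
      gv_rest   TYPE string,
      gv_hits   TYPE i.

START-OF-SELECTION.
  " Includes are listed as well, because a check often sits in an
  " include rather than in the main program. Function group includes
  " (names starting with L) do not match this filter and need their
  " own pattern.
  SELECT name subc secu FROM trdir INTO TABLE gt_progs
    WHERE name LIKE 'Z%' OR name LIKE 'Y%'.

  LOOP AT gt_progs INTO gs_prog.
    CLEAR: gt_source, gv_hits.
    READ REPORT gs_prog-name INTO gt_source.
    IF sy-subrc <> 0.
      CONTINUE.                        " source could not be read
    ENDIF.

    LOOP AT gt_source INTO gv_line.
      " Skip empty lines and full-line comments ('*' in column 1).
      IF gv_line IS INITIAL.
        CONTINUE.
      ENDIF.
      IF gv_line(1) = '*'.
        CONTINUE.
      ENDIF.
      " Drop an end-of-line comment. A '"' inside a literal cuts the
      " line early, which can hide a statement later on the same line.
      SPLIT gv_line AT '"' INTO gv_code gv_rest.
      IF gv_code CS 'AUTHORITY-CHECK'.  " CS is not case-sensitive
        gv_hits = gv_hits + 1.
      ENDIF.
    ENDLOOP.

    WRITE: / gs_prog-name, gs_prog-subc, gs_prog-secu, gv_hits.
  ENDLOOP.
```

A hit only shows that the statement text is present, not that sy-subrc is evaluated afterwards; source units with zero hits and a blank SECU are the ones to review first.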
KOB1 authorization group missing
Hi,
When I'm executing KOB1 I'm getting the output report, which shows all the line items as per the given selection in the quality system.
When I'm using a different user ID in the same quality system, it's not showing the line items; some authorizations are missing.
How can I check and how can I fix this issue?
Thanks in advance.
Hi,
There are authorizations given for many transactions.
The developer doesn't have that authorization; tell your functional member about this and get it done by the Basis team.
SAP AUTHORIZATION OBJECT TABLE
Table Name Description
TOBJ Authorization Objects
TACT Activities which can be Protected (Standard activities authorization fields in the system)
TACTZ Valid activities for each authorization object
TDDAT Maintenance Areas for Tables
TSTC SAP Transaction Codes
TPGP ABAP/4 Authorization Groups
USOBT Relation transaction > authorization object
USOBX Check table for table USOBT
USOBT_C Relation Transaction > Auth. Object (Customer)
USOBX_C Check Table for Table USOBT_C
USR01 User master record (runtime data)
USR02 Logon data
USR03 User address data
USR04 User master authorizations
USR05 User Master Parameter ID
USR06 Additional Data per User
USR07 Object/values of last authorization check that failed
USR08 Table for user menu entries
USR09 Entries for user menus (work areas)
USR10 User master authorization profiles
USR11 User Master Texts for Profiles (USR10)
USR12 User master authorization values
USR13 Short Texts for Authorizations
USR14 Surchargeable Language Versions per User
USR30 Additional Information for User Menu
USH02 Change history for logon data
USH04 Change history for authorizations
USH10 Change history for authorization profiles
USH12 Change history for authorization values
UST04 User masters
UST10C User master: Composite profiles
UST10S User master: Single profiles
UST12 User master: Authorizations
Regards
Deepak.
Edited by: Deepak Dhamat on Oct 2, 2010 7:00 AM
Edited by: Deepak Dhamat on Oct 2, 2010 7:04 AM