Abap Report Authorization Checks

Similar Messages

• Abap programe 'AUTHORIZATION-CHECK'

  What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

  Hi,
  You can navigate to the Code this way
  1)
  SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
  "Authority-Check" this displays you whatever entries are there in the code.
  This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
  2)On the other hand if you know the program then go to
  SE38> enter the program name> Select Source Code> Press Display>
  and from there search with the string mentioned above justlike the case mentioned above...
  Hope this helps
  Regards,
  Manohar

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Custom HR Report--Authorization check required

  Hello,
  I have a requirement where in we have created a custom report.Now when user logs in and run this particular report as their authorisation is restricted to india or whatever, they should only see data relating to their company code/country. They must not be able to see data from any other country / company code.
  Another scenario is for some users authorisations is restricted to certain Org Units and when a Key User whose authorisation is restricted to a certain Org Unit, they should only see data relating to that Org. Unit and not every one's data.
  Is there any authorization object already existing that can acheive this functionality.
  Please suggest!!
  Thank you
  Arvind
  Edited by: Arvind Soni on Sep 17, 2009 3:43 PM
  Edited by: Arvind Soni on Sep 17, 2009 3:43 PM

  Hi,
  There are some auth. objects exist in HR. Such as P_ORGIN, P_ORGXX, P_ORGINCON, P_PERNR, P_APPL, PLOG,etc..
  Make the requried setting via t-code: OOAC
  Also you can define structural auth. via t-code OOSP, OOSB.
  If you use logical database of HR (PNP,PNPCE,PCH,PAP)or standard FM to read HR data, auth. check of these auth. object will be carried out automaticlly.
  You can change the profile of the users to achieve.
  Regards,
  Chen Jian

• PS reports authorization check

  Hi guys,
  I am experiencing an unexpected behavior in PS module.
  I have two different project areas using PS WBS.
  I am running some test due to a lack of security. I can control all access on WBS  using ACL configuration but ACL cannot control PS reports access. So a PS area can see the budget of another area and this is the main issue.
  So I suppose I could control all reports with C_PRPS_VNR authorization object in order to allow access using diferent roles with C_PRPS_VNR value according WBS.
  I run a test with S_ALR_87013558 report and in the authorization trace I found the following:
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=03;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=24;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=26;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=28;
  Even with the RC=12 I can see all data!
  I found the same symptom in a lot of S_ALR_* reports.
  My question is: why the RC=12 donu2019t deny my access?
  Best Regards,
  LMG

  Hi  LMG,
  1. I would suggest you to build a role with the reports you are trying to run with a test user and see if you get the same result.
  2. I am guessing that you have another role which might be performing the same actions/activities or you have SAP ALL/SAP NEW
  3. I found these definitions for you to understand what  RC -12 could be.
  4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
  8 Too many parameters (fields, values). Maximum allowed is 10.
  12 Specified object not maintained in the user master record.
  16 No profile entered in the user master record.
  24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
  28 Incorrect structure for user master record.
  32 Incorrect structure for user master record.
  36 Incorrect structure for user master record.

• ABAP report - Check Po items Material group

  Hi All,
  I would like in my abap report to check efficiently each line item in the Purchase order and make sure each line item should have the same material group.
  Any ideas appreciated.
  Meghna

  You can gather all the PO items from the table EKPO into a STANDARD TABLE like the the EKPO. For each line of the table LT_EKPO you will searching into the MARA (MARA-MATNR = EKPO-MATNR) and you will collect the MARA-MATKL into an internal table that will have only one field, the Material Group. At the end you will check how many lines has the internal table. Becouse you wil you the COLLECT instead of APPEND, if the PO has only one Material Group then this table should have only one line.
  Check the following code (it has been written by hard)
  With Regards
  George
  TABLES: MARA, EKPO.
  TYPES: BEGIN OF TY_GROUP,
                   MATKL LIKE MARA-MATKL,
               END OF TY_GROUP.
  DATA: lt_group TYPE STANDARD TABLE OF TY_GROUP,
              wa_group LIKE LINE OF lt_group.
  DATA: lt_ekpo LIKE EKPO occurs 0,
              wa_ekpo LIKE LINE OF lt_ekpo,
              lines_count TYPE I.
  SELECT * FROM EKPO INTO TABLE lt_ekpo
    WHERE EBELN = p_ebeln.
  SORT lt_ekpo.
  LOOP AT lt_ekpo INTO wa_ekpo.
      CLEAR MARA.
      SELECT SINGLE * FROM MARA
         WHERE MATNR = wa_ekpo-matnr.
      WA_GROUP-MATKL = MARA-MATKL.
     COLLECT wa_group INTO lt_group.
     CLEAR wa_group.
  ENDLOOP.
  DESCRIBE TABLE lt_group LINES lines_count.
  IF lines_count > 1.
  DO SOMETHING.
  ENDIF.

• Change of ABAP report properties by RFC

  Hi there,
  does anyone know a function module SE37 (remote capable!!!)
  which can change the properties of an existing ABAP report (authorization group, title, etc.)
  Thanks on advance,
  Andi

  >
  A. Hartmann wrote:
  > Hi there,
  > does anyone know a function module SE37 (remote capable!!!)
  > which can change the properties of an existing ABAP report (authorization group, title, etc.)
  >
  > Thanks on advance,
  > Andi
  Hi A. Hartmann,
    There are function modules that can be used to change Texts, Status, Menus etc...All these might not be remote enabled but then we can always write an API to Wrap these function modules. They are as follows:-
  Function Modules                     Description
  RS_CUA_ABAR_CHANGE             Change the Menu Bars
  RS_CUA_CHANGE                  Graphical User Interface: Change a
  RS_CUA_FUNL_CHANGE             Change Function Texts
  RS_CUA_MENU_CHANGE             Changes to Menu List
  RS_CUA_PFKL_CHANGE             Change Function Key Settings
  RS_CUA_SINGLE_ABAR_CHANGE      Change a Menu Bar
  RS_CUA_SINGLE_MENU_CHANGE      Change a menu
  RS_CUA_SINGLE_PFK_CHANGE       Change A Function Key Setting
  RS_CUA_SINGLE_TITLE_CHANGE
  RS_CUA_STATEXT_CHANGE          Change status short texts
  RS_CUA_TITLE_CHANGE
  Regards,
  Ravi.

• Authorization Check Infotype Header

  Hi all,
  i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
  Authorization Check Infotype Header
  Thanks & regards

  1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
  2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
  3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
  cheers

• BW authorizations objects in Custom abap report

  Hi,
  we develop a BW custom abap report which we have to roll out to certain end users.
  We would like use our BW authorization design, and need therefore to incorperate these auth. objects into the abap.
  What is the best way to this? Can we use function modules?
  Any help welcome?
  Regards,
  Hans

  Hello Hans,
  please check out the following
  http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/e1cba990-0201-0010-43ae-af579aee7a73
  Hope it helps..
  thanks,

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Re: Setting Authorization Check in Report Writer

  Hi,
  In ABAP Query or ABAP customized program, it is possible to set authorization object checking.
  In Report Writer, how can I do it?
  <REMOVED BY MODERATOR - REQUEST OR OFFER POINTS ARE FORBIDDEN>
  Thanks
  Edited by: Alvaro Tejada Galindo on Dec 26, 2008 10:59 AM

  Hi Colin,
  I would like to suggest,
  Creating an Authorization object & then using it in the report program is the preffered way.
  I would like to suggest a couple of references, quite similar to your issue,
  [SDN - Reference for using authorization checks at the report level|User authorisation check in ABAP-HR program;
  [SAP HELP - Standard Reference for Programming Autorization checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/6712ac439b11d1896f0000e8322d00/frameset.htm]
  [SAP HELP - Standard Reference for Authorization checks|http://help.sap.com/saphelp_nw04s/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm]
  Hope that's usefull.
  Good Luck & Regards.
  Harsh Dave

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• Use of foreign key check in ABAP reports

  Hi,
  I'm trying to understand if it's possible to use a foreign key integrity check in an ABAP reports. I have understood that this kind of check is deactivated for performance reasons, is it right?
  In this case I'd like to know if it is possible to activate the foreign key check "on demand", or just for a particular table.
  As an example, I'd like to use the foreign key defined on attribute AKONT of table KNB1, that points on the related attribute of table SKB1.
  Thanks,
  Gabriele

  Welcome on SCN!
  I'm trying to understand if it's possible to use a foreign key integrity check in an ABAP reports. I have understood that this kind of check is deactivated for performance reasons, is it right?
  Most likely yes. Integrity is turned OFF for Open SQL statements but is turned ON for screen fields.
  If you just create screen parameter like
  parameters pa_akont type knb1-akont.
  ...then input help for that field will be automatically provided. This means that you will not be able to pick or enter value different that this allowed from SKB1 table (foreign key relationship will be checked).
  You can explicitly assign different input help or search help for certain screen field independently of type it is refering i.e by means of fm F4IF_FIELD_VALUE_REQUEST .
  This however still relates only to screen fields, not fields used directly in ABAP statement.
  Regards
  Marcin

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd