About authority check~

Hi!
Let me ask something.
As usual, when we call a program using a T-CODE in the command field, R3 checks the authority, even for a BDC program.
But in the program text, I programmed it like this: "CALL TRANSACTION XXX".
The system doesn't check authority.
For example, a user types 'XD01' in the command field and the system denied it. But when a user calls 'XD01' through my program, the system admitted it. In my program, I coded it like this: "CALL TRANSACTION 'XD01'".
I don't know why... Have you ever seen anything like this?
If somebody knows this, please let me know what I should do about it!
sorry for my poor english, I need your help~~

Hi Kyung Woo,
When the user enters the transaction code, let's say XD01, the R/3 system would get the authorization information as defined in the user's profile and check if the authority object required to execute the transaction exists in the user's profile. This is just a preliminary check. It prevents the non-technical users from accessing the transaction.
But when it comes to a technical user like an ABAP Programmer, almost anything can be done within the R/3 system. For example, you can just write a small program of about a few lines and cause serious damage to the entire R/3 System.
The point is that when you use the CALL TRANSACTION statement, it means that you are writing the program to accomplish some functionality. The preliminary check is bypassed in this case. But if there's an authority check coded into the transaction, then even the CALL TRANSACTION method won't work.
But remember one thing - so long as you are an ABAPer, with the authorization to create a program in SE38 and execute it, along with the authorization for Debugging, you can do almost anything within the R/3 system.
It is up to the programmer and the company to take care of any such mishaps happening. Anyway, when it comes to the Production system, your hands are all tied up. You would never have the authorization to do any development directly in there. If you do, then somebody is in very deep trouble!! :-)
As far as the Development system is concerned, nobody really bothers too much about them, because they do not affect any real-time data.
Regards,
Anand Mandalika.
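
One way to close the gap discussed in this thread, as an added example that is not code from either poster: the calling program checks S_TCODE itself before CALL TRANSACTION. The report name, the subroutine name and the message text are assumptions made for illustration.

```abap
REPORT z_call_xd01_checked.

DATA: gv_tcode TYPE sy-tcode VALUE 'XD01',
      gv_msg   TYPE string.

START-OF-SELECTION.
  PERFORM call_tcode_checked USING gv_tcode.

* Hypothetical wrapper: start a transaction only if the current user
* could also start it from the command field.
FORM call_tcode_checked USING iv_tcode TYPE sy-tcode.
  " S_TCODE with field TCD is the start authorization that the command
  " field checks and that a plain CALL TRANSACTION skips.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD iv_tcode.

  IF sy-subrc = 0.
    CALL TRANSACTION iv_tcode.
  ELSE.
    " Any non-zero return code means "not authorized" or an error in
    " the check itself; in both cases the transaction is not started.
    CONCATENATE 'No authorization to start transaction' iv_tcode
      INTO gv_msg SEPARATED BY space.
    MESSAGE gv_msg TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.
ENDFORM.
```

Newer ABAP releases also accept `CALL TRANSACTION ... WITH AUTHORITY-CHECK`, which performs the start check inside the statement.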

Similar Messages

  • About authority-check object 'M_MATE_WGR'

    hi all
    I have a problem about authority-check object 'M_MATE_WGR'. The details are below:
    Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
    After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
    Thank you in advance .
    Nick

    You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
    Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
    Step 2: Retrieve the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
    Hope that helps.
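
The procedure from this thread written out as an added example (not code from either poster): read T023, check M_MATE_WGR with the authorization group from T023-BEGRU, then rebuild the select-option from the allowed material groups. The report name, variable names and message texts are assumptions.

```abap
REPORT z_matkl_auth_filter.

TABLES t023.
SELECT-OPTIONS s_matkl FOR t023-matkl.

DATA: gt_t023    TYPE STANDARD TABLE OF t023,
      gs_t023    TYPE t023,
      gt_allowed TYPE STANDARD TABLE OF t023-matkl,
      gv_matkl   TYPE t023-matkl,
      gv_denied  TYPE c LENGTH 1.

START-OF-SELECTION.
  " Step 1: resolve the selection to concrete material groups and pick
  " up the authorization group (BEGRU) stored with each one.
  SELECT * FROM t023 INTO TABLE gt_t023 WHERE matkl IN s_matkl.

  " Step 2: check display authority (ACTVT 03) per authorization group.
  LOOP AT gt_t023 INTO gs_t023.
    AUTHORITY-CHECK OBJECT 'M_MATE_WGR'
      ID 'ACTVT' FIELD '03'
      ID 'BEGRU' FIELD gs_t023-begru.
    IF sy-subrc = 0.
      APPEND gs_t023-matkl TO gt_allowed.
    ELSE.
      gv_denied = 'X'.          " at least one group was filtered out
    ENDIF.
  ENDLOOP.

  " An empty select-option matches every material group, so stop here
  " instead of refilling it with nothing.
  IF gt_allowed IS INITIAL.
    MESSAGE 'No authorized material group in the selection'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Rebuild s_matkl from the allowed groups only.
  REFRESH s_matkl.
  LOOP AT gt_allowed INTO gv_matkl.
    CLEAR s_matkl.
    s_matkl-sign   = 'I'.
    s_matkl-option = 'EQ'.
    s_matkl-low    = gv_matkl.
    APPEND s_matkl.
  ENDLOOP.

  IF gv_denied = 'X'.
    MESSAGE 'Some material groups were removed: no display authorization'
      TYPE 'S'.
  ENDIF.
```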

  • Info about AUTHORITY-CHECK

    Hi all.
    in CJ02 I have this authorization check:
    AUTHORITY-CHECK OBJECT 'C_DRAD_OBJ'
                 ID 'ACTVT' FIELD lt_display-mode        
                 ID 'DOKOB' FIELD object
                 ID 'STATUS' FIELD ls_draw-dokst
                 ID 'DOKAR'  FIELD ls_draw-dokar.
        IF sy-subrc <> 0 .
    no AUTHORITY
    the sy-subrc is <> 0. how can I see the data into this object? can i add data into?

    Hi Fabrizio,
    1. This is a normal
       'authorisation not there'
      issue.
    2. Contact your basis team
       and they will help out
       by assigning the values
       for the particular auth object
       for the required profile
       for the particular user !
    regards,
    amit m.

  • How to create Authority check object

    Hello Gurus,
    How to create Authority-check object 'ZABC' ID 'TABLE' FIELD 'ZTABLE'.
    Please tell me detailed procedure.
    Thanks in advance.
    Best Regards,
    zubera

    Dear Zubera,
    Creating Authorization Fields
    In authorization objects, authorization fields represent the values to be tested during authorization checks.
    To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Fields.
    To create an authorization field:
    1. Choose Create authorization field.
    2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
    3. Assign a data element from the ABAP Dictionary to the field.
    4. If desired, enter a check table for the possible entries. For more information about check tables.
    For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
    You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
    Assigning an Authorization Object to an Object Class
    Each authorization object must be assigned to an object class when it is created.
    Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
    You can also create authorization objects in the Object Navigator (SE80).
    Creating / Choosing Object Classes
    The system displays a list of existing object classes.
    Object classes are organized according to the components of the system.
    Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
    You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
    Creating an Object
    Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
    You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
    Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
    Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
    You can regenerate the profile SAP_ALL after creating an authorization object.
    Best Regards,
    Rajesh
    Please reward points if found helpful.

  • ALV GRID and AUTHORITY-CHECK

    Hi all !!! 
    I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
    In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
    For example :
    DEPARTMENT AA1 --> check/uncheck OK
    DEPARTMENT AA2 --> check/uncheck NOT OK
    DEPARTMENT AA3 --> check/uncheck OK
    ... etc.
    How can I do ? Create an new authorization object/field ?
    PS : it's the first time I'm using AUTHORITY-CHECK..

    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
       ID <authority field 1> FIELD <field value 1>
       ID <authority field 2> FIELD <field value 2>
       ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    Example ;
    REPORT  EXAMPLE MESSAGE-ID Z1.
    TABLES: USR02.
    PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
    DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
    " ---- Authorization check ----
    AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
      ELSE.
        MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
      ENDIF.
    ENDIF.
    IF LISTLOCK = 'X'.
      WRITE:/ 'List all locked users: '.
      SELECT * FROM USR02 WHERE UFLAG = 64.
        WRITE: / USR02-BNAME.
      ENDSELECT.
      EXIT.
    ENDIF.
    IF LOCK = 'X'.
      UFLAGVAL = 64.                       "lock all users
      LOCKSTRING = 'locked'.
    ELSE.
      UFLAGVAL = 0.                        "unlock all users
      LOCKSTRING = 'unlocked'.
    ENDIF.
    SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
      IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
        WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
        CONTINUE.
      ENDIF.
      " check that user has authority to make these changes
      AUTHORITY-CHECK OBJECT 'S_USER_GRP'
          ID 'CLASS' FIELD USR02-CLASS
          ID 'ACTVT' FIELD '05'.
      IF SY-SUBRC <> 0.
        IF SY-SUBRC = 4.
          WRITE: /'You are not authorized to lock/unlock user ',
            USR02-BNAME, USR02-CLASS.
        ELSE.
          WRITE: /'Authorization error checking user ',
                 USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
        ENDIF.
      ELSE.                                "has authority
        UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
        WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
      ENDIF.
    ENDSELECT.

  • Web Service Homepage: Authority check failed

    Dear Colleagues,
    I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
    Authority check failed
    Are there any prerequisites I maybe do not accomplish?
    (I tested a very similar web service in another system, and there it works)
    Here are some more information about my service:
    - Service was built with the Web Service Wizard out of a function module
    - Here you can see the conversation resulting of the test:
    POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
    Host: bsl8011.wdf.sap.corp:50073
    Content-Type: text/xml; charset=UTF-8
    Connection: close
    Cookie: <value is hidden>
    Cookie: <value is hidden>
    Authorization: <value is hidden>
    Content-Length: 381
    SOAPAction: ""
    <?xml version="1.0" encoding="UTF-8" ?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <SOAP-ENV:Body>
    <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
    <INPUT>TEST</INPUT>
    </ns1:Z_TEST_WS_CONFIG>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    HTTP/1.1 500 Internal Server Error
    content-type: text/xml; charset=utf-8
    content-length: 363
    sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
    server: SAP Web Application Server (1.0;700)
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
    <soap-env:Body>
    <soap-env:Fault>
    <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
    <faultstring xml:lang="e">Authority check failed</faultstring>
    </soap-env:Fault>
    </soap-env:Body>
    </soap-env:Envelope>
    The WSDL-Document looks as follows:
    <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port 
name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
    Can anyone help me, I have no Idea

    The message server defined in the SAP-Logon is us4278.wdf.sap.corp
    But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
    But I think that's not the problem, is it? As I mentioned above, the test page can be shown, but after filling in the input parameters and pressing send, the authorisation error appears.
    For better illustration I made some screenshots for you:
    1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
    2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
    3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
    What can be wrong, if the error "n0:FailedAuthentication" appears?
    Regards,
    Peter

  • Authority check based on the tables used in a programme

    based on the tables used in a programme can I see authority checks available in the system.If yes how do i go about it .

    Using the below FM:
    SUSR_USER_AUTH_FOR_OBJ_GET
    EFG_USER_AUTH_FOR_OBJ_GET
    You can get all the authority checks available for a user.
    Regards,
    Prakash.

  • With regard to lock object and authority check

    hi all
    i would like to know about lock object and authority check specifically in reports. there is a coding in sap library with regard to authority check, but there is no coding to restrict user (i mean there is no user names that the object is restricting for a particular user or any user has got permission to change or display object). 
    further, the code mentions that you need an authorization in your user master record for the object, could any of u explain where is user master record.
    below is the code for authority check.
    *&      Module  USER_COMMAND_0100  INPUT
    MODULE USER_COMMAND_0100 INPUT.
      CASE OK_CODE.
        WHEN 'SHOW'.
          AUTHORITY-CHECK OBJECT 'S_CARRID'
            ID 'CARRID' FIELD '*'
            ID 'ACTVT'  FIELD '03'.
          IF SY-SUBRC NE 0. MESSAGE E009. ENDIF.
          MODE = CON_SHOW.
          SELECT SINGLE * FROM  SPFLI
            WHERE  CARRID      = SPFLI-CARRID
            AND    CONNID      = SPFLI-CONNID.
          IF SY-SUBRC NE 0.
            MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
          ENDIF.
          CLEAR OK_CODE.
          SET SCREEN 200.
        WHEN 'CHNG'.
          AUTHORITY-CHECK OBJECT 'S_CARRID'
            ID 'CARRID' FIELD '*'
            ID 'ACTVT'  FIELD '02'.
          IF SY-SUBRC NE 0. MESSAGE E010. ENDIF.
          MODE = CON_CHANGE.
          SELECT SINGLE * FROM  SPFLI
            WHERE  CARRID      = SPFLI-CARRID
            AND    CONNID      = SPFLI-CONNID.
          IF SY-SUBRC NE 0.
            MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
          ENDIF.
          OLD_SPFLI = SPFLI.
          CLEAR OK_CODE.
          SET SCREEN 200.
      ENDCASE.
    ENDMODULE.                 " USER_COMMAND_0100  INPUT
    i thank u all for the help in advance.

    hi
    this might help
    REPORT YUSRLOCK NO STANDARD PAGE HEADING.
    TABLES: TRDIR, USR02.
    DATA: MARK,CNTR TYPE I,
          ACCNT LIKE USR02-ACCNT, ERDAT LIKE USR02-ERDAT,
          ANAME LIKE USR02-ANAME, CLI(3) VALUE 'AAA', SZIN TYPE I,
          SYDATUM LIKE SY-DATUM, FLAG(3).
    TABLES: UINFO.
    DATA: OPCODE TYPE X VALUE 2.
    DATA: BEGIN OF USR_TABL OCCURS 10.
            INCLUDE STRUCTURE UINFO.
    DATA: END OF USR_TABL.
    START-OF-SELECTION.
      CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
        ID 'TAB' FIELD USR_TABL-SYS.
      SELECT * FROM USR02 CLIENT SPECIFIED ORDER BY MANDT BNAME.
        IF USR02-MANDT <> CLI.
          SZIN = SZIN + 1. SZIN = SZIN MOD 2.
          CLI = USR02-MANDT.
        ENDIF.
        IF USR02-UFLAG = 0.
          MARK = ' '.
        ELSE.
          MARK = 'X'.
        ENDIF.
        CLEAR FLAG.
        LOOP AT USR_TABL.
          IF USR_TABL-BNAME = USR02-BNAME AND USR_TABL-MANDT = USR02-MANDT.
            FLAG = '!!!'.
          ENDIF.
        ENDLOOP.
        SYDATUM = SY-DATUM - 30.
        IF SYDATUM < USR02-TRDAT.
          IF SZIN = 0.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                  ' ',FLAG COLOR 6.
          ELSE.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                  ' ',FLAG COLOR 6.
          ENDIF.
        ELSE.
          IF SZIN = 0.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                  ' ',FLAG COLOR 6.
          ELSE.
            WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                  ' ',USR02-MANDT COLOR 2,
                  '   ',USR02-USTYP COLOR 2,
                  ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                  ' ',FLAG COLOR 6.
          ENDIF.
        ENDIF.
        HIDE: USR02-BNAME, USR02-MANDT.
      ENDSELECT.
      CLEAR USR02.
    TOP-OF-PAGE.
    WRITE:/ 'LOCK   USER         CLIENT  TYPE     LAST lOGIN     ' COLOR 6.
      SKIP.
    AT USER-COMMAND.
      IF SY-UCOMM = 'SEL'.
        DO.
          CLEAR MARK.
          READ LINE SY-INDEX FIELD VALUE MARK.
          IF SY-SUBRC NE 0.  EXIT. ENDIF.
          IF USR02-BNAME IS INITIAL.CONTINUE.ENDIF.
          SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE
          MANDT = USR02-MANDT AND BNAME = USR02-BNAME.
          IF MARK = 'X' AND USR02-UFLAG = 0.
            USR02-UFLAG = 64.
            UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 64 WHERE
            MANDT = USR02-MANDT AND
            BNAME = USR02-BNAME.
            COMMIT WORK.
          ENDIF.
          IF MARK = ' ' AND USR02-UFLAG = 64.
            USR02-UFLAG = 0.
            UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 0 WHERE
            MANDT = USR02-MANDT AND
            BNAME = USR02-BNAME.
            COMMIT WORK.
          ENDIF.
        ENDDO.
        CLEAR USR02.
      ENDIF.
    regards
    Arun

  • User role and Authority-check ?

    Hello,
    Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
    Thanks in advance

    Hello Martin,
    I think this answers the OP's question about the user not being assigned the role which contains the trxn code. As you have explained, in this case the default auth. check for S_TCODE will fail & the user cannot execute the trxn. (If I remember correctly the tables for this are AGR_USERS & AGR_TCODES)
    Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
    @OP:
    The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
    BR,
    Suhas

  • Do I need to do authority check for Logical Database?

    Hi,
    Just to check, do I need to code authority check into a Logical Database or Logical Database will do the check by itself without me coding?
    This is because I have a user which does not have rights to infotypes 2000 and above and the logical database still show the user data which belongs to the infotypes 2000 and above.
    If I have to code it, how do I go about to do the coding of authority check?
    Thanks in advance.  Will reward points for good solutions.
    Lawrence

    Let me give an example
    Tables : pernr.
    infotypes: 0000, 0001, 2001.
    Get pernr.
    Do you mean that the 'get pernr' command will not return any data for users who do not have authorisation for infotype 2001?

  • Is there authority check in every BAPI?

    Hi guys,
    Does anyone know whether every BAPI has an authority check? I read some BAPI documents, and I found that some documents don't explain which authority object the BAPI checks. Does that mean this BAPI doesn't have an authority check?
    thanks all.
    Best regards.

    Small caveat to contradict the answers so far given, because the correct statement is not every BAPI contains an authorization check, though almost all of them should...
    My simple counter examples are BAPI_MATERIAL_EXISTENCECHECK and BAPI_MATERIALGROUP_GET_LIST. Now of course they are rather trivial BAPIs, but it clearly shows that not all BAPI's have a builtin authorization check. Note that I'm talking here about authorization checks in ABAP coding via [authority-check|http://help.sap.com/abapdocu_70/en/ABAPAUTHORITY-CHECK.htm]. The story is a bit different if you'd call those BAPI's via [RFC|http://help.sap.com/abapdocu_70/en/ABENRFC_INTRO_OVIEW.htm], because SAP has builtin authorization checks on function group and since fairly recently also on function module name (see authorization object [S_RFC|http://help.sap.com/saphelp_nw70/helpdata/en/60/305140c770cd01e10000000a155106/frameset.htm]).
    If you look at any BAPI returning/creating/updating a more complex object you should expect that SAP does some application authorization check. This is especially true for BAPI's that are supposed to mimic any transaction like VA01, etc. However, if you require such a check in a specific situation I'd say it usually doesn't hurt to take a quick peek at the used BAPI to confirm it (and if the BAPI is complex just execute it with an authorization trace).
    I apologize for nitpicking, but I couldn't resist since the statements were a bit too broad in my opinion...
    Cheers, harald

  • RRMX Authority check

    hi,
    There are two SAP BW systems , one with component SAP_BW SAPKW70017 (say B1) , and other one with SAP_BW component SAPKW70103 ( say B2)
    In B2 , When a user executes RRMX , it takes them to the Business explorer(excel sheet) , however it throws a message in the GUI that "No authorization to change role <role>
    Message no. S#423"
    This message is received as soon as you get the excel sheet opened .
    When I looked further into the situation, it seems that in B2 the following select statement is executed (as soon as you execute RRMX) for checking the change access for all the user's "assigned roles" (I wonder why all roles?) with the object S_USER_AGR, and it throws the message when there is no 02 activity for any of the roles present with the user.
    SELECT agr_name FROM agr_users INTO l_agr_name WHERE uname = sy-uname.
        CALL FUNCTION 'PRGN_AUTH_ACTIVITY_GROUP'   " --> this further throws the message
          EXPORTING
            activity_group = l_agr_name
            action_change  = 'X'
          EXCEPTIONS
            not_authorized = 12
            OTHERS         = 13.
        IF sy-subrc = 0.
          e_s_system_info-can_change_pfcg_roles = rs_c_true.
    Whereas in B1 (old release) no such message is thrown for the same user. It seems there is no such change activity check in the beginning? (not too sure) and only when the user clicks the Role option in the Query dialog is S_USER_AGR checked, as per the ST01 trace.
    Is this a bug in SAP_BW 701 release? If so, do you know the SAP notes for correcting the same? Please reply at the earliest. Thanks in advance

    Some customers have S_USER_GRP actvt '02' in production environments for the RRMX "key" users who publish queries to be able to add them to the menu for the users. A change in authorization data might not be required, typically.
    But this "change" authority gives more access than just the menu, and the user will need other authorizations for S_USER_TCD and VAL as well.
    It has been replaced by the BEXWeb, which you should take a look into.
    As SAP "owns" the authority-checks in their programs, they seemed to have felt it appropriate to add the same check to RRMX for "key" users.
    > Is this a bug in SAP_BW 701 release ?
    I don't think it is a bug in BW 7.01. Arguably they could have added it earlier.
    There is an approach to control this via the sideinfo.dat file using the program ID of the query - but I guess few did that or even knew about it. It is not intuitive.
    Cheers,
    Julius

  • How to go about Authority check

    Hi,
    I need to create an Authority-check for a push button on output list, The requirement is when an authorized user clicks the button - the records should be displayed. can any one tell me how to go about this?
    Also there is already some authority-check is doing to the existing code. Is it possible to use the existing check for my pushbutton or do i need to create different authority object?
    Thanks
    Bly

    HI,
    Consult your Basis team for the authorization object. If you want a display authorization, then you can probably use a standard object. But if it is confined to your module and you want this authorization object to be assigned to users using this application, then you may need to create a new object. Consult your Basis team for Auth Object creation.
    Click the link below to know how to use the Auth Object.
    http://help.sap.com/saphelp_47x200/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/content.htm
    Checking User Authorizations
    http://help.sap.com/saphelp_47x200/helpdata/en/9f/dbacbe35c111d1829f0000e829fbfe/content.htm
    To define an auth object
    http://help.sap.com/saphelp_47x200/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm
    Regards,
    Vara

  • Authority check at field level in sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi agree with Jan and Auke,
    To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
    But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
    If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
    Cheers,
    Julius

  • Authority check on Creation of Purchase order using badi BBP_ITEM_CHECK_BADI

    hi all,
    i have to apply authority checks on creation of Purchase order and shopping cart in SRM using badi BBP_ITEM_CHECK_BADI.
    i have applied checks on creation of shopping cart   using this badi which have some filters but how to apply on purchasing order using BBP_ITEM_CHECK_BADI.

    hi,
      You can use the BBP_DOC_CHECK_BADI.
    BR,
    Disha.
    Pls reward points for useful answers.
