Add authorization check in Infopackage Scheduler for option 6-ABAP Routine
We want to add an authorization check in routine rssm_routines_maintain. This is in the Infopackage scheduler in the Data Selection tab under the column Type after selecting type=6(ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
Two questions:
1) Is there any other way we can control who can create/change ABAP code by this method ?
2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
Your help would be appreciated.
Robert Begin,
450-677-9411 or
514-924-4311
or email at [email protected]
Hi Chandran, we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
Do you have any solution/suggestions to lock this down?
Much appreciated,
Regards,
Robert.
Similar Messages
-
Add authorization checks to the table maintenance
i have created a table maintenance and I have authorization object and the field for it which will take some values this i got from basis people . Then how to add authorization checks to the table maintenance.
U can try to use the event, after generating table maintenance program:
Enviroment->Modification->Events: the events 05/18 could be good for you
Max -
Using vriables in To field when using "Schedule For" option
My Software:
Crystal Reprts Server XI R2
My Scenario:
I am using the "Schedule For" option when scheduling a report to a group of people. The email address i want to use is based on the their user name. That is
SI_USERID(AT)domain.com
So i tried setting the "To" field with the following
%SI_USERID%(AT)domain.com
this didn't seem to work. Am i using the right variable?
As a note, when i used %SI_EMAIL_ADDRESS% in the "To" field it worked BUT as i'm trying to avoid entering an email address into every user i would rather use something like %SI_USERID%(AT)domain.com
Thanks
PS: Had to use (AT) instead of @ as the post was dissallowed for having email adresses in it.Solution found:
%SI_OWNER% will return the user name. So
%SI_OWNER%(AT)domain.com will work
On a note the documentation on which variables are available seems scarce to me -
How add Authorization check for user with assigened role for t.code-MIR4
Hi All,
Regarding authorization how to check authorizations check for user whith assigned roles for the t.code MIR4 using ABAP.
In Detail:2) All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
suggest me...
Thanks,
srii..Hi Sri ,
first u need to find out in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
make use of Tcode SUIM to find out all roles which are using this Object.
or
ask ur basis guy to remove authorizations to create/change....
regards
Prabhu -
Authorization check on technical name for statistical key figures
Dear experts,
I need an authorization check on the technical name for statistical key figures. I would like to avoid that local users can change/modify centrally defined key figures which follow a given naming convention.
I checked the authorization object K_KA03 for statistical key figures but this doesn't help as it only checks controlling area and activity. I also couldn't find the technical name as an authorization field.
What can I do to set up an authorization check on the technical name of the statistical key figure if it is not foreseen in the standard?
Thanks for any ideas,
RenéTry something in similar lines as suggested in below link:
https://wiki.sdn.sap.com/wiki/display/PLM/COValidationstoadditionalauthorisations+checks
Regards
Sreenivas -
Infopackage Selections Tab-OLAP Variable/ABAP Routine
Hi Experts
In my Infopackage Selections Tab i had Cal Mon/Year field....
As per my requirment i have to write a selection condion that when we execute info package (it is a monthly data load) it will extract data only for the months greater than or equal to current month
Please update me on how can i achieve this either by using OLAP Variable or ABAP Routine in infopackage...will be great if can provide the required ABAP Code
Thanks in Advancehere's an example that fills the fiscal year from last month (bold is customer code... the rest is standard):
data: l_idx like sy-tabix.
read table l_t_range with key
fieldname = 'PARAM_P_GJAHR'.
l_idx = sy-tabix.
data:
v_caldy type /BI0/OICALDAY,
v_calmn type /BI0/OICALMONTH,
v_calyr type /BI0/OICALYEAR.
v_caldy = sy-datum.
determine first day*
v_caldy+6(2) = '01'.
determine last month*
subtract 1 from v_caldy.
v_calyr = v_caldy(4).
l_t_range-sign = 'I'.
l_t_range-option = 'EQ'.
l_t_range-low = v_calyr.
modify l_t_range index l_idx.
p_subrc = 0. -
Authorization-check in company code for GR55 reports
Hi to all!
Created User: ZTESTUSER
The scenario is this.
We created a report in GR55(Report Painter) and we want users (ex. ZTESTUSER) to access only company codes 7000 to 7999. How will I be able to do that?
I am thinking of creating a role or profile then assign it to the user, but I was not be able to locate an authorization object for GR55 reports.
The authorization object in GR51 is not doing what we want. It only control the create/change/display and execution transactions.
I tried using validation in GGB0 but I can't find a parameters where the GR55 reports will be checked so the users will be limited by company code.
Can somebody help me?
Thanks a lot.I programmed a company code check for a report like this.
===========================================================
data: lv_text(4) type c.
if p_bukrs is not initial.
select single * from T001
where bukrs = p_bukrs.
if sy-subrc <> 0.
message e321(FR) with p_bukrs.
endif.
AUTHORITY-CHECK OBJECT 'F_SKA1_BUK'
ID 'BUKRS' field T001-BUKRS
ID 'ACTVT' field '03'.
if sy-subrc <> 0.
clear lv_text.
lv_text = p_bukrs.
message e800(FR) with p_bukrs.
endif.
endif.
============================================================
but I was not able to do that in GR55 reports because the program is automatically generated by SAP named GPXXXXXXXXXXXXXXXXXXXXXXXXXXXX. -
Authorization check in tocde CJ20N for WBS elements
Hi Experts,
in cj20n tocde, if we give authorization to wbs element then networks and activities attached to this wbs element are authorized for edit,create..This is my requirement. I used 3 function modules EXIT_SAPLCNAU_002, EXIT_SAPLCNAU_003, EXIT_SAPLCNAU_004. It is working fine.
My problem is when network or activity of other wbs element is linked, then it is failing. Because it is checking its parent level instead of checking upper level.
Please help me on this.
thanks in advanceHi Gurus,
Thanks for your responses.
I am explaing issue cearly with example.
wbs0001 has one network net0001 and this network has one activity act0001
similarly wbs0002 has one network net0002 and this network has one activity act0002
now if i give authorization to wbs0001 then net0001 and act0001 has authorization..this is OK
issue is if act0002 is linked to wbs0001 and if i give authorization to wbs0001 then net0001 and act0001 has authorization but act0002 has no authorization.
My requirement is act0002 also should have authorization as this parent wbs0001 has authorization.
Please help me.
rgds
Ali -
Authorization Check exist in BAPI for Transaction
Hi,
I am using the standard BAPIs for Costcenter create, change and profitcenter change. Will these std BAPIs perform authority check for specific transaction with respect to the actions performed(KS01-CC create, KS02-CC Change, KE52-PC change)?
Thanks and Regards,
Vimala PHello Vimala,
You can check whether authorisation check is performed during the BAPI call by using System Trace(ST01).
Further read available on: [http://help.sap.com/saphelp_nw04s/helpdata/en/1f/83114c4bc511d189750000e8322d00/content.htm]
BR,
Suhas -
SMD Self Check returns an error for "Diagnostic prerequisite ABAP"
Dears,
when I run a SMD self check it returns the following error for the "Diagnostic prerequisite Abap":
Please install or upgrade the software component 'ST-A/PI release '01K_CRM560' with at least Support Package (or patch) level: '0'
When I check the version of ST-A/PI in spam I see that 01L_CRM570 is installed. Because of this I can not install the one requested by the SMD check.
can someone please help me out ?
kind regards
DavyDears,
no need to search anymore, the problem is solved by implementing note 1289441
kind regards
Davy -
Options 0 to 7(olap variable) in infopackage Scheduler screen
Hi Pioneers,
I've seen 0 to 7 options in the selection Tabpage of Infopackage scheduler screen(option TYPE beside a date selection).
0(Yesterday),1(last week),2(last month)....6(Abap code),7(Olap variable).Could any one please let me know what do these options does?If I am not wrong are these to pick data accordingly(weeek,month..).Please give me a clear picture
Thanks in Advance
Jameshi James
this field is to used to populate date range field dynamically
suppose u r loading any particular infopackage weekly for previous weeks data (monthly or daily) then u can use option 1 (2 or 0).
but if u want u r own logic to populate this range in data selection tab for loading then u have to write routine in ABAP in option 6.
Message was edited by:
Arun Purohit -
Authorization check activation for infoprovider
Hello SDN Experts,
I am using BW 3.5 and I want to activate authorization on one infoprovider. I created authorization object using RSSM in dev server and selected only that object in infoprovider.
My problem is, I can add newly created authorization object in change request but am unable to add authorization checked infoprovider. Please help me if any one has faced similar situation.
Thanks & Regards,
Priyanka JoshiPriyanka J Joshi wrote:
Hello SDN Experts,
> I am using BW 3.5 and I want to activate authorization on one infoprovider. I created authorization object using RSSM in dev server and selected only that object in infoprovider.
>
> My problem is, I can add newly created authorization object in change request but am unable to add authorization checked infoprovider. Please help me if any one has faced similar situation.
>
> Thanks & Regards,
> Priyanka Joshi
Priyanka
1) Adding Authorization Objects to change requests - when you create an authorization object in RSSM - it prompts a transport. You can save it as a local object and later transport it but best practice is to use the prompt transport
2) In RSSM, we do not transport checked infoprovider. After you click on Transport: Hier Auth, InfoProvide Check button, you will select the report object - Z-Object for which you want to transport the Infoprovider check, it will be followed by a hier prompt for which you will have to select one. This step will pick all the InfoProvider checks for the reporting objects and collect them in the transport. -
Authorization check for production order settlement
Hi All,
Production order settlement currently can be done by any user of any company code. there is a high risk involved in the same since unauthorized postings may happen. Hence we need to add authorization check for production order settlement. Can we maintain the same at the plant or the company code level?
Waiting for your replies. Thanks in advance!
Regards,
Aman Goelhi
What venki has told abt the exit, its absolutely correct.Even i have used the same exit
From table CAUFV pick Material(PLNBEZ),Basic Start Date(GLTRP),Plant(WERKS) .
Pass parameter Material(PLNBEZ) and Plant(Werks) in table MBEW in respective fields i.e. Material(MATNR) and Plant(WERKS).
Pick the latest record for the current period(LFMON) and year(LFGJA).
Pick Product Cost Estimate number(KALN1) from the record and pass it to table KEKO.
Check if Production Order Basic Start Date(GLTRP)<= BIDAT, if NO post Error Message.
This is the FS for EXit PPco0007
Reward if useful
Amit -
Authorization at Company Code Level for table FEBKO
Hello Experts,
I need to add authorization check on my report program that accesses and displays data from table FEBKO. However the user should only be able to access the data of table FEBKO particular only for their company code. How can I apply this? Thanks in advance for all your responses!
Best Regards,
KurttHi,
if it is in your own report, you can define your own authorization object with field for company code. Check transaction SU21 or ask your security guy. Then you will check if an user have authorization for this object.
Cheers -
Regarding authorization checks
Dear forumers,
I have a new custom transaction code, and this transaction code is defined for a custom report program.
The custom report program provides end users with an interface to view and manually maintain data records in a custom table.
I wish to add authorization checks to this via SU24. After doing this, however, I noticed that if a user without the necessary authorization is unable to access the custom transaction code, he is still able to run it via SE38 by entering the custom program name.
How can this be resolved - so that, for a user who does not have the sufficient authorization, he cannot access both the transaction code and the program name manually?
Appreciate any advice on this at all. Thanks.If that is a custom program you can put the following in your program code before processing starts, right after START-OF-SELECTION and throw an error message if the function returns anything other than value 2. Replace VA42 with your transaction code
This will ensure that the user won't be able to executed it in SE38 even, if they don't have authorization to execute the transaction
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
user = sy-uname
object = 'S_TCODE'
field1 = 'TCD'
value1 = 'VA42'
EXCEPTIONS
user_dont_exist = 1
user_is_authorized = 2
user_not_authorized = 3
user_is_locked = 4
OTHERS = 5.
IF sy-subrc NE 2.
MESSAGE TYPE 'E'....
ENDIF.
Maybe you are looking for
-
when I plug my iPhone in to my computer, iTunes doesn't recognize it as a device. I have deleted and re-downloaded iTunes twice which seems to fix the problem temporarily but then the next time I plug my phone in, the device is not recognized.
-
How to copy songs that's already in the ipod into the computer hard disk?
I had some "music" mp3 files, so I put them into my ipod by using iTune. I pick a mp3 file and I drop it into the "MUSIC" section under the "iPOD" section, in iTune. After this, I didn't make any backup, for exemple, place them into the iTUNE's "MUSI
-
Help converting RGB Images to CMYK?
I am working with a CMYK Freehand design, and it includes a cut out image on top layer. The image is in RGB. When I export it, I am getting a colour shift on the transparent areas. Should I be working with a CMYK cut out image? If so, how do I conver
-
After effects and Photoshop server run in background upon opening Encore CS4
Hello all . Have Cs4 video suite. Received a trail to evaluate awhile back, am now doing so. One thing I can not seem to find a reason for is that when opining up encore, I notice that AE, Photoshop server and the dynamic link run in the background.
-
Repeated purchasing groups across purchasing org
Hi there, My client's setup requires the same set of purchasing groups across purchasing organizations. For example: Purchasing Org 1: PGRP1: SM1 PGRP2: SM2 Purchasing Org 2: PGRP1: SM1 PGRP2: SM2 Reason being this is how it is setup in our R/3 syste