Auth check on IM12

Similar Messages

• Can we give more than one value for an Authorization field in Auth-Check.

  Hi all,
  Can we give more than one value for an Authorization field in Auth-Check.
  Ex: AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD <Value 1> <Value 2> <Value 3>.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  If yes, please help me with exact syntax.
  Think it will be like
  ID 'CUSTTYPE' FIELD: <Value 1>, <Value 2>, <Value 3>.

  Hi,
  yes we can give more than one field.
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  please reward points, if it is useful.
  satish.

• Suppress a normal auth check

  I know in most business scenarios this is not normal.  However, please consider this question.
  A developer, at the request of the business partner, wants to create a  custom transaction code like a traditional transaction...say me22n.  It's purpose is to update a standard PO (NB), which the user is not normally authorized to do.   The developer has been asked to only offer 2 fields for update, not all fields.
  So, normally, the user would have me22n, but not have m_best_bsa for updating an NB type of purchase order - but he is allowed to update other types of purchase orders.  However, though this  custom transaction, we would like him to be able to update the standard PO, but only two fields. 
  Because the custom transaction runs the standard program, the normal auth checks are taking place, preventing the person from updating the standard purchase order.  If we grant the access required by the program, we will introduce a problem.  The user already HAS me22n to update other types of purchase orders "legally"...but now we've granted the object they did not have.  Via me22n, they can now update all fields on a standard purchase order (type NB).
  So, do you copy the standard program and make a custom program, and then suppress the auth checks in it?  Therefore, you never have to grant m_best_bsa update to type NB.  And through ME22n, they can't update a standard PO, which is what we want.
  OR, is there another, better way to do this.

  You may want to play around with the SU24 settings for your new transaction.
  See [SAPhelp on Authorization Checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm] for more information.
  Jurjen

• Need to deactivate structural auth. check for a custom Report

  Hi all experts:
  I have a report that is based on PNPCE logical database and it displays work hours for a project, all non-sensitive information.  We would like a wide range of users to have access to this but since this is based on PNPCE logical database whenever a user runs it, the str. authorization check is performed.  I have tried deactivate this check with P_ABAP object and coers 2 but it only ignores infotype auth. check but still checks the structural.  We don't want to expand str. profile for users. 
  Do you know if there is a way to deactive this just for one report?
  Your help will be greatly appreciated.
  Regards,
  Net

  Thanks Kiran. I had tried that value but still got the same message.  I am having problem understanding exactly when this value 2 ignores structural authorization because it works on some reports and not others.  Anyway, we implemented BADI for this report to ignore structural auth. check and it is working fine.
  Thanks again,
  NT

• Sec. Optimization self-service - Customer specific auth Checks

  Hi There,
  checking some automatic check like 0750 I see in SolMan there are some tabs like Green, Red, Recommendation (0705)
  checking the Customer specific auth Checks I found out only some of them.... I would be interested to know if it is possible to configure "something" in order to have the  tab Recommendation (9XXX)  for Customer specific auth Checks .
  Thanks
  FedeX.

  Hi,
  I still test and no quit sure if I am doing the right process...what I have done:
  use st13 to create my own alerts > 9000.
  use st14 for creating the report on target system... I check on the target system and by viewing data of the generated report there is a list of users because security specification > 9000.
  export report to SolMan ... successfully
  on SolMan ... what are the steps that I have to do?..I am not quit sure ... I go to session workbench ...here there are already some info of the previous check that I did days before ......  I click on the option collect data (ST13, ST14)..I delete the old number and introduce the new GUI Number and click on collect button... the rest of the fields are filled in ... and no additional message appear..
  one of the existing entries on the left side  is Customer specific Auth check ...it is in red..
  being on the collect data (ST13, ST14) entry I just click on save + next open check an the focus/cursor jump automatically to the last entry check session consistency  I do not identify any change in the entry Customer specific Auth check which still red and not showing the expected list ( what I see in target system)
  well hope this give some idea about the issue and possible solution
  Thanks
  FedeX

• ABAP Query Auth-Check

  Hello,
       I have an issue in regards to ABAP Queries that are accessed via SQ00.  The issue was that a lot of the reports (based on a sample) do not have any authorization check.
  There is over a 1000 queries, is there any way for me to check the code for the auth check on mass ?  It is very tedious and time consuming going in one at a time to look for the auth check.  Any help would be greatly appreciated.
  Thank you

  Hi Chris,
  As standard there is no data level auth check in SAP Queries.  Just one reason why they are often a poor solution for reporting.
  Those based on Logical Databases have any checks that are present in the LDB.
  Auth checks are placed in the infoset code, so it's only the infosets that you need to review to see if auth checks are included.  If you have lots of queries hanging off a small number of infosets, this will be a fair bit easier.  Your dev team should be able to point you towards the relevant section of the infoset that contains any additional validation code.

• EHSM: Use Auth Check BAdI to hide Incident

  Hi all,
  I have enhanced the standard Auth Check BAdI BADI_EHHSS_INC_EXT_AUTH_CHECK for EHSM. Works like a charm.  But I just got another requirement and thought maybe someone else has done this before.
  Right now, I have it set up so people with out the correct access can only view incidents.  Is there a way to use the BAdI to completely hide an incident when a user clicks on it?
  Hope this makes sense.
  Cheers,
  Kevin

  Hey all,
  Our requirements ended up changing a bit but ended up putting authorization checks into class methods that control visibility for the sections of EHSM that we wanted to hide.  So, we got the result we were looking for.
  Cheers,
  Kevin

• Deselect auth. check for infocubes (Checks for infocubes) in RSSM

  Hi,
  An infocube I installed contains an authorisation relavant object (already exists) in BW3.5 system. By default the infocube is selected for auth. check in RSSM.
  After I transported the cube to target system I realised the auth check in RSSM has also been transported with the cube.
  Hence, I have deselected the auth. check for the infocube "Checks for infocubes" in RSSM and saved it. Then, I created a second transport and only transported the cube. But the changes I made in RSSM hasn't been transported.
  Please can you advise me how to transport the changes I made in "Checks for infocubes" in RSSM?
  Thanks a lot
  Murali

  Hi,
  check this threads:
  Re: RSSM: Checks Authorization Objects for Infoprovider are not activ
  Re: RSSM Transports
  Normally system would check all the authorization relevant objects whenever a new Info cube is imported and in case if you want to transport these changes to Production system manually then follow the below listed steps:
  1) In Development system, check or un-check the authorization relevancy using the transaction RSSM on a given Info provider
  2) These changes are stored in table RSSTOBJDIR
  3) Create a manuall transport request and include these entries covering the required Authorization objects manually.
  R3TR TABU RSSTOBJDIR
  Ex: If Info object 'A' is authorization relevant in Development system but not in Production system and you want to transport this change to Production system then include object 'A' table entries manually.
  Regards
  Andreas

• No auth checks for custom transactions

  Hi,
  In my SAP system there are many custom trasanactions in which there are no auth checks in their respective programs,
  Is their any way to restrict these transactions based on the organisational levels without doing any changes to the program.
  Can we restrict these transactions by adding a authorization through se93 ?
  If any documents are there on the same issue please share.
  Thanks,
  Sanketh.

  I would take a slightly different approach, as a least worste option.
  > Assuming that there is reluctance/inability to modify the code
  In that case the code is modularized, but the security front-end is lazy.
  What you can do is assign an authorization group to the report type program as well which has the org.value in the P_GROUP field of S_PROGRAM in it, and create a variant for it protected by P_ACTION = VARIANT. The users can submit reports if they are authorizated for the variant action as well, but not directly.
  Then create an myriad of parameter transactions per org level and submit the report via transaction START_REPORT (so, via the varint!) with the variant set for the org. level in the selection screen.
  But this completely defies thze concept of modularizing code and not maintaining redundant code, as well as redundant variants, and redundant menus of roles which could have been modularized as well.
  The only potential "up side" of this is maintaining the SU24 data of the parameter transactions, but who does that?
  Yes, if you maintained SE93 then the system would do it for you (automatic adjustement) but the scalability and flexibility of org. level maintenance in roles and well as the modularization (and maintainability) of code would be toasted.
  Probably developers would not make authority-checks at all anymore, and that would be like going back to the conceptual stone ages.
  Even the Commodore 64 was more modularized than that....
  Cheers,
  Julius

• BRFPlus - Control Rule maintenance using Auth checks (BADI?)

  Hello BRFPlus gurus,
  We are reviewing BRFPlus for use in our global project and here is our question.
  We want to develop some rules, for use in Business Workflow, using BRFPlus and make them available for change to users. Some of these rules are going to be based on company code and we want to control rule maintenance based on company code to ensure users can only modify/create/display rule (e.g. decision table entries) entries only for the company code that they belong to. e.g. user for company code 0001 should not be able to change decision table entry for company code 0002.
  currently we have similar rules maintained using ECC custom table maintenance and we use  table maintenance Events' to code authority checks for custom auth objects.
  I am wondering if BRFPlus has any BADI (or similar mechanism) available to allow us program these auth checks depending on 'Element' values.
  I would greatly appreciate your response.
  Thanks,
  Saurabh

  Hi Carsten,
  Thanks for making us aware of that hidden feature that we could use.
  would you mind sharing some high-leve steps that we could follow to complete the BRFPlus prototype we are doing?
  Ability to control modification of these objects using auth is one of the key criteria for prototype success .
  Looking forward to learn more about this rule engine.
  Thanks,
  Saurabh

• HR Auth check

  Hi
  Our HR department are restricted to running reports and HR transactions based on basic pay on all org keys other then their own. Therefore HR employees are not allowed to view each others salaries.
  A new person has recently joined the HR department as a re-entry and this problem has now arisen that all HR employees can now see this persons salary if they run a transaction or report based on basic pay. The auth restrictions are still in place for all of the other members of the HR department.
  This problem is really strange and I’m not 100% sure if it’s an authorisation issue or not as it only effects one HR employee from the HR department. It’s as if this employee has fallen outside of the authorisation check.  
  I have checked the new HR employess MASTER DATA record under organisational assignment and everything looks perfect. That is Personnel Area, Employee Group, Employee Subgroup and Organisational Key are as they should be in our company. The only thing that has happened is this HR employee has come from another department as a reentry. Therefore the employee’s record was changed from leaver to reentry.
  If someone could please take a look I would be very grateful
  Thanks
  Siobhan

  Hi,
       Please refer to the SAP Note 1150762 - Authorization objects with many fields: Long runtime.
  Symptom:
  A report or query terminates because the maximum runtime was exceeded. The error message often specifies the program CL_HRPAD00AUTH_CHECK_STD======CP as the cause of the error.
  Reason and Prerequisites:
  Kernel patch 7.00 level 143 introduced a new algorithm  to accelerate the authorization check, particularly when you call a transaction (see Note 1124615).
  However, this new algorithm is slower for authorization objects that have multiple fields, since the assigned authorizations are rarely defined in all fields that have single values but they are defined in some fields that have templates or areas.
  Solution:
  These corrections combine both algorithms. For authorization checks with a field, the system first checks all of the authorizations for a suitable single value. If this is unsuccessful, the system then searches for authorizations with templates or areas. For authorization checks that have several fields, the system does not perform a direct search for single values, but it completely checks all of the authorizations in the same way.
  Kernel patch 7.00 is scheduled to be available as of calendar week 12/2008. As a workaround, you can downgrade to patch level 142 or lower.
  Implement the following SAP Note 150762.
  BR
  Tanmoy

• Addisional auth. check in FPL9

  Hi
  Is there anyone that knows (user-excit etc) where to check if the user is permitted to show item:s for a specific BP.
  I try to find a place where to check when the user have filled in BP and CA and press enter but I cant find a place to check if the user is allowed to see the items,
  I have a field in but000(augrp)that I can use in auth. object B_BUPA__GRP and see if the user is permitted.
  Please help if you know

  Hi Jan,
  you can use an event.
  Use transaction FQEVENTS and look for 'account'. I'd recommend to use event 1200 (Acct Balance: Set Header Data).
  You have to create and set active a function module. This function should be a copy of
  FKK_SAMPLE_1200
  In the interface, you get company code (I_BUKRS), business partner (I_GPART) and contract account (I_VKONT).
  Check those values, do the AUTHORITY check and issue an E message if the user is not allowed.
  Hope it helps,
  Clemens
  Message was edited by: Clemens Li

• MIGO auth check

  Hello all,
  In tcode MIGO, i want the authorization check to pass from a specific object, so as if the role has different values than these the user enters, it will display an authorization error.
  Auth Obj : M_MSEG_LGO.
  Thank you!

  maybe your configuration doesn't imply checking the storage location. verify this by going to
  SPRO --> Materials Management --> Inventory Management and Physical Inventory --> Authorization Management --> Authorization Check for Storage Locations.
  check whether the storage location you want checked is flagged.

• Auth check in VA03 & VA05

  Hi,
  I have a query regarding authorization in one transaction in SD. We have created one custom auth object for WERKS and assigned to VA01. Here it is working fine and assigned to user for their perticular plant. This way they are restricted to their own plant and can not run the transaction for other plant.
  Same way we want to do it for VA03 and VA05 so that user can run the transaction for their own plant. It seems that these transactions are not checking authorization at plant level.
  Can any body help on the same pls?
  Thanks in advance..
  Regards,
  Prashant

  HI,
  Thanks a lot for your reply.
  I have done the same thing but unfortunately it is not working in the case of va03 while it is working perfectly fine for va01.I have observed that in role, if i assign only va01, it is adding plant in authorisations. Where as in va03, it is not adding plant at organization level. Probably in VA03 it is not checkin at plant level at all.
  Any other way to check or restrict would really help me. Pls guide me.
  Thanks in advance,
  Prashant

• Interpretation of values in log generated for auth checks(using RSECADMIN)

  Hi experts
  Could you please help me in reading the error log which is created using transaction RSECADMIN.My question is in particular about the interpretation of the values which occurs in front of the authorization relevant characteristics in the section "main checks" of the error log.
  For example if I run a query , assumption(user is configured for auth. logs using rsecadmin and then finally when the query gets completed we see the authorization logs using rsecadmin only). Then in the log it shows what values were checked for the authorizations against authorized values/sets. Lets say there are 2 characteristics char1 and char2 which have hierarchies below them and I run a query with some values(any random nodes from hierarchy below char 1) for Char 1 and some values(any random nodes from hierarchy below char 2) for char2 in the query selection screen and after I run the query and see the log then below values are shown for log:
  Authorization Check  
  Detail Check for InfoProvider <INFOPROV > 
  and then comes the section related to value checks ( MAIN CHECK)
  Main Check
  Subselection (Technical SUBNR) 1  
  Following Set Is Checked                           Comparison with Following Authorized Set 
  Characteristic | Contents                           Characteristics |  Contents                                                                               result
  Char 1           | Node 0 4 0                           Char 1           | All values of nodes for Char1 for which user is authorized.          Ok/NOK
                       | 121339 1
  Char 2          | Node 3 1 98
                     | 121333 1                             Char 2                | All values of nodes for char 2 which user is authorized             Ok/NOK
  Could you please help in getting how shall I interperate the values which are being checked.I mean how exactly should i get the characteristic values from the below shown values
  Char 1           | Node 0 4 0      
                       | 121339 1
  Char 2          | Node 3 1 98
                     | 121333 1   
  I know that this might have some sids related to those values which are passed as nodes in the query selections but I am not sure how shall I get the values which are being passed for checks to the authorized set of values using above notification from sap.
  Could you please help me so that I can find out what values are passed for checks .
  I actually want to know how shall I use the values 0 4 0 121339 1 after the node for char 1 and 3 1 98 121333 after the node for char2.
  The values for the authorized set can be knows as they are shown at the end of the log but nothing is said about the node values which are passed for being checked.
  Please give me light on above so that i can use above informtion to find out what actually the user is not authorized for.
  I hope I explained the requirement to best of levels but still if this is not clear , please let me know.It might be possible that while posting the question some lines get merged (apology for the same but i could not fine the best way to put the same here).
  Thanks
  Vishal

  Hi Chandu
  Thanks for reply. But using the transaction RSECPROT and seeing the log from the rsecadmin both are same as the main program related to both of them is RSEC_PROTOCOL_MAIN.
  My question was related to this generated log only. I know that is in readable format but in log when you see what values are being checked against the authorized set then the part which is not clear to me is that what does the values in front of characteristic (for the node is selected as input value ( selection filter ) to see the data ) signifies.
  Please see example above (as given by me) and please help in interpreation of those generated values in front of charactertistics char1 and char2 (if possible) .
  Regards
  Vishal