Auth Group vs Authority Check

Hello -
I am adding an Auth Group to my programs using SE38 in the Attributes screen.  Is it also necessary to have code in my program that checks for S_PROGRAM or is it sufficient to add the Auth Group to just the attributes section.
Thank you for any insight.
Mary Kathryn

Adding an authorisation group is sufficient; there is no need to check the authorisation object within the code. The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
Execute a program
--> Authorization object S_PROGRAM
Regards,
JOy.

Similar Messages

  • Authority Check at the T.Code level for the user in particular User Group

    Hi Friends,
    I have created a ZREPORT and assigned this report to a ZTRANSACTION CODE.
    Need to give Authority Check at the T.Code level for the user in particular User Group.
    I have searched in SCN, but not get suitable pages.
    How to solve this?
    Regards,
    Viji.

    Hi Viji.
    Saha way is actual way for authority tcode but user authority in TCODE:- SE38 he/she can run report(ZREPORT) wise program is run is no authority check.
    Another way is to also check authority at program level.
    DATA: T_ROLE_USERS TYPE STR_AGRS OCCURS 0 WITH HEADER LINE.
    INITIALIZATION.
      CALL FUNCTION 'ESS_USERS_OF_ROLE_GET'
        EXPORTING
          ROLE       = 'ZROLE'  " Role to check
        TABLES
          ROLE_USERS = T_ROLE_USERS.
      " Is the current user assigned to the role?
      READ TABLE T_ROLE_USERS WITH KEY UNAME = SY-UNAME.
      IF SY-SUBRC NE 0.
        RETURN.
      ENDIF.
    Thanks & Regards
    Rahul

  • Authority check - in terms of User Group

    Hi all,
    I need to restrict the usage of a finance report by order of users. The report has order group as an input; only certain order groups should be viewed by certain users. In the authority check, can I do the checking by using user groups instead of individual users, i.e. create a separate object for each separate order group, and for each order group check against a user group instead of individual users? Kindly help.
    thanks.

    hi,
    Authorization check can be done for:
    1. Transactions
    2. ABAP programs
    In ABAP programs use the below code as reference for authorization check:
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field> FIELD <field value>.
    IF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.
    rewards points if useful.
    regards
    sandhya

  • AUTHORITY-CHECK on cost center

    We have set the authorisation (using object cost center) to time admin such that they can maintain leave for certain group of the user.
    The question is now how to program the abap code so that my customised leave report can validate the authorisation to ensure that when he generate the leave report, other those employees who are in the cost center that he is authorise to view is listed?
    Appreciate if you can share the code.

    Hi,
    see the help link also.
    [http://help.sap.com/saphelp_nw70/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm]
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.

  • Authority check at field level in the sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    regards
    Anji
    Message was edited by:
            Alvaro Tejada Galindo

  • Authority Check - Best Practice - Optimum Way

    Hi Experts,
    I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
    I am planning to create range tables and populate it with the authorized values and use it in the select queries.
    I have two concerns:
    1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
    2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
    What is the best practice or rule of the thumb that you have figured out.
    Thanks,
    Abdullah Ismail.

    Are they asking you to check the authorisations for each of the following?
    1. Sales Organization
    2. Distribution Channel
    3. Division
    4. Sales Group
    5. Sales Office
    6. Sales Document Type
    7. Sales Country
    8. Material Group(Brands)
    If so that is completely over engineered and good luck with that.  Surely you only need to check at one level of the sales structure, the lowest level I would guess.  Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
    Therefore the auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you won't have that many appends and it won't add much to the time of the report.  While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
    Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
    If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
    Hope that helps,
    Tim

  • Function module for se16 with out authority check for se16

    Hi ,
    I am creating a tcode YSE16 which has the same functionality as SE16 but has its own authority check. I am calling the function module RS_TABLE_LIST_CREATE to get the functionality of SE16. But is there any way that I can get a function module which does not check for the authorization for SE16 and executes my tcode?
    Regards,
    Sri.

    Hi Sri,
    If I am not wrong this is the question?
    Guys , Sri is modifying the YSE16 as per this requirement. Do u have some other solution? Thanks.
    Requirement is to create customized tcodes YSE16, YSM30 and YSE38 for se16, sm0 and se38. Lets start with YSE16.
    Client want YSE16 tcode to restrict users based on some tables within a authorization group or even * value for auth group field.
    SE16 restricted on:
    S_TABU_DIS
    Auth Group and Activity
    As per Requirement YSE16 tcode sld be restricted on :
    Y_TABU_DI2 (customized object)
    Auth Group, Activity and Table name
    We dont want to give SE16 to users in Production. So basically requirement is to restrict users on table name with YSE16 irrespective on authorization group. User sld only be able to access the table mentioned in Table name field.
    so Srilu is trying to modify the Program. Can you please suggest some other way to modify it.
    Thanks.
    Regards,
    Naveen Dalal

  • What is &NC& auth group?

    What does mean &NC& auth group?

    Hi Gautam,
    Strictly speaking, it will not default the authorization group on the table to &NC&, but rather, when the user has access to standard table display / maintenance transactions (SM34, SM31, SM30, SE16, N, SE11, SE17, etc), the program will make an authority-check against '&NC&' IF the table has not been assigned to a table group (S_TABU_DIS authorization group).
    This effectively groups all tables without an authorization group into a symbolic group (for the purpose of table display and possibly even maintenance, though the latter would not make sense...).
    Cheers,
    Julius
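
    The fallback Julius describes, written out as an added example (not code from the thread or from SAP's table-display programs). The report name and the parameter p_tab are constructed; TDDAT is the standard table that maps a table to its authorization group, and S_TABU_DIS carries the fields DICBERCLS and ACTVT.

    ```abap
    REPORT zdemo_tabu_dis_check.

    " Constructed selection parameter: the table whose protection is examined.
    PARAMETERS p_tab TYPE tabname DEFAULT 'T001'.

    DATA lv_group TYPE tddat-cclass.

    START-OF-SELECTION.
      " TDDAT maps a table or view to its authorization group.
      SELECT SINGLE cclass FROM tddat INTO lv_group
        WHERE tabname = p_tab.

      " No assignment (no entry or an empty group): the check is made
      " against the symbolic group '&NC&' instead.
      IF sy-subrc <> 0 OR lv_group IS INITIAL.
        lv_group = '&NC&'.
      ENDIF.

      " Display authorization (ACTVT 03) for the resulting group.
      AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
        ID 'DICBERCLS' FIELD lv_group
        ID 'ACTVT'     FIELD '03'.
      IF sy-subrc <> 0.
        MESSAGE 'No display authorization for this table group'
          TYPE 'S' DISPLAY LIKE 'E'.
        RETURN.
      ENDIF.

      WRITE: / 'Table', p_tab, 'is checked against group', lv_group.
    ```

    When reviewing roles, an S_TABU_DIS authorization with DICBERCLS = '&NC&' therefore covers every table that has no group assigned, not one specific table.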

  • Authority check at field level in sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi agree with Jan and Auke,
    To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
    But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
    If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
    Cheers,
    Julius

  • How to use the AUTHORITY-CHECK in ABAP

    I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
    Thanks

    Hi Greg,
      Basically an AUTHORITY-CHECK is a programmatic way to check an auth object a user has.  This is only as good as the person writing the code makes it.
    Here is a basic example of how it could work.  Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
    In the code the programmer would have to first do the authcheck to see what CC the user has access to.  Then they would have to limit his reporting based on the results of the authority check.  So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
    This is what I think you are looking for.  There are other ways to use the auth check.  You can do a check and end the program with a message if they don't have authorization. 
    If you need more info, let me know
    John
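
    The filter-instead-of-error approach discussed in the "Authority Check - Best Practice" thread and in John's answer above, as an added example that is not part of the original posts. The report name, the select-option s_bukrs and the choice of BKPF as the reported table are constructed for illustration; F_BKPF_BUK with BUKRS and ACTVT is the standard object quoted elsewhere on this page.

    ```abap
    REPORT zdemo_auth_filter.

    TABLES t001.
    " Constructed selection screen: company codes requested by the user.
    SELECT-OPTIONS s_bukrs FOR t001-bukrs.

    DATA: lt_bukrs TYPE STANDARD TABLE OF t001-bukrs,
          lv_bukrs TYPE t001-bukrs,
          lr_auth  TYPE RANGE OF t001-bukrs,
          ls_auth  LIKE LINE OF lr_auth,
          lt_bkpf  TYPE STANDARD TABLE OF bkpf,
          lv_count TYPE i.

    START-OF-SELECTION.
      " 1. Candidate values: what the user asked for, resolved against
      "    the check table so that patterns and intervals are expanded.
      SELECT bukrs FROM t001 INTO TABLE lt_bukrs
        WHERE bukrs IN s_bukrs.

      " 2. Keep only the values the user may display (ACTVT 03).
      LOOP AT lt_bukrs INTO lv_bukrs.
        AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
          ID 'BUKRS' FIELD lv_bukrs
          ID 'ACTVT' FIELD '03'.
        IF sy-subrc = 0.
          ls_auth-sign   = 'I'.
          ls_auth-option = 'EQ'.
          ls_auth-low    = lv_bukrs.
          APPEND ls_auth TO lr_auth.
        ENDIF.
      ENDLOOP.

      " 3. An empty range table matches every row in WHERE ... IN,
      "    so a user with no authorization at all must be stopped here
      "    rather than passed on to the SELECT.
      IF lr_auth IS INITIAL.
        MESSAGE 'No authorized company code in the selection'
          TYPE 'S' DISPLAY LIKE 'E'.
        RETURN.
      ENDIF.

      " 4. Read data with the authorized range only.
      SELECT * FROM bkpf INTO TABLE lt_bkpf
        WHERE bukrs IN lr_auth.

      lv_count = lines( lt_bkpf ).
      WRITE: / 'Documents read for authorized company codes:', lv_count.
    ```

    The range holds one line per authorized value from the check table, so its size is bounded by the number of company codes rather than by the amount of reported data.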

  • Authority-check for particular comp code

    Hi All,
    When I'm using the standard Authority Object F_BKPF_BUK for a particular standard code, say 'CO01', it is working for all company codes, but I want it to work for only one company code, say 'CO01' ONLY. I'm using it in a report program (zreport prog).
    I have written the code as
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
        ID 'BUKRS' FIELD 'BE10'
        ID 'ACTVT' FIELD '03'.
    Please can u advice on this .
    Many Thanks in Advance for u r Answer
    Naren

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • AUTHORITY-CHECK & customized program

    Hi,
    I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
    DATA: text   TYPE string,
          m_text TYPE string.
    text = 'You are not authorised for Company Code'.
    DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE.
    SELECT * FROM t001
           INTO TABLE t_t001
                 WHERE bukrs IN s_bukrs.
    LOOP AT t_t001.
      AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
          ID 'BUKRS' FIELD t_t001-bukrs
          ID 'ACTVT' FIELD '03'.
      IF sy-subrc <> 0.
        CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
      ENDIF.
    ENDLOOP.
    At the same time BASIS tied the authorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is that the result I'm getting is always SY-SUBRC = 12 even though the user is allowed to access the company's report. Please help...
    Haryati

    Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

  • AUTHORITY-CHECK for KUNNR

    Hi,
    I am new to core ABAP. For my report I have to do an AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. Kindly suggest.
    Currently i am using the following code.
      UNPACK p_kunnr TO ws_werks.
      AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
               ID 'ACTVT' FIELD '01'
               ID 'WERKS' FIELD ws_werks.
    But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
    Regards,
    Pankaj Aggarwal

    Don't use a WERKS authorization for KUNNR. Did you foresee the problems that may arise when you manage the user authorisations and roles? This authorization is checked in many standard programs on WERKS fields.
    - SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
    - SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
    - Use the new object in your program
    - Give the object name to those who manage roles via PFCG
    Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
    Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
    Regards,
    Raymond

  • AUTHORITY-CHECK always Return sy-subrc 0

    Hi,
    I have created a Authorization Object  'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
    When in Report program I do a check:
    AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
             ID 'USER' FIELD l_syuname .
    But the AUTHORITY-CHECK return 0 for all User IDs.
    Pls help what could be the Issue.
    Thanks
    Mohammed

    Hi,
    May be you would need to change the auth object and add the following two fields:
    REPID        ABAP Program Name
    ACTVT      Activity
    allowed values for ACTVT :
                                 01     Create or generate
                                 02     Change
                                 03     Display
                                 16     Execute
    In the code you can check
    AUTHORITY-CHECK OBJECT 'OBJECT_NAME'
                          ID 'ACTVT' FIELD '16'
                          ID 'REPID' FIELD sy-cprog.
    Hope it helps.
    Anju

  • Execute Authority Check With a different User than the logged on one

    Hello,
    is there any possibility to make the command "AUTHORITY-CHECK" with another user than the user which is actually logged in to the system?
    For Example: my Username "USER1".
    Login with user "USER1".
    Run ABAP Program to check if user "USER2" has the authority for an auth. object per command "AUTHORITY-CHECK".
    Thanks for all Ideas.
    Best Regards
    Marcus

    Try the FM AUTHORITY_CHECK!
    Cheers,
    Ramki.
