AUTHORITY-CHECK always Return sy-subrc 0

Similar Messages

• Authority Check on Table - Restrict Entries based on check

  Hi,
  I need to add an authorization check to a table.
  The check will restrict certain entries from displaying, based on the check of some table fields.
  The table is custom and I know which authority object to use, as well as which fields to restrict.
  How do I do this?
  Thanks!

  Hi N.,
  select all data into internal table, loop at the table, do authority check for each table, delete records that fail authority check, display results.
  Or use SELECT INTO structure, check authority , append if authority check is OK (SY-SUBRC = 0), ENDSELECT, then display.
  Try which way is better based on memory requirement and performance.
  I hope this answer will help you. If not, feel free to ask for details.
  Regards,
  Clemens

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• AUTHORITY-CHECK & customized program

  Hi,
  I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
  DATA: text      TYPE string,
            m_text  TYPE string.
  text = 'You are not authorised for Company Code'.
  DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
  SELECT * FROM t001
         INTO TABLE t_t001
               WHERE bukrs IN s_bukrs.
  LOOP AT t_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
        ID 'BUKRS' FIELD t_t001-bukrs
        ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
    ENDIF.
  ENDLOOP.
  At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
  Haryati

  Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

• Authority Check at the T.Code level for the user in particular User Group

  Hi Friends,
  I have created a ZREPORT and assigned this report to a ZTRANSACTION CODE.
  Need to give Authority Check at the T.Code level for the user in particular User Group.
  I have searched in SCN, but not get suitable pages.
  How to solve this?
  Regards,
  Viji.

  Hi Viji.
  Saha way is actual way for authority tcode but user authority in TCODE:- SE38 he/she can run report(ZREPORT) wise program is run is no authority check.
  Another way is you have also check authority in program level.
  DATA: T_ROLE_USERS TYPE STR_AGRS OCCURS 0 WITH HEADER LINE.
     INITIALIZATION.
    CALL FUNCTION 'ESS_USERS_OF_ROLE_GET'
      EXPORTING
        ROLE       = 'ZROLE''  " Role define
      TABLES
        ROLE_USERS = T_ROLE_USERS.
    READ TABLE T_ROLE_USERS WITH KEY UNAME = SY-UNAME.
     IF SY-SUBRC NE 0.
     RETURN.
     ENDIF.
  Thanks & Regards
  Rahul

• Authority-Check in UPDATE TASK CALL

  Hi Gurus,
  Does anybody know, from the Technical point of view, if there is any special issue with an Authority-Check put in a user-exit called in UPDATE TASK?
  Thanks & Regards
  Ernesto.

  Hello Michael,
  Thank you for your reply. I was asking this because I have a problem regarding an Authority Check and I do not know what the problem is. In user exit EXIT_SAPLL03T_002 (executed in Update TASK) I want to check for Storage Type condition from the object L_LGNUM. The user that executes LT12 transaction has one role only that has object L_LGNUM like this:
  Object L_LGNUM
  Warehouse Number - LNUM = 200
  Storage Type - LGTYP = 100, 200, 300, 400, 500, 600, 700, 800
  The two checks I am doing are:
    Check Source Storage Type
      AUTHORITY-CHECK OBJECT 'L_LGNUM'
               ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
               ID 'LGTYP' FIELD ls_ltap_vb-vltyp (902)
      Check Destination Storage Type
        AUTHORITY-CHECK OBJECT 'L_LGNUM'
                 ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
                 ID 'LGTYP' FIELD ls_ltap_vb-nltyp (002)
  And for no reason SAP doesn't return sy-subrc NE 0 when it should. I've checked the role and it has no conflict with another one as it is the only role the user has. Any idea?
  Thanks & Regards
  Ernesto

• Reg:Authority Check object

  Dear All,
  I am calling two authority check object M_MATE_MAR  and M_MSEG_BMB in my report.
  Now for a user if i see the Role the second object  M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
  Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
  M_MSEG_BMB sy-subrc = 4 as check is failng.
  My requirement is the user should not see some movement types irrespective of the material ,
  If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
  so wht should be done in my case.
  Regards

  Hi Rajendra,
  When you hit F1 on the Authority-check,
  If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
  If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
  When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
  When sy-subrc = 40, An invalid user ID has been entered in user.
  Hope it helps.
  Sujay

• Authority Check in Programs

  Hi all
  Does anyone know tell me which table I check the check the program authority.
  Thanks,

  Hi Rodrigo,
  Use following code to get it done in programs.
  Say, for object V_VBAK_VKO (which you can see in SU24), you can do it like this.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
  ID 'VKORG' FIELD VKORG
  ID 'VTWEG' FIELD VTWEG
  ID 'SPART' FIELD SPART.
  IF sy-subrc ne 0.
  show an error message.
  endif.
  Here , VKORG, VTWEG and SPART you have to pass from program and check sy-subrc return value.
  Hope this helps.
  Regards,
  Naveen

• SQ02 AUTHORITY-CHECK

  Hello,
  I try to control the access of the financial center of the table FICTR by FMFCTRT function AUTHORITY-CHECK in Infoset (SQ02 TX).
  I assume that this code is correct:
  AUTHORITY-CHECK OBJECT 'F_FICA_CTR'
  'd FM_AUTHACT 'FIELD '03'
  'd FM_FIKRS 'DUMMY
  'd FM_FICTR 'FIELD' XXX '. "XXX is the selected variable in the selection that I can not recover !!!!!
  IF sy-subrc NE 0.
  write 'NO ACCESS'.
  LEAVE LIST-PROCESSING.
  ENDIF.
  If someone could tell me what section of code must be placed and whether the program is correct (no error generation).
  Knowing that when I go into the code AT SELECTION SCREEN, I am automatically redirected to the code DATA??
  And how to retrieve FM_FICTR has been selected to power the test.
  Thank you in advance for your answers!

  Use the logical database as the data source for the query:
  " < ... > you should always use logical databases as the data source within InfoSets that are used for query-based reporting. Using a logical database as your data source guarantees that the SAP solution is smart enough to know which areas of the data a user is allowed to see so that only the appropriate data will show in an SAP query report. Regardless of what type of security access the person who created the report has, the system is smart enough to display only the appropriate data for the user executing the report. (Note that this is the case only when logical databases are used as the data source if a SAP query is created using an InfoSet that is based on anything other than a logical database (for example, a table, a table join, a program). It is fair to say that no security whatsoever is in place when the query is run because all records within the tables are displayed in the report output.)"
  Edited by: Jelena Perfiljeva on Jan 20, 2009 5:15 PM
  Edited by: Jelena Perfiljeva on Jan 20, 2009 5:15 PM

• Authority Check on DatabaseConnection for HANA

  Hi,
  we are setting up our configuration for HANA.
  We want to make a Package within HANA for each functional domain. We also want to make separate connections to HANA (as secondary database) for each functional domain (Finance, Logistics, HR, ...) in DBCOCKPIT. But we want to control which application/user uses which connection; We don't want FI to use the HR-connection.
  Am I right when I think we might use authorization object S_DBCON to accomplish this?
  Thanks.
  Kris

  Hi,
  If different packages are customized development and assigned to different DB connection name, there is a possibility you can use S_DBCON object to check though that is not the original intention as Lars mentioned.
  Sample routine:
  * Check authority to access the specified connection
    IF con_name IS NOT INITIAL.
      AUTHORITY-CHECK OBJECT 'S_DBCON'
               ID 'DBA_DBHOST' FIELD space
               ID 'DBA_DBSID'  FIELD con_name
               ID 'DBA_DBUSER' FIELD space
               ID 'ACTVT'      FIELD '03'.
    ENDIF.
    IF sy-subrc <> 0.
      MESSAGE
        'You are not authorized to run this program' TYPE 'I'.
      RETURN.
  A user without the assigned DB connection name is unable to execute objects in a package when that connection is not assigned to him.
  Regards.
  YS

• Help reg  authority-check

  Hi all,
  can anyone explain what this statement does.
  authority-check object 'Z_Abc_def'
    id 'ZAbc_defI' field '*'.
  Thanks in advance

  Check the sap provided help:
  here is an excerpt:
  AUTHORITY-CHECK
  Basic form
  AUTHORITY-CHECK OBJECT object
      ID name1  FIELD f1
      ID name2  FIELD f2
      ID name10 FIELD f10.
  Effect
  Explanation of IDs:
  object
  Field which contains the name of the object for which the authorization is to be checked.
  name1 ...
  Fields which contain the names of the
  name10
  authorization fields defined in the object.
  f1 ...
  Fields which contain the values for which the
  f10
  authorization is to be checked.
  AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
  You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
  The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
  If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
  If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
  The return code value changes according to the different error scenarios. The return code values have the following meaning:
  4
  User has no authorization in the SAP System for such an action. If necessary, change the user master record.
  8
  Too many parameters (fields, values). Maximum allowed is 10.
  12
  Specified object not maintained in the user master record.
  16
  No profile entered in the user master record.
  24
  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
  28
  Incorrect structure for user master record.
  32
  Incorrect structure for user master record.
  36
  Incorrect structure for user master record.
  If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
  Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
  Note
  Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
  The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
  Example
  Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
  Table OBJ: Definition of authorization object
  M_EINF_WRK
     ACTVT
     WERKS
  Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
  M_EINF_WRK_BERECH1
     ACTVT 01-03
     WERKS 0001-0003 .
  can display and change plants within the Purchasing and Materials Management areas.
  Such a user would thus pass the checks
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0002'
      ID 'ACTVT' FIELD '02'.
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' DUMMY
      ID 'ACTVT' FIELD '01':
  but would fail the check
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0005'
      ID 'ACTVT' FIELD '04'.
  To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
  Regards,
  ravi

• Java always returns 15 minutes greater than the current time.

  Hi,
  I am using Microsoft Windows Server 2003R2,Standard X64 edition with Service Pack 2 and jdk1.6.0-03.
  Java always returns time 15 minutes greater than the current system time.
  eg:
  SimpleDateFormat simpleDateFormat=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
  System.out.println("Now time: "+simpleDateFormat.format(new Date()));
  System.out.println("Now time: "+new Date());The output of the program is :
  Now time: 2008-12-22 18:47:04
  Now time: Mon Dec 22 18:47:04 NPT 2008
  When my actual system time is 6:32 PM or (18:32)
  I have checked the current time with other programming languages like python and it always returns the actual date and time.
  Note: To my observation java is always utilizing a time which is 15 minutes greater than the current time even for its log.
  Thanks,
  Rajeswari (Msys)

  I think a more practical time machine would be one that actually travels back in time rather than forward (by 15 minutes). Sounds like it needs some more work.
  Anyway, I suggest changing the system time on your computer to some other value (say, 2 hours ahead), then running the program again. If its off by 2 hours and 15 minutes, its getting the time from your computer. However, if its still off by only 15 minutes (from your wristwatch's time), then its getting the time form somehere other than the computer clock.

• Company code authority check

  Hi
  we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
  I searched thru forums and collected below points. but could not test it successfully.
  Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
  In su01 for my user no roles or profiles are defined.
  To do
  Trying to write  below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
  PBO & PAI
  *First statement
  Module Authorictycheck.
  module Authoritycheck
    LOOP AT EXTRACT.
      AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
                          ID 'ACTVT' FIELD '01,02,03'
                          ID 'BUKRS' FIELD ZTTL01-BUKRS.
      IF sy-subrc <> 0.
        MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
      EXIT.                          'access Bukrs'extract-bukrs.
      ENDIF.
    ENDLOOP.
  endmodule
  Can i use above code in PBO and PAI to check change of company code?
  I am sharing role and profile created by other user, which allows only company code 'A10'.
  How to test this now?
  se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
  Regards
  Chandra

  Hi Suhas
  Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
  Thanks for ur input.
  Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
  To achieve this can i use EVENT AA?
  I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
  FORM ZHIDE_COCODE.
  DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
  LOOP AT TOTAL.
  READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
  IF SY-SUBRC EQ 0.
  F_INDEX = SY-TABIX.
  ELSE.
  CLEAR F_INDEX.
  ENDIF. "(make desired changes to the line TOTAL)
  MODIFY TOTAL.
  CHECK F_INDEX GT 0.
  EXTRACT = TOTAL.
  MODIFY EXTRACT INDEX F_INDEX.
  *ENDIF.
  ENDLOOP.
  SY-SUBRC = 0.
  ENDFORM.
  I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
  Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
  what should be done now?
  Regards
  Chandra

• Authority check on company code

  Hi ,
        How i need to check whether the company codes in an internal table is having creation access to the particular user or not ?.
       In authority check what is  ACTVT - 01,02,03  signifies ??
  Thanks in adv.
  varma

  LOOP ...
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD T_COMP_CODES-BUKRS
  ID 'ACTVT' FIELD '01'.
  IF SY-SUBRC <> 0.
  move  w_COMP_CODES-bukrs to (itab1).
  ENDIF.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD T_COMP_CODES-BUKRS
  ID 'ACTVT' FIELD '02'.
  IF SY-SUBRC <> 0.
  move  w_COMP_CODES-bukrs to (itab2).
  ENDIF.
  ENDLOOP.
  Hence segregating all the Company codes as per the authorization.

• Authority check in hr payroll infotype report

  Hi all,
  We have developed a report which gives infotypewise employee details.here we are checking authority for reading employee data.we are applying authority check at selection-screen and while reading the data from database tables.following is the sample code.
  do .
  if  s_abkrs-high < s_abkrs-low.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-high
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
  exit.
  endif.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-low
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
    s_abkrs-low = s_abkrs-low + 1.
  enddo.
  my senior says this code is right but it is not checking authority for all infotypes.can anyone suggest what changes are required in this code so that it will check authority for all infotypes.
  Thanks in advance.
  Regards,
  Harshada

  Hi ,
        A select-option will have a structure with four fields (sign , option , low , high) .
        So if you want to use your below code : you cannot check authority.
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs  <-- is an internal table
  id 'ACTVT' field '01'
  id 'ACTVT' field '02'.
  if sy-subrc 0.
  message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
  endif.
  endloop.
  The other option is :
  If your select option has values only in low ... then you can loop thru it ...
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs-low
  endloop.
  Regards,
  Srini.