AUTHORITY-CHECK & customized program

Similar Messages

• How to debug a authority check in program and a authorisation object in tco

  Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
  i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
  i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
  every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .

  flow cannot be seen, we have to be based on sy-subrc only...
  you cannot see the flow in read table... describe table... transfer...
  the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0.

• Authority Check in Programs

  Hi all
  Does anyone know tell me which table I check the check the program authority.
  Thanks,

  Hi Rodrigo,
  Use following code to get it done in programs.
  Say, for object V_VBAK_VKO (which you can see in SU24), you can do it like this.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
  ID 'VKORG' FIELD VKORG
  ID 'VTWEG' FIELD VTWEG
  ID 'SPART' FIELD SPART.
  IF sy-subrc ne 0.
  show an error message.
  endif.
  Here , VKORG, VTWEG and SPART you have to pass from program and check sy-subrc return value.
  Hope this helps.
  Regards,
  Naveen

• How to find which custom program uses authorization checks

  Hi all,
  I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
  Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
  Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
  Many thanks,
  Aldo

  If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
  Below SAP documentation may help you:
  Authorization Group
  Authorization group to which the program is assigned.
  The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
  Execute a program
  --> Authorization object S_PROGRAM
  Edit a program (-Include) in the ABAP Workbench
  --> Authorization object S_DEVELOP
  Programs that are not assigned to an authorization group are not protected against display and execution.
  Security-related programs should, therefore, always be assigned to an authorization group.
  Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• Authority check in ABAP program

  Hello All
  I am having some trouble with authority object in ABAP programming
  This is the situation.
  I have a field "plant" which is a select options in the selection screen.
  I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
  How can I incorporate this logic in the report.
  This the current coding
  AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'C_ROUT'
            ID 'ACTVT' FIELD '03'
            ID 'PLNTY' FIELD 'DUMMY'
            ID 'WERKS' FIELD s_werks
            ID 'STATU' FIELD 'DUMMY'
            ID 'VERWE' FIELD 'DUMMY'.
  START-OF-SELECTION.
    SELECT amatnr  aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
                             ON amatnr = bmatnr
                              AND awerks = bwerks
                           WHERE a~matnr IN s_matnr
                                 AND a~plnnr IN s_plnnr
                            AND a~plnal IN s_plnal
                          AND a~werks IN s_werks
                         AND a~plnty IN s_plnty
                         AND b~stlnr IN s_stlnr
                           AND b~stlal IN s_stlal. "(ALT BOM)
  Thanks
  Ricky

  Hi Ricky,
  to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
  Code like this:
  DATA : BEGIN of t_werks OCCURS 0,
                werks TYPE t001w-werks,
  END OF t_werks.
  DATA : w_text(30) TYPE c.
  AT SELECTION-SCREEN.
  IF NOT s_werks[] IS INITIAL.
  REFRESH t_werks.
  SELECT werks
  FROM t001w
  INTO TABLE t_werks
  WHERE werks IN s_werks.
  IF sy-subrc EQ 0.
  LOOP AT t_werks.
  AUTHORITY CHECK...
  ID 'WERKS' FIELD t_werks-werks.
  IF sy-subrc EQ 0.
  DELETE t_werks.
  ENDIF.
  ENDLOOP.
  IF NOT t_werks[] IS INITIAL.
  LOOP AT t_werks.
  CONCATENATE t_werks-werks
                           w_text
                  INTO w_text.
  ENDLOOP.
  MESSAGE exxx WITH 'No authorisation for '
                                    w_text.
  ENDIF.
  ENDIF.
  ENDIF.
  Thanks and Best Regards,
  Vikas Bittera.
  **Reward if useful**

• Custom Authority Check across system

  Hi all
  I have got an authority check requirement I need help with. I have to restrict certain users --which have a specified role- to not be able to access certain profit/cost centers in any reporting activity.
  When these users run any report transaction, example" FBL3N; they do not see the profit/cost center line items (documents) which are not assigned to them.
  Anyone have a solution for this?
  Some thoughts i have;
  1) Create an authorization field and assign a check table with the values i wish to be shown. Create an authority check statement in an enhancement on EVERY tcode.
  2) Create the authorization object and assign to the user role.
  Looking forward for a reply.
  Points will be rewarded.
  Thanks

  Well did some working on it.  Created an authorization class,object and assigned it the PRCTR field.
  Then we assigned it at the organizational level- prctr from 201 to 201-
  Then we tried FB03, document list and then tried to view documents. Unfortunately it still shows all documents regardless of the profit center being other then 201.
  Am I missing something here?

• Need to check all custom programs with open data set

  Hi all ,
  i have  to list all custom programs and f.m.  which are using ftp server (file share).
  Is there any way to list that programs

  Hi,
  You can use program RPR_ABAP_SOURCE_SCAN to find custom programs with providing find string criteria (i.e open data set).
  Regards,
  Ferry Lianto

• ABAP CUSTOM PROGRAMS vs SOX - What is your best approach?

  SOX defines you must put in place controls to be sure your users can do only those activities wich are not able to create a risk for your company assets.
  You can use GRC AC to get clean and stay clean, but the problem is in your custom developments. Indirectly called transactions are not included in the transaction start check, so I think you must use "authority checks" to validate either stantdard authorization objetcs (sy-tcode, company code...) or custom authorization objects before to call a transacction/BAPI inside a custom program to be sure the user has the right permissions to complete this task.
  Should i validate any single authoritation object defined in SU24 for each single transaction called Indirectly?
  Any other quick win approach?
  thx.

  Manuel,
  There are various types of controls that could be put in place for accomplishing this. Below are some things you could consider to mitigate this risk as I have done in the past which has been sufficent to auditors.
  1) Have a solid review process for Functional Design Specs (FDS) reviews of RICEFW objects being developed into your SAP enviroment and be sure to have the process and review documented. This process will allow you to proactively seek out potential issues before they are coded to senstive areas where the potential risk to financial reporting could arise.
  2) Implement coding standards for Security such as use of Program Auth Groups, Table Auth Groups, and implement certian SAP notes to secure S_DEVELOP object properly. Refer to https://websmp110.sap-ag.de/securitynotes for security notes.
  3) Have a review/monitoring process in place to review access and authorizations to critical objects and transactions. GRC AC is one way to approach this.
  You can use abap program "RSABAPSC : Statistical program analysis to find ABAP language commands" to seek out Authority-Checks in custom development as part of a quality review.
  Thanks,
  Matt

• AUTHORITY-CHECK for KUNNR

  Hi,
  I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
  Currently i am using the following code.
    UNPACK p_kunnr TO ws_werks.
    AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
             ID 'ACTVT' FIELD '01'
             ID 'WERKS' FIELD ws_werks.
  But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
  Regards,
  Pankaj Aggarwal

  Don't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
  - SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
  - SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
  - Use the new object in your program
  - Give the object name to those who manage roles via PFCG
  Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
  Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
  Regards,
  Raymond

• How to create authority check object and assign to  ztcode which is of modu

  Dear ,
           how to create authority check object and assign to  ztcode which is of custom module pool program.its urgent kindly help points rewarded.

  Manoj,
  You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
  K.Kiran.

• Include an authorization check in program

  Hello,
  I am new to SDN .
  I got a requirement where i have to include an authorization check in programs this is required for all custom programs before they are added to roles . I am not sure what i have to do it .
  These programs if i try to open in se38 , i cannot view them .
  How do i include authorisation checks .
  Please let me know step by step .
  i will be grateful.
  thanks
  sumit
  Edited by: sumit123 on Jan 20, 2010 9:52 AM

  Hi Sumit,
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
  Check this link.
  The following actions are authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid: .
  1.Starting SAP transactions (authorization object S_TCODE)
  2.Starting reports (authorization object S_PROGRAM)
  3.Calling RFC function modules (authorization object S_RFC)
  4.Table maintenance with generic tools (S_TABU_DIS)
  Authority check is done to restrict the execution of a report to certain users.
  Basis creates a authorisation group , includes certain roles in it, to which authorisation should be given.
  If one's id has that role then he is authorised to execute the report..
  IN the report the below code is written to do auth. check
  Authority check on plant
  AUTHORITY-CHECK OBJECT 'ZMMD_PROD'
  ID 'WERKS' FIELD wf_werks.
  Here authorisation is done on plant. and the authorisation object is ZMMD_PROD(to be created by BASIS)

• How to create Authority check object

  Hello Gurus,
  How to create Authority-check object 'ZABC'
                                                           ID 'TABLE' FIELD 'ZTABLE'.
  Please tell me detailed procedure.
  Thanks in advance.
  Best Regards,
  zubera

  Dear Zubera,
  Creating Authorization Fields
  In authorization objects, authorization fields represent the values to be tested during authorization checks.
  To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
  To create a authorization field:
  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.
  4. If desired, enter a check table for the possible entries. For    more information about check tables.
  For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
  You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
  Assigning an Authorization Object to an Object Class
  Each authorization object must be assigned to an object class when it is created.
  Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
  You can also create authorization objects in the Object Navigator (SE80).
  Creating / Choosing Object Classes
  The system displays a list of existing object classes.
  Object classes are organized according to the components of the system.
  Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
  You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  Creating an Object
  Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
  You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
  Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
  Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
  You can regenerate the profile SAP_ALL after creating an authorization object.
  Best Regards,
  Rajesh
  Please reward points if found helpful.

• RE: Authority checks included in the info set of the query

  Hi all,
  I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
  how to find the Authority checks included in the info set of the query.
  Thanks in advance,
  Sun.

  If you have the BI support roles assigned to you  and the security admin  roles please login to the BI system
  execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
  For variables in authorizations like ( type customer exit )
  use RSECADMIN - maintain authorization tab - Click on value authorization tab.
  Keytransaction is RSECADMIN  & infoobject maintenance details you can get from RSD1.
  Regards

• Authority Check on DatabaseConnection for HANA

  Hi,
  we are setting up our configuration for HANA.
  We want to make a Package within HANA for each functional domain. We also want to make separate connections to HANA (as secondary database) for each functional domain (Finance, Logistics, HR, ...) in DBCOCKPIT. But we want to control which application/user uses which connection; We don't want FI to use the HR-connection.
  Am I right when I think we might use authorization object S_DBCON to accomplish this?
  Thanks.
  Kris

  Hi,
  If different packages are customized development and assigned to different DB connection name, there is a possibility you can use S_DBCON object to check though that is not the original intention as Lars mentioned.
  Sample routine:
  * Check authority to access the specified connection
    IF con_name IS NOT INITIAL.
      AUTHORITY-CHECK OBJECT 'S_DBCON'
               ID 'DBA_DBHOST' FIELD space
               ID 'DBA_DBSID'  FIELD con_name
               ID 'DBA_DBUSER' FIELD space
               ID 'ACTVT'      FIELD '03'.
    ENDIF.
    IF sy-subrc <> 0.
      MESSAGE
        'You are not authorized to run this program' TYPE 'I'.
      RETURN.
  A user without the assigned DB connection name is unable to execute objects in a package when that connection is not assigned to him.
  Regards.
  YS