Authority check error + su53 + autho object
Hello,
My userid is having misising authorization for one authorization object. We have the authorization object, but it is not included in any profile / role.
Please advice me how the authority check works?
Where do we need to inlcude the authority object , In a role or profile?
Thanks and regards,
Anand
please send a screen shot of your SU53 to your SAP security team - they will know what to do with it.
Similar Messages
-
Troubleshooting through Authority check
Hello All,
Please let me know the procedure for troubleshooting at programming level. I understand, we have to go thru SE38 then authority check but, I want to know the correct program name for authority check at the auth.object level , the tcode level and steps after executing the program.
Regard's
Salman>
> Can We do troubleshooting at the programming level ? If yes, then please let me know the steps to proceed.
>
Seems your requirement is to find out the meaning and requirement of Authority Check.
You know each Transaction Codes consist of several screens through which we used to navigate by clicking some buttons. These screens are basically represented by separate programs called Dynpro (Dynamic Program). You know the Authorization Objects are the control point of measuring access to a user. These Objects are not checked for their values just because you see them in SU24 or in USOBT_C. They are basically checked by a typical ABAP program statement called "AUTHORITY-CHECK".
Now if you want to see the AUTHORITY-CHECK statements involved for a specific TCode: You can do this by using the report RSABAPSC.
Regards,
Dipanjan -
Incorrect authorization object is checked in SU53. SU53 checks the wrong BP
Hi all,
I am setting up a new user and a new role in CRM 4.0.
When coming to BP maintenance I get some frustrating errors.
I have created a role with BP and SU53 transaction codes assigned.
I have given the authorization to two BP roles:
- 000000 (BP General) Activity: Display
- ZCRM41 (Potential customer) Activity: Display and Edit.
I can display the BP role '000000' but when trying to change to BP role 'ZCRM41' I get No authorization.
SU53 indicates that I am trying to enter another BP role than ZCRM41.
As a result no authorization is given. If I add the BP role the SU53 indicates and retry SU53 another BP role is checked and so on...
Anyone who knows what is wrong?
Points will be rewared!
Thanks,
//andersHello Anders,
Thanks for providing me the details. Now I am clear abt the problem.
This is a sort of puzzling tome. Such a behavior should not happen. It can happen only:
a) In SU53, are you seeing the role 'ZCRM41' and customer role as an additional check? If this is the case, there might be some dependency assigned like role groupings (check in SPRO under business partner if these two roles form a role) or if there is any functional dependency.
b) Also make sure that you have assigned and generated the right profile for the role. Some time in a hurry we might miss to cross check this.
c) For business partners, the role authority check is done inside function module BUP_BUPA_EVENT_AUTH1. We need to debug here to find cause for this problem.
Hope this helps.
Regards, Sudheer. -
System error - User not authorized to access requested Info Object!
Hi, Experts,
I have a user ID begin with S***, but when I click some links, the following message shows:
"System error - User not authorized to access requested Info Object!"
How could I have authorization to see these links?
Thanks!
LorrieHi Lorrie,
If you are a superuser, you should not get this error.
If not, you can not change any autohorizations.
Check it out. For your job, you have to be a super user.
Thanks,
Gordon -
Error Individual check for creating the object WBS Element required
Hi Expert,
I've a requirement to create WBS elements using BAPI. And I am using BAPIs in the following manner.
CALL FUNCTION 'BAPI_PS_INITIALIZATION'
CALL FUNCTION 'BAPI_BUS2054_CREATE_MULTI'
EXPORTING
i_project_definition = g_pdwbs
TABLES
it_wbs_element = it_wbs_element
et_return = it_return
EXTENSIONIN =
EXTENSIONOUT =
CALL FUNCTION 'BAPI_PS_PRECOMMIT'
CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'.
When I do so I am getting the below errors. Please suggest.
"Individual check for creating the object WBS Element C-497082 required ".
"Individual check for creating the object WBS Element C-497082-0001 required".
Please suggest how to correct this error.Hi Karthikeya,
I think the project profile which you are using has a different mask and the WBS element you are passing is different to the BAPI.
Are you able to create manually from CJ01 using the same WBS element?
Create a project manually and it will give the list of the mandatory fields set in the config. Using that list populate the BAPI struture accordingly.
Hope this helps.
Thanks
Lakshman. -
Authority-Check Object for PLANT(WERKS)?
Hi Experts,
By using "V_VBAK_VKO" Authority Object am checking the user Authentication against the sales area(Sales OrgDistr. ChannelDivision) in my custom report. Below is the code,
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD s_vkorg
ID 'VTWEG' FIELD s_vtweg
ID 'SPART' FIELD s_spart
ID 'ACTVT' FIELD '01'
ID 'ACTVT' FIELD '02'.
(Note: My report is for SD/OTC module)
I also need to check the authenmtication of user against entered PLANT (WERKS) in selection screen, so, pls. let me know that What is the Authority-Check Object for PLANT(WERKS)
Thank youHi,
Transaction SU20, search for WERKS.
When you find it, double click on the row, in the bottom half of the resulting screen there is a list of authorisation objects that contain the field.
Unfortunately, you can't navigate from this list into the definition of the objects, so you'll need to cross-reference against transaction SU21.
Regards,
Nick -
How to create authority check object and assign to ztcode which is of modu
Dear ,
how to create authority check object and assign to ztcode which is of custom module pool program.its urgent kindly help points rewarded.Manoj,
You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
K.Kiran. -
With regard to lock object and authority check
hi all
i would like to know about lock object and authority check specifically in reports. there is a coding in sap library with regard to authority check, but there is no coding to restrict user (i mean there is no user names that the object is restricting for a particular user or any user has got permission to change or display object).
further, the code mentions that you need an authorization in your user master record for the object, could any of u explain where is user master record.
below is the code for authority check.
*& Module USER_COMMAND_0100 INPUT
MODULE USER_COMMAND_0100 INPUT.
CASE OK_CODE.
WHEN 'SHOW'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD '*'
ID 'ACTVT' FIELD '03'.
IF SY-SUBRC NE 0. MESSAGE E009. ENDIF.
MODE = CON_SHOW.
SELECT SINGLE * FROM SPFLI
WHERE CARRID = SPFLI-CARRID
AND CONNID = SPFLI-CONNID.
IF SY-SUBRC NE 0.
MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
ENDIF.
CLEAR OK_CODE.
SET SCREEN 200.
WHEN 'CHNG'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD '*'
ID 'ACTVT' FIELD '02'.
IF SY-SUBRC NE 0. MESSAGE E010. ENDIF.
MODE = CON_CHANGE.
SELECT SINGLE * FROM SPFLI
WHERE CARRID = SPFLI-CARRID
AND CONNID = SPFLI-CONNID.
IF SY-SUBRC NE 0.
MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
ENDIF.
OLD_SPFLI = SPFLI.
CLEAR OK_CODE.
SET SCREEN 200.
ENDCASE.
ENDMODULE. " USER_COMMAND_0100 INPUT
i thank u all for the help in advance.hi
this might help
REPORT YUSRLOCK NO STANDARD PAGE HEADING.
TABLES: TRDIR, USR02.
DATA: MARK,CNTR TYPE I,
ACCNT LIKE USR02-ACCNT, ERDAT LIKE USR02-ERDAT,
ANAME LIKE USR02-ANAME, CLI(3) VALUE 'AAA', SZIN TYPE I,
SYDATUM LIKE SY-DATUM, FLAG(3).
TABLES: UINFO.
DATA: OPCODE TYPE X VALUE 2.
DATA: BEGIN OF USR_TABL OCCURS 10.
INCLUDE STRUCTURE UINFO.
DATA: END OF USR_TABL.
START-OF-SELECTION.
CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
ID 'TAB' FIELD USR_TABL-SYS.
SELECT * FROM USR02 CLIENT SPECIFIED ORDER BY MANDT BNAME.
IF USR02-MANDT <> CLI.
SZIN = SZIN + 1. SZIN = SZIN MOD 2.
CLI = USR02-MANDT.
ENDIF.
IF USR02-UFLAG = 0.
MARK = ' '.
ELSE.
MARK = 'X'.
ENDIF.
CLEAR FLAG.
LOOP AT USR_TABL.
IF USR_TABL-BNAME = USR02-BNAME AND USR_TABL-MANDT = USR02-MANDT.
FLAG = '!!!'.
ENDIF.
ENDLOOP.
SYDATUM = SY-DATUM - 30.
IF SYDATUM < USR02-TRDAT.
IF SZIN = 0.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
' ',FLAG COLOR 6.
ELSE.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
' ',FLAG COLOR 6.
ENDIF.
ELSE.
IF SZIN = 0.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
' ',FLAG COLOR 6.
ELSE.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
' ',FLAG COLOR 6.
ENDIF.
ENDIF.
HIDE: USR02-BNAME, USR02-MANDT.
ENDSELECT.
CLEAR USR02.
TOP-OF-PAGE.
WRITE:/ 'LOCK USER CLIENT TYPE LAST lOGIN ' COLOR 6.
SKIP.
AT USER-COMMAND.
IF SY-UCOMM = 'SEL'.
DO.
CLEAR MARK.
READ LINE SY-INDEX FIELD VALUE MARK.
IF SY-SUBRC NE 0. EXIT. ENDIF.
IF USR02-BNAME IS INITIAL.CONTINUE.ENDIF.
SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE
MANDT = USR02-MANDT AND BNAME = USR02-BNAME.
IF MARK = 'X' AND USR02-UFLAG = 0.
USR02-UFLAG = 64.
UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 64 WHERE
MANDT = USR02-MANDT AND
BNAME = USR02-BNAME.
COMMIT WORK.
ENDIF.
IF MARK = ' ' AND USR02-UFLAG = 64.
USR02-UFLAG = 0.
UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 0 WHERE
MANDT = USR02-MANDT AND
BNAME = USR02-BNAME.
COMMIT WORK.
ENDIF.
ENDDO.
CLEAR USR02.
ENDIF.
regards
Arun -
Plz tell me how to create authority check objects and how to usein prg
dear sir,
plz tell me how to create authority check objects and how to usein prghttp://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
Create custom authorization Customer specific object
If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
AUTHORITY CHECK OBJECT Object_name
ID fieldname1 FIELD fieldvalue1
ID fieldname2 FIELD fieldvalue2
ID fieldname3 FIELD fieldvalue3.
If sy-subrc eq 0. "Authorization exists
Endif.
http://articles.techrepublic.com.com/5100-6329_11-5110893.html
Edited by: JackandJay on Jan 16, 2008 10:21 AM -
How to create Authority check object
Hello Gurus,
How to create Authority-check object 'ZABC'
ID 'TABLE' FIELD 'ZTABLE'.
Please tell me detailed procedure.
Thanks in advance.
Best Regards,
zuberaDear Zubera,
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
To create a authorization field:
1. Choose Create authorization field.
2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
4. If desired, enter a check table for the possible entries. For more information about check tables.
For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
Assigning an Authorization Object to an Object Class
Each authorization object must be assigned to an object class when it is created.
Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
You can also create authorization objects in the Object Navigator (SE80).
Creating / Choosing Object Classes
The system displays a list of existing object classes.
Object classes are organized according to the components of the system.
Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
Creating an Object
Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
You can regenerate the profile SAP_ALL after creating an authorization object.
Best Regards,
Rajesh
Please reward points if found helpful. -
About authority-check object 'M_MATE_WGR'
hi all
I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = 03 (display) and BEGRU = the material group. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and dont save the current material group in the internal table.
After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
Thank you in advance .
NickYou are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
Hope that helps. -
How to debug a authority check in program and a authorisation object in tco
Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .flow cannot be seen, we have to be based on sy-subrc only...
you cannot see the flow in read table... describe table... transfer...
the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0. -
Securing action box items with authority-check object
In a 4.6c environment I have setup action box items for various sm and QM notifications.
I would like to secure some of the action box items that their execution is only allowed by authorized personnel using authority-check objects.
Is there a way to secure the action box item by the item number? If not the action box items are using a function module. Maybe I could use the fm name in the authority-check.
Any ideas would be greatly appreciated.Hi,
just see these examples
SAPTLIST_TREE_CONTROL_DEMO_HDR
SAPTLIST_TREE_CONTROL_DEMO
SAPTLIST_TREE_MODEL_DEMO
and for getting a checkbox we have to repalce the icon what is there in the example program and handle the checked and unchecked event for the checkbox.
this can be achieved by using object oriented methods...
reward if helpful
rgds,
Prajith
Prajith -
Reg:Authority Check object
Dear All,
I am calling two authority check object M_MATE_MAR and M_MSEG_BMB in my report.
Now for a user if i see the Role the second object M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
M_MSEG_BMB sy-subrc = 4 as check is failng.
My requirement is the user should not see some movement types irrespective of the material ,
If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
so wht should be done in my case.
RegardsHi Rajendra,
When you hit F1 on the Authority-check,
If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
When sy-subrc = 40, An invalid user ID has been entered in user.
Hope it helps.
Sujay -
Hello Freinds,
If there is a field from custamize table for exa.(Zmara-werks )then can we use standard authority check object? or should we create custamize authority object.
Please guide me...........
Thanks,
AmarHi ,
To Find Authorization Object for a particular field, use TCode SU21. Click on Find button and enter the filed name to know the Authorization Object.
If suitable combination of required fields is not found in Authorization objects, new objects need to be created. Use TCode SU21 to create new authorization objects. Click on Create Button and enter new object class name and press save button.
Maybe you are looking for
-
The host is not authorized to connect to this Backup Server
Hi experts, I'm trying to connect to a remote backup server S2_BS running on VM2 from a data server S1 running on VM1. When I issued following command in isql 1> SYB_BACKUP...sp_who 2> go Msg 7221, Level 14, State 2: Server 'S1', Line 1: Login to sit
-
CURRENT_DATE in EclipseLink/JPA
When I use CURRENT_DATE in JPA queries for date comparisions, it seems to be taking time into consideration as well. So when I comapre a date with CURRENT_DATE, even though the date I am comparing is today's date, the results state that CURRENT_DATE
-
Unlocking a iphone bought in UK to use with local service provider
I bought an iphone 4 when I was a student in London in 2011. When my semester was finished, I moved back to my home in Colombia and would like to use it with my provider here. How would I be able to release the lock so I can continue to use my phon
-
Problem in Services PO: Urgent
Hi Experts, I have a big problem with the services PO. Issue is described as under. 1. One PO was created with Quantity of Services 28. (Price: 1000 INR) 2. The first SES was created for quantity of 4. 3. 2nd SES was created for the quantity 11. 4. I
-
Welcome page with out any password pop up
Hi All, I have one req. that we have to make one BSP page in page with flow logic. And that page should not ask for any user id and password. Can you please help me out? Thanks and regards, Kuldeep Verma