Authority check in ABAP program

Hello All
I am having some trouble with authority object in ABAP programming
This is the situation.
I have a field "plant" which is a select options in the selection screen.
I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is a single plant entry and the user is not authorised, or the user is not authorised for any of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z".
How can I incorporate this logic in the report?
This is the current coding:
AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'C_ROUT'
            ID 'ACTVT' FIELD '03'
            ID 'PLNTY' FIELD 'DUMMY'
            ID 'WERKS' FIELD s_werks
            ID 'STATU' FIELD 'DUMMY'
            ID 'VERWE' FIELD 'DUMMY'.
START-OF-SELECTION.
  SELECT a~matnr a~plnnr a~plnal a~werks a~plnty b~stlnr b~stlal
    INTO TABLE t_mapl
    FROM mapl AS a INNER JOIN mast AS b
      ON a~matnr = b~matnr
     AND a~werks = b~werks
   WHERE a~matnr IN s_matnr
     AND a~plnnr IN s_plnnr
     AND a~plnal IN s_plnal
     AND a~werks IN s_werks
     AND a~plnty IN s_plnty
     AND b~stlnr IN s_stlnr
     AND b~stlal IN s_stlal. "(ALT BOM)
Thanks
Ricky

Hi Ricky,
To check each individual plant in the selection, you cannot use s_plant in the authority check; here you need to give the value.
Code like this:
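DATA : BEGIN OF t_werks OCCURS 0,
         werks TYPE t001w-werks,
       END OF t_werks.
DATA : w_text(30) TYPE c.

AT SELECTION-SCREEN.
  IF NOT s_werks[] IS INITIAL.
    REFRESH t_werks.
    CLEAR w_text.
    " Resolve the selection into individual plants
    SELECT werks
      FROM t001w
      INTO TABLE t_werks
      WHERE werks IN s_werks.
    IF sy-subrc EQ 0.
      LOOP AT t_werks.
        " Object and fields as in the question; one plant value per check
        AUTHORITY-CHECK OBJECT 'C_ROUT'
                  ID 'ACTVT' FIELD '03'
                  ID 'PLNTY' DUMMY
                  ID 'WERKS' FIELD t_werks-werks
                  ID 'STATU' DUMMY
                  ID 'VERWE' DUMMY.
        IF sy-subrc EQ 0.
          " Authorised: drop it, so only unauthorised plants remain
          DELETE t_werks.
        ENDIF.
      ENDLOOP.
      IF NOT t_werks[] IS INITIAL.
        LOOP AT t_werks.
          CONCATENATE t_werks-werks
                      w_text
                 INTO w_text SEPARATED BY space.
        ENDLOOP.
        " exxx: replace xxx with the number of your own error message
        MESSAGE exxx WITH 'No authorisation for '
                          w_text.
      ENDIF.
    ENDIF.
  ENDIF.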
Thanks and Best Regards,
Vikas Bittera.
**Reward if useful**
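
The requirement in the question (report only the authorised plants, stop only when none of the entered plants is authorised) can be met by collecting the authorised plants into a range and using that range in the report's SELECT. The following is an added example, not code from either poster; the report name, the variable names and the use of generic message 398 of class 00 are assumptions.

```abap
REPORT z_plant_auth_demo.                 " hypothetical report name

DATA: gv_plant      TYPE t001w-werks,
      gt_plants     TYPE STANDARD TABLE OF t001w-werks,
      gr_auth       TYPE RANGE OF t001w-werks,   " authorised plants only
      gs_auth       LIKE LINE OF gr_auth,
      gv_denied(50) TYPE c.               " message variables hold 50 chars

SELECT-OPTIONS s_werks FOR gv_plant.

AT SELECTION-SCREEN.
  CLEAR: gt_plants, gr_auth, gv_denied.

  " AUTHORITY-CHECK tests one value at a time, so resolve the selection
  " (intervals, patterns, exclusions, or empty = all plants) into
  " concrete plant keys first.
  SELECT werks FROM t001w INTO TABLE gt_plants WHERE werks IN s_werks.

  LOOP AT gt_plants INTO gv_plant.
    " DUMMY skips a field; FIELD 'DUMMY' would test the literal value.
    AUTHORITY-CHECK OBJECT 'C_ROUT'
              ID 'ACTVT' FIELD '03'
              ID 'PLNTY' DUMMY
              ID 'WERKS' FIELD gv_plant
              ID 'STATU' DUMMY
              ID 'VERWE' DUMMY.
    IF sy-subrc = 0.
      gs_auth-sign   = 'I'.
      gs_auth-option = 'EQ'.
      gs_auth-low    = gv_plant.
      APPEND gs_auth TO gr_auth.
    ELSE.
      CONCATENATE gv_denied gv_plant INTO gv_denied SEPARATED BY space.
    ENDIF.
  ENDLOOP.

  " Stop only when nothing is authorised. An empty range in WHERE ... IN
  " matches every row, so gr_auth must never reach the SELECT empty.
  IF gr_auth IS INITIAL.
    MESSAGE e398(00) WITH 'No authority to display plants' gv_denied.
  ENDIF.

START-OF-SELECTION.
  IF gv_denied IS NOT INITIAL.
    " Partly authorised: report continues, skipped plants are shown.
    MESSAGE s398(00) WITH 'Skipped unauthorised plants' gv_denied.
  ENDIF.
  " In the report's SELECT, filter on the authorised range instead of
  " the raw user input:  ... AND a~werks IN gr_auth ...
```

Because the data selection uses gr_auth rather than s_werks, a plant the user typed but is not authorised for can never reach the output list.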

Similar Messages

  • Authentication or Security Checks for ABAP programs

    Dear experts,
         Please tell me where do we give the authentication or security checks to our ABAP programs and how do we do that. ( Do not allow all to execute our developed programs).
    Regards,
    Maanasa

    If you know the authorization group u can use the following ways.
    1. In the Attributes u can specify the authorization group name
    2. AT SELECTION-SCREEN.
         AUTHORITY-CHECK OBJECT 'Z_TABU_DIS'
                   ID 'ACTVT'     FIELD '03'
                   ID 'CUSTTYPE'  FIELD v_class
                   ID 'TABLENAME' FIELD p_dbtble.
         CASE sy-subrc.
           WHEN 0.
           WHEN OTHERS.
             " Error message
             MESSAGE i419(mo).
             STOP.
         ENDCASE.

  • How to use the AUTHORITY-CHECK in ABAP

    I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
    Thanks

    Hi Greg,
      Basically an AUTHORITY-CHECK is a programmatic way to check an auth object a user has.  This is only as good as the person writing the code makes it.
    Here is a basic example of how it could work.  Let's say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
    In the code the programmer would have to first do the auth check to see what CC the user has access to.  Then they would have to limit his reporting based on the results of the authority check.  So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
    This is what I think you are looking for.  There are other ways to use the auth check.  You can do a check and end the program with a message if they don't have authorization. 
    If you need more info, let me know
    John

  • Authority-Check in ABAP Query

    Hello,
            I have a requirement to add authority check on two fields "Sales Organization" & "Plant" in a ABAP Query.
    Please let me know how can I do it?
    Will I be required to add some "Authority-check" code in sq02 or is there any button/checkbox available to do the same.
    Please let me know.
    Thanks in advance.
    Best regards,
    Tejas Savla

    Hi Ronak,
    Check this thread, this might help you.
    Authorisation on field
    Regards,
    Chandra Sekhar

  • How to check if ABAP program is running in another instance?

    Hey Guys,
    I need to ensure that a given ABAP program is only running in one instance.
    Here is what I tried so far:
    1) FM TH_WPINFO
    The problem with this is that the Z (custom) program calls lot of SAP function modules and when inside those, the WP_REPORT field of WPLIST table has something else and not the Z program name.
    2) FM ENQUEUE_ESINDX
    When I used the code below the following happened:
    -The First instance runs fine
    -The Second instance fails in the locking and exits the way it is supposed to but then
    -If I run the program the Third time, it runs with a successful lock - probably because after the second instance the lock was cleared???
    CALL FUNCTION 'ENQUEUE_ESINDX'
        EXPORTING
         MODE_INDX            = 'E'
         MANDT                = SY-MANDT
         RELID                = 'ZZ'
         SRTFD                = PROGRAM
    *     SRTF2                =
    *     X_RELID              = ' '
    *     X_SRTFD              = ' '
    *     X_SRTF2              = ' '
    *     _SCOPE               = '2'
    *     _WAIT                = ' '
    *     _COLLECT             = ' '
        EXCEPTIONS
          FOREIGN_LOCK         = 1
          SYSTEM_FAILURE       = 2
          OTHERS               = 3.
    Any other idea, how I could accomplish this?
    Thanks a lot,
    Viktor

    -----> Include this perform in Initalization or in Start-of-Selection screen event.
    *&      Form  LOCK_CURRENT_INSTANCE
    * Perform to lock the current instance of the
    * program, so that only one
    * instance can be runned at a given time.
    FORM lock_current_instance .
    *---FM to lock the current instance of the program
        CALL FUNCTION 'ENQUEUE_E_TRDIR'
          EXPORTING
            mode_trdir     = abap_true
            name           = sy-repid
          EXCEPTIONS
            foreign_lock   = 1
            system_failure = 2
            OTHERS         = 3.
        IF sy-subrc <> 0.
          IF sy-batch = abap_true.
            MESSAGE e016 WITH 'Already one Instance of the Program is Running'.
          ELSE.
            MESSAGE s016 WITH 'Already one Instance of the Program is Running' DISPLAY LIKE 'E' .
            LEAVE LIST-PROCESSING.
          ENDIF.
        ENDIF.
    ENDFORM.                    " LOCK_CURRENT_INSTANCE
    ---->and include this perform as a last perform in End-of-Selection screen event.
    *&      Form  UNLOCK_CURRENT_INSTANCE
    * This perform is used to unlock the instance of the
    * running program
    FORM unlock_current_instance .
    *---FM to release the lock on the running program
      CALL FUNCTION 'DEQUEUE_E_TRDIR'
        EXPORTING
          mode_trdir = abap_true
          name       = sy-repid.
    ENDFORM.                    " UNLOCK_CURRENT_INSTANCE

  • Is it possible to bypass authority check in standard program?

    Dear gurus,
    I met a problem. I am trying to build a custom program, which will call a SAP standard function module, but the problem is:
    in the standard function module, there is a check against authorization object p_tcode. I don't want to give the user this authorization in PFCG, so I want to bypass this check in the standard module. Is that possible?
    I mean, in my program, before calling the SAP FM, do something to trick the system that the current user has the required authorization, and after executing the FM, restore everything.
    Is that possible?
    thanks and best regards.
    netz

    Hi,
    What is the problem with giving them maintain authority for the transaction code that is being checked against ?
    Surely your program is allowing them to do the same functionality as the standard transaction or is there a lot more functional stuff you don't want them to have ?
    If it is an ESS function you are developing then surely they are accessing SAP via the portal and therefore cannot login to SAP directly and run the transaction anyway .....
    Kind regards
    Colin

  • Authorization checking in ABAP program

    I have a customed report which shows sales order information, with sales order no., sales. org, distribution channel, division and some others as selection criteria.
    How I can limit a user that can view only 1 or 2 specific sales. org. (according to his/her authorization profile) even though he/she hasn't input anything in the sales org. field during selection?
    Thanks!

    Hi Gundam
       If the user doesnt input any sales organization then
    you can get the list of sales organizations defined from
    table TVKO and then check for the authorization using each entry. Prepare a range for all sales organizations
    whereby later you can use in extraction process.
       Other better way is to make the parameter/select-option
    mandatory so the user has to enter the sales organization.
      Hope the above info helps you.
    Kind Regards
    Eswar

  • Help in abap program

    Hello, I have a table itab with values (e.g. error values) and I want to select some values from tables (defined below) and put them in table err_itab. My problem is in the loop: I don't know how to continue from there. I think with append to internal tables and after that do a read to err_itab, but I'm not sure. This is my program. Any suggestions? Thanks for your time and suggestions.
    FORM write_2_file .
      IF file_ser IS INITIAL.
        " Front-end upload when no server file is given
        CALL FUNCTION 'WS_UPLOAD'
          EXPORTING
            CODEPAGE                = ' '
            filename                = l_name
            FILETYPE                = 'ASC'
            HEADLEN                 = ' '
            LINE_EXIT               = ' '
            TRUNCLEN                = ' '
            USER_FORM               = ' '
            USER_PROG               = ' '
            DAT_D_FORMAT            = ' '
    *     IMPORTING
    *       FILELENGTH              =
          TABLES
            data_tab                = itab
          EXCEPTIONS
            conversion_error        = 1
            file_open_error         = 2
            file_read_error         = 3
            invalid_type            = 4
            no_batch                = 5
            unknown_error           = 6
            invalid_table_width     = 7
            gui_refuse_filetransfer = 8
            customer_error          = 9
            no_authority            = 10
            OTHERS                  = 11.
        IF sy-subrc <> 0.
          MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                  WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
      ELSE.
        " Otherwise read the file from the application server
        OPEN DATASET file_ser IN TEXT MODE
                     ENCODING DEFAULT FOR INPUT.
        IF sy-subrc NE 0.
          MESSAGE e002(yhr) .
        ENDIF.
        DO.
          READ DATASET file_ser INTO wa_itab.
          IF sy-subrc NE 0.
            EXIT.
          ENDIF.
          APPEND wa_itab TO itab.
        ENDDO.
      ENDIF.
    ENDFORM. " write_2_file
    FORM get_data .
      CLEAR wa_itab.
      LOOP AT itab INTO wa_itab.
        IF wa_itab-action = 'y1'
        OR wa_itab-action = 'y2'
        OR wa_itab-action = 'y3'.
          SELECT SINGLE ansvh
            FROM t542a
            INTO wa_b_itab-ansvh
            WHERE molga = 'IL'
              AND ansvh = wa_itab-contract.
          IF sy-subrc <> 0.
            APPEND wa_b_itab TO b_itab.
            SELECT SINGLE werks btrtl
              FROM t001p
              INTO (wa_c_itab-werks, wa_c_itab-btrtl)
              WHERE molga = 'IL'
                AND werks = wa_itab-personnel_area
                AND btrtl = wa_itab-personnel_subarea.
            IF sy-subrc <> 0.
              APPEND wa_c_itab TO c_itab.
              SELECT SINGLE objid
                FROM hrp1000
                INTO wa_d_itab-objid
                WHERE otype = 'S'
                  AND objid = wa_itab-plans
                  AND begda <= currnt_date
                  AND endda >= currnt_date.
              APPEND wa_d_itab TO d_itab.
            ENDIF.
          ENDIF.
        ENDIF.
      ENDLOOP.
    ENDFORM. " get_data


  • Question on security in ABAP program with ITS. Please help!

    Hi Experts,
            I have a question on security in ABAP program.
    I have a ABAP program which has a transaction attached.
    I have added authorization check in ABAP program (Program level security).
    I have also attached the authorization object to the transaction. (Transaction level security)
    If an end user runs the transaction, then which authorization check will fire first? Will it be transaction level?
    If I have web enabled my ABAP program via SICF (in other words, ITS). Then when I try to run my ITS service in the browser will the transaction level authorization fire? Or will the program level authorization fire?
    Please help me understand this security aspect.
    Thanks
    Gopal

    "I have added authorization check in ABAP program (Program level security)."
    I assume you have coded call authority within the program.
    "If an end user runs the transaction, then which authorization check will fire first?"
    If he calls the transaction, then first the authorization attached to the transaction will be checked.
    But if he executes the program attached to the transaction, then the authorization attached to the transaction doesn't help here; the one coded inside the program is checked.
    "If I have web enabled my ABAP program via SICF (in other words, ITS)."
    It depends.
    If you are calling your transaction like
    webgui/?~transaction=<tcode> then first tcode level authorization.
    If you generate the templates for the program and are calling the same, then I guess it's program level. (I need to check this)
    Regards
    Raja

  • Is there any BAPI or FM to authorization object to user in ABAP program??

    Hi guys.
               My requirement is to assign an authorization object to a user in an ABAP program. Is there any FM or BAPI to do this?

    Hai  ,
    In order to do the authority check in the program ,   in your report at selection-screen event   you need to check for the corresponding authority output .
    example :
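    AT SELECTION-SCREEN ON p_carrid.
      IF p_carrid IS INITIAL.
        MESSAGE 'Please enter a value' TYPE 'E'.
      ENDIF.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                          ID 'CARRID' FIELD p_carrid
                          ID 'ACTVT'  FIELD '03'.
      " The check only sets sy-subrc; the program must react to it
      IF sy-subrc <> 0.
        MESSAGE 'No authorization' TYPE 'E'.
      ENDIF.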
    Regards,
    K.VinayKumar

  • RE: Authority checks included in the info set of the query

    Hi all,
    I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
    how to find the Authority checks included in the info set of the query.
    Thanks in advance,
    Sun.

    If you have the BI support roles assigned to you  and the security admin  roles please login to the BI system
    execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
    For variables in authorizations like ( type customer exit )
    use RSECADMIN - maintain authorization tab - Click on value authorization tab.
    Keytransaction is RSECADMIN  & infoobject maintenance details you can get from RSD1.
    Regards

  • Hi   authority check  in prog

    hi
    could anyone tell me how to use authority check in report program.
    please provide me with code in report only.
    thanx
    rocky robo

    PARAMETERS: P_BUKRS LIKE T001-BUKRS.
    SELECT-OPTIONS:
                    S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY.
    AT SELECTION-SCREEN.
      " Company code entered as a single parameter
      AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
          ID 'BUKRS' FIELD P_BUKRS
          ID 'ACTVT' FIELD '03'.
      if sy-subrc <> 0.
        message e001(ZAUT) with P_BUKRS.
      endif.
      " Check the low and, where filled, the high value of each selection row
      loop at S_VKBUR.
        AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
            ID 'VKBUR' FIELD S_VKBUR-LOW
            ID 'ACTVT' FIELD '03'.
        if sy-subrc <> 0.
          message e001(ZAUT) with S_VKBUR-low.
        endif.
        if S_VKBUR-high <> space.
          AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
              ID 'VKBUR' FIELD S_VKBUR-HIGH
              ID 'ACTVT' FIELD '03'.
          if sy-subrc <> 0.
            message e001(ZAUT) with S_VKBUR-high.
          endif.
        endif.
      endloop.

  • ABAP Program Warning

    Hi Experts,
    I got the below error when checking an ABAP program, which was generated in maintaining a datasource with RSA6.
    Description:
    Type Group RSFH
    In Unicode programs, the "-" character canot appear in names, as it does here in the name "RSFH_C_TFMETHODE-TEST".
    Any input will be very appreciated.
    Thanks,
    Bill

    Hi
    It should be Warning Message, not an error i think.. Which Version of SAP you are working...
    Still you can Execute the Program, as if its only Warning..
    You can see that in the Attributes of the Program..
    If it has a Program name , then goto SE38 -> give program name -> select Attributes Radio button.-> display....
    You can see that is unicode enabled or not....
    [removed by moderator]
    Edited by: Jan Stallkamp on Jul 9, 2008 8:27 AM

  • User role and Authority-check ?

    Hello,
    Could you please let me know what the differences are between User role and Authority-check? In a program I do not use Authority-check, and the user is not assigned to a user role which contains this transaction (for this program). Can the user execute this transaction, or must he be assigned to a user role which contains this transaction to execute it? Supposing that we do not use any Authority-check in the program.
    Thanks in advance

    Hello Martin,
    I think this answers the OP's question about the user not being assigned the role which contains the trxn code. As you have explained, in this case the default auth. check for S_TCODE will fail & the user cannot execute the trxn. (If I remember correctly the tables for this are AGR_USERS & AGR_TCODES)
    Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
    @OP:
    The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
    BR,
    Suhas

  • Delete Abap program via change request

    Hi,
        We deleted some ABAP report source code via tcode (SE38) in the development system. The system asked to insert the delete action into a change request. I have added it to the change request. The ABAP source code has been deleted in the development system. We transported the change request to our QA and PRD systems. The deleted ABAP program source code still exists in the QA and PRD systems. We want to delete the ABAP source code in the QA and PRD systems. Could you please advise how to delete it? Thanks.
    Best Regards
    Park Han

    This is my process for deleting the ABAP program. Please help check whether it is correct or not. And how do I delete the ABAP program source code in the QA and PRD systems? Please advise.
    1. Access Tcode (SE38)
    2. Input the program to delete, click the Delete button.
    3. The system asks to generate a change request. I have created the change request.
    4. Release and transport the change request to the QA and PRD systems.
    5. The ABAP program has been deleted in development. I can't find it via Tcode (SE38).
    6. We checked the ABAP program in the QA and PRD systems. It still exists.
    Best Regards
    Park Han
