Authority check in ABAP program
Hello All
I am having some trouble with authority object in ABAP programming
This is the situation.
I have a field "plant" which is a select options in the selection screen.
I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
How can I incorporate this logic in the report.
This the current coding
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'C_ROUT'
ID 'ACTVT' FIELD '03'
ID 'PLNTY' FIELD 'DUMMY'
ID 'WERKS' FIELD s_werks
ID 'STATU' FIELD 'DUMMY'
ID 'VERWE' FIELD 'DUMMY'.
START-OF-SELECTION.
SELECT amatnr aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
ON amatnr = bmatnr
AND awerks = bwerks
WHERE a~matnr IN s_matnr
AND a~plnnr IN s_plnnr
AND a~plnal IN s_plnal
AND a~werks IN s_werks
AND a~plnty IN s_plnty
AND b~stlnr IN s_stlnr
AND b~stlal IN s_stlal. "(ALT BOM)
Thanks
Ricky
Hi Ricky,
to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
Code like this:
DATA : BEGIN of t_werks OCCURS 0,
werks TYPE t001w-werks,
END OF t_werks.
DATA : w_text(30) TYPE c.
AT SELECTION-SCREEN.
IF NOT s_werks[] IS INITIAL.
REFRESH t_werks.
SELECT werks
FROM t001w
INTO TABLE t_werks
WHERE werks IN s_werks.
IF sy-subrc EQ 0.
LOOP AT t_werks.
AUTHORITY CHECK...
ID 'WERKS' FIELD t_werks-werks.
IF sy-subrc EQ 0.
DELETE t_werks.
ENDIF.
ENDLOOP.
IF NOT t_werks[] IS INITIAL.
LOOP AT t_werks.
CONCATENATE t_werks-werks
w_text
INTO w_text.
ENDLOOP.
MESSAGE exxx WITH 'No authorisation for '
w_text.
ENDIF.
ENDIF.
ENDIF.
Thanks and Best Regards,
Vikas Bittera.
**Reward if useful**
Similar Messages
-
Authentication or Security Checks for ABAP programs
Dear experts,
Please tell me where do we give the authentication or security checks to our ABAP programs and how do we do that. ( Do not allow all to execute our developed programs).
Regards,
MaanasaIf you know the authorization group u can use the following ways.
1. In the Attributes u can specify the authorization gourp name
2. AT SELECTION-SCREEN
AUTHORITY-CHECK OBJECT 'Z_TABU_DIS'
ID 'ACTVT' FIELD '03'
ID 'CUSTTYPE' FIELD v_class
ID 'TABLENAME' FIELD p_dbtble.
CASE SY-SUBRC.
WHEN 0.
WHEN OTHERS.
Error message
message I419(MO).
STOP.
ENDCASE. -
How to use the AUTHORITY-CHECK in ABAP
I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
ThanksHi Greg,
Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has. This is only as good as the person writing the code makes is.
Here is a basic example of how it could work. Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
In the code the programmer would have to first do the authcheck to see what CC the user has access to. Then they would have to limit his reporting based on the results of the authority check. So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
This is what I think you are looking for. There are other ways to use the auth check. You can do a check and end the program with a message if they don't have authorization.
If you need more info, let me know
John -
Hello,
I have a requirement to add authority check on two fields "Sales Organization" & "Plant" in a ABAP Query.
Please let me know how can I do it?
Will I be required to add some "Authority-check" code in sq02 or is there any button/checkbox available to do the same.
Please let me know.
Thanks in advance.
Best regards,
Tejas SavlaHi Ronak,
Check this thread, this might help you.
Authorisation on field
Regards,
Chandra Sekhar -
How to check if ABAP program is running in another instance?
Hey Guys,
I need to ensure that a given ABAP program is only running in one instance.
Here is what I tried so far:
1) FM TH_WPINFO
The problem with this is that the Z (custom) program calls lot of SAP function modules and when inside those, the WP_REPORT field of WPLIST table has something else and not the Z program name.
2) FM ENQUEUE_ESINDX
When I used the code below the following happened:
-The First instance runs fine
-The Second instance fails in the locking and exits the way it is supposed to but then
-If I run the program the Third time, it runs with a succesful lock - probably because the after second instance the lock was cleared???
CALL FUNCTION 'ENQUEUE_ESINDX'
EXPORTING
MODE_INDX = 'E'
MANDT = SY-MANDT
RELID = 'ZZ'
SRTFD = PROGRAM
* SRTF2 =
* X_RELID = ' '
* X_SRTFD = ' '
* X_SRTF2 = ' '
* _SCOPE = '2'
* _WAIT = ' '
* _COLLECT = ' '
EXCEPTIONS
FOREIGN_LOCK = 1
SYSTEM_FAILURE = 2
OTHERS = 3.
Any other idea, how I could accomplish this?
Thanks a lot,
Viktor-----> Include this perform in Initalization or in Start-of-Selection screen event.
*& Form LOCK_CURRENT_INSTANCE
* Perform to lock the current instance of the
* program, so that only one
* instance can be runned at a given time.
FORM lock_current_instance .
*---FM to lock the current instance of the program
CALL FUNCTION 'ENQUEUE_E_TRDIR'
EXPORTING
mode_trdir = abap_true
name = sy-repid
EXCEPTIONS
foreign_lock = 1
system_failure = 2
OTHERS = 3.
IF sy-subrc <> 0.
IF sy-batch = abap_true.
MESSAGE e016 WITH 'Already one Instance of the Program is Running'.
ELSE.
MESSAGE s016 WITH 'Already one Instance of the Program is Running' DISPLAY LIKE 'E' .
LEAVE LIST-PROCESSING.
ENDIF.
ENDIF.
ENDFORM. " LOCK_CURRENT_INSTANCE
---->and include this perform as a last perform in End-of-Selection screen event.
*& Form UNLOCK_CURRENT_INSTANCE
* This perform is used to unlock the instance of the
* running program
FORM unlock_current_instance .
*---FM to release the lock on the running program
CALL FUNCTION 'DEQUEUE_E_TRDIR'
EXPORTING
mode_trdir = abap_true
name = sy-repid.
ENDFORM. " UNLOCK_CURRENT_INSTANCE -
Is it possible to bypass authority check in standard program?
Dear gurus,
I met a problem, i am trying to build a costom program, which will call a sap standard function module, but the problem is:
in the standard function module , there is a check against authorization object p_tcode, i dont want to give user this authorization in pfcg, so i want to bypass this check in the standard module , is that possible?
I mean, in my program , before calling the sap fm, do something to trick the system that the curent user have the required authorization, after execute the fm , restore everything.
is that possisible?
thanks and best regards.
netzHi,
What is the problem with giving them maintain authority for the transaction code that is being checked against ?
Surely your program is allowing them to do the same functionality as the standard transaction or is there a lot more functional stuff you don't want them to have ?
If it is an ESS function you are developing then surely they are accessing SAP via the portal and therefore cannot login to SAP directly and run the transaction anyway .....
Kind regards
Colin -
Authorization checking in ABAP program
I have a customed report which shows sales order information, with sales order no., sales. org, distribution channel, division and some others as selection criteria.
How I can limit a user that can view only 1 or 2 specific sales. org. (according to his/her authorization profile) even though he/she hasn't input anything in the sales org. field during selection?
Thanks!Hi Gundam
If the user doesnt input any sales organization then
you can get the list of sales organizations defined from
table TVKO and then check for the authorization using each entry. Prepare a range for all sales organizations
whereby later you can use in extraction process.
Other better way is to make the parameter/select-option
mandatory so the user has to enter the sales organization.
Hope the above info helps you.
Kind Regards
Eswar -
hellow i have a table itab with value (ex. error value) and i wont to select some value from tables ( defined below.) and put it in table err_itab my problem is in the loop i dont now how to continued from their i thihk with append to intrernal tables and after to do read to err_itab, but im not sure this is my program any suggestion. thankes for your time and suggestion.
form write_2_file .
IF file_ser IS INITIAL.
CALL FUNCTION 'WS_UPLOAD'
EXPORTING
CODEPAGE = ' '
filename = l_name
FILETYPE = 'ASC'
HEADLEN = ' '
LINE_EXIT = ' '
TRUNCLEN = ' '
USER_FORM = ' '
USER_PROG = ' '
DAT_D_FORMAT = ' '
IMPORTING
FILELENGTH =
TABLES
data_tab = itab
EXCEPTIONS
conversion_error = 1
file_open_error = 2
file_read_error = 3
invalid_type = 4
no_batch = 5
unknown_error = 6
invalid_table_width = 7
gui_refuse_filetransfer = 8
customer_error = 9
no_authority = 10
OTHERS = 11
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ELSE.
OPEN DATASET file_ser IN TEXT MODE
ENCODING DEFAULT FOR INPUT.
IF sy-subrc NE 0.
MESSAGE e002(yhr) .
ENDIF.
DO.
READ DATASET file_ser INTO wa_itab.
IF sy-subrc NE 0.
EXIT.
ENDIF.
APPEND wa_itab TO itab.
ENDDO.
ENDIF.
endform. " write_2_file
FORM get_data .
CLEAR wa_itab.
LOOP AT itab INTO wa_itab.
IF wa_itab-action = 'y1'
OR wa_itab-action = 'y2'
OR wa_itab-action = 'y3'.
SELECT SINGLE ansvh
FROM t542a
INTO wa_b_itab-ansvh
WHERE molga ='IL'
AND ansvh = wa_itab-contract.
IF sy-subrc <> 0.
APPEND wa_b_itab TO b_itab.
SELECT SINGLE werks btrtl
FROM t001p
INTO (wa_c_itab-werks, wa_c_itab-btrtl)
WHERE molga ='IL'
AND werks = wa_itab-personnel_area
AND btrtl = wa_itab-personnel_subarea.
IF sy-subrc <> 0.
APPEND wa_c_itab TO c_itab.
SELECT SINGLE objid
FROM hrp1000
INTO wa_d_itab-objid
WHERE otype = 'S'
AND objid = wa_itab-plans
AND begda <= currnt_date
AND endda >= currnt_date.
APPEND wa_d_itab TO d_itab.
ENDIF.
ENDIF.
ENDIF.
ENDLOOP.<i>I have added authorization check in ABAP program(Progran level security).</i>
i assume you have coded call authority within the program.
<i>If an end user runs the transactionm, then which authorization check will fire first?</i>
if he calls the transaction, then first authorization attached to the transaction will be checked.
but if he executes the program attached to the transaction, then the authorization attached to the transaction dosent help here, the one coded in side the program is checked.
<i>If I have web enabled my ABAP program via SICF (in other words, ITS).</i>
it depends,
if you are calling your transaction like
webgui/?~transaction=<tcode> then first tcode level authorization.
if you generate the templates for the program and callign the same, then i guess its progam level. (i need to check this)
Regards
Raja -
Question on security in ABAP program with ITS. Please help!
Hi Experts,
I have a question on security in ABAP program.
I have a ABAP program which has a transaction attached.
I have added authorization check in ABAP program(Progran level security).
I have also attached the authorization object to the transaction.(Transaction level security)
If an end user runs the transactionm, then which authorization check will fire first? Will it be transaction level?
If I have web enabled my ABAP program via SICF (in other words, ITS). Then when I try to run my ITS service in the browser will the transaction level authorization fire? or Will the program level authorization fire?
Please help me understand this security aspect.
Thanks
Gopal<i>I have added authorization check in ABAP program(Progran level security).</i>
i assume you have coded call authority within the program.
<i>If an end user runs the transactionm, then which authorization check will fire first?</i>
if he calls the transaction, then first authorization attached to the transaction will be checked.
but if he executes the program attached to the transaction, then the authorization attached to the transaction dosent help here, the one coded in side the program is checked.
<i>If I have web enabled my ABAP program via SICF (in other words, ITS).</i>
it depends,
if you are calling your transaction like
webgui/?~transaction=<tcode> then first tcode level authorization.
if you generate the templates for the program and callign the same, then i guess its progam level. (i need to check this)
Regards
Raja -
Is there any BAPI or FM to authorization object to user in ABAP program??
Hi guys.
My requirment is to assign authorization object to user in ABAP program,is there any FM OR Bapi to do this?Hai ,
In order to do the authority check in the program , in your report at selection-screen event you need to check for the corresponding authority output .
example :
T SELECTION-SCREEN ON p_carrid.
IF p_carrid IS INITIAL.
MESSAGE 'Please enter a value' TYPE 'E'.
ENDIF.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD p_carrid
ID 'ACTVT' FIELD '03'.
Regards,
K.VinayKumar -
RE: Authority checks included in the info set of the query
Hi all,
I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
how to find the Authority checks included in the info set of the query.
Thanks in advance,
Sun.If you have the BI support roles assigned to you and the security admin roles please login to the BI system
execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
For variables in authorizations like ( type customer exit )
use RSECADMIN - maintain authorization tab - Click on value authorization tab.
Keytransaction is RSECADMIN & infoobject maintenance details you can get from RSD1.
Regards -
hi
could anyone tell me how to use authority check in report program.
please provide me with code in report only.
thanx
rocky roboPARAMETERS: P_BUKRS LIKE T001-BUKRS.
SELECT-OPTIONS:
S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY,
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'BUKRS' FIELD P_BUKRS
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with P_BUKRS.
endif.
loop at S_VKBUR.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'VKBUR' FIELD S_VKBUR-LOW
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with S_VKBUR-low.
endif.
if S_VKBUR-high <> space.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'VKBUR' FIELD S_VKBUR-HIGH
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with S_VKBUR-high.
endif.
endif.
endloop. -
Hi Experts,
I got below error when checking an ABAP program, which was generated in maintaining datasouce with RSA6.
Description:
Type Group RSFH
In Unicode programs, the "-" character canot appear in names, as it does here in the name "RSFH_C_TFMETHODE-TEST".
Any input will be very appreciated.
Thanks,
BillHi
It should be Warning Message, not an error i think.. Which Version of SAP you are working...
Still you can Execute the Program, as if its only Warning..
You can see that in the Attributes of the Program..
If it has a Program name , then goto SE38 -> give program name -> select Attributes Radio button.-> display....
You can see that is unicode enabled or not....
\[removed by moderator\]
Edited by: Jan Stallkamp on Jul 9, 2008 8:27 AM -
User role and Authority-check ?
Hello,
Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
Thanks in advanceHello Martin,
I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
@OP:
The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
BR,
Suhas -
Delete Abap program via change reqeust
Hi,
We deleted some ABAP report source code via tcode(SE38) at development system. The system ask insert the delete action to one change request. I have added it to the change request. The ABAP source code have delete at development system. We transported the change request to our QA and PRD system. The deleted ABAP program source code is still exist in QA and PRD system. We want to delete the QA and PRD system ABAP source code. Could you pls advise how to delete it? Thanks.
Best Regards
Park HanMy delete ABAP program process, Pls help check it correct or not. And How to delete the QA and PRD system ABAP program source code? Pls advise.
1. Access Tcode(SE38)
2. Input the delete program, Click Delete button.
3. The system ask generate the change request. I have create the change request.
4. Release and transport the change request to QA and PRD system.
5. The development ABAP program has deleted. I can't find it via Tcode(SE38).
6. We checked the ABAP program at QA and PRD system. It is still exist.
Best Regards
Park Han
Maybe you are looking for
-
Question: why is sso rewriting the url from .../pls/apex/f?p=.. to .../plsapex/f?p=? Can anyone help? Thanks. Abstract: APEX 3.1.2.00.02 install with sso config, error "requested url ../plsapex/f .. was not found" Situation: Upgraded from Apex 3.0.0.
-
Why Can't I create a new folder in yahoo email? (I can if I use Internet Explorer)
I still use yahoo email a lot. I am also a big fan of firefox. But today I noticed a problem. I wanted to move an email to a new folder but I can't get yahoo to give me a prompt so that I can put in a folder name. Also I wanted to print an email an e
-
Apple mail asking for "update" of my credit card information. Could this be a fraud?
I received a mail from Apple, asking me to follow a link in order to update my information with Apple iTunes. The mail looks very original and trustworthy, however, I don't understand what "account" I'm supposed to give my information to, nor do I re
-
¿Is it possible to filter items in a list?
Hi all. I've created a custom list in authoring tool to the service request form. My question is : ¿ Is it possible to filter some items only for some users ? Tks. Regards.
-
I have updated both my macbook Pro and my 27inch iMac to Yosemite. When I get e mails there is no problem with my macbook pro but with my iMac for some reason I don't get some of the emails. I get the title of the email but I do not get the email con