Authority check in hr payroll infotype report
Hi all,
We have developed a report which gives infotypewise employee details.here we are checking authority for reading employee data.we are applying authority check at selection-screen and while reading the data from database tables.following is the sample code.
do .
if s_abkrs-high < s_abkrs-low.
authority-check object 'P_PCR'
id 'ABRKS' field s_abkrs-high
id 'ACTVT' field '01'
id 'ACTVT' field '02'.
if sy-subrc <> 0.
message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
endif.
exit.
endif.
authority-check object 'P_PCR'
id 'ABRKS' field s_abkrs-low
id 'ACTVT' field '01'
id 'ACTVT' field '02'.
if sy-subrc <> 0.
message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
endif.
s_abkrs-low = s_abkrs-low + 1.
enddo.
my senior says this code is right but it is not checking authority for all infotypes.can anyone suggest what changes are required in this code so that it will check authority for all infotypes.
Thanks in advance.
Regards,
Harshada
Hi ,
A select-option will have a structure with four fields (sign , option , low , high) .
So if you want to use your below code : you cannot check authority.
loop at s_abkrs.
authority-check object 'P_PCR'
id 'ABRKS' field s_abkrs <-- is an internal table
id 'ACTVT' field '01'
id 'ACTVT' field '02'.
if sy-subrc 0.
message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
endif.
endloop.
The other option is :
If your select option has values only in low ... then you can loop thru it ...
loop at s_abkrs.
authority-check object 'P_PCR'
id 'ABRKS' field s_abkrs-low
endloop.
Regards,
Srini.
Similar Messages
-
Check Writer & Payroll Activity report failing
Hi,
After upgrade from 10.2.0.3 to 11.2.0.2 database in R12.0.6 application, the Check Writer & Payroll Activity report is failing with following errors:
REP-0069: Internal error
REP-57054: In-process job terminated:Finished successfully but output is voided
R_6990_HRPROC_CHQ_SRW2_FAILED
APP-PAY-06990: Report Writer report failed with an error
Pl let me know if anyone has had similar issue?
thanksPlease see the suggested solutions in these docs.
Error Hr_6990_hrproc_chq_srw2_failed When Running Canadian Chequewriter [ID 1087796.1]
Checkwriter Fails With APP-PAY-06859, APP-PAY-06990,APP-FND-00500: AFPPRN and kgepop Errors in 11.5 [ID 227408.1]
Checkwriter Fails With Errors HR_6990_HRPROC_CHQ_SRW2_FAILED, APP-PAY-06990 [ID 263862.1]
Check Writer Fails with Error HR_6990_HRPROC_CHQ_SRW2_FAILED [ID 242563.1]
Error running the cheque writer process PAY-06990 HR_6990_HRPROC_CHQ_SRW2_FAILED [ID 402550.1]
Thanks,
Hussein -
Payroll Reconciliation Report - HR ABAP --- Urgent
Hi Guys,
I am having a doubt regarding a standard report very commonly used in HR Reporting in SAP.
How does it selects the Payroll Results from the cluster ? Based on which date ...?
Is it Check Date/Payment date or some other date ?
Actually I have a requirement where i need to fetch the amount for a wagetype.
In this I need to fetch the values of that wage type based on the check date, i.e. when the company has paid the amount to the person.
I have to fetch the amount of this wage type for all the payroll runs :
1 - Regular
2 - Retro.
3 - Offcycle.
I have used the Payroll Reconciliation Report and exporting the final total table which has all the results for the wage type selected on the selection screen for the person between a particular start date and end date.
But I want to be sure that this way I will get the accurate results.
If anyone has any idea or know any link to follow please help me out.Hi ,
sample code..
LOOP AT fp_i_final INTO l_wa_final.
FORM read_rgdir USING fp_v_pernr TYPE persno
CHANGING fp_i_rgdir TYPE ty_t_rgdir.
fp_i_errorlog TYPE ty_t_errorlog.
*-- Local Declaration
DATA: l_wa_errorlog TYPE ty_errorlog. " Errorlog Work Area
*----> FM for Read routines for cluster CD
CALL FUNCTION 'CU_READ_RGDIR'
EXPORTING
persnr = fp_v_pernr
TABLES
in_rgdir = fp_i_rgdir
EXCEPTIONS
no_record_found = 0
OTHERS = 0.
*---> Cluster Directory details for Payroll
*---> Results is initial for perticular employee then continue .
IF l_i_rgdir IS INITIAL.
CONTINUE.
ENDIF.
*----> Off-cycle dates
IF cb_ocy NE l_c_x.
ELSE.
*---> Off-cycle dates
IF s_bondt-low IS NOT INITIAL AND
s_bondt-high IS NOT INITIAL .
DELETE l_i_rgdir WHERE fpbeg LT s_bondt-low OR
fpend GT s_bondt-high.
ENDIF.
ENDIF.
*----> Check the ARRRES check box
IF cb_arr = l_c_x.
*---> Delete the cluster directory details from check date and check the low date.
IF NOT s_paydt-low IS INITIAL.
DELETE l_i_rgdir WHERE paydt LT s_paydt-low .
ENDIF.
*---> Delete the cluster directory details from check date and check the high and low dates.
IF NOT s_paydt-low IS INITIAL AND
NOT s_paydt-high IS INITIAL.
DELETE l_i_rgdir WHERE paydt LT s_paydt-low OR
paydt GT s_paydt-high .
ENDIF.
ENDIF.
*-- Get the Payroll details for all Personnel Numbers entered
*-- on Selection Screen
LOOP AT l_i_rgdir INTO l_wa_rgdir.
*---> Check for the flag
IF l_wa_rgdir-srtza NE l_c_p AND
l_wa_rgdir-srtza NE l_c_o .
*----> Sub-Routine to get the Payroll results into the
*----> Payroll RESULTS Table
*-- Local Declaration
DATA: l_wa_errorlog TYPE ty_errorlog. " Errorlog Work Area
*----> FM to get Payroll Results table
CALL FUNCTION 'PYXX_READ_PAYROLL_RESULT'
EXPORTING
employeenumber = fp_v_pernr
sequencenumber = fp_v_seqnr
read_only_international = c_x
CHANGING
payroll_result = fp_i_payresult
EXCEPTIONS
illegal_isocode_or_clusterid = 1
error_generating_import = 2
import_mismatch_error = 3
subpool_dir_full = 4
no_read_authority = 5
no_record_found = 6
versions_do_not_match = 7
error_reading_archive = 8
error_reading_relid = 9
OTHERS = 10.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4
INTO l_wa_errorlog-line.
*-- Populate Errorlog Int table
APPEND l_wa_errorlog TO fp_i_errorlog.
CLEAR l_wa_errorlog.
ENDIF.
*----> Check the check boxs are either ARRRS,Deductions are not taken and Off-cycle.
IF ( cb_arr = l_c_x AND cb_ded = l_c_x AND cb_ocy = l_c_x ) OR
( cb_arr = l_c_x AND cb_ocy = l_c_x ) OR ( cb_ded = l_c_x AND cb_ocy = l_c_x ).
*----> Check for the Normal Run, Retroactive run and off-cycle run.
*---> Check the Normal run in pc_payresult
IF ( l_wa_rgdir-fpper EQ l_wa_rgdir-inper AND
l_wa_rgdir-ocrsn IS INITIAL AND l_wa_rgdir-inocr IS INITIAL ) OR
*----> Check the Retroactive run pc_payresult
( ( l_wa_rgdir-fpper NE l_wa_rgdir-inper ) AND
( l_wa_rgdir-ocrsn IS INITIAL ) AND ( l_wa_rgdir-inocr IS INITIAL ) ) OR
*----> Check the Off-cycle run pc_payresult
( ( l_wa_rgdir-fpper NE l_wa_rgdir-inper ) AND
( l_wa_rgdir-ocrsn IS NOT INITIAL ) OR ( l_wa_rgdir-inocr IS NOT INITIAL ) ).
*---> Get the Amount for particular Wagetype based on Wagetype
*---> entered on selection screen
CLEAR l_wa_lgart.
LOOP AT fp_p_lgart INTO l_wa_lgart.
SORT fp_l_i_payresult-inter-rt BY lgart.
CLEAR l_wa_rt.
*---> Read the rt cluster results based on the wage type
LOOP AT fp_l_i_payresult-inter-rt INTO l_wa_rt WHERE lgart = l_wa_lgart-lgart.
l_wa_final-betrg = l_wa_rt-betrg.
l_wa_final-lgart = l_wa_lgart-lgart.
*---> Read the fp_i_vendor internal table based on wage type and
*---> append the lifnr and ernam value to final internal table.
SORT fp_i_vendor BY lgart.
CLEAR l_wa_vendor.
READ TABLE fp_i_vendor INTO l_wa_vendor WITH KEY lgart = l_wa_lgart-lgart BINARY SEARCH.
IF sy-subrc EQ 0.
l_wa_final-lifnr = l_wa_vendor-lifnr.
l_wa_final-crenr = l_wa_vendor-ernam.
ENDIF.
l_v_lifnr = l_wa_vendor-lifnr.
l_v_crenr = l_wa_vendor-ernam.
ENDIF.
l_wa_final-lifnr = l_v_lifnr.
l_wa_final-crenr = l_v_crenr.
CLEAR : l_v_crenr,l_v_lifnr.
APPEND l_wa_final TO i_final1.
*---> Modify the tax authority to final internal table .
SORT fp_l_i_payresult-nat-tcrt BY lgart.
CLEAR l_wa_tcrt.
*---> Read the tcrt cluster results based on the wage type and
*---> Get the tax id and tax authority from tcrt cluster.
READ TABLE fp_l_i_payresult-nat-tcrt INTO l_wa_tcrt
WITH KEY lgart = l_wa_final-lgart BINARY SEARCH.
IF sy-subrc = 0.
READ TABLE i_final1 INTO l_wa_final WITH KEY lgart = l_wa_tcrt-lgart."l_wa_final-lgart.
IF sy-subrc = 0.
l_wa_final-txcmp = l_wa_tcrt-txcmp.
l_wa_final-taxau = l_wa_tcrt-taxau.
MODIFY i_final1 FROM l_wa_final INDEX sy-tabix.
ENDIF.
ENDIF.
ENDLOOP.
*---Crt
SORT fp_l_i_payresult-inter-crt BY lgart.
CLEAR l_wa_crt.
*---> Read the crt cluster results based on the wage type
LOOP AT fp_l_i_payresult-inter-crt INTO l_wa_crt
WHERE lgart = l_wa_lgart-lgart.
l_wa_final-betrg = l_wa_crt-betrg.
l_wa_final-lgart = l_wa_lgart-lgart.
IF ( l_wa_crt-cumty = l_c_y ) OR ( l_wa_crt-cumty = l_c_k )
OR ( l_wa_crt-cumty = l_c_d ).
l_wa_final-ytd = l_wa_crt-betrg.
ELSEIF
( l_wa_crt-cumty = l_c_f ) OR ( l_wa_crt-cumty = l_c_m ).
l_wa_final-mtd = l_wa_crt-betrg.
ELSEIF
( l_wa_crt-cumty = l_c_h ) OR ( l_wa_crt-cumty = l_c_q ).
l_wa_final-qtd = l_wa_crt-betrg.
ENDIF.
SORT fp_i_vendor BY lgart.
CLEAR l_wa_vendor.
READ TABLE fp_i_vendor INTO l_wa_vendor WITH KEY lgart = l_wa_lgart-lgart BINARY SEARCH.
IF sy-subrc EQ 0.
l_wa_final-lifnr = l_wa_vendor-lifnr.
l_wa_final-crenr = l_wa_vendor-ernam.
ENDIF.
l_v_lifnr = l_wa_vendor-lifnr.
l_v_crenr = l_wa_vendor-ernam.
ENDIF.
l_wa_final-lifnr = l_v_lifnr.
l_wa_final-crenr = l_v_crenr.
CLEAR : l_v_crenr,l_v_lifnr.
APPEND l_wa_final TO i_final1 .
*---> Modify the tax authority to final internal table .
SORT fp_l_i_payresult-nat-tcrt BY lgart.
CLEAR l_wa_tcrt.
*---> Read the tcrt cluster results based on the wage type and
*---> Get the tax id and tax authority from tcrt cluster.
READ TABLE fp_l_i_payresult-nat-tcrt INTO l_wa_tcrt
WITH KEY lgart = l_wa_final-lgart BINARY SEARCH.
IF sy-subrc = 0.
READ TABLE i_final1 INTO l_wa_final WITH KEY lgart = l_wa_tcrt-lgart."l_wa_final-lgart.
IF sy-subrc = 0.
l_wa_final-txcmp = l_wa_tcrt-txcmp.
l_wa_final-taxau = l_wa_tcrt-taxau.
MODIFY i_final1 FROM l_wa_final INDEX sy-tabix.
ENDIF.
ENDIF.
CLEAR : l_wa_crt.
ENDLOOP.
*---DDNTK
SORT fp_l_i_payresult-inter-ddntk BY lgart.
CLEAR l_wa_ddntk.
*---> Read the ddntk cluster results based on the wage type
LOOP AT fp_l_i_payresult-inter-ddntk INTO l_wa_ddntk
WHERE lgart = l_wa_lgart-lgart .
l_wa_final-betrg = l_wa_ddntk-betrg.
l_wa_final-lgart = l_wa_lgart-lgart.
*---> Read the fp_i_vendor internal table based on wage type and
*---> append the lifnr and ernam value to final internal table.
SORT fp_i_vendor BY lgart.
READ TABLE fp_i_vendor INTO l_wa_vendor WITH KEY lgart = l_wa_lgart-lgart BINARY SEARCH.
IF sy-subrc EQ 0.
l_wa_final-lifnr = l_wa_vendor-lifnr.
l_wa_final-crenr = l_wa_vendor-ernam.
ENDIF.
l_v_lifnr = l_wa_vendor-lifnr.
l_v_crenr = l_wa_vendor-ernam.
ENDIF.
l_wa_final-lifnr = l_v_lifnr.
l_wa_final-crenr = l_v_crenr.
CLEAR : l_v_crenr,l_v_lifnr.
APPEND l_wa_final TO i_final1 .
**---> Modify the tax authority to final internal table .
SORT fp_l_i_payresult-nat-tcrt BY lgart.
CLEAR l_wa_tcrt.
*---> Read the tcrt cluster results based on the wage type and
*---> Get the tax id and tax authority from tcrt cluster.
READ TABLE fp_l_i_payresult-nat-tcrt INTO l_wa_tcrt
WITH KEY lgart = l_wa_final-lgart BINARY SEARCH.
IF sy-subrc = 0.
READ TABLE i_final1 INTO l_wa_final WITH KEY lgart = l_wa_tcrt-lgart."l_wa_final-lgart.
IF sy-subrc = 0.
l_wa_final-txcmp = l_wa_tcrt-txcmp.
l_wa_final-taxau = l_wa_tcrt-taxau.
MODIFY i_final1 FROM l_wa_final INDEX sy-tabix.
ENDIF.
ENDIF.
ENDLOOP.
*---ARRRS
SORT fp_l_i_payresult-inter-arrrs BY lgart.
CLEAR l_wa_arrrs.
*---> Read the arrrs cluster results based on the wage type
LOOP AT fp_l_i_payresult-inter-arrrs INTO l_wa_arrrs
WHERE lgart = l_wa_lgart-lgart .
l_wa_final-betrg = l_wa_arrrs-betrg.
l_wa_final-lgart = l_wa_lgart-lgart.
SORT fp_i_vendor BY lgart.
CLEAR l_wa_vendor.
READ TABLE fp_i_vendor INTO l_wa_vendor WITH KEY lgart = l_wa_lgart-lgart BINARY SEARCH.
IF sy-subrc EQ 0.
l_wa_final-lifnr = l_wa_vendor-lifnr.
l_wa_final-crenr = l_wa_vendor-ernam.
ENDIF.
l_v_lifnr = l_wa_vendor-lifnr.
l_v_crenr = l_wa_vendor-ernam.
ENDIF.
l_wa_final-lifnr = l_v_lifnr.
l_wa_final-crenr = l_v_crenr.
CLEAR : l_v_crenr,l_v_lifnr.
APPEND l_wa_final TO i_final1 .
**---> Modify the tax authority to final internal table .
SORT fp_l_i_payresult-nat-tcrt BY lgart.
CLEAR l_wa_tcrt.
*---> Read the tcrt cluster results based on the wage type and
*---> Get the tax id and tax authority from tcrt cluster.
READ TABLE fp_l_i_payresult-nat-tcrt INTO l_wa_tcrt
WITH KEY lgart = l_wa_final-lgart BINARY SEARCH.
IF sy-subrc = 0.
READ TABLE i_final1 INTO l_wa_final WITH KEY lgart = l_wa_tcrt-lgart."l_wa_final-lgart.
IF sy-subrc = 0.
l_wa_final-txcmp = l_wa_tcrt-txcmp.
l_wa_final-taxau = l_wa_tcrt-taxau.
MODIFY i_final1 FROM l_wa_final INDEX sy-tabix.
ENDIF.
ENDIF.
ENDLOOP.
ENDLOOP.
ENDIF.
ENDLOOP.
**---> Cluster Directory details for Payroll Results is initial
IF l_i_rgdir IS INITIAL.
MESSAGE i393 . " no record found for the selection criteria
LEAVE LIST-PROCESSING .
ENDIF.
*---> Final internal table details for Payroll Results is initial
IF i_final1 IS INITIAL.
MESSAGE i393 . " no record found for the selection criteria
LEAVE LIST-PROCESSING .
ENDIF.
If u have any further clarification i will send one sample program..
Navin.. -
Hi all,
I have a problem with authority check in a report.
I have to access to a field in an infotype and subtype.
I have all authorizations for this subtype and infotype.
I'm trying to retrieve this data from an employee, but this employee has informed another subtype in this infotype where I haven't permisions.
As in the source code there aren't access to this subtype where I haven't permisions, I found that the systems make it's authority check before the START-OF-SELECTION in class CL_HRPAD00AUTH_CHECK_STD, method IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION.
The system takes the employee number, gets all its informed infotypes and subtypes and perform the authority check for my user, so I can't access to this employee information.
I think this authority check is made by the use of PNP logical database.
Is there any way to avoid this authority check?
Regards,
Angel CepaHi Angel Cepa,
first of all: maybe you can use logical database PNPCE, because PNP is obsolet.
Anyway, please refer to the documentation of PNPCE (transaction SE36), that may solve your problem.
PNP/PNPCE knows two ways to check authority:
1. If no authorization exists for even one individual data record of one of the infotypes used, processing of the personnel numbers is terminated by default (switch "PNP_SW_SKIP_PERNR" = Y)
2. If you set this switch (at the INITIALIZATION or START-OF-SELECTION events) to N, no more personnel numbers (without authorization) are skipped. Only the data records for which no authorization exists are rejected (that is, not made available).
So, simply set the switch, mentioned above, to "N" and you will have access to this employee (except the infotype-records, you don't have authority for).
Regards
CHRIS -
HR PNP LDB and authority check
Hello All,
Can someone plzz tell me if there is any major difference between CODE1 and CODE2 below? I understand if we use LDB we dont need to do authority check but is there is any exceptional case where we do this kind of codeing...
CODE1:
Start-of-selection
GET pernr.
CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
EXPORTING
tclas = w_tclas
pernr = pernr-pernr
infty = '0001'
subty = space
begda = pn-begda
endda = pn-endda
level = w_level
EXCEPTIONS
no_authorization = 1
internal_error = 2
OTHERS = 3.
if not sy-subrc is initial.
reject.
endif.
PERFORM list_data.
END-OF-SELECTION.
CODE2:
Start-of-selection
GET pernr.
PERFORM list_data.
END-OF-SELECTION.
Thanks in advance...
-MuktarHi Muktar,
In my opinion, certain infotypes hold certain level of access by different user who is using that report to view HR information. Particularly sensitive infotype like 0008 (basic pay) and other pay involving infotypes can be use to check for authority before it is display or modify by users. So HR_CHECK_AUTHORITY_INFTY is used.
Get PERNR does not validate the authority because PERNR itself is just a structure that contains a few PA Keys and several of other infotype structure that doesn't tell the authority to read by any specific users. Get PERNR contains the PROVIDE macro and in it does not do any authorization, if i am not mistaken.
This is my understanding. I hope my explanation is correct and have help you in a way.
Thanks
William Wilstroth -
Plz tell me how to create authority check objects and how to usein prg
dear sir,
plz tell me how to create authority check objects and how to usein prghttp://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
Create custom authorization Customer specific object
If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
AUTHORITY CHECK OBJECT Object_name
ID fieldname1 FIELD fieldvalue1
ID fieldname2 FIELD fieldvalue2
ID fieldname3 FIELD fieldvalue3.
If sy-subrc eq 0. "Authorization exists
Endif.
http://articles.techrepublic.com.com/5100-6329_11-5110893.html
Edited by: JackandJay on Jan 16, 2008 10:21 AM -
Urgent(Authority-check)
HI Gurus..
I have used PNP L.database.
But i have used few select statements to read data from infotypes.
do i need to do authority check separately
or L database will take care of it.
Please provide me with the acurate answers.. as its an urgent issue..To create authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you can to create both object and class.
While defining the object you will have to provide what fields will be in this object. For example if i am creating a custom object to be used in SD based on customer and plant, i would include fields such as KUNNR and WERKS in my authority object. In addition to that if i also want to check for display/change/create access, i would also add a field called ACTVT (activity).
Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values like for display only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache )
You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values(say Actvt 03 customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0 means the authority check is OK, the user has the authorization.
I think this will give you an idea on how to proceed.
Cheers -
Hi all !!!
I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
For example :
DEPARTMENT AA1 --> check/uncheck OK
DEPARTMENT AA2 --> check/uncheck NOT OK
DEPARTMENT AA3 --> check/uncheck OK
... etc.
How can I do ? Create an new authorization object/field ?
PS : it's the first time I'm using AUTHORITY-CHECK..Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
Example ;
REPORT EXAMPLE MESSAGE-ID Z1.
TABLES: USR02.
PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
---- Authorization check -
AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
ELSE.
MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
ENDIF.
ENDIF.
IF LISTLOCK = 'X'.
WRITE:/ 'List all locked users: '.
SELECT * FROM USR02 WHERE UFLAG = 64.
WRITE: / USR02-BNAME.
ENDSELECT.
EXIT.
ENDIF.
IF LOCK = 'X'.
UFLAGVAL = 64. "lock all users
LOCKSTRING = 'locked'.
ELSE.
UFLAGVAL = 0. "unlock all users
LOCKSTRING = 'unlocked'.
ENDIF.
SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
CONTINUE.
ENDIF.
check that user has authority to make these changes
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
ID 'CLASS' FIELD USR02-CLASS
ID 'ACTVT' FIELD '05'.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
WRITE: /'You are not authorized to lock/unlock user ',
USR02-BNAME, USR02-CLASS.
ELSE.
WRITE: /'Authorization error checking user ',
USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
ENDIF.
ELSE. "has authority
UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
ENDIF. -
How to use the AUTHORITY-CHECK in ABAP
I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
ThanksHi Greg,
Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has. This is only as good as the person writing the code makes is.
Here is a basic example of how it could work. Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
In the code the programmer would have to first do the authcheck to see what CC the user has access to. Then they would have to limit his reporting based on the results of the authority check. So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
This is what I think you are looking for. There are other ways to use the auth check. You can do a check and end the program with a message if they don't have authorization.
If you need more info, let me know
John -
Authority check in ABAP program
Hello All
I am having some trouble with authority object in ABAP programming
This is the situation.
I have a field "plant" which is a select options in the selection screen.
I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
How can I incorporate this logic in the report.
This the current coding
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'C_ROUT'
ID 'ACTVT' FIELD '03'
ID 'PLNTY' FIELD 'DUMMY'
ID 'WERKS' FIELD s_werks
ID 'STATU' FIELD 'DUMMY'
ID 'VERWE' FIELD 'DUMMY'.
START-OF-SELECTION.
SELECT amatnr aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
ON amatnr = bmatnr
AND awerks = bwerks
WHERE a~matnr IN s_matnr
AND a~plnnr IN s_plnnr
AND a~plnal IN s_plnal
AND a~werks IN s_werks
AND a~plnty IN s_plnty
AND b~stlnr IN s_stlnr
AND b~stlal IN s_stlal. "(ALT BOM)
Thanks
RickyHi Ricky,
to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
Code like this:
DATA : BEGIN of t_werks OCCURS 0,
werks TYPE t001w-werks,
END OF t_werks.
DATA : w_text(30) TYPE c.
AT SELECTION-SCREEN.
IF NOT s_werks[] IS INITIAL.
REFRESH t_werks.
SELECT werks
FROM t001w
INTO TABLE t_werks
WHERE werks IN s_werks.
IF sy-subrc EQ 0.
LOOP AT t_werks.
AUTHORITY CHECK...
ID 'WERKS' FIELD t_werks-werks.
IF sy-subrc EQ 0.
DELETE t_werks.
ENDIF.
ENDLOOP.
IF NOT t_werks[] IS INITIAL.
LOOP AT t_werks.
CONCATENATE t_werks-werks
w_text
INTO w_text.
ENDLOOP.
MESSAGE exxx WITH 'No authorisation for '
w_text.
ENDIF.
ENDIF.
ENDIF.
Thanks and Best Regards,
Vikas Bittera.
**Reward if useful** -
Hi Guru's,
I want to have a authority check for table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
I know how to create the authorisation object and also tested a sample code for a z-report .
I want the details how to apply it to a standard program. Please guide me for this issue.
Thanx in Advance,
ArcahanHello ,
I will elaborate my requirement.
See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
The possible value's for komg-kbstat are as mentioned -
> 01-blocked , 02 - Released
Now I want the User ' XYZ' should have the authority to block only and not to release.
Regards,
W. Archana -
Authority-check for particular comp code
Hi All,
when i'm using standard Authority Object F_BKPF_BUK for a particular standard code say 'CO01'. but it is working for all company code, but i want work for only one company code say 'CO01' ONLY.i'm using in report program (zreport prog)
I written code as
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD 'BE10'
ID 'ACTVT' FIELD '03'.
Please can u advice on this .
Many Thanks in Advance for u r Answer
NarenHi
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Reward points if useful
Regards
Anji -
AUTHORITY-CHECK & customized program
Hi,
I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
DATA: text TYPE string,
m_text TYPE string.
text = 'You are not authorised for Company Code'.
DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
SELECT * FROM t001
INTO TABLE t_t001
WHERE bukrs IN s_bukrs.
LOOP AT t_t001.
AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
ID 'BUKRS' FIELD t_t001-bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
ENDIF.
ENDLOOP.
At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
HaryatiRun transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.
-
Hi All..
My requirement is to incorporate the Authority-Check for Sales Organization field ( VBAK-VKORG) inthe selection screen. In the meanwhlie, i should restrict further processing of Report, if unauthorized Sales Organzations.
Please help me in explaining the meaning of above requirement and can any one give me the code sample for this..????
Its urgent issue and kindly request you to help me out...Hi Pavan
Have made some changes to the code. Please check the same.
DATA: BEGIN OF lt_tvko OCCURS 0,
vkorg TYPE vkorg,
bukrs TYPE bukrs,
END OF lt_tvko.
SELECT vkorg bukrs FROM tvko INTO TABLE lt_tvko
WHERE vkorg IN lr_vkorg.
IF sy-subrc NE 0.
MESSAGE e085(wv).
ENDIF.
* Check all retrieved co.codes
SORT lt_tvko BY bukrs.
DELETE ADJACENT DUPLICATES FROM lt_tvko COMPARING bukrs.
LOOP AT lt_tvko.
* Error Message: No authorization for sales organization &1
PERFORM f_bukrs_auth_chk_p USING lt_tvko-bukrs 'ICC_FI_CN' 'E' '010'
lt_tvko-vkorg '' '' ''
CHANGING sy-subrc.
if sy-subrc ne 0.
delete lt_tvko.
endif.
ENDLOOP.
ranges: r_vkorg for tvko-vkorg.
if lt_tvko[] is initial.
Message eooo(00) with No authorization for any Sales Org input.
else.
r_vkorg-sign = 'I'.
r_vkorg-option = 'EQ'.
loop at lt_tvko.
r_vkorg-low = lt_tvko-vkorg.
append r_vkorg.
endlloop.
endif.
FORM f_bukrs_auth_chk_p USING value(lc_bukrs) TYPE bukrs
value(lc_msgid) LIKE sy-msgid
value(lc_msgty) LIKE sy-msgty
value(ln_msgno) LIKE sy-msgno
value(lc_msgv1)
value(lc_msgv2)
value(lc_msgv3)
value(lc_msgv4)
CHANGING p_subrc.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lc_bukrs
ID 'ACTVT' FIELD '03'.
p_subrc = sy-subrc.
ENDFORM. "f_bukrs_auth_chk_p
Now range
r_vkorg will have the list of authorized sales organizations. You can use it as the select-option for further processing.
Am not on SAP, have just coded from notepad. Please bear incase of any syntax errors.
Kind Regards
Eswar -
Hi,
I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
Currently i am using the following code.
UNPACK p_kunnr TO ws_werks.
AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
ID 'ACTVT' FIELD '01'
ID 'WERKS' FIELD ws_werks.
But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
Regards,
Pankaj AggarwalDon't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
- SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
- SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
- Use the new object in your program
- Give the object name to those who manage roles via PFCG
Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
Regards,
Raymond
Maybe you are looking for
-
LBACSYS account not present on 11.2.0.3
I installed OLS , VPD and Advanced Security ( its installed default anyway) and I verified using runInstaller that they are installed. But when checking the user presence, i dont see the account, and furthermore, SQL> SELECT VALUE FROM V$OPTION WHERE
-
I was wondering if the color cartridges 564xl will fit in my printer? If they are big like the hpxl black cartridge they will not fit.
-
located the dialog to change/select the search engines that are visible in waterfox, they are all selected (checked) attempting to change (uncheck) any\all options does not work (box does not uncheck).
-
IFS installation - cross platform
I would like to install iFS software installed on NT and repository on Solaris. If yes where can I find more information about this?
-
Giving Authorizations to OSS ID
Hi, My user is super user,I want to create ossids for my consultants and and i want give some authorizations only for that ids(Ex:no download access like that).where i have to create ids and authorizations for them in service.sap.com. Thanku