Authority Check in Programs

Hi all
Does anyone know tell me which table I check the check the program authority.
Thanks,

Hi Rodrigo,
Use following code to get it done in programs.
Say, for object V_VBAK_VKO (which you can see in SU24), you can do it like this.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD VKORG
ID 'VTWEG' FIELD VTWEG
ID 'SPART' FIELD SPART.
IF sy-subrc ne 0.
show an error message.
endif.
Here , VKORG, VTWEG and SPART you have to pass from program and check sy-subrc return value.
Hope this helps.
Regards,
Naveen

Similar Messages

  • How to debug a authority check in program and a authorisation object in tco

    Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
    i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
    i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
    every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .

    flow cannot be seen, we have to be based on sy-subrc only...
    you cannot see the flow in read table... describe table... transfer...
    the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0.

  • AUTHORITY-CHECK & customized program

    Hi,
    I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
    DATA: text      TYPE string,
              m_text  TYPE string.
    text = 'You are not authorised for Company Code'.
    DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
    SELECT * FROM t001
           INTO TABLE t_t001
                 WHERE bukrs IN s_bukrs.
    LOOP AT t_t001.
      AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
          ID 'BUKRS' FIELD t_t001-bukrs
          ID 'ACTVT' FIELD '03'.
      IF sy-subrc <> 0.
        CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
      ENDIF.
    ENDLOOP.
    At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
    Haryati

    Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

  • Authority check in ABAP program

    Hello All
    I am having some trouble with authority object in ABAP programming
    This is the situation.
    I have a field "plant" which is a select options in the selection screen.
    I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
    How can I incorporate this logic in the report.
    This the current coding
    AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'C_ROUT'
              ID 'ACTVT' FIELD '03'
              ID 'PLNTY' FIELD 'DUMMY'
              ID 'WERKS' FIELD s_werks
              ID 'STATU' FIELD 'DUMMY'
              ID 'VERWE' FIELD 'DUMMY'.
    START-OF-SELECTION.
      SELECT amatnr  aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
                               ON amatnr = bmatnr
                                AND awerks = bwerks
                             WHERE a~matnr IN s_matnr
                                   AND a~plnnr IN s_plnnr
                              AND a~plnal IN s_plnal
                            AND a~werks IN s_werks
                           AND a~plnty IN s_plnty
                           AND b~stlnr IN s_stlnr
                             AND b~stlal IN s_stlal. "(ALT BOM)
    Thanks
    Ricky

    Hi Ricky,
    to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
    Code like this:
    DATA : BEGIN of t_werks OCCURS 0,
                  werks TYPE t001w-werks,
    END OF t_werks.
    DATA : w_text(30) TYPE c.
    AT SELECTION-SCREEN.
    IF NOT s_werks[] IS INITIAL.
    REFRESH t_werks.
    SELECT werks
    FROM t001w
    INTO TABLE t_werks
    WHERE werks IN s_werks.
    IF sy-subrc EQ 0.
    LOOP AT t_werks.
    AUTHORITY CHECK...
    ID 'WERKS' FIELD t_werks-werks.
    IF sy-subrc EQ 0.
    DELETE t_werks.
    ENDIF.
    ENDLOOP.
    IF NOT t_werks[] IS INITIAL.
    LOOP AT t_werks.
    CONCATENATE t_werks-werks
                             w_text
                    INTO w_text.
    ENDLOOP.
    MESSAGE exxx WITH 'No authorisation for '
                                      w_text.
    ENDIF.
    ENDIF.
    ENDIF.
    Thanks and Best Regards,
    Vikas Bittera.
    **Reward if useful**

  • ALV GRID and AUTHORITY-CHECK

    Hi all !!! 
    I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
    In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
    For example :
    DEPARTMENT AA1 --> check/uncheck OK
    DEPARTMENT AA2 --> check/uncheck NOT OK
    DEPARTMENT AA3 --> check/uncheck OK
    ... etc.
    How can I do ? Create an new authorization object/field ?
    PS : it's the first time I'm using AUTHORITY-CHECK..

    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object> 
       ID <authority field 1> FIELD <field value 1>. 
       ID <authority field 2> FIELD <field value 2>. 
       ID <authority-field n> FIELD <field value n>. 
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    Example ;
    REPORT  EXAMPLE MESSAGE-ID Z1.
    TABLES: USR02.
    PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
    DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
    ---- Authorization check -
    AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
      ELSE.
        MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
      ENDIF.
    ENDIF.
    IF LISTLOCK = 'X'.
      WRITE:/ 'List all locked users: '.
      SELECT * FROM USR02 WHERE UFLAG = 64.
        WRITE: / USR02-BNAME.
      ENDSELECT.
      EXIT.
    ENDIF.
    IF LOCK = 'X'.
      UFLAGVAL = 64.                       "lock all users
      LOCKSTRING = 'locked'.
    ELSE.
      UFLAGVAL = 0.                        "unlock all users
      LOCKSTRING = 'unlocked'.
    ENDIF.
    SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
      IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
        WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
        CONTINUE.
      ENDIF.
    check that user has authority to make these changes
      AUTHORITY-CHECK OBJECT 'S_USER_GRP'
          ID 'CLASS' FIELD USR02-CLASS
          ID 'ACTVT' FIELD '05'.
      IF SY-SUBRC <> 0.
        IF SY-SUBRC = 4.
          WRITE: /'You are not authorized to lock/unlock user ',
            USR02-BNAME, USR02-CLASS.
        ELSE.
          WRITE: /'Authorization error checking user ',
                 USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
        ENDIF.
      ELSE.                                "has authority
        UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
        WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
      ENDIF.

  • How to use the AUTHORITY-CHECK in ABAP

    I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
    Thanks

    Hi Greg,
      Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has.  This is only as good as the person writing the code makes is.
    Here is a basic example of how it could work.  Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
    In the code the programmer would have to first do the authcheck to see what CC the user has access to.  Then they would have to limit his reporting based on the results of the authority check.  So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
    This is what I think you are looking for.  There are other ways to use the auth check.  You can do a check and end the program with a message if they don't have authorization. 
    If you need more info, let me know
    John

  • Authority CHeck VK11

    Hi Guru's,
    I want to have a authority check for  table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
    I know how to create the authorisation object and also tested a sample code for a z-report .
    I want the details how to apply it to a standard program. Please guide me for this issue.
    Thanx in Advance,
    Arcahan

    Hello ,
    I will elaborate my requirement.
    See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
    The possible value's for komg-kbstat are as mentioned -
    >  01-blocked  , 02 - Released
    Now  I want the User ' XYZ' should have the authority to block only and not to release.
    Regards,
    W. Archana

  • Authority-check for particular comp code

    Hi All,
    when i'm using standard Authority Object F_BKPF_BUK  for a particular standard code say 'CO01'. but it is working for all company code, but i want work for only one company code say 'CO01' ONLY.i'm using in report program (zreport prog)
    I written code as
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
        ID 'BUKRS' FIELD 'BE10'
        ID 'ACTVT' FIELD '03'.
    Please can u advice on this .
    Many Thanks in Advance for u r Answer
    Naren

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • AUTHORITY-CHECK before Selection-screen?

    Hi,
    i want to check the authority before the selection-screen. I do it in this way:
    AT SELECTION-SCREEN OUTPUT.
      AUTHORITY-CHECK OBJECT 'Z_REPORT'
               ID 'PROGRAM' FIELD SY-REPID
               ID 'ACTVT'   FIELD '16'. "Ausführen
      IF SY-SUBRC <> 0.
        MESSAGE E010 WITH 'Keine Berechtigung für Programm: '
        SY-REPID.
      ENDIF.
    But the selection appears without any parameters.
    Is there a way to check without the selection-screen?
    thanks.
    regards, Dieter

    Hi Dieter,
    Please check the below code for at selection screen authorization check.
    Handling selection screen events
    AT SELECTION-SCREEN ON p_carrid.
      IF p_carrid IS INITIAL.
        MESSAGE 'Please enter a value' TYPE 'E'.
      ENDIF.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                          ID 'CARRID' FIELD p_carrid
                          ID 'ACTVT'  FIELD '03'.
      IF sy-subrc = 4.
        MESSAGE 'No authorization for carrier' TYPE 'E'.
      ELSEIF sy-subrc <> 0.
        MESSAGE 'Error in authority check' TYPE 'A'.
      ELSE.
        IF sy-ucomm = 'ONLI'.
          CALL SELECTION-SCREEN '0500'.
        ENDIF.
      ENDIF.
    Regards,
    Md Ziauddin

  • AUTHORITY-CHECK for KUNNR

    Hi,
    I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
    Currently i am using the following code.
      UNPACK p_kunnr TO ws_werks.
      AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
               ID 'ACTVT' FIELD '01'
               ID 'WERKS' FIELD ws_werks.
    But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
    Regards,
    Pankaj Aggarwal

    Don't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
    - SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
    - SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
    - Use the new object in your program
    - Give the object name to those who manage roles via PFCG
    Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
    Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
    Regards,
    Raymond

  • AUTHORITY-CHECK always Return sy-subrc 0

    Hi,
    I have created a Authorization Object  'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
    When in Report program I do a check:
    AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
             ID 'USER' FIELD l_syuname .
    But the AUTHORITY-CHECK return 0 for all User IDs.
    Pls help what could be the Issue.
    Thanks
    Mohammed

    Hi,
    May be you would need to change the auth object and add the following two fields:
    REPID        ABAP Program Name
    ACTVT      Activity
    allowed values for ACTVT :
                                 01     Create or generate
                                 02     Change
                                 03     Display
                                 16     Execute
    In the code you can check
    AUTHORITY-CHECK OBJECT   "OBJECT_NAME"
                          ID   'ACTVT'  FIELD '16'.
                          ID   'REPID'  FIELD sy-cprog.
    Hope it helps.
    Anju

  • Authority Check for the User

    Hi,
         In how many ways can we set authorizations? I mean, in how many levels? My requirement is, to check the Authorization for a specific user to see if he is authorized to execute a Specific Z-Transaction (Report) for a specific Plant. How do I do that? I assume I need to code the AUTHORITY-CHECK OBJECT.... in my report. If yes, in which event? Please let me know.
    Thanks and Regards,
    Venkat.

    Hi Venkat,
    You can put in the AUTHORITY-CHECK at a number of points, after initialisation, during selection, prior to output - it depends on what the program is doing and how the rest of it is coded.
    For example, doing a big select and then only outputting based on the authority check may not efficient with large volumes of data.

  • Authority Check at the T.Code level for the user in particular User Group

    Hi Friends,
    I have created a ZREPORT and assigned this report to a ZTRANSACTION CODE.
    Need to give Authority Check at the T.Code level for the user in particular User Group.
    I have searched in SCN, but not get suitable pages.
    How to solve this?
    Regards,
    Viji.

    Hi Viji.
    Saha way is actual way for authority tcode but user authority in TCODE:- SE38 he/she can run report(ZREPORT) wise program is run is no authority check.
    Another way is you have also check authority in program level.
    DATA: T_ROLE_USERS TYPE STR_AGRS OCCURS 0 WITH HEADER LINE.
       INITIALIZATION.
      CALL FUNCTION 'ESS_USERS_OF_ROLE_GET'
        EXPORTING
          ROLE       = 'ZROLE''  " Role define
        TABLES
          ROLE_USERS = T_ROLE_USERS.
      READ TABLE T_ROLE_USERS WITH KEY UNAME = SY-UNAME.
       IF SY-SUBRC NE 0.
       RETURN.
       ENDIF.
    Thanks & Regards
    Rahul

  • Hi   authority check  in prog

    hi
    could anyone tell me how to use authority check in report program.
    please provide me with code in report only.
    thanx
    rocky robo

    PARAMETERS: P_BUKRS LIKE T001-BUKRS.
    SELECT-OPTIONS:
                    S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY,
    AT SELECTION-SCREEN.
      AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
          ID 'BUKRS' FIELD P_BUKRS
          ID 'ACTVT' FIELD '03'.
      if sy-subrc <> 0.
        message e001(ZAUT) with P_BUKRS.
      endif.
    loop at S_VKBUR.
        AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
            ID 'VKBUR' FIELD S_VKBUR-LOW
            ID 'ACTVT' FIELD '03'.
        if sy-subrc <> 0.
          message e001(ZAUT) with S_VKBUR-low.
        endif.
        if S_VKBUR-high <> space.
          AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
              ID 'VKBUR' FIELD S_VKBUR-HIGH
              ID 'ACTVT' FIELD '03'.
          if sy-subrc <> 0.
            message e001(ZAUT) with S_VKBUR-high.
          endif.
        endif.
      endloop.

  • Authority check - in terms of User Group

    Hi all,
    I need restrict the usage of a finnance report by order of users.the report has order grup as an input, only certain order groups should be viewed by certain users. in authority check can do the checking by using user groups instead of individual used.i.e create separate object for seperate order group and for each order group can i check against user group instead of individual users. kindly help.
    thanks.

    hi,
    Authorizationcheck can be done  for:
    1.Transactions
    2.ABAP programs
    in abap programs use the below code as reference for authorization check
    AUTHORITY-CHECK OBJECT  0.
        MESSAGE e184(sabapdocu) WITH text-010.
      ENDIF.
    rewards points if useful.
    regards
    sandhya

Maybe you are looking for

  • Doubts in alv interactive report

    Hello Gurus i am new to abap  i have doubt regarding interactive alv .  i wrote one but it gives runtime error . i taken reference to a sample program availiable please explain this code so i can write interactive alv effectively. FORM POPULATE_EVENT

  • Default Data Parameter

    Post Author: despec CA Forum: General I have read that in previous CR version (before XI), you could default a date parameter to the current date.  Is there any way in CR XI to achieve this or our we SOL until we upgrade to CR 2008 (which I hear does

  • Anyone figure out how to get Powershot G2 to work again after update to 1.5

    All my raw files from my Powershot G2 are now "Unsupported" since the update. Has anyone figured out how to update the program to allow support for that camera again? Any help would be much appreciated! Thanks

  • My right click menu does not appear, I can not copy or save as pics, etc.

    I have to use different browser when I need to save a pic. It does work in safe mode. I have uninstalled mozilla and re installed (updated version).

  • What would be the steps needed to upgrade OIM, connector pack

    we are planning to upgrade OIM 9.0.3 to 9.1 . So what are the steps that need to be followed? I also wanted to know how take backup of connector pack ??? Also the steps to upgrade connector pack??? Version Corrected