Authority Check in Programs
Hi all
Does anyone know tell me which table I check the check the program authority.
Thanks,
Hi Rodrigo,
Use following code to get it done in programs.
Say, for object V_VBAK_VKO (which you can see in SU24), you can do it like this.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD VKORG
ID 'VTWEG' FIELD VTWEG
ID 'SPART' FIELD SPART.
IF sy-subrc ne 0.
show an error message.
endif.
Here , VKORG, VTWEG and SPART you have to pass from program and check sy-subrc return value.
Hope this helps.
Regards,
Naveen
Similar Messages
-
How to debug a authority check in program and a authorisation object in tco
Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .flow cannot be seen, we have to be based on sy-subrc only...
you cannot see the flow in read table... describe table... transfer...
the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0. -
AUTHORITY-CHECK & customized program
Hi,
I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
DATA: text TYPE string,
m_text TYPE string.
text = 'You are not authorised for Company Code'.
DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
SELECT * FROM t001
INTO TABLE t_t001
WHERE bukrs IN s_bukrs.
LOOP AT t_t001.
AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
ID 'BUKRS' FIELD t_t001-bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
ENDIF.
ENDLOOP.
At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
HaryatiRun transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.
-
Authority check in ABAP program
Hello All
I am having some trouble with authority object in ABAP programming
This is the situation.
I have a field "plant" which is a select options in the selection screen.
I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
How can I incorporate this logic in the report.
This the current coding
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'C_ROUT'
ID 'ACTVT' FIELD '03'
ID 'PLNTY' FIELD 'DUMMY'
ID 'WERKS' FIELD s_werks
ID 'STATU' FIELD 'DUMMY'
ID 'VERWE' FIELD 'DUMMY'.
START-OF-SELECTION.
SELECT amatnr aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
ON amatnr = bmatnr
AND awerks = bwerks
WHERE a~matnr IN s_matnr
AND a~plnnr IN s_plnnr
AND a~plnal IN s_plnal
AND a~werks IN s_werks
AND a~plnty IN s_plnty
AND b~stlnr IN s_stlnr
AND b~stlal IN s_stlal. "(ALT BOM)
Thanks
RickyHi Ricky,
to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
Code like this:
DATA : BEGIN of t_werks OCCURS 0,
werks TYPE t001w-werks,
END OF t_werks.
DATA : w_text(30) TYPE c.
AT SELECTION-SCREEN.
IF NOT s_werks[] IS INITIAL.
REFRESH t_werks.
SELECT werks
FROM t001w
INTO TABLE t_werks
WHERE werks IN s_werks.
IF sy-subrc EQ 0.
LOOP AT t_werks.
AUTHORITY CHECK...
ID 'WERKS' FIELD t_werks-werks.
IF sy-subrc EQ 0.
DELETE t_werks.
ENDIF.
ENDLOOP.
IF NOT t_werks[] IS INITIAL.
LOOP AT t_werks.
CONCATENATE t_werks-werks
w_text
INTO w_text.
ENDLOOP.
MESSAGE exxx WITH 'No authorisation for '
w_text.
ENDIF.
ENDIF.
ENDIF.
Thanks and Best Regards,
Vikas Bittera.
**Reward if useful** -
Hi all !!!
I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
For example :
DEPARTMENT AA1 --> check/uncheck OK
DEPARTMENT AA2 --> check/uncheck NOT OK
DEPARTMENT AA3 --> check/uncheck OK
... etc.
How can I do ? Create an new authorization object/field ?
PS : it's the first time I'm using AUTHORITY-CHECK..Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
Example ;
REPORT EXAMPLE MESSAGE-ID Z1.
TABLES: USR02.
PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
---- Authorization check -
AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
ELSE.
MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
ENDIF.
ENDIF.
IF LISTLOCK = 'X'.
WRITE:/ 'List all locked users: '.
SELECT * FROM USR02 WHERE UFLAG = 64.
WRITE: / USR02-BNAME.
ENDSELECT.
EXIT.
ENDIF.
IF LOCK = 'X'.
UFLAGVAL = 64. "lock all users
LOCKSTRING = 'locked'.
ELSE.
UFLAGVAL = 0. "unlock all users
LOCKSTRING = 'unlocked'.
ENDIF.
SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
CONTINUE.
ENDIF.
check that user has authority to make these changes
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
ID 'CLASS' FIELD USR02-CLASS
ID 'ACTVT' FIELD '05'.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
WRITE: /'You are not authorized to lock/unlock user ',
USR02-BNAME, USR02-CLASS.
ELSE.
WRITE: /'Authorization error checking user ',
USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
ENDIF.
ELSE. "has authority
UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
ENDIF. -
How to use the AUTHORITY-CHECK in ABAP
I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
ThanksHi Greg,
Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has. This is only as good as the person writing the code makes is.
Here is a basic example of how it could work. Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
In the code the programmer would have to first do the authcheck to see what CC the user has access to. Then they would have to limit his reporting based on the results of the authority check. So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
This is what I think you are looking for. There are other ways to use the auth check. You can do a check and end the program with a message if they don't have authorization.
If you need more info, let me know
John -
Hi Guru's,
I want to have a authority check for table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
I know how to create the authorisation object and also tested a sample code for a z-report .
I want the details how to apply it to a standard program. Please guide me for this issue.
Thanx in Advance,
ArcahanHello ,
I will elaborate my requirement.
See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
The possible value's for komg-kbstat are as mentioned -
> 01-blocked , 02 - Released
Now I want the User ' XYZ' should have the authority to block only and not to release.
Regards,
W. Archana -
Authority-check for particular comp code
Hi All,
when i'm using standard Authority Object F_BKPF_BUK for a particular standard code say 'CO01'. but it is working for all company code, but i want work for only one company code say 'CO01' ONLY.i'm using in report program (zreport prog)
I written code as
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD 'BE10'
ID 'ACTVT' FIELD '03'.
Please can u advice on this .
Many Thanks in Advance for u r Answer
NarenHi
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Reward points if useful
Regards
Anji -
AUTHORITY-CHECK before Selection-screen?
Hi,
i want to check the authority before the selection-screen. I do it in this way:
AT SELECTION-SCREEN OUTPUT.
AUTHORITY-CHECK OBJECT 'Z_REPORT'
ID 'PROGRAM' FIELD SY-REPID
ID 'ACTVT' FIELD '16'. "Ausführen
IF SY-SUBRC <> 0.
MESSAGE E010 WITH 'Keine Berechtigung für Programm: '
SY-REPID.
ENDIF.
But the selection appears without any parameters.
Is there a way to check without the selection-screen?
thanks.
regards, DieterHi Dieter,
Please check the below code for at selection screen authorization check.
Handling selection screen events
AT SELECTION-SCREEN ON p_carrid.
IF p_carrid IS INITIAL.
MESSAGE 'Please enter a value' TYPE 'E'.
ENDIF.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD p_carrid
ID 'ACTVT' FIELD '03'.
IF sy-subrc = 4.
MESSAGE 'No authorization for carrier' TYPE 'E'.
ELSEIF sy-subrc <> 0.
MESSAGE 'Error in authority check' TYPE 'A'.
ELSE.
IF sy-ucomm = 'ONLI'.
CALL SELECTION-SCREEN '0500'.
ENDIF.
ENDIF.
Regards,
Md Ziauddin -
Hi,
I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
Currently i am using the following code.
UNPACK p_kunnr TO ws_werks.
AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
ID 'ACTVT' FIELD '01'
ID 'WERKS' FIELD ws_werks.
But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
Regards,
Pankaj AggarwalDon't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
- SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
- SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
- Use the new object in your program
- Give the object name to those who manage roles via PFCG
Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
Regards,
Raymond -
AUTHORITY-CHECK always Return sy-subrc 0
Hi,
I have created a Authorization Object 'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
When in Report program I do a check:
AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
ID 'USER' FIELD l_syuname .
But the AUTHORITY-CHECK return 0 for all User IDs.
Pls help what could be the Issue.
Thanks
MohammedHi,
May be you would need to change the auth object and add the following two fields:
REPID ABAP Program Name
ACTVT Activity
allowed values for ACTVT :
01 Create or generate
02 Change
03 Display
16 Execute
In the code you can check
AUTHORITY-CHECK OBJECT "OBJECT_NAME"
ID 'ACTVT' FIELD '16'.
ID 'REPID' FIELD sy-cprog.
Hope it helps.
Anju -
Hi,
In how many ways can we set authorizations? I mean, in how many levels? My requirement is, to check the Authorization for a specific user to see if he is authorized to execute a Specific Z-Transaction (Report) for a specific Plant. How do I do that? I assume I need to code the AUTHORITY-CHECK OBJECT.... in my report. If yes, in which event? Please let me know.
Thanks and Regards,
Venkat.Hi Venkat,
You can put in the AUTHORITY-CHECK at a number of points, after initialisation, during selection, prior to output - it depends on what the program is doing and how the rest of it is coded.
For example, doing a big select and then only outputting based on the authority check may not efficient with large volumes of data. -
Authority Check at the T.Code level for the user in particular User Group
Hi Friends,
I have created a ZREPORT and assigned this report to a ZTRANSACTION CODE.
Need to give Authority Check at the T.Code level for the user in particular User Group.
I have searched in SCN, but not get suitable pages.
How to solve this?
Regards,
Viji.Hi Viji.
Saha way is actual way for authority tcode but user authority in TCODE:- SE38 he/she can run report(ZREPORT) wise program is run is no authority check.
Another way is you have also check authority in program level.
DATA: T_ROLE_USERS TYPE STR_AGRS OCCURS 0 WITH HEADER LINE.
INITIALIZATION.
CALL FUNCTION 'ESS_USERS_OF_ROLE_GET'
EXPORTING
ROLE = 'ZROLE'' " Role define
TABLES
ROLE_USERS = T_ROLE_USERS.
READ TABLE T_ROLE_USERS WITH KEY UNAME = SY-UNAME.
IF SY-SUBRC NE 0.
RETURN.
ENDIF.
Thanks & Regards
Rahul -
hi
could anyone tell me how to use authority check in report program.
please provide me with code in report only.
thanx
rocky roboPARAMETERS: P_BUKRS LIKE T001-BUKRS.
SELECT-OPTIONS:
S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY,
AT SELECTION-SCREEN.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'BUKRS' FIELD P_BUKRS
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with P_BUKRS.
endif.
loop at S_VKBUR.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'VKBUR' FIELD S_VKBUR-LOW
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with S_VKBUR-low.
endif.
if S_VKBUR-high <> space.
AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
ID 'VKBUR' FIELD S_VKBUR-HIGH
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
message e001(ZAUT) with S_VKBUR-high.
endif.
endif.
endloop. -
Authority check - in terms of User Group
Hi all,
I need restrict the usage of a finnance report by order of users.the report has order grup as an input, only certain order groups should be viewed by certain users. in authority check can do the checking by using user groups instead of individual used.i.e create separate object for seperate order group and for each order group can i check against user group instead of individual users. kindly help.
thanks.hi,
Authorizationcheck can be done for:
1.Transactions
2.ABAP programs
in abap programs use the below code as reference for authorization check
AUTHORITY-CHECK OBJECT 0.
MESSAGE e184(sabapdocu) WITH text-010.
ENDIF.
rewards points if useful.
regards
sandhya
Maybe you are looking for
-
Doubts in alv interactive report
Hello Gurus i am new to abap i have doubt regarding interactive alv . i wrote one but it gives runtime error . i taken reference to a sample program availiable please explain this code so i can write interactive alv effectively. FORM POPULATE_EVENT
-
Post Author: despec CA Forum: General I have read that in previous CR version (before XI), you could default a date parameter to the current date. Is there any way in CR XI to achieve this or our we SOL until we upgrade to CR 2008 (which I hear does
-
Anyone figure out how to get Powershot G2 to work again after update to 1.5
All my raw files from my Powershot G2 are now "Unsupported" since the update. Has anyone figured out how to update the program to allow support for that camera again? Any help would be much appreciated! Thanks
-
My right click menu does not appear, I can not copy or save as pics, etc.
I have to use different browser when I need to save a pic. It does work in safe mode. I have uninstalled mozilla and re installed (updated version).
-
What would be the steps needed to upgrade OIM, connector pack
we are planning to upgrade OIM 9.0.3 to 9.1 . So what are the steps that need to be followed? I also wanted to know how take backup of connector pack ??? Also the steps to upgrade connector pack??? Version Corrected