Authority check - in terms of User Group

Similar Messages

• AUTHORITY-CHECK for an defined USER

  Hi,
  i write a abap (protokol) which shell be started every hour. In this report i will use
  an AUTHORITY-CHECK for an defined user, because i will send the protokol via email, but i have
  to check if this user is allowed to see the data.
  I will use this:
  AUTHORITY-CHECK OBJECT 'F_LFA1_BEK'
  ID 'BRGRU' FIELD '__________'
  ID 'ACTVT' FIELD '__________'.
  for an defined user.
  Is this possible, or how can i check this in another way?
  Thanks.
  Regards, Dieter

  Hi Eric,
  i tried it like this:
  UTHORITY-CHECK OBJECT 'F_LFA1_BEK'
           ID 'BRGRU' FIELD 'KRED'
           ID 'ACTVT' FIELD '03'.
  BREAK-POINT.
  CALL FUNCTION 'AUTHORITY_CHECK'
    EXPORTING
    NEW_BUFFERING             = 3
    USER                      = SY-UNAME
      OBJECT                    = 'F_LFA1_BEK'
      FIELD1                    = 'BRGRU'
      VALUE1                    = 'KRED'
      FIELD2                    = 'ACTVT'
      VALUE2                    = '03'
  EXCEPTIONS
     USER_DONT_EXIST           = 1
     USER_IS_AUTHORIZED        = 2
     USER_NOT_AUTHORIZED       = 3
     USER_IS_LOCKED            = 4
     OTHERS                    = 5.
  BREAK-POINT.
  at first breakt-point sy-subrc = 0 at second sy-subrc = 2. Can you tell why i get another sy-subrc?
  is my FM-Call correct?
  thanks.
  Regards, Dieter

• Execute Authority Check With an different User then the logged on one

  Hello,
  is there any possibilty to make the command "AUTHORITY-CHECK" with another user then the user which is actually logged in into the system.
  For Example: my Username "USER1".
  Login with user "USER1".
  Run ABAP Pogramm to check if user "USER2" has the autority for an auth. object per command "AUTHORITY-CHECK".
  Thanks for all Ideas.
  Best Regards
  Marcus

  Try the FM AUTHORITY_CHECK!
  Cheers,
  Ramki.

• Authority-check for transaction SU3 (User Parameters)

  Dear experts,
  we can not give the authority for transaction SU3 for all users in our seperated HR-System, because the screen numbers of dynpros can be set with parameters and therefore, user could have access to 'wrong' data.
  We are looking for a way to give the permission for some parameters only.
  Has someone had the same problem and found a nice solution without or with only small modifications?
  A new authority-object, ....?
  Thank your very much
  Johanna

  Hi, thank you very much.
  I tried to solve the problem with screen variants, but I can only set the whole column of parameter inputs to 'display' and not single fields.  Therfore, it doesn't works.
  Johanna
  Edited by: Johanna Hensler on Sep 8, 2008 12:24 PM

• Authority check at field level in sales order

  Dear all, our business requirement is the following:
  only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
  This means that for an order of sales group 'A':
  a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
  I ask you if such a scenario can be realized in SAP.
  We currently run SAP ECC 5.0.
  thx all !
  bye Roberto

  Hi agree with Jan and Auke,
  To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
  But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
  If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
  Cheers,
  Julius

• Authority check at field level in the sales order

  Dear all, our business requirement is the following:
  only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
  This means that for an order of sales group 'A':
  a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
  I ask you if such a scenario can be realized in SAP.
  We currently run SAP ECC 5.0.
  thx all !
  bye Roberto

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  <b><REMOVED BY MODERATOR></b>
  regards
  Anji
  Message was edited by:
          Alvaro Tejada Galindo

• AUTHORITY-CHECK always Return sy-subrc 0

  Hi,
  I have created a Authorization Object  'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
  When in Report program I do a check:
  AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
           ID 'USER' FIELD l_syuname .
  But the AUTHORITY-CHECK return 0 for all User IDs.
  Pls help what could be the Issue.
  Thanks
  Mohammed

  Hi,
  May be you would need to change the auth object and add the following two fields:
  REPID        ABAP Program Name
  ACTVT      Activity
  allowed values for ACTVT :
                               01     Create or generate
                               02     Change
                               03     Display
                               16     Execute
  In the code you can check
  AUTHORITY-CHECK OBJECT   "OBJECT_NAME"
                        ID   'ACTVT'  FIELD '16'.
                        ID   'REPID'  FIELD sy-cprog.
  Hope it helps.
  Anju

• Authority-Check in UPDATE TASK CALL

  Hi Gurus,
  Does anybody know, from the Technical point of view, if there is any special issue with an Authority-Check put in a user-exit called in UPDATE TASK?
  Thanks & Regards
  Ernesto.

  Hello Michael,
  Thank you for your reply. I was asking this because I have a problem regarding an Authority Check and I do not know what the problem is. In user exit EXIT_SAPLL03T_002 (executed in Update TASK) I want to check for Storage Type condition from the object L_LGNUM. The user that executes LT12 transaction has one role only that has object L_LGNUM like this:
  Object L_LGNUM
  Warehouse Number - LNUM = 200
  Storage Type - LGTYP = 100, 200, 300, 400, 500, 600, 700, 800
  The two checks I am doing are:
    Check Source Storage Type
      AUTHORITY-CHECK OBJECT 'L_LGNUM'
               ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
               ID 'LGTYP' FIELD ls_ltap_vb-vltyp (902)
      Check Destination Storage Type
        AUTHORITY-CHECK OBJECT 'L_LGNUM'
                 ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
                 ID 'LGTYP' FIELD ls_ltap_vb-nltyp (002)
  And for no reason SAP doesn't return sy-subrc NE 0 when it should. I've checked the role and it has no conflict with another one as it is the only role the user has. Any idea?
  Thanks & Regards
  Ernesto

• Urgent(Authority-check)

  HI Gurus..
  I have used PNP L.database.
  But i have used few select statements to read data from infotypes.
  do i need to do authority check separately
  or L database will take care of it.
  Please provide me with the acurate answers.. as its an urgent issue..

  To create authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you can to create both object and class.
  While defining the object you will have to provide what fields will be in this object. For example if i am creating a custom object to be used in SD based on customer and plant, i would include fields such as KUNNR and WERKS in my authority object. In addition to that if i also want to check for display/change/create access, i would also add a field called ACTVT (activity).
  Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values like for display only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache )
  You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values(say Actvt 03 customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0 means the authority check is OK, the user has the authorization.
  I think this will give you an idea on how to proceed.
  Cheers

• Authority Check at the T.Code level for the user in particular User Group

  Hi Friends,
  I have created a ZREPORT and assigned this report to a ZTRANSACTION CODE.
  Need to give Authority Check at the T.Code level for the user in particular User Group.
  I have searched in SCN, but not get suitable pages.
  How to solve this?
  Regards,
  Viji.

  Hi Viji.
  Saha way is actual way for authority tcode but user authority in TCODE:- SE38 he/she can run report(ZREPORT) wise program is run is no authority check.
  Another way is you have also check authority in program level.
  DATA: T_ROLE_USERS TYPE STR_AGRS OCCURS 0 WITH HEADER LINE.
     INITIALIZATION.
    CALL FUNCTION 'ESS_USERS_OF_ROLE_GET'
      EXPORTING
        ROLE       = 'ZROLE''  " Role define
      TABLES
        ROLE_USERS = T_ROLE_USERS.
    READ TABLE T_ROLE_USERS WITH KEY UNAME = SY-UNAME.
     IF SY-SUBRC NE 0.
     RETURN.
     ENDIF.
  Thanks & Regards
  Rahul

• Authority Check for the User

  Hi,
       In how many ways can we set authorizations? I mean, in how many levels? My requirement is, to check the Authorization for a specific user to see if he is authorized to execute a Specific Z-Transaction (Report) for a specific Plant. How do I do that? I assume I need to code the AUTHORITY-CHECK OBJECT.... in my report. If yes, in which event? Please let me know.
  Thanks and Regards,
  Venkat.

  Hi Venkat,
  You can put in the AUTHORITY-CHECK at a number of points, after initialisation, during selection, prior to output - it depends on what the program is doing and how the rest of it is coded.
  For example, doing a big select and then only outputting based on the authority check may not efficient with large volumes of data.

• GRC AC v10: User Request Field (User Group for Authorisation Check)

  Good Day,
  I am wondering if anyone has had any success in pulling across the User Group in the User Access Request Form. In EUP Default View settings, this is set as visible and editable. Yet, I am not seeing the field in the AR form. I would expect to see this field in the User Details tab. That being said, I am also curious about the User System Details tab. I would think the  User Group will come across in one of these two tabs. Appreciate any insight... ~Triera

  Hi,
  The user group of the selected user would be populated in 'User System Details' tab . This field is not there is user details tab as each system can have different user group and we can have multiple systems in the request .
  Please check if the user selected in the request has a usergroup assigned in the detail datasource system.
  Best Regards,
  Aman

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Tcode for see AUTHORITY-CHECK asignement for User ?

  Hi everybody
  1. Does somebody knows a TCode for see an Authorization Object directly, that is i know to see them using SU21, then selecting an Authorization Class and then i see the corresponding Auth.Objetcs.  But, is there a Tcode for see the Auth.Objects without see first the Auth.Classes ?
  2, Is there a Tcode for see the Auth.Objects and values assigned for a user , that is, a Tcode for evaluate if an AUTHORITY-CHECK is going to be passed by an specific user-object-activity ?
  For example, i have the Auth.Object  'M_MATE_WRK' wich uses the Plant (WERKS) object.  Is there a Tcode wich allow me to know if a user has asigned this Auth.Object for specified Plant (WERKS) Value, and wich activities does the user has permited ?
  Thanks..
  Frank

  Hello Frank
  Call transaction <b>SUIM</b> (User Information System) and check the available reports there. I am sure you will find a report fulfilling your requirement.
  Regards
    Uwe

• Include authority check in PM User exit

  Dear all,
  Is there any user exit for adding an authority check object in IW31 transaction program?
  Kindly advise.
  Thanks.

  Hi,
  There is a Function module AUTHORITY-CHECK to check the authrization, here you can give the trnasaction code as well as the user name .. look at the function module in SE37..
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  <b>Reward points if useful</b>
  Regards
  Ashu