Authority Check issue
Hi Experts,
I am facing an issue in an authority-check statement in a standard program.
The role corresponding to the authorization object has been assigned to a user. But the user is getting the authorization error message that he does have the authorization.
However if the user gets into debugging mode, the program is executed Successfully. The authorization error message is not triggered in debug mode.
Please provide your valuable suggestions and solution to fix up this issue.
Thanks in Advance.
Regards,
K Arasu
Hi,
You may need to contact your basis and get more information on how they have setup the authorization for the role.
In general, if this scenario is in production, it should not be the case as you have described. No User is given debug rights except those from the prodn.support dev.team. Maybe the role is not assigned properly to the user.
This is what I can think of right now.
Regards,
Subramanian
Similar Messages
-
Hi Guru's,
I want to have a authority check for table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
I know how to create the authorisation object and also tested a sample code for a z-report .
I want the details how to apply it to a standard program. Please guide me for this issue.
Thanx in Advance,
ArcahanHello ,
I will elaborate my requirement.
See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
The possible value's for komg-kbstat are as mentioned -
> 01-blocked , 02 - Released
Now I want the User ' XYZ' should have the authority to block only and not to release.
Regards,
W. Archana -
Hi All..
My requirement is to incorporate the Authority-Check for Sales Organization field ( VBAK-VKORG) inthe selection screen. In the meanwhlie, i should restrict further processing of Report, if unauthorized Sales Organzations.
Please help me in explaining the meaning of above requirement and can any one give me the code sample for this..????
Its urgent issue and kindly request you to help me out...Hi Pavan
Have made some changes to the code. Please check the same.
DATA: BEGIN OF lt_tvko OCCURS 0,
vkorg TYPE vkorg,
bukrs TYPE bukrs,
END OF lt_tvko.
SELECT vkorg bukrs FROM tvko INTO TABLE lt_tvko
WHERE vkorg IN lr_vkorg.
IF sy-subrc NE 0.
MESSAGE e085(wv).
ENDIF.
* Check all retrieved co.codes
SORT lt_tvko BY bukrs.
DELETE ADJACENT DUPLICATES FROM lt_tvko COMPARING bukrs.
LOOP AT lt_tvko.
* Error Message: No authorization for sales organization &1
PERFORM f_bukrs_auth_chk_p USING lt_tvko-bukrs 'ICC_FI_CN' 'E' '010'
lt_tvko-vkorg '' '' ''
CHANGING sy-subrc.
if sy-subrc ne 0.
delete lt_tvko.
endif.
ENDLOOP.
ranges: r_vkorg for tvko-vkorg.
if lt_tvko[] is initial.
Message eooo(00) with No authorization for any Sales Org input.
else.
r_vkorg-sign = 'I'.
r_vkorg-option = 'EQ'.
loop at lt_tvko.
r_vkorg-low = lt_tvko-vkorg.
append r_vkorg.
endlloop.
endif.
FORM f_bukrs_auth_chk_p USING value(lc_bukrs) TYPE bukrs
value(lc_msgid) LIKE sy-msgid
value(lc_msgty) LIKE sy-msgty
value(ln_msgno) LIKE sy-msgno
value(lc_msgv1)
value(lc_msgv2)
value(lc_msgv3)
value(lc_msgv4)
CHANGING p_subrc.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lc_bukrs
ID 'ACTVT' FIELD '03'.
p_subrc = sy-subrc.
ENDFORM. "f_bukrs_auth_chk_p
Now range
r_vkorg will have the list of authorized sales organizations. You can use it as the select-option for further processing.
Am not on SAP, have just coded from notepad. Please bear incase of any syntax errors.
Kind Regards
Eswar -
AUTHORITY-CHECK always Return sy-subrc 0
Hi,
I have created a Authorization Object 'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
When in Report program I do a check:
AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
ID 'USER' FIELD l_syuname .
But the AUTHORITY-CHECK return 0 for all User IDs.
Pls help what could be the Issue.
Thanks
MohammedHi,
May be you would need to change the auth object and add the following two fields:
REPID ABAP Program Name
ACTVT Activity
allowed values for ACTVT :
01 Create or generate
02 Change
03 Display
16 Execute
In the code you can check
AUTHORITY-CHECK OBJECT "OBJECT_NAME"
ID 'ACTVT' FIELD '16'.
ID 'REPID' FIELD sy-cprog.
Hope it helps.
Anju -
Authority Check - Best Practice - Optimum Way
Hi Experts,
I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
I am planning to create range tables and populate it with the authorized values and use it in the select queries.
I have two concerns:
1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
What is the best practice or rule of the thumb that you have figured out.
Thanks,
Abdullah Ismail.Are they asking you to check the authorisations for each of the following?
1. Sales Organization
2. Distribution Channel
3. Division
4. Sales Group
5. Sales Office
6. Sales Document Type
7. Sales Country
8. Material Group(Brands)
If so that is completely over engineered and good luck with that. Surely you only need to check at one level of the sales structure, the lowest level I would guess. Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
Therefore they auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you wonu2019t have that many appends and it wonu2019t add much to the time of the report. While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
Hope that helps,
Tim -
Authority-Check in UPDATE TASK CALL
Hi Gurus,
Does anybody know, from the Technical point of view, if there is any special issue with an Authority-Check put in a user-exit called in UPDATE TASK?
Thanks & Regards
Ernesto.Hello Michael,
Thank you for your reply. I was asking this because I have a problem regarding an Authority Check and I do not know what the problem is. In user exit EXIT_SAPLL03T_002 (executed in Update TASK) I want to check for Storage Type condition from the object L_LGNUM. The user that executes LT12 transaction has one role only that has object L_LGNUM like this:
Object L_LGNUM
Warehouse Number - LNUM = 200
Storage Type - LGTYP = 100, 200, 300, 400, 500, 600, 700, 800
The two checks I am doing are:
Check Source Storage Type
AUTHORITY-CHECK OBJECT 'L_LGNUM'
ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
ID 'LGTYP' FIELD ls_ltap_vb-vltyp (902)
Check Destination Storage Type
AUTHORITY-CHECK OBJECT 'L_LGNUM'
ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
ID 'LGTYP' FIELD ls_ltap_vb-nltyp (002)
And for no reason SAP doesn't return sy-subrc NE 0 when it should. I've checked the role and it has no conflict with another one as it is the only role the user has. Any idea?
Thanks & Regards
Ernesto -
Hi all.
in CJ02 I have this autorization check:
AUTHORITY-CHECK OBJECT 'C_DRAD_OBJ'
ID 'ACTVT' FIELD lt_display-mode
ID 'DOKOB' FIELD object
ID 'STATUS' FIELD ls_draw-dokst
ID 'DOKAR' FIELD ls_draw-dokar.
IF sy-subrc <> 0 .
no AUTHORITY
the sy-subrc is <> 0. how can I see the data into this object? can i add data into?Hi Fabrizio,
1. This is a normal
'authorisation not there'
issue.
2. Contact your basis team
and they will help out
by assigning the values
for the particular auth object
for the required profile
for the particular user !
regards,
amit m. -
Hi,
I want to add an authority check on movement type using transaction LB13 and then create TO (both background as foreground) .
Are there any user-exits / BADI's avaibalbe to build in an extra check, which allow error messages and will be passed using LB13?
It seems that the only user-exit that is passed is EXIT_SAPML03T_002 but if I add an error message in this exit, it will end in an internal error, which of course I don't want to.
kind regards
MaartenHi ,
I don't know that you already resolved this issue. Any way try creating custome Authorization for plant and use it
Create Z_IS_WERKS with following authorization fields and assign permited value '03' for field ACTVT.
ACTVT Activity
WERKS Plant
Use this code.
AUTHORITY-CHECK OBJECT 'Z_IS_WERKS'
ID 'ACTVT' FIELD lv_display
ID 'WERKS' FIELD zmapw-werks.
Regards,
Babu -
Authority-check for a particular company code
Hi,
I need to check authorization for a particular company code.In my bdc call transaction program i'm fetching mass data from excel file and for every record i've to check the company code field.If the company code is not the required one then that record should not be processed.
So before filling the bdc data i wrote like
LOOP AT gt_inrec INTO gs_inrec.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'ACTVT' field '02'
ID 'BUKRS' field '2800'.
IF NOT sy-subrc = 0.
MESSAGE e058(zz) WITH gs_inrec-bukrs.
EXIT.
ENDIF.
PERFORM fill_bdc.
ENDLOOP.
but it is not exiting for different company codes and is allowing records with all company codes.
can anybody pls tell me how to rectify this?
thanks in advance,
poornimaI need to perform authority check on the field NAME1 present in the standard screen - customer master ( T.Code-XD02). Only certain users should be allowed to edit the field and others should be restricted.
I have created a field exit FIELD_EXIT_AD_NAME1 for the ADRC-NAME1 field.
Now inside this field exit i need to write the authority-check code.
I have created the authorisation object Z_KNA1_NAM for the field NAME1 using the SU20 and SU21.
For this scenario how do i write the authority-check code in my field exit?
Below is my field exit code,is that correct?
FUNCTION FIELD_EXIT_AD_NAME1.
""Local Interface:
*" IMPORTING
*" REFERENCE(INPUT)
*" EXPORTING
*" REFERENCE(OUTPUT)
AUTHORITY-CHECK OBJECT 'Z_KNA1_NAM'
ID 'NAME1' FIELD SY-UNAME
ID 'ACTVT' FIELD '03'.
IF SY-SUBRC = 0.
MESSAGE 'Not Allowed to Edit the Name 1 Field' TYPE 'E'.
ENDIF.
ENDFUNCTION.
In the above code i have given SY-UNAME in the code line 2 - ID 'NAME1' FIELD SY-UNAME ,is that correct? what should i give there?
Please help me on this issue.
Cheers,
P.S.Chitra -
Urgent(Authority-check)
HI Gurus..
I have used PNP L.database.
But i have used few select statements to read data from infotypes.
do i need to do authority check separately
or L database will take care of it.
Please provide me with the acurate answers.. as its an urgent issue..To create authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you can to create both object and class.
While defining the object you will have to provide what fields will be in this object. For example if i am creating a custom object to be used in SD based on customer and plant, i would include fields such as KUNNR and WERKS in my authority object. In addition to that if i also want to check for display/change/create access, i would also add a field called ACTVT (activity).
Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values like for display only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache )
You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values(say Actvt 03 customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0 means the authority check is OK, the user has the authorization.
I think this will give you an idea on how to proceed.
Cheers -
Cross company payment through F-53, error in Check deposit & check issue tr
Hi
I have just joined the community and ready with 3 queries.
Please.......... help me to resolve.
i) While executing the cross company payment ( company code 1300 making payment for vendor in company code 0013) using transaction code F-53, I am getting error 'vendor not defined in company code 1300'.
For F-53 screen, vendor is selected from company code 0013.
I have executed APP (F110) successfully in company code 1300 for paying the same vendor in company code 0013.
ii) For check deposit transaction, error is " entry 1300 is missing in table TO43S'. (1300 is a company code)
iii) For check issue transaction, error is "no batch input data for screen SAPMF05A'
Thanks
Rekha1. Don't give vendor number in the main screen, give all remaining inouts and press enter, then it'll show the second screen
there you can give the company code and vendor account.
2. Cretae a tolerance group for GL accounts in OBA0.
Don't post more than one query in the same thread.
Rgds
Murali. N -
Authority check at field level in sales order
Dear all, our business requirement is the following:
only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
This means that for an order of sales group 'A':
a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
I ask you if such a scenario can be realized in SAP.
We currently run SAP ECC 5.0.
thx all !
bye RobertoHi agree with Jan and Auke,
To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
Cheers,
Julius -
Authority check on Creation of Purchase order usin badi BBP_ITEM_CHECK_BADI
hi all,
i have to apply authority checks on creation of Purchase order and shopping cart in SRM using badi BBP_ITEM_CHECK_BADI.
i have applied checks on creation of shopping cart using this badi which have some filters but how to apply on purchasing order using BBP_ITEM_CHECK_BADI.hi,
You can use the BBP_DOC_CHECK_BADI.
BR,
Disha.
Pls rewar points for useful answers. -
Hi all !!!
I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
For example :
DEPARTMENT AA1 --> check/uncheck OK
DEPARTMENT AA2 --> check/uncheck NOT OK
DEPARTMENT AA3 --> check/uncheck OK
... etc.
How can I do ? Create an new authorization object/field ?
PS : it's the first time I'm using AUTHORITY-CHECK..Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
Example ;
REPORT EXAMPLE MESSAGE-ID Z1.
TABLES: USR02.
PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
---- Authorization check -
AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
ELSE.
MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
ENDIF.
ENDIF.
IF LISTLOCK = 'X'.
WRITE:/ 'List all locked users: '.
SELECT * FROM USR02 WHERE UFLAG = 64.
WRITE: / USR02-BNAME.
ENDSELECT.
EXIT.
ENDIF.
IF LOCK = 'X'.
UFLAGVAL = 64. "lock all users
LOCKSTRING = 'locked'.
ELSE.
UFLAGVAL = 0. "unlock all users
LOCKSTRING = 'unlocked'.
ENDIF.
SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
CONTINUE.
ENDIF.
check that user has authority to make these changes
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
ID 'CLASS' FIELD USR02-CLASS
ID 'ACTVT' FIELD '05'.
IF SY-SUBRC <> 0.
IF SY-SUBRC = 4.
WRITE: /'You are not authorized to lock/unlock user ',
USR02-BNAME, USR02-CLASS.
ELSE.
WRITE: /'Authorization error checking user ',
USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
ENDIF.
ELSE. "has authority
UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
ENDIF. -
Hi
we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
I searched thru forums and collected below points. but could not test it successfully.
Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
In su01 for my user no roles or profiles are defined.
To do
Trying to write below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
PBO & PAI
*First statement
Module Authorictycheck.
module Authoritycheck
LOOP AT EXTRACT.
AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
ID 'ACTVT' FIELD '01,02,03'
ID 'BUKRS' FIELD ZTTL01-BUKRS.
IF sy-subrc <> 0.
MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
EXIT. 'access Bukrs'extract-bukrs.
ENDIF.
ENDLOOP.
endmodule
Can i use above code in PBO and PAI to check change of company code?
I am sharing role and profile created by other user, which allows only company code 'A10'.
How to test this now?
se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
Regards
ChandraHi Suhas
Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
Thanks for ur input.
Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
To achieve this can i use EVENT AA?
I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
FORM ZHIDE_COCODE.
DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
LOOP AT TOTAL.
READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
IF SY-SUBRC EQ 0.
F_INDEX = SY-TABIX.
ELSE.
CLEAR F_INDEX.
ENDIF. "(make desired changes to the line TOTAL)
MODIFY TOTAL.
CHECK F_INDEX GT 0.
EXTRACT = TOTAL.
MODIFY EXTRACT INDEX F_INDEX.
*ENDIF.
ENDLOOP.
SY-SUBRC = 0.
ENDFORM.
I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
what should be done now?
Regards
Chandra
Maybe you are looking for
-
Not able to create Follow up transaction since it has been grayed out
Hi Experts, We have a scenario where in we will create the Sales Transactions (OR) in ECC and then it will replicates to CRM. In CRM we wants to create Returns Order (RE) as a follow up Transaction to OR (which is replicated from ECC to CRM) . When I
-
Photo streaming is not working properly
I have an I phone & Ipad. Only part of the photos i take on the Iphone get uploaded in photostream, despite the fact that there are only 250 images in the stream. I took 4 photos yesterday, but only two have got uploaded. This happens all the time, a
-
Cross-refs don't convert when using DropDownCaption/DropDownBody
Using TCS 2.5 (RoboHelp 8.0.2.208 / Frame 9). I am current with all updates for this version. I'm still in the process of setting up our templates for converting our books from Frame to RoboHelp using the "linking" ability in RH. I have run into a pr
-
Teathering iPad2 to iPhone4S doesn't work
When I teather my iPad2 to my iPhone 4S with WiFi, the iPhone reports 1 connection. If I turn off WiFi and go with BlueTooth, it also reports 1 connection. If both WiFi and BlueTooth are on (and the BlueTooth is paired), the iPhone reports 2 connec
-
How to define ACH file name in OBPM4 so that rundate is also displayed
Hi All, I had done configuration in OBPM4 so that file is direclty sent to AL11 to the given path. My server is of 4.6c I had assigned file name to it . What I had observed in AL11 that along with the filename 4 characters sequential no is also assi