Authority Check issue

Similar Messages

• Authority CHeck VK11

  Hi Guru's,
  I want to have a authority check for  table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
  I know how to create the authorisation object and also tested a sample code for a z-report .
  I want the details how to apply it to a standard program. Please guide me for this issue.
  Thanx in Advance,
  Arcahan

  Hello ,
  I will elaborate my requirement.
  See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
  The possible value's for komg-kbstat are as mentioned -
  >  01-blocked  , 02 - Released
  Now  I want the User ' XYZ' should have the authority to block only and not to release.
  Regards,
  W. Archana

• Authority-Check

  Hi All..
  My requirement is to incorporate the Authority-Check for Sales Organization field ( VBAK-VKORG) inthe selection screen. In the meanwhlie, i should restrict further processing of Report, if unauthorized Sales Organzations.
  Please help me in explaining the meaning of above requirement and can any one give me the code sample for this..????
  Its urgent issue and kindly request you to help me out...

  Hi Pavan
    Have made some changes to the code. Please check the same.
    DATA: BEGIN OF lt_tvko OCCURS 0,
            vkorg TYPE vkorg,
            bukrs TYPE bukrs,
          END OF lt_tvko.
    SELECT vkorg bukrs FROM tvko INTO TABLE lt_tvko
      WHERE vkorg IN lr_vkorg.
    IF sy-subrc NE 0.
      MESSAGE e085(wv).
    ENDIF.
  * Check all retrieved co.codes
    SORT lt_tvko BY bukrs.
    DELETE ADJACENT DUPLICATES FROM lt_tvko COMPARING bukrs.
    LOOP AT lt_tvko.
  *   Error Message: No authorization for sales organization &1
      PERFORM f_bukrs_auth_chk_p USING lt_tvko-bukrs 'ICC_FI_CN' 'E' '010'
                                       lt_tvko-vkorg '' '' ''
                              CHANGING sy-subrc.
      if sy-subrc ne 0.
         delete lt_tvko.
      endif.
    ENDLOOP.
  ranges: r_vkorg for tvko-vkorg.
    if lt_tvko[] is initial.
  Message eooo(00) with ‘No authorization for any Sales Org input’.
    else.
       r_vkorg-sign = 'I'.
       r_vkorg-option = 'EQ'.
       loop at lt_tvko.
            r_vkorg-low = lt_tvko-vkorg.
            append r_vkorg.
       endlloop.
    endif.
  FORM f_bukrs_auth_chk_p USING value(lc_bukrs) TYPE bukrs
                                value(lc_msgid) LIKE sy-msgid
                                value(lc_msgty) LIKE sy-msgty
                                value(ln_msgno) LIKE sy-msgno
                                value(lc_msgv1)
                                value(lc_msgv2)
                                value(lc_msgv3)
                                value(lc_msgv4)
                       CHANGING p_subrc.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD lc_bukrs
      ID 'ACTVT' FIELD '03'.
    p_subrc = sy-subrc.
  ENDFORM.                    "f_bukrs_auth_chk_p
  Now range
  r_vkorg will have the list of authorized sales organizations. You can use it as the select-option for further processing. 
  Am not on SAP, have just coded from notepad. Please bear incase of any syntax errors.
  Kind Regards
  Eswar

• AUTHORITY-CHECK always Return sy-subrc 0

  Hi,
  I have created a Authorization Object  'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.
  When in Report program I do a check:
  AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
           ID 'USER' FIELD l_syuname .
  But the AUTHORITY-CHECK return 0 for all User IDs.
  Pls help what could be the Issue.
  Thanks
  Mohammed

  Hi,
  May be you would need to change the auth object and add the following two fields:
  REPID        ABAP Program Name
  ACTVT      Activity
  allowed values for ACTVT :
                               01     Create or generate
                               02     Change
                               03     Display
                               16     Execute
  In the code you can check
  AUTHORITY-CHECK OBJECT   "OBJECT_NAME"
                        ID   'ACTVT'  FIELD '16'.
                        ID   'REPID'  FIELD sy-cprog.
  Hope it helps.
  Anju

• Authority Check - Best Practice - Optimum Way

  Hi Experts,
  I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
  I am planning to create range tables and populate it with the authorized values and use it in the select queries.
  I have two concerns:
  1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
  2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
  What is the best practice or rule of the thumb that you have figured out.
  Thanks,
  Abdullah Ismail.

  Are they asking you to check the authorisations for each of the following?
  1.     Sales Organization
  2. Distribution Channel
  3. Division
  4. Sales Group
  5. Sales Office
  6. Sales Document Type
  7. Sales Country
  8. Material Group(Brands)
  If so that is completely over engineered and good luck with that.  Surely you only need to check at one level of the sales structure, the lowest level I would guess.  Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
  Therefore they auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you wonu2019t have that many appends and it wonu2019t add much to the time of the report.  While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
  Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
  If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
  Hope that helps,
  Tim

• Authority-Check in UPDATE TASK CALL

  Hi Gurus,
  Does anybody know, from the Technical point of view, if there is any special issue with an Authority-Check put in a user-exit called in UPDATE TASK?
  Thanks & Regards
  Ernesto.

  Hello Michael,
  Thank you for your reply. I was asking this because I have a problem regarding an Authority Check and I do not know what the problem is. In user exit EXIT_SAPLL03T_002 (executed in Update TASK) I want to check for Storage Type condition from the object L_LGNUM. The user that executes LT12 transaction has one role only that has object L_LGNUM like this:
  Object L_LGNUM
  Warehouse Number - LNUM = 200
  Storage Type - LGTYP = 100, 200, 300, 400, 500, 600, 700, 800
  The two checks I am doing are:
    Check Source Storage Type
      AUTHORITY-CHECK OBJECT 'L_LGNUM'
               ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
               ID 'LGTYP' FIELD ls_ltap_vb-vltyp (902)
      Check Destination Storage Type
        AUTHORITY-CHECK OBJECT 'L_LGNUM'
                 ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
                 ID 'LGTYP' FIELD ls_ltap_vb-nltyp (002)
  And for no reason SAP doesn't return sy-subrc NE 0 when it should. I've checked the role and it has no conflict with another one as it is the only role the user has. Any idea?
  Thanks & Regards
  Ernesto

• Info about AUTHORITY-CHECK

  Hi all.
  in CJ02 I have this autorization check:
  AUTHORITY-CHECK OBJECT 'C_DRAD_OBJ'
               ID 'ACTVT' FIELD lt_display-mode        
               ID 'DOKOB' FIELD object
               ID 'STATUS' FIELD ls_draw-dokst
               ID 'DOKAR'  FIELD ls_draw-dokar.
      IF sy-subrc <> 0 .
  no AUTHORITY
  the sy-subrc is <> 0. how can I see the data into this object? can i add data into?

  Hi Fabrizio,
  1. This is a normal
     'authorisation not there'
    issue.
  2. Contact your basis team
     and they will help out
     by assigning the values
     for the particular auth object
     for the required profile
     for the particular user !
  regards,
  amit m.

• LB13 add authority check

  Hi,
  I want to add an authority check on movement type using transaction LB13 and then create TO (both background as foreground) .
  Are there any user-exits / BADI's avaibalbe to build in an extra check, which allow error messages and will be passed using LB13?
  It seems that the only user-exit that is passed is EXIT_SAPML03T_002 but if I add an error message in this exit, it will end in an internal error, which of course I don't want to.
  kind regards
  Maarten

  Hi ,
  I don't know that you already resolved this issue. Any way try creating custome Authorization for plant and use it
  Create  Z_IS_WERKS with following authorization fields and assign permited value '03' for field ACTVT.
  ACTVT     Activity
  WERKS     Plant
  Use this code.
  AUTHORITY-CHECK OBJECT 'Z_IS_WERKS'
                 ID 'ACTVT' FIELD lv_display
                 ID 'WERKS' FIELD zmapw-werks.
  Regards,
  Babu

• Authority-check for a particular company code

  Hi,
     I need to check authorization for a particular company code.In my bdc call transaction program i'm fetching mass data from excel file and for every record i've to check the company code field.If the company code is not the required one then that record should not be processed.
    So before filling the bdc data i wrote like
  LOOP AT gt_inrec INTO gs_inrec.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                 ID 'ACTVT' field '02'
                 ID 'BUKRS' field '2800'.
      IF NOT sy-subrc = 0.
        MESSAGE e058(zz) WITH gs_inrec-bukrs.
        EXIT.
      ENDIF.
       PERFORM fill_bdc.
    ENDLOOP.
  but it is not exiting for different company codes and is allowing records with all company codes.
  can anybody pls tell me how to rectify this?
  thanks in advance,
  poornima

  I need to perform authority check on the field NAME1 present in the standard screen - customer master ( T.Code-XD02). Only certain users should be allowed to edit the field and others should be restricted.
  I have created a field exit FIELD_EXIT_AD_NAME1 for the ADRC-NAME1 field.
  Now inside this field exit i need to write the authority-check code.
  I have created the authorisation object Z_KNA1_NAM for the field NAME1 using the SU20 and SU21.
  For this scenario how do i write the authority-check code in my field exit?
  Below is my field exit code,is that correct?
  FUNCTION FIELD_EXIT_AD_NAME1.
  ""Local Interface:
  *" IMPORTING
  *" REFERENCE(INPUT)
  *" EXPORTING
  *" REFERENCE(OUTPUT)
  AUTHORITY-CHECK OBJECT 'Z_KNA1_NAM'
  ID 'NAME1' FIELD SY-UNAME
  ID 'ACTVT' FIELD '03'.
  IF SY-SUBRC = 0.
  MESSAGE 'Not Allowed to Edit the Name 1 Field' TYPE 'E'.
  ENDIF.
  ENDFUNCTION.
  In the above code i have given SY-UNAME in the code line 2 - ID 'NAME1' FIELD SY-UNAME ,is that correct? what should i give there?
  Please help me on this issue.
  Cheers,
  P.S.Chitra

• Urgent(Authority-check)

  HI Gurus..
  I have used PNP L.database.
  But i have used few select statements to read data from infotypes.
  do i need to do authority check separately
  or L database will take care of it.
  Please provide me with the acurate answers.. as its an urgent issue..

  To create authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you can to create both object and class.
  While defining the object you will have to provide what fields will be in this object. For example if i am creating a custom object to be used in SD based on customer and plant, i would include fields such as KUNNR and WERKS in my authority object. In addition to that if i also want to check for display/change/create access, i would also add a field called ACTVT (activity).
  Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values like for display only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache )
  You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values(say Actvt 03 customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0 means the authority check is OK, the user has the authorization.
  I think this will give you an idea on how to proceed.
  Cheers

• Cross company payment through F-53, error in Check deposit & check issue tr

  Hi
  I have just joined the community and ready with 3 queries.
  Please.......... help me to resolve.
  i) While executing the cross company payment ( company code 1300 making payment for vendor in company code 0013) using transaction code F-53, I am getting error 'vendor not defined in company code 1300'.
  For F-53 screen, vendor is selected from company code 0013.
  I have executed APP (F110) successfully in company code 1300 for paying the same vendor in company code 0013.
  ii) For check deposit transaction, error is " entry 1300 is missing in table TO43S'. (1300 is a company code)
  iii) For check issue transaction, error is "no batch input data for screen SAPMF05A'
  Thanks
  Rekha

  1. Don't give vendor number in the main screen, give all remaining inouts and press enter, then it'll show the second screen
  there you can give the company code and vendor account.
  2.  Cretae a tolerance group for GL accounts in OBA0.
  Don't post more than one query in the same thread.
  Rgds
  Murali. N

• Authority check at field level in sales order

  Dear all, our business requirement is the following:
  only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
  This means that for an order of sales group 'A':
  a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
  I ask you if such a scenario can be realized in SAP.
  We currently run SAP ECC 5.0.
  thx all !
  bye Roberto

  Hi agree with Jan and Auke,
  To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
  But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
  If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
  Cheers,
  Julius

• Authority check on Creation of Purchase order usin badi BBP_ITEM_CHECK_BADI

  hi all,
  i have to apply authority checks on creation of Purchase order and shopping cart in SRM using badi BBP_ITEM_CHECK_BADI.
  i have applied checks on creation of shopping cart   using this badi which have some filters but how to apply on purchasing order using BBP_ITEM_CHECK_BADI.

  hi,
    You can use the BBP_DOC_CHECK_BADI.
  BR,
  Disha.
  Pls rewar points for useful answers.

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• Company code authority check

  Hi
  we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
  I searched thru forums and collected below points. but could not test it successfully.
  Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
  In su01 for my user no roles or profiles are defined.
  To do
  Trying to write  below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
  PBO & PAI
  *First statement
  Module Authorictycheck.
  module Authoritycheck
    LOOP AT EXTRACT.
      AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
                          ID 'ACTVT' FIELD '01,02,03'
                          ID 'BUKRS' FIELD ZTTL01-BUKRS.
      IF sy-subrc <> 0.
        MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
      EXIT.                          'access Bukrs'extract-bukrs.
      ENDIF.
    ENDLOOP.
  endmodule
  Can i use above code in PBO and PAI to check change of company code?
  I am sharing role and profile created by other user, which allows only company code 'A10'.
  How to test this now?
  se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
  Regards
  Chandra

  Hi Suhas
  Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
  Thanks for ur input.
  Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
  To achieve this can i use EVENT AA?
  I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
  FORM ZHIDE_COCODE.
  DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
  LOOP AT TOTAL.
  READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
  IF SY-SUBRC EQ 0.
  F_INDEX = SY-TABIX.
  ELSE.
  CLEAR F_INDEX.
  ENDIF. "(make desired changes to the line TOTAL)
  MODIFY TOTAL.
  CHECK F_INDEX GT 0.
  EXTRACT = TOTAL.
  MODIFY EXTRACT INDEX F_INDEX.
  *ENDIF.
  ENDLOOP.
  SY-SUBRC = 0.
  ENDFORM.
  I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
  Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
  what should be done now?
  Regards
  Chandra