Authority-check problem

Similar Messages

• Problem with authority check

  in the USEREXIT_NUMBER_RANGE program RV60AFZZ, we have an authority check
  AUTHORITY-CHECK object 'F_BKPF_BUP'
          id 'BRGRU' field t001b-brgru. 
  This check is not working in the user exit. however when i created a test program to test the syntax for the authority check, it is working fine.
  Can anyone let me know what the problem can be?

  Hi,
  Check the fields whether they are having the values or not
  also check the sy-subrc authority check.
  Thanks
  Shiva

• Urgent! Problem with authority-check

  Hi all,
  I encounter some wierd scenario with authority-check.
  I try to run IW41 (create order confirmation) and the following authority-check
  AUTHORITY-CHECK OBJECT 'C_AFKO_ATY'
         ID 'ACTVT' FIELD TMP_ACTVT
         ID 'AUTYP' FIELD ACT_AUTYP.
    IF NOT SY-SUBRC IS INITIAL.
      MESSAGE E124 WITH SY-TCODE RAISING MISSING_AUTHORITY.
    ENDIF.
  was successful. However, when i try to run the FM CO_RI_CONFIRMATION_CREATE (use to create order confirmation), the exact same code is run and when i reach the above authority-check, it fails even if all the variable passed to the check is the same.
  How can this happen? I need some help. Very urgent.

  Hi Mil,
  Check the values of TMP_ACTVT and ACT_AUTYP for both the cases.
  May be they are different.
  Reward points if useful.
  Regards,
  Atish

• Web Service Homepage: Authority check failed

  Dear Colleagues,
  I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
  Authority check failed
  Are there any prerequisites I maybe do not accomplish?
  (I tested a very similar web service in another system, and there it works)
  Here are some more information about my service:
  - Service was build with Web Service Wizzard out of a function module
  - Here you can see the conversation resulting of the test:
  POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
  Host: bsl8011.wdf.sap.corp:50073
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Cookie: <value is hidden>
  Cookie: <value is hidden>
  Authorization: <value is hidden>
  Content-Length: 381
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
  <INPUT>TEST</INPUT>
  </ns1:Z_TEST_WS_CONFIG>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  HTTP/1.1 500 Internal Server Error
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
  server: SAP Web Application Server (1.0;700)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
  <soap-env:Fault>
  <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
  <faultstring xml:lang="e">Authority check failed</faultstring>
  </soap-env:Fault>
  </soap-env:Body>
  </soap-env:Envelope>
  The WSDL-Document looks as follows:
  <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
  Can anyone help me, I have no Idea
  Message was edited by: Hans-Peter Bauer

  The message server defined in the SAP-Logon is us4278.wdf.sap.corp
  But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
  But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.
  For better illustration I made some screenshots for you:
  1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
  2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
  3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
  What can be wrong, if the error "n0:FailedAuthentication" appears?
  Regards,
  Peter
  Message was edited by: Hans-Peter Bauer

• PNP authority check

  Hi all,
  I have a problem with authority check in a report.
  I have to access to a field in an infotype and subtype.
  I have all authorizations for this subtype and infotype.
  I'm trying to retrieve this data from an employee, but this employee has informed another subtype in this infotype where I haven't permisions.
  As in the source code there aren't access to this subtype where I haven't permisions, I found that the systems make it's authority check before the START-OF-SELECTION in class CL_HRPAD00AUTH_CHECK_STD, method IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION.
  The system takes the employee number, gets all its informed infotypes and subtypes and perform the authority check for my user, so I can't access to this employee information.
  I think this authority check is made by the use of PNP logical database.
  Is there any way to avoid this authority check?
  Regards,
  Angel Cepa

  Hi Angel Cepa,
  first of all: maybe you can use logical database PNPCE, because PNP is obsolet.
  Anyway, please refer to the documentation of PNPCE (transaction SE36), that may solve your problem.
  PNP/PNPCE knows two ways to check authority:
  1. If no authorization exists for even one individual data record of one of the infotypes used, processing of the personnel numbers is terminated by default (switch "PNP_SW_SKIP_PERNR" = Y)
  2. If you set this switch (at the INITIALIZATION or START-OF-SELECTION events) to N, no more personnel numbers (without authorization) are skipped. Only the data records for which no authorization exists are rejected (that is, not made available).
  So, simply set the switch, mentioned above, to "N" and you will have access to this employee (except the infotype-records, you don't have authority for).
  Regards
  CHRIS

• AUTHORITY-CHECK & customized program

  Hi,
  I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
  DATA: text      TYPE string,
            m_text  TYPE string.
  text = 'You are not authorised for Company Code'.
  DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
  SELECT * FROM t001
         INTO TABLE t_t001
               WHERE bukrs IN s_bukrs.
  LOOP AT t_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
        ID 'BUKRS' FIELD t_t001-bukrs
        ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
    ENDIF.
  ENDLOOP.
  At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
  Haryati

  Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

• AUTHORITY-CHECK for KUNNR

  Hi,
  I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
  Currently i am using the following code.
    UNPACK p_kunnr TO ws_werks.
    AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
             ID 'ACTVT' FIELD '01'
             ID 'WERKS' FIELD ws_werks.
  But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
  Regards,
  Pankaj Aggarwal

  Don't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
  - SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
  - SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
  - Use the new object in your program
  - Give the object name to those who manage roles via PFCG
  Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
  Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
  Regards,
  Raymond

• Authority Check Failed

  I have created a Web Service for a Function Module in ECC 5.0. I was able to generate the proxy using SE37--> Web Wizard. I can see the Web Service in WSADMIN, WSCONFIG, SICF. 
  I am using the WSADMIN and Test Tool to generate a request for testing the proxy hosted on my ECC 5.0 system. I am finding this particular error relating Authorization. We have granted most of the Authorzations. Any Clue on how to resolve?
  Request Object
  POST /sap/bc/srt/rfc/sap/ZWS_CONCATENATE_STRING?sap-client=100 HTTP/1.1
  Host: sapdbs.foxboro.com:8000
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Authorization: <value is hidden>
  Content-Length: 559
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Header><sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/"><enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body><ns1:Ztest4 xmlns:ns1='urn:sap-com:document:sap:soap:functions:mc-style'><Par1>str1</Par1><Par2>str2</Par2></ns1:Ztest4></SOAP-ENV:Body></SOAP-ENV:Envelope>
  Response Object
  HTTP/1.1 500 Internal Server Error
  Set-Cookie: <value is hidden>
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20091117/102452/v1.00_final_6.40/4B02B94392E30041000000000A9BAC6E
  server: SAP Web Application Server (1.0;640)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><soap-env:Fault><faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode><faultstring xml:lang="e">Authority check failed</faultstring></soap-env:Fault></soap-env:Body></soap-env:Envelope>
  Thanks.

  Hi,
  This means your userid/password don't have sufficient authorization.
  do following:
  - Grant following authorization using SU01 : *WEBSERVICE* (search for all role with webservice)
  - If above doesn't work then check if your user exist in visual admin secure store (java side). Usually visual admin secure store point to ABAP client for user sync but it is possible it is not configured to right client (instead pointing to client 001).
  - check service with third party tool like SOAP UI (provide ur userid/password as well) - if it is working from here then it means you have problem with userid on java side (use visual admin to troubleshoot).
  Regards,
  Gourav

• How to make Authority Check for ALVGrid?!

  Hey mates,
  i got the problem which is mentioned in the headline. How can i make an authority check for my ALVGrid? I mean i want to restrict special functions to the matching users ( Display, Edit, Delete mode ).
  Would be cool if someone can help
  Regards Basti

  Hello Bastian
  A simple approach would be to define three different transactions (e.g. Z_MYALV01, Z_MYALV02, Z_MYALV03) for editing/deleting, editing only and displaying only. Add the following coding to the report displaying your ALV grid:
    CASE syst-tcode.
      WHEN gc_tcode_create.    " 01
        " Allow all grid functions
      WHEN gc_tcode_change.  " 02
        " Suppress grid functions for deleting rows
      WHEN gc_tcode_display.  " 03
        " Suppress grid functions for editing/deleting
      WHEN others.
        RETURN.
     ENDCASE.
  Regards
    Uwe

• About authority-check object 'M_MATE_WGR'

  hi all
        I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
  Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
  After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
  Thank you in advance .
  Nick

  You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
  Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
  Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
  Hope that helps.

• Authority-Check in UPDATE TASK CALL

  Hi Gurus,
  Does anybody know, from the Technical point of view, if there is any special issue with an Authority-Check put in a user-exit called in UPDATE TASK?
  Thanks & Regards
  Ernesto.

  Hello Michael,
  Thank you for your reply. I was asking this because I have a problem regarding an Authority Check and I do not know what the problem is. In user exit EXIT_SAPLL03T_002 (executed in Update TASK) I want to check for Storage Type condition from the object L_LGNUM. The user that executes LT12 transaction has one role only that has object L_LGNUM like this:
  Object L_LGNUM
  Warehouse Number - LNUM = 200
  Storage Type - LGTYP = 100, 200, 300, 400, 500, 600, 700, 800
  The two checks I am doing are:
    Check Source Storage Type
      AUTHORITY-CHECK OBJECT 'L_LGNUM'
               ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
               ID 'LGTYP' FIELD ls_ltap_vb-vltyp (902)
      Check Destination Storage Type
        AUTHORITY-CHECK OBJECT 'L_LGNUM'
                 ID 'LGNUM' FIELD i_ltak_vb-lgnum (200)
                 ID 'LGTYP' FIELD ls_ltap_vb-nltyp (002)
  And for no reason SAP doesn't return sy-subrc NE 0 when it should. I've checked the role and it has no conflict with another one as it is the only role the user has. Any idea?
  Thanks & Regards
  Ernesto

• Authority check on WAD with testuser-id in SingleSignOn-Environment

  Hello,
  i want to check some changes i have made in rsecadmin.
  i want to proof the changes with our testuser-id (xy_test).
  the problem is, that i want to check the changes in an Webapplication (WAD) in a SSO-Envirnoment.
  Everytime i open the link to the specific Webappliction the system is login in with my user-id (xy).
  I have no idea how to logon with the credentials of my testuser.
  Anyone some ideas?
  every hint is wellcome
  best regards
  Oliver

  Hi
  use without qoutes if it is a variable .
  AUTHORITY-CHECK OBJECT 'B_USERSTAT'
  ID 'ACTVT' FIELD '02'
  ID 'BERSL' FIELD ZWP_CCS
  ID 'STSMA' FIELD ZS_IRC.
  and
  if sy-subrc <> 0.
  message " error ".
  endif.
  reg
  Ramya
  Edited by: Ramya S on Dec 31, 2008 5:43 AM

• Authority Check to a Query

  HELLO,
  I am trying to introduce an authority check in a query, to do this I use the SQ02 transaction but I have 2 problems:
  1.- I can't change the At selection-screen module
  2.- If I change the Start Of Selection, then I save the code and finally I generate the infoset but I can`t see the modifications in the query.
  Do you Know what can I do to solve this problem?
  Thanks

  I think you don`t understand me.
  I have put ZTCO_SOLTRAS_CAB-BUKRS in the GoTo ..., it works correctly, but it is not my problem. My problem is:
  before I modified the query, the query read the field SP$00001(a select options) and get all the bukrs between the SP$00001-low and the SP$00001-high . Then I had to put a new field s_bukrs in the selection screen and now the user put the bukrs in muy new field, in that way I can check the authrity perfectly; so up to now all is correct...
  but the problem arrives in order to show the query results,  it doesn't matter what values fill the user in my field (s_bukrs) because the query still uses the SP$00001 field to filter data.
  An example:
  The user introduces the values 'A41' in the SP$00001-low and 'A43' in the SP$00001-high.
  I get those values and I check the authority. Imagine tha the user can see all the bukrs and the query goes on.
  Here is the problem!!!!!!!!!!! The query continuous (and it was code so) and in order to show the bukrs, goes to the field SP$00001 to filter data.( I can´t modify this code....) SP$00001 is empty so the query shows all the bukrs and the user only want to see bukrs between A41 and A43
  Do you understand me now?
  Thanks a lot, yo are helping me a lot!

• User Exit for Cost Center authority check in reservation & service entry sh

  Hi,
  We want to have cost center authority check in reservation & SES. Whcih exit should we use for this purpose.
  BTW, we tried the same in SES via the user exit  “SRVREL” componet “EXIT_SAPLEBND_003 for Change to Comm. Structure for Release Strategy Determination” in the include “ZXMLUU10” . Since then the Release strategy for SES is not effecting . Even after blocking the entire code by commenting it, the strategy is not effective. We are able to accept the SES using the Flag Button but without any strategy. How to revive the release strategy.
  Thanks & regards,
  KT Varkey

  Hi Ramki,
  Thanks for the advice. The problem is solved except that for Cost Centre authority check for SES. Tried SRVESLL but it doesn't work. Any other exit or any specific advice to make SRVESLL work for KOSTL check.
  Best regards,
  KT Varkey

• Authority check at field level in sales order

  Dear all, our business requirement is the following:
  only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
  This means that for an order of sales group 'A':
  a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
  I ask you if such a scenario can be realized in SAP.
  We currently run SAP ECC 5.0.
  thx all !
  bye Roberto

  Hi agree with Jan and Auke,
  To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
  But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
  If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
  Cheers,
  Julius