Authority Check to a Query

Similar Messages

• Authority-Check in ABAP Query

  Hello,
          I have a requirement to add authority check on two fields "Sales Organization" & "Plant" in a ABAP Query.
  Please let me know how can I do it?
  Will I be required to add some "Authority-check" code in sq02 or is there any button/checkbox available to do the same.
  Please let me know.
  Thanks in advance.
  Best regards,
  Tejas Savla

  Hi Ronak,
  Check this thread, this might help you.
  Authorisation on field
  Regards,
  Chandra Sekhar

• Authority check in infoset query for field with multiple entries

  how can i perform the authority check in sq02 "at selection screen" for a multiple entry field
  e.g. EKORG low  0001 - high  0005
  or EKORG 0001, 0004, 0005
  I already added the following statements
  How the field for EKORG check must be filled
  if EKORG is initial.
    message 'Bitte Einkaufsorganisation wählen' TYPE 'E'.
  endif.
  AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
           ID 'ACTVT' FIELD '03'
           ID 'EKORG' FIELD ?????.
  IF sy-subrc = 4.
    MESSAGE 'Keine Berechtigung für EKORG  sy-subrc 4'  TYPE 'E'.
  ENDIF.

  hi,
  which event do you use for your coding ?
  it must be AT SELECTION-SCREEN
  A.

• RE: Authority checks included in the info set of the query

  Hi all,
  I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
  how to find the Authority checks included in the info set of the query.
  Thanks in advance,
  Sun.

  If you have the BI support roles assigned to you  and the security admin  roles please login to the BI system
  execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
  For variables in authorizations like ( type customer exit )
  use RSECADMIN - maintain authorization tab - Click on value authorization tab.
  Keytransaction is RSECADMIN  & infoobject maintenance details you can get from RSD1.
  Regards

• Authority Check - Best Practice - Optimum Way

  Hi Experts,
  I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
  I am planning to create range tables and populate it with the authorized values and use it in the select queries.
  I have two concerns:
  1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
  2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
  What is the best practice or rule of the thumb that you have figured out.
  Thanks,
  Abdullah Ismail.

  Are they asking you to check the authorisations for each of the following?
  1.     Sales Organization
  2. Distribution Channel
  3. Division
  4. Sales Group
  5. Sales Office
  6. Sales Document Type
  7. Sales Country
  8. Material Group(Brands)
  If so that is completely over engineered and good luck with that.  Surely you only need to check at one level of the sales structure, the lowest level I would guess.  Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
  Therefore they auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you wonu2019t have that many appends and it wonu2019t add much to the time of the report.  While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
  Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
  If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
  Hope that helps,
  Tim

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Authority-check logic

  Hi ppl,
  I have a sales org field on the selection screen for which I have to check the authorization.
  The field name is s_vkorg (as a select-option).
  I am using the below logic to check for the sales org authorization:
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
             ID 'VKORG' FIELD s_vkorg
             ID 'VTWEG' DUMMY
             ID 'SPART' DUMMY
             ID 'ACTVT' FIELD '03'.
  My query is that will this logic check for all the sales orgs entered by the user OR should I loop at s_vkorg and write the logic as:
  loop at s_vkorg.
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
             ID 'VKORG' FIELD s_vkorg-low
             ID 'VTWEG' DUMMY
             ID 'SPART' DUMMY
             ID 'ACTVT' FIELD '03'.
  endloop.
  Please help.
  Thanks,
  Dawood.

  u have to do authorisation check aftr u have fetched all the sales organisation into one internal table..
  like..
  select vkorg from tvko
                     into table it_vkorg
                     where vkorg in s_vkorg.
  loop at it_vkorg into wa_vkorg.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
  ID 'VKORG' FIELD wa_vkorg-vkorg
  ID 'VTWEG' DUMMY
  ID 'SPART' DUMMY
  ID 'ACTVT' FIELD '03'.
  endloop.

• SQ02 AUTHORITY-CHECK

  Hello,
  I try to control the access of the financial center of the table FICTR by FMFCTRT function AUTHORITY-CHECK in Infoset (SQ02 TX).
  I assume that this code is correct:
  AUTHORITY-CHECK OBJECT 'F_FICA_CTR'
  'd FM_AUTHACT 'FIELD '03'
  'd FM_FIKRS 'DUMMY
  'd FM_FICTR 'FIELD' XXX '. "XXX is the selected variable in the selection that I can not recover !!!!!
  IF sy-subrc NE 0.
  write 'NO ACCESS'.
  LEAVE LIST-PROCESSING.
  ENDIF.
  If someone could tell me what section of code must be placed and whether the program is correct (no error generation).
  Knowing that when I go into the code AT SELECTION SCREEN, I am automatically redirected to the code DATA??
  And how to retrieve FM_FICTR has been selected to power the test.
  Thank you in advance for your answers!

  Use the logical database as the data source for the query:
  " < ... > you should always use logical databases as the data source within InfoSets that are used for query-based reporting. Using a logical database as your data source guarantees that the SAP solution is smart enough to know which areas of the data a user is allowed to see so that only the appropriate data will show in an SAP query report. Regardless of what type of security access the person who created the report has, the system is smart enough to display only the appropriate data for the user executing the report. (Note that this is the case only when logical databases are used as the data source if a SAP query is created using an InfoSet that is based on anything other than a logical database (for example, a table, a table join, a program). It is fair to say that no security whatsoever is in place when the query is run because all records within the tables are displayed in the report output.)"
  Edited by: Jelena Perfiljeva on Jan 20, 2009 5:15 PM
  Edited by: Jelena Perfiljeva on Jan 20, 2009 5:15 PM

• RRMX Authority check

  hi,
  There are two SAP BW systems , one with component SAP_BW SAPKW70017 (say B1) , and other one with SAP_BW component SAPKW70103 ( say B2)
  In B2 , When a user executes RRMX , it takes them to the Business explorer(excel sheet) , however it throws a message in the GUI that "No authorization to change role <role>
  Message no. S#423"
  This message is received as soon as you get the excel sheet opened .
  When further looked into the situation , seems like in B2 , the follwing select statement is executed ,( as soon as u execute RRMX)for checking the change access for all the users "assigned roles" ( I wonder why all roles?) with the object S_USER_AGr and throws the message when there is no 02 activity for any of the roles present with the user .
  SELECT agr_name FROM agr_users INTO l_agr_name WHERE uname = sy-uname.
      CALL FUNCTION 'PRGN_AUTH_ACTIVITY_GROUP'  -
  > "this further throws the message"
        EXPORTING
          activity_group = l_agr_name
          action_change  = 'X'
        EXCEPTIONS
          not_authorized = 12
          OTHERS         = 13.
      IF sy-subrc = 0.
        e_s_system_info-can_change_pfcg_roles = rs_c_true.
  Whereas in B1 (old release) no such message is thrown for the same user . seems there is no such change activity check in the begining?( not too sure) and only when the user clicks the Role option in Query dialog , S_USER_AGR is checked as per the ST01 trace.
  Is this a bug in SAP_BW 701 release ? If so , do you the SAP notes for correcting the same ?please reply at the earliest .Thanks in advance

  Some customers have S_USER_GRP actvt '02' in production environments for the RRMX "key" users who publish queries to be able to add them to the menu for the users. A change in authorization data might not be required, typically.
  But this "change" authority gives more access than just the menu, and the user will need other authorizations for S_USER_TCD and VAL as well.
  It has been replaced by the BEXWeb, which you should take a look into.
  As SAP "owns" the authority-checks in their programs, they seemed to have felt it appropriate to add the same check to RRMX for "key" users.
  > Is this a bug in SAP_BW 701 release ?
  I don't think it is a bug in BW 7.01. Arguably they could have added it earlier.
  There is an approach to control this via the sideinfo.dat file using the program ID of the query - but I guess few did that or even knew about it. It is not intuitive.
  Cheers,
  Julius

• Authority check at field level in sales order

  Dear all, our business requirement is the following:
  only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
  This means that for an order of sales group 'A':
  a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.
  I ask you if such a scenario can be realized in SAP.
  We currently run SAP ECC 5.0.
  thx all !
  bye Roberto

  Hi agree with Jan and Auke,
  To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
  But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
  If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
  Cheers,
  Julius

• Authority check on Creation of Purchase order usin badi BBP_ITEM_CHECK_BADI

  hi all,
  i have to apply authority checks on creation of Purchase order and shopping cart in SRM using badi BBP_ITEM_CHECK_BADI.
  i have applied checks on creation of shopping cart   using this badi which have some filters but how to apply on purchasing order using BBP_ITEM_CHECK_BADI.

  hi,
    You can use the BBP_DOC_CHECK_BADI.
  BR,
  Disha.
  Pls rewar points for useful answers.

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• Company code authority check

  Hi
  we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
  I searched thru forums and collected below points. but could not test it successfully.
  Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
  In su01 for my user no roles or profiles are defined.
  To do
  Trying to write  below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
  PBO & PAI
  *First statement
  Module Authorictycheck.
  module Authoritycheck
    LOOP AT EXTRACT.
      AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
                          ID 'ACTVT' FIELD '01,02,03'
                          ID 'BUKRS' FIELD ZTTL01-BUKRS.
      IF sy-subrc <> 0.
        MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
      EXIT.                          'access Bukrs'extract-bukrs.
      ENDIF.
    ENDLOOP.
  endmodule
  Can i use above code in PBO and PAI to check change of company code?
  I am sharing role and profile created by other user, which allows only company code 'A10'.
  How to test this now?
  se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
  Regards
  Chandra

  Hi Suhas
  Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
  Thanks for ur input.
  Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
  To achieve this can i use EVENT AA?
  I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
  FORM ZHIDE_COCODE.
  DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
  LOOP AT TOTAL.
  READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
  IF SY-SUBRC EQ 0.
  F_INDEX = SY-TABIX.
  ELSE.
  CLEAR F_INDEX.
  ENDIF. "(make desired changes to the line TOTAL)
  MODIFY TOTAL.
  CHECK F_INDEX GT 0.
  EXTRACT = TOTAL.
  MODIFY EXTRACT INDEX F_INDEX.
  *ENDIF.
  ENDLOOP.
  SY-SUBRC = 0.
  ENDFORM.
  I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
  Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
  what should be done now?
  Regards
  Chandra

• Authority check on company code

  Hi ,
        How i need to check whether the company codes in an internal table is having creation access to the particular user or not ?.
       In authority check what is  ACTVT - 01,02,03  signifies ??
  Thanks in adv.
  varma

  LOOP ...
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD T_COMP_CODES-BUKRS
  ID 'ACTVT' FIELD '01'.
  IF SY-SUBRC <> 0.
  move  w_COMP_CODES-bukrs to (itab1).
  ENDIF.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD T_COMP_CODES-BUKRS
  ID 'ACTVT' FIELD '02'.
  IF SY-SUBRC <> 0.
  move  w_COMP_CODES-bukrs to (itab2).
  ENDIF.
  ENDLOOP.
  Hence segregating all the Company codes as per the authorization.

• Authority check in hr payroll infotype report

  Hi all,
  We have developed a report which gives infotypewise employee details.here we are checking authority for reading employee data.we are applying authority check at selection-screen and while reading the data from database tables.following is the sample code.
  do .
  if  s_abkrs-high < s_abkrs-low.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-high
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
  exit.
  endif.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-low
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
    s_abkrs-low = s_abkrs-low + 1.
  enddo.
  my senior says this code is right but it is not checking authority for all infotypes.can anyone suggest what changes are required in this code so that it will check authority for all infotypes.
  Thanks in advance.
  Regards,
  Harshada

  Hi ,
        A select-option will have a structure with four fields (sign , option , low , high) .
        So if you want to use your below code : you cannot check authority.
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs  <-- is an internal table
  id 'ACTVT' field '01'
  id 'ACTVT' field '02'.
  if sy-subrc 0.
  message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
  endif.
  endloop.
  The other option is :
  If your select option has values only in low ... then you can loop thru it ...
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs-low
  endloop.
  Regards,
  Srini.