Authorization Check in BI7 using ABAP

Similar Messages

• Authorization check without using variable of type u0093Authorizationu0094

  In WEB-reporting we want to authorize on a navigational attribute without using the variable of type
  “ Authorization”. Why would we do this?
  1. In a lot of queries we have to replace the existing variable of type “User entry” to a variable of type “Authorization”. We would like to avoid this work.
  2. When the variable is not ready for input the Report will always include all the characteristic values for which the user is authorized. We don’s want this.
  3. When the variable is ready for input on the selection screen all the authorized values are displayed and the user is able to select / deselect the values he/she wants to report. In case of a lot of authorized characteristic values the screen does not appear user-friendly.
  What we want is a behavior like some parts of R/3. For example: Controlling Area X consists of the Costcenters C1000, C2000, C3000, C4000, C5000 and C6000. A particular user has authorization for Cost centers C1000, C3000 and C5000. When running a ABAP-report with Cosctcenters the user is able to select certain Costcenters. Three possibilities:
  1. The user selects Costcenter C1000, C3000 and / or C5000: the ABAP reports the selected Costcenters.
  2. The user selects Costcenter C2000, C4000 and / or C6000: the ABAP gives an error-message: “no authorization”.
  3. The user does not select any Costcenters: the ABAP reads all the Costcenters and reports – on the basis of the users authorization – only Costcenters C1000, C3000 and C5000.
  In term of BW: we would like to introduce authorizations for a specific InfoObject which is used as an navigational of an other InfoObject. In the queries a variable is used of the type “User entry”. The user can select one or more values on the selection screen; an authorization check is fulfilled. He may – however – choose to leave the selection field empty; in this case the OLAP processor should report only the authorized values (in our case the last situation results directly in an error-message “no authorization”).
  Anyone has a suggestion?
  Thx in advance,
  Henk

  If you change the variable to type exit, and user input enabled, you can then build your logic in the user exit.
  If users have entered unauthorised values, it will be checked (by the system??). If this assumption is correct then all you need to do in your exit is to continue with the values entered by the user; and in case user has entered no values, populate the variable with values valid for the user (by reading the user authorization and corresponding charactertistics values and moving these to the variable).
  --> Adding further
  Since the authorization will not be checked by the system (I missed that these are not of authorization type variables), user exit will need to do this check. The logic for doing authorization checks / error messages / restricting based on authorizations - will have to be done in the user-exit.
  cheers,
  Message was edited by: Ajay Das

• Abap programe 'AUTHORIZATION-CHECK'

  What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

  Hi,
  You can navigate to the Code this way
  1)
  SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
  "Authority-Check" this displays you whatever entries are there in the code.
  This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
  2)On the other hand if you know the program then go to
  SE38> enter the program name> Select Source Code> Press Display>
  and from there search with the string mentioned above justlike the case mentioned above...
  Hope this helps
  Regards,
  Manohar

• How to find which custom program uses authorization checks

  Hi all,
  I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
  Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
  Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
  Many thanks,
  Aldo

  If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
  Below SAP documentation may help you:
  Authorization Group
  Authorization group to which the program is assigned.
  The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
  Execute a program
  --> Authorization object S_PROGRAM
  Edit a program (-Include) in the ABAP Workbench
  --> Authorization object S_DEVELOP
  Programs that are not assigned to an authorization group are not protected against display and execution.
  Security-related programs should, therefore, always be assigned to an authorization group.
  Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

• In ecatt - how to check at database level using ABAP

  Hi,
  How to check at database level using ABAP in Ecatt tool.
  say,for example I want to check a particular sales order is invoiced or not ,at the database level and if it is invoiced I have stop proceeding to invoicing of that sales order number.
  Could anybody suggest on this with an example?
  thanks.

  Hi,
  you can use the command GETTAB to access single db records.
  Full specified or partitial specified keys can be use at GETTAB. It will return always only one record, also if a couple could match your selection.
  For more advanced scenarios you can also use eCATTs Inline ABAP. In a block between the commands ABAP. ENDABAP. you can code ABAP statements, e.g. SELECT ... INTO TABLE ...
  eCATT script parameters of type 'V' defined in that script using ABAP/ENDABAP will be transfered into the ABAP block and back to script after ABAP perform.
  Best regards
  Jens

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd

• ABAP: Modify PA infotype without authorization check

  Hello everyone,
  Short version:
  I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
  Does anybody know a solution?
  Long version:
  We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
  So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
  The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

  ECM stands for Employee Compensation management and is one of the SAP HR module.
  But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
    Employee Infotype
    Description
  0758
  Compensation Program
  0759
  Compensation Process
  0760
  Compensation Eligibility Override
  0761
  LTI Granting
  0762
  LTI Exercising
  0763
  LTI Participant Data

• Populate user exit Variable with User Authorizations using ABAP?

  Hi, Does anyone know of a way to populate a user exit variable (with ABAP) with the Authorization Values for a user running a report?  I am turning off authorizations for our InfoProvider using RSSM and want to populate a variable instead and use the variable as a filter.

  Hi Kenneth ,
  You need dynamic authorization in your report .This can be done at query runtime by using exit variable and writing cmod code for the same .
  This code will read authorization maintained at runtime of query in i_step = 1 and will pass input var values accordingly .
  For step by step information you can access this document .
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0f9f33c-0f17-2d10-d3a2-ae52ccd00780?quicklink=index&overridelayout=true
  Hope this will be helpful .
  Regards,
  Jaya Tiwari

• Authorization check using FM /SAPAPO/MCP_PERMISSION_CHECK2

  Hi All,
        I have to perform the Authorization check using FM /SAPAPO/MCP_PERMISSION_CHECK2 based on 2 characteristics.
  What will be the inputs to the FM. Please tell with an example as in SE37 it is giving permission check parameter as 'X' even if I dont enter any value in the input
  Win full points for the answer.
  Best Regards,
  Chandan Dubey

  Hi Chandan,
       If you go through the function module the export parameter e_permission is marked as 'X' in the first line i.e before processing the code. Then it loops at table T_BOBJECTS ( need to pass the Name of Authorization Object). So if u don't have the authorization, then parameter e_permission is modified as space (Which means u don't have the authority). So when u test the function make sure that u pass the corresponding Authorization Object. If you execute just without passing any parameter u always get 'X' for the parameter e_permission. Let me know if you have further queries.
  <u>Test Data :</u>
  Fill the T_BOBJECTS (I think in your case it's 'C_APO_IOBJ'..... just make sure of it),
  i_actvt ,
  01     Create or Generate
  02     Change
  03     Display
  06     Delete
  16     Execute                                                                 
  i_pareaid,
  i_keyfigure2.
  Regards,
  Siva.

• Hierarchy authorization pbm in BI7.0 with Front end of BW3.5

  Hello All,
  We have a problem regarding authorizations for the hierarchies in BW7.0
  We have migrated from BW3.1 to BW7.0. Authorization are OK in our BW3.1 server, the authorization on hierrachy work well.
  Current Issue (in BI7.0) :
  An authorization object for XCOMPROD for a hierarchy 'ZMAT_HIER'.
  There are 2 queries which have variables of XCOMPROD & ZCOMPROD in selection criteria, ZCOMPROD has variable of type 'Hierarchy node'
  I've a test_user which has authorization on Product Group 5 (one of the nodes in the hierarchy-ZMAT_HIER).
  When i run the queries independently with this test_user, the user has access to Group 5 only, which is correct. 
  When i run a web template report with any one query (from the 2 queries), the user has access to Group 5 (as in first case) - correct.
  However when i run a web template report having above 2 queries together, the authorization fails, as user gets access to root node (instead of only Group 5).
  FYI, we're using BW3.5 front end (no PORTALS)  with the OLD authorization concept (of BW3.1).  Not 'Analysis Authorization' as in BI7.0.
  Looking forward to an explanation/solution to the above.
  Regards,
  Nagendra.

  Hi,
  Check out the customization of SPRO to select the authorization concept. I suspect that it's set on the new authorization concept.
  Tomer.

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Authorization Check for Special Stock Indicator in IE02

  Dear Gurus,
  Would like to check with you if there is an authorization check for change in Special Stock Indicator in IE02-SerData Tab?
  For example, the User will only be allowed to change the Special Stock Indicator only to "E" - Sales Order.
  Would appreciate your help.
  Thanks.

  Hi,
  This cannot be done by using standard auth object. Standard SAP doesnt support control via this field.
  Take help of your ABAP team and create an customized authorization object "Z_OBJECT" with field SOBKZ and which check these field value in table EQBS. Assign this auth object to role and profile you want.
  Use the user exit IEQM0003 Additional checks before equipment update. Give a logic to check auth object when while using equipment change tcode.

• Authorization check

  Hi ,
  i new to authorization so i need help ,
  i go to transaction SU21 and i choose some object for example:
  Object R_CPM_BSC
  Text Authorization Object SEM: BSC Elements
  Class SEM Strategic Enterprise Management*
  Author STASTNY
  Field name Heading
  SEMSCARD Scorecard
  SEMOBJTYPE Scorecard Elements: Object Type
  SEMOBJKEY Scorecard Elements: Object Key
  ACTVT Activity
  And when i push on permitted activities i get:
  R_CPM_BSC Authorization Object SE
  ACTVT Activity
  activists
  01 Create or generate
  02 Change
  03 Display
  04 Print, edit messages
  1. i have always just permitted activities for ACTVT ?
  if i wont that user just have display Authorization how i have to write it like below?
  AUTHORITY-CHECK OBJECT R_CPM_BSC
  ID ACTVT FIELD '03'
  thats it i don't use the other fields?
  Regards

  Hi,
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Vikranth