Authorization check in Enhancement
Hi,
i do Enhancement for BW and my customer tell me that he
wont to check if user have authorization to watch the data.
1. i can do that?
2. what i have to check ,
i see the code :
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
what i have to put in object and what in name1 & and name2....
Regards
Hi friends,
any idea?
Regards
Similar Messages
-
Hi..
We have business requirement where cetain users are only allowed for certain material groups.
Say user1 can access only material groups grp1 and grp3.
Can we have a authorization check for material group in the purchase order ??.
I suppose only plant , doc type , p-grp and P-Org are only checked for authorization in ME21N.
I tried the following things ..
- Created a object class and object.
- Added this object to T-code ME21N (SU22).
But it was not working.
How do we handle this authorization check for material group.
Thanks in Advance.You can add authorization for material group using this way :
Put this code in program ZXM06U43.
LOOP AT tekpo INTO l_ekpo.
AUTHORITY-CHECK OBJECT 'M_MATE_WGR'
ID 'BEGRU' FIELD D_BEGRU.
If SY-SUBRC NE 0.
MESSAGE E002(zz) with 'You are not authorized with Material Group'
T_EKPO-MATKL.
Endif.
ENDLOOP.
Then activate enhancement MM06E005 using SMOD or put it in your CMOD project -
Putting Authorization Check in MM03 Material Dimension
Hi Experts,
I want to put a authorization check to stop unauthorized users from getting specific material details (or even looking at specific materials) via MM03. I've put break points at all the 3 enhancement points (MGA00001, MGA00002, MGA00003) available which could get from SMOD for package MGA. But when I go to MM03 it doesn't stop anywhere. How can I get it done? Please advise.
Thanks,
Pritam
Edited by: PRITAM MOHANTY on Nov 19, 2009 8:11 PMYou can add authorization for material group using this way :
Put this code in program ZXM06U43.
LOOP AT tekpo INTO l_ekpo.
AUTHORITY-CHECK OBJECT 'M_MATE_WGR'
ID 'BEGRU' FIELD D_BEGRU.
If SY-SUBRC NE 0.
MESSAGE E002(zz) with 'You are not authorized with Material Group'
T_EKPO-MATKL.
Endif.
ENDLOOP.
Then activate enhancement MM06E005 using SMOD or put it in your CMOD project -
Authorization Checks in Z programs
Dear Experts,
Fist of all, thanks for your time. We're being asked to review each Functional Specification in the company to suggest to the developement team the standard objects that should be included in the code in order to restrict the access within each developement. My understanding was that, as an standard practice, developers only use bapis, standard functions or call transactions in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a bapi associated to VA01, the objects in the code for VA01 are being checked). The exception for this are reports, for which we have a Z object with most of the Organizational Values like Company Code, Plant, etc to allow restrictions to take place (and developers are supposed to include this check in this code).
My first question is: is it true that bapis, standard functions and call transactions use the regular standard objects when being executed?.
If this is the case, is there any point in suggesting the objects to be checked to the developers?. It looks as if this would be redundant, as SAP is making sure they're being checked when bapis, standard functions and call transactions are executed...(exception made for reports, as mentioned)
Thanks a lot for your help!!
Best regards,
CMPTHi,
It is always a good idea for the Z transaction review to be performed by the Security consultant. After all it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction
In case the custom transaction has been created similar to or is an enhancement on a standard SAP transaction, then it is always a good idea to have at least the same authorization checks for the Z txn also.
For new developments you need to ensure that the authorization checks need to be implemented based on the functionality of the txn and the data it manipulates. For eg., if you have a Z-txn to make changes to purchase orders, you need to ensure that the program checks for change activity for Purchasing Org, Purchasing Group and Plant values and any other authorization relevant data.
The auth objects to be used depends entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible. Else create new auth objects as per requirement.
Regards,
Sanju -
How to deactivate authorization check?
hi ,
how to deactivate Authorization check?
thanks.
reddy.Use switch T77S0 to control the use of an authorization object during the authorization check.
If value is 0 authorization check is inactive, if value is 1 inactive. See example below.
AUTSW ADAYS 15 HR: tolerance time for authorization check
AUTSW APPRO 0 HR: Test procedures
AUTSW DFCON 1 HR: Default Position (Context)
AUTSW INCON 0 HR: Master Data (Context)
AUTSW NNCON 0 HR:Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-specific authorization check
AUTSW ORGIN 1 HR: Master data
AUTSW ORGPD 0 HR: Structural authorization check
AUTSW ORGXX 0 HR: Master data - Extended check
AUTSW PERNR 1 HR: Master data - Personnel number check
AUTSW VACAU Activate Auths for Maintaining Vacancies (PBAY)
AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)
http://help.sap.com/saphelp_erp60_sp/helpdata/EN/84/49ba3b3bf00152e10000000a114084/frameset.htm
Regards,
David -
PS Authorization Check (CJ20N)
Hi guys,
I am implementing 'authorization check' to projects and WBS elements. I found the enhancement CNEX0002 and everything worked fine for all PS transactions, except for CJ20N.
The implementation is to not allow changes for projects (and all it's WBS element) which I have no authorization. So we can see them (in gray color), but cannot change.
The problem is when we open a Project or WBS element at CJ20N. If I have no authorization to change them, the objects comes with no possibility for inputting data, but when we try to create an activity, it works and should not work.
I would appreciate some tips from people whom have done that.
Bests,Hi Karla,
I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
Then it will work fine.
Regards
Priyank -
Hello,
We are implementing CRM 5.0 and we are using BSP for opoprtunity management.
We need to implement quite complex authorization rules. We have found the standard authorization object for the Opportunity Management as well as the authorization object for the BSP application.
Unfortunately the parameters that are checked in standard does not meet our requirements we need to check more things before granting access to the user.
Please advise if we should enhance authorization object and create new fields or there is also another way for authorization check in BSPs.
Thanks in advance,
JuliaHello, Gregor and Tiest.
Thanks to both of you for the answer.
I have read the blog and I analyzed the customizing activities that you recommended.
Unfortunately, this functionality does not fit our requirements.
To make the problem more clear I will give more explanations:
- We are working with Opportunity Management application (crmd_bus2000111)
- We have enhanced the standard opportunity view by adding new tabs.
- These tabs are called by custom classes and are using custom structures.
- We have defined the roles using standard authorization objects. They influence the standard tabs even with custom fields, however there is no influence on custom tabs.
- Ex. We need to create the role for the viewer, who can only display the opportunity. When we enter the application with the user to which this role is assigned the user can see everything in display mode except for the custom tabs which are still allowed for changes.
Do you know if it is possible to create an authorization object that can be used to handle the custom tabs?
Will it be enough to create an object and assign it to the transaction or do we need to enhance also the classes to refer to this custom ocject?
Thanks for help,
Julia -
Hello.
We are trying to use the enhancement CNEX0002 to check the authorizations in PS.
It works very well in transaction CJ20N, but we are having problems in transactions CN21 and CN22. The main problem is that in both transactions, the exit is not executed when you save, so you can't check if the person has the authorization for what he wants to save.
For example, I need to verify something in the project when I create a network and I didn't have the project in the beginning the creation, but I have it when I want to save it.
Is there another way I can check this authorizations when I'm saving in CN21 and CN22??.
Thanks in advance.Hi Karla,
I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
Then it will work fine.
Regards
Priyank -
Authorization check For Test plan in SAP Solution Manager test management
Hi experts,
I need to allow only selected user to view their test package and the list of transaction so i need to have a authorization check by using enhancement i got struck since i am not able to find any badi for this ..kindly looking back your suggestionHi Namrata,
Yes, you can create project structure before using solar01 tcode. later once your test cases (either manual or automatic) are ready then you can upload them using solar02 on test cases tab,
refer Link Test Case to Transactions/Reports - Configuration - SAP Library
Assignments - SAP Solution Manager - SAP Library
Thanks
Jansi -
Issues with Analysis Authorization checks in APO
Hi Friends,
I am facing an issue with Analysis authorization checks in APO.
We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
Resultant trace results are as below: This should not happen..
I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
Will it be possible for you to advise on what could I be missing.Hi All,
If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
Please advise.. Thanks..
Regards,
Prakash -
HR ABAP Custom Authorization Check
Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM -
Authorization check in LDB PNP
Hi All,
I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
Can you please let me know if any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
Any information provided will be really helpful.
Thanks,
PavanHi,
A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
Thanks,
Pavan -
Authorization checks for PNP LDB
question : how to validate authorization checks for pnp logical database?
2 nd question: hr report
this report is basically for salary survey. in this i had so many fields can any body let me know how
can i form the internal tables. and i have to display overall 150 fields in csv file for that
how can i take in to the final internal table.
what is the logic behind this:
T71JPR09-JOBCODE
PA0000-PERNR
HRP1000-STEXT
P0006-PSTLZ
PA0008-ANSAL * 100 / PA0008-BSGRD
PA0015-BETRG
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-GRADT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
like that i had.
please give me the steps how can i proceed.Hi,
The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
Hope this helps. -
CRM - Process Flow of Authorization Check in Business Transactions
Hello Folks:
I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
What I have in place:
CRM_ORD_OP (inactive, don't want access to own documents)
CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
CRM_ACT (active)
CRM_CMP (active)
CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
CRM_ORD_PR (active and restricted to display)
Issue:
Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
OSS notes to SAP have resulted in no results....please advise what is wrong here.
Thanks
KTThanks for the Priyanka for the reply, but what you mention is not correct.
BSP errors are different from what I am refering to.
The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
Regards,
KT -
Document search error in webshop(Error in authorization check: user unknow)
Hi All
actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
<b>Error in authorization check: user unknown.</b>
Can you please help me where to check the authorizations in the system for accessing the documents.
Regards
SunilHi Sunil generally this kind of error will occur when you choose acknoledgement
for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
Reward if helpful
Venkat
Maybe you are looking for
-
How can I scan multiple pages from the ADF to one pdf file?
I wirelessly scan double-sided multiple-page documents, typically 37 pages, using an ADF (Automatic Document Feeder) from my HP Officejet Pro 8600 N911g to my MacBook Pro. The scanner works fine except it tries to save the files as 37 separate files
-
i would like to down load past purchases from app store, and itunes. Has pc been stolen
-
C55Dt running Windows 8.1 will not go to sleep or turn off when lid is shut
Toshiba Model C55Dt will not go into sleep mode when I shut the lid. Only about 10 months old....will not turn off, either. I have checked and power settings are properly set. All 3 lights stay on in front....battery charge, power, and computer us
-
Any way to link a controls' custom shortcut menu to a new .rtm file?
My project programmatically generates controls from a template. The template has a custom shortcut menu that is saved in the project directory, and the generated controls all work fine with this. However, now I need to be able to export the project t
-
I am need to uplock this, via registry. as need to do some testing and set Outlook Web App to prompt for username and password