Authorization Check Infotype Header

Hi all,
i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
Authorization Check Infotype Header
Thanks & regards

1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
cheers

Similar Messages

  • ABAP: Modify PA infotype without authorization check

    Hello everyone,
    Short version:
    I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
    Does anybody know a solution?
    Long version:
    We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
    So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
    The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

    ECM stands for Employee Compensation management and is one of the SAP HR module.
    But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
      Employee Infotype
      Description
    0758
    Compensation Program
    0759
    Compensation Process
    0760
    Compensation Eligibility Override
    0761
    LTI Granting
    0762
    LTI Exercising
    0763
    LTI Participant Data

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • Authorization check

    Hi ,
    i new to authorization so i need help ,
    i go to transaction SU21 and i choose some object for example:
    Object R_CPM_BSC
    Text Authorization Object SEM: BSC Elements
    Class SEM Strategic Enterprise Management*
    Author STASTNY
    Field name Heading
    SEMSCARD Scorecard
    SEMOBJTYPE Scorecard Elements: Object Type
    SEMOBJKEY Scorecard Elements: Object Key
    ACTVT Activity
    And when i push on permitted activities i get:
    R_CPM_BSC Authorization Object SE
    ACTVT Activity
    activists
    01 Create or generate
    02 Change
    03 Display
    04 Print, edit messages
    1. i have always just permitted activities for ACTVT ?
    if i wont that user just have display Authorization how i have to write it like below?
    AUTHORITY-CHECK OBJECT R_CPM_BSC
    ID ACTVT FIELD '03'
    thats it i don't use the other fields?
    Regards

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Vikranth

  • Authorization Check Failed for HR P_ORGIN on VDSK1

    Hi Experts,
    We have an issue where an HR secretary is making an address change to an employee via pa30.  She is successfully able to save the change with no warning on the screen.  However, when we run /nsu53 immediately after, we see that there was an authorization check failed.  The check failed is in class HR, object P_ORGIN.  The field is VDSK1.  We have values defined there, whereas SAP is requesting a *.  We do not want to use the *, but the value in VDSK1 is correct and should not be failing.
    Anyone ever see this issue before?
    Thanks
    Shane

    Hi Shane,
    Since the secretary was able to save the record I assume there is no issue with the role. SU53 always shows last failed authorisation check. Even if transaction has been succesful you normally find failed authorisation checks from SU53. In your case I assume that PA30 checks first that if user happens to have P_ORGIN with * value in VDSK1. If not then it checks employees infotype 0001 and organisational key and tries to match that to the value in the role. If you pass this check SU53 will still show failed check where VDSK1=*.
    So this is normal behaviour for SU53 and nothing to be worried about. Annoying is when SU53 gives something sill as last check after error. Annoying are SU53 reports from users to add S_DEVELOP with Debug object because programmer has decided to leave break-point to program.
    cheers, s

  • Authorization Check in Ad Hoc Query

    Hi Experts,
    When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
    This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.

    You need to do this in your infoset ...
    You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
    You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
    INITIALIZATION.
    PNP_SW_SKIP_PERNR = 'N'.
    It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
    The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
    Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
    -Saquib

  • Photo upload in infotype 2, or infotype header

    Can anyone tell me in detail how to upload photo of employee in infotype header and what all needs to be done in terms of basis also , archieve link or something.  I know oAAD but how does that linkage happen.

    Solution in https://wiki.sdn.sap.com/wiki/display/ERPHCM/Add%20Employee%20Photo%20on%20Infotype%200002?showChildren=false is very good.
    Mass upload program ZHR_BDC_UPLOADPIC requires input every file path for photos in dialog window.
    I have improved this process:
    1. Made a copy of program OANEWCON (program in transaction OAOH)  ZOANEWCON (hung on new transaction ZOAOH)
    inserted two lines  allow to pass a path as a parameter to this program:
    PROGRAM ZOANEWCO MESSAGE-ID OA.
    TABLES: TOAV0, TOAOM, TWFDB, TOAPA.
    DATA: KEY LIKE OJINT-KEY.
    DATA: OBJECT LIKE OJINT-NAME.
    DATA: OBJECT_ID LIKE TOAV0-OBJECT_ID.
    DATA: ARCHIV_ID LIKE TOAV0-ARCHIV_ID.
    DATA: ARC_DOC_ID LIKE TOAV0-ARC_DOC_ID.
    DATA: ABLAGEDATUM LIKE SAPB-SAPABLDATE.
    DATA: AR_DATE LIKE TOAV0-AR_DATE.
    DATA: DEL_DATE LIKE TOAV0-DEL_DATE.
    DATA: SAP_OBJECT LIKE TOAOM-SAP_OBJECT.
    DATA: AR_OBJECT LIKE TOAOM-AR_OBJECT.
    DATA: EXPIRY_TIM LIKE TOAOM-EXPIRY_TIM.
    DATA: METHOD LIKE OJINT-METHOD.
    DATA: RETURN LIKE OJINT-RETURN.
    DATA: PARAMETER LIKE OJINT-PARAMETER.
    DATA: BEGIN OF I_TOAV0 OCCURS 1.
            INCLUDE STRUCTURE TOAV0.
    DATA: END OF I_TOAV0.
    DATA: BEGIN OF I_TOAOM OCCURS 1.
            INCLUDE STRUCTURE TOAOM.
    DATA: END OF I_TOAOM.
    DATA: BEGIN OF FIELDS OCCURS 1.
            INCLUDE STRUCTURE OJFIELDS.
    DATA: END OF FIELDS.
    DATA: OK_CODE(4)         TYPE C,
          OK_CODE_SAVE(4)    TYPE C.
    DATA: CREATE(2) VALUE '01'.
    DATA: infile(70).
          MODULE INIT0100 OUTPUT                                        *
    MODULE INIT0100 OUTPUT.
      SET TITLEBAR '000'.
      CLEAR: OBJECT, AR_OBJECT.
      SET PF-STATUS 'POPU100'.
    ENDMODULE.
          MODULE EXIT_BEARBEITEN INPUT                                  *
    MODULE EXIT_BEARBEITEN INPUT.
      OK_CODE_SAVE = OK_CODE.
      CLEAR OK_CODE.
      CASE OK_CODE_SAVE.
        WHEN 'ESC'.
          SET SCREEN 0.
          LEAVE SCREEN.
        WHEN 'BACK'.
          SET SCREEN 0.
          LEAVE SCREEN.
        WHEN 'CANC'.
          SET SCREEN 0.
          LEAVE SCREEN.
      ENDCASE.
    ENDMODULE.
          MODULE READ0100 INPUT                                         *
    MODULE READ0100 INPUT.
      OK_CODE_SAVE = OK_CODE.
      CLEAR OK_CODE.
      CLEAR KEY.
      CASE OK_CODE_SAVE.
        WHEN 'NEW'.
          OBJECT = TOAOM-SAP_OBJECT.
          AR_OBJECT = TOAOM-AR_OBJECT.
          SELECT * FROM TOAOM WHERE AR_OBJECT = AR_OBJECT
          AND SAP_OBJECT = OBJECT.
          ENDSELECT.
          IF SY-SUBRC <> 0.
            MESSAGE W251 WITH AR_OBJECT OBJECT.
            "MESSAGE: NO NCI-DOCTYPE with this Objecttyp
          ELSE.
    Corr. 3.0. Begin
    Authority check with Archive id
            ARCHIV_ID = TOAOM-ARCHIV_ID.
            PERFORM AUTHORITY_CHECK_CREATE(OAALL)
               USING ARCHIV_ID OBJECT SPACE AR_OBJECT SPACE
               CHANGING SY-SUBRC.
            IF SY-SUBRC NE 0.
              MESSAGE ID SY-MSGID TYPE 'E' NUMBER SY-MSGNO
                      WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
            ELSE.
    Corr. 3.0 End.
    Change 5.0 for BOR Objecttypes with GUID vok
             METHOD = 'EDIT'.
        Eingabe der Object_Id
             CALL FUNCTION 'OJ_KEY_FIELDS'
                  EXPORTING
                       KEY                  = KEY
                       METHOD               = METHOD
                       OBJECT               = OBJECT
                       TITLE_DIALOG         = TEXT-001
                  IMPORTING
                       KEY                  = KEY
                  TABLES
                       FIELDS               = FIELDS
                  EXCEPTIONS
                       EXC_OBJECT_NOT_FOUND = 01.
              CALL FUNCTION 'ARCHIV_POPUP_OBJECT_KEY'
                  EXPORTING
                DISPLAY               = ' '
                    OBJTYPE               = OBJECT
                    TITLE                 = TEXT-001
                OBJKEY                = ' '
                LASTTYPE              = ' '
                LASTKEY               = ' '
                    CHECKEXISTENCE        = 'X'
                GENERIC               = ' '
                EDIT                  = ' '
                 IMPORTING
                CHANGED               =
                RETURN                =
                    OBJKEY                = KEY
                USE_LAST              =
                  EXCEPTIONS
                    ERROR_PARAMETER       = 1
                    USER_CANCEL           = 2
                    OTHERS                = 3
    End of change 5.0 for BOR Objecttypes with GUID vok
              IF SY-SUBRC <> 0.
                MESSAGE ID SY-MSGID TYPE 'W'      NUMBER SY-MSGNO
                WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
                CLEAR TOAV0.
              ELSE.
                TOAV0-OBJECT_ID = KEY.
                IF KEY EQ SPACE.
                  MESSAGE W252.
                  CLEAR TOAV0.
         'Kein SAP-Beleg vorhanden.'.
                ELSE." create archiveobject versus dialog
                  PERFORM CREATE_ARCHIVE_OBJECT.
                ENDIF.
              ENDIF.
            ENDIF.
          ENDIF.
      ENDCASE.
    ENDMODULE.
          FORM CREATE_ARCHIVE_OBJECT                                    *
    FORM CREATE_ARCHIVE_OBJECT.            "Create an archiveobject
      CALL FUNCTION 'ARCHIV_CREATE_DIALOG_META'
           EXPORTING
                AR_OBJECT                = TOAOM-AR_OBJECT
                OBJECT_ID                = TOAV0-OBJECT_ID
                SAP_OBJECT               = TOAOM-SAP_OBJECT
                FILE                     = infile
           IMPORTING
                ARCHIV                   = TOAV0-ARCHIV_ID
                ARCHIV_DOC_ID            = TOAV0-ARC_DOC_ID
                DOCUMENTCLASS            = TOAOM-DOC_TYPE
           EXCEPTIONS
                ERROR_ARCHIV             = 01
                ERROR_COMMUNICATIONTABLE = 02
                ERROR_CONNECTIONTABLE    = 03
                ERROR_KERNEL             = 04
                ERROR_PARAMETER          = 05
                ERROR_SCANQUEUE          = 06
                others                   = 7.
      IF SY-SUBRC <> 0.
        MESSAGE ID SY-MSGID TYPE 'W'      NUMBER SY-MSGNO
        WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
        CLEAR TOAV0.
      ELSE.
        MOVE TOAOM-DOC_TYPE TO TOAV0-RESERVE.
        TOAV0-SAP_OBJECT = TOAOM-SAP_OBJECT.
        TOAV0-AR_OBJECT = TOAOM-AR_OBJECT.
        COMMIT WORK.
        MESSAGE I044.
      ENDIF.
    ENDFORM.
    2. in program ZHR_BDC_UPLOADPIC calling transaction ZOAOH
    added parameters for data file, for a photo ID in archive, and add date of a photo into the data file
    e.g.: 0000000527.09.2004C:\Photos\5.jpg
    {REPORT ZHR_BDC_UPLOADPIC NO STANDARD PAGE HEADING LINE-SIZE 255.
    DATA : BEGIN OF IT_DATA OCCURS 0,
             PERNR(8), " LIKE RP50G-PERNR,
             DATUM(10), "date of the photo
             FILENAME(128),
           END OF IT_DATA.
    DATA:  T1(80),
                 file_path(132).
    SELECTION-SCREEN: BEGIN OF BLOCK sp WITH FRAME TITLE text-f01
      NO INTERVALS.
      SELECTION-SCREEN BEGIN OF LINE.
        SELECTION-SCREEN COMMENT 5(4) A1 .
      SELECTION-SCREEN   END OF LINE.
    SELECTION-SCREEN: END   OF BLOCK sp.
       INCLUDE BDCRECX1.
    SELECTION-SCREEN SKIP 2.
    SELECTION-SCREEN: BEGIN OF BLOCK vst WITH FRAME TITLE text-f02.
    SELECTION-SCREEN BEGIN OF LINE.
      SELECTION-SCREEN COMMENT 3(25) TEXT-S11 FOR FIELD IDOBJ.
      selection-screen position 45.
      PARAMETERS POPFILE(128)  VISIBLE LENGTH 50
        DEFAULT 'C:\PICTURE.TXT'.  "input data file
    SELECTION-SCREEN END OF LINE.
    SELECTION-SCREEN BEGIN OF LINE.
      SELECTION-SCREEN COMMENT 3(25) TEXT-S12 FOR FIELD IDOBJ.
      selection-screen position 45.
      PARAMETERS IDOBJ(2) DEFAULT '01'.  "id object
    SELECTION-SCREEN END OF LINE.
    SELECTION-SCREEN: END   OF BLOCK vst.
    at selection-screen on value-request for POPFILE.
      call function 'F4_FILENAME'
             exporting
                 field_name = file_path
             importing
                 file_name = POPFILE.
           exception
                others    = 1.
    START-OF-SELECTION.
      PERFORM OPEN_GROUP.
      CALL FUNCTION 'WS_UPLOAD'
        EXPORTING
          FILENAME = POPFILE
          FILETYPE = 'ASC'
        TABLES
          DATA_TAB = IT_DATA
        EXCEPTIONS
          CONVERSION_ERROR = 1
          INVALID_TABLE_WIDTH = 2
          INVALID_TYPE = 3
          NO_BATCH = 4
          UNKNOWN_ERROR = 5
          GUI_REFUSE_FILETRANSFER = 6
          OTHERS = 7.
      IF SY-SUBRC NE 0.
        WRITE : / 'No to able read input file'.
        STOP.
      ELSE.
        WRITE : / 'Data processing ...'.
        T1 = 'Data processing ...'.
        MESSAGE T1 Type 'S'.
      ENDIF.
      LOOP AT IT_DATA.
        PERFORM BDC_DYNPRO USING  'ZOANEWCON'         '0100'.
        PERFORM BDC_FIELD  USING  'BDC_CURSOR'       'TOAOM-AR_OBJECT'.
        PERFORM BDC_FIELD  USING  'BDC_OKCODE'       '=NEW'.
        PERFORM BDC_FIELD  USING  'TOAOM-SAP_OBJECT' 'PREL'.
        PERFORM BDC_FIELD  USING  'TOAOM-AR_OBJECT'  'HRICOLFOTO'.
        PERFORM BDC_FIELD  USING  'INFILE'           IT_DATA-FILENAME."JPG
        PERFORM BDC_DYNPRO USING  'SAPLOA12'         '0200'.
        PERFORM BDC_FIELD  USING  'BDC_CURSOR'       'OBJID-VALUE(03)'.
        PERFORM BDC_FIELD  USING  'BDC_OKCODE'       '=OK'.
        PERFORM BDC_FIELD  USING  'OBJID-VALUE(01)'  IT_DATA-PERNR.
        PERFORM BDC_FIELD  USING  'OBJID-VALUE(02)'  '0002'.
        PERFORM BDC_FIELD  USING  'OBJID-VALUE(04)'  IDOBJ.
        PERFORM BDC_FIELD  USING  'OBJID-VALUE(05)'  IT_DATA-DATUM.
        PERFORM BDC_TRANSACTION USING 'ZOAOH'.
        clear IT_DATA-FILENAME.
      ENDLOOP.
      PERFORM CLOSE_GROUP.}

  • Infotype header the format

    hello,
    As you know in the infotype header the format name that the screen shows is diferent
    for USA:            Last Name  , Name
    for MEX version :   Name , Last Name
    I need both to have the same format (Name , Last Name)
    Is that posible?
    Best Regards.

    Hello,
    Sure it's possible.
    1º) Open an infotype in pa20/pa30
    2º) Go system -> Status
    3º) Save the value of Program(Subscreen). E.g.: /1PAPAXX/HDR_00288A
    4º) Open Se38
    5º) Open the copied header. E.g.: /1PAPAXX/HDR_00288A
    6º) Check the comments in blue. The header modifier will be the 2 number on second column. E.g.:
    T588J (Table to change the header fields)
    002  88  1  01  TXD   0000   PERNR   08   PN1
    88 = Header modifier. Save this number.
    7º) Open SM31
    8º) Table T588J
    9º) Open the corresponding header modifier. E.g.: 88
    Now you can change the header
    If you nede to change the format displayed go thru table T552N and set the value at field "Conversion".
    Example:
    Conversion = 07 , make this:
                     Before   >    After
                   - GJM      >  G.J.M.
                   - ThChr    >  Th.Chr.
    Hope that helps.
    Márcio Leoni

  • PS Authorization Check (CJ20N)

    Hi guys,
    I am implementing 'authorization check' to projects and WBS elements. I found the enhancement CNEX0002 and everything worked fine for all PS transactions, except for CJ20N.
    The implementation is to not allow changes for projects (and all it's WBS element) which I have no authorization. So we can see them (in gray color), but cannot  change.
    The problem is when we open a Project or WBS element at CJ20N. If I have no authorization to change them, the objects comes with no possibility for inputting data, but when we try to create an activity, it works and should not work.
    I would appreciate some tips from people whom have done that.
    Bests,

    Hi Karla,
    I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
    Then it will work fine.
    Regards
    Priyank

  • PS Authorization check

    Hello.
    We are trying to use the enhancement CNEX0002 to check the authorizations in PS.
    It works very well in transaction CJ20N, but we are having problems in transactions CN21 and CN22. The main problem is that in both transactions, the exit is not executed when you save, so you can't check if the person has the authorization for what he wants to save.
    For example, I need to verify something in the project when I create a network and I didn't have the project in the beginning the creation, but I have it when I want to save it.
    Is there another way I can check this authorizations when I'm saving in CN21 and CN22??.
    Thanks in advance.

    Hi Karla,
    I have successfully implemented that. Here you need to do the similar authorization checks in includes EXIT_SAPLCNAU_003 and EXIT_SAPLCNAU_004 for Network Header and Network activity authorization.
    Then it will work fine.
    Regards
    Priyank

  • Authorization Check For Pricing Reference Materail In VA01 & VA02

    Hi Expert, 
    User has requested to do authorization check for pricing reference material in line item in VA01/VA02. currently SAP does not has any authorization check for pricing reference material field at line item in VA01/VA02.  Is there any standard authorization object for this purpose or needs to use user exit to do this checking ie if the pricing reference material entered does not belong to the sales org as entered in sales header data then system will issue warning/error message.  What will be the standard user exit routine if there is no standard authorization object for this purpose ?
    Thanks.
    Regards,
    Tay
    Edited by: Hung How Tay on May 13, 2010 2:48 AM

    Hi,
    Try below in MV45AFZB
    USEREXIT_SOURCE_DETERMINATION
    Best regards,
    Anupa

  • Where to Authorization check for the plant while creating outbound delivery

    Hi Experts,
    For outbound delivery , the standard program is not doing the authorization check .
    Can i use BADI       *LE_SHP_DELIVERY_PROC *        and the method :     DELIVERY_FINAL_CHECK
    To write Authority-check statement ,
    If the particular is not authorized for any of the plants of the items in the outbound delivery i will throw a error message
    Can i use as above?
    And if i use it has to apply only for outbound delivery?Because for inbound delivery also the same BADI is getting triggered?
    Please suggest.
    Regards
    Ramakrishna L

    Hi,
    Yes you can use the said BAdi and the method if it is triggerd before the SAVE of the Outbound Delivery Order to do the Authorisation Check. In case the code is triggered for all the orders and you want only to restrict for the Outbound Delivery, then check for the Delivery Type (LFART) from the Delivery Header table for only the Outbound Delivery Order.
    Thanks,
    Susanth Swain

  • Infotype Header Data - Cost center- System to read the latest data

    Dear Group Members,
    I am modifying Infotype Header data and calling Cost center (Field - KOSTL) in header data via modifying header data in   table T588J. The cost center values appears on the  header data (As stored in Infotype 0001) however it appears with the oldest data. i.e. if the employee cost center had been changed after his joining system does not picked up the Latest data/ Latest cost center value.
    Any one on how to resolve this issue with SAP Standard functionality.
    Regards
    VISHAL SAXENA
    SAP Specialist - HCM

    Hi,
    The answer to your question lies in table V_582A_B. You can either access it through SM30 or by following IMG path:
    SPRO>Personnel Management>Personnel Administration>Customizing User Interfaces>Change Screen Header>Header structure per infotype
    There is a u201Cchoose datau201D indicator for each infotype. If that is checked, the header displays data as per the start date of infotype displayed; otherwise, it shows data valid as of system date. Please bring up SAP help on the field by F1 for more information.
    Also check table T588H (data selection field) as it has some dependencies for the above mentioned settings. The table can be brought up from:
    SPRO>Personnel Management>Personnel Administration>Customizing User Interfaces>Change Screen Header> Infotype header data selection control
    Hope this helps.
    Donnie

  • Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

    Hello,
    We have to limit access to executives (managers) sensitive posting data in transaction PCP0 (display posting runs).
    Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
    In order to have this done, P_ORGIN authorization check should be performed.
    It looks that by standard, such check is not performed.
    Does anyone have any experience of dealing with this issue?
    Thanks,
    Isaac

    Hi,
    I have a vague idea.
    I remember while creating an ESS user, we did something in P_ORGIN so as to to restrict access to personnel master data.
    Check the composite role : SAP_EMPLOYEE_ERP.
    A Z role was created for SAP_EMPLOYEE_ERP=>the corresponding roles in it had to be copied to a z role.
    Check the z-role created ; zSAP_ESSUSER_ERP.
    In Authorizations tab=>Display authorization data option => ;
    Expand Human Resources;
    In HR : Master data, you can find the various authorization assignments to P_ORIGIN;  where
    Authorization level (AUTHC)
    Infotype (INFTY)          
    Personnel Area (PERSA)
    Employee Group   (PERSG)
    Employee Subgroup  (PERSK)
    Subtype (SUBTY)
    Organizational Key (VDSK1)
    Authorization level (AUTHC) takes the values :
    • R (Read) for read access
    • M (Matchcode) for read access to input helps (F4)
    • W (Write) for write access
    • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
    • S (Symmetric) for write access using the Symmetric Double Verification Principle
    • * always includes all other authorization levels simultaneously
    In your case if some has to make changes through PPCO.. it's equivalent to making changes to infotype 0001 (Organizational Assignment)
    So, probably, you need the Authorization level to R for Infotype 0001.
    I have no personal hands-on experience on this...since we are not allowed to anything Basis
    I have seen this being done and have noted what was done... !! May or may not be correct....!!
    I hope this is what you want.
    Cheers and Good Luck!!
    Remi

  • Issues with Analysis Authorization checks in APO

    Hi Friends,
    I am facing an issue with Analysis authorization checks in APO.
    We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
    Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
    This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
    In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
    However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
    Resultant trace results are as below: This should not happen..
    I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
    Will it be possible for you to advise on what could I be missing.

    Hi All,
    If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
    while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
    Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
    Please advise.. Thanks..
    Regards,
    Prakash

Maybe you are looking for

  • Caching problem of javascript with servlet

    Hi guys There is a problem of caching with the our project. This project contains two servlets first is getAdServlet and second is richMediaServlet. getadservlet is called thru <script src=""> following is the code: <script LANGUAGE="JAVASCRIPT" src=

  • FDM validation report issue

    Hi, I am working on validation reports in FDM. My logic works fine and I see result by all Entities in Validation report. I need to see result by other dimension in validation report other than Entity dimension in FDM. Can you let me know how can we

  • While actual settlement to projects in CJ8G- there is an error

    Hi All.. While doing the actual settlement to projects we got an error saying that - you cannot use this transaction type to post to this asset. Is there anything i need to configure in AA. Kindly suggest. Thanks, Mercy

  • Inserting my photos into Word document

    I am putting together a document of my family history and want to insert some photos I've taken into it. But the photos are each about 2.2MB - 2.9 MB and when I copied & pasted the photos into the Word doc the Word doc ended up at 124MB! W/out these

  • Is there a code to place an "enter" (new line)?

    I would like to place an "enter" in CRM 2007 making a survey. So something that looks like this: - piece of text - another piece of text - yet another one Except, when I type the text as it is written above, the result is this (I placed blanks in bet