Authorization check of Tcode FCH7 (reprint check) / FCHN (display check)

Hello to you all,
Does any of you know of an option of extended the authorization check of Tcode FCH7 (reprint check) / FCHN (display check) using authorization object F_BKPF_BEK / F_LFA1_BEK?
Regards,
yoav Bernstain

Hi,
Authroization: User need authroization to post Financial Accounting Document for Vendor
Object: F_BKPF_BEK
Activities: 01-Creat, 02-Change and 06-Deleter
Authroization: User need authroization for vendor Master Data (03-Display activity can also work)
Object: F_LFA1_BEK
Activities: 01-Creat, 02-Change, 03-Display and 06-Deleter
Regards,
Prashant Rane

Similar Messages

  • Tcode to create activity group and authorization check,

    hi,
      can any one say me the transaction code to create activity group and authorization check.

    Hi
    I'm not sure about what you want to do, anyway have you try the trxs SU20 and SU21?
    Max

  • HR ABAP Custom Authorization Check

    Hi all,
    We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
    GET PERNR.
        I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
    Thanks in Advance.

    There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
    Some special differences are:
    - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
    - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
    - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
    This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
    Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • ESS: Who's Who Authorization Checks

    Hi,
    I am testing the ESS iView (tcode PZ01) in the Portal and it seems to be restricting the search results by my authorizations.  I am not getting a full list of people in the system.  Anyone know how to turn-off this authorization check?
    I noticed this only happens when I changed the ESS Who's Who customizing in the IMG for PZ01.  If I uncheck the checkbox 'Output fields list', then it checks authorzations.  I'm thinking this has something to do with using the BAPI vs. using the query infoset, as the documentation states.
    Message was edited by:
            Kenneth Moore

    Old post but I have had a similar issue and it was caused by P_ORGIN
    Infortype 0105 subtype?????
    Seem if the subtype is restricted then they are not displayed if subtype populated in the HR record.

  • Authorization Check for Special Stock Indicator in IE02

    Dear Gurus,
    Would like to check with you if there is an authorization check for change in Special Stock Indicator in IE02-SerData Tab?
    For example, the User will only be allowed to change the Special Stock Indicator only to "E" - Sales Order.
    Would appreciate your help.
    Thanks.

    Hi,
    This cannot be done by using standard auth object. Standard SAP doesnt support control via this field.
    Take help of your ABAP team and create an customized authorization object "Z_OBJECT" with field SOBKZ and which check these field value in table EQBS. Assign this auth object to role and profile you want.
    Use the user exit IEQM0003 Additional checks before equipment update. Give a logic to check auth object when while using equipment change tcode.

  • Authorization check

    Hi ,
    i new to authorization so i need help ,
    i go to transaction SU21 and i choose some object for example:
    Object R_CPM_BSC
    Text Authorization Object SEM: BSC Elements
    Class SEM Strategic Enterprise Management*
    Author STASTNY
    Field name Heading
    SEMSCARD Scorecard
    SEMOBJTYPE Scorecard Elements: Object Type
    SEMOBJKEY Scorecard Elements: Object Key
    ACTVT Activity
    And when i push on permitted activities i get:
    R_CPM_BSC Authorization Object SE
    ACTVT Activity
    activists
    01 Create or generate
    02 Change
    03 Display
    04 Print, edit messages
    1. i have always just permitted activities for ACTVT ?
    if i wont that user just have display Authorization how i have to write it like below?
    AUTHORITY-CHECK OBJECT R_CPM_BSC
    ID ACTVT FIELD '03'
    thats it i don't use the other fields?
    Regards

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Vikranth

  • Authorization check failed

    hello experts!
    i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
    cannot be displayed. when i check Tcode: SU53 Authorization check failed.
    Object Class HR Human Resources
    Authorization Obj. P_ABAP  HR Reporting\
    Authorization Field COARS Degree of simplification for authorizaton check       1
    Authorization field REPID ABAP program name     ZHRPY00018C
    Please help on this one...
    How to fixed this
    Thank you

    hello...
    actually this report has 2 display a List display and via smartforms...
    we laready add this program  in her authorization profile... the only problem
    is when she try to generate the report via smartform she cannot produced the
    the output print docu. because an error appears that my FORM cannot be display.
    But when i check it in the development i can produced a test document.
    please help...

  • Authorization check question

    Hi all, I have a question regarding authority-check.
    I have a program with some custom buttons, these buttons will show a small window where the user has to enter some data. This data then will be shown in an ALV grid, and also be saved in a custom table.
    There are two buttoms, and I have to check is the user has authorization for each one of them. How do I do that? what would be the authorization object? and what would be the activity?. does the authorization object needs to be created somewhere? if so, can you give me the transaction?.
    TIA Mauro.

    Hello,
    You can create your own authorization object using Tcode SU21. Use the authorization object when he clicks on the button.
    Regards,
    Kiran I

  • Authorization Check in Personnel Cost Planning (PA-CP)

    Dear Experts,
    We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
    1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
    2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
    We are using SAP ECC 6.0.
    Has anyone encounter the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
    Thanks very much in advance.
    Alex

    Hi Alex,
    I am not very sure about Personnel Cost Planning,
    But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
    1) Switch on Trace using ST01.
    2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
    3) Anlayse the trace document and identify all the authorization object.
    4) BUild a new role with the auth objects and assign to test user id.
    5) test and confirm that the authorizations are not too many or too less.
    A time consuming but thorough approach.
    hope this helps.

  • Abap programe 'AUTHORIZATION-CHECK'

    What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

    Hi,
    You can navigate to the Code this way
    1)
    SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
    "Authority-Check" this displays you whatever entries are there in the code.
    This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
    2)On the other hand if you know the program then go to
    SE38> enter the program name> Select Source Code> Press Display>
    and from there search with the string mentioned above justlike the case mentioned above...
    Hope this helps
    Regards,
    Manohar

  • Authorization Check in Business Transactions in CRM 2007

    Hi everybody, I have a problem whit the authorization check in CRM 2007.
    This link help me to follow the steps
    http://help.sap.com/saphelp_crm60/helpdata/en/e9/b29a39e7aee372e10000000a11
    I follow this steps:
    1.- Created a new single role on the PFCG
    2.- On the Menu tab add the transaction BSP_CRMD_BUS2000108 (Trax for LEADS)
    3.- On the authorization tab create a new profile and in the authorization data set the values for CRM_ORD_OP: PARTN_FCT ‘00000012’, PARTN_FCTT ‘*’, ACTVT ‚'02,03’
    4.- Generate the authorization.
    5.- Set my user "TESTUSER" on the user tab
    6.- Save the profile
    Then, I login to CRM whit TESTUSER and I see all the leads.  I miss something, what could be the problem ?
    Thanks for your help

    Hi Shaji, Pankaj and Jushan, thanks four your answers.
    I still have the same problem, I want to see only my leads that I´am the responsible, after I generated the authorization and assign the role to my user from tcode PFCG and SU01, I logout and login again and no changes, I still see all the leads.
    Another test I made, I changed the authorization data and set the values for CRM_ORD_OP: PARTN_FCT ‘’, PARTN_FCTT ‘0008’, ACTVT ‚'’   (person responsible)  and the results was the same, see all the leads.
    How works the User Comparisons and how can I check for errors in my pfcg role ?
    Thanks for your help.

  • Skip Authorization Check in ECC5.0

    I have noticed a major diffrence in authorization check for tcodes in ECC5.0 . In earlier versions in debug mode I found that if there is a command like :
    CALL TRANSACTION 'PA30' and SKIP FIRST SCREEN
    If i press F5 it directly shows me the error message "Not authorised to PA30" in case there is no auth to execute it, and the debugging stops.
    But in Earlier versions it used to goto a function module to check the auth. I just want to customize the function module to skip the auth check for a certain set of users.
    Any clue for this?

    Hi Alex,
    I am not very sure about Personnel Cost Planning,
    But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
    1) Switch on Trace using ST01.
    2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
    3) Anlayse the trace document and identify all the authorization object.
    4) BUild a new role with the auth objects and assign to test user id.
    5) test and confirm that the authorizations are not too many or too less.
    A time consuming but thorough approach.
    hope this helps.

  • Authorization check flow

    Hello Folks,
    I wonder if some one can help clearing a doubt of mine.
    The standard definition one finds on the net for Authorization check maintenance in SU24 for transactions is:
    CM = Check performed AND object added in PFCG when tcode added to the role.
    C = Check performed BUT object not added in PFCG when tcode added to the role.
    N = No check OR check will return sy-subrc = 0 even if the user does not have the authorization.
    U = Unknown. A check will may be hardcoded in the program, or maybe not.
    My take on the above definitions is:
    example object: V_VBAK_AAT
    if
    CM for  V_VBAK_AAT the object is included in the role while working with PFCG.
    As per the definition check performed on object and object added.
    Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
    If
    C check performed but object not added
    Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM? I was once told that these are objects that are most commonly used and hence from a BASIS point of view that the roll buffer will have that much less authorizations to load. But that does not ring true to me.
    If
    N - check will return value 0 thereby allowing the user through even though he does not have the authorization to do so
    Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
    For the last couple of years that i have been working on this, i have accepted this, as one would,  the bible :-)...
    But now i wonder if there will be some enlightenment....
    Regards,
    Prashant

    >
    Prashant Pasala wrote:
    >
    > Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
    no, it wouldn't. the check has to be coded.
    >
    Prashant Pasala wrote:
    > Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
    >
    because you would have many obsolete objects in your role, depending on the setup of your applications, the org-structure and several other things (mostly in configuration), whether an extension-set is active, a special IS used ...
    >
    Prashant Pasala wrote:
    > Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
    >
    here one can only guess. one scenario might be: due to a bug in a SAP standard BAPI you deactivate the check until you get a correction from SAP. you have to do this to keep up the business ...
    Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM

  • Authorization checks and objects

    Do you have a tutorial for this topic for dummies? thanx in advance

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Seshu

Maybe you are looking for