Authorization check problem

Hello,
I would like to know if somehow is it possible to add an extra authorization check into a transaction. When the transaction PA20 is executed the following authorization object are checked:
PLOG
P_ORGIN
P_PCLX
P_PERNR
None of these object allow to filter by company code. Could I modify the PA20, so it could check an extra object to filter by Comany code without writting any code?

Hi Jesus,
As Jose mentioned, using the org key (VDSK1) is the easiest and recommended way by SAP.
But, if you are already using it for some other purposes, some options are available to you:
1- use the standard string split option to use a part of the VDSK1 (IMG) to capture the company code.
2- You can modify PA20 in the user exit section, through transaction code PM01. But again, I would recommend to use the VDSK1, it is much more simplier, and well SAP Supported.
Hope the 2- answered your second part of you question Cheers
Jean-Michel

Similar Messages

HR ABAP Custom Authorization Check

Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.

There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

Document search error in webshop(Error in authorization check: user unknow)

Hi All
actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
Error in authorization check: user unknown.
Can you please help me where to check the authorizations in the system for accessing the documents.
Regards
Sunil

Hi Sunil generally this kind of error will occur when you choose acknoledgement
for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
Reward if helpful
Venkat

Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

We want to add an authorization check in routine rssm_routines_maintain. This is in the Infopackage scheduler in the Data Selection tab under the column Type after selecting type=6(ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
Two questions:
1) Is there any other way we can control who can create/change ABAP code by this method ?
2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
Your help would be appreciated.
Robert Begin,
450-677-9411 or
514-924-4311
or email at [email protected]

Hi Chandran, we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
Do you have any solution/suggestions to lock this down?
Much appreciated,
Regards,
Robert.

Authorization Check when logon into SAP via ITS

Hello
We have implemented Authorization Check after user have logged on to SAP via ITS in this User Exit SUSR0001. It was working fine in 46C version, but after upgrade to ERP 2005, when user logs on into SAP via ITS, this user exits is ignored, while logging normally via SAP GUI; authorization check is performed as before?
Did anyone else have experienced the same problem?

From what I understand something on that line changed. We are still hanging on to our external ITS 6.20 so I am afraid I can not go into details.

Authorization check failed

hello experts!
i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
cannot be displayed. when i check Tcode: SU53 Authorization check failed.
Object Class HR Human Resources
Authorization Obj. P_ABAP HR Reporting\
Authorization Field COARS Degree of simplification for authorizaton check 1
Authorization field REPID ABAP program name ZHRPY00018C
Please help on this one...
How to fixed this
Thank you

hello...
actually this report has 2 display a List display and via smartforms...
we laready add this program in her authorization profile... the only problem
is when she try to generate the report via smartform she cannot produced the
the output print docu. because an error appears that my FORM cannot be display.
But when i check it in the development i can produced a test document.
please help...

Structural authorization check in HR-ABAP

Hello Friends,
I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
Regards,
Yoganand.

Hi Yoganand,
if you use logical database PCH in your report, it should work by default.
Manually search for RHSTRUAUTH in transaction SE37. There
is a function modul which gives a list with the person the user has authorization.
With this list you could compare the list with selected persons.
hope this helps.
Regards
Bernd

LDB PNP authorization check authorization object

Hi,
I have used LDB PNP for HR reports.
We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
Hence it appears that authorization check is not working properly.
Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
    rp-provide-from-last p0002 space gwa_outlist-begda
                                                    gwa_outlist-begda.
    IF pnp-sw-found NE '1' OR
        pnp-sw-auth-skipped-record EQ '1'.
        EXIT.
    ELSE.
        ls_tab-vorna = p0002-vorna.
        ls_tab-nachn = p0002-nachn.
    ENDIF.
Please reply with the corrections ore alterations,
Thanks in advance.
Akash.

Hi,
(1)
Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some case you do not work with LDB report, then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
P_ORGIN    HR: Master Data
PLOG       Personnel Planning
P_PCLX     HR: Clusters
P_TCODE    HR: Transaction codes
Sample of checking personal area:
CALL FUNCTION 'AUTHORITY_CHECK'
     EXPORTING
          FIELD1              = ' PERSA'
          OBJECT              = 'P_ORGIN'
          USER                = 'SAPSUPPORT1'
          VALUE1              = 'Z001'
     EXCEPTIONS
          USER_DONT_EXIST     = 1
          USER_IS_AUTHORIZED = 2
          USER_NOT_AUTHORIZED = 3
          USER_IS_LOCKED      = 4
          OTHERS              = 5.
IF SY-SUBRC NE 2.
MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls!

ABAP: Modify PA infotype without authorization check

Hello everyone,
Short version:
I know two FM that can modify PA infotype data: HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
Does anybody know a solution?
Long version:
We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

ECM stands for Employee Compensation management and is one of the SAP HR module.
But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
Employee Infotype
Description
0758
Compensation Program
0759
Compensation Process
0760
Compensation Eligibility Override
0761
LTI Granting
0762
LTI Exercising
0763
LTI Participant Data

Authorization-check P_PCR fails...

Hey Guys,
I have a little authorization problem...
I created a role with authorizationobject P_PCR.
Payroll Area B8
Activity Change
In my program i have following code to check authorization :
GET pernr.
AUTHORITY-CHECK OBJECT 'P_PCR'
 ID 'ABKRS' FIELD pernr-abkrs
 ID 'ACTVT' FIELD '02'.
IF sy-subrc NE 0.
 REJECT.
ENDIF.
* further processing..
Everytime i execute this code, sy-subrc eq 4... :(.
When i look into SU53 :
The authorization check failed
Authorization obj. P_PCR HR: Payroll Control Record
 Object Class HR Human Resources
 B8
 Activity 02
My user is added to the role, so i don't see anymore why i can't execute this report ... Does anyone has an idea for me ?
Thanks,
Kind Regards,
Tom

Bon... Found the error...
AUTHORITY-CHECK OBJECT 'P_PCR'
 ID 'ABKRS' FIELD pernr-abkrs
 ID 'ACTVT' FIELD '02'.
IF sy-subrc NE 0.
 REJECT.
ENDIF.
In object P_PCR the field is not ABKRS, but the field is ABRKS.
So, problem solved...
Greetz,
Tom

Authorization check creating Work Orders (IW31)

Hello everyone,
We need to make an authorization check when creating a Work Order in transaction IW31.
That check is based on the field "Main work center for maintenance tasks"
No check apart from the plant associated to the work center is done, but the problem is that there exist different Work Centers associated to the same plant, and we need to restrict it.
Our authorization model considers the Cost Center associated to the Work Center, but the Cost Center is not checked in this IW31 when entering the Work Center.
We have also tried using the classification system, but despite activating authorization obejct C_KLAH_BKL, is neither checked.
(It is amazing the difference between the number of objects marked to be checked in SU24 for this IW31 and the objects really checked when looking at authorizations trace)
We know that Work Center field exit could be used, but we would prefer not to change ABAP code.
Could you please give us a hint about how we can restrict this field?
Thank you very much.
Best regards.
Jose Sanz.

Hi Jose,
You can look at the object C_ARPL_WRK,
if you work with this , i hope you would be able to find a solution for this situation.
Thanks,
Vijay

Missing authorization check on the IM Reports

Hi,
We use RAIMINFO reports (S_ALR_87012805, S_ALR_87012806 u2026 ) to display
structure and values in Ferrero Spa investment program
On the initial screen, the value types which have to be output, are
determined by the authorization checks to be carried out .
For example in case that an user decides to display the plan or budget
references to program position, the user has to have the authorizations
on the Persons responsible (A_IMPR_VER). For us this is OK because we
define responsibilities through A_IMPR_VER. But if user decides to
display the appropriation request or measures and he doesnu2019t indicates
the program position it seems that anything on the A_IMPR_VER will be
performed. We need that the check on A_IMPR_VER will be performed always(for all objects: measures, appropriation request ).
We think this is a function missing in RAIMINFO and in all the IM
reports.
Could you help us to solve this problem?
Thanks and best regards,

Hi,
If you want use check box in crystal., then you can do this by writing piece of code.
please try for
If {Table.Field} = True Then
'Display the checkbox of your choice here
Formula = Chr(254).
thanks.
Bala

Query hangs during Authorization Check (Event ID 4500)

I have a BI7 query when executed by developer role (no security) the query runs within seconds. When executing under end user id, it runs for 5 minutes +. Aggregates are built and the long runtime ONLY occurs when it is an end user role with specific CC's.
I tested the query via RSRT, Cache off and Display Statistics and it is clear the query gets stuck for 4.5 minutes under Event ID 4500, Authorization Check.
This delay does not occur when the query is initially executed. It only occurs AFTER the variable prompt and when query variables are entered and query is executed.
Q1) Can anyone explain a transaction or place to understand why the Authorization Check takes so long?
Q2) I would also like to understand the execution order for queries... for example how does the filters or data in the rows get executed?

Hi Anurag
i read again this documentation i'd get in another form ("howTo..." Guide on Help.sap.com) :
I create newsample from scratch and it works !
Reason of my problem :
I created 2 authorization objects (given to users) :
- first with IO 0CUSTOMER,value '*', without 0TCTAUTHH
- second with IO OCUSTOMER, valeur ' ' (blank), with 0TCTAUTH with required node value.
=> First authorization grants * for 0CUSTOMER (all) and present the entire hierarchy during selection node in query. By deleting it, it works.
Thank's a lot.
Etienne

Authorization Check in Ad Hoc Query

Hi Experts,
When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.

You need to do this in your infoset ...
You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
INITIALIZATION.
PNP_SW_SKIP_PERNR = 'N'.
It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
-Saquib

Authorization Check in Business Transactions in CRM 2007

Hi everybody, I have a problem whit the authorization check in CRM 2007.
This link help me to follow the steps
http://help.sap.com/saphelp_crm60/helpdata/en/e9/b29a39e7aee372e10000000a11
I follow this steps:
1.- Created a new single role on the PFCG
2.- On the Menu tab add the transaction BSP_CRMD_BUS2000108 (Trax for LEADS)
3.- On the authorization tab create a new profile and in the authorization data set the values for CRM_ORD_OP: PARTN_FCT 00000012, PARTN_FCTT *, ACTVT '02,03
4.- Generate the authorization.
5.- Set my user "TESTUSER" on the user tab
6.- Save the profile
Then, I login to CRM whit TESTUSER and I see all the leads. I miss something, what could be the problem ?
Thanks for your help

Hi Shaji, Pankaj and Jushan, thanks four your answers.
I still have the same problem, I want to see only my leads that I´am the responsible, after I generated the authorization and assign the role to my user from tcode PFCG and SU01, I logout and login again and no changes, I still see all the leads.
Another test I made, I changed the authorization data and set the values for CRM_ORD_OP: PARTN_FCT , PARTN_FCTT 0008, ACTVT ' (person responsible) and the results was the same, see all the leads.
How works the User Comparisons and how can I check for errors in my pfcg role ?
Thanks for your help.

Authorization check problem

Similar Messages

Maybe you are looking for