Authorization check question

Hi all, I have a question regarding AUTHORITY-CHECK.
I have a program with some custom buttons. These buttons show a small window where the user has to enter some data. This data is then shown in an ALV grid and also saved in a custom table.
There are two buttons, and I have to check if the user has authorization for each one of them. How do I do that? What would be the authorization object, and what would be the activity? Does the authorization object need to be created somewhere? If so, can you give me the transaction?
TIA Mauro.

Hello,
You can create your own authorization object using Tcode SU21. Use the authorization object when the user clicks on the button.
Regards,
Kiran I
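
An added example, not code from Kiran's reply or from the original program, of what the check looks like once the object exists. The object name Z_BTN_ACT, its single field ACTVT, the function codes BTN_CREATE and BTN_SHOW, and the two routines that do the actual work are assumptions made for the illustration; the object and its permitted activities are created in SU21, and it still has to be in the user's roles (PFCG) before the check can return 0.

```abap
*---------------------------------------------------------------------*
* Added example (not from the thread). Assumed: custom object
* Z_BTN_ACT created in SU21 with the standard field ACTVT, where
* 01 = create and 03 = display are the permitted activities.
*---------------------------------------------------------------------*
REPORT z_button_auth_demo.

CLASS lcl_button_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS c_object TYPE xuobject VALUE 'Z_BTN_ACT'.
    " Returns abap_true when the current user holds iv_actvt for
    " Z_BTN_ACT. The check only reads the user buffer, so calling
    " it once per click is cheap.
    CLASS-METHODS is_allowed
      IMPORTING iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_button_auth IMPLEMENTATION.
  METHOD is_allowed.
    AUTHORITY-CHECK OBJECT c_object
      ID 'ACTVT' FIELD iv_actvt.
    " Test sy-subrc immediately; the next statement may overwrite it.
    "  0 = authorized
    "  4 = object assigned, but not with this activity
    " 12 = object not assigned to the user at all
    " 24 = field/value combination does not fit the object definition
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" PAI of the screen that carries the two custom buttons. The function
" codes are assumed; create_entry and show_entries stand for the
" program's own popup, INSERT into the custom table and ALV refresh.
MODULE user_command_0100 INPUT.
  DATA lv_ok TYPE abap_bool.

  CASE sy-ucomm.
    WHEN 'BTN_CREATE'.
      lv_ok = lcl_button_auth=>is_allowed( '01' ).
      IF lv_ok = abap_true.
        PERFORM create_entry.
      ELSE.
        MESSAGE 'No authorization to create entries' TYPE 'E'.
      ENDIF.
    WHEN 'BTN_SHOW'.
      lv_ok = lcl_button_auth=>is_allowed( '03' ).
      IF lv_ok = abap_true.
        PERFORM show_entries.
      ELSE.
        MESSAGE 'No authorization to display entries' TYPE 'E'.
      ENDIF.
  ENDCASE.
ENDMODULE.

FORM create_entry.
  " Program's own logic: show the popup, collect the data,
  " INSERT into the custom table, refresh the ALV grid.
ENDFORM.

FORM show_entries.
  " Program's own logic: read the custom table into the ALV grid.
ENDFORM.
```

Two things the check alone does not give you. First, the check has to be coded exactly at the point where the action happens (the PAI branch above), not at program start; a test at initialization is bypassed by anyone who reaches the screen another way. Second, after the object exists, maintain it with a check indicator for the transaction in SU24 so that PFCG pulls it into the roles automatically; otherwise every role that needs it has to be edited by hand.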

Similar Messages

  • Analysis Authorization Migration Question

    This is a detailed question.
    1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
    2)     We have 2 InfoObjects flagged as authorization relevant: 0COMP_CODE and 0COSTCENTER.
    3)     We have object-level security set up in the BW 3.x system, and for a role we have specified values like 0COMP_CODE has the values 1000, 1800, ":". In the same role we have specified 0COSTCENTER values 130001 to 180001, ":" and a hierarchy node.
    4)     When we migrate to Analysis Authorizations using RSEC_MIGRATION, this program creates 2 authorizations, ZCOCODE00 & ZCOSTCTRH00. Both of them have the 0COMP_CODE and 0COST_CENTER objects.
    5)     ZCOCODE00 gets 0COMP_CODE values 1000, 1800, ":" and 0COSTCENTER value ":".
    6)     Along the same lines, ZCOSTCTRH00 gets the values 130001 to 180001, ":" and 0COMP_CODE ":".
    Questions:
    1)     Why does it create 2 authorizations?
    2)     During checking it does not pass the authorizations, because it seems to me that it fails in the optimization process.
    3)     If I manually merge the authorizations into ONE object, then the authorization check passes. In other words, if I combine ZCOSTCTRH00 & ZCOCODE00 then the query authorization check passes.
    Is anyone else struggling with this?
    Please note, I am doing the migration so that it updates existing profiles (roles now from SP9).
    Any comments will be very helpful.
    Pankaj Gupta

    Hello Pankaj,
    There are some basic misunderstandings on your side.
    Let me try to clarify:
    First we should distinguish between the migration of authorizations and what a query does with them.
    You had 2 auth objects before migration (in 3.x).
    Of course, they must be migrated to 2 new analysis auths.
    There is no general possibility to combine authorizations into a single one, as they may appear in different roles and users. Moreover, this would kill performance and finally, nobody would recognize the origin.
    Only in very restricted cases could one think of combining auths which come out of migration. But then people lose the overview of what goes on.
    Before the corrections in note "Migration IV" the ":" had not been inserted, but now it is, for good reasons.
    Now, accept for the moment that you receive 2 auths.
    Then, you cannot (must not) combine the 2 resulting authorizations!
    Authorization 1
    COMP_CODE: 1000, 1300, ":"
    Cost Center: ":"
    Authorization 2
    Comp_Code: ":"
    Cost Center: 3100001-31999999; ":" plus a hierarchy node.
    This means that e.g. the combination
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    is not allowed!!! Therefore, they must not be combined!
    Also, the query and its optimization are completely independent of the migration. And here, during query run time, the auths cannot be combined. It is not a failure!
    Moreover, the merging optimization is just a performance optimization and has nothing to do with whether the query result is authorized or not.
    If you combine them manually you have authorized different combinations.
    Well, now you may wonder why you get 2 auths at all, which leads to a "no auth" result in the query execution.
    The reason is that in 3.x, where you got a result with your 2 auth objects, the modeling was wrong.
    If you want to authorize any combination of characteristic values, you should combine these characteristics together in one auth object, not in 2!
    (In BI 7.0 it works like that, but not in 3.x.)
    But you defined 2, which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigned to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results, which is also not satisfying.
    Therefore, instead, the mechanism was introduced to insert a ":" auth for those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
    In your special case it may have made sense to combine them, but not in general. And a migration can only try to work as generally as possible.
    For your application you may combine the 2 auths manually if you also want to allow the crossover combinations
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    Best regards
    Peter John
    BI Development

  • HR ABAP Custom Authorization Check

    Hi all,
    We know that an implicit authorization check is carried out: the system determines whether the user has the authorizations required for the organizational features of the employees selected with GET PERNR.
    I have a question: if we create a custom authorization, is this custom authorization checked or not?
    Thanks in advance.

    There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going nowhere.
    Some special differences are:
    - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context-specifically in SU24. You can create custom objects within SAP classes.
    - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
    - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secure to use for CALL TRANSACTION).
    This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept, to be able to create consistent customer implementations of SAP products.
    Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

  • Authorization checks for PNP LDB

    Question 1: how to validate authorization checks for the PNP logical database?
    Question 2: HR report
    This report is basically for a salary survey. In it I have so many fields; can anybody let me know how I can form the internal tables? I have to display 150 fields overall in a CSV file; how can I get them into the final internal table?
    What is the logic behind this:
    T71JPR09-JOBCODE
    PA0000-PERNR
    HRP1000-STEXT
    P0006-PSTLZ
    PA0008-ANSAL * 100 / PA0008-BSGRD
    PA0015-BETRG
    PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
    And so on.
    Please give me the steps on how I can proceed.

    Hi,
    The PNP logical database will take care of the authorization check. It will not execute if the user does not have the authorizations.
    Hope this helps.

  • Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

    We want to add an authorization check in routine rssm_routines_maintain. This is in the InfoPackage scheduler, in the Data Selection tab, under the column Type, after selecting type=6 (ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
    Two questions:
    1) Is there any other way we can control who can create/change ABAP code by this method ?
    2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
    Your help would be appreciated.
    Robert Begin,
    450-677-9411 or
    514-924-4311
    or email at [email protected]

    Hi Chandran, we need to restrict a certain group of BW developers from writing code in the ABAP routine (option 6) in the InfoPackage, Data Selection tab, column Type.
    The concern is that a person with access to write ABAP code can practically do as he/she pleases with it, and that is a concern.
    Do you have any solution/suggestions to lock this down?
    Much appreciated,
    Regards,
    Robert.

  • Authorization Check Infotype Header

    Hi all,
    I posted the following thread in the HCM forum, but I think it is also a question for the ABAP forum:
    Authorization Check Infotype Header
    Thanks & regards

    1. Authorisations in HR cannot be controlled at infotype-header level and/or infotype field level.
    2. If only a few fields of a specific infotype are to be allowed for a user, the most effective way of doing it is by creating a view for the infotype with only the allowed fields in it.
    3. Another way of doing it is (potentially) by way of a custom authorisation object, but then again your requirement does not go into explicit details, so this option is a possibility you may want to do some due diligence on.
    cheers

  • Disable authorization check RH_STRUC_GET

    Hi,
    Is there a possibility to use FM RH_STRUC_GET and to disable the authorization check, similar to 'HR_READ_INFOTYPE_AUTHC_DISABLE' for FM HR_READ_INFOTYPE?
    Thanks for the help

    Stupid question - solved by myself.

  • Authorization check in WDA

    Hello Gurus,
    I have two different types of users. Based on an authorization check I should take them to the respective view. Basically, I have 5 views; for type A users, I should take them through views 1 to 5, for type B users, through views 3 to 5. Please let me know how I can achieve this, with the necessary code/screenshots. (Should I create 2 authorization objects?)
    Thanks,
    David

    Hi David,
    I'm going to put my pseudo-moderator hat on for a moment, please bear with me, but the quality of this forum, and that includes the questions as well as the answers, is important to me.
    Have you searched the forum for prior posts?
    I have seen some very similar questions answered before - perhaps you could have a look, and if these are not enough to help you, could you let us know what it is that these prior posts do not answer for you.
    Thanks,
    Chris

  • Authorization check flow

    Hello Folks,
    I wonder if some one can help clearing a doubt of mine.
    The standard definition one finds on the net for authorization check maintenance in SU24 for transactions is:
    CM = Check performed AND object added in PFCG when the tcode is added to the role.
    C = Check performed BUT object not added in PFCG when the tcode is added to the role.
    N = No check, OR the check will return sy-subrc = 0 even if the user does not have the authorization.
    U = Unknown. A check may or may not be hardcoded in the program.
    My take on the above definitions is:
    Example object: V_VBAK_AAT
    If
    CM for V_VBAK_AAT: the object is included in the role while working with PFCG.
    As per the definition, the check is performed on the object and the object is added.
    Question 1: Even if the object is maintained as CM, it would not make a difference if the check is not coded in the program (AUTHORITY-CHECK). Would it?
    If
    C: check performed but object not added
    Question 2: If a check is going to be made on this object, why not include it in the role, i.e. mark it as CM? I was once told that these are objects that are most commonly used and hence, from a BASIS point of view, the role buffer will have that much less authorizations to load. But that does not ring true to me.
    If
    N: the check will return value 0, thereby allowing the user through even though he does not have the authorization to do so
    Question 3: Why suppress a check that is coded into the program in the first place? After all, the whole idea of security is that "any authorization not explicitly assigned" means NO AUTHORIZATION.
    For the last couple of years that I have been working on this, I have accepted this, as one would, as the bible :-)...
    But now I wonder if there will be some enlightenment....
    Regards,
    Prashant

    >
    Prashant Pasala wrote:
    >
    > Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
    No, it wouldn't. The check has to be coded.
    >
    Prashant Pasala wrote:
    > Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
    >
    Because you would have many obsolete objects in your role, depending on the setup of your applications, the org structure and several other things (mostly in configuration), whether an extension set is active, whether a special IS is used ...
    >
    Prashant Pasala wrote:
    > Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
    >
    Here one can only guess. One scenario might be: due to a bug in an SAP standard BAPI you deactivate the check until you get a correction from SAP. You have to do this to keep the business running ...
    Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM

  • Kanban authorization checks (SU24, PK13N, PK*)

    Hi,
    Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
    In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
    However, the related auth objects in SU24 are not enabled (check indicator = do not check). This seems strange for these authorization objects.
    Especially in light of SoD. Users could create POs or do goods receipts via PK13 without a proper auth check, and these 2 functions conflict already (using the default GRC ruleset).
    But that's beside the point. The question is: Is there a good reason why these are disabled, and how is this NOT a security risk?
    Now, there is one object that is enabled: C_KANBAN
    But I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
    For reference, a list of disabled auth objects:
    C_STUE_WRK CS BOM Plant (Plant Assignments)
    C_TCLS_MNT Authorization for Characteristics of Org. Area
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_FICA_CTR Funds Management Funds Center
    F_FICA_FTR Funds Management FM Account Assignment
    F_FICB_FKR Cash Budget Management/Funds Management FM Area
    F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
    F_LFA1_APP Vendor: Application Authorization
    F_SKA1_BUK G/L Account: Authorization for Company Codes
    L_BWLVS Movement Type in the Warehouse Management System
    L_LGNUM Warehouse Number / Storage Type
    M_BANF_BSA Document Type in Purchase Requisition
    M_BANF_EKG Purchasing Group in Purchase Requisition
    M_BANF_EKO Purchasing Organization in Purchase Requisition
    M_BANF_WRK Plant in Purchase Requisition
    M_BEST_BSA Document Type in Purchase Order
    M_BEST_EKG Purchasing Group in Purchase Order
    M_BEST_EKO Purchasing Organization in Purchase Order
    M_BEST_WRK Plant in Purchase Order
    M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
    M_MRES_BWA Reservations: Movement Type
    M_MRES_WWA Reservations: Plant
    M_MSEG_BWA Goods Movements: Movement Type
    M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
    M_MSEG_BWF Goods Receipt for Production Order: Movement Type
    M_MSEG_LGO Goods Movements: Storage Location
    M_MSEG_WMB Material Documents: Plant
    M_MSEG_WWA Goods Movements: Plant
    M_MSEG_WWE Goods Receipt for Purchase Order: Plant
    M_MSEG_WWF Goods Receipt for Production Order: Plant
    M_RAHM_BSA Document Type in Outline Agreement
    M_RAHM_EKG Purchasing Group in Outline Agreement
    M_RAHM_EKO Purchasing Organization in Outline Agreement

    Hi Steven
    > Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
    Unfortunately this is all too common. However, I have found that a lot of the time it is a Level 1 support person in SMP advising you of this. With perseverance and escalation to the next level the chance of a fix is greater (still not a guarantee).
    It's a pity; if it is working as per design they could explain why.
    MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transactions and the SU24 allows you to perform changes (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction.
    I get the impression SU24 and some other security (e.g. authority check on '' instead of DUMMY) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
    You could also look at SE97 to see if the check for CALL TRANSACTION can be switched to yes, so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION).
    Regards
    Colleen
    P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

  • Authorization checks vs ST01 data

    Experts, my 1st post.
    I just tried to find something on the forum about my issue and could not find anything.
    Question: How can ST01 show that the user passed the authorization check if he has authorization for a different fixed value?
    The user has VKORG assigned as MX* in 2 different roles. Using SE16 on AGR_1252 for both roles I see the value MX*.
    I opened ST01, set it for the user and received the messages below. See that the first line has VKORG= ;
    20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
    20:18:34:434   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
    20:18:34:434   AUT.       - - -     V_VBRK_FKA RC=0     FKART=F2;ACTVT=01;
    20:18:35: 4   AUT.       - - -     P_ORGIN    RC=0     INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:35: 7   AUT.       - - -     P_ORGIN    RC=0     INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:35:11   AUT.       - - -     P_ORGIN    RC=0     INFTY=0900;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:36:133   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
    20:18:36:133   AUT.       - - -     V_VBRK_FKA RC=0     FKART=ZLAT;ACTVT=01;
    20:18:37:888   AUT.       - - -     S_CTS_ADMI RC=0     CTS_ADMFCT=TABL;
    The problem is that the user, while executing a procedure to create a few invoices, gets them with ZERO "0" value.
    In most cases there is no problem with it; this happens sometimes.
    Sorry if I could not express it right; I will put more information if needed.
    Regards.
    Vladimir

    >
    Jurjen Heeck wrote:
    > > 20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
    >
    > I think (not completely sure here) the authorization check above just checks the activity and does not bother about the value of the VKORG field.
    >
    Hi Jurjen,
    you are right. This is a typical case of the check with value 'DUMMY'.
    b.rgds, Bernhard
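
    An added example, not code from the thread, showing the two forms of check that produce the two V_VBRK_VKO lines in Vladimir's trace. The class, variable names and the choice of which activity goes with which form are mine; V_VBRK_VKO with its fields VKORG and ACTVT is the object from the trace.

```abap
*---------------------------------------------------------------------*
* Added example (not from the thread): why ST01 logs "VKORG= ;" for
* one V_VBRK_VKO check and "VKORG=MX02;" for the next.
*---------------------------------------------------------------------*
REPORT z_dummy_check_demo.

CLASS lcl_vbrk_auth DEFINITION.
  PUBLIC SECTION.
    " Mirrors the first trace line: only the activity is compared,
    " VKORG is deliberately skipped with DUMMY and ST01 logs the
    " field with an empty value. Any user holding ACTVT 19 for the
    " object passes, whatever sales organizations the role carries.
    CLASS-METHODS may_read_any_org
      RETURNING VALUE(rv_ok) TYPE abap_bool.

    " Mirrors the second trace line: both fields are compared with
    " the user buffer, so MX* in the role matches MX02.
    CLASS-METHODS may_change_org
      IMPORTING iv_vkorg     TYPE vbrk-vkorg
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_vbrk_auth IMPLEMENTATION.
  METHOD may_read_any_org.
    AUTHORITY-CHECK OBJECT 'V_VBRK_VKO'
      ID 'VKORG' DUMMY
      ID 'ACTVT' FIELD '19'.
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ELSE.
      rv_ok = abap_false.
    ENDIF.
  ENDMETHOD.

  METHOD may_change_org.
    " Do not pass an initial iv_vkorg here: FIELD space is a real
    " comparison against the value ' ' and is not the same as DUMMY.
    " A role with VKORG = * still passes, a role with MX* does not.
    AUTHORITY-CHECK OBJECT 'V_VBRK_VKO'
      ID 'VKORG' FIELD iv_vkorg
      ID 'ACTVT' FIELD '01'.
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ELSE.
      rv_ok = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_ok TYPE abap_bool.

  lv_ok = lcl_vbrk_auth=>may_read_any_org( ).
  WRITE: / 'Activity-only check (DUMMY on VKORG):', lv_ok.

  lv_ok = lcl_vbrk_auth=>may_change_org( 'MX02' ).
  WRITE: / 'Full check for VKORG MX02, ACTVT 01: ', lv_ok.
```

    Reading the trace with this in mind: every line Vladimir posted has RC=0, so none of those checks rejected the user; the empty VKORG on the first line is the DUMMY form, not a blank value in the role. In custom code, use DUMMY only when the field genuinely should not restrict the action; for an organizational field like VKORG that you do want to restrict on, pass the real value.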

  • Authorization Checks of Project in Incident

    Hello experts!
    I need to implement an authorization check of the project in the SMIN incident. I want to use BAdI CRM_ORDER_AUTH_CHECK. I found the authorization object S_PROJ_GEN. But I have questions.
    How is the project related to the incident GUID or number?
    Is it possible to display the field "Project" in the assignment block "Details"? The field Project is in the assignment block "Details" of the Request for Change.

    How do I define the relationship of the incident with the project? Which standard function modules and tables are there? Thanks!

  • Authorization Checks in Z programs

    Dear Experts,
    First of all, thanks for your time. We're being asked to review each functional specification in the company to suggest to the development team the standard objects that should be included in the code in order to restrict access within each development. My understanding was that, as a standard practice, developers only use BAPIs, standard functions or CALL TRANSACTION in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a BAPI associated with VA01, the objects in the code for VA01 are being checked). The exception to this is reports, for which we have a Z object with most of the organizational values like Company Code, Plant, etc. to allow restrictions to take place (and developers are supposed to include this check in their code).
    My first question is: is it true that BAPIs, standard functions and CALL TRANSACTION use the regular standard objects when being executed?
    If this is the case, is there any point in suggesting the objects to be checked to the developers? It looks as if this would be redundant, as SAP is making sure they're being checked when BAPIs, standard functions and CALL TRANSACTION are executed... (exception made for reports, as mentioned)
    Thanks a lot for your help!!
    Best regards,
    CMPT

    Hi,
    It is always a good idea for the Z transaction review to be performed by the security consultant. After all, it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction.
    In case the custom transaction has been created similar to, or is an enhancement of, a standard SAP transaction, then it is always a good idea to have at least the same authorization checks for the Z txn also.
    For new developments you need to ensure that the authorization checks are implemented based on the functionality of the txn and the data it manipulates. For example, if you have a Z txn to make changes to purchase orders, you need to ensure that the program checks for change activity for Purchasing Org, Purchasing Group and Plant values and any other authorization-relevant data.
    The auth objects to be used depend entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible. Else create new auth objects as per requirement.
    Regards,
    Sanju
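
    An added example, not Sanju's or the poster's code, of what "check change activity for Purchasing Org, Purchasing Group and Plant" looks like in a Z transaction that changes purchase orders. It uses the standard objects M_BEST_EKO, M_BEST_EKG and M_BEST_WRK that appear in the Kanban list further up this page; the field names EKORG, EKGRP and WERKS are what I expect those objects to carry and should be confirmed in SU21. The class name and the document number are illustrative.

```abap
*---------------------------------------------------------------------*
* Added example (not from the thread): authorization for changing a
* purchase order in a Z transaction, checked per organizational value.
* Field names of the standard objects are assumed; confirm in SU21.
*---------------------------------------------------------------------*
REPORT z_po_change_auth_demo.

CLASS lcl_po_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS c_actvt_change TYPE activ_auth VALUE '02'.
    " Checks the header-level org values and every item plant of the
    " document. Fails closed: the first missing authorization ends the
    " check and names the object in ev_failed_object.
    CLASS-METHODS may_change_po
      IMPORTING iv_ebeln                TYPE ekko-ebeln
      EXPORTING ev_failed_object        TYPE xuobject
      RETURNING VALUE(rv_allowed)       TYPE abap_bool.
ENDCLASS.

CLASS lcl_po_auth IMPLEMENTATION.
  METHOD may_change_po.
    DATA: ls_ekko  TYPE ekko,
          lt_werks TYPE STANDARD TABLE OF ekpo-werks,
          lv_werks TYPE ekpo-werks.

    rv_allowed = abap_false.
    CLEAR ev_failed_object.

    SELECT SINGLE ekorg ekgrp FROM ekko
      INTO CORRESPONDING FIELDS OF ls_ekko
      WHERE ebeln = iv_ebeln.
    IF sy-subrc <> 0.
      RETURN.   " unknown document: treat as not authorized
    ENDIF.

    AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
      ID 'EKORG' FIELD ls_ekko-ekorg
      ID 'ACTVT' FIELD c_actvt_change.
    IF sy-subrc <> 0.
      ev_failed_object = 'M_BEST_EKO'.
      RETURN.
    ENDIF.

    AUTHORITY-CHECK OBJECT 'M_BEST_EKG'
      ID 'EKGRP' FIELD ls_ekko-ekgrp
      ID 'ACTVT' FIELD c_actvt_change.
    IF sy-subrc <> 0.
      ev_failed_object = 'M_BEST_EKG'.
      RETURN.
    ENDIF.

    " Plant is an item attribute; check each distinct plant once.
    SELECT DISTINCT werks FROM ekpo INTO TABLE lt_werks
      WHERE ebeln = iv_ebeln.
    LOOP AT lt_werks INTO lv_werks.
      AUTHORITY-CHECK OBJECT 'M_BEST_WRK'
        ID 'WERKS' FIELD lv_werks
        ID 'ACTVT' FIELD c_actvt_change.
      IF sy-subrc <> 0.
        ev_failed_object = 'M_BEST_WRK'.
        RETURN.
      ENDIF.
    ENDLOOP.

    rv_allowed = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lv_allowed TYPE abap_bool,
        lv_failed  TYPE xuobject.

  lcl_po_auth=>may_change_po(
    EXPORTING iv_ebeln         = '4500000001'   " illustrative number
    IMPORTING ev_failed_object = lv_failed
    RECEIVING rv_allowed       = lv_allowed ).

  IF lv_allowed = abap_true.
    WRITE: / 'Change allowed; continue with the update.'.
  ELSE.
    MESSAGE e398(00) WITH 'No change authorization:' lv_failed.
  ENDIF.
```

    The point of checking the three objects separately, with the values read from the document being changed, is that the check reflects the data the transaction actually manipulates, which is what Sanju's reply asks for; a single check on a generic Z object with organizational fields would not tell you which standard object the user's role is missing, and a role built from the standard transaction's SU24 entries would not satisfy it.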

  • Authorization check - customer exit EXIT_SAPLRRS0_001

    Hi gurus,
    A question on the customer exit EXIT_SAPLRRS0_001 related to i_step = 0 (authorization check).
    I have two InfoObjects: 0WS_CAT and 0WSCATQ. The latter is compounded to 0WS_CAT.
    In the exit I need to check 0WS_OBSFLAG (a simple flag attribute) to determine whether the entries in the 0WSCATQ master data are valid or not.
    If I find that the entry is valid I add the value to the e_t_range export table in this way:
    data l_s_range type rsr_s_rangesid.   " line type of e_t_range
    if ( i_step = 0 ).
        clear l_s_range.
        l_s_range-sign = 'I'.
        l_s_range-opt = 'EQ'.
        l_s_range-low = '00000001'.
        append l_s_range to e_t_range.
    endif.
    The problem is the compound: how can I specify the value of the key for the export table?
    For example, in the table I have three entries:
    0001 00000001 #
    0002 00000001 X
    0003 00000001 #
    The valid entries are:
    0001 00000001 #
    0003 00000001 #
    How can I specify '0001' or '0003'? Because if I assign only the value '00000001' to l_s_range-low, then the entries valid in the authorization for 0WS_CATQ are three and not two.
    It's important for me to find a solution.
    Regards, Roberto

    Hi Roberto,
    You have to build your logic into a variable for the other InfoObject 0WS_CAT and find your values 0001 and 0003 the way you described.
    You might have to restrict the selection for 0WSCATQ to a single value, in case you have a record like this in addition to the 3 you have listed:
    0002 00000005 #
    Best,
    Ralf

  • Authorization check problem

    Hello,
    I would like to know if it is somehow possible to add an extra authorization check to a transaction. When transaction PA20 is executed, the following authorization objects are checked:
    PLOG
    P_ORGIN
    P_PCLX
    P_PERNR
    None of these objects allow filtering by company code. Could I modify PA20 so that it checks an extra object to filter by company code without writing any code?

    Hi Jesus,
    As Jose mentioned, using the org key (VDSK1) is the easiest way and the one recommended by SAP.
    But if you are already using it for some other purpose, some options are available to you:
    1- Use the standard string split option to use a part of the VDSK1 (IMG) to capture the company code.
    2- You can modify PA20 in the user exit section, through transaction code PM01. But again, I would recommend using the VDSK1; it is much simpler and well supported by SAP.
    Hope 2- answered the second part of your question. Cheers
    Jean-Michel
