Authorization checks in WDA View
Hi All,
I have a single WDA Compnent having one View. This View has some buttons that only certain users should be allowed to access. So I need to carry out authorization checks in Backend. Can someone please give me an example of how to proceed on such a scenario? Appreciate your help.
Thks in advance, Liz
Hi Liz..
1) Create a field Zatt " tcode:su20"and assign DATa Element (Type : WDYBOOLEAN).
2) Create an ObjetClasse Zclass "tcode: su21"
3) In this objectclass you create an authorization Object. Z2 that contain ACTVT and the Field Zatt .
4) Now you can create one role "tcode : pfcg" with one authorization Z2 -> assign tha ACTVT : 03 and the Zatt to false.
5) Assign this role to the user that "tcode: SU01".
Finally in the WDY componant, you create a node with an attribute : Visibility type WDYBOOLEAN.
you bind the attribute VISIBLE of boutons that you like to Hide .
Finally -> In the method WDDOINIT of the main Insert this code :
Authority-check Object 'ROLE_NAME'
ID 'ACTVT' Field '03'
ID 'Zatt' FIELD Visibility.
IF sy-subrc EQ 0.
Visibility = 'X'.
lo_el_NADE_NAME->set_attribute(
name = `NODE_NAME`
value = Visibility ).
ENDIF.
Hope It's Help
Best Regards
Edited by: Jcrios on Jun 4, 2010 4:21 PM
Similar Messages
-
Hello Gurus,
I have two different types of users. Based on authorization check I should take them to respective view. Basically, I have 5 views, for type A users, I should take them from 1 thru 5 views. for type B users, I should them from 3 thru 5. Please let me know how can I achieve this with necessary code/screen shots. (should I create 2 authorization objects).
Thanks,
DavidHi David,
I'm going to put my pseudo-moderator hat on for a moment, please bear with me, but the quality of this forum and that include the questions as well as the answers is important to me.
Have you searched the forum for prior posts?
I have seen some very similar questions answered before - perhaps you could have a look and if these are not enough to help you could you let us know what it is that these prior posts do not answer for you.
Thanks,
Chris -
Error - No authorization for object while viewing transformations in BI 7.0
Folks,
In BI 7.0, In the Data flow diagram, when I had tried to click on the transformation sybmol, system is throwing an error message No authorization for object (authorization object ) Message no. RS_EXCEPTION250
Do I need to request for authorization to just view transformations or is this error something different ?
ThanksDid SU53 and below is theauthorization info. Does quality system usually not have access even to display/read transformations for func people ???
Authorization check failed
Object Class RS Business Information Warehouse
Authorization Obj. S_RS_DTP Data Warehousing Workbench - Data Transfer Process
Authorization Field ACTVT Activity
03
Authorization Field RSONDTPSRC Source
DTP_46UAQF4V7BE5JR0I3HKLLC6D2
Authorization Field RSONDTPTGT Target
ZSD_DEL
Authorization Field RSSTDTPSRC Subtype of the Source
Authorization Field RSSTDTPTGT Subtype of the Target
Authorization Field RSTLDTPSRC Type of Source
DTPA
Authorization Field RSTLDTPTGT Type of Target
ODSO
User's Authorization Data xxxx
Object Class RS Business Information Warehouse
Authorization Object S_RS_DTP Data Warehousing Workbench - Data Transfer Process
Authorizat. Z:GEFUNONC00 Data Warehousing Workbench - Data Transfer Process
Profl. Z:GEFUNONC Profile for role Z:GENAPO_FUNC_ONCALL
Role Z:GENAPO_FUNC_ONCALL Generic APO Fucntional Oncall Role
Authorization Field ACTVT Activity
03, 16, 23
Authorization Field RSONDTPSRC Source
Authorization Field RSONDTPTGT Target
Authorization Field RSSTDTPSRC Subtype of the Source
ATTR, HIER, TEXT
Authorization Field RSSTDTPTGT Subtype of the Target
ATTR, HIER, TEXT
Authorization Field RSTLDTPSRC Type of Source
CUBE, IOBJ, ISET, ODSO, RSDS, TRCS
Authorization Field RSTLDTPTGT Type of Target -
Direct database data access without data level authorization check
Hello,
My customer raised issue about direct database data access. Due to the customeru2019s strong security policy, it shouldnu2019t be allowed.
To prevent this kind of illegal data access, customer ask me to list up all the possibilities to display data without data level authorization check.
The things in my mind are
SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
Data Browser : SE11, SE12, SE16, SE16N, SE17
Table Maintenance : SM30
Function Module : RFC_READ_TABLE
Function Module : DB_EXECUTE_SQL (DML)
Anyone knows anything which is not listed above?
ThanksHI,
Generally in production user's should not be given all these authorizations.
Ram. -
LDB PNP authorization check at record level - rp_provide_from_last
hi,
i am using LDB PNP,
I am using macro 'rp-provide-from-last' .
I neeed to place a authorization check so that the user of the program should only be allowed to view records of the people which comes under the same personnel area as of the user of the program.
Can you please guide me on how to implement this?
thanks in advance,
akash.Hi,
(1)
Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some case you do not work with LDB report, then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
P_ORGIN HR: Master Data
PLOG Personnel Planning
P_PCLX HR: Clusters
P_TCODE HR: Transaction codes
Sample of checking personal area:
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
FIELD1 = ' PERSA'
OBJECT = 'P_ORGIN'
USER = 'SAPSUPPORT1'
VALUE1 = 'Z001'
EXCEPTIONS
USER_DONT_EXIST = 1
USER_IS_AUTHORIZED = 2
USER_NOT_AUTHORIZED = 3
USER_IS_LOCKED = 4
OTHERS = 5.
IF SY-SUBRC NE 2.
MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls! -
Authorization Check in Personnel Cost Planning (PA-CP)
Dear Experts,
We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
We are using SAP ECC 6.0.
Has anyone encounter the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
Thanks very much in advance.
AlexHi Alex,
I am not very sure about Personnel Cost Planning,
But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
1) Switch on Trace using ST01.
2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
3) Anlayse the trace document and identify all the authorization object.
4) BUild a new role with the auth objects and assign to test user id.
5) test and confirm that the authorizations are not too many or too less.
A time consuming but thorough approach.
hope this helps. -
Authorization check for a program/table
Hi ,
Can anyone help me out in
How to do authorization check for an abap program and also a table.
I have no idea about the authorizations.
My requirement is that I need to do the authorization check in such a manner that only users having a certain profile
1. should be able to execute the program
2. View of the entries of the table.
Thanks & Regards,
KeerthiHello Keerhi ,
I got you wrong at first!
If you want to have only certain users to be able to do certain operations, then you need to assign the appropriate roles to those users!
First find the role
second add the user in the role ( PFCG T code---> USers tab)
Raj -
Authorization Check Infotype Header
Hi all,
i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
Authorization Check Infotype Header
Thanks & regards1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
cheers -
Hi all,
Iam having a requirement that i need to perform the authorization check for the portal users.
ie, my report is based on the input companycode and customer number, So it should allow the user
to view the report only he has been authorized for that company code.
Can anyone help me out in this..
Thanks
Nehru.There is no difference in how you perform an authorisation check in BSP to any other ABAP application.
Just use the ABAP AUTHORITY-CHECK OBJECT syntax as usual.
Cheers
Graham Robbo -
Include an authorization check in program
Hello,
I am new to SDN .
I got a requirement where i have to include an authorization check in programs this is required for all custom programs before they are added to roles . I am not sure what i have to do it .
These programs if i try to open in se38 , i cannot view them .
How do i include authorisation checks .
Please let me know step by step .
i will be grateful.
thanks
sumit
Edited by: sumit123 on Jan 20, 2010 9:52 AMHi Sumit,
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
Check this link.
The following actions are authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid: .
1.Starting SAP transactions (authorization object S_TCODE)
2.Starting reports (authorization object S_PROGRAM)
3.Calling RFC function modules (authorization object S_RFC)
4.Table maintenance with generic tools (S_TABU_DIS)
Authority check is done to restrict the execution of a report to certain users.
Basis creates a authorisation group , includes certain roles in it, to which authorisation should be given.
If one's id has that role then he is authorised to execute the report..
IN the report the below code is written to do auth. check
Authority check on plant
AUTHORITY-CHECK OBJECT 'ZMMD_PROD'
ID 'WERKS' FIELD wf_werks.
Here authorisation is done on plant. and the authorisation object is ZMMD_PROD(to be created by BASIS) -
Hello Folks,
I wonder if some one can help clearing a doubt of mine.
The standard definition one finds on the net for Authorization check maintenance in SU24 for transactions is:
CM = Check performed AND object added in PFCG when tcode added to the role.
C = Check performed BUT object not added in PFCG when tcode added to the role.
N = No check OR check will return sy-subrc = 0 even if the user does not have the authorization.
U = Unknown. A check will may be hardcoded in the program, or maybe not.
My take on the above definitions is:
example object: V_VBAK_AAT
if
CM for V_VBAK_AAT the object is included in the role while working with PFCG.
As per the definition check performed on object and object added.
Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
If
C check performed but object not added
Question 2: If a check is going to be made on this object, why not include it in the role i.e mark it as CM? I was once told that these are objects that are most commonly used and hence from a BASIS point of view that the roll buffer will have that much less authorizations to load. But that does not ring true to me.
If
N - check will return value 0 thereby allowing the user through even though he does not have the authorization to do so
Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
For the last couple of years that i have been working on this, i have accepted this, as one would, the bible :-)...
But now i wonder if there will be some enlightenment....
Regards,
Prashant>
Prashant Pasala wrote:
>
> Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
no, it wouldn't. the check has to be coded.
>
Prashant Pasala wrote:
> Question 2: If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
>
because you would have many obsolete objects in your role, depending on the setup of your applications, the org-structure and several other things (mostly in configuration), whether an extension-set is active, a special IS used ...
>
Prashant Pasala wrote:
> Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
>
here one can only guess. one scenario might be: due to a bug in a SAP standard BAPI you deactivate the check until you get a correction from SAP. you have to do this to keep up the business ...
Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM -
Authorization checks for bank account number in vendor master
I am trying to find a way to set up authorization checks for specific fields in the vendor master: LFBK-BANKL, LFBK-BANKN, LFBK-EBPP_ACCNAME and LFBK-EBPP_ACCNAME. I am tring to set ip up so that if you have access to transactions FK03 or XK03, you can view vendor master data except for the above fields.
Does anyone know of a way to accomplish this? Your help will be greatly appreciated.
Thanks
-PeruHI Peru,
To supress a field in FK03 u will have to check
Financial Accounting (New)>Accounts Receivable and Accounts Payable>Vendor Accounts>Master Data>Preparations for Creating Vendor Master Data-->Define Screen Layout per Activity (Vendors)
in that Display Vendor (Accounting) for FK03 and Display vendor (centrally) for Xk03
But there bank account no is not there.
Moreover there r no authorization objects for all the fields that u gave.
So try creating screen variant/ transaction variant in SHD0.
Regards,
Kiran -
Regarding authorization checks
Dear forumers,
I have a new custom transaction code, and this transaction code is defined for a custom report program.
The custom report program provides end users with an interface to view and manually maintain data records in a custom table.
I wish to add authorization checks to this via SU24. After doing this, however, I noticed that if a user without the necessary authorization is unable to access the custom transaction code, he is still able to run it via SE38 by entering the custom program name.
How can this be resolved - so that, for a user who does not have the sufficient authorization, he cannot access both the transaction code and the program name manually?
Appreciate any advice on this at all. Thanks.If that is a custom program you can put the following in your program code before processing starts, right after START-OF-SELECTION and throw an error message if the function returns anything other than value 2. Replace VA42 with your transaction code
This will ensure that the user won't be able to executed it in SE38 even, if they don't have authorization to execute the transaction
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
user = sy-uname
object = 'S_TCODE'
field1 = 'TCD'
value1 = 'VA42'
EXCEPTIONS
user_dont_exist = 1
user_is_authorized = 2
user_not_authorized = 3
user_is_locked = 4
OTHERS = 5.
IF sy-subrc NE 2.
MESSAGE TYPE 'E'....
ENDIF. -
Authorization check on Z report
Hello Experts,
We had a requirement to develop a report which would combine the features of V.14 and V23 with some additional features like removing delivery blocks and billing blocks.
We want to add some authorization checks so that some people are restricted to view information of only some sales organizations and some people like management will have a broader authorization to view details of multiple sales organizations. How can we acheive this?
For example in SU23 when we run our custom T code we do not see the authorization object which is used in the program. We are currently using VBAK_VKO in our program.
Thanks and regards.
ES.Hi,
Adding to above replies, are you calling V.14 and V23 in your custom program or you created your own login in Z program? If standard tcodes are being called, make sure that appropriate restrictions are placed in SE97 tcode for the Z tcode.
In SU24, you will have to add the object to the Z tcode. You will not see it automatically. But make sure that the authority check is there in program (can verify by a ST01 trace).
As Anika said, you can create separate roles for each required sales organization.
Thanks -
Hi all,
Need to enforce an authorization check on KE24 for certain users are allowed to view records pertaining to some profit centers.
SAP suggested to use KE97 for Authorization Check.
If anybody knows step-by-step document to do this pls share with me.
ThanksHI,
well, I know that this own-defined authorization objects are working well (I used this once for own defined customer groups), but I am not totally sure what needs to be done in the user authorization maintenance to make it running (my former user-authorization responsible colleague did that).
Maybe its because your test-user has some other user rights that overrule the BUKRS / PRCTR restriction.
So try first to create a test-user with only KE24 authorization AND the limitation to one company code / profit center combination of your new created authorization object to ensure that this works fine.
Second step is to check how this authorization works in combination with all other authorization objects your users will have.
Best regards, Christian
Maybe you are looking for
-
Can't delete photos in camera roll received vis text message
Somebody sent me two photos vis SMS. I downloaded them to my camera roll. I have deleted the orignal text message and photo but they still exist as thumbnails in my camera roll. They can't be highlighted or deleted on the phone. They won't open on th
-
i just updated my iphone 4s with the new IOS6 update and now everytime i try to connect to my wifi it brings me to the apple page and will not connect to the wifi at all.. someone please help
-
Webservice Client for PI 7.1?
Hi, I've created successfully a stand-alone WS Client with Netweaver DevStudio for our PI 7.0 system. I use the client to trigger a scenario running over the SOAP adapter. I programmed the client according to the directions in help.sap.com and everyt
-
my iphoto 4 moves so slow and often stalls and i constantly get the little moving circle that times-out what i am trying to do. can i update my iphoto by installing a newer version? i've checked out the software section on apple.com but have not been
-
Does anyone know if there is a problem with Apple and its Times App as I am unable to open or download todays edition