Authorization Checks in Z programs

Dear Experts,
First of all, thanks for your time. We're being asked to review each Functional Specification in the company to suggest to the development team the standard objects that should be included in the code in order to restrict the access within each development. My understanding was that, as a standard practice, developers only use BAPIs, standard functions or call transactions in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a BAPI associated with VA01, the objects in the code for VA01 are being checked). The exception to this are reports, for which we have a Z object with most of the Organizational Values like Company Code, Plant, etc. to allow restrictions to take place (and developers are supposed to include this check in their code).
My first question is: is it true that BAPIs, standard functions and call transactions use the regular standard objects when being executed?
If this is the case, is there any point in suggesting the objects to be checked to the developers? It looks as if this would be redundant, as SAP is making sure they're being checked when BAPIs, standard functions and call transactions are executed... (exception made for reports, as mentioned)
Thanks a lot for your help!!
Best regards,
CMPT

Hi,
It is always a good idea for the Z transaction review to be performed by the Security consultant. After all, it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction.
In case the custom transaction has been created similar to, or is an enhancement of, a standard SAP transaction, then it is always a good idea to have at least the same authorization checks for the Z txn also.
For new developments you need to ensure that the authorization checks are implemented based on the functionality of the txn and the data it manipulates. For example, if you have a Z-txn to make changes to purchase orders, you need to ensure that the program checks for change activity for Purchasing Org, Purchasing Group and Plant values and any other authorization-relevant data.
The auth objects to be used depend entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible. Else create new auth objects as per requirement.
Regards,
Sanju
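As an added worked version of Sanju's purchase-order example (example code written for this page, not posted in the thread and not SAP's own), a Z program would test change activity (ACTVT 02) on the standard purchasing objects M_BEST_EKO, M_BEST_EKG and M_BEST_WRK before it touches a purchase order. The report name, the form name and the variable names are this example's own choices; the three object names and their fields are the standard SAP ones. On CMPT's question: a BAPI or standard function module does carry SAP's own checks, but a plain CALL TRANSACTION only checks S_TCODE for the called transaction when that coupling is configured in SE97 (table TCDCOUPLES) or the newer WITH AUTHORITY-CHECK addition is used, so the explicit check in the Z program stays worthwhile.

```abap
* Added example, not from the thread: fail-closed change check for the
* organizational levels of a purchase order. Object names are standard SAP;
* report, form and variable names are assumptions of this example.
REPORT zz_po_change_auth_example.

CONSTANTS gc_actvt_change TYPE activ_auth VALUE '02'.   " activity: change

PARAMETERS: p_ekorg TYPE ekorg   OBLIGATORY,   " purchasing organization
            p_ekgrp TYPE ekgrp   OBLIGATORY,   " purchasing group
            p_werks TYPE werks_d OBLIGATORY.   " plant

START-OF-SELECTION.
  PERFORM check_po_change_auth USING p_ekorg p_ekgrp p_werks.
  " Reached only when every check passed; the actual update (for example a
  " BAPI call, whose RETURN table must still be evaluated) would follow here.
  WRITE: / 'Change of purchase orders permitted for', p_ekorg, p_ekgrp, p_werks.

*&---------------------------------------------------------------------*
*& Every sy-subrc other than 0 (4 = no authorization, other values =
*& object missing or check defective) is treated as "denied", so a
*& misconfigured check stops the program instead of letting it continue.
*&---------------------------------------------------------------------*
FORM check_po_change_auth USING iv_ekorg TYPE ekorg
                                iv_ekgrp TYPE ekgrp
                                iv_werks TYPE werks_d.

  AUTHORITY-CHECK OBJECT 'M_BEST_EKO'          " purchasing organization in PO
    ID 'EKORG' FIELD iv_ekorg
    ID 'ACTVT' FIELD gc_actvt_change.
  IF sy-subrc <> 0.
    MESSAGE 'No change authorization for this purchasing organization' TYPE 'E'.
  ENDIF.

  AUTHORITY-CHECK OBJECT 'M_BEST_EKG'          " purchasing group in PO
    ID 'EKGRP' FIELD iv_ekgrp
    ID 'ACTVT' FIELD gc_actvt_change.
  IF sy-subrc <> 0.
    MESSAGE 'No change authorization for this purchasing group' TYPE 'E'.
  ENDIF.

  AUTHORITY-CHECK OBJECT 'M_BEST_WRK'          " plant in PO
    ID 'WERKS' FIELD iv_werks
    ID 'ACTVT' FIELD gc_actvt_change.
  IF sy-subrc <> 0.
    MESSAGE 'No change authorization for this plant' TYPE 'E'.
  ENDIF.
ENDFORM.
```

The checks are deliberately separate statements rather than one big condition: each object is tested on its own, the failing level is named in the message, and a type E message outside a dialog step terminates the report, so no code path reaches the update without all three checks having returned 0.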

Similar Messages

  • Authorization check for a program/table

    Hi,
    Can anyone help me out in how to do an authorization check for an ABAP program and also a table?
    I have no idea about the authorizations.
    My requirement is that I need to do the authorization check in such a manner that only users having a certain profile
    1. should be able to execute the program
    2. view the entries of the table.
    Thanks & Regards,
    Keerthi

    Hello Keerthi,
    I got you wrong at first!
    If you want to have only certain users be able to do certain operations, then you need to assign the appropriate roles to those users!
    First find the role,
    second add the user in the role (PFCG T code ---> Users tab).
    Raj

  • How to do Role and Authorization check in report program

    Hi Friends,
    Please provide me your guidance on how to add coding to check role authorisation of a particular field, input from the selection screen.
    My requirement is,
    If the Fund center field in my select-option parameter has been filled, then I have to check the role authorisation (which was created already) in the AT SELECTION-SCREEN event, to check and give access to the user to run the process further.
    Say my Fund center is 'SH'
    and my Role authorisation to be settled to all users is 'ZMM_BXI'.
    How to implement in report program, Please advise.
    Thanks & Regards
    Babu.

    Sorry SDN,
    Posted in a wrong Forum page.
    Please excuse.

  • Authorization checking in ABAP program

    I have a custom report which shows sales order information, with sales order no., sales org., distribution channel, division and some others as selection criteria.
    How I can limit a user that can view only 1 or 2 specific sales. org. (according to his/her authorization profile) even though he/she hasn't input anything in the sales org. field during selection?
    Thanks!

    Hi Gundam,
    If the user doesn't input any sales organization, then you can get the list of sales organizations defined from table TVKO and then check the authorization for each entry. Prepare a range for all sales organizations which you can later use in the extraction process.
    The other, better way is to make the parameter/select-option mandatory so the user has to enter the sales organization.
    Hope the above info helps you.
    Kind Regards
    Eswar
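    As an added worked version of Eswar's first suggestion (example code written for this page, not posted in the thread and not SAP's own): every sales organization in TVKO is checked against the standard object V_VBAK_VKO for display activity, the authorized ones are collected in a range, and the range is then used in the SELECT. The report, form and variable names are this example's own. The empty-range case matters: a range table with no rows in a WHERE ... IN clause means "no restriction", so a user with no authorized sales organization at all would otherwise see every order.

    ```abap
    * Added example, not from the thread: build a range of authorized sales
    * organizations from TVKO and use it to restrict the extraction.
    * V_VBAK_VKO, TVKO and VBAK are standard SAP; names below are assumptions.
    REPORT zz_vkorg_auth_range_example.

    TYPES ty_r_vkorg TYPE RANGE OF vkorg.

    DATA: gv_vkorg   TYPE vkorg,
          gt_r_vkorg TYPE ty_r_vkorg,
          gt_vbak    TYPE STANDARD TABLE OF vbak,
          gs_vbak    TYPE vbak.

    SELECT-OPTIONS s_vkorg FOR gv_vkorg.        " user's own selection, may stay empty

    START-OF-SELECTION.
      PERFORM build_authorized_vkorg_range CHANGING gt_r_vkorg.

      " An empty range in WHERE ... IN does not restrict anything, so the
      " "nothing authorized" case must be handled before the SELECT.
      IF gt_r_vkorg IS INITIAL.
        MESSAGE 'No authorization for any sales organization' TYPE 'E'.
      ENDIF.

      SELECT vbeln vkorg vtweg spart FROM vbak
        INTO CORRESPONDING FIELDS OF TABLE gt_vbak
        UP TO 50 ROWS                            " demo only
        WHERE vkorg IN s_vkorg                   " what the user asked for
          AND vkorg IN gt_r_vkorg.               " what the user may see

      LOOP AT gt_vbak INTO gs_vbak.
        WRITE: / gs_vbak-vbeln, gs_vbak-vkorg, gs_vbak-vtweg, gs_vbak-spart.
      ENDLOOP.

    *&---------------------------------------------------------------------*
    *& One AUTHORITY-CHECK per sales organization; only organizations the
    *& user may display (ACTVT 03) end up in the range.
    *&---------------------------------------------------------------------*
    FORM build_authorized_vkorg_range CHANGING ct_r_vkorg TYPE ty_r_vkorg.
      DATA: lt_tvko  TYPE STANDARD TABLE OF tvko,
            ls_tvko  TYPE tvko,
            ls_range LIKE LINE OF ct_r_vkorg.

      CLEAR ct_r_vkorg.
      SELECT vkorg FROM tvko INTO CORRESPONDING FIELDS OF TABLE lt_tvko.

      LOOP AT lt_tvko INTO ls_tvko.
        " Distribution channel and division are not part of this decision;
        " DUMMY marks them as deliberately unchecked.
        AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
          ID 'VKORG' FIELD ls_tvko-vkorg
          ID 'VTWEG' DUMMY
          ID 'SPART' DUMMY
          ID 'ACTVT' FIELD '03'.
        IF sy-subrc = 0.
          ls_range-sign   = 'I'.
          ls_range-option = 'EQ'.
          ls_range-low    = ls_tvko-vkorg.
          APPEND ls_range TO ct_r_vkorg.
        ENDIF.
      ENDLOOP.
    ENDFORM.
    ```

    The DUMMY additions make it visible to the next reader that distribution channel and division were left out on purpose rather than forgotten; if the report also restricts by those fields, replace DUMMY with the values from the selection screen in the same way as VKORG.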

  • Authorization check for a program (Not SAP standard) from SA38(End user )

    Hi All,
    I have a requirement which involves restricting the user from executing the program using SA38. Please suggest to me.
    I went to SU20 but could not find the right way how to do it?
    Thanks in advance

    1) Check whether an authority object for the field for which you want to check authority is present or not. For this use transaction SU20 / SU21.
    2) If it is not, create the object by using SU21.
    3) After that, in the program use the AUTHORITY-CHECK OBJECT statement.
    Example:
    * Each authorization field appears once per AUTHORITY-CHECK, so one activity
    * is tested per statement; repeat the statement for another activity.
    AUTHORITY-CHECK OBJECT 'V_LIKP_VST'
      ID 'VSTEL' FIELD t_sel-vstel
      ID 'ACTVT' FIELD '01'.
    IF sy-subrc <> 0.
      " collect the shipping points the user is not authorized for
      t_authority-vstel = t_sel-vstel.
      APPEND t_authority.
      CLEAR t_authority.
    ENDIF.

  • Find authorization check in BAPI implemented in a program

    Dear ,
    How can we find the authority check in a program in which a BAPI is used? If we search for the authority check in the program (click the search button and find "authority"), then only the authorization check implemented in the program itself is shown, not the one in the BAPI.
    Kindly send me solution ASAP.
    Regard,
    Yatendra Sharma
    Edited by: yatendra sharma on Mar 19, 2009 12:42 PM

    Hi Yatendra,
    Maybe this code works out for you. It is just dummy code. Try using AUTHORITY-CHECK. Hope your query resolves soon.
    * authority check
    PERFORM <authority_check> USING <table>.
    IF no_authority NE space.
      PERFORM bapireturn TABLES return
                         USING 'VALUE1'
                               'VALUE2'
                               'VALUE3'
                               value4
                               value5.
      EXIT.
    ENDIF.
    Have a best day ahead.

  • Abap programe 'AUTHORIZATION-CHECK'

    What is the ABAP program 'AUTHORIZATION-CHECK' and how can I navigate there?

    Hi,
    You can navigate to the code this way:
    1) SE93 -> Display -> double-click the entry corresponding to the program -> you enter the source code; here select Find and give the search string "Authority-Check". This displays you whatever entries are there in the code.
    This method is useful if you know the Tcode and want to see what check statements are there in the ABAP code corresponding to it.
    2) On the other hand, if you know the program, then go to
    SE38 -> enter the program name -> select Source Code -> press Display,
    and from there search with the string mentioned above, just like in the case mentioned above...
    Hope this helps
    Regards,
    Manohar

  • Include an authorization check in program

    Hello,
    I am new to SDN.
    I got a requirement where I have to include an authorization check in programs; this is required for all custom programs before they are added to roles. I am not sure what I have to do.
    These programs, if I try to open them in SE38, I cannot view them.
    How do I include authorisation checks?
    Please let me know step by step.
    I will be grateful.
    thanks
    sumit
    Edited by: sumit123 on Jan 20, 2010 9:52 AM

    Hi Sumit,
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
    Check this link.
    The following actions are authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
    1.Starting SAP transactions (authorization object S_TCODE)
    2.Starting reports (authorization object S_PROGRAM)
    3.Calling RFC function modules (authorization object S_RFC)
    4.Table maintenance with generic tools (S_TABU_DIS)
    Authority check is done to restrict the execution of a report to certain users.
    Basis creates an authorisation group and includes certain roles in it, to which authorisation should be given.
    If one's id has that role then he is authorised to execute the report..
    In the report the below code is written to do the auth. check:
    * Authority check on plant
    AUTHORITY-CHECK OBJECT 'ZMMD_PROD'
      ID 'WERKS' FIELD wf_werks.
    Here authorisation is done on plant. and the authorisation object is ZMMD_PROD(to be created by BASIS)

  • How to find which custom program uses authorization checks

    Hi all,
    I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
    Since there are thousands of custom programs I will need to automate this process somehow. But I am not an ABAP expert and I will need some help.
    Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
    Many thanks,
    Aldo

    If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
    Below SAP documentation may help you:
    Authorization Group
    Authorization group to which the program is assigned.
    The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
    Execute a program
    --> Authorization object S_PROGRAM
    Edit a program (-Include) in the ABAP Workbench
    --> Authorization object S_DEVELOP
    Programs that are not assigned to an authorization group are not protected against display and execution.
    Security-related programs should, therefore, always be assigned to an authorization group.
    Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.
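    An added example of automating the inventory Aldo asks about (written for this page; not from the thread and not SAP's own code): it combines the TRDIR-SECU check from the answer above with a source scan for the AUTHORITY-CHECK statement, so each custom program is listed with its authorization group and whether it contains an in-program check. The report and form names are this example's own; TRDIR, READ REPORT and RS_ABAP_SOURCE_SCAN are standard.

    ```abap
    * Added example, not from the thread: inventory of custom executable
    * programs, their authorization group (TRDIR-SECU) and whether their
    * source contains an active AUTHORITY-CHECK statement.
    REPORT zz_authcheck_inventory_example.

    TYPES: BEGIN OF ty_prog,
             name TYPE trdir-name,
             secu TYPE trdir-secu,
           END OF ty_prog,
           ty_line TYPE c LENGTH 255.

    DATA: gt_progs TYPE STANDARD TABLE OF ty_prog,
          gs_prog  TYPE ty_prog,
          gv_found TYPE abap_bool,
          gv_hits  TYPE i,
          gv_total TYPE i.

    START-OF-SELECTION.
      " Executable programs (SUBC '1') in the customer namespaces Z* and Y*;
      " add registered /NAMESPACE/ developments if the system has them.
      SELECT name secu FROM trdir INTO TABLE gt_progs
        WHERE ( name LIKE 'Z%' OR name LIKE 'Y%' )
          AND subc = '1'.

      LOOP AT gt_progs INTO gs_prog.
        ADD 1 TO gv_total.
        PERFORM has_authority_check USING gs_prog-name CHANGING gv_found.
        IF gv_found = abap_true.
          ADD 1 TO gv_hits.
        ENDIF.
        " empty SECU = not protected by S_PROGRAM; space in last column = no check
        WRITE: / gs_prog-name, gs_prog-secu, gv_found.
      ENDLOOP.

      WRITE: / gv_hits, 'of', gv_total, 'custom programs contain AUTHORITY-CHECK'.

    *&---------------------------------------------------------------------*
    *& Text heuristic: full-line comments (*) and trailing " comments are
    *& ignored so a commented-out check is not counted. A check that lives in
    *& an INCLUDE, a function module or a method called by the program is
    *& not seen here and needs a follow-up (RS_ABAP_SOURCE_SCAN can scan
    *& includes). A " inside a literal also truncates the line; acceptable
    *& for a first pass.
    *&---------------------------------------------------------------------*
    FORM has_authority_check USING iv_name TYPE trdir-name
                             CHANGING cv_found TYPE abap_bool.
      DATA: lt_source TYPE STANDARD TABLE OF ty_line,
            lv_line   TYPE ty_line,
            lv_pos    TYPE i.

      cv_found = abap_false.
      READ REPORT iv_name INTO lt_source.
      IF sy-subrc <> 0.
        RETURN.                              " source not readable
      ENDIF.

      LOOP AT lt_source INTO lv_line.
        IF lv_line(1) = '*'.
          CONTINUE.                          " full-line comment
        ENDIF.
        FIND '"' IN lv_line MATCH OFFSET lv_pos.
        IF sy-subrc = 0.
          IF lv_pos = 0.
            CONTINUE.                        " whole line is a comment
          ENDIF.
          lv_line = lv_line(lv_pos).         " drop the trailing comment
        ENDIF.
        FIND 'AUTHORITY-CHECK' IN lv_line IGNORING CASE.
        IF sy-subrc = 0.
          cv_found = abap_true.
          RETURN.
        ENDIF.
      ENDLOOP.
    ENDFORM.
    ```

    Programs that show up with an empty SECU and no AUTHORITY-CHECK are the ones to look at first; the list is a starting point for the review, not a verdict, because the scan cannot tell whether a check it does find is on the right fields or is executed on every path.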

  • Does SAP direct input programs have authorization checks built-in?

    Can anyone advise if the SAP direct input programs, e.g. RFBIBL00, RMDATIND, RCCLBI03, RM60IN00, RVINVB10 etc., have authorization checking features?
    In transaction BMV0,  there is a value for User Name.  If the user executes the direct input job from here, but uses a different User Name in the job definition in BMV0, does that mean that the authorization check is done against the User Name maintained instead?
    Kindly advise asap, thanks.

    Hi Li,
    This is what the SAP Documentation says about the User name that is maintained in BMV0 transaction:
    "User name in user master record
    Background processing takes place under this user name. This person needs to have the application-specific authorizations necessary for running the direct input job (for example, all material master authorizations).
    If you do not enter a name, the job will run under the user name of the person scheduling it."
    Regards,
    Ravi

  • Authorization check - Level: Program/Tcode - report/SM30/odr

    How do we identify if an authority check should be given
    1) at the Program(Report) level or
    2) at the T-code level itself?
    Is there any other level we can do it?
    For SM30s / table maintenances, how do we do it?
    Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
    say - usergrp1 - plant1
    usergrp2- plant 2
    etc.
    How do we design this scenario?
    How is authorization for report and others different?
    Do we need to include S_TABU_CLI authorization object? what is its use?

    > For SM30s / tablemaintenances, how do we do it?
    >
    > Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
    > say - usergrp1 - plant1
    > usergrp2- plant 2
    > .
    > .
    > etc.
    > How do we design this scenario?
    This can only be achieved with a bespoke program in which authority-check statements are programmed at the right point. SM30 will not allow such granularity.
    > Do we need to include S_TABU_CLI authorization object? what is its use?
    This object is used to shield cross-client tables. Not needed here.

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype-level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas, but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read that the level of simplification should have the value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if any special settings are to be done, like in Tcode OOAC, or some flags/parameters to be set in the report program to perform org data level authorization?
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorizations were assigned to it (I mean roles with authorization objects P_ABAP - level of simplification 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • USE Standard Authorization object in Z Program

    Hi Experts,
    I have already checked other threads regarding this but could not resolve my problem.
    I have created a Z program to update Material Master. I need to use the authorization object M_MATE_STA in my program for performing the authorization check. Please help me with how I can do that.
    Thanks

    Hi,
    below is a similar code...
    CONSTANTS: lc_authobj  TYPE char15 VALUE 'F_BKPF_BUK',   " authorization object
               lc_id_bukrs TYPE char10 VALUE 'BUKRS',        " field: company code
               lc_id_actvt TYPE char10 VALUE 'ACTVT',        " field: activity
               lc_activity TYPE activ_auth VALUE '02'.       " activity: change (assumed)
    DATA v_bukrs TYPE bukrs.                                " company code being processed
    AUTHORITY-CHECK OBJECT lc_authobj
      ID lc_id_bukrs FIELD v_bukrs
      ID lc_id_actvt FIELD lc_activity.
    IF sy-subrc NE 0.
      " no authorization: stop processing here, e.g. with a MESSAGE of type E
    ENDIF.
    Amol

  • Create authorization check for a report

    Hi,
    I need to create an authorization check for a report. It means that I need to restrict the usage of the report to a couple of users ('USER1' and 'USER2'). How can I do that? I did read through a lot of threads regarding this, got a bit confused and got stuck while creating the authorization object.
    Say the report name is ZHR_TIMEABC.
    Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
    Thanks in advance,
    VG

    Hi,
    Thanks. Here is my understanding: S_C_FUNCT calls a system-generated function module to make an authority check. So, if different users, say USER1 and USER2, have different authorization levels defined in their user profiles, will just adding this piece of code take care of the authorization check for the program, OR do I need to take care of something else?
    If so, when do we need to create the authorization objects using SU20, assign the group and follow this process? When do we use this approach (a lot of threads on authority check have mentioned this procedure)?
    Your inputs will be helpful to understand this concept.
    Thanks,
    VG

  • Authorization check

    Hi ,
    I am new to authorization so I need help.
    I go to transaction SU21 and I choose some object, for example:
    Object      R_CPM_BSC
    Text        Authorization Object SEM: BSC Elements
    Class       SEM Strategic Enterprise Management
    Author      STASTNY
    Field name  Heading
    SEMSCARD    Scorecard
    SEMOBJTYPE  Scorecard Elements: Object Type
    SEMOBJKEY   Scorecard Elements: Object Key
    ACTVT       Activity
    And when I push on "permitted activities" I get:
    R_CPM_BSC   Authorization Object SE
    ACTVT       Activity
    Activities:
    01  Create or generate
    02  Change
    03  Display
    04  Print, edit messages
    1. Do I always just have permitted activities for ACTVT?
    If I want the user to just have display authorization, do I have to write it like below?
    AUTHORITY-CHECK OBJECT 'R_CPM_BSC'
      ID 'ACTVT' FIELD '03'.
    That's it, I don't use the other fields?
    Regards

    Hi,
    In general, different users will be given different authorizations based on their role in the organization.
    We create ROLES and assign the Authorizations and TCODES to that role, so only that user can have access to those T Codes.
    Use the SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK:
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
      ID 'ACTVT' FIELD '02'
      ID 'CUSTTYPE' FIELD 'B'.
    IF sy-subrc <> 0.
      MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object.
    ID 'ACTVT' FIELD '02': in place of '02' you can put 1, 2, 3 for change, create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Vikranth
