Authorization checks vs ST01 data

Similar Messages

• Missing authorization check to display master data error..

  Hi,
  We are in SRM7.0.
  After adding content in my shopping cart, I am trying to change the Account Assignment in the Item Details from Network to Cost Center or GL Account.
  Under Item Overview, after changing the Account Assignment to Cost Center, I go to "Assign Number" to add a Cost center..On clicking the matchcode search box,  I get selection entries like Cost Center, Controlling area etc..If I click on the Search box without keying anything, I get a "Missing authorization check to display master data error".
  I get the same error, when I try to select Assets under Account Assignment area and use search under Assign number. I dont get any errors on searching networks.
  Am we missing any authorization check in the backend ?
  Regards,
  Rajan.K

  Hello Rajan,
  You could use transaction ST01 in SRM to perform some 'authorisation' trace.
  It might give you some pointers to the issue.
  Regards,
  Franz

• Direct database data access without data level authorization check

  Hello,
  My customer raised issue about direct database data access. Due to the customeru2019s strong security policy, it shouldnu2019t be allowed.
  To prevent this kind of illegal data access, customer ask me to list up all the possibilities to display data without data level authorization check.
  The things in my mind are
  SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
  Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
  Data Browser : SE11, SE12, SE16, SE16N, SE17
  Table Maintenance : SM30
  Function Module : RFC_READ_TABLE
  Function Module : DB_EXECUTE_SQL (DML)
  Anyone knows anything which is not listed above?
  Thanks

  HI,
      Generally in production user's should not be given all these authorizations.
  Ram.

• Logical Data Base- Authorization Check

  Hi,
      Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
  Waiting for reply,
  Shwetambari.

  HI,
  No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
  Regards
  Sudheer

• Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

  Hello,
  We have to limit access to executives (managers) sensitive posting data in transaction PCP0 (display posting runs).
  Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
  In order to have this done, P_ORGIN authorization check should be performed.
  It looks that by standard, such check is not performed.
  Does anyone have any experience of dealing with this issue?
  Thanks,
  Isaac

  Hi,
  I have a vague idea.
  I remember while creating an ESS user, we did something in P_ORGIN so as to to restrict access to personnel master data.
  Check the composite role : SAP_EMPLOYEE_ERP.
  A Z role was created for SAP_EMPLOYEE_ERP=>the corresponding roles in it had to be copied to a z role.
  Check the z-role created ; zSAP_ESSUSER_ERP.
  In Authorizations tab=>Display authorization data option => ;
  Expand Human Resources;
  In HR : Master data, you can find the various authorization assignments to P_ORIGIN;  where
  Authorization level (AUTHC)
  Infotype (INFTY)          
  Personnel Area (PERSA)
  Employee Group   (PERSG)
  Employee Subgroup  (PERSK)
  Subtype (SUBTY)
  Organizational Key (VDSK1)
  Authorization level (AUTHC) takes the values :
  • R (Read) for read access
  • M (Matchcode) for read access to input helps (F4)
  • W (Write) for write access
  • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
  • S (Symmetric) for write access using the Symmetric Double Verification Principle
  • * always includes all other authorization levels simultaneously
  In your case if some has to make changes through PPCO.. it's equivalent to making changes to infotype 0001 (Organizational Assignment)
  So, probably, you need the Authorization level to R for Infotype 0001.
  I have no personal hands-on experience on this...since we are not allowed to anything Basis
  I have seen this being done and have noted what was done... !! May or may not be correct....!!
  I hope this is what you want.
  Cheers and Good Luck!!
  Remi

• Authorization Check in Personnel Cost Planning (PA-CP)

  Dear Experts,
  We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
  1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
  2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
  We are using SAP ECC 6.0.
  Has anyone encounter the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
  Thanks very much in advance.
  Alex

  Hi Alex,
  I am not very sure about Personnel Cost Planning,
  But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
  1) Switch on Trace using ST01.
  2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
  3) Anlayse the trace document and identify all the authorization object.
  4) BUild a new role with the auth objects and assign to test user id.
  5) test and confirm that the authorizations are not too many or too less.
  A time consuming but thorough approach.
  hope this helps.

• BPS You have no authorization for the requested data

  We are implementing Hierarchy node based security for our BPS.
  When the user tries to display the planning layout, they get the error message "You have no authorization for the requested data "
  I have given authorization to the relavant Infocubes, also checked the all the Authorization Relavant Info Objects and added theses Info Object to the custom authorization created in RSECADMIN.
  Also added the info objects 0TCAACTVT, 0TCAIPROV, 0TCAVALID to the custom authorization.
  In pfcg, this authorization has been added to S_RS_AUTH. I have also given activity 02, 03, 16 values and a * to planning areas, functions, packages, groups, levels, folders, ... to the objects R_AREA
  R_BUNDLE
  R_METHOD
  R_PACKAGE
  R_PARAM
  R_PLEVEL
  R_PM_NAME
  R_PROFILE
  But still we get the same error.
  Has anyone encountered this problem? Can you please provide me some clues to resolve this issue

  Thank you very much Grevaz, but that template does not help.
  I did run both ST01 trace and BI RSECADMIN trace.  RSECADMIN Trace shows the below authorization failure
  Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Quantity 
  Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR BETWEEN '4012001000'
  AND '4012001999'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0FUNDS_CTR  Node 1 I EQ #
  I EQ :
  0TCAACTVT  I EQ 02
  I EQ 03
  Partially Authorized (Average)   Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR > '4012001000'
  AND FUNDS_CTR <= '4012001999'
  AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
  AND TCAACTVT = '03'
  Value selection partially authorized. Check of remainder at end
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Quantity 
  Characteristic  Contents 
  0FUNDS_CTR
  0TCAACTVT
  SQL Format:
  FUNDS_CTR > '4012001000'
  AND FUNDS_CTR <= '4012001999'
  AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0FUNDS_CTR  Node 1 I EQ #
  I EQ :
  0TCAACTVT  I EQ 02
  I EQ 03
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  206 ( 0FUNDS_CTR )
    Authorization Check Complete  
  We have created custom authorization and trying to restrict based on hierarchy node.
  One point I observed is, when I give access to all nodes with a wildcard * in the custom authorization, then the error disappears and the layout is visble. But our point here is to try to restrict based on the nodes and we cannot give display access to all nodes.

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• Authorization check

  Hi ,
  i new to authorization so i need help ,
  i go to transaction SU21 and i choose some object for example:
  Object R_CPM_BSC
  Text Authorization Object SEM: BSC Elements
  Class SEM Strategic Enterprise Management*
  Author STASTNY
  Field name Heading
  SEMSCARD Scorecard
  SEMOBJTYPE Scorecard Elements: Object Type
  SEMOBJKEY Scorecard Elements: Object Key
  ACTVT Activity
  And when i push on permitted activities i get:
  R_CPM_BSC Authorization Object SE
  ACTVT Activity
  activists
  01 Create or generate
  02 Change
  03 Display
  04 Print, edit messages
  1. i have always just permitted activities for ACTVT ?
  if i wont that user just have display Authorization how i have to write it like below?
  AUTHORITY-CHECK OBJECT R_CPM_BSC
  ID ACTVT FIELD '03'
  thats it i don't use the other fields?
  Regards

  Hi,
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Vikranth

• Authorization check of Tcode FCH7 (reprint check) / FCHN (display check)

  Hello to you all,
  Does any of you know of an option of extended the authorization check of Tcode FCH7 (reprint check) / FCHN (display check) using authorization object F_BKPF_BEK / F_LFA1_BEK?
  Regards,
  yoav Bernstain

  Hi,
  Authroization: User need authroization to post Financial Accounting Document for Vendor
  Object: F_BKPF_BEK
  Activities: 01-Creat, 02-Change and 06-Deleter
  Authroization: User need authroization for vendor Master Data (03-Display activity can also work)
  Object: F_LFA1_BEK
  Activities: 01-Creat, 02-Change, 03-Display and 06-Deleter
  Regards,
  Prashant Rane

• LDB PNP authorization check authorization object

  Hi,
  I have used LDB PNP for HR reports.
  We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
  Hence it appears that authorization check is not working properly.
  Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
      rp-provide-from-last p0002 space gwa_outlist-begda 
                                                      gwa_outlist-begda.
      IF pnp-sw-found NE '1' OR
          pnp-sw-auth-skipped-record EQ '1'.
          EXIT.
      ELSE.
          ls_tab-vorna = p0002-vorna.
          ls_tab-nachn = p0002-nachn.
      ENDIF.
  Please reply with the corrections ore alterations,
  Thanks in advance.
  Akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• LDB PNP authorization check at record level - rp_provide_from_last

  hi,
  i am using LDB PNP,
  I am using macro 'rp-provide-from-last' .
  I neeed to place a authorization check so that the user of the program should only be allowed to view records of the people which comes under the same personnel area as of the user of the program.
  Can you please guide me on how to implement this?
  thanks in advance,
  akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• ABAP: Modify PA infotype without authorization check

  Hello everyone,
  Short version:
  I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
  Does anybody know a solution?
  Long version:
  We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
  So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
  The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

  ECM stands for Employee Compensation management and is one of the SAP HR module.
  But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
    Employee Infotype
    Description
  0758
  Compensation Program
  0759
  Compensation Process
  0760
  Compensation Eligibility Override
  0761
  LTI Granting
  0762
  LTI Exercising
  0763
  LTI Participant Data