Check authorization at TCode Z...

Similar Messages

• Checking authorization of a tcode//

  can i check the authorization objects of a tcode?
  i want to assign a user with only a tcode not with the full role.
  is there any way that i cud asssign a user with a tcode only with out creating a new role, cud i view some how what particular authorization a tcode is using
  thanks
  akshat

  Akshat,
  are you sure that's a good idea...?
  First of all - use SU24 to check the objects that are defined for the TCode. Additionally, an authoritzations trace with ST01 will give you certainty.
  If you add the TCode manually, you lose that connection. I..e, when you remove the TCode, the user might still have the objects, and these may be harmful in conjunction with a different TCode, meaning that the user will have access to stuff you don't want him to.
  We recommend assigning transactions only via the menu, and maintaining SU24 properly.
  Kind regards,
  Frank.

• Authorization check - Lvel: Program/Tcode - report/SM30/odr

  How do we identify if an authority check should be given
  1) at the Program(Report) level or
  2) at the T-code level itself?
  Is there any other level we can do it?
  For SM30s / tablemaintenances, how do we do it?
  Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
  say - usergrp1 - plant1
  usergrp2- plant 2
  etc.
  How do we design this scenario?
  How is authorization for report and others different?
  Do we need to include S_TABU_CLI authorization object? what is its use?

  > For SM30s / tablemaintenances, how do we do it?
  >
  > Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
  > say - usergrp1 - plant1
  > usergrp2- plant 2
  > .
  > .
  > etc.
  > How do we design this scenario?
  This can only be achieved with a bespoke program in which authority-check statements are programmed at the right point. SM30 will not allow such granularity.
  > Do we need to include S_TABU_CLI authorization object? what is its use?
  This object is used to shield cross-client tables. Not needed here.

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• RFC method to check authorizations?

  Hi gurus,
  anybody has experience of checking authorizations via RFC method? Is there any RFC enabled function module in standard system can do that?
  Thanks & regards,
  Alex

  Hi,
  Try this FM AUTHORITY_CHECK.
  You can call in Remote and you can pass User ID.
  You must pass also Authority check you would like test.
  Example
  CALL FUNCTION 'AUTHORITY_CHECK'
    EXPORTING
  *   NEW_BUFFERING             = 3
     USER                      = 'SAP*'   "SY-UNAME
      OBJECT                    = S_TCODE " Objet name    This check transaction code
     FIELD1                    = 'TCODE'  " Field name of Object
     VALUE1                    = 'VA02'   " Transaction to modify sales Order
  *   FIELD2                    = ' '
  *   VALUE2                    = ' '
  *   FIELD3                    = ' '
  *   VALUE3                    = ' '
  *   FIELD4                    = ' '
  *   VALUE4                    = ' '
  *   FIELD5                    = ' '
  *   VALUE5                    = ' '
  *   FIELD6                    = ' '
  *   VALUE6                    = ' '
  *   FIELD7                    = ' '
  *   VALUE7                    = ' '
  *   FIELD8                    = ' '
  *   VALUE8                    = ' '
  *   FIELD9                    = ' '
  *   VALUE9                    = ' '
  *   FIELD10                   = ' '
  *   VALUE10                   = ' '
  EXCEPTIONS
     USER_DONT_EXIST           = 1
     USER_IS_AUTHORIZED        = 2
     USER_NOT_AUTHORIZED       = 3
     USER_IS_LOCKED            = 4
     OTHERS                    = 5
  IF SY-SUBRC <> 0.
  MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
           WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ENDIF.
  Rgds

• To restrict authorization of tcode MEK1,MEK2,MEK3,MEK4 at plant level

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  Hi,
  You can restrict the users for the authorization of these T-Codes on their  User ID. Take help of  Basis who controls Roles & Profiles. (T-Code PFCG)
  Hope this helps,
  Best regards
  Amit Bakshi

• To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
  thanks
  G. Lakshmipathi

• ERROR! CHECK AUTHORIZATION!

  I keep getting a message that says Error! Check Authorization! when I try to transfer from My Digital Editions to my Nook Tablet. Any help would be appreciated.

  This doesn't work for me (Win7, Digital Edition v. 4.0.3).  I am trying to open epub files with the .acsm extention on a Nook Reader..  Under Help it says the computer is Authorized; when I erase the Authorization it says it's been erased and I close for program (in order to re-authorize).  When I reopen the Digital Editions and try to Re-authorize, everything seems to work until I try to open a book and then I get the Error: Check Authorization message.

• Remove authorization for Tcode: ME21 and ME22 from certain users

  Hi Guys,
  I'm new to BASIS.
  My requirement is to: Remove authorization to Tcodes ME21/ME22 from a list of users.
  How do I acheive this? We run on SAP 4.0B version.
  Hoping to get this resolved as soon as possible.
  Thanks
  SAPUser

  dear friend,
  1.
  run SU01
  goto Information-Information system
  select node Roles-By Transaction Assignment
  type ME21, ME22
  execute report
  see the roles displayed
  2.
  then find user who have these roles (usually company uses z-roles copied from standard)
  just highlight the role and hit user assignment (Cntrl-Shift-F9)
  you see all users who have this role. that means they are able to run these transactions.
  3.
  let's remove the role(s) we found.
  open second session, run SU01 type one of the user , goto Roles tab and delete the particular role you found.
  save user and test it (ask hem/her to log in sap and run ME21 and ME22). if needed adjust it again (may be another role to be deleted)
  say, fix completely one user/test it and then do the same things for other. test them.
  good luck!

• Possibility that a check/ authorization on Pricing Date - Sales Order

  Is there any possibility that a check/ authorization on Pricing Date can be implemented at Sales Order Level.
  Regards,

  Hi
  You cant use authorizations in relation to the pricing date.
  I dont know which kind of check you want to make but of course user-exits like mv45afzz is always an option.
  Kind regards
  Søren Nielsen

• How to Check authorizations (user profiles) using eCATT?

  Hi All,
  Please tell me how to Check authorizations (user profiles) using eCATT?
  Thanks in advance.
  Regards
  Kalyani

  Hello ,
  Create a script for SU02 transaction in the SAPGUI mode, in the script move to the profiles tab and GETGUI the first profile and loop to all the profiles assigned to the user until you find your required profile.
  Other way is to identify the table where the profiles are stored and then create script using GETTAB , pass the user name and retreive all the profiles assigned to tht particular user, loop through profiles untill you find your required profile.
  Thanks & Best regards,
  Ajay

• What is the "Error! Check Authorization" message and why does my Digital Editions crash right after that pops up?

  I have authorized the Adobe Digital Editions with both my PC and my eReader. I try to download a library book and I get the "Error! Check Authorization" message. My Digital Editions will then crash.

  Hello,
  Please download the latest ADE 4.0.3.114137
  http://www.adobe.com/solutions/ebook/digital-editions/download.html
  Some of the crashes have been fixed in this release.
  Thanks for being the part of product improvement.

• Authorizations for Tcode Execution

  Hi. 
  I understand that users assigned a particular Tcode eg. PFCG might not be able to execute this Tcode if he is not assigned the corresponding Authorization object and related activity field values for the PFCG transaction to work.
  One tedious method of verifying that the user does indeed have authorization is to require the user to login and execute the transaction PFCG itself.
  Is there a faster way for the Administrator to check if the end-users does have the relevant authorizations/authorization_objects to support the execution of a tcode PFCG? This applies to all other tcodes.
  Thank you very much.

  Hi Chong,
  SAP delivers the tables USOBX and USOBT.
  Table USOBX defines which authorization checks are to be performed within a
  transaction and which not. This table also determines which authorization checks are maintained in the Profile Generator.
  Table USOBT defines for each transaction and for each authorization object which
  default values an authorization created from the authorization object should have
  in the Profile Generator.
  The tables are maintained in transaction <b>SU24</b>. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. Any object with CM(Check/Maintain) status will be pulled into PFCG when you add a transaction.
  To check this:
  Enter transaction SU24-->Enter any transaction which you want to check in "Transaction Code"->execute->Display check indicator-->Display field values.
  This would show you the authorzation objects along with there field values which will be pulled into a role when you add a transaction.
  Hope it helps.
  Please award points if it is useful.
  Thanks & Regards,
  Santosh

• BATCH INPUT TO CHECK AUTHORIZATION

  Hi All,
  Can anyone tell me how to code a small batch that will go into sap to ensure system authorizations are set?As the requirement is immediate,quick answers will be highly appreciated.
  Rewards if useful.
  Thanks n Regards,
  Indu.

  Hi,
  What type of authorization check u need like tcode r any field.
  U have follow like that.
  AUTHORITY-CHECK OBJECT 'ZPRCHK_NEW' :
           ID 'TCD' FIELD SY-TCODE
           ID 'BUKRS' DUMMY
           ID 'PRCTR' DUMMY
           ID 'SPART' DUMMY
           ID 'WERKS' DUMMY
           ID 'VKORG' DUMMY
           ID 'EKORG' DUMMY.
    IF sy-subrc NE 0.
      MESSAGE TEXT-003 TYPE 'E'.
      LEAVE PROGRAM.
    ENDIF.
  Regards:
  Prabu

• Level of authorization to Tcode

  Hi All,
  Is there a possibility to check the level of authorization ( example: edit, change, delete, etc)for a Tcode for a set of users in a company.can any one help me in finding out this.
  Thanks in advance,
  SapUser.

  It also depends on the tcode.
  Some don't offer such granularity, some do but don't use an ACTVT typed field for it. The majority do however.
  Which tcode is this you have a doubt about?
  Cheers,
  Julius