Curiosity Question Authorization Checks

I created a Supervisor role that had only CO13; I wanted to use this role with other roles in place that have the plant numbers. So for the field WERKS I entered ' ' on Role A below. Then Role B has the plant numbers on field WERKS, and that works as planned. The problem came under the ACTVT field. Role A has activity 85, Role B has 01, 02 and 03 assigned. The authorization failed, and I had to add 85 to the ACTVT for Role B. Why didn't it pick up the 85 on the ACTVT field from Role A if both roles were assigned to the user?
Thanks for your help
TS

SAP does not create a pulp out of the authorizations. Each instance of authorizations (even if in the same role) is its own combination.
What you have done is the basis for the biggest flawed disasters based on belief instead of proper training about authorization concepts. Sometimes even with training people (value role fanatics) are still stronger believers than what they are useful in the long run.
Go for course ADM940 - it will help you gain a good understanding of the fundamentals. Then carry on.
Cheers,
Julius
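
The behaviour described in the answer above, as an added Python model (not code from the thread and not SAP's implementation). The object name Z_DEMO_OBJ and the plant values 1000/2000 are constructed placeholders; the return codes follow the sy-subrc convention of AUTHORITY-CHECK (0 passed, 4 failed, 12 no authorization for the object at all).

```python
# Added illustration: each authorization is evaluated as its own combination.
# Z_DEMO_OBJ and the plant values are constructed placeholders.
DUMMY = object()  # a field checked with DUMMY is skipped


def value_matches(maintained, requested):
    """True if one maintained value ('*', 'MX*' or an exact value) covers requested."""
    for pattern in maintained:
        if pattern == requested:
            return True
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
    return False


def authorization_passes(auth, check):
    """An authorization passes only if every checked field matches inside it."""
    for field, requested in check.items():
        if requested is DUMMY:
            continue
        if not value_matches(auth.get(field, []), requested):
            return False
    return True


def authority_check(user_auths, obj, check):
    """Model of the real evaluation: one single authorization must cover the check."""
    candidates = [auth for auth_obj, auth in user_auths if auth_obj == obj]
    if not candidates:
        return 12
    return 0 if any(authorization_passes(a, check) for a in candidates) else 4


def pooled_check(user_auths, obj, check):
    """The mistaken mental model: field values pooled across all roles."""
    pooled = {}
    for auth_obj, auth in user_auths:
        if auth_obj == obj:
            for field, values in auth.items():
                pooled.setdefault(field, []).extend(values)
    return 0 if pooled and authorization_passes(pooled, check) else 4


# Role A: blank plant, activity 85. Role B: plants, activities 01-03.
ROLE_A = ("Z_DEMO_OBJ", {"WERKS": [" "], "ACTVT": ["85"]})
ROLE_B = ("Z_DEMO_OBJ", {"WERKS": ["1000", "2000"], "ACTVT": ["01", "02", "03"]})
ROLE_B_FIXED = ("Z_DEMO_OBJ", {"WERKS": ["1000", "2000"],
                               "ACTVT": ["01", "02", "03", "85"]})
CHECK = {"WERKS": "1000", "ACTVT": "85"}

if __name__ == "__main__":
    print("real evaluation:  ", authority_check([ROLE_A, ROLE_B], "Z_DEMO_OBJ", CHECK))
    print("pooled assumption:", pooled_check([ROLE_A, ROLE_B], "Z_DEMO_OBJ", CHECK))
    print("85 added to B:    ", authority_check([ROLE_A, ROLE_B_FIXED], "Z_DEMO_OBJ", CHECK))
```

Role A fails on WERKS and Role B fails on ACTVT, so no single authorization covers the combination until 85 is added to Role B.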

Similar Messages

  • HR ABAP Custom Authorization Check

    Hi all,
    We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
    GET PERNR.
        I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
    Thanks in Advance.

    There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going nowhere.
    Some special differences are:
    - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
    - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
    - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
    This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
    Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

  • Authorization checks for PNP LDB

    Question: how to validate authorization checks for the PNP logical database?
    2nd question: HR report.
    This report is basically for a salary survey. In this I had so many fields; can anybody let me know how
    I can form the internal tables? I have to display overall 150 fields in a CSV file; for that,
    how can I take them into the final internal table?
    what is the logic behind this:
    T71JPR09-JOBCODE
    PA0000-PERNR
    HRP1000-STEXT
    P0006-PSTLZ
    PA0008-ANSAL * 100 / PA0008-BSGRD
    PA0015-BETRG
    PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
    like that i had.
    please give me the steps how can i proceed.

    Hi,
    The PNP database will take care of the authorization check. It will not execute if the user does not have authorizations.
    Hope this helps.

  • Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

    We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
    Two questions:
    1) Is there any other way we can control who can create/change ABAP code by this method ?
    2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
    Your help would be appreciated.
    Robert Begin

    Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
    The concern is that if having access to write ABAP code, a person can practically do as he/she pleases with ABAP code and it is a concern.
    Do you have any solution/suggestions to lock this down?
    Much appreciated,
    Regards,
    Robert.

  • Authorization Check Infotype Header

    Hi all,
    I posted the following thread in the HCM Forum, but I think it is also a question for the ABAP Forum
    Authorization Check Infotype Header
    Thanks & regards

    1. Authorisations in HR cannot be controlled at infotype-header level and/or infotype field level.
    2. If only a few fields of a specific infotype are to be allowed for a user, the most effective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
    3. Another way of doing it is by way of a custom authorisation object (potentially), but then again your requirement is not going into explicit details, so this option is a possibility you may want to do some due diligence on.
    cheers

  • Disable authorization check RH_STRUC_GET

    hi,
    is there a possibility to use FM
    RH_STRUC_GET and to disable authorization check similar to  'HR_READ_INFOTYPE_AUTHC_DISABLE' for fm HR_READ_INFOTYPE?
    thanks for help

    stupid question - solved by myself.

  • Authorization check in WDA

    Hello Gurus,
    I have two different types of users. Based on an authorization check I should take them to the respective view. Basically, I have 5 views; for type A users, I should take them from 1 thru 5 views. For type B users, I should take them from 3 thru 5. Please let me know how I can achieve this with the necessary code/screen shots. (Should I create 2 authorization objects?)
    Thanks,
    David

    Hi David,
    I'm going to put my pseudo-moderator hat on for a moment, please bear with me, but the quality of this forum, and that includes the questions as well as the answers, is important to me.
    Have you searched the forum for prior posts?
    I have seen some very similar questions answered before - perhaps you could have a look and if these are not enough to help you could you  let us know what it is that these prior posts do not answer for you.
    Thanks,
    Chris

  • Authorization check flow

    Hello Folks,
    I wonder if some one can help clearing a doubt of mine.
    The standard definition one finds on the net for Authorization check maintenance in SU24 for transactions is:
    CM = Check performed AND object added in PFCG when tcode added to the role.
    C = Check performed BUT object not added in PFCG when tcode added to the role.
    N = No check OR check will return sy-subrc = 0 even if the user does not have the authorization.
    U = Unknown. A check may be hardcoded in the program, or maybe not.
    My take on the above definitions is:
    example object: V_VBAK_AAT
    if
    CM for  V_VBAK_AAT the object is included in the role while working with PFCG.
    As per the definition check performed on object and object added.
    Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
    If
    C check performed but object not added
    Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM? I was once told that these are objects that are most commonly used and hence from a BASIS point of view that the roll buffer will have that much less authorizations to load. But that does not ring true to me.
    If
    N - check will return value 0 thereby allowing the user through even though he does not have the authorization to do so
    Question 3: Why suppress a check that is coded into the program in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
    For the last couple of years that I have been working on this, I have accepted this, as one would, the bible :-)...
    But now i wonder if there will be some enlightenment....
    Regards,
    Prashant

    > Prashant Pasala wrote:
    > Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
    No, it wouldn't. The check has to be coded.
    > Prashant Pasala wrote:
    > Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
    Because you would have many obsolete objects in your role, depending on the setup of your applications, the org-structure and several other things (mostly in configuration), whether an extension-set is active, a special IS used ...
    > Prashant Pasala wrote:
    > Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
    Here one can only guess. One scenario might be: due to a bug in a SAP standard BAPI you deactivate the check until you get a correction from SAP. You have to do this to keep up the business ...
    Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM

  • Kanban authorization checks (SU24, PK13N, PK*)

    Hi,
    Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
    In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
    However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
    Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
    But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a security risk?
    Now, there is one object that is enabled: C_KANBAN
    But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
    For reference, a list of disabled auth objects:
    C_STUE_WRK CS BOM Plant (Plant Assignments)
    C_TCLS_MNT Authorization for Characteristics of Org. Area
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_FICA_CTR Funds Management Funds Center
    F_FICA_FTR Funds Management FM Account Assignment
    F_FICB_FKR Cash Budget Management/Funds Management FM Area
    F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
    F_LFA1_APP Vendor: Application Authorization
    F_SKA1_BUK G/L Account: Authorization for Company Codes
    L_BWLVS Movement Type in the Warehouse Management System
    L_LGNUM Warehouse Number / Storage Type
    M_BANF_BSA Document Type in Purchase Requisition
    M_BANF_EKG Purchasing Group in Purchase Requisition
    M_BANF_EKO Purchasing Organization in Purchase Requisition
    M_BANF_WRK Plant in Purchase Requisition
    M_BEST_BSA Document Type in Purchase Order
    M_BEST_EKG Purchasing Group in Purchase Order
    M_BEST_EKO Purchasing Organization in Purchase Order
    M_BEST_WRK Plant in Purchase Order
    M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
    M_MRES_BWA Reservations: Movement Type
    M_MRES_WWA Reservations: Plant
    M_MSEG_BWA Goods Movements: Movement Type
    M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
    M_MSEG_BWF Goods Receipt for Production Order: Movement Type
    M_MSEG_LGO Goods Movements: Storage Location
    M_MSEG_WMB Material Documents: Plant
    M_MSEG_WWA Goods Movements: Plant
    M_MSEG_WWE Goods Receipt for Purchase Order: Plant
    M_MSEG_WWF Goods Receipt for Production Order: Plant
    M_RAHM_BSA Document Type in Outline Agreement
    M_RAHM_EKG Purchasing Group in Outline Agreement
    M_RAHM_EKO Purchasing Organization in Outline Agreement

    Hi Steven
    Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
    Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to the next level the chance of a fix is greater (still not a guarantee)
    It's a pity if working as per design they could explain why.
    MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
    I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
    You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
    Regards
    Colleen
    P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

  • Authorization checks vs ST01 data

    Experts. My 1st post.
    I Just tried to find on the forum about my issue and could not find anything.
    Question: How could ST01 show that the user passed the authorization check if he has authorization to a different fixed value?
    The user has VKORG assigned as MX* on 2 different roles. Using SE16 and AGR_1252 on both roles I have the value MX*.
    Opened the ST01 and set for the user received the message below. See that the first line has VKORG= ;
    20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
    20:18:34:434   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
    20:18:34:434   AUT.       - - -     V_VBRK_FKA RC=0     FKART=F2;ACTVT=01;
    20:18:35: 4   AUT.       - - -     P_ORGIN    RC=0     INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:35: 7   AUT.       - - -     P_ORGIN    RC=0     INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:35:11   AUT.       - - -     P_ORGIN    RC=0     INFTY=0900;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
    20:18:36:133   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
    20:18:36:133   AUT.       - - -     V_VBRK_FKA RC=0     FKART=ZLAT;ACTVT=01;
    20:18:37:888   AUT.       - - -     S_CTS_ADMI RC=0     CTS_ADMFCT=TABL;
    The problem is that the user, while executing a procedure to create a few invoices, has them with ZERO "0" Value on them.
    On most cases there is no problem with it, this happens sometimes.
    Sorry if I Could not express right and will put more information if needed.
    Regards.
    Vladimir

    >
    Jurjen Heeck wrote:
    > > 20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
    >
    > I think (not completely sure here) the authorization check above just checks the activity and does not bother about the value of the VKORG field.
    >
    Hi Jurjen,
    you are right. This is a typical case for the check for value 'dummy'.
    b.rgds, Bernhard

  • Authorization Checks of Project in Incident

    Hello experts!
    It is necessary  to realize Authorization Check of the Project in SMIN incident. I want to use BADI CRM_ORDER_AUTH_CHECK. I find Authorization object S_PROJ_GEN. But I have questions.
    How the project related with incident GUID or number ?
    Whether it is possible to deduce the Field "Project" in assignment block "Details"? Field Project is in assignment block "Details" of  Request for Change.

    How to define relationship of incident with the project. What are there standard  functional modules, Tables? Thanks!

  • Authorization Checks in Z programs

    Dear Experts,
    First of all, thanks for your time. We're being asked to review each Functional Specification in the company to suggest to the development team the standard objects that should be included in the code in order to restrict the access within each development. My understanding was that, as a standard practice, developers only use BAPIs, standard functions or call transactions in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a BAPI associated to VA01, the objects in the code for VA01 are being checked). The exception for this are reports, for which we have a Z object with most of the Organizational Values like Company Code, Plant, etc. to allow restrictions to take place (and developers are supposed to include this check in this code).
    My first question is: is it true that BAPIs, standard functions and call transactions use the regular standard objects when being executed?
    If this is the case, is there any point in suggesting the objects to be checked to the developers? It looks as if this would be redundant, as SAP is making sure they're being checked when BAPIs, standard functions and call transactions are executed... (exception made for reports, as mentioned)
    Thanks a lot for your help!!
    Best regards,
    CMPT

    Hi,
    It is always a good idea for the Z transaction review to be performed by the Security consultant. After all it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction.
    In case the custom transaction has been created similar to or is an enhancement on a standard SAP transaction, then it is always a good idea to have at least the same authorization checks for the Z txn also.
    For new developments you need to ensure that the authorization checks need to be implemented based on the functionality of the txn and the data it manipulates. For eg., if you have a Z-txn to make changes to purchase orders, you need to ensure that the program checks for change activity for Purchasing Org, Purchasing Group and Plant values and any other authorization relevant data.
    The auth objects to be used depends entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible. Else create new auth objects as per requirement.
    Regards,
    Sanju

  • Authorization check - customer exit EXIT_SAPLRRS0_001

    Hi gurus,
    a question on customer exit about EXIT_SAPLRRS0_001 related to i_step = 0 (Authorization check).
    I have two InfoObjects: 0WS_CAT and 0WSCATQ. The last one has a compounding that is 0WS_CAT.
    In the exit: I need to check the 0WS_OBSFLAG (a simple flag attribute) to determine if the entries in 0WSCATQ Master data are valid or no.
    If I found that the entry is valid I add the value to the e_t_range export table in this way:
    if ( i_step = 0 ).
        l_s_range-sign = 'I'.
        l_s_range-opt = 'EQ'.
        l_s_range-low = '00000001'.
        append l_s_range to e_t_range.
    endif.
    The problem is the compound: how can I specify the value key for the export table?
    For example ... in the table I have three entries:
    0001 00000001 #
    0002 00000001 X
    0003 00000001 #
    The valid entries are:
    0001 00000001 #
    0003 00000001 #
    How can I specify '0001' or '0003'? Because if I assign only the value  '00000001' to l_s_range-low then the entries valid in the authorization for 0WS_CATQ are three and not two.
    It's important for me to find a solution.
    Regards, Roberto

    Hi Roberto,
    you have to build your logic into a variable for the other infoobject 0WS_CAT and find your values 0001 and 0003 the way you described.
    You might have to restrict the selection for 0WSCATQ to a single value, in case you have a record like this in addition to the 3 you have listed.
    0002 00000005 #
    Best,
    Ralf

  • Authorization check problem

    Hello,
    I would like to know if it is somehow possible to add an extra authorization check into a transaction. When the transaction PA20 is executed the following authorization objects are checked:
    PLOG
    P_ORGIN
    P_PCLX
    P_PERNR
    None of these objects allow filtering by company code. Could I modify the PA20, so it could check an extra object to filter by Company code without writing any code?

    Hi Jesus,
    As Jose mentioned, using the org key (VDSK1) is the easiest and recommended way by SAP. 
    But, if you are already using it for some other purposes, some options are available to you:
    1- use the standard string split option to use a part of the VDSK1 (IMG) to capture the company code.
    2- You can modify PA20 in the user exit section, through transaction code PM01.  But again, I would recommend to use the VDSK1, it is much simpler, and well SAP Supported.
    Hope the 2- answered the second part of your question. Cheers
    Jean-Michel

  • Exits in authorization checking (FI module)

    Hello all,
    I am using SAP R/3 version 4.7 and FI module.
    I would like to know whether there is any exit that can be called automatically when performing authorization checking.
    I need to create some roles to control the authority for different users from different departments. To reduce the effort, I am thinking to create one common role, and then call the user-exits. Inside the user-exit, I can check by retrieving the authorization information from tables.
    Is there any exit that can be called when performing authorization checking?
    Many thanks
    Sunny

    >
    Manish  Gupta wrote:
    > Hi
    >
    > Use master derive concept for authorization control and maintain data in organization levels
    >
    > Steps  go to PFCG create Master role  give necessary t codes then save it.
    >
    > then run transaction PFCG -->create derive roles and assigned master roles -->go to organization levels and maintain data like plant level,Shipping area,Shipping point etc as per requirement
    >
    >
    > Thanks
    > Manish Gupta
    I am interested to know, How is this related to the OP's question?
