Custom Authority Check across system

Similar Messages

• Custom authority object

  Hallo guys,
  have you ever used a custom authority object within a standard transaction code?
  I need to use a custom authority check in VA01/02/03, is that possible?
  Thanx!

  Hi mike,
  1. Thats not directly possible.
  2. we have to Modify the original source code,
     (by taking access key)
  3. Only then its possible.
  regards,
  amit m.

• AUTHORITY-CHECK & customized program

  Hi,
  I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
  DATA: text      TYPE string,
            m_text  TYPE string.
  text = 'You are not authorised for Company Code'.
  DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
  SELECT * FROM t001
         INTO TABLE t_t001
               WHERE bukrs IN s_bukrs.
  LOOP AT t_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
        ID 'BUKRS' FIELD t_t001-bukrs
        ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
    ENDIF.
  ENDLOOP.
  At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
  Haryati

  Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

• Double Invoice check across company code

  Hi All,
  I have been trying to use the double invoice check functionality across company codes. i.e. when an invoice is posted in Company code A with ref no: xxx, and when I try to post a new inovice with the same reference ie. xxx in company code B, system does not give error message.
  Please note: I have maintained message in application F5, no: 117 and 312.
  Also in customization for double invoice check, I have unchecked "Check Company code" and checked "check reference" and "check invoice date"
  I have also maintained the double invoice check flag in the vendor master.
  Please help at the earliest.
  Regards,
  Ankush

  Hi Ankush,
  Good Day,
  Duplicate invoice check across company code will not check for FI related invoice ( Like FB60)
  But you can able to achive this with BTE ( SAMPLE_PROCESS_00001110 for FI Duplicate invoice check)
  Steps for Implementing a BTE
  (1)Goto transction FIBF menu Environment->Info System (P/S )
  (2)Select the BTE you want to implement.
  (3)Press button Sample function module
  (4)This brings you to SE37 - Copy the sample function module to a Z-function module (First create a new function group for the function module) . Note: The name of the Z-functionmodule is not important
  (5)Edit the code in the new function module
  (6)Go back to transaction FIBF - Menu Settings->Products -> Of a customer and create a new product whicj identifies the new product . Remember to mark the Active field.
  (7)Go back to FIBF menu Settings->P/S function modules->of a customer - Create an entry that links the BTE and Product with the new function module
  Best Regards,
  KSK

• How to create Authority check object

  Hello Gurus,
  How to create Authority-check object 'ZABC'
                                                           ID 'TABLE' FIELD 'ZTABLE'.
  Please tell me detailed procedure.
  Thanks in advance.
  Best Regards,
  zubera

  Dear Zubera,
  Creating Authorization Fields
  In authorization objects, authorization fields represent the values to be tested during authorization checks.
  To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
  To create a authorization field:
  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.
  4. If desired, enter a check table for the possible entries. For    more information about check tables.
  For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
  You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
  Assigning an Authorization Object to an Object Class
  Each authorization object must be assigned to an object class when it is created.
  Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
  You can also create authorization objects in the Object Navigator (SE80).
  Creating / Choosing Object Classes
  The system displays a list of existing object classes.
  Object classes are organized according to the components of the system.
  Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
  You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  Creating an Object
  Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
  You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
  Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
  Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
  You can regenerate the profile SAP_ALL after creating an authorization object.
  Best Regards,
  Rajesh
  Please reward points if found helpful.

• Analize authority checks in web dynpro processing

  Hi,
  I'm facing strange things here.
  A user was reported not to be able to successfully use a function provided in our system:
  We provide a function for use of our call center agents that will reprocess and output document and send it by mail to the customer. It looks as if it worked but the mail is not sent.
  I started SE80 with my own user and put some external breakpoints in the webdynpro code for the agents username. Then I started the webdynpro application by entering the URL into the browser and logging in with the agent's credentials.
  On my first try, the debugger started ehen the external breakpoint was reached. SY-UNAME was the agent's name but everything went fine.
  Obviously the authority checks where done for my own user although there was a different sy-uname.
  I logged off completely and started a second time. I used my owner user to set the external breakpoints because the agent's user has no rights for development, just restricted to a couple of roles.
  This time I got a rabax state error - the dump was caused because the agent's user does not have authority for debug. The rabax error shoed me the call hierarchy and pointed to the method where I set the external breakpoint.
  So, is the any way to come close to the code where authorization check fails?
  Or - which we could try: What are the roles/profiles for use of SAPOFFICE? (in SU53, we can see failed checks, but it looks strange as there are failed authority-checks for ...ADMIN - dont know exactly because now I', home and don't have remote access).
  Good ideas always welcome!
  Note: Nobody knows why this function is implemented in Webdynpro but we have to live with it and get it working for this group of agents.
  Regards
  Clemens

  Traditionally I would probably have used ST01 with the "Authorization check" option and general filters to log which authority checks are working / failing.
  But now I quite like using ST05 (SQL Trace) instead as drilldown to the code is available ... you can tick the "Buffer Trace" option and "Activate Trace with Filter" to log the other user's calls - this will then display lots of references to tables USOBX_C and USRBF2 - drilling to the code on these usually gives you the "authority-check object 'xyz' .." details.
  Jonathan

• RE: Authority checks included in the info set of the query

  Hi all,
  I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
  how to find the Authority checks included in the info set of the query.
  Thanks in advance,
  Sun.

  If you have the BI support roles assigned to you  and the security admin  roles please login to the BI system
  execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
  For variables in authorizations like ( type customer exit )
  use RSECADMIN - maintain authorization tab - Click on value authorization tab.
  Keytransaction is RSECADMIN  & infoobject maintenance details you can get from RSD1.
  Regards

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• Web Service Homepage: Authority check failed

  Dear Colleagues,
  I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
  Authority check failed
  Are there any prerequisites I maybe do not accomplish?
  (I tested a very similar web service in another system, and there it works)
  Here are some more information about my service:
  - Service was build with Web Service Wizzard out of a function module
  - Here you can see the conversation resulting of the test:
  POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
  Host: bsl8011.wdf.sap.corp:50073
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Cookie: <value is hidden>
  Cookie: <value is hidden>
  Authorization: <value is hidden>
  Content-Length: 381
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
  <INPUT>TEST</INPUT>
  </ns1:Z_TEST_WS_CONFIG>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  HTTP/1.1 500 Internal Server Error
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
  server: SAP Web Application Server (1.0;700)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
  <soap-env:Fault>
  <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
  <faultstring xml:lang="e">Authority check failed</faultstring>
  </soap-env:Fault>
  </soap-env:Body>
  </soap-env:Envelope>
  The WSDL-Document looks as follows:
  <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
  Can anyone help me, I have no Idea
  Message was edited by: Hans-Peter Bauer

  The message server defined in the SAP-Logon is us4278.wdf.sap.corp
  But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
  But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.
  For better illustration I made some screenshots for you:
  1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
  2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
  3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
  What can be wrong, if the error "n0:FailedAuthentication" appears?
  Regards,
  Peter
  Message was edited by: Hans-Peter Bauer

• How to use custom authority object to execute certain code?

  Hi Gurus,
  I'm trying to use an authority-check just to execute certain ABAP code for some roles only, but I don't get to make it work as every user gets to exectute the code. I'm also not sure of which field(s) I should add to my authorization object when I'm checking it.
  Does anyone know if there's a way of making it? Thanks in advance.
  Edited by: Jorge Gonzalez on Jun 25, 2010 11:42 AM

  Hi.
  If the authority object is already created then you can view in transaction SU21, Select the custom object and double click on it.
  You can see the Authorization fields that need to be passed to the authorization object while using.
  For eg: If you see BUKRS, then you need to pass the company codes relevant so the authority check is performed
  All Authority object has activity which informs the operation to be performed. for eg:
  ACTVT: Activities.
  01 = Create
  02 = Change
  03 = Display
  06 = Delete
  07 = Activate
  10 = Post
  Also check for documentation if it is available, if so it makes life easy.
  Hope this helps
  Regards
  Shiva

• Authority check in for condition type

  Hi
  What do you mean by an authority check on condition type.. especially Pricing..
  There are authority check that are embedded as Reqt and AltCTy in the IMG at the pricing procedure level for different condition type.
  Could someone explain me what they are for..?
  Thanks
  Jac

  Hi,
      authority check is the std sap methodology of check the permitted authorisation values for every transaction  and every user.
  here in this example;authority object is used to maintain or change condition record for allowed condition types.
  scenario eg;if we maintain create value for user mukund for pr00 condition type ,system allows me only for creating .if we maintain change value for user sherin for condition type,system allows to change the values.
  net net i can create and u can change ,not visa-viz or any body else cannot do it.
  hope this is clear.if it helps  REWARD!!!!!!!

• Credit check across operating unit- urgent pls

  Hi Everybody,
  We are implementing oracle receivables in our co., the query is, a credit limit is set for a customer. how does the system check the credit limit if he is transacting with different operating units of our company. There is no cerdit set at site, so there is a possibilty of the customer bypassing the credit limit set to him.
  How do we solve this or is there a feature i havent gone thru ?
  Kindly reply.
  regards
  Abdullah

  Dear Shailendra,
  To have default Credit limit as zero or a fixed amount for all new Customers do the following:
  IMG - Enterprise Structure - Definition - Financial accounting - Define Credit Control area - select your Credit control area & maintain Risk Category, Credit limit & Rep. Group.
  This would make sure that all Customers & Sales Orders go thru Credit check.
  Risk Category & Credit Representative group can be defined at - IMG - Fin Accounting - Accounts Rec & Accounts Payable - Credit Management - Credit control account...
  Hope this helps...
  Reward if useful...
  Thanks,
  Jignesh Mehta
  98700 10230
  Edited by: Jignesh Mehta on Jul 17, 2008 3:04 PM
  Edited by: Jignesh Mehta on Jul 17, 2008 3:06 PM

• PNP authority check

  Hi all,
  I have a problem with authority check in a report.
  I have to access to a field in an infotype and subtype.
  I have all authorizations for this subtype and infotype.
  I'm trying to retrieve this data from an employee, but this employee has informed another subtype in this infotype where I haven't permisions.
  As in the source code there aren't access to this subtype where I haven't permisions, I found that the systems make it's authority check before the START-OF-SELECTION in class CL_HRPAD00AUTH_CHECK_STD, method IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION.
  The system takes the employee number, gets all its informed infotypes and subtypes and perform the authority check for my user, so I can't access to this employee information.
  I think this authority check is made by the use of PNP logical database.
  Is there any way to avoid this authority check?
  Regards,
  Angel Cepa

  Hi Angel Cepa,
  first of all: maybe you can use logical database PNPCE, because PNP is obsolet.
  Anyway, please refer to the documentation of PNPCE (transaction SE36), that may solve your problem.
  PNP/PNPCE knows two ways to check authority:
  1. If no authorization exists for even one individual data record of one of the infotypes used, processing of the personnel numbers is terminated by default (switch "PNP_SW_SKIP_PERNR" = Y)
  2. If you set this switch (at the INITIALIZATION or START-OF-SELECTION events) to N, no more personnel numbers (without authorization) are skipped. Only the data records for which no authorization exists are rejected (that is, not made available).
  So, simply set the switch, mentioned above, to "N" and you will have access to this employee (except the infotype-records, you don't have authority for).
  Regards
  CHRIS

• Authority-check for particular comp code

  Hi All,
  when i'm using standard Authority Object F_BKPF_BUK  for a particular standard code say 'CO01'. but it is working for all company code, but i want work for only one company code say 'CO01' ONLY.i'm using in report program (zreport prog)
  I written code as
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD 'BE10'
      ID 'ACTVT' FIELD '03'.
  Please can u advice on this .
  Many Thanks in Advance for u r Answer
  Naren

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• AUTHORITY-CHECK for KUNNR

  Hi,
  I am new in core abap. For my report i have to do AUTHORITY-CHECK for kunnr. I am not finding any suitable object to use. kIndly suggest.
  Currently i am using the following code.
    UNPACK p_kunnr TO ws_werks.
    AUTHORITY-CHECK OBJECT 'M_MSEG_WWE'
             ID 'ACTVT' FIELD '01'
             ID 'WERKS' FIELD ws_werks.
  But this is giving dump in case KUNNR contains some alphabets because of type mismatch. Kindly suggest how can i achieve the same.
  Regards,
  Pankaj Aggarwal

  Don't use a WERKS authorization for KUNNR, did you foresee the problems that may will arise when you will manage the user authorisations and roles, this authorization is checked in many standard programs on WERKS fields.
  - SU20 - Create an authorization field with data element KUNNR and check table KNA1 (or use template KNDNR, look via SE16 at table AUTHX look for authorization fields using KNA1 as a control table)
  - SU21 - Create an authorization object in a Z-customer class which use this field and the ACTVT field (template W_AUFT_RMB)
  - Use the new object in your program
  - Give the object name to those who manage roles via PFCG
  Perform some search on subject like [Creating a Customer-Specific Authorization Object|http://help.sap.com/saphelp_ish471/helpdata/EN/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
  Look also at some authorization objects like BRGRU which were intended to manage groups of customers.
  Regards,
  Raymond