Custom authorization object and check logic

Hi gurus,
We need to apply an additional authorization check in our custom reports.
So I created custom fields & an object, and put the statement
      AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
               ID 'ZROLEID' FIELD '03'
               ID 'ZSOBID'  FIELD zzdwbm.
in an ABAP class method centrally, so it can be called by many reports.
But the test shows that sy-subrc is always set to 0, even for users without any authorization.
What did I miss when adding the custom auth check?
For this case, do I need to maintain the authorization check indicator in SU24?
What confuses me is that in SU24 you have to maintain a transaction, but our authorization check is not for a transaction but for reports and a BSP application. How should I maintain SU24 for that?
Thanks and best regards.
Jun

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've run the report RPUACG00 also, which is mentioned in this thread.
We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked
but still it is taking the P_ORGIN object.

Similar Messages

  • How to add custom authorization object to a SAP standard transaction

    Hi All,
    I have a standard tcode IW22 (change PM Notification) and I would like to block changes when some users modify the field Functional Location (field TPLNR).
    Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
    - tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
    - tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and fields (TPLNR, ACTVT and TCOD)
    - tcode SU24 - insert of new authorization field and check indicator (green)
    - tcode SU22 - check indicator - check (green)
    After this we created a new role with PFCG and added transaction IW22; the new auth. ZPM was added manually.
    We have tried to analyze the log (ST01 trace) but it seems no check was made in the trace file.
    It seems the new authorization object was not checked.
    My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    Thanks
    Maurizio

    > My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
    >
    No, not possible. The list of auth. objects SAP proposes in SU24 for each standard SAP TCode is basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (meaning the proposal for availability in PFCG) to any of the four check indicators, so that we can provide our own values (customer-specific values which are basically defined and separate from SAP-provided values) and reinforce the authorization concept of the organization.
    So you need to provide an Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
    Regards,
    Dipanjan

  • Custom authorization object

    Hi all,
    I have created a custom authorization object to define a data security based on the Company code field.
    These are the steps I did:
    - I created a new authorization object containing the Company code field (BUKRS).
    - I created a new role with this authorization object, and I assigned a specific value to the Company code field.
    - The role also contains the standard authorization object HR Master data, which contains the fields: infotype, personnel area...
    - I assigned the new role to a user and executed a report, but I did not get the expected result.
    - I assigned the custom authorization object to the report transaction through SU24 and SU22, but I did not get the expected result.
    As the expected result, I was expecting the data to be filtered based on the Company code I put in the authorization field.
    Any idea about the problem?
    thx!

    Please check that you have followed all of the steps listed here when creating your object:
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm
    - April

  • Custom Authorization Object for HR

    Hi,
    As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
    I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked.
    Your help will be appreciated.
    Thanks,
    Mandeep Virk

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've run the report RPUACG00 also, which is mentioned in this thread.
    We also coded the authority check code in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context): http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm

  • Authorization Object and Authorization...!!!

    Hi BW Experts,
    Could anyone please tell me what the difference is between Authorization Object and Authorization?
    Thanks in Advance.
    Regards,
    Giftedbrain.

    Giftedbrain,
    Authorization Object:
    An authorization object groups up to ten fields that are related by AND.
    An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
    Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
    For information about maintaining the authorization values, double click an authorization object.
    The line of the authorization object is colored green in the profile generator.
    Authorization:
    Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.
    An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
    If you change authorizations, all users whose authorization profile contains these authorizations are affected.
    As a system administrator, you can change authorizations in the following ways:
    ·        You can extend and change the SAP defaults with role maintenance.
    ·        You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
    The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
    The line of the authorization is colored yellow in the profile generator.
    -Doodle

  • What is authorization object and how to create it for a table

    Hi All,
    What is authorization object and how to create it for a table?
    Thanks

    Hi
    Authorization
    For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
    Authorization Check for Transactions
    You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
    Authorization Check for ABAP Programs
    For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contain a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
    Authorization Check in ABAP Programs
    A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
    AUTHORITY-CHECK OBJECT object
                            ID name1 FIELD f1
                            ID name2 FIELD f2
                            ID namen FIELD fn.
    object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the user's authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1 FIELD f2 with DUMMY.
    After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
    Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
    ·        0: The user has an authorization for all specified values.
    ·        4: The user does not have the authorization.
    ·        8: The number of specified fields is incorrect.
    ·        12: The specified authorization object does not exist.
    A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
    REPORT demo_authorithy_check.
    PARAMETERS pa_carr LIKE sflight-carrid.
    DATA wa_flights LIKE demo_focc.
    AT SELECTION-SCREEN.
      AUTHORITY-CHECK OBJECT 'S_CARRID'
                      ID 'CARRID' FIELD pa_carr
                      ID 'ACTVT' FIELD '03'.
      IF sy-subrc = 4.
        MESSAGE e045(sabapdocu) WITH pa_carr.
      ELSEIF sy-subrc <> 0.
        MESSAGE e184(sabapdocu) WITH text-010.
      ENDIF.
    START-OF-SELECTION.
      SELECT  carrid connid fldate seatsmax seatsocc
        FROM  sflight
        INTO  CORRESPONDING FIELDS OF wa_flights
        WHERE carrid = pa_carr.
        WRITE: / wa_flights-carrid,
                 wa_flights-connid,
                 wa_flights-fldate,
                 wa_flights-seatsmax,
                 wa_flights-seatsocc.
      ENDSELECT.
    Regards
    Hitesh
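
An added example, not part of the original posts: one way to centralise the check from the first question in a class method and branch on the sy-subrc values listed in the answer above, with a DUMMY pre-check and a loop over several values because FIELD accepts only an elementary field. The object ZHR_APP01 and its fields ZROLEID and ZSOBID are taken from that question; the report, class, method and type names, the field length and the sample object IDs are hypothetical.

```abap
REPORT zdemo_auth_central.
* Added example, not from the thread. ZHR_APP01 / ZROLEID / ZSOBID are
* the object and fields from the first question on this page; all other
* names, the field length and the sample IDs are hypothetical.

CLASS lcx_auth_setup DEFINITION INHERITING FROM cx_static_check FINAL.
ENDCLASS.

CLASS lcl_auth DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES ty_sobid  TYPE c LENGTH 10.
    TYPES ty_sobids TYPE STANDARD TABLE OF ty_sobid WITH DEFAULT KEY.
    CLASS-METHODS may_display
      IMPORTING iv_sobid     TYPE ty_sobid
      RETURNING VALUE(rv_ok) TYPE abap_bool
      RAISING   lcx_auth_setup.
    CLASS-METHODS filter_displayable
      IMPORTING it_sobid        TYPE ty_sobids
      RETURNING VALUE(rt_sobid) TYPE ty_sobids
      RAISING   lcx_auth_setup.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD may_display.
    " Checks the current user for one elementary value.
    AUTHORITY-CHECK OBJECT 'ZHR_APP01'
             ID 'ZROLEID' FIELD '03'
             ID 'ZSOBID'  FIELD iv_sobid.
    CASE sy-subrc.
      WHEN 0.
        rv_ok = abap_true.
      WHEN 4.
        rv_ok = abap_false.
      WHEN OTHERS.
        " Any other return value is treated as a setup problem, never
        " as "allowed": the caller must not show data in this case.
        RAISE EXCEPTION TYPE lcx_auth_setup.
    ENDCASE.
  ENDMETHOD.

  METHOD filter_displayable.
    DATA lv_sobid TYPE ty_sobid.
    " Pre-check: ZSOBID is skipped with DUMMY, so this only asks whether
    " the user holds ZROLEID = '03' for any object ID at all.
    AUTHORITY-CHECK OBJECT 'ZHR_APP01'
             ID 'ZROLEID' FIELD '03'
             ID 'ZSOBID'  DUMMY.
    IF sy-subrc = 4.
      RETURN.                          " nothing is displayable
    ELSEIF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_auth_setup.
    ENDIF.
    " FIELD takes a single value, so each requested ID is checked in turn.
    LOOP AT it_sobid INTO lv_sobid.
      IF may_display( lv_sobid ) = abap_true.
        APPEND lv_sobid TO rt_sobid.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

DATA gt_requested TYPE lcl_auth=>ty_sobids.
DATA gt_allowed   TYPE lcl_auth=>ty_sobids.
DATA gv_sobid     TYPE lcl_auth=>ty_sobid.

START-OF-SELECTION.
  " Constructed sample IDs.
  APPEND '50000001' TO gt_requested.
  APPEND '50000002' TO gt_requested.
  TRY.
      gt_allowed = lcl_auth=>filter_displayable( gt_requested ).
    CATCH lcx_auth_setup.
      MESSAGE 'Check of ZHR_APP01 failed technically' TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
  ENDTRY.
  LOOP AT gt_allowed INTO gv_sobid.
    WRITE: / gv_sobid.
  ENDLOOP.
```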

  • Code for Custom Business Object and Adding/Updating Data

    Hi,
    I would like to update/insert data through a Custom Business Object to SQL Server. Please let me know whether it is possible in MSA. If yes, I would appreciate it if you could share the code/process in this forum.
    Thanks and Regds
    Harish

    Harish
    Depending on what data you update you need to do the following:
    If updating SAP tables or customer tables which are an extension of a SAP object like business partner, material, activity or similar:
    1. Create the extension of the data object via the easy enhancement workbench (EEWB). This will also create mapping functionality from MSA to CRM Server and extend the BDocs.
    2. Go to the BDoc modeler. Find the sBDoc for data exchange (type Write BDoc), that contains your object and check whether the new segment is there.
    3. In the Mobile Application Studio (MAS) you can now create a custom business object related to the standard sBDoc mentioned in 2 which is mapped to the new segment. This way the data exchange happens together with the main object
    4. Drag & drop the fields of the new BO to a new tile, and link that tile to the existing main object in the UI via the appropriate relation.
    If you would create a new business object / BDoc for a set of attributes belonging to a main object and not use an extension of the existing BDoc then the data would get its own flow and when replicating it would not come together with the main data. This can lead to data inconsistencies and in surplus effort administrating this data.
    If you have your own objects not related to a SAP object, you can do it the following way:
    1. Create your own table(s)
    2. Create a Write sBDoc on the table(s)
    3. Create BO's on each BDoc segment / table
    4. (as above)
    Hope this helps,
    Kai

  • Table Name - For Authorization objects and fields.

    Hi
    Could any  one let me Know In which Table Authorization Objects and Authorization fields are stored.
    Thanks N Regards.
    Priya

    hi,
    TOBJ ---> Authorisation Objects
    Refer to the link.
    http://saptechnicalinfo.blogspot.com/2008/07/sap-authorization-objects-tables.html
    Regards
    Sumit Agarwal

  • SAP Cloud Application Studio Create Custom Web Service From Custom Business Object and Consume in External System

    Hi Experts,
    I have requirement to create custom business object and create Web Service for that and use in external system (SAP ECC / SAP CRM / Third Party).
    1) Is it possible to create custom object web service and used in external system ?
    2) When we create the Web service from custom business object what the necessary steps(action : Create , Read , Update) require?
    3) Sample Scenario :
    My Custom Business Object
    businessobject Custom_Integration {
      element EP_VAL1 : LANGUAGEINDEPENDENT_MEDIUM_Text;
      element EP_VAL2 : LANGUAGEINDEPENDENT_MEDIUM_Text;
      element IP_RES : LANGUAGEINDEPENDENT_MEDIUM_Text;
    }
    I have created the Web Service using this custom business object.
    3) How can I use this web service in an external system? What are the prerequisite steps in the external system to consume this service?
    Please, does anyone have an idea how to achieve this using the SDK and a custom business object?
    Many Thanks
    Mithun

    Hello Mithun,
    Does this section in the documentation help you:
    SAP Cloud Applications Studio Help -> Developers Desktop -> Web Services
    The entry "Task -> Create a Web Service" describes how to create a Web Service on your own BO
    The entry "Task -> Test a Web Service" helps you how you can use it in a foreign tool / application.
    HTH,
       Horst

  • Authorization Object And Roles For  Functional Consultant

    Dear Expert,
    What kind of respective Authorization Object And Roles would be provided to  Functional Consultant (FI,MM, SD, PM, PS, CO, HR )at the time of implementation ?
    Thanx in advance
    Pavel

    Thanks Juan,
    We now already have it here and in the NW IDM forum a few times as well...
    Cheers,
    Julius

  • Authorization Objects and RSABAPSC

    Hi All,
    I'm trying to get all the authorization objects associated with a program, without using system trace. I've tried using RSABAPSC but there are some programs that it doesn't output any authorization objects. When I checked using system trace, these programs do have auth objects. Does this mean that there are no authorization checks written in the program code?
    Apart from using system trace and RSABAPSC, are there other ways of getting the authorization objects?

    Hello Benedict,
    I think that a trace (ST01) would be better. You can try with a user that has all the authorizations and you'll be able to see all the checks that were performed.
    Anyway, I think that there's no "perfect method" and as I said before the checks depend on the program flow. Also have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1837972
    Are you trying to get the authorizations for a custom program? If not, why don't you start with SU24 proposals and testing scenarios? You'll probably get better answers in the Security forum.
    Cheers,
    Diego.

  • Authorization object and document management

    Hi !
    I'm French so please excuse my English level.
    I'm not a technical consultant but my manager gave me the responsibility for authorization in an SAP BW project.
    There are several projects in the same system. A man in my team implemented a document functionality. When using BPS for planning, the user can create a document that will be bound to a cell and will be displayed in queries.
    For my project, I implemented two authorization objects (AO): Division and region.
    My problem is that users of my project can't see the documents created if they're not authorized for ALL the AO existing in the system (about 12), even if these AO are not involved in my project and not checked in the cubes and multiproviders of my project. I have to put "#" in profiles for each specific AO existing in the system.
    When I check in "RSSM", I see that these AO are not related to my info providers.
    I think it is a bug but if someone could help me it would be great!
    Thanks a lot.
    Best regards
    Rémy

    Hi,
    You have to create a role with the following objects (class BC_Z):
    S_BDS_D
    Activity                       *
    BDS: Data element for LOIO cla *
    S_BDS_DS
    Activity                       *
    Business Document Service: Cla BW_*
    Business Document Service: Cla OT
    And restrict in the role with your customer AO.
    Hope it helps.

  • Incorrect authorization object is checked in SU53. SU53 checks the wrong BP

    Hi all,
    I am setting up a new user and a new role in CRM 4.0.
    When coming to BP maintenance I get some frustrating errors.
    I have created a role with BP and SU53 transaction codes assigned.
    I have given the authorization to two BP roles:
    - 000000 (BP General) Activity: Display
    - ZCRM41 (Potential customer) Activity: Display and Edit.
    I can display the BP role '000000' but when trying to change to BP role 'ZCRM41' I get No authorization.
    SU53 indicates that I am trying to enter another BP role than ZCRM41.
    As a result no authorization is given. If I add the BP role the SU53 indicates and retry SU53 another BP role is checked and so on...
    Anyone who knows what is wrong?
    Points will be rewarded!
    Thanks,
    //anders

    Hello Anders,
    Thanks for providing me the details. Now I am clear about the problem.
    This is sort of puzzling to me. Such a behavior should not happen. It can happen only:
    a) In SU53, are you seeing the role 'ZCRM41' and customer role as an additional check? If this is the case, there might be some dependency assigned like role groupings (check in SPRO under business partner if these two roles form a role) or if there is any functional dependency.
    b) Also make sure that you have assigned and generated the right profile for the role. Some time in a hurry we might miss to cross check this.
    c) For business partners, the role authority check is done inside function module BUP_BUPA_EVENT_AUTH1. We need to debug here to find cause for this problem.
    Hope this helps.
    Regards, Sudheer.

  • HR custom authorization objects

    Is it possible to have more than one custom HR authorization object active at the same time? For example if I need 2 custom variations of P_ORGINCON (I have some very complex requirements), is that possible, or am I limited to just 1? Having more than 1 seems to present a problem when I run RPUACG00 to generate include MPAUTCON. It overlays the code generated for the first custom object with code for the second object, therefore only allowing generated code to exist for 1 of the objects.
    And one additional question - when I create a custom HR object (one which contains infotype, subtype, persg, persk etc), am I limited to only using fields from PA0001 in that object? If I include some other field that does not exist on PA0001, when I run RPUACG00 it gives me the error "Field xxx is not allowed in authorization object Z_xxx".
    Many thanks,
        Mike

    One example of a requirement I have is for a manager to have 3 different types of authority based on when a position was in his org structure. So if a position is currently in his org structure he might have WRITE access to their infotype 2,6,8... for positions that were in his org structure between 1 and 60 days ago (but are not in his structure as of today) he might have WRITE access to their infotype 2 and 6 and READ access to other infotypes, and for people that were in his structure 61-9999 days ago, he might have only READ access to all the position's infotype data.
    I was thinking of using 3 distinct HR authorization objects to cover each of these 3 scenarios, but ran into the issue mentioned above with the generation program RPUACG00.
