Custom HR Report--Authorization check required

Similar Messages

• How to find which custom program uses authorization checks

  Hi all,
  I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
  Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
  Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
  Many thanks,
  Aldo

  If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
  Below SAP documentation may help you:
  Authorization Group
  Authorization group to which the program is assigned.
  The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
  Execute a program
  --> Authorization object S_PROGRAM
  Edit a program (-Include) in the ABAP Workbench
  --> Authorization object S_DEVELOP
  Programs that are not assigned to an authorization group are not protected against display and execution.
  Security-related programs should, therefore, always be assigned to an authorization group.
  Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

• Abap Report Authorization Checks

  Hi. I have some question on customized abap report to be based on user role organizational level.
  May I know how to program the abap report such that the report will show only data based on user role organizational level (Plant, Company, SalesOrg etc)?
  For instance, if userA role organizational level for plant is plantA, the abap report will only show data for plantA. If userB role organizational level for plant is plantB, the abap report will show data for plantB.
  May i know how to program the abap report?
  Appreciate any guidelines.

  Hi,
  Assign the Users with predefined roles.
  Attach the Orn Units(Plants/St locn, CC/etc) in the roles .
  create a Tcode for the report  and attach that Tcode in that role.
  So now the user can execute that report with that siplant to which he is authorised.
  Hope this helps.
  Regards,
  Anji
  Message was edited by:
          Anji Reddy Vangala

• PS reports authorization check

  Hi guys,
  I am experiencing an unexpected behavior in PS module.
  I have two different project areas using PS WBS.
  I am running some test due to a lack of security. I can control all access on WBS  using ACL configuration but ACL cannot control PS reports access. So a PS area can see the budget of another area and this is the main issue.
  So I suppose I could control all reports with C_PRPS_VNR authorization object in order to allow access using diferent roles with C_PRPS_VNR value according WBS.
  I run a test with S_ALR_87013558 report and in the authorization trace I found the following:
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=03;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=24;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=26;
  10:27:27:305 AUTH    - - -   C_PRPS_VNR RC=12 PS_VERNR=01010101;PS_ACTVT=28;
  Even with the RC=12 I can see all data!
  I found the same symptom in a lot of S_ALR_* reports.
  My question is: why the RC=12 donu2019t deny my access?
  Best Regards,
  LMG

  Hi  LMG,
  1. I would suggest you to build a role with the reports you are trying to run with a test user and see if you get the same result.
  2. I am guessing that you have another role which might be performing the same actions/activities or you have SAP ALL/SAP NEW
  3. I found these definitions for you to understand what  RC -12 could be.
  4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
  8 Too many parameters (fields, values). Maximum allowed is 10.
  12 Specified object not maintained in the user master record.
  16 No profile entered in the user master record.
  24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
  28 Incorrect structure for user master record.
  32 Incorrect structure for user master record.
  36 Incorrect structure for user master record.

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• Authorization check on Z report

  Hello Experts,
  We had a requirement to develop a report which would combine the features of V.14 and V23 with some additional features like removing delivery blocks and billing blocks.
  We want to add some authorization checks so that some people are restricted to view information of only some sales organizations and some people like management will have a broader authorization to view details of multiple sales organizations.  How can we acheive this?
  For example in SU23 when we run our custom T code we do not see the authorization object which is used in the program. We are currently using VBAK_VKO in our program.
  Thanks and regards.
  ES.

  Hi,
  Adding to above replies, are you calling V.14 and V23 in your custom program or you created your own login in Z program? If standard tcodes are being called, make sure that appropriate restrictions are placed in SE97 tcode for the Z tcode.
  In SU24, you will have to add the object to the Z tcode. You will not see it automatically. But make sure that the authority check is there in program (can verify by a ST01 trace).
  As Anika said, you can create separate roles for each required sales organization.
  Thanks

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• BW authorizations objects in Custom abap report

  Hi,
  we develop a BW custom abap report which we have to roll out to certain end users.
  We would like use our BW authorization design, and need therefore to incorperate these auth. objects into the abap.
  What is the best way to this? Can we use function modules?
  Any help welcome?
  Regards,
  Hans

  Hello Hans,
  please check out the following
  http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/e1cba990-0201-0010-43ae-af579aee7a73
  Hope it helps..
  thanks,

• Re: Setting Authorization Check in Report Writer

  Hi,
  In ABAP Query or ABAP customized program, it is possible to set authorization object checking.
  In Report Writer, how can I do it?
  <REMOVED BY MODERATOR - REQUEST OR OFFER POINTS ARE FORBIDDEN>
  Thanks
  Edited by: Alvaro Tejada Galindo on Dec 26, 2008 10:59 AM

  Hi Colin,
  I would like to suggest,
  Creating an Authorization object & then using it in the report program is the preffered way.
  I would like to suggest a couple of references, quite similar to your issue,
  [SDN - Reference for using authorization checks at the report level|User authorisation check in ABAP-HR program;
  [SAP HELP - Standard Reference for Programming Autorization checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/6712ac439b11d1896f0000e8322d00/frameset.htm]
  [SAP HELP - Standard Reference for Authorization checks|http://help.sap.com/saphelp_nw04s/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm]
  Hope that's usefull.
  Good Luck & Regards.
  Harsh Dave

• I played a rented movie in my newly bought ATV, but when i wanted to watch a TV Series i got the "Authorization is Required" !! although i have successfully played a rented movie at first !! and when checking into iTunes i couldnt find the ATV??

  I played a rented movie in my newly bought ATV, but when i wanted to watch a TV Series i got the "Authorization is Required" !! although i have successfully played a rented movie at first !! and when checking into iTunes i couldnt find the ATV??

  The ATV2 or ATV3 (small black boxes) don't show up as devices in iTunes. If iTunes and the ATV's have Home sharing turned on for the same account - and are on the same network, the ATV should show up as an AirPlay target device in iTunes.
  The rented movie - was this rented on the ATV or in iTunes?
  The TV series - where are you trying to play this from? Is it in iTunes or via the 'TV Shows' menu in ATV... i.e streaming from iCloud?

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Missing authorization check on the IM Reports

  Hi,
  We use RAIMINFO reports (S_ALR_87012805, S_ALR_87012806 u2026 ) to display
  structure and values in Ferrero Spa investment program
  On the initial screen, the value types which have to be output, are
  determined by the authorization checks to be carried out .
  For example in case that an user decides to display the plan or budget
  references to program position, the user has to have the authorizations
  on the Persons responsible (A_IMPR_VER). For us this is OK because we
  define responsibilities through A_IMPR_VER. But if user decides to
  display the appropriation request or measures and he doesnu2019t indicates
  the program position it seems that anything on the A_IMPR_VER will be
  performed. We need that the check on A_IMPR_VER will be performed always(for all objects: measures, appropriation request ).
  We think this is a function missing in RAIMINFO and in all the IM
  reports.
  Could you help us to solve this problem?
  Thanks and best regards,

  Hi,
  If you want use check box in crystal., then you can do this by writing piece of code.
  please try for
  If {Table.Field} = True Then
  'Display the checkbox of your choice here
  Formula = Chr(254).
  thanks.
  Bala

• Authorization checked for infoObjects even though not relevant to report

  Hello guys,
  I am facing a problem in BI 7.0 authorization checks.
  For a given report the BI team has placed a restriction in the query only for infoObject 0Comp_code (company code) and 0SOLD_TO (sold to party). Accordingly i have created authorization in RSECADMIN and assigned to role--> user.
  But when the user runs the report, he gets as authorization error and during analysis in RSECADMIN i see that "list of Authorization relevant charecteristics(infoObjects) for info provider xxxx" contain other infoObjects as well.
  Is it a case where infoObjects can be made authorization relevant for the whole  info provider eg-ZSD_M42" (where this is a multi provider)apart from being checked for specific reports eg- ZSD_M42_Q0001?
  How do i get around this problem?
  Regards,
  Prashant

  Hi Prashanth,
  What Zaheer said was exactly correct.Make sure all the Auth relevant Chaaracteristics of an Infoprovider  are properly authorized through your Analysis Authorization.Suppose if you don't need security on other Characteristics of an InfoProvider give * in your AA which will byepass check on that particular Auth relevant Characteristics..
  More over,See to that all the key figures are properly authorized as all the keyfigures are by default auth relevant in BI.
  Cheers,,
  Ramkumar C

• Authorization check - customer exit EXIT_SAPLRRS0_001

  Hi gurus,
  a question on customer exit about EXIT_SAPLRRS0_001 related to i_step = 0 (Authorization check).
  I have two InfoObjects: 0WS_CAT and 0WSCATQ. The last one has a compounding that is 0WS_CAT.
  In the exit: I need to check the 0WS_OBSFLAG (a simple flag attribute) to determine if the entries in 0WSCATQ Master data are valid or no.
  If I found that the entry is valid I add the value to the e_t_range export table in this way:
  if ( i_step = 0 ).
      l_s_range-sign = 'I'.
      l_s_range-opt = 'EQ'.
      l_s_range-low = '00000001'.
      append l_s_range to e_t_range.
  endif.
  The problem is the compound, how can specify the value key for the export table?
  For example ... in the table I have three entries:
  0001 00000001 #
  0002 00000001 X
  0003 00000001 #
  The valid entries are:
  0001 00000001 #
  0003 00000001 #
  How can specify '0001' or '0003'? Because if I assign only the value  '00000001' to l_s_range-low then the entries valid in the authorization for 0WS_CATQ are three and not two.
  It's important for me to find a solution.
  Regards, Roberto

  Hi Roberto,
  you have to build your logic into a variable for the other infoobject 0WS_CAT and find your values 0001 and 0003 the way you described.
  You might have to restrict the selection for 0WSCATQ to a single value, in case you have a record like this in addition to the 3 you have listed.
  0002 00000005 #
  Best,
  Ralf

• Error for customer specific Authorization check (User Exit)

  Dear Experts,
  I am facing a problem in PM.
  I have created a maintenace plan for calibration via t code IP42 and mentioned the order type PM05. Scheduling is done for the order. I got the order number.
  I have released the order and got the inspection lot number.
  While entering the results recording through t code QE17, the reluts are out of the specified range, i have given the valuation Rejected, immediately system is giving an error message as below:
  "Error for customer specific Authorization check (User Exit)"
  Though there is no user exit activated in the system, this message is coming and not allowing the result recoring for rejection.
  If I'm entering the result recording within the specified range, then valuation is Accepted and its allowing to save.
  I have checked the following user exits:
  QQMA0002: QM: Authorization Check for Entry into Notif. Transaction
  QQMA0026: PM/SM: Auth. check when accessing notification transaction.
  The above 2 User Exits are not active.
  I have also checked a note 429066. But it says incase of any dump for that user exit only its applicable and more over the current version of the system is ECC 6.0 packae 15, where as that note is applicable upto 4.6C.
  Please some one help me on this issue.
  Thanks and Regards,
  Praveen.

  Dear Pete,
  I have cheked with my technical team, There is no hotpacks updated recently. This is the implementaion project I'm in, so performing the cycle for the first time.
  Any how I got it solved, in T code QE17, after entering the Inspection lot in next screen goto menu path Settings - User settings - Defects recording mention the reprt type and tick on Reprt type Changable.
  At the time of result recording if the valuation is Rejected then it ask for defects recording close that window if not rwequired then save, the error message no longer apperaing now.
  Regards,
  Praveen