How to check if the user has only the display authority of a message

hi,
How to check if the user has only the display authority of a message but does not have the change authority for a certain message?
Best regards,

hi blake
though i am an application consultant and for authorisation u need to have help of BASIS person if u r not the one but still i can guide u regarding the same,
Basically Authorization Management 
Use
You can use the following authorization objects to control the authorizations for maintaining business partner data:
•        Authorization objects for the Business Partner:
•             B_BUPA_GRP
•             B_BUPA_ATT
•             B_BUPA_FDG
•             B_BUPA_RLT•       
Authorization objects for relationships:
•             B_BUPR_BZT
•             B_BUPR_FDG
In addition, you can assign an authorization group to a business partner in the dialog. The authorization group controls which users may maintain data for this business partner.
You can also define authorizations for fields and field groups using the Business Data Toolset (BDT). Depending on the settings you have made, the system carries out the relevant authorization checks.
In the dialog in the SAP GUI, you can display an overview of the authorizations assigned to you by pressing the button Settings.
For more information on authorization management, see the Implementation Guide (IMG) of the Business Partner, as well as in the Developer’s Handbook for the BDT under  Authorizations.
IntegrationAuthorization management for the Business Partner forms part of the  SAP authorization concept.
Prerequisites
You have made the necessary settings in Customizing of the Business Partner under Basic Settings--> -Address Management.
Moving over
AS ABAP Authorization Concept 
The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
Authorization Checks 
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
•        Starting SAP transactions (authorization object S_TCODE)
•        Starting reports (authorization object S_PROGRAM)
•        Calling RFC function modules (authorization object S_RFC)
•        Table maintenance with generic tools (S_TABU_DIS)
Checking at Program Level with AUTHORITY-CHECK
Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
Starting SAP Transactions
When a user starts a transaction, the system performs the following checks:
•        The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
•        The system then checks whether the user has authorization to start the transaction.
The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
•             The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
•             If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
•        The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
The check is not performed in the following cases:
You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
•             You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
•             So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).
All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
Starting Report Classes
You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.
We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.
You must consider the following:
•     •         After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).
•     •         There are certain system reports that you cannot assign to any authorization class. These include:
•     •         RSRZLLG0
•     •         STARTMEN (as of SAP R/3 4.0)
•     •         Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).
•     •         Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.
Calling RFC Function Modules
When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.
Checking Assignment of Authorization Groups to Tables
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
please See also:
•        SAP Notes 7642, 20534, 23342, 33154, and 67766
guess this info will help you,there is one graphic which actually explain the hierarchy of authorisation,i will find some time out to let u know more info about the authorisation
but if u sit with ur BASIS guy then u can learn lot of things in PFCG
i guess u r a basis guy,then its not a problem
best regards
ashish

Similar Messages

  • How to check if a user exists in the system ?

    Dear Gurus,
    I want to check whether a user ID exists in the system after logon by using VBA. If the user ID exists, then I will update the user's information with external data by using the method user.change.
    When running below codes, error occurs and error msg is: "The persistent key for an business object instance of type USER has not been set. Cannot invoke method EXISTENCECHECK"
    How can I do to check the user ID existence ?
    Set oUser = oBAPICtrl.GetSapObject("user")
    oUser.ExistenceCheck "MyUserID", return:=oReturn
    Thanks and Regards,
    Bao Yan

    Mickey,
    I'm afraid I never did get this to work properly. However, in the way of all bad/good (delete as appropriate) programmers eveywhere I worked around this problem. I was using this code in Banner.asp to change the view based on the user group so if a given session variable was set a user would see a different view. It works fine with no slow down on the page and you should be able to adapt it to what you need.
    Hope this helps.
    Neville
    Note: Application variables are ones I have defined in config.xml.
    Code follows:
    <!--START:INC\common\getgroup.asp-->
    <% 'NAH 29/03/2004 ' 'This check the to see if the current user has the group in their membership that has been defined as the group to provide an alternative view of the portal.' 'The group variable is defined in the config.xml as "ALTVIEWGROUP"'
    'Do not do this is we have already matched the group'If Session("groupMatch") <> "1" and Session("groupMatch") <> "2" then
    Dim pGroup
    pGroup = Application("ALTVIEWGROUP") Set Session("groupMatch") = nothing
    Dim Plumtree
    Set Plumtree = Server.CreateObject("ADODB.Recordset") Plumtree.ActiveConnection = "Driver={SQL Server};Server=" & Application("DBSERVER") & ";Database=" & Application("PLUMTREEDB") & ";" Plumtree.Source = "SELECT GROUPID FROM " & Application("PLUMTREEDBUSER") & ".PTGROUPMEMBERSHIP WHERE (USERID = " & strUserID & ") AND (GROUPID = " & pGroup & ")" Plumtree.CursorType = 3 Plumtree.CursorLocation = 2 Plumtree.LockType = 1 Plumtree.Open()
    'If there are records we should have a match otherwise set the session varible to no match.' If Plumtree.EOF then Session("groupMatch") = "2" Else 'By getting here the user should have the matching group but complete one final check to make sure' If cInt(Plumtree.Fields.Item("GROUPID").Value) = cInt(pGroup) then Session("groupMatch") = "1" Else Session("groupMatch") = "2" End If
    End If
    Plumtree.Close() Set Plumtree = Nothing
    End if%><!--END:INC\common\getgroup.asp-->

  • How to check if a user has SAP_ALL in a program?

    Hi:
    I want to create a program that will check if the user has SAP_ALL. Is there a standard FM or BAPI?. Otherwise, can someone pelase help.
    Thank you.
    Seshagiri Gopi

    Hi,
    Please check the below link:
    http://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
    Regards,
    Nilesh.

  • Module status on LMS is showing as incomplete - even after the user has completed the module.

    Hi Folks,
    Hope you are all keeping well! I have a bit of a problem here. On a number of modules that were developed using presenter - and custom animation (including click next to continue) etc etc, the LMS is not showing the module status as complete - even AFTER the user had comleted the module and closed. This problem has been noticed only when the user uses the CLICK NEXT or click this part of the screen to continue.
    When the user navigates using the presenter control buttons - to navigate the training content that is, the LMS is correctly showing as the module has been completed.
    The problem I am having is that - is there any way to make presenter detect a click within a slide (user click to navigate from within a slide) and thereby register it as a valid module completion?
    Thanks in advance folks,
    Kind Regards,
    Alex.

    Hi Shubi,
    Thanks for you quick reply.
    Shubhi Shukla Dubey wrote:
    Hi Alex,
    Which LMS server you are using?  Secondly what is the Setting in Quiz>Reporting tab is it SCORM 1.2,2004 or Aicc.
    You want status on basis of user clicks then please make sure that Report data is set to "Slide view =100%" (or whatever precentage you want) and  Report Pass/Fail set to "Complete/ Incomplete."
    Thanks,
    Shubhi
    LMS = cornerstone on demand. It has been customised to suit the company requirements, Reporting tab is SCORM 1.2   
    To circumvent the issue I have changed the % view to 0% so in theory when the user launches even one slide / page - it will set it to report as status complete.
    However this is not a viable solution on content critical modules....dont you think so?
    Ideally I would like to get to the bottom of why a button within the module (which is able to navigate between pages) is not being able to report / set / increment the completion status counter.
    Thanks and Kind Regards,
    Alex.

  • How to check if a user has a deferred task or not?

    Right now, I use getView and then check for the deferred task as below
    1)
    <Action id='0' application='com.waveset.session.WorkflowServices'>
    <Argument name='op' value='getView'/>
    <Argument name='type' value='User'/>
    <Argument name='id' value='$(accountId)'/>
    </Action>
    2)
    <Transition to='Add Deferred Task'>
    <isnull>
    <ref>view.accounts[Lighthouse].properties.tasks[Task Name]</ref>
    </isnull>
    </Transition>
    Is there a quicker way to combine both steps 1 and 2 into one step?

    Here's my code
    <Action id='0' application='com.waveset.session.WorkflowServices'>
    <Argument name='op' value='queryObjectNames'/>
    <Argument name='type' value='User'/>
    <Argument name='single' value='true'/>
    <Argument name='attributes'>
    <map>
    <s>accountId</s>
    <ref>accountId</ref>
    <s>deferredTaskDate</s>
    <s>Task 123</s>
    </map>
    </Argument>
    </Action>
    So I'll pass in 2 parameters, the accountId and a task name. I want to see if this user has that particular task name or not.
    In the WF trace, I see this
    Argument attributes = {accountId=ABC, deferredTaskDate=Task 123}
    queryResult is null because it could not find this user even though user ABC exists in IDM and has a deferred task named Task 123.
    Is my code wrong and how do I use AttributeCondition in the queryObjectNames above?

  • How to check if a user has access to a responsibility

    Hi,
    I have a user_id in the controller. How do I know if this user has a particular responsibility added to him or not. I guess there a specific proflle call which gives this information. Can you give me that information.
    Thanks,
    HC

    Create a vo with the following SQL passing userid as bind value:
    SELECT C.USER_NAME,
    B.RESPONSIBILITY_NAME,
    A.START_DATE,
    A.END_DATE
    FROM APPS.FND_USER_RESP_GROUPS_DIRECT A,
    APPS.FND_RESPONSIBILITY_TL B,
    APPS.FND_USER C
    WHERE C.USER_ID = A.USER_ID
    AND C.USER_NAME= :1
    AND B.RESPONSIBILITY_ID = A.RESPONSIBILITY_ID
    You will have the list of all the responsibilities of a user.
    Kristofer

  • How to check if a user has a particular role in sql server

    Is it possible to check to see if a user has a particular role in sql server? For instance, I need to check to see if the user logging in has wite ability to the database. Thanks in advance.

    To answer your question from a Java-perspective, since this is a Java-forum: No.
    The JDBC 3.0 specification does not state that the driver has to implement a user credential mechanism.
    However, the DriverManager will throw an SQLException if user credentials are not met at all and the Connection should throw you a SQLException when trying to create or execute a statement that you are not alowed to do.

  • How to check whether a user has permission to create term in Taxonomy Term Store using CSOM ?

    I want to check programmatically whether the current user is a Term Store Administrator or not.

    I am not sure how Tomcat handles this, but you need to use two-way (mutual authentication) request but not enforce SSL between Tomcat and the client browser. This will make the browser prompt the user for the cert they want to send. Then you'll need to tackle the other part of your problem, getting the correct content displayed depending on whether the user sent a cert or not. I'm even less help there than I was on the first part of your question.
    So, yeah - good luck with that
    Lee

  • How to check if a user has clicked on a digital control and changed its value?

    Greetings !!!
    I am looking for a simple way (without using Windows messages)of knowing if an user has clicked on a digital control and changed its value.
    I have tried the key focus property; but I have to click twice to make it work.
    If somebody knows a better solution; please let me know.
    Thank you in advance for your help

    If you just want to know if the value has changed you can put it in a while loop and use shift registers to see if the value has changed.
    Brian
    Attachments:
    Changed.vi ‏22 KB

  • How to create a jframe which has only the close button

    hi
    i want to create a jframe which hold only the close button on the title bar. just like an JOptionPane.
    hussain52

    Well, if you are in a window's environment and using forte, you can go to sample forms, MDI, and then just highlight and delete what you don't want from the menubar.

  • How to verify that the user has changed table row data before db update

    Hi all,
    Iam using Oracle ADF with EJBs.
    I have a single selection table that displays rows of data returned from a function of my data control.
    The columns of my table are editable so that the user can change the data. The user selects a row, changes the data in one or more columns of the row and saves the data by means of a submit button. The code in the submit button, identifies the row of the corresponding iterator that the user clicked on and updates the data in the database (using the 'mergeEntity' function of the EntityManager)
    Before saving the data, I want to put some logic to check whether the user has actually changed some data to avoid unnecessary updates in the database . But for this I need a technique to detect that the user has indeed changed some data in the table row.
    One technique I have been using so far was to isolate the iterator row of the table and then query the corresponding row in the database table and compare their values.
    Except from dummy, this technique is not efficient if the table contains many rows.
    Moreover, in my case I have observed that on successive updates on the same row , the query on the database returns the new values (user changed values) and not the actual values contained in the database table. This means that when the user updates an iterator row the cached data affect also the results of the SELECT statement from the actual database table!!! Isn't this strange ?
    Can somebody propose me a neat method to detect when the user has changed the the data of an iterator row ?

    Hey Alan,
    The below solution seems overly complicated to me and can not be implemented without a custom screen and/or the use of JavaScript. Also, if your main concern is that a user may accidentally loose all their data because they closed the browser window or the session times out before they hit the save button then this solution does not help you.
    There are a couple of simpler approaches you can take here:
    # If the use of JavaScript is permissible you can hook into the windows 'onUnload' event, and pop-up a message box which gives the user the opportunity to cancel closing the window and save their case if they haven't already.
    # Implement an autosave feature by hooking into one of events provided by web determinations. A simple (but rather naive) way of doing this would be to hook into the OnRenderScreenEvent and call save on the interview session every time the event fires. This guarantees that all the data the user has submitted will aways automatically be saved, thereby removing the need to make sure the user manually saves their data before closing the browser.
    Automatically making Web Determinations close a browser window has to be done using JavaScript. However, doing so means that a) it won't work for people who turn off JavaScript, which is commonly done for accessibility reasons b) you'll likely run afoul of the browser's security mechanism (they generally won't let you close a window that you didn't open and some really don't like you doing that at all).
    Thanks,
    Kristy

  • How to find the user who deleted the contents of DSO.

    Dear friends,
    Can u please tell me ,how to find the user who deleted the contents of the DSO.
    The user has deleted the complete contents of the DSO. We need to find the user ,date and time.
    regards,
    Vijai

    Hi,
    If the user has used the manage option to delete the contents of the DSO then the changed by field will be updated by the users name. In case a program is used for the deletion then it wont be the case.
    Regards
    Govind.

  • How to tell if a user has logged in to teststand

    I am using a custom LV UI. I would like to know if there is a way to tell if the user has clicked the cancel button on the standard TS login. I would like to keep using the standard TS login if possible.
    Thanks
    Joe.
    "NOTHING IS EVER EASY"

    Hi Joe,
    Unfortunately, the default TestStand login code uses a TestStand engine method (DisplayLoginDialog) to handle this dialog box.  The method returns a user object based on the user's selections, and cannot be modified.  However, a clone of theTestStand login code developed in LabVIEW can be downloaded from the developer zone.  This set of VIs does not use this method, and will allow you to configure what data is returned by the dialog.The files can be downloaded here:
    LabVIEW based Login Reference Example for Teststand
    Let me know if you need any help configuring this code, and I'll be happy to help!
    Al B.
    Staff Software Engineer - TestStand
    CTA/CLD

  • How do I sign my VB / VS 2010 based shared COM add-in for Excel so it loads when the user has checked "Require application add-ins to be signed by a trusted publisher"?

    My COM add-in is developed using VS 2010 and VB. It's a shared COM add-in (not VSTO) and it works with Excel 2007 - 2013. My installer is signed with a code signing certificate but it would appear that my add-in's .dll should also be signed if the user has
    checked the "Require application add-ins to be signed by a trusted publisher" option.
    The "Sign the assembly" option is checked in my add-in's VB -> My Project -> Signing. I have a .snk file selected which I seem to recall generating 6 or 7 years ago when I ported the COM add-in from VB6 to .NET. 
    I have an up-to-date Comodo code signing certificate (a pfx file called MyCompanyCodeSigningCertificatePrivateKey.pfx) which I purchased to use with the installer and was wondering if and how I could use this.
    I tried selecting my pfx file in the My Project -> Signing -> "Choose a strong name key file" dialog. It made a copy of the pfx file in my project folder but when I tried to build the project, I got the following error:
    Error 1 Cannot import the following key file: MyCompanyCodeSigningCertificatePrivateKey.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the
    following key container name: VS_KEY_C0B6F251F0FB6016
    After a little research, I found out I might be able to use signtool to sign the dll in a post-build step.
    I added the following command to the post-build event, before the command I use to regasm the assembly.
    "path to signtool\signtool" sign /f "MyCompanyCodeSigningCertificatePrivateKey.pfx" /p "xxxx" /v "$(TargetPath)"
    When I built the project, the dll appeared to get signed (the output window showed a bunch of confirming text as well as "Successfully signed: c:\MyAddIn\bin\Release\MyAddIn.dll") but the next step in the post-build (regasm myaddin.dll /codebase)
    issued a warning RA0000 (see below) but reported "Types registered successfully".
    Here's the message I get from regasm, even though the output window says the dll was sucessfully signed:
    RegAsm : warning RA0000: Registering an unsigned assembly with /codebase can cause your assembly to interfere with other applications that may be installed on the same computer. The /codebase switch is intended to be used only with signed assemblies. Please give your assembly a strong name and re-register it.
    Types registered successfully
    I'm not using a shim if that makes a difference.
    How do I sign my add-in so it loads when the user has checked "Require application add-ins to be signed by a trusted publisher"?
    Any tips would be appreciated.

    Hello,
    Why do you need to use the regasm utility from the post-build action?
    There is a difference between signing the assembly with a strong name and digital signature. The
    How to: Sign an Assembly with a Strong Name article in MSDN explains how to sign an assembly with a strong name (.snk). See
    How to digitally sign a strong named assembly for adding a digital signature.
    You may also find the
    What's the Difference, Part Five: certificate signing vs strong naming article helpful.

  • HT1451 Hi All, I have 2 users on my desktop, 1 i-tunes account and log-in but both users have different music contents i.e. one has the full iTunes library and the other only has some songs. How do i get both users to have the same music content?

    I Have 2 users on my computer and both access i-tunes using same password etc. however 1 library has the full content of music but the other one has only partial playlists. How do I get both users to have the same full library?

    The title of my initial post is a bit misleading. I already took a chance deleting one of the iPhones, hoping if I deleted the wrong one, I can still reauthorize it (all with the same Apple ID acct, so not subject to 90-day waiting period, right?) The iTunes database just updated itself, and it says I have 4 "devices" "in the Cloud", but 5 "computers" associated w my account. How can I find out what computers are associated? Isn't there a list I can see? I dont have a clue what computers they might be. If I use the  "Deauthorize All" option, is it a pain to add them all back in. I assume I would have to log in from each computer to reauthorize each one. Would I have to be running the newest OS or version of iTunes to reauthorize? I think I have a PowerBook G4 Titanium with an older OS and iTunes. I'd like to keep that authorized, if possible.

Maybe you are looking for