HR_CHECK_AUTHORITY_INFTY
Hi all!
I would like know what all Authority Checks does the Function Module HR_CHECK_AUTHORITY_INFTY perform and Is this Function Module alone sufficient to replace for the Complete Authorization Check performed by the LDB?
Thanks,
Pravs
Hi,
Here is the information.
Authorization checks are not supported by the SELECT statement and must be executed at the program level.
In this case, you must use the function module HR_CHECK_AUTHORITY_INFTY to check whether the user has the required authorization for data and persons.
If the infotype does not have any subtypes, you can use the value SPACE with the parameter SUBTY.
SAP recommends that you use logical database PNP because it runs authorization checks automatically.
If you use SQL commands,you must run the authorisation check using this FM.
Similar Messages
-
Calling HR_CHECK_AUTHORITY_INFTY with a specific UNAME
Hi all,
i'm realy confused about this.
when a login with the user HCMTEST40 and go to PA20 and enter PERNR 00000620, i can access Infotype 0001 of the PERNR 00000620.
I'm am trying to make a report, which checks if the user HCMTEST40 has access to Infotype 0001 of PERNR 00000620 by calling the following FM HR_CHECK_AUTHORITY_INFTY, which is by the way called with the same paramters from PA20.
106 CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
107 EXPORTING
108 pernr = lv_persno
109 infty = lv_infty
110 subty = lv_subty
111 begda = lv_begda
112 endda = lv_endda
113 level = lv_level
114 uname = lv_uname (HCMTEST40)
115 EXCEPTIONS
116 no_authorization = 1
117 internal_error = 2
118 OTHERS = 3.
if i login with my own User (not HCMTEST40) an start the new report, i get a not_authroized-Error....
what's wrong here?
i appriciate any help.
thanks
PourangHi Dilek,
actually i want to check differnt combination (R, M, etc.) and Infotypes (0001, 0002 , etc) for a lot of users every day with the FM HR_CHECK_AUTHORITY_INFTY with a given uname, to figure out, if specific user have proper authorizations.
i don't check if some one has the TCODE-Authorization PA20...
the problem is, that the FM returns another result, when i call it with the same paramters and values as it is called when the user starts PA20.
how ist this possible?
thanks. -
FM HR_CHECK_AUTHORITY_INFTY is failing
Hi,
I am logging in to ESS portal with two different IDs, which has same roles. For one ID it is returning the value as no_authorization
whereas for the other ID, it is returning the value as Authorised.. Both the IDS have the same roles and profiles. Please let me know how to solve it..Hi,
Is the second id created by copying first id -
HR_CHECK_AUTHORITY_INFTY and queries
Hi,
Wanna know if this can check for PD infotype authorisation as well other than PA infotypes?
such as hrp1000 etc.
Currently did not work for me..
Does anyone got any FM to check this? For HRP infotype...
thanks a million,
lihuiHi,
By the way may i know when using RH_PM_AUTH_CHECK,
i need to check for the user that runs the report such as sy-uname is user1234, how do i pass this value to this fm to check if this user has authorisation to read hrp1000 values?
which parameters shld i use?
Thanks and Regards,
lihui -
How To Create ABAP Code For HR Context Sensitive Structural Authorization
Hello,
We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
Thank you in advance for all your assistance,
Ken BowersHello Ken
You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
Regards
Ranganath -
How to can we do selection-screen modification for LDB?
Hi All,
I have custom field in my selection-screen of LDB PNP.
Can you people please let me know how can I put the selection-screen modificaiton For ex:
i have created
parameters a as checbox.
select-options: p_btrtl for p0001-btrtl no-intervals.
now If the check box is selected then p_btrtl we can enter values or esle If check box is not selected then p_btrtl will be grayed out, ( I.e. SCREEN-INPUT = 0)
This is simple from ABAP without LDB. But with LDB can we achieve?????????????
Satish
Edited by: Satish Vasireddy on Jun 23, 2010 4:05 PMyou can use the following logic for the additional selection validation. I have done by using PNP LDB. Ex : I have done for one of the field in IT0377.
SELECT-OPTIONS: s_bplan FOR p0377-bplan.
*& Form check_selection_0377
This subroutine is used to check the selection screen
FORM check_selection_0377.
LOOP AT p0377 WHERE pltyp IN s_bplan
AND levl1 IN s_lti
AND begda LE pn-endda
AND endda GE pn-begda.
CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
EXPORTING
tclas = 'A'
pernr = pernr-pernr
infty = p0377-infty
subty = p0377-subty
begda = pn-begda
endda = pn-endda
level = 'R'
EXCEPTIONS
no_authorization = 1
internal_error = 2
OTHERS = 3.
IF NOT sy-subrc IS INITIAL.
DELETE p0377.
ENDIF.
ENDLOOP.
selection not found and no value selected
IF sy-subrc NE 0.
READ TABLE s_bplan.
IF sy-subrc EQ 0.
REJECT.
ENDIF.
READ TABLE s_lti.
IF sy-subrc EQ 0.
REJECT.
ENDIF.
ENDIF.
ENDFORM. " check_selection_0377
Regards,
Preetham -
HR PNP LDB and authority check
Hello All,
Can someone plzz tell me if there is any major difference between CODE1 and CODE2 below? I understand if we use LDB we dont need to do authority check but is there is any exceptional case where we do this kind of codeing...
CODE1:
Start-of-selection
GET pernr.
CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
EXPORTING
tclas = w_tclas
pernr = pernr-pernr
infty = '0001'
subty = space
begda = pn-begda
endda = pn-endda
level = w_level
EXCEPTIONS
no_authorization = 1
internal_error = 2
OTHERS = 3.
if not sy-subrc is initial.
reject.
endif.
PERFORM list_data.
END-OF-SELECTION.
CODE2:
Start-of-selection
GET pernr.
PERFORM list_data.
END-OF-SELECTION.
Thanks in advance...
-MuktarHi Muktar,
In my opinion, certain infotypes hold certain level of access by different user who is using that report to view HR information. Particularly sensitive infotype like 0008 (basic pay) and other pay involving infotypes can be use to check for authority before it is display or modify by users. So HR_CHECK_AUTHORITY_INFTY is used.
Get PERNR does not validate the authority because PERNR itself is just a structure that contains a few PA Keys and several of other infotype structure that doesn't tell the authority to read by any specific users. Get PERNR contains the PROVIDE macro and in it does not do any authorization, if i am not mistaken.
This is my understanding. I hope my explanation is correct and have help you in a way.
Thanks
William Wilstroth -
Use HR_READ_INFOTYPE or select (for all entries)
Hi
As I have understood the difference between FM HR_READ_INFOTYPE and a select directly from PA0001 (as example) is that the FM take the authorization into account. (please correct me if I am wrong).
My problem is that I need to select from the infotype for a lot of pernr, so I would use this statement:
SELECT * FROM pa0001 INTO CORRESPONDING FIELDS OF TABLE wt_pa0001
FOR ALL ENTRIES IN wt_pernr
WHERE pernr = wt_pernr-pernr
AND begda LE pn-endda
AND endda GE pn-begda.
but then I don't get the authorization check.
For the FM HR_READ_INFOTYPE I can't use the "FOR ALL ENTRIES".
Can I do it in an easy way, or do need to do the select, and then use an authority check after the select from each infotype?Calling HR_READ_INFOTYPE or selecting directly from the tables may depend on how much data you are processing. If you only need to retrieve a few records, you could process the PERNR records you need in a loop and call HR_READ_INFOTYPE for each. If you're processing a larger number of records, check the authorization for the each table first and then do a SELECT for all entries. Before you read, make sure that your "FOR ALL ENTRIES" table is not empty. In order to make your code more generic, you may want to use function module HR_CHECK_AUTHORITY_INFTY to check the authorization for each infotype. This is the FM that the HR_READ_INFOTYPE function module uses.
.. Craig -
Authorization access Issue for Transaction Codes PA10 to PA40
Hi Experts,
I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
All transactions codes are working fine except PA10,PA20,PA30 &PA40
We have new installation of ECC6.0 (HR) IDES System.
I am new to HR Security.
Here anything needs to configure in HR System for accessing transaction code PA10 to PA40.
Please help me regading this.
Advance Thanks,
BBCI have checked in SM01, Transaction codes PA10 to PA40 are not locked.
We are facing two issues
1) when accessing T- Codes PA10 to PA40, System showing message: You are not authorized to use Transaction code.
Thatz the reason i suggested you to check with basis consultant. Becuas he is the power user he can only see that from his window all the autharizations
May be you checked from your user your user might have autharization. that user might be end user who getting msg might not have authorizatoins.
2) function module : HR_READ_INFOTYPE.
When Debuging this, It calls internal FM
HR_CHECK_AUTHORITY_INFTY and returns exception
no_authorization=1
See this means that that user have NO autharizatoins
Best Regards -
Authorization Check in Ad Hoc Query
Hi Experts,
When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.You need to do this in your infoset ...
You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
INITIALIZATION.
PNP_SW_SKIP_PERNR = 'N'.
It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
-Saquib
Maybe you are looking for
-
My notebook won't recognize my external hard drive
my notebook won't recognize my external hard drive. I can safely remove it, but when i look for it on my computer its not there?
-
Hi, This may have been answered previously but couldn't find answer. Am using RH7 WebHelp. I have many pages with acronyms in title and body. Searching in RoboHelp by the acronym brings no results, except for a couple of Word docs and .pdfs that have
-
DME - Multiple Vendors in single DME file not appearing
Hi there, I have created a DME structure and created PMW format , as required by bank, to generate DME text file. When i run the APP (F110) for single vendor ,, one DME text file is generating correctly, Now problem is when i run F110 for multip
-
Problem in selection screen because of GEN_SELECTION_SCREEN_ERROR error
Hi Experts, I have one strange problom in selection screen. here is my code..for selection screen. Report Z_TEST_BEGINOF_ENDOF. SELECTION-SCREEN: BEGIN OF BLOCK B1 WITH FRAME TITLE TEXT-001. SELECTION-SCREEN: BEGIN OF LINE. SELECTION-SCREEN: COMMENT
-
Okay - I am new to PLSQL & stored procedures. This will be something that I shall be learning. I am not new to SQL, however. And so: as a sql command I am able to execute a command to get data from our production database and 'migrate' the data to a