HR_CHECK_AUTHORITY_INFTY

Hi all!
I would like know what all Authority Checks does the Function Module HR_CHECK_AUTHORITY_INFTY perform and Is this Function Module alone sufficient to replace for the Complete Authorization Check performed by the LDB?
Thanks,
Pravs

Hi,
Here is the information.
Authorization checks are not supported by the SELECT statement and must be executed at the program level.
In this case, you must use the function module HR_CHECK_AUTHORITY_INFTY to check whether the user has the required authorization for data and persons.
If the infotype does not have any subtypes, you can use the value SPACE with the parameter SUBTY.
SAP recommends that you use logical database PNP because it runs authorization checks automatically.
If you use SQL commands,you must run the authorisation check using this FM.

Similar Messages

  • Calling HR_CHECK_AUTHORITY_INFTY with a specific UNAME

    Hi all,
    i'm realy confused about this.
    when a login with the user HCMTEST40 and go to PA20 and enter PERNR 00000620, i can access Infotype 0001 of the PERNR 00000620.
    I'm am trying to make a report, which checks if the user HCMTEST40 has access to Infotype 0001 of PERNR 00000620 by calling the following FM HR_CHECK_AUTHORITY_INFTY, which is by the way called with the same paramters from PA20.
         106       CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
                                                            107         EXPORTING
                                                            108           pernr            = lv_persno
                                                            109           infty            = lv_infty
                                                            110           subty            = lv_subty
                                                            111           begda            = lv_begda
                                                            112           endda            = lv_endda
                                                            113           level            = lv_level
                                                            114           uname            = lv_uname (HCMTEST40)
                                                            115         EXCEPTIONS
                                                            116           no_authorization = 1
                                                            117           internal_error   = 2
                                                            118           OTHERS           = 3.
    if i login with my own User (not HCMTEST40) an start the new report, i get a not_authroized-Error....
    what's wrong here?
    i appriciate any help.
    thanks
    Pourang

    Hi Dilek,
    actually i want to check differnt combination (R, M, etc.) and Infotypes (0001, 0002 , etc) for a lot of users every day with the FM HR_CHECK_AUTHORITY_INFTY with a given uname, to figure out, if specific user have proper authorizations.
    i don't check if some one has the TCODE-Authorization PA20...
    the problem is, that the FM returns another result, when i call it with the same paramters and values as it is called when the user starts PA20.
    how ist this possible?
    thanks.

  • FM HR_CHECK_AUTHORITY_INFTY is failing

    Hi,
    I am logging in to ESS portal with two different IDs, which has same roles. For one ID it is returning the value as no_authorization
    whereas for the other ID, it is returning the value as Authorised.. Both the IDS have the same roles and profiles. Please let me know how to solve it..

    Hi,
    Is the second id created by copying first id

  • HR_CHECK_AUTHORITY_INFTY and queries

    Hi,
    Wanna know if this can check for PD infotype authorisation as well other than PA infotypes?
    such as hrp1000 etc.
    Currently did not work for me..
    Does anyone got any FM to check this? For HRP infotype...
    thanks a million,
    lihui

    Hi,
    By the way may i know when using RH_PM_AUTH_CHECK,
    i need to check for the user that runs the report such as sy-uname is user1234, how do i pass this value to this fm to check if this user has authorisation to read hrp1000 values?
    which parameters shld i use?
    Thanks and Regards,
    lihui

  • How To Create ABAP Code For HR Context Sensitive Structural Authorization

    Hello,
    We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
    Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
    Thank you in advance for all your assistance,
    Ken Bowers

    Hello Ken
    You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
    Regards
    Ranganath

  • How to can we do selection-screen modification for LDB?

    Hi All,
    I have custom field in my selection-screen of LDB PNP.
    Can you people please let me know how can I put the selection-screen modificaiton For ex:
    i have created
    parameters a as checbox.
    select-options: p_btrtl for p0001-btrtl no-intervals.
    now If the check box is selected then p_btrtl we can enter values or esle If check box is not selected then p_btrtl will be grayed out, ( I.e. SCREEN-INPUT = 0)
    This is simple from ABAP without LDB. But with LDB can we achieve?????????????
    Satish
    Edited by: Satish Vasireddy on Jun 23, 2010 4:05 PM

    you can use the following logic for the additional selection validation. I have done by using PNP LDB. Ex : I have done for one of the field in IT0377.
    SELECT-OPTIONS: s_bplan FOR p0377-bplan.
    *&      Form  check_selection_0377
      This subroutine is used to check the selection screen
    FORM check_selection_0377.
      LOOP AT p0377 WHERE pltyp  IN s_bplan
                     AND levl1 IN s_lti
                     AND   begda LE pn-endda
                     AND   endda GE pn-begda.
        CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
          EXPORTING
            tclas            = 'A'
            pernr            = pernr-pernr
            infty            = p0377-infty
            subty            = p0377-subty
            begda            = pn-begda
            endda            = pn-endda
            level            = 'R'
          EXCEPTIONS
            no_authorization = 1
            internal_error   = 2
            OTHERS           = 3.
        IF NOT sy-subrc IS INITIAL.
          DELETE p0377.
        ENDIF.
      ENDLOOP.
    selection not found and no value selected
      IF sy-subrc NE 0.
        READ TABLE s_bplan.
        IF sy-subrc EQ 0.
          REJECT.
        ENDIF.
        READ TABLE s_lti.
        IF sy-subrc EQ 0.
          REJECT.
        ENDIF.
      ENDIF.
    ENDFORM.                    " check_selection_0377
    Regards,
    Preetham

  • HR PNP LDB and authority check

    Hello All,
                  Can someone plzz tell me if there is any major difference between CODE1 and CODE2 below? I understand if we use LDB we dont need to do authority check but is there is any exceptional case where we do this kind of codeing...
    CODE1:
    Start-of-selection
    GET pernr.
      CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
            EXPORTING
                 tclas            = w_tclas
                 pernr            = pernr-pernr
                 infty            = '0001'
                 subty            = space
                 begda            = pn-begda
                 endda            = pn-endda
                 level            = w_level
            EXCEPTIONS
                 no_authorization = 1
                 internal_error   = 2
                 OTHERS           = 3.
      if not sy-subrc is initial.
        reject.
      endif.
      PERFORM list_data.
    END-OF-SELECTION.
    CODE2:
    Start-of-selection
    GET pernr.
      PERFORM list_data.
    END-OF-SELECTION.
    Thanks in advance...
    -Muktar

    Hi Muktar,
    In my opinion, certain infotypes hold certain level of access by different user who is using that report to view HR information. Particularly sensitive infotype like 0008 (basic pay) and other pay involving infotypes can be use to check for authority before it is display or modify by users. So HR_CHECK_AUTHORITY_INFTY is used.
    Get PERNR does not validate the authority because PERNR itself is just a structure that contains a few PA Keys and several of other infotype structure that doesn't tell the authority to read by any specific users. Get PERNR contains the PROVIDE macro and in it does not do any authorization, if i am not mistaken.
    This is my understanding. I hope my explanation is correct and have help you in a way.
    Thanks
    William Wilstroth

  • Use HR_READ_INFOTYPE or select (for all entries)

    Hi
    As I have understood the difference between FM HR_READ_INFOTYPE and a select directly from PA0001 (as example) is that the FM take the authorization into account. (please correct me if I am wrong).
    My problem is that I need to select from the infotype for a lot of pernr, so I would use this statement:
        SELECT * FROM pa0001 INTO CORRESPONDING FIELDS OF TABLE wt_pa0001
          FOR ALL ENTRIES IN wt_pernr
             WHERE pernr = wt_pernr-pernr
              AND begda LE pn-endda
              AND endda GE pn-begda.
    but then I don't get the authorization check.
    For the FM HR_READ_INFOTYPE I can't use the "FOR ALL ENTRIES".
    Can I do it in an easy way, or do need to do the select, and then use an authority check after the select from each infotype?

    Calling HR_READ_INFOTYPE or selecting directly from the tables may depend on how much data you are processing.  If you only need to retrieve a few records, you could process the PERNR records you need in a loop and call HR_READ_INFOTYPE for each.  If you're processing a larger number of records, check the authorization for the each table first and then do a SELECT for all entries.  Before you read, make sure that your "FOR ALL ENTRIES" table is not empty.  In order to make your code more generic, you may want to use function module HR_CHECK_AUTHORITY_INFTY to check the authorization for each infotype.  This is the FM that the HR_READ_INFOTYPE function module uses.
    .. Craig

  • Authorization access Issue for Transaction Codes PA10 to PA40

    Hi Experts,
    I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
    All transactions codes are working fine except PA10,PA20,PA30 &PA40
    We have new installation of ECC6.0 (HR) IDES System.
    I am new to HR Security.
    Here anything needs to configure in HR System for accessing transaction code PA10 to PA40.
    Please help me regading this.
    Advance Thanks,
    BBC

    I have checked in SM01, Transaction codes PA10 to PA40 are not locked.
    We are facing two issues
    1) when accessing T- Codes PA10 to PA40, System showing message: You are not authorized to use Transaction code.
    Thatz the reason i suggested you to check with basis consultant. Becuas he is the power user he can only see that from his window all the autharizations
    May be you checked from your user your user might have autharization. that user  might be end user who getting msg might not have authorizatoins.
    2) function module : HR_READ_INFOTYPE.
    When Debuging this, It calls internal FM
    HR_CHECK_AUTHORITY_INFTY and returns exception
    no_authorization=1
    See this means that that user have NO autharizatoins
    Best Regards

  • Authorization Check in Ad Hoc Query

    Hi Experts,
    When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
    This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.

    You need to do this in your infoset ...
    You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
    You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
    INITIALIZATION.
    PNP_SW_SKIP_PERNR = 'N'.
    It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
    The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
    Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
    -Saquib

Maybe you are looking for

  • My notebook won't recognize my external hard drive

    my notebook won't recognize my external hard drive.  I can safely remove it, but when i look for it on my computer its not there?

  • Searching for Acronyms

    Hi, This may have been answered previously but couldn't find answer. Am using RH7 WebHelp. I have many pages with acronyms in title and body. Searching in RoboHelp by the acronym brings no results, except for a couple of Word docs and .pdfs that have

  • DME - Multiple Vendors in single DME file not appearing

    Hi there, I have created a DME structure  and created PMW format , as required by bank, to generate DME text file. When i run the APP (F110) for single vendor ,,  one DME text file is generating correctly, Now problem is when i run F110 for    multip

  • Problem in selection screen because of GEN_SELECTION_SCREEN_ERROR  error

    Hi Experts, I have one strange problom in selection screen. here is my code..for selection screen. Report Z_TEST_BEGINOF_ENDOF. SELECTION-SCREEN: BEGIN OF BLOCK B1 WITH FRAME TITLE TEXT-001. SELECTION-SCREEN: BEGIN OF LINE. SELECTION-SCREEN: COMMENT

  • Writing a Stored Procedure

    Okay - I am new to PLSQL & stored procedures. This will be something that I shall be learning. I am not new to SQL, however. And so: as a sql command I am able to execute a command to get data from our production database and 'migrate' the data to a