Include an authorization check in program

Similar Messages

• Authorization check - Lvel: Program/Tcode - report/SM30/odr

  How do we identify if an authority check should be given
  1) at the Program(Report) level or
  2) at the T-code level itself?
  Is there any other level we can do it?
  For SM30s / tablemaintenances, how do we do it?
  Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
  say - usergrp1 - plant1
  usergrp2- plant 2
  etc.
  How do we design this scenario?
  How is authorization for report and others different?
  Do we need to include S_TABU_CLI authorization object? what is its use?

  > For SM30s / tablemaintenances, how do we do it?
  >
  > Suppose we have a  T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check -  in the Tcode?
  > say - usergrp1 - plant1
  > usergrp2- plant 2
  > .
  > .
  > etc.
  > How do we design this scenario?
  This can only be achieved with a bespoke program in which authority-check statements are programmed at the right point. SM30 will not allow such granularity.
  > Do we need to include S_TABU_CLI authorization object? what is its use?
  This object is used to shield cross-client tables. Not needed here.

• Table showing authorization checks for programs

  Can anyone tell me which table shows the list of all programs and the authorizations they are currently checking?  Thanks for your  help.

  link:[http://www.tamboly.com/SAPSecurityTable.html]

• Command For Authorization Check

  Hii...Dudes...
  Can Any one tell me..What are the Commands and Procedure to do Authorization Check for Programs..
  Any documentation could be help ful...
  Tell me How to create ....an Z Object and tell me procedure too...
  points will be rewarded .........
  Regards,
  sg.....
  Edited by: Suneel Kumar Gopisetty on May 17, 2008 12:10 PM
  Edited by: Suneel Kumar Gopisetty on May 17, 2008 12:21 PM

  hi,
  go to this link it will be useful.
  http://help.sap.com/saphelp_nw04/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  authority-check object 'S_TCODE'
                  id     'TCD'
                  field  'SM35'.
  if sy-subrc ne 0.
    User does not have authority for transaction SM35!!!
  endif.
  Do you want for the Creation of Zoject means using oops concept.

• Authorization Checks in Z programs

  Dear Experts,
  Fist of all, thanks for your time. We're being asked to review each Functional Specification in the company to suggest to the developement team the standard objects that should be included in the code in order to restrict the access within each developement. My understanding was that, as an standard practice, developers only use bapis, standard functions or call transactions in their code, for which we should be covered, as SAP includes standard object checks in them (so when using a bapi associated to VA01, the objects in the code for VA01 are being checked). The exception for this are reports, for which we have a Z object with most of the Organizational Values like Company Code, Plant, etc to allow restrictions to take place (and developers are supposed to include this check in this code).
  My first question is: is it true that bapis, standard functions and call transactions use the regular standard objects when being executed?.
  If this is the case, is there any point in suggesting the objects to be checked to the developers?. It looks as if this would be redundant, as SAP is making sure they're being checked when bapis, standard functions and call transactions are executed...(exception made for reports, as mentioned)
  Thanks a lot for your help!!
  Best regards,
  CMPT

  Hi,
  It is always a good idea for the Z transaction review to be performed by the Security consultant. After all it will be his responsibility later on to restrict access to the transaction. You can always ask for the functional consultant's help with understanding the use of the transaction
  In case the custom transaction has been created similar to or is an enhancement on a standard SAP transaction, then it is always a good idea to have at least the same authorization checks for the Z txn also.
  For new developments you need to ensure that the authorization checks need to be implemented based on the functionality of the txn and the data it manipulates. For eg., if you have a Z-txn to make changes to purchase orders, you need to ensure that the program checks for change activity for Purchasing Org, Purchasing Group and Plant values and any other authorization relevant data.
  The auth objects to be used depends entirely on the data and the functional module the custom program belongs to. I generally prefer to use SAP standard objects where possible. Else create new auth objects as per requirement.
  Regards,
  Sanju

• How to find which custom program uses authorization checks

  Hi all,
  I have been asked to find out which custom ABAP program in our organization is using Authorizations checks and which is not.
  Since there are thousands of custom programs I will need to automatize this process somehow.  But I am not an ABAP expert and I will need some help.
  Could any of you give me an idea of what would be the best strategy to find out if authorization objects/checks exist in a number of ABAP programs?  (would a simple text search do?).
  Many thanks,
  Aldo

  If you are looking out for Authorization related to Execution of any program, then look for entries in table TRDIR where field SECU (Authorization Group) is not blank.
  Below SAP documentation may help you:
  Authorization Group
  Authorization group to which the program is assigned.
  The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
  Execute a program
  --> Authorization object S_PROGRAM
  Edit a program (-Include) in the ABAP Workbench
  --> Authorization object S_DEVELOP
  Programs that are not assigned to an authorization group are not protected against display and execution.
  Security-related programs should, therefore, always be assigned to an authorization group.
  Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.

• Authorization check for a program/table

  Hi ,
  Can anyone help me out in
     How to do authorization check for an abap program and also a table.
     I have no idea about the authorizations.
  My requirement is that I need to do the authorization check in such a manner that only users having a certain profile
  1. should be able to execute the program
  2. View of the entries of the table.
  Thanks & Regards,
  Keerthi

  Hello Keerhi ,
  I got you wrong at first!
  If you want to have only certain users to be able to do certain operations, then you need to assign the appropriate roles to those users!
  First find the role
  second add the user in the role ( PFCG T code---> USers tab)
  Raj

• Abap programe 'AUTHORIZATION-CHECK'

  What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

  Hi,
  You can navigate to the Code this way
  1)
  SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
  "Authority-Check" this displays you whatever entries are there in the code.
  This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
  2)On the other hand if you know the program then go to
  SE38> enter the program name> Select Source Code> Press Display>
  and from there search with the string mentioned above justlike the case mentioned above...
  Hope this helps
  Regards,
  Manohar

• Find authorization check in BAPI implemented in a program

  Dear ,
  How can we find the authoruty check in a program in which a BAPI is used.If we search authority check in program click search button and find authority then only the authorization check implemented in program except BAPI is shown not in BAPI.
  Kindly send me solution ASAP.
  Regard,
  Yatendra Sharma
  Edited by: yatendra sharma on Mar 19, 2009 12:42 PM

  Hi Yatendra,
                    May be this code works out for you .It is just a dummy code.Try using Authority Check.Hope your query resolves soon.
  authority check
  PERFORM <AUTHORITY CHECK> USING <TABLE>.
  IF NO_AUTHORITY NE SPACE.
     PERFORM BAPIRETURN TABLES RETURN
                             USING  u2018VALUE1'
                                    u2018VALUE2'
                                    u2018VALUE3'
                                    VALUE4
                                    VALUE5.
      EXIT.
  ENDIF.
  Have a best day ahead.

• Does SAP direct input programs have authorization checks built-in?

  Can anyone advise if the SAP direct input programs eg. RFBIBL00, RMDATIND,      RCCLBI03,  RM60IN00,   RVINVB10 etc. have authorization checking features?
  In transaction BMV0,  there is a value for User Name.  If the user executes the direct input job from here, but uses a different User Name in the job definition in BMV0, does that mean that the authorization check is done against the User Name maintained instead?
  Kindly advise asap, thanks.

  Hi Li,
    This is what the SAP Doucmentation says about the USer name that is maintained in BMV0 transaction.
  <i><b>" User name in user master record                                                                               
  Background processing takes place under this user name. This person   
       needs to have the application-specific authorizations necessary for   
       running the direct input job (for example, all material master        
       authorizations).                                                                               
  If you do not enter a name, the job will run under the user name of the
       person scheduling it.                                                  "</b></i>
  Regards,
  Ravi

• ABAP: Modify PA infotype without authorization check

  Hello everyone,
  Short version:
  I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
  Does anybody know a solution?
  Long version:
  We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
  So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
  The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

  ECM stands for Employee Compensation management and is one of the SAP HR module.
  But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
    Employee Infotype
    Description
  0758
  Compensation Program
  0759
  Compensation Process
  0760
  Compensation Eligibility Override
  0761
  LTI Granting
  0762
  LTI Exercising
  0763
  LTI Participant Data

• Authorization check flow

  Hello Folks,
  I wonder if some one can help clearing a doubt of mine.
  The standard definition one finds on the net for Authorization check maintenance in SU24 for transactions is:
  CM = Check performed AND object added in PFCG when tcode added to the role.
  C = Check performed BUT object not added in PFCG when tcode added to the role.
  N = No check OR check will return sy-subrc = 0 even if the user does not have the authorization.
  U = Unknown. A check will may be hardcoded in the program, or maybe not.
  My take on the above definitions is:
  example object: V_VBAK_AAT
  if
  CM for  V_VBAK_AAT the object is included in the role while working with PFCG.
  As per the definition check performed on object and object added.
  Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
  If
  C check performed but object not added
  Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM? I was once told that these are objects that are most commonly used and hence from a BASIS point of view that the roll buffer will have that much less authorizations to load. But that does not ring true to me.
  If
  N - check will return value 0 thereby allowing the user through even though he does not have the authorization to do so
  Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
  For the last couple of years that i have been working on this, i have accepted this, as one would,  the bible :-)...
  But now i wonder if there will be some enlightenment....
  Regards,
  Prashant

  >
  Prashant Pasala wrote:
  >
  > Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
  no, it wouldn't. the check has to be coded.
  >
  Prashant Pasala wrote:
  > Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
  >
  because you would have many obsolete objects in your role, depending on the setup of your applications, the org-structure and several other things (mostly in configuration), whether an extension-set is active, a special IS used ...
  >
  Prashant Pasala wrote:
  > Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
  >
  here one can only guess. one scenario might be: due to a bug in a SAP standard BAPI you deactivate the check until you get a correction from SAP. you have to do this to keep up the business ...
  Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM

• Authorization check without writing password?

  Hi experts!
  I could really use a help with this issue...
  There are several statuses available for transport requests in our SManager. Those are:
  1. import of request
  2. development finished
  3. transported to test
  4. test finished
  5. approval
  6. transported to production
  Now we're facing the problem that every SOL user can set any status he wants, which is not very wise thing to do (some external programmer can easily set status 'approval for production').
  We tried to accept usage of digital signature (method: System signature) but couldn't deal with it, because it takes to much time to enter password for each and every one of the requests you want to change status... Everybody is full of administration and we want some kind of user exit that will perform authority check and inform user is he or is he not able to set the status.
  Now, I realize there is another possibility to implement digital signature using another kind of method, but don't know what to do, where should I start with my programming :)?
  I suppose I need to have some kind of Z* function module or BAPI or ABAP program to provide this?
  Please help me.... Any kind of information will be useful...
  Thanks and best regards,
  Sanja

  Hey Sanja,
  My answer to this question would differ depending on our scenario..
  Since your are working with URgent or normal corrections which are also classifed as change transaction, your best bet would be to go for use of authorizartion code..
  Detailed xplanations:
  This could be done using Authorization codes assigned to status..
  Now there is an authorization object B_USERSTAT which can be used to achieve this..
  So Follow these steps:
  1) SPRO-> SAP solution manager->scenario specific settings-> status profile-> Change Status profile for user status..
  Now here navigate to the status profile attached to your Urgent correction transaction type..
  Generally status profile is SDHFHEAD.
  If your using a Z status profile navigatte to that status profile.
  2) After this done, against each status, you will find auth Codes assgned to status
  For Status 30 ZUTE Zu testen( TO be tested) find the corresponding auth code, generally ( SDHF_02).
  Similarly for status 60 PROD Produktiv( production) find the corresponding auth code..
  3) Assign the relevant auth code to appropiatate roles by including new authorization object in that role( B_USERSTAT) so assign relevant values to that roles..
  Important:
  if you dont want to use standard auth codes, you can also create custom auth codes..
  i dont remember exact path in spro, but just search for keyword authorization codes and you will get it.
  So only users with valid auth codes can set that particular status and no other user can set it, if he/she tries the system will throw an authorization error..
  Please do reward points for usefull answers...
  Revert for any clarifications..
  Regards,
  Anand..

• Question on Search Help and Authorization Check for Sales Order Type

  Question 1:
  When I go to VA01 and click the search help, it shows only order type that are not blocked.
  However, when I have sales order type in select-options of a Z program,
  S_AUART FOR VBAK-AUART
  I click on the search help, it gives all the sales order types. How can I have a list with unblocked sales order type only?
  Question 2:
  I want to check whether a use can extract data from a sales order type (e.g. OR and RE)that he/she authorized to use.
  I have include the following in my program:
  AUTHORITY-CHECK OBJECT 'AUART'
  ID 'AUART' FIELD 'OR'.
  It always returns SY-SUBRC = 12.
  But order type 'OR' is granted to the user (he/she can create order with type OR in VA01)
  Please kindly give me some ideas, thanks.

  hi,
  ad1
  use following code:
  AT SELECTION-SCREEN ON VALUE-REQUEST FOR auart.
    PERFORM auartGet.
  FORM auartGet.
      CALL FUNCTION 'RV_HELP'
           EXPORTING
                KEY            = VKORG
                KEY2           = VTWEG
                KEY3           = SPART
                KEY4           = '0'
                NUMBER         = '008'
                FIELD_IN       = AUART
           IMPORTING
                FIELD          = AUART.
  ENDFORM.
  ad2.
  example:
     AUTHORITY-CHECK OBJECT 'V_VBAK_AAT'
           ID 'AUART' FIELD 'OR'
           ID 'ACTVT' FIELD '01'. "01-create order, 02-change, 03 display
  check sy-subrc eq 0.
  regards,darek

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan