Incorrect authorization object is checked in SU53. SU53 checks the wrong BP

Hi all,
I am setting up a new user and a new role in CRM 4.0.
When coming to BP maintenance I get some frustrating errors.
I have created a role with BP and SU53 transaction codes assigned.
I have given the authorization to two BP roles:
- 000000 (BP General) Activity: Display
- ZCRM41 (Potential customer) Activity: Display and Edit.
I can display the BP role '000000' but when trying to change to BP role 'ZCRM41' I get No authorization.
SU53 indicates that I am trying to enter another BP role than ZCRM41.
As a result no authorization is given. If I add the BP role the SU53 indicates and retry SU53 another BP role is checked and so on...
Anyone who knows what is wrong?
Points will be rewarded!
Thanks,
//anders

Hello Anders,
Thanks for providing me the details. Now I am clear about the problem.
This is sort of puzzling to me. Such a behavior should not happen. It can happen only:
a) In SU53, are you seeing the role 'ZCRM41' and customer role as an additional check? If this is the case, there might be some dependency assigned like role groupings (check in SPRO under business partner if these two roles form a role) or if there is any functional dependency.
b) Also make sure that you have assigned and generated the right profile for the role. Sometimes in a hurry we might forget to cross-check this.
c) For business partners, the role authority check is done inside function module BUP_BUPA_EVENT_AUTH1. We need to debug here to find cause for this problem.
Hope this helps.
Regards, Sudheer.

Similar Messages

  • I checked the wrong box for a website I use frequently and now receive the message "Access to xpcom is denied. Set "signed.applets.codebase_principal_support=true" in about:config"; how can I change this?

    I am tech challenged. I know this is probably a setting that just needs to be changed but I have idea on how or where to go to change it. It appears to be a security setting - I checked the wrong box on a firefox popup regarding access. The site is grammarly.com and when I attempt to paste my copy to be grammar checked it won't allow me to do so, and I get the above quoted message. Please help!

    You can check the file prefs.js in the profile folder to see if you find any lines referring to that website and remove those capability.principal.codebase lines.
    *http://kb.mozillazine.org/prefs.js_file
    *http://kb.mozillazine.org/Profile_folder_-_Firefox
    Help > Troubleshooting Information > Profile Directory: Open Containing Folder

  • Custom authorization object and check logic

    Hi gurus,
    We need to apply an additional authorization check in our custom reports.
    So I created custom fields and an object, and put the statement
          AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
                   ID 'ZROLEID' FIELD '03'
                   ID 'ZSOBID'  FIELD zzdwbm.
    in an ABAP class method centrally, so it could be called by many reports.
    But the test shows that sy-subrc is always set to 0, even for users without any authorization.
    What did I miss when adding the custom auth check?
    For this case, do I need to maintain the authorization check indicator in SU24?
    What I am confused about is that in SU24 you have to maintain a transaction, but our authorization check is not for a transaction but for reports and a BSP application. How should I maintain SU24 for that?
    thanks and best regards.
    Jun

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction  the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've also run the report RPUACG00, which is mentioned in this thread.
    We also coded the authority check in both user exits ZXPADU01 and ZXPADU02 for PA infotype operations.
    I believe I'll have to write some ABAP code, e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell me which user exit or field exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is always checked,
    but still it is taking the P_ORGIN object.

  • Authorization Object - Availability Check in Sales Order

    Hi,
    Restriction is required for availability check  (i.e. button 'check item availability') in sales order for a given user.
    Is there authorization object to control the same ?
    Regards,
    RS

    Hello RS,
    Availability check is controlled by FM AVAILABILITY_CHECK_CONTROLLER and there is no authority check in it. As per the previous reply you can add additional checks in user exit EXIT_SAPLATPC_001, which is called before an ATP is run.
    Thanks
    Amber

  • Authorization Object Related To Movement Type

    Hi,
    I have a problem: a user wants to check which users can use t-code MB1A with movement types 201 and 202. I know there are authorization objects related to movement type, and I want to use SUIM with the MB1A t-code and the authorization object to find the users, but I don't know the authorization object for movement type in MB1A. Can anyone help?

    Go to SU24, enter the transaction code and press execute.
    Here you can see all the authorization objects that are used for the transaction code MB1C.
    Regards
    Dev

  • How to add authorization field to a standard authorization object

    Hi All,
    I'm trying to limit a user so that they can only create and change order type X in the PM module. This can be fulfilled by creating a user with an assigned role that only allows order type X.
    But when I assigned a display role which has authorization to display all order types (maintained as authorization object), my user can now create and change all order types.
    How can I limit the user to only create and change order type X and only display the rest of the order types?
    I assume adding the authorization field AUFART (order type) to authorization object I_TCODE will solve the problem. Is that right, and is it possible to do that?
    regards,
    Andre

    Hi,
    your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
    The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run those transactions. That object can't be used to limit what you do in a transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24, which shows you which authorization objects are checked in a particular transaction. It does not have to cover all objects but it's a good starting point.
    Cheers

  • How to use authorization object P_PERNR ?

    Hi, Gurus~
    In our system, there is a user whose User ID is "00041", and she can modify her own 0008. We want to control it so that she can only display her own 0008, but process 0008 for all other employees.
    So, I use the authorization object P_PERNR to do this. I set the field values like this (totally copied from the SAP help for P_PERNR....):
    Authorization level:  W,S,D,E
    Infotype: 0008
    Interpretation of assignment personnel number: E
    Subtype: *
    And then, I maintain her master data 0105's subtype 0001 (system user name) as 00041.
    I think she shouldn't be able to maintain her own 0008 now, but she still can maintain it.
    I want to know why and how to solve it. Did I do it in the right way?
    Thank you in advance!

    P_PERNR   HR: Master Data - Personnel Number Check
    You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
    The following values are possible for the PSIGN field:
    I   =          Authorization for personnel number assigned, that is for own personnel number
    E  =          Authorization for all personnel numbers excluding own personnel number
    You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
    This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
    Example of Personnel Number Check P_PERNR
    The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
    The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
    First authorization:  AUTHC = R, M; PSIGN = I; INFTY = *; SUBTY = *
    Second authorization: AUTHC = W, S, D, E; PSIGN = E; INFTY = 0008; SUBTY = *
    In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
    The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
    As the following examples illustrate, inconsistent authorizations can be granted.
    Example 1:
    First authorization:  AUTHC = *; PSIGN = I; INFTY = 0014; SUBTY = M*
    Second authorization: AUTHC = W, S, D, E; PSIGN = E; INFTY = 0014; SUBTY = *
    The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
    The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
    The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
    Example 2:
    AUTHC = *
    PSIGN = *
    INFTY = *
    SUBTY = *
    This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
    As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
    Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
    If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
    P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.

  • Regarding Authorization object

    Hi All,
      I would like to know the step by step creation of authorization object...
      I am able to create the authorization class and objects using SU21 for ztable fields..
      And I am not getting how to use this in an ABAP program.
      I know using Authority-check we can do this...
      Here I am not understanding for whom we are checking the authorization..and how...
      And also is this necessary to create a role in pfcg and assign it to user...
      if so what is the necessary to create a role...
      and what is the link between SU21 and pfcg...
      how this is affecting...
      can any one help me...out of this...
    thanks and regards
      raghu

    Hai Phani
    Go through this
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    go through report
    TABLES: TOBJT.
    DATA: OBJECT1 LIKE USR12-OBJCT,
    OBJECT2 LIKE USR12-OBJCT,
    OBJECT3 LIKE USR12-OBJCT,
    AUTH1 LIKE USR12-AUTH,
    AUTH2 LIKE USR12-AUTH,
    AUTH3 LIKE USR12-AUTH,
    IND LIKE SY-INDEX,
    FLAG TYPE I.
    DATA: BEGIN OF INTTAB OCCURS 30,
    OBJECT LIKE USR12-OBJCT,
    AUTH LIKE USR12-AUTH,
    END OF INTTAB.
    DATA: BEGIN OF INTTAB2 OCCURS 30,
    OBJECT LIKE USR12-OBJCT,
    AUTH LIKE USR12-AUTH,
    EXPL LIKE TOBJT-TTEXT,
    END OF INTTAB2.
    DATA: BEGIN OF TABSET OCCURS 30,
    SFIELD LIKE TOBJ-FIEL1,
    VON(18),
    BIS(18),
    END OF TABSET.
    *read the authorizations from the user buffer
    CALL 'ANALYSE_USERBUFFER'
    ID 'AUTHS' FIELD INTTAB-*SYS*.
    *filter out the multiple authorizations of the same object
    SORT INTTAB BY OBJECT.
    DO.
    IF SY-INDEX = 1.
    OBJECT1 = ''. AUTH1 = ''.
    READ TABLE INTTAB INDEX 1.
    OBJECT2 = INTTAB-OBJECT .AUTH2 = INTTAB-AUTH.
    READ TABLE INTTAB INDEX 2.
    OBJECT3 = INTTAB-OBJECT.AUTH3 = INTTAB-AUTH.
    ELSE.
    OBJECT1 = OBJECT2. AUTH1 = AUTH2.
    READ TABLE INTTAB INDEX SY-INDEX.
    OBJECT2 = INTTAB-OBJECT .AUTH2 = INTTAB-AUTH.
    IND = SY-INDEX + 1.
    READ TABLE INTTAB INDEX IND.
    IF SY-SUBRC = 0.
    OBJECT3 = INTTAB-OBJECT.AUTH3 = INTTAB-AUTH.
    ELSE.
    OBJECT3 = ''. AUTH3 = ''.
    IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
    INTTAB2-OBJECT = OBJECT2.
    INTTAB2-AUTH = AUTH2.
    SELECT SINGLE * FROM TOBJT
    WHERE LANGU = SY-LANGU
    AND OBJECT = OBJECT2.
    INTTAB2-EXPL = TOBJT-TTEXT.
    APPEND INTTAB2.
    ENDIF.
    EXIT.
    ENDIF.
    ENDIF.
    IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
    INTTAB2-OBJECT = OBJECT2.
    INTTAB2-AUTH = AUTH2.
    SELECT SINGLE * FROM TOBJT
    WHERE LANGU = SY-LANGU
    AND OBJECT = OBJECT2.
    INTTAB2-EXPL = TOBJT-TTEXT.
    APPEND INTTAB2.
    ENDIF.
    ENDDO.
    SORT INTTAB2 BY OBJECT AUTH.
    *display the authorization and description, the objects, fields and
    *field values
    FLAG = 0. OBJECT1 = ''.
    LOOP AT INTTAB2.
    IF OBJECT1 = INTTAB2-OBJECT.
    WRITE: / INTTAB2-AUTH COLOR 2.
    PERFORM FIELD_VALUES.
    LOOP AT TABSET.
    WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
    ENDLOOP.
    ELSE.
    SKIP.
    WRITE: / INTTAB2-OBJECT COLOR 3, INTTAB2-EXPL COLOR 3.
    PERFORM FIELD_VALUES.
    WRITE: / INTTAB2-AUTH COLOR 2.
    LOOP AT TABSET.
    WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
    ENDLOOP.
    ENDIF.
    OBJECT1 = INTTAB2-OBJECT.
    ENDLOOP.
    * FORM FIELD_VALUES
    * retrieve the field values of an authorization
    FORM FIELD_VALUES.
    TABLES: USR12.
    * <F> is a generic field symbol used to read slices of USR12-VALS
    FIELD-SYMBOLS <F>.
    DATA: INTFLAG TYPE I VALUE 0, OFF TYPE I, VTYP, LNG TYPE I,
    CLNG(2), GLNG(2), FLDLNG TYPE I VALUE 10, SETFILL.
    SELECT SINGLE * FROM USR12
    WHERE AUTH = INTTAB2-AUTH
    AND OBJCT = INTTAB2-OBJECT
    AND AKTPS = 'A'.
    SETFILL = 0.
    REFRESH TABSET.
    CLEAR TABSET.
    OFF = 2.
    ASSIGN USR12-VALS+OFF(1) TO <F>.
    WRITE <F> TO VTYP.
    WHILE VTYP <> ' ' AND OFF < USR12-LNG.
    OFF = OFF + 1.
    CASE VTYP.
    * 'F': field header (length and field name)
    WHEN 'F'.
    OFF = OFF + 5.
    ASSIGN USR12-VALS+OFF(2) TO <F>.
    WRITE <F> TO CLNG.
    LNG = CLNG.
    IF LNG <= 0.
    EXIT.
    ENDIF.
    OFF = OFF + 2.
    ASSIGN USR12-VALS+OFF(FLDLNG) TO <F>.
    WRITE <F> TO TABSET-SFIELD.
    OFF = OFF + FLDLNG.
    * 'E': single value
    WHEN 'E'.
    ASSIGN USR12-VALS+OFF(LNG) TO <F>.
    WRITE <F> TO TABSET-VON.
    IF TABSET-VON = SPACE.
    TABSET-VON = ''' '''.
    ENDIF.
    APPEND TABSET.
    SETFILL = SETFILL + 1.
    TABSET-VON = SPACE.
    TABSET-BIS = SPACE.
    OFF = OFF + LNG.
    * 'G': generic value (shown with a trailing *)
    WHEN 'G'.
    ASSIGN USR12-VALS+OFF(2) TO <F>.
    WRITE <F> TO CLNG.
    GLNG = CLNG.
    OFF = OFF + 2.
    ASSIGN USR12-VALS+OFF(LNG) TO <F>.
    IF INTFLAG = 0.
    WRITE <F> TO TABSET-VON.
    WRITE '*' TO TABSET-VON+GLNG.
    ELSE.
    WRITE <F> TO TABSET-BIS.
    WRITE '*' TO TABSET-BIS+GLNG.
    INTFLAG = 0.
    ENDIF.
    APPEND TABSET.
    SETFILL = SETFILL + 1.
    TABSET-VON = SPACE.
    TABSET-BIS = SPACE.
    OFF = OFF + LNG.
    * 'V': lower limit of an interval
    WHEN 'V'.
    INTFLAG = 1.
    ASSIGN USR12-VALS+OFF(LNG) TO <F>.
    WRITE <F> TO TABSET-VON.
    IF TABSET-VON = SPACE.
    TABSET-VON = ''' '''.
    ENDIF.
    OFF = OFF + LNG.
    * 'B': upper limit of an interval
    WHEN 'B'.
    INTFLAG = 0.
    ASSIGN USR12-VALS+OFF(LNG) TO <F>.
    WRITE <F> TO TABSET-BIS.
    IF TABSET-BIS = SPACE.
    TABSET-BIS = ''' '''.
    ENDIF.
    APPEND TABSET.
    SETFILL = SETFILL + 1.
    TABSET-VON = SPACE.
    TABSET-BIS = SPACE.
    OFF = OFF + LNG.
    ENDCASE.
    ASSIGN USR12-VALS+OFF(1) TO <F>.
    WRITE <F> TO VTYP.
    ENDWHILE.
    ENDFORM.
    go through this link
    http://www.thespot4sap.com/Articles/SAP_ABAP_Queries_Authorizations.asp
    also go through this Document
    AUTHORITY-CHECK OBJECT object
    ID name1 FIELD f1
    ID name2 FIELD f2
    ID name10 FIELD f10.
    Effect
    Explanation of IDs:
    object Field which contains the name of the object for which the authorization is to be checked.
    name1 ... Fields which contain the names of the name10 authorization fields defined in the object.
    f1 ... Fields which contain the values for which the f10 authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY ).
    The system checks the values for the ID s by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code SY-SUBRC = 0, the user has the required authorization and may continue.
    The return code is modified to suit the different error scenarios. The return code values have the following meaning:
    4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8 Too many parameters (fields, values). Maximum allowed is 10.
    12 Specified object not maintained in the user master record.
    16 No profile entered in the user master record.
    24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28 Incorrect structure for user master record.
    32 Incorrect structure for user master record.
    36 Incorrect structure for user master record.
    If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Note
    Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
    Example
    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
    Table OBJ : Definition of authorization object
    M_EINF_WRK
    ACTVT
    WERKS
    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
    M_EINF_WRK_BERECH1
    ACTVT 01-03
    WERKS 0001-0003 .
    can display and change plants within the Purchasing and Materials Management areas.
    Such a user would thus pass the checks
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0002'
    ID 'ACTVT' FIELD '02'.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' DUMMY
    ID 'ACTVT' FIELD '01'.
    but would fail the check
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0005'
    ID 'ACTVT' FIELD '04'.
    Thanks & regards
    Sreenivasulu P

  • Details about authorization Object

    Please help. I have two fields, e.g. sales org and distribution channel, and I have to write code for authorization. Is the authorization check which I wrote right or not?
    I know that we can use a maximum of 10 fields, but say VKORG / VTWEG is used 5 times with different variable names in the same program: how do I make sure that this code will work for the authorization check on VKORG / VTWEG? Can anybody please explain it to me in steps?
    AUTHORITY-CHECK
              OBJECT 'Z_zzlau'
              ID  'VKORG' FIELD  'S_VKORG'
              ID  'VTWEG' FIELD  'S_VTWEG'
              ID  'ACTVT' FIELD '02'
              ID  'ACTVT' FIELD '03'
              ID  'ACTVT' FIELD '70'.
    Thanks

    Hi,
    ACTVT field is used for checking the create /display / change authorizations.
    after creation of the activity group , add it to the user profiles which need authorizations.
    01-create 02-change 03-display
    AUTHORITY-CHECK
    OBJECT 'Z_zzlau'
    ID 'VKORG' FIELD 'S_VKORG'
    ID 'VTWEG' FIELD 'S_VTWEG'
    ID 'ACTVT' FIELD '02'
    ID 'ACTVT' FIELD '03'
    ID 'ACTVT' FIELD '70'.
    if you are checking authorizations with the selection screen parameters then change your code like below:(if change is required)
    AUTHORITY-CHECK
    OBJECT 'Z_ZZLAU'
    ID 'VKORG' FIELD S_VKORG
    ID 'VTWEG' FIELD S_VTWEG
    ID 'ACTVT' FIELD '02'.
    and also check SAP help on this :
    AUTHORITY-CHECK
    Basic form
    AUTHORITY-CHECK OBJECT object
        ID name1  FIELD f1
        ID name2  FIELD f2
        ID name10 FIELD f10.
    Effect
    Explanation of IDs:
    object
    Field which contains the name of the object for which the authorization is to be checked.
    name1 ...
    Fields which contain the names of the
    name10
    authorization fields defined in the object.
    f1 ...
    Fields which contain the values for which the
    f10
    authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY).
    The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
    The return code value changes according to the different error scenarios. The return code values have the following meaning:
    4
    User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8
    Too many parameters (fields, values). Maximum allowed is 10.
    12
    Specified object not maintained in the user master record.
    16
    No profile entered in the user master record.
    24
    The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28
    Incorrect structure for user master record.
    32
    Incorrect structure for user master record.
    36
    Incorrect structure for user master record.
    If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Note
    Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
    Example
    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
    Table OBJ: Definition of authorization object
    M_EINF_WRK
       ACTVT
       WERKS
    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
    M_EINF_WRK_BERECH1
       ACTVT 01-03
       WERKS 0001-0003 .
    can display and change plants within the Purchasing and Materials Management areas.
    Such a user would thus pass the checks
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0002'
        ID 'ACTVT' FIELD '02'.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' DUMMY
        ID 'ACTVT' FIELD '01'.
    but would fail the check
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0005'
        ID 'ACTVT' FIELD '04'.
    To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
    Regards
    Appana
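An added example (not code from either poster or from SAP) of the corrected check from this thread: the selection-screen values are passed as variables rather than quoted names, each required activity gets its own AUTHORITY-CHECK, and SY-SUBRC is evaluated after every call using the return codes listed above. The report name, the parameters p_vkorg and p_vtweg, the message texts, and the assumption that object Z_ZZLAU has the fields VKORG, VTWEG and ACTVT are all illustrative.

```abap
REPORT zsales_auth_demo.

* Hypothetical single-value parameters standing in for the thread's
* S_VKORG / S_VTWEG selection fields.
PARAMETERS: p_vkorg TYPE vkorg OBLIGATORY,
            p_vtweg TYPE vtweg OBLIGATORY.

TYPES ty_actvt TYPE c LENGTH 2.

DATA: gt_actvt TYPE STANDARD TABLE OF ty_actvt,
      gv_actvt TYPE ty_actvt,
      gv_text  TYPE string,
      gv_msg   TYPE string.

AT SELECTION-SCREEN.
  " Activities this report needs: 02 = change, 03 = display.
  CLEAR gt_actvt.
  APPEND '02' TO gt_actvt.
  APPEND '03' TO gt_actvt.

  LOOP AT gt_actvt INTO gv_actvt.
    " The IDs of one statement are ANDed together, so every required
    " activity is checked with its own statement. FIELD takes the variable
    " itself: FIELD 'S_VKORG' in quotes would check the literal text.
    AUTHORITY-CHECK OBJECT 'Z_ZZLAU'
      ID 'VKORG' FIELD p_vkorg
      ID 'VTWEG' FIELD p_vtweg
      ID 'ACTVT' FIELD gv_actvt.

    " Never continue without looking at SY-SUBRC: anything but 0 is a denial.
    CASE sy-subrc.
      WHEN 0.
        CONTINUE.
      WHEN 4.
        gv_text = 'no authorization for these values'.
      WHEN 12.
        gv_text = 'object not maintained in the user master record'.
      WHEN 16.
        gv_text = 'no profile in the user master record'.
      WHEN 8 OR 24.
        " Program error: the call does not match the object definition.
        gv_text = 'check call does not match the authorization object'.
      WHEN OTHERS.
        " 28 to 36: incorrect structure for user master record.
        gv_text = 'user master record is inconsistent'.
    ENDCASE.

    CONCATENATE 'Activity' gv_actvt 'denied:' gv_text
      INTO gv_msg SEPARATED BY space.
    " Type E on the selection screen stops processing and returns the
    " user to the screen, so the report body never runs unauthorized.
    MESSAGE gv_msg TYPE 'E'.
  ENDLOOP.

START-OF-SELECTION.
  WRITE: / 'Authorized for sales org', p_vkorg,
           'and distribution channel', p_vtweg.
```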

  • Authorization Object is not working when report is modified.

    Hi BW Guru's
    We have Company Code as Authorization Object, and we have 3 company codes (xxxx, yyyy, zzzz), where the users under company code xxxx are not supposed to view the data of company codes yyyy, zzzz, etc.
    I modified an existing report and transported it to production. But the authorization object is not working for that report. By default the report displays the data of all company codes (xxxx, yyyy) for all users. For the other reports the company code check is working fine.
    What could be the problem? Is the problem in transporting the objects? But I transported all the objects including the authorization object.
    Please send me the solution as it is very urgent.
    The solution will be def. awarded with full points.
    Regards
    Sanjay

    hi Sanjay,
    please don't post the same question again, check and response back from your previous thread
    Re: Authorization Object is not working when report is Modified.
    hope this helps.
    would be nice if you reward for helpful answers to all of your previous postings, e.g
    docs related to RRI

  • Authorization object for plant on selection-screen

    Hi All,
    I need to check the authorization object for plant on the selection screen. The plant is a select-options field.
    I have written the code
    * Declaration of local constants.
      CONSTANTS : lc_i(1)  TYPE c VALUE 'I',
                  lc_eq(2) TYPE c VALUE 'EQ'.
      REFRESH : r_werks.
      LOOP AT s_werks.
        IF s_werks-low IS NOT INITIAL.
          AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has authorization for the plant.
                               ID 'ACTVT' FIELD '03'
                               ID 'WERKS' FIELD s_werks-low.
          IF sy-subrc NE 0.
            r_werks-sign   = lc_i.
            r_werks-option = lc_eq.
            r_werks-low    = s_werks-low.
            APPEND r_werks.
          ENDIF.
        ENDIF.
      ENDLOOP.
      LOOP AT s_werks.
        IF s_werks-high IS NOT INITIAL.
          AUTHORITY-CHECK OBJECT 'M_MATE_WRK'                "Check if the user has authorization for the plant.
                               ID 'ACTVT' FIELD '03'
                               ID 'WERKS' FIELD s_werks-high.
          IF sy-subrc NE 0.
            r_werks-sign   = lc_i.
            r_werks-option = lc_eq.
            r_werks-low    = s_werks-high.
            APPEND r_werks.
          ENDIF.
        ENDIF.
      ENDLOOP.
    My doubt is whether the authorization check will cover the plants in between 1001 and 2001. Suppose I have plants 1001, 1002, 1003, 1004, 2001. Will the above code check all the plants, or only 1001 and 2001, if I specify them in the select-options?
    Regards,
    raj

    Hi Raj
    First no need to LOOP AT s_werks and check s_werks-high as it will always be present only once in the table s_werks.
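    Do this:
    DATA: li_werks TYPE STANDARD TABLE OF t001w-werks,
          lv_werks TYPE t001w-werks.
    SELECT werks FROM t001w INTO TABLE li_werks
      WHERE werks IN s_werks.
    LOOP AT li_werks INTO lv_werks.
      " Check your authority thing here and fill the range
    ENDLOOP.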
    Pushpraj
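
The approach suggested in the reply above, written out as an added example (not code from either poster): the selection is resolved to concrete plants through T001W, each plant is checked against M_MATE_WRK, and a range of permitted plants is built for later selects. The report name and the `lt_allowed`, `ls_allowed` and `lv_denied` names are assumptions.

```abap
REPORT zplant_auth_demo.            " hypothetical report name

TABLES t001w.

SELECT-OPTIONS s_werks FOR t001w-werks.

DATA: lt_werks   TYPE STANDARD TABLE OF t001w-werks,
      lv_werks   TYPE t001w-werks,
      lt_allowed TYPE RANGE OF t001w-werks,   " plants the user may display
      ls_allowed LIKE LINE OF lt_allowed,
      lv_denied  TYPE i.

START-OF-SELECTION.

  " Resolve the selection to concrete plants. This covers intervals,
  " patterns and exclusions, not only the LOW and HIGH values entered.
  SELECT werks FROM t001w INTO TABLE lt_werks
    WHERE werks IN s_werks.

  LOOP AT lt_werks INTO lv_werks.
    AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
             ID 'ACTVT' FIELD '03'
             ID 'WERKS' FIELD lv_werks.
    IF sy-subrc = 0.
      ls_allowed-sign   = 'I'.
      ls_allowed-option = 'EQ'.
      ls_allowed-low    = lv_werks.
      APPEND ls_allowed TO lt_allowed.
    ELSE.
      lv_denied = lv_denied + 1.
    ENDIF.
  ENDLOOP.

  " An empty range matches every value in WHERE ... IN, so stop here
  " rather than let an empty lt_allowed open up all plants.
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorization for any selected plant' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  IF lv_denied > 0.
    MESSAGE 'Some selected plants were skipped: no authorization' TYPE 'S'.
  ENDIF.

  " Later selects must filter with lt_allowed instead of s_werks, e.g.
  "   ... WHERE werks IN lt_allowed.
```

With plants 1001, 1002, 1003, 1004 and 2001 selected as an interval, every plant returned by T001W is checked individually, so a plant in the middle of the interval that the user is not authorized for never reaches `lt_allowed`.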

  • Authorization objects in web dynpro ABAP and SU24 transaction

    Hi,
    I have created a new authorization object to check a storage location for certain activities. I have added the authorization object in a specific web dynpro ABAP and I have created a new role in PFCG for my web dynpro ABAP.
    The organization level for storage location is not recognized in PFCG. Someone told me I have to maintain my authorization object in SU24 as it is done for transaction.
    I wanted to maintain my web dynpro in SU24 but I found no way to do that.
    It seems that we can maintain authorization for TADIR service and in those services there is R3TR WDYA but when I use the search help for OBJ_NAME I don't find my web dynpro ABAP. I suppose I have to create a TADIR service for my web dynpro ABAP or something like that but I don't know how to do it.
    Does anybody know how to deal with specific authorization in web dynpro ABAP and to have the organizational level recognized in PFCG?
    Thanks for your help,
    Emmanuel

    Hi,
    Please RUN the function module as "AUTH_TRACE_WRITE_USOBHASH" with following parameter
    R3TR
    "custom webdynpro application"
    SERVICE TYPE and Service can be kept blank
    After this, try SU24; it will be available in the SU24 list.
    Thanks & regards

  • Authorization object impact

    Hi,
    I have got an infocube (IC) and a multicube based on IC (MC).
    The authorization objects for IC and MC are A & B.
    A report on MC has got B as authorization object.
    Now does the object 'A' have any impact on the report?
    As of now it is saying inadequate authorization, even if authorization for B is given.
    Please clarify,
    Thanks in Advance,
    Naveen.A

    hi Naveen,
    object A won't have an impact on the report if in RSSM you didn't mark multicube/multiprovider MC. check RSSM again for object A to see if MC is marked. (by default the system will mark a newly created reporting authorization object for the relevant infoproviders).
    furthermore, what does the 'no authorization' message say? does it say no authorization for A?
    you can try with transaction RSRT.
    and set a trace with RSRTRACE to find what exactly the authorization problem is.
    hope this helps.

  • Authorization object - dump on field type due to character

    Hi all,
    I have created an authorization object:
    AUTHORITY-CHECK OBJECT 'YINF_BYTE'
                            ID 'Y_BYTE_CON' FIELD lv_byte_count.
    While creating the authorization field ('Y_BYTE_CON'), the data type I defined is ABAP_MSIZE. Similarly, the type of the variable ('LV_BYTE_COUNT') I am passing to the authorization object
    is of the same type (i.e., ABAP_MSIZE).
    I am getting a syntax error 'LV_BYTE_COUNT must be a Character type field'. Please help me out in resolving this.
    Thanks in advance,
    Ram
    Edited by: Julius Bussche on Feb 20, 2009 9:19 AM
    Please use meaningful subject titles

    Hi Chinmaya,
    Which data type do I need to go with, ABAPTYPE? Is it the variable I am passing to the authorization object or the authorization field that I need to change to ABAPTYPE?
    Please advise me.
    Thanks,
    Ram

  • Cannot modify an authorization object in pfcg role for a business role

    Hi Experts,
    I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL, let's say by the names zagent and zmanager. My requirement is actually to map these two pfcg roles to a service professional agent and a service professional manager custom business role respectively (I have created these custom business roles from the standard business role servicepro). I have identified an authorization object by the name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to deactivate or deselect this particular authorization object so that the agent will not be able to create a service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting the 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow. Am I doing anything wrong?
    Please help me.
    Thanks
    Ajith C

    Hi Leon,
    Thanks for helping me. I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in the code. The pfcg configuration, I am skipping it for now. I have one more requirement. When one clicks on any item in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using the do_output_preparation method for some business roles. However, I want to disable this after checking a condition. The condition is that the edit button should be active only if that service order was created by the employee who is currently logged on. I am relatively new to CRM and I could not figure out how I can check it during run time. Could anyone please help me with this?
    Thanks,
    Ajith

Maybe you are looking for