Is it possible to bypass authority check in standard program?

Similar Messages

• Bypassing authority check in function module

  hi experts
  I have developed an abap  report on material bom explosion using function module cs_bom_explosion
  Its working fine and all data are coming ok since I HAVE THE AUTHORITY OF T CODE CS03..
  pls note all bom fn modules checks for authorization .
  However in production environment some users may not have CS03 AUTHORIZATION.
  for them this report is not displaying  any bom data.
  Now the requirement  is such that user will not have cs03 authorization,
  but will see the bom data through this report.
  so how to stop the authorization check for cs_bom_explosion in  abap report.
  regards
  pankaj

  as per my knowledge, granting the rights to those users is only the solution. Now a days the customers are wanting to add explicit authority-check too in the Z objects!! so, i dont see its good idea to bypass the check.
  thanq
  Edited by: SAP ABAPer on Mar 7, 2009 6:12 AM

• Bypass authority check when creating Ibase from BAPI

  Hi,
  We have a requirement to create/update an Ibase when saving a Service Order.  We don't want to give users authorization to update the Ibase via PFCG.
  Is there a way to bypass the standard authority check that is executed when calling CRM_ICSS_CREATE_IBASE or CRM_ICSS_CREATE_COMPONENT so that the Ibase can be updated without the user having to have the necessary athorisation object?
  Is there an alternative method to create/update the Ibase that will not check authorizations?
  regards
  Tim

  Hi,
  FM CRM_IB_AUTHORITY_CHECK gets called during IBase create.
  You can create implicit enhancement in this FM to bypass the authority check.

• Authority check in ABAP program

  Hello All
  I am having some trouble with authority object in ABAP programming
  This is the situation.
  I have a field "plant" which is a select options in the selection screen.
  I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
  How can I incorporate this logic in the report.
  This the current coding
  AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'C_ROUT'
            ID 'ACTVT' FIELD '03'
            ID 'PLNTY' FIELD 'DUMMY'
            ID 'WERKS' FIELD s_werks
            ID 'STATU' FIELD 'DUMMY'
            ID 'VERWE' FIELD 'DUMMY'.
  START-OF-SELECTION.
    SELECT amatnr  aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
                             ON amatnr = bmatnr
                              AND awerks = bwerks
                           WHERE a~matnr IN s_matnr
                                 AND a~plnnr IN s_plnnr
                            AND a~plnal IN s_plnal
                          AND a~werks IN s_werks
                         AND a~plnty IN s_plnty
                         AND b~stlnr IN s_stlnr
                           AND b~stlal IN s_stlal. "(ALT BOM)
  Thanks
  Ricky

  Hi Ricky,
  to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
  Code like this:
  DATA : BEGIN of t_werks OCCURS 0,
                werks TYPE t001w-werks,
  END OF t_werks.
  DATA : w_text(30) TYPE c.
  AT SELECTION-SCREEN.
  IF NOT s_werks[] IS INITIAL.
  REFRESH t_werks.
  SELECT werks
  FROM t001w
  INTO TABLE t_werks
  WHERE werks IN s_werks.
  IF sy-subrc EQ 0.
  LOOP AT t_werks.
  AUTHORITY CHECK...
  ID 'WERKS' FIELD t_werks-werks.
  IF sy-subrc EQ 0.
  DELETE t_werks.
  ENDIF.
  ENDLOOP.
  IF NOT t_werks[] IS INITIAL.
  LOOP AT t_werks.
  CONCATENATE t_werks-werks
                           w_text
                  INTO w_text.
  ENDLOOP.
  MESSAGE exxx WITH 'No authorisation for '
                                    w_text.
  ENDIF.
  ENDIF.
  ENDIF.
  Thanks and Best Regards,
  Vikas Bittera.
  **Reward if useful**

• Authority check in webdynpro

  Hi All,
  Is it possible to give access to webdynpro screen after performing authority check in webdynpro.
  In my case, I have created three tabs in my view.
  Now is it possible to give authority check to each of these tabs from web dynpro itself.
  If so, Please explain how to proceed.

  Hi,
  Hope It can be done. On event TABSELECT write the authority check.You can get the tabname selected from the SELECTEDTAB.
  Thanks,
  Bindu.

• Bypass check for this program only

  Hi FI Masters,
  i have a zprint prog ex : ZRFFOZA_H2H. i copied this prog and given a transaction(ZRFFOZA_H2H_FI   tcode : ZFI_H2H ) and run to see the results where it works fine.
  but....
  payment method can be linked to only one print program and in this test case payment method M is linked to ZRFFOZA_H2H, so now the problem is that the new transaction code ZFI_H2H is built on program ZRFFOZA_H2H_FI and the system refuses to run. 
  when i see the message it shows like this...
  The list of payment methods (M) may only be processed by other payment medium programs.
  now how can i bypass this check for this program only?
  can i have some info please....
  Thanks,
  pasala.

  hi FI masters,
  to be more clear to the above quetion,
  i have 2 zprog for the Payment run
  for the Payment method 'M' i have z prog ZRFFOZA_H2H which is configued
  again i have made a copy of above prog to ZRFFOZA_H2H_FI  and run the payment run for the Payemnt method 'M'.
  Now it gives me a message : Payment method(s) are not allowed for this program.
  since below copy prog not configed we get this message.
  NOW : What can i do to bypass this check for this program only
  can i have some info pls?
  thanks again,
  pasala.

• Hi   authority check  in prog

  hi
  could anyone tell me how to use authority check in report program.
  please provide me with code in report only.
  thanx
  rocky robo

  PARAMETERS: P_BUKRS LIKE T001-BUKRS.
  SELECT-OPTIONS:
                  S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY,
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
        ID 'BUKRS' FIELD P_BUKRS
        ID 'ACTVT' FIELD '03'.
    if sy-subrc <> 0.
      message e001(ZAUT) with P_BUKRS.
    endif.
  loop at S_VKBUR.
      AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
          ID 'VKBUR' FIELD S_VKBUR-LOW
          ID 'ACTVT' FIELD '03'.
      if sy-subrc <> 0.
        message e001(ZAUT) with S_VKBUR-low.
      endif.
      if S_VKBUR-high <> space.
        AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
            ID 'VKBUR' FIELD S_VKBUR-HIGH
            ID 'ACTVT' FIELD '03'.
        if sy-subrc <> 0.
          message e001(ZAUT) with S_VKBUR-high.
        endif.
      endif.
    endloop.

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• RE: Authority checks included in the info set of the query

  Hi all,
  I am checking the program code for one of our custom tcodes and i asked ABAP team to add authority check to the program code because there is no auth check in the code and abapers told me that the authority check is included inside the info set of the query and not in the program . the program is used to execute the query in the Tcode.
  how to find the Authority checks included in the info set of the query.
  Thanks in advance,
  Sun.

  If you have the BI support roles assigned to you  and the security admin  roles please login to the BI system
  execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
  For variables in authorizations like ( type customer exit )
  use RSECADMIN - maintain authorization tab - Click on value authorization tab.
  Keytransaction is RSECADMIN  & infoobject maintenance details you can get from RSD1.
  Regards

• RRMX Authority check

  hi,
  There are two SAP BW systems , one with component SAP_BW SAPKW70017 (say B1) , and other one with SAP_BW component SAPKW70103 ( say B2)
  In B2 , When a user executes RRMX , it takes them to the Business explorer(excel sheet) , however it throws a message in the GUI that "No authorization to change role <role>
  Message no. S#423"
  This message is received as soon as you get the excel sheet opened .
  When further looked into the situation , seems like in B2 , the follwing select statement is executed ,( as soon as u execute RRMX)for checking the change access for all the users "assigned roles" ( I wonder why all roles?) with the object S_USER_AGr and throws the message when there is no 02 activity for any of the roles present with the user .
  SELECT agr_name FROM agr_users INTO l_agr_name WHERE uname = sy-uname.
      CALL FUNCTION 'PRGN_AUTH_ACTIVITY_GROUP'  -
  > "this further throws the message"
        EXPORTING
          activity_group = l_agr_name
          action_change  = 'X'
        EXCEPTIONS
          not_authorized = 12
          OTHERS         = 13.
      IF sy-subrc = 0.
        e_s_system_info-can_change_pfcg_roles = rs_c_true.
  Whereas in B1 (old release) no such message is thrown for the same user . seems there is no such change activity check in the begining?( not too sure) and only when the user clicks the Role option in Query dialog , S_USER_AGR is checked as per the ST01 trace.
  Is this a bug in SAP_BW 701 release ? If so , do you the SAP notes for correcting the same ?please reply at the earliest .Thanks in advance

  Some customers have S_USER_GRP actvt '02' in production environments for the RRMX "key" users who publish queries to be able to add them to the menu for the users. A change in authorization data might not be required, typically.
  But this "change" authority gives more access than just the menu, and the user will need other authorizations for S_USER_TCD and VAL as well.
  It has been replaced by the BEXWeb, which you should take a look into.
  As SAP "owns" the authority-checks in their programs, they seemed to have felt it appropriate to add the same check to RRMX for "key" users.
  > Is this a bug in SAP_BW 701 release ?
  I don't think it is a bug in BW 7.01. Arguably they could have added it earlier.
  There is an approach to control this via the sideinfo.dat file using the program ID of the query - but I guess few did that or even knew about it. It is not intuitive.
  Cheers,
  Julius

• Authority CHeck VK11

  Hi Guru's,
  I want to have a authority check for  table control field KOMG-KBSTAT in the screen 1850 for the program SAPMV13A.
  I know how to create the authorisation object and also tested a sample code for a z-report .
  I want the details how to apply it to a standard program. Please guide me for this issue.
  Thanx in Advance,
  Arcahan

  Hello ,
  I will elaborate my requirement.
  See in the program SAPMV13A , screen no 1850 , the table control field is komg-kbstat .
  The possible value's for komg-kbstat are as mentioned -
  >  01-blocked  , 02 - Released
  Now  I want the User ' XYZ' should have the authority to block only and not to release.
  Regards,
  W. Archana

• AUTHORITY-CHECK for an defined USER

  Hi,
  i write a abap (protokol) which shell be started every hour. In this report i will use
  an AUTHORITY-CHECK for an defined user, because i will send the protokol via email, but i have
  to check if this user is allowed to see the data.
  I will use this:
  AUTHORITY-CHECK OBJECT 'F_LFA1_BEK'
  ID 'BRGRU' FIELD '__________'
  ID 'ACTVT' FIELD '__________'.
  for an defined user.
  Is this possible, or how can i check this in another way?
  Thanks.
  Regards, Dieter

  Hi Eric,
  i tried it like this:
  UTHORITY-CHECK OBJECT 'F_LFA1_BEK'
           ID 'BRGRU' FIELD 'KRED'
           ID 'ACTVT' FIELD '03'.
  BREAK-POINT.
  CALL FUNCTION 'AUTHORITY_CHECK'
    EXPORTING
    NEW_BUFFERING             = 3
    USER                      = SY-UNAME
      OBJECT                    = 'F_LFA1_BEK'
      FIELD1                    = 'BRGRU'
      VALUE1                    = 'KRED'
      FIELD2                    = 'ACTVT'
      VALUE2                    = '03'
  EXCEPTIONS
     USER_DONT_EXIST           = 1
     USER_IS_AUTHORIZED        = 2
     USER_NOT_AUTHORIZED       = 3
     USER_IS_LOCKED            = 4
     OTHERS                    = 5.
  BREAK-POINT.
  at first breakt-point sy-subrc = 0 at second sy-subrc = 2. Can you tell why i get another sy-subrc?
  is my FM-Call correct?
  thanks.
  Regards, Dieter

• Authority Check Failed

  I have created a Web Service for a Function Module in ECC 5.0. I was able to generate the proxy using SE37--> Web Wizard. I can see the Web Service in WSADMIN, WSCONFIG, SICF. 
  I am using the WSADMIN and Test Tool to generate a request for testing the proxy hosted on my ECC 5.0 system. I am finding this particular error relating Authorization. We have granted most of the Authorzations. Any Clue on how to resolve?
  Request Object
  POST /sap/bc/srt/rfc/sap/ZWS_CONCATENATE_STRING?sap-client=100 HTTP/1.1
  Host: sapdbs.foxboro.com:8000
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Authorization: <value is hidden>
  Content-Length: 559
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Header><sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/"><enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body><ns1:Ztest4 xmlns:ns1='urn:sap-com:document:sap:soap:functions:mc-style'><Par1>str1</Par1><Par2>str2</Par2></ns1:Ztest4></SOAP-ENV:Body></SOAP-ENV:Envelope>
  Response Object
  HTTP/1.1 500 Internal Server Error
  Set-Cookie: <value is hidden>
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20091117/102452/v1.00_final_6.40/4B02B94392E30041000000000A9BAC6E
  server: SAP Web Application Server (1.0;640)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><soap-env:Fault><faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode><faultstring xml:lang="e">Authority check failed</faultstring></soap-env:Fault></soap-env:Body></soap-env:Envelope>
  Thanks.

  Hi,
  This means your userid/password don't have sufficient authorization.
  do following:
  - Grant following authorization using SU01 : *WEBSERVICE* (search for all role with webservice)
  - If above doesn't work then check if your user exist in visual admin secure store (java side). Usually visual admin secure store point to ABAP client for user sync but it is possible it is not configured to right client (instead pointing to client 001).
  - check service with third party tool like SOAP UI (provide ur userid/password as well) - if it is working from here then it means you have problem with userid on java side (use visual admin to troubleshoot).
  Regards,
  Gourav

• Authority Check - Best Practice - Optimum Way

  Hi Experts,
  I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
  I am planning to create range tables and populate it with the authorized values and use it in the select queries.
  I have two concerns:
  1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
  2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
  What is the best practice or rule of the thumb that you have figured out.
  Thanks,
  Abdullah Ismail.

  Are they asking you to check the authorisations for each of the following?
  1.     Sales Organization
  2. Distribution Channel
  3. Division
  4. Sales Group
  5. Sales Office
  6. Sales Document Type
  7. Sales Country
  8. Material Group(Brands)
  If so that is completely over engineered and good luck with that.  Surely you only need to check at one level of the sales structure, the lowest level I would guess.  Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
  Therefore they auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you wonu2019t have that many appends and it wonu2019t add much to the time of the report.  While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
  Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
  If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
  Hope that helps,
  Tim

• How to create Authority check object

  Hello Gurus,
  How to create Authority-check object 'ZABC'
                                                           ID 'TABLE' FIELD 'ZTABLE'.
  Please tell me detailed procedure.
  Thanks in advance.
  Best Regards,
  zubera

  Dear Zubera,
  Creating Authorization Fields
  In authorization objects, authorization fields represent the values to be tested during authorization checks.
  To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
  To create a authorization field:
  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.
  4. If desired, enter a check table for the possible entries. For    more information about check tables.
  For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
  You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
  Assigning an Authorization Object to an Object Class
  Each authorization object must be assigned to an object class when it is created.
  Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
  You can also create authorization objects in the Object Navigator (SE80).
  Creating / Choosing Object Classes
  The system displays a list of existing object classes.
  Object classes are organized according to the components of the system.
  Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
  You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  Creating an Object
  Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
  You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
  Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
  Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
  You can regenerate the profile SAP_ALL after creating an authorization object.
  Best Regards,
  Rajesh
  Please reward points if found helpful.