Is there authority check in every BAPI?

Similar Messages

• I dragged my ext. HD iTunes backed up folder into my new mac. Now there are duplicates of every song!! The problem is both versions seem to actually BE there when I check the info. Now I have no idea if iTunes is playing the files in the trash or not

  Hi. I'm in a situation here and would really welcome some guidance. I dragged my ext. HD iTunes backed up folder into my new mac. Now there are duplicates of every song. Both versions seem to actually BE there when I check the info. So, I moved what I thought were duplicates into the trash from iTunes, and resigned myself to the fact that I would have to do this manually for each album. I did this with about 10 albums. I emptied the trash and lost them even though they still LOOKED like they were in iTunes. I repeated the process tonight on a bunch of other albums not realizing yet that I had screwed up terribly the first time. This time I saw what had happened and pulled the files out of the trash, onto my desktop and dragged them back into iTunes, then deleted the duplicate files that had exclamation points next to them. Now I have no idea if iTunes is playing duplicate files from the trash or not, and am nervous about emptying the trash. Anyone dealt with this before? Thank you

  Hi. I'm in a situation here and would really welcome some guidance. I dragged my ext. HD iTunes backed up folder into my new mac. Now there are duplicates of every song. Both versions seem to actually BE there when I check the info. So, I moved what I thought were duplicates into the trash from iTunes, and resigned myself to the fact that I would have to do this manually for each album. I did this with about 10 albums. I emptied the trash and lost them even though they still LOOKED like they were in iTunes. I repeated the process tonight on a bunch of other albums not realizing yet that I had screwed up terribly the first time. This time I saw what had happened and pulled the files out of the trash, onto my desktop and dragged them back into iTunes, then deleted the duplicate files that had exclamation points next to them. Now I have no idea if iTunes is playing duplicate files from the trash or not, and am nervous about emptying the trash. Anyone dealt with this before? Thank you

• Bypass authority check when creating Ibase from BAPI

  Hi,
  We have a requirement to create/update an Ibase when saving a Service Order.  We don't want to give users authorization to update the Ibase via PFCG.
  Is there a way to bypass the standard authority check that is executed when calling CRM_ICSS_CREATE_IBASE or CRM_ICSS_CREATE_COMPONENT so that the Ibase can be updated without the user having to have the necessary athorisation object?
  Is there an alternative method to create/update the Ibase that will not check authorizations?
  regards
  Tim

  Hi,
  FM CRM_IB_AUTHORITY_CHECK gets called during IBase create.
  You can create implicit enhancement in this FM to bypass the authority check.

• Authority check in for condition type

  Hi
  What do you mean by an authority check on condition type.. especially Pricing..
  There are authority check that are embedded as Reqt and AltCTy in the IMG at the pricing procedure level for different condition type.
  Could someone explain me what they are for..?
  Thanks
  Jac

  Hi,
      authority check is the std sap methodology of check the permitted authorisation values for every transaction  and every user.
  here in this example;authority object is used to maintain or change condition record for allowed condition types.
  scenario eg;if we maintain create value for user mukund for pr00 condition type ,system allows me only for creating .if we maintain change value for user sherin for condition type,system allows to change the values.
  net net i can create and u can change ,not visa-viz or any body else cannot do it.
  hope this is clear.if it helps  REWARD!!!!!!!

• Include authority check in PM User exit

  Dear all,
  Is there any user exit for adding an authority check object in IW31 transaction program?
  Kindly advise.
  Thanks.

  Hi,
  There is a Function module AUTHORITY-CHECK to check the authrization, here you can give the trnasaction code as well as the user name .. look at the function module in SE37..
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  <b>Reward points if useful</b>
  Regards
  Ashu

• Authority-check for a particular company code

  Hi,
     I need to check authorization for a particular company code.In my bdc call transaction program i'm fetching mass data from excel file and for every record i've to check the company code field.If the company code is not the required one then that record should not be processed.
    So before filling the bdc data i wrote like
  LOOP AT gt_inrec INTO gs_inrec.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                 ID 'ACTVT' field '02'
                 ID 'BUKRS' field '2800'.
      IF NOT sy-subrc = 0.
        MESSAGE e058(zz) WITH gs_inrec-bukrs.
        EXIT.
      ENDIF.
       PERFORM fill_bdc.
    ENDLOOP.
  but it is not exiting for different company codes and is allowing records with all company codes.
  can anybody pls tell me how to rectify this?
  thanks in advance,
  poornima

  I need to perform authority check on the field NAME1 present in the standard screen - customer master ( T.Code-XD02). Only certain users should be allowed to edit the field and others should be restricted.
  I have created a field exit FIELD_EXIT_AD_NAME1 for the ADRC-NAME1 field.
  Now inside this field exit i need to write the authority-check code.
  I have created the authorisation object Z_KNA1_NAM for the field NAME1 using the SU20 and SU21.
  For this scenario how do i write the authority-check code in my field exit?
  Below is my field exit code,is that correct?
  FUNCTION FIELD_EXIT_AD_NAME1.
  ""Local Interface:
  *" IMPORTING
  *" REFERENCE(INPUT)
  *" EXPORTING
  *" REFERENCE(OUTPUT)
  AUTHORITY-CHECK OBJECT 'Z_KNA1_NAM'
  ID 'NAME1' FIELD SY-UNAME
  ID 'ACTVT' FIELD '03'.
  IF SY-SUBRC = 0.
  MESSAGE 'Not Allowed to Edit the Name 1 Field' TYPE 'E'.
  ENDIF.
  ENDFUNCTION.
  In the above code i have given SY-UNAME in the code line 2 - ID 'NAME1' FIELD SY-UNAME ,is that correct? what should i give there?
  Please help me on this issue.
  Cheers,
  P.S.Chitra

• SM30 and AUTHORITY-CHECK

  Hi experts !
  Is There a way to see if the user has authority to chance the table view ? All users can see the data but not all can chance but i can't block the transaction.
  I also need show just some fields. The table has 7 fields but i can show just 4. How to do that ??
  Last doubt. The others 3 fields that do not appear I need to enter some informations like date and hour.
  Thx in advance.

  Hi
  At role Level you can keep the Authrization check for the Tcodes (PFCG tcode)
  using auth objects you can keep authorization check on the table fields or fields in a transaction
  see the following
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Regards
  Anji

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• Web Service Homepage: Authority check failed

  Dear Colleagues,
  I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
  Authority check failed
  Are there any prerequisites I maybe do not accomplish?
  (I tested a very similar web service in another system, and there it works)
  Here are some more information about my service:
  - Service was build with Web Service Wizzard out of a function module
  - Here you can see the conversation resulting of the test:
  POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
  Host: bsl8011.wdf.sap.corp:50073
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Cookie: <value is hidden>
  Cookie: <value is hidden>
  Authorization: <value is hidden>
  Content-Length: 381
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
  <INPUT>TEST</INPUT>
  </ns1:Z_TEST_WS_CONFIG>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  HTTP/1.1 500 Internal Server Error
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
  server: SAP Web Application Server (1.0;700)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
  <soap-env:Fault>
  <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
  <faultstring xml:lang="e">Authority check failed</faultstring>
  </soap-env:Fault>
  </soap-env:Body>
  </soap-env:Envelope>
  The WSDL-Document looks as follows:
  <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
  Can anyone help me, I have no Idea
  Message was edited by: Hans-Peter Bauer

  The message server defined in the SAP-Logon is us4278.wdf.sap.corp
  But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
  But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.
  For better illustration I made some screenshots for you:
  1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
  2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
  3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
  What can be wrong, if the error "n0:FailedAuthentication" appears?
  Regards,
  Peter
  Message was edited by: Hans-Peter Bauer

• How to use the AUTHORITY-CHECK in ABAP

  I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
  Thanks

  Hi Greg,
    Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has.  This is only as good as the person writing the code makes is.
  Here is a basic example of how it could work.  Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
  In the code the programmer would have to first do the authcheck to see what CC the user has access to.  Then they would have to limit his reporting based on the results of the authority check.  So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
  This is what I think you are looking for.  There are other ways to use the auth check.  You can do a check and end the program with a message if they don't have authorization. 
  If you need more info, let me know
  John

• PNP authority check

  Hi all,
  I have a problem with authority check in a report.
  I have to access to a field in an infotype and subtype.
  I have all authorizations for this subtype and infotype.
  I'm trying to retrieve this data from an employee, but this employee has informed another subtype in this infotype where I haven't permisions.
  As in the source code there aren't access to this subtype where I haven't permisions, I found that the systems make it's authority check before the START-OF-SELECTION in class CL_HRPAD00AUTH_CHECK_STD, method IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION.
  The system takes the employee number, gets all its informed infotypes and subtypes and perform the authority check for my user, so I can't access to this employee information.
  I think this authority check is made by the use of PNP logical database.
  Is there any way to avoid this authority check?
  Regards,
  Angel Cepa

  Hi Angel Cepa,
  first of all: maybe you can use logical database PNPCE, because PNP is obsolet.
  Anyway, please refer to the documentation of PNPCE (transaction SE36), that may solve your problem.
  PNP/PNPCE knows two ways to check authority:
  1. If no authorization exists for even one individual data record of one of the infotypes used, processing of the personnel numbers is terminated by default (switch "PNP_SW_SKIP_PERNR" = Y)
  2. If you set this switch (at the INITIALIZATION or START-OF-SELECTION events) to N, no more personnel numbers (without authorization) are skipped. Only the data records for which no authorization exists are rejected (that is, not made available).
  So, simply set the switch, mentioned above, to "N" and you will have access to this employee (except the infotype-records, you don't have authority for).
  Regards
  CHRIS

• HR PNP LDB and authority check

  Hello All,
                Can someone plzz tell me if there is any major difference between CODE1 and CODE2 below? I understand if we use LDB we dont need to do authority check but is there is any exceptional case where we do this kind of codeing...
  CODE1:
  Start-of-selection
  GET pernr.
    CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
          EXPORTING
               tclas            = w_tclas
               pernr            = pernr-pernr
               infty            = '0001'
               subty            = space
               begda            = pn-begda
               endda            = pn-endda
               level            = w_level
          EXCEPTIONS
               no_authorization = 1
               internal_error   = 2
               OTHERS           = 3.
    if not sy-subrc is initial.
      reject.
    endif.
    PERFORM list_data.
  END-OF-SELECTION.
  CODE2:
  Start-of-selection
  GET pernr.
    PERFORM list_data.
  END-OF-SELECTION.
  Thanks in advance...
  -Muktar

  Hi Muktar,
  In my opinion, certain infotypes hold certain level of access by different user who is using that report to view HR information. Particularly sensitive infotype like 0008 (basic pay) and other pay involving infotypes can be use to check for authority before it is display or modify by users. So HR_CHECK_AUTHORITY_INFTY is used.
  Get PERNR does not validate the authority because PERNR itself is just a structure that contains a few PA Keys and several of other infotype structure that doesn't tell the authority to read by any specific users. Get PERNR contains the PROVIDE macro and in it does not do any authorization, if i am not mistaken.
  This is my understanding. I hope my explanation is correct and have help you in a way.
  Thanks
  William Wilstroth

• Authority check in ABAP program

  Hello All
  I am having some trouble with authority object in ABAP programming
  This is the situation.
  I have a field "plant" which is a select options in the selection screen.
  I have to write an authority-check for this "plant" field in the program and display the report for only the plants for which the user is authorised. There is a select statement in the program which selects all the plants entered. If it is single plant entry and the user is not authorised or the user is not authorised to none of the plants entered for multiple plant entries, an error message should be displayed saying "no authority to display plants x, y, z"
  How can I incorporate this logic in the report.
  This the current coding
  AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'C_ROUT'
            ID 'ACTVT' FIELD '03'
            ID 'PLNTY' FIELD 'DUMMY'
            ID 'WERKS' FIELD s_werks
            ID 'STATU' FIELD 'DUMMY'
            ID 'VERWE' FIELD 'DUMMY'.
  START-OF-SELECTION.
    SELECT amatnr  aplnnr aplnal awerks aplnty bstlnr b~stlal INTO TABLE t_mapl FROM mapl AS a INNER JOIN mast AS b
                             ON amatnr = bmatnr
                              AND awerks = bwerks
                           WHERE a~matnr IN s_matnr
                                 AND a~plnnr IN s_plnnr
                            AND a~plnal IN s_plnal
                          AND a~werks IN s_werks
                         AND a~plnty IN s_plnty
                         AND b~stlnr IN s_stlnr
                           AND b~stlal IN s_stlal. "(ALT BOM)
  Thanks
  Ricky

  Hi Ricky,
  to check each individual plant in the selection, you can not use s_plant in the authority chek, here you need to give the value..
  Code like this:
  DATA : BEGIN of t_werks OCCURS 0,
                werks TYPE t001w-werks,
  END OF t_werks.
  DATA : w_text(30) TYPE c.
  AT SELECTION-SCREEN.
  IF NOT s_werks[] IS INITIAL.
  REFRESH t_werks.
  SELECT werks
  FROM t001w
  INTO TABLE t_werks
  WHERE werks IN s_werks.
  IF sy-subrc EQ 0.
  LOOP AT t_werks.
  AUTHORITY CHECK...
  ID 'WERKS' FIELD t_werks-werks.
  IF sy-subrc EQ 0.
  DELETE t_werks.
  ENDIF.
  ENDLOOP.
  IF NOT t_werks[] IS INITIAL.
  LOOP AT t_werks.
  CONCATENATE t_werks-werks
                           w_text
                  INTO w_text.
  ENDLOOP.
  MESSAGE exxx WITH 'No authorisation for '
                                    w_text.
  ENDIF.
  ENDIF.
  ENDIF.
  Thanks and Best Regards,
  Vikas Bittera.
  **Reward if useful**

• Authority-check for particular comp code

  Hi All,
  when i'm using standard Authority Object F_BKPF_BUK  for a particular standard code say 'CO01'. but it is working for all company code, but i want work for only one company code say 'CO01' ONLY.i'm using in report program (zreport prog)
  I written code as
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD 'BE10'
      ID 'ACTVT' FIELD '03'.
  Please can u advice on this .
  Many Thanks in Advance for u r Answer
  Naren

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• AUTHORITY-CHECK before Selection-screen?

  Hi,
  i want to check the authority before the selection-screen. I do it in this way:
  AT SELECTION-SCREEN OUTPUT.
    AUTHORITY-CHECK OBJECT 'Z_REPORT'
             ID 'PROGRAM' FIELD SY-REPID
             ID 'ACTVT'   FIELD '16'. "Ausführen
    IF SY-SUBRC <> 0.
      MESSAGE E010 WITH 'Keine Berechtigung für Programm: '
      SY-REPID.
    ENDIF.
  But the selection appears without any parameters.
  Is there a way to check without the selection-screen?
  thanks.
  regards, Dieter

  Hi Dieter,
  Please check the below code for at selection screen authorization check.
  Handling selection screen events
  AT SELECTION-SCREEN ON p_carrid.
    IF p_carrid IS INITIAL.
      MESSAGE 'Please enter a value' TYPE 'E'.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
                        ID 'CARRID' FIELD p_carrid
                        ID 'ACTVT'  FIELD '03'.
    IF sy-subrc = 4.
      MESSAGE 'No authorization for carrier' TYPE 'E'.
    ELSEIF sy-subrc <> 0.
      MESSAGE 'Error in authority check' TYPE 'A'.
    ELSE.
      IF sy-ucomm = 'ONLI'.
        CALL SELECTION-SCREEN '0500'.
      ENDIF.
    ENDIF.
  Regards,
  Md Ziauddin