Kanban authorization checks (SU24, PK13N, PK*)

Similar Messages

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Deactivate authorization checks in BSP or function modules?

  Hi all
  I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
  I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
  Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
  Regards
  Mike

  > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
  Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
  Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
  Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
  I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
  I would think that a carefull choice of function module and consulting with your functional guru about config which will not interfer with other requirements is the best route to take.
  I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
  Cheers,
  Julius

• Authorization check creating Work Orders (IW31)

  Hello everyone,
  We need to make an authorization check when creating a Work Order in transaction IW31.
  That check is based on the field "Main work center for maintenance tasks"
  No check apart from the plant associated to the work center is done, but the problem is that there exist different Work Centers associated to the same plant, and we need to restrict it.
  Our authorization model considers the Cost Center associated to the Work Center, but the Cost Center is not checked in this IW31 when entering the Work Center.
  We have also tried using the classification system, but despite activating authorization obejct C_KLAH_BKL, is neither checked.
  (It is amazing the difference between the number of objects marked to be checked in SU24 for this IW31 and the objects really checked when looking at authorizations trace)
  We know that Work Center field exit could be used, but we would prefer not to change ABAP code.
  Could you please give us a hint about how we can restrict this field?
  Thank you very much.
  Best regards.
  Jose Sanz.

  Hi Jose,
  You can look at the object C_ARPL_WRK,
  if you work with this , i hope you would be able to find a solution for this situation.
  Thanks,
  Vijay

• Authorization check flow

  Hello Folks,
  I wonder if some one can help clearing a doubt of mine.
  The standard definition one finds on the net for Authorization check maintenance in SU24 for transactions is:
  CM = Check performed AND object added in PFCG when tcode added to the role.
  C = Check performed BUT object not added in PFCG when tcode added to the role.
  N = No check OR check will return sy-subrc = 0 even if the user does not have the authorization.
  U = Unknown. A check will may be hardcoded in the program, or maybe not.
  My take on the above definitions is:
  example object: V_VBAK_AAT
  if
  CM for  V_VBAK_AAT the object is included in the role while working with PFCG.
  As per the definition check performed on object and object added.
  Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
  If
  C check performed but object not added
  Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM? I was once told that these are objects that are most commonly used and hence from a BASIS point of view that the roll buffer will have that much less authorizations to load. But that does not ring true to me.
  If
  N - check will return value 0 thereby allowing the user through even though he does not have the authorization to do so
  Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
  For the last couple of years that i have been working on this, i have accepted this, as one would,  the bible :-)...
  But now i wonder if there will be some enlightenment....
  Regards,
  Prashant

  >
  Prashant Pasala wrote:
  >
  > Question 1: Even if the object is maintained as CM it would not make a difference if the check is not coded in the program (authority-check). Would it?
  no, it wouldn't. the check has to be coded.
  >
  Prashant Pasala wrote:
  > Question 2:  If a check is going to be made on this object, why not include it in the role i.e mark it as CM?
  >
  because you would have many obsolete objects in your role, depending on the setup of your applications, the org-structure and several other things (mostly in configuration), whether an extension-set is active, a special IS used ...
  >
  Prashant Pasala wrote:
  > Question 3: Why suppress a check that is coded into the prgram in the first place. After all, the whole idea of Security is "any authorization not explicitly assigned" means NO AUTHORIZATION
  >
  here one can only guess. one scenario might be: due to a bug in a SAP standard BAPI you deactivate the check until you get a correction from SAP. you have to do this to keep up the business ...
  Edited by: Mylene Euridice Dorias on Mar 11, 2008 3:59 PM

• Regarding authorization checks

  Dear forumers,
  I have a new custom transaction code, and this transaction code is defined for a custom report program.
  The custom report program provides end users with an interface to view and manually maintain data records in a custom table.
  I wish to add authorization checks to this via SU24. After doing this, however, I noticed that if a user without the necessary authorization is unable to access the custom transaction code, he is still able to run it via SE38 by entering the custom program name.
  How can this be resolved - so that, for a user who does not have the sufficient authorization, he cannot access both the transaction code and the program name manually?
  Appreciate any advice on this at all. Thanks.

  If that is a custom program you can put the following in your program code before processing starts, right after START-OF-SELECTION and throw an error message if the function returns anything other than value 2. Replace VA42 with your transaction code
  This will ensure that the user won't be able to executed it in SE38 even, if they don't have authorization to execute the transaction
  CALL FUNCTION 'AUTHORITY_CHECK'
         EXPORTING
              user                = sy-uname
              object              = 'S_TCODE'
              field1              = 'TCD'
              value1              = 'VA42'
         EXCEPTIONS
              user_dont_exist     = 1
              user_is_authorized  = 2
              user_not_authorized = 3
              user_is_locked      = 4
              OTHERS              = 5.
  IF sy-subrc NE 2.
    MESSAGE TYPE 'E'....
  ENDIF.

• Authorization check on Z report

  Hello Experts,
  We had a requirement to develop a report which would combine the features of V.14 and V23 with some additional features like removing delivery blocks and billing blocks.
  We want to add some authorization checks so that some people are restricted to view information of only some sales organizations and some people like management will have a broader authorization to view details of multiple sales organizations.  How can we acheive this?
  For example in SU23 when we run our custom T code we do not see the authorization object which is used in the program. We are currently using VBAK_VKO in our program.
  Thanks and regards.
  ES.

  Hi,
  Adding to above replies, are you calling V.14 and V23 in your custom program or you created your own login in Z program? If standard tcodes are being called, make sure that appropriate restrictions are placed in SE97 tcode for the Z tcode.
  In SU24, you will have to add the object to the Z tcode. You will not see it automatically. But make sure that the authority check is there in program (can verify by a ST01 trace).
  As Anika said, you can create separate roles for each required sales organization.
  Thanks

• Authorization check for F_BL_BANK

  Dear all,
  All this while my users don't have problem with their roles until recently they hit problem with authorization check on the object F_BL_BANK. This object is not available in their roles.
  My question
  a.) what could have been configured to start the authorization check on this object ? how do i check ?
  Comment and advice will be appreciated.
  Thanks.
  Regards,
  Kent

  Hi Kent,
  It is very possible that this object was activated in SU24 from "Not check" to "Check." Can you have someone checked if this is the same situation in DEV? If yes, you can either go back and set the auth object as "as not check" and transport it across, or maintain the newly checked object for all roles.
  You can also check the object F_BL_BANK in the tranport objects by taking the following steps;
  SE03 <SELECT "SEARCH FOR OBJECTS IN REQUESTS/TASKS<SELECT AN OBJECT AND ENTER SUSO, press enter and insert the auth object being searched. That will give you the transport request where that object was included and the name of the user who did it.

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.

• CRM - Process Flow of Authorization Check in Business Transactions

  Hello Folks:
  I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
  What I have in place:
  CRM_ORD_OP (inactive, don't want access to own documents)
  CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
  CRM_ACT (active)
  CRM_CMP (active)
  CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
  Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
  CRM_ORD_PR (active and restricted to display)
  Issue:
  Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
  Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
  OSS notes to SAP have resulted in no results....please advise what is wrong here.
  Thanks
  KT

  Thanks for the Priyanka for the reply, but what you mention is not correct.
  BSP errors are different from what I am refering to.
  The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
  Regards,
  KT

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.