LDB PNP authorization check authorization object

Hi,
I have used LDB PNP for HR reports.
We are using the authority check also, but the problem is all the records/data for all the people is being read by the report, where some of the people's data should not have been read as they belong to some other personal area than the role of the executor (user).
Hence it appears that the authorization check is not working properly.
Following is how I am using it. Please suggest corrections or an alternate way to correct this issue.
    rp-provide-from-last p0002 space gwa_outlist-begda 
                                                    gwa_outlist-begda.
    IF pnp-sw-found NE '1' OR
        pnp-sw-auth-skipped-record EQ '1'.
        EXIT.
    ELSE.
        ls_tab-vorna = p0002-vorna.
        ls_tab-nachn = p0002-nachn.
    ENDIF.
Please reply with the corrections or alterations.
Thanks in advance.
Akash.

Hi,
(1)
Actually, if you're writing a report with PNP LDB, you do NOT need to do this hard-coded auth checking at all, because the LDB ABAP code behind PNP has already done this job for you.
So all you need to do is to ask your HR consultant or Basis consultant to modify the authority config of a certain ROLE with t-code PFCG, and then assign that ROLE to a certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some cases you do not work with an LDB report; then you need to do the authority check by yourself. The general function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK does the authority check by means of an Authority Object. Below are authority objects used in the HR module (you can also see them in PFCG if technical names are switched on):
P_ORGIN    HR: Master Data
PLOG       Personnel Planning
P_PCLX     HR: Clusters
P_TCODE    HR: Transaction codes
Sample of checking personal area:
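CALL FUNCTION 'AUTHORITY_CHECK'
     EXPORTING
          FIELD1              = 'PERSA'        " authorization field: personnel area
          OBJECT              = 'P_ORGIN'      " authorization object: HR master data
          USER                = 'SAPSUPPORT1'  " user to be checked
          VALUE1              = 'Z001'         " personnel area value to test
     EXCEPTIONS
          USER_DONT_EXIST     = 1
          USER_IS_AUTHORIZED  = 2
          USER_NOT_AUTHORIZED = 3
          USER_IS_LOCKED      = 4
          OTHERS              = 5.
" SY-SUBRC = 2 is the only "authorized" outcome with this mapping
IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.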
Reward if helpful pls!
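
As an added example (not code from the posts above): a PNP report that checks the running user's own P_ORGIN authorization against each employee's personnel area from infotype 0001, and leaves only that employee with REJECT when the check or the PNP skip switch says the record must not be shown. The report name, the output structure and the variable names are hypothetical, and the explicit check is a simplified illustration that does not reproduce everything the logical database itself evaluates.

```abap
REPORT zhr_persa_auth_demo.   " hypothetical name; logical database PNP is set in the program attributes

TABLES: pernr.
INFOTYPES: 0001,              " organizational assignment (personnel area, group, subgroup)
           0002.              " personal data (names)

TYPES: BEGIN OF ty_out,
         pernr TYPE pa0001-pernr,
         werks TYPE pa0001-werks,
         vorna TYPE pa0002-vorna,
         nachn TYPE pa0002-nachn,
       END OF ty_out.

DATA: gt_out     TYPE STANDARD TABLE OF ty_out,
      gs_out     TYPE ty_out,
      gt_skipped TYPE STANDARD TABLE OF pa0001-pernr.

GET pernr.
  " The 0001 record valid in the selection period supplies the organizational
  " values that the P_ORGIN check is evaluated against.
  rp-provide-from-last p0001 space pn-begda pn-endda.
  IF pnp-sw-found NE '1'.
    APPEND pernr-pernr TO gt_skipped.
    REJECT.                   " leave this employee only; the LDB continues with the next one
  ENDIF.

  " Explicit read check on infotype 0002 for the user running the report.
  " Every field of P_ORGIN is listed; SUBTY is not restricted here.
  AUTHORITY-CHECK OBJECT 'P_ORGIN'
    ID 'INFTY' FIELD '0002'
    ID 'SUBTY' DUMMY
    ID 'AUTHC' FIELD 'R'
    ID 'PERSA' FIELD p0001-werks
    ID 'PERSG' FIELD p0001-persg
    ID 'PERSK' FIELD p0001-persk
    ID 'VDSK1' FIELD p0001-vdsk1.
  IF sy-subrc <> 0.
    APPEND pernr-pernr TO gt_skipped.
    REJECT.
  ENDIF.

  " Same switches as in the question: no record found, or a record withheld
  " by the authorization check inside PNP.
  rp-provide-from-last p0002 space pn-begda pn-endda.
  IF pnp-sw-found NE '1' OR pnp-sw-auth-skipped-record EQ '1'.
    APPEND pernr-pernr TO gt_skipped.
    REJECT.
  ENDIF.

  CLEAR gs_out.
  gs_out-pernr = pernr-pernr.
  gs_out-werks = p0001-werks.
  gs_out-vorna = p0002-vorna.
  gs_out-nachn = p0002-nachn.
  APPEND gs_out TO gt_out.

END-OF-SELECTION.
  LOOP AT gt_out INTO gs_out.
    WRITE: / gs_out-pernr, gs_out-werks, gs_out-vorna, gs_out-nachn.
  ENDLOOP.
  " Report how many employees were withheld instead of dropping them silently.
  WRITE: / 'Employees skipped:', lines( gt_skipped ).
```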

Similar Messages

  • Authorization checks and objects

    Do you have a tutorial for this topic for dummies? thanx in advance

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes for a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Seshu

  • Deactivate authorization checks in BSP or function modules?

    Hi all
    I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
    I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
    Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
    Regards
    Mike

    > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
    Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
    Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
    Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
    I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
    I would think that a careful choice of function module and consulting with your functional guru about config which will not interfere with other requirements is the best route to take.
    I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
    Cheers,
    Julius

  • Authorization check for ME54N   v/s Authorization check for ME54

    Hi,
    We have created the PR and released it; with reference to the PR we have created the PO. When we try to revoke the PR release using the t-code ME54, the system gives me an error message that the PO is already created for this PR.
    However, if I try to revoke this PR using ME54N, the system allows me to revoke it.
    My requirement is that the user should not revoke the PR once the PO is created against this using t-code ME54N. Is there any authorization check or object to control the t-code ME54N?
    Regards
    Ajit

    > Alex Ayers wrote:
    > Why do you not remove access to ME54N if they are supposed to use ME54?
    I apologise, Alex - but I do not think that is good advice. ME54N is there for a reason. It will one day substitute ME54 and anyway, changes, bugfixes etc. may no longer be developed for the 'old' transaction.
    Furthermore: compensating lacking functionality or a bug with withdrawing authorisations to the new functionality is - if any - a temporary option only. The OP's phenomenon has to be solved sooner or later.
    So my advice would be:
    First check in SMP whether one of the several notes on ME54N and 'release' applies to your system/version/process.
    Consider opening a call with SAP.

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if any special settings are to be done, like in Tcode OOAC, or whether some flags/parameters have to be set in the report program to perform org data level authorization.
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorizations were assigned to it (I mean roles with authorization objects P_ABAP - level of simplification 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • LDB PNP authorization check at record level - rp_provide_from_last

    hi,
    i am using LDB PNP,
    I am using macro 'rp-provide-from-last' .
    I need to place an authorization check so that the user of the program should only be allowed to view records of the people who come under the same personnel area as the user of the program.
    Can you please guide me on how to implement this?
    thanks in advance,
    akash.

    Hi,
    (1)
    Actually, if you're writing a report with PNP LDB, you do NOT need to do this hard-coded auth checking at all, because the LDB ABAP code behind PNP has already done this job for you.
    So all you need to do is to ask your HR consultant or Basis consultant to modify the authority config of a certain ROLE with t-code PFCG, and then assign that ROLE to a certain user with t-code SU01.
    ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
    (2)
    In some cases you do not work with an LDB report; then you need to do the authority check by yourself. The general function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK does the authority check by means of an Authority Object. Below are authority objects used in the HR module (you can also see them in PFCG if technical names are switched on):
    P_ORGIN    HR: Master Data
    PLOG       Personnel Planning
    P_PCLX     HR: Clusters
    P_TCODE    HR: Transaction codes
    Sample of checking personal area:
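    CALL FUNCTION 'AUTHORITY_CHECK'
         EXPORTING
              FIELD1              = 'PERSA'        " authorization field: personnel area
              OBJECT              = 'P_ORGIN'      " authorization object: HR master data
              USER                = 'SAPSUPPORT1'  " user to be checked
              VALUE1              = 'Z001'         " personnel area value to test
         EXCEPTIONS
              USER_DONT_EXIST     = 1
              USER_IS_AUTHORIZED  = 2
              USER_NOT_AUTHORIZED = 3
              USER_IS_LOCKED      = 4
              OTHERS              = 5.
    " SY-SUBRC = 2 is the only "authorized" outcome with this mapping
    IF SY-SUBRC NE 2.
      MESSAGE E001(01) RAISING AUTH_FAILED.
    ENDIF.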
    Reward if helpful pls!

  • Authorization checks for PNP LDB

    question    : how to validate authorization checks for pnp logical database?
    2 nd question: hr report
    this report is basically for salary survey. in this i had so many fields can any body let me know how
    can i form the internal tables. and i have to display overall 150 fields in csv file for that
    how can i take in to the final internal table.
    what is the logic behind this:
    T71JPR09-JOBCODE
    PA0000-PERNR
    HRP1000-STEXT
    P0006-PSTLZ
    PA0008-ANSAL * 100 / PA0008-BSGRD
    PA0015-BETRG
    PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
    like that i had.
    please give me the steps how can i proceed.

    Hi,
    The PNP database will take care of the authorization check. It will not execute if the user does not have authorizations.
    Hope this helps.

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on its own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Where we check the authorization group & authorization object?

    Hi all,
    i have a  std program & tcode  like fb03 . now i want to know the authorization group & authorization object. so where we will check..?
    help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class

  • Coding ABAP using LDB PNP and authorizations problems

    This post requires a blend of ABAP and HCM skills.
    When coding my own ABAP using LDB PNP, the LDB will provide me with the employees selected but will skip those for which I do not have access (regarding Authorizations settings) to one or more of the infotypes declared in the program.
    As a programmer I would like to receive from the LDB the information that an employee is skipped so that I can handle the exception.
    Do you know how can I get this information from the LDB?
    Thanks

    I don't know if PNP can do it but PNPCE can:
    at END-OF-SELECTION call macro PNP_GET_AUTH_SKIPPED_PERNRS
    it will provide a list of skipped PERNRs
    for further info see docu PNPCE

  • How to turn off the authorization checks for a object in infoproviders?

    Hi - how can I turn off the authorization check for an object (ex: 0orgunit) in infoproviders?
    I have 0orgunit as an authorization-relevant object and is used in one of the cubes. When reports are run for this cube, this is causing authorization issues. The object is present in other cubes also but I have to remove or turn off the authorization check of this cube alone. How to do this? Please help.
    Thanks,
    Raj.

    Hi Raj,
    Srinivas is right; however, in BI7 the correct transaction is RSECADMIN and not RSADMIN.
    In BW3.5, use RSSM transaction to do this.
    OR
    Go to transaction RSECAUTH ---> Choose the authorization object that has been created for org unit (and has been assigned to the user). Go to change mode. Remove the cube from the dimension 0TCAIPROV.
    If you are using the old authorization concept in 3.5 or in 7.0:
    Go to RSSM. In the checks for infoprovider, enter your infoprovider name. Choose change. Here you will see a checkbox to switch off the authorization.
    Hope this helps you,
    Best regards,
    Sunmit.

  • Authority Object? Authorization Check for Period

    We consolidated from R3 to SEM tax reporting. So we now are using a different authority-check object. However, all of the parameters that were in the 'Authorization Check for Period' in R3 are not in SEM. Can you manually add parameters to the authority-check? I am not even sure how to change or activate. Is this a Basis thing?
    To be honest I do not know what this object checks when processing. It cannot be debugged?
    I do not think my authorization level will be fully defined with the new object.
    Any suggestions?
              Thanks.
    *In old ERP we used*
    AUTHORITY-CHECK OBJECT 'E_CS_PERMO'
       ID 'PERMO' FIELD '1'   "Open period
       ID 'DIMEN' FIELD g_dimen
       ID 'RVERS' FIELD g_rvers
       ID 'BUNIT' DUMMY
       ID 'CONGR' FIELD g_congr.
    In new SEM system we now need to use:
    AUTHORITY-CHECK OBJECT 'R_UC_PERIO'
               ID 'ACTVT'     FIELD 'PA'          "open period
               ID 'CONS_AREA' FIELD g_congr.
              ID 'TASK_FLD1' FIELD '__________'
              ID 'TASK_FLD2' FIELD '__________'
              ID 'TASK_FLD3' FIELD '__________'
              ID 'TASK_FLD4' FIELD '__________'
              ID 'TASK_FLD5' FIELD '__________'
              ID 'TASK_FLD6' FIELD '__________'
              ID 'TASK_FLD7' FIELD '__________'
              ID 'TASK_FLD8' FIELD '__________'.

    Resolved issue.

  • How to use LDB PNP with ABAP objects in a program

    Hello,
    I am wondering if anybody has used the HR logical database (LDB) PNP with user defined ABAP objects in a program? I am using the FM LDB_PROCESS but it's not working. Also assigning PNP in the attributes section of the program -- so that I can use predefined fields from the LDB and then invoking the FM doesn't work -- throwing 'Logical database already active' error.
    I suppose even with the ABAP objects and the new FM -- I should still be able to utilize the pre-defined fields of the PNP database -- and also the built in authorizations. I cannot use GET PERNR and REJECT as they give errors. I understand that the use of HR-macros (RP-PROVIDE-FROM-LAST and et al.) are not allowed as they use the table work area -- which is not allowed in ABAP-OOPS.
    I would really appreciate if anyone could show me some insight regarding this. Thank you.
    Kshitij R. Devre

    Hi Kshitij
    It would be really good if we could use both together. But as I know, it is not possible. "GET pernr." is an event-like loop statement and so cannot be used in OO context. And I guess, the same restriction holds for the "LDB_PROCESS" since it uses LDB-specific processing.
    What I suggest you is to use standard and BAPI functions.
    Sorry for giving bad news...
    *--Serdar

  • SU22 authorization checks

    Hello,
    We are looking at solving all Priority 1(RED) and Priority 2(YELLOW) errors appearing in SU22 for release 6 and 7.
    I have some understanding of how the errors come up.
    I have a few concerns.
    1) How do we decide whether to set the proposal value as YS or NO for a particular object for that transaction, and what are the different parameters that we are concerned about?
    2) Some transactions have a Priority 1 error, even if there is one authorization object with proposal as MAINTAINED status as NO (as per my understanding it should be priority 2).
    3) Most priority errors have the problem of all objects' status being set as Check + NO.
    How do we solve this?
    4) Some transactions are not associated with any objects and are shown as priority 1; how to deal with this?
    Also send links if I can find documentation specific to these objects,
    something as specific as for PLOG: http://help.sap.com/saphelp_erp2005vp/helpdata/en/fe/73ba3bd14a6a6ae10000000a114084/content.htm
    We need this urgently, please help
    Thanks,
    Samir

    Hi,
    The PNP database will take care of the authorization check. It will not execute if the user does not have authorizations.
    Hope this helps.

  • HR ABAP Custom Authorization Check

    Hi all,
    We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
    GET PERNR.
        I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
    Thanks in Advance.

    There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
    Some special differences are:
    - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
    - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
    - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
    This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
    Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 27, 2009 9:03 PM
