P_ABAP

Similar Messages

• P_ABAP not skipping the authorization check

  Hi All,
  I would require your assistance on the following issue at earliest.
  HR key users are executing the HR standard reports by using the t-code S_PH0_48000509 Adhoc query and also with t-code SQ01. when they executing the reports, system has been checking their authorizations while executing the report and this execution time of report taking longer and also throwing a ABAP DUMP.
  Hence, I gone through some blogs and also sap help about the auth object P_ABAP, as stated in the help I have provide an access to the user
  with option 2 under
  P_ABAP (HR: Reporting) - Authorizations for Human Resources - SAP Library
  HR InfoSets for InfoSet Query (SAP Library - InfoSet Query)
  But system still checking the authorization against the user in both foreground and background for above t-codes. Please assist on the same
  Thanking you,
  Kotesh

  Hi,
  The P_ABAP object works with programs, in the transaction you mention, the program getting the final result is not the same as the one behing the transaction for the AdHoc query... The programs for the queries are generated because the user has to make selection for input and output.
  So from there you cannot use this simplifcation object. But if the users starts already saved queries (and not infoset), then you could find and use that specific report.
  I tried and traced myself:
  AUTH       
  P_ABAP
  RC=0  REPID=!QZZ/SAPQUERY/H0MUYLAE08141045;COARS=2;type=TR;name=S_PH0_48000509;
  AUTH       
  P_ABAP
  RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=S_PH0_48000509;
  The name of the report is generated and always starts with something like AQZZ* or !QZZ*
  But this is because they work from the Infoset.
  If you start from the SQ01 and the queries:
  AUTH       
  P_ABAP
  RC=0  REPID=AQZZ/SAPQUERY/H0CM_02========= ;COARS=2;type=TR;name=SQ01;
  AUTH       
  P_ABAP
  RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=SQ01;
  There the name of the query is fixed because the structure of the selection, the fileds  are already defined and fixed. You only choose the values to be processed.
  The name is no more generic but always the same AQZZ/SAPQUERY/H0CM_02 for:
  AQZZ  this is for a query from infoset /SAPQUERY/H0 on query CM_02
  The second line on the trace, is very dangerous to use because this would skip all HR controls in PNP programs, meaning almost all HR programs... So I do not recommand that option.
  Best regards,
  Jonathan

• Object autorization P_ABAP in RPAPRT09 for trx. PBA7

  Hello, I have problems with PBA7, this activating the authorization object P_ABAP in LRP, but in LRQ  doesn't, and the rol in LRP and LRQ is the same ones for the user.  The value that requires is (2) but the rol has the value (1).  The program is RPAPRT09 
  Some suggestion?

  Hello Simon,
  putting P_ABAP in a authorisation role, in particular with SAPDBPNP and simplification 2, will open up all reports based on logical database PNP/PNPCE.
  I suggest to add the leaver position (I guess that will be 99999999) as a root object to the structural profile of the user.
  Also run a full trace on the user authorisation with transaction ST01 that will show if the user misses authorisations for certain infotypes. If that is the case it might be as simple as adding authorisation for these infotypes (probably in object P_ORGIN or P_ORGINCON).
  Best regards
  Karsten

• Default Authorization object P_ABAP for PA20

  Dear colleagues!
  After SP implementation roles werу adjusted and new authorization check for P_ABAP was added for transaction PA* (PA20, PA30...).
  Where is hr-reporting checks in these transactions? It's critical for personnel data maintenance or used only for sub-menu reports?
  Trace for PA20 shows the following values for P_ABAP check (PA20-Goto-Planning Data-...):
  P_ABAP     RC=12 REPID=SAPMP50A;COARS=2;
  P_ABAP     RC=12 REPID=SAPDBPNP;COARS=2;
  SAP Release ERP 6.0 EHP4 (10 stack)
  Regards,
  A.M.

  Hi,
  The values mentioned for P_ABAP here is not necessary to be added in a role. SAPDBPNP is a logical database and providing P_ABAP with degree of simplification (COARS) = 2 is very dangerous, as it will bypass any authorization check while executing reports related to that logical database.
  Providing such values will disturb your entire authorization design as even though you might restrict an user on few Infotypes in P_ORGINCON, but with this value, it actually bypasses any report using this logical database to check for Infotype authorization or structural auth restriction.
  To suggest a possible solution, I would like to know exact activities intended to be done with PA20 and level to access provided in P_ORGINCON. Please can you share that here?
  Thanks,
  Deb

• P_ABAP Object

  Hi,
  Can anyone give me solution for the below issue;
  I  Dont' want to give read authorization for IT 0008 and appraisal infotypes, but I want user to execute reports , which uses IT 0008 and appraisal infotypes to give result
  For example RPTIMEOO Report uses IT 0008 to give result;
  Thanks,
  Shahid

  You can take a look at usage P_ABAP object; P_ABAP is used to override P_ORGIN authorization for a particular report or program. You can add the payroll program to the object with value 2 to ignore completely the authorization for <b>this program</b>. However you might need to remember that using this Auth object will lead to some performance issues. Also this need to be used carefully as it has the tendancy to override the HR master data authorization - P_ORGIN.
  You can read about the object in this link -
  http://help.sap.com/saphelp_47x200/helpdata/en/16/b8b83b5b831f3be10000000a114084/content.htm
  Hope this helps.
  Regards
  Chandra

• Using of P_ABAP for Batch User IDs

  Hi Experts,
  I'm am contemplating to assign P_ABAP to bypass all authorization checks for reports for our system batch ids that will be used for executing background jobs. My consideration is that if P_ABAP is utilized, unnecessary authorization checks during execution of the background jobs by these batch ids will be skipped and will improve our performance of the background jobs.
  I want to seek advise if this is a recommended practice and if any experts have implemented similar set-up. I would also like to know if there is any risk that could result from such an implementation.
  Regards,
  Justin

  In my opinion, there's some risk with doing this. A person with 'S_BTCH_NAM' authorization could easily run these reports in background job submitted as one of these batch ids which could really cause issues.
  Rgds.

• Authorization on PNP logical database

  My limited understanding of authorization on reports that uses PNP/PNPCE logical database is that if a user who runs the report does not have authorization for any of the declared infotypes then the report stops with message 'no authorization for infotype ...'.  And if the user has authorization for the infotypes but do not have authorizations for some of the PERNRS then it will only display those records that user have authorization for and shows message saying no. of skipped records (of those that user did not have authorization).
  Programmers here say that the users who do not have authorization for some infotypes should still be able to see list for other infotypes that they do have authorization for.
  -- Please shed some light on this and guide me if there is a cookbook/document out there about this.
  Thanks a bunch.
  Netra

  Hi Neha,
  Adding further.
  Each report is different in its own way and there are various ways of controlling the access to the Reports based on ur scenario.
  The first check happens at the P_ABAP level where in it checks the access to the program corresponding to that report and level of access (1,2).
  If these are missing then it goes further to check for the explicit access
  in objects like
  P_ORGIN, P_PERNR etc.
  Now in some of these reports the processing is designed in such a way that if the access to an IT is not available it throughs a error message and the processing of the report stops at that instance (this depends on the message type which has been defined at that instance to be displayed) so at this instance you need to have access to that IT to proceed further but in some other cases the check does happen but the processing continues without stopping at that check failure(example is P_PERNR, the check happens but is not required for processing the report).
  This is one example but there could even more criterion based on which the processing of the report is terminated or allowed to continue depending on the reports utility
  <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaabc35c111d1829f0000e829fbfe/frameset.htm">The different message types and their significance is as follows</a>
  So what you have been told by programmers is true in some cases but surely not accross all the HR reports and all auth objects.
  Hope this helps
  Manohar
  Message was edited by:
          Manohar Kappala

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Portal runtime error in Purchasing in ESS

  Hello,
  After logging in to the portal, when I go to Employee Self-Services -> Purchasing, which ever option (Shop, Confirm Goods / Services, Check Status) I click, I get a portal runtime error as shown below:
  #1.5 #005056803084006B00000039000000FC0004638903CCAF24#1235340032299#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#smagan#23907##KSCEPD.esr.cri.nz_EPD_3051250#smagan#f667c1b0012b11deb880005056803084#SAPEngine_Application_Thread[impl:3]_29##0#0#Error#1#/System/Server#Java###Exception ID:11:00_23/02/09_0004_3051250
  [EXCEPTION]
  #1#com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Portal Component
  Component : pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.ess.bp_folder/com.sap.pct.erp.ess.roles/com.sap.pct.erp.ess.employee_self_service/com.sap.pct.erp.ess.employee_self_service/com.sap.pct.erp.ess.area_purchasing/com.sap.pct.erp.ess.purchasing_services/com.sap.pct.erp.ess.purchasing_service
  Component class : com.sapportals.portal.sapapplication.SAPApplicationIntegratorComponent
  User : smagan
  at com.sapportals.portal.prt.core.PortalRequestManager.handlePortalComponentException(PortalRequestManager.java:973)
  at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:343)
  at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
  at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
  at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
  at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
  at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
  at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
  at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
  at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
  at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: Exception in SAP Application Integrator occured: Unable to parse template &\#39;&lt;System.Access.ITS.protocol&gt;://&lt;System.Access.ITS.hostname&gt;/sap&lt;ESID&gt;/bc/gui/sap/its/&lt;IAC[SAP_ITS_NAMESPACE]&gt;?sap-client=&lt;System.client&gt;&amp;sap-language=&lt;Request.Language&gt;&amp;sap-accessibility=&lt;User.Accessibility[SAP_BOOL]&gt;&amp;DisconnectOnClose=0&amp;DesignBaseUrl=&lt;LAF.BaseUrl[url_ENCODE]&gt;&amp;~design=&lt;LAF.Theme[url_ENCODE]&gt;&amp;&lt;Authentication&gt;&amp;&lt;DynamicParameter[PROCESS_RECURSIVE]&gt;&amp;&lt;ForwardParameters[QUERYSTRING]&gt;&amp;&lt;ApplicationParameter[PROCESS_RECURSIVE]&gt;&\#39;; the problem occured at position 121. Cannot process expression &lt;System.client&gt; because Invalid System Attribute:
  System:    &amp;\#39;SAP_LocalSystem&amp;\#39;,
  Attribute: &amp;\#39;client&amp;\#39;.
  at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContentPass(AbstractIntegratorComponent.java:123)
  at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContent(AbstractIntegratorComponent.java:98)
  at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209)
  at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
  at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
  ... 29 more
  Working Time, Timesheet, Personal Information, Pay Statement works perfectly. The error happens only in the case of Purchasing. I am new to ESS, so any help in this regard would be highly appreciated.
  Thanks,
  Ajay

  Hi Bala,
  It is happening for all users. I checked the authorizations in the backend. The roles assigned to the user has the following authorizations: S_RFC, S_SERVICE, S_TCODE, S_DATASET, S_TABU_DIS, S_WF_WI, P_TRAVL, PLOG, P_ABAP, P_ORGIN, P_ORGINCON, P_ORGXXCON, P_PCLX, P_PERNR, P_TCODE, M_BANF_BSA, M_BANF_EKG, M_BANF_EKO, M_BANF_WRK, M_BEST_BSA, M_BEST_EKG, M_BEST_EKO, M_BEST_WRK.
  In portal the user is assigned the ESS and Standard portal user role.
  The transaction ST22 shows the following:
      The user "TESTUSER9" has no RFC authorization for the function group                         
      "SDIFRUNTIME". Please contact your system administrator to give you                          
      the RFC authorization for the required function groups (such as "SDIFRUNTIME").              
      The RFC authorization object is S_RFC.
  Thanks,
  Ajay

• F110 Payment run - problem with DME file

  We are using a custom Payment medium Program for Colombia to generate a DME file. The problem is that after scheduling the Payment Run the user is trying to download the DME File into a folder on the PC to send to the bank. When the user clicks on the export file button the message says:
  'There is no source for the data record'.
  We tested this thoroughly in the Test environment and the user was able to download the file. But for some strange reason this is not happening in our production. The user has proper authorizations w.r.t F110 and FDTA transaction codes.
  I am not sure if this would be useful but when the user gets this message the SU53 screenshot shows Authorization failure to the object P_ABAP  HR: Reporting. The Object class is HR Human Resources and the ABAP Program name is SAPMFDTA.
  I am not able to understand why we get this because my client does not use SAP HR module.
  Please let me know how to resolve this.
  Regards,
  Raj/

  Hello,
  Please check the variant in OBPM4. To down load the file to PC, you special authorization and it is not rcommended as these files are very critical and changing to PC would allow the user to modify them.
  These files are being downloaded to application servers. You can see the folders in AL11.
  In OBPM1, you have enabled "DME file output".
  Hope this solves your problem.
  Regards,
  Ravi

• Authority Objects to read HR FM BAPI_ORGUNITEXT_DATA_GET

  Hello gurus,
     i want to run only FM BAPI_ORGUNITEXT_DATA_GET  through a SAP User ID, i assigned some Authority Objects to it but its not returining anything if i run it through other user using same parameters its showing me the data. i assigned S_DEVELOP the FM and Function group of the FM, it has access to all the infotypes P_ORGIN-all, S_DEVELOP - All tables, P_PERNR - all, S_RFC-the selected FUGR and SYST function group, P_ABAP -all.
  Do you guys think i am still missing something, to view the FM output.
  In the same user I am getting output from FM BAPI_EMPLOYEE_GETDATA. using these objects.
  NOTE: the user dont have any other objects assigned to it, apart from the specified here. (Though i assigned se37 for testing purpose).
  i will really appreciate your reply on the same.
  thanks in advance
  Mani

  Sorry - meant PLOG.  I haven't checked the FM in any depths,  but you if you pass object type O to the FM, this is the object type you will need to assign. 
  The PLOG could look like this:
  Infotype               1000, 1002 (you could put * here)
  Planning status    1 (presuming this is what you use)
  Object type          O
  Plan version         01 (or whatever is your active plan version)
  Function code      DISP, LISD (assuming you only want to see)
  Subtype              *
  You may need other obejct types in the authorization object.  If you use structural authorizations, they have to be in place as well. Consider that the authorization object defines what data your are allowed to read. Structural Authorizations decides where in the org.structure you can read those data.
  Your best way forward may be to got to SE37 and test the FM.  Then directly after (if it fails to deliver) go to SU53 and check the authorizations.
  No - you should not have to assign the transaction codes.
  Hope this helps.
  I may have misunderstood the usage of the FM. I am basing my answer on the fact that it reads OM.

• Access for the IT 0008 at the Program Level.

  Friends
  Quick question for your for the access for IT 008 for specific user.
  User have the access for the PA30 Tcode for IT 008.
  but user runs the Z* customized program to update IT 008 for specific Per number, he or she
  can not update the IT 008 for the user.
  There is not "authority-check" statement in the program
  Please advise.
  Thanks,
  From
  PT.

  Hi,
    Try assigning the P_ABAP  authorization objects which is used during the authorization check for HR Reports.
  Give the report name in the REPID field
  and in the COARS give 0,1, or 2 depending on the degree of simplification required.
  Different values for COARS
  : Authorization using
  COARS = <BLANK> or no authorization. The authorization checks are to be processed as in
  Authorization using
  COARS = 1.The authorization checks for the infotype/subtype combination and for organizational assignment are to be checked separately. This means that a user is authorized to read a personnel number when he or she has a read authorization for all the infotypes (subtypes) requested by the program and that the user has a read authorization for the organizational assignment of the personnel number. Authorization using
  COARS = 2. The authorization check is inactive.
  Thanks.
  Neha.
  Erie.Edited by: Neha Kapoor on Apr 7, 2009 8:51 PM
  Edited by: Neha Kapoor on Apr 7, 2009 8:53 PM

• Standard report Q's.

  Is there any EASY WAY to add fields to SAP standard report than copy and create a custom one?
  I am not a security expert but any idea's on how to restrict access to certain standard reports for certain user's?
  I dont want them to run any report who has basic pay info.
  Can we restrict them for infotype's.
  Thanks for earlier reply guys, SDN is best.
  Paul

  > Is there any EASY WAY to add fields to SAP standard
  > report than copy and create a custom one?
  It wasn't possibel in the old days.. You could some extent achieve this if an ENAHNCEMENT SPOT exists in the Report.
  > I am not a security expert but any idea's on how to
  > restrict access to certain standard reports for
  > certain user's?
  > I dont want them to run any report who has basic pay
  > info.
  > Can we restrict them for infotype's.
  There are few ways to restrict Access to reports/Infotypes ..Pl take a look at the Auth Objects P_ABAP & P_ORGIN.
  ~Suresh
  >
  > Thanks for earlier reply guys, SDN is best.
  >
  > Paul

• Ad Hoc Query & HR Structural Authorisations

  Good day,
  Can you kindly suggest solutions to the following?
  Users with access to IT0008 can view basic pay across company codes. Iam using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restiction on personnel areas for the company code in the role in which IT8 is allocated...
  Can you advise how i can restrict IT8 access for users across sites/company codes?
  Thanks have a lovely day!

  Hi Anders,
  Thank you for the reply,
  We are using HR structural authorisations with context solution P_ORGINCON, we have a HR Organisational based structure - where roles and PD profiles are linked to postions (PD Profiles are per company code as well nd linked to IT1017 on object S)... That is correct In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
  My roles have the personnel area restriction specified however when using Ad hoc query it is still allowing cross company access on it8. is there perhaps an object that is allowing this access we are not using object S_QUERY at this stage. could P_ABAP be allowing this access?

• Authorization check failed

  hello experts!
  i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
  cannot be displayed. when i check Tcode: SU53 Authorization check failed.
  Object Class HR Human Resources
  Authorization Obj. P_ABAP  HR Reporting\
  Authorization Field COARS Degree of simplification for authorizaton check       1
  Authorization field REPID ABAP program name     ZHRPY00018C
  Please help on this one...
  How to fixed this
  Thank you

  hello...
  actually this report has 2 display a List display and via smartforms...
  we laready add this program  in her authorization profile... the only problem
  is when she try to generate the report via smartform she cannot produced the
  the output print docu. because an error appears that my FORM cannot be display.
  But when i check it in the development i can produced a test document.
  please help...