PA0008 table Authorization

The information in infotype 0008 is accessed in multiple ways (direct select statements, through PNP and function modules) by HR programs. Many of these programs do not have an authorization check built in. Is it possible to put an authorization check at the database table (PA0008) level? The ABAP AUTHORITY-CHECK statement can be used, but the problem is that there are so many programs. So is there any way to overcome this situation?

The only method of getting to Infotype 0008 without an authorization check is a direct select from the database.  Now eventually all SAP programs, functions etc. have to do a select at the lowest level of code to get the data.
To answer your question, the only way to ensure an authorization check is carried out is to have it in the ABAP Code.  But here are some more specific answers:
1.  Logical Database PNP - As long as a program uses PNP in combination with the PROVIDE, ENDPROVIDE commands for the infotype, authority checks will be carried out.  The only time a program will not do an authority check is if a programmer bypasses this with a direct select.
2.  Standard SAP Function Modules - I have yet to come across standard SAP function modules that read infotype 0008 without an authority check.  I have seen some function modules that have a parameter to skip the auth check, but I have not seen this used much in SAP standard code.  I have seen developers write custom code that sets the parameter to ignore the auth checks, but we don't allow this.
3.  Custom Z Programs - My recommendation is to use logical database PNP or SAP standard functions whenever possible to read infotype 8.  If you have to do a direct select, the custom program should include an authority check.
For the most part, if you stick to SAP standard, you should be fine.  The most problems will come in with custom development where these guidelines are not followed.
Best Regards,
Chris H.
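
Added example (not part of the original thread, and not SAP's own code): a custom report that reads PA0008 with a direct SELECT and then passes every row through the standard function module HR_CHECK_AUTHORITY_INFTY before output, which is the check point 3 above asks for. The report name, selection fields and variable names are hypothetical; confirm the function module interface in SE37 on your release.

```abap
REPORT zhr_p0008_checked.            " hypothetical report name

TABLES pa0008.

SELECT-OPTIONS s_pernr FOR pa0008-pernr.
PARAMETERS p_keyda TYPE d DEFAULT sy-datum.

DATA: lt_p0008  TYPE STANDARD TABLE OF pa0008,
      ls_p0008  TYPE pa0008,
      lv_denied TYPE i.

START-OF-SELECTION.

  " Direct SELECT: the database layer performs no HR authorization check,
  " so the rows in lt_p0008 are still unfiltered at this point.
  SELECT * FROM pa0008
    INTO TABLE lt_p0008
    WHERE pernr IN s_pernr
      AND begda <= p_keyda
      AND endda >= p_keyda.

  LOOP AT lt_p0008 INTO ls_p0008.
    " Check read access for this person, infotype, subtype and period
    " against the authorizations of the user running the report.
    CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
      EXPORTING
        tclas            = 'A'            " master data
        pernr            = ls_p0008-pernr
        infty            = '0008'
        subty            = ls_p0008-subty
        begda            = ls_p0008-begda
        endda            = ls_p0008-endda
        level            = 'R'            " read
        uname            = sy-uname
      EXCEPTIONS
        no_authorization = 1
        internal_error   = 2
        OTHERS           = 3.

    IF sy-subrc <> 0.
      " Fail closed: any non-zero result (including internal errors)
      " means the record is not shown.
      lv_denied = lv_denied + 1.
      CONTINUE.
    ENDIF.

    WRITE: / ls_p0008-pernr, ls_p0008-subty,
             ls_p0008-begda, ls_p0008-endda,
             ls_p0008-lga01, ls_p0008-bet01.
  ENDLOOP.

  IF lv_denied > 0.
    WRITE: / 'Records skipped (no read authorization):', lv_denied.
  ENDIF.
```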

Similar Messages

  • External Table Authorization Best practices

    Hi,
    I am working on OBIEE External table Authorization. I am able to successfully implement it for one Project (catalog). The fields of the Authorization table (AuthTable) are
    Windows_ID     Employeeid     Name     EmpEMail     GroupName     Process_ID     Process_Name     Portal_Path
    Here, as per the requirement, a user should see data for a few processes. So I put in a column for Process_ID and subsequently created an INIT block in the repository where the query is like
    Select 'PROCESS_ID',AuthTable.Process_id
    From AuthTable
    WHERE upper(AuthTable.AD_ID) = upper(':USER')
    Then for User Groups I applied filters for all the tables, e.g. for every Logical Table I applied the filter
    Dim_Process."Process ID" = VALUEOF(NQ_SESSION."PROCESS_ID")
    I checked the data and everything is correct. But my question is:
    We have many projects/catalogs for which the filter criteria will be different, so shall we insert a new column for each criterion in the SAME AuthTable, or is there any other and better way to maintain it? Because if we maintain one table for all the projects/catalogs it will be very messy, I would prefer to keep different tables for different projects/catalogs as their data marts are different.
    But the problem is that for all other session variables we may use different INIT BLOCKS and hence different tables, BUT for PORTALPATH there should be only one INIT BLOCK, so only for PORTALPATH's sake do we need to keep everything in the same table?
    Tell me if I am wrong somewhere in my understanding or if there is a better way to do it.
    Regards
    Saurabh

    Hi,
    Pls refer to this link. Kumar explained it very clearly
    http://obieeblog.wordpress.com/category/obiee/obiee-security/
    Pls award points, if helpful
    Regards,
    Sarat Nallapati

  • How to find tables changed from one table authorization group to other.

    Hi Experts,
    We have an issue where certain tables have been moved from one authorization group to the other table authorization group.
    We want to find all tables' previous authorization group.
    Is there any way we could find the old authorization group?
    (for example)
    Consider a scenario where a table agr_1251 was moved to the new auth group ZAUTH.
    I wanted to find which auth group was holding the table agr_1251 previously.
    Can you please help me on this request?
    Thanks.

    One more way is to check TR (Table E070, E071). But you need to find the details for table (Like for role it is R3TR, ACGR).
    Regards,
    Arpan Paik

  • Find when table Authorization Group was changed

    Dear Experts,
    Kindly help me find this. Table T001B has the standard Authorization group FB31, but it has been changed to &NC& by someone. &NC& means there is no Authorization group assigned to the table. I need to find when it was changed. Do I have any way to find it out? I checked by entering the table name in CDPOS; I didn't find any entry. Kindly help me find out who changed the Authorization group for table T001B and when.
    Thanks & Regards,
    Sathish

    Thanks Thomas,
    I checked in that transaction; it shows the log only for 3 months. I don't see any changes to the table I want; maybe this Authorization group change was done even earlier.
    Thanks for your reply.

  • Table Authorization GRP info req?

    Hi
    I need to make a new Z authorization group for a Z table, so that it can be used in the maintenance generator.
    So please tell me how to make it, and is there any concern that should be taken care of in making it so that MG can be used with limited authorization?
    Please tell me the way to do it, so that I can use it in my MG.
    Regds

    hi
    good
    Below is the procedure to create the table maintenance generator.
    1) Create one function group.
    2) After activating your Z table, choose 'Utilities' ----> 'Table maintenance generator'.
    3) Then give the authorization group and the function group created above in the next screen.
    4) Then choose the "Create" button in your application toolbar, which will create the module pool program.
    5) Then create one Tcode by choosing "Transaction with parameters (parameter transaction)".
    6) In the transaction field give "SM30", and select the check box "Skip initial screen".
    7) At the bottom of that screen you can find the "Default values" frame.
    8) There, under "Name of screen field", type "View name" and "Update".
    9) In the column against "View name" give your table name, and against "Update" put 'X' in capital letters.
    Save it; then you can straight away use this newly created Tcode to maintain your table.
    Note:- 1) You can make modifications to this newly generated program (even though it looks like a standard program; no need to enter the access key).
    2) If you make any changes to your table and press the activate button, the table maintenance generator will automatically be removed; you need to create it again.
    thanks
    mrutyun^

  • Help with external table authorization

    Hi Every One,
    I am using OBIEE 11.1.1.6.
    I have setup MSAD authentication through rpd and every user is able to login to analytics.
    And there is an external table in the database where I have all the user and their groups( all users in MSAD are in this table)
    I have created session variable called GROUP to have these usergroups for authorization.
    I have created the groups in the front end with exact names that are in the external table.
    But I can't set up the required privileges;
    every user is seeing all the reports and subject areas.
    Do I need to create the application roles with exact names as groups names in rpd?
    Do i need to create groups in weblogic console?
    Please help me in this regard.

    Hi,
    I have created the groups in the front end with exact names that are in the external table.
    Do I need to create the application roles with exact names as groups names in rpd?
    No need to create any groups or application roles in rpd.
    Test Authorization init block properly.
    Create application roles under console, which are nothing but groups in your external table. Apply security to dashboards accordingly.
    Regards,
    Srikanth

  • Custom Table Authorization Control

    Hi gurus-
    I got the following scenario-
    The scenario is-
    We have a custom table. On that custom table, there are couple of fields that we want to control access (display access, edit access, no access etc.) based on different user profile role. I know you can control access on table basis by Authorization Group but for access control within a field (some records within that field will be accessed by only few people, other records by other group of people), how can these be accomplished, if possible. Authorization Object Controls access for a particular field. But my understanding is for all records in the field. Can you subdivide those into different groups of records?
    The logic is-
    After user enters input values (key fields in the custom table maintenance program), the program looks up the authorization group for the user and checks if the key combination has authorization to change access, if yes it executes the program, otherwise returns an error message. Can you accomplish that with the use of another field like Profile Group to maintain a list of records for different user groups?
    Any help will be greatly appreciated!!!
    Thanks!

    Hi,
    you can ask your ABAP consultant to code in the table maintenance events. We need to call appropriate authorization objects in the events and allow/disallow the changes for a field/record based on the authorization.
    If you want more details on TMG events, just search in SCN. We have lot of information on this.
    Thanks,
    Vinod.

  • Table authorization group SE54

    fellows,
    I created a new authorization group in SE54 and assigned some tables to the new auth. group. But now the business is asking me to reverse the whole thing, which means assigning the tables to the auth. group assigned previously. But I don't remember the previous auth. group. Is there any way I can find out how it was before I made the changes? Your help will be appreciated.

    You can only do that by using the "negative list" approach - also previously known as "ranging" in R/3...
    At least it checks something, but the user might have access to everything which you do not exclude in their authorizations or the code.
    Chances are very good, that users will have many different ways to access tables directly. So depending on how disciplined you are about your security concept, it might well be that they will bypass transaction code restrictions, organizational logic (contents of the table fields) and other programmed authority-check or file system logic to access / download data if they are determined.
    Most users do not knowingly deploy such tools or queries, but that is of course no reason not to protect business or legal critical data, and other data.
    Cheers,
    Julius

  • Broadcast Setting Table ( Authorization User )

    Hello All,
    I have a requirement wherein , I need to change the "Authorization User".
    But going into the setting and changing it manually every time is quite a tedious job.
    Is there any table which stores information regarding Authorization User.
    PS : RSRD_SETTING stores only Owner & Last Changed By, but not Authorization User.
    Thanks & Regards,
    Sheetal

    Hello Pravender,
    Thanks, It has solved my problem
    Thanks & Regards,
    Sheetal

  • External table authorization

    I have done external table authentication by creating user related details in the db, but I'm unable to view user specific data (row level data security), i.e. external table authorization. I have not used user groups. It is showing details pertaining to all users.
    Looking forward to your valuable suggestions....

    Hi,
    Pls refer to this link. Kumar explained it very clearly
    http://obieeblog.wordpress.com/category/obiee/obiee-security/
    Pls award points, if helpful
    Regards,
    Sarat Nallapati

  • OBIEE11g1.5 External Table Authorization

    Hi,
    I have integrated LDAP for authentication.
    But for roles I have created an external table and by initialize block, I am populating it dynamically.
    My cache is disabled in NQSConfig file and Cache is unchecked in initialize block also.
    It is populating properly in My Account-->Roles and Catalog Groups.
    But my problem is:
    If user1 first logs in and he has access to AP Subject Areas, he is able to see it.
    But after it User2 logs in, who has AR Subject Areas, is seeing AP Subject Areas, rather than AR.
    Could anybody help me.
    Thanks,
    Sunil
    Edited by: 990324 on Mar 5, 2013 11:28 PM

    Hi Sunil,
    Couple of questions here.
    1. If you do not assign the roles through an external table and manage them still through EM, do you still see this issue?
    2. If you still see that user2 could see the AP Subject Area, then there is a high chance of an issue with your roles and their relationships.
    3. How about the user2 roles relationship with roles of user1. I mean, by any chance user2 belongs to a role which has access even to AP Subject Area. Did you try explicitly setting the role 'NO Access' restriction in your dashboards security?
    4. What happens if the user2 logs in first? Does he still see AR Dashboard, but this time if user1 logs in later, he too sees AR Dashboard?
    Thank you,
    Dhar

  • To extract data from PA0008 table

    Hi to all
    My requirement is to check for wage type 1005 for an employee.
    But the problem is that the wage type fields are lga01, lga02, lga03... and so on.
    How do I check for wage type 1005?
    Please guide me.
    Thanks & Regards
    Anubhav

    hi check this ,
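    REPORT  ZZZ009.
    " Requires logical database PNP in the report attributes; GET PERNR and
    " PROVIDE then read infotype 0008 through the standard HR authority checks.
    TABLES: PERNR.
    INFOTYPES: 0008.
    DATA: BEGIN OF WAGETYPES,
          LGA LIKE P0008-LGA01,
          BET LIKE P0008-BET01,
          ANZ LIKE P0008-ANZ01,
          EIN LIKE P0008-EIN01,
          OPK LIKE P0008-OPK01,
          BEGDA LIKE P0008-BEGDA,
          ENDDA LIKE P0008-ENDDA,
          END OF WAGETYPES.
    GET PERNR.
      PROVIDE * FROM P0008 BETWEEN PN-BEGDA AND PN-ENDDA.
        " Validity period of the current infotype record
        WAGETYPES-BEGDA = P0008-BEGDA.
        WAGETYPES-ENDDA = P0008-ENDDA.
        " Walk the repeating wage type fields. Only the first three slots
        " (LGA01..LGA03) are scanned here; raise the count to cover every
        " LGAnn slot that P0008 has in your release.
        DO 3 TIMES VARYING WAGETYPES-LGA FROM P0008-LGA01 NEXT P0008-LGA02
                   VARYING WAGETYPES-BET FROM P0008-BET01 NEXT P0008-BET02
                   VARYING WAGETYPES-ANZ FROM P0008-ANZ01 NEXT P0008-ANZ02
                   VARYING WAGETYPES-EIN FROM P0008-EIN01 NEXT P0008-EIN02
                   VARYING WAGETYPES-OPK FROM P0008-OPK01 NEXT P0008-OPK02.
          IF WAGETYPES-LGA IS INITIAL.
            " Slots are filled from the front; an empty one ends the list
            EXIT.
          ELSE.
            " SY-INDEX is the DO loop counter, i.e. the slot number
            WRITE: / WAGETYPES-LGA, WAGETYPES-BET, WAGETYPES-ANZ,
                     WAGETYPES-EIN, WAGETYPES-OPK,
                     WAGETYPES-BEGDA, WAGETYPES-ENDDA, SY-INDEX.
          ENDIF.
        ENDDO.
      ENDPROVIDE.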
    regards,
    venkat.
    Edited by: venkat  appikonda on Mar 14, 2008 12:44 PM

  • Table Name - For Authorization objects and fields.

    Hi
    Could anyone let me know in which table Authorization Objects and Authorization fields are stored?
    Thanks N Regards.
    Priya

    hi,
    TOBJ ---> Authorisation Objects
    Refer to the link.
    http://saptechnicalinfo.blogspot.com/2008/07/sap-authorization-objects-tables.html
    Regards
    Sumit Agarwal

  • External Table User-ID authorization?

    Hi All,
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    In this blog, the procedure in connection pool, as data Source Name as Whatever.World, and the Shared Logon as, username. What should actually go in there, or does it really matter?
    Thank you.

    Hi ssk1974,
    What should actually go in there, or does it really matter?
    Yes, you need to give the credentials as per your database. In that blog he gave an example saying to give your username and password.
    In your case give the stage or development database name, user name and password you're using for the RPD and presentation server.
    So you can move ahead with the blog steps.... Hope it helps you.
    By,
    KK

  • ASSIGN AN AUTHORIZATION GROUP TO MANY TABLE

    Hello,
    I have several hundred tables to assign to an authorization group zaut.
    Is there any easy way to do it?
    I do not want to go to se54 and change every table's authorization group one by one.
    Please help.
    Thanks,
    Jeongbae

    Use Tcode SM30V_DDAT to assign the Authorization Group to multiple tables.
    Regards,
    Naimesh Patel
