PS reports authorization check

Similar Messages

• Custom HR Report--Authorization check required

  Hello,
  I have a requirement where in we have created a custom report.Now when user logs in and run this particular report as their authorisation is restricted to india or whatever, they should only see data relating to their company code/country. They must not be able to see data from any other country / company code.
  Another scenario is for some users authorisations is restricted to certain Org Units and when a Key User whose authorisation is restricted to a certain Org Unit, they should only see data relating to that Org. Unit and not every one's data.
  Is there any authorization object already existing that can acheive this functionality.
  Please suggest!!
  Thank you
  Arvind
  Edited by: Arvind Soni on Sep 17, 2009 3:43 PM
  Edited by: Arvind Soni on Sep 17, 2009 3:43 PM

  Hi,
  There are some auth. objects exist in HR. Such as P_ORGIN, P_ORGXX, P_ORGINCON, P_PERNR, P_APPL, PLOG,etc..
  Make the requried setting via t-code: OOAC
  Also you can define structural auth. via t-code OOSP, OOSB.
  If you use logical database of HR (PNP,PNPCE,PCH,PAP)or standard FM to read HR data, auth. check of these auth. object will be carried out automaticlly.
  You can change the profile of the users to achieve.
  Regards,
  Chen Jian

• Abap Report Authorization Checks

  Hi. I have some question on customized abap report to be based on user role organizational level.
  May I know how to program the abap report such that the report will show only data based on user role organizational level (Plant, Company, SalesOrg etc)?
  For instance, if userA role organizational level for plant is plantA, the abap report will only show data for plantA. If userB role organizational level for plant is plantB, the abap report will show data for plantB.
  May i know how to program the abap report?
  Appreciate any guidelines.

  Hi,
  Assign the Users with predefined roles.
  Attach the Orn Units(Plants/St locn, CC/etc) in the roles .
  create a Tcode for the report  and attach that Tcode in that role.
  So now the user can execute that report with that siplant to which he is authorised.
  Hope this helps.
  Regards,
  Anji
  Message was edited by:
          Anji Reddy Vangala

• Report to check authorization object used in customized programs

  Hi Guys,
  An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
  Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

  Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
  To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
  Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
  Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
  Code review is an art form!
  Cheers,
  Julius

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Re: Setting Authorization Check in Report Writer

  Hi,
  In ABAP Query or ABAP customized program, it is possible to set authorization object checking.
  In Report Writer, how can I do it?
  <REMOVED BY MODERATOR - REQUEST OR OFFER POINTS ARE FORBIDDEN>
  Thanks
  Edited by: Alvaro Tejada Galindo on Dec 26, 2008 10:59 AM

  Hi Colin,
  I would like to suggest,
  Creating an Authorization object & then using it in the report program is the preffered way.
  I would like to suggest a couple of references, quite similar to your issue,
  [SDN - Reference for using authorization checks at the report level|User authorisation check in ABAP-HR program;
  [SAP HELP - Standard Reference for Programming Autorization checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/6712ac439b11d1896f0000e8322d00/frameset.htm]
  [SAP HELP - Standard Reference for Authorization checks|http://help.sap.com/saphelp_nw04s/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm]
  Hope that's usefull.
  Good Luck & Regards.
  Harsh Dave

• Missing authorization check on the IM Reports

  Hi,
  We use RAIMINFO reports (S_ALR_87012805, S_ALR_87012806 u2026 ) to display
  structure and values in Ferrero Spa investment program
  On the initial screen, the value types which have to be output, are
  determined by the authorization checks to be carried out .
  For example in case that an user decides to display the plan or budget
  references to program position, the user has to have the authorizations
  on the Persons responsible (A_IMPR_VER). For us this is OK because we
  define responsibilities through A_IMPR_VER. But if user decides to
  display the appropriation request or measures and he doesnu2019t indicates
  the program position it seems that anything on the A_IMPR_VER will be
  performed. We need that the check on A_IMPR_VER will be performed always(for all objects: measures, appropriation request ).
  We think this is a function missing in RAIMINFO and in all the IM
  reports.
  Could you help us to solve this problem?
  Thanks and best regards,

  Hi,
  If you want use check box in crystal., then you can do this by writing piece of code.
  please try for
  If {Table.Field} = True Then
  'Display the checkbox of your choice here
  Formula = Chr(254).
  thanks.
  Bala

• Authorization checked for infoObjects even though not relevant to report

  Hello guys,
  I am facing a problem in BI 7.0 authorization checks.
  For a given report the BI team has placed a restriction in the query only for infoObject 0Comp_code (company code) and 0SOLD_TO (sold to party). Accordingly i have created authorization in RSECADMIN and assigned to role--> user.
  But when the user runs the report, he gets as authorization error and during analysis in RSECADMIN i see that "list of Authorization relevant charecteristics(infoObjects) for info provider xxxx" contain other infoObjects as well.
  Is it a case where infoObjects can be made authorization relevant for the whole  info provider eg-ZSD_M42" (where this is a multi provider)apart from being checked for specific reports eg- ZSD_M42_Q0001?
  How do i get around this problem?
  Regards,
  Prashant

  Hi Prashanth,
  What Zaheer said was exactly correct.Make sure all the Auth relevant Chaaracteristics of an Infoprovider  are properly authorized through your Analysis Authorization.Suppose if you don't need security on other Characteristics of an InfoProvider give * in your AA which will byepass check on that particular Auth relevant Characteristics..
  More over,See to that all the key figures are properly authorized as all the keyfigures are by default auth relevant in BI.
  Cheers,,
  Ramkumar C

• Authorization check on Z report

  Hello Experts,
  We had a requirement to develop a report which would combine the features of V.14 and V23 with some additional features like removing delivery blocks and billing blocks.
  We want to add some authorization checks so that some people are restricted to view information of only some sales organizations and some people like management will have a broader authorization to view details of multiple sales organizations.  How can we acheive this?
  For example in SU23 when we run our custom T code we do not see the authorization object which is used in the program. We are currently using VBAK_VKO in our program.
  Thanks and regards.
  ES.

  Hi,
  Adding to above replies, are you calling V.14 and V23 in your custom program or you created your own login in Z program? If standard tcodes are being called, make sure that appropriate restrictions are placed in SE97 tcode for the Z tcode.
  In SU24, you will have to add the object to the Z tcode. You will not see it automatically. But make sure that the authority check is there in program (can verify by a ST01 trace).
  As Anika said, you can create separate roles for each required sales organization.
  Thanks

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.

• Reporting authorization issue after BI 701 05 EHP1 upgrade

  Hello,
  We have recently upgraded our BI 7.0 to BI 701 EHP1 with 05 patch level. After this we had a problem with reporting authorizations for a report (query), which has created under Virtual Infoprovider.
  Earlier the report use to be execute perfectly with authorizations S_RS_ICUBE object with Act 03, Subobject DATA, but after upgrade to EHP1, while executing report its throwing a error pasted below.
  =============================================================================================
  "Diagnosis
  Errors occured while reading a VirtualProvider outside the BI system. Check whether the previous error messages contains any information about the possible cause of this error.
  It is possible that the error message can not be displayed because the error message class does not exist in the BI system. If this is the case, only the name of the error class and the message number are displayed. View the error class in the source system of the VirtualProvider.
  System Response
  Procedure
  Since the error is not necessarily in the BI system, there is no specific procedure for resolving it. With VirtualProviders, problems often occure with the connection to the system; these can lead to system termination. If the code for the VirtualProvider is not from the SAP, contact the relevant person to help resolve the issue.
  If an SQL error is listed in the previous message, see the procedure for SQL errors."
  ===============================================================================================
  After running st01 trace we identified the missing authorization is S_RS_ICUBE with Act 03, subobject DEFINATION.
  Here please tell why is the subobject check is performed to execute a report (query), as this is happening after EHP1 upgrade, so let me know if anyone had any clue on this ...
  Thanks

  Hi Martin,
  Thanks for reply.
  The assumption what you made are correct, but these are the possible reasons only. Is there any specific note or any info from sap that these changes came due to the new release change, so that i can tell my manager clearly.
  And I am not sure whether this is impacting the reports which using the VirtualProviders (Virtual CUBE) in place. If you could get bit more information that will be helpful...Thanks in advance.
  Sridhar

• Authorization check failed

  hello experts!
  i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
  cannot be displayed. when i check Tcode: SU53 Authorization check failed.
  Object Class HR Human Resources
  Authorization Obj. P_ABAP  HR Reporting\
  Authorization Field COARS Degree of simplification for authorizaton check       1
  Authorization field REPID ABAP program name     ZHRPY00018C
  Please help on this one...
  How to fixed this
  Thank you

  hello...
  actually this report has 2 display a List display and via smartforms...
  we laready add this program  in her authorization profile... the only problem
  is when she try to generate the report via smartform she cannot produced the
  the output print docu. because an error appears that my FORM cannot be display.
  But when i check it in the development i can produced a test document.
  please help...

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd

• Report authorization

  The authorization check on reports based on PNP/PNPCE logical database (both SAP and custom), I think is not working as suggested by SAP.  We have reports that have information on some sensitive information on employees.  From what SAP suggests if the user has infotype authorization then it should display all (including sensitive ) and if the user does not have authorization to view one infotype then it should display everything except this one infotype.  BUT in our place if a user does not have authoriztion for one infotype the reports stop saying no authorization for that particular infotype.
  I have experimented this with P_ABAP with swith 1 and 2.  It still does not resolve the issue. 
  It works fine on the structural profiles side.
  I would appreciate if somebody can tell me if my assumptions are wrong or there is a way to make it work.
  Thanks,
  Net

  Any ideas???