Putting Authorization Check in MM03 Material Dimension

Similar Messages

• Query - Authorization Check for Material Details

  Hi Experts,
  I've got a requirement where I've to put authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specifc matarils (checking the authorization field). Few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specifc material details such as dimensions (quantity,length, width, etc.).
  The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
  The second option would be to make the above said details invisible in the screen for the specific matarials.
  The Authorization object is M_MATE_MAT.
  The Authorization field is BEGRU.
  The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
  What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
  Thanks & Regards
  Pritam

  > I've got a requirement where I've to put authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specifc matarils (checking the authorization field). Few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specifc material details such as dimensions (quantity,length, width, etc.).
  >
  > The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
  >
  You can do this with authorization at transaction level.
  > The second option would be to make the above said details invisible in the screen for the specific matarials.
  >
  Invisible on the screen, you might need to consider the material screens user exit. I am not sure how your material master configured
  > The Authorization object is M_MATE_MAT.
  > The Authorization field is BEGRU.
  >
  > The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
  >
  > What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
  All in all, you need user exits to have field level authorization and maintain authorizations at transaction level for the one you dont want to show anyone or to few

• Authorization check on movement of material type

  Dear Experts ,
  Is it possible to have authorization check based on material type for a particular MB1B T code  with movement type 311 .
  Or
  Is it possible to have a restriction of material type for a particular movement type ?
  Regards
  Anis

  Hi Nick Whitehurst
  Do you know what is the exact settings for M_MATE_MAR for Material Type &
  M_MSEG_BWA for movement type ?
  Appreciated

• Authorization checking in BAPI

  Hi,
  I put in authorization checking for the 'Material group 1' field of a SD document. With this, only authorized users are allowed to change this field while other users without the authorization will not be allowed to change it. When i tested the authorization in VA02, it works fine. I was able to change it as i has been assigned with the required role/profile. On ther other hand, the other user without the role/profile was not able to change the field using VA02. I did another test using a Z program that calls 'BAPI_SALESORDER_CHANGE'. The Z program will change the 'Material group 1' field using 'BAPI_SALESORDER_CHANGE'. My initial thought was me with the required role/profile when running the Z program, will be able to change the field while the other user without the required role/profile will not be able to change it when running the Z program. However, the result shows that both users (with/without the role/profile) was also able to change the field using the Z program. Is there anyway to control the BAPI so that it works the same as in VA02? Thanks much for your advice.

  In your coding change
  IF sy-tcode = 'VA02'.
  to
  IF T180-TRTYP = 'V'.
  Then your coding will also work with BAPI. Try putting a break point before the If clause and execute the BAPI, you can see it yourself.
  SAP will set T180-TRTYP = 'H' for create, = 'V' for change and = 'A' for display.
  T180-TRTYP is a SAP recommended field to be used in user exits to know if the document is being created, changed or displayed
  If sy-tcode = 'VA02' will not work with BAPI as you are actually not executing transaction VA02.
  Also just disabling screen fields for input will not have affect on the BAPI call.
  You would need to ensure it through separate coding

• Authorization Check during PR creation

  Hi,
  I would like to put authorization check in PR creation,particularly
  in the account assignment category. I have created a customized authorization object ZX with the field activity and knttp. My problem now is what userexit i can put this authorization check during PR creation/change...
  i have 2 kind of user, 1st is have access to all and 2nd user is create/change/display to kntpp = K. how can i accomplish this?
  appreciate all the help.points will be given. thanks
  she

  thanks. at the moment, we dont have abaper to work on the coding and to check userexit..so i was hitting this by all the help i can get from this forum. anyone had tried or worked with the same requirement? appreciate if i can have the abap coding at the same time the userexit being used.
  the requirement is to restrict user to create/edit PR to a certain account assignment KNTTP.
  i have created the customized auth object (knttp  -( actvy, knttp)..the customized auth object is maintained to each user role.
  Eg. user1 - knttp (acvtyt =*, knttp=KNTTP)
         user2- knttp(actvt = *, knttp=K)
  so if user2 try to create/change PR with account assigment not equal to K - cost center.
  error message will be trigger during authorization check.
  appreciate all the help.. thanks in advance.

• MM03 Material master display F4 help is not available

  Dear All..
                  For one particular user MM03 Material master display F4 help is not available
  even i have press the push button on material text the help is not popup.
  Even authorization already exist  for that user material master display.
  Please give your suggestion on this.
  Regards
  Anand.

  HI Anand,
  I am going to assume that the problem is with F4 help in general, and not just with MM03.
  If you have only one user with the problem, then the best way to troubleshoot is to compare with another user who is not having the same problem (like yourself).
  First check Help settings for the user:  From any screen, select Help>Settings  select F4 tab.  Review the settings. Look for differences.  Make corrections.  Save.
  If you can find nothing amiss, then the GUI is probably the culprit.  Check to see if this user is on the same version and patch as the 'successful' users.  From SAPLOGON, select the tiny SAP icon from the blue bar, then select 'About SAP logon'.  Alternately, you can right clik on the SAPLOGON on the Windows taskbar and select 'About SAP Logon'. 
  There are known problems of bad interactions between certain Microsoft Software and certain patches of SAPGUI.  If any problems, download the latest GUI version and patch from SAP software distribution Center
  http://service.sap.com/swdc
  Select Download>Support packages and Patches>Entry by Application group
  Select SAP frontend components.
  Select the appropriate platform, then download the version that you need.
  If the user is on the same vers & patch as you, and you can't find any other problem, might be a good idea to reinstall the SAPGUI.
  Regards,
  DB49

• Authorization Check in PO

  Hi..
        We have business requirement where cetain users are only allowed for certain material groups.
  Say user1 can access only material groups grp1 and grp3.
  Can we have a authorization check for material group in the purchase order ??.
  I suppose only plant , doc type , p-grp and P-Org are only checked for authorization in ME21N.
  I tried the following things ..
  - Created a object class and object.
  - Added this object to T-code ME21N (SU22).
  But it was not working.
  How do we handle this authorization check for material group.
  Thanks in Advance.

  You can add authorization for material group using this way :
  Put this code in program ZXM06U43.
  LOOP AT tekpo INTO l_ekpo.
    AUTHORITY-CHECK OBJECT 'M_MATE_WGR'
        ID 'BEGRU' FIELD D_BEGRU.
    If SY-SUBRC NE 0.
      MESSAGE E002(zz) with 'You are not authorized with Material Group'
       T_EKPO-MATKL.
    Endif.
  ENDLOOP.
  Then activate enhancement MM06E005 using SMOD or put it in your CMOD project

• Kanban authorization checks (SU24, PK13N, PK*)

  Hi,
  Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
  In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
  However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
  Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
  But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a secuty risk?
  Now, there is one object that is enabled: C_KANBAN
  But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
  For reference, a list of disabled auth objects:
  C_STUE_WRK CS BOM Plant (Plant Assignments)
  C_TCLS_MNT Authorization for Characteristics of Org. Area
  F_BKPF_KOA Accounting Document: Authorization for Account Types
  F_FICA_CTR Funds Management Funds Center
  F_FICA_FTR Funds Management FM Account Assignment
  F_FICB_FKR Cash Budget Management/Funds Management FM Area
  F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
  F_LFA1_APP Vendor: Application Authorization
  F_SKA1_BUK G/L Account: Authorization for Company Codes
  L_BWLVS Movement Type in the Warehouse Management System
  L_LGNUM Warehouse Number / Storage Type
  M_BANF_BSA Document Type in Purchase Requisition
  M_BANF_EKG Purchasing Group in Purchase Requisition
  M_BANF_EKO Purchasing Organization in Purchase Requisition
  M_BANF_WRK Plant in Purchase Requisition
  M_BEST_BSA Document Type in Purchase Order
  M_BEST_EKG Purchasing Group in Purchase Order
  M_BEST_EKO Purchasing Organization in Purchase Order
  M_BEST_WRK Plant in Purchase Order
  M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
  M_MRES_BWA Reservations: Movement Type
  M_MRES_WWA Reservations: Plant
  M_MSEG_BWA Goods Movements: Movement Type
  M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO Goods Movements: Storage Location
  M_MSEG_WMB Material Documents: Plant
  M_MSEG_WWA Goods Movements: Plant
  M_MSEG_WWE Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF Goods Receipt for Production Order: Plant
  M_RAHM_BSA Document Type in Outline Agreement
  M_RAHM_EKG Purchasing Group in Outline Agreement
  M_RAHM_EKO Purchasing Organization in Outline Agreement

  Hi Steven
  Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
  Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to a the next level the chance of a fix is greater (still not a guarantee)
  It's a pity if working as per design they could explain why.
  MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
  I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
  You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
  Regards
  Colleen
  P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

• Authorization check

  Hi ,
  i new to authorization so i need help ,
  i go to transaction SU21 and i choose some object for example:
  Object R_CPM_BSC
  Text Authorization Object SEM: BSC Elements
  Class SEM Strategic Enterprise Management*
  Author STASTNY
  Field name Heading
  SEMSCARD Scorecard
  SEMOBJTYPE Scorecard Elements: Object Type
  SEMOBJKEY Scorecard Elements: Object Key
  ACTVT Activity
  And when i push on permitted activities i get:
  R_CPM_BSC Authorization Object SE
  ACTVT Activity
  activists
  01 Create or generate
  02 Change
  03 Display
  04 Print, edit messages
  1. i have always just permitted activities for ACTVT ?
  if i wont that user just have display Authorization how i have to write it like below?
  AUTHORITY-CHECK OBJECT R_CPM_BSC
  ID ACTVT FIELD '03'
  thats it i don't use the other fields?
  Regards

  Hi,
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Vikranth

• Deactivate authorization checks in BSP or function modules?

  Hi all
  I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
  I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
  Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
  Regards
  Mike

  > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
  Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
  Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
  Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
  I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
  I would think that a carefull choice of function module and consulting with your functional guru about config which will not interfer with other requirements is the best route to take.
  I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
  Cheers,
  Julius

• Selection screen and authorization check for plant from 2 diff tables?

  Hi,
  Could anyone help me out?
  how to write code for  this?
  u2022   Fields for selection
  Plant : WERKS (one selection) - check authorization access u2013 Mandatory .
  Material code MATNR (one selection) - Mandatory
  and while doing the authorization check how should i check it ? here iam taking the table as t001w for werks and for selection screen iam taking it from another Z table......i should take 2 different tables here.....for selection and for authorization.
  my code is pasted below:
                   Data Declarations                                  *
  data: s_werks type t001w-werks.
                   Selection Screen                                    *
    SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-h01.
    PARAMETER : p_werks like Ztable-werks OBLIGATORY,
                p_matnr like mara-matnr  OBLIGATORY.
    SELECTION-SCREEN END OF BLOCK b1.
                   Start-of-Selection                                  *
  START-OF-SELECTION.
  **-Get Plants for Authorization check.
     SELECT werks
            FROM t001w
            INTO TABLE it_werks
        WHERE werks IN s_werks.
      LOOP AT it_werks INTO x_werks.
         v_werks = x_werks.
  Regards,
  Reddy

  Plant : WERKS (one selection)
  That means only 1 plant value to be given? Then you can use PARAMETERS instead of SELECT-OPTIONS. And additionally, you'll only have to check that plant value.
  Using SELECT-OPTIONS you would indeed retrieve the plants and check each individual selected plant. Your code for that is good enough to start with.
  I wouldn't do the check in the START-OF-SELECTION event, but rather in the AT SELECTION_SCREEN event.
  To perform an authorisation check; try the ABAP help on AUTHORITY-CHECK. And you will need to know which authorisation object you need to use.
  Just noticed you're using PARAMETERS
  WHERE werks IN s_werks
  should be
  WHERE werks eq p_werks
  But actually you don't need to select T001W. Just use the value in p_werks.
  Edited by: Maen Anachronos on Oct 10, 2008 7:53 PM

• Authorization Check in Personnel Cost Planning (PA-CP)

  Dear Experts,
  We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
  1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
  2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
  We are using SAP ECC 6.0.
  Has anyone encounter the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
  Thanks very much in advance.
  Alex

  Hi Alex,
  I am not very sure about Personnel Cost Planning,
  But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
  1) Switch on Trace using ST01.
  2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
  3) Anlayse the trace document and identify all the authorization object.
  4) BUild a new role with the auth objects and assign to test user id.
  5) test and confirm that the authorizations are not too many or too less.
  A time consuming but thorough approach.
  hope this helps.

• Authorization check in WDA

  Hello Gurus,
  I have two different types of users. Based on authorization check I should take them to respective view. Basically, I have 5 views, for type A users, I should take them from 1 thru 5 views. for type B users, I should them from 3 thru 5.  Please let me know how can I achieve this with necessary code/screen shots. (should I create 2 authorization objects).
  Thanks,
  David

  Hi David,
  I'm going to put my pseudo-moderator hat on for a moment, please bear with me, but the quality of this forum and that include the questions as well as the answers is important to me.
  Have you searched the forum for prior posts?
  I have seen some very similar questions answered before - perhaps you could have a look and if these are not enough to help you could you  let us know what it is that these prior posts do not answer for you.
  Thanks,
  Chris

• Regarding authorization checks

  Dear forumers,
  I have a new custom transaction code, and this transaction code is defined for a custom report program.
  The custom report program provides end users with an interface to view and manually maintain data records in a custom table.
  I wish to add authorization checks to this via SU24. After doing this, however, I noticed that if a user without the necessary authorization is unable to access the custom transaction code, he is still able to run it via SE38 by entering the custom program name.
  How can this be resolved - so that, for a user who does not have the sufficient authorization, he cannot access both the transaction code and the program name manually?
  Appreciate any advice on this at all. Thanks.

  If that is a custom program you can put the following in your program code before processing starts, right after START-OF-SELECTION and throw an error message if the function returns anything other than value 2. Replace VA42 with your transaction code
  This will ensure that the user won't be able to executed it in SE38 even, if they don't have authorization to execute the transaction
  CALL FUNCTION 'AUTHORITY_CHECK'
         EXPORTING
              user                = sy-uname
              object              = 'S_TCODE'
              field1              = 'TCD'
              value1              = 'VA42'
         EXCEPTIONS
              user_dont_exist     = 1
              user_is_authorized  = 2
              user_not_authorized = 3
              user_is_locked      = 4
              OTHERS              = 5.
  IF sy-subrc NE 2.
    MESSAGE TYPE 'E'....
  ENDIF.

• Authorization checks vs ST01 data

  Experts. My 1st post.
  I Just tried to find on the forum about my issue and could not find anything.
  Question: How could ST01 shows that the user passed on the authorization check if he have authorization to a fixed value different?
  The user have VKORG assigned as MX* on 2 different roles. Using SE16 and AGR_1252 on both roles i have the value MX*.
  Opened the ST01 and set for the user received the message below. See that the first line have VKORG= ;
  20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
  20:18:34:434   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
  20:18:34:434   AUT.       - - -     V_VBRK_FKA RC=0     FKART=F2;ACTVT=01;
  20:18:35: 4   AUT.       - - -     P_ORGIN    RC=0     INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
  20:18:35: 7   AUT.       - - -     P_ORGIN    RC=0     INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
  20:18:35:11   AUT.       - - -     P_ORGIN    RC=0     INFTY=0900;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
  20:18:36:133   AUT.       - - -     V_VBRK_VKO RC=0     VKORG=MX02;ACTVT=01;
  20:18:36:133   AUT.       - - -     V_VBRK_FKA RC=0     FKART=ZLAT;ACTVT=01;
  20:18:37:888   AUT.       - - -     S_CTS_ADMI RC=0     CTS_ADMFCT=TABL;
  The problem is that the user while execution a procedure to create a few invoices have them with ZERO "0" Value on them.
  On most cases there is no problem with it, this happens sometimes.
  Sorry if I Could not express right and will put more information if needed.
  Regards.
  Vladimir

  >
  Jurjen Heeck wrote:
  > > 20:18:34:342   AUT.       - - -     V_VBRK_VKO RC=0     VKORG= ;ACTVT=19;
  >
  > I think (not completely sure here) the authorization check above just checks the activity and does not bother about the value of the VKORG field.
  >
  Hi Jurjen,
  you are right. This is a typcal case for the check for value 'dummy'.
  b.rgds, Bernhard