RE: Authority checks included in the info set of the query

Hi all,
I am checking the program code for one of our custom tcodes and I asked the ABAP team to add an authority check to the program code because there is no auth check in the code, and the ABAPers told me that the authority check is included inside the info set of the query and not in the program. The program is used to execute the query in the Tcode.
How do I find the authority checks included in the info set of the query?
Thanks in advance,
Sun.

If you have the BI support roles assigned to you and the security admin roles, please log in to the BI system,
execute transaction RSECADMIN, click on the analysis tab and execute as the user who is assigned the role with restrictions.
For variables in authorizations (like type customer exit),
use RSECADMIN - maintain authorization tab - click on the value authorization tab.
The key transaction is RSECADMIN, and InfoObject maintenance details you can get from RSD1.
Regards

Similar Messages

  • Authority check based on the tables used in a programme

    Based on the tables used in a programme, can I see the authority checks available in the system? If yes, how do I go about it?

    Using the below FM:
    SUSR_USER_AUTH_FOR_OBJ_GET
    EFG_USER_AUTH_FOR_OBJ_GET
    You can get all the authority checks available for a user.
    Regards,
    Prakash.

  • Authority check at field level in the sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    " One statement: only the last ID line ends with a period
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object.
    In ID 'ACTVT' FIELD '02', in place of 2 you can put 1, 2, 3 for change, create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis guy and create and use.
    regards
    Anji
    Message was edited by:
            Alvaro Tejada Galindo

  • Authority check at field level in sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi agree with Jan and Auke,
    To my knowledge it is object V_KONH_VKO which you are looking for. See the documentation in SU24 - SD class.
    But whether or not that will influence the visibility / editability of the screen in VA02 etc when turned the check on in SU24, I am not sure.
    If not, search the forum for topics relating to "transaction variants", "variant transactions" and "screen variants" to see whether those solutions will fulfill the requirement.
    Cheers,
    Julius

  • About authority-check object 'M_MATE_WGR'

    hi all
    I have a problem about authority-check object 'M_MATE_WGR'. The detail is below:
    Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
    After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
    Thank you in advance .
    Nick

    You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
    Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
    Step 2: Retrieve the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
    Hope that helps.
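
The filter described in this thread, written out as an added ABAP example (not code from either poster). The report name and variable names are hypothetical; the object M_MATE_WGR, its fields ACTVT and BEGRU, and table T023 are as named in the thread.

```abap
REPORT z_matkl_auth_filter.  " hypothetical report name

TABLES t023.

SELECT-OPTIONS s_matkl FOR t023-matkl.

DATA: lt_t023    TYPE STANDARD TABLE OF t023 WITH DEFAULT KEY,
      ls_t023    TYPE t023,
      lt_allowed TYPE STANDARD TABLE OF t023-matkl WITH DEFAULT KEY,
      lv_matkl   TYPE t023-matkl,
      lv_denied  TYPE c LENGTH 1.

START-OF-SELECTION.
  " Resolve the user's selection to concrete material groups.
  SELECT * FROM t023 INTO TABLE lt_t023 WHERE matkl IN s_matkl.

  LOOP AT lt_t023 INTO ls_t023.
    " M_MATE_WGR is checked against the authorization group
    " (T023-BEGRU), not against the material group itself.
    AUTHORITY-CHECK OBJECT 'M_MATE_WGR'
      ID 'ACTVT' FIELD '03'
      ID 'BEGRU' FIELD ls_t023-begru.
    IF sy-subrc = 0.
      APPEND ls_t023-matkl TO lt_allowed.
    ELSE.
      lv_denied = 'X'.  " status flag: at least one group was filtered out
    ENDIF.
  ENDLOOP.

  " Rebuild the select-option from the allowed groups only.
  CLEAR: s_matkl, s_matkl[].
  LOOP AT lt_allowed INTO lv_matkl.
    s_matkl-sign   = 'I'.
    s_matkl-option = 'EQ'.
    s_matkl-low    = lv_matkl.
    APPEND s_matkl.
  ENDLOOP.

  " Fail closed: an empty select-option means "no restriction" in a
  " later WHERE matkl IN s_matkl, which would return every group.
  IF s_matkl[] IS INITIAL.
    MESSAGE 'No authorized material groups in selection'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  IF lv_denied = 'X'.
    MESSAGE 'Some material groups were removed: no authorization'
      TYPE 'S'.
  ENDIF.
  " ... continue with the report, selecting WHERE matkl IN s_matkl ...
```

The empty-range check matters because clearing and refilling s_matkl for a user with no authorized groups would otherwise widen the selection instead of narrowing it.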

  • Authority-Check object 'Z99_ARB ' id 'Z99_ARBMGR' field 'Y'.

    Hi
    I'd appreciate a STEP-BY-STEP on how to create my own authority-check objects.
    The help I have is not comprehensive - it only refered me to SU20 and SU21.
    Thank you

    Moving on; there are hundreds of scenarios, but this is the simple step-by-step I was looking for:
    Step 1:
      SU20 - List of Authorization Fields
      --> Create a new authorization field e.g. Z_FIELD and assign either SAP standard or custom Data Element and a Package
    Step 2:
      SU21 - List of Object Classes
      --> Forward Navigate into the application area of choice e.g. HR
      --> Create your Z object e.g. Z_OBJEC
      --> Add Z_FIELD as an authorization field
    Step 3:
      Set up the user list that should have the authorization added to their profile and fwd to your Security Consultant
    Step 4:
      Within ABAP editor use the Pattern to select your new Z_OBJEC
      and assign a required field value for the id (object-field) e.g.
      authority-check object 'Z_OBJEC'
                                       id 'Z_FIELD'
                                   field 'X'.
    Edited by: Adrian Bruwer on Mar 9, 2010 7:36 PM

  • Urgent(Authority-check)

    Hi Gurus..
    I have used the PNP logical database.
    But I have used a few select statements to read data from infotypes.
    Do I need to do the authority check separately,
    or will the logical database take care of it?
    Please provide me with accurate answers.. as it's an urgent issue..

    To create an authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you want to create both object and class.
    While defining the object you will have to provide what fields will be in this object. For example, if I am creating a custom object to be used in SD based on customer and plant, I would include fields such as KUNNR and WERKS in my authority object. In addition to that, if I also want to check for display/change/create access, I would also add a field called ACTVT (activity).
    Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values; for example, for display-only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache.)
    You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values (say Actvt 03, customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0, it means the authority check is OK and the user has the authorization.
    I think this will give you an idea on how to proceed.
    Cheers

  • Bypassing authority check in function module

    Hi experts,
    I have developed an ABAP report on material BOM explosion using function module cs_bom_explosion.
    It's working fine and all data are coming OK since I HAVE THE AUTHORITY OF T CODE CS03.
    Please note all BOM function modules check for authorization.
    However, in the production environment some users may not have CS03 AUTHORIZATION.
    For them this report is not displaying any BOM data.
    Now the requirement is such that the user will not have CS03 authorization,
    but will see the BOM data through this report.
    So how to stop the authorization check for cs_bom_explosion in the ABAP report?
    regards
    pankaj

    As per my knowledge, granting the rights to those users is the only solution. Nowadays the customers are wanting to add explicit authority-checks in the Z objects too!! So, I don't see that it's a good idea to bypass the check.
    thanq
    Edited by: SAP ABAPer on Mar 7, 2009 6:12 AM

  • Authority check - in terms of User Group

    Hi all,
    I need to restrict the usage of a finance report by order of users. The report has order group as an input; only certain order groups should be viewed by certain users. In the authority check, can I do the checking by using user groups instead of individual users? I.e. create a separate object for each separate order group, and for each order group can I check against the user group instead of individual users? Kindly help.
    thanks.

    hi,
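    Authorization check can be done for:
    1. Transactions
    2. ABAP programs
    In ABAP programs use the below code as reference for authorization check:
    " Placeholders: the object, field and value are missing from the post
    AUTHORITY-CHECK OBJECT '<authorization object>'
      ID '<authorization field>' FIELD <field value>.
    IF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.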
    rewards points if useful.
    regards
    sandhya

  • About authority check~

    Hi!
    Let me ask something.
    As usual, when we call a program using a T-CODE in the command field, R3 checks the authority, even for a BDC program.
    But, in the program text, I programmed like this: "CALL TRANSACTION XXX".
    The system doesn't check authority.
    For example, a user types 'XD01' in the command field, and the system denied it. But a user calls 'XD01' through my program, and the system admitted it. And in my program, I coded like this: "CALL TRANSACTION 'XD01'."
    I don't know why... Have you ever seen anything like this?
    If somebody knows this, please let me know what I should do about it!
    Sorry for my poor English, I need your help~~

    Hi Kyung Woo,
    When the user enters the transaction code, let's say XD01, the R/3 system would get the authorization information as defined in the user's profile and check if the authority object required to execute the transaction exists in the user's profile. This is just a preliminary check. It prevents the non-technical users from accessing the transaction.
    But when it comes to a technical user like an ABAP Programmer, almost anything can be done within the R/3 system. For example, you can just write a small program of about a few lines and cause serious damage to the entire R/3 System.
    The point is that when you use the CALL TRANSACTION statement, it means that you are writing the program to accomplish some functionality. The preliminary check is bypassed in this case. But if there's an authority check coded into the transaction, then even the CALL TRANSACTION method won't work.
    But remember one thing - so long as you are an ABAPer, with the authorization to create a program in SE38 and execute it, along with the authorization for Debugging, you can do almost anything within the R/3 system.
    It is up to the programmer and the company to take care of any such mishaps happening. Anyways, when it comes to the Production system, your hands are all tied up. You would never have the authorization to do any development directly in there. If you do, then somebody is in very deep trouble !!:-).
    As far as the Development system is concerned, nobody really bothers too much about them, because they do not affect any real-time data.
    Regards,
    Anand Mandalika.
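
One way for the calling program in this thread to enforce the start check itself before CALL TRANSACTION, as an added ABAP example (not code from either poster). The report and class names are hypothetical; S_TCODE with field TCD is the standard transaction-start authorization object.

```abap
REPORT z_checked_call_transaction.  " hypothetical report name

CLASS lcl_launcher DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only if the current user may start iv_tcode.
    CLASS-METHODS is_start_allowed
      IMPORTING iv_tcode          TYPE sy-tcode
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_launcher IMPLEMENTATION.
  METHOD is_start_allowed.
    " Same object the system checks when the code is typed into the
    " command field; a plain CALL TRANSACTION does not repeat it.
    AUTHORITY-CHECK OBJECT 'S_TCODE'
      ID 'TCD' FIELD iv_tcode.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_launcher=>is_start_allowed( 'XD01' ) = abap_false.
    MESSAGE 'No authorization to start transaction XD01'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " On ABAP 7.40 and later the statement can carry the check itself:
  "   CALL TRANSACTION 'XD01' WITH AUTHORITY-CHECK.
  CALL TRANSACTION 'XD01'.
```

This only restores the transaction-start check; any AUTHORITY-CHECK statements coded inside XD01 still run as the answer describes.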

  • Posting Period coming into the rows at the query runtime & couldn't drop it

    Hi All,
    We have a query on an InfoCube that we have copied to the Multiprovider containing two cubes, exact copies of the original cubes.
    Two cubes are one for the previous years and one for the current year.
    Now, the query is copied from original cube to the MultiCube.
    The query looks exactly the same in the Query Designer. But when run in Analyzer or on Web, Posting Period is coming into the rows automatically and in Analyzer, when I double click on the Posting Period to take it away from the report, it doesn't go away. Similarly in web, I do not have a option 'Remove Drilldown from rows', against posting period. I have identified posting period in both the cubes in the MultiCube configuration.
    Thanks in advance for any suggestions that you have.
    Best Regards,
    - Shashi

    hmm, we have now something interesting....
    but this means that you have two structures defined in your query right?
    Is your query cell based? It looks to me that this is the case; you have elements using created using the posting period thus it can be moved to the free chars and must be included in the drilldown.
    Remove the posting period again and perform a check before saving the query; this may give the element defined with your posting period.
    hope this helps...
    Olivier.

  • Error when i save the query

    Hi All
    I am adding CKF's to the columns in the Bex query; afterwards, when I Check or Save the query, it is throwing an error which I have no idea about. Did anyone face this issue before?
    Error: [A299[Brain] Terminate: System error in program SAPLRRI2 and from CHECK_MAX_MEMBERS-01- (see long text)
    Diagnosis
    This internal error is an intended termination resulting from a program state that is not permitted.
    Procedure
    Analyze the situation and inform SAP.
    If the termination occurred when you executed a query or Web template, or during interaction in the planning modeler, and if you can reproduce this termination, record a trace (transaction RSTT).
    For more information about recording a trace, see the documentation for the trace tool environment as well as SAP Note 899572.
    Thanks

    This looks like a bug. I will enter a bug report. Thanks, Laura.

  • Why does Firefox remove the URL from the query string?

    Hello there,
    I'm writing a servlet to read data from a file stored on a server. I'm using an HTTP <INPUT TYPE=file > element to locate the file to be read. When I run the servlet using IE as the browser it works fine. When I try running it using Firefox, the path to the file is not included in the query string. The full URL to the file shows up in the file input text field but then mysteriously disappears from the query string. Without the path, the servlet can't locate the file and the servlet fails. How do I get Firefox to include the path in the query string, or is there some other workaround for this problem? I want my servlet to work on all types of browsers.
    thanks,
    grant

    Well you may also ask it the other way. Why does Microsoft send the full path file with the input type="file" component?
    The purpose of this control is to upload a file from the client to the server. That file is sent with the request.
    It does not allow you to browse server files at all. Most probably you are working on your developer machine where the client IS the server, so it works right now.
    It won't once they're separate.
    <input type="file"> is the wrong tool to use to browse the server. You need to write your own html pages to do that.
    Cheers,
    evnafets

  • How to use the AUTHORITY-CHECK in ABAP

    I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects, the program goes out and checks the authorization in the user's master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
    Thanks

    Hi Greg,
    Basically an AUTHORITY-CHECK is a programmatic way to check an auth object a user has. This is only as good as the person writing the code makes it.
    Here is a basic example of how it could work. Let's say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
    In the code the programmer would have to first do the authcheck to see what CC the user has access to. Then they would have to limit his reporting based on the results of the authority check. So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
    This is what I think you are looking for. There are other ways to use the auth check. You can do a check and end the program with a message if they don't have authorization.
    If you need more info, let me know
    John

  • Authority Check for the User

    Hi,
         In how many ways can we set authorizations? I mean, in how many levels? My requirement is, to check the Authorization for a specific user to see if he is authorized to execute a Specific Z-Transaction (Report) for a specific Plant. How do I do that? I assume I need to code the AUTHORITY-CHECK OBJECT.... in my report. If yes, in which event? Please let me know.
    Thanks and Regards,
    Venkat.

    Hi Venkat,
    You can put in the AUTHORITY-CHECK at a number of points, after initialisation, during selection, prior to output - it depends on what the program is doing and how the rest of it is coded.
    For example, doing a big select and then only outputting based on the authority check may not be efficient with large volumes of data.
