Reg:Authority Check object
Dear All,
I am calling two authority check object M_MATE_MAR and M_MSEG_BMB in my report.
Now for a user if i see the Role the second object M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
M_MSEG_BMB sy-subrc = 4 as check is failng.
My requirement is the user should not see some movement types irrespective of the material ,
If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
so wht should be done in my case.
Regards
Hi Rajendra,
When you hit F1 on the Authority-check,
If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
When sy-subrc = 40, An invalid user ID has been entered in user.
Hope it helps.
Sujay
Similar Messages
-
Authority-Check Object for PLANT(WERKS)?
Hi Experts,
By using "V_VBAK_VKO" Authority Object am checking the user Authentication against the sales area(Sales OrgDistr. ChannelDivision) in my custom report. Below is the code,
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD s_vkorg
ID 'VTWEG' FIELD s_vtweg
ID 'SPART' FIELD s_spart
ID 'ACTVT' FIELD '01'
ID 'ACTVT' FIELD '02'.
(Note: My report is for SD/OTC module)
I also need to check the authenmtication of user against entered PLANT (WERKS) in selection screen, so, pls. let me know that What is the Authority-Check Object for PLANT(WERKS)
Thank youHi,
Transaction SU20, search for WERKS.
When you find it, double click on the row, in the bottom half of the resulting screen there is a list of authorisation objects that contain the field.
Unfortunately, you can't navigate from this list into the definition of the objects, so you'll need to cross-reference against transaction SU21.
Regards,
Nick -
How to create authority check object and assign to ztcode which is of modu
Dear ,
how to create authority check object and assign to ztcode which is of custom module pool program.its urgent kindly help points rewarded.Manoj,
You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
K.Kiran. -
Plz tell me how to create authority check objects and how to usein prg
dear sir,
plz tell me how to create authority check objects and how to usein prghttp://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
Create custom authorization Customer specific object
If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
AUTHORITY CHECK OBJECT Object_name
ID fieldname1 FIELD fieldvalue1
ID fieldname2 FIELD fieldvalue2
ID fieldname3 FIELD fieldvalue3.
If sy-subrc eq 0. "Authorization exists
Endif.
http://articles.techrepublic.com.com/5100-6329_11-5110893.html
Edited by: JackandJay on Jan 16, 2008 10:21 AM -
How to create Authority check object
Hello Gurus,
How to create Authority-check object 'ZABC'
ID 'TABLE' FIELD 'ZTABLE'.
Please tell me detailed procedure.
Thanks in advance.
Best Regards,
zuberaDear Zubera,
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
To create a authorization field:
1. Choose Create authorization field.
2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
4. If desired, enter a check table for the possible entries. For more information about check tables.
For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
Assigning an Authorization Object to an Object Class
Each authorization object must be assigned to an object class when it is created.
Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
You can also create authorization objects in the Object Navigator (SE80).
Creating / Choosing Object Classes
The system displays a list of existing object classes.
Object classes are organized according to the components of the system.
Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
Creating an Object
Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
You can regenerate the profile SAP_ALL after creating an authorization object.
Best Regards,
Rajesh
Please reward points if found helpful. -
About authority-check object 'M_MATE_WGR'
hi all
I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = 03 (display) and BEGRU = the material group. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and dont save the current material group in the internal table.
After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
Thank you in advance .
NickYou are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
Hope that helps. -
Securing action box items with authority-check object
In a 4.6c environment I have setup action box items for various sm and QM notifications.
I would like to secure some of the action box items that their execution is only allowed by authorized personnel using authority-check objects.
Is there a way to secure the action box item by the item number? If not the action box items are using a function module. Maybe I could use the fm name in the authority-check.
Any ideas would be greatly appreciated.Hi,
just see these examples
SAPTLIST_TREE_CONTROL_DEMO_HDR
SAPTLIST_TREE_CONTROL_DEMO
SAPTLIST_TREE_MODEL_DEMO
and for getting a checkbox we have to repalce the icon what is there in the example program and handle the checked and unchecked event for the checkbox.
this can be achieved by using object oriented methods...
reward if helpful
rgds,
Prajith
Prajith -
Hello Freinds,
If there is a field from custamize table for exa.(Zmara-werks )then can we use standard authority check object? or should we create custamize authority object.
Please guide me...........
Thanks,
AmarHi ,
To Find Authorization Object for a particular field, use TCode SU21. Click on Find button and enter the filed name to know the Authorization Object.
If suitable combination of required fields is not found in Authorization objects, new objects need to be created. Use TCode SU21 to create new authorization objects. Click on Create Button and enter new object class name and press save button. -
We consolidated R3 financial data to an SEM system. The authority-check object does not exists in SEM, thus the user can never perform those things unless I comment it out, or find one that works. The code is below.
Any suggestions?
Thank-You.
" Check security to determine if this user has unlock permission
AUTHORITY-CHECK OBJECT 'E_CS_PERMO'
ID 'PERMO' FIELD '1' "Open period
ID 'DIMEN' FIELD g_dimen
ID 'RVERS' FIELD g_rvers
ID 'BUNIT' DUMMY
ID 'CONGR' FIELD g_congr.If auth object check is really required, i suggest to check with functional team for equivalent auth object.
Thanks,
SKJ -
Regarding Authority check objects
Hi All,
I have some confusion on Authority-check and its working.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
ID 'ACTVT' FIELD '03'
ID 'DICBERCLS' FIELD tddat-cclass.
In the above code, 'DICBERCLS' FIELD tddat-cclass... these values will take and compare with tddat table list.
but my question is how it will check the ID 'ACTVT' FIELD '03' ??How it will check for the ACTVT is '03'.
It will take it from any table?
Thanks in advance,
MadhuHi,
You are coding as follows:-
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
ID 'ACTVT' FIELD '03'
ID 'DICBERCLS' FIELD tddat-cclass
This authorisation object is for Table Maintenance (via standard tools such as SM30).
Now when the code is executed, SAP will check that whether the current user has an Authorization Group as the value in TDDAT-CLASS in the user role and the activity is 03 or display.
If in the user role, the basis guys have given the Authorization Group(DICBERCLS) value as XYZ and the value in tddat-cclass is also 'XYZ' and the value of ACTVT field in the user role is '03', SAP will allow the user only to display the table via SM30.
If the authorisation group is different or if the ACTVT is different, the user will not be allowed for this authority check.
I hope this is clear for you.
Regards,
Ankur Parab -
Authority-Check object 'Z99_ARB ' id 'Z99_ARBMGR' field 'Y'.
Hi
I'd appreciate a STEP-BY-STEP on how to create my own authority-check objects.
The help I have is not comprehensive - it only refered me to SU20 and SU21.
Thank youMoving on; there are hundreds of scenarios, but this is the simple step-by-step I was looking for:
Step 1:
SU20 - List of Authorization Fields
--> Create a new authorization field e.g. Z_FIELD and assign either SAP standard or custom Data Element and a Package
Step 2:
SU21 - List of Object Classes
--> Forward Navigate into the application area of choice e.g. HR
> Create your Z object e.g. Z_OBJEC
> Add Z_FIELD as an authorization field
Step 3:
Set up the user list that should have the authorization added to their profile and fwd to your Security Consultant
Step 4:
Within ABAP editor use the Pattern to select your new Z_OBJEC
and assign a required field value for the id (object-field) e.g.
authority-check object 'Z_OBJEC'
id 'Z_FIELD'
field 'X'.
Edited by: Adrian Bruwer on Mar 9, 2010 7:36 PM -
Hi all,
can anyone explain what this statement does.
authority-check object 'Z_Abc_def'
id 'ZAbc_defI' field '*'.
Thanks in advanceCheck the sap provided help:
here is an excerpt:
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
Regards,
ravi -
Hi Everybody ,
Can anyone send me the PPT for authority check .
My mail id is [email protected]
Regards ,
Senthil .Hi,
You can check in the below SAP link, this is having the Screen shots also ..
http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
http://www.sapdevelopment.co.uk/security/authority/authhome.htm
Regards
Sudheer -
With regard to lock object and authority check
hi all
i would like to know about lock object and authority check specifically in reports. there is a coding in sap library with regard to authority check, but there is no coding to restrict user (i mean there is no user names that the object is restricting for a particular user or any user has got permission to change or display object).
further, the code mentions that you need an authorization in your user master record for the object, could any of u explain where is user master record.
below is the code for authority check.
*& Module USER_COMMAND_0100 INPUT
MODULE USER_COMMAND_0100 INPUT.
CASE OK_CODE.
WHEN 'SHOW'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD '*'
ID 'ACTVT' FIELD '03'.
IF SY-SUBRC NE 0. MESSAGE E009. ENDIF.
MODE = CON_SHOW.
SELECT SINGLE * FROM SPFLI
WHERE CARRID = SPFLI-CARRID
AND CONNID = SPFLI-CONNID.
IF SY-SUBRC NE 0.
MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
ENDIF.
CLEAR OK_CODE.
SET SCREEN 200.
WHEN 'CHNG'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD '*'
ID 'ACTVT' FIELD '02'.
IF SY-SUBRC NE 0. MESSAGE E010. ENDIF.
MODE = CON_CHANGE.
SELECT SINGLE * FROM SPFLI
WHERE CARRID = SPFLI-CARRID
AND CONNID = SPFLI-CONNID.
IF SY-SUBRC NE 0.
MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
ENDIF.
OLD_SPFLI = SPFLI.
CLEAR OK_CODE.
SET SCREEN 200.
ENDCASE.
ENDMODULE. " USER_COMMAND_0100 INPUT
i thank u all for the help in advance.hi
this might help
REPORT YUSRLOCK NO STANDARD PAGE HEADING.
TABLES: TRDIR, USR02.
DATA: MARK,CNTR TYPE I,
ACCNT LIKE USR02-ACCNT, ERDAT LIKE USR02-ERDAT,
ANAME LIKE USR02-ANAME, CLI(3) VALUE 'AAA', SZIN TYPE I,
SYDATUM LIKE SY-DATUM, FLAG(3).
TABLES: UINFO.
DATA: OPCODE TYPE X VALUE 2.
DATA: BEGIN OF USR_TABL OCCURS 10.
INCLUDE STRUCTURE UINFO.
DATA: END OF USR_TABL.
START-OF-SELECTION.
CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
ID 'TAB' FIELD USR_TABL-SYS.
SELECT * FROM USR02 CLIENT SPECIFIED ORDER BY MANDT BNAME.
IF USR02-MANDT <> CLI.
SZIN = SZIN + 1. SZIN = SZIN MOD 2.
CLI = USR02-MANDT.
ENDIF.
IF USR02-UFLAG = 0.
MARK = ' '.
ELSE.
MARK = 'X'.
ENDIF.
CLEAR FLAG.
LOOP AT USR_TABL.
IF USR_TABL-BNAME = USR02-BNAME AND USR_TABL-MANDT = USR02-MANDT.
FLAG = '!!!'.
ENDIF.
ENDLOOP.
SYDATUM = SY-DATUM - 30.
IF SYDATUM < USR02-TRDAT.
IF SZIN = 0.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
' ',FLAG COLOR 6.
ELSE.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
' ',FLAG COLOR 6.
ENDIF.
ELSE.
IF SZIN = 0.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
' ',FLAG COLOR 6.
ELSE.
WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
' ',USR02-MANDT COLOR 2,
' ',USR02-USTYP COLOR 2,
' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
' ',FLAG COLOR 6.
ENDIF.
ENDIF.
HIDE: USR02-BNAME, USR02-MANDT.
ENDSELECT.
CLEAR USR02.
TOP-OF-PAGE.
WRITE:/ 'LOCK USER CLIENT TYPE LAST lOGIN ' COLOR 6.
SKIP.
AT USER-COMMAND.
IF SY-UCOMM = 'SEL'.
DO.
CLEAR MARK.
READ LINE SY-INDEX FIELD VALUE MARK.
IF SY-SUBRC NE 0. EXIT. ENDIF.
IF USR02-BNAME IS INITIAL.CONTINUE.ENDIF.
SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE
MANDT = USR02-MANDT AND BNAME = USR02-BNAME.
IF MARK = 'X' AND USR02-UFLAG = 0.
USR02-UFLAG = 64.
UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 64 WHERE
MANDT = USR02-MANDT AND
BNAME = USR02-BNAME.
COMMIT WORK.
ENDIF.
IF MARK = ' ' AND USR02-UFLAG = 64.
USR02-UFLAG = 0.
UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 0 WHERE
MANDT = USR02-MANDT AND
BNAME = USR02-BNAME.
COMMIT WORK.
ENDIF.
ENDDO.
CLEAR USR02.
ENDIF.
regards
Arun -
Authority Check on B_USERSTAT not working
Hi Gurus,
I have a simple question on authority check that I cant quite understand.
Basis has created auth key : ZWP_CCS, where by user with the auth key can create,change, delete.
so, in my code, I have implemented the following. However, it seems that all user, even though from different auth key can still pass thru. Is there something that I miss? Thanks.
AUTHORITY-CHECK OBJECT 'B_USERSTAT'
ID 'ACTVT' FIELD '02'
ID 'BERSL' FIELD 'ZWP_CCS'
ID 'STSMA' FIELD 'ZS_IRC'.
Edited by: Julius Bussche on Jan 1, 2009 1:32 PM
More meaningfull subject title added.Hi
use without qoutes if it is a variable .
AUTHORITY-CHECK OBJECT 'B_USERSTAT'
ID 'ACTVT' FIELD '02'
ID 'BERSL' FIELD ZWP_CCS
ID 'STSMA' FIELD ZS_IRC.
and
if sy-subrc <> 0.
message " error ".
endif.
reg
Ramya
Edited by: Ramya S on Dec 31, 2008 5:43 AM
Maybe you are looking for
-
I downloaded Mountain Lion onto my iMac. Now i want to upgrade my Macbook Pro (10.7.5) to Mountain Lion. Do i need to purchase another download?
-
How to add a route in routing table
Hi, I want to add a new route to the routing table to get access to a explicit tunnel. Using Terminal I tried route add 172.16.0.0 mask 255.255.0.0 192.168.0.102 route: must be root to alter routing table so I tried: sudo route add 172.16.0.0 mask 25
-
Is there a way to calculate the area of a shape?
I work in toy packaging and the size of the warning we have to use is dictated by the size of the package. On most items, it's pretty straight forward, LxW... But that doesn't always work, as the packaging isn't always that simple. Is there a way to
-
hi , if the end-user is entering some garbage like "-/-*" in the select-option. how to do validations at selection-screen? with regards always learner points will be rewarded if useful
-
Change request without correction
Hello. Is it possible to create Corrections without link to Transport Request? In case I need to make some changes non-conected with settings in system.