Regarding Authority check objects

Similar Messages

• Authority-Check Object for PLANT(WERKS)?

  Hi Experts,
  By using "V_VBAK_VKO" Authority Object am checking the user Authentication against the sales area(Sales OrgDistr. ChannelDivision) in my custom report. Below is the code,
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
      ID 'VKORG' FIELD s_vkorg
      ID 'VTWEG' FIELD s_vtweg
      ID 'SPART' FIELD s_spart
      ID 'ACTVT' FIELD '01'
      ID 'ACTVT' FIELD '02'.
  (Note: My report is for SD/OTC module)
  I also need to check the authenmtication of user against entered PLANT (WERKS) in selection screen, so, pls. let me know that  What is the Authority-Check Object for PLANT(WERKS)
  Thank you

  Hi,
  Transaction SU20, search for WERKS.
  When you find it, double click on the row, in the bottom half of the resulting screen there is a list of authorisation objects that contain the field.
  Unfortunately, you can't navigate from this list into the definition of the objects, so you'll need to cross-reference against transaction SU21.
  Regards,
  Nick

• How to create Authority check object

  Hello Gurus,
  How to create Authority-check object 'ZABC'
                                                           ID 'TABLE' FIELD 'ZTABLE'.
  Please tell me detailed procedure.
  Thanks in advance.
  Best Regards,
  zubera

  Dear Zubera,
  Creating Authorization Fields
  In authorization objects, authorization fields represent the values to be tested during authorization checks.
  To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
  To create a authorization field:
  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.
  4. If desired, enter a check table for the possible entries. For    more information about check tables.
  For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
  You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
  Assigning an Authorization Object to an Object Class
  Each authorization object must be assigned to an object class when it is created.
  Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
  You can also create authorization objects in the Object Navigator (SE80).
  Creating / Choosing Object Classes
  The system displays a list of existing object classes.
  Object classes are organized according to the components of the system.
  Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
  You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  Creating an Object
  Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
  You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
  Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
  Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
  You can regenerate the profile SAP_ALL after creating an authorization object.
  Best Regards,
  Rajesh
  Please reward points if found helpful.

• Regarding Authority check for V_VTTK_SHT  in one exit

  Hi Experts
  1.For VT01N transaction , there is one customer exit : ZXV56U18.
  2.In this  we will get the shipment type value.
  3.I have to check the authority check for this shipment type (SHTYP) field.
  4.I have written the following statement :
     authority-check object 'V_VTTK_SHT'
                    ID 'SHTYP' field    I_XVTTK_TAB-SHTYP
                    ID 'ACTVT' field '07'.
  5. For my user id , i have check the user profile in SU01.
  6.For me this authorization object , field ACTVT does not contain 07 value.
  7.In debugging , the SY-SUBRC  giving the value 0.even the user profile does not contain the value '07' for ACTVT field
  Can u tell y it is happening like that ?
  Regards
  Ramakrishna L.

  Hi Experts
  1.For VT01N transaction , there is one customer exit : ZXV56U18.
  2.In this  we will get the shipment type value.
  3.I have to check the authority check for this shipment type (SHTYP) field.
  4.I have written the following statement :
     authority-check object 'V_VTTK_SHT'
                    ID 'SHTYP' field    I_XVTTK_TAB-SHTYP
                    ID 'ACTVT' field '07'.
  5. For my user id , i have check the user profile in SU01.
  6.For me this authorization object , field ACTVT does not contain 07 value.
  7.In debugging , the SY-SUBRC  giving the value 0.even the user profile does not contain the value '07' for ACTVT field
  Can u tell y it is happening like that ?
  Regards
  Ramakrishna L.

• How to create authority check object and assign to  ztcode which is of modu

  Dear ,
           how to create authority check object and assign to  ztcode which is of custom module pool program.its urgent kindly help points rewarded.

  Manoj,
  You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
  K.Kiran.

• Plz tell me how to create authority check objects and how to usein prg

  dear sir,
  plz tell me how to create authority check objects and how to usein prg

  http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
  http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
  Create custom authorization – Customer specific object
  If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
  Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
  After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
            Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
  AUTHORITY CHECK OBJECT Object_name
              ID fieldname1 FIELD fieldvalue1
              ID fieldname2 FIELD fieldvalue2
              ID fieldname3 FIELD fieldvalue3.
               If sy-subrc eq 0.   "Authorization exists
               Endif.
  http://articles.techrepublic.com.com/5100-6329_11-5110893.html
  Edited by: JackandJay on Jan 16, 2008 10:21 AM

• About authority-check object 'M_MATE_WGR'

  hi all
        I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
  Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
  After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
  Thank you in advance .
  Nick

  You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
  Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
  Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
  Hope that helps.

• Securing action box items with authority-check object

  In a 4.6c environment I have setup action box items for various sm and QM notifications.
  I would like to secure some of the action box items that their execution is only allowed by authorized personnel using authority-check objects.
  Is there a way to secure the action box item by the item number? If not the action box items are using a function module. Maybe I could use the fm name in the authority-check.
  Any ideas would be greatly appreciated.

  Hi,
  just see these examples
  SAPTLIST_TREE_CONTROL_DEMO_HDR
  SAPTLIST_TREE_CONTROL_DEMO
  SAPTLIST_TREE_MODEL_DEMO
  and for getting a checkbox we have to repalce the icon what is there in the example program and handle the checked and unchecked event for the checkbox.
  this can be achieved by using object oriented methods...
  reward if helpful
  rgds,
  Prajith
  Prajith

• Reg:Authority Check object

  Dear All,
  I am calling two authority check object M_MATE_MAR  and M_MSEG_BMB in my report.
  Now for a user if i see the Role the second object  M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
  Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
  M_MSEG_BMB sy-subrc = 4 as check is failng.
  My requirement is the user should not see some movement types irrespective of the material ,
  If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
  so wht should be done in my case.
  Regards

  Hi Rajendra,
  When you hit F1 on the Authority-check,
  If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
  If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
  When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
  When sy-subrc = 40, An invalid user ID has been entered in user.
  Hope it helps.
  Sujay

• Authority Check Object

  Hello Freinds,
  If there is a field from custamize table for exa.(Zmara-werks )then can we use standard authority check object? or should we create custamize authority object.
  Please guide me...........
  Thanks,
  Amar

  Hi ,
         To Find Authorization Object for a particular field, use TCode SU21. Click on Find button and enter the filed name to know the Authorization Object.
  If suitable combination of required fields is not found in Authorization objects, new objects need to be created. Use TCode SU21 to create new authorization objects. Click on Create Button and enter new object class name and press save button.

• Authority-Check Object Help

  We consolidated R3 financial data to an SEM system. The authority-check object does not exists in SEM, thus the user can never perform those things unless I comment it out, or find one that works. The code is below.
  Any suggestions?
  Thank-You.
  " Check security to determine if this user has unlock permission
  AUTHORITY-CHECK OBJECT 'E_CS_PERMO'
     ID 'PERMO' FIELD '1'   "Open period
     ID 'DIMEN' FIELD g_dimen
     ID 'RVERS' FIELD g_rvers
     ID 'BUNIT' DUMMY
     ID 'CONGR' FIELD g_congr.

  If auth object check is really required, i suggest to check with functional team for equivalent auth object.
  Thanks,
  SKJ

• Authority-Check object 'Z99_ARB ' id 'Z99_ARBMGR' field 'Y'.

  Hi
  I'd appreciate a STEP-BY-STEP on how to create my own authority-check objects.
  The help I have is not comprehensive - it only refered me to SU20 and SU21.
  Thank you

  Moving on; there are hundreds of scenarios, but this is the simple step-by-step I was looking for:
  Step 1:
    SU20 - List of Authorization Fields
    --> Create a new authorization field e.g. Z_FIELD and assign either SAP standard or custom Data Element and a Package
  Step 2:
    SU21 - List of Object Classes
    --> Forward Navigate into the application area of choice e.g. HR
  > Create your Z object e.g. Z_OBJEC
  > Add Z_FIELD as an authorization field
  Step 3:
    Set up the user list that should have the authorization added to their profile and fwd to your Security Consultant
  Step 4:
    Within ABAP editor use the Pattern to select your new Z_OBJEC
    and assign a required field value for the id (object-field) e.g.
    authority-check object 'Z_OBJEC'
                                     id 'Z_FIELD'
                                 field 'X'.
  Edited by: Adrian Bruwer on Mar 9, 2010 7:36 PM

• With regard to lock object and authority check

  hi all
  i would like to know about lock object and authority check specifically in reports. there is a coding in sap library with regard to authority check, but there is no coding to restrict user (i mean there is no user names that the object is restricting for a particular user or any user has got permission to change or display object). 
  further, the code mentions that you need an authorization in your user master record for the object, could any of u explain where is user master record.
  below is the code for authority check.
  *&      Module  USER_COMMAND_0100  INPUT
  MODULE USER_COMMAND_0100 INPUT.
    CASE OK_CODE.
      WHEN 'SHOW'.
     AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD '*'
  ID 'ACTVT'  FIELD '03'.
     IF SY-SUBRC NE 0. MESSAGE E009. ENDIF.
     MODE = CON_SHOW.
     SELECT SINGLE * FROM  SPFLI
      WHERE  CARRID      = SPFLI-CARRID
      AND    CONNID      = SPFLI-CONNID.
     IF SY-SUBRC NE 0.
  MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
     ENDIF.
     CLEAR OK_CODE.
     SET SCREEN 200.
      WHEN 'CHNG'.
     AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD '*'
  ID 'ACTVT'  FIELD '02'.
     IF SY-SUBRC NE 0. MESSAGE E010. ENDIF.
     MODE = CON_CHANGE.
     SELECT SINGLE * FROM  SPFLI
      WHERE  CARRID      = SPFLI-CARRID
      AND    CONNID      = SPFLI-CONNID.
     IF SY-SUBRC NE 0.
       MESSAGE E005 WITH SPFLI-CARRID SPFLI-CONNID.
     ENDIF.
     OLD_SPFLI = SPFLI.
     CLEAR OK_CODE.
     SET SCREEN 200.
    ENDCASE.
  ENDMODULE.                 " USER_COMMAND_0100  INPUT
  i thank u all for the help in advance.

  hi
  this might help
  REPORT YUSRLOCK NO STANDARD PAGE HEADING.
  TABLES: TRDIR, USR02.
  DATA: MARK,CNTR TYPE I,
        ACCNT LIKE USR02-ACCNT, ERDAT LIKE USR02-ERDAT,
        ANAME LIKE USR02-ANAME, CLI(3) VALUE 'AAA', SZIN TYPE I,
        SYDATUM LIKE SY-DATUM, FLAG(3).
  TABLES: UINFO.
  DATA: OPCODE TYPE X VALUE 2.
  DATA: BEGIN OF USR_TABL OCCURS 10.
          INCLUDE STRUCTURE UINFO.
  DATA: END OF USR_TABL.
  START-OF-SELECTION.
    CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
      ID 'TAB' FIELD USR_TABL-SYS.
    SELECT * FROM USR02 CLIENT SPECIFIED ORDER BY MANDT BNAME.
      IF USR02-MANDT <> CLI.
        SZIN = SZIN + 1. SZIN = SZIN MOD 2.
        CLI = USR02-MANDT.
      ENDIF.
      IF USR02-UFLAG = 0.
        MARK = ' '.
      ELSE.
        MARK = 'X'.
      ENDIF.
      CLEAR FLAG.
      LOOP AT USR_TABL.
        IF USR_TABL-BNAME = USR02-BNAME AND USR_TABL-MANDT = USR02-MANDT.
          FLAG = '!!!'.
        ENDIF.
      ENDLOOP.
      SYDATUM = SY-DATUM - 30.
      IF SYDATUM < USR02-TRDAT.
        IF SZIN = 0.
          WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                ' ',USR02-MANDT COLOR 2,
                '   ',USR02-USTYP COLOR 2,
                ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                ' ',FLAG COLOR 6.
        ELSE.
          WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                ' ',USR02-MANDT COLOR 2,
                '   ',USR02-USTYP COLOR 2,
                ' ',USR02-TRDAT COLOR 2, USR02-LTIME COLOR 2,
                ' ',FLAG COLOR 6.
        ENDIF.
      ELSE.
        IF SZIN = 0.
          WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 2,
                ' ',USR02-MANDT COLOR 2,
                '   ',USR02-USTYP COLOR 2,
                ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                ' ',FLAG COLOR 6.
        ELSE.
          WRITE:/ ' ', MARK AS CHECKBOX,' ', USR02-BNAME COLOR 3,
                ' ',USR02-MANDT COLOR 2,
                '   ',USR02-USTYP COLOR 2,
                ' ',USR02-TRDAT COLOR 4, USR02-LTIME COLOR 4,
                ' ',FLAG COLOR 6.
        ENDIF.
      ENDIF.
      HIDE: USR02-BNAME, USR02-MANDT.
    ENDSELECT.
    CLEAR USR02.
  TOP-OF-PAGE.
  WRITE:/ 'LOCK   USER         CLIENT  TYPE     LAST lOGIN     ' COLOR 6.
    SKIP.
  AT USER-COMMAND.
    IF SY-UCOMM = 'SEL'.
      DO.
        CLEAR MARK.
        READ LINE SY-INDEX FIELD VALUE MARK.
        IF SY-SUBRC NE 0.  EXIT. ENDIF.
        IF USR02-BNAME IS INITIAL.CONTINUE.ENDIF.
        SELECT SINGLE * FROM USR02 CLIENT SPECIFIED WHERE
        MANDT = USR02-MANDT AND BNAME = USR02-BNAME.
        IF MARK = 'X' AND USR02-UFLAG = 0.
          USR02-UFLAG = 64.
          UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 64 WHERE
          MANDT = USR02-MANDT AND
          BNAME = USR02-BNAME.
          COMMIT WORK.
        ENDIF.
        IF MARK = ' ' AND USR02-UFLAG = 64.
          USR02-UFLAG = 0.
          UPDATE USR02 CLIENT SPECIFIED SET: UFLAG = 0 WHERE
          MANDT = USR02-MANDT AND
          BNAME = USR02-BNAME.
          COMMIT WORK.
        ENDIF.
      ENDDO.
      CLEAR USR02.
    ENDIF.
  regards
  Arun

• Company code authority check

  Hi
  we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
  I searched thru forums and collected below points. but could not test it successfully.
  Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
  In su01 for my user no roles or profiles are defined.
  To do
  Trying to write  below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
  PBO & PAI
  *First statement
  Module Authorictycheck.
  module Authoritycheck
    LOOP AT EXTRACT.
      AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
                          ID 'ACTVT' FIELD '01,02,03'
                          ID 'BUKRS' FIELD ZTTL01-BUKRS.
      IF sy-subrc <> 0.
        MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
      EXIT.                          'access Bukrs'extract-bukrs.
      ENDIF.
    ENDLOOP.
  endmodule
  Can i use above code in PBO and PAI to check change of company code?
  I am sharing role and profile created by other user, which allows only company code 'A10'.
  How to test this now?
  se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
  Regards
  Chandra

  Hi Suhas
  Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
  Thanks for ur input.
  Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
  To achieve this can i use EVENT AA?
  I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
  FORM ZHIDE_COCODE.
  DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
  LOOP AT TOTAL.
  READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
  IF SY-SUBRC EQ 0.
  F_INDEX = SY-TABIX.
  ELSE.
  CLEAR F_INDEX.
  ENDIF. "(make desired changes to the line TOTAL)
  MODIFY TOTAL.
  CHECK F_INDEX GT 0.
  EXTRACT = TOTAL.
  MODIFY EXTRACT INDEX F_INDEX.
  *ENDIF.
  ENDLOOP.
  SY-SUBRC = 0.
  ENDFORM.
  I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
  Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
  what should be done now?
  Regards
  Chandra

• Authority check in hr payroll infotype report

  Hi all,
  We have developed a report which gives infotypewise employee details.here we are checking authority for reading employee data.we are applying authority check at selection-screen and while reading the data from database tables.following is the sample code.
  do .
  if  s_abkrs-high < s_abkrs-low.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-high
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
  exit.
  endif.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-low
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
    s_abkrs-low = s_abkrs-low + 1.
  enddo.
  my senior says this code is right but it is not checking authority for all infotypes.can anyone suggest what changes are required in this code so that it will check authority for all infotypes.
  Thanks in advance.
  Regards,
  Harshada

  Hi ,
        A select-option will have a structure with four fields (sign , option , low , high) .
        So if you want to use your below code : you cannot check authority.
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs  <-- is an internal table
  id 'ACTVT' field '01'
  id 'ACTVT' field '02'.
  if sy-subrc 0.
  message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
  endif.
  endloop.
  The other option is :
  If your select option has values only in low ... then you can loop thru it ...
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs-low
  endloop.
  Regards,
  Srini.