Regarding authorization checks

Similar Messages

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Question regarding Authorizations in SAP CRM 7.0

  Hello,
  The problem is this:
  We have a client who will use two ways of accessing SAP CRM 7.0 data -
  1. CRM Web UI
  2. Mobile devices via standard SAP CRM BAPIs
  Now the situation is that the client wishes to control display authorizations based on the Business Role. Certain Business Roles can allow its User to see Accounts where the User is also Employee Responsible and certain other Business Roles can allow its User to see all those Accounts that are associated with that Role. In summary Business Roles control what an User can see.
  This has already been implemented for the CRM Web UI using the Access Control Engine (ACE).
  Now the questions are:
  1. How do we implement this for BAPI Access?
  2. Should we recreate what has been achieved by ACE, via PFCG Authorization Profiles?
  3. Can we not reuse what has been done by ACE?
  4. What are the runtime APIs that allow somebody to use the authorization checks of ACE?
  5. Does the standard Function Module CRM_ORDER_CHECK_AUTHORITY_ACE help in this regard?
  Any help here will be greatly appreciated. Please let me know if you need any clarifications.
  Thanks in advance.
  Best regards,
  Sudhi

  Hello,
  Normally, some notes are recommended in addition to the current support package implementation because they were developed to solve any known issues. These known issues occurred as side effect of any note which belongs to the implemented support package.
  If you take a look at older release notes, you will see the same.
  This is a part of implementation stack.
  1345085  SAP SRM 7.0 SP Stack 04 (09/2009):Release & Information Note 
  1365574  SAP SRM 7.0 SP Stack 05 (12/2009):Release & Information Note   
  1436687  SAP SRM 7.0 SP Stack 06 (03/2010):Release & Information Note 
  Kind regards,
  Ricardo

• CRM - Process Flow of Authorization Check in Business Transactions

  Hello Folks:
  I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
  What I have in place:
  CRM_ORD_OP (inactive, don't want access to own documents)
  CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
  CRM_ACT (active)
  CRM_CMP (active)
  CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
  Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
  CRM_ORD_PR (active and restricted to display)
  Issue:
  Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
  Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
  OSS notes to SAP have resulted in no results....please advise what is wrong here.
  Thanks
  KT

  Thanks for the Priyanka for the reply, but what you mention is not correct.
  BSP errors are different from what I am refering to.
  The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
  Regards,
  KT

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• Authorization check of Tcode FCH7 (reprint check) / FCHN (display check)

  Hello to you all,
  Does any of you know of an option of extended the authorization check of Tcode FCH7 (reprint check) / FCHN (display check) using authorization object F_BKPF_BEK / F_LFA1_BEK?
  Regards,
  yoav Bernstain

  Hi,
  Authroization: User need authroization to post Financial Accounting Document for Vendor
  Object: F_BKPF_BEK
  Activities: 01-Creat, 02-Change and 06-Deleter
  Authroization: User need authroization for vendor Master Data (03-Display activity can also work)
  Object: F_LFA1_BEK
  Activities: 01-Creat, 02-Change, 03-Display and 06-Deleter
  Regards,
  Prashant Rane

• Deactivate authorization checks in BSP or function modules?

  Hi all
  I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
  I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
  Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
  Regards
  Mike

  > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
  Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
  Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
  Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
  I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
  I would think that a carefull choice of function module and consulting with your functional guru about config which will not interfer with other requirements is the best route to take.
  I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
  Cheers,
  Julius

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd

• Logical Data Base- Authorization Check

  Hi,
      Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
  Waiting for reply,
  Shwetambari.

  HI,
  No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
  Regards
  Sudheer

• Selection screen and authorization check for plant from 2 diff tables?

  Hi,
  Could anyone help me out?
  how to write code for  this?
  u2022   Fields for selection
  Plant : WERKS (one selection) - check authorization access u2013 Mandatory .
  Material code MATNR (one selection) - Mandatory
  and while doing the authorization check how should i check it ? here iam taking the table as t001w for werks and for selection screen iam taking it from another Z table......i should take 2 different tables here.....for selection and for authorization.
  my code is pasted below:
                   Data Declarations                                  *
  data: s_werks type t001w-werks.
                   Selection Screen                                    *
    SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-h01.
    PARAMETER : p_werks like Ztable-werks OBLIGATORY,
                p_matnr like mara-matnr  OBLIGATORY.
    SELECTION-SCREEN END OF BLOCK b1.
                   Start-of-Selection                                  *
  START-OF-SELECTION.
  **-Get Plants for Authorization check.
     SELECT werks
            FROM t001w
            INTO TABLE it_werks
        WHERE werks IN s_werks.
      LOOP AT it_werks INTO x_werks.
         v_werks = x_werks.
  Regards,
  Reddy

  Plant : WERKS (one selection)
  That means only 1 plant value to be given? Then you can use PARAMETERS instead of SELECT-OPTIONS. And additionally, you'll only have to check that plant value.
  Using SELECT-OPTIONS you would indeed retrieve the plants and check each individual selected plant. Your code for that is good enough to start with.
  I wouldn't do the check in the START-OF-SELECTION event, but rather in the AT SELECTION_SCREEN event.
  To perform an authorisation check; try the ABAP help on AUTHORITY-CHECK. And you will need to know which authorisation object you need to use.
  Just noticed you're using PARAMETERS
  WHERE werks IN s_werks
  should be
  WHERE werks eq p_werks
  But actually you don't need to select T001W. Just use the value in p_werks.
  Edited by: Maen Anachronos on Oct 10, 2008 7:53 PM

• Authorization check question

  Hi all, I have a question regarding authority-check.
  I have a program with some custom buttons, these buttons will show a small window where the user has to enter some data. This data then will be shown in an ALV grid, and also be saved in a custom table.
  There are two buttoms, and I have to check is the user has authorization for each one of them. How do I do that? what would be the authorization object? and what would be the activity?. does the authorization object needs to be created somewhere? if so, can you give me the transaction?.
  TIA Mauro.

  Hello,
  You can create your own authorization object using Tcode SU21. Use the authorization object when he clicks on the button.
  Regards,
  Kiran I

• Authorization Check on Radio Button

  Hi,
  I have a custom report which has a radio button. Can I provide the authorization on this radio button, meaning only selected no. of users can run this report with radio button checked. I know it's possible through maintaining a list of users in custom table, But I want to check if we can do it using authorization object/group etc...

  Birendra, you're absolutely correct that we need to consider future maintenance efforts. But this is exactly a weak side of the parameter approach that you've suggested. The jet analogy is impressive, but way out of proportion in this case.
  Using authority check command in ABAP code and modifying screen elements is not hard-coding. The parameter approach also requires writing some code, so it has no advantage here.
  Also it requires someone (a Basis admin?) to update the user profile and a table entry that you've mentioned. To use the standard authorizations, only one authorization object will need to be created (although it may even be possible to use another, existing object if it's the same authorization level). It won't take more space or more time to create than an SM30 entry. Updating the roles might be more of a hassle than updating the user parameter, but the difference can hardly be considered significant and it's a one-time thing anyway.
  It is a matter of preference whether to hide a control, disable it or display a message. (By the way, in many standard transactions you'll find that controls or menu options are hidden/disabled based on authorization, so it is nothing exotic.) But I stand by my suggestion of using standard authorization check functionality specifically because it makes the future maintenance easier.
  1) Basis admins most likely already maintain some document regarding the role assignment. It might be actually easier to them to maintain the roles than to keep track of the additional profile parameter and remember it in future.
  2) Imagine years from now you're gone and all the new people are maintaining the system. The user gets a 'no authorization' message and, naturally, contacts a system admin. Again, naturally, admin will check security trace. Now guess what - your parameter thingy cannot be tracked anywhere. No one knows about it and it will take an ABAPer to figure this out.
  With standard approach it will only take a second to run SU53 and a few minutes to resolve an issue by a Basis admin. Additionally, authorization objects have 'where used' button, so it would be easy to check if and where the object is used (e.g. if the report has been changed/deleted it will be easy to spot the 'orphaned' object). With the profile parameter sooner or later someone will have to wonder what the heck it is for and might accidentally delete it. By the way, sometimes users actually have access to their own parameters, so it's not a very secure option either.
  I understand you mean well, but, unfortunately, in my work quite frequently I have to deal with some things that were developed by well-meaining consultants who overlooked some long-term effects of their approach.

• Authorization-check P_PCR fails...

  Hey Guys,
  I have a little authorization problem... 
  I created a role with authorizationobject P_PCR. 
  Payroll Area                   B8    
  Activity                       Change
  In my program i have following code to check authorization :
  GET pernr.
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  * further processing..
  Everytime i execute this code, sy-subrc eq 4... :(.
  When i look into SU53 :
  The authorization check failed
    Authorization obj. <i>P_PCR</i>  HR: Payroll Control Record
      Object Class <i>HR</i>  Human Resources
                                      B8
        Activity                      02
  My user is added to the role, so i don't see anymore why i can't execute this report ...  Does anyone has an idea for me ?
  Thanks,
  Kind Regards,
  Tom

  Bon...  Found the error...
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  In object P_PCR the field is not AB<b>KR</b>S, but the field is AB<b>RK</b>S.
  So, problem solved...
  Greetz,
  Tom