Securing action box items with authority-check object

Similar Messages

• How to create Authority check object

  Hello Gurus,
  How to create Authority-check object 'ZABC'
                                                           ID 'TABLE' FIELD 'ZTABLE'.
  Please tell me detailed procedure.
  Thanks in advance.
  Best Regards,
  zubera

  Dear Zubera,
  Creating Authorization Fields
  In authorization objects, authorization fields represent the values to be tested during authorization checks.
  To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects ® Fields.
  To create a authorization field:
  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names    must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.
  4. If desired, enter a check table for the possible entries. For    more information about check tables.
  For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.
  You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
  Assigning an Authorization Object to an Object Class
  Each authorization object must be assigned to an object class when it is created.
  Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
  You can also create authorization objects in the Object Navigator (SE80).
  Creating / Choosing Object Classes
  The system displays a list of existing object classes.
  Object classes are organized according to the components of the system.
  Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.
  You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  Creating an Object
  Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
  You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.
  Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.
  Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.
  You can regenerate the profile SAP_ALL after creating an authorization object.
  Best Regards,
  Rajesh
  Please reward points if found helpful.

• Authority-Check Object Help

  We consolidated R3 financial data to an SEM system. The authority-check object does not exists in SEM, thus the user can never perform those things unless I comment it out, or find one that works. The code is below.
  Any suggestions?
  Thank-You.
  " Check security to determine if this user has unlock permission
  AUTHORITY-CHECK OBJECT 'E_CS_PERMO'
     ID 'PERMO' FIELD '1'   "Open period
     ID 'DIMEN' FIELD g_dimen
     ID 'RVERS' FIELD g_rvers
     ID 'BUNIT' DUMMY
     ID 'CONGR' FIELD g_congr.

  If auth object check is really required, i suggest to check with functional team for equivalent auth object.
  Thanks,
  SKJ

• How to create authority check object and assign to  ztcode which is of modu

  Dear ,
           how to create authority check object and assign to  ztcode which is of custom module pool program.its urgent kindly help points rewarded.

  Manoj,
  You can check with your Basis team to create authorisation object and assigining tcodes to the user profiles.
  K.Kiran.

• Action box item activation!!

  Hi All,
  I have created a new action box item for 'return delivery to vendor' to which I have assigned the standard function module.
  But when I click on this action nothing happens...how do I activate this action?
  Am I missing something...is something more required to be done?
  Regards,
  V S

  I presume that purchase order number exists in the Notification & you are doing RD with reference to existing PO
  In IMG settings , Go to
  QM->QN->Notification processing -? Additional Not functions->Define action box.
  maintain :QMLR_CREATE_RETURN_ORDER_FA
  Also explore
  Return delivery in QM02
  Also refer
  http://help.sap.com/saphelp_46c/helpdata/en/e4/e312e41ff611d4b2cd0050da4ceab0/content.htm

• Plz tell me how to create authority check objects and how to usein prg

  dear sir,
  plz tell me how to create authority check objects and how to usein prg

  http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
  http://help.sap.com/saphelp_nw70/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.ht
  Create custom authorization – Customer specific object
  If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.
  Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, and AUTHC fields. You can use any of the fields of the Organizational Assignment infotype (0001) for the other fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
  After you have created the object, you must start the RPUACG00 report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification.
            Note: that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR
  AUTHORITY CHECK OBJECT Object_name
              ID fieldname1 FIELD fieldvalue1
              ID fieldname2 FIELD fieldvalue2
              ID fieldname3 FIELD fieldvalue3.
               If sy-subrc eq 0.   "Authorization exists
               Endif.
  http://articles.techrepublic.com.com/5100-6329_11-5110893.html
  Edited by: JackandJay on Jan 16, 2008 10:21 AM

• About authority-check object 'M_MATE_WGR'

  hi all
        I have a problem about authority-check object 'M_MATE_WGR'. the detail is bleow:
  Read table T023 where the material group is in select option s_matkl. Then loop at the results and check for every found material group. If the user is authorized to use it with the ABAP statement AUTHORITY-CHECK with object M_MATE_WGR with parameters ACTVT = ‘03’ (display) and BEGRU = ‘the material group’. When the user is allowed to use it, store it in an internal table and continue with the remaining materials groups from T023. When the user is not allowed to use it, set the status flag to X and don’t save the current material group in the internal table.
  After all checks have been done, empty the select option s_matkl. Loop over the internal table with the allowed material groups and fill up the select option s_matkl again with these records.
  Thank you in advance .
  Nick

  You are on the right track. Authorization object M_MATE_WGR checks the Authorization Group (BEGRU) not the Material Group. You read table T023 with the Material Group to get the Authorization Group.
  Step 1: Read table T023 where MATKL = the Material Group you want to check authorization.
  Step 2: Retreive the value in field BEGRU from the record in table T023. Use the value in T023-BEGRU to pass to the AUTHORITY-CHECK object M_MATE_WGR.
  Hope that helps.

• Urgent! Problem with authority-check

  Hi all,
  I encounter some wierd scenario with authority-check.
  I try to run IW41 (create order confirmation) and the following authority-check
  AUTHORITY-CHECK OBJECT 'C_AFKO_ATY'
         ID 'ACTVT' FIELD TMP_ACTVT
         ID 'AUTYP' FIELD ACT_AUTYP.
    IF NOT SY-SUBRC IS INITIAL.
      MESSAGE E124 WITH SY-TCODE RAISING MISSING_AUTHORITY.
    ENDIF.
  was successful. However, when i try to run the FM CO_RI_CONFIRMATION_CREATE (use to create order confirmation), the exact same code is run and when i reach the above authority-check, it fails even if all the variable passed to the check is the same.
  How can this happen? I need some help. Very urgent.

  Hi Mil,
  Check the values of TMP_ACTVT and ACT_AUTYP for both the cases.
  May be they are different.
  Reward points if useful.
  Regards,
  Atish

• Reg:Authority Check object

  Dear All,
  I am calling two authority check object M_MATE_MAR  and M_MSEG_BMB in my report.
  Now for a user if i see the Role the second object  M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
  Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
  M_MSEG_BMB sy-subrc = 4 as check is failng.
  My requirement is the user should not see some movement types irrespective of the material ,
  If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
  so wht should be done in my case.
  Regards

  Hi Rajendra,
  When you hit F1 on the Authority-check,
  If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
  If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
  When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
  When sy-subrc = 40, An invalid user ID has been entered in user.
  Hope it helps.
  Sujay

• Help with authority-check

  Hello ppl,
  On my selection screen for a report, I have the field Sales Org. SELECT-OPTIONS: s_vkorg FOR gs_selscr-vkorg 
                                OBLIGATORY, "Sales Org.
  I need to check whether the user has the authorization for the selected sales organisations. So, I am using:
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
             ID 'VKORG' FIELD s_vkorg
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc NE 0.
      MESSAGE e013.    " No authorization
      SET CURSOR FIELD 'S_VKORG-LOW'.
    ENDIF.
  But, will this code handle a range of sales organisations?
  Also, how will I be able to display an error message displaying the sales org for which the user has no authorization?
  Please help.
  Thanks.

  selection-screen begin of block b1 with frame .
  select-options : so_bukrs for bsid-bukrs obligatory,
  so_kunnr for bsid-kunnr,
  so_hkont for bsid-hkont,
  so_prctr for bsid-prctr ,
  so_ktokd for kna1-ktokd.
  selection-screen end of block b1.
  initialization.
  *Clearing the work area.
  clear gs_bsid.
  Refreshing the internal tables.
  refresh gt_bsid.
  *comm1 = 'Post Dt'.
  *comm2 = 'Doc Dt'.
  *comm3 = 'Bline Dt'.
  *******AUTHORITY-CHECK ***********************************************
  at selection-screen .
  call function 'ZCAGL_COUNTRYCODE'
  exporting
  IM_WERKS =
  IM_SPART =
  IM_PRCTR =
  im_bukrs = so_bukrs-low
  importing
  e_land1 = e_land1.
  if e_land1 ne 'IN'.
  message i004(yfi02) with 'This Company Code' so_bukrs-low
  'doesn''t belong to INDIA'.
  leave program.
  else.
  authority-check object 'ZPRCHK_NEW' :
  id 'BUKRS' field so_bukrs-low.
  if sy-subrc ne 0.
  message e001(yfi02).
  leave program.
  endif.
  endif.
  if so_prctr-low is not initial.
  call function 'ZCAGL_COUNTRYCODE'
  exporting
  IM_WERKS =
  IM_SPART =
  im_prctr = so_prctr-low
  IM_BUKRS =
  importing
  e_land1 = e_land1.
  if e_land1 ne 'IN'.
  message i004(yfi02) with 'This Profit center'
  so_prctr-low 'doesn''t belong to INDIA' .
  leave program.
  else.
  authority-check object 'ZPRCHK_NEW' :
  id 'PRCTR' field so_prctr-low.
  if sy-subrc ne 0.
  message e002(yfi02).
  leave program.
  endif.
  endif.
  endif.
  this will help u....
  Regards
  Anbu

• Regarding Authority check objects

  Hi All,
  I have some confusion on Authority-check and its working.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'ACTVT'     FIELD '03'
    ID 'DICBERCLS' FIELD tddat-cclass.
  In the above code, 'DICBERCLS' FIELD tddat-cclass... these values will take and compare with tddat table list.
  but my question is how it will check the   ID 'ACTVT'     FIELD '03' ??How it will check for the ACTVT is '03'.
  It will take it from any table?
  Thanks in advance,
  Madhu

  Hi,
  You are coding as follows:-
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'ACTVT' FIELD '03'
  ID 'DICBERCLS' FIELD tddat-cclass
  This authorisation object is for Table Maintenance (via standard tools such as SM30).
  Now when the code is executed, SAP will check that whether the current user has an Authorization Group as the value in TDDAT-CLASS in the user role and the activity is 03 or display.
  If in the user role, the basis guys have given the Authorization Group(DICBERCLS) value as XYZ and the value in  tddat-cclass is also 'XYZ' and the value of ACTVT field in the user role is '03', SAP will allow the user only to display the table via SM30.
  If the authorisation group is different or if the ACTVT is different, the user will not be allowed for this authority check.
  I hope this is clear for you.
  Regards,
  Ankur Parab

• QM02 - notifications - update document flow for new action box item

  I have added a new action box item on qm02 (notifications). I am created a PO and a delivery. I wish to update the document flow to include these new records.
  I am trying to work with function qmlr_create_document_flow without success.
  Does anyone know how to do this?
  Thanks,
  rv

  Hi Rags,
  Thanks for your reply.
  About your reply:
  1) Yes, I was also thinking that 2 preceding docs may not be possible in a doc flow, and had also indicated the same to my customer. However, wanted to be 100% sure that it cannot be done.
  2) I cannot go ahead with a Service/Release Order. The requirement is to create a Return Order or a Credit Memo Request (CR) directly from the Service Notification and any other order is not in scope.
  I was thinking of something as below:
  The Service Notification header is linked to Return Order header only, there are no links at the item level. Is it a feasible solution to have a doc flow between invoice items &  return order items, since return order items are not yet linked?....I am just thinking of different things to find a solution!
  Thanks again.
  Cheers
  Vicky

• Authority-Check object 'Z99_ARB ' id 'Z99_ARBMGR' field 'Y'.

  Hi
  I'd appreciate a STEP-BY-STEP on how to create my own authority-check objects.
  The help I have is not comprehensive - it only refered me to SU20 and SU21.
  Thank you

  Moving on; there are hundreds of scenarios, but this is the simple step-by-step I was looking for:
  Step 1:
    SU20 - List of Authorization Fields
    --> Create a new authorization field e.g. Z_FIELD and assign either SAP standard or custom Data Element and a Package
  Step 2:
    SU21 - List of Object Classes
    --> Forward Navigate into the application area of choice e.g. HR
  > Create your Z object e.g. Z_OBJEC
  > Add Z_FIELD as an authorization field
  Step 3:
    Set up the user list that should have the authorization added to their profile and fwd to your Security Consultant
  Step 4:
    Within ABAP editor use the Pattern to select your new Z_OBJEC
    and assign a required field value for the id (object-field) e.g.
    authority-check object 'Z_OBJEC'
                                     id 'Z_FIELD'
                                 field 'X'.
  Edited by: Adrian Bruwer on Mar 9, 2010 7:36 PM

• Authority-Check Object for PLANT(WERKS)?

  Hi Experts,
  By using "V_VBAK_VKO" Authority Object am checking the user Authentication against the sales area(Sales OrgDistr. ChannelDivision) in my custom report. Below is the code,
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
      ID 'VKORG' FIELD s_vkorg
      ID 'VTWEG' FIELD s_vtweg
      ID 'SPART' FIELD s_spart
      ID 'ACTVT' FIELD '01'
      ID 'ACTVT' FIELD '02'.
  (Note: My report is for SD/OTC module)
  I also need to check the authenmtication of user against entered PLANT (WERKS) in selection screen, so, pls. let me know that  What is the Authority-Check Object for PLANT(WERKS)
  Thank you

  Hi,
  Transaction SU20, search for WERKS.
  When you find it, double click on the row, in the bottom half of the resulting screen there is a list of authorisation objects that contain the field.
  Unfortunately, you can't navigate from this list into the definition of the objects, so you'll need to cross-reference against transaction SU21.
  Regards,
  Nick

• Authority Check Object

  Hello Freinds,
  If there is a field from custamize table for exa.(Zmara-werks )then can we use standard authority check object? or should we create custamize authority object.
  Please guide me...........
  Thanks,
  Amar

  Hi ,
         To Find Authorization Object for a particular field, use TCode SU21. Click on Find button and enter the filed name to know the Authorization Object.
  If suitable combination of required fields is not found in Authorization objects, new objects need to be created. Use TCode SU21 to create new authorization objects. Click on Create Button and enter new object class name and press save button.