Skip Authorization Check in ECC5.0

Similar Messages

• Skipping Authorization check in LDB

  Hi Experts,
  I have developed a report using PNPCE LDB which displays organizational data and data from infotypes 0000,0001,0006,0017,0019,0020,0027,0105,0315 in the form of ALV.
  Currently, if the person who runs the report doesnt have authorization for any of the above infotypes, the report completely errors out with message 'No authorization for infotype xxxx' . this happens in GET PERAS in method CHECK_MIN_INFTY_AUTHORIZATION of class CL_HRPAD00AUTH_CHECK_STD.
  but my client wants the different functionality. If the person who is running the report doesnt have authorization for any particular infotype (for ex 0002) then data from that infotype should not appear in the output but data from other infotypes for which he has authorizations should be displayed.(error message should not be displayed).
  Please suggest me how to meet above requirement.

  Hi
  Try setting the PNP_SW_SKIP_PERNR to 'N' Initialization.

• How to Skip Authorisation Checks when i use LDB PNPCE

  Hi Experts,
  I have requirement to skip authorization checks in PNPCE LDB.
  Please let me know how it is possible , it is quite urgent
  Thanks a lot in Advance!
  Regards,
  Akila
  Moderator message: do not skip authorization checks, do not post "urgent" issues here.
  Edited by: Thomas Zloch on Aug 7, 2011 9:53 PM

  Hi Akila,
  Its not the good idea to ignore the authorization check, There should be a legitimate reason why it has implemented at first place?
  (If programmatic)The one who implemented the Auth check is he right person to approach how to ignore,just a matter of checking sy-subrc(But i would hesitate to apply that) . Or if this applied by roles then Security person might help you.
  @Prasenjit: How Dummy value could serve this purpose?
  Cheers
  Amit

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• LDB PNP authorization check authorization object

  Hi,
  I have used LDB PNP for HR reports.
  We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
  Hence it appears that authorization check is not working properly.
  Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
      rp-provide-from-last p0002 space gwa_outlist-begda 
                                                      gwa_outlist-begda.
      IF pnp-sw-found NE '1' OR
          pnp-sw-auth-skipped-record EQ '1'.
          EXIT.
      ELSE.
          ls_tab-vorna = p0002-vorna.
          ls_tab-nachn = p0002-nachn.
      ENDIF.
  Please reply with the corrections ore alterations,
  Thanks in advance.
  Akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• Authorization Check in Ad Hoc Query

  Hi Experts,
  When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
  This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.

  You need to do this in your infoset ...
  You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
  You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
  INITIALIZATION.
  PNP_SW_SKIP_PERNR = 'N'.
  It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
  The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
  Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
  -Saquib

• SM30 Field level authorization check

  Hi,
  I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
  Thanks,
  Gagan Chodhry

  Hi,
  I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
  If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
  If anyone can send the sample or the way to skip the record based on the check.
  Also is there any other way to add the field level authorization to custom and standard tables...
  Thanks,
  Gagan Chodhry

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.

• CRM - Process Flow of Authorization Check in Business Transactions

  Hello Folks:
  I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
  What I have in place:
  CRM_ORD_OP (inactive, don't want access to own documents)
  CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
  CRM_ACT (active)
  CRM_CMP (active)
  CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
  Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
  CRM_ORD_PR (active and restricted to display)
  Issue:
  Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
  Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
  OSS notes to SAP have resulted in no results....please advise what is wrong here.
  Thanks
  KT

  Thanks for the Priyanka for the reply, but what you mention is not correct.
  BSP errors are different from what I am refering to.
  The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
  Regards,
  KT

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

  We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
  Two questions:
  1) Is there any other way we can control who can create/change ABAP code by this method ?
  2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
  Your help would be appreciated.
  Robert Begin,
  450-677-9411 or
  514-924-4311
  or email at [email protected]

  Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
  The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
  Do you have any solution/suggestions to lock this down?
  Much appreciated,
  Regards,
  Robert.

• ESS: Who's Who Authorization Checks

  Hi,
  I am testing the ESS iView (tcode PZ01) in the Portal and it seems to be restricting the search results by my authorizations.  I am not getting a full list of people in the system.  Anyone know how to turn-off this authorization check?
  I noticed this only happens when I changed the ESS Who's Who customizing in the IMG for PZ01.  If I uncheck the checkbox 'Output fields list', then it checks authorzations.  I'm thinking this has something to do with using the BAPI vs. using the query infoset, as the documentation states.
  Message was edited by:
          Kenneth Moore

  Old post but I have had a similar issue and it was caused by P_ORGIN
  Infortype 0105 subtype?????
  Seem if the subtype is restricted then they are not displayed if subtype populated in the HR record.