Skip Authorization Check in ECC5.0
I have noticed a major difference in the authorization check for tcodes in ECC5.0. In earlier versions in debug mode I found that if there is a command like:
CALL TRANSACTION 'PA30' AND SKIP FIRST SCREEN.
If I press F5 it directly shows me the error message "Not authorised to PA30" in case there is no auth to execute it, and the debugging stops.
But in earlier versions it used to go to a function module to check the auth. I just want to customize the function module to skip the auth check for a certain set of users.
Any clue for this?
Hi Alex,
I am not very sure about Personnel Cost Planning,
But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
1) Switch on Trace using ST01.
2) Carry out a series of transactions using a user ID which has a lot of authorizations or SAP_ALL.
3) Analyse the trace document and identify all the authorization objects.
4) Build a new role with the auth objects and assign it to a test user ID.
5) Test and confirm that the authorizations are not too many or too few.
A time-consuming but thorough approach.
Hope this helps.
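Steps 3 to 5 of the procedure above can be scripted once the trace is exported as text. The following is an added example, not part of the original post: it assumes a simplified one-check-per-line layout (constructed here, not the literal ST01 display), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified one-check-per-line layout (an assumed
# format, not the literal ST01 display): time, AUTH, object, RC, field=value;...
SAMPLE_TRACE = """\
14:02:11 AUTH S_TCODE RC=0 TCD=PA30
14:02:12 AUTH P_ORGIN RC=0 INFTY=0002;SUBTY=;AUTHC=R;PERSA=Z001
14:02:12 AUTH P_ORGIN RC=0 INFTY=0006;SUBTY=1;AUTHC=R;PERSA=Z001
14:02:15 AUTH P_ORGIN RC=0 INFTY=0002;SUBTY=;AUTHC=R;PERSA=Z001
14:02:19 AUTH P_PCLX RC=0 RELID=RU;AUTHC=R
"""

LINE_RE = re.compile(r"^\S+\s+AUTH\s+(\S+)\s+RC=(\d+)\s*(.*)$")


def parse_trace(text):
    """Return one (object, rc, {field: value}) tuple per authorization check."""
    checks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers and non-authorization records
        obj, rc, raw = m.groups()
        fields = dict(p.split("=", 1) for p in raw.split(";") if "=" in p)
        checks.append((obj, int(rc), fields))
    return checks


def propose_role(checks):
    """Steps 3-4: every object checked, with the field values actually requested."""
    role = defaultdict(lambda: defaultdict(set))
    for obj, _rc, fields in checks:
        for name, value in fields.items():
            role[obj][name].add(value)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in role.items()}


def failed(checks):
    """Checks with a non-zero return code, e.g. from a trace of the test user."""
    return [c for c in checks if c[1] != 0]


def review_role(role, checks):
    """Step 5: (missing, excess) grants of a role measured against the trace.

    A '*' grant satisfies a check but is always listed as excess, because the
    trace shows the concrete values that are sufficient.
    """
    used, missing = set(), set()
    for obj, _rc, fields in checks:
        for name, value in fields.items():
            allowed = role.get(obj, {}).get(name, [])
            if value in allowed:
                used.add((obj, name, value))
            elif "*" not in allowed:
                missing.add((obj, name, value))
    granted = {(o, f, v) for o, fs in role.items() for f, vs in fs.items() for v in vs}
    return sorted(missing), sorted(granted - used)
```

Running `review_role` with a hand-built role against the SAP_ALL trace shows both directions of step 5: values the role lacks and values it grants that the traced transactions never requested.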
Similar Messages
-
Skipping Authorization check in LDB
Hi Experts,
I have developed a report using PNPCE LDB which displays organizational data and data from infotypes 0000,0001,0006,0017,0019,0020,0027,0105,0315 in the form of ALV.
Currently, if the person who runs the report doesn't have authorization for any of the above infotypes, the report completely errors out with the message 'No authorization for infotype xxxx'. This happens in GET PERAS in method CHECK_MIN_INFTY_AUTHORIZATION of class CL_HRPAD00AUTH_CHECK_STD.
But my client wants different functionality. If the person who is running the report doesn't have authorization for any particular infotype (for example 0002), then data from that infotype should not appear in the output, but data from other infotypes for which he has authorizations should be displayed (the error message should not be displayed).
Please suggest how to meet the above requirement.
Hi
Try setting PNP_SW_SKIP_PERNR to 'N' at INITIALIZATION.
-
How to Skip Authorisation Checks when i use LDB PNPCE
Hi Experts,
I have a requirement to skip authorization checks in PNPCE LDB.
Please let me know how it is possible, it is quite urgent.
Thanks a lot in Advance!
Regards,
Akila
Moderator message: do not skip authorization checks, do not post "urgent" issues here.
Edited by: Thomas Zloch on Aug 7, 2011 9:53 PM
Hi Akila,
It's not a good idea to ignore the authorization check. There should be a legitimate reason why it was implemented in the first place.
(If programmatic) The one who implemented the auth check is the right person to approach on how to ignore it, just a matter of checking sy-subrc (but I would hesitate to apply that). Or if this is applied by roles, then the security person might help you.
@Prasenjit: How could a dummy value serve this purpose?
Cheers
Amit
-
HR ABAP Custom Authorization Check
Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
I have a question: if we create a custom authorization, is this custom authorization checked or not?
Thanks in advance.
There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going nowhere.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM
-
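Because the answer above says CALL TRANSACTION skips the check on the called transaction, custom code that navigates this way is worth reviewing for its own start check. The following is an added example, not from the thread: a Python scan that flags CALL TRANSACTION statements with neither the `WITH AUTHORITY-CHECK` addition of newer ABAP releases nor a preceding `AUTHORITY-CHECK OBJECT 'S_TCODE'` whose `sy-subrc` is evaluated in the same block. The ABAP sample is constructed and its FORM names are hypothetical.

```python
import re

# Constructed ABAP fragment for illustration; the FORM names are hypothetical.
SAMPLE_ABAP = """\
* CALL TRANSACTION 'SE16'. inside a comment line is ignored
FORM show_master_data.
  CALL TRANSACTION 'PA30' AND SKIP FIRST SCREEN.
ENDFORM.
FORM show_user USING p_tcode TYPE sy-tcode.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SU01D'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for SU01D.' TYPE 'E'.  "period inside a literal
  ENDIF.
  CALL TRANSACTION 'SU01D'.
  CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK.
ENDFORM.
"""

CALL_RE = re.compile(r"^CALL TRANSACTION\s+('?)([^'\s]+)\1", re.I)
CHECK_RE = re.compile(r"^AUTHORITY-CHECK OBJECT 'S_TCODE'.*\bFIELD\s+'([^']+)'", re.I)


def statements(source):
    """Yield (line_no, statement) with comments removed and literals intact."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):
            continue                      # full-line comment
        in_lit = False                    # literals do not span lines
        for ch in line:
            if ch == "'":
                in_lit = not in_lit
            elif ch == '"' and not in_lit:
                break                     # inline comment runs to end of line
            elif ch == "." and not in_lit:
                stmt = " ".join("".join(buf).split())
                if stmt:
                    yield start, stmt
                buf, start = [], None
                continue
            if start is None and not ch.isspace():
                start = no
            buf.append(ch)
        buf.append(" ")


def unguarded_calls(source):
    """Return (line_no, tcode) for CALL TRANSACTION with no visible start check."""
    findings, guarded, pending = [], set(), None
    for no, stmt in statements(source):
        upper = stmt.upper()
        if upper.startswith(("FORM ", "METHOD ", "FUNCTION ", "MODULE ")):
            guarded, pending = set(), None   # a check does not carry across blocks
            continue
        if pending and "SY-SUBRC" in upper:
            guarded.add(pending)             # the check result is evaluated
        check = CHECK_RE.match(stmt)
        pending = check.group(1).upper() if check else None
        call = CALL_RE.match(stmt)
        if call and "WITH AUTHORITY-CHECK" not in upper:
            tcode = call.group(2).upper()
            if not (call.group(1) and tcode in guarded):
                findings.append((no, tcode))
    return findings
```

Dynamic targets (a variable instead of a literal) are always reported unless the statement carries `WITH AUTHORITY-CHECK`, since a literal-based check cannot be matched to them.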
LDB PNP authorization check authorization object
Hi,
I have used LDB PNP for HR reports.
We are using the authority check also, but the problem is that all the records/data for all the people are being read by the report, where some of the people's data should not have been read as they belong to some other personnel area than the role of the executor (user).
Hence it appears that the authorization check is not working properly.
Following is how I am using it. Please suggest corrections or an alternate way to correct this issue.
* Read the last valid infotype 0002 record for the key date.
rp-provide-from-last p0002 space gwa_outlist-begda gwa_outlist-begda.
* Leave when no record was found or a record was skipped for missing authorization.
IF pnp-sw-found NE '1' OR
   pnp-sw-auth-skipped-record EQ '1'.
  EXIT.
ELSE.
  ls_tab-vorna = p0002-vorna.
  ls_tab-nachn = p0002-nachn.
ENDIF.
Please reply with the corrections or alterations,
Thanks in advance.
Akash.
Hi,
(1)
Actually, if you're writing a report with the PNP LDB, you do NOT need to do this hard-coded auth checking at all, because the LDB ABAP code behind PNP has already done this job for you.
So all you need to do is to ask your HR consultant or Basis consultant to modify the authority config of a certain ROLE with t-code PFCG, and then assign that ROLE to a certain user with t-code SU01.
The ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some cases you do not work with an LDB report; then you need to do the authority check by yourself. The general function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK does the authority check by means of an authority object. Below are authority objects used in the HR module (you can also see them in PFCG if technical names are switched on):
P_ORGIN HR: Master Data
PLOG Personnel Planning
P_PCLX HR: Clusters
P_TCODE HR: Transaction codes
Sample of checking personal area:
* The code treats USER_IS_AUTHORIZED (sy-subrc = 2) as the only success case.
CALL FUNCTION 'AUTHORITY_CHECK'
  EXPORTING
    FIELD1              = 'PERSA'
    OBJECT              = 'P_ORGIN'
    USER                = 'SAPSUPPORT1'
    VALUE1              = 'Z001'
  EXCEPTIONS
    USER_DONT_EXIST     = 1
    USER_IS_AUTHORIZED  = 2
    USER_NOT_AUTHORIZED = 3
    USER_IS_LOCKED      = 4
    OTHERS              = 5.
IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls!
-
Authorization Check in Ad Hoc Query
Hi Experts,
When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advise.
You need to do this in your infoset ...
You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check. There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
INITIALIZATION.
  PNP-SW-SKIP-PERNR = 'N'.
It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype.
-Saquib
-
SM30 Field level authorization check
Hi,
I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
Thanks,
Gagan Chodhry
Hi,
I have this requirement for both types of tables, i.e. custom as well as standard. The tables have a profit center field. I need to show the table based on the logged-in user's authorization for the profit center.
If it is a custom table then, as mentioned by Siva, there is a way, I heard, that we can check the authorization in the PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for display.
If anyone can send the sample or the way to skip the record based on the check.
Also, is there any other way to add field-level authorization to custom and standard tables...
Thanks,
Gagan Chodhry
-
Issues with Analysis Authorization checks in APO
Hi Friends,
I am facing an issue with Analysis authorization checks in APO.
We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
Resultant trace results are as below: This should not happen..
I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
Will it be possible for you to advise on what I could be missing?
Hi All,
If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
Please advise.. Thanks..
Regards,
Prakash
-
Authorization check in LDB PNP
Hi All,
I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
Can you please let me know if any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
Any information provided will be really helpful.
Thanks,
Pavan
Hi,
A separate ID was created in an environment similar to production and proper authorizations were assigned to it (I mean roles with authorization objects P_ABAP - level of simplification 1 and P_ORGIN - restricting based on personnel area). Still, org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
Thanks,
Pavan
-
Authorization checks for PNP LDB
Question: how to validate authorization checks for the PNP logical database?
2nd question: HR report
This report is basically for a salary survey. In this I have so many fields; can anybody let me know how
I can form the internal tables? I have to display 150 fields overall in a CSV file; for that,
how can I take them into the final internal table?
What is the logic behind this:
T71JPR09-JOBCODE
PA0000-PERNR
HRP1000-STEXT
P0006-PSTLZ
PA0008-ANSAL * 100 / PA0008-BSGRD
PA0015-BETRG
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-GRADT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
like that i had.
Please give me the steps on how I can proceed.
Hi,
The PNP database will take care of the authorization check. It will not execute if the user does not have authorizations.
Hope this helps.
-
CRM - Process Flow of Authorization Check in Business Transactions
Hello Folks:
I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
What I have in place:
CRM_ORD_OP (inactive, don't want access to own documents)
CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
CRM_ACT (active)
CRM_CMP (active)
CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
CRM_ORD_PR (active and restricted to display)
Issue:
Restriction to display for documents works fine when using the CRM backend system, and the system throws out a message that you are not authorized to change. But when I come in through Portals (PCUI), I don't get the display at all and it throws out a message: insufficient access authorizations.
Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we don't want to give out because we don't want to provide change for documents.
OSS notes to SAP have resulted in no results... please advise what is wrong here.
Thanks
KT
Thanks, Priyanka, for the reply, but what you mention is not correct.
BSP errors are different from what I am referring to.
The issue is still open... and looks like an SAP bug, which even they haven't been able to fix so far.
Regards,
KT
-
Document search error in webshop(Error in authorization check: user unknow)
Hi All
Actually, we have implemented the document search functionality in the webshop to access all the documents in the webshop who have created order in the webshop.
Actually, when I am logging into the portal with userid "skumar", there is a role called "Document Search"; when I click that Document Search role, the document search is opened, and based on the selections in the selection criteria the documents are generally displayed.
Coming to my error: when I select "order acknowledgement" in the selection criteria and select one more column called "period", and then click the search button, I get the following error.
Error in authorization check: user unknown.
Can you please help me where to check the authorizations in the system for accessing the documents.
Regards
Sunil
Hi Sunil, generally this kind of error will occur when you choose acknowledgement
for future periods; even though the input is a past date, if the same problem occurs you should check for SU05 Internet User authorizations.
Reward if helpful
Venkat
-
Create authorization check for a report
Hi,
I need to create an authorization check for a report. It means that I need to restrict the usage of the report to a couple of users ('USER1' and 'USER2'). How can I do that? I did read through a lot of threads regarding this piece, got a bit confused, and got stuck while creating the authorization object.
Say the report name is ZHR_TIMEABC.
Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
Thanks in advance,
VG
Hi,
Thanks. Here is my understanding: S_C_FUNCT calls a system-generated function module to make an authority check. So, if different users, say USER1 and USER2, have different authorization levels defined in their user profiles, will just adding this piece of code take care of the authorization check for the program, OR do I need to take care of something else?
If so, when do we need to create the authorization objects using SU20, assign the group and follow this process? When do we use this approach (a lot of threads on authority check have mentioned this procedure)?
Your inputs will be helpful to understand this concept.
Thanks,
VG
-
Add authorization check in Infopackage Scheduler for option 6-ABAP Routine
We want to add an authorization check in routine rssm_routines_maintain. This is in the Infopackage scheduler in the Data Selection tab under the column Type after selecting type=6(ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
Two questions:
1) Is there any other way we can control who can create/change ABAP code by this method ?
2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
Your help would be appreciated.
Robert Begin,
450-677-9411 or
514-924-4311
or email at [email protected]
Hi Chandran, we need to restrict a certain group of BW developers from writing code in the ABAP routine (option 6) in the InfoPackage on the Data Selection tab in column Type.
The concern is that, having access to write ABAP code, a person can practically do as he/she pleases with ABAP code, and it is a concern.
Do you have any solution/suggestions to lock this down?
Much appreciated,
Regards,
Robert.
-
ESS: Who's Who Authorization Checks
Hi,
I am testing the ESS iView (tcode PZ01) in the Portal and it seems to be restricting the search results by my authorizations. I am not getting a full list of people in the system. Anyone know how to turn-off this authorization check?
I noticed this only happens when I changed the ESS Who's Who customizing in the IMG for PZ01. If I uncheck the checkbox 'Output fields list', then it checks authorizations. I'm thinking this has something to do with using the BAPI vs. using the query infoset, as the documentation states.
Message was edited by:
Kenneth Moore
Old post, but I have had a similar issue and it was caused by P_ORGIN
Infotype 0105 subtype?????
It seems that if the subtype is restricted then they are not displayed if the subtype is populated in the HR record.