Skipping Authorization check in LDB

Similar Messages

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• Skip Authorization Check in ECC5.0

  I have noticed a major diffrence in authorization check for tcodes in ECC5.0 . In earlier versions in debug mode I found that if there is a command like :
  CALL TRANSACTION 'PA30' and SKIP FIRST SCREEN
  If i press F5 it directly shows me the error message "Not authorised to PA30" in case there is no auth to execute it, and the debugging stops.
  But in Earlier versions it used to goto a function module to check the auth. I just want to customize the function module to skip the auth check for a certain set of users.
  Any clue for this?

  Hi Alex,
  I am not very sure about Personnel Cost Planning,
  But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
  1) Switch on Trace using ST01.
  2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
  3) Anlayse the trace document and identify all the authorization object.
  4) BUild a new role with the auth objects and assign to test user id.
  5) test and confirm that the authorizations are not too many or too less.
  A time consuming but thorough approach.
  hope this helps.

• Macro to switch off authorization check in LDB

  Hello Folks,
  Could anyone share the macro to switchoff autorization check in LDB for a particular program.
  Regards,
  Nishanth Kumar

  not answered

• Skipping Authorisation checks in LDB

  Hi All,
  I am working on HR module and I have got to work on a report which is using LDB (Logical DataBase).LDB will do authorisation checks by default.
  1) My requirement is to skip the authorisation checks  and allow all the data to be retrieved.
  Can this be done by calling any standard FM ? If yes , please name it.
  regards,
  PP

  //LDB will do authorisation checks by default.
  in my opinion you are looking for a data retrieval process from report development point of view.
  Ok say you are pulling data from infotype -08 which is sensitive information. now you need a entry for the object of this and then you are allowed to select on this table.
  keep an authority-check on this table pa0008 and if you have the access then you will proceed or else dont pull the records.
  Authority-object / Authority -check from program perspective will do .
  ex:
  AUTHORITY-CHECK OBJECT 'Z_TCODE'
  ID 'ACTVT' FIELD '03' " read access
  ID 'ZTCODE' FIELD p_tcode. " actual value
  IF sy-subrc EQ 0. " check authorization
  * fetch record
  SELECT SINGLE *
  FROM tstc
  INTO wa_tstc
  WHERE tcode EQ p_tcode.
  Br,
  Vijay.

• How to Skip Authorisation Checks when i use LDB PNPCE

  Hi Experts,
  I have requirement to skip authorization checks in PNPCE LDB.
  Please let me know how it is possible , it is quite urgent
  Thanks a lot in Advance!
  Regards,
  Akila
  Moderator message: do not skip authorization checks, do not post "urgent" issues here.
  Edited by: Thomas Zloch on Aug 7, 2011 9:53 PM

  Hi Akila,
  Its not the good idea to ignore the authorization check, There should be a legitimate reason why it has implemented at first place?
  (If programmatic)The one who implemented the Auth check is he right person to approach how to ignore,just a matter of checking sy-subrc(But i would hesitate to apply that) . Or if this applied by roles then Security person might help you.
  @Prasenjit: How Dummy value could serve this purpose?
  Cheers
  Amit

• LDB PNP authorization check authorization object

  Hi,
  I have used LDB PNP for HR reports.
  We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
  Hence it appears that authorization check is not working properly.
  Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
      rp-provide-from-last p0002 space gwa_outlist-begda 
                                                      gwa_outlist-begda.
      IF pnp-sw-found NE '1' OR
          pnp-sw-auth-skipped-record EQ '1'.
          EXIT.
      ELSE.
          ls_tab-vorna = p0002-vorna.
          ls_tab-nachn = p0002-nachn.
      ENDIF.
  Please reply with the corrections ore alterations,
  Thanks in advance.
  Akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• LDB PNP authorization check at record level - rp_provide_from_last

  hi,
  i am using LDB PNP,
  I am using macro 'rp-provide-from-last' .
  I neeed to place a authorization check so that the user of the program should only be allowed to view records of the people which comes under the same personnel area as of the user of the program.
  Can you please guide me on how to implement this?
  thanks in advance,
  akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• Authorization checks for PNP LDB

  question    : how to validate authorization checks for pnp logical database?
  2 nd question: hr report
  this report is basically for salary survey. in this i had so many fields can any body let me know how
  can i form the internal tables. and i have to display overall 150 fields in csv file for that
  how can i take in to the final internal table.
  what is the logic behind this:
  T71JPR09-JOBCODE
  PA0000-PERNR
  HRP1000-STEXT
  P0006-PSTLZ
  PA0008-ANSAL * 100 / PA0008-BSGRD
  PA0015-BETRG
  PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
  PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
  like that i had.
  please give me the steps how can i proceed.

  Hi,
  The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
  Hope this helps.

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Logical Data Base- Authorization Check

  Hi,
      Please tellme when is the authorization checked if the LDB is used in the program. If I am not using 'GET PERNR' statement in the START-OF-SELECTION then will this authorization check will be performed for the data being extracted from the Data base using select statement.
  Waiting for reply,
  Shwetambari.

  HI,
  No it won't perform if you write the select statment, when you write the code GET PERNR, then internally it will get the data based on the Auth check and a SET PERNR will be triggers. so better to use the GET statment
  Regards
  Sudheer

• Authorization Check in Ad Hoc Query

  Hi Experts,
  When a user is given access to an infoset via the query user group, he/she will be able to see all infotypes that are associated with the infoset. The user will actually be able to select the fields, construct the query, and only hit the authorization error when they execute the query.
  This is not ideal from a user perspective as the user might spend a lot of time constructing the query only to find out later that they are not able to execute it due to authorization restrictions. Is there a way to restrict upfront to show the user only the infotypes and fields they are authorized to when constructing the query? Please advice.

  You need to do this in your infoset ...
  You can use the following procedures if you want to change the behavior of the SAPDBPNP logical database:
  You can program the logical database not to skip personnel numbers. The data is, nevertheless, only made available to the relevant reports for the authorization check There is no direct way to access the data that was not read by the authorization check. This procedure is meaningful for the first example, but not for the other two examples. The relevant report implements the setting as follows:
  INITIALIZATION.
  PNP_SW_SKIP_PERNR = 'N'.
  It is conceivable in examples 2 and 3 that the evaluation would be possible for a certain period but not for a longer selection period. Normally, the logical database always selects all the data of an infotype and checks the authorization. If you want the system to read and check only the data of the selection period, you can use the RP_SET_DATA_INTERVALL macro (for the START-OF-SELECTION period) for this.
  The data is not requested immediately (addition MODE N for the INFOTYPES statement) and is checked by the report itself. The report uses the HR_READ_INFOTYP and/or the HR_CHECK_AUTHORITY_INFTY function modules from the HRAC group to check the data and decides itself how to react to missing authorizations.
  Procedures 1 and 2 are available for SAPDBPNP and are not supported by SAPDBPAP. Procedure 3 is always available. Procedure 3 is the only way of solving problems with the authorization check if a report requires only one subtype of an infotype and if users should not be able to access the other subtypes of the infotype
  -Saquib

• SM30 Field level authorization check

  Hi,
  I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
  Thanks,
  Gagan Chodhry

  Hi,
  I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
  If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
  If anyone can send the sample or the way to skip the record based on the check.
  Also is there any other way to add the field level authorization to custom and standard tables...
  Thanks,
  Gagan Chodhry

• Check the ldb

  How to check the ldb in a database table

  Hi this may be helpful 4 u.
  A logical database is a special ABAP/4 program which combines the contents of certain database tables. You can link a logical database to an ABAP/4 report program as an attribute. The logical database then supplies the report program with a set of hierarchically structured table lines which can be taken from different database tables.
  LDB offers an easy-to-use selection screens. You can modify the pre-generated selection screen to your needs. It offers check functions to check whether user input is complete, correct, and plausible. It offers reasonable data selections. It contains central authorization checks for data base accesses. Enhancements such as improved performance immediately apply to all report programs that use the logical database.
  Less coding s required to retrieve data compared to normal internel tables.
  Tables used LDB are in hierarchial structure.
  Mainly we used LDBs in HR Abap Programming.
  Where all tables are highly inter related so LDBs can optimize the performance there.
  Check this Document. All abt LDB's
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent?documenturi=%2flibrary%2fabap%2fabap-code-samples%2fldb+browser.doc
  GO THROUGH LINKS -
  http://www.sap-basis-abap.com/saptab.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/9f/db9bfa35c111d1829f0000e829fbfe/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/9f/db9b5e35c111d1829f0000e829fbfe/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/c6/8a15381b80436ce10000009b38f8cf/frameset.htm
  /people/srivijaya.gutala/blog/2007/03/05/why-not-logical-databases
  Re: **LDB**
  www.sapbrain.com/FAQs/TECHNICAL/SAP_ABAP_Logical_Database_FAQ.html
  www.sap-img.com/abap/abap-interview-question.htm
  www.sap-img.com/abap/quick-note-on-design-of-secondary-database-indexes-and-logical-databases.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/9f/db9b5e35c111d1829f0000e829fbfe/content.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/db9bb935c111d1829f0000e829fbfe/content.htm
  Gothru the blog which provides info on LDB's:
  /people/srivijaya.gutala/blog/2007/03/05/why-not-logical-databases
  Sample code
  TABLES: SPFLI,
  SFLIGHT,
  SBOOK,
  SCARR.
  START-OF-SELECTION.
  GET SPFLI.
  WRITE:/ ’SPFLI: ’, SPFLI-CARRID, SPFLI-CONNID,
  SPFLI-AIRPFROM, SPFLI-AIRPTO.
  GET SFLIGHT.
  WRITE:/ ’ SFLIGHT: ’, SFLIGHT-CARRID, SFLIGHT-CONNID, SFLIGHT-FLDATE.
  GET SBOOK.
  WRITE:/ ’ SBOOK: ’, SBOOK-CARRID, SBOOK-CONNID,
  SBOOK-FLDATE, SBOOK-BOOKID.
  GET SFLIGHT LATE.
  WRITE:/ ’ GET SFLIGHT LATE: ’, SFLIGHT-FLDATE.
  with regards,
  Hema sundara.
  pls reward  points if u find it heplful.

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash