SM30 Field level authorization check

Hi,
I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
Thanks,
Gagan Chodhry

Hi,
I have this requirement for both types of tables, i.e. custom as well as standard. The tables have a profit center field. I need to show the table based on the logged-in user's authorization for the profit center.
If it is a custom table then, as mentioned by Siva, there is a way I heard that we can check the authorization in the PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for display.
If anyone can send the sample or the way to skip the record based on the check.
Also is there any other way to add the field level authorization to custom and standard tables...
Thanks,
Gagan Chodhry

Similar Messages

  • Direct database data access without data level authorization check

    Hello,
    My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, the customer asks me to list all the possibilities to display data without data level authorization check.
    The things in my mind are
    SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
    Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser : SE11, SE12, SE16, SE16N, SE17
    Table Maintenance : SM30
    Function Module : RFC_READ_TABLE
    Function Module : DB_EXECUTE_SQL (DML)
    Anyone knows anything which is not listed above?
    Thanks

    HI,
        Generally in production users should not be given all these authorizations.
    Ram.

  • Field Level Authorization

    Hi Gurus,
    Can you explain to me how to proceed in relation to Field Level Authorizations in SAP HR? For instance, I want to restrict roles of individuals based on a field, for example restrict users based on the field Workschedule in IT 0007 (Planned Working Time).
    Regards,
    Happy

        AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
          ID 'ORG_CRIT' FIELD 'MOLGA'
          ID 'ACTVT' FIELD '03'
          ID 'ORG_FIELD1' FIELD '10'
          ID 'ORG_FIELD2' FIELD '*'
          ID 'ORG_FIELD3' FIELD '*'
          ID 'ORG_FIELD4' FIELD '*'
          ID 'ORG_FIELD5' FIELD '*'
          ID 'ORG_FIELD6' FIELD '*'
          ID 'ORG_FIELD7' FIELD '*'
          ID 'ORG_FIELD8' FIELD '*'.
        IF sy-subrc NE 0 .
          MESSAGE e000 WITH 'No Authorization for area' v_text.
        ENDIF.
    Use S_TABU_LIN authority object for field level authorizations.

  • Field level Authorization configuration in SAP BO issue !!!

    Hi gurus,
    I want to create field level authorization at query level and use the same in BO Web Intelligence. (Ex: if I have company codes A, B and C, and if I have created a role for the users where only A and C is assigned, then when I create a webi the users should only be able to select company codes A and C.)
    Now i want to know the steps to configure the same in BO for roles import and SAP authentication setting.Please do tell the pre-requisites .I got lot of links but am still confused.
    So please provide exact steps and setting to configure the same.
    Thanks & Regards,
    Montz
    Edited by: montz2006 on Jun 27, 2011 9:05 PM

  • 'DUMMY' value of the field in Authorization Check

    Hello everyone!
    I have some misunderstanding. I made an authorization check in transaction SU53 and I see a class, an object and the field which need to be DUMMY. What does it mean? What value of this field do I have to choose when I give an authorization for myself?

    Sorry, but that's not correct.
    "DUMMY" is equivalent to "don't care" or "any value".
    That is different from requesting a SPACE value (which is just one distinct value).
    If a "dummy" value is requested, actually no value is requested - any value will satisfy the request.
    See the ABAP Online Documentation: http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm

  • We need to give field-level authorization for some fields

    The scenario is as follows:
    1. There are various storage locations within a plant.
    2. There is one or more people in charge of creating PO and receiving stocks for every storage location.
    3. We don't want to authorise the person in charge of one storage location to receive stock in another storage location or even view the other storage locations at the time of creating the PO or any other transaction. The user in charge of one storage location should not be able to view any other storage location in any storage location field's drop down.
    regards
    Manish
    +91 9811647727

  • Field level Authorization for IT0002

    Hi All,
    We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
    This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
    We want to disable the access of this field to everyone, even the HR administrator.
    Kindly suggest if this is possible using authorizations.
    I know that we can hide the field in display access for PA20 or PA30, but I am particularly searching for the option for various reports.
    Regards,
    Umesh Chaudhari.

    Hi Umesh,
    Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
    SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
    There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
    The standard reports of personnel administration are based on logical database PNP. I would recommend setting your authorization as follows:
    Object HR: Master data (P_ORGIN) (two authorizations)
      Infotype                  0002             ' '
      Subtype                   *                ' '
      Authorization level       R                ' '
      Organizational key        ' '              0001YYYYXXX
    Object HR: Reporting  (P_ABAP)
      Report name                SAPDBPNP
      Degree of simplification   1
    Please note that if a user has authorization for e.g. the birthday list, (s)he will be able to view the birth date through this query, although (s)he cannot access IT0002 through PA20.
    Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
    Hope this helps
    Sarah

  • Restore Organisation field for authorization check

    I've got a role in which an organisation field is maintained normally.
    Is there a Report which can detect the org-fields and repair them?

    1st you need to collect all the technical names of the org level fields (refer to table USORG). Then in table AGR_1251 restrict data to these fields only. Where ever you do not got a value not start with "$" is the data you need. Sorting by the value column can help you with that.
    To fix this in the role, beside the org level field you have a delete button. That will overwrite manually maintained values with the NORMALLY maintained value in the org level ;-). Careful, you may lose data during this process, so you may need to fix the org level data in the 1st place.
    Regards,
    Arpan Paik
    Edited by: P Arpan on Mar 5, 2012 8:21 PM

  • BW Field level Authorizations are not working in the WEBI Reports

    Dear All,
    1. I have created Authorization roles with Infoobjects Authorization Objects.
    2. In the BEx Query, authorizations are working on the Infoobjects, like for
    Ex: For USER1 I have given Company code = 1000 &
    User 2 I have given authorization for 1100.....
    3. Import those roles into Business Objects-CMC.
    4.Users were Imported.
    But in the WEBI Reports BW Field level Authorizations are not working i.e for USER1 authorization for Company code is 1000 , in WEBI report it is showing all the Company codes data for USER1.
    For USER2 also showing all the data in the WEBI report.
    Plz help me on this issue.
    Thanks,
    Kiran Manyam

    Hi,
    For Authorization to work in BO you can check the following:
    1. You need to create authorization variables in your BEx query.
         Also these variables should not be input ready.
    2. While creating the universe in BO you need to select the "Single Sign On" option available in the parameters while creating a new connection.
    Regards,
    Rohit

  • Query - Authorization Check for Material Details

    Hi Experts,
    I've got a requirement where I have to put an authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specific materials (checking the authorization field). A few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specific material details such as dimensions (quantity, length, width, etc.).
    The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
    The second option would be to make the above said details invisible on the screen for the specific materials.
    The Authorization object is M_MATE_MAT.
    The Authorization field is BEGRU.
    The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
    What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
    Thanks & Regards
    Pritam

    > I've got a requirement where I have to put an authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specific materials (checking the authorization field). A few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specific material details such as dimensions (quantity, length, width, etc.).
    >
    > The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
    >
    You can do this with authorization at transaction level.
    > The second option would be to make the above said details invisible on the screen for the specific materials.
    >
    For invisible on the screen, you might need to consider the material screens user exit. I am not sure how your material master is configured.
    > The Authorization object is M_MATE_MAT.
    > The Authorization field is BEGRU.
    >
    > The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
    >
    > What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
    All in all, you need user exits to have field level authorization, and maintain authorizations at transaction level for the ones you don't want to show to anyone or to few.

  • Authorization check in LDB PNP

    Hi All,
    I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
    I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
    Can you please let me know if any special settings are to be done, like in Tcode OOAC, or if some flags/parameters are to be set in the report program to perform org data level authorization.
    Any information provided will be really helpful.
    Thanks,
    Pavan

    Hi,
    A separate ID was created in an environment similar to production and proper authorizations were assigned to it (I mean roles with authorization objects P_ABAP - level of simplification 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
    Thanks,
    Pavan

  • Table maintenance - authorization check on field level

    Dear all,
    I generated a table maintenance view for a custom table via SE11 --> Utilities --> Table maintenance generator.
    The table for which the maint. view was generated has a field bukrs. When a user enters a company code via table maintenance in SM30, I want to check if he has the right authorizations for that company code. This check, is this something I have to implement in the modification events or are there other alternatives?
    Suppose i want a non-key field to be unique, is there a way to automatically check this, or has this to be done via implementation of the same events?
    Kind regards,
    J

    Hi,
    You can do it via the events.
    There is one more alternative also.
    Create a Z report with the plant as parameter or select-options.
    Do an authorisation check on it using the authority object.
    Then call the FM of SM30.
    The FM of SM30 is 'VIEW_MAINTENANCE_CALL'
    See the following code
    PARAMETERS: y_p_lgnm TYPE lgnum.
    DATA : y_v_string   TYPE string.
    CONSTANTS: y_k_u        TYPE char1   VALUE 'U',
               y_k_x        TYPE char1   VALUE 'X',
               y_k_lgnum    TYPE char7   VALUE 'LGNUM',
               y_k_lgtyp    TYPE char5   VALUE 'LGTYP',
               y_k_eq       TYPE char2   VALUE 'EQ',
               y_k_viewname TYPE tabname VALUE 'YLOMANAGTROL'.
    *                   INTERNAL TABLE DECLARATION.
    DATA: y_i_seltab TYPE STANDARD TABLE OF vimsellist.
    *                   WORKAREA DECLARATION.
    DATA: y_wa_seltab TYPE vimsellist.
    START-OF-SELECTION.
    *authority check for warehouse number
      AUTHORITY-CHECK OBJECT 'L_LGNUM'
                  ID y_k_lgnum FIELD y_p_lgnm
                  ID y_k_lgtyp FIELD '*'.
      IF sy-subrc NE 0.
    * user not authorised
        CONCATENATE y_p_lgnm text-003 INTO y_v_string SEPARATED BY space.
        MESSAGE s015(ylo1) WITH text-001
                                sy-uname
                                text-002
                                y_v_string.
      ELSE.
    *Clear Internal Table
        CLEAR y_i_seltab.
        CLEAR y_wa_seltab.
    *passing the selection parameters to the function module
    *view_maintenance_call.
        y_wa_seltab-viewfield = y_k_lgnum.
        y_wa_seltab-value     = y_p_lgnm.
        y_wa_seltab-operator  = y_k_eq.
        APPEND y_wa_seltab TO y_i_seltab.
        CALL FUNCTION 'VIEW_MAINTENANCE_CALL'
          EXPORTING
            action               = y_k_u
            view_name            = y_k_viewname
            show_selection_popup = y_k_x
          TABLES
            dba_sellist          = y_i_seltab.
      ENDIF.
    In my case I had a table YLOMANAGTROL with field LGNUM.
    So I put an authority check on LGNUM.
    Regards,
    Ankur Parab

  • Can we give more than one value for an Authorization field in Auth-Check.

    Hi all,
    Can we give more than one value for an Authorization field in Auth-Check.
    Ex: AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD <Value 1> <Value 2> <Value 3>.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    If yes, please help me with exact syntax.
    Think it will be like
    ID 'CUSTTYPE' FIELD: <Value 1>, <Value 2>, <Value 3>.

    Hi,
    yes we can give more than one field.
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
       ID <authority field 1> FIELD <field value 1>
       ID <authority field 2> FIELD <field value 2>
       ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    please reward points, if it is useful.
    satish.

  • Authorization Check Field Name

    Hi,
    Do we need to specify all field names when coding authorization check in abap?

    Hi,
    Plz go through this...
    AUTHORITY-CHECK OBJECT object
    ID name1 FIELD f1
    ID name2 FIELD f2
    ID name10 FIELD f10.
    Explanation of IDs:
    object: Field which contains the name of the object for which the authorization is to be checked.
    name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
    f1 ... f10: Fields which contain the values for which the authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY).
    The system checks the values for the ID s by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code SY-SUBRC = 0, the user has the required authorization and may continue.
    The return code is modified to suit the different error scenarios.
    The return code values have the following meaning:
    4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8 Too many parameters (fields, values). Maximum allowed is 10.
    12 Specified object not maintained in the user master record.
    16 No profile entered in the user master record.
    24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28 Incorrect structure for user master record.
    32 Incorrect structure for user master record.
    36 Incorrect structure for user master record.
    If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
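
The AND/OR rule quoted above, and the earlier question about checking several values for one field, shown as a small Python model. This is an added example, not SAP code and not from any poster; the user's authorizations are constructed sample data, and only exact values, `*` and trailing-star patterns are modelled (ranges are not).

```python
"""Simplified model of how AUTHORITY-CHECK evaluates a user's authorizations."""

DUMMY = object()  # stands for "ID name DUMMY": the field is not checked


def value_matches(pattern, value):
    """Compare one authorization value with the value passed via FIELD."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user_auths, obj, **ids):
    """Return a model of SY-SUBRC: 0 = authorized, 4 = no authorization
    with matching values, 12 = no authorization for the object at all."""
    auths = user_auths.get(obj, [])
    if not auths:
        return 12
    for auth in auths:  # several authorizations for one object are OR-ed
        # Inside ONE authorization every checked field must match (AND).
        if all(
            value is DUMMY
            or any(value_matches(p, value) for p in auth.get(field, ()))
            for field, value in ids.items()
        ):
            return 0
    return 4


def check_each(user_auths, obj, field, values, **fixed_ids):
    """FIELD takes a single value, so several values mean one check per value."""
    return {
        v: authority_check(user_auths, obj, **{field: v}, **fixed_ids)
        for v in values
    }


# Constructed sample: one user holding two separate authorizations
# for the object S_TRVL_BKS used in the posts above.
USER_AUTHS = {
    "S_TRVL_BKS": [
        {"ACTVT": ["02"], "CUSTTYPE": ["P"]},
        {"ACTVT": ["03"], "CUSTTYPE": ["B", "P"]},
    ],
}

if __name__ == "__main__":
    # '02' and 'B' each occur somewhere, but never in the same
    # authorization, so the combined check fails.
    print(authority_check(USER_AUTHS, "S_TRVL_BKS", ACTVT="02", CUSTTYPE="B"))
    # The second authorization contains both values.
    print(authority_check(USER_AUTHS, "S_TRVL_BKS", ACTVT="03", CUSTTYPE="B"))
    # DUMMY removes CUSTTYPE from the check; the first authorization matches.
    print(authority_check(USER_AUTHS, "S_TRVL_BKS", ACTVT="02", CUSTTYPE=DUMMY))
    # One check per value; 'X' is a constructed value nobody is granted.
    print(check_each(USER_AUTHS, "S_TRVL_BKS", "CUSTTYPE", ["B", "P", "X"], ACTVT="03"))
```

The first call is the case that matters when reviewing roles: values spread over two authorizations do not combine, so a role design that relies on them adding up across fields will be rejected by the check.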

  • Authority check at field level in the sales order

    Dear all, our business requirement is the following:
    only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.
    This means that for an order of sales group 'A':
    a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannot see the prices but can change the order, a user of sales group 'C' can display the order but cannot see the prices.
    I ask you if such a scenario can be realized in SAP.
    We currently run SAP ECC 5.0.
    thx all !
    bye Roberto

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    regards
    Anji
    Message was edited by:
            Alvaro Tejada Galindo
