Structural authorization check in HR-ABAP

Hello Friends,
I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
Regards,
Yoganand.

Hi Yoganand,
if you use logical database PCH in your report, it should work by default.
Manually search for RHSTRUAUTH in transaction SE37. There
is a function modul which gives a list with the person the user has authorization.
With this list you could compare the list with selected persons.
hope this helps.
Regards
Bernd

Similar Messages

CATS selection + Structural Authorization Check

Hi, guys!
   Please, check if you can help me with this doubt.
   The seleciton of CATS are according to the Cost Center. And we need to change the employee selection of CATS according to the new Structural Authorization (recorded in OOSB).
   So the doubt is, if we configure the CATS profile to report selection criteria and create a generic variant, will it select the employees according to OOSB?
Regards

Hi, everyone!
   I've just made the test and it worked without problem.
Regards,

How To Create ABAP Code For HR Context Sensitive Structural Authorization

Hello,
We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
Thank you in advance for all your assistance,
Ken Bowers

Hello Ken
You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
Regards
Ranganath

Authorization check

Hi ,
i new to authorization so i need help ,
i go to transaction SU21 and i choose some object for example:
Object R_CPM_BSC
Text Authorization Object SEM: BSC Elements
Class SEM Strategic Enterprise Management*
Author STASTNY
Field name Heading
SEMSCARD Scorecard
SEMOBJTYPE Scorecard Elements: Object Type
SEMOBJKEY Scorecard Elements: Object Key
ACTVT Activity
And when i push on permitted activities i get:
R_CPM_BSC Authorization Object SE
ACTVT Activity
activists
01 Create or generate
02 Change
03 Display
04 Print, edit messages
1. i have always just permitted activities for ACTVT ?
if i wont that user just have display Authorization how i have to write it like below?
AUTHORITY-CHECK OBJECT R_CPM_BSC
ID ACTVT FIELD '03'
thats it i don't use the other fields?
Regards

Hi,
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Thanks
Vikranth

Structure Authorization Issue

Hi guys,
I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial. After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
Please help
Thanks

Structural Authorization Check
Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
Steps to Perform to Set Up Structural Authorization Check in brief:
(Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
1. Integration: Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
(Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
4. Create Org. Plan (check the first post).
(Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
6. Create record for Infotype 0105 - TCode is PA30.
7. Create Structural Authorization Profiles u2013 TCode = OOSP
8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
Please check and let us know for any query.
Regards,
Dipanjan

Authorization check for a program/table

Hi ,
Can anyone help me out in
How to do authorization check for an abap program and also a table.
I have no idea about the authorizations.
My requirement is that I need to do the authorization check in such a manner that only users having a certain profile
1. should be able to execute the program
2. View of the entries of the table.
Thanks & Regards,
Keerthi

Hello Keerhi ,
I got you wrong at first!
If you want to have only certain users to be able to do certain operations, then you need to assign the appropriate roles to those users!
First find the role
second add the user in the role ( PFCG T code---> USers tab)
Raj

HR strutural Authorization check in the Lean order Interface (LORD)

Hi ,
We place Quotations , Orders in CRM 7.0 , via the Lean order Interface Screen (LORD) . So users in ECC have HR structural authorization and they seems to the checked ( for the HR# part of the Sales Team , and comming accross as partner function in the Quotations , Orders documents )
Can we avoid the HR structural Authorization check in the Lean order Interface ?

Dear Christophe,
I do not understand the requirement...you create ERP orders via CRM interface, and you have set up authorization in ERP for the users. Why do you want to prevent the authority check when coming from CRM when it is needed ?
However please consider note 1446253 quesiton 9.
You might activate or deactivate the "current user" flag in sm59 for your ERP system.
Hope this information helps...
Regards
Rene

Authorization checks and objects

Do you have a tutorial for this topic for dummies? thanx in advance

Hi
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Thanks
Seshu

How to deactivate authorization check?

hi ,
how to deactivate Authorization check?
thanks.
reddy.

Use switch T77S0 to control the use of an authorization object during the authorization check.
If value is 0 authorization check is inactive, if value is 1 inactive. See example below.
AUTSW     ADAYS            15     HR: tolerance time for authorization check
AUTSW     APPRO     0     HR: Test procedures
AUTSW     DFCON     1     HR: Default Position (Context)
AUTSW     INCON     0     HR: Master Data (Context)
AUTSW     NNCON     0     HR:Customer-Specific Authorization Check (Context)
AUTSW     NNNNN     0     HR: Customer-specific authorization check
AUTSW     ORGIN     1     HR: Master data
AUTSW     ORGPD     0     HR: Structural authorization check
AUTSW     ORGXX     0     HR: Master data - Extended check
AUTSW     PERNR     1     HR: Master data - Personnel number check
AUTSW     VACAU          Activate Auths for Maintaining Vacancies (PBAY)
AUTSW     XXCON     0     HR: Master Data - Enhanced Check (Context)
http://help.sap.com/saphelp_erp60_sp/helpdata/EN/84/49ba3b3bf00152e10000000a114084/frameset.htm
Regards,
David

What are authorization checks? And where and what will you write?

hai, plz anybody send me the answer?

Hi
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
As the name suggest it if for Authority check so that the person who is not having authorization for some data/transaction can be restricted from viewing it. It is very imortant for the security of data. Check below link for details on authorization.
http://help.sap.com/saphelp_nw04/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm

Structural authorization - creation of employee number in webdynpro or abap

Hello Experts,
We are facing some problems with the combination of structural authorizations and the creation of a new employee.
When we use PA40 to create a new employee this does not give any problem.
In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
After this we do call transactions PA30 for the next infotypes.
When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
The employee is manager and connected with his userid in infotype 0105.
We use in the structural profile the function module RH_GET_MANAGER_ASSIGNMENT
We checked with transaction HRHAUTH.
User has been adjusted to the tables T77UA etc.
We do not use workflow in this webdynpro
We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
Hope one of you can help me to find the solution!
With kind regards,
Rita Mensink

Hi.
After 2½ days of frustration I finally nailed this.
Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
This example might be useful
data: ls_view_entry type hrview,
        ls_related_object type hrobject.
ls_view_entry-plvar = '01'.
ls_view_entry-otype = 'P'.
ls_view_entry-objid = lv_pernr.
ls_view_entry-begda = '18000101'.
ls_view_entry-endda = '99991231'.
ls_view_entry-maint = 'X'.
ls_related_object-plvar = '01'.
ls_related_object-otype = 'S'.
ls_related_object-objid = lv_ny_objid.
call function 'RH_VIEW_ENTRY_INSERT'
    exporting
      view_entry     = ls_view_entry
      related_object = ls_related_object.
Best regards
Poul Steen Hansen
Senior Technical Consultant
EDB Consulting Group A/S, Denmark

Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

We want to add an authorization check in routine rssm_routines_maintain. This is in the Infopackage scheduler in the Data Selection tab under the column Type after selecting type=6(ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
Two questions:
1) Is there any other way we can control who can create/change ABAP code by this method ?
2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
Your help would be appreciated.
Robert Begin,
450-677-9411 or
514-924-4311
or email at [email protected]

Hi Chandran, we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
Do you have any solution/suggestions to lock this down?
Much appreciated,
Regards,
Robert.

ABAP: Modify PA infotype without authorization check

Hello everyone,
Short version:
I know two FM that can modify PA infotype data: HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
Does anybody know a solution?
Long version:
We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

ECM stands for Employee Compensation management and is one of the SAP HR module.
But I doubt you can use ECM specific function module to modify/insert infotype 17 values as below are the main infotypes for ECM module.
Employee Infotype
Description
0758
Compensation Program
0759
Compensation Process
0760
Compensation Eligibility Override
0761
LTI Granting
0762
LTI Exercising
0763
LTI Participant Data

Authorization Check in BI7 using ABAP

Dear Experts,
i've got a question regarding how to check authorizations in BI7 using ABAP.
How do i check authorizations?
In Detail: I want to check, whether a user has the appropriate authorization to access an company code. For that i created an authorization in resecadmin restricted to one single company code. My user has this single authirization assigned.
In my coding i tried using 'RSEC_GET_AUTH_FOR_USER_MDATA' but it returns an empty table.
Any ideas how to check the authorizations?
Thanks & best regards,
Daniel

Hi,
I am using RSEC_GET_AUTH_FOR_USER and it works fine as long as I test with rsudo testuser.
E_T_RANGESID gives back the authorized characteristic values.
But I have a problem with users with *-authorization. ET_RAGESID is empty and an exception is thrown "not authorized".
So, the coding doesn't work properly if I test with my own user, but yes, works in case that user has explicitly limited values. (btw, fetch the user via FM RSEC_GET_USERNAME beforehand).
I think I'll overcome this problem (maybe in connection with param I_NO_WARNINGS).
I'll keep you informed, though it's pretty late for Daniel or even you I guess...
(But maybe somebody else is interested...)

Abap programe 'AUTHORIZATION-CHECK'

What is abap programe 'AUTHORIZATION-CHECK' how can i navigate there

Hi,
You can navigate to the Code this way
1)
SE93> Display>Double click in the Entry corresponding to Program-->then you enter the Source Code here select find and give the search string as
"Authority-Check" this displays you whatever entries are there in the code.
This method is useful if you know the Tcode and want to see what check statemetns are there in ABAP code corresponding to it.
2)On the other hand if you know the program then go to
SE38> enter the program name> Select Source Code> Press Display>
and from there search with the string mentioned above justlike the case mentioned above...
Hope this helps
Regards,
Manohar

Structural authorization check in HR-ABAP

Similar Messages

Maybe you are looking for