Transaction AFAR doesn't check for authorization

Hi,
I've added transaction code AFAR in one of the roles that has Check/Maintain for authorization object A_PERI_BUK, which should restrict on company code. I've even checked the associated program RAAFAR00, which has the authority check statement.
But, when I restrict the access to a specific company code in the role, the transaction is still allowing the users to execute it with other company codes. User doesn't have any other roles assigned and all the other tcodes such as AFAB, AFBP are giving authorization errors.
Can someone help!!
Regards,
Raghu

Hi,
It is not throwing a failed authority check error but should work just fine.
    AUTHORITY-CHECK   OBJECT  'A_PERI_BUK'
                      ID      'AM_ACT_PER'      FIELD con_31
                      ID      'BUKRS'           FIELD x093c-bukrs.
    IF sy-subrc NE 0.
*       WRITE: / text-f08, x093c-bukrs. commented by C5053255
      CONTINUE.
    ELSE.
*      Read back the entered fiscal year per company code
      p_gjahr = sav_gjahr.                                  "> 627533
    ENDIF.
The CONTINUE statement executed in case of a failed authority-check causes the loop to skip processing for this item ... so only elements for which the user has proper authorizations are processed. Try debugging to confirm.
Best regards,
FS
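
The behaviour described in the reply above, modelled in Python as an added example (not part of the original posts and not SAP code): a failed check skips the company code without any message, so the restriction is judged by what was processed, not by whether an error appeared. The company codes and the `report_skips` switch are constructed for illustration.

```python
"""Model of the per-company-code loop in the quoted snippet (added example)."""

# Constructed sample: company codes the user's role grants for A_PERI_BUK.
GRANTED_BUKRS = {"1000"}


def authority_check(granted, bukrs):
    """Stand-in for AUTHORITY-CHECK on BUKRS: 0 = authorized, 4 = not authorized."""
    return 0 if bukrs in granted else 4


def run_per_company_code(granted, requested, report_skips=False):
    """Process each requested company code the way the quoted loop does.

    A failed check never raises: the item is skipped (CONTINUE). With
    report_skips=False nothing is shown, matching the commented-out WRITE.
    """
    processed, skipped, output = [], [], []
    for bukrs in requested:
        if authority_check(granted, bukrs) != 0:
            skipped.append(bukrs)
            if report_skips:
                output.append(f"No authorization for company code {bukrs}")
            continue  # same effect as CONTINUE in the ABAP loop
        processed.append(bukrs)  # the real work would happen here
    return {"processed": processed, "skipped": skipped, "output": output}


def restriction_holds(granted, result):
    """Test oracle: no company code outside the granted set was processed."""
    return set(result["processed"]) <= set(granted)


if __name__ == "__main__":
    # User restricted to 1000 enters three company codes on the selection screen.
    result = run_per_company_code(GRANTED_BUKRS, ["1000", "2000", "3000"])
    print(result, restriction_holds(GRANTED_BUKRS, result))
```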

Similar Messages

  • Check for Authorization object

    Hi All,
    I have a report which will authorize the person running the report.
    I have been given a requirement which is to not accept some users and accept some users.
    Now I know this is possible with an authorization object, but as I have never worked with it, I am getting confused as to how to go about it.
    Could someone let me know how to go about it? I have a few questions.
    1. What is the exact use of an authorization object?
    2. I can build in the logic, but what should one start with before implementing an authorization object for the report?
    3. I know there is some basis work involved in this, but what is that?
    Thanks,
    Mahen

    Hi,
    In general, different users will be given different authorizations based on their role in the organization.
    We create ROLES and assign the authorizations and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another tcode is PFCG, where you can assign these authorization objects and tcodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji

  • Is there any way to force a Role Check for authorization from a Ztable

    Hi all,
    I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
    Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
    Don't know if this is even theoretically possible.

    hi
    see if this helps you
    The SAP Authorization Concept
    Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
    The terms central to the SAP authorization concept are:
    Authorization field
    This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Fields.
    Example: ACTVT and CUSTTYPE.
    Authorization object
    An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Objects.
    Example: The authorization object S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.
    Authorization
    An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Authorization.
    Example:
    S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
    for customer type (CUSTTYPE) and
    02 for activity (ACTVT).
    Users who have this authorization are allowed to change the bookings of all customers.
    S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
    B for customer type (CUSTTYPE) and
    03 for activity (ACTVT).
    Users who have this authorization are allowed to display the postings of all customers.
    Authorization profile
    An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Profiles.
    User master record
    Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Users.
    Authorization check
    The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
    Example: Check whether the user is allowed to change the postings of business customers:
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
                    ID 'ACTVT'    FIELD '02'
                    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
      MESSAGE E...
    ENDIF.
    If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.
    Authorization assignment
    The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authorization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
                      User master record
                    Auth. profile  Composite auth. profile
               Authorization              Auth. profile
                 Values              Authorization
                                   Values
    plz reward if satisfied
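
The evaluation rule from the "Authorization check" paragraph in the post above, as an added Python model (not part of the original post and not SAP code): a check passes only if a single authorization covers every checked field, so values from two different authorizations are never combined. Assumptions: the CUSTTYPE value of S_TRVL_CUS1 is missing on the page and is taken as `*`; `Z_CHANGE_P` and `Z_RANGE` are constructed authorizations; return values 0 and 4 stand for `SY-SUBRC` zero and non-zero.

```python
"""Simplified model of AUTHORITY-CHECK evaluation (added example)."""


def value_covers(granted, wanted):
    """True if one granted entry covers the checked value.

    Entry forms in this model: "*" (everything), a trailing-asterisk
    pattern such as "B*", a (low, high) range tuple, or a single value.
    """
    if isinstance(granted, tuple):
        low, high = granted
        return low <= wanted <= high
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def authorization_covers(auth_fields, checked):
    """One authorization passes only if it covers EVERY checked field."""
    return all(
        any(value_covers(g, wanted) for g in auth_fields.get(field, ()))
        for field, wanted in checked.items()
    )


def authority_check(user_auths, obj, **checked):
    """Return 0 if a single authorization for `obj` covers all fields, else 4."""
    for auth in user_auths:
        if auth["object"] == obj and authorization_covers(auth["fields"], checked):
            return 0
    return 4


# Authorizations named in the text. CUSTTYPE "*" for S_TRVL_CUS1 is assumed
# (the value is missing on the page; it is described as "all customers").
S_TRVL_CUS1 = {"name": "S_TRVL_CUS1", "object": "S_TRVL_BKS",
               "fields": {"ACTVT": ["02"], "CUSTTYPE": ["*"]}}
S_TRVL_CUS2 = {"name": "S_TRVL_CUS2", "object": "S_TRVL_BKS",
               "fields": {"ACTVT": ["03"], "CUSTTYPE": ["B"]}}
# Constructed: change allowed, but only for customer type "P".
Z_CHANGE_P = {"name": "Z_CHANGE_P", "object": "S_TRVL_BKS",
              "fields": {"ACTVT": ["02"], "CUSTTYPE": ["P"]}}
# Constructed: activity range 01-03, customer types starting with "B".
Z_RANGE = {"name": "Z_RANGE", "object": "S_TRVL_BKS",
           "fields": {"ACTVT": [("01", "03")], "CUSTTYPE": ["B*"]}}

if __name__ == "__main__":
    check = dict(ACTVT="02", CUSTTYPE="B")  # "change bookings of business customers"
    print(authority_check([S_TRVL_CUS1], "S_TRVL_BKS", **check))
    print(authority_check([S_TRVL_CUS2], "S_TRVL_BKS", **check))
    # "02" is in Z_CHANGE_P and "B" is in S_TRVL_CUS2, but no one authorization has both.
    print(authority_check([S_TRVL_CUS2, Z_CHANGE_P], "S_TRVL_BKS", **check))
```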

  • Why doesn't "Check for Updates" appear in my Help menu?

    running firefox 4.0.1 under windows 7 with an account that has administrator privileges.

    That item has been moved and can now be found in the Help > About Firefox window.

  • Authorization check for surveys

    Hello Friends,
    Does anybody know if there is Authorization check for surveys?
    I want to restrict access to surveys, depending on user and status of surveys (answered or not).
    Thanks for any help.
    Lalas

    Dear Lalas,
    Unfortunately the survey runtime itself doesn't check any authorization.
    But from my personal point of view, you might be able to look into the
    following to fulfil your requirement:
    1. Add JavaScript into the survey XML file
    Or
    2.define your own function module with additional authorization check,
      and assign it to survey attributes in transaction CRM_SURVEY_SUITE,
      as PBO or PAI function module.
      (relevant steps necessary to activate the customer defined
       authorization obj.)
    Hope these help!
    Regards, Gerhard

  • Authorization check  for posting a specified movement type on certain plant

    I'm posting goods movements using BAPI_GOODSMVT_CREATE, and I have to check if the user has the authority to post a specified movement type on a certain plant.
    How do I implement it? Do I need to create an authorization object with ACTVT, WERKS and BWART, and what will be the value of ACTVT in this case?
    Or is there any other way through which the BAPI can automatically check for authorization?

    Just to bring to your notice that authorization check is done by the BAPI. Please check the function module.
    AUTHORITY-CHECK OBJECT 'M_MSEG_WMB'
                    ID 'ACTVT' FIELD '03'
                    ID 'WERKS' FIELD I_MSEG-WERKS.
    AUTHORITY-CHECK OBJECT 'M_MSEG_BMB'
                    ID 'ACTVT' FIELD '03'
                    ID 'BWART' FIELD I_MSEG-BWART.
    Regards,
    Lalit MOhan Gupta

  • Disabling authorizations checks for transactions SU53 and/or SU56.

    Greetings.
    I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
    Any truth in this or is my mind playing tricks on me?

    Hi,
    I guess there is a profile param auth/tcodes_not_checked (I guess that's right); this will exclude SU53/SU56 from checks on transaction code.
    This can be done using RZ10, and you need to restart the system.
    Rakesh

  • Authorization checks for bank account number in vendor master

    I am trying to find a way to set up authorization checks for specific fields in the vendor master: LFBK-BANKL, LFBK-BANKN, LFBK-EBPP_ACCNAME and LFBK-EBPP_ACCNAME. I am trying to set it up so that if you have access to transactions FK03 or XK03, you can view vendor master data except for the above fields.
    Does anyone know of a way to accomplish this? Your help will be greatly appreciated.
    Thanks
    -Peru

    HI Peru,
    To suppress a field in FK03 you will have to check
    Financial Accounting (New)>Accounts Receivable and Accounts Payable>Vendor Accounts>Master Data>Preparations for Creating Vendor Master Data-->Define Screen Layout per Activity (Vendors)
    in that, Display Vendor (Accounting) for FK03 and Display vendor (centrally) for XK03.
    But the bank account no. is not there.
    Moreover, there are no authorization objects for all the fields that you gave.
    So try creating a screen variant / transaction variant in SHD0.
    Regards,
    Kiran

  • How to turn off the authorization checks for a object in infoproviders?

    Hi - how can I turn off the authorization check for an object (ex: 0orgunit) in infoproviders?
    I have 0orgunit as an authorization-relevant object and is used in one of the cubes. When reports are run for this cube, this is causing authorization issues. The object is present in other cubes also but I have to remove or turn off the authorization check of this cube alone. How to do this? Please help.
    Thanks,
    Raj.

    Hi Raj,
    Srinivas is right; however, in BI7 the correct transaction is RSECADMIN and not RSADMIN.
    In BW3.5, use the RSSM transaction to do this.
    OR
    Go to transaction RSECAUTH ---> Choose the authorization object that has been created for org unit (and has been assigned to the user). Go to change mode. Remove the cube from the dimension 0TCAIPROV.
    If you are using the old authorization concept in 3.5 or in 7.0:
    Go to RSSM. In the checks for infoprovider, enter your infoprovider name. Choose change. Here you will see a checkbox to switch off the authorization.
    Hope this helps you,
    Best regards,
    Sunmit.

  • No ICF authorization CHECK for executing /sap/bc/bsp/sap/hap_document

    In EP we are trying to access a BSP
    and we are getting the error: User T000209 (client 350) has no ICF authorization CHECK for executing /sap/bc/bsp/sap/hap_document
    How do we give the authorization? Please help.
    venkateswararao

    First check if the ICF service is active using the SICF transaction.
    Then check for the authorization objects SAP_HR_HAP_EMPLOYEE
    and SAP_HR_HAP_MANAGER.
    Add the above roles to your user; it should work.

  • Authorisation check for Object F_BL_BANK using transaction F110

    Hi
    Can you help me with transaction F110. The object F_BL_BANK has been linked on SU24 to transaction F110.  It has also been set for Check/maintain.
    There is no authorisation check for this object using F110.
    How can we resolve the issue.

    Hi
    We are on 4.6
    I linked the object but the program is not doing an authority check. The F_BL_BANK object has the following linked to it:
    .  .     .  Check          F_BKPF_BUP Accounting Document: Authorization for Posting Periods   
    .  .  .     Check/maintain F_BL_BANK  Authorization for House Banks and Payment Methods        
    .  .     .  Check          F_KNA1_APP Customer: Application Authorization                      
    .  .     .  Check          F_KNA1_BED Customer: Account Authorization                          
    .  .     .  Check          F_KNA1_BUK Customer: Authorization for Company Codes                
    .  .     .  Check          F_KNA1_GEN Customer: Central Data                                   
    .  .     .  Check          F_KNA1_GRP Customer: Account Group Authorization                    
    .  .     .  Check          F_LFA1_APP Vendor: Application Authorization                        
    .  .     .  Check          F_LFA1_BEK Vendor: Account Authorization                            
    .  .     .  Check          F_LFA1_BUK Vendor: Authorization for Company Codes                  
    .  .     .  Check          F_LFA1_GEN Vendor: Central Data                                     
    .  .     .  Check          F_LFA1_GRP Vendor: Account Group Authorization                      
    .  .     .  Check          F_PAYR_BUK Check Management: Action Authorization for Company Codes 
    .  .  .     Check/maintain F_REGU_BUK Automatic Payment: Activity Authorization for Company Code
    .  .  .     Check/maintain F_REGU_KOA Automatic Payment: Activity Authorization for Account Type
    .  .     .  Check          PLOG       Personnel Planning                                       
    .  .     .  Check          P_ABAP     HR: Reporting                                            
    There are more objects but these are the key ones. The object also has a custom object in it that was built by SAP called ZLSCH Payment method. We want the system to do a check on the payment method.

  • Command For Authorization Check

    Hii...Dudes...
    Can Any one tell me..What are the Commands and Procedure to do Authorization Check for Programs..
    Any documentation could be helpful...
    Tell me How to create ....an Z Object and tell me procedure too...
    points will be rewarded .........
    Regards,
    sg.....
    Edited by: Suneel Kumar Gopisetty on May 17, 2008 12:10 PM
    Edited by: Suneel Kumar Gopisetty on May 17, 2008 12:21 PM

    hi,
    go to this link it will be useful.
    http://help.sap.com/saphelp_nw04/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    authority-check object 'S_TCODE'
                    id     'TCD'
                    field  'SM35'.
    if sy-subrc ne 0.
      " User does not have authority for transaction SM35!!!
    endif.
    Do you want for the Creation of Z object means using OOPs concept.

  • Set Up Authorization Check for G/L Accounts  into PO creation

    Dear friends !
    How could I activate check to the access to certain accounts into PO creation ?
    I know that is possible to activate this into Purchasing customizing under path
    SPRO > Materials management > Purchasing > Purchase order > Set Up Authorization Check for G/L Accounts
    But could I use it to give access only to certain GL Accounts by user ? Is this the purpose of this customizing ?
    If yes, what's the object I should use to link with the user account!?
    best regards,
    Ale

    Hi ,
    After you setup the configuration in transaction OMRP, please setup up
    the authorisation group in the account code (FS02, the field is on the
    "Control", technical name is BEGRU).
    When an account-assigned purchase order is created, the system checks for
    object F_BKPF_BES with values from the BEGRU and activity 01.

  • Query - Authorization Check for Material Details

    Hi Experts,
    I've got a requirement where I have to put an authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specific materials (checking the authorization field). A few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specific material details such as dimensions (quantity, length, width, etc.).
    The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
    The second option would be to make the above said details invisible in the screen for the specific materials.
    The Authorization object is M_MATE_MAT.
    The Authorization field is BEGRU.
    The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
    What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
    Thanks & Regards
    Pritam

    > I've got a requirement where I have to put an authorization check in a number of transactions (standard as well as custom) which lead to material display some way or the other for specific materials (checking the authorization field). A few are for reports (may be interactive) as well. The need is to stop unauthorized people from getting access to the specific material details such as dimensions (quantity, length, width, etc.).
    >
    > The first option would be to stop the user from viewing the material itself and showing some appropriate error message.
    >
    You can do this with authorization at transaction level.
    > The second option would be to make the above said details invisible in the screen for the specific materials.
    >
    Invisible on the screen, you might need to consider the material screens user exit. I am not sure how your material master is configured.
    > The Authorization object is M_MATE_MAT.
    > The Authorization field is BEGRU.
    >
    > The range of tcodes start from ME21, ME22, ME23, ME23N ...to MM01, MM02 etc. and a number of custom tcodes.
    >
    > What is the best way to achieve this? I guess I'd need to look for exits. Please suggest
    All in all, you need user exits to have field level authorization and maintain authorizations at transaction level for the one you don't want to show anyone or to few.

  • Authorization Check for Storage Location

    Hi Experts,
    I have the following requirement :-
    I have Plant : P081 created under Company Code : P110.
    I have got various Storage Locations under this Plant for example
    KT01 - Main Stores
    KT24 - Remote Store.
    The KT24 store is basically a remote location store. I have activated the Authorization for the Storage Location KT24 in the SPRO Settings
    Material Management --> Inventory Management and Physical Inventory --> Authorization Management --> Authorization check for storage location.
    I have maintained the following authorizations for the object M_MSEG_LGO:
    1. OBJECT : M_MSEG_LGO.
    2. USER ID : 081Store
    3. PLANT : P081
    4. STORAGE LOCATION : Kt24
    5. ACTIVITY : 01-03
    6. MOVEMENT : 101, 102, 201, 221, 261
    and authorization for T_code MIGO_GR and MIGO_GI. I want to restrict the user for transaction only for this storage location but the system is allowing the user to post GR document for KT01 stores also.
    Can anyone suggest a solution or settings that need to be done for the user to be restricted to prepare GR for Storage Location KT24 only?
    Thanks in advance.
    AJ

    Hi,
    You set the authorizations for users with tcode PFCG. To know the reason for a denied access, run tcode SU53 after SAP denies the access to some documents / objects.
    Regards,
    Eduardo
