Using AUTHORITY-CHECK

Similar Messages

• ALV GRID and AUTHORITY-CHECK

  Hi all !!! 
  I'm using the ALV Grid control with checkboxes and I want to control if the actual user have the appropriate authorization to check/uncheck them.
  In the AUTHORITY-CHECK call, I want to make the authorization test on the "DEPARTMENT" of the user (from Table USER_ADDR or SU01).
  For example :
  DEPARTMENT AA1 --> check/uncheck OK
  DEPARTMENT AA2 --> check/uncheck NOT OK
  DEPARTMENT AA3 --> check/uncheck OK
  ... etc.
  How can I do ? Create an new authorization object/field ?
  PS : it's the first time I'm using AUTHORITY-CHECK..

  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check. 
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object> 
     ID <authority field 1> FIELD <field value 1>. 
     ID <authority field 2> FIELD <field value 2>. 
     ID <authority-field n> FIELD <field value n>. 
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Example ;
  REPORT  EXAMPLE MESSAGE-ID Z1.
  TABLES: USR02.
  PARAMETERS: LOCK AS CHECKBOX, LISTLOCK AS CHECKBOX.
  DATA: UFLAGVAL TYPE I, LOCKSTRING(8) TYPE C.
  ---- Authorization check -
  AUTHORITY-CHECK OBJECT 'ZPROG_RUN' ID 'PROGRAM' FIELD SY-CPROG.
  IF SY-SUBRC <> 0.
    IF SY-SUBRC = 4.
      MESSAGE E000 WITH SY-CPROG. "some message about authorization check failure
    ELSE.
      MESSAGE E005 WITH SY-SUBRC. "some message about authorization check failure
    ENDIF.
  ENDIF.
  IF LISTLOCK = 'X'.
    WRITE:/ 'List all locked users: '.
    SELECT * FROM USR02 WHERE UFLAG = 64.
      WRITE: / USR02-BNAME.
    ENDSELECT.
    EXIT.
  ENDIF.
  IF LOCK = 'X'.
    UFLAGVAL = 64.                       "lock all users
    LOCKSTRING = 'locked'.
  ELSE.
    UFLAGVAL = 0.                        "unlock all users
    LOCKSTRING = 'unlocked'.
  ENDIF.
  SELECT * FROM USR02 WHERE BNAME <> 'SAP*' AND BNAME <> SY-UNAME.
    IF USR02-UFLAG <> 0 AND USR02-UFLAG <> 64.
      WRITE: 'User', USR02-BNAME, 'untouched; please handle manually.'.
      CONTINUE.
    ENDIF.
  check that user has authority to make these changes
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD USR02-CLASS
        ID 'ACTVT' FIELD '05'.
    IF SY-SUBRC <> 0.
      IF SY-SUBRC = 4.
        WRITE: /'You are not authorized to lock/unlock user ',
          USR02-BNAME, USR02-CLASS.
      ELSE.
        WRITE: /'Authorization error checking user ',
               USR02-BNAME, USR02-CLASS, '(return code', SY-SUBRC, ').'.
      ENDIF.
    ELSE.                                "has authority
      UPDATE USR02 SET UFLAG = UFLAGVAL WHERE BNAME = USR02-BNAME.
      WRITE: / 'User', USR02-BNAME, LOCKSTRING, '.'.
    ENDIF.

• Hi   authority check  in prog

  hi
  could anyone tell me how to use authority check in report program.
  please provide me with code in report only.
  thanx
  rocky robo

  PARAMETERS: P_BUKRS LIKE T001-BUKRS.
  SELECT-OPTIONS:
                  S_VKBUR FOR ZSD_BILLINFO-VKBUR OBLIGATORY,
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
        ID 'BUKRS' FIELD P_BUKRS
        ID 'ACTVT' FIELD '03'.
    if sy-subrc <> 0.
      message e001(ZAUT) with P_BUKRS.
    endif.
  loop at S_VKBUR.
      AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
          ID 'VKBUR' FIELD S_VKBUR-LOW
          ID 'ACTVT' FIELD '03'.
      if sy-subrc <> 0.
        message e001(ZAUT) with S_VKBUR-low.
      endif.
      if S_VKBUR-high <> space.
        AUTHORITY-CHECK OBJECT 'Z_REPORT_N'
            ID 'VKBUR' FIELD S_VKBUR-HIGH
            ID 'ACTVT' FIELD '03'.
        if sy-subrc <> 0.
          message e001(ZAUT) with S_VKBUR-high.
        endif.
      endif.
    endloop.

• Authority Check - Best Practice - Optimum Way

  Hi Experts,
  I want to use authority check in my reports. The requirement is to filter data on the selection screen and execute the query. Error messages are not to be thrown because, a user will find it difficult to enter all the document types/company codes/sales areas etc authorized and remove the ones not authorized from the range.
  I am planning to create range tables and populate it with the authorized values and use it in the select queries.
  I have two concerns:
  1. I will have to build range tables based on the values authorized. This will take some time, keeping in mind that append is an expensive statement.
  2. What if the range table becomes big enough to give me a dump in the select query in some scenario. (What if scenario? Its a rare possibility that some field like this also needs to be authorized)
  What is the best practice or rule of the thumb that you have figured out.
  Thanks,
  Abdullah Ismail.

  Are they asking you to check the authorisations for each of the following?
  1.     Sales Organization
  2. Distribution Channel
  3. Division
  4. Sales Group
  5. Sales Office
  6. Sales Document Type
  7. Sales Country
  8. Material Group(Brands)
  If so that is completely over engineered and good luck with that.  Surely you only need to check at one level of the sales structure, the lowest level I would guess.  Your auths team should be able to guide you here and I cannot imagine they would want that level of auths as it would be a nightmare for them to build it. I suppose you might want one on material group as well.
  Therefore they auths team or functional consultants will need to tell you at what level you are checking for each report, there will only be a small number at each level, (think you will struggle to get near the 12,000 Rob points out would cause an issue with a range) of the sales structure so I would use a range, you wonu2019t have that many appends and it wonu2019t add much to the time of the report.  While for all entries is great you can also use the range where the report may have already used for all entries on a select and better not to have to rebuild the whole report.
  Also I would do the auths check first up and make the field mandatory if they really want it nice and tight so the user has to choose, you can use a PID to make it a bit more friendly.
  If you know the setup is the same each time you could use a standard include and subroutine, or ABAP objects would probably be the best route with a set of standard methods to call.
  Hope that helps,
  Tim

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Securing action box items with authority-check object

  In a 4.6c environment I have setup action box items for various sm and QM notifications.
  I would like to secure some of the action box items that their execution is only allowed by authorized personnel using authority-check objects.
  Is there a way to secure the action box item by the item number? If not the action box items are using a function module. Maybe I could use the fm name in the authority-check.
  Any ideas would be greatly appreciated.

  Hi,
  just see these examples
  SAPTLIST_TREE_CONTROL_DEMO_HDR
  SAPTLIST_TREE_CONTROL_DEMO
  SAPTLIST_TREE_MODEL_DEMO
  and for getting a checkbox we have to repalce the icon what is there in the example program and handle the checked and unchecked event for the checkbox.
  this can be achieved by using object oriented methods...
  reward if helpful
  rgds,
  Prajith
  Prajith

• Help with authority-check

  Hello ppl,
  On my selection screen for a report, I have the field Sales Org. SELECT-OPTIONS: s_vkorg FOR gs_selscr-vkorg 
                                OBLIGATORY, "Sales Org.
  I need to check whether the user has the authorization for the selected sales organisations. So, I am using:
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
             ID 'VKORG' FIELD s_vkorg
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc NE 0.
      MESSAGE e013.    " No authorization
      SET CURSOR FIELD 'S_VKORG-LOW'.
    ENDIF.
  But, will this code handle a range of sales organisations?
  Also, how will I be able to display an error message displaying the sales org for which the user has no authorization?
  Please help.
  Thanks.

  selection-screen begin of block b1 with frame .
  select-options : so_bukrs for bsid-bukrs obligatory,
  so_kunnr for bsid-kunnr,
  so_hkont for bsid-hkont,
  so_prctr for bsid-prctr ,
  so_ktokd for kna1-ktokd.
  selection-screen end of block b1.
  initialization.
  *Clearing the work area.
  clear gs_bsid.
  Refreshing the internal tables.
  refresh gt_bsid.
  *comm1 = 'Post Dt'.
  *comm2 = 'Doc Dt'.
  *comm3 = 'Bline Dt'.
  *******AUTHORITY-CHECK ***********************************************
  at selection-screen .
  call function 'ZCAGL_COUNTRYCODE'
  exporting
  IM_WERKS =
  IM_SPART =
  IM_PRCTR =
  im_bukrs = so_bukrs-low
  importing
  e_land1 = e_land1.
  if e_land1 ne 'IN'.
  message i004(yfi02) with 'This Company Code' so_bukrs-low
  'doesn''t belong to INDIA'.
  leave program.
  else.
  authority-check object 'ZPRCHK_NEW' :
  id 'BUKRS' field so_bukrs-low.
  if sy-subrc ne 0.
  message e001(yfi02).
  leave program.
  endif.
  endif.
  if so_prctr-low is not initial.
  call function 'ZCAGL_COUNTRYCODE'
  exporting
  IM_WERKS =
  IM_SPART =
  im_prctr = so_prctr-low
  IM_BUKRS =
  importing
  e_land1 = e_land1.
  if e_land1 ne 'IN'.
  message i004(yfi02) with 'This Profit center'
  so_prctr-low 'doesn''t belong to INDIA' .
  leave program.
  else.
  authority-check object 'ZPRCHK_NEW' :
  id 'PRCTR' field so_prctr-low.
  if sy-subrc ne 0.
  message e002(yfi02).
  leave program.
  endif.
  endif.
  endif.
  this will help u....
  Regards
  Anbu

• Rfc call with authority check

  Hello,
  how can I use authority check in a remote function call from another system?
  The user is there not the real personalized user.
  Thank you for help!
  Christine

  Hi,
  CALL FUNCTION 'AUTHORITY_CHECK'
             EXPORTING
                  USER                = LV_USER
                  OBJECT              = lv_object
                  FIELD1              = lv_field
                VALUE1              = LV_VALUE
                field2              = space
                value2              = space
                field3              = space
                value3              = space
             EXCEPTIONS
                  USER_IS_AUTHORIZED  = 0
                  USER_DONT_EXIST     = 1
                  USER_IS_LOCKED      = 1
                  USER_NOT_AUTHORIZED = 2.
  Regards,
  Arek
  Reward points if useful

• Urgent(Authority-check)

  HI Gurus..
  I have used PNP L.database.
  But i have used few select statements to read data from infotypes.
  do i need to do authority check separately
  or L database will take care of it.
  Please provide me with the acurate answers.. as its an urgent issue..

  To create authority check object you can use transaction SU21. Here you can decide if you only want to create a new object and assign it to an existing class or if you can to create both object and class.
  While defining the object you will have to provide what fields will be in this object. For example if i am creating a custom object to be used in SD based on customer and plant, i would include fields such as KUNNR and WERKS in my authority object. In addition to that if i also want to check for display/change/create access, i would also add a field called ACTVT (activity).
  Once the object is defined, the authorization team will assign it to different authorization profiles with relevant values like for display only access for customer XYZ and plant 0001, these values will be provided in the authorization profile to this object. (As a developer this is not your headache )
  You would be using it in your reports or transactions using Authority-check statements. You will be calling the specific object in your authority-check statement and passing it some values(say Actvt 03 customer ASD, plant 0002) and checking the value of sy-subrc. If subrc is 0 means the authority check is OK, the user has the authorization.
  I think this will give you an idea on how to proceed.
  Cheers

• How to use the AUTHORITY-CHECK in ABAP

  I am a security guy but am trying to understand how the AUTHORITY-CHECK works. I have read the help on it but it doesn't answer to my understanding. I want a check in a report so that no matter what the user selects the program goes out and checks the authorization in the users master record and only displays what he has access to. I am sure this is basic but I am not a programmer.
  Thanks

  Hi Greg,
    Basically a AUTHORITY-CHECK is a programmatic way to check a auth object a user has.  This is only as good as the person writing the code makes is.
  Here is a basic example of how it could work.  Lets say you have auth objects for users that limit them to see company code. User A can see cc 10, User B can see cc 20 and user C can see both.
  In the code the programmer would have to first do the authcheck to see what CC the user has access to.  Then they would have to limit his reporting based on the results of the authority check.  So they might do it by saying SELECT * FROM XYZTAB WHERE COMPANY CODE = AUTHCC
  This is what I think you are looking for.  There are other ways to use the auth check.  You can do a check and end the program with a message if they don't have authorization. 
  If you need more info, let me know
  John

• Authority check based on the tables used in a programme

  based on the tables used in a programme can I see authority checks available in the system.If yes how do i go about it .

  Using the below FM:
  SUSR_USER_AUTH_FOR_OBJ_GET
  EFG_USER_AUTH_FOR_OBJ_GET
  You can get all the autority check available for a user.
  Regards,
  Prakash.

• LSO: Java errors when using Authoring Environment to check-in eLearning

  Have any users here encountered any of these Java errors when trying to check-in eLearning content to the Master Repository?
  reuseObj is null
  java.lang.NullPointerException: reuseObj is null
       at com.sap.hcm.ls.shared.repository.exchange.DeltaVersionData.<init>(DeltaVersionData.java:62)
       at com.sap.hcm.ls.shared.repository.exchange.CopyMan.checkIn(CopyMan.java:160)
       at com.sap.hcm.ls.shared.repository.exchange.Publisher.checkInObjects(Publisher.java:270)
       at com.sap.hcm.ls.las.repository.explorer.wizard.steps.CheckInObjectsStep.workerThread(CheckInObjectsStep.java:85)
       at com.sap.hcm.ls.shared.util.swing.wizardfw.steps.ProgressWizardStep.run(ProgressWizardStep.java:209)
       at java.lang.Thread.run(Unknown Source)
  No semaphore for: /<path>/_groupManProps.txt
  java.io.IOException: No semaphore for: /<path>/_groupManProps.txt
       at com.sap.hcm.ls.shared.repository.control.implicit.ImpVersManager.getAndUpdateNextRevisionNumberForGroup(ImpVersManager.java:920)
       at com.sap.hcm.ls.shared.repository.control.implicit.ImpVersManager.postSpecifyRevisionNumber(ImpVersManager.java:624)
       at com.sap.hcm.ls.shared.repository.exchange.CopyMan.copyProps(CopyMan.java:867)
       at com.sap.hcm.ls.shared.repository.exchange.CopyMan.checkIn(CopyMan.java:227)
       at com.sap.hcm.ls.shared.repository.exchange.Publisher.checkInObjects(Publisher.java:270)
       at com.sap.hcm.ls.las.repository.explorer.wizard.steps.CheckInObjectsStep.workerThread(CheckInObjectsStep.java:85)
       at com.sap.hcm.ls.shared.util.swing.wizardfw.steps.ProgressWizardStep.run(ProgressWizardStep.java:209)
       at java.lang.Thread.run(Thread.java:619)
  Unexpected object state: /<path>/v1/ [rep=http://<path>:80/publishing/LSO_SH1/, type=4, props={status=reserved, type=4, isVersioned=m, pathHash=1855656709}]
  com.sap.hcm.ls.shared.repository.access.ConcurrentIOException: Unexpected object state: /<path>/v1/ [rep=http://<path>:80/publishing/LSO_SH1/, type=4, props={status=reserved, type=4, isVersioned=m, pathHash=1855656709}]
       at com.sap.hcm.ls.shared.repository.exchange.Publisher.announceToPublisherDB(Publisher.java:733)
       at com.sap.hcm.ls.shared.repository.exchange.Publisher.checkInObjects(Publisher.java:288)
       at com.sap.hcm.ls.las.repository.explorer.wizard.steps.CheckInObjectsStep.workerThread(CheckInObjectsStep.java:85)
       at com.sap.hcm.ls.shared.util.swing.wizardfw.steps.ProgressWizardStep.run(ProgressWizardStep.java:209)
       at java.lang.Thread.run(Thread.java:619)
  They each seem to point to some degree or another to using Versioning, but I've gotten those errors whether the "Use Delta Versioning..." checkbox is checked or unchecked.  I do have the standard versioning settings set in the IMG, the standard delivered settings.  And it's referencing the same file, _groupManProps.txt, that doesn't exist in any of the packages I've tried to publish/check-in.  I've tried both AICC and SCORM content and I get the same errors.
  We have an ECC6 system on EHP5, and using Authoring Environment version LSOAE09_0-10006103.
  I'm running the Authoring Environment on a 64-bit Windows 7 PC.
  I've tried to publish/check-in with the following versions of the Java SDK:
  1.4.2 Update 13
  1.4.2 Update 19 (the latest in 1.4.2 with a Windows installer available)
  6 Update 14 (a colleague is using this version successfully with the AE)
  6 Update 23
  Each of those were the 32-bit versions after trying a 64-bit version of one (based on my PC's OS) and getting an unrelated 64-bit error.
  I would appreciate any experience or wisdom any other users here have to share.
  Thanks!
  Jason
  Edited by: jtrain on Nov 22, 2011 9:29 AM

  It was an adjustment we made on our ISA 2006 server. Under
  1. Open Array - Configurarion - General
  2. Select Additional Security Policy - Configure Flood Mitigation
  3. On the Flood Mitigations Tab, there are a number of flood mitigation settings that can be configured.
  The setting we had to adjust is under the "Maximum HTTP requests per minute per IP address (Click on Edit)
  Increase the  "Limit:"  setting. We set it to 1500 which resolved our problem.
  4. Apply the policy and wait for the configuration to be updated on all array members ( may take several minutes)
  Regards,

• Authority check on Creation of Purchase order usin badi BBP_ITEM_CHECK_BADI

  hi all,
  i have to apply authority checks on creation of Purchase order and shopping cart in SRM using badi BBP_ITEM_CHECK_BADI.
  i have applied checks on creation of shopping cart   using this badi which have some filters but how to apply on purchasing order using BBP_ITEM_CHECK_BADI.

  hi,
    You can use the BBP_DOC_CHECK_BADI.
  BR,
  Disha.
  Pls rewar points for useful answers.

• Company code authority check

  Hi
  we have created ZTTL01 table maintenance view. Should not allow unauthorized company code to update/create or display.
  I searched thru forums and collected below points. but could not test it successfully.
  Authorization object (Z_XXX_BUK) was created.But <Permitted activities> Button is not available in display authorization object(SU21) to see what are the activities are permitted.
  In su01 for my user no roles or profiles are defined.
  To do
  Trying to write  below code in PBO and PAI flow logic of ZCHECK_BUK table for screen 01
  PBO & PAI
  *First statement
  Module Authorictycheck.
  module Authoritycheck
    LOOP AT EXTRACT.
      AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
                          ID 'ACTVT' FIELD '01,02,03'
                          ID 'BUKRS' FIELD ZTTL01-BUKRS.
      IF sy-subrc <> 0.
        MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
      EXIT.                          'access Bukrs'extract-bukrs.
      ENDIF.
    ENDLOOP.
  endmodule
  Can i use above code in PBO and PAI to check change of company code?
  I am sharing role and profile created by other user, which allows only company code 'A10'.
  How to test this now?
  se11->Utilities->table contents create should not allow me to input A11 or other company codes? pls confirm.
  Regards
  Chandra

  Hi Suhas
  Regarding 1) It works when i remove the FORM routine assinged for EVENTS.
  Thanks for ur input.
  Regarding 2)When the user displays record in SM30 for a table, he must not be able to see the company code AD01.
  To achieve this can i use EVENT AA?
  I create FORM routine <hide_cocode> in EVENT AA and store at include LZXXXXF01.
  FORM ZHIDE_COCODE.
  DATA: F_INDEX LIKE SY-TABIX."Index to note the lines found"
  LOOP AT TOTAL.
  READ TABLE EXTRACT WITH KEY <vim_xtotal_key>.
  IF SY-SUBRC EQ 0.
  F_INDEX = SY-TABIX.
  ELSE.
  CLEAR F_INDEX.
  ENDIF. "(make desired changes to the line TOTAL)
  MODIFY TOTAL.
  CHECK F_INDEX GT 0.
  EXTRACT = TOTAL.
  MODIFY EXTRACT INDEX F_INDEX.
  *ENDIF.
  ENDLOOP.
  SY-SUBRC = 0.
  ENDFORM.
  I made break point at line LOOP at Total. and executed SM30 and clicked Display button.
  Sorry Code stops here and table TOTAL has flat line structure of empty.Loop at total is skipping
  what should be done now?
  Regards
  Chandra

• Authority check in hr payroll infotype report

  Hi all,
  We have developed a report which gives infotypewise employee details.here we are checking authority for reading employee data.we are applying authority check at selection-screen and while reading the data from database tables.following is the sample code.
  do .
  if  s_abkrs-high < s_abkrs-low.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-high
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
  exit.
  endif.
      authority-check object 'P_PCR'
                id 'ABRKS' field s_abkrs-low
                id 'ACTVT' field '01'
                id 'ACTVT' field '02'.
      if sy-subrc <> 0.
        message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
      endif.
    s_abkrs-low = s_abkrs-low + 1.
  enddo.
  my senior says this code is right but it is not checking authority for all infotypes.can anyone suggest what changes are required in this code so that it will check authority for all infotypes.
  Thanks in advance.
  Regards,
  Harshada

  Hi ,
        A select-option will have a structure with four fields (sign , option , low , high) .
        So if you want to use your below code : you cannot check authority.
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs  <-- is an internal table
  id 'ACTVT' field '01'
  id 'ACTVT' field '02'.
  if sy-subrc 0.
  message id 'ZHR_ERRMSGS' type 'E' number '292' with s_abkrs-low.
  endif.
  endloop.
  The other option is :
  If your select option has values only in low ... then you can loop thru it ...
  loop at s_abkrs.
  authority-check object 'P_PCR'
  id 'ABRKS' field s_abkrs-low
  endloop.
  Regards,
  Srini.