Workcenter wise Authorization Checking in CO11N T.Code
Hi All,
In our business we have 12 operation stages in routing and total process passes through 4 depts.We have 4 SAP Logon id for these dept.We are using 4 Milestone Confirmation stages (Control Key PP03) and separate dept. confirm their stages by using CO11N T.Code.Now I want o check authorization on the basis of Order Operation Activity number wise or Work Centerwise so that no other dept can confirm other stages only responsible dept. has authorization to confirm their stages.
Please let me know how can I incorporate this things so that it works.I have checked authorization objects for Confirmation but it is not there.Please guide me.
Thanks & Regards
Nirmal
Hi
Try with this User Exit's
CONFPP01 PP order conf.: Determine customer specific default values
CONFPP02 PP order conf.: Customer specific input checks 1
CONFPP03 PP order conf.: Cust. specific check after op. selection
CONFPP04 PP order conf.: Customer specific input checks 2
CONFPP05 PP order conf.: Customer specific enhancements when saving
CONFPP06 PP Order Confirmations: Actual Data Transfer
CONFPP07 Single Screen Entry: Inclusion of User-Defined Subscreens
Thanks
S.Murali
Similar Messages
-
How to Project Code wise Authorization.
Hi,
i want to give project code wise authorizations to users. in
authorization we can give only total project code
Full/Readonly/No Authorizations. A user only he want to see
Project Code Hyd. remaining project code he want see in all
the documents. for documnet numbering we have option
Grouping like this is there any option to prevent projec code to
users.
reds,
samapth.It is possible to do through SDK. although on a rather large scale. You need to establish an UDO idientify the userid with multiple project code, or project code with mulitple user ID. Then all the project code drop down inside SBO will need to be replaced by SDK to show only the project associated with current log in user id. To make it more complete, you need to establish error message in the SP_transactionnofication to hold the document if project code used (as they can still manually type in) is not usable by them!
-
How add Authorization check for user with assigened role for t.code-MIR4
Hi All,
Regarding authorization how to check authorizations check for user whith assigned roles for the t.code MIR4 using ABAP.
In Detail:2) All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
suggest me...
Thanks,
srii..Hi Sri ,
first u need to find out in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
make use of Tcode SUIM to find out all roles which are using this Object.
or
ask ur basis guy to remove authorizations to create/change....
regards
Prabhu -
Authorization-check and Match code
Hi
How do we declare authorization check?Plase provide me syntax?
does match code relates to it?
Thanks in advance.Hi RK,
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
AUTHORITY CHECK OBJECT <object name>
ID <name1> FIELD <f1>
ID <name2> FIELD <f2>
IF SY-SUBRC NE 0.
For Matchcode (which is now called Search help) go to the link
http://help.sap.com/saphelp_nw04s/helpdata/en/c9/83eb02be4c11d1950200a0c929b3c3/content.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/cf/21ee93446011d189700000e8322d00/content.htm
Reward points if this helps.
Manish -
Authorization check for select-options field - Company code.
Hi experts,
i have company code field on the report selection screen and i have to validate the authorization check for BUKRS.
How to do authorization check for a select-options field?
Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
Thanks.>
RNB wrote:
> Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
Does it hurt to type a few lines of code? Why do you need an FM for this my friend?
Anyways can you please tell which SAP application area (viz. FI, SD etc.) do you want to run the report?
Suhas -
Authorization check For T code
Hi everyone,
Can anybody guide to set a authorization check for a particular Tcode.
I have ztable where users are assigned particular numbers.
I want the users who are assigned some numbers should be able to use this particular t code
Thanks in advancehi
chk this out
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK -
Forcing Authorization for a transaction code without authorization check in
Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".
However, If Ia program has "Call transaction" verb calling this transaction and if the restricted user runs this report or module program, it does not restrict the user to access the transaction.
Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?
Jitendra MehtaHi Florin:
S_TCODE restricts the user only at command prompt level, not if you run the transaction for program using "CALL TRANSACTION" verb.
If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.
But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.
The only way, I have seen this working is to assign value space ( ' ' ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.
But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not proper to assign a no value to auth. object ( assigning space value ) "
I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.
Please let me know your thoughts.
Thanks.
Jitendra Mehta -
Authorization check (compagny code)
Hi,
For one user I'm trying to seperate access on two company codes:
-For company Code A: User1 should be able to modify only Accounting Documents (Customers and Vendors)
-For company Code B: User1 should be able to modify only Accounting Documents (G/L accounts)
Does any one knows how can I separate such access for the same user.
Thanks
Kamel
Edited by: Kamel Souilah on Dec 1, 2009 10:56 PMThank you Julius for your reply,
Most of the Tcodes used in this scenario are validating their authorization checks on the same objects. Hard to limit access using those objects. It could be feasible if F_BKPF_KOA has the field company code BURKS.
I have to explore your suggestion regarding the subledgers so if you have more details about that point it would be appreciated.
Thanks
Kamel -
Deactivate authorization checks in BSP or function modules?
Hi all
I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
Regards
Mike> I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
I would think that a carefull choice of function module and consulting with your functional guru about config which will not interfer with other requirements is the best route to take.
I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
Cheers,
Julius -
Release Strategy (EBAN-FRGST) in PR authorization check
Hi,
Do you know if it is possible to make release strategy (EBAN-FRGST) in authorization check of purchase requisition, other than release code & release group?
Thanks.Hi,
It's possibile though user exist to control the department wise, please consult your ABAP -
Supress authentication check from within ABAP code
Hi,
we want all users to update their email-address in their own sap profile. (a self service)
By default, in the screen "System"->"User Profile"->"Own Data", he can update all except his email-id.
For this, we have written an abap report.
DATA: p_smtp TYPE TABLE OF bapiadsmtp WITH HEADER LINE,
p_return TYPE TABLE OF bapiret2 WITH HEADER LINE,
p_addressx TYPE bapiaddr3x.
data: p_uname TYPE xubname.
PARAMETERS: p_email TYPE ad_smtpadr OBLIGATORY.
p_uname = sy-uname. "logged in user
p_smtp-e_mail = p_email.
p_smtp-std_no = 'X'.
p_smtp-home_flag = 'X'.
p_smtp-consnumber = '001'.
p_addressx-e_mail = 'X'.
CALL FUNCTION 'BAPI_USER_CHANGE'
EXPORTING
username = p_uname
addressx = p_addressx
TABLES
return = p_return
addsmtp = p_smtp.
when we execute this report, with all rights, it works fine.
but a normal user when he executes, he is getting this error:
"You are not authorized to change users in group"
the su53 screen shows:
Authorization check failed
Object Class BC_A Basis: Administration
Authorization Obj. S_USER_GRP User Master Maintenance: User Groups
Authorization Field ACTVT Activity
02
Authorization Field CLASS User group in user master maintenance
<Dummy>
the point here is we cannot add User Maintenance rights to all our normal users.
is there any way, within the report (code) we can suppress the authentication check, programatically just while calling 'BAPI_USER_CHANGE', so that the user will be able to update his email-id.
thanks in advance,
Madhu_1980Here are 2 useful links:
http://www.sapdev.co.uk/fmodules/fms_updateaddress.htm
Updating email address in SU1/SU3
If these don't help the noly thing I can suggest is that you write your own bdc program.
Regards,
Warren. -
Create authorization check for a report
Hi,
I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
Say the report name is ZHR_TIMEABC.
Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
Thanks in advance,
VGHi,
Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
Your inputs will be helpful to understand this concept.
Thanks,
VG -
Add authorization check in Infopackage Scheduler for option 6-ABAP Routine
We want to add an authorization check in routine rssm_routines_maintain. This is in the Infopackage scheduler in the Data Selection tab under the column Type after selecting type=6(ABAP Routine). This is a core modification. We have checked with our Security team with traces and found nothing available to help us.
Two questions:
1) Is there any other way we can control who can create/change ABAP code by this method ?
2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
Your help would be appreciated.
Robert Begin,
450-677-9411 or
514-924-4311
or email at [email protected]Hi Chandran, we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
The concern is that if having access to write abap code, a person can practically do as heéshe pleases with ABAP code and it is a concern.
Do you have any solution/suggestions to lock this down?
Much appreciated,
Regards,
Robert. -
Hi ,
i new to authorization so i need help ,
i go to transaction SU21 and i choose some object for example:
Object R_CPM_BSC
Text Authorization Object SEM: BSC Elements
Class SEM Strategic Enterprise Management*
Author STASTNY
Field name Heading
SEMSCARD Scorecard
SEMOBJTYPE Scorecard Elements: Object Type
SEMOBJKEY Scorecard Elements: Object Key
ACTVT Activity
And when i push on permitted activities i get:
R_CPM_BSC Authorization Object SE
ACTVT Activity
activists
01 Create or generate
02 Change
03 Display
04 Print, edit messages
1. i have always just permitted activities for ACTVT ?
if i wont that user just have display Authorization how i have to write it like below?
AUTHORITY-CHECK OBJECT R_CPM_BSC
ID ACTVT FIELD '03'
thats it i don't use the other fields?
RegardsHi,
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Thanks
Vikranth -
Section Wise Authorization for automatic payment (F110)
Hi SAP Gurus,
Our client wants Section Wise authorization on Automatic Payment (F110). That is User A is authorized to make payments for the vendors which have open line items which has section XX. While User B is authorized to make payments for that particular vendors which have open line items which has section YY.
While execution F110 by User A, system will make payment for all those open items which has section XX. But, when User B is executing F110, system will make payment for all those open items which has section YY.
Please guide, how to achieve the results.
Points will be awarded
Regards
Rajesh GuptaWhile executing F110, you can choose BSEG-SECCO in 'Field Name' field in 'Free Selection' tab and enter particular values for this field in Values field, i.e. XX or YY. That way, you can segregate payments. As far as authorization issue goes, check with your security consultant if particular users can be given authorization for F110 transactions for particular values of BSEG-SECCO field; I am sure this can be done in user authorization profile by the Security Team.
Maybe you are looking for
-
Unable to open projects from an external hard drive... Help??
Ok, so here's the problem. I recently moved all of my projects onto my external hard drive (G-Drive) and now I am unable to open them in FCP X. All of the projects were originally created using FCP, opened them using FCP X this morning, saved again
-
I ordered by phone yesterday afternoon and I have not received a confirmation e-mail about my order. I was just wondering when I would get one. I have a confirmation number and my order is in MyVerizon. Thanks.
-
Anybody out there can please tell me how do I clear the SENDING AND RECEIVING LOGS on a LASERJET M1212nf MFP ???
-
Cannot save pages/numbers/keynote files to server
Since I started using OS Mavericks I have been unable to save documents to our PC Server Win 2008 R2. It always worked with the other Mac OS systems. Even installing the lastest update today did not help.
-
How to quickly/safely remove files before giving Mac away?
Hi, I'm giving me my Mac away, I'm wondering what is the fastest/easiest way to remove all my personal files (mail, iTunes, videos, documents, iPhoto)? Is the best way, to create a new admin account, and delete the old admin account? Will it securely